LDAP in deltasyncrepl method
by Aravind Arjunan
Hi,
I am configuring OpenLDAP 2.3 on the RHEL 5 operating system.
I need the configuration files (slapd.conf) for the master and the slave
for reference.
I need to configure *OpenLDAP in delta-syncrepl method.*
If anyone has configured OpenLDAP in this method, please send me the
configuration file for reference.
Or please tell me how to configure LDAP in master/slave on the RHEL 5 OS.
15 years, 4 months
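A master/slave (provider/consumer) pair for delta-syncrepl on OpenLDAP 2.3, added here as a worked example rather than taken from the thread. dc=example,dc=com, the hostnames, the paths, the cn=replicator account and its password are placeholders to replace. The consumer pulls the provider's change log (cn=accesslog) instead of re-reading whole entries, the replication identity is a dedicated read-only entry rather than the rootdn, and the provider refuses unencrypted sessions so credentials and directory data never cross the network in clear.

```conf
###### Provider (master) slapd.conf ######
include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# Only needed if slapd was built with dynamic modules:
# modulepath    /usr/lib/openldap
# moduleload    back_bdb.la
# moduleload    syncprov.la
# moduleload    accesslog.la

# Refuse any operation on a session weaker than 128-bit TLS.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/provider.crt
TLSCertificateKeyFile   /etc/openldap/provider.key
security        ssf=128

# 1. The change-log database. It must be defined before the database
#    it records, and nobody but the replicator may read it: every write
#    to the directory, including password changes, ends up in here.
database        bdb
suffix          cn=accesslog
directory       /var/lib/ldap/accesslog
rootdn          cn=accesslog
index           default eq
index           entryCSN,objectClass,reqEnd,reqResult,reqStart
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * none
overlay         syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE

# 2. The replicated database itself.
database        bdb
suffix          dc=example,dc=com
rootdn          cn=Manager,dc=example,dc=com
# Replace with the output of slappasswd.
rootpw          secret
directory       /var/lib/ldap
index           objectClass eq
index           entryCSN,entryUUID eq
# The replicator needs to read everything it has to copy, userPassword
# included; nobody else gets to read password hashes.
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by self write
        by * read
overlay         syncprov
syncprov-checkpoint 1000 60
# Record every successful write in cn=accesslog; purge records older
# than 7 days, checking once a day.
overlay         accesslog
logdb           cn=accesslog
logops          writes
logsuccess      TRUE
logpurge        07+00:00 01+00:00

###### Consumer (slave) slapd.conf ######
include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database        bdb
suffix          dc=example,dc=com
rootdn          cn=Manager,dc=example,dc=com
directory       /var/lib/ldap
index           objectClass eq
index           entryCSN,entryUUID eq
# Replay the provider's access log; if the log no longer covers the
# consumer's state, syncrepl falls back to a full refresh by itself.
syncrepl        rid=0
                provider=ldaps://provider.example.com:636
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=replicator-secret
                searchbase="dc=example,dc=com"
                logbase="cn=accesslog"
                logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"
                syncdata=accesslog
# Any client that tries to write here is referred to the provider.
updateref       ldaps://provider.example.com:636
```

Create cn=replicator,dc=example,dc=com on the provider as an ordinary entry (for instance objectClass organizationalRole plus simpleSecurityObject with a userPassword) before starting the consumer. The consumer's own libldap verifies the provider certificate against TLS_CACERT in its ldap.conf, so that file must point at the CA that signed provider.crt or the ldaps:// connection will fail.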
Log system
by Alain Siani
Hello,
As soon as I activate the LDAP log system in syslog, the system does not
respond... and many, many logs are written to the log.
If I stop syslog, the system is up and running OK.
CentOS release 5 (Final)
Any idea?
Thanks,
Alain
15 years, 4 months
slurpd replication problmes
by Almir Karic
I'm trying to set up replication with OpenLDAP 2.3 (using the one in
Debian etch). When I add things to the master everything is fine, it
replicates to the slave just fine; on the other hand, when I add things
to the slave it simply writes them to its own tree.
Here is the slapd.conf of the slave (stripped of any comments):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
loglevel stats
database bdb
suffix "dc=kiberpipa,dc=org"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=kiberpipa,dc=org" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=kiberpipa,dc=org" write
        by * read
updatedn "cn=admin,dc=kiberpipa,dc=org"
updateref "ldaps://chat.kiberpipa.org:636"
With this command "ldapadd -d 65535 -WxD
'cn=admin,dc=kiberpipa,dc=org' -f /tmp/b00" (on the slave) I'm getting
http://static.kiberpipa.org/~redduck666/local_adding.txt; with
"ldapadd -d 65535 -WxD 'cn=admin,dc=kiberpipa,dc=org' -f /tmp/b00 -H
ldaps://chat.kiberpipa.org:636" I get
http://static.kiberpipa.org/~redduck666/add_to_master.txt (passing it
the same password they write to
I have seen the certificate error there; if I change the ldap.conf on the
slave to point to ldap:// instead of ldaps:// that error goes away,
however it still doesn't touch the master.
I also read that I really shouldn't set updatedn to be the same as the
rootdn; well, I tried changing it and granting full privileges to the newly
created account, no difference.
Any pointers appreciated :-)
--
For far too long, power has been concentrated in the hands of "root"
and his "wheel" oligarchy. We have instituted a dictatorship of the
users. All system administration functions will be handled by the
People's Committee for Democratically Organizing the System (PC-DOS).
15 years, 4 months
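On a slurpd slave, a write that arrives bound as the updatedn is applied locally (that is what updatedn grants), while a write from any other identity is answered with the updateref referral; ldapadd and ldapmodify only follow such a referral when told to with -C, otherwise they report it. With the administrator DN doubling as updatedn, an administrator adding an entry on the slave therefore writes straight into the slave's tree. The following added example (not the poster's configuration; dc=example,dc=org, the hostnames and the replica password are placeholders) keeps the two paths apart with a dedicated replication identity on both sides.

```conf
###### Master slapd.conf (slurpd provider) ######
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=admin,dc=example,dc=org"
directory       "/var/lib/ldap"
# slurpd reads this log and pushes each change to every replica below.
replogfile      /var/lib/ldap/replog
# Push changes to the slave as the replication identity, over TLS so
# that the replica password and the data do not travel in clear.
replica         uri=ldaps://slave.example.org:636
                binddn="cn=replica,dc=example,dc=org"
                bindmethod=simple
                credentials=replica-secret

###### Slave slapd.conf (slurpd consumer) ######
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=admin,dc=example,dc=org"
directory       "/var/lib/ldap"
# The only identity whose writes are applied here. It is deliberately
# not the rootdn/admin account, and only slurpd needs its password.
updatedn        "cn=replica,dc=example,dc=org"
# Everyone else who tries to write gets this referral to the master.
updateref       ldaps://master.example.org:636
# Same ACLs as the master, plus write for the replication identity.
access to attrs=userPassword,shadowLastChange
        by dn.exact="cn=replica,dc=example,dc=org" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn.exact="cn=replica,dc=example,dc=org" write
        by * read
```

cn=replica,dc=example,dc=org is an ordinary entry (organizationalRole plus simpleSecurityObject with a userPassword) created on the master, from where slurpd copies it to the slave. Administrators keep binding as cn=admin; when they point ldapadd at the slave they now get the referral instead of a silent local write, and with -C the client chases it to the master.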
Multithreaded LDAP client
by Rakesh Yadav
Hi,
LDAP version: openldap-2.3.38
I want to write a multithreaded LDAP client but don't have any idea about
multithreaded LDAP clients.
I have seen somewhere a sample code for a multithreaded client, but it
uses some structures
which are available only on Solaris.
struct ldap_thread_fns: available on Solaris but not present in Linux.
Please give me a solution for writing a multithreaded client on Linux.
Waiting for reply.
Thanks
--
Rakesh Yadav
Pune.
15 years, 4 months
Password management question
by daniel rahmeh
Hi,
I have a question about password management. As I know, it is
possible to use hash functions in OpenLDAP, for example:
password-hash {CRYPT}
password-crypt-salt-format "$1$somesalt$"
My question is about compatibility with applications. Today, we
have some applications that use OpenLDAP to create and authenticate
users. Is there a way to tell OpenLDAP to hash the received userPassword
before inserting it into its database?
Example:
Imagine an application (application1) that wants to insert a new
record (user account) in an OpenLDAP directory. Application1 doesn't
know how to hash a password; is there a way to tell OpenLDAP to hash
this password before adding the entry?
application1 ----------userPassword: testpasswd-----> openLDAP
(hash(testpasswd))------------->bdb ({CRYPT}$1$salt$EdFRTTT.BNHH.
The goal is to make OpenLDAP manage the hashing process and avoid
patching the applications.
Thank you
15 years, 4 months
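password-hash only governs the Password Modify extended operation (RFC 3062); a userPassword value that arrives in an ordinary Add or Modify request is stored exactly as sent. What the question asks for is the ppolicy overlay's ppolicy_hash_cleartext option, which makes slapd hash cleartext userPassword values in Add and Modify requests using the password-hash scheme. The fragment below is an added example slapd.conf (not from the thread); the suffix and paths are placeholders. It also forces TLS, because server-side hashing does nothing for a password that is read off the wire on its way in.

```conf
# Only needed if slapd was built with dynamic modules:
# moduleload    ppolicy.la
include         /etc/openldap/schema/ppolicy.schema

# Scheme used for hashes slapd generates itself. {SSHA} (salted SHA-1)
# is the default and preferable to {CRYPT} $1$ (MD5-crypt) unless some
# other consumer of the directory needs crypt(3)-compatible hashes.
password-hash   {SSHA}

# Refuse cleartext sessions entirely: application1 must talk TLS, or
# the "plain" password it sends is readable by anyone on the path.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/server.crt
TLSCertificateKeyFile   /etc/openldap/server.key
security        ssf=128

database        bdb
suffix          dc=example,dc=com
rootdn          cn=Manager,dc=example,dc=com
directory       /var/lib/ldap
index           objectClass eq
index           uid eq

# Hash cleartext userPassword values in Add and Modify requests, so
# application1 keeps sending "userPassword: testpasswd" and bdb stores
# "{SSHA}...". Without ppolicy_default no pwdPolicy entry is required.
overlay         ppolicy
ppolicy_hash_cleartext

# Nobody reads the hashes: users may change their own, slapd may
# compare them for binds, and that is all.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
```

Existing entries are not rewritten: a userPassword stored in clear before the overlay was enabled stays that way until it is next modified. Binds still work either way, since slapd compares against whatever scheme prefix the stored value carries.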
ldap_sasl_bind_s
by Gavin Henry
Hi All,
I've been debugging the RealTime Asterisk LDAP driver, namely the function:
static int ldap_reconnect(void)
{
    int bind_result = 0;
    struct berval cred;

    /* Already connected: nothing to do. */
    if (ldapConn) {
        ast_debug(2, "Everything seems fine.\n");
        return 1;
    }
    if (ast_strlen_zero(url)) {
        ast_log(LOG_ERROR, "Not enough parameters to connect to ldap database\n");
        return 0;
    }
    if (LDAP_SUCCESS != ldap_initialize(&ldapConn, url)) {
        ast_log(LOG_ERROR, "Failed to init ldap connection to '%s'. Check debug for more info.\n", url);
        return 0;
    }
    if (LDAP_OPT_SUCCESS != ldap_set_option(ldapConn, LDAP_OPT_PROTOCOL_VERSION, &version)) {
        ast_log(LOG_WARNING, "Unable to set LDAP protocol version to %d, falling back to default.\n", version);
    }
    if (!ast_strlen_zero(user)) {
        /* Simple bind with the configured DN and password. */
        ast_debug(2, "bind to '%s' as user '%s'\n", url, user);
        cred.bv_val = (char *) pass;
        cred.bv_len = strlen(pass);
        bind_result = ldap_sasl_bind_s(ldapConn, user, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
    } else {
        /* Anonymous simple bind: no credential berval is passed at all. */
        ast_debug(2, "bind %s anonymously\n", url);
        bind_result = ldap_sasl_bind_s(ldapConn, "", LDAP_SASL_SIMPLE, NULL, NULL, NULL, NULL);
    }
    if (bind_result == LDAP_SUCCESS) {
        ast_debug(2, "Successfully connected to database.\n");
        connect_time = time(NULL);
        return 1;
    } else {
        ast_log(LOG_WARNING, "bind failed: %s\n", ldap_err2string(bind_result));
        ldap_unbind_ext_s(ldapConn, NULL, NULL);
        ldapConn = NULL;
        return 0;
    }
}
The line:
bind_result = ldap_sasl_bind_s(ldapConn, NULL, LDAP_SASL_SIMPLE, NULL,
NULL, NULL, NULL);
is giving:
May 26 14:52:03 asterisk slapd[30075]: conn=1 fd=12 ACCEPT from
IP=127.0.0.1:57926 (IP=0.0.0.0:389)
May 26 14:52:03 asterisk slapd[30075]: bind: ber_scanf failed
May 26 14:52:03 asterisk slapd[30075]: conn=1 op=0 DISCONNECT tag=120
err=2 text=decoding error
May 26 14:52:03 asterisk slapd[30075]: conn=1 fd=12 closed (operations error)
Any debug tips would be greatly appreciated.
Two different libldap have been tested (Centos 5.1 package and Symas
OpenLDAP Devel package):
openldap-devel-2.3.27-8.el5_1.3
cdsdevel-3.9-2
Thanks.
--
Kind Regards,
Gavin Henry.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
15 years, 4 months
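"bind: ber_scanf failed" followed by err=2 (protocolError) and text=decoding error is slapd's do_bind() giving up on the BindRequest it received; it is not an authentication failure. An LDAPv3 simple BindRequest must carry the authentication choice, `simple [0] OCTET STRING`, even for an anonymous bind, where it is simply empty. My reading of liblber is that ber_printf skips an "O" argument whose berval pointer is NULL, so passing NULL as cred leaves that element out of the message and produces exactly the log above; the cure is to pass an empty berval (bv_val = "", bv_len = 0) instead of NULL. The following added example is not Asterisk or OpenLDAP code and does not link against libldap: it hand-encodes both forms of the message and parses them the way the server does, returning protocolError for the short one.

```c
/* Added example: hand-encode an LDAPv3 simple BindRequest (RFC 4511)
 * with and without the authentication choice, and parse it the way
 * slapd's do_bind() does.  Not Asterisk or OpenLDAP code.
 *
 *   LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
 *   BindRequest ::= [APPLICATION 0] SEQUENCE {
 *       version        INTEGER (1..127),
 *       name           LDAPDN,                  -- OCTET STRING
 *       authentication AuthenticationChoice }   -- simple [0] OCTET STRING
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS        0x00
#define LDAP_PROTOCOL_ERROR 0x02   /* the "err=2" in the slapd log */

/* DER writer for short (< 128 byte) values: tag, one-byte length, value. */
static size_t put_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len)
{
    out[0] = tag;
    out[1] = (uint8_t)len;
    if (len)
        memcpy(out + 2, val, len);
    return 2 + len;
}

/* Encode a simple bind for dn/pw into out and return its length.
 * with_auth == 0 omits the [0] simple element, which is what a NULL
 * berval handed to ber_printf("O") does.  Returns 0 if the inputs do
 * not fit the one-byte DER lengths used here. */
size_t encode_simple_bind(uint8_t *out, int msgid, const char *dn,
                          const char *pw, int with_auth)
{
    uint8_t inner[128], msg[136];
    uint8_t ver = 3, id = (uint8_t)msgid;
    size_t n = 0, m = 0;

    if (strlen(dn) + strlen(pw) > 100 || msgid < 1 || msgid > 127)
        return 0;
    n += put_tlv(inner + n, 0x02, &ver, 1);                             /* version */
    n += put_tlv(inner + n, 0x04, (const uint8_t *)dn, strlen(dn));     /* name */
    if (with_auth)
        n += put_tlv(inner + n, 0x80, (const uint8_t *)pw, strlen(pw)); /* [0] simple */
    m += put_tlv(msg + m, 0x02, &id, 1);                                /* messageID */
    m += put_tlv(msg + m, 0x60, inner, n);                              /* BindRequest */
    return put_tlv(out, 0x30, msg, m);                                  /* LDAPMessage */
}

/* Read one TLV at p; fail on truncation or an unexpected tag. */
static int get_tlv(const uint8_t *p, size_t avail, uint8_t want,
                   const uint8_t **val, size_t *len)
{
    if (avail < 2 || p[0] != want || p[1] > avail - 2)
        return 0;
    *val = p + 2;
    *len = p[1];
    return 1;
}

/* do_bind() runs ber_scanf(ber, "{imt", ...): version, name, then the
 * tag of the authentication choice.  If the sequence ends before that
 * tag, the scan fails and the client gets protocolError/"decoding error". */
int parse_bind(const uint8_t *buf, size_t len, char *dn_out, size_t dn_sz,
               int *is_simple)
{
    const uint8_t *seq, *br, *v;
    size_t seq_len, br_len, vl;

    if (!get_tlv(buf, len, 0x30, &seq, &seq_len))    return LDAP_PROTOCOL_ERROR;
    if (!get_tlv(seq, seq_len, 0x02, &v, &vl))       return LDAP_PROTOCOL_ERROR; /* messageID */
    seq += 2 + vl; seq_len -= 2 + vl;
    if (!get_tlv(seq, seq_len, 0x60, &br, &br_len))  return LDAP_PROTOCOL_ERROR; /* BindRequest */
    if (!get_tlv(br, br_len, 0x02, &v, &vl))         return LDAP_PROTOCOL_ERROR; /* version */
    br += 2 + vl; br_len -= 2 + vl;
    if (!get_tlv(br, br_len, 0x04, &v, &vl))         return LDAP_PROTOCOL_ERROR; /* name */
    if (vl >= dn_sz)                                  return LDAP_PROTOCOL_ERROR;
    memcpy(dn_out, v, vl);
    dn_out[vl] = '\0';
    br += 2 + vl; br_len -= 2 + vl;
    if (br_len < 2)                                   return LDAP_PROTOCOL_ERROR; /* no choice: "ber_scanf failed" */
    *is_simple = (br[0] == 0x80);
    return LDAP_SUCCESS;
}

/* Encode, then parse as the server would; returns the result code. */
int bind_rc_for(const char *dn, const char *pw, int with_auth)
{
    uint8_t buf[256];
    char dn_out[128];
    int simple = 0;
    size_t n = encode_simple_bind(buf, 1, dn, pw, with_auth);
    return parse_bind(buf, n, dn_out, sizeof dn_out, &simple);
}

size_t bind_len_for(const char *dn, const char *pw, int with_auth)
{
    uint8_t buf[256];
    return encode_simple_bind(buf, 1, dn, pw, with_auth);
}

int main(void)
{
    printf("anonymous, empty [0] simple present: rc=%d\n", bind_rc_for("", "", 1));
    printf("anonymous, NULL cred (no [0] simple): rc=%d\n", bind_rc_for("", "", 0));
    return 0;
}
```

The well-formed anonymous bind is the 14-byte message 30 0c 02 01 01 60 07 02 01 03 04 00 80 00; dropping the trailing 80 00 gives the 12-byte message the parser rejects. Watching the bytes with a packet capture on port 389 while Asterisk connects is the quickest way to confirm which form the driver is actually sending.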
ldap database backend vs requests
by Ricardo Moreira
Hi there,
I would like to know if, in a database backend, it's possible to know the
request's bound DN on the search call?
What I want is to build a wrapper database backend and integrate the LDAP
protocol with the private protocol used by the backend
authentication/authorization system at my work. Our backend system deals
with authentication/authorization and search in one request; usually our
request is composed of: user + pass + input parameters + attributes (to be
returned).
I appreciate any help!
Regards,
--
:: Ricardo Moreira
15 years, 4 months
[Fwd: 2 identical names in address book]
by Thomas De Reyck
Hello,
I am not sure if this is the correct place to ask this kind of
information, so if I am mistaken, I apologize.
I am quite new to LDAP; however, I have used some applications that
require it and am now a semi-decent OpenLDAP administrator. So, as a
next step, I am trying to program an address book with an LDAP backend.
I have noticed that usually the cn is used as the dn when working with
address book entries. This seems to lead to an interesting conflict
which I need to resolve before I begin to program:
What can be done when one has to import 2 people with an identical
name?
This seems to be irrelevant, since the chances of an identical name are
small, but I for one know 2 people with the same first and last names.
Let's face it: names are not MD5 hashes ;-)...
I guess someone must have thought this over before. How does one
resolve this problem cleanly? Does one use another property? If so,
which one?
I am aware that this might be a very silly question, but I have been
wondering about this for a few days now and Google doesn't seem to
satisfy my need for a solution... :-).
Thanks in advance,
Thomas De Reyck
15 years, 4 months
n-way multi master setup
by Joshua Miller
Good morning,
I am attempting to follow the admin guide in setting up n-way
multi-master replication.
re:
http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
I'm running OpenLDAP 2.4.7, from Buchan Milne's RPMs, DB 4.6 on CentOS 5.1.
I have setup a working directory on both nodes, then removed all data to
start fresh, converting my slapd.conf to a slapd.d with slaptest.
ie,
# /etc/init.d/ldap stop
# rm -rf /var/lib/ldap/*
# slaptest -f slapd.conf -F slapd.d
# /etc/init.d/ldap start
Since I already had cn=config setup from my slapd.conf file, I skipped
that part of the admin guide's instructions. I then modified the
directory with the following LDIF, replacing the URI and credential
values with my environment specific ones:
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldapserver1
olcServerID: 2 ldap://ldapserver2

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldapserver2
  binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldapserver1
  binddn="cn=config" bindmethod=simple
  credentials=secret searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
I received no errors on running the modify command to add the changes
from this LDIF.
I then attempted to make a change and have it replicated, very simple to
start with, using the following LDIF:
dn: cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=256
Once I successfully made this change on ldapserver1, I received the
following errors in the logs of ldapserver2 (continuously repeating):
ldapserver2 slapd2.4[12172]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037
ldapserver2 slapd2.4[12172]: conn=15 op=0 STARTTLS
ldapserver2 slapd2.4[12172]: conn=15 op=0 RESULT oid= err=0 text=
ldapserver2 slapd2.4[12172]: conn=15 fd=17 ACCEPT from
IP=10.12.2.25:4174 (IP=0.0.0.0:389)
ldapserver2 slapd2.4[12172]: conn=15 fd=17 TLS established tls_ssf=256
ssf=256
ldapserver2 slapd2.4[12172]: conn=15 op=1 BIND dn="cn=config" method=128
ldapserver2 slapd2.4[12172]: conn=15 op=1 BIND dn="cn=config"
mech=SIMPLE ssf=0
ldapserver2 slapd2.4[12172]: conn=15 op=1 RESULT tag=97 err=0 text=
ldapserver2 slapd2.4[12172]: conn=15 op=2 SRCH base="cn=config" scope=2
deref=0 filter="(cn=config)"
ldapserver2 slapd2.4[12172]: conn=15 op=2 SEARCH RESULT tag=101 err=0
nentries=1 text=
ldapserver2 slapd2.4[12172]: conn=15 op=3 UNBIND
ldapserver2 slapd2.4[12172]: conn=15 fd=17 closed
ldapserver2 slapd2.4[12172]: olcServerID: value #1: <olcServerID>
unknown factor <80>A<C2>
ldapserver2 slapd2.4[12172]: olcServerID: value #1: <olcServerID>
unknown factor <D0>A<C2>
ldapserver2 slapd2.4[12172]: null_callback : error code 0x50
ldapserver2 slapd2.4[12172]: syncrepl_entry: rid=002 be_modify failed (80)
ldapserver2 slapd2.4[12172]: do_syncrepl: rid=002 retrying (4 retries left)
ldapserver2 slapd2.4[12172]: olcServerID: value #1: <olcServerID>
unknown factor
ldapserver2 slapd2.4[12172]: olcServerID: value #1: <olcServerID>
unknown factor
ldapserver2 slapd2.4[12172]: null_callback : error code 0x50
Any idea what I may have done wrong here?
Thanks!
Josh Miller, RHCE
15 years, 4 months
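An added, complete version of the two-node LDIF for 2.4 (not from the thread) that also mirrors the data database and uses a dedicated replication identity; ldapserver1 and ldapserver2, dc=example,dc=com, olcDatabase={1}hdb, the CA file and the passwords are placeholders. Two points from the 2.4 admin guide are worth checking against the log above: the URL in each olcServerID value must be exactly one of the URLs the respective slapd listens on (its -h argument), because that match is how each node works out which ID is its own; and binddn="cn=config" only works when olcDatabase={0}config carries olcRootDN cn=config and an olcRootPW. The starttls and tls_* keywords are the syncrepl options documented in the 2.4 slapd.conf(5); confirm that the 2.4.7 man page lists them before relying on them.

```ldif
# 1. Identify the members. slapd finds its own ID by matching one of
#    these URLs against its listener URLs, so start each node with
#    -h pointing at exactly the URL given here.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldapserver1
olcServerID: 2 ldap://ldapserver2

# 2. cn=config becomes a provider.
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# 3. Pull cn=config from the peer. starttls=critical aborts rather than
#    send the cn=config password in clear; tls_reqcert=demand makes the
#    peer prove its identity with a certificate signed by our CA.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldapserver1 binddn="cn=config"
  bindmethod=simple credentials=config-secret searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/cacert.pem tls_reqcert=demand
olcSyncRepl: rid=002 provider=ldap://ldapserver2 binddn="cn=config"
  bindmethod=simple credentials=config-secret searchbase="cn=config"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/cacert.pem tls_reqcert=demand
-
add: olcMirrorMode
olcMirrorMode: TRUE

# 4. The data database, mirrored the same way, but bound as a dedicated
#    replication identity instead of the rootdn.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=003 provider=ldap://ldapserver1
  binddn="cn=replicator,dc=example,dc=com" bindmethod=simple
  credentials=replicator-secret searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/cacert.pem tls_reqcert=demand
olcSyncRepl: rid=004 provider=ldap://ldapserver2
  binddn="cn=replicator,dc=example,dc=com" bindmethod=simple
  credentials=replicator-secret searchbase="dc=example,dc=com"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
  starttls=critical tls_cacert=/etc/openldap/cacert.pem tls_reqcert=demand
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
```

Apply the whole file once on each node. Each node's list contains a consumer pointing at itself; slapd skips the entry whose provider matches its own serverID, which is why the same LDIF can be used unchanged on both. cn=replicator,dc=example,dc=com must exist in the data database on both sides, with an olcAccess rule that lets it read every attribute it has to copy, userPassword included, and nothing that lets anyone else read those hashes.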
Remote LDAP servers and parallel queries
by Julien Cassignol
Hi,
I recently tried to build a setup as follows :
Tree : dc=mycompany,dc=com
Subtree 1 : dc=subtree1,dc=mycompany,dc=com
Subtree 2 : dc=subtree2,dc=mycompany,dc=com
Assuming that my needs are to store subtrees 1 and 2 in separate and
remote LDAP servers, I used the LDAP backend.
It worked pretty well, and then I tried to check what the
behaviour was if a link went down, or a remote server was unavailable.
Testing, I saw that if I have a 10 second timeout for each server, and
they're both down, my server spends 20 seconds waiting for the
timeouts. I assume that's because the queries are done sequentially
and not in parallel.
Is there any way to parallelize the queries and build a
"buffer" for each remote backend in order to reconstruct it later,
allowing a user not only to use each remote server, but also to find
which subtree a user belongs to, without having those kinds of problems?
My test case is pretty simple, but as the final implementation I want
to build involves a lot more remote LDAP servers, and as I can't
modify the architecture, I'm wondering what the available
solutions are.
Thanks,
--
Julien Cassignol
15 years, 4 months
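An added example for the two-subtree case (not from the thread; the hostnames and paths are placeholders) using back-meta rather than two glued back-ldap databases. back-meta sends a search to every candidate target as an asynchronous request and then collects the results from all of them, so the waits for unreachable targets overlap instead of adding up, and the proxycache overlay in front of it keeps recent answers locally, which is the "buffer" the question asks about. network-timeout is the slapd-meta(5) keyword from 2.4; on 2.3 check the man page for the timeout directives your build supports.

```conf
# Front end that presents both remote subtrees under one suffix.
database        meta
suffix          "dc=mycompany,dc=com"
# One target per remote server; the naming context after the host is
# the subtree that server holds.
uri             "ldap://ldap1.mycompany.com/dc=subtree1,dc=mycompany,dc=com"
uri             "ldap://ldap2.mycompany.com/dc=subtree2,dc=mycompany,dc=com"
# Seconds to wait for the TCP connect to a target before giving up on it
# (2.4 keyword), so a dead host costs a few seconds, not the full search
# timeout.
network-timeout 5
# Bind to the targets as the user who bound to the proxy, so the remote
# servers' ACLs, not the proxy's identity, decide what each user sees.
rebind-as-user  yes

# Local answer cache: repeated lookups are served here, and an entry
# already cached stays available while its target is down.
overlay         proxycache
# cache backend, max cached entries, number of attribute sets,
# max entries per cached query, consistency check period in seconds
proxycache      bdb 100000 1 1000 100
# Attribute set 0: what is cached for the templates below.
proxyattrset    0 uid cn mail
# Cache answers to (uid=...) and (mail=...) searches for one hour, which
# is how a client finds the subtree a user belongs to without hitting
# every remote server each time.
proxytemplate   (uid=) 0 3600
proxytemplate   (mail=) 0 3600
# Storage for the cache database itself.
directory       /var/lib/ldap/cache
```

Only searches whose filter matches a template and whose requested attributes fit the attribute set are answered from the cache; anything else still goes to the targets. Keep the cache directory as well protected as the real directory, since it holds copies of the cached entries.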