openldap-technical July 2008

openldap-technical@openldap.org

67 participants
78 discussions

VMware and mirror/multimaster
by Dave Horsfall 05 Aug '08

05 Aug '08

Has anyone tried mirroring or multimaster under VMware i.e. are the virtual clocks stable enough? We're starting to use VMware to cut down on the number of physical hosts, but I'd like to use the latest 2.4 features as well. -- Dave Horsfall DTM VK2KFU Ph: +61 2 9552-5509 (direct) +61 2 9552-5500 (switch) Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU

5 11

Creating a "big" database... large LDIF file. automated procedure?
by Brad T Waldorf 04 Aug '08

04 Aug '08

Hi again. Thanks again for your responses to my prior posts. So far, all of my experience with OpenLDAP has been with databases with a minimal number of entries... 200 at the most. I'd like to do some performance experiments with a much larger database, say 10,000 database entries or so. What would you recommend for creating such a database? (Entries don't have to have real, sensible data... maybe the distinguished name is an integer that increases by 1?) Is there an automated way for creating such a database? Thanks,

2 2

Organizational Unit Listing
by Emre Yilmaz 04 Aug '08

04 Aug '08

hi list, We need list to all of organizational unit's in Active Directory with members. Its very important for me. Is there any idea? _________________________________________________________________ Windows Live Spaces – hayatınız, Alanınız. Daha fazlasını öğrenmek için buraya tıklayın. http://get.live.com/spaces/overview

5 5

Replicating between Active Directory and Openldap
by Greg McConnel 01 Aug '08

01 Aug '08

Can anyone refer me to documentation or a site that describes how to replicate user and password information between Active Directory and Openldap. I have found a number of sites but most are a few years old and none seem to provide the necessary instructions and tools. Thanks!

2 1

Re: Understanding TLS SSF
by J Davis 31 Jul '08

31 Jul '08

That was it. I'm using 2.4.11 now compiled against openssl and it's working. Thanks! -Jake On Wed, Jul 30, 2008 at 7:36 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > I doubt that's the SSL that OpenLDAP is compiled against. It looks to me > like it is compiled against GnuTLS, and likely affected by ITS#5585, which > was fixed in OpenLDAP 2.4.11. If that's correct, then the real TLS value > is 256. Have you actually run ldd on slapd to see what libraries it is > linked against for SSL? > > --Quanah > > > --On Wednesday, July 30, 2008 1:16 PM -0400 J Davis <mrsalty0(a)gmail.com> > wrote: > > >> Openssl 0.9.8g-4ubuntu3.3 >> >> Thanks, >> -Jake >> >> >> On Wed, Jul 30, 2008 at 12:02 PM, Buchan Milne >> <bgmilne(a)staff.telkomsa.net> wrote: >> >> >> >> >> On Wednesday 30 July 2008 15:59:52 J Davis wrote: >> >>> Greetings, >>> >>> I'm testing an installation of openldap 2.4.9. I want to enforce TLS for >>> all access to the directory. >>> My problem is that I cannot get the client to meet the ssf restictions I >>> have in place. The documentation I've seen on ssf and tls_ssf is very >>> sparse so I don't really understand what it does. >>> >>> I'm using self signed cert created using the openssl CA.sh script. >>> >>> Relevant portions of the slapd.conf... >>> >>> TLSCACertificateFile /etc/ldap/ssl/cacert.pem >>> TLSCertificateFile /etc/ldap/ssl/servercrt.pem >>> TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem >>> ... >>> access to * >>> by tls_ssf=128 ssf=128 anonymous auth >>> by tls_ssf=128 ssf=128 self write >>> >>> Relevant portions of the lapd.conf... >>> >>> TLS_CACERT /etc/ldap/ssl/cacert.pem >>> >>> With those ACLs in place I get the following error: >>> >>> $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b >>> "uid=jake,ou=people,dc=example,dc=com" >>> ldap_bind: Invalid credentials (49) >>> >>> And slapd in debug mode shows me that I didn't meet the ssf >>> requirments... >>> >>> connection_read(15): unable to get TLS client DN, error=49 id=0 >>> conn=0 fd=15 TLS established tls_ssf=32 ssf=32 >>> ... >>> <= check a_authz.sai_tls_ssf: ACL 128 > OP 32 >>> >> >> What ssl implementation is your slapd using ? >> >> >> >> > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

Re: translucent overlay with local-only entries
by Sven Ulland 31 Jul '08

31 Jul '08

Gavin Henry wrote: > Did you read the man page? man slapo-translucent I did, but the significance of translucent_local and _remote didn't strike me. Unfortunately it seems that enabling local+remote searching doesn't change the result. I must have a silly bug in my configuration, but I cannot figure out where. Various combinations of translucent_local and _remote give different, but consistent, results: neither local nor remote: only remote entries returned local only: no entries returned remote only: only remote entries returned local and remote: only remote entries returned I use the following in my slapd.conf[1]: translucent_remote uid translucent_local uid The databases on each host seem fine. The main ldap directory contains an ou with a single uid[2]; the branch extension directory contains one attribute modification and one local-only entry[3]. I ran a full debug with 'translucent_local uid' in the configuration file: slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d 65535 The search command I use: ldapsearch -x -W -D 'cn=branchadmin,dc=branch,dc=example,dc=com' \ -H ldap://localhost -b 'dc=example,dc=com' -LLL 'uid=*' uid The output[5] seems to show (on lines 523 and 615, for example), that uid=barney is found, but I'm not able to determine why it is not returned to the client. I also dumped the network packets to verify that uid=barney was not retured. It wasn't. sven [1] Entire /etc/ldap/slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/autofs.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_bdb moduleload back_ldap moduleload translucent sizelimit 500 tool-threads 1 backend bdb backend ldap database bdb directory /var/lib/ldap/translucent4 suffix "dc=example,dc=com" rootdn "cn=branchadmin,dc=branch,dc=example,dc=com" rootpw "admin" index objectclass eq index uid eq,sub lastmod off overlay translucent translucent_remote uid translucent_local uid uri "ldap://172.27.27.37" idassert-bind bindmethod=simple binddn="cn=mainadmin,dc=example,dc=com" credentials="admin" mode=none #end [2] slapcat on main ldap: dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization dc: example o: Simple example structuralObjectClass: organization dn: cn=mainadmin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: mainadmin description: LDAP administrator userPassword:: e2NyeXB0fTRUT2NoeFV0M3AyUEU= structuralObjectClass: organizationalRole dn: ou=People,dc=example,dc=com ou: People objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: uid=andrew,ou=People,dc=example,dc=com uid: andrew cn: Andrew sn: Andrewson uidNumber: 401 gidNumber: 501 homeDirectory: /home/andrew structuralObjectClass: person objectClass: person objectClass: posixAccount #end [3] slapcat on local branch, after a) one modification of existing 'description' field for uid=andrew, and b) one new local-only entry for uid=barney. dn: dc=example,dc=com structuralObjectClass: glue objectClass: top objectClass: glue dn: ou=people,dc=example,dc=com structuralObjectClass: glue objectClass: top objectClass: glue dn: uid=andrew,ou=People,dc=example,dc=com description: changed on branch only dn: uid=barney,ou=People,dc=example,dc=com uid: barney cn: Barney sn: Barneyson uidNumber: 402 gidNumber: 502 homeDirectory: /home/barney objectClass: person objectClass: posixAccount description: only exists on branch #end [4] slapd debug output. 1 @(#) $OpenLDAP: slapd 2.4.10 (Jul 17 2008 14:44:35) $ 2 buildd@ninsei:/build/buildd/openldap-2.4.10/debian/build/servers/slapd 3 ldap_pvt_gethostbyname_a: host=debian, r=0 4 daemon_init: <null> 5 daemon_init: listen on ldap:/// 6 daemon_init: 1 listeners to open... 7 ldap_url_parse_ext(ldap:///) 8 daemon: listener initialized ldap:/// 9 daemon_init: 2 listeners opened 10 ldap_create 11 slapd init: initiated server. 12 slap_sasl_init: initialized! 13 reading config file /etc/ldap/slapd.conf 14 line 1 (include /etc/ldap/schema/core.schema) 15 reading config file /etc/ldap/schema/core.schema [several lines of schema debugging removed] 208 line 7 (pidfile /var/run/slapd/slapd.pid) 209 line 8 (argsfile /var/run/slapd/slapd.args) 210 line 9 (loglevel none) 211 line 11 (modulepath /usr/lib/ldap) 212 line 12 (moduleload back_bdb) 213 loaded module back_bdb 214 bdb_back_initialize: initialize BDB backend 215 bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003) 216 module back_bdb: null module registered 217 line 13 (moduleload back_ldap) 218 loaded module back_ldap 219 module back_ldap: null module registered 220 line 14 (moduleload translucent) 221 loaded module translucent 222 ==> translucent_initialize 223 module translucent: null module registered 224 line 16 (sizelimit 500) 225 line 17 (tool-threads 1) 226 line 19 (backend bdb) 227 line 20 (backend ldap) 228 line 22 (database bdb) 229 bdb_db_init: Initializing BDB database 230 line 23 (directory /var/lib/ldap/translucent4) 231 line 24 (suffix "dc=example,dc=com") 232 >>> dnPrettyNormal: <dc=example,dc=com> 233 => ldap_bv2dn(dc=example,dc=com,0) 234 <= ldap_bv2dn(dc=example,dc=com)=0 235 => ldap_dn2bv(272) 236 <= ldap_dn2bv(dc=example,dc=com)=0 237 => ldap_dn2bv(272) 238 <= ldap_dn2bv(dc=example,dc=com)=0 239 <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> 240 line 25 (rootdn "cn=branchadmin,dc=branch,dc=example,dc=com") 241 >>> dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com> 242 => ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com,0) 243 <= ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com)=0 244 => ldap_dn2bv(272) 245 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0 246 => ldap_dn2bv(272) 247 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0 248 <<< dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com>, <cn=branchadmin,dc=branch,dc=example,dc=com> 249 line 26 (rootpw ***) 250 line 27 (index objectclass eq) 251 index objectClass 0x0004 252 line 28 (index uid eq,sub) 253 index uid 0x0714 254 line 29 (lastmod off) 255 line 31 (overlay translucent) 256 ==> translucent_db_init 257 line 32 (translucent_local uid) 258 line 33 (uri "ldap://172.27.27.37") 259 ==> translucent_db_config: uri 260 ldap_url_parse_ext(ldap://172.27.27.37) 261 line 38 (idassert-bind ***) 262 ==> translucent_db_config: idassert-bind 263 >>> dnNormalize: <cn=mainadmin,dc=example,dc=com> 264 => ldap_bv2dn(cn=mainadmin,dc=example,dc=com,0) 265 <= ldap_bv2dn(cn=mainadmin,dc=example,dc=com)=0 266 => ldap_dn2bv(272) 267 <= ldap_dn2bv(cn=mainadmin,dc=example,dc=com)=0 268 <<< dnNormalize: <cn=mainadmin,dc=example,dc=com> 269 >>> dnNormalize: <cn=Subschema> 270 => ldap_bv2dn(cn=Subschema,0) 271 <= ldap_bv2dn(cn=Subschema)=0 272 => ldap_dn2bv(272) 273 <= ldap_dn2bv(cn=subschema)=0 274 <<< dnNormalize: <cn=subschema> 275 matching_rule_use_init [schema lines omitted] 302 slapd startup: initiated. 303 backend_startup_one: starting "cn=config" 304 config_back_db_open 305 config_build_entry: "cn=config" 306 config_build_entry: "cn=module{0}" 307 config_build_entry: "cn=schema" 308 config_build_entry: "cn={0}core" 309 config_build_entry: "cn={1}cosine" 310 config_build_entry: "cn={2}nis" 311 config_build_entry: "cn={3}inetorgperson" 312 config_build_entry: "cn={4}autofs" 313 config_build_entry: "olcDatabase={-1}frontend" 314 config_build_entry: "olcDatabase={0}config" 315 config_build_entry: "olcDatabase={1}bdb" 316 config_build_entry: "olcOverlay={0}translucent" 317 ==> translucent_cfadd 318 config_build_entry: "olcDatabase=ldap" 319 backend_startup_one: starting "dc=example,dc=com" 320 bdb_db_open: "dc=example,dc=com" 321 bdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap/translucent4). 322 ==> translucent_db_open 323 backend_startup_one: starting "dc=example,dc=com" 324 ldap_back_db_open: URI=ldap://172.27.27.37 325 slapd starting 326 daemon: added 4r listener=(nil) 327 daemon: added 7r listener=0x82f6068 328 daemon: added 8r listener=0x82f6130 329 daemon: epoll: listen=7 active_threads=0 tvp=NULL 330 daemon: epoll: listen=8 active_threads=0 tvp=NULL 331 daemon: activity on 1 descriptor 332 daemon: activity on: 333 daemon: epoll: listen=7 active_threads=0 tvp=NULL 334 daemon: epoll: listen=8 active_threads=0 tvp=NULL 335 daemon: activity on 1 descriptor 336 daemon: activity on: 337 slap_listener_activate(8): 338 >>> slap_listener(ldap:///) 339 daemon: listen=8, new connection on 13 340 daemon: added 13r (active) listener=(nil) 341 conn=0 fd=13 ACCEPT from IP=127.0.0.1:51638 (IP=0.0.0.0:389) 342 daemon: epoll: listen=7 active_threads=0 tvp=NULL 343 daemon: epoll: listen=8 active_threads=0 tvp=NULL 344 daemon: activity on 1 descriptor 345 daemon: activity on: 346 daemon: epoll: listen=7 active_threads=0 tvp=NULL 347 daemon: epoll: listen=8 active_threads=0 tvp=NULL 348 daemon: activity on 1 descriptor 349 daemon: activity on: 13r 350 daemon: read active on 13 351 daemon: epoll: listen=7 active_threads=0 tvp=NULL 352 daemon: epoll: listen=8 active_threads=0 tvp=NULL 353 connection_get(13) 354 connection_get(13): got connid=0 355 connection_read(13): checking for input on id=0 356 ber_get_next 357 ldap_read: want=8, got=8 358 0000: 30 3b 02 01 01 60 36 02 0;...`6. 359 ldap_read: want=53, got=53 360 0000: 01 03 04 2a 63 6e 3d 62 72 61 6e 63 68 61 64 6d ...*cn=branchadm 361 0010: 69 6e 2c 64 63 3d 62 72 61 6e 63 68 2c 64 63 3d in,dc=branch,dc= 362 0020: 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 example,dc=com.. 363 0030: 61 64 6d 69 6e admin 364 ber_get_next: tag 0x30 len 59 contents: 365 ber_dump: buf=0x83a9dd8 ptr=0x83a9dd8 end=0x83a9e13 len=59 366 0000: 02 01 01 60 36 02 01 03 04 2a 63 6e 3d 62 72 61 ...`6....*cn=bra 367 0010: 6e 63 68 61 64 6d 69 6e 2c 64 63 3d 62 72 61 6e nchadmin,dc=bran 368 0020: 63 68 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 ch,dc=example,dc 369 0030: 3d 63 6f 6d 80 05 61 64 6d 69 6e =com..admin 370 ber_get_next 371 ldap_read: want=8 error=Resource temporarily unavailable 372 conn=0 op=0 do_bind 373 ber_scanf fmt ({imt) ber: 374 ber_dump: buf=0x83a9dd8 ptr=0x83a9ddb end=0x83a9e13 len=56 375 0000: 60 36 02 01 03 04 2a 63 6e 3d 62 72 61 6e 63 68 `6....*cn=branch 376 0010: 61 64 6d 69 6e 2c 64 63 3d 62 72 61 6e 63 68 2c admin,dc=branch, 377 0020: 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f dc=example,dc=co 378 0030: 6d 80 05 61 64 6d 69 6e m..admin 379 ber_scanf fmt (m}) ber: 380 ber_dump: buf=0x83a9dd8 ptr=0x83a9e0c end=0x83a9e13 len=7 381 0000: 00 05 61 64 6d 69 6e ..admin 382 >>> dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com> 383 => ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com,0) 384 <= ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com)=0 385 => ldap_dn2bv(272) 386 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0 387 => ldap_dn2bv(272) 388 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0 389 <<< dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com>, <cn=branchadmin,dc=branch,dc=example,dc=com> 390 conn=0 op=0 BIND dn="cn=branchadmin,dc=branch,dc=example,dc=com" method=128 391 do_bind: version=3 dn="cn=branchadmin,dc=branch,dc=example,dc=com" method=128 392 translucent_bind: <cn=branchadmin,dc=branch,dc=example,dc=com> method 128 393 conn=0 op=0: rootdn="cn=branchadmin,dc=branch,dc=example,dc=com" bind succeeded 394 conn=0 op=0 BIND dn="cn=branchadmin,dc=branch,dc=example,dc=com" mech=SIMPLE ssf=0 395 do_bind: v3 bind: "cn=branchadmin,dc=branch,dc=example,dc=com" to "cn=branchadmin,dc=branch,dc=example,dc=com" 396 send_ldap_result: conn=0 op=0 p=3 397 send_ldap_result: err=0 matched="" text="" 398 send_ldap_response: msgid=1 tag=97 err=0 399 ber_flush2: 14 bytes to sd 13 400 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ 401 ldap_write: want=14, written=14 402 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ 403 conn=0 op=0 RESULT tag=97 err=0 text= 404 daemon: activity on 1 descriptor 405 daemon: activity on: 406 daemon: epoll: listen=7 active_threads=0 tvp=NULL 407 daemon: epoll: listen=8 active_threads=0 tvp=NULL 408 daemon: activity on 1 descriptor 409 daemon: activity on: 13r 410 daemon: read active on 13 411 daemon: epoll: listen=7 active_threads=0 tvp=NULL 412 daemon: epoll: listen=8 active_threads=0 tvp=NULL 413 connection_get(13) 414 connection_get(13): got connid=0 415 connection_read(13): checking for input on id=0 416 ber_get_next 417 ldap_read: want=8, got=8 418 0000: 30 33 02 01 02 63 2e 04 03...c.. 419 ldap_read: want=45, got=45 420 0000: 11 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 .dc=example,dc=c 421 0010: 6f 6d 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 om.............. 422 0020: 00 87 03 75 69 64 30 05 04 03 75 69 64 ...uid0...uid 423 ber_get_next: tag 0x30 len 51 contents: 424 ber_dump: buf=0x83aa218 ptr=0x83aa218 end=0x83aa24b len=51 425 0000: 02 01 02 63 2e 04 11 64 63 3d 65 78 61 6d 70 6c ...c...dc=exampl 426 0010: 65 2c 64 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 e,dc=com........ 427 0020: 00 02 01 00 01 01 00 87 03 75 69 64 30 05 04 03 .........uid0... 428 0030: 75 69 64 uid 429 ber_get_next 430 ldap_read: want=8 error=Resource temporarily unavailable 431 conn=0 op=1 do_search 432 ber_scanf fmt ({miiiib) ber: 433 ber_dump: buf=0x83aa218 ptr=0x83aa21b end=0x83aa24b len=48 434 0000: 63 2e 04 11 64 63 3d 65 78 61 6d 70 6c 65 2c 64 c...dc=example,d 435 0010: 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 00 02 01 c=com........... 436 0020: 00 01 01 00 87 03 75 69 64 30 05 04 03 75 69 64 ......uid0...uid 437 >>> dnPrettyNormal: <dc=example,dc=com> 438 => ldap_bv2dn(dc=example,dc=com,0) 439 <= ldap_bv2dn(dc=example,dc=com)=0 440 => ldap_dn2bv(272) 441 <= ldap_dn2bv(dc=example,dc=com)=0 442 => ldap_dn2bv(272) 443 <= ldap_dn2bv(dc=example,dc=com)=0 444 <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> 445 SRCH "dc=example,dc=com" 2 0 0 0 0 446 begin get_filter 447 PRESENT 448 ber_scanf fmt (m) ber: 449 ber_dump: buf=0x83aa218 ptr=0x83aa23f end=0x83aa24b len=12 450 0000: 87 03 75 69 64 30 05 04 03 75 69 64 ..uid0...uid 451 end get_filter 0 452 filter: (uid=*) 453 ber_scanf fmt ({M}}) ber: 454 ber_dump: buf=0x83aa218 ptr=0x83aa244 end=0x83aa24b len=7 455 0000: 00 05 04 03 75 69 64 ....uid 456 attrs: uid 457 conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=*)" 458 conn=0 op=1 SRCH attr=uid 459 ==> translucent_search: <dc=example,dc=com> (uid=*) 460 => bdb_search 461 bdb_dn2entry("dc=example,dc=com") 462 => bdb_dn2id("dc=example,dc=com") 463 <= bdb_dn2id: got id=0x1 464 entry_decode: "dc=example,dc=com" 465 <= entry_decode(dc=example,dc=com) 466 => access_allowed: search access to "dc=example,dc=com" "entry" requested 467 <= root access granted 468 => access_allowed: search access granted by manage(=mwrscxd) 469 search_candidates: base="dc=example,dc=com" (0x00000001) scope=2 470 => bdb_dn2idl("dc=example,dc=com") 471 => bdb_filter_candidates 472 AND 473 => bdb_list_candidates 0xa0 474 => bdb_filter_candidates 475 OR 476 => bdb_list_candidates 0xa1 477 => bdb_filter_candidates 478 EQUALITY 479 => bdb_equality_candidates (objectClass) 480 daemon: activity on 1 descriptor 481 daemon: activity on: 482 daemon: epoll: listen=7 active_threads=0 tvp=NULL 483 daemon: epoll: listen=8 active_threads=0 tvp=NULL 484 => key_read 485 bdb_idl_fetch_key: [b49d1940] 486 <= bdb_index_read: failed (-30990) 487 <= bdb_equality_candidates: id=0, first=0, last=0 488 <= bdb_filter_candidates: id=0 first=0 last=0 489 => bdb_filter_candidates 490 PRESENT 491 => bdb_presence_candidates (uid) 492 <= bdb_presence_candidates: (uid) not indexed 493 <= bdb_filter_candidates: id=-1 first=1 last=4 494 <= bdb_list_candidates: id=-1 first=1 last=4 495 <= bdb_filter_candidates: id=-1 first=1 last=4 496 <= bdb_list_candidates: id=-1 first=1 last=4 497 <= bdb_filter_candidates: id=-1 first=1 last=4 498 bdb_search_candidates: id=-1 first=1 last=4 499 entry_decode: "ou=people,dc=example,dc=com" 500 <= entry_decode(ou=people,dc=example,dc=com) 501 => bdb_dn2id("ou=people,dc=example,dc=com") 502 <= bdb_dn2id: got id=0x2 503 entry_decode: "uid=andrew,ou=People,dc=example,dc=com" 504 <= entry_decode(uid=andrew,ou=People,dc=example,dc=com) 505 => bdb_dn2id("uid=andrew,ou=people,dc=example,dc=com") 506 <= bdb_dn2id: got id=0x3 507 is_entry_objectclass("uid=andrew,ou=People,dc=example,dc=com", "2.5.17.0") no objectClass attribute 508 is_entry_objectclass("uid=andrew,ou=People,dc=example,dc=com", "2.16.840.1.113730.3.2.6") no objectClass attribute 509 is_entry_objectclass("uid=andrew,ou=People,dc=example,dc=com", "1.3.6.1.4.1.4203.666.3.4") no objectClass attribute 510 => test_filter 511 PRESENT 512 => access_allowed: search access to "uid=andrew,ou=People,dc=example,dc=com" "uid" requested 513 <= root access granted 514 => access_allowed: search access granted by manage(=mwrscxd) 515 <= test_filter 5 516 bdb_search: 3 does not match filter 517 entry_decode: "uid=barney,ou=People,dc=example,dc=com" 518 <= entry_decode(uid=barney,ou=People,dc=example,dc=com) 519 => bdb_dn2id("uid=barney,ou=people,dc=example,dc=com") 520 <= bdb_dn2id: got id=0x4 521 => test_filter 522 PRESENT 523 => access_allowed: search access to "uid=barney,ou=People,dc=example,dc=com" "uid" requested 524 <= root access granted 525 => access_allowed: search access granted by manage(=mwrscxd) 526 <= test_filter 6 527 ==> translucent_search_cb: uid=barney,ou=People,dc=example,dc=com 528 ldap_create 529 ldap_url_parse_ext(ldap://172.27.27.37) 530 =>ldap_back_getconn: conn=0 op=1: lc=0x83ab8c8 inserted refcnt=1 rc=0 531 ldap_sasl_bind 532 ldap_send_initial_request 533 ldap_new_connection 1 1 0 534 ldap_int_open_connection 535 ldap_connect_to_host: TCP 172.27.27.37:389 536 ldap_new_socket: 16 537 ldap_prepare_socket: 16 538 ldap_connect_to_host: Trying 172.27.27.37:389 539 ldap_pvt_connect: fd: 16 tm: -1 async: 0 540 ldap_open_defconn: successful 541 ldap_send_server_request 542 ber_scanf fmt ({it) ber: 543 ber_dump: buf=0x83b3b90 ptr=0x83b3b90 end=0x83b3bc1 len=49 544 0000: 30 2f 02 01 01 60 2a 02 01 03 04 1e 63 6e 3d 6d 0/...`*.....cn=m 545 0010: 61 69 6e 61 64 6d 69 6e 2c 64 63 3d 65 78 61 6d ainadmin,dc=exam 546 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 61 64 6d 69 ple,dc=com..admi 547 0030: 6e n 548 ber_scanf fmt ({i) ber: 549 ber_dump: buf=0x83b3b90 ptr=0x83b3b95 end=0x83b3bc1 len=44 550 0000: 60 2a 02 01 03 04 1e 63 6e 3d 6d 61 69 6e 61 64 `*.....cn=mainad 551 0010: 6d 69 6e 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 min,dc=example,d 552 0020: 63 3d 63 6f 6d 80 05 61 64 6d 69 6e c=com..admin 553 ber_flush2: 49 bytes to sd 16 554 0000: 30 2f 02 01 01 60 2a 02 01 03 04 1e 63 6e 3d 6d 0/...`*.....cn=m 555 0010: 61 69 6e 61 64 6d 69 6e 2c 64 63 3d 65 78 61 6d ainadmin,dc=exam 556 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 61 64 6d 69 ple,dc=com..admi 557 0030: 6e n 558 ldap_write: want=49, written=49 559 0000: 30 2f 02 01 01 60 2a 02 01 03 04 1e 63 6e 3d 6d 0/...`*.....cn=m 560 0010: 61 69 6e 61 64 6d 69 6e 2c 64 63 3d 65 78 61 6d ainadmin,dc=exam 561 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 61 64 6d 69 ple,dc=com..admi 562 0030: 6e n 563 ldap_result ld 0x83ab908 msgid 1 564 wait4msg ld 0x83ab908 msgid 1 (timeout 100000 usec) 565 wait4msg continue ld 0x83ab908 msgid 1 all 1 566 ** ld 0x83ab908 Connections: 567 * host: 172.27.27.37 port: 389 (default) 568 refcnt: 2 status: Connected 569 last used: Wed Jul 30 14:50:54 2008 570 ** ld 0x83ab908 Outstanding Requests: 571 * msgid 1, origid 1, status InProgress 572 outstanding referrals 0, parent count 0 573 ld 0x83ab908 request count 1 (abandoned 0) 574 ** ld 0x83ab908 Response Queue: 575 Empty 576 ld 0x83ab908 response count 0 577 ldap_chkResponseList ld 0x83ab908 msgid 1 all 1 578 ldap_chkResponseList returns ld 0x83ab908 NULL 579 ldap_int_select 580 read1msg: ld 0x83ab908 msgid 1 all 1 581 ber_get_next 582 ldap_read: want=8, got=8 583 0000: 30 0c 02 01 01 61 07 0a 0....a.. 584 ldap_read: want=6, got=6 585 0000: 01 00 04 00 04 00 ...... 586 ber_get_next: tag 0x30 len 12 contents: 587 ber_dump: buf=0x83b4d08 ptr=0x83b4d08 end=0x83b4d14 len=12 588 0000: 02 01 01 61 07 0a 01 00 04 00 04 00 ...a........ 589 read1msg: ld 0x83ab908 msgid 1 message type bind 590 ber_scanf fmt ({eAA) ber: 591 ber_dump: buf=0x83b4d08 ptr=0x83b4d0b end=0x83b4d14 len=9 592 0000: 61 07 0a 01 00 04 00 04 00 a........ 593 read1msg: ld 0x83ab908 0 new referrals 594 read1msg: mark request completed, ld 0x83ab908 msgid 1 595 request done: ld 0x83ab908 msgid 1 596 res_errno: 0, res_error: <>, res_matched: <> 597 ldap_free_request (origid 1, msgid 1) 598 ldap_free_connection 0 1 599 ldap_free_connection: refcnt 1 600 ldap_parse_result 601 ber_scanf fmt ({iAA) ber: 602 ber_dump: buf=0x83b4d08 ptr=0x83b4d0b end=0x83b4d14 len=9 603 0000: 61 07 0a 01 00 04 00 04 00 a........ 604 ber_scanf fmt (}) ber: 605 ber_dump: buf=0x83b4d08 ptr=0x83b4d14 end=0x83b4d14 len=0 606 ldap_msgfree 607 ldap_search_ext 608 put_filter: "(objectclass=*)" 609 put_filter: simple 610 put_simple_filter: "objectclass=*" 611 ldap_build_search_req ATTRS: * 612 ldap_send_initial_request 613 ldap_send_server_request 614 ber_scanf fmt ({it) ber: 615 ber_dump: buf=0x83b3b90 ptr=0x83b3b90 end=0x83b3bdd len=77 616 0000: 30 4b 02 01 02 63 46 04 26 75 69 64 3d 62 61 72 0K...cF.&uid=bar 617 0010: 6e 65 79 2c 6f 75 3d 70 65 6f 70 6c 65 2c 64 63 ney,ou=people,dc 618 0020: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 0a =example,dc=com. 619 0030: 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b ................ 620 0040: 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 objectclass0. 621 ber_scanf fmt ({) ber: 622 ber_dump: buf=0x83b3b90 ptr=0x83b3b95 end=0x83b3bdd len=72 623 0000: 63 46 04 26 75 69 64 3d 62 61 72 6e 65 79 2c 6f cF.&uid=barney,o 624 0010: 75 3d 70 65 6f 70 6c 65 2c 64 63 3d 65 78 61 6d u=people,dc=exam 625 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 0a 01 00 0a 01 00 ple,dc=com...... 626 0030: 02 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 ...........objec 627 0040: 74 63 6c 61 73 73 30 00 tclass0. 628 ber_flush2: 77 bytes to sd 16 629 0000: 30 4b 02 01 02 63 46 04 26 75 69 64 3d 62 61 72 0K...cF.&uid=bar 630 0010: 6e 65 79 2c 6f 75 3d 70 65 6f 70 6c 65 2c 64 63 ney,ou=people,dc 631 0020: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 0a =example,dc=com. 632 0030: 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b ................ 633 0040: 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 objectclass0. 634 ldap_write: want=77, written=77 635 0000: 30 4b 02 01 02 63 46 04 26 75 69 64 3d 62 61 72 0K...cF.&uid=bar 636 0010: 6e 65 79 2c 6f 75 3d 70 65 6f 70 6c 65 2c 64 63 ney,ou=people,dc 637 0020: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 0a =example,dc=com. 638 0030: 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b ................ 639 0040: 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 objectclass0. 640 ldap_result ld 0x83ab908 msgid 2 641 wait4msg ld 0x83ab908 msgid 2 (infinite timeout) 642 wait4msg continue ld 0x83ab908 msgid 2 all 1 643 ** ld 0x83ab908 Connections: 644 * host: 172.27.27.37 port: 389 (default) 645 refcnt: 2 status: Connected 646 last used: Wed Jul 30 14:50:54 2008 647 ** ld 0x83ab908 Outstanding Requests: 648 * msgid 2, origid 2, status InProgress 649 outstanding referrals 0, parent count 0 650 ld 0x83ab908 request count 1 (abandoned 0) 651 ** ld 0x83ab908 Response Queue: 652 Empty 653 ld 0x83ab908 response count 0 654 ldap_chkResponseList ld 0x83ab908 msgid 2 all 1 655 ldap_chkResponseList returns ld 0x83ab908 NULL 656 ldap_int_select 657 read1msg: ld 0x83ab908 msgid 2 all 1 658 ber_get_next 659 ldap_read: want=8, got=8 660 0000: 30 27 02 01 02 65 22 0a 0'...e". 661 ldap_read: want=33, got=33 662 0000: 01 20 04 1b 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 . ..ou=People,dc 663 0010: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 04 =example,dc=com. 664 0020: 00 . 665 ber_get_next: tag 0x30 len 39 contents: 666 ber_dump: buf=0x83b4d38 ptr=0x83b4d38 end=0x83b4d5f len=39 667 0000: 02 01 02 65 22 0a 01 20 04 1b 6f 75 3d 50 65 6f ...e".. ..ou=Peo 668 0010: 70 6c 65 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 ple,dc=example,d 669 0020: 63 3d 63 6f 6d 04 00 c=com.. 670 read1msg: ld 0x83ab908 msgid 2 message type search-result 671 ber_scanf fmt ({eAA) ber: 672 ber_dump: buf=0x83b4d38 ptr=0x83b4d3b end=0x83b4d5f len=36 673 0000: 65 22 0a 01 20 04 1b 6f 75 3d 50 65 6f 70 6c 65 e".. ..ou=People 674 0010: 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 ,dc=example,dc=c 675 0020: 6f 6d 04 00 om.. 676 read1msg: ld 0x83ab908 0 new referrals 677 read1msg: mark request completed, ld 0x83ab908 msgid 2 678 request done: ld 0x83ab908 msgid 2 679 res_errno: 32, res_error: <>, res_matched: <ou=People,dc=example,dc=com> 680 ldap_free_request (origid 2, msgid 2) 681 ldap_free_connection 0 1 682 ldap_free_connection: refcnt 1 683 ldap_parse_result 684 ber_scanf fmt ({iAA) ber: 685 ber_dump: buf=0x83b4d38 ptr=0x83b4d3b end=0x83b4d5f len=36 686 0000: 65 22 0a 01 20 04 1b 6f 75 3d 50 65 6f 70 6c 65 e".. ..ou=People 687 0010: 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 ,dc=example,dc=c 688 0020: 6f 6d 04 00 om.. 689 ber_scanf fmt (}) ber: 690 ber_dump: buf=0x83b4d38 ptr=0x83b4d5f end=0x83b4d5f len=0 691 ldap_msgfree 692 send_ldap_result: conn=0 op=1 p=3 693 send_ldap_result: err=0 matched="" text="" 694 send_ldap_response: msgid=2 tag=101 err=0 695 ber_flush2: 14 bytes to sd 13 696 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........ 697 ldap_write: want=14, written=14 698 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........ 699 conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= 700 daemon: activity on 1 descriptor 701 daemon: activity on: 13r 702 daemon: read active on 13 703 daemon: epoll: listen=7 active_threads=0 tvp=NULL 704 daemon: epoll: listen=8 active_threads=0 tvp=NULL 705 connection_get(13) 706 connection_get(13): got connid=0 707 connection_read(13): checking for input on id=0 708 ber_get_next 709 ldap_read: want=8, got=7 710 0000: 30 05 02 01 03 42 00 0....B. 711 ber_get_next: tag 0x30 len 5 contents: 712 ber_dump: buf=0x834fca0 ptr=0x834fca0 end=0x834fca5 len=5 713 0000: 02 01 03 42 00 ...B. 714 ber_get_next 715 ldap_read: want=8, got=0 716 ber_get_next on fd 13 failed errno=0 (Success) 717 connection_read(13): input error=-2 id=0, closing. 718 connection_closing: readying conn=0 sd=13 for close 719 daemon: activity on 1 descriptor 720 daemon: activity on: 721 daemon: epoll: listen=7 active_threads=0 tvp=NULL 722 daemon: epoll: listen=8 active_threads=0 tvp=NULL 723 connection_close: deferring conn=0 sd=13 724 conn=0 op=2 do_unbind 725 conn=0 op=2 UNBIND 726 connection_resched: attempting closing conn=0 sd=13 727 connection_close: conn=0 sd=13 728 translucent_connection_destroy 729 =>ldap_back_conn_destroy: fetching conn 0 730 daemon: removing 13 731 conn=0 fd=13 closed #end

1 0

FTP authentication against openldap
by Aravind Arjunan 31 Jul '08

31 Jul '08

hi, I had configured openldap in RHEL 5 and all my users are in ldap database. My FTP want to authenticate with my ldap users. how to do that, plz help me with this issue. Guide me with any link to configure FTP authentication with ldap.

2 1

slapd 2.4.10 and replication
by Christophe Thibault 31 Jul '08

31 Jul '08

Hi, I have two 2.4.10 slapd servers running on two machines, and I'm trying to setup replication. My problem is that the master dies when the slave try to connect to it (segmentation fault). I don't know where to search, so any help or idea is welcome :) * master configuration: ... syncprov-checkpoint 100 100 syncprov-sessionlog 100 ... * slave configuration: ... syncrepl rid=002 provider=ldap://172.16.0.3 type=refreshOnly interval=00:00:03:00 searchbase="dc=mycorp,dc=com" filter="(objectClass=*)" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=Manager,dc=mycorp,dc=com" credentials=xxxxxx retry="60 +" ... Thanks, chris -- Christophe THIBAULT - Planisware 102 Rue Etienne Dolet 92247 Malakoff Cedex France http://www.planisware.com

2 2

Re: Autofs-OpenLDAP Assistance
by Santosh Balan 31 Jul '08

31 Jul '08

Hi Buchan, The below settings you are saying are to be done on client side. But how would you configure seetings in ldap or the server side. How would the ldif files look like. Also I need it to communicate and authenticate for my qmail users. And my qmail users mails are stored in the /home partition of the Mail server. Then will it not conflict with my mail server's and login user's partition. How will I over come this issue. Can you please revert on the same. Anyways thanks for your reply. Thanks and Regards Santosh Balan +91-9819419509 > ----- Original Message ----- > From: "Buchan Milne" <bgmilne(a)staff.telkomsa.net> > To: openldap-technical(a)openldap.org > Subject: Re: Autofs-OpenLDAP Assistance > Date: Wed, 30 Jul 2008 11:54:25 +0200 > > > On Tuesday 29 July 2008 20:19:33 Sven Ulland wrote: > > Santosh Balan wrote: > > > Can you please guide and provide some appropriate doccumentation or > > > method as how I hv to go about with the installation of OpenLDAP and > > > autofs such that it will authenticate my users and automatically > > > mounts the users partition. > > Depending on how your infrastructure is set up, you could get home directories > automounted for every user with a single automount (wildcard) rule. Unless you > give more details, it is difficult to know how you are associating the need > for home directories and automount rules. > > > To use ldap for login, you need to get nsswitch and pam to talk ldap. > > It is easily done by installing libnss-ldapd (or libnss-ldap -- they > > are functionally equivalent) and libpam-ldap. Package names are likely > > to be different on your platform -- these are from Debian. > > > > First change /etc/nsswitch.conf so that it reads something like this: > > > > passwd: compat ldap > > group: compat ldap > > shadow: compat ldap > > I would avoid compat unless you actually require the features. See the > discussion of compat in nsswitch.conf(5). Additionally, I would avoid adding > ldap to shadow unless you have applications that require access to the > password hash or are intending to use nss_ldap->pam_unix for authentication > (and forego any ldap authorization features). > > > hosts: files dns > > networks: files > > protocols: db files > > services: db files > > ethers: db files > > rpc: db files > > netgroup: nis > > automount: ldap > > > > Then set up /etc/pam.d/common-{account,auth,password,session} with the > > following *additions*: > > > > common-account: > > account sufficient pam_succeed_if.so uid < 1000 quiet > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > > account required pam_permit.so > > I would rather suggest adding: > > account sufficient pam_localuser.so > account sufficient pam_ldap.so > account required pam_deny.so > > otherwise password expiry, host attribute use etc. will most likely not work. > > > common-auth: > > auth requisite pam_succeed_if.so uid >= 1000 quiet > > auth sufficient pam_ldap.so use_first_pass > > auth required pam_deny.so > > > > common-password: > > password sufficient pam_ldap.so use_authtok > > password required pam_deny.so > > > > common-session > > session optional pam_ldap.so > > pam_ldap doesn't implement session as far as I know, pam_mkhomedir would be a > better candidate for the line above. > > > > > (There is probably some silly configuration in the above, but it > > works. I haven't looked into the details of PAM yet.) > > Have you tested every aspect with the configuration above? > > > Next, install autofs5-ldap (or v4 if you want). It is important that > > you understand the structure of autofs entries in ldap. You can get an > > overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap > > > > Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf), > > /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point > > to your ldap directory server. > > > > When things don't work, try running each daemon in debug mode. This > > is particularly true for slapd and the nslcd (that comes in > > libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to > > see if logins are accepted. > > > And disable nscd while troubleshooting. > > Regards, > Buchan > = -- Powered by Outblaze

1 0

Understanding TLS SSF
by J Davis 30 Jul '08

30 Jul '08

Greetings, I'm testing an installation of openldap 2.4.9. I want to enforce TLS for all access to the directory. My problem is that I cannot get the client to meet the ssf restictions I have in place. The documentation I've seen on ssf and tls_ssf is very sparse so I don't really understand what it does. I'm using self signed cert created using the openssl CA.sh script. Relevant portions of the slapd.conf... TLSCACertificateFile /etc/ldap/ssl/cacert.pem TLSCertificateFile /etc/ldap/ssl/servercrt.pem TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem ... access to * by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write Relevant portions of the lapd.conf... TLS_CACERT /etc/ldap/ssl/cacert.pem With those ACLs in place I get the following error: $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b "uid=jake,ou=people,dc=example,dc=com" ldap_bind: Invalid credentials (49) And slapd in debug mode shows me that I didn't meet the ssf requirments... connection_read(15): unable to get TLS client DN, error=49 id=0 conn=0 fd=15 TLS established tls_ssf=32 ssf=32 ... <= check a_authz.sai_tls_ssf: ACL 128 > OP 32 I'm not really sure where to go from here. Any advice about how to increase the SSF of my connection would be greatly appreciated. Thanks, -Jake

6 8

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2008