VMware and mirror/multimaster
by Dave Horsfall
Has anyone tried mirroring or multimaster under VMware i.e. are the
virtual clocks stable enough? We're starting to use VMware to cut down on
the number of physical hosts, but I'd like to use the latest 2.4 features
as well.
--
Dave Horsfall DTM VK2KFU Ph: +61 2 9552-5509 (direct) +61 2 9552-5500 (switch)
Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU
14 years, 9 months
Creating a "big" database... large LDIF file. automated procedure?
by Brad T Waldorf
Hi again. Thanks again for your responses to my prior posts.
So far, all of my experience with OpenLDAP has been with databases with a
minimal number of entries... 200 at the most. I'd like to do some
performance experiments with a much larger database, say 10,000 database
entries or so. What would you recommend for creating such a database?
(Entries don't have to have real, sensible data... maybe the distinguished
name is an integer that increases by 1?) Is there an automated way for
creating such a database?
Thanks,
14 years, 10 months
Organizational Unit Listing
by Emre Yilmaz
hi list,
We need to list all of the organizational units in Active Directory with their members. It's very important for me.
Is there any idea?
14 years, 10 months
Replicating between Active Directory and Openldap
by Greg McConnel
Can anyone refer me to documentation or a site that describes how to
replicate user and password information between Active Directory and
OpenLDAP? I have found a number of sites but most are a few years old and
none seem to provide the necessary instructions and tools.
Thanks!
14 years, 10 months
Re: Understanding TLS SSF
by J Davis
That was it.
I'm using 2.4.11 now compiled against openssl and it's working.
Thanks!
-Jake
On Wed, Jul 30, 2008 at 7:36 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> I doubt that's the SSL that OpenLDAP is compiled against. It looks to me
> like it is compiled against GnuTLS, and likely affected by ITS#5585, which
> was fixed in OpenLDAP 2.4.11. If that's correct, then the real TLS value
> is 256. Have you actually run ldd on slapd to see what libraries it is
> linked against for SSL?
>
> --Quanah
>
>
> --On Wednesday, July 30, 2008 1:16 PM -0400 J Davis <mrsalty0(a)gmail.com>
> wrote:
>
>
>> Openssl 0.9.8g-4ubuntu3.3
>>
>> Thanks,
>> -Jake
>>
>>
>> On Wed, Jul 30, 2008 at 12:02 PM, Buchan Milne
>> <bgmilne(a)staff.telkomsa.net> wrote:
>>
>> On Wednesday 30 July 2008 15:59:52 J Davis wrote:
>>
>>> Greetings,
>>>
>>> I'm testing an installation of openldap 2.4.9. I want to enforce TLS for
>>> all access to the directory.
>>> My problem is that I cannot get the client to meet the ssf restrictions I
>>> have in place. The documentation I've seen on ssf and tls_ssf is very
>>> sparse so I don't really understand what it does.
>>>
>>> I'm using self signed cert created using the openssl CA.sh script.
>>>
>>> Relevant portions of the slapd.conf...
>>>
>>> TLSCACertificateFile /etc/ldap/ssl/cacert.pem
>>> TLSCertificateFile /etc/ldap/ssl/servercrt.pem
>>> TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
>>> ...
>>> access to *
>>> by tls_ssf=128 ssf=128 anonymous auth
>>> by tls_ssf=128 ssf=128 self write
>>>
>>> Relevant portions of the ldap.conf...
>>>
>>> TLS_CACERT /etc/ldap/ssl/cacert.pem
>>>
>>> With those ACLs in place I get the following error:
>>>
>>> $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b
>>> "uid=jake,ou=people,dc=example,dc=com"
>>> ldap_bind: Invalid credentials (49)
>>>
>>> And slapd in debug mode shows me that I didn't meet the ssf
>>> requirements...
>>>
>>> connection_read(15): unable to get TLS client DN, error=49 id=0
>>> conn=0 fd=15 TLS established tls_ssf=32 ssf=32
>>> ...
>>> <= check a_authz.sai_tls_ssf: ACL 128 > OP 32
>>>
>>
>> What ssl implementation is your slapd using ?
>>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
14 years, 10 months
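As an added example (not code from the thread), a short Python check for the situation Jake hit: it parses the ssf thresholds out of the quoted ACL clauses, reads the tls_ssf/ssf pair slapd prints once TLS is established, reports which clauses the connection cannot satisfy, and names the TLS library from ldd output, which is the check Quanah asked for. The ACL and debug samples are taken from the messages above; the ldd output is constructed.

```python
"""Compare the TLS strength slapd negotiated with the ssf thresholds in its
ACLs, and identify the TLS library slapd is linked against from ldd output.

Added example, not code from the thread. The ACL and debug samples are
copied from the quoted messages; the ldd output is constructed."""
import re

# Sample: the 'access' directive from the poster's slapd.conf
ACL_CLAUSES = """
access to *
    by tls_ssf=128 ssf=128 anonymous auth
    by tls_ssf=128 ssf=128 self write
"""

# Sample: the slapd debug lines the poster quoted
DEBUG_LOG = """
connection_read(15): unable to get TLS client DN, error=49 id=0
conn=0 fd=15 TLS established tls_ssf=32 ssf=32
<= check a_authz.sai_tls_ssf: ACL 128 > OP 32
"""

# Constructed sample: what 'ldd $(which slapd)' might print for a GnuTLS build
LDD_SAMPLE = """
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb7e0c000)
        libc.so.6 => /lib/libc.so.6 (0xb7cb0000)
"""

# ssf-style conditions a 'by' clause can carry (see slapd.access(5))
SSF_KEYS = ("ssf", "transport_ssf", "tls_ssf", "sasl_ssf")


def parse_by_clauses(conf):
    """One dict per 'by' clause: the clause text and the ssf thresholds it
    requires (a missing key means the clause imposes no such requirement)."""
    clauses = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("by "):
            continue
        need = {}
        for key in SSF_KEYS:
            # \b keeps 'ssf=' from matching inside 'tls_ssf=' ('_' is a word char)
            m = re.search(r"\b%s=(\d+)" % key, line)
            if m:
                need[key] = int(m.group(1))
        clauses.append({"clause": line, "requires": need})
    return clauses


def parse_negotiated(log):
    """The tls_ssf/ssf pair slapd prints once the TLS handshake completes."""
    m = re.search(r"TLS established\s+tls_ssf=(\d+)\s+ssf=(\d+)", log)
    return {"tls_ssf": int(m.group(1)), "ssf": int(m.group(2))} if m else None


def unsatisfied_clauses(conf, log):
    """(clause, key, required, negotiated) for every threshold the connection
    falls short of; an empty list means every clause is reachable."""
    got = parse_negotiated(log) or {}
    failing = []
    for c in parse_by_clauses(conf):
        for key, need in c["requires"].items():
            have = got.get(key, 0)
            if have < need:
                failing.append((c["clause"], key, need, have))
    return failing


def tls_library_from_ldd(ldd_output):
    """Name the TLS implementation slapd is linked against. Per the thread, a
    GnuTLS build of 2.4.x before 2.4.11 (ITS#5585) reports a too-low ssf.
    NSS is checked before OpenSSL because NSS also ships a libssl3."""
    if "libgnutls" in ldd_output:
        return "GnuTLS"
    if "libnss3" in ldd_output:
        return "Mozilla NSS"
    if "libssl" in ldd_output:
        return "OpenSSL"
    return "unknown"


if __name__ == "__main__":
    for clause, key, need, have in unsatisfied_clauses(ACL_CLAUSES, DEBUG_LOG):
        print("%s: needs %s>=%d, connection has %d" % (clause, key, need, have))
    print("TLS library:", tls_library_from_ldd(LDD_SAMPLE))
```

Run it against a real slapd by replacing DEBUG_LOG with the output of `slapd -d 1` for the failing bind and LDD_SAMPLE with `ldd` of the slapd binary.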
Re: translucent overlay with local-only entries
by Sven Ulland
Gavin Henry wrote:
> Did you read the man page? man slapo-translucent
I did, but the significance of translucent_local and _remote didn't
strike me. Unfortunately it seems that enabling local+remote searching
doesn't change the result. I must have a silly bug in my
configuration, but I cannot figure out where.
Various combinations of translucent_local and _remote give different,
but consistent, results:
neither local nor remote: only remote entries returned
local only: no entries returned
remote only: only remote entries returned
local and remote: only remote entries returned
I use the following in my slapd.conf[1]:
translucent_remote uid
translucent_local uid
The databases on each host seem fine. The main ldap directory contains
an ou with a single uid[2]; the branch extension directory contains
one attribute modification and one local-only entry[3].
I ran a full debug with 'translucent_local uid' in the configuration
file:
slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d 65535
The search command I use:
ldapsearch -x -W -D 'cn=branchadmin,dc=branch,dc=example,dc=com' \
-H ldap://localhost -b 'dc=example,dc=com' -LLL 'uid=*' uid
The output[5] seems to show (on lines 523 and 615, for example) that
uid=barney is found, but I'm not able to determine why it is not
returned to the client. I also dumped the network packets to verify
that uid=barney was not returned. It wasn't.
sven
[1] Entire /etc/ldap/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/autofs.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
moduleload translucent
sizelimit 500
tool-threads 1
backend bdb
backend ldap
database bdb
directory /var/lib/ldap/translucent4
suffix "dc=example,dc=com"
rootdn "cn=branchadmin,dc=branch,dc=example,dc=com"
rootpw "admin"
index objectclass eq
index uid eq,sub
lastmod off
overlay translucent
translucent_remote uid
translucent_local uid
uri "ldap://172.27.27.37"
idassert-bind
bindmethod=simple
binddn="cn=mainadmin,dc=example,dc=com"
credentials="admin"
mode=none
#end
[2] slapcat on main ldap:
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: Simple example
structuralObjectClass: organization
dn: cn=mainadmin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: mainadmin
description: LDAP administrator
userPassword:: e2NyeXB0fTRUT2NoeFV0M3AyUEU=
structuralObjectClass: organizationalRole
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
dn: uid=andrew,ou=People,dc=example,dc=com
uid: andrew
cn: Andrew
sn: Andrewson
uidNumber: 401
gidNumber: 501
homeDirectory: /home/andrew
structuralObjectClass: person
objectClass: person
objectClass: posixAccount
#end
[3] slapcat on local branch, after a) one modification of existing
'description' field for uid=andrew, and b) one new local-only entry
for uid=barney.
dn: dc=example,dc=com
structuralObjectClass: glue
objectClass: top
objectClass: glue
dn: ou=people,dc=example,dc=com
structuralObjectClass: glue
objectClass: top
objectClass: glue
dn: uid=andrew,ou=People,dc=example,dc=com
description: changed on branch only
dn: uid=barney,ou=People,dc=example,dc=com
uid: barney
cn: Barney
sn: Barneyson
uidNumber: 402
gidNumber: 502
homeDirectory: /home/barney
objectClass: person
objectClass: posixAccount
description: only exists on branch
#end
[4] slapd debug output.
1 @(#) $OpenLDAP: slapd 2.4.10 (Jul 17 2008 14:44:35) $
2 buildd@ninsei:/build/buildd/openldap-2.4.10/debian/build/servers/slapd
3 ldap_pvt_gethostbyname_a: host=debian, r=0
4 daemon_init: <null>
5 daemon_init: listen on ldap:///
6 daemon_init: 1 listeners to open...
7 ldap_url_parse_ext(ldap:///)
8 daemon: listener initialized ldap:///
9 daemon_init: 2 listeners opened
10 ldap_create
11 slapd init: initiated server.
12 slap_sasl_init: initialized!
13 reading config file /etc/ldap/slapd.conf
14 line 1 (include /etc/ldap/schema/core.schema)
15 reading config file /etc/ldap/schema/core.schema
[several lines of schema debugging removed]
208 line 7 (pidfile /var/run/slapd/slapd.pid)
209 line 8 (argsfile /var/run/slapd/slapd.args)
210 line 9 (loglevel none)
211 line 11 (modulepath /usr/lib/ldap)
212 line 12 (moduleload back_bdb)
213 loaded module back_bdb
214 bdb_back_initialize: initialize BDB backend
215 bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
216 module back_bdb: null module registered
217 line 13 (moduleload back_ldap)
218 loaded module back_ldap
219 module back_ldap: null module registered
220 line 14 (moduleload translucent)
221 loaded module translucent
222 ==> translucent_initialize
223 module translucent: null module registered
224 line 16 (sizelimit 500)
225 line 17 (tool-threads 1)
226 line 19 (backend bdb)
227 line 20 (backend ldap)
228 line 22 (database bdb)
229 bdb_db_init: Initializing BDB database
230 line 23 (directory /var/lib/ldap/translucent4)
231 line 24 (suffix "dc=example,dc=com")
232 >>> dnPrettyNormal: <dc=example,dc=com>
233 => ldap_bv2dn(dc=example,dc=com,0)
234 <= ldap_bv2dn(dc=example,dc=com)=0
235 => ldap_dn2bv(272)
236 <= ldap_dn2bv(dc=example,dc=com)=0
237 => ldap_dn2bv(272)
238 <= ldap_dn2bv(dc=example,dc=com)=0
239 <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
240 line 25 (rootdn "cn=branchadmin,dc=branch,dc=example,dc=com")
241 >>> dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com>
242 => ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com,0)
243 <= ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com)=0
244 => ldap_dn2bv(272)
245 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0
246 => ldap_dn2bv(272)
247 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0
248 <<< dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com>, <cn=branchadmin,dc=branch,dc=example,dc=com>
249 line 26 (rootpw ***)
250 line 27 (index objectclass eq)
251 index objectClass 0x0004
252 line 28 (index uid eq,sub)
253 index uid 0x0714
254 line 29 (lastmod off)
255 line 31 (overlay translucent)
256 ==> translucent_db_init
257 line 32 (translucent_local uid)
258 line 33 (uri "ldap://172.27.27.37")
259 ==> translucent_db_config: uri
260 ldap_url_parse_ext(ldap://172.27.27.37)
261 line 38 (idassert-bind ***)
262 ==> translucent_db_config: idassert-bind
263 >>> dnNormalize: <cn=mainadmin,dc=example,dc=com>
264 => ldap_bv2dn(cn=mainadmin,dc=example,dc=com,0)
265 <= ldap_bv2dn(cn=mainadmin,dc=example,dc=com)=0
266 => ldap_dn2bv(272)
267 <= ldap_dn2bv(cn=mainadmin,dc=example,dc=com)=0
268 <<< dnNormalize: <cn=mainadmin,dc=example,dc=com>
269 >>> dnNormalize: <cn=Subschema>
270 => ldap_bv2dn(cn=Subschema,0)
271 <= ldap_bv2dn(cn=Subschema)=0
272 => ldap_dn2bv(272)
273 <= ldap_dn2bv(cn=subschema)=0
274 <<< dnNormalize: <cn=subschema>
275 matching_rule_use_init
[schema lines omitted]
302 slapd startup: initiated.
303 backend_startup_one: starting "cn=config"
304 config_back_db_open
305 config_build_entry: "cn=config"
306 config_build_entry: "cn=module{0}"
307 config_build_entry: "cn=schema"
308 config_build_entry: "cn={0}core"
309 config_build_entry: "cn={1}cosine"
310 config_build_entry: "cn={2}nis"
311 config_build_entry: "cn={3}inetorgperson"
312 config_build_entry: "cn={4}autofs"
313 config_build_entry: "olcDatabase={-1}frontend"
314 config_build_entry: "olcDatabase={0}config"
315 config_build_entry: "olcDatabase={1}bdb"
316 config_build_entry: "olcOverlay={0}translucent"
317 ==> translucent_cfadd
318 config_build_entry: "olcDatabase=ldap"
319 backend_startup_one: starting "dc=example,dc=com"
320 bdb_db_open: "dc=example,dc=com"
321 bdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap/translucent4).
322 ==> translucent_db_open
323 backend_startup_one: starting "dc=example,dc=com"
324 ldap_back_db_open: URI=ldap://172.27.27.37
325 slapd starting
326 daemon: added 4r listener=(nil)
327 daemon: added 7r listener=0x82f6068
328 daemon: added 8r listener=0x82f6130
329 daemon: epoll: listen=7 active_threads=0 tvp=NULL
330 daemon: epoll: listen=8 active_threads=0 tvp=NULL
331 daemon: activity on 1 descriptor
332 daemon: activity on:
333 daemon: epoll: listen=7 active_threads=0 tvp=NULL
334 daemon: epoll: listen=8 active_threads=0 tvp=NULL
335 daemon: activity on 1 descriptor
336 daemon: activity on:
337 slap_listener_activate(8):
338 >>> slap_listener(ldap:///)
339 daemon: listen=8, new connection on 13
340 daemon: added 13r (active) listener=(nil)
341 conn=0 fd=13 ACCEPT from IP=127.0.0.1:51638 (IP=0.0.0.0:389)
342 daemon: epoll: listen=7 active_threads=0 tvp=NULL
343 daemon: epoll: listen=8 active_threads=0 tvp=NULL
344 daemon: activity on 1 descriptor
345 daemon: activity on:
346 daemon: epoll: listen=7 active_threads=0 tvp=NULL
347 daemon: epoll: listen=8 active_threads=0 tvp=NULL
348 daemon: activity on 1 descriptor
349 daemon: activity on: 13r
350 daemon: read active on 13
351 daemon: epoll: listen=7 active_threads=0 tvp=NULL
352 daemon: epoll: listen=8 active_threads=0 tvp=NULL
353 connection_get(13)
354 connection_get(13): got connid=0
355 connection_read(13): checking for input on id=0
356 ber_get_next
357 ldap_read: want=8, got=8
358 0000: 30 3b 02 01 01 60 36 02 0;...`6.
359 ldap_read: want=53, got=53
360 0000: 01 03 04 2a 63 6e 3d 62 72 61 6e 63 68 61 64 6d ...*cn=branchadm
361 0010: 69 6e 2c 64 63 3d 62 72 61 6e 63 68 2c 64 63 3d in,dc=branch,dc=
362 0020: 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 example,dc=com..
363 0030: 61 64 6d 69 6e admin
364 ber_get_next: tag 0x30 len 59 contents:
365 ber_dump: buf=0x83a9dd8 ptr=0x83a9dd8 end=0x83a9e13 len=59
366 0000: 02 01 01 60 36 02 01 03 04 2a 63 6e 3d 62 72 61 ...`6....*cn=bra
367 0010: 6e 63 68 61 64 6d 69 6e 2c 64 63 3d 62 72 61 6e nchadmin,dc=bran
368 0020: 63 68 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 ch,dc=example,dc
369 0030: 3d 63 6f 6d 80 05 61 64 6d 69 6e =com..admin
370 ber_get_next
371 ldap_read: want=8 error=Resource temporarily unavailable
372 conn=0 op=0 do_bind
373 ber_scanf fmt ({imt) ber:
374 ber_dump: buf=0x83a9dd8 ptr=0x83a9ddb end=0x83a9e13 len=56
375 0000: 60 36 02 01 03 04 2a 63 6e 3d 62 72 61 6e 63 68 `6....*cn=branch
376 0010: 61 64 6d 69 6e 2c 64 63 3d 62 72 61 6e 63 68 2c admin,dc=branch,
377 0020: 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f dc=example,dc=co
378 0030: 6d 80 05 61 64 6d 69 6e m..admin
379 ber_scanf fmt (m}) ber:
380 ber_dump: buf=0x83a9dd8 ptr=0x83a9e0c end=0x83a9e13 len=7
381 0000: 00 05 61 64 6d 69 6e ..admin
382 >>> dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com>
383 => ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com,0)
384 <= ldap_bv2dn(cn=branchadmin,dc=branch,dc=example,dc=com)=0
385 => ldap_dn2bv(272)
386 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0
387 => ldap_dn2bv(272)
388 <= ldap_dn2bv(cn=branchadmin,dc=branch,dc=example,dc=com)=0
389 <<< dnPrettyNormal: <cn=branchadmin,dc=branch,dc=example,dc=com>, <cn=branchadmin,dc=branch,dc=example,dc=com>
390 conn=0 op=0 BIND dn="cn=branchadmin,dc=branch,dc=example,dc=com" method=128
391 do_bind: version=3 dn="cn=branchadmin,dc=branch,dc=example,dc=com" method=128
392 translucent_bind: <cn=branchadmin,dc=branch,dc=example,dc=com> method 128
393 conn=0 op=0: rootdn="cn=branchadmin,dc=branch,dc=example,dc=com" bind succeeded
394 conn=0 op=0 BIND dn="cn=branchadmin,dc=branch,dc=example,dc=com" mech=SIMPLE ssf=0
395 do_bind: v3 bind: "cn=branchadmin,dc=branch,dc=example,dc=com" to "cn=branchadmin,dc=branch,dc=example,dc=com"
396 send_ldap_result: conn=0 op=0 p=3
397 send_ldap_result: err=0 matched="" text=""
398 send_ldap_response: msgid=1 tag=97 err=0
399 ber_flush2: 14 bytes to sd 13
400 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
401 ldap_write: want=14, written=14
402 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
403 conn=0 op=0 RESULT tag=97 err=0 text=
404 daemon: activity on 1 descriptor
405 daemon: activity on:
406 daemon: epoll: listen=7 active_threads=0 tvp=NULL
407 daemon: epoll: listen=8 active_threads=0 tvp=NULL
408 daemon: activity on 1 descriptor
409 daemon: activity on: 13r
410 daemon: read active on 13
411 daemon: epoll: listen=7 active_threads=0 tvp=NULL
412 daemon: epoll: listen=8 active_threads=0 tvp=NULL
413 connection_get(13)
414 connection_get(13): got connid=0
415 connection_read(13): checking for input on id=0
416 ber_get_next
417 ldap_read: want=8, got=8
418 0000: 30 33 02 01 02 63 2e 04 03...c..
419 ldap_read: want=45, got=45
420 0000: 11 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 .dc=example,dc=c
421 0010: 6f 6d 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 om..............
422 0020: 00 87 03 75 69 64 30 05 04 03 75 69 64 ...uid0...uid
423 ber_get_next: tag 0x30 len 51 contents:
424 ber_dump: buf=0x83aa218 ptr=0x83aa218 end=0x83aa24b len=51
425 0000: 02 01 02 63 2e 04 11 64 63 3d 65 78 61 6d 70 6c ...c...dc=exampl
426 0010: 65 2c 64 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 e,dc=com........
427 0020: 00 02 01 00 01 01 00 87 03 75 69 64 30 05 04 03 .........uid0...
428 0030: 75 69 64 uid
429 ber_get_next
430 ldap_read: want=8 error=Resource temporarily unavailable
431 conn=0 op=1 do_search
432 ber_scanf fmt ({miiiib) ber:
433 ber_dump: buf=0x83aa218 ptr=0x83aa21b end=0x83aa24b len=48
434 0000: 63 2e 04 11 64 63 3d 65 78 61 6d 70 6c 65 2c 64 c...dc=example,d
435 0010: 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 00 02 01 c=com...........
436 0020: 00 01 01 00 87 03 75 69 64 30 05 04 03 75 69 64 ......uid0...uid
437 >>> dnPrettyNormal: <dc=example,dc=com>
438 => ldap_bv2dn(dc=example,dc=com,0)
439 <= ldap_bv2dn(dc=example,dc=com)=0
440 => ldap_dn2bv(272)
441 <= ldap_dn2bv(dc=example,dc=com)=0
442 => ldap_dn2bv(272)
443 <= ldap_dn2bv(dc=example,dc=com)=0
444 <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
445 SRCH "dc=example,dc=com" 2 0 0 0 0
446 begin get_filter
447 PRESENT
448 ber_scanf fmt (m) ber:
449 ber_dump: buf=0x83aa218 ptr=0x83aa23f end=0x83aa24b len=12
450 0000: 87 03 75 69 64 30 05 04 03 75 69 64 ..uid0...uid
451 end get_filter 0
452 filter: (uid=*)
453 ber_scanf fmt ({M}}) ber:
454 ber_dump: buf=0x83aa218 ptr=0x83aa244 end=0x83aa24b len=7
455 0000: 00 05 04 03 75 69 64 ....uid
456 attrs: uid
457 conn=0 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=*)"
458 conn=0 op=1 SRCH attr=uid
459 ==> translucent_search: <dc=example,dc=com> (uid=*)
460 => bdb_search
461 bdb_dn2entry("dc=example,dc=com")
462 => bdb_dn2id("dc=example,dc=com")
463 <= bdb_dn2id: got id=0x1
464 entry_decode: "dc=example,dc=com"
465 <= entry_decode(dc=example,dc=com)
466 => access_allowed: search access to "dc=example,dc=com" "entry" requested
467 <= root access granted
468 => access_allowed: search access granted by manage(=mwrscxd)
469 search_candidates: base="dc=example,dc=com" (0x00000001) scope=2
470 => bdb_dn2idl("dc=example,dc=com")
471 => bdb_filter_candidates
472 AND
473 => bdb_list_candidates 0xa0
474 => bdb_filter_candidates
475 OR
476 => bdb_list_candidates 0xa1
477 => bdb_filter_candidates
478 EQUALITY
479 => bdb_equality_candidates (objectClass)
480 daemon: activity on 1 descriptor
481 daemon: activity on:
482 daemon: epoll: listen=7 active_threads=0 tvp=NULL
483 daemon: epoll: listen=8 active_threads=0 tvp=NULL
484 => key_read
485 bdb_idl_fetch_key: [b49d1940]
486 <= bdb_index_read: failed (-30990)
487 <= bdb_equality_candidates: id=0, first=0, last=0
488 <= bdb_filter_candidates: id=0 first=0 last=0
489 => bdb_filter_candidates
490 PRESENT
491 => bdb_presence_candidates (uid)
492 <= bdb_presence_candidates: (uid) not indexed
493 <= bdb_filter_candidates: id=-1 first=1 last=4
494 <= bdb_list_candidates: id=-1 first=1 last=4
495 <= bdb_filter_candidates: id=-1 first=1 last=4
496 <= bdb_list_candidates: id=-1 first=1 last=4
497 <= bdb_filter_candidates: id=-1 first=1 last=4
498 bdb_search_candidates: id=-1 first=1 last=4
499 entry_decode: "ou=people,dc=example,dc=com"
500 <= entry_decode(ou=people,dc=example,dc=com)
501 => bdb_dn2id("ou=people,dc=example,dc=com")
502 <= bdb_dn2id: got id=0x2
503 entry_decode: "uid=andrew,ou=People,dc=example,dc=com"
504 <= entry_decode(uid=andrew,ou=People,dc=example,dc=com)
505 => bdb_dn2id("uid=andrew,ou=people,dc=example,dc=com")
506 <= bdb_dn2id: got id=0x3
507 is_entry_objectclass("uid=andrew,ou=People,dc=example,dc=com", "2.5.17.0") no objectClass attribute
508 is_entry_objectclass("uid=andrew,ou=People,dc=example,dc=com", "2.16.840.1.113730.3.2.6") no objectClass attribute
509 is_entry_objectclass("uid=andrew,ou=People,dc=example,dc=com", "1.3.6.1.4.1.4203.666.3.4") no objectClass attribute
510 => test_filter
511 PRESENT
512 => access_allowed: search access to "uid=andrew,ou=People,dc=example,dc=com" "uid" requested
513 <= root access granted
514 => access_allowed: search access granted by manage(=mwrscxd)
515 <= test_filter 5
516 bdb_search: 3 does not match filter
517 entry_decode: "uid=barney,ou=People,dc=example,dc=com"
518 <= entry_decode(uid=barney,ou=People,dc=example,dc=com)
519 => bdb_dn2id("uid=barney,ou=people,dc=example,dc=com")
520 <= bdb_dn2id: got id=0x4
521 => test_filter
522 PRESENT
523 => access_allowed: search access to "uid=barney,ou=People,dc=example,dc=com" "uid" requested
524 <= root access granted
525 => access_allowed: search access granted by manage(=mwrscxd)
526 <= test_filter 6
527 ==> translucent_search_cb: uid=barney,ou=People,dc=example,dc=com
528 ldap_create
529 ldap_url_parse_ext(ldap://172.27.27.37)
530 =>ldap_back_getconn: conn=0 op=1: lc=0x83ab8c8 inserted refcnt=1 rc=0
531 ldap_sasl_bind
532 ldap_send_initial_request
533 ldap_new_connection 1 1 0
534 ldap_int_open_connection
535 ldap_connect_to_host: TCP 172.27.27.37:389
536 ldap_new_socket: 16
537 ldap_prepare_socket: 16
538 ldap_connect_to_host: Trying 172.27.27.37:389
539 ldap_pvt_connect: fd: 16 tm: -1 async: 0
540 ldap_open_defconn: successful
541 ldap_send_server_request
542 ber_scanf fmt ({it) ber:
543 ber_dump: buf=0x83b3b90 ptr=0x83b3b90 end=0x83b3bc1 len=49
544 0000: 30 2f 02 01 01 60 2a 02 01 03 04 1e 63 6e 3d 6d 0/...`*.....cn=m
545 0010: 61 69 6e 61 64 6d 69 6e 2c 64 63 3d 65 78 61 6d ainadmin,dc=exam
546 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 61 64 6d 69 ple,dc=com..admi
547 0030: 6e n
548 ber_scanf fmt ({i) ber:
549 ber_dump: buf=0x83b3b90 ptr=0x83b3b95 end=0x83b3bc1 len=44
550 0000: 60 2a 02 01 03 04 1e 63 6e 3d 6d 61 69 6e 61 64 `*.....cn=mainad
551 0010: 6d 69 6e 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 min,dc=example,d
552 0020: 63 3d 63 6f 6d 80 05 61 64 6d 69 6e c=com..admin
553 ber_flush2: 49 bytes to sd 16
554 0000: 30 2f 02 01 01 60 2a 02 01 03 04 1e 63 6e 3d 6d 0/...`*.....cn=m
555 0010: 61 69 6e 61 64 6d 69 6e 2c 64 63 3d 65 78 61 6d ainadmin,dc=exam
556 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 61 64 6d 69 ple,dc=com..admi
557 0030: 6e n
558 ldap_write: want=49, written=49
559 0000: 30 2f 02 01 01 60 2a 02 01 03 04 1e 63 6e 3d 6d 0/...`*.....cn=m
560 0010: 61 69 6e 61 64 6d 69 6e 2c 64 63 3d 65 78 61 6d ainadmin,dc=exam
561 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 80 05 61 64 6d 69 ple,dc=com..admi
562 0030: 6e n
563 ldap_result ld 0x83ab908 msgid 1
564 wait4msg ld 0x83ab908 msgid 1 (timeout 100000 usec)
565 wait4msg continue ld 0x83ab908 msgid 1 all 1
566 ** ld 0x83ab908 Connections:
567 * host: 172.27.27.37 port: 389 (default)
568 refcnt: 2 status: Connected
569 last used: Wed Jul 30 14:50:54 2008
570 ** ld 0x83ab908 Outstanding Requests:
571 * msgid 1, origid 1, status InProgress
572 outstanding referrals 0, parent count 0
573 ld 0x83ab908 request count 1 (abandoned 0)
574 ** ld 0x83ab908 Response Queue:
575 Empty
576 ld 0x83ab908 response count 0
577 ldap_chkResponseList ld 0x83ab908 msgid 1 all 1
578 ldap_chkResponseList returns ld 0x83ab908 NULL
579 ldap_int_select
580 read1msg: ld 0x83ab908 msgid 1 all 1
581 ber_get_next
582 ldap_read: want=8, got=8
583 0000: 30 0c 02 01 01 61 07 0a 0....a..
584 ldap_read: want=6, got=6
585 0000: 01 00 04 00 04 00 ......
586 ber_get_next: tag 0x30 len 12 contents:
587 ber_dump: buf=0x83b4d08 ptr=0x83b4d08 end=0x83b4d14 len=12
588 0000: 02 01 01 61 07 0a 01 00 04 00 04 00 ...a........
589 read1msg: ld 0x83ab908 msgid 1 message type bind
590 ber_scanf fmt ({eAA) ber:
591 ber_dump: buf=0x83b4d08 ptr=0x83b4d0b end=0x83b4d14 len=9
592 0000: 61 07 0a 01 00 04 00 04 00 a........
593 read1msg: ld 0x83ab908 0 new referrals
594 read1msg: mark request completed, ld 0x83ab908 msgid 1
595 request done: ld 0x83ab908 msgid 1
596 res_errno: 0, res_error: <>, res_matched: <>
597 ldap_free_request (origid 1, msgid 1)
598 ldap_free_connection 0 1
599 ldap_free_connection: refcnt 1
600 ldap_parse_result
601 ber_scanf fmt ({iAA) ber:
602 ber_dump: buf=0x83b4d08 ptr=0x83b4d0b end=0x83b4d14 len=9
603 0000: 61 07 0a 01 00 04 00 04 00 a........
604 ber_scanf fmt (}) ber:
605 ber_dump: buf=0x83b4d08 ptr=0x83b4d14 end=0x83b4d14 len=0
606 ldap_msgfree
607 ldap_search_ext
608 put_filter: "(objectclass=*)"
609 put_filter: simple
610 put_simple_filter: "objectclass=*"
611 ldap_build_search_req ATTRS: *
612 ldap_send_initial_request
613 ldap_send_server_request
614 ber_scanf fmt ({it) ber:
615 ber_dump: buf=0x83b3b90 ptr=0x83b3b90 end=0x83b3bdd len=77
616 0000: 30 4b 02 01 02 63 46 04 26 75 69 64 3d 62 61 72 0K...cF.&uid=bar
617 0010: 6e 65 79 2c 6f 75 3d 70 65 6f 70 6c 65 2c 64 63 ney,ou=people,dc
618 0020: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 0a =example,dc=com.
619 0030: 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b ................
620 0040: 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 objectclass0.
621 ber_scanf fmt ({) ber:
622 ber_dump: buf=0x83b3b90 ptr=0x83b3b95 end=0x83b3bdd len=72
623 0000: 63 46 04 26 75 69 64 3d 62 61 72 6e 65 79 2c 6f cF.&uid=barney,o
624 0010: 75 3d 70 65 6f 70 6c 65 2c 64 63 3d 65 78 61 6d u=people,dc=exam
625 0020: 70 6c 65 2c 64 63 3d 63 6f 6d 0a 01 00 0a 01 00 ple,dc=com......
626 0030: 02 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 ...........objec
627 0040: 74 63 6c 61 73 73 30 00 tclass0.
628 ber_flush2: 77 bytes to sd 16
629 0000: 30 4b 02 01 02 63 46 04 26 75 69 64 3d 62 61 72 0K...cF.&uid=bar
630 0010: 6e 65 79 2c 6f 75 3d 70 65 6f 70 6c 65 2c 64 63 ney,ou=people,dc
631 0020: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 0a =example,dc=com.
632 0030: 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b ................
633 0040: 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 objectclass0.
634 ldap_write: want=77, written=77
635 0000: 30 4b 02 01 02 63 46 04 26 75 69 64 3d 62 61 72 0K...cF.&uid=bar
636 0010: 6e 65 79 2c 6f 75 3d 70 65 6f 70 6c 65 2c 64 63 ney,ou=people,dc
637 0020: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 0a =example,dc=com.
638 0030: 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b ................
639 0040: 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 objectclass0.
640 ldap_result ld 0x83ab908 msgid 2
641 wait4msg ld 0x83ab908 msgid 2 (infinite timeout)
642 wait4msg continue ld 0x83ab908 msgid 2 all 1
643 ** ld 0x83ab908 Connections:
644 * host: 172.27.27.37 port: 389 (default)
645 refcnt: 2 status: Connected
646 last used: Wed Jul 30 14:50:54 2008
647 ** ld 0x83ab908 Outstanding Requests:
648 * msgid 2, origid 2, status InProgress
649 outstanding referrals 0, parent count 0
650 ld 0x83ab908 request count 1 (abandoned 0)
651 ** ld 0x83ab908 Response Queue:
652 Empty
653 ld 0x83ab908 response count 0
654 ldap_chkResponseList ld 0x83ab908 msgid 2 all 1
655 ldap_chkResponseList returns ld 0x83ab908 NULL
656 ldap_int_select
657 read1msg: ld 0x83ab908 msgid 2 all 1
658 ber_get_next
659 ldap_read: want=8, got=8
660 0000: 30 27 02 01 02 65 22 0a 0'...e".
661 ldap_read: want=33, got=33
662 0000: 01 20 04 1b 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 . ..ou=People,dc
663 0010: 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d 04 =example,dc=com.
664 0020: 00 .
665 ber_get_next: tag 0x30 len 39 contents:
666 ber_dump: buf=0x83b4d38 ptr=0x83b4d38 end=0x83b4d5f len=39
667 0000: 02 01 02 65 22 0a 01 20 04 1b 6f 75 3d 50 65 6f ...e".. ..ou=Peo
668 0010: 70 6c 65 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 ple,dc=example,d
669 0020: 63 3d 63 6f 6d 04 00 c=com..
670 read1msg: ld 0x83ab908 msgid 2 message type search-result
671 ber_scanf fmt ({eAA) ber:
672 ber_dump: buf=0x83b4d38 ptr=0x83b4d3b end=0x83b4d5f len=36
673 0000: 65 22 0a 01 20 04 1b 6f 75 3d 50 65 6f 70 6c 65 e".. ..ou=People
674 0010: 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 ,dc=example,dc=c
675 0020: 6f 6d 04 00 om..
676 read1msg: ld 0x83ab908 0 new referrals
677 read1msg: mark request completed, ld 0x83ab908 msgid 2
678 request done: ld 0x83ab908 msgid 2
679 res_errno: 32, res_error: <>, res_matched: <ou=People,dc=example,dc=com>
680 ldap_free_request (origid 2, msgid 2)
681 ldap_free_connection 0 1
682 ldap_free_connection: refcnt 1
683 ldap_parse_result
684 ber_scanf fmt ({iAA) ber:
685 ber_dump: buf=0x83b4d38 ptr=0x83b4d3b end=0x83b4d5f len=36
686 0000: 65 22 0a 01 20 04 1b 6f 75 3d 50 65 6f 70 6c 65 e".. ..ou=People
687 0010: 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 ,dc=example,dc=c
688 0020: 6f 6d 04 00 om..
689 ber_scanf fmt (}) ber:
690 ber_dump: buf=0x83b4d38 ptr=0x83b4d5f end=0x83b4d5f len=0
691 ldap_msgfree
692 send_ldap_result: conn=0 op=1 p=3
693 send_ldap_result: err=0 matched="" text=""
694 send_ldap_response: msgid=2 tag=101 err=0
695 ber_flush2: 14 bytes to sd 13
696 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
697 ldap_write: want=14, written=14
698 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
699 conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
700 daemon: activity on 1 descriptor
701 daemon: activity on: 13r
702 daemon: read active on 13
703 daemon: epoll: listen=7 active_threads=0 tvp=NULL
704 daemon: epoll: listen=8 active_threads=0 tvp=NULL
705 connection_get(13)
706 connection_get(13): got connid=0
707 connection_read(13): checking for input on id=0
708 ber_get_next
709 ldap_read: want=8, got=7
710 0000: 30 05 02 01 03 42 00 0....B.
711 ber_get_next: tag 0x30 len 5 contents:
712 ber_dump: buf=0x834fca0 ptr=0x834fca0 end=0x834fca5 len=5
713 0000: 02 01 03 42 00 ...B.
714 ber_get_next
715 ldap_read: want=8, got=0
716 ber_get_next on fd 13 failed errno=0 (Success)
717 connection_read(13): input error=-2 id=0, closing.
718 connection_closing: readying conn=0 sd=13 for close
719 daemon: activity on 1 descriptor
720 daemon: activity on:
721 daemon: epoll: listen=7 active_threads=0 tvp=NULL
722 daemon: epoll: listen=8 active_threads=0 tvp=NULL
723 connection_close: deferring conn=0 sd=13
724 conn=0 op=2 do_unbind
725 conn=0 op=2 UNBIND
726 connection_resched: attempting closing conn=0 sd=13
727 connection_close: conn=0 sd=13
728 translucent_connection_destroy
729 =>ldap_back_conn_destroy: fetching conn 0
730 daemon: removing 13
731 conn=0 fd=13 closed
#end
14 years, 10 months
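As an added example (not from Sven's post), a small triage script for exactly this kind of translucent-overlay trace: it pairs each DN the overlay hands to translucent_search_cb with the result code the remote back-ldap search returns for it, skipping the res_errno of the remote bind, and reads the final nentries. The sample trace is constructed from the quoted `slapd -d 65535` output with the hex dumps and idle lines omitted.

```python
"""Triage a translucent-overlay debug trace: for every local entry the overlay
passes to translucent_search_cb, find the result the remote (back-ldap) lookup
returned for it, and the entry count the client finally received.

Added example, not from the post. The sample trace is constructed from the
quoted 'slapd -d 65535' output, with hex dumps and idle lines omitted."""
import re

SAMPLE_TRACE = """\
459 ==> translucent_search: <dc=example,dc=com> (uid=*)
516 bdb_search: 3 does not match filter
527 ==> translucent_search_cb: uid=barney,ou=People,dc=example,dc=com
531 ldap_sasl_bind
589 read1msg: ld 0x83ab908 msgid 1 message type bind
596 res_errno: 0, res_error: <>, res_matched: <>
607 ldap_search_ext
608 put_filter: "(objectclass=*)"
670 read1msg: ld 0x83ab908 msgid 2 message type search-result
679 res_errno: 32, res_error: <>, res_matched: <ou=People,dc=example,dc=com>
699 conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# LDAP resultCode names (RFC 4511) for the codes such a trace can produce
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights"}

CB_RE = re.compile(r"translucent_search_cb:\s*(\S.*?)\s*$")
MSGTYPE_RE = re.compile(r"message type (\S+)")
ERR_RE = re.compile(r"res_errno:\s*(\d+),.*res_matched:\s*<([^>]*)>")
RESULT_RE = re.compile(r"SEARCH RESULT .*\bnentries=(\d+)")


def triage(trace):
    """Pair each translucent_search_cb DN with the remote search result that
    follows it. The remote bind also logs a res_errno, so only the res_errno
    after a 'message type search-result' line is attributed to the lookup."""
    lookups, current, msg_type, nentries = [], None, None, None
    for raw in trace.splitlines():
        line = re.sub(r"^\d+\s+", "", raw)  # drop the poster's line numbers
        m = CB_RE.search(line)
        if m:
            current = {"dn": m.group(1), "remote_rc": None,
                       "remote_name": None, "matched": None}
            lookups.append(current)
            continue
        m = MSGTYPE_RE.search(line)
        if m:
            msg_type = m.group(1)
            continue
        m = ERR_RE.search(line)
        if m and current is not None and msg_type == "search-result":
            rc = int(m.group(1))
            current.update(remote_rc=rc, remote_name=RESULT_NAMES.get(rc, "other"),
                           matched=m.group(2))
            current = None
            continue
        m = RESULT_RE.search(line)
        if m:
            nentries = int(m.group(1))
    return {"lookups": lookups, "nentries": nentries}


def remote_missing(trace):
    """DNs the remote answered with noSuchObject (32): local candidates that
    have no counterpart on the main server. In the quoted trace this is the
    local-only uid=barney, and the SEARCH RESULT line shows nentries=0."""
    return [l["dn"] for l in triage(trace)["lookups"] if l["remote_rc"] == 32]


if __name__ == "__main__":
    report = triage(SAMPLE_TRACE)
    for l in report["lookups"]:
        print("%s -> remote rc=%s (%s), matched=<%s>"
              % (l["dn"], l["remote_rc"], l["remote_name"], l["matched"]))
    print("entries returned to client:", report["nentries"])
```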
FTP authentication against openldap
by Aravind Arjunan
hi,
I have configured OpenLDAP on RHEL 5 and all my users are in the LDAP database.
My FTP server needs to authenticate against my LDAP users.
How do I do that?
Please help me with this issue.
Guide me to any link on configuring FTP authentication with LDAP.
14 years, 10 months
slapd 2.4.10 and replication
by Christophe Thibault
Hi,
I have two 2.4.10 slapd servers running on two machines, and I'm trying
to setup replication.
My problem is that the master dies when the slave tries to connect to it
(segmentation fault).
I don't know where to search, so any help or idea is welcome :)
* master configuration:
...
syncprov-checkpoint 100 100
syncprov-sessionlog 100
...
* slave configuration:
...
syncrepl rid=002
provider=ldap://172.16.0.3
type=refreshOnly
interval=00:00:03:00
searchbase="dc=mycorp,dc=com"
filter="(objectClass=*)"
attrs="*,+"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=mycorp,dc=com"
credentials=xxxxxx
retry="60 +"
...
Thanks,
chris
--
Christophe THIBAULT - Planisware
102 Rue Etienne Dolet
92247 Malakoff Cedex
France
http://www.planisware.com
14 years, 10 months
Re: Autofs-OpenLDAP Assistance
by Santosh Balan
Hi Buchan,
The settings you describe below are to be done on the client side. But how would you configure the settings in LDAP or on the server side? What would the LDIF files look like? Also, I need it to communicate and authenticate for my qmail users, and my qmail users' mails are stored in the /home partition of the mail server. Will it not conflict with my mail server's and login users' partition? How will I overcome this issue?
Can you please revert on the same? Anyway, thanks for your reply.
Thanks and Regards
Santosh Balan
+91-9819419509
> ----- Original Message -----
> From: "Buchan Milne" <bgmilne(a)staff.telkomsa.net>
> To: openldap-technical(a)openldap.org
> Subject: Re: Autofs-OpenLDAP Assistance
> Date: Wed, 30 Jul 2008 11:54:25 +0200
>
>
> On Tuesday 29 July 2008 20:19:33 Sven Ulland wrote:
> > Santosh Balan wrote:
> > > Can you please guide and provide some appropriate documentation or
> > > method as to how I have to go about with the installation of OpenLDAP and
> > > autofs such that it will authenticate my users and automatically
> > > mount the users' partition.
>
> Depending on how your infrastructure is set up, you could get home directories
> automounted for every user with a single automount (wildcard) rule. Unless you
> give more details, it is difficult to know how you are associating the need
> for home directories and automount rules.
>
> > To use ldap for login, you need to get nsswitch and pam to talk ldap.
> > It is easily done by installing libnss-ldapd (or libnss-ldap -- they
> > are functionally equivalent) and libpam-ldap. Package names are likely
> > to be different on your platform -- these are from Debian.
> >
> > First change /etc/nsswitch.conf so that it reads something like this:
> >
> > passwd: compat ldap
> > group: compat ldap
> > shadow: compat ldap
>
> I would avoid compat unless you actually require the features. See the
> discussion of compat in nsswitch.conf(5). Additionally, I would avoid adding
> ldap to shadow unless you have applications that require access to the
> password hash or are intending to use nss_ldap->pam_unix for authentication
> (and forego any ldap authorization features).
>
> > hosts: files dns
> > networks: files
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> > netgroup: nis
> > automount: ldap
> >
> > Then set up /etc/pam.d/common-{account,auth,password,session} with the
> > following *additions*:
> >
> > common-account:
> > account sufficient pam_succeed_if.so uid < 1000 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account required pam_permit.so
>
> I would rather suggest adding:
>
> account sufficient pam_localuser.so
> account sufficient pam_ldap.so
> account required pam_deny.so
>
> otherwise password expiry, host attribute use etc. will most likely not work.
>
> > common-auth:
> > auth requisite pam_succeed_if.so uid >= 1000 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > common-password:
> > password sufficient pam_ldap.so use_authtok
> > password required pam_deny.so
> >
> > common-session
> > session optional pam_ldap.so
>
> pam_ldap doesn't implement session as far as I know, pam_mkhomedir would be a
> better candidate for the line above.
>
> >
> > (There is probably some silly configuration in the above, but it
> > works. I haven't looked into the details of PAM yet.)
>
> Have you tested every aspect with the configuration above?
>
> > Next, install autofs5-ldap (or v4 if you want). It is important that
> > you understand the structure of autofs entries in ldap. You can get an
> > overview here: http://efod.se/blog/archive/2006/06/27/autofs-and-ldap
> >
> > Finally, make sure that your /etc/ldap.conf (or /etc/ldap/ldap.conf),
> > /etc/autofs_ldap_auth.conf and /etc/nss-ldapd.conf are set up to point
> > to your ldap directory server.
> >
> > When things don't work, try running each daemon in debug mode. This
> > is particularly true for slapd and the nslcd (that comes in
> > libnss-ldapd). Also have a look in /var/log/auth.log or equivalent, to
> > see if logins are accepted.
>
>
> And disable nscd while troubleshooting.
>
> Regards,
> Buchan
>
14 years, 10 months
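To make the control-flag semantics behind the two `account` stacks quoted above concrete, here is a small simulator of how Linux-PAM walks a stack. This is an added example, not code from the thread or from the PAM project; the return codes each module yields in the account phase (`pam_localuser`, `pam_ldap`, `pam_succeed_if`, `pam_permit`, `pam_deny`) are a constructed model for the comparison, not a reading of the real modules, and the sample users are invented. It only covers the account phase, so a user rejected in the auth phase would never reach it.

```python
"""Linux-PAM control-flag simulator for comparing 'account' stacks.

Added example, not code from the thread. Module behaviour below is a
constructed model of what each module returns in the account phase; it is
an assumption for illustration, not a reading of the real modules' source.
"""
from dataclasses import dataclass

# Linux-PAM expands the four keywords into [value=action] tables like these.
CONTROL = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}


@dataclass
class User:
    name: str
    local: bool = False        # has an /etc/passwd entry
    uid: int = 65534
    in_ldap: bool = False
    ldap_expired: bool = False


# Assumed account-phase return codes (constructed for the simulation).
def pam_localuser(u):
    return "success" if u.local else "user_unknown"

def pam_ldap(u):
    if not u.in_ldap:
        return "user_unknown"
    return "acct_expired" if u.ldap_expired else "success"

def pam_permit(u):
    return "success"

def pam_deny(u):
    return "perm_denied"

def pam_succeed_if_uid_below(limit):
    # Models 'uid < limit' on an account the local passwd file can resolve.
    return lambda u: "success" if u.local and u.uid < limit else "auth_err"


def parse_control(spec):
    """Accept a keyword or an explicit '[value=action ...]' table."""
    if spec.startswith("["):
        return dict(kv.split("=", 1) for kv in spec.strip("[]").split())
    return CONTROL[spec]


def run_stack(stack, user):
    """Walk a stack the way libpam does and return the overall result code."""
    impression = None                       # None, 'success', or a failure code
    for control, module in stack:
        rc = module(user)
        table = parse_control(control)
        action = table.get(rc, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A failure under 'ok' overrides an earlier success, never an earlier failure.
            if impression is None or (impression == "success" and rc != "success"):
                impression = rc
            if action == "done" and impression == "success":
                break                       # 'sufficient' short-circuits only on success
        elif action in ("bad", "die"):
            if impression in (None, "success"):
                impression = rc             # the first recorded failure wins
            if action == "die":
                break
    return impression if impression is not None else "perm_denied"


# The two 'account' stacks quoted in the reply above.
SVEN_ACCOUNT = [
    ("sufficient", pam_succeed_if_uid_below(1000)),
    ("[default=bad success=ok user_unknown=ignore]", pam_ldap),
    ("required", pam_permit),
]
BUCHAN_ACCOUNT = [
    ("sufficient", pam_localuser),
    ("sufficient", pam_ldap),
    ("required", pam_deny),
]

# Constructed sample principals covering the interesting cases.
USERS = [
    User("root", local=True, uid=0),
    User("carol", local=True, uid=1001),            # local human account
    User("alice", in_ldap=True),
    User("bob", in_ldap=True, ldap_expired=True),
    User("mallory"),                                # known to nobody
]


def compare(stack_a=SVEN_ACCOUNT, stack_b=BUCHAN_ACCOUNT, users=USERS):
    """Return {name: (result under stack_a, result under stack_b)}."""
    return {u.name: (run_stack(stack_a, u), run_stack(stack_b, u)) for u in users}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:8} first stack: {a:13} second stack: {b}")
```

Under this model the two stacks agree for local and active LDAP users, but differ at the edges: the first stack ends in `pam_permit`, so a name that neither `pam_succeed_if` nor `pam_ldap` recognises still passes the account phase, and an expired LDAP account surfaces its own error code; the second stack ends in `pam_deny`, so anything not explicitly granted by one of the `sufficient` lines is denied. That is the general defensive pattern: finish a stack with `pam_deny.so` so the default is refusal.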
Understanding TLS SSF
by J Davis
Greetings,
I'm testing an installation of openldap 2.4.9. I want to enforce TLS for all
access to the directory.
My problem is that I cannot get the client to meet the ssf restrictions I
have in place. The documentation I've seen on ssf and tls_ssf is very sparse,
so I don't really understand what it does.
I'm using self signed cert created using the openssl CA.sh script.
Relevant portions of the slapd.conf...
TLSCACertificateFile /etc/ldap/ssl/cacert.pem
TLSCertificateFile /etc/ldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
...
access to *
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
Relevant portions of the ldap.conf...
TLS_CACERT /etc/ldap/ssl/cacert.pem
With those ACLs in place I get the following error:
$ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b "uid=jake,ou=people,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
And slapd in debug mode shows me that I didn't meet the ssf requirements...
connection_read(15): unable to get TLS client DN, error=49 id=0
conn=0 fd=15 TLS established tls_ssf=32 ssf=32
...
<= check a_authz.sai_tls_ssf: ACL 128 > OP 32
I'm not really sure where to go from here. Any advice about how to increase
the SSF of my connection would be greatly appreciated.
Thanks,
-Jake
14 years, 10 months