openldap-technical July 2008

openldap-technical@openldap.org

67 participants
78 discussions

Troubleshooting syncrepl
by John Oliver 30 Jul '08

30 Jul '08

I've set up a pair of OpenLDAP servers to work with, so that I can figure out my SSL problem without worrying about breaking my currently-working LDAP server. I got the producer up and running in about two minutes. I expected to get the consumer up just as fast, but ran into a problem... the sunchronization isn't succeeding. So I started logging and got: Consumer: Jul 30 08:55:32 unix-services2 slapd[8041]: slapd starting Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: added 4r Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: added 7r Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: select: listen=7 active_threads=0 tvp=zero Jul 30 08:55:32 unix-services2 slapd[8041]: =>do_syncrepl Jul 30 08:55:32 unix-services2 slapd[8041]: do_syncrep1: ldap_sasl_bind_s failed (49) Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: shutdown requested and initiated. Jul 30 08:55:32 unix-services2 slapd[8041]: daemon: closing 7 Jul 30 08:55:32 unix-services2 slapd[8041]: slapd shutdown: waiting for 0 threads to terminate Producer: Jul 30 08:55:18 test1 slapd[4919]: connection_get(13) Jul 30 08:55:18 test1 slapd[4919]: connection_get(13): got connid=0 Jul 30 08:55:18 test1 slapd[4919]: connection_read(13): checking for input on id=0 Jul 30 08:55:18 test1 slapd[4919]: ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable) Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=7 active_threads=0 tvp=NULL Jul 30 08:55:18 test1 slapd[4919]: daemon: select: listen=8 active_threads=0 tvp=NULL Jul 30 08:55:18 test1 slapd[4919]: do_bind Jul 30 08:55:18 test1 slapd[4919]: >>> dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com> Jul 30 08:55:18 test1 slapd[4919]: <<< dnPrettyNormal: <cn=syncuser,dc=mydomain,dc=com>, <cn=syncuser,dc=mydomain,dc=com> Jul 30 08:55:18 test1 slapd[4919]: do_bind: version=3 dn="cn=syncuser,dc=mydomain,dc=com" method=128 Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 BIND dn="cn=syncuser,dc=mydomain,dc=com" method=128 Jul 30 08:55:18 test1 slapd[4919]: ==> bdb_bind: dn: cn=syncuser,dc=mydomain,dc=com Jul 30 08:55:18 test1 slapd[4919]: bdb_dn2entry("cn=syncuser,dc=mydomain,dc=com") Jul 30 08:55:18 test1 slapd[4919]: => bdb_dn2id("cn=syncuser,dc=mydomain,dc=com") Jul 30 08:55:18 test1 slapd[4919]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: conn=0 op=0 p=3 Jul 30 08:55:18 test1 slapd[4919]: send_ldap_result: err=49 matched="" text="" Jul 30 08:55:18 test1 slapd[4919]: send_ldap_response: msgid=1 tag=97 err=49 Jul 30 08:55:18 test1 slapd[4919]: conn=0 op=0 RESULT tag=97 err=49 text= Googling for do_syncrep1: ldap_sasl_bind_s failed (49) indicates that this is likely to be an authentication issue with my syncuser. I double-checked the password, and verified that it's set as cleartext in slapd.conf I then tried to log on to a machine using the producer as the authentication server, since there's nothing (that I can think of) that makes this user in any way special. It logs on... and about a half second later is booted back out. No logs on the client machine indicate why. Googling bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) led to many mentions of this almost certainly being a permissions issue, but: [root@test1 ~]# ls -l /var/lib/ldap/ total 69816 -rw-r--r-- 1 ldap ldap 2048 Jul 30 08:54 alock -rw------- 1 ldap ldap 28672 Jul 29 15:45 cn.bdb -rw------- 1 ldap ldap 24576 Jul 29 15:45 __db.001 -rw------- 1 ldap ldap 80019456 Jul 29 15:45 __db.002 -rw------- 1 ldap ldap 335552512 Jul 29 15:45 __db.003 -rw------- 1 ldap ldap 2359296 Jul 29 15:45 __db.004 -rw------- 1 ldap ldap 352256 Jul 29 15:45 __db.005 -rw------- 1 ldap ldap 24576 Jul 29 15:45 __db.006 -rw-r----- 1 ldap ldap 886 Jul 29 15:41 DB_CONFIG -rw------- 1 ldap ldap 24576 Jul 29 15:45 dn2id.bdb -rw------- 1 ldap ldap 8192 Jul 29 15:45 gidNumber.bdb -rw------- 1 ldap ldap 20480 Jul 29 15:45 givenName.bdb -rw------- 1 ldap ldap 98304 Jul 30 08:54 id2entry.bdb -rw------- 1 ldap ldap 10485760 Jul 30 08:54 log.0000000001 -rw------- 1 ldap ldap 8192 Jul 29 15:45 loginShell.bdb -rw------- 1 ldap ldap 8192 Jul 29 15:45 mail.bdb -rw------- 1 ldap ldap 20480 Jul 29 15:45 memberUid.bdb -rw------- 1 ldap ldap 8192 Jul 29 15:45 objectClass.bdb -rw------- 1 ldap ldap 8192 Jul 29 15:45 ou.bdb -rw------- 1 ldap ldap 20480 Jul 29 15:45 sn.bdb -rw------- 1 ldap ldap 20480 Jul 29 15:45 uid.bdb -rw------- 1 ldap ldap 8192 Jul 29 15:45 uidNumber.bdb They look OK to me. What can I do to further troubleshoot this issue? I want to make 100% sure that my underlying LDAP is working before I tackle the SSL part. -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

1 1

role based access to various systems
by amit vyas 30 Jul '08

30 Jul '08

Hi All, I am little bit new to LDAP directory system. Presently, i am using OpenLDAP to authenticate users. Now i want authorization for various system(Like versioning system, bug tracking system etc.) So want to store the access rights corresponding to different roles in LDAP (Read, Write, Update, Delete permissions). Can anybody give me sample .ldif for the same or any other useful information. It will be very useful......... Regards Amit Download prohibited? No problem. CHAT from any browser, without download. Go to http://in.webmessenger.yahoo.com/

2 1

Autofs-OpenLDAP Assistance
by Santosh Balan 30 Jul '08

30 Jul '08

Hi Friends, I am new to this LDAP community. I am haivng redhat evironment on my servers and my clients are also linux based thin clients or redhat linux based clients. I am trying to configure LDAP to authenticate my user to login to the machine and then automatically mount a partition to the user's machine. I have searched through the net and unable to find an appropriate doccumentation on the same. Can you please guide and provide some appropriate doccumentation or method as how I hv to go about with the installation of OpenLDAP and autofs such that it will authenticate my users and automatically mounts the users partition. Thanks and Regards Santosh Balan +91-9819419509 = -- Powered by Outblaze

3 2

Re: N-way multimaster
by Miguel Jinez 29 Jul '08

29 Jul '08

Sure In this case the process was: master B and master C are without service master A performs a delete restart masters A B C Master A: # 20080729212056.000003Z, accesslog dn: reqStart=20080729212056.000003Z,cn=accesslog objectClass: auditDelete reqStart: 20080729212056.000003Z reqEnd: 20080729212056.000004Z reqType: delete reqSession: 33 reqAuthzID: cn=admin,dc=ar reqDN: cn=pbo101,dc=dominio,dc=ar reqResult: 0 Master B: # 20080729212438.000000Z, accesslog dn: reqStart=20080729212438.000000Z,cn=accesslog objectClass: auditModify reqStart: 20080729212438.000000Z reqEnd: 20080729212438.000001Z reqType: modify reqSession: 4294967295 reqAuthzID: cn=admin,dc=ar reqDN: dc=ar reqResult: 0 reqMod: contextCSN:= 20080728211620.143999Z#000000#003#000000 reqMod: contextCSN:= 20080729212056.356833Z#000000#001#000000 reqMod: contextCSN:= 20080728211533.044990Z#000000#002#000000 Master C: # 20080729212911.000000Z, accesslog dn: reqStart=20080729212911.000000Z,cn=accesslog objectClass: auditModify reqStart: 20080729212911.000000Z reqEnd: 20080729212911.000002Z reqType: modify reqSession: 4294967295 reqAuthzID: cn=admin,dc=ar reqDN: dc=ar reqResult: 0 reqMod: contextCSN:= 20080728211620.143999Z#000000#003#000000 reqMod: contextCSN:= 20080729212056.356833Z#000000#001#000000 reqMod: contextCSN:= 20080728211533.044990Z#000000#002#000000 Migue 2008/7/29 Gavin Henry <ghenry(a)openldap.org> > <quote who="Miguel Jinez"> > > Hi I have test from zero and I have test with historical information, I > > have > > found my old configuration and the logs are different, here master A: > > Can we see your actual logs, not the accesslog ones after the test when/i > fit fails. > > Thanks. > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ >

1 0

translucent overlay with local-only entries
by Sven Ulland 29 Jul '08

29 Jul '08

I'm trying to extend an ldap directory using the translucent overlay, like many before me: http://www.openldap.org/lists/openldap-software/200802/msg00128.html http://www.openldap.org/lists/openldap-software/200802/msg00267.html http://www.openldap.org/lists/openldap-software/200511/msg00216.html http://www.openldap.org/lists/openldap-software/200707/msg00471.html Before version 2.4.8, this wasn't possible. Howard Chu seems to have fixed this in rev 1.40 (before release 2.4.8) of translucent.c: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/overlays/translucent… (http://www.openldap.org/lists/openldap-bugs/200712/msg00109.html) Although it seems to have been fixed, I cannot get it to work on my setup. I use the packaged v2.4.10 in Debian testing. My config: # Config start include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_hdb moduleload back_ldap moduleload translucent sizelimit 500 tool-threads 1 backend hdb backend ldap database hdb directory /var/lib/ldap/translucent suffix "dc=example,dc=com" rootdn "cn=admin,dc=mybranch,dc=example,dc=com" rootpw "admin" overlay translucent uri "ldap://172.27.27.37" idassert-bind bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials="admin" mode=none idassert-authzFrom "dn.subtree:dc=example,dc=com" # Config end This works perfectly fine for searches where the entry is remote. Changing entries works fine well, with the results stored in the local translucent db. Adding new entries works, but they are not returned on searches. I check this by running slapcat. So, it boils down to these questions: * Does Howard's patch not fully implement the searching? * Is my config wrong? * There is probably other ways to do this, perhaps using a meta ldap backend. With multiple backends, what determines where writes go? Probably where the object is based, but what about new objects? * Is it cleaner to keep my "branch" of the tree under a subdomain, such as mybranch.example.com using rwm, or should they all be on the main example.com domain? * Examples for exotic overlays are very scarce. It would be very helpful if anyone could provide their configuration file. sven

1 0

Modifying every entry in an LDAP address book
by Carr, Chris 29 Jul '08

29 Jul '08

Hi All, Apologies if this is a stupid question, but I can't find the answer via Google. I need to make the same modification to every entry in my address book. Can I do this with a single ldapmodify command? If so, what is the syntax for the mod file? I'm assuming something like this: dn: ?? changetype: modify add: objectClass objectClass: evolutionPerson ... but I can't think what the DN would be, since I don't really understand how wildcards work in DNs, if at all. The entries I want to modify are all in ou=addressbook,dc=mydomain, but all have different cns. Second, some of the entries already have that object class - will this cause a problem? Will ldapmodify simply ignore those entries, or create a duplicate identical objectClass, or crash? Many thanks in advance, CC This e-mail may contain information which is confidential, legally privileged and/or copyright protected. This e-mail is intended for the addressee only. If you receive this in error, please contact the sender and delete the material from your computer

3 3

Client says Can't contact LDAP server, but it can!
by John Oliver 29 Jul '08

29 Jul '08

What can I do to troubleshoot this? OpenLDAP client says ldap_simple_bind Can't contact LDAP server but it can resolve the name, ping the server, connect to port 636... and I have no details as to why it thinks it cannot contact the server. Many other clients authenticate to the same server, and I'm using the same ldap.conf, nsswitch.conf, and pam.d/system-auth files. -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

7 21

Re: Client says Can't contact LDAP server, but it can!
by Gustavo Mendes de Carvalho 28 Jul '08

28 Jul '08

Hi There, I use self signed certificates with OpenLDAP, and everything works fine. Check bellow which commands I used to create this certificate ===> Self signed certificate generation (I am using RHAS 4 Up6) cd /usr/share/ssl rm -fr demoCA /usr/share/ssl/misc/CA -newca openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem /usr/share/ssl/misc/CA -sign ===> putting certificate files to correct place cp demoCA/cacert.pem /etc/openldap/cacerts/cacert.pem cp newcert.pem /etc/openldap/cacerts/servercrt.pem cp newreq.pem /etc/openldap/cacerts/serverkey.pem chmod 0400 /etc/openldap/cacerts/serverkey.pem chown -R ldap:ldap /etc/openldap/cacerts /etc/init.d/ldap restart ===> putting public certificate files in ldap client machines scp /etc/openldap/cacerts/cacert.pem root@<ip_client>:/etc/openldap/cacerts/. And set in ldap config files (in ldap client machine) the correct path When generating certificate file, be sure to specify in hostname field "hostname -f" output command. You can try using localhost too I hope it helps you --- Gustavo Mendes de Carvalho email: gmcarvalho(a)gmail.com Date: Mon, 28 Jul 2008 09:20:23 +0200 From: Buchan Milne <bgmilne(a)staff.telkomsa.net> Subject: Re: Client says Can't contact LDAP server, but it can! To: openldap-technical(a)openldap.org Cc: John Oliver <joliver(a)john-oliver.net> Message-ID: <200807280920.33142.bgmilne(a)staff.telkomsa.net> Content-Type: text/plain; charset="iso-8859-1" On Friday 25 July 2008 17:16:12 John Oliver wrote: > On Fri, Jul 25, 2008 at 10:20:55AM +0200, Buchan Milne wrote: > > On Friday 25 July 2008 01:13:37 John Oliver wrote: > > > On Thu, Jul 24, 2008 at 04:04:10PM -0700, Quanah Gibson-Mount wrote: > > > > Any client will need to know about the CA that signed your > > > > self-signed cert. > > > > > > I created my certificate with: > > > > > > openssl req -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout > > > /etc/openldap/ssl/ldap.pem -days 3650 > > > > > > In slapd.conf I have: > > > > > > TLSCertificateFile /etc/ssl/ldap.pem TLSCertificateKeyFile > > > /etc/openldap/ssl/ldap.pem TLSCACertificateFile /etc/ssl/ldap.pem > > > > > > What do I need to do differently? > > > > Configure the *client* ??? > > The clients work perfectly with the working server. Why would they > have to have a different configuration to talk to the backup LDAP server? They don't necessarily need a different configuration, but it being valid for one server doesn't guarantee it will be valid for another server, especially when it comes to ssl, certificate validation etc. > At the moment, I'm far more interested in getting the second LDAP > server working than I am in having perfect security. Then it's easy, turn off SSL. If you don't want to do that, turn of certificate validation. It's better than exposing keys. Or, ensure that the "CA certificate" that the clients use contains the certificates of the issuer of both of the server certificates, and that the value of the subject CN on both certificates matches the name you use to connect to the servers. Regards, Buchan

1 0

Re: N-way multimaster
by Miguel Jinez 28 Jul '08

28 Jul '08

Hi I have test from zero and I have test with historical information, I have found my old configuration and the logs are different, here master A: # 20080728211533.000002Z, accesslog dn: reqStart=20080728211533.000002Z,cn=accesslog objectClass: auditDelete reqStart: 20080728211533.000002Z reqEnd: 20080728211533.000003Z reqType: delete reqSession: 387 reqAuthzID: cn=admin,dc=ar reqDN: cn=user1000,dc=osde1,dc=ar reqResult: 0 Here master B # 20080728211533.000002Z, accesslog dn: reqStart=20080728211533.000002Z,cn=accesslog objectClass: auditDelete reqStart: 20080728211533.000002Z reqEnd: 20080728211533.000003Z reqType: delete reqSession: 387 reqAuthzID: cn=admin,dc=ar reqDN: cn=user1000,dc=osde1,dc=ar reqResult: 0 I am just using accesslog to look what is happening Greetings 2008/7/28 Gavin Henry <ghenry(a)openldap.org> > Hi, > > I meant originally. To test for me: > > 1. Emtpy both databases, including the accesslogs (accesslog not needed > here) > 2. Add original data to one node only, with the other switched off. > 3. Bring the other one up and let it pull data from the first node. > 4. Test they are the same and then try your delete situation. > > I think you've either added fresh data to each node so their *CSN values > are different so the deletes won't work. > > Please test and report back. > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ > > >

1 1

Re: N-way multimaster
by Miguel Jinez 28 Jul '08

28 Jul '08

Hi With my configuration at this time I have in one side: # 20080728202600.000001Z, accesslog dn: reqStart=20080728202600.000001Z,cn=accesslog objectClass: auditDelete reqStart: 20080728202600.000001Z reqEnd: 20080728202600.000002Z reqType: delete reqSession: 604 reqAuthzID: cn=admin,dc=ar reqDN: cn=user100,dc=osde1,dc=ar reqResult: 0 and nothing in the other side, let me try olds configurations to show you the mofify message 2008/7/26 Gavin Henry <ghenry(a)openldap.org> > <quote who="Miguel Jinez"> > > Yes, deletes are performed in one node > > How did you original load the data on each node? > > Can you show the failed delete logs? > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ >

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2008