openldap-technical July 2008

openldap-technical@openldap.org

67 participants
78 discussions

ldap changes
by Daniel Lamb 08 Jul '08

08 Jul '08

Hi I was wondering if there is a simple way to clear out the data within ldap, the first time I do an install it asked for a password but even if I try and reconfigure it, it does not ask for the password again, I have installed it using "apt-get install slapd ldap-utils migrationtools" on Ubuntu 8.04, the reason I would like to clear it out is so I can make a distro which has the software installed and only needs the config files changed. Cheers, Daniel

2 1

nss_ldap error
by GanGan 08 Jul '08

08 Jul '08

hello all, I have a ldap server and tls (all command on local in the server ldap) [root@srvtest3 /]# ldapsearch -x -H ldap://srvtest3.test.org -ZZ '*' # extended LDIF # # LDAPv3 # base with scope subtree # filter: (objectclass=*) # requesting: * # # midian.org dn: dc=midian,dc=org objectClass: top objectClass: dcObject objectClass: organization o: Midian dc: midian [...] # search result search: 3 result: 0 Success # numResponses: 13 # numEntries: 12 tls is ok ? non ? ps -ef | grep slapd : root 32279 1 0 00:42 ? 00:00:02 /usr/sbin/slapd -4 in my log sshd : July 08 10:13:11 srvtest3 sshd[1482]: nss_ldap: could not search LDAP server - Server is unavailable I do not see what side look -- gangan

1 0

Real idletimeout more than configured idletimeout
by Eric Déchaux 07 Jul '08

07 Jul '08

Dear openldap gurus, I am hitting some strange behavior with the idle sessions timeout feature. In my configuration this timeout is set to 60 seconds on 4 slaves that are behind a load balancer. This load balancer times-out idle sessions after 90 seconds, which should be fine. Openldap version is the stable one from Debian Etch r3. I however encounter random connection issues that have been traced to the load balancer timeouting and idle session *before* the ldap slave. I have straced the slapd process and I found out the applyed idletimeout was way above the configured one, please check the two following strace output : Output 1 futex(0x603428, FUTEX_WAKE, 1) = 1 select(16, [4 6 7], NULL, NULL, {300, 0}) = 1 (in [6], left {238, 132000}) accept(6, {sa_family=AF_INET, sin_port=htons(34103), sin_addr=inet_addr("192.168.1.1")}, [4647729933731233808]) = 12 setsockopt(12, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 setsockopt(12, SOL_TCP, TCP_NODELAY, [1], 4) = 0 open("/etc/hosts.allow", O_RDONLY) = 15 fstat(15, {st_mode=S_IFREG|0644, st_size=677, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaccb3000 read(15, "# /etc/hosts.allow: list of host"..., 4096) = 677 read(15, "", 4096) = 0 close(15) = 0 munmap(0x2aaaaccb3000, 4096) = 0 open("/etc/hosts.deny", O_RDONLY) = 15 fstat(15, {st_mode=S_IFREG|0644, st_size=901, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaccb3000 read(15, "# /etc/hosts.deny: list of hosts"..., 4096) = 901 read(15, "", 4096) = 0 close(15) = 0 munmap(0x2aaaaccb3000, 4096) = 0 fcntl(12, F_GETFL) = 0x2 (flags O_RDWR) fcntl(12, F_SETFL, O_RDWR|O_NONBLOCK) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2945, ...}) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2945, ...}) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2945, ...}) = 0 sendto(3, "<167>Jul 1 09:14:14 slapd[2765]"..., 102, MSG_NOSIGNAL, NULL, 0) = 102 select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 1 (in [12], left {15, 0}) read(12, "0b\2\1\1`]\2", 8) = 8 [ some uninteresting ldap stuff ] futex(0x603428, FUTEX_WAKE, 1) = 1 read(12, 0x6f30ff, 8) = -1 EAGAIN (Resource temporarily unavailable) futex(0x2b0db3b35dc8, FUTEX_WAKE, 1) = 1 select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) write(5, "0", 1) = 1 shutdown(12, 2 /* send and receive */) = 0 close(12) = 0 Here, we can see 5 select system calls for a real idletimeout is 75 seconds instead of 60. Output 2 futex(0x603428, FUTEX_WAKE, 1) = 1 select(16, [4 6 7], NULL, NULL, {300, 0}) = 1 (in [6], left {230, 828000}) accept(6, {sa_family=AF_INET, sin_port=htons(51692), sin_addr=inet_addr("192.168.1.1")}, [4647729933731233808]) = 12 setsockopt(12, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 setsockopt(12, SOL_TCP, TCP_NODELAY, [1], 4) = 0 open("/etc/hosts.allow", O_RDONLY) = 15 fstat(15, {st_mode=S_IFREG|0644, st_size=677, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaccb3000 read(15, "# /etc/hosts.allow: list of host"..., 4096) = 677 read(15, "", 4096) = 0 close(15) = 0 munmap(0x2aaaaccb3000, 4096) = 0 open("/etc/hosts.deny", O_RDONLY) = 15 fstat(15, {st_mode=S_IFREG|0644, st_size=901, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaccb3000 read(15, "# /etc/hosts.deny: list of hosts"..., 4096) = 901 read(15, "", 4096) = 0 close(15) = 0 munmap(0x2aaaaccb3000, 4096) = 0 fcntl(12, F_GETFL) = 0x2 (flags O_RDWR) fcntl(12, F_SETFL, O_RDWR|O_NONBLOCK) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2945, ...}) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2945, ...}) = 0 stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2945, ...}) = 0 sendto(3, "<167>Jul 1 09:19:21 slapd[2765]"..., 102, MSG_NOSIGNAL, NULL, 0) = 102 select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 1 (in [12], left {15, 0}) read(12, "0b\2\1\1`]\2", 8) = 8 [ some uninteresting ldap stuff ] futex(0x2b0db3b35dc8, FUTEX_WAKE, 1) = 1 select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) select(16, [4 6 7 12], NULL, NULL, {15, 0}) = 0 (Timeout) write(5, "0", 1) = 1 shutdown(12, 2 /* send and receive */) = 0 close(12) = 0 Here, we can see 5 select system call for a real idletimeout is 75 Here we have 6 select system calls for a real idletimeout of 90 seconds which is enough for the session to expire on the load balancer. I have checked the source code and the logic that choose either to idletimeout the session or go into a "SLAP_EVENT_WAIT" (select) call is the following : from server/slap/daemon.c now = slap_get_time(); if ( ( global_idletimeout > 0 ) && difftime( last_idle_check + global_idletimeout/SLAPD_IDLE_CHECK_LIMIT, now ) < 0 ) { connections_timeout_idle( now ); last_idle_check = now; } As I understand this, no connection should be tested against the idletimeout before any "event wait loop" takes more time than the idletimeout parameter / 4. In my case, I need the "event wait loop" to last more than 15 seconds for connections to be checked against aging. If I am not mistaken, as the difftime call compares seconds, I need the loop to last a least for 16 seconds for the connections_timeout_idle procedure to be called. Am I understanding everything the right way ? If it is the case, shouldn't the difftime call be tested <= 0 to help idle sessions to be cleaned sonner ? Many thanks. -- Eric Déchaux Ingénieur Kébabiste Sun Microsystems Services France

2 3

Identifying replicas behind a load balancer
by Sean Burford 06 Jul '08

06 Jul '08

Hi, To help with troubleshooting I would like to identify my replicas through an ldap search, even when they are behind a load balancer. I was wondering what method and attribute other people generally use for this purpose. The RootDSE may be unique for each host, I can add a RootDSE config line to slapd.conf to insert an ldif into the root DSE, so it seems to be the ideal spot for per server identification. Other spots include cn=monitor, cn=config, cn=Subschema or the main directory tree. The monitorConnectionPeerAddress attribute in cn=monitor isn't useable for identifying the server, since the address appears as IP=0.0.0.0:389. cn=config isn't generally accessible so also isn't suitable. The subschema could conceivably be twisted for this purpose. The main directory tree is replicated so is not suitable for identifying unique servers. The RootDSE schema specifies that it may have a cn. OpenLDAP does not provide one by default. Is it safe to use cn=hostname.domain.name? It seems easiest to use CN for the host name, if it isn't earmarked for something else in the RootDN. The alternative would be to supplement the rootDSE with one or more new attributes. I've had a look at how Active Directory and Novell Directory Service identify servers. They both use attributes with similar names and definitions. Active Directory has three attributes that are used in the root DSE to identify the host. Novell Directory Service has the same three attributes with very similar names and equivalent descriptions/usage. The attributes are: * dnsHostName: The DNS name of this DC. * serverName: DN for the server object for this directory server as defined in the Configuration container. * ldapServiceName: The UPN (User Principal Name) of the domain controller hosting this instance of RootDSE. Computer objects are just special forms of User objects, so they can have UPNs. The dollar sign is Microsoft shorthand dating back to classic NT and SAM. It indicates a hidden or secret object. eg: $ ldapsearch -x -W -D unix.gurus(a)example.com -H ldaps://dc.example.com -b "" -s base serverName dnsHostName ldapServiceName dnsHostName: dc.example.com serverName: CN=DC,CN=Servers,CN=Configuration,DC=example,DC=com ldapServiceName: example.com:dc$@EXAMPLE.COM The schema for these attributes is described in various places. The existing schema is somewhat unsatisfactory with the dnsHostName OID (1.2.840.113556.1.4.619) being a duplicate of the lazy commit control OID and serverName syntax being a Directory String rather than a Distinguished Name. For my testing I've defined the following non standard attributes. There doesn't seem to be a need for an equality matching rule since these are single valued rootDSE attributes: # Non standard AD dNSHostName attribute (defines a max length in the syntax) attributetype ( 1.2.840.113556.1.4.619 NAME 'dNSHostName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15{256}' DESC 'DNS name of the directory server hosting this RootDSE.' SINGLE-VALUE ) # Non standard AD serverName attribute (DN syntax instead of Directory String) attributetype ( 1.2.840.113556.1.4.223 NAME 'serverName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' DESC 'DN for the server object for this directory server.' SINGLE-VALUE ) -- Thanks, Sean Burford

2 1

Trouble setting password
by Fred Zinsli 05 Jul '08

05 Jul '08

Hello everyone Newby here. I am having trouble getting started with my new ldap install. I got it installed on FC8 and am now attempting to configure it. I am attempting to setup the default password and I am getting this message. [root@dofiss ~]# ldappasswd SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database This is my second day on trying to sort this out so any comments would be most helpful. Regards Fred

2 2

[ldap with tls] installation problem
by GanGan 04 Jul '08

04 Jul '08

Hello all, I try to install tls for ldap but without success :( I make a CA (compiled openssl) when i start ldap with : service ldap start i have this logs : May 27 20:39:29 srvtest3 slapd[19546]: @(#) $OpenLDAP: slapd 2.3.27 (Jun 27 2007 08:48:26) $ brewbuilder@ls20-bc1-13.build.redhat.com:/builddir/build/BUIL D/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable May 27 20:39:29 srvtest3 slapd[19546]: nss_ldap: could not search LDAP server - Server is unavailable May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 39: rootdn is always granted unlimited privileges. May 27 20:39:29 srvtest3 slapd[19546]: /etc/openldap/slapd.conf: line 44: rootdn is always granted unlimited privileges. May 27 20:39:29 srvtest3 slapd[19546]: main: TLS init def ctx failed: -1 May 27 20:39:29 srvtest3 slapd[19546]: slapd stopped. May 27 20:39:29 srvtest3 slapd[19546]: connections_destroy: nothing to destroy. my /etc/openldap/slapd.conf is : include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # logs loglevel 4 # needed for login_ldap allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args database bdb suffix "dc=midian,dc=org" rootdn "cn=god,dc=midian,dc=org" rootpw {SSHA}EkM4ViGxzWnZQ2n5hKBBcfffFMTcCO-0E4 directory /var/lib/ldap index objectClass eq # ACL access to attrs=userPassword by self write by anonymous auth by dn="cn=god,dc=midian,dc=org" write by * none access to * by self write by dn="cn=god,dc=midian,dc=org" write by * read # CA signed certificate and server cert entries: # TLS & SSL TLSCertificateFile /etc/openldap/cacerts/srvtest3.test.org.pem TLSCertificateKeyFile /etc/openldap/cacerts/srvtest3.test.org.key TLSCACertificateFile /etc/ssl/cacert.pem TLSVerifyClient never my /etc/openldap/ldap.conf base dc=midian,dc=org uri ldap//srvtest3.test.org/ ldap_version 3 TLS_CACERT /etc/ssl/cacert.pem TLS_REQCERT demand my /etc/ldap.conf # SSL & TLS ssl start_tls #ssl on #tls_checkpeer yes # Afin que le client puisse valider l'identitéu serveur, on doit le fournir la cléublique # du CA avec laquelle il pourra éblir que le certificat du serveur a bien é signéar # la clérivéde cette mê CA. TLS_CACERT /etc/openldap/cacerts/ldap.crt # On demande élement au client de toujours valider l'identitéu serveur. TLS_REQCERT demand # IP du serveur ldap #host 127.0.0.1 uri ldap://srvtest3.test.org/ # Le DN de base pour effectuer les recherches base dc=midian,dc=org # Optimisation de recherche dans la base scope=one # Pour que le poste demarre meme si le server ldap ne repond pas bind_policy soft # Version du protocole utilise ldap_version 3 # Port ecoute serveur port 389 # Filtres de validation dun utilisateur pam_filter objectclass=account pam_filter host=srvtest3.test.org # Attribut compare avec lindentifiant de connexion de lutilisateur pam_login_attribute uid # Verification attribut host pam_check_host_attr yes # DN groupe auquel il faut appartenir pour acces machine locale pam_groupdn ou=group,dc=midian,dc=org # Definit lattribut dappartenance au groupe pam_member_attribute member # password envoi serveur pam_password crypt # Parametres nss-ldap de recherche nss_base_passwd ou=user,dc=midian,dc=org?sub nss_base_shadow ou=user,dc=midian,dc=org?sub nss_base_group ou=group,dc=midian,dc=org?sub nss_base_hosts ou=machines,dc=midian,dc=org?sub if someone could help me it would be nice sorry for my bad english - GanGan -

2 1

Performance - keep connection open between operations?
by k bah 03 Jul '08

03 Jul '08

I have some code that connects do LDAP, and between LDAP operations for a connection made, I have to contact other server (not LDAP), I wanna know if closing the connection to LDAP and then making it again (and of course a new bind) will take more time (I guess so) than wait for the "other" server to respond, and keep the connection to LDAP open. On some tests, the whole code (connect to the other server, closing that connection, and after that connecting to LDAP), with similar operations (operations performed on the "other" server and on the LDAP server) take no more than 1 second. The test was made with a *test* LDAP server, serves just me, but the "other" server, is a production one, that "almost 1 second group of operations" was made on a test LDAP server, and a real "other" server(busy), our company has a huge network and that server is clustered, thousands of connections/minute. I think it's best to connect to LDAP, bind, make operations on LDAP server, keep the connection open, query the "other" server, then get back with the LDAP operations, and just then close the connection to the LDAP server, what do you think? thanks = Home Business Miracle Discover How I Made $72,144.13. Last Month Giving Away Free Training. http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=650f274a600e14d771ac3ee… -- Powered by Outblaze

2 1

Integrate openldap with postfix
by Aravind Arjunan 03 Jul '08

03 Jul '08

hi, I had configured postfix for my mail server which is working fine. I had configured openldap on the same server and added many entries in that. It is also working fine.when i use ldapsearch i can able to view the entries etc. The users which i had created in ldap is already there in OS for postfix. I had integrated openldap with postfix, to fetch the mail infromation from openldap. like mailid,mailQuota,mailbox location etc. But when i send mail to user it is fetching from openldap at all. It is strainght away delivering to mailbox.plz help me with this issue This is my main.cf file parameters. [root@master ~]# postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases, *ldap:aliases *command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix debug_peer_level = 2 html_directory = no inet_interfaces = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mydomain = panafnet.com myhostname = master.panafnet.com mynetworks = 192.168.117.0/24, 127.0.0.0/8 myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES relay_domains = $mydestination relayhost = $mydomain sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop unknown_local_recipient_reject_code = 550 *aliases_server_host = localhost aliases_server_port = 389 aliases_search_base = dc=panafnet,dc=com aliases_scope = sub aliases_bind = no aliases_query_filter = (&(objectClass=qmailUser)(mail=%s)) aliases_result_attribute = mailMessageStore aliases_timeout = 10 aliases_version = 3*

2 4

[ldap with tls] installation problem
by GanGan 03 Jul '08

03 Jul '08

1 0

Quota and groupOfUniqueNames
by AlexanDER Franca 03 Jul '08

03 Jul '08

Hi all. I have a Linux + ext3 system and I'm stuck in a situtation that I can't configure any quota of groups because all my groups are groupOfUniqueNames. I'm using Plone/Zope, so, now it's essential to use groupOfUniqueNames (and not posixGroup). Is there any way to fix this mess? Maybe I'm telling stupid things (like it's not possible use groupOfUniqueNames and group quota), I really don't know. Must I change schemas or something like that? []'s Alexander Brazil - Rio de Janeiro

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2008