Re: contextCSN
by Guillaume Arteta
Hello,
Sorry for my Google English :)
I have put 2 OpenLDAP masters into production, and I have the same question as
João Alfredo:
> So, if the result of this search is the same on all masters, this means that
> all servers are consistent, right?
OK, the ldapsearch (ldapsearch -x -h Master1 ... and ldapsearch -x -h master2
...) displays the same contextCSN values per server ID, but what does that
prove about them being synchronized?
The question is: why, on a master node, does the ldapsearch for contextCSN display 2
servers (001 & 002)?
Can a monitoring system be put in place to test the replication by
performing 2 ldapsearches and checking whether the values are synchronized?
Thanks
------
Arteta.
14 years, 9 months
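In a multi-master setup each server ID (the 001 and 002 in the question) gets its own contextCSN on the suffix entry, recording the newest change that server knows about from that master. A monitoring check along the lines Guillaume describes compares, for every server ID, the value held by each master: a master whose value for some SID is older than its peers' has not yet received that peer's latest change. The script below is an added example (not from the thread and not part of OpenLDAP); `fetch_context_csn` runs `ldapsearch` against a real host, while the two LDIF samples are constructed so the parsing and comparison can be exercised offline.

```python
"""Compare contextCSN values across several OpenLDAP masters.

Added example, not code from the original thread.  It assumes the suffix
entry of each master can be read anonymously with ldapsearch; the LDIF
outputs MASTER1_LDIF / MASTER2_LDIF are constructed sample data.
"""
import re
import subprocess

# A contextCSN looks like 20090130101500.000000Z#000000#001#000000:
# UTC timestamp # change counter # server ID (SID) # modification count
CSN_RE = re.compile(
    r"^(?P<ts>\d{14}\.\d{6}Z)#(?P<count>[0-9a-f]{6})"
    r"#(?P<sid>[0-9a-f]{3})#(?P<mod>[0-9a-f]{6})$"
)

# Constructed sample output: master2 has not yet seen master1's latest change.
MASTER1_LDIF = """\
dn: o=example
contextCSN: 20090130101500.000000Z#000000#001#000000
contextCSN: 20090130101230.000000Z#000000#002#000000
"""
MASTER2_LDIF = """\
dn: o=example
contextCSN: 20090130101400.000000Z#000000#001#000000
contextCSN: 20090130101230.000000Z#000000#002#000000
"""


def parse_context_csn(ldif_text):
    """Return {sid: csn} from the LDIF output of a contextCSN search."""
    csns = {}
    for line in ldif_text.splitlines():
        if not line.startswith("contextCSN:"):
            continue
        value = line.split(":", 1)[1].strip()
        m = CSN_RE.match(value)
        if m is None:
            raise ValueError("unexpected contextCSN format: %r" % value)
        csns[m.group("sid")] = value
    return csns


def fetch_context_csn(host, suffix):
    """Read the contextCSN values of the suffix entry from one master."""
    cmd = ["ldapsearch", "-x", "-LLL", "-h", host, "-s", "base",
           "-b", suffix, "contextCSN"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_context_csn(out)


def compare_masters(results):
    """results: {hostname: {sid: csn}}.  Returns a list of discrepancies.

    For each SID every master should hold the same value.  CSNs of one SID
    compare lexically in time order, so the largest string is the newest.
    """
    problems = []
    all_sids = set()
    for csns in results.values():
        all_sids.update(csns)
    for sid in sorted(all_sids):
        values = {host: csns.get(sid) for host, csns in results.items()}
        missing = [h for h, v in values.items() if v is None]
        if missing:
            problems.append("SID %s missing on %s" % (sid, ", ".join(missing)))
            continue
        if len(set(values.values())) > 1:
            newest = max(values.values())
            lagging = [h for h, v in values.items() if v != newest]
            problems.append("SID %s lagging on %s" % (sid, ", ".join(lagging)))
    return problems


def check_masters(hosts, suffix):
    """Query every master and return the list of discrepancies (empty = in sync)."""
    return compare_masters({h: fetch_context_csn(h, suffix) for h in hosts})


if __name__ == "__main__":
    sample = {"master1": parse_context_csn(MASTER1_LDIF),
              "master2": parse_context_csn(MASTER2_LDIF)}
    for problem in compare_masters(sample) or ["all masters in sync"]:
        print(problem)
```

Equal values for every SID mean each master has applied the same latest change from every other master; a lagging value that persists across several polls (longer than the expected replication delay) is what should raise an alert.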
Cache/Proxy/Replicating a distant, slow LDAP server
by Morten Mikkelsen
Hi.
I work at a rather large company that has a rather slow LDAP server
that impacts the performance of a wiki server I am using.
I am playing with the idea of setting up a cache or replication of the
company LDAP server locally to reduce time spent performing ldap
lookups, but as I am quite new to the world of LDAP and openldap, I
have a hard time getting the set-up right.
I would like to set up a server that does not impose any requirements
on the existing (slow) server at all. I only need a read-only server -
updates are made on the slow 'master' - and only a few percent of the
records are interesting to our wiki.
Having looked at caching and proxying, I ended up at setting my mind
on replication. As the master is out-of-bounds except for ldap queries
(no slurping-logs), the syncrepl-option seems to be the way to go.
I just can't get my head around the configuration.
The master LDAP has the following structure (as I see it)
o=company.com -> ou=commondirectory -> c=xx
Under commondirectory, all countries (such as 'dk', 'us' and a whole
bunch of others) are represented with the employees residing in them
listed below.
o=company.com -> ou=companygroups -> ou=groupmembers contain groups
that are used for controlling access to the wiki pages.
So what I need to have on my replicated server is: The groups and
people in the countries 'us' and 'dk'.
To start off easy, I try to replicate the c=dk at first - I've tried
adding the following to /etc/ldap/slapd.conf
syncrepl rid=111
provider=ldap://ldap.company.com:389
type=refreshOnly
interval=00:12:00:00
searchbase="c=dk,ou=commondirectory,o=company.com"
scope=one
updatedn="c=dk,ou=commondirectory,o=company.com"
which makes the server start without error messages, but when I query with
ldapsearch -x -h 127.0.0.1 -b "c=dk,ou=commondirectory,o=company.com"
'(objectClass=*)' I get no result: "result: 32 No such object"
What am I doing wrong?
--
/Morten
14 years, 9 months
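For comparison, here is an added example of a complete refreshOnly consumer database (not Morten's configuration and not the project's own; hostnames, DNs, passwords and the directory path are placeholders). The points it illustrates: the consumer database's suffix must contain the searchbase, otherwise the replicated entries have no database to land in; the syncrepl engine applies changes as the database's rootdn, so `updatedn` (a slurpd-era directive) is not needed; `scope=sub` replicates the base entry together with its subtree, whereas `scope=one` returns only the immediate children; and the provider must support the LDAP Content Synchronization protocol (the syncprov overlay on an OpenLDAP provider), otherwise the consumer's refresh request is rejected.

```conf
# Added example consumer (not from the thread); all names are placeholders.
database        hdb
suffix          "o=company.com"
rootdn          "cn=replica-admin,o=company.com"
rootpw          replica-secret
directory       /var/lib/ldap/company

# Read-only replica: clients that try to write are referred to the provider.
updateref       ldap://ldap.company.com:389

# One stanza per subtree to copy; each needs its own rid.  Continuation
# lines must be indented.  schemachecking=off avoids rejecting entries
# whose schema the replica does not carry.
syncrepl rid=111
        provider=ldap://ldap.company.com:389
        type=refreshOnly
        interval=00:12:00:00
        searchbase="c=dk,ou=commondirectory,o=company.com"
        scope=sub
        filter="(objectClass=*)"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=replica-reader,o=company.com"
        credentials=reader-secret
        schemachecking=off

syncrepl rid=112
        provider=ldap://ldap.company.com:389
        type=refreshOnly
        interval=00:12:00:00
        searchbase="ou=groupmembers,ou=companygroups,o=company.com"
        scope=sub
        filter="(objectClass=*)"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=replica-reader,o=company.com"
        credentials=reader-secret
        schemachecking=off
```

A quick way to see whether anything was copied at all is to search the replica with `-b "o=company.com" -s sub` rather than the c=dk base: if nothing at all comes back, the refresh itself failed (check the consumer's log at the syncrepl loglevel), whereas entries under a missing parent point at a scope or searchbase mismatch.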
OpenLDAP coredumps on startup (Solaris 10)
by Daniel Hoffend
Hello
I'm setting up an OpenLDAP directory server (2.4.13) including a 2nd one
as a backup/failover partner. After I had compiled, installed and
configured everything (database, sync, schema, etc.) and imported the
basic LDAP layout (ou=Users, ou=Groups, etc.), I wanted to use this
directory for user authentication over LDAP.
I switched user/group lookups to LDAP using the 'ldapclient' command and
modified /etc/nsswitch.conf to use "files ldap" for passwd and
group.
Everything seems to work. 'getent passwd' and 'getent group' list
my LDAP users and groups. But when I try to restart the slapd server it
sometimes crashes with a coredump.
----------------------------------------------------------------------
# /usr/local/libexec/slapd -d 65535 -u openldap -g openldap
@(#) $OpenLDAP: slapd 2.4.13 (Jan 30 2009 12:02:48) $
root@ldapserver:/usr/local/src/openldap-2.4.13/servers/slapd
ldap_pvt_gethostbyname_a: host=ldapserver, r=0
daemon_init: <null>
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
Bus Error (core dumped)
----------------------------------------------------------------------
Not every time; sometimes several times in a row, sometimes after a 2nd
start. I've no clue what it could be.
In the LDAP logfile, I found the 2 following lines
----------------------------------------------------------------------
Jan 30 16:26:56 ldapserver slapd[9494]: [ID 555073 local4.error] tid= 1:
multiple threads per connection not supported
Jan 30 16:26:56 ldapserver slapd[9494]: [ID 555073 local4.error] tid= 1:
multiple threads per connection not supported
----------------------------------------------------------------------
I started to run the slapd server under "truss" to see where the server
starts to coredump.
----------------------------------------------------------------------
# truss /usr/local/libexec/slapd -d 65535 -u openldap -g openldap
[...]
open("/etc/nsswitch.conf", O_RDONLY|O_LARGEFILE) = 9
fcntl(9, F_DUPFD, 0x00000100) Err#22 EINVAL
read(9, " #\n # C o p y r i g h".., 1024) = 1024
read(9, " g u r e i t o u t ".., 1024) = 245
read(9, 0xFF092400, 1024) = 0
close(9) = 0
fstat(3, 0xFFBFCAE8) = 0
time() = 1233329411
getpid() = 9512 [9511]
putmsg(3, 0xFFBFC1A0, 0xFFBFC194, 0) = 0
open("/var/run/syslog_door", O_RDONLY) = 9
door_info(9, 0xFFBFC0D8) = 0
getpid() = 9512 [9511]
door_call(9, 0xFFBFC0C0) = 0
close(9) = 0
fstat(3, 0xFFBFCB88) = 0
time() = 1233329411
getpid() = 9512 [9511]
putmsg(3, 0xFFBFC240, 0xFFBFC234, 0) = 0
open("/var/run/syslog_door", O_RDONLY) = 9
door_info(9, 0xFFBFC178) = 0
getpid() = 9512 [9511]
door_call(9, 0xFFBFC160) = 0
close(9) = 0
Incurred fault #5, FLTACCESS %pc = 0x0008E1FC
siginfo: SIGBUS BUS_ADRALN addr=0x00000191
Received signal #10, SIGBUS [default]
siginfo: SIGBUS BUS_ADRALN addr=0x00000191
----------------------------------------------------------------------
It looks like the server starts to crash after reading nsswitch.conf. I
changed the following line in nsswitch.conf and the server now starts
fine without any further problems (even 20x in a row).
----------------------------------------------------------------------
Before: group files ldap
After: group files
----------------------------------------------------------------------
Another thing: if the server could start up without problems, it never
crashed again. It's only sometimes during the initial startup.
I would be happy if anyone could help me or point me to what I could
adjust. If needed I could provide more information.
--
Best regards
Daniel Hoffend
14 years, 9 months
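A point worth checking in any setup like Daniel's: `slapd -u openldap -g openldap` resolves those two names through the NSS passwd and group lookups, and when nsswitch.conf routes those lookups to `ldap`, starting the server can depend on a lookup against the very server that is not yet running. The check below is an added example (not part of Daniel's post or of OpenLDAP) that flags the case where slapd's own user or group would not be answered from local files before the `ldap` source is consulted; the nsswitch.conf, passwd and group contents in the test are constructed.

```python
"""Check that the identity slapd is started as (-u/-g) resolves from local
files rather than through an LDAP lookup.

Added example, not part of the thread or of OpenLDAP.  Point it at the
real /etc/nsswitch.conf, /etc/passwd and /etc/group on the LDAP host.
"""


def nss_sources(nsswitch_text, database):
    """Return the ordered source list for one nsswitch database
    ('passwd', 'group', ...), e.g. ['files', 'ldap']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            # Status/action tokens such as [NOTFOUND=return] are not sources.
            return [tok for tok in rest.split() if not tok.startswith("[")]
    return []


def in_local_file(file_text, name):
    """True if `name` is the first field of a line in a passwd/group file."""
    return any(line.split(":", 1)[0] == name
               for line in file_text.splitlines()
               if line and not line.startswith("#"))


def check_slapd_identity(nsswitch_text, passwd_text, group_text, user, group):
    """Return warnings where resolving slapd's own user or group at startup
    would reach the 'ldap' source before a local 'files' answer."""
    warnings = []
    for db, text, name in (("passwd", passwd_text, user),
                           ("group", group_text, group)):
        sources = nss_sources(nsswitch_text, db)
        if "ldap" not in sources:
            continue
        files_first = ("files" in sources
                       and sources.index("files") < sources.index("ldap"))
        if files_first and in_local_file(text, name):
            continue  # answered from files; ldap is never consulted for it
        warnings.append(
            "%s %r is resolved via ldap (%s: %s); slapd startup would depend "
            "on an LDAP lookup" % (db, name, db, " ".join(sources)))
    return warnings


def check_host(user="openldap", group="openldap"):
    """Run the check against the local system files."""
    with open("/etc/nsswitch.conf") as f:
        nss = f.read()
    with open("/etc/passwd") as f:
        passwd = f.read()
    with open("/etc/group") as f:
        grp = f.read()
    return check_slapd_identity(nss, passwd, grp, user, group)


if __name__ == "__main__":
    for warning in check_host() or ["slapd user and group resolve locally"]:
        print(warning)
```

The fix the check suggests is the one Daniel arrived at in effect: keep `files` ahead of `ldap` for passwd and group and make sure the slapd account and group exist in the local files, so that the server's own startup never waits on the directory it is about to serve.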
supportedSASLMechanisms not Work in Debian Lenny
by Jarbas Peixoto Júnior
I have two servers:
* Server A: Debian Etch - works fine
* Server B: Debian Lenny - supportedSASLMechanisms EXTERNAL does not work
In Server A I have:
# ldapsearch -v -H ldap://server-Etch -b "" -LLL -s base supportedSASLMechanisms
-ZZ
ldap_initialize( ldap://server-Etch )
SASL/EXTERNAL authentication started
SASL username: emailAddress=jarbas.peixoto(a)previdencia.gov.br,CN=jarbas.peixoto,OU=DATAPREV,O=Previdencia
Social,L=Campo Grande,ST=Mato Grosso do Sul,C=BR
SASL SSF: 0
filter: (objectclass=*)
requesting: supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
In Server B I have:
# ldapsearch -v -H ldap://server-Lenny -b "" -LLL -s base
supportedSASLMechanisms -ZZ
ldap_initialize( ldap://server-Lenny:389/??base )
ldap_start_tls: Connect error (-11
# ldapsearch -v -H ldap://server-Lenny -b "" -LLL -s base
supportedSASLMechanisms -ZZ -d 1
ldap_url_parse_ext(ldap://server-Lenny)
ldap_create
ldap_url_parse_ext(ldap://server-Lenny:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP server-Lenny:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.82.0.234:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x9d73280 msgid 1
wait4msg ld 0x9d73280 msgid 1 (infinite timeout)
wait4msg continue ld 0x9d73280 msgid 1 all 1
** ld 0x9d73280 Connections:
* host: www-mmldap port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 29 18:17:22 2009
** ld 0x9d73280 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x9d73280 request count 1 (abandoned 0)
** ld 0x9d73280 Response Queue:
Empty
ld 0x9d73280 response count 0
ldap_chkResponseList ld 0x9d73280 msgid 1 all 1
ldap_chkResponseList returns ld 0x9d73280 NULL
ldap_int_select
read1msg: ld 0x9d73280 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x9d73280 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x9d73280 0 new referrals
read1msg: mark request completed, ld 0x9d73280 msgid 1
request done: ld 0x9d73280 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_start_tls: Connect error (-11)
In the /var/log/syslog I have:
Jan 29 18:17:22 server-Lenny slapd[12945]: conn=99 fd=21 ACCEPT from
IP=10.82.0.234:50441 (IP=0.0.0.0:389)
Jan 29 18:17:22 server-Lenny slapd[12945]: conn=99 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Jan 29 18:17:22 server-Lenny slapd[12945]: conn=99 op=0 STARTTLS
Jan 29 18:17:22 server-Lenny slapd[12945]: conn=99 op=0 RESULT oid= err=0 text=
Jan 29 18:17:22 server-Lenny slapd[12945]: conn=99 fd=21 closed (TLS negotiation
failure)
This is very important for using OpenLDAP with user certificates.
Can anybody help me?
Thanks!
14 years, 9 months
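The server log in the post above already narrows the failure down: slapd accepted the StartTLS extended operation (`RESULT oid= err=0`) and only then closed the connection with "TLS negotiation failure", so the problem sits in the TLS handshake rather than in LDAP. The probe below is an added example (not part of the thread or of the OpenLDAP client library) that reproduces the two steps separately: it hand-builds the 31-byte StartTLS request seen in the `-d 1` trace, parses the extended response, and then performs the handshake with Python's `ssl` module so that certificate-verification or hostname errors are reported in the clear. Typical causes on the client side are a CA file that does not cover the server certificate (`TLS_CACERT` in ldap.conf) or a certificate subject that does not match the hostname used in the URI. The sample response bytes in the test are constructed.

```python
"""Probe an LDAP server's STARTTLS handling one step at a time.

Added example, not code from the thread or from OpenLDAP.  Only the StartTLS
exchange is hand-encoded in BER; the TLS handshake uses the ssl module.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_starttls_request(msgid=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] OID } }.
    msgid must be below 128 for the one-byte INTEGER used here."""
    request_name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + _ber_len(len(request_name)) + request_name
    body = b"\x02\x01" + bytes([msgid]) + ext_req
    return b"\x30" + _ber_len(len(body)) + body


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (msgid, resultCode, matchedDN, diagnosticMessage)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, msgid_bytes, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, result, _ = _read_tlv(msg, pos)
    if tag != 0x78:  # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(result, 0)      # resultCode ENUMERATED
    _, matched, pos = _read_tlv(result, pos)  # matchedDN
    _, diag, _ = _read_tlv(result, pos)       # diagnosticMessage
    return (int.from_bytes(msgid_bytes, "big"), int.from_bytes(code, "big"),
            matched.decode(), diag.decode())


def probe_starttls(host, port=389, cafile=None, timeout=10):
    """Send StartTLS, then do the TLS handshake; report which step fails."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        sock.sendall(build_starttls_request(1))
        reply = sock.recv(4096)  # the response is a few dozen bytes
        _, code, _, diag = parse_extended_response(reply)
        if code != 0:
            return "LDAP refused StartTLS: resultCode=%d text=%r" % (code, diag)
        ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLError as exc:
            return "TLS handshake failed after StartTLS was accepted: %s" % exc
        subject = tls.getpeercert().get("subject")
        tls.close()
        return "TLS established; server certificate subject: %r" % (subject,)
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python3 probe.py server-Lenny /etc/ssl/certs/ca.pem`; the CA file argument corresponds to what `TLS_CACERT` would point at in ldap.conf, so a handshake that succeeds here but fails for ldapsearch points at the client's TLS configuration rather than the server.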
RE: ldap_bind fails in vpn tunnel
by Christopher Barry
> -----Original Message-----
> From: Shankhadeep Sen [mailto:shanks.iit@gmail.com]
> Sent: Friday, January 30, 2009 1:25 PM
> To: Christopher Barry
> Subject: Re: ldap_bind fails in vpn tunnel
>
> Hi Christopher,
>
> Thanks for your email. It seems that
> without TLS, the search works first, but next when I initiate
> a TLS session, the ldap api says "SERVER DOWN". I must mention
> that the bandwidth is very low in that VPN tunnel and there
> is only one route.
>
> Now I used tcpdump to check the packets on port 389; it
> seems that there are a lot of packets being exchanged. My
> guess is that because of the low b/w, even if one packet gets
> dropped because of router overflow, the SSL handshake will be
> terminated.
>
> What do you think?
>
> Thanks,
>
> Sankhadip
>
>
> On Fri, Jan 30, 2009 at 9:05 AM, Christopher Barry
> <christopher.barry(a)qlogic.com> wrote:
>
>
> > -----Original Message-----
> > From:
> > openldap-technical-bounces+christopher.barry=qlogic.com@openld
> > ap.org
> > [mailto:openldap-technical-bounces+christopher.barry
> <mailto:openldap-technical-bounces%2Bchristopher.barry> =qlogic.co
> > m(a)openldap.org] On Behalf Of Sankhadip Sengupta
> > Sent: Friday, January 30, 2009 9:34 AM
> > To: openldap-technical(a)openldap.org
> > Subject: ldap_bind fails in vpn tunnel
> >
> > Hi,
> >
> > In a VPN tunnel, using TLS, ldap_search works but the
> > ldap_bind fails with error :Can't contact LDAP server(-1).
> >
> > Can any one help me? I am using the openldap sdk.
> >
> > Thanks,
> >
> > Sankhadip
> >
>
>
> You might try putting the LDAP server's name and IP
> address in the hosts file of the client.
>
> -C
>
>
>
>
>
Is this link helpful to you?
http://www.openldap.org/lists/openldap-software/200201/msg00625.html
14 years, 10 months
ldap_bind fails in vpn tunnel
by Sankhadip Sengupta
Hi,
In a VPN tunnel, using TLS, ldap_search works but the ldap_bind fails with error: Can't contact LDAP server (-1).
Can anyone help me? I am using the OpenLDAP SDK.
Thanks,
Sankhadip
14 years, 10 months
Sudo Access
by Paul bob
Hi!
I need to give some LDAP users sudo access. I am not sure how to
configure sudo access in LDAP. Your valuable suggestions are appreciated!
Thanks in Advance!
-
14 years, 10 months
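As an added illustration of what "sudo in LDAP" looks like on the directory side (not from the thread and not the sudo project's own data): sudo's LDAP support stores rules as `sudoRole` entries, usually under an `ou=SUDOers` container. The suffix, group name and command paths below are placeholders.

```ldif
# Added example (not from the thread).  Requires the sudo schema
# (schema.OpenLDAP from the sudo distribution) to be included in slapd.conf.
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# Global options, the equivalent of a "Defaults" line in /etc/sudoers.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_reset

# Members of the LDAP group ldapadmins may run two commands on any host.
dn: cn=ldapadmins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: ldapadmins
sudoUser: %ldapadmins
sudoHost: ALL
sudoCommand: /usr/sbin/slapcat
sudoCommand: /etc/init.d/slapd
```

On each client, sudo is told where to look with `sudoers_base ou=SUDOers,dc=example,dc=com` (plus `uri`) in its LDAP configuration file and `sudoers: files ldap` in nsswitch.conf. Since sudo reads these entries with whatever bind it is configured for, the server's ACLs must grant that identity read access to the SUDOers subtree, and write access to it should be limited to administrators, because anyone who can edit a sudoRole entry can grant root on every host that consults it.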
LDAP password information update failed: Insufficient access
by Paul bob
I am experiencing a problem trying to configure an LDAP server for
user authentication.
Basically, I am at a point where users can log in properly, but they
cannot change their password. Some info for troubleshooting:
slapd.conf access info
access to attr=userPassword
access to *
by self write
by users read
by anonymous auth
I would appreciate your help!
Thanks,
bob
14 years, 10 months
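For reference, an added example of the shape the ACL usually takes in this situation (not bob's configuration and not from the OpenLDAP sources). In slapd.conf an `access to` directive takes its `by` clauses on the indented lines that follow it, and slapd applies the first `access to` whose target matches the entry and attribute; a clause that reaches the end of its `by` list without a match denies access (the implicit `by * none`). A `userPassword` clause that carries no `by` lines therefore grants nobody anything, which is exactly "Insufficient access" on a password change.

```conf
# Added example (not from the thread).  Order matters: the userPassword
# clause must come before the catch-all, or the catch-all wins.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by anonymous auth
```

`by self write` lets a bound user change their own password, `by anonymous auth` allows the bind itself to compare the password, and `by * none` keeps other users from reading password hashes. Check it with a bind as an ordinary user followed by `ldappasswd` or an `ldapmodify` of that user's own `userPassword`; a bind as a different user attempting the same change should still fail.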
Hello
by Donny George
Hello
I have been trying to set up an LDAP server with OpenSSL certificates. The
certificates were generated and ldap was given access to them, but once
slapd was restarted we received an error:
main: TLS init def ctx failed: -207
Does someone have a clue as to why this comes up?
--
Donny George
14 years, 10 months
Syslog and symas openldap
by ian.g.fox@bt.com
Hi,
I am using Symas' OpenLDAP s/w on a solaris 10 box. The package I have
installed is symas-openldap-silver-2.4.12.0.sun4u.pkg.
# pkginfo -l symas-openldap-silver
PKGINST: symas-openldap-silver
NAME: Symas OpenLDAP Silver
CATEGORY: application
ARCH: sun4u
VERSION: Dev Release 10/17/2008
BASEDIR: /
PSTAMP: gamba20081017182137
INSTDATE: Dec 09 2008 16:36
STATUS: completely installed
FILES: 279 installed pathnames
24 directories
72 executables
60155 blocks used (approx)
I want to get syslogging from slapd out to a file. I have configured
/etc/syslog.conf with the following lines:
# LDAP logging
local4.debug /var/log/slapd.log
The file /var/log/slapd.log exists:
# ls -l /var/log/slapd.log
-rw-r--r-- 1 root root 0 Dec 10 09:25 /var/log/slapd.log
and I have restarted syslog:
# svcadm restart svc:/system/system-log
In /opt/symas/etc/openldap/slapd.conf I have included a line:
loglevel -1
and restarted my slapd server using:
/opt/symas/etc/solserver restart
Having done all this I am still not getting anything written out to
/var/log/slapd.log.
Does anyone know what I need to do to get this working please?
My regards
Ian G Fox
14 years, 10 months
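Two things are worth verifying independently in a setup like Ian's: that the syslog.conf line really selects what slapd sends (slapd logs to the `local4` facility at the `debug` level by default, hence the `local4.debug` line), and that the syslogd path itself works, which a hand-sent `local4.debug` message tests without touching slapd. The helper below is an added example (not Ian's configuration, not from OpenLDAP or Symas); the syslog.conf contents in the test are constructed. On Solaris, syslogd requires the selector and the action to be separated by TAB characters, so a line typed with spaces is silently ignored, and the checker flags that case.

```python
"""Check a syslog.conf line for the facility slapd logs to, and push a test
message through the same syslog path.

Added example, not from the thread.  Point check_syslog_conf at the real
/etc/syslog.conf; send_test_message should then produce a line in the file
named in the action if syslogd is wired up correctly.
"""
import re
import syslog

# Severity order used by selectors: index 0 is the most severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# selector, separator, action; the separator is captured so TAB vs. spaces
# can be told apart.
LINE_RE = re.compile(r"^(?P<selector>\S+)(?P<sep>[ \t]+)(?P<action>\S.*)$")


def selector_matches(selector, facility, level):
    """True if a selector such as 'local4.debug', '*.err' or
    'local4,local5.info;local4.none' captures messages of facility.level.
    A selector level accepts that level and every more severe one."""
    matched = False
    for part in selector.split(";"):
        facs, _, sel_level = part.partition(".")
        fac_list = facs.split(",")
        if facility not in fac_list and "*" not in fac_list:
            continue
        if sel_level == "none":
            return False
        if sel_level == "*" or LEVELS.index(level) <= LEVELS.index(sel_level):
            matched = True
    return matched


def check_syslog_conf(text, facility="local4", level="debug"):
    """Return (lineno, finding, detail) tuples for lines that target
    facility.level; 'ok' findings carry the action (file or host)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append((lineno, "unparseable", line))
            continue
        if not selector_matches(m.group("selector"), facility, level):
            continue
        if "\t" not in m.group("sep"):
            findings.append((lineno, "space separator (Solaris syslogd needs a TAB)", line))
        else:
            findings.append((lineno, "ok", m.group("action")))
    return findings


def send_test_message(text="slapd syslog path test"):
    """Emit one local4.debug message, the facility/level slapd uses."""
    syslog.openlog(ident="slapd-test", facility=syslog.LOG_LOCAL4)
    syslog.syslog(syslog.LOG_DEBUG, text)
    syslog.closelog()


if __name__ == "__main__":
    with open("/etc/syslog.conf") as f:
        for finding in check_syslog_conf(f.read()):
            print("line %d: %s: %s" % finding)
    send_test_message()
```

If the checker reports the line as `ok` and the test message still does not reach /var/log/slapd.log after `svcadm restart svc:/system/system-log`, the remaining suspects are the slapd side (it must actually be logging to syslog, which `loglevel -1` turns on) and whether slapd is running in the same syslog namespace as syslogd, for example inside a zone.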