openldap-technical October 2009

openldap-technical@openldap.org

62 participants
53 discussions

Map attributes to access LDAP addressbook with thunderbird too
by Matthias Fechner 19 Oct '09

19 Oct '09

Hi, I have written a small web application some time ago which stores all information inside a openldap directory. When I access now information via thunderbird it displays some value, but some values are not shown. I searched now a little why and it seems that thunderbird asks his own fields like mozillaHomeStreet, mozillaHomeUrl and so on. But i stored my information in homepostaladdress and some other field the schema file give you. My question now is: Is it possible that when tunderbird ask for the field mozillaHomeStreet return there the field homepostaladdress? Thanks a lot for answers Matthias -- "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook

2 2

how difference x509 attribute and extensions
by owen nirvana 19 Oct '09

19 Oct '09

sorry , I am a newbie. I could not know how to use x509 attribute, maybe do not. in x509.h, all functions about x509 attribute are not related with other parts. and if I might add an unstandard attribute to x509 certificate, so , why I need x509 extentions gtalk:freeespeech@gmail.com

2 1

ldap_bind error
by Mburu, Patrick 19 Oct '09

19 Oct '09

When i use this command; /usr/bin/ldapadd -x -D 'uid=root,dc=fedora,dc=directory,dc=server' -W -f /tmp/domain.ldif after entering the LDAP password i get this error: ldap_bind cannot contact ldap server. Any help or guideline will be appreciated. Regards, -- Patrick Mburu | Systems Engineer OPENWORLD LTD | Kenindia House |2nd Floor | P.O. Box 10918 00100 GPO NAIROBI Tel: 020 6750212, 2210772/3 | Fax: 020 2210772 Cell: 0725 550 906 - 0770 078 804 Email: pmburu(a)openworld.co.ke Web: www.openworld.co.ke Awards: CSK ' Open Source Solution Provider of the Year 2006 Award'

3 2

sasl binding with ssl encryption
by Xu, Qiang (FXSGSC) 19 Oct '09

19 Oct '09

Hi, all: My LDAP SASL binding is successful, but when I want to channel the traffic over SSL, it fails: ===================================================================== qxu@durian(pts/0):/etc[201]$ kinit XCTEST100(a)XCIPV6.COM Password for XCTEST100(a)XCIPV6.COM: ... qxu@durian(pts/0):/etc[203]$ klist Ticket cache: FILE:/tmp/krb5cc_20153 Default principal: XCTEST100(a)XCIPV6.COM Valid starting Expires Service principal 10/19/09 10:31:28 10/19/09 20:28:25 krbtgt/XCIPV6.COM(a)XCIPV6.COM renew until 10/20/09 10:31:28 ... qxu@durian(pts/0):/etc[204]$ ldapsearch -Y GSSAPI -H ldap://13.198.97.42:389 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail SASL/GSSAPI authentication started SASL username: XCTEST100(a)XCIPV6.COM SASL SSF: 56 SASL installing layers dn: CN=XCTEST100,CN=Users,DC=XCIPV6,DC=COM mail: XCTEST100(a)xcipv6.com # refldap://ForestDnsZones.XCIPV6.COM/DC=ForestDnsZones,DC=XCIPV6,DC=COM # refldap://DomainDnsZones.XCIPV6.COM/DC=DomainDnsZones,DC=XCIPV6,DC=COM # refldap://XCIPV6.COM/CN=Configuration,DC=XCIPV6,DC=COM ... qxu@durian(pts/0):/etc[205]$ ldapsearch -Y GSSAPI -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Server is unwilling to perform (53) additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771 ... qxu@durian(pts/0):/etc[206]$ ldapsearch -Y GSSAPI -O maxssf=0 -H ldaps://13.198.97.42:636 -b dc=xcipv6,dc=com -s sub -LLL cn=XCTEST100 mail SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Server is unwilling to perform (53) additional info: 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771 ===================================================================== Someone has mentioned that in order to do sasl binding over ssl, the security property " -O maxssf=0" must be set. However, this still fails. Any suggestions? Thanks, Xu Qiang

1 1

Database corruption revisited.
by Cliff Pratt 18 Oct '09

18 Oct '09

In an email of 5 August 2009 Howard Chu says "If your disks are working and haven't run out of space, database corruption pretty much never happens. You probably should describe the situation that leads you to believe there was a corruption. You should also list the versions of software in use." We have been plagued over the years with instances where the database appears to have been corrupted. I'm quite happy to be proved wrong, and would be pleased, very pleased to find a solution. As I said this has happened over the years, on ancient Debian systems, through RedHat's RHEL3, RHEL4, and maybe RHEL5. I'm not sure of the last. Every three or four months the application that uses OpenLDAP stops responding. We then run 'slapcat' against the LDAP datastore and if it hangs we stop slapd, run a recovery on the BDB and start everything up again. Now and then slapd refuses to start and we have to restore from a backup (also taken by slapcat). As I said, this has happened on many versions of OpenLDAP and on different operating systems. The latest version that I am sure it has happened on is RHEL 4.2 and OpenLDAP 2.2.13-4 (I think that is the version - I'm not able to access the servers at present so I'm going by memory). I'd be very pleased, ecstatic even, to find a solution to this. It's been a thorn in my side for many years. What information would be useful in pointing me at a solution? I'd only add that I am not an LDAP or OpenLDAP expert - the systems only get touched when an upgrade is necessary. Any advice would be appreciated. Cheers, hoping for a solution, or at least pointers to one. Cliff

4 6

2.4.18 refint getting "no such attribute" in bdb_modify_internal with removal; works with rename
by Andreas Hasenack 17 Oct '09

17 Oct '09

Hi, I'm using the refint overlay with a few attributes, but I can't get it to work with krbPwdPolicyReference from MIT kerberos 1.7. I get the error from the subject when deleting the entry this attribute references. If, however, I *rename* the entry, the krbPwdPolicyReference attribute gets updated correctly. It seems to fail only when I remove the entry. This is the config: dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config objectClass: olcRefintConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {1}refint olcRefintAttribute: krbObjectReferences olcRefintAttribute: member olcRefintAttribute: krbPwdPolicyReference olcRefintNothing: cn=localroot,cn=config This is the entry which has the attribute pointing to the entry I will remove (some attributes omitted for brevity): dn: krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc= example,dc=com krbPrincipalName: andreas(a)EXAMPLE.COM objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux krbObjectReferences: uid=andreas,ou=people,dc=example,dc=com krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example ,dc=com This is the entry I'm deleting. I would expect the krbPwdPolicyReference attribute from my entry above to be deleted. If I rename this cn=default, then krbPwdPolicyReference gets updated correctly. dn: cn=default,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com cn: default objectClass: krbPwdPolicy krbMaxPwdLife: 36000 krbMinPwdLife: 0 krbPwdMinDiffChars: 1 krbPwdMinLength: 1 krbPwdHistoryLength: 1 These are the relevant logs (level 16383): Oct 7 16:55:33 maestro slapd[6381]: refint_search_cb <NOTHING> Oct 7 16:55:33 maestro slapd[6381]: ==> unique_modify <krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com> Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn: "krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com" Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)", at: "(null)" Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com") Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry: "krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com" Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0 Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn: "krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com" Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)", at: "(null)" Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com") Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry: "krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com" Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0 Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn: "cn=default,ou=password policies,dc=example,dc=com" Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)", at: "(null)" Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("cn=default,ou=password policies,dc=example,dc=com") Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry: "cn=default,ou=password policies,dc=example,dc=com" Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0 Oct 7 16:55:33 maestro slapd[6381]: hdb_modify: krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com Oct 7 16:55:33 maestro slapd[6381]: bdb_dn2entry("krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos realms,dc=example,dc=com") Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 0x00000042: krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com Oct 7 16:55:33 maestro slapd[6381]: <= acl_access_allowed: granted to database root Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete krbPwdPolicyReference Oct 7 16:55:33 maestro slapd[6381]: dnMatch 0#012#011"cn=default,cn=example.com,ou=kerberos realms,dc=example,dc=com"#012#011"cn=default,cn=example.com,ou=kerberos realms,dc=example,dc=com" Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: replace modifiersName Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete krbPwdPolicyReference Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 16 modify/delete: krbPwdPolicyReference: no such attribute Oct 7 16:55:33 maestro slapd[6381]: hdb_modify: modify failed (16) Oct 7 16:55:33 maestro slapd[6381]: send_ldap_result: conn=-1 op=0 p=0 Oct 7 16:55:33 maestro slapd[6381]: send_ldap_result: err=16 matched="" text="modify/delete: krbPwdPolicyReference: no such attribute" Oct 7 16:55:33 maestro slapd[6381]: refint_repair: dependent modify failed: 16 Any hints?

2 1

ldap_search: LDAP Adminstration Limit Error
by Parag Kalra 16 Oct '09

16 Oct '09

Hello Friends, I am using a 'ldapsearch' command from Ubuntu machine to fetch entries from SunOne directory server hosted on Windows machine. I am able to retrieve the records but not all. At one stage it aborts abruptly and throws following error - ldap_search: LDAP Adminstration Limit Error Any pointers on what this error is all about and how can I get rid of it? Cheers, Parag

5 7

OpenLDAP 2.4.16: LDAP entry deletions not propaged in certain syncrepl multimaster scenario
by Alvin Wong 16 Oct '09

16 Oct '09

Hi I've encounter a problem in OpenLDAP 2.4.16 on 2 LDAP servers system setup with syncrepl multimaster and all data are synchronized. If server A is down and LDAP entries (leaf or subtree) are deleted on server B, when server A comes up, those LDAP entries are not removed from server A by syncrepl. If LDAP operations are done on either servers while both are up, syncrepl correctly propagates them to the other server. Below are the slapd.conf files for both server A and B. Is there something wrong with the way they are configured or is this a known issue? Thanks in advance. ========= SERVER A SLAPD.CONF ============== ucdata-path "C:/Program Files/MyApp/database" include "C:/Program Files/MyApp/schemaconf/core.schema" include "C:/Program Files/MyApp/schemaconf/corba.schema" include "C:/Program Files/MyApp/schemaconf/cosine.schema" include "C:/Program Files/MyApp/schemaconf/inetorgperson.schema" include "C:/Program Files/MyApp/schemaconf/nis.schema" include "C:/Program Files/MyApp/schemaconf/spanlink.schema" pidfile "C:/Program Files/MyApp/bin/slapd.pid" argsfile "C:/Program Files/MyApp/bin/slapd.args" idletimeout 300 sizelimit unlimited allow bind_v2 conn_max_pending_auth 2000 access to dn.subtree="ou=People,o=Spanlink Communications" by dn="cn=user,ou=People,o=Spanlink Communications" read by * read access to * by dn="cn=user,ou=People,o=Spanlink Communications" write by dn="cn=replication1,ou=People,o=Spanlink Communications" write by dn="cn=replication2,ou=People,o=Spanlink Communications" write by * read ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "o=Spanlink Communications" rootdn "cn=super,ou=People,o=Spanlink Communications" checkpoint 10 1 cachesize 50000 searchstack 8 rootpw secret directory "C:/Program Files/MyApp/database" # Indices to maintain index objectClass eq index entryCSN eq # for sync repl serverID 1 syncrepl rid=123 searchbase="o=Spanlink Communications" provider=ldap://10.10.10.75:38983 type=refreshAndPersist retry="5 5 300 +" schemachecking=on attrs=* bindmethod=simple binddn="cn=replication1,ou=People,o=Spanlink Communications" credentials=secret mirrormode true overlay syncprov syncprov-checkpoint 100 1 ========= SERVER B SLAPD.CONF ============== ucdata-path "C:/Program Files/MyApp/database" include "C:/Program Files/MyApp/schemaconf/core.schema" include "C:/Program Files/MyApp/schemaconf/corba.schema" include "C:/Program Files/MyApp/schemaconf/cosine.schema" include "C:/Program Files/MyApp/schemaconf/inetorgperson.schema" include "C:/Program Files/MyApp/schemaconf/nis.schema" include "C:/Program Files/MyApp/schemaconf/spanlink.schema" pidfile "C:/Program Files/MyApp/bin/slapd.pid" argsfile "C:/Program Files/MyApp/bin/slapd.args" idletimeout 300 sizelimit unlimited allow bind_v2 conn_max_pending_auth 2000 access to dn.subtree="ou=People,o=Spanlink Communications" by dn="cn=user,ou=People,o=Spanlink Communications" read by * read access to * by dn="cn=user,ou=People,o=Spanlink Communications" write by dn="cn=replication1,ou=People,o=Spanlink Communications" write by dn="cn=replication2,ou=People,o=Spanlink Communications" write by * read ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "o=Spanlink Communications" rootdn "cn=super,ou=People,o=Spanlink Communications" checkpoint 10 1 cachesize 50000 searchstack 8 rootpw secret directory "C:/Program Files/MyApp/database" # Indices to maintain index objectClass eq index entryCSN eq # for sync repl serverID 2 syncrepl rid=123 searchbase="o=Spanlink Communications" provider=ldap://10.10.10.196:38983 type=refreshAndPersist retry="5 5 300 +" schemachecking=on attrs=* bindmethod=simple binddn="cn=replication2,ou=People,o=Spanlink Communications" credentials=secret mirrormode true overlay syncprov syncprov-checkpoint 100 1 [cid:image001.gif@01CA4E62.2F0CA5C0] ALVIN WONG SENIOR SOFTWARE ENGINEER DIRECT +1 (763).795.7752 alvin.wong(a)calabrio.com<mailto:alvin.wong@calabrio.com> Download vCard File Products<http://www.calabrio.com/products.asp> | Partners<http://www.calabrio.com/partners.asp> | Contact Us<http://www.calabrio.com/contact.asp> This message is confidential, and any unauthorized disclosure, use or dissemination (either whole or in part) is prohibited. If you are not the intended recipient of the message please notify the sender immediately and delete the message from your system.

1 0

ipv6 support in openldap
by Bad Guy 16 Oct '09

16 Oct '09

Dear sir, I want to ask whether openldap support ipv6, if yes, which version of openldap support it ? Thanks _________________________________________________________________ 隨身的 Windows Live Messenger 和 Hotmail，不限時地掌握資訊盡在指間 — Windows Live for Mobile http://3c.msn.com.tw/mobile/

3 2

Replication
by Márcio Luciano Donada 15 Oct '09

15 Oct '09

Hi People My LDAP server (master) is debian Lenny with 2.4.11-1 version, I am implementing a server that will be in a unit of the company, I need to replicate the LDAP, but because of the hardware I am using CentOS 5.3 with ldap version openldap-servers-2.3.43-3.el5. This will be a problem for replication or can do do otherwise? -- Márcio Luciano Donada <mdonada at auroraalimentos dot com dot br> Aurora Alimentos - Cooperativa Central Oeste Catarinense Departamento de T.I.

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2009