openldap-technical November 2009

openldap-technical@openldap.org

51 participants
58 discussions

Same entry twice in ldapsearch output
by Peter Mogensen 26 Nov '09

26 Nov '09

Hi, It seems weird results are popping up faster than I can assemble test-setups to reproduce. I ran a test in mirrormode were I: 1) Took an slapcat generated LDIF from a 2.3.x setup 2) Removed all entryCSN and contextCSN lines. 3) Ran "slapadd -S 1 -q -w -l ~/load_noCSN.ldif" on server-1 4) Did a "slapcat > toserver2.ldif" on server-1 5) Started server-1 and let applications create and modify objects. 6) Moved toserver2.ldif to server-2. 7) Ran slapadd -q -l toserver2.ldif on server-2 8) Started server-2 Now - I would expect the objects created on step 5 to appear after a while on server-2. They are not. The reason seems to be that the contextCSN has not been updated properly on server-1. The contextCSN in the "toserver2.ldif" file from step 4 is: 20091118173357.690685Z#000000#001#000000 The contextCSN on both servers are now: 20091119140605.714382Z#000000#001#000000 The entry on server-1 having that entryCSN is a modified object, however, the change has not been replicated to server-2. Likewise, the entryCSN for one created object in step 5 is: 20091119094729.719193Z#000000#001#000000 It is not present on server-2, but it appears TWICE in a the result from an ldapsearch (scope sub) on its parent object on server-1. ?!?! .. I'm lost. From all I know this should not happen on a healthy setup - unless there's something badly wrong with the procedure I've described above. It's slapd 2.4.19 with BDB4.8 /Peter

2 3

Re: UPN in BIND request
by Siddharth Sehjpal 25 Nov '09

25 Nov '09

Hi Jonathan, I am working in a test environment where I have dummy accounts in AD and OpenLDAP, I happen to see that AD schema has userPrincipalname attribute and this is missing in OpenLDAP, The application I am trying with is strictly using UPN names so integration with OpenLDAP is not going to work unless UPN is added in the OpenLDAP schema, Can you please guide me in right direction. Regards, Sidharth Sehjpal On Tue, Nov 24, 2009 at 10:40 PM, Jonathan Clarke <jonathan(a)phillipoux.net > wrote: > On 24/11/2009 10:17, Siddharth Sehjpal wrote: > >> Is it possible to use UPN (user principal name) in the bind request, My >> application works fine with Microsoft AD but is giving invalid dn with >> openldap. >> > > UPN is an attribute specific to Microsoft AD. Unless you have explicitly > added it to your OpenLDAP schema, and created entries that use it, then it > can't work. > > What are you trying to achieve? Does your OpenLDAP server contain the same > accounts ad your Microsoft AD? > > Regards, > Jonathan > -- > -------------------------------------------------------------- > Jonathan Clarke - jonathan(a)phillipoux.net > -------------------------------------------------------------- > Ldap Synchronization Connector (LSC) - http://lsc-project.org > -------------------------------------------------------------- >

2 1

UPN in BIND request
by Siddharth Sehjpal 25 Nov '09

25 Nov '09

Is it possible to use UPN (user principal name) in the bind request, My application works fine with Microsoft AD but is giving invalid dn with openldap.

2 1

Openldap compilation with Cyrus SASL in MAC OS X
by Dhruva T S 24 Nov '09

24 Nov '09

Hi list, I have compiled Cyrus SASL 2.1.23 as ./configure --prefix=/Desktop/sasl and OpenLDAP 2.4.19 as env CPPFLAGS="-I/Desktop/sasl/include/sasl" LDFLAGS="-L/Desktop/sasl/lib -R/Desktop/sasl/lib" ./configure --disable-slapd --disable-slurpd --with-ssl --with-cyrus-sasl The compilation is successful and ldapsearch is working. But if I copy the same OpenLDAP libs along with the Cyrus SASL libs to another system and try to use them, I am getting "ldap_sasl_interactive_bind_s : No such Mechanisms available" Is there a way to give relative paths specific to a folder for CPPFLAGS and LDFLAGS? Is it necessary to compile again in the second system? I am using MAC OS X Leopard (10.5). Please help me. Thanks, Dhruva

2 1

Correct way to load LDIF in mirrormode
by Peter Mogensen 22 Nov '09

22 Nov '09

Hi, I have huge LDIF file from openldap 2.3.30, which I try to load in a 2.4.19 mirrormode setup. I've tried different ways to load it. 1) Load the LDIF on server 1 and wait for server 2 to replicate it. - it takes several days and server-2 never seems to get all the way and catch up with server 1. 2) Load the LDIF on both servers and start slapd. - Afterwards not all entries created on server 1 is replicated to server-2. So the first thing to rule out would be to ensure that I've loaded the LDIF correctly: The entryCSN from the 2.3.30 server is in this format: 20071214130312Z#000000#00#000000 The two servers (server1/server2) in the 2.4.19 setup have sid 1, 2 and rid 3,4 (cn=config replication has rid 1,2). I loaded the LDIF like this on both servers: $ slapadd -q -w -l backup-2.3.30.ldif Is that enough to make replication start from a known state? Could someone please exemplify a scenario where the -S option for slapadd is needed? /Peter

6 19

Fwd: [Mitkc-announce] Kerberos Conference Slides, Release 1.8
by Howard Chu 22 Nov '09

22 Nov '09

My slides from last month's Kerberos Conference are now available online. The files used in my demo are attached here: cf.ldif - a basic slapd configuration: use with slapadd -F <path/to>/slapd.d -l cf.ldif -n0 kerberos.ldif - the MIT KDC schema addkrb.sh - simple steps to load KDC schema into slapd /etc/krb5.conf - config file for MIT Kerberos initkdc.sh - commands to initialize the KDC addprinc.sh - commands to add Kerberos attributes to an LDAP user It took about 5 minutes to walk through these steps during the presentation; most of that time was spent explaining the steps... Actually doing the work is about 30 seconds. -------- Original Message -------- Subject: [Mitkc-announce] Kerberos Conference Slides, Release 1.8 Date: Thu, 19 Nov 2009 14:19:43 -0500 From: Stephen Buckley <sbuckley(a)mit.edu> To: mitkc-announce(a)mit.edu Hello all, We have put the slides from our Kerberos Conference up on our web site at: http://www.kerberos.org/events/2009conf/ Keynoters included Kim Cameron, Chief Architect for Identity at Microsoft. Also, the 1.8 release feature set is now complete and documented at: http://k5wiki.kerberos.org/wiki/Release_1.8 We are on track to deliver 1.8 in March 2010. We also started a blog http://blog.kerberos.org/ Lastly, a reminder that we try to provide some useful documentation and links: http://www.kerberos.org/docs/ Kind regards, s _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ Stephen C. Buckley Executive Director MIT Kerberos Consortium http://www.kerberos.org

1 0

Binding with an e-mail address
by Willie Gillespie 22 Nov '09

22 Nov '09

Perhaps someone can point me in the right direction here. Using just simple binds (for now), I am trying to allow users to bind with just a username or e-mail address and have OpenLDAP rewrite their bind to a more complex DN for them before checking against userPassword. Is there a way to do this? I have tried playing with olcAuthIDRewrite and olcRwmRewrite but I must be doing something incorrectly. Thanks! Willie

3 5

Re: Objects with with no parent objects...
by Dave Smith 22 Nov '09

22 Nov '09

Thanks, we ended taking your second suggestion. When we tried to create the parent objects, we were given an error that they already existed. when we tried to query,modify or delete them it returned an error that the did not exist. (bizarre) The exported LDIF's did not contain any of these branches, and we were recover OK. --DS 2009/11/20 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Friday, November 20, 2009 6:13 PM -0500 Dave Smith <dave.smith.to@ > gmail.com> wrote: > > I hope someone can help... >> >> As I say we need to quickly remove these objects. Can anyone give some >> suggestions? >> > > Create the parents, delete the children, delete the parents? > > Or, slapcat, fix the LDIF, reload. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

olcAuthIDRewrite
by Willie Gillespie 21 Nov '09

21 Nov '09

Using OpenLDAP 2.4.18: Anytime I try to put something/anything in the attribute olcAuthIDRewrite for dn: cn=config I get: conn=1 op=8 MOD dn="cn=config" conn=1 op=8 MOD attr=olcAuthIDRewrite conn=1 op=8 RESULT tag=103 err=80 text=<olcAuthIDRewrite> handler exited with 1 Am I putting in the wrong data? I've tried all sorts of combinations, even simply: {0}authid-rewriteEngine "on" I can't seem to find much documentation on the whole thing either. Thanks for any pointers. Willie

2 7

Objects with with no parent objects...
by Dave Smith 21 Nov '09

21 Nov '09

I hope someone can help... We have an directory with a few objects that don't seem to have parents. We're not sure how they got in there. They could have been added using ldapmodify, or our application could have added them via JNDI. This is one of the DN's: ifastProfileId=P_SUPER,ou=profile,ou=prod,ou=ifast,ou=ifastbase,dc=ifdsgroup,dc=com We are fairly sure the organizational units ou=profile,ou=prod never existed, yet the P_SUPER object was create, and is returned in a search. We need to remove these entries in a hurry so I put together this LDIF... DN: ifastProfileId=P_SUPER,ou=profile,ou=prod,ou=ifast,ou=ifastbase,dc=ifdsgroup,dc=com changetype:delete DN: ifastProfileId=P_SSII,ou=profile,ou=prod,ou=ifast,ou=ifastbase,dc=ifdsgroup,dc=com changetype:delete DN: ifastProfileId=P_SSBL,ou=profile,ou=prod,ou=ifast,ou=ifastbase,dc=ifdsgroup,dc=com changetype:delete but the ldifmodify gives this error... deleting entry "ifastProfileId=P_SUPER,ou=profile,ou=prod,ou=ifast,ou=ifastbase,dc=ifdsgroup,dc=com" ldap_delete: Other (e.g., implementation specific) error (80) additional info: could not locate parent of entry As I say we need to quickly remove these objects. Can anyone give some suggestions? Thanks, --DS

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2009