openldap-technical December 2009

openldap-technical@openldap.org

59 participants
67 discussions

gidNumber attribute inside group & member
by Shamika Joshi 07 Dec '09

07 Dec '09

Hi all, I need some clarification regarding how permissions of members are taken care when they login to a client machine. As I understand "gidNumber" that I give while creating group entry(like "gidNumber" "4" for "qagroup", which refers to "gid" of "adm" group on a linux machine /etc/group), so permissions of that group are assigned to members of "qagroup" i.e. ldap1 & ldap2 when they login to any client. Is that correct? It is confusing because, members ldap1 & ldap2 belong to posixAccount objectclass which also requires gidNumber as required attribute. So does gidNumber values mentioned in member's entry get overwritten by gidNumber attribute inside their group i.e "qagroup"? What about the case where single member is added to multiple groups? what permissions does the member get when he logs on to particular machine? ldif input: dn: uid=ldap1,ou=Users,dc=test,dc=com objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person homeDirectory: /home/ldap1 loginShell: /bin/bash cn: ldap1 uidNumber: 10000 gidNumber: 500 <============= sn: ldap1 mobile: 987777787 physicalDeliveryOfficeName: ravi userPassword: ldap1 uid: ldap1 dn: cn=qagroup,ou=Groups,dc=test,dc=com cn: qagroup gidNumber: 4 <=============== objectClass: posixGroup memberUid: uid=ldap1,ou=Users,dc=test,dc=com memberUid: uid=ldap2,ou=Users,dc=test,dc=com Thanks in advance Shamika

2 2

listener question
by DT Piotr Wadas 05 Dec '09

05 Dec '09

Hello, I'm using openldap 2.4.17. slapd -h option specifies the set of local IP addresses for slapd to listen on. Is there a way to specify client address with syncrepl mirror mode ? I reviewed syncrepl directive options in manual and seems there isn't for now. Regards, DT -- http://dtpw.pl/buell [ 25th anniversary of Buell - American Motorcycles ] Linux aleft 2.6.27.29-0.1_lustre.1.8.1.1-default #1 SMP drbd 8.3.6-(api:88/proto:86-91) pacemaker 1.0.6-cebe2b6ff49b36b29a3bd7ada1c4701c7470febe

3 2

Two contextCSNs
by Peter Mogensen 05 Dec '09

05 Dec '09

I'm trying to understand why changes made to SID 1 in my mirror set while SID 2 is down does not get propagated to SID 2 when it comes up. I did another test, resulting in SID 2 having two contextCSNs: root object: entryCSN: 20091204151327.370998Z#000000#001#000000 contextCSN: 20091204151327.735435Z#000000#001#000000 contextCSN: 20091204151430.680725Z#000000#002#000000 However, no changes has been made to server2. Only to server1. No entry has the CSN with sid=002. Is this expected? /Peter

4 12

changing samba and ldap password at the same time
by Marc Mertes 04 Dec '09

04 Dec '09

Hi everybody, I have a small question. I have here a samba domain authenticating with ldap. If I now change the password for the regular LDAP user, it would be fine if the samba password would be changed at the same time. Can I do that with ldappasswd as well, and if yes, which parameters I need? Or do I still need smbpasswd to change it? It would be great to do that 2in1 like.. Thx and regards Marc

3 4

Authentication failed with ldaps configuration
by smainklh＠free.fr 04 Dec '09

04 Dec '09

Hi everyone, I configured my ldap server (debian lenny) to listen on port 636 (ldaps) but it doesn't seems to work when issuing a remote connexion. Perhaps i did a mistake when generating the certificates ?.... When i try to browse the ldap server from a remote server i get the following message : ---------- root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld ldap_url_parse_ext(ldaps://ldapserver.domain.tld) ldap_create ldap_url_parse_ext(ldaps://ldapserver.domain.tld:636/??base) Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldapserver.domain.tld:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.10.48.40:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS: peer cert untrusted or revoked (0x42) ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) ----------- I generated the certificates with the following command : # openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650 ----------- Then i tried the connexion : openssl s_client -connect ldapserver.domain.tld:636 -showcerts CONNECTED(00000003) depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld verify error:num=18:self signed certificate verify return:1 depth=0 /C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld verify return:1 --- Certificate chain 0 s:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld i:/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld -----BEGIN CERTIFICATE----- MIIDDTCCAnagAwIBAgIJAM7IwuTIzhwqMA0GCSqGSIb3DQEBBQUAMGMxCzAJBgNV BAYTAkZSMRMwEQYDVQQIEwpTb21lLVN0YXRlMQ4wDAYDVQQHEwVQYXJpczELMAkG A1UEChMCQlQxIjAgBgNVBAMTGWlwb2MwMS5pcG9jLmJ0c2VydmljZXMuZnIwHhcN MDkxMTI0MTUwMTUxWhcNMTkxMTIyMTUwMTUxWjBjMQswCQYDVQQGEwJGUjETMBEG A1UECBMKU29tZS1TdGF0ZTEOMAwGA1UEBxMFUGFyaXMxCzAJBgNVBAoTAkJUMSIw IAYDVQQDExlpcG9jMDEuaXBvYy5idHNlcnZpY2VzLmZyMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCm5FrQ3dN1Jkxj2SZsPr+vkYDlwVnvqDCxnAs3O5NJ/1uY F9/mwsCVdAnp04Eywo3BCbvP6tlzsF3JbAlqMLTb85ZTHOqRQncXGfVZ7bMnR071 tQ70/b3vF/TuMYiOU7vXf2h863aRi11tT9xHD17wFfFaXBtRIIOioc3UpJWWPwID AQABo4HIMIHFMB0GA1UdDgQWBBREqX/HQEzU5TCDrBsbttUxa44fnDCBlQYDVR0j BIGNMIGKgBREqX/HQEzU5TCDrBsbttUxa44fnKFnpGUwYzELMAkGA1UEBhMCRlIx EzARBgNVBAgTClNvbWUtU3RhdGUxDjAMBgNVBAcTBVBhcmlzMQswCQYDVQQKEwJC VDEiMCAGA1UEAxMZaXBvYzAxLmlwb2MuYnRzZXJ2aWNlcy5mcoIJAM7IwuTIzhwq MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAd0Le1JyJF8zBs0RYvEn7 c1nhVbsdD8FDBTa4IaNvkbIt8al6G7bBpfyDxcMVtgFc8zHt/+sYfTxWuHh7m+b1 yjJtD9vMjIigbaZq4VJOz11JEWsQHc8wo3So+G+CelTz4HXPoGh5vqRtTkupjedz 0DDsA1jd9F4KpYSOkzxosdc= -----END CERTIFICATE----- --- Server certificate subject=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld issuer=/C=FR/ST=Some-State/L=Paris/O=firm/CN=ldapserver.domain.tld --- No client certificate CA names sent --- SSL handshake has read 1107 bytes and written 316 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 9EF5F2D4FD72A0D1161C8334537F1ADF60C8B790A3F699B6DC52557E3C95D427 Session-ID-ctx: Master-Key: 015D50D6D93F502E37EDB577691F05D157E80A439A2B129B370EEA24E651E828A172E43B3F6D29174BF33B96193202F0 Key-Arg : None Start Time: 1259761586 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- ------------------ My ldap.conf ----------------- BASE dc=domain,dc=tld URI ldaps://ldapserver.domain.tld/ TLS_REQCERT allow My slapd.conf : ---------------- ... TLSCACertificateFile /etc/ldap/ssl/server.pem TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateKeyFile /etc/ldap/ssl/server.pem ... ------------------ My /etc/default/slapd.conf ... SLAPD_SERVICES="ldaps://ldapserver.domain.tld" ... Could you please help me ?

4 6

bootstrapping mirrormode
by Peter Mogensen 04 Dec '09

04 Dec '09

Previously I described problems when using this procedure to bootstrap a mirrormode pair with a large LDIF. I've reproduced it with a much smaller subset of the database, and there must be something wrong with the procedure or a bug. What I do is: 1) Took an slapcat generated LDIF from a 2.3.x setup 2) Removed all entryCSN and contextCSN lines. 3) Ran "slapadd -S 1 -q -w -l ~/load_noCSN.ldif" on server-1 4) Did a "slapcat > toserver2.ldif" on server-1 5) Started server-1 and let applications create and modify objects. 6) Moved toserver2.ldif to server-2. 7) Ran slapadd -q -l toserver2.ldif on server-2 8) Started server-2 Now - I would expect the objects created on step 5 to appear after a while on server-2. They are not. However, objects created on server-1 after both servers has been started are replicated. I would suspect a problem with the index created with slapadd, (olcLinearIndex is FALSE), so syncrepl only finds entries created via LDAP. But I see no reason why. ldapsearch can read the entries. /Peter

2 8

OpenLDAP with SSL
by Chamith Kumarage 04 Dec '09

04 Dec '09

Hi Folks, I have setup openldap with SSL and i'm using self signed certs. I have included the following in my slapd.conf. TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCACertificateFile /etc/ldap/ssl/server.pem TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateKeyFile /etc/ldap/ssl/server.pem TLSVerifyClient demand and in my ldap.conf I have; HOST <my_ip> PORT 636 TLS_REQCERT /etc/ldap/ssl/server.pem When I start the service, I see port 636 is up and I can even telnet to it. But I cannot perform any ldap operations there. Any help would be appreciated! Thanks, ~Chamith

4 4

OpenLDAP 2.4.16 hanging - ideas welcome
by J. Landamore 03 Dec '09

03 Dec '09

We run 4 2.4.16 servers as 2 provider/consumer pairs, one pair for our staff systems and one pair for our teaching facilities. They are all on Solaris10u7 xen virtual hosts. The staff pair run fine The consumer on the teaching pair runs fine The provider on the teaching pair runs fine until it gets hit by a heavy load, eg start of a lab when ~100 PCs try and authenticate their user. At this point it refuses to serve LDAP requests. Traffic is still coming in to the box and existing connections seem OK. The break point is about 35PCs, below that there isn't a problem. Restarting slapd cures the problem and off we go until the start of the next big lab. I've run at various log levels but not been able to see any obvious messages. All I see, even when everything is fine, are messages of the form send_search_entry: conn 11639 ber write failed. connection_read(38): no connection! The slapd.conf (minux the syncprov bit) is: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/duaconf.schema include /usr/local/etc/openldap/schema/local.schema pidfile /var/openldap/run/slapd.pid argsfile /var/openldap/run/slapd.args conn_max_pending 200 idletimeout 60 sizelimit 2000 loglevel 256 database bdb suffix "dc=my,dc=domain" rootdn "cn=me,dc=my,dc=domain" rootpw {SSHA}guess directory /var/openldap/openldap-data index cn,entryCSN,entryUUID,gidNumber,ipHostNumber,memberUid eq index objectclass,uid,uidNumber,uniqueMember eq cachefree 16 cachesize 1500 checkpoint 0 60 dncachesize 1500 idlcachesize 3000 access to attrs=userPassword by self write by anonymous auth by dn.base="cn=fred,ou=Profile,dc=my,dc=domain" read by * none access to * by self write by users read by * read The only entry in DB_CONFIG is set_cachesize 0 26214400 0 cache hits are at 99% I'm stumped for a cause/solution, can anyone either give me a pointer as to what to look for in the logs or suggest a possible cause. Could it be hitting the 256 open file limit? Thanks -- John Landamore Department of Computer Science University of Leicester University Road, LEICESTER, LE1 7RH J.Landamore(a)mcs.le.ac.uk Phone: +44 (0)116 2523410 Fax: +44 (0)116 2523604

2 1

Re: How to Clone / move an OpenLDAP instance?
by Michael March 03 Dec '09

03 Dec '09

> --On Thursday, December 03, 2009 10:49 AM -0700 Michael March > <mmarch(a)gmail.com> wrote: > > >> ... also from the slapadd man page: >> >> "As slapadd is designed to accept LDIF in database order, as produced >> by slapcat(8), it does not verify that superior entries exist before >> adding an entry, does not perform all user and system schema checks, >> and does not maintain operational attributes (such as createTimeStamp >> and modifiersName). " > > That statement is incorrect, and has been corrected in modern releases > (2.4.x). Old 2.3.x man pages have the statement, but were not correct. > > <http://www.openldap.org/software/man.cgi?query=slapadd&apropos=0&sektion=0&…> Yup.. I confirmed this and you are correct.. I'm good now. thanks!

1 0

How to Clone / move an OpenLDAP instance?
by Michael March 03 Dec '09

03 Dec '09

I need to move all the data from one OpenLDAP instance to another (including operational attributes). What is the best way to do that? My first thought was to tar up all the file in /var/lib/openldap (on Centos) and move that data over but that doesn't seem to be working. Specifically, slapd will not start and no errors are spitting out. Any ideas? Thanks!

8 10

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2009