I need some clarification regarding how the permissions of members are taken
care of when they log in to a client machine. As I understand it, the "gidNumber" that I
give while creating a group entry (like "gidNumber" "4" for "qagroup", which
refers to the "gid" of the "adm" group in a Linux machine's /etc/group), so the
permissions of that group are assigned to the members of "qagroup", i.e. ldap1 &
ldap2, when they log in to any client. Is that correct?
It is confusing because members ldap1 & ldap2 belong to the posixAccount
objectclass, which also requires gidNumber as a required attribute. So do the
gidNumber values mentioned in the members' entries get overwritten by the gidNumber
attribute of their group, i.e. "qagroup"? What about the case where a single
member is added to multiple groups? What permissions does the member get
when he logs on to a particular machine?
gidNumber: 500 <=============
gidNumber: 4 <===============
Thanks in advance
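The post above asks whether a group's gidNumber overwrites the user's own gidNumber and what happens with several groups. As an added example (not from the post, and not OpenLDAP code), the script below mimics what an NSS LDAP client does with these attributes: the user's gidNumber is the primary group, each posixGroup that lists the user in memberUid becomes a supplementary group, and nothing is overwritten. It also checks the point that matters most on the client, namely whether an LDAP gid (4 in the post) collides with a local group in /etc/group, because the client kernel only sees numeric gids and would hand qagroup's members whatever the local "adm" group may do. All user, group and /etc/group data are constructed sample values.

```python
"""Added example: resolve primary and supplementary gids for LDAP users the
way a client's NSS module does, and flag LDAP gids that reuse a local gid.
All data below is constructed to match the mailing-list post."""

# Constructed posixAccount entries (gidNumber: 500 in the user entry).
USERS = {
    "ldap1": {"uidNumber": 1001, "gidNumber": 500},
    "ldap2": {"uidNumber": 1002, "gidNumber": 500},
}
# Constructed posixGroup entries (gidNumber: 4 in the qagroup entry).
GROUPS = {
    "qagroup": {"gidNumber": 4, "memberUid": ["ldap1", "ldap2"]},
    "qausers": {"gidNumber": 500, "memberUid": []},
    "devgroup": {"gidNumber": 2001, "memberUid": ["ldap2"]},
}
# Constructed excerpt of a client's local /etc/group.
LOCAL_ETC_GROUP = """root:x:0:
adm:x:4:syslog
sudo:x:27:
"""


def resolve_groups(uid, users=USERS, groups=GROUPS):
    """Return (primary_gid, sorted supplementary gids) as the client sees them.

    The group's gidNumber never replaces the user's gidNumber; membership in
    a posixGroup adds a supplementary gid, which is what initgroups(3) builds.
    Membership in several groups is simply the union of their gidNumbers.
    """
    primary = users[uid]["gidNumber"]
    supplementary = {g["gidNumber"] for g in groups.values() if uid in g["memberUid"]}
    supplementary.discard(primary)  # the primary gid is not listed twice
    return primary, sorted(supplementary)


def parse_etc_group(text):
    """Map gid -> group name from /etc/group style lines."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, _members = line.split(":", 3)
        result[int(gid)] = name
    return result


def local_collisions(groups=GROUPS, etc_group_text=LOCAL_ETC_GROUP):
    """Return {ldap_group: local_group} for LDAP gids that reuse a local gid.

    Reusing gid 4 means every member of qagroup gets the local 'adm' group's
    rights on that client (on many distributions, read access to /var/log),
    so LDAP gids should come from a range no client uses locally.
    """
    local = parse_etc_group(etc_group_text)
    return {name: local[g["gidNumber"]]
            for name, g in groups.items() if g["gidNumber"] in local}


if __name__ == "__main__":
    for uid in USERS:
        print(uid, resolve_groups(uid))   # ldap2 -> (500, [4, 2001])
    print("collisions:", local_collisions())  # {'qagroup': 'adm'}
```

The answer to the post's question falls out of `resolve_groups`: ldap1 keeps primary gid 500 and gains gid 4 as a supplementary group, so file permissions are evaluated against both.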
I'm using openldap 2.4.17.
The slapd -h option specifies the set of local IP addresses for slapd
to listen on. Is there a way to specify the client address with
syncrepl mirror mode? I reviewed the syncrepl directive options in the
manual and it seems there isn't one for now.
Linux aleft 22.214.171.124-0.1_lustre.126.96.36.199-default #1 SMP
I'm trying to understand why changes made to SID 1 in my mirror set
while SID 2 is down do not get propagated to SID 2 when it comes up.
I did another test, resulting in SID 2 having two contextCSNs:
However, no changes have been made to server2.
Only to server1.
No entry has the CSN with sid=002.
Is this expected?
I have a small question.
I have here a samba domain authenticating with ldap.
If I now change the password for the regular LDAP user, it would be fine
if the samba password were changed at the same time. Can I do that
with ldappasswd as well, and if yes, which parameters do I need?
Or do I still need smbpasswd to change it?
It would be great to do that 2in1 like..
Thx and regards Marc
I configured my LDAP server (Debian lenny) to listen on port 636 (ldaps), but it doesn't seem to work when issuing a remote connection.
Perhaps I made a mistake when generating the certificates?
When I try to browse the LDAP server from a remote server I get the following message:
root@vmtest:~# ldapsearch -d 1 -Wx -H ldaps://ldapserver.domain.tld -D cn=admin,dc=domain,dc=tld
Enter LDAP Password:
ldap_new_connection 1 1 0
ldap_connect_to_host: TCP ldapserver.domain.tld:636
ldap_connect_to_host: Trying 10.10.48.40:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I generated the certificates with the following command:
# openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout server.pem -days 3650
Then I tried the connection:
openssl s_client -connect ldapserver.domain.tld:636 -showcerts
verify error:num=18:self signed certificate
No client certificate CA names sent
SSL handshake has read 1107 bytes and written 316 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Protocol : TLSv1
Cipher : AES256-SHA
Key-Arg : None
Start Time: 1259761586
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
My slapd.conf:
Could you please help me?
Previously I described problems when using this procedure to bootstrap a
mirrormode pair with a large LDIF. I've reproduced it with a much
smaller subset of the database, and there must be something wrong with
the procedure or a bug.
What I do is:
1) Took a slapcat-generated LDIF from a 2.3.x setup
2) Removed all entryCSN and contextCSN lines.
3) Ran "slapadd -S 1 -q -w -l ~/load_noCSN.ldif" on server-1
4) Did a "slapcat > toserver2.ldif" on server-1
5) Started server-1 and let applications create and modify objects.
6) Moved toserver2.ldif to server-2.
7) Ran slapadd -q -l toserver2.ldif on server-2
8) Started server-2
Now - I would expect the objects created on step 5 to appear after a
while on server-2. They are not.
However, objects created on server-1 after both servers have been started
I would suspect a problem with the index created with slapadd,
(olcLinearIndex is FALSE), so syncrepl only finds entries created via
LDAP. But I see no reason why. ldapsearch can read the entries.
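Step 2 of the procedure above (removing all entryCSN and contextCSN lines) is the place where a line-oriented tool can quietly damage the export. slapcat folds long values onto continuation lines that begin with a single space (RFC 2849), and `grep -v '^entryCSN:'` drops the header line but leaves its continuation behind, which an LDIF reader then appends to whatever attribute precedes it. CSN values are short enough that slapcat rarely folds them, but a filter that unfolds before it filters is the correct form for any attribute one strips. The following is an added example (not from the post, and not OpenLDAP code) on a constructed LDIF whose one CSN value is folded on purpose to show the difference.

```python
"""Added example: strip operational CSN attributes from a slapcat LDIF while
respecting RFC 2849 line folding. The sample LDIF is constructed."""

STRIP_ATTRS = {"entrycsn", "contextcsn"}

# Constructed slapcat-style export; the first entryCSN value is folded
# across two physical lines (the second starts with a single space).
SAMPLE_LDIF = (
    "dn: dc=example,dc=com\n"
    "objectClass: dcObject\n"
    "objectClass: organization\n"
    "dc: example\n"
    "o: Example\n"
    "entryCSN: 20091203104900.123456Z#000000#001#00000\n"
    " 0\n"
    "contextCSN: 20091203104900.123456Z#000000#001#000000\n"
    "\n"
    "dn: uid=ldap1,ou=People,dc=example,dc=com\n"
    "objectClass: posixAccount\n"
    "uid: ldap1\n"
    "entryCSN: 20091203104901.000000Z#000000#001#000000\n"
    "entryUUID: 1b9e4a3e-0000-0000-0000-000000000001\n"
)


def unfold(lines):
    """Yield logical LDIF lines, joining ' '-prefixed continuation lines."""
    current = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and current is not None:
            current += line[1:]
            continue
        if current is not None:
            yield current
        current = line
    if current is not None:
        yield current


def attr_name(logical_line):
    """Lower-cased attribute name of a logical line, '' for blank/comment lines."""
    if ":" not in logical_line or logical_line.startswith("#"):
        return ""
    # an attribute option such as 'entryCSN;x-opt' still names entryCSN
    return logical_line.split(":", 1)[0].split(";", 1)[0].strip().lower()


def strip_attrs(ldif_text, attrs=STRIP_ATTRS):
    """Return the LDIF with the named attributes removed, unfolded first."""
    out = [line for line in unfold(ldif_text.splitlines(True))
           if attr_name(line) not in attrs]
    return "\n".join(out) + ("\n" if out else "")


def naive_strip(ldif_text):
    """The grep -v approach: drops the header line but keeps its continuation."""
    kept = [l for l in ldif_text.splitlines()
            if not l.lower().startswith(("entrycsn:", "contextcsn:"))]
    return "\n".join(kept) + "\n"


def count_attr(ldif_text, attr):
    """Number of logical lines carrying the given attribute."""
    return sum(1 for l in unfold(ldif_text.splitlines(True))
               if attr_name(l) == attr.lower())


if __name__ == "__main__":
    print(strip_attrs(SAMPLE_LDIF))
    # The grep-style result turns 'o: Example' into 'o: Example0':
    print(list(unfold(naive_strip(SAMPLE_LDIF).splitlines(True)))[4])
```

Note that entryUUID is left alone: the procedure only needs the CSNs gone so that slapadd assigns fresh ones, and the UUIDs are what syncrepl uses to match entries between the two servers.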
I have set up OpenLDAP with SSL and I'm using self-signed certs. I have
included the following in my slapd.conf.
and in my ldap.conf I have:
When I start the service, I see port 636 is up and I can even telnet to
it. But I cannot perform any ldap operations there.
Any help would be appreciated!
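Both this post and the earlier one with the `ldapsearch -d 1` trace are the same situation: the server presents a self-signed certificate and the client has no trust anchor for it, so the client aborts the handshake with "peer cert untrusted or revoked (0x42)" before any bind can happen. The fix belongs on the client: point TLS_CACERT in ldap.conf at the server's certificate (or at the CA that signed it). As an added example (not from either post, and not OpenLDAP code), the script below reproduces the failure against a local TLS listener and then shows the verifying client succeeding once the certificate is loaded as its trust anchor. It assumes an openssl binary that understands `-addext` (1.1.1 or newer); hostname, port and paths are constructed for the demo.

```python
"""Added example: reproduce 'peer cert untrusted' against a self-signed
server on loopback, then show the effect of trusting that certificate
(the equivalent of TLS_CACERT in ldap.conf). Everything is constructed."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "localhost"  # constructed: CN and SAN of the demo certificate


def make_self_signed(workdir):
    """Create server.key and server.pem with the openssl CLI (assumed present).

    Same idea as the post's openssl req command, but key and certificate go
    to separate files and a SAN is added so hostname checking can pass.
    """
    key = os.path.join(workdir, "server.key")
    cert = os.path.join(workdir, "server.pem")
    subprocess.run(
        ["openssl", "req", "-newkey", "rsa:2048", "-x509", "-nodes",
         "-days", "30", "-subj", f"/CN={HOST}",
         "-addext", f"subjectAltName=DNS:{HOST}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return key, cert


def serve_once(cert, key, ready, outcome):
    """Accept one TLS connection on an ephemeral loopback port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    with socket.socket() as lsock:
        lsock.bind((HOST, 0))
        lsock.listen(1)
        ready["port"] = lsock.getsockname()[1]
        ready["event"].set()
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
            outcome["server"] = "handshake ok"
        except OSError:  # client sent an alert (e.g. unknown CA) or reset
            outcome["server"] = "handshake failed"
        finally:
            conn.close()


def connect(port, cacert=None):
    """Return 'ok' or 'untrusted' for a certificate-verifying client.

    cacert=None mirrors a client with no TLS_CACERT: only the system CA
    store is trusted, so a self-signed server certificate is rejected.
    Passing the server's certificate is what 'TLS_CACERT /path/server.pem'
    (constructed path) does in ldap.conf.
    """
    ctx = ssl.create_default_context()
    if cacert:
        ctx.load_verify_locations(cafile=cacert)
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                tls.sendall(b"hello")
        return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted"


def run_demo():
    """Run both client variants against the same self-signed server."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        key, cert = make_self_signed(work)
        for label, ca in (("no_cacert", None), ("with_cacert", cert)):
            ready = {"event": threading.Event()}
            outcome = {}
            worker = threading.Thread(target=serve_once,
                                      args=(cert, key, ready, outcome))
            worker.start()
            ready["event"].wait(5)
            results[label] = connect(ready["port"], ca)
            worker.join(5)
    return results


if __name__ == "__main__":
    print(run_demo())  # {'no_cacert': 'untrusted', 'with_cacert': 'ok'}
```

Setting `TLS_REQCERT never` on the client would also make ldapsearch connect, but it does so by skipping verification entirely, so the connection no longer proves it reached the intended server; copying the certificate to the client and naming it in TLS_CACERT keeps the check and is the change the error is asking for.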
We run 4 2.4.16 servers as 2 provider/consumer pairs, one pair for our
staff systems and one pair for our teaching facilities.
They are all on Solaris10u7 xen virtual hosts.
The staff pair run fine
The consumer on the teaching pair runs fine
The provider on the teaching pair runs fine until it gets hit by a heavy
load, e.g. the start of a lab when ~100 PCs try to authenticate their users. At
this point it refuses to serve LDAP requests. Traffic is still coming in
to the box and existing connections seem OK.
The break point is about 35 PCs; below that there isn't a problem.
Restarting slapd cures the problem and off we go until the start of the
next big lab.
I've run at various log levels but not been able to see any obvious
messages. All I see, even when everything is fine, are messages of the
send_search_entry: conn 11639 ber write failed.
connection_read(38): no connection!
The slapd.conf (minus the syncprov bit) is:
index cn,entryCSN,entryUUID,gidNumber,ipHostNumber,memberUid eq
index objectclass,uid,uidNumber,uniqueMember eq
checkpoint 0 60
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * read
The only entry in DB_CONFIG is set_cachesize 0 26214400 0
cache hits are at 99%
I'm stumped for a cause or solution. Can anyone either give me a pointer as
to what to look for in the logs or suggest a possible cause? Could it be
hitting the 256 open file limit?
Department of Computer Science
University of Leicester
University Road, LEICESTER, LE1 7RH
Phone: +44 (0)116 2523410 Fax: +44 (0)116 2523604
> --On Thursday, December 03, 2009 10:49 AM -0700 Michael March
> <mmarch(a)gmail.com> wrote:
>> ... also from the slapadd man page:
>> "As slapadd is designed to accept LDIF in database order, as produced
>> by slapcat(8), it does not verify that superior entries exist before
>> adding an entry, does not perform all user and system schema checks,
>> and does not maintain operational attributes (such as createTimeStamp
>> and modifiersName). "
> That statement is incorrect, and has been corrected in modern releases
> (2.4.x). Old 2.3.x man pages have the statement, but were not correct.
Yup.. I confirmed this and you are correct.. I'm good now.
I need to move all the data from one OpenLDAP instance to another
(including operational attributes). What is the best way to do that?
My first thought was to tar up all the files in /var/lib/openldap (on
CentOS) and move that data over, but that doesn't seem to be working.
Specifically, slapd will not start and no errors are being spit out.