openldap-technical February 2009

openldap-technical@openldap.org

63 participants
67 discussions

olcSyncprovConfig not converted for cn=config
by Oliver Liebel 20 Feb '09

20 Feb '09

using openldap 2.4.14 (compiled from openldap.org source-package) i have noticed the following, reproducable behaviour when converting a slapd.conf to slapd.d: olcSyncprovConfig is generated during conversion for the hdb-context, but not for cn=config, although "overlay syncprov" is set for database config tested the conversion several times with slaptest and slapd, with the following simple example-slapd.conf. the result seems always to be the same. --- include /usr/local/etc/openldap/schema/core.schema access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to * by * read ##################################### database config rootdn cn=config rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q overlay syncprov ##################################### database hdb suffix "dc=local,dc=site" checkpoint 1024 5 cachesize 10000 rootdn "cn=ldapadmin,dc=local,dc=site" rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q directory /var/lib/ldap index objectClass eq index entryUUID,entryCSN eq overlay syncprov syncprov-checkpoint 10 1 syncprov-sessionlog 100 --- any ideas? thanks and greetings, oliver

2 2

Syncrepl master/master on RedHat4 Update 5 - wheres library?
by Mathew Rowley 19 Feb '09

19 Feb '09

I am trying to test the master/master replication architecture. When following the documentation from: http://www.openldap.org/doc/admin24/replication.html it shows: olcModulePath: /usr/local/libexec/openldap olcModuleLoad: syncprov.la When looking on my system, that file, nor the directory exists. I then looked into the slapd.conf file to see where the other libraries were: # modulepath /usr/sbin/openldap # moduleload back_bdb.la Again that directory, nor the module exist. I then thought there may be some option in the source that needs to be enabled to build the syncprov library, but I found nothing. I do see that there is a patch for syncrepl-uuid¹ which would make me think that the package is being built with syncrepl capability. How do I move forward? Do I need that library loaded? I did find this: https://bugzilla.redhat.com/show_bug.cgi?id=466937 which states: syncprov is compiled statically into slapd daemon to keep backward compatibility, I forgot to remove it from the config file. Does that mean the library is loaded by default, and doesn¹t explicitly need to be set to load? Thanks for any help. -- MAT

2 1

N-way multimaster replication with 2 masters
by Adrien Futschik 19 Feb '09

19 Feb '09

Hy again ! Still testing n-way multimaster replication with 2 masters. I encountered a situation where my two masters where out of sync. Here is the deal : I have M1(serverID=1) & M2(serverID=2) synced and I am performing adds/modify to both M1 & M2. 1) I stop M2 and make a backup of it with slapcat. 2) I then restart M2. 3) I continue to make updates on M1 & M2. 4) I then stop (kill -INT PID) M2 5) I continue to make updates on M1 6) I then delete all *.bdb etc.. files from M2 7) I use the LDIF backup(see 1)) to restore M2 and then restart it. 8) restart M2 9) all entries modified/added during phase 5) are successfuly replicated to M2, but all entries modified/added on M2 dunring phase 3) are not replicated on M2. This is because those entries have an entryCSN menchening that theses entries where last modified/created on M2 (ex: entryCSN: 20090219091852.789559Z#000000#002#000000) So M1 doesn't send them back to M2 even though they aren't present on M2. The trick I used to force M1 to send these entries to M2 is to change the serverID of M2. In fact, it is like setting up a whole new master. So I changed cn=config olcServerID from M1 before restarting M2 (before 8)) and I modify /appli/projects/m2/openldap_2.4.14/conf/slapd.d/cn=config.ldif also This is the only way I found to make sure that M1 & M2 are really the same again. Any other suggestions ? I didn't found anything in the documentation about that, maybe I missed-it. Adrien

1 0

N-way multimaster error code 53 - shadow context
by Adrien Futschik 19 Feb '09

19 Feb '09

Hy ! it's me again :) I am still testing n-way multi master replication with OpenLDAP 2.4.14. I don't know why I could modify my olcSyncrepl attribute from my data bdb. I am binding with cn=config, and I can modify the olcSyncrepl attribute from olcDatabase={0}config, but not from olcDatabase={1}bdb ! I am getting this error : 08:57:25: Failed to update entry olcDatabase={1}bdb, cn=config Reason: [LDAP: error code 53 - shadow context; no update referral] This appends on both masters. Is this supposed to be like that ? I have configured cn=config to replicate, this should work right ? Adrien

2 3

Usermod problems with ldap
by okossuth＠antel.com.uy 19 Feb '09

19 Feb '09

hi I'm having a problem dealing with usermod and groups stored on my openldap 2.3 server. when I try to change the supplementary group of a user I do: vmlx-jboss-desa:/home # usermod -D 'cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' -G mysql okossuth Enter LDAP Password: LDAP information update failed: Object class violation usermod: User not added to LDAP group `mysql'. vmlx-jboss-desa:/home # I looked into the log of my ldap server and I saw this error: Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify: cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: add member Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace entryCSN Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace modifiersName Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace modifyTimestamp Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: Entry (cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy), attribute 'member' not allowed Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: entry failed schema check: attribute 'member' not allowed Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: send_ldap_result: err=65 matched="" text="attribute 'member' not allowed" Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: connection_get(40) Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: connection_get(35) The groups that I have created on the ldap server don't have the member attribute, only the memberUid... Any ideas on how to solve this problem with usermod??? thanks. Saludos, Oskar Kossuth Administrador UNIX ANTEL Telecomunicaciones El presente correo y cualquier posible archivo adjunto está dirigido únicamente al destinatario del mensaje y contiene información que puede ser confidencial. Si Ud. no es el destinatario correcto por favor notifique al remitente respondiendo anexando este mensaje y elimine inmediatamente el e-mail y los posibles archivos adjuntos al mismo de su sistema. Está prohibida cualquier utilización, difusión o copia de este e-mail por cualquier persona o entidad que no sean las específicas destinatarias del mensaje. ANTEL no acepta ninguna responsabilidad con respecto a cualquier comunicación que haya sido emitida incumpliendo nuestra Política de Seguridad de la Información. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . This e-mail and any attachment is confidential and is intended solely for the addressee(s). If you are not intended recipient please inform the sender immediately, answering this e-mail and delete it as well as the attached files. Any use, circulation or copy of this e-mail by any person or entity that is not the specific addressee(s) is prohibited. ANTEL is not responsible for any communication emitted without respecting our Information Security Policy.

2 12

DO script IF ldap-useraccount GETS LOCKED ...
by Axel Werner 19 Feb '09

19 Feb '09

Hi Gurus out there! Is there a Way to have OpenLDAP start a script that kicks in whenever a LDAP User-Object got locked down ?? (through manual lock OR more important, through a intruder detection / x failed logon attempts ) My Problem is that whenever a LDAP Account got locked because of exceeding max. failed logon attempts the corresponding SAMBA Account (same LDAP Object) is still "unlocked". So when however the user cannot log back in to LDAP, he is still able to log in on Windows-workstation (samba) and reset his password. But reseting his SAMBA Password through Windows PC does also reset his LDAP Password through Password-Syncronisation. That means that his Locked LDAP Account is again "unlocked" because Samba's LDAP-Admin reseted the Password of my locked LDAP User. So i want to make sure that if he fucks up his LDAP account , his SAMBA account will also be disabled. Some Hook for a custom script would be fine. But is there something like that ? Any other Ideas how to manage that ? greetings Axel

1 0

Re: N-way replication "dn_callback : entries have identical CSN"
by Jonathan Clarke 18 Feb '09

18 Feb '09

Le Mer 18 février 2009 09:24, Adrien Futschik a écrit : > I then switched to OpenLDAP 2.4.14 and did not have the problem anymore > (same > configuration). I guess this was a bug form 2.4.11. > > Still, I had a few of theses messages in the log : > conn=9 op=1 => bdb_dn2id_add > dn="cn=M2client2(a)laposte.net,ou=clients,o=edf,c=fr" ID=0xb: put failed: > DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock -30995 > > but I also got a few of theses : > dn_callback : entries have identical CSN > cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr > 20090217155418.854085Z#000000#002#000000 > syncrepl_entry: rid=004 be_search (0) > syncrepl_entry: rid=004 cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr > syncrepl_entry: rid=004 entry unchanged, ignored > (cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr) > do_syncrep2: cookie=rid=004,sid=002 > syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) > > Can anyone explain to me why ? is this normal ? > The dn_callback message comes from the master log-file where > "cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr" was inserted. I don't know about the DB_LOCK_DEADLOCK message, but "entries have identical CSN" means that your syncrepl consumer received an entry that is identical to one already present in your DB. This may happen when resynching a database, or it could be that your multi-master setup is causing each server to feed updates back to itself. Make sure the URLs in your syncrepl declarations match the listener URLs to slapd (-h option). Jonathan

2 3

Re: N-way multi-master replication
by Gavin Henry 18 Feb '09

18 Feb '09

----- "Adrien Futschik" <adrien.futschik(a)atosorigin.com> wrote: > I am testing Multi-master replication with two masters. > > If I stop one of them and don't restart it before the end of retry > interval, > the replication process doesn't work anymore. (looks like it is > stopped). > > exemple : > - M1 & M2 are synchronised. > - stop M2 > - add entries to M1 > - wait for retry to fail (retry="5 5 300 5") > - restart M2 > - previously added entries to M1 are replicated to M2 > - modifying M2 (attributes) are not replicated to M1 > > It look like M1 -> M2 : OK and M2 -> M1 : broken > > Is there a way to restart replication after configured retry are over > ? The > solution I found was to restart M1. After that everything seems to > work fine. > > I could set up retry so that the number of retry is very hight, but I > was > wondering if there was a way to restart synchronisation online. "If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter which is a list of the <retry interval> and <# of retries> pairs. For example, retry="60 10 300 3" lets the consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next 3 times before stop retrying. The '+' in <# of retries> means indefinite number of retries until success. If no retry was specified, by default syncrepl retries every hour forever." Why not just change it to retry="60 +" ? -- Kind Regards, Gavin Henry. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

3 6

LDAP + PAM + NSS with groups local and in LDAP
by John Kane 18 Feb '09

18 Feb '09

I am using LDAP + PAM + NSS on Linux, and am trying to use groups defined locally as well as in LDAP. These groups are for (critical) apps that run on the Linux systems. I want to define the group locally as to not have issues when and if LDAP is unavailable. But to manage group members, I want to define the same groups (and gids) in LDAP. The problem is that the group members cannot 'newgrp' to groups in which they are members (LDAP defined) if the groups exists locally. It appears that when the group is defined locally, the server does not check LDAP for group members. In the following example, user 'tester' is a member of groups 'postgres' and 'testgrp' (defined in LDAP), and the group 'testgrp' is also defined locally: [tester]$ groups postgres testgrp [tester]$ grep testgrp /etc/group [tester]$ getent group testgrp testgrp:x:110:tester [tester]$ grep postgres /etc/group postgres:x:110: [tester]$ grep postgres /etc/gshadow postgres:!:: [tester]$ getent group postgres postgres:x:101: As you can see, 'getent group' shows 'tester' is NOT a member of postgres, although 'groups' shows he is. My /etc/nsswitch.conf has: passwd: files ldap shadow: files ldap group: files ldap PAM /etc/pam.d/system-auth has: # testing for groups local and in ldap - 022809 auth required /lib/security/$ISA/pam_group.so debug use_first_pass # auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok nodelay auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so And, in LDAP: [tester]$ ldapsearch -x -b 'ou=groups,o=partner_x,dc=example,dc=net' 'cn=postgres' # extended LDIF # # LDAPv3 # base <ou=groups,o=partner_x,dc= example,dc=net> with scope subtree # filter: cn=postgres # requesting: ALL # # postgres, groups, partner_x, example.net dn: cn=postgres,ou=groups,o=partner_x,dc=example,dc=net objectClass: top objectClass: posixGroup cn:: cG9zdGdyZXMg gidNumber: 110 memberUid: tester description: Postgres DB Group Thanks in advance for any help. John This message is confidential to Prodea Systems, Inc unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient:(a)any dissemination or copying of this message is strictly prohibited; and(b)immediately notify the sender by return message and destroy any copies of this message in any form(electronic, paper or otherwise) that you have.The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied,and must be independently verified.

1 0

password encryption question
by Mike Simonton 18 Feb '09

18 Feb '09

Hello, I want to change the default 'secret' password in the slapd.conf file to something that's encrypted in some way to hide the clear text password for the Manager account. What's the best and easiest way to go about doing this? Is slappasswd the way to not only do this but change passwords for any users in the database, or is ldappasswd the way to go? One other question - does anyone have an example slapd.conf file that uses the /etc/passwd and /etc/shadow files to manage the passwords for openldap, particularly for the Manager account? Thank you for your help! Mike

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2009