openldap-technical February 2009

openldap-technical@openldap.org

63 participants
67 discussions

User to administrate a OU
by Leandro Repolho 10 Feb '09

10 Feb '09

Hello, i don't know if is it possible to do it but i would like to create a User inside an OU of my OpenLDAP server and when this user connects to a ldap manager like phpLdapAdmin he needs to see all objects inside his OU and manage them. Is it possible to do it? Thank you very much, -- Leandro Cascino Repolho

2 1

help in ldap and webmin
by Sufyan Aqtam 10 Feb '09

10 Feb '09

Hi all I have a problem in openldap server. I configured an ldap server with bdb that contains about 25000 user. It works perfect to answer the authentication requests and modifying existing users. I am using the webmin "LDAP Users and Groups" module to create new users. When I fill the information for a new user and click on create button it takes a very long time to create the user. I check the log file of ldap server and I find that it starts access all users in the database. The messages in the log file as below and it is repeated for all users: conn=19 op=1 ENTRY dn="uid=testuser,ou=users,dc=example,dc=com" Feb 7 10:38:42 testserver slapd[25075]: <= send_search_entry: conn 19 exit. Feb 7 10:38:42 testserver slapd[25075]: entry_decode: "uid=testuser,ou=Users,dc=example,dc=com" Feb 7 10:38:42 testserver slapd[25075]: <= entry_decode(uid=testuser,ou=Users,dc=example,dc=com) Feb 7 10:38:42 testserver slapd[25075]: => bdb_dn2id("uid=testuser,ou=users,dc=example,dc=com") Feb 7 10:38:42 testserver slapd[25075]: <= bdb_dn2id: got id=0x24 Feb 7 10:38:42 testserver slapd[25075]: => test_filter Feb 7 10:38:42 testserver slapd[25075]: EQUALITY Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: search access to "uid=testuser,ou=Users,dc=example,dc=com" "objectClass" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: <= test_filter 6 Feb 7 10:38:42 testserver slapd[25075]: => send_search_entry: conn 19 dn="uid=testuser,ou=Users,dc=example,dc=com" Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "entry" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "uid" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "cn" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "objectClass" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "userPassword" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "shadowLastChange" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "shadowMax" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "shadowWarning" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "loginShell" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "uidNumber" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "gidNumber" requested Feb 7 10:38:42 testserver slapd[25075]: <= root access granted Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "homeDirectory" requested Feb 7 10:38:43 testserver slapd[25075]: <= root access granted I hope to help me with many thanks to your efforts. Regards

2 4

Unable to logon to any server as a locally defined user if the OpenLDAP server is unavailable.
by Sean Leinart 10 Feb '09

10 Feb '09

Greetings OpenLDAP Technical Mailing List, I would generally consider myself at the newb status when it comes to LDAP in the Linux environment. I have acquired a network from a previous admin and my issue is that if the LDAP server is offline I can not authenticate locally on any of my servers, which is obviously a huge problem. The version of Open LDAP is: [user@server:/usr/sbin]slapd -VV @(#) $OpenLDAP: slapd 2.2.13 (Jul 11 2008 09:16:05) $ mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd The Linux Version is: [user@server:/]uname -a Linux server.host.local 2.6.9-42.0.10.ELsmp #1 SMP Tue Feb 27 10:11:19 EST 2007 i686 i686 i386 GNU/Linux I have read several items regarding the fact that this can be a common issue when using LDAP authentication. I have read to check the settings in the nsswitch.conf file on the systems in question to verify that "Files" are being looked at first etc. and all of these settings appear to be correct. I am looking for guidance on what would be the best thing to do in this case, and why is it broken when the ldap server is not available. What happens is, if the LDAP server is not available, and you attempt to logon to a server locally, you enter the userid and password and you will have no activity for a minute or so then the prompt goes directly back to the login prompt. The userid and password that is being used is locally defined on the server. Also PAM LDAP is being utilized. Any help or ideas on what to look for would be greatly appreciated. Is there a way to just turn off the LDAP authentication on the servers. I feel that the answer to this is probably no. That would simply be too easy. Thanks in advance for any responses. sean sleinart(a)fscarolina.com No virus found in this outgoing message. Checked by AVG. Version: 7.5.552 / Virus Database: 270.10.19/1941 - Release Date: 2/9/2009 6:50 AM

2 1

Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall 09 Feb '09

09 Feb '09

Thanks all for your comments / answers / criticisms on this issue. It's been helpful and informative and is much appreciated. Andy.

1 0

N-way replication config file help
by Mike Simonton 09 Feb '09

09 Feb '09

Hello everyone, I'm trying to convert my two node replicated OpenLDAP pair to a three-way pair and am having trouble with configuring the slapd.conf files. Can anyone tell me what I need to add here? Below is my newly modified slapd.conf file with the system03 addition: ----- slapd.conf on system01 replicating to system02 and system03 ----- include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/promptu.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args serverID 001 ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=mydomain,dc=local" rootdn "cn=Manager,dc=mydomain,dc=local" rootpw secret directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq index entryCSN eq index entryUUID eq syncrepl rid=0 provider=ldap://sys02 type=refreshAndPersist interval=00:00:00:30 retry="5 5 300 +" searchbase="dc=mydomain,dc=local" filter="(objectClass=*)" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=Manager,dc=mydomain,dc=local" credentials="secret" updateref ldap://sys02 syncrepl rid=0 provider=ldap://sys03 type=refreshAndPersist interval=00:00:00:30 retry="5 5 300 +" searchbase="dc=mydomain,dc=local" filter="(objectClass=*)" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=Manager,dc=mydomain,dc=local" credentials="secret" updateref ldap://sys03 mirrormode TRUE overlay syncprov syncprov-checkpoint 100 10 Thank you for your help! Mike

2 3

Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall 09 Feb '09

09 Feb '09

2009/2/9 Quanah Gibson-Mount <quanah(a)zimbra.com>: > I'm not sure why you feel it is necessary to set the server read-only before > you run slapcat anyway. It was purely in relation to point 18.1.2 in this doc... http://www.openldap.org/doc/admin24/maintenance.html To quote... "Slapcat can be run while slapd is active. However, one runs the risk of an inconsistent database- not from the point of slapd, but from the point of the applications using LDAP. For example, if a provisioning application performed tasks that consisted of several LDAP operations, and the slapcat took place concurrently with those operations, then there might be inconsistencies in the LDAP database from the point of view of that provisioning application and applications that depended on it. One must, therefore, be convinced something like that won't happen. One way to do that would be to put the database in read-only mode while performing the slapcat."

2 1

Re: How to set BDB "read-only" before slapcat command ?
by William Jojo 09 Feb '09

09 Feb '09

---- Original message ---- >Date: Mon, 09 Feb 2009 08:08:32 -0800 >From: Quanah Gibson-Mount <quanah(a)zimbra.com> >Subject: Re: How to set BDB "read-only" before slapcat command ? >To: Andrew Hall <whippyhubbles(a)googlemail.com>,Michael Ströder <michael(a)stroeder.com> >Cc: openldap-technical(a)openldap.org > >--On Monday, February 09, 2009 3:44 PM +0000 Andrew Hall ><whippyhubbles(a)googlemail.com> wrote: > > >> The possible problem I see with that setup is what happens if the >> slapcat occurs during an update from the provider to the consumer ? > > >I'm not sure why you feel it is necessary to set the server read-only >before you run slapcat anyway. Do you actually have a process that knows >exactly what changes occurred in any given second, so that, if say, your >backup starts at 1:00:00, you can then replay all the changes from that >point in time? > >If you do, then it doesn't matter whether or not it was in read-only. >Simply replay the changes. If you don't, then it doesn't matter whether or >not it was in read-only, because you don't know what changes happened after >that point. > >I honestly am not aware of anyone who bothers to put their DB into >read-only before slapcatting, although they may be out there. > Admittedly we stop one slapd in our group of servers (usually a master) to take a point in time snapshot with slapcat, then simply restart it. It is used solely as part of our disaster recovery. In the event of BDB corruption that is unrecoverable, we can build a new server from the full-text export. Just basic DBA paranoia policy. :-) :-) Cheers, Bill

2 1

Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall 09 Feb '09

09 Feb '09

2009/2/9 Michael Ströder <michael(a)stroeder.com>: > No matter what you do at the LDAP server's side it could happen in > between a series of related write operations leading to inconsistent > state of data (from the application's point of view). > > If you want better hints then you have to provide more details about > your deployment. > > Ciao, Michael. We have a primary "hidden" master and two replicating secondaries which both get queried in a round-robin DNS fashion. Applications such as phpLDAPadmin are configured to connect to these secondaries which pass writes to the primary via an updateref chain overlay. At the moment I am using slapcat on the primary for backups but am open to other suggestions. Perhaps I should just create a third read-only replicating secondary which no applications connect to and backup from that ? The possible problem I see with that setup is what happens if the slapcat occurs during an update from the provider to the consumer ?

2 1

LDAP - Password and userId length
by yukti kaura 09 Feb '09

09 Feb '09

Hi, I required to perform length validation on the credential used to log in to LDAP. Could you please help me with the *length *of userId & password used to log in to LDAP Thanks for all your help Yukti

2 1

Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall 09 Feb '09

09 Feb '09

Dieter KlÃnter writes... > man slapd.conf(5), readonly on Thanks for the info. So I would need to edit the .conf file and restart the service for this to take effect ? Is there no "on the fly" solution similar to "FLUSH TABLES WITH READ LOCK;" for example ? Thanks.

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2009