openldap-technical March 2009

openldap-technical@openldap.org

64 participants
69 discussions

sasl issue - but I don't want sasl atm
by Da Rock 02 Apr '09

02 Apr '09

I know the security implications of this, but I just want to stage this procedure and take one problem at a time; trouble is the system wants me to bite more than I can chew at a given time! I have setup an ldap server, ldap admin programs can connect to it, but when I run say ldapsearch it says it can't connect with the following error: > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Local error (-2) Sure, eventually I'd like to secure things more, but I simply need to test things at this point. It also gets in the way of other things which I'm just looking in to right now. I kinda understand the error code, but I'm not entirely sure what the -2 is; I've been working on the premise that it can't connect because the security service isn't setup (sasl or krb principal), so I'm trying to work out how to setup the system to do a simple bind (through ldap.conf? either /etc/ or openldap/) but I can't for the life of me get it to cooperate. Any help? What info is needed here to resolve this? Cheers

4 8

syncrepl issue
by Oliver Henriot 02 Apr '09

02 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear list users, I have a master openldap 2.3 server which is replicated via syncrepl on half a dozen other servers (2.3 too). Due to a legacy application from which I have to import passwords once a day, the master server is stopped, erased and re-built from scratch once every day... I have noticed that all the replicas have recovered only a partial subset of the entries and the strange thing is that all the replicas have the same subset. They are all missing a few hundred entries. When I stop the replicas, erase their data and start them anew, they replicate just fine and are consistent with the master server. I was wondering : could this be due to the fact that the replicas have problems erasing the old entries and replacing them with the new set of entries? Would increasing syncprov-checkpoint <ops> and syncprov-sessionlog <size> values improve the situation? I also recall reading something about a specific configuration directive to improve delete replication but I have a feeling it was 2.4 specific... Thanks, Cheers - -- Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/ Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAknQo4MACgkQSWuBJnHIHdKr5gCgl4i6UHIebD5npfmzS+c3bp5O SOcAoLb+T7NtNTg9XIs17MgS7EkENpT9 =YEot -----END PGP SIGNATURE-----

4 10

open-source admin tools
by Raul Libório 31 Mar '09

31 Mar '09

Hello, I wonder which of you are the best open-source tools to maintain a database, which currently are the best if they leave ... I want to integrate environment, leave everything tied in (LDAP proxy, samba, e-mail clients, asterisk, joomla!) I see much talk of phpldapadmin, it is that all who speak it? ------ Raul Libório http://rauhmaru.blogspot.com/ rauhmarutsªhotmailºcom Linux user#4444581 Brazil "The bug is on the table."

5 5

Unable to get openldap to use active directory as ldap backend but am able to search using ldapsearch
by Kyle Pike 30 Mar '09

30 Mar '09

It might be easier to read all of this on here: http://www.linuxquestions.org/questions/linux-server-73/unable-to-get-ldap-… I am able to bind and search AD with ldapsearch, but am unable to get openldap to use it as a backend db. I am able to search for a user in active directory by using the following: ldapsearch -v -H ldap://charizard.company.internal -x -b "dc=company,dc=internal" -D "cn=ldap proxy,cn=Users,dc=company,dc=internal" -w 'passwd' -LLL "(sAMAccountName=testuser)" My slapd.conf looks like: slapd.conf ----------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 1024 database ldap suffix "cn=Users,dc=company,dc=internal" rootdn "cn=ldap proxy" uri "ldap://charizard.company.internal" binddn "cn=ldap proxy,cn=Users,dc=company,dc=internal" bindpw "passwd" rwm-rewriteEngine on rwm-map objectclass account user rwm-map attribute uid sAMAccountname rwm-map attribute cn name rwm-map attribute sn sn rwm-map attribute mail userPrincipalName rwm-map attribute * lastmod off chase-referrals no access to * by * read ----------------------------- When I try and search on my openldap host, I recive.. [kylec@localhost ~]$ ldapsearch -v -H ldap://localhost -x -b "cn=Users,dc=company,dc=internal" ldap_initialize( ldap://localhost ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <cn=Users,dc=company,dc=internal> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, vece # numResponses: 1 -------------------------------- In slapd debug log I can see the following... backend_startup_one: starting "cn=Users,dc=corpedia,dc=internal" ldap_back_db_open: URI=ldap://charizard.corpedia.internal slapd starting ldap_pvt_gethostbyname_a: host=heracross.corpedia.local, r=0 connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 12 contents: ber_get_next ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable) do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: >>> dnPrettyNormal: <> <<< dnPrettyNormal: <>, <> do_bind: version=3 dn="" method=128 send_ldap_result: conn=0 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 9 do_bind: v3 anonymous bind connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 69 contents: ber_get_next ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable) do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <cn=Users,dc=corpedia,dc=internal> <<< dnPrettyNormal: <cn=Users,dc=corpedia,dc=internal>, <cn=users,dc=corpedia,dc=internal> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: ==> limits_get: conn=0 op=1 dn="[anonymous]" ldap_create ldap_url_parse_ext(ldap://charizard.corpedia.internal) =>ldap_back_getconn: conn 0x8ad8a88 inserted refcnt=1 binding=1 ldap_search_ext put_filter: "(objectClass=*)" put_filter: simple put_simple_filter: "objectClass=*" ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP charizard.corpedia.internal:389 ldap_new_socket: 10 ldap_prepare_socket: 10 ldap_connect_to_host: Trying 10.0.0.6:389 ldap_connect_timeout: fd: 10 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 73 bytes to sd 10 ldap_result ld 0x8ad0860 msgid 1 ldap_chkResponseList ld 0x8ad0860 msgid 1 all 0 ldap_chkResponseList returns ld 0x8ad0860 NULL wait4msg ld 0x8ad0860 msgid 1 (timeout 100000 usec) wait4msg continue ld 0x8ad0860 msgid 1 all 0 ** ld 0x8ad0860 Connections: * host: charizard.corpedia.internal port: 389 (default) refcnt: 2 status: Connected last used: Fri Mar 27 16:23:13 2009 ** ld 0x8ad0860 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x8ad0860 Response Queue: Empty ldap_chkResponseList ld 0x8ad0860 msgid 1 all 0 ldap_chkResponseList returns ld 0x8ad0860 NULL ldap_int_select read1msg: ld 0x8ad0860 msgid 1 all 0 ber_get_next ber_get_next: tag 0x30 len 167 contents: read1msg: ld 0x8ad0860 msgid 1 message type search-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x8ad0860 0 new referrals read1msg: mark request completed, ld 0x8ad0860 msgid 1 request done: ld 0x8ad0860 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=101 err=1 ber_flush: 163 bytes to sd 9 connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next ber_get_next on fd 9 failed errno=0 (Success) connection_read(9): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=9 for close do_unbind connection_close: deferring conn=0 sd=9 connection_resched: attempting closing conn=0 sd=9 connection_close: conn=0 sd=9 =>ldap_back_conn_destroy: fetching conn 0 connection_get(9): connection not used connection_read(9): no connection! Any help would be much appreciated :-)

1 0

OpenLDAP Load balancing.
by William Jojo 30 Mar '09

30 Mar '09

Under 2.4.x I would like to have 4 replicas of a master or perhaps just use 4 masters in multi-master replication. What is more important is I would like to provide one IP for LDAP queries. I have seen PEN and POUND and other types of TCP "load balancers" for simple TCP and was wondering what the OpenLDAP community recommends for doing such tasks and the implications of TLS/SSL on these tools. I thought about DNS round robin, but that doesn't take into account a missing or non-responsive server, whereas a product like PEN seems to do so. I looked at some older threads regarding this but there don't seem to be any definitive recommendation(s) by the OpenLDAP community whom I feel is the best source for such solutions. :-) Cheers, Bill

1 0

Syncrepl doesn't delete entries?
by Jordi Espasa Clofent 30 Mar '09

30 Mar '09

Hi all, In provider: # provider moduleload syncprov overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 index entryCSN eq index entryUUID eq and ... ldap01:~# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)' | grep javi # javi, CAT, Tecnic, mydomain.com dn: cn=javi,ou=CAT,ou=Tecnic,dc=mydomain,dc=com cn: javi # javi, CAT, Tecnic, mydomain.com dn: uid=javi,ou=CAT,ou=Tecnic,dc=domain,dc=com uid: javi cn: javi homeDirectory: /usr/local/home/javi but in the consumer: # consumer index objectclass,entryCSN,entryUUID eq syncrepl rid=125 provider=ldap://192.168.10.10:389 type=refreshAndPersist searchbase="dc=mydomain,dc=com" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off bindmethod=simple binddn="cn=Manager,dc=mydomain,dc=com" credentials=<password> ldap02:/var/lib# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)' | grep javi # javi, Tecnic, mydomain.com dn: uid=javi,ou=Tecnic,dc=mydomain,dc=com uid: javi cn: javi homeDirectory: /usr/local/home/javi # javi, CAT, Tecnic, mydomain.com dn: cn=javi,ou=CAT,ou=Tecnic,dc=mydomain,dc=com cn: javi # javi, CAT, Tecnic, mydomain.com dn: uid=javi,ou=CAT,ou=Tecnic,dc=mydomain,dc=com uid: javi cn: javi homeDirectory: /usr/local/home/javi It seems that the info in provider and consumer is diferent. If I try, for example, to change the password in provider I see that the value in consumer change automatically. Good. But it seems if I delete some entries in consumer, these changes are not reflected in consumer. ¿Where is the problem? ¿How can I debug t? -- Thanks, Jordi Espasa Clofent

1 0

Require object classes in an OU
by Troy Knabe 29 Mar '09

29 Mar '09

We have a custom schema and we would like to require that all entries in ou=Group have that objectClass in order to be added. Can someone point me in the direction that I should be looking? Thanks -Troy

2 1

mirrormode replication issues
by Jonas Haskins 29 Mar '09

29 Mar '09

Hello friends, I've been trying to setup Mirror Mode replication, using the openldap.org docs and others from googling.. and am having some interesting results. I am new to this so this has been an enlightening experience to say the least, but perhaps if someone on the list might be able to answer a few questions that would be awesome... I have 2 nodes, and want to get mirror mode running for high availibility .. and will add samba to auth ( later ) Basically it seems that mirror mode is sort of working.. i can see the syncRep talking back and forth .. However .. I cannot write to either nodes once replication is running. Below example is me trying to add a user account: error is : ( phpldapadmin reports ) LDAP said: Server is unwilling to perform Error number: 0x35 (LDAP_UNWILLING_TO_PERFORM) Description: The LDAP server refused to perform the operation. log file reports in detail: Mar 26 13:14:38 ldap01 slapd[1433]: >>> dnPrettyNormal: <cn=joepreston,dc=foobar,dc=com> Mar 26 13:14:38 ldap01 slapd[1433]: <<< dnPrettyNormal: <cn=joepreston,dc=foobar,dc=com>, <cn=joepreston,dc=foobar,dc=com> Mar 26 13:14:38 ldap01 slapd[1433]: do_add: dn (cn=joepreston,dc=foobar,dc=com) Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 ADD dn="cn=joepreston,dc=foobar,dc=com" Mar 26 13:14:38 ldap01 slapd[1433]: bdb_dn2entry("cn=joepreston,dc=foobar,dc=com") Mar 26 13:14:38 ldap01 slapd[1433]: => bdb_dn2id("cn=joepreston,dc=foobar,dc=com") Mar 26 13:14:38 ldap01 slapd[1433]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Mar 26 13:14:38 ldap01 slapd[1433]: bdb_referrals: op=104 target="cn=joepreston,dc=foobar,dc=com" matched="dc=foobar,dc=com" Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: conn=14 op=1 p=3 Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: err=53 matched="" text="shadow context; no update referral" Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_response: msgid=2 tag=105 err=53 Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 RESULT tag=105 err=53 text=shadow context; no update referral Mar 26 13:14:38 ldap01 slapd[1433]: daemon: activity on 1 descriptor Ma so:: text="shadow context; no update referral" using mirrormode, i should be able to write to the db correct? initally, i used ldapadd to add my ldif files on node 1 ( with syncRep commented out ) then useds slapcat/slapadd to populate the db on node 2, then uncommented syncRep on both nodes and restarted both.. ( this was because i was trying to troubleshoot the DB_NOTFOUND error above ... the result was it still errored ) however, it seems the text=shadow context; no update referral may be the real issue. am i missing something in these configs in reguards to mirrormode? logs seem to indicate syncRep is talking, and access is allowed, but no write, and if i ldap add to node 1 ( with Rep commented out ) then uncomment and restart both ( so node 1 has data but node2 does not, i can see syncRep talking, but node2 never picks up the changes ) ok whew, sorry about all of that.. any ideas? using: openldap-2.3.27 CentOS 5.2 2.6.18-92.el5 64 db-4.7.25 smbldap-tools-0.9.5-1 was going to upgrade to the latest, but there are a ton of deps , so i though i'd ask forst.. many many thanks! node1: slapd.conf # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/sudo.schema include /etc/openldap/schema/samba.schema loglevel -1 # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/lib64/openldap moduleload back_bdb.la moduleload back_ldap.la moduleload back_ldbm.la moduleload back_passwd.la moduleload back_shell.la TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/slapdcert.pem TLSCertificateKeyFile /etc/openldap/slapdkey.pem access to * by dn.base="cn=Manager,dc=foobar,dc=com" read by * break ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=foobar,dc=com" rootdn "cn=Manager,dc=foobar,dc=com" rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX directory /var/lib/ldap index objectclass,entryCSN,entryUUID eq index cn,sn,uid,displayName pres,sub,eq index uidNumber,gidNumber eq index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq index memberUid,mail,givenname eq,subinitial overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # Global section serverID 1 # database section # syncrepl directive syncrepl rid=001 provider=ldap://ldap02.hq.foobar.com bindmethod=simple binddn="cn=Manager,dc=foobar,dc=com" credentials=morefoo searchbase="dc=foobar,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on node2: # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/sudo.schema include /etc/openldap/schema/samba.schema loglevel -1 # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/lib64/openldap moduleload back_bdb.la moduleload back_ldap.la moduleload back_ldbm.la moduleload back_passwd.la moduleload back_shell.la TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/slapdcert.pem TLSCertificateKeyFile /etc/openldap/slapdkey.pem access to * by dn.base="cn=Manager,dc=foobar,dc=com" read by * break ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=foobar,dc=com" rootdn "cn=Manager,dc=foobar,dc=com" rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX directory /var/lib/ldap index objectclass,entryCSN,entryUUID eq index cn,sn,uid,displayName pres,sub,eq index uidNumber,gidNumber eq index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq index memberUid,mail,givenname eq,subinitial overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # Global section serverID 2 # database section # syncrepl directive syncrepl rid=001 provider=ldap://ldap01.hq.foobar.com bindmethod=simple binddn="cn=Manager,dc=foobar,dc=com" credentials=morefoo searchbase="dc=foobar,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on -- Jonas Haskins Sr Network Administrator jhaskins(a)adready.com (206)792-5184 AdReady INC

4 3

configuring SSL certificate chains for slapd
by Marc Ochs 27 Mar '09

27 Mar '09

Please forgive me if this should be clear, but could someone please point me to info on how to configure a SSL certificate chain for ldaps in slapd? My CA of choice requires a chain cert and I'm having trouble finding this information in the fine documentation. Thanks much, Marc

2 1

Proxy to Active Directory: lost field
by Bogdan B. Rudas 26 Mar '09

26 Mar '09

Hello. I use OpenLDAP as proxy for M$ AD. The problem is: I can set filter only by some fileds like CN or Name. I can't query AD by sAMAccountName via proxy Also I can't see many AD-specific fileds while browsing AD via OpenLDAP proxy. Request to proxy: ldapsearch -M -LLL -H ldap://localhost:389 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(sAMAccountName=bogdan.rudas)' sAMAccountName Return nothing. Request directly to AD LDAP: ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(sAMAccountName=bogdan.rudas)' cn Returns: dn: CN=Bogdan Rudas.......skipped.... cn: Bogdan Rudas Yet another request to proxy: ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D "cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan Rudas)' cn sAMAccountName dn: cn=Bogdan Rudas.......skip..... cn: Bogdan Rudas SAMACCOUNTNAME: bogdan.rudas Slapd version 2.4.11-1 Running on Debian 5.0 amd64 OpenLDAP config: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/ldap moduleload back_ldap access to dn.base="" by * read access to * by self read by users read by anonymous auth loglevel 256 ###################################################### # database definitions ###################################################### database ldap suffix "dc=intra,dc=nival,dc=com" uri "ldap://ADserver.domain.company.com:1234" acl-bind bindmethod=simple binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" credentials=password chase-referrals yes

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2009