openldap-technical April 2009

openldap-technical@openldap.org

71 participants
79 discussions

Directory migration
by Ian Moore 21 Apr '09

21 Apr '09

Hi, I'm trying to migrate my directory from one server to another (I'm building a replacement server and want to test everything before changing over). The old server is FreeBSD 5 with openldap-server-2.3.39 The new one is FreeBSD 7.1 with openldap-server-2.3.43 I thought I would be able to use ldapsearch to dump the contents of the old server to an ldif file and then import it into the new one using ldapadd. That seemed to work, but when I tried to login on a workstation which is configured to use ldap authentication (and works fine when attached to the old server), my login fails. If I change my password to what it's supposed to be and then try to login, it works. So it appears that the passwords for user objects are not being transferred correctly from the old system to the new (all the other information seems correct). I'm using md5 passwords on both systems (the freebsd default) and I've checked that the new server & the workstation are set to use md5. I also tried using slapcat to create the ldif file, but that made no difference. If I look at the encrypted password before and after resetting it, the password hashes are different, even though they are supposedly the same password. I've tried this several times and can't get it to work. Do I need to do something else to transfer passwords correctly from one server to another? -- Ian gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc

3 2

Need help on pwdCheckQuality
by Dat Duong 20 Apr '09

20 Apr '09

Hi, I need to enforce the password quality check. I've set all the the requirement on the slapd.conf created default policies profile. Unfortunately, the pwdMinLength and pwdCheckQuality are not working. I also try to compile the cracklib with check_password.c and the Makefile. The instruction was not very clear. Does anyone have a procedure to install the check_password.so module? Please help me with this. See my below setting. I omitted all the other parts from slapd.conf.. slapd.conf file: ..... ..... include /usr/local/etc/openldap/schema/ppolicy.schema ..... overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=example,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout ..... # default, policies, arc.nasa.gov dn: cn=default,ou=policies,dc=example,dc=com cn: default objectClass: pwdPolicy objectClass: person objectClass: top objectClass: pwdPolicyChecker pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdExpireWarning: 180 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 24 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 15768000 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 12 pwdMustChange: TRUE pwdSafeModify: FALSE sn: default policy pwdCheckModule: check_password.so pwdCheckQuality: 2 THANKS!!!

1 0

TLS vs. MirrorMode replication
by Maros Timko 19 Apr '09

19 Apr '09

Hi all, we use OpenLDAP 2.4.11 on CentOS 5 for OS user PAM authentication in Xen-based HA cluster of 2 nodes. We are using MirrorMode replication so that databases are synchronised if change occurs on any node and there is no issue if one node goes down - each node maintains its own database. We use non-TLS local LDAP access (127.0.0.1) on Dom0 and TLS from virtual machines to LDAP. As soon as LDAP replication is set up in non-TLS way, everything works fine. But we are trying to set up TLS also for replication to bring more security into the system. However, it seems like there is a principial issue here - one cannot specify client access config for local access and for remote replication at the same time. Or can we? If we define client config to use TLS for the peer, then each local request goes to peer node. If the peer is down, the request will fail and user cannot log in into the OS. It looks like syncrepl requires client configuration to the peer. We tried to use "start_tls" option in syncrepl section but we still fail to connect to peer node. From the replies on the list I assume, TLS options in syncrepl section are just supposed to overwrite default settings, not to specify explicit option for it. Questions: - Is it possible to use local LDAP database locally together with TLS-enabled replication in a cluster? - Is anybody running such or similar setup successfully? - What would you suggest, if it is not possible? Thanks

2 1

Integration
by A Gilmore 18 Apr '09

18 Apr '09

Hello, I have a technical hurdle to overcome and I'm hoping openldap is the answer. I have contacts in a sql db, I'm wanting to make them available in outlook, blackberries, and other clients such as thunderbird. What I'm currently thinking is to setup an openldap server and import the data into that. I'm not expecting much trouble getting the data into LDAP. But how much effort/time is normally involved in the actual implementation of hooking these devices/applications to an openldap directory so non-technical users can use it? If anyone else has done this, how did it go? Has it been 'quirky'? I've read over the FAQ and what google offers, it seems mostly dealing with overcoming specific technical issues, I haven't found much on how well it works overall. Thank you for your time, - Adrien

2 2

Compile module for pwdCheckQuality
by Dat Duong 18 Apr '09

18 Apr '09

Does anyone have good luck on compiling a module like check_password.so for pwdCheckQuality? Also, what are the configuration for check_password.conf ? I'm having a harding time compiling the cracklib using check_password Makefile. Anyone have for the Makefile? What is the -lcrack ? # Comment out this line if you do NOT want to use the cracklib. # You may have to add an -Ldirectory if the libcrak is not in a standard # location # CRACKLIB_LIB=-lcrack

1 0

Context CSN not updated on OpenLDAP 2.3.11
by Adrien Futschik 17 Apr '09

17 Apr '09

Hy everyone ! I am facing a major issued for the second time with OpenLDAP 2.3.11. I am aware it is a pretty old version of OpenLDAP, but, it has been working in production for almost a year now without any problem. Here is the setup : Master -> Slave For some strange reason, the contextCSN stops updating and therefore the Slave is not updated anymore. The strange thing is that the Master continues to successfully update/add data ! We are using a OpenLDAP 2.3.11, Berkeley DB 4.4.16 & OpenSSL 0.9.8a all running on Solaris 10. Restarting the master solved the problem once, but now that it as failed again, I am very woried, because, restarting isn't a solution, considering that the application is in production. Please see in attachement the configuration files for Master & Slave. I have no log on the master, and only "syncrepl logging" on the slave. We consider restarting the master with "enable all logging" to see if wee can grab some informations.... Is this a bug of OpenLDAP, BerkleyDB or something else ? Thanks in advance, Adrien Futschik

4 11

lda_msgfree causing aborting program
by Santosh Kumar 16 Apr '09

16 Apr '09

Hi everyone,Using ldap_msgfree() needs after ldap_result() , as per man page it is to be used, is resulting in abort , but using the same after search result is working fineldap_init(ldap_host, LDAP_PORT))ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version)id = ldap_simple_bind(ld, root_dn, root_pw) //  ldap_perror(ld, "ldap_set_option");  printf("My ID=%d\n",id);result = ldap_result(ld, id, 1, NULL, &msg);    printf("Ldap_Result=%d\n",result);result = ldap_result2error(ld, msg,  1);    printf("Ldap_Result2error=%d\n",result); ldap_msgfree(msg);Output:ldap_bind: Success (0)My ID=1Ldap_Result=97Ldap_Result2error=0ldap_search_async: io.c:190: ber_free_buf: Assertion `((ber)->ber_opts.lbo_valid==0x2)' failed.Is there a way to get around while seeing the fucnction implemeted  ldap_msgfree() is calling ber_free_element() , which checks BerElement is it valid .in the above program it goes to invalid  this causing program to abort , does removing this check causes problem , i'm not aware about the importance of the check. ThanksSantosh Kumar9881481468

1 0

Fax can't have equality index?
by Min 15 Apr '09

15 Apr '09

Hello, I have the fax in my sldap.conf as the following: index facsimileTelephoneNumber eq,pres,sub index telephoneNumber eq,pres,sub But slaptest will report error as: equality index of attribute "facsimileTelephoneNumber" disallowed slaptest: bad configuration file! Any help will be appreciated. Thanks,

2 1

problem with a lot of databases in openldap 2.3
by Patrick Kaufmann 15 Apr '09

15 Apr '09

Patrick Kaufmann schrieb am 06.04.2009 14:13 Hi, We experience some serious problems with our openldap. We got about 50 databases in our openldap. If I now request single databases everything works fine until I request the 30st database. >From there on every database which I haven't already requested will just return an internal error. After some further investigation I finally figured out that the bdb backend somehow has some problems. If I start the sldap with d -1 I get following error: bdb_locker_id: Not enough space(12) We use openLDAP 2.3 together with DBD 4.2.52 Whole error message: daemon: activity on 1 descriptor daemon: activity on: 4052r daemon: read activity on 4052 daemon: select: listen=1912 active_threads=0 tvp=NULL connection_get(4052) connection_get(4052): got connid=0 connection_read(4052): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 35 02 01 6e 63 30 04 05..nc0. ldap_read: want=47, got=47 0000: 0f 6f 3d 74 65 73 74 2e 6d 61 69 6c 34 2e 63 68 .o=test.domain 0010: 0a 01 00 0a 01 00 02 02 03 e8 02 01 1e 01 01 00 ................ 0020: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 ..objectclass0. ber_get_next: tag 0x30 len 53 contents: ber_dump: buf=086F29D8 ptr=086F29D8 end=086F2A0D len=53 0000: 02 01 6e 63 30 04 0f 6f 3d 74 65 73 74 2e 6d 61 ..nc0..o=test.ma 0010: 69 6c 34 2e 63 68 0a 01 00 0a 01 00 02 02 03 e8 il4.ch.......... 0020: 02 01 1e 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c ........objectcl 0030: 61 73 73 30 00 ass0. ber_get_next ldap_read: want=8 error=Unknown error daemon: activity on 1 descriptor daemon: waked daemon: select: listen=1912 active_threads=0 tvp=NULL do_search ber_scanf fmt ({miiiib) ber: ber_dump: buf=086F29D8 ptr=086F29DB end=086F2A0D len=50 0000: 63 30 04 0f 6f 3d 74 65 73 74 2e 6d 61 69 6c 34 c0..o=test.mail4 0010: 2e 63 68 0a 01 00 0a 01 00 02 02 03 e8 02 01 1e .ch............. 0020: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass 0030: 30 00 0. >>> dnPrettyNormal: <o=test.domain> => ldap_bv2dn(o=test.domain,0) <= ldap_bv2dn(o=test.domain)=0 => ldap_dn2bv(272) <= ldap_dn2bv(o=test.domain)=0 => ldap_dn2bv(272) <= ldap_dn2bv(o=test.domain)=0 <<< dnPrettyNormal: <o=test.domain>, <o=test.domain> SRCH "o=test.domain" 0 0 1000 30 0 begin get_filter PRESENT ber_scanf fmt (m) ber: ber_dump: buf=086F29D8 ptr=086F29FE end=086F2A0D len=15 0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 00 ..objectclass0. end get_filter 0 filter: (objectClass=*) ber_scanf fmt ({M}}) ber: ber_dump: buf=086F29D8 ptr=086F2A0B end=086F2A0D len=2 0000: 00 00 .. attrs: conn=0 op=109 SRCH base="o=test.domain" scope=0 deref=0 filter="(objectClass=*)" ==> limits_get: conn=0 op=109 dn="[anonymous]" => bdb_search bdb_locker_id: err Not enough space(12) send_ldap_result: conn=0 op=109 p=3 send_ldap_result: err=80 matched="" text="internal error" send_ldap_response: msgid=110 tag=101 err=80 ber_flush: 28 bytes to sd 4052 0000: 30 1a 02 01 6e 65 15 0a 01 50 04 00 04 0e 69 6e 0...ne...P....in 0010: 74 65 72 6e 61 6c 20 65 72 72 6f 72 ternal error ldap_write: want=28, written=28 0000: 30 1a 02 01 6e 65 15 0a 01 50 04 00 04 0e 69 6e 0...ne...P....in 0010: 74 65 72 6e 61 6c 20 65 72 72 6f 72 ternal error conn=0 op=109 SEARCH RESULT tag=101 err=80 nentries=0 text=internal error Any help is appreciated. Thanks Patrick Patrick Kaufmann Softwareentwicklung Hauptsitz: Hardstrasse 72 CH - 5430 Wettingen Tel. +41 56 437 80 40 Fax + 41 56 437 80 59 pkaufmann(a)zubler.ch<mailto:pkaufmann@zubler.ch> www.zubler.ch<http://www.zubler.ch> [cid:aussenstelle.jpg]

3 10

OpenLDAP and "reverse" wildcards
by Kjell Gustafsson 15 Apr '09

15 Apr '09

Hi I have a somewhat strange question. We are using OpenLDAP (openldap-server-2.4.11-bdb) and Berkley DB (db-4.6.21) in a project. LDAP is used to store subscribernumbers and the address of the ippbx where the subscriber is registered. Typically every subscriber have a separate DN in the LDAP-database. We have a serverfunction that do ldap-searches for subscribernumbers to retrieve the ippbx-address. This part is going to remain working as is. Now we want to be able to have a "wildcard"-entry in LDAP, that points to an address also. This entry shall respond to any ldap-search matching the wildcard. Let me give an example: We have, let's say four ippbx's with prefixes 111, 222, 333 & 444. A subscriber- number consist of the prefix and five more digits. Each subscriber can be registered in any ippbx and still be reachable. The prefix indicates the subscribers "home-location". Now we want to use a gateway to another telephone-system. We don't want to have all of the subscribers from that system registered in LDAP, so we want a "wildcard"-entry saying that if you dial 99912345 LDAP should have an entry 999xxxx pointing to the gateway for the subscribers in the other telephonesystem. The response to the ldap-search should contain the the gateway address to the telephone-system regardless of the number entered. So if I dial 99912345 I should get the same response as if I dial 99967890. The response shall have the same format as in the ippbx-solution. We want the ldap DIT to look the same for the wildcard and the others - the DN shall look the same. We don't want to change the serverfunction we are using today. So - finally my question: Would it be possible to solve this with OpenLDAP and if so - how can it be done? Looking forward to your suggestions! /Kjell

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2009