Hi, I'm trying to migrate my directory from one server to another (I'm
building a replacement server and want to test everything before changing
The old server is FreeBSD 5 with openldap-server-2.3.39
The new one is FreeBSD 7.1 with openldap-server-2.3.43
I thought I would be able to use ldapsearch to dump the contents of the old
server to an ldif file and then import it into the new one using ldapadd.
That seemed to work, but when I tried to login on a workstation which is
configured to use ldap authentication (and works fine when attached to the
old server), my login fails. If I change my password to what it's supposed to
be and then try to login, it works.
So it appears that the passwords for user objects are not being transferred
correctly from the old system to the new (all the other information seems
I'm using md5 passwords on both systems (the freebsd default) and I've checked
that the new server & the workstation are set to use md5.
I also tried using slapcat to create the ldif file, but that made no
difference. If I look at the encrypted password before and after resetting
it, the password hashes are different, even though they are supposedly the
same password. I've tried this several times and can't get it to work.
Do I need to do something else to transfer passwords correctly from one server
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
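One way to check whether the userPassword values actually survived the dump/import round trip before touching the workstation: compare the two LDIF dumps DN by DN. This is added example code, not the poster's; the sample dumps, DNs and hashes are constructed placeholders.

```python
import base64

def parse_ldif(text):
    """Parse an LDIF dump into {dn: {attr_lowercase: [values]}}; handles folded
    lines and '::' base64 values (how ldapsearch/slapcat emit userPassword)."""
    text = text.replace("\n ", "")          # join folded continuation lines
    entries, attrs, dn = {}, {}, None
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries

def compare_passwords(old_ldif, new_ldif):
    # for every DN in the old dump, report whether the new dump carries the same hash
    old, new, report = parse_ldif(old_ldif), parse_ldif(new_ldif), {}
    for dn, attrs in old.items():
        old_pw = attrs.get("userpassword", [])
        new_pw = new.get(dn, {}).get("userpassword", [])
        if not old_pw:
            # an export bound as a DN that cannot read userPassword silently drops it
            report[dn] = "no userPassword in old dump"
        elif dn not in new:
            report[dn] = "entry missing on new server"
        elif old_pw != new_pw:
            report[dn] = "hash differs: %s -> %s" % (old_pw, new_pw or "<none>")
        else:
            report[dn] = "ok"
    return report

def entry(uid, pw=None):
    # constructed sample entry; the hashes below are placeholders, not real crypt(3) output
    lines = ["dn: uid=%s,ou=people,dc=example,dc=com" % uid, "uid: " + uid]
    if pw:
        lines.append("userPassword:: " + base64.b64encode(pw.encode()).decode())
    return "\n".join(lines) + "\n\n"

OLD_LDIF = entry("alice", "{CRYPT}$1$salt$hashA") + entry("bob", "{CRYPT}$1$salt$hashB") + entry("carol")
NEW_LDIF = entry("alice", "{CRYPT}$1$salt$hashA") + entry("bob", "{CRYPT}$1$other$hashC")
```

Run it against the two real dumps to see, per user, whether the hash was exported at all, imported unchanged, or replaced.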
I need to enforce the password quality check. I've set all the requirements in the slapd.conf created default policies profile. Unfortunately, the pwdMinLength and pwdCheckQuality are not working. I also tried to compile the cracklib with check_password.c and the Makefile. The instructions were not very clear. Does anyone have a procedure to install the check_password.so module? Please help me with this. See my setting below. I omitted all the other parts from slapd.conf.
# default, policies, arc.nasa.gov
sn: default policy
We use OpenLDAP 2.4.11 on CentOS 5 for OS user PAM authentication in a
Xen-based HA cluster of 2 nodes. We are using MirrorMode replication so that
databases are synchronised if change occurs on any node and there is no
issue if one node goes down - each node maintains its own database. We use
non-TLS local LDAP access (127.0.0.1) on Dom0 and TLS from virtual machines
As soon as LDAP replication is set up in non-TLS way, everything works fine.
But we are trying to set up TLS also for replication to bring more security
into the system. However, it seems like there is a principal issue here -
one cannot specify client access config for local access and for remote
replication at the same time. Or can we?
If we define client config to use TLS for the peer, then each local request
goes to peer node. If the peer is down, the request will fail and user
cannot log in to the OS. It looks like syncrepl requires client
configuration to the peer.
We tried to use "start_tls" option in syncrepl section but we still fail to
connect to peer node. From the replies on the list I assume, TLS options in
syncrepl section are just supposed to overwrite default settings, not to
specify explicit option for it.
- Is it possible to use local LDAP database locally together with
TLS-enabled replication in a cluster?
- Is anybody running such or similar setup successfully?
- What would you suggest, if it is not possible?
I have a technical hurdle to overcome and I'm hoping openldap is the answer.
I have contacts in a SQL DB, and I'm wanting to make them available in
outlook, blackberries, and other clients such as thunderbird. What I'm
currently thinking is to setup an openldap server and import the data
I'm not expecting much trouble getting the data into LDAP. But how much
effort/time is normally involved in the actual implementation of hooking
these devices/applications to an openldap directory so non-technical
users can use it? If anyone else has done this, how did it go? Has it
I've read over the FAQ and what Google offers; it seems to deal mostly
with overcoming specific technical issues, I haven't found much on how
well it works overall.
Thank you for your time,
Does anyone have good luck on compiling a module like check_password.so for pwdCheckQuality?
Also, what is the configuration for check_password.conf? I'm having a hard time compiling the cracklib using the check_password Makefile. Anyone have for the Makefile? What is the -lcrack?
# Comment out this line if you do NOT want to use the cracklib.
# You may have to add an -Ldirectory if the libcrack is not in a standard
Hi everyone!
I am facing a major issue for the second time with OpenLDAP 2.3.11.
I am aware it is a pretty old version of OpenLDAP, but, it has been working in
production for almost a year now without any problem.
Here is the setup :
Master -> Slave
For some strange reason, the contextCSN stops updating and therefore the Slave
is not updated anymore. The strange thing is that the Master continues to
successfully update/add data !
We are using an OpenLDAP 2.3.11, Berkeley DB 4.4.16 & OpenSSL 0.9.8a all
running on Solaris 10.
Restarting the master solved the problem once, but now that it has failed
again, I am very worried, because restarting isn't a solution, considering
that the application is in production.
Please see in the attachment the configuration files for Master & Slave.
I have no log on the master, and only "syncrepl logging" on the slave.
We consider restarting the master with "enable all logging" to see if we can
grab some information....
Is this a bug in OpenLDAP, BerkeleyDB or something else?
Thanks in advance,
Hi everyone,
Using ldap_msgfree() after ldap_result(), as per the man page it is to be used, is resulting in an abort, but using the same after a search result is working fine.

    LDAP *ld;
    LDAPMessage *msg = NULL;
    int id, result;
    int desired_version = LDAP_VERSION3;   /* assumed value; the original snippet did not show it */

    ld = ldap_init(ldap_host, LDAP_PORT);
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
    id = ldap_simple_bind(ld, root_dn, root_pw);
    // ldap_perror(ld, "ldap_set_option");
    printf("My ID=%d\n", id);
    result = ldap_result(ld, id, 1, NULL, &msg);
    printf("Ldap_Result=%d\n", result);
    /* freeit == 1: ldap_result2error() frees msg itself before returning */
    result = ldap_result2error(ld, msg, 1);
    printf("Ldap_Result2error=%d\n", result);
    ldap_msgfree(msg);   /* msg has already been freed by the call above */

Output:

    ldap_bind: Success (0)
    My ID=1
    Ldap_Result=97
    Ldap_Result2error=0
    ldap_search_async: io.c:190: ber_free_buf: Assertion `((ber)->ber_opts.lbo_valid==0x2)' failed.

Is there a way to get around this? Looking at the function implementation, ldap_msgfree() is calling ber_free_element(), which checks whether the BerElement is valid. In the above program it goes to invalid, causing the program to abort. Does removing this check cause a problem? I'm not aware of the importance of the check.
Thanks
Santosh Kumar
I have the fax in my slapd.conf as the following:
index facsimileTelephoneNumber eq,pres,sub
index telephoneNumber eq,pres,sub
But slaptest will report error as:
equality index of attribute "facsimileTelephoneNumber" disallowed
slaptest: bad configuration file!
Any help will be appreciated.
I have a somewhat strange question.
We are using OpenLDAP (openldap-server-2.4.11-bdb) and Berkeley DB in a project.
LDAP is used to store subscriber numbers and the address of the ippbx where the
subscriber is registered. Typically every subscriber has a separate DN in the
LDAP database. We have a server function that does ldap-searches for
subscriber numbers to retrieve the ippbx-address. This part is working as is.
Now we want to be able to have a "wildcard"-entry in LDAP that points to an
address also. This entry shall respond to any ldap-search matching
Let me give an example:
We have, let's say, four ippbx's with prefixes 111, 222, 333 & 444. A
number consists of the prefix and five more digits. Each subscriber can be
registered in any ippbx and still be reachable. The prefix indicates the
Now we want to use a gateway to another telephone system. We don't
have all of the subscribers from that system registered in LDAP, so
a "wildcard"-entry saying that if you dial 99912345 LDAP should have
999xxxx pointing to the gateway for the subscribers in the other
The response to the ldap-search should contain the gateway address to the
telephone system regardless of the number entered. So if I dial
should get the same response as if I dial 99967890.
The response shall have the same format as in the ippbx solution. We want the
LDAP DIT to look the same for the wildcard and the others - the DN shall look
the same.
We don't want to change the server function we are using today.
So - finally my question:
Would it be possible to solve this with OpenLDAP and if so - how can it be done?
Looking forward to your suggestions!