openldap-technical April 2009

openldap-technical@openldap.org

71 participants
79 discussions

Question on how to setup OpenLDAP according to RFC2307
by Bryan Boone 06 Apr '09

06 Apr '09

Hi everyone, I am a noobie on LDAP. Here is my problem. I have a tape library that has a web UI that is able to authenticate with and LDAP server. I downloaded and installed OpenLDAP. I have also created some test accounts on the LDAP to make sure it is working properly, and it is. The library documentation says that it is only able to authenticate with LDAP that complys with RFC2307. I read the RFC document and I see that OpenLDAP is already RFC2307 compliant. But I still cannot authenticate the library web UI. So my question is... Is there a structure that the LDAP server should follow in order to comply with RFC2307? For instance, do I need users under certain groups? I used a posixAccount and a posixGroup. Is this correct? Here is my LDIF below. Do I have this setup correct? thanks dn: dc=ibm,dc=com objectClass: dcObject objectClass: organization o: IBM dc: ibm dn: cn=employees,dc=ibm,dc=com objectClass: posixGroup cn: employees gidNumber: 253 dn: cn=bryan,cn=employees,dc=ibm,dc=com cn: bryan uid: bbryan uidNumber: 1 gidNumber: 10 homeDirectory: /home/bryan objectClass: account objectClass: posixAccount userPassword: {crypt}ecVLdK/k7KQMg dn: cn=kenny,cn=employees,dc=ibm,dc=com cn: kenny uid: qkenny uidNumber: 5 gidNumber: 11 homeDirectory: /home/kenny objectClass: account objectClass: posixAccount userPassword: {CRYPT}RuY5yfDjlajGo dn: cn=groups,dc=ibm,dc=com objectClass: posixGroup cn: groups gidNumber: 250 dn: cn=library_a,cn=groups,dc=ibm,dc=com cn: library_a gidNumber: 251 objectClass: posixGroup memberUid: qkenny dn: cn=administrators,cn=groups,dc=ibm,dc=com cn: administrators gidNumber: 252 objectClass: posixGroup memberUid: bbryan _________________________________________________________________ Rediscover Hotmail®: Get quick friend updates right in your inbox. http://windowslive.com/RediscoverHotmail?ocid=TXT_TAGLM_WL_HM_Rediscover_Up…

1 0

Re: openldap-technical Digest, Vol 17, Issue 4
by mario ramirez cervera 06 Apr '09

06 Apr '09

Hello as usuairo admnistador could have a read-only 2009/4/4 <openldap-technical-request(a)openldap.org> > Send openldap-technical mailing list submissions to > openldap-technical(a)openldap.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://www.openldap.org/lists/mm/listinfo/openldap-technical > or, via email, send a message with subject or body 'help' to > openldap-technical-request(a)openldap.org > > You can reach the person managing the list at > openldap-technical-owner(a)openldap.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openldap-technical digest..." > > > Send openldap-technical mailing list submissions to > openldap-technical(a)openldap.org > When replying, please edit your Subject: header so it is more specific than > "Re: openldap-technical digest..." > > Today's Topics: > > 1. smbk5pwd for openldap 2.3 (Daniel Spannbauer) > 2. Unable to auth on replica (Marcio Merlone) > 3. How to Secure openLdap nss_ldap > (Matthew.GARRETT(a)external.total.com) > 4. TLS/Certificate Problem Openldap (Steffen Knauf) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 02 Apr 2009 12:02:17 +0200 > From: Daniel Spannbauer <ds(a)marco.de> > Subject: smbk5pwd for openldap 2.3 > To: openldap-technical(a)openldap.org > Message-ID: <49D48D29.5010809(a)marco.de> > Content-Type: text/plain; charset=ISO-8859-15; format=flowed > > Hello, > > I'm using the distro opensuse 10.2. > I'm missing the module smbk5pwd. > Can I build this module for openldap 2.3? > > Regards > > Daniel > > -- > Daniel Spannbauer Software Entwicklung > marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 > Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 > http://www.marco.de/ Email ds(a)marco.de > Gesch?ftsf?hrer Martin Reuter HRB 171775 Amtsgericht M?nchen > > > ------------------------------ > > Message: 2 > Date: Thu, 02 Apr 2009 09:10:32 -0300 > From: Marcio Merlone <marcio.merlone(a)a1.ind.br> > Subject: Unable to auth on replica > To: OpenLDAP <openldap-technical(a)openldap.org> > Message-ID: <49D4AB38.7070403(a)a1.ind.br> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Hello, > > I have set two Ubuntu 8.04 servers running OpenLDAP > 2.4.9-0ubuntu0.8.04.2. I have set replication as per the docs. On the > slave, I start with an empty /var/lib/ldap, and when I start the replica > the dir is populated with the files, I am able to anon search, etc. > Great, except my clients are able to auth on the provider but not on the > replica. > > Both provider and consumer have the same acls, and the diff from one > conf to another is: > > --- slapd.conf 2009-04-02 09:04:42.000000000 -0300 > +++ slapd.conf.replica 2009-04-02 09:05:47.000000000 -0300 > @@ -60,19 +61,13 @@ > # 'database' directive occurs > database hdb > > -overlay syncprov > -syncprov-checkpoint 100 10 > -syncprov-sessionlog 100 > - > -# Let the replica DN have limitless searches > -limits dn.exact="cn=syncrepl,dc=a1,dc=ind" time.soft=unlimited > time.hard=unlimited size.soft=unlimited size.hard=unlimited > - > # The base of your directory in database #1 > suffix "dc=a1,dc=ind" > > # rootdn directive for specifying a superuser on the database. This is > needed > # for syncrepl. > -# rootdn "cn=admin,dc=a1,dc=ind" > +rootdn "cn=admin,dc=a1,dc=ind" > + > > # Where the database file are physically stored for database #1 > directory "/var/lib/ldap" > @@ -112,6 +108,21 @@ > # Where to store the replica logs for database #1 > # replogfile /var/lib/ldap/replog > > +syncrepl rid=3 > + provider=ldap://192.168.0.201:389 > + type=refreshAndPersist > + interval=01:00:00:00 > + searchbase="dc=a1,dc=ind" > + scope=sub > + schemachecking=off > + bindmethod=simple > + binddn="cn=syncrepl,dc=a1,dc=ind" > + credentials=xxxxx > + > + > +# updateref ldap://192.168.0.201:389 > + > + > # The userPassword by default can be changed > # by the entry owning it if they are authenticated. > # Others should not be able to see it, except the > > > Any idea on what could be wrong? Thanks in advance for any hint or help. > > > -- > Marcio Merlone > > > > ------------------------------ > > Message: 3 > Date: Thu, 2 Apr 2009 14:43:12 +0100 > From: Matthew.GARRETT(a)external.total.com > Subject: How to Secure openLdap nss_ldap > To: openldap-technical(a)openldap.org > Message-ID: > < > OF428EEFBC.05C17E8A-ON8025758C.004897FD-8025758C.004B5DD3(a)total.com> > Content-Type: text/plain; charset="utf-8" > > Folks > > Note sure if this is the right list ? > > I have a new OpenLdap (version 2.3) Server that uses Kerberos for Password > Authentication, which is going to be a Replacement for NIS (YP) > All Normal access works fine and users can login , access automount maps > etc > > However there are 2 types of Ldap binding > > Simple > TLS > > At the moment any body can run the following > ldapsearch -x > > I would like to try and disable Simple Binding > But if I select "disallow bind_anon" in slapd.conf file > Things start to break like authentication stops working. > /var/log/messages > > Apr 1 15:42:15 apricot sudo[31515]: pam_ldap: error trying to bind > (Inappropriate authentication) > Apr 1 15:42:18 apricot sudo[31515]: pam_ldap: error trying to bind > (Inappropriate authentication) > Apr 1 15:42:25 apricot sudo[31515]: pam_ldap: ldap_result Can't contact > LDAP server > > How do I get a Machine to authenticate to Ldap ? > > I think the problem lies with nss_ldap ? > When I add the following line to /etc/ldap.conf > > ssl start_tls > > I start to get the following error's > Apr 2 14:09:11 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server > (sleeping 4 seconds)... > Apr 2 14:09:15 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server > (sleeping 8 seconds)... > Apr 2 14:09:18 bruce nscd: nss_ldap: reconnecting to LDAP server > (sleeping 16 seconds)... > Apr 2 14:27:06 bruce sshd: pam_ldap: ldap_starttls_s: Operations error > Apr 2 14:27:06 bruce sshd(pam_unix)[11233]: authentication failure; > logname= uid=0 euid=0 tty=ssh ruser= rhost=apricot.uk.ad.ep.corp.local > user=mgarrett > Apr 2 14:27:06 bruce sshd[11233]: pam_krb5[11233]: authentication > succeeds for'mgarrett' (mgarrett(a)UK.AD.EP.CORP.LOCAL) > > /etc/ldap.conf > > base dc=unix,dc=total > bind_timelimit 120 > idle_timelimit 3600 > ldap_version 3 > pam_password md5 > scope sub > ssl start_tls > timelimit 120 > tls_cacertdir /etc/openldap/cacerts > tls_checkpeer no > > Can any body point me in the right direction > > > Thanks > > Matthew > > Server is RedHat 5.3 > Clients are RedHat 4.7 > > Copy of slapd.conf > pwcheck_method: saslauthd > mech_list: gssapi > sizelimit unlimited > > include /etc/openldap/schema/core.schema > include /etc/openldap/schema/cosine.schema > include /etc/openldap/schema/inetorgperson.schema > include /etc/openldap/schema/redhat/autofs.schema > include /etc/openldap/schema/nis.schema > include /etc/openldap/schema/krb5-kdc.schema > > # Allow LDAPv2 client connections. This is NOT the default. > allow bind_v2 > > > TLSCACertificateFile /etc/openldap/cacerts/cacert.pem > TLSCertificateFile /etc/openldap/slapd.pem > TLSCertificateKeyFile /etc/openldap/slapd.key > > ## security - other directives > ## prevents anonymous access to > ## any connection > #disallow bind_anon > ## forces a bind operation before DIT access > #require bind > ## Use of reads on ldaps only port forces use > ## of TLS/SSL but not a minimum value > ## this directive forces a minimum value > #security simple_bind=128 > > sasl-secprops noanonymous,noplain,noactive > > # Map SASL authentication DNs to LDAP DNs > # This leaves "username/admin" principals untouched > sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth > uid=$1,ou=people,dc=unix,dc=total > # This should be a ^ plus, not a star, but slapd won't accept it > > # Default read access for everything else except anonymous users who have > no access but does not work. ! > access to * > by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write > by * read > > > #by anonymous none > > > > > Matthew Garrett > Senior IS Technical Analyst > Tel: 01224 297889 > Fax: 01224 296806 > Email: Matthew.Garrett(a)total.com > Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG > Registered in England and Wales No.811900????????? > Registered Office 33 Cavendish Square, London W1G 0PW > This e-mail and any attachments are intended only for the person or entity > to whom it is addressed and may contain confidential or privileged > information.? If you are not the addressee, any disclosure, reproduction, > copying, distribution, or use of this communication is strictly prohibited. > If you are not the intended recipient or person responsible for delivering > this message to the named addressee, please notify us immediately and > delete > this e-mail. > It is the responsibility of the addressee to scan this email and any > attachments for computer viruses or other defects. The sender does not > accept liability for any loss or damage of any nature, however caused, > which may result directly or indirectly from this email or any file > attached. >

1 0

posixGroup integrated with linux via nss
by Scott Classen 02 Apr '09

02 Apr '09

I have a happily running LDAP installation (2.4.15) running on Fedora 8 with numerous other linux machines using it as a source of authentication and name services. I have a problem with group permissions. Most of my groups have less than 10 members, but I have a few super users that need to belong to many groups (100-200) so that they can help individual users process their data. I can easily add the super users to each group using ldapmodify or GQ, and when I type "groups" or "id" in a terminal window as the super user I see that they belong to all the groups. The problem come when I try to read the contents of a directory that is owned by one of these secondary groups. Maybe its a Fedora/Linux thing, but the super user only has read permissions for the first 16 groups. The super user can not do an "ls -la /home/userwhoisin17thgroup" What is up with that? Also can anyone recommend another way to achieve the one user/many groups scenario using LDAP? Thanks, Scott

3 2

unable to get openldap to bind to AD
by Kyle Pike 02 Apr '09

02 Apr '09

It might be easier to read all of this on here: http://www.linuxquestions.org/questions/linux-server-73/unable-to-get-ldap-… I am able to bind and search AD with ldapsearch, but am unable to get openldap to use it as a backend db. I am able to search for a user in active directory by using the following: ldapsearch -v -H ldap://charizard.company. internal -x -b "dc=company,dc=internal" -D "cn=ldap proxy,cn=Users,dc=company,dc=internal" -w 'passwd' -LLL "(sAMAccountName=testuser)" My slapd.conf looks like: slapd.conf ----------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel 1024 database ldap suffix "cn=Users,dc=company,dc=internal" rootdn "cn=ldap proxy" uri "ldap://charizard.company.internal" binddn "cn=ldap proxy,cn=Users,dc=company,dc=internal" bindpw "passwd" rwm-rewriteEngine on rwm-map objectclass account user rwm-map attribute uid sAMAccountname rwm-map attribute cn name rwm-map attribute sn sn rwm-map attribute mail userPrincipalName rwm-map attribute * lastmod off chase-referrals no access to * by * read ----------------------------- When I try and search on my openldap host, I recive.. [kylec@localhost ~]$ ldapsearch -v -H ldap://localhost -x -b "cn=Users,dc=company,dc=internal" ldap_initialize( ldap://localhost ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <cn=Users,dc=company,dc=internal> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, vece # numResponses: 1 -------------------------------- In slapd debug log I can see the following... backend_startup_one: starting "cn=Users,dc=corpedia,dc=internal" ldap_back_db_open: URI=ldap://charizard.corpedia.internal slapd starting ldap_pvt_gethostbyname_a: host=heracross.corpedia.local, r=0 connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 12 contents: ber_get_next ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable) do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: >>> dnPrettyNormal: <> <<< dnPrettyNormal: <>, <> do_bind: version=3 dn="" method=128 send_ldap_result: conn=0 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 9 do_bind: v3 anonymous bind connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 69 contents: ber_get_next ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable) do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <cn=Users,dc=corpedia,dc=internal> <<< dnPrettyNormal: <cn=Users,dc=corpedia,dc=internal>, <cn=users,dc=corpedia,dc=internal> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: ==> limits_get: conn=0 op=1 dn="[anonymous]" ldap_create ldap_url_parse_ext(ldap://charizard.corpedia.internal) =>ldap_back_getconn: conn 0x8ad8a88 inserted refcnt=1 binding=1 ldap_search_ext put_filter: "(objectClass=*)" put_filter: simple put_simple_filter: "objectClass=*" ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP charizard.corpedia.internal:389 ldap_new_socket: 10 ldap_prepare_socket: 10 ldap_connect_to_host: Trying 10.0.0.6:389 ldap_connect_timeout: fd: 10 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 73 bytes to sd 10 ldap_result ld 0x8ad0860 msgid 1 ldap_chkResponseList ld 0x8ad0860 msgid 1 all 0 ldap_chkResponseList returns ld 0x8ad0860 NULL wait4msg ld 0x8ad0860 msgid 1 (timeout 100000 usec) wait4msg continue ld 0x8ad0860 msgid 1 all 0 ** ld 0x8ad0860 Connections: * host: charizard.corpedia.internal port: 389 (default) refcnt: 2 status: Connected last used: Fri Mar 27 16:23:13 2009 ** ld 0x8ad0860 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x8ad0860 Response Queue: Empty ldap_chkResponseList ld 0x8ad0860 msgid 1 all 0 ldap_chkResponseList returns ld 0x8ad0860 NULL ldap_int_select read1msg: ld 0x8ad0860 msgid 1 all 0 ber_get_next ber_get_next: tag 0x30 len 167 contents: read1msg: ld 0x8ad0860 msgid 1 message type search-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x8ad0860 0 new referrals read1msg: mark request completed, ld 0x8ad0860 msgid 1 request done: ld 0x8ad0860 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=101 err=1 ber_flush: 163 bytes to sd 9 connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next ber_get_next on fd 9 failed errno=0 (Success) connection_read(9): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=9 for close do_unbind connection_close: deferring conn=0 sd=9 connection_resched: attempting closing conn=0 sd=9 connection_close: conn=0 sd=9 =>ldap_back_conn_destroy: fetching conn 0 connection_get(9): connection not used connection_read(9): no connection! Any help would be much appreciated :-)

2 2

TLS/Certificate Problem Openldap
by Steffen Knauf 02 Apr '09

02 Apr '09

Hello, i try to configure openldap with TLS/SASL. But i only get the same Error ( TLS certificate verification: Error, unable to get local issuer certificate) Perhaps someone have an idea what wrong with the certificate. Version : $OpenLDAP: slapd 2.3.43 OS: SuseLinux Enterprise 10 Ldap Server Output: ----------------------------------------------------------- connection_read(12): checking for input on id=31 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write certificate request A TLS trace: SSL_accept:SSLv3 flush data TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A connection_get(12): got connid=31 connection_read(12): checking for input on id=31 TLS certificate verification: depth: 0, err: 20, subject: /DC=liga01/ST=Deutschland/L=Munich/O=it/CN=schmidt.muc.liga01, issuer: /DC=liga01/ST=Deutschland/O=it/CN=schmidt.muc.liga01 TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_accept:error in SSLv3 read client certificate B TLS: can't accept. TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned s3_srvr.c:2482 connection_read(12): TLS accept failure error=-1 id=31, closing connection_closing: readying conn=31 sd=12 for close connection_close: conn=31 sd=12 ----------------------------------------------------------- I create the certs like the following tutorial: http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185 /etc/openldap/slapd.conf: ----------------------------------------------------------- TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3 TLSCertificateFile /etc/ssl/zertifikate/servercrt.pem TLSCertificateKeyFile /etc/ssl/zertifikate/serverkey.pem TLSCACertificateFile /etc/ssl/zertifikate/demoCA/cacert.pem TLSVerifyClient demand ----------------------------------------------------------- /etc/openldap/ldap.conf: ----------------------------------------------------------- TLS_CACERT /etc/ssl/zertifikate/demoCA/cacert.pem TLS_REQCERT demand ----------------------------------------------------------- /etc/ldap.conf: ----------------------------------------------------------- ssl start_tls ----------------------------------------------------------- greets Steffem

1 0

sasl issue - but I don't want sasl atm
by Da Rock 02 Apr '09

02 Apr '09

I know the security implications of this, but I just want to stage this procedure and take one problem at a time; trouble is the system wants me to bite more than I can chew at a given time! I have setup an ldap server, ldap admin programs can connect to it, but when I run say ldapsearch it says it can't connect with the following error: > SASL/GSSAPI authentication started > ldap_sasl_interactive_bind_s: Local error (-2) Sure, eventually I'd like to secure things more, but I simply need to test things at this point. It also gets in the way of other things which I'm just looking in to right now. I kinda understand the error code, but I'm not entirely sure what the -2 is; I've been working on the premise that it can't connect because the security service isn't setup (sasl or krb principal), so I'm trying to work out how to setup the system to do a simple bind (through ldap.conf? either /etc/ or openldap/) but I can't for the life of me get it to cooperate. Any help? What info is needed here to resolve this? Cheers

4 8

Unable to auth on replica
by Marcio Merlone 02 Apr '09

02 Apr '09

Hello, I have set two Ubuntu 8.04 servers running OpenLDAP 2.4.9-0ubuntu0.8.04.2. I have set replication as per the docs. On the slave, I start with an empty /var/lib/ldap, and when I start the replica the dir is populated with the files, I am able to anon search, etc. Great, except my clients are able to auth on the provider but not on the replica. Both provider and consumer have the same acls, and the diff from one conf to another is: --- slapd.conf 2009-04-02 09:04:42.000000000 -0300 +++ slapd.conf.replica 2009-04-02 09:05:47.000000000 -0300 @@ -60,19 +61,13 @@ # 'database' directive occurs database hdb -overlay syncprov -syncprov-checkpoint 100 10 -syncprov-sessionlog 100 - -# Let the replica DN have limitless searches -limits dn.exact="cn=syncrepl,dc=a1,dc=ind" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited - # The base of your directory in database #1 suffix "dc=a1,dc=ind" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. -# rootdn "cn=admin,dc=a1,dc=ind" +rootdn "cn=admin,dc=a1,dc=ind" + # Where the database file are physically stored for database #1 directory "/var/lib/ldap" @@ -112,6 +108,21 @@ # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog +syncrepl rid=3 + provider=ldap://192.168.0.201:389 + type=refreshAndPersist + interval=01:00:00:00 + searchbase="dc=a1,dc=ind" + scope=sub + schemachecking=off + bindmethod=simple + binddn="cn=syncrepl,dc=a1,dc=ind" + credentials=xxxxx + + +# updateref ldap://192.168.0.201:389 + + # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the Any idea on what could be wrong? Thanks in advance for any hint or help. -- Marcio Merlone

1 0

smbk5pwd for openldap 2.3
by Daniel Spannbauer 02 Apr '09

02 Apr '09

Hello, I'm using the distro opensuse 10.2. I'm missing the module smbk5pwd. Can I build this module for openldap 2.3? Regards Daniel -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email ds(a)marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München

1 0

syncrepl issue
by Oliver Henriot 02 Apr '09

02 Apr '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear list users, I have a master openldap 2.3 server which is replicated via syncrepl on half a dozen other servers (2.3 too). Due to a legacy application from which I have to import passwords once a day, the master server is stopped, erased and re-built from scratch once every day... I have noticed that all the replicas have recovered only a partial subset of the entries and the strange thing is that all the replicas have the same subset. They are all missing a few hundred entries. When I stop the replicas, erase their data and start them anew, they replicate just fine and are consistent with the master server. I was wondering : could this be due to the fact that the replicas have problems erasing the old entries and replacing them with the new set of entries? Would increasing syncprov-checkpoint <ops> and syncprov-sessionlog <size> values improve the situation? I also recall reading something about a specific configuration directive to improve delete replication but I have a feeling it was 2.4 specific... Thanks, Cheers - -- Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/ Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAknQo4MACgkQSWuBJnHIHdKr5gCgl4i6UHIebD5npfmzS+c3bp5O SOcAoLb+T7NtNTg9XIs17MgS7EkENpT9 =YEot -----END PGP SIGNATURE-----

4 10

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2009