June 2009 - openldap-technical

by Josir Gomes

Hi folks, I just installed a openldap server and I want to test backup/restore routines. I have two machines, one is a clone of the second one.The first one I add several users and then my test is to restore those users in the new machine. To backup, it was easy: slapcat -l /path/to/your/backup.ldif But when I tried to restore, I shutdown the samba/ldap service with: /etc/init.d/ebox samba stop /etc/init.d/ebox slapd stop And then I issue: slapadd -l /path/to/your/backup.ldif => hdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996) => hdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996) slapadd: could not add entry dn="dc=ebox" (line=1): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996) I understand that there are other records and I can't replace them. Do I have to erase everything ? Or is there a merge option ? I know that there is a replication service but those two servers will not be on the same network (ie. one server will not communicate with the other) so I think this approach does not apply. Any tip or suggestion will be very welcome. Thanks in advance, Josir Gomes

11 years, 9 months

4
5
0 / 0

Re: ldap not finding internal CA?

by gruntler-ldap＠yahoo.com

--- On Wed, 6/17/09, Mathias Gug <mathiaz(a)ubuntu.com> wrote: > From: Mathias Gug <mathiaz(a)ubuntu.com> > Subject: Re: ldap not finding internal CA? > To: "Kurt Yoder" <ktyopenldap(a)yoderhome.com> > Cc: openldap-technical(a)openldap.org > Date: Wednesday, June 17, 2009, 9:13 PM > > [...] > >> My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I >> had the same message about self-signed certificates on previous >> Ubuntu versions, but querying ldap with "TLS_REQCERT demand" works >> fine. > > As Howard mentioned this should have been fixed in 2.4.16. However > could you try to put both the CA certificate *and* the server > certificate in the cert.file used by the slapd server - (that way > the whole CA chain is sent to the client by gnutls) ? Hi Mathias, How exactly does one do that? I've tried simply appending the contents of the CA file to the server certificate file and restarting slapd and it has no effect. I've tried other various combinations as well but testing against Jaunty still fails while Intrepid works. Meanwhile I built OpenLDAP 2.4.16 on Jaunty with no Ubuntu patches added to OpenLDAP and it works: gruntler@jaunty-64:~/src/openldap-2.4.16/clients/tools$ ./ldapsearch -x -V ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.16 (Jun 22 2009 17:04:33) $ gruntler@jaunty-64:/home/gruntler/src/openldap-2.4.16/clients/tools (LDAP library: OpenLDAP 20416) # extended LDIF # # LDAPv3 # base <dc=abcd, dc=efgh, dc=com> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # ... snip ... ldap.conf settings: BASE dc=abcd, dc=efgh, dc=com URI ldaps://auth01-test ldaps://auth02-test TLS_CACERT /etc/ssl/cacerts/my-org.cert.pem TLS_REQCERT demand TIMEOUT 4 NETWORK_TIMEOUT 2 ----- Meanwhile... gruntler@jaunty-64:~/src/openldap-2.4.16/clients/tools$ /usr/bin/ldapsearch -x -V ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.15 (Mar 19 2009 10:07:04) $ buildd@yellow:/build/buildd/openldap-2.4.15/debian/build/clients/tools (LDAP library: OpenLDAP 20415) ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

11 years, 9 months

1
0
0 / 0

proxy cache not really caching?

by Tyler Gates

Hello, I've been running my openldap 2.4 proxy directory server using back_ldap and pcache in front of two masters for a few days and have been a little confused about why I'm not getting more "QUERY ANSWERED" messages in the logs considering all the "QUERY CACHED" messages. According to the script I wrote to parse the log file for certain key words, I'm seeing data like this: ******************************* QUERIES ANSWERED: 26901 QUERIES NOT ANSWERED: 142386 QUERIES CACHEABLE: 114491 QUERIES NOT CACHEABLE: 27895 ------------------------------- TOTAL QUERIES: 169287 QUERIES ADDED: 114080 QUERIES STORED: 7 QUERY HIT: %15.8907653866 ******************************* As you can see my templates are catching a good majority of the queries and they appear to be added to cache. For example I see messages like this: 'Added query expires at 1244899436 (NEGATIVE)' But even though I've tried bumping the ttl up, I'm still seeing a lot of QUERY NOT ANSWERABLE messages fly by about queries that should have been in cache before. For example, this snippet below appears to cache querystr '(&(objectClass=posixGroup)(memberUid=xfs))' but then one query later the exact same query comes up and it says its not answerable and adds it to cache again. Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=99 op=1658 SRCH base="dc=castlebranch,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=xfs))" Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=99 op=1658 SRCH attr=gidNumber Jun 13 09:08:56 directory-proxy slapd2.4[20842]: query template of incoming query = (&(objectClass=)(memberUid=)) Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Entering QC, querystr = (&(objectClass=posixGroup)(memberUid=xfs)) Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock QC index = 0x8354560 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Not answerable: Unlock QC index=0x8354560 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT ANSWERABLE Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY CACHEABLE Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Added query expires at 1244899436 (NEGATIVE) Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock AQ index = 0x8354560 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: TEMPLATE 0x8354560 QUERIES++ 1 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Unlock AQ index = 0x8354560 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=99 op=1658 SEARCH RESULT tag=101 err=0 nentries=0 text= Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1661 SRCH base="dc=castlebranch,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=xfs))" Jun 13 09:08:56 directory-proxy slapd2.4[20842]: query template of incoming query = (&(objectClass=)(uid=)) Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT ANSWERABLE Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT CACHEABLE Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1661 SEARCH RESULT tag=101 err=0 nentries=0 text= Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1662 SRCH base="dc=castlebranch,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=xfs))" Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1662 SRCH attr=gidNumber Jun 13 09:08:56 directory-proxy slapd2.4[20842]: query template of incoming query = (&(objectClass=)(memberUid=)) Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Entering QC, querystr = (&(objectClass=posixGroup)(memberUid=xfs)) Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock QC index = 0x8354560 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Not answerable: Unlock QC index=0x8354560 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT ANSWERABLE Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY CACHEABLE Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Added query expires at 1244899436 (NEGATIVE) Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock AQ index = 0x8354560 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: TEMPLATE 0x8354560 QUERIES++ 1 Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Unlock AQ index = 0x8354560 According to the logs I currently have 7 cached queries and about a %15.8 hit rate which seems ridiculous given all the 'added query' messages I'm getting. Is there something wrong with my caching engine on the directory server or am I missing something with how the caching mechanism works? Thanks, Tyler

11 years, 9 months

2
5
0 / 0

Howto setup OpenLDAP as ACL for Servers?

by openbsd shen

I have many Windows 2003/Linux Server, and a OpenLDAP server as auth server, I want setup ACL in OpenLDAP server, maybe user A allowed to login in windows-1 server and Linux-1 server, and user B allowed to login in windows-2 server and Linux-2 server. How to setup it in OpenLDAP server?

11 years, 9 months

3
2
0 / 0

Database error 22

by Olivier Nicole

Hi, After a reboot this morning I had the error: Jun 23 06:47:47 ldap slapd[512]: @(#) $OpenLDAP: slapd 2.3.40 (Jan 29 2008 12:27:46) $ root@fbsd35.cs.ait.ac.th:/usr/ports/net/openldap23-server/work/openldap-2.3.40/servers/slapd Jun 23 06:47:49 ldap slapd[522]: bdb_db_open: Database cannot be opened, err 22. Restore from backup! Jun 23 06:47:49 ldap slapd[522]: bdb(dc=cs,dc=ait,dc=ac,dc=th): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem Jun 23 06:47:49 ldap slapd[522]: bdb(dc=cs,dc=ait,dc=ac,dc=th): txn_checkpoint interface requires an environment configured for the transaction subsystem Jun 23 06:47:49 ldap slapd[522]: bdb_db_close: txn_checkpoint failed: Invalid argument (22) Jun 23 06:47:49 ldap slapd[522]: backend_startup_one: bi_db_open failed! (22) Jun 23 06:47:49 ldap slapd[522]: bdb_db_close: alock_close failed Jun 23 06:47:49 ldap slapd[522]: slapd stopped. Jun 23 06:47:49 ldap slapd[522]: connections_destroy: nothing to destroy. Yesterday I think I cleanly halted the LDAP server before the UPS ran out of battery (major power failure). This morning when I restarted the machine I find the above error. 1) What could cause this error? 2) How to do clean and regular backups? Best regards, Olivier

11 years, 9 months

2
1
0 / 0

(no subject)

by Sai

Hi all, You can consider I am fairly new to LDAP Server, let alone OPENLDAP. But I went through most of the documentation and configured openldap for our Web Site almost year and half to 2 ago. Now I am required to configure passive fail over for this. I am trying to understand and weigh my options. 1) What I want to configure? Two LDAP servers, with their content being in sync at all times. 2) What should I use? Slurpd or syncrepl or some other configuration. 3) What version we are running on? 2.2.13. Sadly but truly, the project does not have the time and resources to update to the latest one. 4) How are we going to use this replication configuration? a. Currently the Web App points to server A. b. In case of a catastrophic failure of server A (Machine down, power plug pulled, disk failure, etc), they will point the Web App to server B. c. Fix server A. d. Point Web App back to server A (I know there is no harm in leaving it pointed to B but that is the way they want. "Return every thing back to how it was"). I think in order to satisfy 4.b (any updates while pointed to server B while server A is down), both the servers should be Master-Master (N-Way master). What I am trying to understand is question 2. I am currently going through chapter 14 and 15 of openldap documentation. I noticed there are some slight differences and I want to get your expert opinion so that I am on the right track and not doing my own little weird configuration. Any help in helping me understand this and decide what to use is much appreciated. Thanks, -Sai

11 years, 9 months

2
3
0 / 0

control rules

by olivier morel

hy when I try to find a contact with outlook I see all computeur of my area of the ou=machines i would like to ban the route of the ou=machines for just to see the people how can i do . thank you very mutch for your help ------------------------- Olivier Morel - Service Informatique 4 allée de Seine - 93285 Saint Denis Cedex E-mail : olivier.morel(a)panoranet.com

11 years, 9 months

3
2
0 / 0

Mirror Mode question

by Ivan Ordonez

Hi, I am trying to setup mirror mode on two identical machines. Previously, these two machine were setup as PDC and BDC, using syncrepl provider and comsumer method. All changes are done through the PDC, and will sync to BDC. We decided to use mirror mode for high availability but having issue getting it to work. When I try to create an account, I will get an error message regarding smbldap-tools. See below. Error: shadow context; no update referral at /usr/sbin//smbldap_tools.pm line 1083, <DATA> line 466. Is there anything on smbldap.conf that I need to change? I made sure that the master were pointing to each other. Below is my mirror mode configuration. Machine 1 - IP Address 192.0.0.201 ServerID 1 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.0.0.202:389 type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" searchbase="dc=my,dc=domain,dc=com" scope=sub schemachecking=on bindmethod=simple binddn="cn=Manager,dc=my,dc=domain,dc=com" credentials=mypassword mirrormode on Machine 2 - IP Address 192.0.0.202 ServerID 2 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.0.0.201:389 type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" searchbase="dc=my,dc=domain,dc=com" scope=sub schemachecking=on bindmethod=simple binddn="cn=Manager,dc=my,dc=domain,dc=com" credentials=mypassword mirrormode on Thanks in advance.

11 years, 10 months

4
11
0 / 0

Update schema

by Olivier Nicole

Hi, I have an openldap server running and being used day to day for authentication. I developped a small schema, and all is working fine. Only I just noticed that in the definition of the object class, I ussed the OID 9999 instead of my own enterprise number: objectclass ( 1.3.6.1.4.1.9999.2.1.1 Should be objectclass ( 1.3.6.1.4.1.26754.4.1.1 I beleive I cannot just stop slapd, correct the schema and restart slapd. What would be the clean way to proceed to a schema upgrade? As this is a production server, I cannot afford to break it. Bestregards, Olivier

11 years, 10 months

2
3
0 / 0

puzzling Open LDAP dn errors

by Frizzell, Ryan

Hi all, I'm trying to setup and ldap proxy and I'm running into a bunch of bad dn errors in my endeavors. Currently, my slapd.conf file looks like: Database ldap Suffix "" Uri "ldap://myLdapIP:389" Idassert-bind bindmethod=simple Binddn="cn=privilagedAcct" Credentials="privPass" Trying to keep it simple as this is only a sandbox setup. The issues I'm running into are when I try to change the suffix dn to something useful like Suffix "dc=mydomain,dc=net" Changing suffix to that will produce slaptest errors of "<suffix> invalid DN 21 (invalid syntax)" I can connect to my ldap server and perform searchs with: Ldapsearch -LLL "uid=mytestuser" -x -H "ldap://myLdapIP:389" -D "cn=privilagedAcct,OU=test,dc=mydomain,dc=net" -b "dc=mydomain,dc=net" -W I've also tired to change the binddn to cn=privilagedAcct,OU=test,dc=mydomain,dc=net slaptest will then produce Invalid bind config value binddn=cn=privilagedAcct,OU=test,dc=mydomain,dc=net I've worked quite a bit with DNs in the past and I can't seem to see anything wrong with the DNs especially since the ldapsearch commands will complete on the running ldap server. I'm guessing I'm overlooking something very simple. Any ideas? Thanks, Ryan

11 years, 10 months

2
2
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2009