openldap-technical July 2009

openldap-technical@openldap.org

68 participants
73 discussions

ACL processing performance
by Christian Manal 24 Jul '09

24 Jul '09

Hi, I've got a question regarding ACLs and their processing performance. I use the NIS-schema to store userinformation and the likes in OpenLDAP (using the maps passwd, group, services, ethers, hosts, automount stuff etc.) plus samba-schema plus some self defined stuff. I have ACLs defined for some special attributes, like userPassword, and for each OU (People, Groups, ...). If I start multiple searches without a filter (so everythin accessible will be displayed) anonymously or with some user, I can get the CPU load of my servers up to 80-90%. It's definitely the ACLs, since I have no problems when using the rootDN or if I reduce the ACLs. What I'd like to know now is, what is so damn expensive in my ACLs and how I could reduce the cost without lessening the access restrictions... OpenLDAP version is 2.4.17 using back-hdb with BDB 4.4 from opencsw respository on Solaris 10 (SunOS 5.10 Generic_139556-08). There are around 30k entries in my database. I have one master and four slaves using delta-syncrepl for replication. Configuration files can be found here: http://www.informatik.uni-bremen.de/~moenoel/ldap/ Thanks in advance. Regards, Christian Manal

3 2

Use of syncprov overlay in slave
by rommel＠buxit.nl 24 Jul '09

24 Jul '09

I am wondering whether it is possible to use the syncprov overlay in the slave database? The configuration at hand consists of two masters in mirror-mode and n-replica's in syncrepl-mode. The client application connects to one of the replica's and attempt to use the SyncControl to monitor the replica for changes. Both the master's and replica's have been configured with 'overlay syncprov'. When the client application connects to one of the masters and a changes in made in the other master, the application gets notified about the change through the SyncControl. However when I connect the client application to one of the replica's and make a change in one of the master's the client does not get notified about the change. When I look into the replica database directly the change made on the master is visible though. So I'm wondering is it possible to use the syncprov overlay in the slave database? And what would be the correct configuration to achieve this? The version of openldap I'm using is 2.4.13 Any help is appreciated. /Rob

3 2

openldap and dadlauthd
by Olivier Nicole 24 Jul '09

24 Jul '09

Hi, I have problems to get saslauthd to work with my openldap server: - saslauthd binds/autneticates if I connect to the non SSL port ldap://ldap.cs.ait.ac.th/ - saslauthd fails to bind/autneticate if I connect to the SSL port ldaps://ldap.cs.ait.ac.th/ Jul 23 12:02:00 ldap slapd[41289]: conn=22 fd=19 ACCEPT from IP=192.41.170.50:62502 (IP=192.41.170.6:636) Jul 23 12:02:00 ldap slapd[41289]: connection_closing: readying conn=22 sd=19 for close Jul 23 12:02:00 ldap slapd[41289]: connection_close: conn=22 sd=-1 Jul 23 12:02:00 ldap slapd[41289]: conn=22 fd=19 closed (TLS negotiation failure) I really don't know where to look. TIA, Olivier

2 7

Help with slurpd referral error
by phamp008＠yahoo.com 23 Jul '09

23 Jul '09

Hi, I am new to Openldap + Keberos project. I am setting up slurpd from ldap1(master) to ldap2(replica). I am hopping someone can give me some suggestion to troubleshoot this. I ran into this error when slurpd attempt to add new DN to ldap2. This is the error when I run slurpd -d 4 begin replication thread for ldap2.test.domain:389 Initializing session to ldap2.test.domain:389 request done: ld 0x9b27778 msgid 1 bind to ldap2.test.domain as host/krbmaster.test.domain(a)TEST.DOMAIN via GSSAPI (SASL) request done: ld 0x9b27778 msgid 2 request done: ld 0x9b27778 msgid 3 request done: ld 0x9b27778 msgid 4 replica ldap2.test.domain:389 - add dn "uid=ppham4,ou=people,dc=test,dc=domain" request done: ld 0x9b27778 msgid 5 Error: ldap_add_s failed adding DN "uid=ppham4,ou=people,dc=test,dc=domain": Referral Error: ldap operation failed, data written to "/var/lib/ldap/replica/ldap2.test.domain:389.rej Here's the slapd.conf on ldap1(master) include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org disallow bind_simple #security tls=1 #require authc # Create a replication log in /var/lib/ldap for use by slurpd. # REPLICA: Comment this out on the replicas replogfile /var/lib/ldap/master-slapd.replog TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/slapd1-cert.pem TLSCertificateKeyFile /etc/openldap/slapd1.key sasl-secprops noanonymous,noplain,noactive # Map SASL authentication DNs to LDAP DNs # This leaves "username/admin" principals untouched saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain # This should be a ^ plus, not a star, but slapd won't accept it # REPLICA: # On replica servers replace the first line of each section below (the # line that allows /admin principals to write to things) with the # following line (allowing the primary server to write instead). Thus # admins can make changes on the primary server, and the primary # server can push changes to the replicas. #by dn.exact="uid=host/foo.example.com,cn=GSSAPI,cn=auth" write # Users with /admin principals can change anything # Users can change their shell, anyone else can see it access to attrs=loginShell by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by self write by * read # Only the user can see their employeeNumber access to attrs=employeeNumber by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by self read by * none # Default read access for everything else access to * by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by * read sizelimit 5000 threads 8 loglevel 256 # Allow LDAPv2 for Mozilla's address book #allow bind_v2 database bdb suffix "dc=test,dc=domain" cachesize 10000 checkpoint 256 15 # Uncomment these only for the initial load, then comment them back # out and restart slapd. rootdn "cn=Manager,dc=test,dc=domain" rootpw Secret! # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd/tools. Mode 700 recommended. directory /var/lib/ldap # Indices to maintain index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial # REPLICA: Comment this out on replicas replica host=ldap2.test.domain:389 tls=critical bindmethod=sasl saslmech=GSSAPI authcId=host/krbmaster.test.domain(a)TEST.DOMAIN Here's the copy of my slapd.conf on replica ldap2 server: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema #referral ldap://root.openldap.org #pidfile /var/run/slapd.pid #argsfile /var/run/slapd.args # Create a replication log in /var/lib/ldap for use by slurpd. # REPLICA: Comment this out on the replicas #replogfile /var/lib/ldap/master-slapd.replog TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateFile /etc/openldap/slapd1-cert.pem TLSCertificateKeyFile /etc/openldap/slapd1.key sasl-secprops noanonymous,noplain,noactive saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain access to attrs=loginShell by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write by self write by * read # Only the user can see their employeeNumber access to attrs=employeeNumber by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write by self read by * none # Default read access for everything else access to * by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write sizelimit 5000 threads 8 idletimeout 14400 loglevel 256 # Allow LDAPv2 for Mozilla's address book allow bind_v2 database bdb suffix "dc=test,dc=domain" # Increase the size of slapd's entry cache. Note that this is a cachesize 10000 checkpoint 256 15 # Uncomment these only for the initial load, then comment them back # out and restart slapd. rootdn "cn=Manager,dc=test,dc=domain" rootpw Secret! # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd/tools. Mode 700 recommended. directory /var/lib/ldap # Indices to maintain index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial # The purpose of the updatedn is to tell slapd not to send the updateref # if that DN tries to make changes. Any other user which attempts to # submit a change will be refered to the master LDAP server found in # updateref. # REPLICA: Uncomment these on replicas updatedn "uid=host/krbmaster.test.domain" updateref ldaps://ldap1.test.domain/ Greatly appreciate any help. Thanks Phil

2 1

error in SSLv3 read client certificate
by Jittinan Suwanrueangsri 23 Jul '09

23 Jul '09

Dear all After I execute command " ldapsearch -x -W -D 'cn=admin,dc=example,dc=com' -ZZ '(uid=david)' " I get following log portion(debug at level 1): slapd starting slap_listener_activate(8): >>> slap_listener(ldap:///) connection_get(13): got connid=0 connection_read(13): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 29 contents: ber_get_next conn=0 op=0 do_extended ber_scanf fmt ({m) ber: send_ldap_extended: err=0 oid= len=0 send_ldap_response: msgid=1 tag=120 err=0 ber_flush2: 14 bytes to sd 13 connection_get(13): got connid=0 connection_read(13): checking for input on id=0 TLS trace: SSL_accept:before/accept initialization TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A TLS trace: SSL_accept:SSLv3 flush data /TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A/ connection_get(13): got connid=0 connection_read(13): checking for input on id=0 TLS trace: SSL_accept:SSLv3 read client key exchange A TLS trace: SSL_accept:SSLv3 read finished A TLS trace: SSL_accept:SSLv3 write change cipher spec A TLS trace: SSL_accept:SSLv3 write finished A TLS trace: SSL_accept:SSLv3 flush data /connection_read(13): unable to get TLS client DN, error=49 id=0/ connection_get(13): got connid=0 connection_read(13): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 44 contents: ber_get_next conn=0 op=1 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: >>> dnPrettyNormal: <cn=admin,dc=example,dc=com> <<< dnPrettyNormal: <cn=admin,dc=example,dc=com>, <cn=admin,dc=example,dc=com> do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128 do_bind: v3 bind: "cn=admin,dc=example,dc=com" to "cn=admin,dc=example,dc=com" send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=97 err=0 ber_flush2: 14 bytes to sd 13 connection_get(13): got connid=0 connection_read(13): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 55 contents: ber_get_next conn=0 op=2 do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <dc=example,dc=com> <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> ber_scanf fmt ({mm}) ber: ber_scanf fmt ({M}}) ber: => hdb_search bdb_dn2entry("dc=example,dc=com") => hdb_dn2id("dc=example,dc=com") <= hdb_dn2id: got id=0x1 entry_decode: "" <= entry_decode() search_candidates: base="dc=example,dc=com" (0x00000001) scope=2 => hdb_dn2idl("dc=example,dc=com") => bdb_equality_candidates (objectClass) => key_read <= bdb_index_read: failed (-30988) <= bdb_equality_candidates: id=0, first=0, last=0 => bdb_equality_candidates (uid) <= bdb_equality_candidates: (uid) not indexed bdb_search_candidates: id=-1 first=1 last=11 hdb_search: 1 does not match filter entry_decode: "" <= entry_decode() hdb_search: 2 does not match filter entry_decode: "" <= entry_decode() hdb_search: 3 does not match filter entry_decode: "" <= entry_decode() hdb_search: 4 does not match filter entry_decode: "" <= entry_decode() hdb_search: 5 does not match filter entry_decode: "" <= entry_decode() hdb_search: 6 does not match filter entry_decode: "" <= entry_decode() hdb_search: 7 does not match filter entry_decode: "" <= entry_decode() hdb_search: 8 does not match filter entry_decode: "" <= entry_decode() hdb_search: 9 does not match filter entry_decode: "" <= entry_decode() => send_search_entry: conn 0 dn="uid=david,ou=Users,dc=example,dc=com" ber_flush2: 199 bytes to sd 13 <= send_search_entry: conn 0 exit. entry_decode: "" <= entry_decode() hdb_search: 11 does not match filter send_ldap_result: conn=0 op=2 p=3 send_ldap_response: msgid=3 tag=101 err=0 ber_flush2: 14 bytes to sd 13 connection_get(13): got connid=0 connection_read(13): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 5 contents: ber_get_next TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 13 failed errno=0 (Success) conn=0 op=3 do_unbind connection_close: conn=0 sd=13 TLS trace: SSL3 alert write:warning:close notify What cause these errors? ,What do these errors mean? /TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A //connection_read(13): unable to get TLS client DN, error=49 id=0 /How can I fix these problems? Thankyou Jittinan Suwanrueangsri/ /

2 1

adding/modifying local attributes with translucent overlay
by Hart, Brian R. 22 Jul '09

22 Jul '09

Hey everyone - I have an openldap server setup using the translucent overlay and pulling entries from a remote ldap server (running Fedora DS). I seem to have gotten the translucent overlay configured correctly as I can perform searches and obtain entries from the remote ldap server by way of the local one. I can even add local attributes for users and groups in the local server and perform searches and obtain the results with the local attributes. However when I try to change or modify anything that has been stored in the local ldap server I either get 'ldapadd: already exists (68)' or 'ldapmodify: no such object (32)'. I'm using openldap 2.4.16 on RHEL5. When I'm trying to make these changes I'm using an ldif file just like I did when I added the attributes to begin with. I've tried just modifying the ldif file and re-adding as if it didn't already exist and I've tried writing the ldif as if it was for a modify with a changetype: modify line in the file. If I need to post the configuration file I can I just thought I'd hold off on putting all of that here if it wasn't necessary. I hope somebody can help - thanks in advance! Sincerely, Brian Hart

1 0

slow search and connection problem
by mukim pathan 22 Jul '09

22 Jul '09

Hi, I am using openldap2.4.16 with bdb 4.5. I am doing search in database using java. When I am doing search for first time, it is connecting and giving response in 4-5 milliseconds. But then its is taking around 100-150ms for search.I don't know what might be the problem. I searched online for this but could not find any solution. Following are my ldap configuration files. slapd.conf : include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/xxx.schema allow bind_v2 concurrency 3 threads 3 database bdb suffix "dc=xxx,dc=com" rootdn "cn=Manager,dc=xxx,dc=com" rootpw xxx directory /usr/local/var/openldap-data index objectClass eq index attr1 eq index attr2 eq index attr3 eq checkpoint 1024 60 cachesize 1000000 DBCONFIG: set_cachesize 2 268435456 1 set_lg_dir /opt2/logs set_data_dir /opt2/db set_flags DB_LOG_AUTOREMOVE Please help me with any improvements i must do to get fast search result. Regards, Mukim Pathan

3 3

LdapErr: DSID-0C090627 with translucent proxy and AD
by Petteri Heinonen 22 Jul '09

22 Jul '09

Hello list, I've been trying to setup a translucent proxy to display a modified version of our ActiveDirectory (Server 2003) to Linux clients. The ultimate goal is to be able to transparently add UID, default shell etc. parameters missing in AD by default. Usage of Services for Unix is not possible this time because of "company policies". Config file is like this: # Default realm sasl-realm company.com # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 504 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_hdb moduleload back_ldap moduleload accesslog moduleload translucent # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 backend hdb database hdb # The base of your directory in database #1 suffix "dc=company,dc=com" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. rootdn "cn=admin,dc=company,dc=com" rootpw {SSHA}blaablaa # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod off overlay translucent uri ldap://ad1.company.com:389 acl-bind binddn="CN=ldapuser,OU=tools,DC=company,DC=com" credentials="verysecure" Now, if I do a search with rootdn cn=admin,dc=company,dc=com, proxy binds to AD as ldapuser and search is successful. But, if I use a user existing in AD only, for example like this: ldapsearch -x -W -D "CN=Some User,OU=Users,DC=company,DC=com" -b "CN=Some User,OU=Users,DC=company,DC=com" I get: # extended LDIF # # LDAPv3 # base <CN=Some User,OU=Users,DC=company,DC=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, vece # numResponses: 1 I monitored the traffic using wireshark, and from there I can see that binding is actually successful. What fails is the search request after that: 0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple 0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success 0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767 0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree 0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece) OpenLDAP version is the one with Debian Lenny: slapd/lenny uptodate 2.4.11-1 Any suggestions how to continue? Is this some AD related quirk or possibly a problem problem related to how OpenLDAP does binding? Regards, Petteri Heinonen

1 0

Fwd: OpenLdap manual howto available
by Gavin Henry 21 Jul '09

21 Jul '09

Will take a look too. ---------- Forwarded message ---------- From: Lukasz Szybalski <szybalski(a)gmail.com> Date: Mon, 20 Jul 2009 11:45:15 -0500 Subject: OpenLdap manual howto available To: Debian User List <debian-user(a)lists.debian.org> Just an FYI. I'm working on openldap howto for Debian. http://lucasmanual.com/mywiki/OpenLdap This manual shows how to setup openldap and gives a workaround to some of the known bugs that prevent openldap to be reconfigured, and migration tools from finish migration. The setting up of openldap is fairly easy, but without few key instructions that I've listed its almost impossible for new user to finish. Took me 2 weeks but after reading above OpenLdap Manual howto you will setup ldap server in as little as 10minutes. Enjoy. (More content coming as days go by) Contents 1. OpenLDAP 1. What is required 2. Install 3. Authentication 4. Connect to openldap 5. Simple addressbook 1. Thunderbird 2. Outlook 2. Linux integration with LDAP 1. libnss-ldap 1. migrationtools 2. libpam 3. Troubleshooting 1. result: 32 No such object 4. References -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org -- Sent from my mobile device http://www.suretecsystems.com/services/openldap/ http://www.suretectelecom.com

1 0

Suggestion for 2 domains samba+ldap and Windows AD
by Alberto Moreno 20 Jul '09

20 Jul '09

Hi people. I want to know if this is possible. I have right now 3 domains in my network. Dom A = Samba 3.0.33 Gentoo + LDAP. This serve to a domain of 10 users at location 1. Dom B = Windows 2003 AD serving 8 users at location 2. Dom C = WinNT + samba as client serving most of the users(35) at location 2. As u can see, the NT is the most busy, I need to remove that domain, is in the same location as "Dom B", my path is to move all the users from "Dom C" to "Dom B" most of the machines are windows boxes. This is easy, the only issue I was having before is my 2 samba boxes, I could not make possible to be part of the "Dom B", but last week I made that possible, them I can make this move. Well, the main reason of this email is because, after I remove the NT server, at location 2 I would just have a Window 2k3 AD domain working, on the other site (location 1) I would have a domain running samba+ldap working. Right now, if I'm at location 1 I cannot see location 2 the "Dom B"(Win 2k3), the same thing happen at location 2. There is a way to make this possible, can a domain with samba+ldap see a domain with win 2k3? Is possible to share users? I was think to setup another server at location 2 with samba+ldap and sync users but I still have the users of the win 2k3 domain...? Hope to be clear, if someone have some experience here at will appreciated, thanks for your time!!! P.S. my samba serves at location 2 are Centos 5.x Samba 3.0.33. -- LIving the dream...

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2009