I am currently busy configuring OpenLDAP on my newly installed Ubuntu 9.04.
Here is what I have done so far.
I followed the steps defined in
The installation was successful. I installed phpLDAPadmin as well.
After I created certificate, key etc, I created a .ldif file
(enable-ca.ldif) with the following content :
Then I executed the command:
*ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif*
and it was a success.
But after this, when I tried to restart slapd, I got errors like the following:
*main: TLS init def ctx failed: -1*
I noticed that after I executed "ldapmodify -D "cn=admin,cn=config" -x -w
12345678 -f enable-ca.ldif", 3 lines were added to
and when I commented out the last two lines like the following, slapd started.
This looks quite strange.
Please help me resolve this.
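"TLS init def ctx failed" is slapd reporting that OpenSSL could not build its default TLS context from the configured CA, certificate and key files. Before restarting slapd it helps to run the same loads outside slapd. The script below is an added example, not part of the original post: it uses Python's ssl module (which calls the same OpenSSL routines) to load the CA file and the certificate/key pair, and it checks the file mode bits against the uid that slapd runs as. The paths and the slapd user name `openldap` are assumptions; adapt them to your TLS directives.

```python
"""Pre-flight check for the files an OpenLDAP TLS configuration points at.

Added example, not from the original post.  It loads the CA file and the
certificate/key pair with Python's ssl module (same OpenSSL calls slapd makes
at TLS init) and checks the file modes against the uid slapd runs as.
The default paths and the 'openldap' user name are assumptions.
"""
from __future__ import annotations

import grp
import os
import pwd
import ssl
import stat


def readable_by(path: str, uid: int, gids: set[int]) -> bool:
    """Mode-bit check: could a non-root process with this uid/gids read path?"""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def user_ids(username: str) -> tuple[int, set[int]] | None:
    """uid and all gids of a local account, or None if it does not exist."""
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return None
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def tls_problems(cafile: str, certfile: str, keyfile: str,
                 slapd_user: str = "openldap") -> list[str]:
    """Return a list of human-readable problems; an empty list means all loads succeeded."""
    problems = [f"{p}: no such file" for p in (cafile, certfile, keyfile)
                if not os.path.isfile(p)]
    if problems:
        return problems

    ids = user_ids(slapd_user)
    if ids is None:
        problems.append(f"user {slapd_user!r} does not exist; skipped permission check")
    else:
        uid, gids = ids
        for p in (cafile, certfile, keyfile):
            if not readable_by(p, uid, gids):
                problems.append(f"{p}: not readable by {slapd_user} (uid {uid})")

    # The same two steps slapd performs: trust store first, then cert + key.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"{cafile}: CA load failed: {getattr(exc, 'reason', None) or exc}")
    try:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"{certfile}/{keyfile}: cert/key load failed: "
                        f"{getattr(exc, 'reason', None) or exc}")
    return problems


if __name__ == "__main__":
    # Assumed locations; replace with the values from your olcTLS*/TLS* directives.
    for line in tls_problems("/etc/ssl/certs/cacert.pem",
                             "/etc/ssl/certs/ldap-server.crt",
                             "/etc/ssl/private/ldap-server.key") or ["TLS files load cleanly"]:
        print(line)
```

A private key that is mode 0600 and owned by root is the classic cause of this failure on Debian/Ubuntu, because slapd drops to the `openldap` user before initialising TLS; the mode-bit check above catches that without having to read slapd's debug output.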
I've got OpenLDAP running and installed the PAM and NSS libraries so it
would also control the Linux passwords. I'm trying to sign on to my server
using ssh, but once I enter my username and password, I get
WARNING: Your password has expired.
You must change your password now and login again!
Enter login(LDAP) password:
Now being a bad security person, I always use the exact same username /
password combination and they don't work.
If I use either nothing (just hit Enter) or if I put in the standard
password I get
passwd: Authentication information cannot be recovered
passwd: password unchanged
Connection to ubuntu closed.
If I enter in some nonsensical string I get
LDAP Password incorrect: try again
Enter login(LDAP) password:
However, that is the only root-level user on the machine and I have TONS of
stuff on it. How do I fix this? Is this an OpenLDAP issue or something else?
Is there some way to speed up LDAP? I am guessing this has to do with it
searching the database on LDAP? This is a new server and my old one did
not take that long. It is not as slow if just one or two people are
logging in with LDAP, but when many log in, it seems to bring LDAP to a
bottleneck, I guess while searching the directory for all the names.
There are probably about 1000 users in my LDAP. Is that too large? I
assume it isn't, since most of the other schools around have AD, which is
basically Microsoft LDAP if I understand correctly, and they have no
problems and have many more users than I have.
Can multiple schemas in the config file cause this? I know that on my
old server I had the following in slapd.conf:
On my new one it has the above plus:
Those were just in there when I installed it so I left them. Should I
take them out, or would that not have any effect on logins at all? I am
guessing that they won't affect anything and it is more related to some
sort of configuration in my LDAP configs.
Is there something else I need in a config? Here are my configs.
checkpoint 1024 15
index objectClass eq
index cn,sn,uid,displayName eq,pres,sub
index uidNumber,gidNumber eq
index memberUid eq
index sambaSID,sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
HOST 127.0.0.1 10.0.0.5
I have a DB_CONFIG file that contains the following, but not sure if it
needs anything else or not:
set_cachesize 0 268435456 1
Thanks for any info.
Scott Mayo - System Administrator
PH: 573-568-5669 FA: 573-568-4565
Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
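Login latency under load on a BDB backend is usually an unindexed attribute in one of the filters that nss_ldap/pam_ldap send on every lookup, because slapd then scans the whole directory. The script below is an added example, not part of the original post: it parses the `index` directives quoted above and checks each attribute in a set of search filters for the index type that filter needs (`eq`, `pres`, `sub`, `approx`). The filters are constructed to resemble the user, uid-number, group and initgroups lookups a login triggers; they are assumptions, and the real ones come from `nss_base_*`/`pam_filter` in ldap.conf. The check also goes beyond the post's case by resolving `index default`, which only supplies types for attributes listed without any.

```python
"""Check whether login-time search filters are covered by slapd index directives.

Added example, not from the original post.  The index block is the one the
post quotes; the LOGIN_FILTERS are constructed approximations of what
nss_ldap/pam_ldap send and should be replaced with the site's real filters.
"""
from __future__ import annotations

import re

# Index directives quoted in the post's slapd.conf.
SLAPD_INDEX_CONF = """\
index objectClass eq
index cn,sn,uid,displayName eq,pres,sub
index uidNumber,gidNumber eq
index memberUid eq
index sambaSID,sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
"""

# Constructed, typical of nss_ldap lookups for a login (assumption).
LOGIN_FILTERS = [
    "(&(objectClass=posixAccount)(uid=scott))",
    "(&(objectClass=posixAccount)(uidNumber=1000))",
    "(&(objectClass=posixGroup)(gidNumber=100))",
    "(&(objectClass=posixGroup)(memberUid=scott))",
]

# One filter item: (attr=value), (attr=*), (attr=*foo*), (attr~=value)
ITEM = re.compile(r"\(([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^()]*)\)")
SUB_TYPES = {"sub", "subinitial", "subany", "subfinal"}


def parse_index_directives(conf: str) -> dict[str, set[str]]:
    """Map lower-cased attribute -> index types.

    'index default' only supplies types for attributes that are listed
    without explicit types; attributes not listed at all stay unindexed.
    """
    default: set[str] = set()
    explicit: dict[str, set[str] | None] = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "index":
            continue
        attrs = [a.lower() for a in parts[1].split(",")]
        types = {t.lower() for t in parts[2].split(",")} if len(parts) > 2 else None
        if attrs == ["default"]:
            default = types or set()
            continue
        for attr in attrs:
            explicit[attr] = types
    return {a: (t if t is not None else set(default)) for a, t in explicit.items()}


def index_needed(op: str, value: str) -> str | None:
    """Index type a single filter item relies on (None: not covered by this check)."""
    if op == "~=":
        return "approx"
    if op in (">=", "<="):
        return None          # ordering filters are outside this simple check
    if value == "*":
        return "pres"
    if "*" in value:
        return "sub"
    return "eq"


def check_filter(flt: str, indexes: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (attribute, missing index type) pairs for one filter."""
    missing = []
    for attr, op, value in ITEM.findall(flt):
        need = index_needed(op, value)
        if need is None:
            continue
        have = indexes.get(attr.lower(), set())
        if need == "sub" and have & SUB_TYPES:
            continue
        if need not in have:
            missing.append((attr, need))
    return missing


def audit(conf: str, filters: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Filters that would force an unindexed scan, with what they are missing."""
    indexes = parse_index_directives(conf)
    report = {f: check_filter(f, indexes) for f in filters}
    return {f: m for f, m in report.items() if m}


if __name__ == "__main__":
    for flt, missing in audit(SLAPD_INDEX_CONF, LOGIN_FILTERS).items():
        print(flt, "->", missing)
```

Run it with the filters actually configured in ldap.conf; a hit such as `('loginShell', 'eq')` means adding `index loginShell eq` and running `slapindex` on the stopped server. Note that with the quoted configuration the login filters are already covered, so if that check comes back clean, the next things to look at are the BDB cache (DB_CONFIG) and the `nss_base_*` scopes rather than indexing.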
I am having problems using OpenLDAP and Samba. We have been having issues with Samba passwords expiring and I have tried several things to resolve them. The LDAP server was set up using the smbldap-tools. When the password expires, the only thing I have been able to do is reset the password. I have tried smbldap-usermod -B -1 username to disable sambaPwdMustChange. I also tried setting sambaAcctFlags to UX. We set this LDAP server up in a hurry and did not have a chance to implement a proper password policy. This is using the stock version of Samba that came with RHEL5.
Senior Systems Administrator
Turbo, division of OHL
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
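Samba's password-expiry decision for an LDAP account rests on two attributes: `sambaPwdMustChange` (a Unix epoch time, where 2147483647 means never) and the `X` flag inside `sambaAcctFlags`, which is stored as `[` followed by an 11-character, space-padded flag field and `]`, so a bare value of `UX` is not the format Samba expects. The script below is an added example, not part of the original post or of smbldap-tools: it formats and parses the flag field, evaluates an entry the way Samba does as I understand it (my reading of the pdb_ldap semantics, stated as an assumption), and emits the LDIF that marks an account as never expiring. The DN and entries are constructed.

```python
"""Evaluate and repair Samba password expiry on OpenLDAP sambaSamAccount entries.

Added example, not from the original post.  The expiry rule implemented here
(X flag wins, then sambaPwdMustChange, else sambaPwdLastSet + max age) is my
reading of Samba's pdb_ldap behaviour and is an assumption.
"""
from __future__ import annotations

import time

NEVER = 2**31 - 1          # 2147483647: Samba's "never" value for sambaPwdMustChange
FLAG_WIDTH = 11            # sambaAcctFlags is '[' + 11 padded characters + ']'


def format_acct_flags(letters: str) -> str:
    """'UX' -> '[UX         ]' (duplicates removed, upper-cased, padded to 11)."""
    letters = "".join(dict.fromkeys(letters.upper()))
    if len(letters) > FLAG_WIDTH:
        raise ValueError("too many account flags")
    return "[" + letters.ljust(FLAG_WIDTH) + "]"


def parse_acct_flags(value: str) -> set[str]:
    """Accept both the bracketed form and a bare 'UX' as found in hand-edited entries."""
    return set(value.strip().strip("[]").replace(" ", "").upper())


def password_expired(entry: dict[str, str], now: int | None = None,
                     max_pwd_age: int | None = None) -> bool:
    """True if Samba would refuse the password as expired at time `now`."""
    now = int(time.time()) if now is None else now
    flags = parse_acct_flags(entry.get("sambaAcctFlags", "[U          ]"))
    if "X" in flags:                       # "password does not expire"
        return False
    must = entry.get("sambaPwdMustChange")
    if must is None:                       # derive from last-set + domain max age
        last = entry.get("sambaPwdLastSet")
        if last is None or max_pwd_age is None:
            return False
        must = int(last) + max_pwd_age
    must = int(must)
    return must != NEVER and must <= now


def never_expire_ldif(dn: str, flags: str = "UX") -> str:
    """ldapmodify input that sets the X flag and pushes sambaPwdMustChange to NEVER."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaAcctFlags",
        f"sambaAcctFlags: {format_acct_flags(flags)}",
        "-",
        "replace: sambaPwdMustChange",
        f"sambaPwdMustChange: {NEVER}",
        "",
    ])


if __name__ == "__main__":
    # Constructed entry: expired a while ago, flags written without padding.
    entry = {"sambaAcctFlags": "UX", "sambaPwdMustChange": "1230768000"}
    print("expired:", password_expired(entry, now=1240000000))
    print(never_expire_ldif("uid=jdoe,ou=People,dc=example,dc=com"))
```

Setting `X` switches expiry off entirely for that account, which is a stop-gap rather than a policy; once a real password policy is in place, the fix is to restore `sambaPwdMustChange` from `sambaPwdLastSet` plus the domain's `sambaMaxPwdAge` instead of pinning it to NEVER.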
I have an issue when adding entries to the DB. For some reason I'm getting this:
[root@ldap]# slapadd -f /etc/openldap/slapd.conf -l /home/tculjaga/export.ldif -q -c
str2entry: entry -1 has multiple DNs
slapadd: could not parse entry (line=1727833)
str2entry: entry -1 has multiple DNs "lbsID=100,uniqueID=385138" and
slapadd: could not parse entry (line=10487774)
str2entry: entry -1 has multiple DNs
slapadd: could not parse entry (line=10895623)
Can someone please explain what's wrong?
Also, I went to the lines listed above and found nothing strange at all ...
Any help?
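slapadd splits its input into records at blank lines, so "entry has multiple DNs" means that a single record contained two `dn:` lines, which in a large export almost always comes from a missing blank line between two entries (and `-c` makes slapadd skip that record silently, so the entries are lost rather than loaded). Looking at the reported line alone does not show it, because the problem is the absence of a separator somewhere above it. The script below is an added example, not part of the original post: a small LDIF record scanner that honours folded continuation lines and comments, reports every record with more than one `dn:` together with the line numbers involved, and inserts the missing separators. The sample LDIF is constructed; the `lbsID=…,uniqueID=…` naming is taken from the post, the `dc=example,dc=com` suffix is an assumption.

```python
"""Find and repair LDIF records that carry more than one dn: line.

Added example, not from the original post.  Handles RFC 2849 folding (a
leading space continues the previous line) and '#' comments so that a folded
value which happens to start with 'dn:' is not mistaken for a new entry.
"""
from __future__ import annotations

from typing import Iterator

# Constructed sample: the second and third entries are not separated by a blank line.
SAMPLE_LDIF = """\
dn: lbsID=100,uniqueID=385138,dc=example,dc=com
objectClass: top
lbsID: 100
description: folded value that happens to continue with
 dn: not a new entry
 
dn: lbsID=101,uniqueID=385139,dc=example,dc=com
objectClass: top
dn: lbsID=102,uniqueID=385140,dc=example,dc=com
objectClass: top
""".replace("\n \n", "\n\n")   # keep the editor from eating the blank separator


def iter_records(lines: list[str]) -> Iterator[tuple[int, list[tuple[int, str]]]]:
    """Yield (first_line_no, [(line_no, logical_line), ...]) per LDIF record."""
    record: list[tuple[int, str]] = []
    start: int | None = None
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line == "":                       # blank line ends a record
            if record:
                yield start, record
            record, start = [], None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and record:  # folded continuation
            lno, prev = record[-1]
            record[-1] = (lno, prev + line[1:])
            continue
        if start is None:
            start = no
        record.append((no, line))
    if record:
        yield start, record


def is_dn_line(logical: str) -> bool:
    return logical.lower().startswith("dn:")


def find_multi_dn_records(text: str) -> list[tuple[int, list[int]]]:
    """(record start line, [line numbers of its dn: lines]) for each bad record."""
    bad = []
    for start, rec in iter_records(text.splitlines(True)):
        dn_lines = [no for no, logical in rec if is_dn_line(logical)]
        if len(dn_lines) > 1:
            bad.append((start, dn_lines))
    return bad


def insert_separators(text: str) -> str:
    """Put a blank line in front of every dn: that starts inside an existing record."""
    out: list[str] = []
    seen_dn = False
    for raw in text.splitlines(True):
        line = raw.rstrip("\r\n")
        if line == "":
            seen_dn = False
        elif not line.startswith((" ", "#")) and is_dn_line(line):
            if seen_dn:
                out.append("\n")
            seen_dn = True
        out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    for start, dns in find_multi_dn_records(SAMPLE_LDIF):
        print(f"record starting at line {start} has dn: lines at {dns}")
    assert find_multi_dn_records(insert_separators(SAMPLE_LDIF)) == []
```

On a multi-million-line export the scanner streams the file, so running it over `export.ldif` before `slapadd` gives the exact line of each stray `dn:`; the line numbers slapadd prints refer to where the parser gave up, not to where the separator is missing.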
I have a number of objects scattered around my DIT that I want to
dynamically "tag" for access by a certain user by giving them a memberOf
attribute pointing to that user. Now here's the fun part: Is it possible
to also give that user access to the subtree starting at the "tagged"
E.g. I have an office manager who manages a random number of rooms
around the building. I assign the rooms to him via memberOf, but the
rooms also have people in them that he should have access to.
For that I would need something like this:
access to filter.subtree="(memberOf=managerguy)" by managerguy read
Is there any way to do this today? Otherwise make it a feature request :)
I'm tuning my LDAP DB (BDB type).
I'm reading at
# (Number of hash buckets + number of overflow pages + number of duplicate
# pages) * page size / 2
# The objectClass index for my example database is 5.9MB and
# uses 3 hash buckets and 656 duplicate pages. So:
# ( 3 + 656 ) * 4KB / 2 =~ 1.3MB.
# With only this index enabled, I'd figure at least a 4MB cache for this
# backend. (Of course you're using a single cache shared among all of the
# database files, so the cache pages will most likely get used for something
# other than what you accounted for, but this gives you a fighting chance.)
I understand that with each index (in this case only objectClass is
indexed), we must calculate its cache size individually and sum every
- I can specify the number of hash buckets & cache size (2) by the command
Shell> db_stat-4.4 -m | head -n 25
32771 Number of hash buckets used for page location
Pool file: <index>.bdb
<number> page size
- I can specify the number of overflow pages & number of duplicate
pages by the command
Shell> db_stat-4.4 -d *.bdb (3)
0 Number of tree duplicate pages
0 Number of tree overflow pages
(1) Did I understand right?
(2) Which page size will we use? Some index files use a 4K page size,
others use a 16K page size.
(3) Must I run it for each index, or is *.bdb still OK?
Could anyone help me? This chapter is not very clear, huh?
Thanks for reading
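The FAQ formula is per database file, and the page size in it is that file's own page size (a page of a 16K-page index is 16K, whatever the other files use), so the sum over index files is a sum of per-file products, not one page size times a grand total. The script below is an added example, not part of the original post or the OpenLDAP FAQ: it parses `db_stat -d` style output for each index file, applies the formula per file, adds the results, and turns the total into a `set_cachesize` line for DB_CONFIG. The sample statistics are constructed; the numbers for `objectClass.bdb` mirror the FAQ example (3 buckets, 656 duplicate pages, 4K pages), the second file has 16K pages, and the headroom factor of 3 (the FAQ's 1.3MB rounded up to "at least 4MB") is my assumption. The label matching is deliberately loose so it covers both hash databases (`Number of hash buckets`, `Number of duplicate pages`) and btree ones (`Number of tree duplicate pages`, `Number of tree overflow pages`).

```python
"""Sum the OpenLDAP FAQ's per-index BDB cache estimate into a set_cachesize line.

Added example, not from the original post.  Formula per file:
    (hash buckets + overflow pages + duplicate pages) * page size / 2
Each file contributes with its own page size.  The x3 headroom is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed db_stat -d output for two index files (value<TAB>label lines only).
SAMPLE_STATS = {
    "objectClass.bdb": """\
4096\tUnderlying database page size
3\tNumber of hash buckets
0\tNumber of bucket overflow pages
656\tNumber of duplicate pages
""",
    "uid.bdb": """\
16384\tUnderlying database page size
0\tNumber of tree overflow pages
12\tNumber of tree duplicate pages
""",
}

LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


@dataclass
class IndexStats:
    name: str
    page_size: int = 0
    buckets: int = 0
    overflow_pages: int = 0
    duplicate_pages: int = 0

    def cache_bytes(self) -> int:
        """FAQ rule for this one file, in bytes."""
        return (self.buckets + self.overflow_pages + self.duplicate_pages) * self.page_size // 2


def parse_db_stat(name: str, text: str) -> IndexStats:
    """Pick the page size, bucket and page counts out of db_stat -d output."""
    st = IndexStats(name)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        value, label = int(m.group(1)), m.group(2).lower()
        if "page size" in label:
            st.page_size = value
        elif "hash buckets" in label:          # hash access method only
            st.buckets = value
        elif "overflow pages" in label:        # bucket overflow or tree overflow
            st.overflow_pages += value
        elif "duplicate pages" in label:       # hash or tree duplicate pages
            st.duplicate_pages += value
    return st


def total_cache_bytes(stats: list[IndexStats]) -> int:
    return sum(s.cache_bytes() for s in stats)


def db_config_line(total_bytes: int, ncache: int = 1) -> str:
    """DB_CONFIG syntax: set_cachesize <gbytes> <bytes> <ncache>."""
    gb, rest = divmod(total_bytes, 1 << 30)
    return f"set_cachesize {gb} {rest} {ncache}"


def recommend(stat_outputs: dict[str, str], headroom: float = 3.0) -> str:
    stats = [parse_db_stat(name, text) for name, text in stat_outputs.items()]
    return db_config_line(int(total_cache_bytes(stats) * headroom))


if __name__ == "__main__":
    for name, text in SAMPLE_STATS.items():
        s = parse_db_stat(name, text)
        print(f"{name}: {s.cache_bytes()} bytes at {s.page_size}-byte pages")
    print(recommend(SAMPLE_STATS))
```

In practice you would feed it the real output of `db_stat -d` run once per `.bdb` file in the database directory (the `-m` output is about the memory pool, not the individual files); because all files share the one cache, the figure is a floor, and the `id2entry.bdb` working set, which the FAQ treats separately, still has to be added on top.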
I am trying to add localized users into LDAP, i.e. LANG=ja_JP.SJIS.
While creating the LDIF file I am converting SJIS chars into UTF-8 format.
If I give the value of the attribute "gecos:" in the LDIF file in localized format,
I am not able to add the user; it gives me the following error:
additional info: gecos: value #0 invalid per syntax
If I give the rest of the attributes in localized format it works fine.
The only problem is with the gecos field.
Can anyone tell me whether this is the desired behavior, or am I missing something?
O.S: RHEL 4.3
Thanks in advance
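The behaviour follows from the schema: in nis.schema, `gecos` (like `homeDirectory` and `loginShell`) has the IA5String syntax, which only admits ASCII, while `cn`, `sn`, `displayName` and `description` are DirectoryString (UTF-8), which is why the same UTF-8 value is accepted there and rejected as "invalid per syntax" in gecos. The script below is an added example, not part of the original post: it flags non-ASCII values in the IA5String attributes before the entry is sent, and it writes LDIF the way RFC 2849 requires for non-ASCII or otherwise unsafe values (`attr:: base64`), which the converted SJIS-to-UTF-8 values also need even in the DirectoryString attributes. The sample user is constructed, and the check generalises beyond gecos to the other IA5String attributes of posixAccount.

```python
"""Syntax pre-check and LDIF encoding for localized posixAccount entries.

Added example, not from the original post.  IA5_ATTRS lists the posixAccount
attributes that nis.schema defines with IA5String syntax (ASCII only); all
other attributes here are DirectoryString and accept UTF-8.
"""
from __future__ import annotations

import base64

IA5_ATTRS = {"gecos", "homedirectory", "loginshell"}

# Constructed sample: Japanese name already converted from SJIS to UTF-8.
SAMPLE_USER = {
    "objectClass": ["top", "person", "posixAccount"],
    "uid": ["tyamada"],
    "cn": ["山田 太郎"],
    "sn": ["山田"],
    "gecos": ["山田 太郎"],
    "uidNumber": ["1001"],
    "gidNumber": ["100"],
    "homeDirectory": ["/home/tyamada"],
    "loginShell": ["/bin/bash"],
    "userPassword": ["{SSHA}placeholder"],
}


def ia5_ok(value: str) -> bool:
    """IA5String admits only characters below 0x80."""
    return all(ord(ch) < 0x80 for ch in value)


def check_entry(attrs: dict[str, list[str]]) -> list[str]:
    """Problems slapd would report as 'value #N invalid per syntax' for IA5 attributes."""
    problems = []
    for name, values in attrs.items():
        if name.lower() not in IA5_ATTRS:
            continue
        for i, value in enumerate(values):
            if not ia5_ok(value):
                problems.append(f"{name}: value #{i} invalid per syntax (IA5String allows ASCII only)")
    return problems


def needs_base64(raw: bytes) -> bool:
    """RFC 2849 SAFE-STRING: no leading space/colon/'<', no trailing space,
    no NUL/CR/LF, nothing above 0x7F; otherwise the value must be base64 ('::')."""
    if not raw:
        return False
    if raw[0] in b" :<" or raw[-1] == 0x20:
        return True
    return any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in raw)


def ldif_line(name: str, value: str) -> str:
    raw = value.encode("utf-8")
    if needs_base64(raw):
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {value}"


def entry_to_ldif(dn: str, attrs: dict[str, list[str]]) -> str:
    """One LDIF record; the dn gets the same encoding rule as any other value."""
    lines = [ldif_line("dn", dn)]
    for name, values in attrs.items():
        lines.extend(ldif_line(name, v) for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for problem in check_entry(SAMPLE_USER):
        print("would be rejected:", problem)
    fixed = dict(SAMPLE_USER, gecos=["Taro Yamada"])   # romanised form for the IA5 attribute
    print(entry_to_ldif("uid=tyamada,ou=People,dc=example,dc=com", fixed))
```

The practical split is to keep the romanised name in `gecos` (what `getent passwd` and finger-style tools show) and the localized name in `cn`/`displayName`, and to let the LDIF writer base64-encode every value that carries UTF-8 rather than only the ones that happen to fail.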