openldap-technical September 2009

openldap-technical@openldap.org

70 participants
72 discussions

Advice/comments on deploying openLDAP in a VirtualBox appliance.
by Arun Khan 23 Sep '09

23 Sep '09

I have completed the prototyping of openldap, samba/pdc, on a VirtualBox appliance. The setup works fine with 4-5 different desktop clients connecting to the services. Appliance details: VirtualBox 3.0.6 - 512MB RAM, 8MB Video RAM, 9GB VDI with 1GB Swap and CentOS 5.3 64bit). I am considering deploying this appliance into production with 1GB RAM. The no. of clients connecting to the server will be approx. 150. Has anyone deployed openLDAP + Samba/PDC in a VirtualBox appliance? I'd appreciate if you could share your experience, gotchas etc with respect to an appliance environment as well as resources allocated to the appliance e.g. amount of RAM. TIA Regards, -- Arun Khan

3 2

rwm-overlay, adding attributes
by Jeroen Berning 23 Sep '09

23 Sep '09

Hi, Can I with the rwm-overlay also introduce new static attribute? (Or change the content of an existing attribute and its name to use it for something new). Or do I need to combine it with the translucent overlay to gets things added? If it can be done and somebody has an example it would be appreciated. Jeroen

1 0

LDAP authentication + replication
by Maxime Gaudreault 22 Sep '09

22 Sep '09

Hi list I configured my 2 tests server to replicate with syncrepl using this website: https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html It works well. If I create a new user on any servers it's immediately replicated to the other. However I have some error in the log files: (these 2 messages appears every 10 seconds on the first server (vmlinux01)) Sep 22 11:53:56 vmlinux01 slapd[12072]: <= bdb_equality_candidates: (entryCSN) not indexed Sep 22 11:53:56 vmlinux01 slapd[12072]: <= bdb_inequality_candidates: (entryCSN) not indexed Sep 22 11:24:51 vmlinux02 slapd[10596]: do_syncrep2: rid=001 (-1) Can't contact LDAP server Sep 22 11:24:51 vmlinux02 slapd[10596]: do_syncrepl: rid=001 retrying (4 retries left) Also, when I configure the server to authenticate using LDAP (pam-auth-update) I can connect to the system using an LDAP account (say maxime) but look at the prompt and whoami result : administrator@vmlinux01:~$ whoami administrator Do I need to create the users on both LDAP and Linux ? Max

2 1

Reg OpenLdap on Ubuntu
by Asimananda Mohanty 22 Sep '09

22 Sep '09

Hi All, I am currently busy configuring OpenLdap on my newly installed Ubuntu 9.04. Here is what I have done till now. I followed the steps defined in https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html and installation was successful. I installed PhpLdapAdmin also. After I created certificate, key etc, I created a .ldif file (enable-ca.ldif) with the following content : *dn: cn=config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/server.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/server.key* Then I executed the command : *ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif* and it was a success. But after this, when I tried to restart slapd, I got errors like the following : *main: TLS init def ctx failed: -1* I noticed that after I executed "ldapmodify -D "cn=admin,cn=config" -x -w 12345678 -f enable-ca.ldif", 3 lines are added to /etc/ldap/slapd.d/cn=config.ldif and when I commented the last two lines like the following, slapd started successfully. *olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem #olcTLSCertificateFile: /etc/ssl/certs/server.crt #olcTLSCertificateKeyFile: /etc/ssl/private/server.key* This looks quite strange. Please help me resolving the same. -Asimananda

6 48

Syncrepl choking on case sensitive DN ?
by Emmanuel Kasper 22 Sep '09

22 Sep '09

Hello I noticed today that my syncrepl consumer was not up to date with the last change contained in the provider. (I am using slapd 2.4.11-1 from debian ) Looking at /var/log/syslog I see Sep 16 13:49:37 ur slapd[8172]: syncrepl_entry: rid=100 be_search (0) Sep 16 13:49:37 ur slapd[8172]: syncrepl_entry: rid=100 dc=webmail,ou=friends.openforce.com,ou=CNAME,dc=openforce.com,ou=private,ou=dns,dc=openforce,dc=com Sep 16 13:49:37 ur slapd[8172]: syncrepl_entry: rid=100 be_modrdn (32) Sep 16 13:49:37 ur slapd[8172]: do_syncrepl: rid=100 quitting and in debug mode bdb_modrdn: new parent "ou=friends.openforce.com,ou=CNAME,dc=openforce.com,ou=private,ou=dns,dc=openforce,dc=com" requested... bdb_dn2entry("ou=friends.openforce.com,ou=cname,dc=openforce.com,ou=private,ou=dns,dc=openforce,dc=com") => bdb_dn2id("ou=friends.openforce.com,ou=cname,dc=openforce.com,ou=private,ou=dns,dc=openforce,dc=com") <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990) bdb_modrdn: newSup(ndn=ou=friends.openforce.com,ou=cname,dc=openforce.com,ou=private,ou=dns,dc=openforce,dc=com) not here! see the cname/CNAME case difference ? the provider dn is indeed written CNAME. EK -- openForce Information Technology GesmbH http://www.openforce.com/ It is a book about a Spanish guy called Manual. You should read it. -- Dilbert

2 2

can't bind in subtree
by mkappe 21 Sep '09

21 Sep '09

Hi all, i'm having a problem that i can't understand: i create an openldap tree with a subtree called studenti. when i add an entry in the main tree i can bind correctly. when i insert an entry in the studenti subtree i can't bind. In attachment you will find the log files. What can i do? Thanks Marco

2 1

Proxy from Active Directory to OpenLdap
by Giacomo Calisse 21 Sep '09

21 Sep '09

Hello to everybody, I need an help... I have an Antivirus Server (Appliance) that performs requests to Active Directory. I don't have installed Active Directory but I have installed Open Ldap 2.3, so I have to convert the request from Active Directory format to Open Ldap format. In other words I have to create a Proxy. E.g. The structure where to take the data has this form: # extended LDIF # # LDAPv3 # base <dc=unina,dc=it> with scope subtree # filter: uid=rciotola # requesting: ALL # # xxxx yyyy (xxxx.yyyy(a)unina.it), CSI - CENTRO DI ATENEO PER I SERVIZI INFORMATIVI (295550), ALTRA STRUTTURA (100000), PersonaleT.A., istituzionali , unina.it dn: cn=xxxy yyyy (xxxx.yyyy(a)unina.it),ou=CSI - CENTRO DI ATENEO PER I SE RVIZI INFORMATIVI (295550),ou=ALTRA STRUTTURA (100000),ou=PersonaleT.A.,ou=is tituzionali,dc=unina,dc=it businessCategory: N employeeType: PersonaleTA mailLocalAddress: xxxx.yyyy(a)unina.it givenName: xxxx objectClass: inetOrgPerson objectClass: inetLocalMailRecipient objectClass: posixAccount objectClass: shadowAccount mailRoutingAddress: xxxx.yyyy(a)unina.it ou:: Y2lvdG9sYSByYWZmYWVsZSAocmNpb3RvbGFAdW5pbmEuaXQpIA== departmentNumber: CODICEFISCALE uid: xxxx.yyyy mail: xxxx.yyyy(a)unina.it mail: matzzzzz(a)unina.it mail: otheralias(a)unina.it mail: otheralias2(a)unina.it uidNumber: nnnnn cn:: Y2lvdG9sYSByYWZmYWVsZSAocmNpb3RvbGFAdW5pbmEuaXQpIA== physicalDeliveryOfficeName: 295550 physicalDeliveryOfficeName: CSI - CENTRO DI ATENEO PER I SERVIZI INFORMATIVI loginShell: /bin/false gidNumber: 100 employeeNumber: zzzzzz homeDirectory: /home/xxxx.yyyy sn: yyyy title: Personale tecnico amm.vo # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 These data should be tranformed in Active Directory format and should have the fields sAMAccountName, mail, group and ProxyAddresses; both that concerns data and authentication. I hope that you can help me... cheers Giacomo

2 1

attribute writing: can an overlay do this?
by Stefano Zanmarchi 21 Sep '09

21 Sep '09

Hallo, I hope someone can give me a hand on this issue. I'd like my ldap server to automaitcally set the value of an attribute, based on the value of another. In the simplest version I'd like it to copy the value of an attribute into another attribute, whenever the first one gets modified. Example: my example entry would be: dn: uid=jsmith,ou=people,dc=myorg,dc=com objectClass: myobjectclass 1st_attrib: 18_06_2009 2nd_attrib: 18_06_2009 now with ldapmodify I change *ONLY* 1st_attrib to 24_07_2009 and I'd like the result to be: dn: uid=jsmith,ou=people,dc=myorg,dc=com objectClass: myobjectclass 1st_attrib: 24_07_2009 2nd_attrib: 24_07_2009 with both attributes changed. Even better would be if the second attribute could be written to a value based on the firs one (e.g. automatically adding 7 days to the date). Any help would be gratly appreciated, Stefano

4 5

Configuring OpenLDAP on Ubuntu 8.10
by Parag Kalra 21 Sep '09

21 Sep '09

Hello Folks, I just installed OpenLDAP ('slapd-2.4.11') and 'ldap-utils' on my Ubuntu 8.10 using Synaptic Manager. I have following queries related to configuring LDAP on Ubuntu. First & Foremost I am completely new to LDAP so please don't mind if my questions are really funny 1. After installation the file '/etc/ldap/ldap.conf' doesn't seem to contain the parameters like 'rootpw' & 'rootdn'. Am I seeing the wrong file or is there any other ldap configuration file on Ubuntu? 2. What is my default root node address and how to change it? 3. My machine doesn't have any FQDN. Its name is - 'station3' and I don't intend to give it a FQDN. Now my question can I have my root node address set to 'dc=station3,dc=home'? If yes, then I guess it has to be through 'ldapmodify' but can someone please share the exact syntax? Thanks in Advance.... Cheers, Parag

5 7

Configuring Active Directory to use External LDAP Server for Authentication
by Kamal Pandey 20 Sep '09

20 Sep '09

Hi, Can anybody help in this matter.I want to integrate Active Directory with External LDAP Directory. Means if a user login then user request goes to AD Server if not found it searches from external LDAP Server which might any LDAP Server and gives the user login. Now, send attachments up to 25MB with Yahoo! India Mail. Learn how. http://in.overview.mail.yahoo.com/photos

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2009