openldap-technical September 2009

openldap-technical@openldap.org

70 participants
72 discussions

ppolicy and ACLs of pwdAccountLockedTime?
by chantra 06 Sep '09

06 Sep '09

Hi all, I have exactly the same issue. My repro config is within the .tgz attached to this email. admin user is cn=admin,dc=example,dc=com and test user is uid=chantra,ou=users,dc=example,dc=com password for both of them is "foobarcode". To reproduce, on Debian Lenny, * untar the archive * cd ldaps * ./install.sh (WARNING: ONLY DO THIS ON A TEST MACHINE, current setup/db will be ERASED). That will stop slapd, override the config with the repro config, erase the current database, inject the testing one with slapadd, give credential to /var/lib/ldap to openldap user, start slapd Then, run: for i in {1..10}; do ./ldapauth.sh $i; sleep 2; done; ./ldaps.sh which will perform 10 failed authentication, with a pause of 2 seconds. Finally, ldaps.sh will output the details of user uid=chantra,ou=users,dc=example,dc=com @Jiri, have you found a solution yet? In my repro, here is the result after the 10 failed auth: # chantra, users, example.com dn: uid=chantra,ou=users,dc=example,dc=com structuralObjectClass: inetOrgPerson entryUUID: 2e93af32-2d8d-102e-8fab-21ae2aafa5d0 creatorsName: createTimestamp: 20090904105519Z entryCSN: 20090904105519.875933Z#000000#000#000000 modifiersName: modifyTimestamp: 20090904105519Z pwdFailureTime: 20090904105614Z pwdFailureTime: 20090904105616Z pwdFailureTime: 20090904105618Z pwdFailureTime: 20090904105620Z entryDN: uid=chantra,ou=users,dc=example,dc=com subschemaSubentry: cn=Subschema hasSubordinates: FALSE Again, here, we see only 4 pwdFailureTime (the 5th should have locked user ). Output of syslog is in the attached file called: pwdaccountlockout.txt but, the main part might be: Sep 4 12:53:11 lenny32-tpl slapd[4079]: bdb_modify_internal: 0x00000004: uid=chantra,ou=users,dc=example,dc=com Sep 4 12:53:11 lenny32-tpl slapd[4079]: => access_allowed: delete access to "uid=chantra,ou=users,dc=example,dc=com" "pwdAccountLockedTime" requested Sep 4 12:53:11 lenny32-tpl slapd[4079]: => dn: [2] Sep 4 12:53:11 lenny32-tpl slapd[4079]: => acl_get: [3] attr pwdAccountLockedTime Sep 4 12:53:11 lenny32-tpl slapd[4079]: => slap_access_allowed: result not in cache (pwdAccountLockedTime) Sep 4 12:53:11 lenny32-tpl slapd[4079]: => acl_mask: access to entry "uid=chantra,ou=users,dc=example,dc=com", attr "pwdAccountLockedTime" requested Sep 4 12:53:11 lenny32-tpl slapd[4079]: => acl_mask: to all values by "", (=0) Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= check a_dn_pat: cn=admin,dc=example,dc=com Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= check a_dn_pat: * Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= acl_mask: [2] applying read(=rscxd) (stop) Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= acl_mask: [2] mask: read(=rscxd) Sep 4 12:53:11 lenny32-tpl slapd[4079]: => slap_access_allowed: delete access denied by read(=rscxd) Sep 4 12:53:11 lenny32-tpl slapd[4079]: => access_allowed: no more rules Sep 4 12:53:11 lenny32-tpl slapd[4079]: hdb_modify: modify failed (50) Same here, changing: access to * by dn="cn=admin,dc=example,dc=com" write by * read to access to * by dn="cn=admin,dc=example,dc=com" write by * write will write pwdAccountLockedtime, but then, users or even anonymous will get far too much credentials :s I also tried with the settings of openldap-2.4.17/tests/data/slapd-ppolicy.conf, e.g: access to attrs=userpassword by self write by * auth access to * by self write by * read to no avail. Michael mentioned to try 2.4.17 which as changes that might affect pwdLockout (actually, ITS#6168 was because users where locked out while pwdLockout was set to FALSE, AFAICS), to no avail Then, I tried the setting from the archive on Fedora11, and Debian Etch, same issue... There is surely something that I am missing here, but shouldn't pwdAccountLockedTime being handled by the daemon? no access rule should be set ( except the for the fact that the admin user can write/delete it). What rule am I missing here? If needed, I can provide a VMDK of the repro, let me know and I will upload it somewhere. Cheers, chantra > Hi, > > I am having troubles making the ppolicy overlay to prevent password > guessing attacks with pwdLockout with slapd-2.4.11-1 in Debian Lenny. > > I set pwdMaxFailure to 3. In the user object I am testing with, I never get > more than two entries for pwdFailureTime and pwdAccountLockedTime is never > added at all. > > I tracked the problem down to the ACL settings in slapd.conf. With my default > access to * > by dn="cn=admin,dc=example,dc=net" write > by * read > , I get the above result. When I rewrite the last line to "by * write", it works. > > The pwdFailureTime is updated, because it is defined as > NO-USER-MODIFICATION, which bypasses te ACL checks for write. > The problem happens when pwdMaxFailure failed logins are reached, > and ppolicy.c tries to update pwdFailureTime and pwdAccountLockedTime > in a single request. > > How is this supposed to work? > - Shouldn't pwdAccountLockedTime also be defined with NO-USER-MODIFICATION? > > - couldn't the update request in ppolicy.c be executed with higher > privileges? I tried to set up an non-anonymous bind in > pam_ldap but this did not help. > > - is there some recommended ACL setting to grant the necessary privileges so that > ppolicy.c can update pwdAccountLockedTime, but users can't? > I am a splapd newbie, so maybe I don't see something obvious, but in > the log below, I see: "acl_mask: to all values by "", (=0)" -- that > looks like an anonymous bind, right? Allowing write for the > pwdAccountLockedTime attribute to anyone does not seem a good idea ;-) > > > > Thanks for any insight! > > > Jiri > > > > P.S.: some detailed notes from my debugging are attached below: > > I am authenticating with pam-ldap. When I mis-type the password > of a user and do a search on the user object (with a +, to see > the operational attributes), the pwdFailureTime is created. This > is good. > > When I preform the bad login again, I get a second value for > pwdFailureTime. Still good. > > But on the next login, instead of getting a third value for > pwdFailureTime and an updated value for pwdAccountLockedTime, nothing > happens. I put some more debug info into ppolicy_bind_response() like > this: > > ----- > * We only count those failures > * which are not due to expire. > */ > Debug(LDAP_DEBUG_ANY, "xxx: counting pwdFailureTime %i/%d\n", i, fc, 0); > } > } > if ((ppb->pp.pwdMaxFailure > 0) && > (fc >= ppb->pp.pwdMaxFailure - 1)) { > Debug(LDAP_DEBUG_ANY, "xxx: trying to insert pwdAccountLockedTime\n", 0, 0, 0); > ----- > > ... in the logs (with loglevel 65535), I really see: > > ------ > Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 0/1 > Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 1/2 > Aug 8 00:05:42 localhost slapd[15416]: xxx: trying to insert pwdAccountLockedTime > [snip] > Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: delete access to "uid=j.bohac,ou=users,dc=example,dc=net" "pwdAccountLockedTime" requested > Aug 8 00:05:42 localhost slapd[15416]: => acl_get: [2] attr pwdAccountLockedTime > Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: result not in cache (pwdAccountLockedTime) > Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: access to entry "uid=j.bohac,ou=users,dc=example,dc=net", attr "pwdAccountLockedTime" requested > Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: to all values by "", (=0) > Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: cn=admin,dc=example,dc=net > Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: * > Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] applying read(=rscxd) (stop) > Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] mask: read(=rscxd) > Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: delete access denied by read(=rscxd) > Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: no more rules > ------ > !DSPAM:4aa1064790404668414040!

1 1

Bizzar Behaviour from openldap-2.4.16 on Centos
by sysadmin＠shakenbake.net 05 Sep '09

05 Sep '09

Hi, Forgive me if this is an obvious one, as i'm new to openldap. I have setup Openldap 2.4.16 from source with db-4.7.25 on Centos 5.3 x64, running on a VMWARE-ESXI Server. #Installed with following options export CPPFLAGS="-I/usr/local/db-4.7.25/include" export LDFLAGS="-L/usr/local/db-4.7.25/lib -R/usr/local/db-4.7.25/lib" export LD_LIBRARY_PATH="/data/extracted/db-4.7.25/build_unix/.libs/" ./configure --prefix=/usr/local/openldap-2.4.16 make depend make make install ### cd db-4.7.25/build_unix ../dist/configure --prefix=/usr/local/db-4.7.25 make make install ### # The behaviour is very odd, the process appears to start up but doesn't show up in netstat properly and basic ldapadd commands stall after the first entry.Firewall & selinux is turned off. I can't seem to see too many errors? ldapadd -v -W -x -D "cn=admin,dc=labs,dc=example,dc=com,dc=au" -W -f <base ldiff file here> ldap_initialize( <DEFAULT> ) Enter LDAP Password: add dc: labs add o: example add objectClass: top domain adding new entry "dc=labs,dc=example,dc=com,dc=au" ########## QUERY PAUSES HERE ###### #### #tail from syslog with loglevel -1 ### Sep 4 23:50:25 safevm-ldap slapd[2684]: slap_listener_activate(8): Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 busy Sep 4 23:50:25 safevm-ldap slapd[2684]: >>> slap_listener(ldap:///) Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: listen=8, new connection on 14 Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: added 14r (active) listener=(nil) Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 fd=14 ACCEPT from IP=127.0.0.1:48114 (IP=0.0.0.0:389) Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on: Sep 4 23:50:25 safevm-ldap slapd[2684]: Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on: Sep 4 23:50:25 safevm-ldap slapd[2684]: 14r Sep 4 23:50:25 safevm-ldap slapd[2684]: Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: read active on 14 Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Sep 4 23:50:25 safevm-ldap slapd[2684]: connection_get(14) Sep 4 23:50:25 safevm-ldap slapd[2684]: connection_get(14): got connid=3 Sep 4 23:50:25 safevm-ldap slapd[2684]: connection_read(14): checking for input on id=3 Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 do_bind Sep 4 23:50:25 safevm-ldap slapd[2684]: >>> dnPrettyNormal: <cn=admin,dc=labs,dc=example,dc=com,dc=au> Sep 4 23:50:25 safevm-ldap slapd[2684]: <<< dnPrettyNormal: <cn=admin,dc=labs,dc=example,dc=com,dc=au>, <cn=admin,dc=labs,dc=example,dc=com,dc=au> Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 BIND dn="cn=admin,dc=labs,dc=example,dc=com,dc=au" method=128 Sep 4 23:50:25 safevm-ldap slapd[2684]: do_bind: version=3 dn="cn=admin,dc=labs,dc=example,dc=com,dc=au" method=128 Sep 4 23:50:25 safevm-ldap slapd[2684]: ==> bdb_bind: dn: cn=admin,dc=labs,dc=example,dc=com,dc=au Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 BIND dn="cn=admin,dc=labs,dc=example,dc=com,dc=au" mech=SIMPLE ssf=0 Sep 4 23:50:25 safevm-ldap slapd[2684]: do_bind: v3 bind: "cn=admin,dc=labs,dc=example,dc=com,dc=au" to "cn=admin,dc=labs,dc=example,dc=com,dc=au" Sep 4 23:50:25 safevm-ldap slapd[2684]: send_ldap_result: conn=3 op=0 p=3 Sep 4 23:50:25 safevm-ldap slapd[2684]: send_ldap_result: err=0 matched="" text="" Sep 4 23:50:25 safevm-ldap slapd[2684]: send_ldap_response: msgid=1 tag=97 err=0 Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 RESULT tag=97 err=0 text= Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on: Sep 4 23:50:25 safevm-ldap slapd[2684]: Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on: Sep 4 23:50:25 safevm-ldap slapd[2684]: 14r Sep 4 23:50:25 safevm-ldap slapd[2684]: Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: read active on 14 Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Sep 4 23:50:26 safevm-ldap slapd[2684]: connection_get(14) Sep 4 23:50:26 safevm-ldap slapd[2684]: connection_get(14): got connid=3 Sep 4 23:50:26 safevm-ldap slapd[2684]: connection_read(14): checking for input on id=3 Sep 4 23:50:26 safevm-ldap slapd[2684]: conn=3 op=1 do_add Sep 4 23:50:26 safevm-ldap slapd[2684]: conn=3 op=1 do_add: dn (dc=labs,dc=example,dc=com,dc=au) Sep 4 23:50:26 safevm-ldap slapd[2684]: >>> dnPrettyNormal: <dc=labs,dc=example,dc=com,dc=au> Sep 4 23:50:26 safevm-ldap slapd[2684]: <<< dnPrettyNormal: <dc=labs,dc=example,dc=com,dc=au>, <dc=labs,dc=example,dc=com,dc=au> Sep 4 23:50:26 safevm-ldap slapd[2684]: conn=3 op=1 ADD dn="dc=labs,dc=example,dc=com,dc=au" Sep 4 23:50:26 safevm-ldap slapd[2684]: bdb_dn2entry("dc=labs,dc=example,dc=com,dc=au") Sep 4 23:50:26 safevm-ldap slapd[2684]: => bdb_dn2id("dc=labs,dc=example,dc=com,dc=au") Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: activity on: Sep 4 23:50:26 safevm-ldap slapd[2684]: Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on: Sep 4 23:51:21 safevm-ldap slapd[2684]: 14r Sep 4 23:51:21 safevm-ldap slapd[2684]: Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: read active on 14 Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_get(14) Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_get(14): got connid=3 Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_read(14): checking for input on id=3 Sep 4 23:51:21 safevm-ldap slapd[2684]: ber_get_next on fd 14 failed errno=0 (Success) Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_read(14): input error=-2 id=3, closing. Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_closing: readying conn=3 sd=14 for close Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on: Sep 4 23:51:21 safevm-ldap slapd[2684]: Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_close: deferring conn=3 sd=14 cya Craig

2 2

perl module to read ldif
by William Bryan 05 Sep '09

05 Sep '09

I was once told that there is an add on to perl that would allow you to read an ldif just like it was a slapd directory. I guess that calls to ldapsearch get rerouted to search the ldif. Does anyone know the package and/or details. thank you

2 1

Creating Structural Objects Under User Records
by Tim Gustafson 03 Sep '09

03 Sep '09

I'd like to be able to create "sub-objects" inside each user object. So, my account is: uid=tjg,ou=People,dc=soe,dc=ucsc,dc=edu I'd like to be able to create an object like: cn=foo,uid=tjg,ou=People,dc=soe,dc=ucsc,dc=edu This object would be of objectClass "soeDegree", which I've defined as follows: attributetype ( 1.1.2.1.32 NAME 'soeDegreeYear' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributetype ( 1.1.2.1.33 NAME 'soeDegreeType' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributetype ( 1.1.2.1.34 NAME 'soeDegreeDepartment' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributetype ( 1.1.2.1.35 NAME 'soeDegreeThesisTitle' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributetype ( 1.1.2.1.36 NAME 'soeDegreeThesisURL' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) objectclass ( 1.1.2.1.997 NAME 'soeDegree' DESC 'Jack Baskin School of Engineering Degree' SUP top STRUCTURAL MUST ( cn ) MAY ( soeDegreeYear $ soeDegreeType $ soeDegreeDepartment $ soeDegreeThesisTitle $ soeDegreeThesisURL )) However, when I attempt to add the sub-object, the server returns: 0x35 (LDAP_UNWILLING_TO_PERFORM) How can I tell OpenLDAP to allow me to create child objects inside accounts like this? Tim Gustafson Baskin School of Engineering UC Santa Cruz tjg(a)soe.ucsc.edu 831-459-5354

2 2

syncrepl "modified by peer" question
by Robert Hanson 02 Sep '09

02 Sep '09

(verson 2.4.17) This code is in syncrepl.c /* Don't send changed entries back to the originator */ if ( sid == srs->sr_state.sid && srs->sr_state.numcsns ) { Debug( LDAP_DEBUG_SYNC, "Entry %s changed by peer, ignored\n", rs->sr_entry->e_name.bv_val, 0, 0 ); return LDAP_SUCCESS; Can someone explain to me what the intention of this code is? I can read the comment, but it looks to me like the condition for the if is broken. I think it is saying - if (the system id of the modification is "this system") and (there was a sync cookie found at startup) then discard the update The longer I look at this, the less I'm convinced that the condition check matches what the comment says it does. Any comments?

2 1

labeledURI search result objectClass restriction
by Torsten Rehn 02 Sep '09

02 Sep '09

Hi, it appears that a search triggered from a labeledURIObjects search URI can't have any results that are the same objectClass as the triggering object. I had one groupOfNames that was looking for other groups to be added as members. Debugging told me OpenLDAP came up with this when doing the internal search: put_filter: "(&(!(objectClass=groupOfNames))(objectClass=groupOfNames))" while I had of course specified only (objectClass=groupOfNames) as a filter. Can anyone please explain this behavior and/or provide a workaround? Thanks, -- Torsten Rehn

1 0

OpenLDAP client authentication against JDS 6.3.1 server
by Cannon, Andrew C 02 Sep '09

02 Sep '09

Dear list members, I've been fighting with this problem on and off for 6 months now (you can see some of my queries if you Google for me...) and I cannot for the life of me figure out what is going on. We are trying to get a Fedora 9 test box to authenticate against a Solaris 10 (SPARC) Sun Java Directory Server 6.3.1 box using anonymous binding and no SSL (we are on an internal, trusted network). The JDS is running the NIS-to-LDAP script that Sun provide and can get information from the directory. The Fedora box is running OpenLDAP client (version: openldap-clients-2.4.10-2.fc9.x86_64) and can't get any infromation from the directory after I switch to LDAP authentication from NIS authentication using system-config-authentication. NIS on the Fedora box works fine, so it isn't a network issue. An extract from the access log on the server shows the following: [01/Sep/2009:11:11:24 +0100] conn=2618 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.28.1.172:46682 to 172.28.1.173 [01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - BIND dn="" method=128 version=3 [01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="" [01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=dmm))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass" [01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0 [01/Sep/2009:11:11:42 +0100] conn=2618 op=2 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0 [01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closing from 172.28.1.172:46682 - A1 - Client aborted connection - [01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closed. [01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - SRCH base="ou=hosts,dc=example=com" scope=1 filter="(&(objectClass=ipHost)(cn=lin05))" attrs=ALL [01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - SORT cn uid (1) [01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - VLV 0:49999:0:0 1:1 (0) [01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U [01/Sep/2009:11:12:25 +0100] conn=4 op=4167 msgId=4168 - SRCH base="automountkey=userf,automountmapname=auto_home,dc=example,dc=com" scope=0 filter="(objectClass=automount)" attrs=ALL [01/Sep/2009:11:12:25 +0100] conn=4 op=4167 msgId=4168 - RESULT err=0 tag=101 nentries=1 etime=0 [01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - SRCH base="ou=people,dc=example=com" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=254))" attrs=ALL [01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - SORT cn uid (1) [01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - VLV 0:49999:0:0 1:1 (0) [01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U Connection 2618 is from the Fedora box and is unsuccessful. Connection 4 is the NIS-to-LDAP service on the Solaris box and is successful. I have a number of questions, but, chiefly, am I actually using anonymous binding? If I need to set a bind DN, what should it be? Can I modify the search base so that it looks more like the search given in msgid 4168? I'm sorry for the newbie questions (especially about a JDS server) but I am really tearing my hair out over this. I hope some of you can help. Thanks in advance. Andy -- This email contains confidential information. The contents must not be disclosed to anyone else except with the authority of the sender. Unauthorised recipients are requested to maintain this confidentiality and immediately advise the sender of any error or misdirection in transmission. The following notice applies to emails originating in the UK. E-mails sent on behalf of AMEC are sent on behalf of the relevant AMEC company below. These are registered in England and Wales with registered office at Booths Park, Chelford Road, Knutsford, Cheshire WA16 8QZ and number as shown: AMEC plc 01675285, AMEC Group Limited 04612748, AMEC Capital Projects Limited 02804109, AMEC Earth and Environmental UK Limited 04987981, AMEC Nuclear Holdings Limited 03725076, AMEC Nuclear M & O Limited 05664844, AMEC Nuclear UK Limited 01120437, AMEC Nuclear International Limited 03260477, AMEC Nuclear Projects Limited 05664962 and National Nuclear Corporation Limited 02290928 --

1 0

Sycrepl cookie question
by Robert Hanson 01 Sep '09

01 Sep '09

(2.4.17; linux, bdb 4.5 backend; two nodes in a multi-master configuration) When I start up a slapd server, it reads the contextCSN from the database. There are some synchronization issues I'm dealing with (see the email I sent yesterday to this group). The question of the day is, what are the implications if I delete this from the database before I start up? That is: Assume that in a 2-node multi-master scenario, both sides are completely in sync. One of the nodes goes down; assume that the remaining node gets some updates. The down node comes back up. If the down node does not have this synchronization cookie, will it still sync correctly with the other node?

2 1

PADL migration tools / NIS to LDAP
by Ivan De Masi 01 Sep '09

01 Sep '09

Hello, I'm fairly new to LDAP and testing for migration (NIS to LDAP). I found the PADL migration tools http://www.padl.com/OSS/MigrationTools.html which are great and now im testing the export of data-sources to *.ldif files. When exporting the passwd-file for example, I have all system-accounts like "daemon", "bin", "sys", etc. (let's say everything with the uid below 1000) in the ldif file. Do I need this all these accounts in LDAP? I see that there is "krbName" for all exported entrys/accounts. That's good for some services and kerberos, but do I really need *all* system accounts in LDAP? Thanks! Regards, Ivan

1 0

Slow LDAP
by sgmayo＠mail.bloomfield.k12.mo.us 01 Sep '09

01 Sep '09

Is there some way to speed up LDAP? I am guessing this has to do with it searching the database on ldap? This is a new server and my old one did not take that long. It is not as slow if just one or two people are logging in with ldap, but when many login, it seems to bring ldap to a bottle neck, I guess while searching the directory for all the names. There are probably about 1000 users in my LDAP. Is that too large? I assume it isn't since most of the other schools around have AD which is basically Microsoft LDAP if I understand correctly and they have no problems and have many more users than I have. Can multiple schema's in the config file cause this? I know that on my old server I had the following in slapd.conf: core cosine inetorgperson nis samba On my new one it has the above plus: corba duaconf dyngroup java misc openldap ppolicy collective Those were just in there when I installed it so I left them. Should I take them out or would that not have any affect on logins at all? I am guessing that they wont' affect anything and it is more related to some sort of configuration in my ldap configs. Is there something else I need in a config? Here are my configs. slapd.conf include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema include /etc/openldap/schema/samba.schema loglevel -1 sizelimit -1 allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args database bdb suffix "dc=school,dc=bloomfield.k12.mo.us" checkpoint 1024 15 rootdn "cn=Manager,dc=school,dc=bloomfield.k12.mo.us" rootpw ***** directory /var/lib/ldap index objectClass eq index cn,sn,uid,displayName eq,pres,sub index uidNumber,gidNumber eq index memberUid eq index sambaSID,sambaPrimaryGroupSID eq index sambaDomainName eq index default sub database monitor ldap.conf SIZELIMIT 200 HOST 127.0.0.1 10.0.0.5 BASE dc=school,dc=bloomfield.k12.mo.us I have a DB_CONFIG file that contains the following, but not sure if it needs anything else or not: set_cachesize 0 268435456 1 set_lg_regionmax 262144 set_lg_bsize 2097152 Thanks for any info. -- Scott Mayo - System Administrator Bloomfield Schools PH: 573-568-5669 FA: 573-568-4565 Question: Because it reverses the logical flow of conversation. Answer: Why is putting a reply at the top of the message frowned upon?

3 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2009