openldap-technical January 2010

openldap-technical@openldap.org

56 participants
66 discussions

OpenLDAP does not seem to start
by sgmayo＠mail.bloomfield.k12.mo.us 22 Jan '10

22 Jan '10

Everything has been running fine for months. We had a power outage this morning and I restarted my servers and things still seemed to be fine. A bit later network drives could not be reached and so on. I tried restarting LDAP and Samba, but it seems after the LDAP daemon was stopped, it could not restart. I decided to reboot the server just in case and now the server just hangs while starting services. This is a Fedora 10, so I booted with the CD to recovery mode so I could see logs. Here is what my message log looks like. Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)... Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: could not search LDAP server - Server is unavailable Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)... Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)... The 10.0.0.100 and 127.0.0.1 are the same server and is the one that LDAP is sitting on so it is not trying to contact another server with the 10.0.0.100. Is my db corrupted possibly after the electric outage? If so, is there a fix to run on it or will I just have to have a backup of it? Thanks for any info. -- Scott Mayo - System Administrator Bloomfield Schools PH: 573-568-5669 FA: 573-568-4565 Question: Because it reverses the logical flow of conversation. Answer: Why is putting a reply at the top of the message frowned upon?

7 16

olcaccess question
by Alex Samad 22 Jan '10

22 Jan '10

Hi with cn=config if I have dn: olcDatabase={2}hdb,cn=config olcAccess: to * by * read Does this allow read access to the hdb database ie the * in to is a subset of hdb name space ? is it equal to dn: olcDatabase={2}hdb,cn=config olcAccess: to dn.subtree <hdb tree> by * read alex

1 0

cn=Subschema and acl
by Alex Samad 22 Jan '10

22 Jan '10

Hi I was wonder were do I place acl for cn=Subschema as there doesn;t seems to be a db defined for it or is it the same as cn=schmea ? thanks Alex

4 6

Berkley db error.
by Saha, Indranil 21 Jan '10

21 Jan '10

Hi I have taken the openldap 2.4.11 version.My berkley db is 4.5.20 version.When am running the configure--enable-backends script its telling like checking for db.h... yes checking for Berkeley DB major version... 4 checking for Berkeley DB minor version... 5 checking for Berkeley DB link (-ldb-4.5)... yes checking for Berkeley DB version match... no configure: error: Berkeley DB version mismatch But have checked the configure script ,and its allowing berkley version major >=4 and minor >=2 .Can anyone explain then why am getting this error.Its urgent. Regards Indranil

2 2

problem configuring overlay module and cn=config
by Alex Samad 19 Jan '10

19 Jan '10

Hi I am trying to ldapadd dn: olcOverlay={2}unique,olcDatabase={1}hdb,cn=config changetype: modify add: olcunique_uri olcunique_uri: ldap:///?uid?sub but it fails ldap_modify: Undefined attribute type (17) additional info: olcunique_uri: AttributeDescription contains inappropriate characters not sure what is going wrong I tried changing to base64 and using :: Can't seem to find any examples of using unique in cn=config Thanks

2 2

Best objectClass for an LDAP server?
by Jaap Winius 19 Jan '10

19 Jan '10

Hi folks, Busy again with the configuration of my OpenLDAP 2.4.11 test system, which includes Kerberos, SASL and GSSAPI, I now not only have replication working with Kerberos authentication and encryption), but also SASL proxy authorization, which makes chaining possible (chasing referrals on behalf of clients). For proxy authorization to work, I first had to create an LDAP object to represent the DN that the consumer server was authenticating with -- after the name of its Kerberos principal. Here it is in GSSAPI-format: uid=ldap/ldapks2.example.com,cn=gssapi,cn=auth Not wanting to use the person objectClass for this purpose, I used this instead: dn: cn=ldap/ldapks2.example.com,ou=consumers,dc=example,dc=com cn: ldap/ldapks2.example.com objectClass: simpleSecurityObject objectClass: organizationalRole description: LDAP server2 replicator saslAuthzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$ userPassword: {CRYPT}* Does this look like the best solution? It does force me to include a userPassword attribute, for which I use an invalid hash, but otherwise there are no other unnecessary attributes. Still, I wonder if I could do better. Any opinions? Thanks, Jaap

1 0

Verifying refint
by Peter Mogensen 19 Jan '10

19 Jan '10

Hi, I have a large database which I've migrated from slapd 2.3 (bdb) to slapd 2.4.20 (hdb) with: overlay refint refint_attributes member Unfortunately, after the migration I've experienced at least twice where a Group object had members referring to non-existent objects. The migration was done by stopping slapd 2.3, dumping with slapcat and then loading into 2.4.20. So the LDIF and DIT migrated should be ok. Do I have any way checking my database for other occurrences of refint violations, apart from writing a script to traverse an entire LDIF dump? /Peter

1 0

Some openldap 2.4 questions
by Radosław Antoniuk 19 Jan '10

19 Jan '10

Hi, Three quick issues about slapd 2.4. 1. I'm setting up a syncrepl replication. In the process of testing, I had added three syncprov overlays instead of one, and I ended up with: dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig entryUUID: 600b89e6-9317-102e-9872-8714c398f98b creatorsName: cn=admin,cn=config createTimestamp: 20100111160900Z entryCSN: 20100111160900.858973Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20100111160900Z dn: olcOverlay={1}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {1}syncprov olcSpCheckpoint: 20 10 structuralObjectClass: olcSyncProvConfig entryUUID: 600ba142-9317-102e-9873-8714c398f98b creatorsName: cn=admin,cn=config createTimestamp: 20100111160900Z entryCSN: 20100111160900.859584Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20100111160900Z dn: olcOverlay={2}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {2}syncprov olcSpSessionlog: 500 structuralObjectClass: olcSyncProvConfig entryUUID: 600badea-9317-102e-9874-8714c398f98b creatorsName: cn=admin,cn=config createTimestamp: 20100111160900Z entryCSN: 20100111160900.859909Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20100111160900Z The thing is, that I cannot delete any of them because cn=config does not support delete operation. Is this ok to leave it as is? or any workaround to get rid of the unwanted ones? 2. About N-Way replication... What's the best authentication to use? Because RootDN is the admin, and in simple authentication I would store cleartext password in the syncrepl configuration, I'm assuming that the best here would be to use some SASL mech? 3. Assuming a running normal replication(master-slave) with refreshAndPersist, is there any method of checking of the status of the replication? like show slave status in MySQL. I have tested it with cutting the transmission by iptables, and ok, it caught up after reconnection, but the master did not complain at all when the connection was not there... -- Best regards, Radosław Antoniuk

6 13

Auth access for search-based mappings?
by Jaap Winius 18 Jan '10

18 Jan '10

Hi folks, Today I've been using my OpenLDAP v2.4.11 lab setup, the config for which includes MIT Kerberos V, SASL and GSSAPI, to experiment with this feature: 15.2.6. Search-based mappings http://www.openldap.org/doc/admin24/sasl.html#Search-based mappings It doesn't seem to difficult, but it's not really working for me either. In particular, I can't get slapd to search beyond the first of several authz-regexp statements, as shown in the "more complex site" example. Then I noticed this statement at the very end of the section: "Note as well that authz-regexp internal search are subject to access controls. Specifically, the authentication identity must have auth access." It sounds important, but I'm not sure what to do with it. Does it mean all users need auth access to the entire DIT? I tried that, but to no avail. Can someone please explain? Thanks, Jaap

4 8

Translucent with syncrepl to Active Directory
by Pascal Lalonde 15 Jan '10

15 Jan '10

Hello, I'm trying to get syncrepl work from a provider that is configured as a back-ldap to an Active Directory with the translucent overlay. Although the master is also an OpenLDAP, since it uses the back-ldap backend to AD, the entryUUID and entryCSN fields are not present, thus preventing syncrepl from working. But I really only need to replicate the local modifications stored in my translucent (HDB). And doing a slapcat shows that the entryUUID and entryCSN are present in the translucent DB. So I'm wondering if there's a way to tell syncrepl to bother only with entries stored in my hdb, and ignore anything that doesn't have the entryUUID/CSN fields (the fields proxied from AD). I'm getting the following error on the slave: syncrepl_entry: rid=100 entry unchanged, ignored (dc=testdomain,dc=org) do_syncrep2: rid=100 got empty syncUUID with LDAP_SYNC_ADD Server in the example (using OpenLDAP 2.4.11 on Debian Lenny): tst-dc01.testdomain.org = Active Directory ldap.tst.testdomain.org = OpenLDAP master ldap-slave.tst.testdomain.org = OpenLDAP slave Master configuration: --------------------- include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/testdomain.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/ldap moduleload back_ldap moduleload back_hdb moduleload translucent moduleload syncprov TLSCACertificateFile /etc/ssl/certs/testdomainca.pem TLSCertificateFile /etc/ldap/ssl/ldap.tst.testdomain.org.crt TLSCertificateKeyFile /etc/ldap/ssl/ldap.tst.testdomain.org.key TLSVerifyClient never defaultsearchbase "dc=testdomain,dc=org" sizelimit unlimited backend hdb backend ldap database hdb directory /var/lib/ldap suffix "dc=testdomain,dc=org" index objectclass,entryCSN,entryUUID eq rootdn cn=ldaproot,dc=testdomain,dc=org rootpw blah overlay translucent uri "ldap://tst-dc01.testdomain.org" idassert-bind bindmethod=simple binddn="CN=readonly,DC=testdomain,DC=org" credentials="pw" mode=none chase-referrals no rebind-as-user yes lastmod on translucent_strict overlay syncprov syncprov-checkpoint 64 30 syncprov-sessionlog 1024 access to dn.subtree="dc=testdomain,dc=org" by * read Slave configuration: -------------------- include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/testdomain.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/ldap moduleload back_ldap moduleload back_hdb moduleload translucent TLSCACertificateFile /etc/ssl/certs/testdomainca.pem TLSCertificateFile /etc/ldap/ssl/ldap-slave.tst.testdomain.org.crt TLSCertificateKeyFile /etc/ldap/ssl/ldap-slave.tst.testdomain.org.key TLSVerifyClient never defaultsearchbase "dc=testdomain,dc=org" sizelimit unlimited backend hdb backend ldap database hdb directory /var/lib/ldap suffix "dc=testdomain,dc=org" index objectclass,entryCSN,entryUUID eq rootdn cn=ldaproot,dc=testdomain,dc=org rootpw blah syncrepl rid=100 provider=ldaps://ldap.tst.testdomain.org type=refreshAndPersist interval=00:00:15:00 retry="300 20 7200 +" searchbase="dc=testdomain,dc=org" attrs="gecos" schemachecking=off bindmethod=simple binddn="CN=repl,DC=testdomain,DC=org" credentials="pw" overlay translucent uri "ldap://tst-dc01.testdomain.org ldap://tst-dc02.testdomain.org" idassert-bind bindmethod=simple binddn="CN=readonly,DC=testdomain,DC=org" credentials="pw" mode=none chase-referrals no rebind-as-user yes lastmod on translucent_strict access to dn.subtree="dc=testdomain,dc=org" by * read Thanks for any info! -- Pascal

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2010