OpenLDAP does not seem to start
by sgmayo@mail.bloomfield.k12.mo.us
Everything has been running fine for months. We had a power outage this
morning and I restarted my servers and things still seemed to be fine. A
bit later network drives could not be reached and so on. I tried
restarting LDAP and Samba, but it seems after the LDAP daemon was stopped,
it could not restart. I decided to reboot the server just in case and now
the server just hangs while starting services. This is Fedora 10, so I
booted with the CD into recovery mode so I could see the logs. Here is what my
message log looks like.
Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://127.0.0.1 Can't contact LDAP server
Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://10.0.0.100 Can't contact LDAP server
Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP
server (sleeping 64 seconds)...
Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://127.0.0.1 Can't contact LDAP server
Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://10.0.0.100 Can't contact LDAP server
Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: could not search LDAP
server - Server is unavailable
Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://127.0.0.1 Can't contact LDAP server
Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://10.0.0.100 Can't contact LDAP server
Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP
server (sleeping 4 seconds)...
Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://127.0.0.1 Can't contact LDAP server
Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://10.0.0.100 Can't contact LDAP server
Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP
server (sleeping 8 seconds)...
Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://127.0.0.1 Can't contact LDAP server
Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP
server ldap://10.0.0.100 Can't contact LDAP server
Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP
server (sleeping 16 seconds)...
The 10.0.0.100 and 127.0.0.1 addresses are the same server, and it is the one
that LDAP is sitting on, so it is not trying to contact another server at
10.0.0.100.
Is my DB possibly corrupted after the power outage? If so, is there a
fix to run on it, or will I just have to have a backup of it?
Thanks for any info.
--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565
Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
13 years, 10 months
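The log excerpt above shows the client side of the outage: rpc.statd is blocked inside nss_ldap, which keeps retrying the two URIs with a doubling backoff. The following is an added example (not from the post, and not OpenLDAP or nss_ldap code) that parses such syslog lines to show which processes are stalled and for how long, and then checks an nss_ldap /etc/ldap.conf for the settings that make a host depend on a reachable LDAP server to boot. SAMPLE_LOG is the post's own lines joined back onto single lines; the two ldap.conf snippets, including the base DN in them, are constructed for the example.

```python
"""Added example (not from the post or from OpenLDAP/nss_ldap): triage an nss_ldap
reconnect storm from syslog and check the client-side settings behind it.
SAMPLE_LOG holds the lines quoted in the post above, joined back onto single
lines; the two ldap.conf snippets are constructed for the example.
"""
import re
from collections import defaultdict

# <month> <day> <time> <host> <prog>[<pid>] nss_ldap: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.\-]+)\[(?P<pid>\d+)\]\s+nss_ldap:\s+(?P<msg>.*)$"
)
BIND_FAIL_RE = re.compile(r"failed to bind to LDAP server (?P<uri>\S+)")
SLEEP_RE = re.compile(r"reconnecting to LDAP server \(sleeping (?P<secs>\d+) seconds\)")

SAMPLE_LOG = [
    "Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server",
    "Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server",
    "Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)...",
    "Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server",
    "Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server",
    "Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: could not search LDAP server - Server is unavailable",
    "Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server",
    "Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server",
    "Jan 20 11:29:00 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...",
    "Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server",
    "Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server",
    "Jan 20 11:29:04 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...",
    "Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://127.0.0.1 Can't contact LDAP server",
    "Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: failed to bind to LDAP server ldap://10.0.0.100 Can't contact LDAP server",
    "Jan 20 11:29:12 school1 rpc.statd[1522] nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...",
]

def parse_nss_ldap_events(lines):
    """Structured events for the nss_ldap lines; unrelated syslog lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        fail, sleep = BIND_FAIL_RE.search(ev["msg"]), SLEEP_RE.search(ev["msg"])
        ev["kind"] = "bind_fail" if fail else "sleep" if sleep else "other"
        ev["uri"] = fail.group("uri") if fail else None
        ev["secs"] = int(sleep.group("secs")) if sleep else 0
        events.append(ev)
    return events

def blocked_processes(events, min_total_sleep=30):
    """Per (program, pid): failed URIs, bind failures, seconds spent in nss_ldap's
    backoff, and a 'stalled' flag once that backoff alone exceeds min_total_sleep.
    A boot-time daemon such as rpc.statd stuck here is what makes the boot hang."""
    acc = defaultdict(lambda: {"uris": set(), "fails": 0, "sleep": 0})
    for ev in events:
        st = acc[(ev["prog"], ev["pid"])]
        if ev["kind"] == "bind_fail":
            st["uris"].add(ev["uri"])
            st["fails"] += 1
        elif ev["kind"] == "sleep":
            st["sleep"] += ev["secs"]
    return {key: {"uris": sorted(st["uris"]), "bind_failures": st["fails"],
                  "total_sleep_s": st["sleep"], "stalled": st["sleep"] >= min_total_sleep}
            for key, st in acc.items()}

def check_nss_ldap_conf(conf_text):
    """Findings for a PADL nss_ldap /etc/ldap.conf that let an LDAP outage block
    local accounts and boot-time daemons. An empty list means nothing to flag."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    if settings.get("bind_policy", "hard").lower() == "hard":   # hard is the default
        findings.append("bind_policy hard: lookups retry with exponential backoff "
                        "instead of failing; use 'bind_policy soft' where the host "
                        "must come up without LDAP")
    ignored = {u.strip() for u in settings.get("nss_initgroups_ignoreusers", "").split(",")}
    for user in ("root", "ldap"):
        if user not in ignored:
            findings.append(f"{user} missing from nss_initgroups_ignoreusers: its group "
                            "lookups go to LDAP as well")
    return findings

HARD_CONF = """# constructed example: nss_ldap defaults on the LDAP server itself
uri ldap://127.0.0.1 ldap://10.0.0.100
base dc=school,dc=local
"""
SOFT_CONF = """# constructed example: the same client, hardened against an LDAP outage
uri ldap://127.0.0.1 ldap://10.0.0.100
base dc=school,dc=local
bind_policy soft
bind_timelimit 5
nss_initgroups_ignoreusers root,ldap
"""

if __name__ == "__main__":
    for (prog, pid), st in blocked_processes(parse_nss_ldap_events(SAMPLE_LOG)).items():
        print(f"{prog}[{pid}] {st}")
    for finding in check_nss_ldap_conf(HARD_CONF):
        print("finding:", finding)
```

The server-side question (is the BDB environment corrupt?) is separate from the boot hang: with slapd stopped, `db_recover -h /var/lib/ldap` replays the environment's transaction log, `slapd -Tt` checks the configuration, and running `slapd -d -1` in the foreground shows why the daemon refuses to start.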
olcaccess question
by Alex Samad
Hi
with cn=config
if I have
dn: olcDatabase={2}hdb,cn=config
olcAccess: to *
  by * read
Does this allow read access to the hdb database, i.e. is the * in "to" a
subset of the hdb namespace?
Is it equal to
dn: olcDatabase={2}hdb,cn=config
olcAccess: to dn.subtree <hdb tree>
  by * read
alex
13 years, 10 months
cn=Subschema and acl
by Alex Samad
Hi
I was wondering where I place ACLs for cn=Subschema, as there doesn't seem
to be a db defined for it, or is it the same as cn=schema?
thanks
Alex
13 years, 10 months
Berkeley DB error.
by Saha, Indranil
Hi
I have taken OpenLDAP version 2.4.11. My Berkeley DB is version 4.5.20. When I am running the configure --enable-backends
script, it tells me:
checking for db.h... yes
checking for Berkeley DB major version... 4
checking for Berkeley DB minor version... 5
checking for Berkeley DB link (-ldb-4.5)... yes
checking for Berkeley DB version match... no
configure: error: Berkeley DB version mismatch
But I have checked the configure script, and it allows Berkeley DB major version >= 4 and minor version >= 2. Can anyone explain why I am getting this error? It's urgent.
Regards
Indranil
13 years, 10 months
problem configuring overlay module and cn=config
by Alex Samad
Hi
I am trying to ldapadd
dn: olcOverlay={2}unique,olcDatabase={1}hdb,cn=config
changetype: modify
add: olcunique_uri
olcunique_uri: ldap:///?uid?sub
but it fails
ldap_modify: Undefined attribute type (17)
additional info: olcunique_uri: AttributeDescription contains
inappropriate characters
Not sure what is going wrong; I tried changing to base64 and using ::
I can't seem to find any examples of using unique in cn=config.
Thanks
13 years, 10 months
Best objectClass for an LDAP server?
by Jaap Winius
Hi folks,
Busy again with the configuration of my OpenLDAP 2.4.11 test system,
which includes Kerberos, SASL and GSSAPI, I now not only have
replication working (with Kerberos authentication and encryption), but
also SASL proxy authorization, which makes chaining possible (chasing
referrals on behalf of clients).
For proxy authorization to work, I first had to create an LDAP object
to represent the DN that the consumer server was authenticating with,
named after its Kerberos principal. Here it is in GSSAPI format:
uid=ldap/ldapks2.example.com,cn=gssapi,cn=auth
Not wanting to use the person objectClass for this purpose, I used
this instead:
dn: cn=ldap/ldapks2.example.com,ou=consumers,dc=example,dc=com
cn: ldap/ldapks2.example.com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP server2 replicator
saslAuthzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$
userPassword: {CRYPT}*
Does this look like the best solution? It does force me to include a
userPassword attribute, for which I use an invalid hash, but otherwise
there are no other unnecessary attributes. Still, I wonder if I could
do better.
Any opinions?
Thanks,
Jaap
13 years, 10 months
Verifying refint
by Peter Mogensen
Hi,
I have a large database which I've migrated from slapd 2.3 (bdb) to
slapd 2.4.20 (hdb) with:
overlay refint
refint_attributes member
Unfortunately, after the migration I've experienced at least twice that
a Group object had members referring to non-existent objects.
The migration was done by stopping slapd 2.3, dumping with slapcat and
then loading into 2.4.20. So the LDIF and DIT migrated should be OK.
Do I have any way of checking my database for other occurrences of refint
violations, apart from writing a script to traverse an entire LDIF dump?
/Peter
13 years, 10 months
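The script the post would rather avoid is short enough to show. The following is an added example (not from the post or from OpenLDAP) that reads a slapcat dump with a minimal LDIF parser and reports every member-style value naming a DN that is absent from the dump. The LDIF it runs on is constructed for the example; the entry names in it are made up. It goes slightly beyond the post's case by handling folded lines, base64 values and DNs written with different case or spacing, since a dump of a large database will contain all three.

```python
"""Added example (not from the post or from OpenLDAP): scan a slapcat LDIF dump for
DN-valued attributes that point at entries the dump does not contain, i.e. the
dangling references slapo-refint is meant to prevent. The LDIF below is
constructed for the example; run the same functions on your own dump.
"""
import base64
import re

# Attributes whose values are DNs and that refint is usually configured for.
DN_VALUED = ("member", "uniqueMember", "owner", "seeAlso", "manager")

def parse_ldif(text):
    """Minimal LDIF reader returning [(dn, {attr: [values]})].
    Handles folded lines (leading space), comments and base64 '::' values.
    Attribute options (attr;binary) and ':<' URL values are kept verbatim."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # unfold continuation line
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:           # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line; ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries

def normalize_dn(dn):
    """Enough normalization to compare DNs that were typed differently: fold case
    and drop whitespace around RDN separators. Escaped characters are not handled."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def refint_violations(entries, attrs=DN_VALUED):
    """Return [(entry_dn, attribute, value)] for values naming a DN absent from the
    dump. Only the attributes listed in 'attrs' are inspected."""
    known = {normalize_dn(dn) for dn, _ in entries}
    wanted = {a.lower() for a in attrs}
    return [(dn, attr, v)
            for dn, attr_map in entries
            for attr, values in attr_map.items() if attr.lower() in wanted
            for v in values if normalize_dn(v) not in known]

# Constructed dump: alice and bob exist, carol and dave do not. alice's DN is folded,
# bob's is written with different case and spacing, dave's is base64-encoded as
# slapcat emits values it cannot print safely.
SAMPLE_LDIF = f"""dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example
dc: example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,
 dc=example,dc=com
member: UID=Bob, OU=people, DC=example, DC=com
member: uid=carol,ou=people,dc=example,dc=com
member:: {base64.b64encode(b'uid=dave,ou=people,dc=example,dc=com').decode()}
"""

if __name__ == "__main__":
    for dn, attr, value in refint_violations(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {attr} -> {value} (no such entry)")
```

Dump with `slapcat -l dump.ldif` and feed the file to `parse_ldif`. Note that slapo-refint acts on delete and modrdn operations that pass through slapd; `slapadd` loads entries without running them, so any reference that was already dangling in the 2.3 dump survives the migration untouched, which is consistent with what the post observed.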
Some openldap 2.4 questions
by Radosław Antoniuk
Hi,
Three quick issues about slapd 2.4.
1. I'm setting up a syncrepl replication. In the process of testing, I had
added three syncprov overlays instead of one, and I ended up with:
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
structuralObjectClass: olcSyncProvConfig
entryUUID: 600b89e6-9317-102e-9872-8714c398f98b
creatorsName: cn=admin,cn=config
createTimestamp: 20100111160900Z
entryCSN: 20100111160900.858973Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100111160900Z
dn: olcOverlay={1}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 20 10
structuralObjectClass: olcSyncProvConfig
entryUUID: 600ba142-9317-102e-9873-8714c398f98b
creatorsName: cn=admin,cn=config
createTimestamp: 20100111160900Z
entryCSN: 20100111160900.859584Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100111160900Z
dn: olcOverlay={2}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {2}syncprov
olcSpSessionlog: 500
structuralObjectClass: olcSyncProvConfig
entryUUID: 600badea-9317-102e-9874-8714c398f98b
creatorsName: cn=admin,cn=config
createTimestamp: 20100111160900Z
entryCSN: 20100111160900.859909Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100111160900Z
The thing is, that I cannot delete any of them because cn=config does not
support delete operation.
Is this ok to leave it as is? or any workaround to get rid of the unwanted
ones?
2. About N-Way replication... What's the best authentication to use? Because
RootDN is the admin, and in simple authentication I would store cleartext
password in the syncrepl configuration, I'm assuming that the best here
would be to use some SASL mech?
3. Assuming a running normal replication (master-slave) with
refreshAndPersist, is there any method of checking the status of the
replication, like SHOW SLAVE STATUS in MySQL? I have tested it by cutting
the transmission with iptables, and OK, it caught up after reconnection, but
the master did not complain at all while the connection was not there...
--
Best regards,
Radosław Antoniuk
13 years, 10 months
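For the third question above, the closest thing to SHOW SLAVE STATUS is comparing the contextCSN the provider and the consumer each report for the replicated suffix. The following is an added example (not from the post or from OpenLDAP) that parses CSNs in the format the post's entryCSN values use and reports, per serverID, whether the consumer is caught up, behind, or has never seen that server's changes. The CSN strings are constructed for the example.

```python
"""Added example (not from the post or from OpenLDAP): check syncrepl progress by
comparing the contextCSN values a provider and a consumer report for the
replicated suffix. The CSN strings are constructed in the format the post
shows (entryCSN: 20100111160900.858973Z#000000#000#000000).
"""
import re
from datetime import datetime, timezone

# <UTC time>.<microseconds>Z#<change count>#<server id>#<modification count>
CSN_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<us>\d{6})Z#(?P<count>[0-9a-f]{6})#(?P<sid>[0-9a-f]{3})#(?P<mod>[0-9a-f]{6})$",
    re.IGNORECASE,
)

def parse_csn(csn: str) -> dict:
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    when = datetime.strptime(m["ts"] + m["us"], "%Y%m%d%H%M%S%f").replace(tzinfo=timezone.utc)
    return {"time": when, "count": int(m["count"], 16), "sid": int(m["sid"], 16),
            "mod": int(m["mod"], 16), "raw": csn.strip()}

def replication_lag(provider_csns, consumer_csns) -> dict:
    """Compare the contextCSN sets of a provider and a consumer.
    With N-way multimaster there is one contextCSN per serverID; the consumer is
    caught up for a serverID when its CSN is not older than the provider's."""
    prov = {c["sid"]: c for c in map(parse_csn, provider_csns)}
    cons = {c["sid"]: c for c in map(parse_csn, consumer_csns)}
    status = {}
    for sid, p in prov.items():
        c = cons.get(sid)
        if c is None:
            status[sid] = {"state": "missing", "lag_s": None}
        elif (c["time"], c["count"]) >= (p["time"], p["count"]):
            status[sid] = {"state": "in_sync", "lag_s": 0.0}
        else:
            status[sid] = {"state": "behind", "lag_s": (p["time"] - c["time"]).total_seconds()}
    for sid in cons.keys() - prov.keys():
        status[sid] = {"state": "unknown_to_provider", "lag_s": None}
    return status

# Constructed values, as 'ldapsearch -s base -b <suffix> contextCSN' returns them.
PROVIDER_CSNS = [
    "20100111160900.858973Z#000000#001#000000",
    "20100111161000.000000Z#000000#002#000000",
    "20100111155000.000000Z#000000#003#000000",
]
CONSUMER_CSNS = [
    "20100111160900.858973Z#000000#001#000000",   # serverID 1: caught up
    "20100111160830.000000Z#000000#002#000000",   # serverID 2: 90 s behind
]                                                  # serverID 3: never received

if __name__ == "__main__":
    for sid, st in sorted(replication_lag(PROVIDER_CSNS, CONSUMER_CSNS).items()):
        print(f"serverID {sid:03x}: {st['state']:18} lag={st['lag_s']}")
```

contextCSN is an operational attribute of the suffix entry, so read it with a base-scope search on each server (`ldapsearch -H ldap://host -b <suffix> -s base contextCSN`) and feed both answers in. With refreshAndPersist the provider has nothing to report when the link drops; the consumer's `retry` setting drives reconnection, which is why polling the two CSNs and alerting when the consumer stays behind for longer than its retry interval is the practical monitor.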
Auth access for search-based mappings?
by Jaap Winius
Hi folks,
Today I've been using my OpenLDAP v2.4.11 lab setup, the config for
which includes MIT Kerberos V, SASL and GSSAPI, to experiment with
this feature:
15.2.6. Search-based mappings
http://www.openldap.org/doc/admin24/sasl.html#Search-based mappings
It doesn't seem too difficult, but it's not really working for me
either. In particular, I can't get slapd to search beyond the first of
several authz-regexp statements, as shown in the "more complex site"
example. Then I noticed this statement at the very end of the section:
"Note as well that authz-regexp internal search are subject
to access controls. Specifically, the authentication identity
must have auth access."
It sounds important, but I'm not sure what to do with it. Does it mean
all users need auth access to the entire DIT? I tried that, but to no
avail.
Can someone please explain?
Thanks,
Jaap
13 years, 10 months
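Both this post and the earlier "Best objectClass for an LDAP server?" post turn on the same two mechanisms: authz-regexp rewriting a SASL/GSSAPI authentication DN such as uid=ldap/ldapks2.example.com,cn=gssapi,cn=auth into an authorization DN or an internal search, and a saslAuthzTo regex deciding which DNs that identity may then act as. The following is an added example (not from either post or from OpenLDAP) that models both in Python so the rule ordering and the effect of the regex anchors can be checked offline. The rule set, the ou=consumers DN and the inetOrgPerson filter are constructed for the example; matching is done case-insensitively as an approximation of slapd's DN normalization.

```python
"""Added example (not from the posts or from OpenLDAP): model how slapd turns a
SASL/GSSAPI authentication DN into an authorization DN (authz-regexp) and how a
saslAuthzTo value gates proxy authorization. Rules and DNs are constructed
around the uid=...,cn=gssapi,cn=auth and saslAuthzTo values in the two posts;
case-insensitive matching approximates slapd's DN normalization.
"""
import re
from typing import Optional

def _slapd_repl_to_python(replace: str) -> str:
    """slapd writes back-references as $1..$9; Python's Match.expand wants \\1."""
    return re.sub(r"\$(\d)", r"\\\1", replace)

def apply_authz_regexp(rules, authc_dn: str) -> Optional[str]:
    """rules: [(match, replace)] in slapd.conf order ('authz-regexp <match> <replace>').
    As in slapd, the first rule whose regex matches wins and later rules are not
    tried; an unanchored pattern matches anywhere in the DN (regexec semantics).
    Returns the rewritten DN or ldap:/// search URL, or None when nothing matches."""
    for match, replace in rules:
        m = re.search(match, authc_dn, re.IGNORECASE)
        if m:
            return m.expand(_slapd_repl_to_python(replace))
    return None

def authz_allowed(sasl_authz_to, target_dn: str) -> bool:
    """Evaluate saslAuthzTo values on the authenticated entry against the DN the
    client asks to act as. Supports the dn.exact: and dn.regex: forms; anything
    else is treated as no match."""
    for rule in sasl_authz_to:
        if rule.startswith("dn.exact:"):
            if rule[len("dn.exact:"):].strip().lower() == target_dn.strip().lower():
                return True
        elif rule.startswith("dn.regex:"):
            if re.search(rule[len("dn.regex:"):].strip(), target_dn, re.IGNORECASE):
                return True
    return False

# Constructed rule set. The host-principal rule comes first so a consumer's
# service principal is not swallowed by the generic user rule (first match wins).
RULES = [
    ("^uid=([^,/]+/[^,]+),cn=gssapi,cn=auth$", "cn=$1,ou=consumers,dc=example,dc=com"),
    ("^uid=([^,]+),cn=gssapi,cn=auth$", "uid=$1,ou=users,dc=example,dc=com"),
]
# A search-based mapping: slapd runs this search internally as the authenticating
# identity, which is why that identity needs auth access to the searched entries.
SEARCH_RULES = [
    ("^uid=([^,]+),cn=gssapi,cn=auth$",
     "ldap:///ou=users,dc=example,dc=com??sub?(&(uid=$1)(objectClass=inetOrgPerson))"),
]
STRICT_AUTHZ_TO = ["dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$"]
LOOSE_AUTHZ_TO = ["dn.regex:uid=.*,ou=users,dc=example,dc=com"]   # no anchors, no [^,]

def demo() -> dict:
    """Constructed walk-through; returns the results so they can be inspected."""
    return {
        "consumer": apply_authz_regexp(RULES, "uid=ldap/ldapks2.example.com,cn=GSSAPI,cn=auth"),
        "user": apply_authz_regexp(RULES, "uid=jaap,cn=gssapi,cn=auth"),
        "unmapped": apply_authz_regexp(RULES, "cn=anonymous"),
        "search": apply_authz_regexp(SEARCH_RULES, "uid=jaap,cn=gssapi,cn=auth"),
        "strict_ok": authz_allowed(STRICT_AUTHZ_TO, "uid=jaap,ou=users,dc=example,dc=com"),
        "strict_nested": authz_allowed(STRICT_AUTHZ_TO, "uid=x,ou=admins,ou=users,dc=example,dc=com"),
        "loose_nested": authz_allowed(LOOSE_AUTHZ_TO, "uid=x,ou=admins,ou=users,dc=example,dc=com"),
        "loose_prefixed": authz_allowed(LOOSE_AUTHZ_TO, "cn=root,uid=x,ou=users,dc=example,dc=com"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The two LOOSE results are the security caveat: a saslAuthzTo regex without `^`/`$` and with `.*` instead of `[^,]*` lets the replicator assume DNs under ou=admins or DNs with an extra RDN in front, so the anchored form the earlier post uses is the one to keep. The "search" result is the internal search the admin guide's note refers to: it runs as the authenticating identity, so that identity, not every user, needs auth access to the entries the URL selects.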
Translucent with syncrepl to Active Directory
by Pascal Lalonde
Hello,
I'm trying to get syncrepl work from a provider that is configured as a
back-ldap to an Active Directory with the translucent overlay. Although
the master is also an OpenLDAP, since it uses the back-ldap backend to
AD, the entryUUID and entryCSN fields are not present, thus preventing
syncrepl from working.
But I really only need to replicate the local modifications stored in my
translucent (HDB). And doing a slapcat shows that the entryUUID and
entryCSN are present in the translucent DB. So I'm wondering if there's
a way to tell syncrepl to bother only with entries stored in my hdb, and
ignore anything that doesn't have the entryUUID/CSN fields (the fields
proxied from AD).
I'm getting the following error on the slave:
syncrepl_entry: rid=100 entry unchanged, ignored (dc=testdomain,dc=org)
do_syncrep2: rid=100 got empty syncUUID with LDAP_SYNC_ADD
Server in the example (using OpenLDAP 2.4.11 on Debian Lenny):
tst-dc01.testdomain.org = Active Directory
ldap.tst.testdomain.org = OpenLDAP master
ldap-slave.tst.testdomain.org = OpenLDAP slave
Master configuration:
---------------------
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/testdomain.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_ldap
moduleload back_hdb
moduleload translucent
moduleload syncprov
TLSCACertificateFile /etc/ssl/certs/testdomainca.pem
TLSCertificateFile /etc/ldap/ssl/ldap.tst.testdomain.org.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.tst.testdomain.org.key
TLSVerifyClient never
defaultsearchbase "dc=testdomain,dc=org"
sizelimit unlimited
backend hdb
backend ldap
database hdb
directory /var/lib/ldap
suffix "dc=testdomain,dc=org"
index objectclass,entryCSN,entryUUID eq
rootdn cn=ldaproot,dc=testdomain,dc=org
rootpw blah
overlay translucent
uri "ldap://tst-dc01.testdomain.org"
idassert-bind bindmethod=simple
    binddn="CN=readonly,DC=testdomain,DC=org"
    credentials="pw"
    mode=none
chase-referrals no
rebind-as-user yes
lastmod on
translucent_strict
overlay syncprov
syncprov-checkpoint 64 30
syncprov-sessionlog 1024
access to dn.subtree="dc=testdomain,dc=org"
    by * read
Slave configuration:
--------------------
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/testdomain.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_ldap
moduleload back_hdb
moduleload translucent
TLSCACertificateFile /etc/ssl/certs/testdomainca.pem
TLSCertificateFile /etc/ldap/ssl/ldap-slave.tst.testdomain.org.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap-slave.tst.testdomain.org.key
TLSVerifyClient never
defaultsearchbase "dc=testdomain,dc=org"
sizelimit unlimited
backend hdb
backend ldap
database hdb
directory /var/lib/ldap
suffix "dc=testdomain,dc=org"
index objectclass,entryCSN,entryUUID eq
rootdn cn=ldaproot,dc=testdomain,dc=org
rootpw blah
syncrepl rid=100
    provider=ldaps://ldap.tst.testdomain.org
    type=refreshAndPersist
    interval=00:00:15:00
    retry="300 20 7200 +"
    searchbase="dc=testdomain,dc=org"
    attrs="gecos"
    schemachecking=off
    bindmethod=simple
    binddn="CN=repl,DC=testdomain,DC=org"
    credentials="pw"
overlay translucent
uri "ldap://tst-dc01.testdomain.org
    ldap://tst-dc02.testdomain.org"
idassert-bind bindmethod=simple
    binddn="CN=readonly,DC=testdomain,DC=org"
    credentials="pw"
    mode=none
chase-referrals no
rebind-as-user yes
lastmod on
translucent_strict
access to dn.subtree="dc=testdomain,dc=org"
    by * read
Thanks for any info!
--
Pascal
13 years, 10 months