openldap-technical January 2010

openldap-technical@openldap.org

56 participants
66 discussions

Standard objectClass for representing web services
by Hung Luu 12 Jan '10

12 Jan '10

Does anyone know of a standard objectClass that is appropriate for representing web services in the directory? I want to represent web services like users in the directory, and assign their DN's to groups for authorization, so I suppose I'm looking for an inetOrgPerson equivalent for web services. Thanks, Hung.

2 2

Multi Master w/ SASL Authentication
by James Dingwall 12 Jan '10

12 Jan '10

Hi, I have been migrating my OpenLDAP 2.3 slapd.conf configuration to a 2.4 slapd.d replacement. Previously I had a single master and two slaves but I have moved it to multi-master with a replicated cn=config and database. I am using Sasl and Heimdal Kerberos with the principles stored in the ldap database. I have managed to almost complete this but I'm now stuck on the following point, I can only get GSSAPI LDAP authentication to work on the host whose name is equal to the value of olcSaslHost. As I have 3 masters and a replicated cn=config this can only be true on one host at a time. i.e. olcSaslHost: ldap1.my.domain ldapsearch -H ldaps://ldap1.my.domain -Y GSSAPI = works ldapsearch -H ldaps://ldap2.my.domain -Y GSSAPI = fails ldapsearch -H ldaps://ldap3.my.domain -Y GSSAPI = fails update olcSaslHost to ldap2.my.domain ldapsearch -H ldaps://ldap1.my.domain -Y GSSAPI = fails ldapsearch -H ldaps://ldap2.my.domain -Y GSSAPI = works ldapsearch -H ldaps://ldap3.my.domain -Y GSSAPI = fails I tried setting olcSaslHost to localhost but then none work so I assume the olcSaslHost value is being used to build a Kerberos principle. Am I missing a trick or do I have to stop replicating cn=config in order to make it work on all 3? I can post configuration files if this will help. Thanks, James This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

1 0

Directory layout help
by Hung Luu 11 Jan '10

11 Jan '10

Hello, Suppose I have the following DN's: inetOrgPerson: [uid=alice,dc=example,dc=com] organizationalRole: [cn=manager,ou=groups,dc=example,dc=com] [cn=supervisor,ou=groups,dc=example,dc=com] locality: [l=phoenix,ou=division,dc=example,dc=com] [l=portland,ou=division,dc=example,dc=com] How can I store in my directory the fact that Alice is a manger at the Phoenix division, but she is only a supervisor at the Portland division? I know group membership is involved here, but what's the best way to represent that group membership to optimize searches such as: Return all the people with a specific role at a specific locality, or return all the roles and localities for a person. -Hung.

4 6

Syncrepl with Kerberos support
by Jaap Winius 11 Jan '10

11 Jan '10

Hi all, Although I know how to configure syncrepl with the "simple" bindmethod, using a clear-text password exchange and clear-text database replication, and I know how to setup an provider server with MIT Kerberos V encryption support, can anyone explain how to configure a consumer so that syncrepl also uses Kerberos? Thanks, Jaap

3 4

Compiling OpenLDAP 2.4.21 on RHEL 5
by Diego Lima 11 Jan '10

11 Jan '10

Hello all, I've recently installed OpenLDAP 2.4.21 on a couple of Debian servers but I ran into problems while trying to install on some RHEL5 servers: checking db.h usability... yes checking db.h presence... yes checking for db.h... yes checking for Berkeley DB major version in db.h... 4 checking for Berkeley DB minor version in db.h... 3 checking if Berkeley DB version supported by BDB/HDB backends... no configure: error: BerkeleyDB version incompatible with BDB/HDB backends It seems that it doesn't like Red Hat's shipped version of Berkeley DB (Version: 4.3.29). I installed it via yum (yum install db4-devel). How can I get around this problem? Thanks a lot, -- Diego Lima

3 2

overlay "syncprov" not found
by Andrew Debenham 11 Jan '10

11 Jan '10

Hello - I am new to LDAP and I'm trying to setup Sync Replication on a Fedora Core 8 system (2.6.23.9-85.fc8). However, when I start the LDAP service, I get the following error message: Checking configuration files for slapd: [FAILED] overlay "syncprov" not found slaptest: bad configuration file! I've searched the archived threads for this group (as well as many others) and wasn't able to find any postings that matched what I'm seeing. If I missed an old post by mistake, I apologize in advance. I've included a copy of my slapd.conf file below. The interesting thing is that when I comment out the following lines, LDAP will start without any issues: overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 This leads me to believe that the issue is with the replication process, but I can't figure out what I'm doing wrong. I've followed the examples given in the OpenLDAP Admin Guide, but it just doesn't seem to want to work for me. Also, in case anyone asks, here are the packages installed on the server in question: openldap-2.3.39-3.fc8 openldap-devel-2.3.39-3.fc8 openldap-servers-2.3.39-3.fc8 openldap-clients-2.3.39-3.fc8 Any information or recommendations to what is happening would be greatly appreciated. Also, please let me know if I need to supply more information. Thanks in advance. - Andy # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema loglevel -1 # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/lib64/openldap # moduleload accesslog.la # moduleload auditlog.la moduleload back_sql.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la moduleload lastmod.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la moduleload syncprov.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=jets,dc=local" write by * none access to * by self write by dn.base="cn=Manager,dc=jets,dc=local" write by * read ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=jets,dc=local" rootdn "cn=Manager,dc=jets,dc=local" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw b0xster rootpw {SSHA}/5PsWrAXNKNKJmhiZAfUPLkMOUcgbtXN # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryUUID,entryCSN eq # Replicas of this database #replogfile /var/lib/ldap/openldap-slave-replog overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 #lastmod on serverID 2 syncrepl rid=002 provider=ldap://10.xx.x.xx type=refreshAndPersist searchbase="dc=jets,dc=local" schemachecking=on bindmethod=simple binddn="cn=mirrormode,dc=jets,dc=local" credentials=mirrormode retry="60 +" #updateref ldap://10.xx.x.xx mirrormode on ________________________________ This email and any attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, the following stipulations govern the use of this information: You may not take any action based upon its contents. You may not copy or show this message or attachments to anyone. You should contact the sender and subsequently delete this message and all attachments. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Special Operations Technology, Incorporated. While antivirus software has been applied, you should perform due diligence to check this email and attachments for the presence of viruses. No warranties or assurances are made in relation to the safety and content of this email and attachments. Special Operations Technology, Incorporated accepts no liability for any damages caused by any virus transmitted by or contained in this email and attachments. No liability is accepted for any consequences arising from this email transmission whatsoever. Special Operations Technology, Incorporated is a premier IT professional services firm focused in the government and law enforcement space.

3 3

OpenLDAP Baseline Security Analyzer
by Inmaculada Bravo 11 Jan '10

11 Jan '10

Hello My name is Inma Bravo, I work at the University of Salamanca (Spain) mainly administrating our OpenLDAP directory. I have done a project called OpenLDAP Baseline Security Analyzer.[1] The project website is written in Spanish and in English. The purpose of this project is to develop a list of criteria that should be taken into account for the initial plan of securing the directory, and to show the most common mistakes that we must try to avoid. It briefly documents the main attacks and threats that we face as directory administrators. It is written to be easy, straightforward, and useful. These criteria are encoded in XML Schema, adhering to OCIL to use the OCIL Interpreter. I presented this project in our technical winter meeting of the institutions that are affiliated with RedIRIS (the Spanish academic and research network) [2], and it was well-received by the technicians. In conclusion, the reason I am writing you is to announce the project and to ask you for suggestions to improve and to correct it. I hope the project will be of your interest. Thanks very much Inmaculada Bravo García [1] http://openldap-bsa.forja.rediris.es/ [2] http://www.rediris.es/

1 0

Problems allowing users to change their own passowrds
by James Hammett 09 Jan '10

09 Jan '10

I know this is an old issue and I've searched on the net and tried those, but haven't had any luck. I'm using openldap 2.3.43. In /etc/openldap/slapd.conf, I have set: access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none (Of course restarted the slapd), but no luck. Insufficient permissions. The logs shows the account binding successfully, but then: vm001 slapd[pid]: => access_allowed: backend default write access denied to "uid=james,ou=Users,o=dallas" The complete logs are below. As a test I even tried giving global write access to the password, but it still doesn't work. (The only one who is able to change a users password is the Directory administrator) General log: ------------ vm001 slapd[pid]: conn=2 fd=17 ACCEPT from IP=127.0.0.1:36479 (IP=0.0.0.0:389) vm001 slapd[pid]: conn=2 op=0 BIND dn="uid=james,ou=users,o=masprt" method=128 vm001 slapd[pid]: conn=2 op=0 BIND dn="uid=james,ou=users,o=masprt" mech=SIMPLE ssf=0 vm001 slapd[pid]: conn=2 op=0 RESULT tag=97 err=0 text= vm001 slapd[pid]: conn=2 op=1 PASSMOD id="uid=james,ou=users,o=masprt" new vm001 slapd[pid]: conn=2 op=2 UNBIND vm001 slapd[pid]: conn=2 op=1 RESULT oid= err=50 text= vm001 slapd[pid]: conn=2 fd=17 closed With Debuging with ACL Listing: -------------------------------- vm001 slapd[pid]: conn=5 fd=16 ACCEPT from IP=127.0.0.1:47612 (IP=0.0.0.0:389) vm001 slapd[pid]: conn=5 op=0 BIND dn="uid=james,ou=users,o=masprt" method=128 vm001 slapd[pid]: => access_allowed: auth access to "uid=james,ou=Users,o=masprt" "userPassword" requested vm001 slapd[pid]: => access_allowed: backend default auth access granted to "(anonymous)" vm001 slapd[pid]: conn=5 op=0 BIND dn="uid=james,ou=Users,o=masprt" mech=SIMPLE ssf=0 vm001 slapd[pid]: conn=5 op=0 RESULT tag=97 err=0 text= vm001 slapd[pid]: conn=5 op=1 PASSMOD id="uid=james,ou=users,o=masprt" new vm001 slapd[pid]: => access_allowed: backend default write access denied to "uid=james,ou=Users,o=masprt" vm001 slapd[pid]: conn=5 op=1 RESULT oid= err=50 text= vm001 slapd[pid]: conn=5 op=2 UNBIND vm001 slapd[pid]: conn=5 fd=16 closed Any help or idea would be appreciated. thanks, James

2 2

refint_repair: dependent modify failed: 16
by Hung Luu 07 Jan '10

07 Jan '10

Hello, I haven't had any luck getting referential integrity to work with OpenLDAP 2.4.19 (and BerkeleyDB 4.8). Neither delete nor modify operations on DN's are triggering referenced member attributes to be removed as expected. I've tried building the overlays statically into the slapd executable and loading the overlays as dynamic modules - neither way worked for me. Thanks in advance for any help you can provide. *Here's my OpenLDAP configure settings:* env CPPFLAGS="-I/opt/BerkeleyDB.4.8/include" LDFLAGS="-L/opt/BerkeleyDB.4.8/lib" ./configure --prefix=/opt/openldap-2.4.19 --with-tls --enable-crypt --enable-syslog --enable-modules --enable-overlays=mod *Here's my slapd.config:* include /opt/openldap-2.4.19/etc/openldap/schema/core.schema include /opt/openldap-2.4.19/etc/openldap/schema/cosine.schema include /opt/openldap-2.4.19/etc/openldap/schema/inetorgperson.schema moduleload refint.la loglevel 16383 database bdb suffix "dc=phoenix,dc=edu" rootdn "cn=Manager,dc=phoenix,dc=edu" rootpw secret directory /opt/openldap-2.4.19/var/openldap-data/phoenix-edu index default eq index cn,uid,member index objectClass eq cachesize 10000 checkpoint 128 15 overlay refint refint_attributes member refint_nothing "cn=Manager" *Here's the syslog entries - starting with the delete operation and ending with the refint error:* Jan 7 10:00:58 localhost slapd[28030]: conn=0 op=37 *do_delete* Jan 7 10:00:58 localhost slapd[28030]: >>> dnPrettyNormal: <l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu> Jan 7 10:00:58 localhost slapd[28030]: <<< dnPrettyNormal: <l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu>, <l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=ed$ Jan 7 10:00:58 localhost slapd[28030]: conn=0 op=37 DEL dn="l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" Jan 7 10:00:58 localhost slapd[28030]: bdb_dn2entry("l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu") Jan 7 10:00:58 localhost slapd[28030]: ==> bdb_delete: l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu Jan 7 10:00:58 localhost slapd[28030]: bdb_dn2entry("l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu") Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: delete access to "ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" "children" requested Jan 7 10:00:58 localhost slapd[28030]: <= root access granted Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: delete access granted by manage(=mwrscxd) Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: delete access to "l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" "entry" requested Jan 7 10:00:58 localhost slapd[28030]: <= root access granted Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: delete access granted by manage(=mwrscxd) Jan 7 10:00:58 localhost slapd[28030]: => bdb_dn2id_delete 0x8: "l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu" Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_delete_key: 8 @l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_delete_key: 8 %ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_delete_key: 8 @ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_delete_key: 8 @l=southwest,ou=regions,dc=phoenix,dc=edu Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_delete_key: 8 @ou=regions,dc=phoenix,dc=edu Jan 7 10:00:58 localhost slapd[28030]: <= bdb_dn2id_delete 0x8: 0 Jan 7 10:00:58 localhost slapd[28030]: => index_entry_del( 8, "l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" ) Jan 7 10:00:58 localhost slapd[28030]: => key_change(DELETE,8) Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_delete_key: 8 [4066d3f2] Jan 7 10:00:58 localhost slapd[28030]: <= key_change 0 Jan 7 10:00:58 localhost slapd[28030]: => key_change(DELETE,8) Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_delete_key: 8 [0096defd] Jan 7 10:00:58 localhost slapd[28030]: <= key_change 0 Jan 7 10:00:58 localhost slapd[28030]: <= index_entry_del( 8, "l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" ) success Jan 7 10:00:58 localhost slapd[28030]: ====> bdb_cache_delete( 8 ) Jan 7 10:00:58 localhost slapd[28030]: daemon: epoll: listen=7 active_threads=0 tvp=zero Jan 7 10:00:58 localhost slapd[28030]: daemon: epoll: listen=8 active_threads=0 tvp=zero Jan 7 10:00:58 localhost slapd[28030]: daemon: activity on 1 descriptor Jan 7 10:00:58 localhost slapd[28030]: bdb_delete: deleted id=00000008 dn="l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" Jan 7 10:00:58 localhost slapd[28030]: send_ldap_result: conn=0 op=37 p=3 Jan 7 10:00:58 localhost slapd[28030]: send_ldap_result: err=0 matched="" text="" Jan 7 10:00:58 localhost slapd[28030]: send_ldap_response: msgid=38 tag=107 err=0 Jan 7 10:00:58 localhost slapd[28030]: conn=0 op=37 RESULT tag=107 err=0 text= Jan 7 10:00:58 localhost slapd[28030]: daemon: activity on: Jan 7 10:00:58 localhost slapd[28030]: Jan 7 10:00:58 localhost slapd[28030]: daemon: epoll: listen=7 active_threads=0 tvp=zero Jan 7 10:00:58 localhost slapd[28030]: daemon: epoll: listen=8 active_threads=0 tvp=zero Jan 7 10:00:58 localhost slapd[28030]: => bdb_search Jan 7 10:00:58 localhost slapd[28030]: bdb_dn2entry("dc=phoenix,dc=edu") Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: search access to "dc=phoenix,dc=edu" "entry" requested Jan 7 10:00:58 localhost slapd[28030]: <= root access granted Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:58 localhost slapd[28030]: search_candidates: base="dc=phoenix,dc=edu" (0x00000001) scope=2 Jan 7 10:00:58 localhost slapd[28030]: => bdb_dn2idl("dc=phoenix,dc=edu") Jan 7 10:00:58 localhost slapd[28030]: => bdb_filter_candidates Jan 7 10:00:58 localhost slapd[28030]: AND Jan 7 10:00:58 localhost slapd[28030]: => bdb_list_candidates 0xa0 Jan 7 10:00:58 localhost slapd[28030]: => bdb_filter_candidates Jan 7 10:00:58 localhost slapd[28030]: OR Jan 7 10:00:58 localhost slapd[28030]: => bdb_list_candidates 0xa1 Jan 7 10:00:58 localhost slapd[28030]: => bdb_filter_candidates Jan 7 10:00:58 localhost slapd[28030]: EQUALITY Jan 7 10:00:58 localhost slapd[28030]: => bdb_equality_candidates (objectClass) Jan 7 10:00:58 localhost slapd[28030]: => key_read Jan 7 10:00:58 localhost slapd[28030]: bdb_idl_fetch_key: [b49d1940] Jan 7 10:00:58 localhost slapd[28030]: <= bdb_index_read: failed (-30988) Jan 7 10:00:58 localhost slapd[28030]: <= bdb_equality_candidates: id=0, first=0, last=0 Jan 7 10:00:58 localhost slapd[28030]: <= bdb_filter_candidates: id=0 first=0 last=0 Jan 7 10:00:58 localhost slapd[28030]: => bdb_filter_candidates Jan 7 10:00:58 localhost slapd[28030]: OR Jan 7 10:00:58 localhost slapd[28030]: => bdb_list_candidates 0xa1 Jan 7 10:00:58 localhost slapd[28030]: => bdb_filter_candidates Jan 7 10:00:58 localhost slapd[28030]: EXT Jan 7 10:00:58 localhost slapd[28030]: <= bdb_filter_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: <= bdb_list_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: <= bdb_filter_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: <= bdb_list_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: <= bdb_filter_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: <= bdb_list_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: <= bdb_filter_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: bdb_search_candidates: id=-1 first=1 last=15 Jan 7 10:00:58 localhost slapd[28030]: => test_filter Jan 7 10:00:58 localhost slapd[28030]: OR Jan 7 10:00:58 localhost slapd[28030]: => test_filter_or Jan 7 10:00:58 localhost slapd[28030]: => test_filter Jan 7 10:00:58 localhost slapd[28030]: EXT Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: search access to "dc=phoenix,dc=edu" "member" requested Jan 7 10:00:58 localhost slapd[28030]: <= root access granted Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:58 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:58 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:58 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:58 localhost slapd[28030]: bdb_search: 1 does not match filter Jan 7 10:00:58 localhost slapd[28030]: => test_filter Jan 7 10:00:58 localhost slapd[28030]: OR Jan 7 10:00:58 localhost slapd[28030]: => test_filter_or Jan 7 10:00:58 localhost slapd[28030]: => test_filter Jan 7 10:00:58 localhost slapd[28030]: EXT Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: search access to "ou=people,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:58 localhost slapd[28030]: <= root access granted Jan 7 10:00:58 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:58 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:58 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:58 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:58 localhost slapd[28030]: bdb_search: 2 does not match filter Jan 7 10:00:58 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "ou=groups,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 3 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "ou=regions,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 4 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "l=Southwest,ou=regions,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 5 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 6 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "l=Phoenix,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 7 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "cn=enc,ou=groups,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 9 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "cn=enm,ou=groups,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 10 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "cn=aac,ou=groups,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 11 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "uid=alice,ou=people,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 12 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "uid=bob,ou=people,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 13 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "cn=enm,uid=alice,ou=people,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: >>> dnNormalize: <l=Southwest,ou=regions,dc=phoenix,dc=edu> Jan 7 10:00:59 localhost slapd[28030]: <<< dnNormalize: <l=southwest,ou=regions,dc=phoenix,dc=edu> Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 5 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 5 Jan 7 10:00:59 localhost slapd[28030]: bdb_search: 14 does not match filter Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: OR Jan 7 10:00:59 localhost slapd[28030]: => test_filter_or Jan 7 10:00:59 localhost slapd[28030]: => test_filter Jan 7 10:00:59 localhost slapd[28030]: EXT Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access to "cn=enc,uid=bob,ou=people,dc=phoenix,dc=edu" "member" requested Jan 7 10:00:59 localhost slapd[28030]: <= root access granted Jan 7 10:00:59 localhost slapd[28030]: => access_allowed: search access granted by manage(=mwrscxd) Jan 7 10:00:59 localhost slapd[28030]: >>> dnNormalize: <l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu> Jan 7 10:00:59 localhost slapd[28030]: <<< dnNormalize: <l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu> Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 6 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter_or 6 Jan 7 10:00:59 localhost slapd[28030]: <= test_filter 6 Jan 7 10:00:59 localhost slapd[28030]: refint_search_cb <cn=enc,uid=bob,ou=people,dc=phoenix,dc=edu> Jan 7 10:00:59 localhost slapd[28030]: refint_search_cb: member: l=Southern Arizona,ou=campuses,l=Southwest,ou=regions,dc=phoenix,dc=edu (#1) Jan 7 10:00:59 localhost slapd[28030]: send_ldap_result: conn=-1 op=0 p=0 Jan 7 10:00:59 localhost slapd[28030]: send_ldap_result: err=0 matched="" text="" Jan 7 10:00:59 localhost slapd[28030]: refint_search_cb <NOTHING> Jan 7 10:00:59 localhost slapd[28030]: bdb_modify: cn=enc,uid=bob,ou=people,dc=phoenix,dc=edu Jan 7 10:00:59 localhost slapd[28030]: bdb_dn2entry("cn=enc,uid=bob,ou=people,dc=phoenix,dc=edu") Jan 7 10:00:59 localhost slapd[28030]: bdb_modify_internal: 0x0000000f: cn=enc,uid=bob,ou=people,dc=phoenix,dc=edu Jan 7 10:00:59 localhost slapd[28030]: <= acl_access_allowed: granted to database root Jan 7 10:00:59 localhost slapd[28030]: bdb_modify_internal: delete member Jan 7 10:00:59 localhost slapd[28030]: dnMatch 0 "l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=edu" "l=southern arizona,ou=campuses,l=southwest,ou=regions,dc=phoenix,dc=e$ Jan 7 10:00:59 localhost slapd[28030]: bdb_modify_internal: replace modifiersName Jan 7 10:00:59 localhost slapd[28030]: bdb_modify_internal: delete member Jan 7 10:00:59 localhost slapd[28030]: bdb_modify_internal: 16 modify/delete: member: no such attribute Jan 7 10:00:59 localhost slapd[28030]: bdb_modify: modify failed (16) Jan 7 10:00:59 localhost slapd[28030]: send_ldap_result: conn=-1 op=0 p=0 Jan 7 10:00:59 localhost slapd[28030]: send_ldap_result: err=16 matched="" text="modify/delete: member: no such attribute" Jan 7 10:00:59 localhost slapd[28030]: *refint_repair: dependent modify failed: 16*

1 0

Error configuring monitor database
by Diego Lima 07 Jan '10

07 Jan '10

Hello all, I'm trying to set up monitoring via slapd.conf according to this guide: http://www.openldap.org/devel/admin/monitoringslapd.html However after setting it up and trying to test it I receive the following error message: root@gilead:/opt/fedora-ds# bin/ldapsearch -x -D "cn=Directory Manager,o=xxx,o=xxx,c=br" -W -b 'cn=monitor' -s base '(objectClass=*)' '*' '+' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=monitor> with scope baseObject # filter: (objectClass=*) # requesting: * + # # search result search: 2 result: 32 No such object # numResponses: 1 This is what I've added to my slapd.conf: database monitor access to * by dn.exact="cn=Directory Manager,o=xxx,o=xxx,c=br" by * none I've restarted slapd after adding the entries above. Is there something else that must be done? Thanks! -- Diego Lima

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2010