openldap-technical October 2010

openldap-technical@openldap.org

99 participants
93 discussions

15 Oct '10

Very interesting Quanah. Thanks for the suggestion! On Fri, Oct 15, 2010 at 3:07 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Thursday, October 14, 2010 8:34 AM -0300 Vitor Braga < > vitor.leitebraga(a)gmail.com> wrote: > > Hello! >> >> First sorry if i'm posting in the wrong place, my question is really >> about JNDI, but I decided to post here also if anyone knows. >> > > I would advise you to use a better API than JNDI, it will make your life a > lot easier, and help you avoid a number of known issues with JNDI. You may > want to look at <http://www.unboundid.com/products/ldapsdk/> > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

JNDI + Openldap
by Vitor Braga 15 Oct '10

15 Oct '10

Hello! First sorry if i'm posting in the wrong place, my question is really about JNDI, but I decided to post here also if anyone knows. I'm having trouble using bind() to insert a user in ldap. Every time I enter, it goes with the type "default", think like a Java object, when actually i want to enter it as normal ldap user, with a few more fields, etc.. I realized that those users who are already in ldap, listing them is "uid = user1", "uid = user2," and when I insert it becomes "cn = test1", "cn = test2", with fewer fields that other type. What I would do was to insert a user with those fields that user to "uid = user1" has. I'll post how I'm doing: If something is wrong, feel free to say! Thanks! Attribute cn = new BasicAttribute( "cn", "test" ); Attribute gidNumber = new BasicAttribute( "gidNumber", "999" ); Attribute homeDirectory = new BasicAttribute( "homeDirectory", "/home/users/test" ); Attribute javaContainer = new BasicAttribute( "javaContainer" ); javaContainer.add( new BasicAttribute( "cn", "test" ) ); Attribute objectClass = new BasicAttribute( "objectClass" ); objectClass.add( "top" ); objectClass.add( "person" ); objectClass.add( "organizationalPerson" ); objectClass.add( "inetOrgPerson" ); objectClass.add( "posixAccount" ); objectClass.add( "shadowAccount" ); objectClass.add( "sambaSamAccount" ); objectClass.add( "user" ); Attribute sambaSID = new BasicAttribute( "sambaSID", "S-1-5-21-450180999-1854538958-2124921490-61212" ); Attribute sn = new BasicAttribute( "sn", "test" ); Attribute uidNumber = new BasicAttribute( "uidNumber", "4566" ); Attribute userName = new BasicAttribute( "uid", "test" ); Attribute userPassword = new BasicAttribute( "userPassword", "test123" ); Attributes entry = new BasicAttributes(); entry.put( cn ); entry.put( gidNumber ); entry.put( homeDirectory ); entry.put( javaContainer ); entry.put( objectClass ); entry.put( sambaSID ); entry.put( sn ); entry.put( uidNumber ); entry.put( userName ); entry.put( userPassword ); try{ ctx.bind( "cn=test,ou=Users", entry ); } catch( Exception e ){ e.printStackTrace(); }

2 1

"slapcat" command removes nssov overlay socket
by Sergei Butakov 15 Oct '10

15 Oct '10

Hi, I'm using OpenLDAP-2.4.23 with nssov overlay and nss-pam-ldapd-0.7.10. Command "slapcat" removes nssov overlay socket "/var/run/nslcd/socket" (it shows "strace slapcat"). Can anyone, who also uses nssov overlay, check it? To avoid this, I commented out in contrib/slapd-modules/nssov/nssov.c file from 890 to 894 lines (in nssov_db_close() function). Now the socket exists even if slapd is stopped. But it seems that it does not interfere with anything. -- Regards, Sergei Butakov

2 2

How to configure overlay unique in cn=config
by Jarek 15 Oct '10

15 Oct '10

Hello! I'm trying to configure unique attribue: unique.ldiff: dn: olcOverlay=unique,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcUniqueConfig olcOverlay: unique olcUniqueAttribute: mail ldapadd -v -Y EXTERNAL -H ldapi:/// -f unique.ldiff ldap_initialize( ldapi:///??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 add objectClass: olcOverlayConfig olcUniqueConfig add olcOverlay: unique add olcUniqueAttribute: mail adding new entry "olcOverlay=unique,olcDatabase={1}hdb,cn=config" ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax What I'm doing wrong ? -- Jarek <jarek(a)poczta.srv.pl>

5 5

indirect autofs maps on LDAP
by Khosrow Ebrahimpour 14 Oct '10

14 Oct '10

Hi List, How many levels of indirection can I use in the autofs maps? For example, can I have a setup like this? /net |-- /server1 |-- /foo with a map defined as below: dn: ou=auto.master,ou=automount,dc=example,dc=org objectClass: top objectClass: automountMap ou: auto.master dn: cn=/net,ou=auto.master,ou=automount,dc=example,dc=org objectClass: automount objectClass: top cn: /net automountInformation: ldap:ou=auto.net,ou=automount,dc=example,dc=org -- timeout=7200 --ghost dn: ou=auto.net,ou=automount,dc=example,dc=org objectClass: automountMap ou: auto.net dn: cn=server1,ou=auto.net,ou=automount,dc=example,dc=org objectClass: automount cn: server1 automountInformation: ldap:ou=server1,ou=automount,dc=example,dc=org dn: ou=server1,ou=automount,dc=example,dc=org objectClass: automountMap ou: server1 dn: cn=server1,ou=server1,ou=cmc,ou=automount,dc=example,dc=org objectClass: automount cn: server1 automountInformation: - fstype=nfs,hard,intr,rsize=8192,wsize=8192,nfsvers=3,proto=tcp server1:/data/foo I went ahead and created this setup, but haven't been able to get it to work. Just wondering if this is allowed in autofs-ldap or if my ldap map syntax is somehow incorrect. Thanks, - Khosrow

1 0

ldapsearch complains about DN having invalid syntax, but same DN works in JXplorer
by John Ragan 14 Oct '10

14 Oct '10

When using ldapsearch as follows: ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b "" -s base I get the following after providing my password: ldap_bind: Invalid DN syntax (34) additional info: invalid DN However, if I use this same DN in JXplorer, I am able to authenticate and login just fine. I have checked the DN numerous times and see nothing obviously wrong. I've retyped things from scratch, removed various options, etc. I commented out all entries in ldap.conf, and my current slapd.conf is set up shown on the bottom page. What am I missing? Thanks in advance for any help! ucdata-path ./ucdata include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema pidfile ./run/slapd.pid argsfile ./run/slapd.args # loglevel none IT DOES NOT SEEM TO LIKE loglevel for some reason access to attrs=userPassword by anonymous auth by self write by * none access to * by self write by * none database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret directory ./data index objectClass,cn eq

2 1

auditlog overlay
by Michael Starling 13 Oct '10

13 Oct '10

Hello. I'm trying to implement the auditlog overlay in my openldap setup. I've configured what I think is the right directives in sladp.conf and restarted LDAP without any erros but nothing gets written to the logfile I specify in slapd.conf. Here's the pertinent info from my slapd.conf. Everything else is working as it should but this one has me stumped. RHEL 5.3 openldap-2.3.43-3 slapd.conf # modules available in openldap-servers-overlays RPM package: # moduleload accesslog.la moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la moduleload smbk5pwd.la # moduleload syncprov.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la database bdb overlay auditlog auditlog /var/log/audit.log #Password Policy overlay ppolicy ppolicy_default "cn=Default,ou=Policies,dc=sev,dc=lott" ppolicy_hash_cleartext ppolicy_use_lockout #password sync overlay smbk5pwd

2 1

OpenLDAP + Samba , very poor performance
by Becskei Robert 13 Oct '10

13 Oct '10

Dear List, I have CentOS 5.5 64bit (fully updated) , Samba3 3.5.5-43.el5 (SerNETSamba) , openldap-2.3.43-12.el5_5.2 , nss_ldap-253-25.el5 .My Problem is , If I login to the domain and run a program from the Samba3 Server it's slow , if I login from this same machine but this time to the local account, and then I go to the Samba3 server specify domain admin password when asked for it(only once,when accessing the desired share) and run the same program I'm 2-3x times faster. I've googled a bit, and found another guy was having speed problems when runing programs on a Samba3 server with ldap backend. But I must admit I'm no Openldap expert, if you can please take a look at my config and tell me what is wrong with it, it's probably the ldap part... what I did try sofar stoped openldap , and did a slapindex, and started it again but no help. Bellow are my config files : /etc/samba/smb.conf [global] use sendfile = yes read raw = yes write raw = yes #max xmit = 65535 dead time = 30 getwd cache = yes lock spin time = 200 workgroup = CAPRIOLOBIKE netbios name = PDC-SERVER server string = cfile-server log file = /var/log/samba/log.%m max log size = 50 security = user encrypt passwords = yes # Added by moquist obey pam restrictions = No ldap passwd sync = Yes time server = Yes unix password sync = no # Added by moquist log level = 1 syslog = 0 mangling method = hash2 dos charset = 850 unix charset = ISO8859-1 passwd program = /usr/sbin/smbldap-passwd -u %u username map = /etc/samba/smbusers interfaces = bond0 local master = yes os level = 200 domain master = yes preferred master = yes domain logons = yes logon script = scripts\%m.bat # Added by moquist logon drive = X: logon home = \\%L\home\%U passdb backend = ldapsam:ldap://127.0.0.1/ ldap admin dn = cn=Manager,dc=capriolobike,dc=com ldap suffix = dc=capriolobike,dc=com ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap idmap suffix = ou=Users ldap ssl = off ldap delete dn = Yes # use the smbldap-tools scripts add user script = /usr/sbin/smbldap-useradd -m "%u" delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" logon path = wins support = yes #dns proxy = yes name resolve order = wins bcast hosts #veto oplock files = /*.doc/*.xls/*.mdb/ #============================ Share Definitions ============================== idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 template shell = /bin/false winbind use default domain = no [IPC$] path = /tmp browsable = No [homes] comment = Home Directories valid users = %S browseable = No writable = yes create mask = 0600 directory mask = 0700 [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon guest ok = Yes [profiles] comment = Profile Share path = /var/lib/samba/profiles writeable = yes browseable = No create mode = 0600 directory mode = 0700 [backup1] comment = Private Backup 1 path = /share read only = No create mask = 0777 directory mode = 0777 force create mode = 0777 valid users = denes invalid users = bikeclub oplocks = false level2 oplocks = false [storage3] comment = Public Storage 3 path = /share5 read only = No create mask = 0777 directory mode = 0777 force create mode = 077 invalid users = bikeclub oplocks = false level2 oplocks = false [storage2] comment = Public Storage 2 path = /share2 read only = No create mask = 0777 directory mask = 0777 force create mode = 0777 invalid users = bikeclub oplocks = false level2 oplocks = false [storage] comment = Public Storage path = /share3 read only = No create mask = 0777 directory mode = 0777 force create mode = 0777 invalid users = bikeclub oplocks = false level2 oplocks = false [novosti] comment = Novosti path = /share4 read only = No create mask = 0777 directory mode = 0777 force create mode = 0777 invalid users = bikeclub oplocks = false level2 oplocks = false [drivers1] comment = Drivers 1 path = /drivers1 read only = No create mask = 0777 directory mode = 0777 force create mode = 0777 invalid users = bikeclub oplocks = false level2 oplocks = false [drivers2] comment = Drivers 2 path = /drivers2 read only = No create mask = 0777 directory mode = 0777 force create mode = 0777 invalid users = bikeclub oplocks = false level2 oplocks = false [drivers3] comment = Drivers 3 path = /drivers3 read only = No create mask = 0777 directory mode = 0777 force create mode = 0777 invalid users = bikeclub oplocks = false level2 oplocks = false [K] path = /app_capri read only = No create mask = 0777 directory mode = 0777 force create mode = 0777 invalid users = bikeclub oplocks = true level2 oplocks = true [T] path = /app_kripton read only = No create mask = 0777 directory mask = 0777 force create mode = 0777 invalid users = bikeclub oplocks = true level2 oplocks = true [Q] path = /backuppc/WINGS read only = No create mask = 0777 directory mask = 0777 force create mode = 0777 invalid users = bikeclub oplocks = true level2 oplocks = true /etc/openldap/ldap.conf # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $ # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. HOST 127.0.0.1 BASE dc=capriolobike,dc=com TLS_CACERTDIR /etc/openldap/cacerts /etc/openldap/slapd.conf # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $ # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. HOST 127.0.0.1 BASE dc=capriolobike,dc=com TLS_CACERTDIR /etc/openldap/cacerts [root@pdc-server openldap]# cat slapd.conf # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $ # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/redhat/autofs.schema include /etc/openldap/schema/samba.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/slapd.pid ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=capriolobike,dc=com" rootdn "cn=Manager,dc=capriolobike,dc=com" rootpw my_secret_code # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUID eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub /etc/ldap.conf host 127.0.0.1 base dc=capriolobike,dc=com rootbinddn cn=nssldap,ou=DSA,dc=capriolobike,dc=com timelimit 30 bind_timelimit 30 ssl no pam_password md5 tls_cacertdir /etc/openldap/cacerts bind_policy soft nss_initgroups_ignoreusers ldap /var/lib/ldap/DB_CONFIG # $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.4 2007/12/18 11:51:46 ghenry Exp $ # Example DB_CONFIG file for use with slapd(8) BDB/HDB databases. # # See the Oracle Berkeley DB documentation # <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_co nfig.html> # for detail description of DB_CONFIG syntax and semantics. # # Hints can also be found in the OpenLDAP Software FAQ # <http://www.openldap.org/faq/index.cgi?file=2> # in particular: # <http://www.openldap.org/faq/index.cgi?file=1075> # Note: most DB_CONFIG settings will take effect only upon rebuilding # the DB environment. # one 0.25 GB cache set_cachesize 0 268435456 1 # Data Directory #set_data_dir db # Transaction Log settings set_lg_regionmax 262144 set_lg_bsize 2097152 #set_lg_dir logs # Note: special DB_CONFIG flags are no longer needed for "quick" # slapadd(8) or slapindex(8) access (see their -q option). Sincerely Robert Becskei

1 0

multi-master consumer refresh present problems
by Barry Colston 13 Oct '10

13 Oct '10

I am trying to configure a 2 LDAP directory server system that allows updates to occur (from a user) on server 1 and server 2 with server 1 replicating changes to server 2 via the refresh and persist method of syncrepl. Only a small number of records will be updated by users on server 2 (5,000 records) and the changes will be made only within 2 unique branches of the tree (ounit=system,dc=authentx and permissions=dxy,ounit=permissions,dc=authentx); any records that are updated/added/deleted by users on server 2 must not be replicated to server 1. Replication is one-way from server 1 from server 2. Replication works fine if both the provider and consumer servers are up. The problem I am having occurs when server 2's consumer slapd starts and a refresh present phase occurs (a refresh present phase occurs if changes are made to the provider while the consumer is down and then the provider slapd is bounced (stopped/restarted). In scenario 1, I defined the consumer to replicate everything from the provider. When the refresh present occurs on the consumer, the consumer slapd deletes any records that were previously added by a user at server 2. My understanding is that this is the normal behavior. In scenario 2, I defined the consumer to replicate only certain branches from the provider by specifying a "filter" statement in the "syncrepl" section of the slapd.conf file. When the refresh present occurs on the consumer, the consumer slapd deletes numerous records within some of the branches that were specified in the filter statement. For example, my syncrepl statement is: syncrepl rid=001 provider=ldap://localhost:3891 type=refreshAndPersist retry="30 60 60 +" searchbase="dc=authentx" filter="(|(entrydn:dnSubtreeMatch:=ounit=credentials,dc=authentx) (entrydn:dnSubtreeMatch:=ounit=entities,dc=authentx) (entrydn:dnSubtreeMatch:=permissions=authentx,ounit=permissions,dc=authentx) (entrydn:dnSubtreeMatch:=permissions=hspd12,ounit=permissions,dc=authentx))" scope=sub schemachecking=off bindmethod=simple binddn="cn=xroot,dc=authentx" credentials="SECRET" mirrormode on The consumer slapd did not delete records incorrectly when I tested with a 3,000 record database, but when I tested with a 750,000 record database, when the refresh present occurs on the consumer, the consumer slapd deletes numerous records within some of the branches that were specified in the filter statement (these are deleted by the syncrepl_del_nonpresent() function, based on messages in the slapd log file with sync debug turned on). The 750,000 record database provider has records in the following branches: ounit=credentials,dc=authentx (300,000+ records) ounit=entities,dc=authentx (20,000+ records) permissions=authentx,ounit=permissions,dc=authentx (6 records) permissions=dxy,ounit=permissions,dc=authentx (4,000+ records) permissions=hspd12,ounit=permissions,dc=authentx (50,000+ records) ounit=system,dc=authentx (13 records) After the sync refresh phase occurred on the consumer, the consumer database has records in the following branches: ounit=credentials,dc=authentx (300,000+ records) ounit=entities,dc=authentx (20,000+ records) permissions=authentx,ounit=permissions,dc=authentx (0 records) permissions=dxy,ounit=permissions,dc=authentx (0 records) permissions=hspd12,ounit=permissions,dc=authentx (0 records) ounit=system,dc=authentx (0 records) In scenario 3, I defined the consumer as a multi-master consumer by specifying the "overlay syncprov" section in the slapd.conf file. When a "Refresh Present" phase is performed at a multi-master consumer, objects that were deleted at the provider while the consumer was down are not deleted from the multi-master consumer (if the provider is brought down and back up after the consumer is down). I wrote ITS#6671 for this problem. Does anyone have any suggestions on how I can accomplish my requirements for the 2 servers? Barry Colston

1 0

support for arbitrary PKCS11 pin input method
by Silvan Marco Fin 13 Oct '10

13 Oct '10

Hi! I searched through tls_m.c for means to enter the token PIN for a PKCS11 token. I found a call to PK11_SetPasswordFunc(). The callback is set to tlsm_pin_prompt(), which by itself uses tlsm_get_pin(). tlsm_get_pin() only supports reading the PIN from file or via STDIN. To be usable within any form of gui, there would have to be some method to pass a GUI callback to ask for the PIN. Do you plan on implementing such a feature in the near future or is there a proposed way of setting such a callback method? Kind regards, Silvan

3 4

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2010