openldap-technical February 2010

openldap-technical@openldap.org

59 participants
64 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

tls private key
by Alex Samad 25 Mar '10

25 Mar '10

Hi I am setting up my sync repl to use certificates, my problem is I don't want to leave my private key for the server un encrypted. the file pointed to by TLSCertificateKeyFile is is just read at slapd load up time, ie can i unencrypt the file start slapd and then remove the un encrypted file ? Alex

4 5

OpenLdap mirrormode cluster with 2 slaves.
by Jan Hugo Prins 04 Mar '10

04 Mar '10

Hello, I have the following setup that gives me some issues at the moment. I have 2 servers running Fedora 10 with OpenLDAP 2.4.19 that are running in Mirrormode. The sync between those 2 servers works just fine. Besides that we have 2 frontend servers that rely heavily on ldap for mail delivery and mail transfers. To make this workable we thought about creating a readonly replica on these servers and tell the sendmail to use the local ldap as primary. When we had an old version on these servers (I think 2.4.12) everything worked fine. We now upgraded all servers to 2.4.19 and the configuration moved to slapd.d format, and now it looks like those 2 servers don't see the updates on the mirrormode backend anymore. I have to following config's, this was from before the migration to slapd.d: ================== master 1 ================== overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 3 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://server2:389 type=refreshAndPersist retry="60 10 300 +" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password mirrormode on ================== master 2 ================== overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 4 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://server1:389 type=refreshAndPersist retry="60 10 300 +" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password mirrormode on =================== slaves =================== overlay syncprov syncprov-checkpoint 100 10 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://ldap:389 type=refreshOnly retry="60 1 120 1" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password updateref ldap://ldap.svc.be.nl:389 updateref ldap://ldap.lan.domain.com:389 ============================================ When I empty the DIT on a slave and start it again it gets the full DIT just fine and I checked this. But after that it is not updated anymore. Does anyone see here some obvious things I'm missing in these slave or master configs? Thanks a lot, Jan Hugo Prins

1 2

OpenLDAP client configuration with CentOS 5.3
by Cool The Breezer 01 Mar '10

01 Mar '10

Hi All, We have a dedicated LDAP server and I would like to configure OpenLDAP client in our linux boxes running on centOS 5.3. I have installed openldap client and changed /etc/openldap/ldap.conf with folllowing info BASE dc=my, dc=net URI ldap://10.122.12.13 But when I try to run ldapsearch, I get following error SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: The objective is anybody having ldap id can login to linux box. At present, I am manually creating individual ids which we want to integrate with LDAP authentication. I would appreciate your help - RB

6 19

Nssov Problem Since 2.4.19
by Chris Breneman 28 Feb '10

28 Feb '10

Hi, For the last few days, I've been trying to get nssov to work. I've mainly been working with OpenLDAP 2.4.21, but this issue is present in all releases since and including 2.4.19. It works fine in 2.4.18. Everything compiles fine as expected, and the module loads (it seems), but when I try to add configuration for the module with ldapadd, I get this error: ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcOverlay> handler exited with 1 Using the same build instructions, configuration, and everything, 2.4.18 works without this error. Some more details are below. I'd try to fix it myself, but I don't really know where to start. I'd appreciate it if someone could point me in the right direction. Thanks, Chris Breneman More details: Process for building OpenLDAP (done as root): cd openldap-2.4.21 ./configure --enable-modules --enable-overlays make depend make -j2 make install cd contrib/slapd-modules/nssov/nss-ldapd ./configure # Make complains about missing something unless ./configure is executed in nss-ldapd first cd .. make make install libtool --finish /usr/local/lib # As per instructions from the make output Relevant slapd configuration: dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/libexec/openldap olcModuleLoad: /usr/local/libexec/openldap/nssov.la Listing of modules: $ ls /usr/local/libexec/openldap/ nssov.a nssov.la nssov.so nssov.so.0 nssov.so.0.0.0 Command to add nssov configuration: ldapadd -H ldap://localhost -x -D 'cn=config' -w <password> LDIF for nssov configuration: dn: olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcNssOvConfig olcOverlay: {0}nssov olcNssSsd: passwd ldap:///ou=people,dc=cluenet,dc=org??one ldapadd output: adding new entry "olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcOverlay> handler exited with 1 Relevant output from running slapd with -d -1 on startup: loaded module /usr/local/libexec/openldap/nssov.la module /usr/local/libexec/openldap/nssov.la: null module registered Relevant output from running slapd with -d -1 on ldapadd command: >>> dnPrettyNormal: <olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config> => ldap_bv2dn(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config,0) <= ldap_bv2dn(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config)=0 <<< dnPrettyNormal: <olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config>, <olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config> conn=1000 op=1 ADD dn="olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config" => access_allowed: add access to "olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config" "entry" requested <= root access granted => access_allowed: add access granted by manage(=mwrscxd) <= acl_access_allowed: granted to database root oc_check_required entry (olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config), objectClass "olcNssOvConfig" oc_check_allowed type "objectClass" oc_check_allowed type "olcOverlay" oc_check_allowed type "olcNssSsd" oc_check_allowed type "structuralObjectClass" slap_queue_csn: queing 0xb5d52ab2 20100228195617.582000Z#000000#000#000000 => access_allowed: add access to "olcDatabase={1}bdb,cn=config" "children" requested <= root access granted => access_allowed: add access granted by manage(=mwrscxd) olcOverlay: value #0: <olcOverlay> handler exited with 1! send_ldap_result: conn=1000 op=1 p=3 send_ldap_result: err=80 matched="" text="<olcOverlay> handler exited with 1" send_ldap_response: msgid=2 tag=105 err=80

2 2

RE: Trouble with memberOf Overlay
by masarati＠aero.polimi.it 28 Feb '10

28 Feb '10

> > I thank you for your response, but I'm not exactly certian I understand. > This is a new LDAP install and a everything is fresh. I am not working > with an existing database. Are you saying I should move the > configurations that is specific to the memberOf overlay to the top of my > db.ldif config file? Please reply to the mailing list, not to me directly. No, I'm not saying anything like that. Since yours is a fresh setup, then your error (or the bug) must be somewhere else. I have no clue at the moment; replying to the list might allow someone not as clueless to provide support. p.

1 0

Trouble with memberOf Overlay
by Bill Keirskie 28 Feb '10

28 Feb '10

I was looking through list archives and a few weeks ago, someone posted some configurations for the memberOf overlay. I modified the configurations slightly and it looks like everything is installed (with no errors) and working, but when run an ldapsearch, it does not return the memberOf. Below is the install and configuration method. Any guidance on what to change or error logs to look at? Thx Bill ##MY RESULTS## server-1# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=example,dc=com memberOf SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 version: 1 dn: uid=test1,ou=People,dc=example,dc=com ##INSTALL AND CONFIG## sudo apt-get -y install slapd ldap-utils cd /etc/ldap sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif sudo vi db.ldif # Load dynamic backend modules dn: cn=module{0},cn=config objectClass: olcModuleList cn: module {0} olcModulepath: /usr/lib/ldap olcModuleload: {0}back_hdb olcModuleload: {1}memberof.la # Create the database dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=com olcRootDN: cn=admin,dc=example,dc=com olcRootPW: password olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbIndex: uid pres,eq olcDbIndex: cn,sn,mail pres,eq,approx,sub olcDbIndex: objectClass eq dn: olcOverlay={1}memberof,olcDatabase={1}hdb,cn=config objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {1}memberof structuralObjectClass: olcMemberOf :wq! sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif sudo slappasswd -h {MD5} ##note: 1234 = {MD5}gdyb21LQTcIANtvYMT7QVQ== sudo vi base.ldif dn: dc=example,dc=com objectClass: dcObject objectclass: organization o: example.com dc: example description: My LDAP Root dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin userPassword: {MD5}gdyb21LQTcIANtvYMT7QVQ== description: LDAP administrator :wq! sudo ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif sudo vi config.ldif dn: cn=config changetype: modify delete: olcAuthzRegexp dn: olcDatabase={-1}frontend,cn=config changetype: modify delete: olcAccess dn: olcDatabase={0}config,cn=config changetype: modify delete: olcRootDN dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootDN olcRootDN: cn=admin,cn=config dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {MD5}gdyb21LQTcIANtvYMT7QVQ== dn: olcDatabase={0}config,cn=config changetype: modify delete: olcAccess :wq! sudo ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif sudo vi acl.ldif dn: olcDatabase={1}hdb,cn=config add: olcAccess olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read :wq! sudo ldapmodify -x -D cn=admin,cn=config -W -f acl.ldif #Add one group, add two users, place one user in group ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=example,dc=com memberOf _________________________________________________________________ Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. http://clk.atdmt.com/GBL/go/201469229/direct/01/

2 1

Read Waiters growing
by Peter Mogensen 26 Feb '10

26 Feb '10

Hi, I see a strange thing in cn=Monitor. Suggestions needed. I have a huge database, and performance is great as long as olcReadOnly is TRUE. But a soon as I enable writes, the number of Read Waiters are growing, even though there's no or very few Write waiters. # Read, Waiters, Monitor dn: cn=Read,cn=Waiters,cn=Monitor monitorCounter: 311 # Write, Waiters, Monitor dn: cn=Write,cn=Waiters,cn=Monitor monitorCounter: 0 # Current, Connections, Monitor dn: cn=Current,cn=Connections,cn=Monitor monitorCounter: 210 I have idletime=120 and connections do around 30 reads each before they are retired, but not many writes. Like this: # Connection 5389, Connections, Monitor dn: cn=Connection 5389,cn=Connections,cn=Monitor monitorConnectionNumber: 5389 monitorConnectionOpsReceived: 32 monitorConnectionOpsExecuting: 0 monitorConnectionOpsPending: 0 monitorConnectionOpsCompleted: 32 monitorConnectionGet: 32 monitorConnectionRead: 32 monitorConnectionWrite: 0 It's slapd 2.4.21, BDB 4.8.26 and back_bdb. Any hint to what could cause that many read-waiters, but only while writing is enabled and even though there's not that many writes? /Peter

2 3

overlay chain and TLS/SSL
by Ralf Zimmermann 26 Feb '10

26 Feb '10

Hi all, I think I have a problem with the overlay chain and tls. We have one physical master and two slaves in VMware Vsphere4. Our configuration runs normally fine, but sometimes we can't modify entries like passwords to the master. Then we must restart the slapd at the slaves. After restarting slapd all works fine. Then slapd works fine the wholy day. We can change entries or set passwords on the slaves. Next morning we must restart the slapd again, because we can't modify entries from the slaves. But we can query the slapd and syncrepl works fine. Only things over the overlay chains doesn't work. I have the problem not only with Version 2.4.20. I tested more Versions and actually 2.4.21 from pysically hardware. If I can't set entries on the slave I don't see any tcp packets from the slave to the master. DNS, time and so on looks fine and everything else is working. And if we restart slapd everything is working. Does anybody know what is going wrong and if there exits a workaround. I read some things abount /dev/random, /dev/urandom and kernel 2.6 in VMware. Can this be the problem? Here the overlay chain configuration. <snip slapd.conf> overlay chain chain-uri "ldap://eisenherz.camelot.de/" chain-idassert-bind bindmethod=simple binddn="cn=ldapadmin,dc=camelot,dc=de" credentials="xxxxxx" mode="self" chain-rebind-as-user TRUE chain-return-error TRUE chain-tls start </snip slapd.conf> Any help is appreciated. Regards Ralf Zimmermann -- .''`. Ralf Zimmermann : :' : SIEGNETZ.IT GmbH `. `' Schneppenkauten 1a `- 57076 Siegen Tel.: +49 271 68193 13 Fax.: +49 271 68193 29 Amtsgericht Siegen HRB4838 Geschaeftsfuehrer: Oliver Seitz Sitz der Gesellschaft ist Siegen

2 1

posixGroup and groupofNames
by Siddhartha Jain 26 Feb '10

26 Feb '10

Hi, Running CentOS 5.4 with stock OpenLDAP distro 2.3.43. Both classes, posixgroup and groupofnames are structural causing conflicts if one wants to use both. And while RFC2307bis is deleted by IETF, RFC2307 doesn't seem to have the same traction (or, does it)? So, what's a good option? Simply switch posixgroup to AUX in /etc/openldap/schema/nis.schema? Thanks, Siddhartha

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2010