openldap-technical February 2010

openldap-technical@openldap.org

59 participants
64 discussions

Syncrepl in OpenLDAP-2.4.20
by Ralf Zimmermann 22 Feb '10

22 Feb '10

Hi all, today I have made tests with Version 2.4.21 and my 2.4.20 configuration. When I start slapd I get following error message: config error processing olcDatabase={1}hdb,cn=config: <olcSyncrepl> invalid URL olcSyncrepl: value #0: <olcSyncrepl> invalid URL In the slapd.conf is a syncrepl section. If I add a 'uri=ldap://<server>' to the syncrepl directive and I create a online configuration with 'slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d' the olc ldif file contains a uri with 'uri=ldap://<server>'. If I didn't define uri in slapd.conf syncrepl directive the uri in the olc ldif file was empty and slapd is not starting. I have take a look to the CHANGES and the man pages, but I didn't found anything about the uri parameter in the syncrepl section. Why is this parameter not documented or where is my problem? regards Ralf Zimmermann -- .''`. Ralf Zimmermann : :' : SIEGNETZ.IT GmbH `. `' Schneppenkauten 1a `- 57076 Siegen Tel.: +49 271 68193 13 Fax.: +49 271 68193 29 Amtsgericht Siegen HRB4838 Geschaeftsfuehrer: Oliver Seitz Sitz der Gesellschaft ist Siegen

2 1

objectclass not found inetorgperson?
by Ray Carrender 21 Feb '10

21 Feb '10

I keep getting a ldap_add: Invalid syntax (21) additional info: objectclass: value #0 invalid per syntax (ldif) dn: cn=Charlton Heston,ou=people,dc=afranius,dc=com cn: Charlton sn: Heston mail: heston(a)actor.com telephoneNumber:508-555-1212 objectclass: inetOrgPerson slapd.conf's include /usr/local/etc/oplenldap/schema/core.schema include /usr/local/etc/oplenldap/schema/cosine.schema include /usr/local/etc/oplenldap/schema/inetorgperson.schema it successfully added the two objects prior to this, do you guys have any ideas what might be going on? Thanks! *Ray*

2 1

idea for access rules #2
by Stefan Palme 21 Feb '10

21 Feb '10

Hi again, Have a subtree like this: ou=users cn=me ou=data ou=data1 cn=fact1 cn=fact2, owner=cn=me,ou=users ou=data2 cn=fact3 cn=fact4 So this time, some child elements of a dataX-subtree are "owned" by certain users. What I want: when a user (cn=me) traverses the LDAP tree, (s)he should only see the dataX-subtrees with at least one child owned by this user. For the example above, the user cn=me should get read access to "ou=data1" and to "cn=fact2,ou=data1", but he should NOT get read access to ou=data2 and its children. Specifying the access to the "cn=factX" entries is already solved, now the only problem is to deny access to some of the "ou=dataX" subtrees: My current idea is something like this: access to dn.regex="(ou=[^,]+,ou=data)" by set.expand="([ldap://127.0.0.1?base=$1?scope=sub]/owner) & user" which should find all entries in a dataX subtree, collect their owners and "compare" them with the current user. But this does not look "nice" to me because of the additional required LDAP search. Is there a more straightforward solution for this? If not: is this search operation really EXECUTED? Which bind DN is used to execute the search? The "current" one? I guess, to find the search results for the LDAP query all access rules for the current user apply? Thanks and regards -stefan-

1 0

idea for access rules
by Stefan Palme 21 Feb '10

21 Feb '10

Hi all, maybe this is not the right list for this question, in this case I apologize for this post.. I have no idea to define access rules for the following case. Have an LDAP tree like this: ou=users cn=me ou=data ou=data1, owner=cn=me,ou=users cn=fact1 cn=fact2 ou=data2, owner=cn=somebodyelse,ou=users cn=fact3 cn=fact4 (one line represents one LDAP entry with some of its attributes, the level of indentation represents the tree structure) The point is the subtree starting at "ou=data1". The root node of this subtree (ou=data1) has an attribute "owner" with a DN of a user account which can be used to bind to the LDAP server (cn=me,ou=users). Now I want to define, that this specific user has write access to some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc... I am searching for a rule like this: access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write Obviously, this dnattr syntax is not valid, but I guess you see what I want. Any ideas how to realize this? Thanks for any hints Regards -stefan-

2 6

attributes order
by Mihamina Rakotomandimby 20 Feb '10

20 Feb '10

Manao ahoana, Hello, Bonjour, Hi all I have 3 custom attributes: - actionDate - commentContent - commentId I populated my OpenLDAP with a shell script and "ldapadd", and when searching with "ldapsearch", attributes are displayed all in the order: - actionDate - commentContent - commentId Now I use the Ocaml LDAP binding (ocamldap) to add several entries. While searching again, entries added with shell+ldap has the same atribute order display, but the ones added through the Ocaml binding are displayed in a different order. That mean while displaying all the objects (stricly of the same objectClass), I have a mixed attribute order display. How could I force openLDAP to always display attributes in the same order for one objectClass? Misaotra, Thanks, Merci. -- Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement +261 34 29 155 34 / +261 33 11 207 36

2 1

password change hangs: bug?
by Stefano Zanmarchi 19 Feb '10

19 Feb '10

Hi, I'm running slapd 2.4.9 on Solaris10. I searched with no result: does anyone know if there is a bug on 2.4.9 regarding password changes? I'd like to know if newer releases have bug fixes specifically for this issue This is what happened to me. I have a client performing many password changes, which usually results in my logs like this: ... Feb 19 12:17:33 db1 slapd[49]: [ID 848112 local4.debug] conn=591 fd=22 ACCEPT from IP=192.168.2.253:49108 (IP=0.0.0.0:12312) Feb 19 12:17:33 db1 slapd[49]: [ID 215403 local4.debug] conn=591 op=0 BIND dn="uid=mario.rossi(a)unipd.it,ou=people,dc=unipd,dc=it" method=128 Feb 19 12:17:33 db1 slapd[49]: [ID 600343 local4.debug] conn=591 op=0 BIND dn="uid=mario.rossi(a)unipd.it,ou=people,dc=unipd,dc=it" mech=SIMPLE ssf=0 Feb 19 12:17:33 db1 slapd[49]: [ID 588225 local4.debug] conn=591 op=0 RESULT tag=97 err=0 text= Feb 19 12:17:33 db1 slapd[49]: [ID 270379 local4.debug] conn=591 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 Feb 19 12:17:33 db1 slapd[49]: [ID 461300 local4.debug] conn=591 op=1 PASSMOD new Feb 19 12:17:33 db1 slapd[49]: [ID 875301 local4.debug] conn=591 op=1 RESULT oid= err=0 text= Feb 19 12:17:33 db1 slapd[49]: [ID 218904 local4.debug] conn=591 op=2 UNBIND Feb 19 12:17:33 db1 slapd[49]: [ID 952275 local4.debug] conn=591 fd=22 closed ... Always went fine, but yesterday this happened: ... Feb 18 22:45:41 db1 slapd[21872]: [ID 848112 local4.debug] conn=3186 fd=22 ACCEPT from IP=192.168.2.253:49820 (IP=0.0.0.0:12312) Feb 18 22:45:41 db1 slapd[21872]: [ID 215403 local4.debug] conn=3186 op=0 BIND dn="uid=maria.verdi(a)unipd.it,ou=people,dc=unipd,dc=it" method=128 Feb 18 22:45:41 db1 slapd[21872]: [ID 600343 local4.debug] conn=3186 op=0 BIND dn="uid=maria.verdi(a)unipd.it,ou=people,dc=unipd,dc=it" mech=SIMPLE ss f=0 Feb 18 22:45:41 db1 slapd[21872]: [ID 588225 local4.debug] conn=3186 op=0 RESULT tag=97 err=0 text= Feb 18 22:45:41 db1 slapd[21872]: [ID 270379 local4.debug] conn=3186 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 Feb 18 22:45:41 db1 slapd[21872]: [ID 461300 local4.debug] conn=3186 op=1 PASSMOD new ... that is, no "RESULT" for PASSMD and the client performing the password change received no answer (hung), and this has caused us many problems. Could it possibly be an openldap bug? Thank you very much, Stefano

2 1

Server-Side Sort Overlay ordering problems
by Diego Lima 19 Feb '10

19 Feb '10

Hello, I have enabled the server-side sorting overlay and I received the following error on a search: sssvlv: no ordering rule specified and no default ordering rule for attribute uid <= get_ctrls: n=1 rc=18 err="serverSort control: No ordering rule" send_ldap_result: conn=1000 op=7 p=3 send_ldap_response: msgid=8 tag=101 err=18 ber_flush2: 50 bytes to sd 13 ldap_write: want=50, written=50 0000: 30 30 02 01 08 65 2b 0a 01 12 04 00 04 24 73 65 00...e+......$se 0010: 72 76 65 72 53 6f 72 74 20 63 6f 6e 74 72 6f 6c rverSort control 0020: 3a 20 4e 6f 20 6f 72 64 65 72 69 6e 67 20 72 75 : No ordering ru 0030: 6c 65 le conn=1000 op=7 do_search: get_ctrls failed Where should I specify the ordering rule for the uid attribute? The core schema? Thank you -- Diego Lima

6 6

ppolicy & sambaNTPassword
by Ralf Zimmermann 17 Feb '10

17 Feb '10

Hi all, I have a problem with overlay ppolicy and samba. My samba backend is openldap-2.4.20. I have a default ppolicy and a pwdCheckModule. If I change the userPassword all works fine. I read the slapo-ppolicy man page and I know that the only pwdAttribute is userPassword. If I change the userPassword with smbpasswd the policy works also fine. But if I want to change the Password with a Windows client the problem begins. The sambaNTPassword is set everytime to the new Password because the ppolicy overlay checks only the userPassword. So the both Passwords are different and there is no control for the sambaNTPassword. Exists any solution or a workaround for this problem. Any help is appreciated. Mit freundlichen Gruessen Ralf Zimmermann -- .''`. Ralf Zimmermann : :' : SIEGNETZ.IT GmbH `. `' Schneppenkauten 1a `- 57076 Siegen Tel.: +49 271 68193 13 Fax.: +49 271 68193 29 Amtsgericht Siegen HRB4838 Geschaeftsfuehrer: Oliver Seitz Sitz der Gesellschaft ist Siegen

3 11

Problem with nss-ldap using GSSAPI
by Wojtek Polcwiartek 17 Feb '10

17 Feb '10

Hello, we use ldap as name source in our system (libnss-ldap). Until now we used anonymous bind with LDAP and it worked fine. Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent passwd <name>') does not work: no result is returned/printed. Strange is that, when we run the query in debug-mode (debug 7 in /etc/ldap.conf), you can see the correct result in the debug part (in "hexes") but at the end no result is printed . The only error message we could see is: res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <> Querying LDAP with ldapsearch still works fine. Do You have any idea how to get closer to the source of the problem? We use Ubuntu Karmic as client (repo package) and Solaris10 (with OpenLdap 2.4.16) as server. Greetings! -- Wojtek Polcwiartek ------ tubIT TU-Berlin Web : www.tubit.tu-berlin.de Email : tubit(a)tu-berlin.de Tel : +49.30.314.28000

2 3

binding to an alias entry?
by Stefan Palme 17 Feb '10

17 Feb '10

Hi, I have two ldap entries: dn:cn=me,ou=users,dc=kapott,dc=org objectclass:person cn:me userPassword:... dn:cn=me,ou=imap,ou=groups,dc=kapott,dc=org objectclass:alias objectclass:extensibleObject aliasedObjectName:cn=me,ou=users,dc=kapott,dc=org cn:me I can use the first DN to successfully bind to the LDAP server, but not the second one. It would be nice to be able to use "cn=me,ou=imap,ou=groups,dc=kapott,dc=org" as bind DN too, but without duplicating the whole "person" entry with the userPassword. Is this possible? Thanks and regards -stefan-

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2010