Slightly O/T: Duplicating eDirectory server ...
by Garry
I have a customer install that is running a Novell based eDirectory
setup. As of late, the setup seems to be a bit flaky, but either way
could use a backup server ...
I was wondering, is it possible to pull the schema definitions and plain
(ldif) data out of an eDirectory and import to OpenLDAP? Don't need a
hot standby replication, but daily cron job would suffice ...
Tnx, Garry
13 years, 3 months
ldap rebind proc problem
by Jeremiah Martell
I'm trying to get my code to rebind appropriately when it's
automatically chasing referrals, but I'm running into a strange
problem.
I bind to server A, which returns me a referral to server B.
My rebind proc is called, which tries to bind to server B. That
succeeds, and (according to Wireshark) I get a couple referrals.
(DomainDnsZones, ForestDnsZones, and server C).
Then my rebind proc is called to bind to server C, but then
recursively it is called (on the same thread, says pthread_self) to
bind to DomainDnsZones, and
then recursively again it is called to bind to ForestDnsZones, which
is where my code hangs for at least 5 minutes before I kill it.
My rebind proc is calling ldap_sasl_bind_s, which seems to be what is
then re-calling my rebind proc in each case.
The problem is that my code hangs in one of the ldap_sasl_bind_s
calls, and never returns, but Wireshark shows that it successfully
binds to all three of the referred servers.
I'm using openldap-2.3.24.
My questions are:
- Is my rebind proc correct? It seems that calling ldap_sasl_bind_s is
correct and allowed.
- Was there a bug that has been fixed since 2.3.24 in direct regard to
rebinding?
- Any tips or hints on what could be hanging up the code?
Thanks,
- Jeremiah
13 years, 3 months
Too many open files?
by Jaap Winius
Hi all,
My latest test system includes a Kerberos server that uses OpenLDAP
via IPC as its back-end database. It usually works, but not always.
For example, recently, after failing to get kadmin to add a new
principal to the Kerberos database, I found this error in the
provider's syslog:
Feb 10 22:37:29 kls1 slapd[1722]: bdb_db_cache: db_open(entryUUID) failed: Too many open files (24)
Feb 10 22:37:29 kls1 slapd[1722]: bdb_index_read: Could not open DB entryUUID
Feb 10 22:37:29 kls1 slapd[1722]: conn=4 op=13 RESULT tag=105 err=80 text=index generation failed
A restart of the Kerberos KDC and admin servers seemed to solve the
problem, but obviously that's not ideal. Later on, I had a look at the
numbers of open files on the system:
~# lsof -i |grep slapd
slapd 1722 openldap 8u IPv6 4603 TCP *:ldap (LISTEN)
slapd 1722 openldap 9u IPv4 4604 TCP *:ldap (LISTEN)
slapd 1722 openldap 545u IPv4 12823 TCP kls1.example.com:ldap->kls2.example.com:51555 (ESTABLISHED)
slapd 1722 openldap 744u IPv4 8899 TCP kls1.example.com:ldap->kls2.example.com:49100 (ESTABLISHED)
545 and 745u!? A restart of the Kerberos servers didn't make a
difference, although restarting slapd brought these values down to 8
and 9u respectively. However, I have no idea what caused these numbers
to rise. See my provider/master server's config files below.
Does anyone have an idea what might be going on and how I might
prevent this situation from occurring again?
Thanks,
Jaap
==/etc/ldap/slapd.conf================
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kerberos.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
authz-regexp
uid=admin,cn=example.com,cn=gssapi,cn=auth
cn=admin,dc=example,dc=com
authz-regexp
uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
cn=$1,ou=consumers,dc=example,dc=com
authz-regexp
uid=([^,]+),cn=example.com,cn=gssapi,cn=auth
uid=$1,ou=people,dc=example,dc=com
sasl-realm EXAMPLE.COM
authz-policy to
backend hdb
database hdb
suffix "dc=example,dc=com"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
index uid eq
index krbPrincipalName eq,pres,sub
index entryUUID eq
index entryCSN eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=example,dc=com" write
by dn="cn=kls2,ou=consumers,dc=example,dc=com" read
by anonymous auth
by self write
by * none
access to dn.subtree="ou=krb5,dc=example,dc=com"
by dn="cn=admin,dc=example,dc=com" write
by dn="cn=adm-srv,ou=krb5,dc=example,dc=com" write
by dn="cn=kdc-srv,ou=krb5,dc=example,dc=com" read
by dn="cn=kls2,ou=consumers,dc=example,dc=com" read
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=example,dc=com" write
by * read
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
======================================
==/etc/default/slapd==================
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
export KRB5_KTNAME=/etc/krb5.keytab
SLAPD_OPTIONS=""
======================================
==/etc/krb5.conf======================
[libdefaults]
default_realm = EXAMPLE.COM
forwardable = true
proxiable = true
[realms]
EXAMPLE.COM = {
kdc = kls1.example.com
admin_server = kls.example.com
database_module = openldap_ldapconf
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = true
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com
ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com
ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=example,dc=com
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_conns_per_server = 5
}
[logging]
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log
default = FILE:/var/log/krb5/klib.log
======================================
Note: "ldap_servers" option omitted, as the default is to use IPC.
======================================
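As an added example (not part of the post above), a small monitor that reads a process's RLIMIT_NOFILE soft limit from /proc/<pid>/limits and compares it with the number of descriptors the process currently holds; errno 24 in the syslog line is EMFILE, the per-process limit, so that is the number worth watching. The /proc/<pid>/limits excerpt in the block is constructed, and the live check assumes Linux.

```python
"""Watch a process's open descriptors against its RLIMIT_NOFILE soft limit.

Added example, not part of the original post. "Too many open files (24)" is
EMFILE: the per-process soft limit, not a system-wide one, was hit. The
/proc/<pid>/limits excerpt below is constructed; the live check needs Linux.
"""
import os
import re

# Shape of the relevant line in /proc/<pid>/limits:
# "Max open files            1024                 4096                 files"
_NOFILE_RE = re.compile(r"^Max open files\s+(\S+)\s+(\S+)", re.M)


def parse_nofile_limit(limits_text):
    """Return (soft, hard) from /proc/<pid>/limits text; 'unlimited' becomes None."""
    m = _NOFILE_RE.search(limits_text)
    if not m:
        raise ValueError("no 'Max open files' line found")

    def conv(v):
        return None if v == "unlimited" else int(v)

    return conv(m.group(1)), conv(m.group(2))


def fd_pressure(open_count, soft_limit):
    """Fraction of the soft limit in use; 0.0 when the limit is unlimited."""
    if not soft_limit:
        return 0.0
    return open_count / soft_limit


def assess(limits_text, open_count, warn_at=0.8):
    """Pure evaluation step, so it can run on captured data as well as live."""
    soft, hard = parse_nofile_limit(limits_text)
    ratio = fd_pressure(open_count, soft)
    return {"open": open_count, "soft": soft, "hard": hard,
            "ratio": ratio, "warn": ratio >= warn_at}


def count_open_fds(pid):
    """Descriptors the process holds now (another user's /proc/<pid>/fd needs root)."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def check_process(pid, warn_at=0.8):
    """Live check of one pid, e.g. the slapd pid from the syslog line (slapd[1722])."""
    with open(f"/proc/{pid}/limits") as f:
        limits_text = f.read()
    result = assess(limits_text, count_open_fds(pid), warn_at)
    result["pid"] = pid
    return result


# Constructed /proc/<pid>/limits excerpt, laid out like the real file.
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max locks                 unlimited            unlimited            locks
"""

if __name__ == "__main__":
    import sys
    # With no argument, checks this interpreter; pass slapd's pid to watch it.
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(check_process(target))
```

Run it from cron against slapd's pid and alert on "warn": True; a steadily rising "open" count between restarts is the leak signature the post describes.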
13 years, 3 months
openldap proxy of Windows Server 2003
by Nicolas Michel
Hello experts,
I'm searching for a way to set up an openldap proxy for an AD Windows Server
2003. I want to authenticate some clients on the openldap with Windows
Server Users.
I've been trying to do it for some days with no success...
If someone would have some hints or a wonderful tutorial, or even a great
paper book which talks about that topic, it would be really nice to tell
me! ;)
Thank you,
nm
13 years, 3 months
OID for private objectclasses and attributes
by Stefan Palme
Hi all,
I want to extend the schema of an OpenLDAP server installation
with some objectclasses and attributetypes of my own. Now I am not sure
which range of OIDs I can safely use for this purpose.
I've found something called "Internet Private Enterprise Numbers" with
OIDs of the form 1.3.6.1.4.1.X
As far as I've understood, the "private" subtree is 1.3.6.1.4,
where the ".1" sub-subtree of this is "reserved" for enterprise
use.
So I think that, for my very private and personal solution, OIDs like
1.3.6.1.4.10.1.1 (for an objectclass) and 1.3.6.1.4.10.2.1 (for
an attributetype) would be absolutely ok.
Any comments?
Thanks and regards
-stefan-
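As an added example (not from the post above), a checker that walks the OIDs in a schema snippet and reports whether each one sits under 1.3.6.1.4.1.<PEN>, the arc IANA delegates to a registered Private Enterprise Number. The PEN 99999 and the schema snippet are constructed; OpenLDAP's own PEN 4203 is used only to show an OID belonging to a different enterprise.

```python
"""Check that the OIDs in a schema snippet sit under one registered enterprise arc.

Added example, not from the original post. PEN 99999 is a constructed
stand-in for a number obtained from IANA.
"""
import re

# IANA hands out Private Enterprise Numbers below this arc: 1.3.6.1.4.1.<PEN>
ENTERPRISE_ARC = (1, 3, 6, 1, 4, 1)

# Matches the OID that opens an attributetype/objectclass definition.
_DEF_RE = re.compile(r"^\s*(attributetype|objectclass)\s*\(\s*([0-9.]+)", re.I | re.M)


def parse_oid(text):
    """Turn a dotted OID string into a tuple of ints; raise on malformed input."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)+", text):
        raise ValueError(f"malformed OID: {text!r}")
    return tuple(int(p) for p in text.split("."))


def enterprise_root(pen):
    """The arc an organisation controls once it has registered the given PEN."""
    return ENTERPRISE_ARC + (pen,)


def is_under(oid, root):
    """True when oid is root itself or lies below it."""
    return oid[: len(root)] == root


def classify(oid_text, pen):
    """'ok' under our PEN, 'other-enterprise' under someone else's,
    'outside-enterprise-arc' when not below 1.3.6.1.4.1 at all."""
    oid = parse_oid(oid_text)
    if is_under(oid, enterprise_root(pen)):
        return "ok"
    if is_under(oid, ENTERPRISE_ARC):
        return "other-enterprise"
    return "outside-enterprise-arc"


def audit_schema(schema_text, pen):
    """Map each definition's OID in the snippet to its classification."""
    return {m.group(2): classify(m.group(2), pen) for m in _DEF_RE.finditer(schema_text)}


# Constructed schema snippet: two definitions under the stand-in PEN 99999,
# one under OpenLDAP's PEN 4203 (constructed suffix), and one using the
# 1.3.6.1.4.10 arc from the post.
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleAttr'
    DESC 'constructed example attribute'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleClass'
    SUP top AUXILIARY MAY exampleAttr )
attributetype ( 1.3.6.1.4.1.4203.999.1 NAME 'someoneElsesAttr'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.10.1.1 NAME 'unregisteredClass' SUP top AUXILIARY )
"""

if __name__ == "__main__":
    for oid, verdict in audit_schema(SAMPLE_SCHEMA, pen=99999).items():
        print(f"{oid:<28} {verdict}")
```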
13 years, 3 months
dynlist (at least for me) strange behaviour
by Benjamin Griese
Hello Mailinglist,
For some days/weeks now I have been trying to figure out how dynlist is meant to be
used and how it is to be used.
But it is hard to get into the game for someone who is not familiar with
OpenLDAP at all. :)
I tried to build the, I guess, popular 'dynamic posixgroups'.
Some older ML posts helped me to build the default structure for the dynlist
overlay.
i.e. this one
http://www.openldap.org/lists/openldap-technical/200912/msg00005.html
and this http://www.openldap.org/faq/data/cache/1209.html
# getent group
testgroup1:*:1011:test1,test2
testgroup2:*:1012:test1,test2
this looks good to me, as expected.
# id test1
uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1)
# id test2
uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2)
but this isn't what it is expected to be; too bad it's not only a display
problem, the permissions of testgroup1 and testgroup2 vice versa are really
missing.
# id test1
uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1),
1012(testgroup2)
# id test2
uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2),
1011(testgroup1)
that's what I wish it would be
If I delete the Attribute labeledURI and set the memberUid for test1 and
test2 by hand, everything works as expected, but it would be nice to have it
dynamically managed :)
Any help, guide and/or howto is highly appreciated.
Thank you for your time reading this :)
bye, Benjamin.
--------------------------------------------------
my general config:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exa
mple,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to * by dn="cn=admin,dc=example,dc=com" write by * read
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: memberUid pres,eq
olcDbIndex: uniquemember pres,eq
olcDbIndex: gidnumber pres,eq
olcDbIndex: uid pres,eq
olcDbIndex: uidnumber pres,eq
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:
olcSuffix: dc=example,dc=com
dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}posixGroup labeledURI memberUid:uid
dn: olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
my testgroups:
dn: cn=testgroup1,ou=People,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
cn: testgroup1
gidNumber: 1011
labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass
=Posixaccount)
memberUid: test1 (dynamically set)
memberUid: test2 (dynamically set)
dn: cn=testgroup2,ou=People,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
cn: testgroup2
gidNumber: 1012
labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass
=Posixaccount)
memberUid: test1 (dynamically set)
memberUid: test2 (dynamically set)
my testusers:
dn: uid=test1,ou=test,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: top
cn: test1
gidNumber: 1011
homeDirectory: /home/test1
sn: test1
uid: test1
uidNumber: 1011
userPassword:
dn: uid=test2,ou=test,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: top
cn: test2
gidNumber: 1012
homeDirectory: /home/test2
sn: test2
uid: test2
uidNumber: 1012
userPassword:
some log entries with ACL logging enabled:
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access
to "dc=example,dc=com" "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (entry)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"dc=example,dc=com", attr "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "",
(=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access
to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access
to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (uid)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (entry)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "entry" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "",
(=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (objectClass)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "cn" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr cn
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (cn)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "cn" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "homeDirectory" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr homeDirectory
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (homeDirectory)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "homeDirectory"
requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "userPassword" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [1] attr userPassword
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (userPassword)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "userPassword"
requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: anonymous
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
auth(=xd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: auth(=xd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access denied by auth(=xd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: no more rules
Feb 14 16:58:13 openldaphost slapd[8673]: send_search_entry: conn 366 access
to attribute userPassword, value #0 not allowed
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "uidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uidNumber
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (uidNumber)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (uid)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to
"uid=test1,ou=test,ou=Users,dc=example,dc=com" "gidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr gidNumber
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not
in cache (gidNumber)
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry
"uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "gidNumber" requested
Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0)
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: *
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying
read(=rscxd) (stop)
Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask:
read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read
access granted by read(=rscxd)
Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access
granted by read(=rscxd)
--
Charles de Gaulle<http://www.brainyquote.com/quotes/authors/c/charles_de_gaulle.html>
- "The better I get to know men, the more I find myself loving dogs."
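As an added example (not code from the post or from OpenLDAP), a small model of what the dynlist overlay does with the posted `olcDlAttrSet: posixGroup labeledURI memberUid:uid`: it parses the group's labeledURI as an LDAP URL (RFC 4516), applies the scope and filter to a constructed copy of the posted user entries, and copies each match's uid into memberUid. Filter support is limited to equality, presence and &/| nesting; DN handling ignores escaping.

```python
"""Model of dynlist expanding labeledURI into memberUid (added example, not
OpenLDAP code). Entries below are a constructed copy of those in the post."""
from urllib.parse import unquote


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its parts (host is ignored)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    _host, _, path = url[len("ldap://"):].partition("/")
    parts = [unquote(p) for p in path.split("?")] + [""] * 4
    base, attrs, scope, flt = parts[:4]
    return {"base": base, "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": flt or "(objectClass=*)"}


def dn_parts(dn):
    """Lower-cased RDN list, leaf first (no escaping handled)."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(dn, base, scope):
    """Scope check: base = the entry itself, one = direct children, sub = whole subtree."""
    d, b = dn_parts(dn), dn_parts(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def _split_items(s):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'], respecting nesting."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def matches(entry, flt):
    """Evaluate (attr=value), (attr=*), (&...) and (|...); comparisons are case-insensitive."""
    body = flt[1:-1]
    if body and body[0] in "&|":
        results = [matches(entry, f) for f in _split_items(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, _, value = body.partition("=")
    vals = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(vals) if value == "*" else value.lower() in vals


def expand_dynlist(group, directory, member_attr="memberUid", from_attr="uid"):
    """Return a copy of the group with member_attr filled from every labeledURI,
    mirroring the 'memberUid:uid' mapping in olcDlAttrSet."""
    out = {k: list(v) for k, v in group.items()}
    members = []
    for url in group.get("labeledURI", []):
        u = parse_ldap_url(url)
        for dn, entry in directory.items():
            if in_scope(dn, u["base"], u["scope"]) and matches(entry, u["filter"]):
                members.extend(v for v in entry.get(from_attr, []) if v not in members)
    out[member_attr] = members
    return out


# Constructed copy of the posted user entries (only the attributes that matter here).
DIRECTORY = {
    "uid=test1,ou=test,ou=Users,dc=example,dc=com": {
        "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["test1"], "gidNumber": ["1011"]},
    "uid=test2,ou=test,ou=Users,dc=example,dc=com": {
        "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["test2"], "gidNumber": ["1012"]},
}
TESTGROUP1 = {
    "objectClass": ["posixGroup", "labeledURIObject"], "cn": ["testgroup1"], "gidNumber": ["1011"],
    "labeledURI": ["ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass=Posixaccount)"],
}

if __name__ == "__main__":
    # Both users match the posted URI, which is exactly what getent group showed.
    print(expand_dynlist(TESTGROUP1, DIRECTORY)["memberUid"])
```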
13 years, 3 months
Expiration of root CA
by Philippe Bloix
Hi,
My root CA will expire soon. What is the best method to avoid break between
ldap server and ldap client communication?
If I create a new root CA, then I will have to copy this new root CA on each
ldap client (several hundred). In this case, is it possible to switch from
the old root CA to the new root CA without a break between server and
client? How?
Regards
Philippe
13 years, 3 months
Re: Where is DB_CONFIG file?
by Echedey Lorenzo
Hi,
The method suggested by Quanah worked perfectly. I also find very useful the
information given by Dieter, since I'll take care of creating a DB_CONFIG file in
new deployments. My last question has to do with db_checkpoint. Should I
call it periodically or will Berkeley delete logs on its own?
Thanks a lot
2010/2/12 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Thursday, February 11, 2010 7:21 PM +0100 Dieter Kluenter <
> dieter(a)dkluenter.de> wrote:
>
> Quanah Gibson-Mount <quanah(a)zimbra.com> writes:
>>
>> ----- Echedey Lorenzo <echedey(a)gmail.com> wrote:
>>>
>>>> I think the best option, as you suggest, is to recreate
>>>> everything. Is it enough to remove all /var/lib/ldap contents,
>>>> restart the ldap service, and populate all again? My intention is to
>>>> have 8M entries as max.
>>>>
>>>> Thanks for your help
>>>>
>>>>
>>> There is zero need to recreate everything. Dieter is wrong. Simply
>>> stop slapd, create the DB_CONFIG file, run db_recover to regenerate
>>> the bdb database profile, then start slapd. This has been the standard
>>> way to do this since OpenLDAP 2.1. Dieter should know this.
>>>
>>
>> I have experienced some problems in the past, that's why I prefer a
>> clean recreation.
>>
>
> Then you should have collected data and filed an ITS. I've never had a
> problem in nearly 10 years of configuring and modifying DB_CONFIG files back
> to 2.1.4 when it's done correctly.
>
> --Quanah
>
> --
>
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
--------------------------------------------
| Echedey Lorenzo Arencibia |
--------------------------------------------
13 years, 3 months
Bringing up replication with an already live server?
by Adam Tauno Williams
I have two DSAs of the same version (2.4.20). One is empty and the
other is stand-alone. I want to configure multi-master; can I add the
syncrepl directives to the live server and then bring up the other
server and add the syncrepl directives - will the second server then
synchronize with the live server (which already contains configuration,
etc...). Or do I need to start with two empty DSAs?
--
Adam Tauno Williams <awilliam(a)whitemice.org> LPIC-1, Novell CLA
<http://www.whitemiceconsulting.com>
OpenGroupware, Cyrus IMAPd, Postfix, Samba
13 years, 3 months
Where is DB_CONFIG file?
by Echedey Lorenzo
Hi,
I'm new to this mailing list. I have a simple question... I have deployed a
huge subscriber ldap database with more than 400 000 entries in a SUSE
machine installing OpenLDAP with Yast.
I've found huge log files in /var/lib/ldap that I cannot delete. Google says
that I should tune my DB_CONFIG file to optimize the use of the Berkeley
backend, but I don't find this file. Should I create it?
Thanks a lot
--
--------------------------------------------
| Echedey Lorenzo Arencibia |
--------------------------------------------
13 years, 3 months