openldap-technical February 2010

openldap-technical@openldap.org

59 participants
64 discussions

Slightly O/T: Duplicating eDirectory server ...
by Garry 16 Feb '10

16 Feb '10

I have a customer install that is running a Novell based eDirectory setup. As of lately, the setup seems to be a bit flakey, but either way could use a backup server ... I was wondering, is it possible to pull the schema definitions and plain (ldif) data out of an eDirectory and import to OpenLDAP? Don't need a hot standby replication, but daily cron job would suffice ... Tnx, Garry

2 1

ldap rebind proc problem
by Jeremiah Martell 15 Feb '10

15 Feb '10

I'm trying to get my code to rebind appropriately when it's automatically chasing referrals, but I'm running into a strange problem. I bind to server A, which returns me a referral to server B. My rebind proc is called, which tries to bind to server B. That succeeds, and (accoring to Wireshark) I get a couple referrals. (DomainDnsZones, ForestDnsZones, and server C). Then my rebind proc is called to bind to server C, but then recursively it is called (on the same thread, says pthread_self) to bind to DomainDnsZones, and then recursively again it is called to bind to ForestDnsZones, which is where my code hangs for at least 5 minutes before I kill it. My rebind proc is calling ldap_sasl_bind_s, which seems to be what is then re-calling my rebind proc in each case. The problem is that my code hangs in one of the ldap_sasl_bind_s calls, and never returns, but Wireshark shows that it successfully binds to all thee of the referred servers. I'm using openldap-2.3.24. My questions are: - Is my rebind proc correct? It seems that calling ldap_sasl_bind_s is correct and allowed. - Was there a bug that has been fixed since 2.3.24 in direct regard to rebinding? - Any tips or hints on what could be hanging up the code? Thanks, - Jeremiah

1 0

Too many open files?
by Jaap Winius 15 Feb '10

15 Feb '10

Hi all, My latest test system includes a Kerberos server that uses OpenLDAP via IPC as its back-end database. It usually works, but not always. For example, recently, after failing to get kadmin to add a new principal to the Kerberos database, I found this error in the provider's syslog: Feb 10 22:37:29 kls1 slapd[1722]: bdb_db_cache: db_open(entryUUID) failed: Too many open files (24) Feb 10 22:37:29 kls1 slapd[1722]: bdb_index_read: Could not open DB entryUUID Feb 10 22:37:29 kls1 slapd[1722]: conn=4 op=13 RESULT tag=105 err=80 text=index generation failed A restart of the Kerberos KDC and admin servers seemed to solve the problem, but obviously that's not ideal. Later on, I had a look at the numbers of open files on the system: ~# lsof -i |grep slapd slapd 1722 openldap 8u IPv6 4603 TCP *:ldap (LISTEN) slapd 1722 openldap 9u IPv4 4604 TCP *:ldap (LISTEN) slapd 1722 openldap 545u IPv4 12823 TCP kls1.example.com:ldap->kls2.example.com:51555 (ESTABLISHED) slapd 1722 openldap 744u IPv4 8899 TCP kls1.example.com:ldap->kls2.example.com:49100 (ESTABLISHED) 545 and 745u!? A restart of the Kerberos servers didn't make a difference, although restarting slapd brought these values down to 8 and 9u respectively. However, I have no idea what caused these numbers to rise. See my provider/master server's config files below. Does anyone have an idea what might be going on and how I might prevent this situation from occurring again? Thanks, Jaap ==/etc/ldap/slapd.conf================ include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/kerberos.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/ldap moduleload back_hdb sizelimit 500 tool-threads 1 authz-regexp uid=admin,cn=example.com,cn=gssapi,cn=auth cn=admin,dc=example,dc=com authz-regexp uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth cn=$1,ou=consumers,dc=example,dc=com authz-regexp uid=([^,]+),cn=example.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=com sasl-realm EXAMPLE.COM authz-policy to backend hdb database hdb suffix "dc=example,dc=com" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq index uid eq index krbPrincipalName eq,pres,sub index entryUUID eq index entryCSN eq lastmod on checkpoint 512 30 access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by dn="cn=kls2,ou=consumers,dc=example,dc=com" read by anonymous auth by self write by * none access to dn.subtree="ou=krb5,dc=example,dc=com" by dn="cn=admin,dc=example,dc=com" write by dn="cn=adm-srv,ou=krb5,dc=example,dc=com" write by dn="cn=kdc-srv,ou=krb5,dc=example,dc=com" read by dn="cn=kls2,ou=consumers,dc=example,dc=com" read by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=example,dc=com" write by * read moduleload syncprov overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 ====================================== ==/etc/default/slapd================== SLAPD_CONF= SLAPD_USER="openldap" SLAPD_GROUP="openldap" SLAPD_PIDFILE= SLAPD_SERVICES="ldap:/// ldapi:///" SLAPD_SENTINEL_FILE=/etc/ldap/noslapd export KRB5_KTNAME=/etc/krb5.keytab SLAPD_OPTIONS="" ====================================== ==/etc/krb5.conf====================== [libdefaults] default_realm = EXAMPLE.COM forwardable = true proxiable = true [realms] EXAMPLE.COM = { kdc = kls1.example.com admin_server = kls.example.com database_module = openldap_ldapconf } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM [login] krb4_convert = true [dbmodules] openldap_ldapconf = { db_library = kldap ldap_kerberos_container_dn = ou=krb5,dc=example,dc=com ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=example,dc=com ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=example,dc=com ldap_service_password_file = /etc/krb5kdc/service.keyfile ldap_conns_per_server = 5 } [logging] kdc = FILE:/var/log/krb5/kdc.log admin_server = FILE:/var/log/krb5/kadmin.log default = FILE:/var/log/krb5/klib.log ====================================== Note: "ldap_servers" option omitted, as the default is to use IPC. ======================================

2 7

openldap proxy of Windows Server 2003
by Nicolas Michel 15 Feb '10

15 Feb '10

Hello experts, I'm searching a way to set up an openldap proxy for an AD Windows Server 2003. I want to authenticate some clients on the openldap with Windows Server Users. I'm trying doing it for some days with no success... If someone would have some hints or a wonderfull tuto, or even a great paper book which talk about that topic, it would be really nice to tell me! ;) Thank you, nm

3 3

OID for private objectclasses and attributes
by Stefan Palme 14 Feb '10

14 Feb '10

Hi all, I want to extend the schema of an OpenLDAP server installation by some own objectclasses and attributetypes. Now I am not sure which range of OIDs I can safely use for this purposes. I've something calles "Internet Private Enterprise Numbers" with OIDs of the form 1.3.6.1.4.1.X As far as I've understood, the "private" subtree is 1.3.6.1.4, where the ".1" sub-subtree of this is "reserved" for enterprise use. So I think, for my very private and personal solution OID like 1.3.6.1.4.10.1.1 (for an objectclass) and 1.3.6.1.4.10.2.1 (for an attributetype) would be absolutely ok. Any comments? Thanks and regards -stefan-

2 1

dynlist (at least for me) strange behaviour
by Benjamin Griese 14 Feb '10

14 Feb '10

Hello Mailinglist, for some days/weeks now, I try to figure out, how dynlist is meant to be used and how it is to be used. But it is hard for one to get in the game, who is neither familiar with openLDAP at all. :) I tried to build the, I guess, popular 'dynamic posixgroups'. Some older ML posts helped me to build the default structure for the dynlist overlay. i.e. this one http://www.openldap.org/lists/openldap-technical/200912/msg00005.html and this http://www.openldap.org/faq/data/cache/1209.html # getent group testgroup1:*:1011:test1,test2 testgroup2:*:1012:test1,test2 this looks good to me, as expected. # id test1 uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1) # id test2 uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2) but this isn't what it is expected to be, too bad its not only a display problem, the permissions of testgroup1 and testgroup2 vice versa are really missing. # id test1 uid=1011(test1) gid=1011(testgroup1) Gruppen=1011(testgroup1), 1012(testgroup2) # id test2 uid=1012(test2) gid=1012(testgroup2) Gruppen=1012(testgroup2), 1011(testgroup1) thats what I wish it would be If I delete the Attribute labeledURI and set the memberUid for test1 and test2 by hand, everything works as expected, but it would be nice to have it dynamically managed :) Any help, guide and/or howto is highly appreciated. Thank you for your time reading this :) bye, Benjamin. -------------------------------------------------- my general config: dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exa mple,dc=com" write by anonymous auth by self write by * none olcAccess: {1}to * by dn="cn=admin,dc=example,dc=com" write by * read olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: cn,sn,mail pres,eq,approx,sub olcDbIndex: objectClass eq olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub olcDbIndex: memberUid pres,eq olcDbIndex: uniquemember pres,eq olcDbIndex: gidnumber pres,eq olcDbIndex: uid pres,eq olcDbIndex: uidnumber pres,eq olcLastMod: TRUE olcRootDN: cn=admin,dc=example,dc=com olcRootPW: olcSuffix: dc=example,dc=com dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top objectClass: olcDynamicList olcOverlay: {0}dynlist olcDlAttrSet: {0}posixGroup labeledURI memberUid:uid dn: olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config objectClass: olcPPolicyConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyDefault: cn=default,ou=Policies,dc=example,dc=com olcPPolicyHashCleartext: TRUE my testgroups: dn: cn=testgroup1,ou=People,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: labeledURIObject cn: testgroup1 gidNumber: 1011 labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass =Posixaccount) memberUid: test1 (dynamically set) memberUid: test2 (dynamically set) dn: cn=testgroup2,ou=People,ou=Groups,dc=example,dc=com objectClass: posixGroup objectClass: top objectClass: labeledURIObject cn: testgroup2 gidNumber: 1012 labeledURI: ldap:///ou=test,ou=Users,dc=example,dc=com?uid?sub?(objectClass =Posixaccount) memberUid: test1 (dynamically set) memberUid: test2 (dynamically set) my testusers: dn: uid=test1,ou=test,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: inetOrgPerson objectClass: shadowAccount objectClass: top cn: test1 gidNumber: 1011 homeDirectory: /home/test1 sn: test1 uid: test1 uidNumber: 1011 userPassword: dn: uid=test2,ou=test,ou=Users,dc=example,dc=com objectClass: posixAccount objectClass: inetOrgPerson objectClass: shadowAccount objectClass: top cn: test2 gidNumber: 1012 homeDirectory: /home/test2 sn: test2 uid: test2 uidNumber: 1012 userPassword: some log entries with ACL logging enabled: Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "dc=example,dc=com" "entry" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (entry) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uid) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: search access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: search access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "entry" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr entry Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (entry) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "entry" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to all values by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr objectClass Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (objectClass) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "objectClass" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "cn" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr cn Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (cn) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "cn" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "homeDirectory" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr homeDirectory Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (homeDirectory) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "homeDirectory" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "userPassword" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [1] attr userPassword Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (userPassword) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "userPassword" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: anonymous Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying auth(=xd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: auth(=xd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access denied by auth(=xd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: no more rules Feb 14 16:58:13 openldaphost slapd[8673]: send_search_entry: conn 366 access to attribute userPassword, value #0 not allowed Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uidNumber" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uidNumber Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uidNumber) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uidNumber" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "uid" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr uid Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (uid) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "uid" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access to "uid=test1,ou=test,ou=Users,dc=example,dc=com" "gidNumber" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_get: [2] attr gidNumber Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: result not in cache (gidNumber) Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: access to entry "uid=test1,ou=test,ou=Users,dc=example,dc=com", attr "gidNumber" requested Feb 14 16:58:13 openldaphost slapd[8673]: => acl_mask: to value by "", (=0) Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: cn=admin,dc=example,dc=com Feb 14 16:58:13 openldaphost slapd[8673]: <= check a_dn_pat: * Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] applying read(=rscxd) (stop) Feb 14 16:58:13 openldaphost slapd[8673]: <= acl_mask: [2] mask: read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => slap_access_allowed: read access granted by read(=rscxd) Feb 14 16:58:13 openldaphost slapd[8673]: => access_allowed: read access granted by read(=rscxd) -- Charles de Gaulle<http://www.brainyquote.com/quotes/authors/c/charles_de_gaulle.html> - "The better I get to know men, the more I find myself loving dogs."

1 0

Expiration of root CA
by Philippe Bloix 12 Feb '10

12 Feb '10

Hi, My root CA will expire soon. What is the best method to avoid break between ldap server and ldap client communication? If i create a new root CA, then i will have to copy this new root CA on each ldap client (several hundred). In this case, is it possible to switch from the old root CA to the new root CA without a break between server and client? How? Regards Philippe

2 2

Re: Where is DB_CONFIG file?
by Echedey Lorenzo 12 Feb '10

12 Feb '10

Hi, The method suggested by Quanah worked perfectly. I also find very useful the information given by Dieter since I'll take of creating a DB_CONFIG file in new deployments. My last question has to be with db_checkpoint. Should I call it periodically or will Berkeley delete logs by its own? Thanks a lot 2010/2/12 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Thursday, February 11, 2010 7:21 PM +0100 Dieter Kluenter < > dieter(a)dkluenter.de> wrote: > > Quanah Gibson-Mount <quanah(a)zimbra.com> writes: >> >> ----- Echedey Lorenzo <echedey(a)gmail.com> wrote: >>> >>>> I think the best option, as you suggest, is to recreate >>>> everything. Is it enough to remove all /var/lib/ldap contents, >>>> restart the ldap service, and populate all again? My intention is to >>>> have 8M entries as max. >>>> >>>> Thanks for your help >>>> >>>> >>> There is zero need to recreate everything. Dieter is wrong. Simply >>> stop slapd, create the DB_CONFIG file, run db_recover to regenerate >>> the bdb database profile, then start slapd. This has been the standard >>> way to do this since OpenLDAP 2.1. Dieter should know this. >>> >> >> I have experienced some problems in the past, that's why I prefer a >> clean recreation. >> > > Then you should have collected data and filed an ITS. I've never had a > problem in nearly 10 years of configuring and modifying DB_CONFIG files back > to 2.1.4 when it's done correctly. > > --Quanah > > -- > > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- -------------------------------------------- | Echedey Lorenzo Arencibia | --------------------------------------------

2 1

Brining up replication with an already live server?
by Adam Tauno Williams 12 Feb '10

12 Feb '10

I have two DSAs of the same version (2.4.20). One is empty and the other is stand-alone. I want to configure multi-master; can I add the syncrepl directives to the live server and then bring up the other server and add the syncrepl directives - will the second server then syncronize with the live server (which already contains configuration, etc...). Or do I need to start with two empty DSAs? -- Adam Tauno Williams <awilliam(a)whitemice.org> LPIC-1, Novell CLA <http://www.whitemiceconsulting.com> OpenGroupware, Cyrus IMAPd, Postfix, Samba

2 2

Where is DB_CONFIG file?
by Echedey Lorenzo 11 Feb '10

11 Feb '10

Hi, I'm new to this mailing list. I have a simple question... I have deployed a huge subscriber ldap database with more than 400 000 entries in a SUSE machine installing OpenLDAP with Yast. I've found huge log files in /var/lib/ldap that I cannot delete. Google says that I should tune my DB_CONFIG file to optimize the use of the the Berkeley backend, but I don't find this file. Should I create it? Thanks a lot -- -------------------------------------------- | Echedey Lorenzo Arencibia | --------------------------------------------

3 8

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2010