libldap mutex hang on ldap_int_sasl_mutex
by Jeremiah Martell
I'm using openldap-2.4.18, library libldap_r.
I have three Windows Active Directory servers set up:
childA.parent.example.com
parent.example.com
childB.parent.example.com
I do a LDAP+GSSAPI bind to childA.parent.example.com.
The bind succeeds.
I do a search that returns referrals, (I know I need to be referred to
parent, and then childB in order to find my result),
and I have openldap follow referrals for me.
My rebind proc is a function that only calls:
ldap_sasl_interactive_bind_s( ld, NULL, NULL, NULL, NULL,
LDAP_SASL_AUTOMATIC, sasl_driver, params );
where sasl_driver and params are the same parameters that I used for
the initial bind call to childA.
After the search call, the debug output looks like this:
> ldap_chase_v3referrals, where ref[0] = parent.example.com
> myGSSAPIrebindProc
> ldap_sasl_interactive_bind_s
< ldap_sasl_interactive_bind_s
< myGSSAPIrebindProc
< ldap_chase_v3referrals
> ldap_chase_v3referrals, where ref[0] = childB.parent.example.com
> myGSSAPIrebindProc
> ldap_sasl_interactive_bind_s
> ldap_chase_v3referrals, where ref[0] = childA.parent.example.com
< ldap_chase_v3referrals
> ldap_chase_v3referrals, where ref[0] =
ForestDnsZones.parent.example.com
> myGSSAPIrebindProc
> ldap_sasl_interactive_bind_s ... HANG ON MUTEX
Since this is hanging on a mutex, that would suggest a code bug.
Perhaps the ldap_int_sasl_mutex needs to be a recursive mutex?
Or should my rebind proc do something different than call
ldap_sasl_interactive_bind_s?
Any other ideas appreciated too.
Thanks,
- Jeremiah
13 years, 2 months
ldap
by Patrick Mburu
Hi all,
I have been trying to work with my .ldif file, which looks like the one below, but I get an error. All services are started in this scenario.
My ldif file
dn: dc=mycompany,dc=COM
objectclass: dcObject
objectclass: organization
o: mycompany
dc: mycompany

dn: cn=root,dc=mycompany,dc=COM
objectclass: organizationalRole
cn: root
Error
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="dc=mycompnaye,dc=com" (line=6): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
What am I not getting right? Urgent help needed.
13 years, 2 months
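The DB_KEYEXIST failure above is slapadd refusing a DN that is already stored, and the posted LDIF is also easy to get structurally wrong (entries must be separated by a blank line, folded values must start with a space). The checker below is an added example, not anything from the thread or from OpenLDAP: it parses an LDIF file, reports duplicate DNs and DNs outside the database suffix, and rejects entries that are not properly separated; the sample LDIF is constructed to resemble the posted file.

```python
import re
# Constructed sample like the posted file, plus a repeated root entry at the end so the duplicate-DN check has something to find.
SAMPLE_LDIF = """\
dn: dc=mycompany,dc=COM
objectclass: dcObject
objectclass: organization
o: mycompany
dc: mycompany

dn: cn=root,dc=mycompany,dc=COM
objectclass: organizationalRole
cn: root

dn: dc=mycompany,dc=COM
"""

def normalize_dn(dn):
    """Case-fold and trim RDNs so 'dc=X,dc=COM' and 'dc=x, dc=com' compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Return [(line_no, [(attr, value), ...])]; attrs[0] is the entry's dn."""
    entries, cur = [], None
    for no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):                # LDIF comment
            continue
        if line == "":                          # blank line terminates an entry
            if cur:
                entries.append(cur)
            cur = None
        elif line.startswith(" "):              # RFC 2849 folded continuation
            if cur is None:
                raise ValueError(f"line {no}: folded line outside an entry")
            attr, val = cur[1][-1]
            cur[1][-1] = (attr, val + line[1:])
        else:                                   # base64 (::) values stay undecoded
            m = re.match(r"([A-Za-z][\w.;-]*):\s*(.*)", line)
            if not m:
                raise ValueError(f"line {no}: not an 'attr: value' line: {line!r}")
            attr, val = m.groups()
            if (cur is None) != (attr.lower() == "dn"):
                raise ValueError(f"line {no}: 'dn:' must start each entry, with a blank line between entries")
            if cur is None:
                cur = (no, [])
            cur[1].append((attr, val))
    if cur:
        entries.append(cur)
    return entries

def check_ldif(text, suffix):
    """Return a list of problems; empty means the LDIF looks fit for slapadd."""
    problems, seen, want = [], {}, normalize_dn(suffix)
    for no, attrs in parse_ldif(text):
        dn, key = attrs[0][1], normalize_dn(attrs[0][1])
        if key in seen:         # slapadd refuses a dn already in the database
            problems.append(f"line {no}: duplicate dn {dn!r}, first seen at line {seen[key]}")
        seen.setdefault(key, no)
        if key != want and not key.endswith("," + want):
            problems.append(f"line {no}: dn {dn!r} is outside the database suffix {suffix!r}")
    return problems
```

A duplicate reported here means the entry is already in the database (for example from an earlier slapadd run), so the fix is to clear the database directory or drop the entry from the file rather than to edit the DN.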
Starting OpenLDAP: slapd - failed: Unrecognized database type (bdb)..Help required!
by Shamika Joshi
I'm a beginner with OpenLDAP, and trying to bring up an LDAP server on
Ubuntu Server with Berkeley db-4.8.26 installed gives the following error on
starting the slapd service. Previously I have done successful configuration
on RHEL and Fedora, but for some reason it is not working for me on Ubuntu
Server.
Could someone throw some light on this? Am I missing something?
shamika@ns1:/etc/ldap$ sudo /etc/init.d/slapd start
Starting OpenLDAP: slapd - failed:
Unrecognized database type (bdb)
shamika@ns1:~$ uname -msrnv
Linux ns1.cmsqalab.com 2.6.31-14-server #48-Ubuntu SMP Fri Oct 16 15:07:34
UTC 2009 x86_64
Snapshot from /var/log/syslog
Mar 29 19:41:47 x6u slapd[17730]: @(#) $OpenLDAP: slapd 2.4.18 (Sep 8 2009
17:47:22) $#012#011buildd@crested
:/build/buildd/openldap-2.4.18/debian/build/servers/slapd
Mar 29 19:41:49 x6u slapd[17730]: /etc/ldap/slapd.conf: line 88: <database>
failed init (bdb)
Mar 29 19:41:49 x6u slapd[17730]: slapd stopped.
Mar 29 19:41:49 x6u slapd[17730]: connections_destroy: nothing to destroy.
Here is my slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
#include /etc/ldap/schema/dnszone.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
access to * by * write
# access to *
# by self write
# by users read
## by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix dc=cmsqalab,dc=com
rootdn cn=Manager,dc=cmsqalab,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}+1DFJ0tLWAd1u3zDUw04rDtnwPKbEFy9
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/cmsqalab.com
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
13 years, 2 months
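On Debian and Ubuntu builds of slapd the backends are loadable modules rather than compiled in, so a slapd.conf carried over from RHEL or Fedora (which the commented `# modulepath /usr/lib/openldap` lines suggest) fails with exactly "Unrecognized database type (bdb)" until the module is loaded. The fragment below is an added example, not the poster's file: it shows the two lines that must precede `database bdb` (the module directory `/usr/lib/ldap` is the Ubuntu package default and is assumed here) and places the posted `access to * by * write` beside the tighter form the file's own comments describe.

```conf
# Added fragment, not the poster's slapd.conf. On Debian/Ubuntu slapd the
# backends are built as loadable modules, so "database bdb" is unknown until
# the module is loaded; RHEL/Fedora packages compile it in, which is why the
# same file worked there. The module directory is assumed to be the package
# default.
modulepath /usr/lib/ldap
moduleload back_bdb

# As posted: any client, anonymous ones included, may write every entry.
# access to * by * write
# Tighter form from the file's own comments: users edit their own entry,
# authenticated users read, anonymous clients may only authenticate.
# rootdn bypasses ACLs either way.
access to *
        by self write
        by users read
        by anonymous auth

database bdb
suffix dc=cmsqalab,dc=com
rootdn cn=Manager,dc=cmsqalab,dc=com
directory /var/lib/ldap/cmsqalab.com
```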
Where to start a migration from passwd/shadow/smbpasswd to openldap
by Götz Reinicke - IT-Koordinator
Hi,
a couple of weeks ago I started to learn ldap and set up some test
servers with the latest openldap for centos 5.4. I learned about
schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge
about the technical fundamentals.
The primary goal is to have the login information for our mail and
fileserver system in one place.
Right now we do use sendmail, dovecot and samba.
After testing some of the migration tools for migrating posix and
sambaSam accounts, I was asking myself: what is the best way to start
the migration? Right now the directory is completely empty, so I can
start from scratch.
Both types of accounts do have different attributes and furthermore I'd
like to use some inetOrgPerson/organizationalPerson attributes.
So should I first run the smbldaptool or first fill the directory with
the migrate_....sh script?
Thanks for any suggestion or comment or pointing me to any how to/doc.
Best regards,
Götz
--
Götz Reinicke
IT-Koordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke(a)filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner
Staatsrätin für Demographischen Wandel und für Senioren im Staatsministerium
Geschäftsführer:
Prof. Thomas Schadt
13 years, 2 months
Re: Re: Re: Pre-requisites to enable SSL/TLS in OpenLDAP 2.4
by Arun Srinivasan
Thanks, Quanah and Dieter. I was able to successfully link the TLS/SSL libraries with slapd after installing the openssl-devel package. Thanks for your help, guys.
But I do have one query: when I used the command below, even though configure found the OpenSSL libraries, it gave the warning "Checking gnutls.h ... no"
Configure: warning: Could not locate TLS/SSL libraries.
Then, when I removed the CPPFLAGS and LDFLAGS linking the OpenSSL libraries, everything worked fine.
Is there any reason why the OpenLDAP configure refers to gnutls?
env CPPFLAGS="-I/usr/local/ssl/include -I/usr/local/BerkeleyDB.4.8/include" LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.8/lib -R/usr/local/BerkeleyDB.4.8/lib -L/usr/local/ssl/lib" LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib" ./configure --with-tls
> Did you actually install the openssl-dev RPM package? You must have
> the headers and linking libraries on the system so that OpenLDAP can
> actually link against it. And yes, you'll have to rebuild OpenLDAP.
> I would suggest just running "configure" until you see that it
> successfully found the TLS/SSL headers/libraries.
13 years, 2 months
Re: Problem with getent passwd
by Tyler Gates
Actually I misspoke earlier - I meant run the command 'setup' from the
terminal and select authentication. From there you should see "User
Information" and "Authentication" columns. Just check LDAP in "User
Information" and you should see getent populate the passwords.
That normally does the trick. Pretty simple, but if that doesn't work
I'd check that your /etc/ldap.conf is set up correctly (I mostly have to just
add the host information and base dn). Otherwise your LDAP server
doesn't have the attributes it's expecting from its queries to generate
user account information.
On 03/24/2010 08:09 AM, Lynn York wrote:
> Here is my /etc/pam.d/system-auth file
>
> cat /etc/pam.d/system-auth
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> Also, when I ran authconfig, that didn’t help. The server still queries the
> ldap server, but the users don’t actually show when I run getent passwd…..
> could it be something with the rwm mappings?
>
> *From:* Tyler Gates [mailto:tgates81@gmail.com]
> *Sent:* Tuesday, March 23, 2010 8:26 PM
> *To:* Lynn York
> *Subject:* Re: Problem with getent passwd
>
> Sounds like it's a problem with your client side pam_ldap authentication.
> There's a whole bunch of steps to get that working, just google it. If you
> have a redhat variant authconfig or setup will step you through it. It would
> help if you could post your system_auth file.
>
> On Mar 23, 2010, at 11:40 AM, Lynn York <lynn.york(a)mavenwire.com> wrote:
>
> Hello,
>
> When I issue “getent passwd” I can see it query the ldap
> server for all the information and the server is returning the correct
> information. However, “getent passwd” doesn’t actually show the users that
> are in ldap. I am not sure where my problem might be. Can anyone offer any
> suggestions on where to look?
>
> Lynn York II
> MavenWire Hosting Admin
> www.mavenwire.com
> (866) 343-4870 x717
>
> MavenWire - We DELIVER
> http://www.mavenwire.com
>
> This e-mail and any attached files may contain confidential and/or
> privileged material for the sole use of the intended recipient. Any review,
> use, distribution or disclosure by others is strictly prohibited. If you are
> not the intended recipient (or authorized to receive this e-mail for the
> recipient), you may not review, copy or distribute this message. Please
> contact the sender by reply e-mail and delete all copies of this message.
13 years, 2 months
Problems using OpenLDAP with Active Directory
by Mike Leone
I'm trying to configure lib-nss to use OpenLDAP against my Active
Directory. But I seem to be having lots of problems even getting it to
search properly. I have Samba all properly configured for AD - it's
properly joined to the AD domain, and all seems to be working fine. Now
I'd like to investigate using OpenLDAP to authenticate against AD.
AD server = 10.0.0.60
AD server name = dim-win2300.dacrib.local
AD domain name = DaCrib.local
AD Win2003 SP2 (with Services for Unix installed)
Linux server:
IP = 10.0.0.20
Ubuntu 9.04
OpenLDAP 2.4.2 (from repository)
Here's the /etc/ldap/ldap.conf:
------------------------
host 10.0.0.60
base dc=DaCrib,dc=local
binddn CN=Administrator,CN=Users,dc=DaCrib,dc=local
bindpw XXXXX
# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt
nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-data
--------------------------
Here's what an "ldapsearch" gives me: (command line will wrap in email)
--------------------------
ldapsearch -v -x -H ldap://10.0.0.60 "(objectClass=posixAccount)" sAMAccountName
ldap_initialize( ldap://10.0.0.60:389/??base )
filter: (objectClass=posixAccount)
requesting: sAMAccountName
# extended LDIF
#
# LDAPv3
# base <dc=DaCrib,dc=local> (default) with scope subtree
# filter: (objectClass=posixAccount)
# requesting: sAMAccountName
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on the connection.,
data 0, vece
# numResponses: 1
----------------------------
So the question is ... why is it failing to bind?
No firewalls are running on either server (at the moment). It should
bind anonymously (I think). I tried turning up the debug level on the
ldapsearch, but that told me nothing I could understand. :-) I tried
"-W" so it would prompt for a password, but it says "invalid
credentials", even though I have verified the password of the
Administrator account.
From Windows, I can run ldp and bind (as administrator) and search with
no problems. Similarly, I can use the command line utility "adfind" and
search without issues, without binding.
So I've got something screwy in my ldap.conf, but I can't figure out where.
Thoughts?
13 years, 2 months
Followup: using OpenLDAP with Active Directory
by Mike Leone
So I've made *some* progress. I created a new user in AD, and used this
new account to bind with. And, using simple authentication and password
prompting, my search worked correctly:
ldapsearch -Hldap://dim-win2300.dacrib.local -tt -x -D "ldap-proxy(a)dacrib.local" -b "dc=dacrib,dc=local" -W -L "(objectClass=user)" dn
However, I can't seem to get it to work, if I don't specify the ID and
password to bind with:
----------------------------
ldapsearch -v -x -Hldap://dim-win2300.dacrib.local "(objectClass=user)" sAMAccountName
ldap_initialize( ldap://dim-win2300.dacrib.local:389/??base )
filter: (objectClass=user)
requesting: sAMAccountName
# extended LDIF
#
# LDAPv3
# base <dc=DaCrib,dc=local> (default) with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform
this operation a successful bind must be completed on the connection.,
data 0, vece
# numResponses: 1
--------------------------
I thought perhaps the problem was that SASL was interfering, so I tried
to turn it off in ldap.conf, but that didn't seem to work.
As an aside, where does ldap.conf live, in Ubuntu 9.04? I have 2, one in
/etc and one in /etc/ldap. And I don't know which one (if either) is
being read ... is there any way to tell which one is in use?
-------------------
host 10.0.0.60
base dc=DaCrib,dc=local
#binddn CN=ldap-proxy,CN=Users,DC=DaCrib,DC=local
binddn ldap-proxy(a)dacrib.local
bindpw XXXXXXXX
use_sasl off
SASL_SECPROPS none
SSL no
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# rootbinddn cn=Administrator,dc=dacrib,dc=local
# RFC 2307 (AD) mappings
# <to> <from>
nss_map_attribute userPassword sambaPassword
nss_map_attribute gecos name
nss_map_attribute uid unixName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
pam_filter objectclass=User
pam_password crypt
nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-data
-----------------------
Anyone? I feel I am close, but can't figure out why doing it
interactively from the command line binds and searches, and relying on
the ldap.conf to supply that information does not ...
Thanks
13 years, 2 months
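Why the interactive ldapsearch in the followup binds while the ldap.conf settings do nothing for it, as an added illustration covering both of Mike Leone's posts rather than anything from the thread: Ubuntu ships two unrelated files named ldap.conf, and the one ldapsearch reads has no keyword for a bind password, so `-x` without `-D`/`-W` is an anonymous bind, which the AD domain controller rejects for searches with the "successful bind must be completed" text shown. The hostnames and bind identity are the poster's; the rest of the two files is assumed, and "(a)" in the archived post is taken to be an obfuscated "@".

```conf
# /etc/ldap/ldap.conf -- libldap client defaults, read by ldapsearch and the
# other ldap* tools. It carries no bind password at all, so "ldapsearch -x"
# without -D/-W binds anonymously; the AD server then answers the search
# with "In order to perform this operation a successful bind must be
# completed on the connection".
BASE    dc=dacrib,dc=local
URI     ldap://dim-win2300.dacrib.local

# /etc/ldap.conf -- nss_ldap / pam_ldap configuration, consulted by the
# NSS and PAM modules (getent, login), never by ldapsearch. This is where
# binddn, bindpw and the nss_map_* lines take effect. Because the password
# is stored in clear, use a low-privilege read-only account such as the
# ldap-proxy user the poster created, and keep the file mode 600.
host    10.0.0.60
base    dc=DaCrib,dc=local
binddn  ldap-proxy@dacrib.local
bindpw  PLACEHOLDER_ldap_proxy_password
ssl     no
nss_map_attribute   uid          unixName
nss_map_attribute   gecos        name
nss_map_objectclass posixGroup   group
pam_filter          objectclass=User
```

To reproduce from the shell what nss_ldap does with this file, pass the same identity explicitly: `ldapsearch -x -H ldap://dim-win2300.dacrib.local -D ldap-proxy@dacrib.local -W -b dc=dacrib,dc=local "(objectClass=user)"`.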
syncrepl connection / reconnect
by Thorsten Mueller
Hi,
I am using two slapd 2.4.20 in mirror mode. Everything seems to work fine. When I shut down slapd_A, I can see the connection retries in the log of B. After restarting A everything is fine. Replication works in both directions.
When I switch off the machine hosting A, B does not log anything. After starting machine A, replication only works from B to A and not from A to B. Only after restarting slapd_B the connection is reestablished and the changes are synced. I see the same behavior, if I just do a "ifconfig eth0 down". The remaining slapd seems not to recognize a loss of the network connection.
Is this a bug in openldap, or a configuration issue on my side?
Thanks,
Thorsten
13 years, 2 months