March 2010 - openldap-technical

libldap mutex hang on ldap_int_sasl_mutex

by Jeremiah Martell

I'm using openldap-2.4.18, library libldap_r. I have three windows active directory servers setup: childA.parent.example.com parent.example.com childB.parent.example.com I do a LDAP+GSSAPI bind to childA.parent.example.com. The bind succeeds. I do a search that returns referrals, (I know I need to be referred to parent, and then childB in order to find my result), and I have openldap follow referrals for me. My rebind proc is a function that only calls: ldap_sasl_interactive_bind_s( ld, NULL, NULL, NULL, NULL, LDAP_SASL_AUTOMATIC, sasl_driver, params ); where sasl_driver and params is the same parameters that I used for the initial bind call to childA. After the seach call, the debug it looks like this: > ldap_chase_v3referrals, where ref[0] = parent.example.com > myGSSAPIrebindProc > ldap_sasl_interactive_bind_s < ldap_sasl_interactive_bind_s < myGSSAPIrebindProc < ldap_chase_v3referrals > ldap_chase_v3referrals, where ref[0] = childB.parent.example.com > myGSSAPIrebindProc > ldap_sasl_interactive_bind_s > ldap_chase_v3referrals, where ref[0] = childA.parent.example.com < ldap_chase_v3referrals > ldap_chase_v3referrals, where ref[0] = ForestDnsZones.parent.example.com > myGSSAPIrebindProc > ldap_sasl_interactive_bind_s ... HANG ON MUTEX Since this is hanging on a mutex, that would suggest a code bug. Perhaps the ldap_int_sasl_mutex needs to be a recursive mutex? Or should my rebind proc do something different than call ldap_sasl_interactive_bind_s? Any other ideas appreciated too. Thanks, - Jeremiah

13 years, 2 months

1
0
0 / 0

ldap

by Patrick Mburu

Hi all, I have been trying to work with my .ldif file which looks like below but i get an error: All Services are started in this scenario; My ldif file dn: dc=mycompany,dc=COM objectclass: dcObject objectclass: organization o: mycompany dc: mycompany dn: cn=root,dc=mycompany,dc=COM objectclass: organizationalRole cn: root Error => bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996) => bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996) slapadd: could not add entry dn="dc=mycompnaye,dc=com" (line=6): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996) What am i not getting right, urgent help needed.

13 years, 2 months

2
1
0 / 0

Starting OpenLDAP: slapd - failed: Unrecognized database type (bdb)..Help required!

by Shamika Joshi

I'm a beginner with Openldap & trying to bring up LDAP server on UbuntuServer with Berkleys db-4.8.26 installed gives following error on starting the slapd service. Previously I have done sucessful configuration on RHEL & Fedora but for some reason it is not working for me on Ubuntu server. Could someone throw some light on this? Am I missing something? shamika@ns1:/etc/ldap$ sudo /etc/init.d/slapd start Starting OpenLDAP: slapd - failed: Unrecognized database type (bdb) shamika@ns1:~$ uname -msrnv Linux ns1.cmsqalab.com 2.6.31-14-server #48-Ubuntu SMP Fri Oct 16 15:07:34 UTC 2009 x86_64 Snapshot from /var/log/syslog Mar 29 19:41:47 x6u slapd[17730]: @(#) $OpenLDAP: slapd 2.4.18 (Sep 8 2009 17:47:22) $#012#011buildd@crested :/build/buildd/openldap-2.4.18/debian/build/servers/slapd Mar 29 19:41:49 x6u slapd[17730]: /etc/ldap/slapd.conf: line 88: <database> failed init (bdb) Mar 29 19:41:49 x6u slapd[17730]: slapd stopped. Mar 29 19:41:49 x6u slapd[17730]: connections_destroy: nothing to destroy. Here is my slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/nis.schema #include /etc/ldap/schema/dnszone.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib/openldap # modules available in openldap-servers-overlays RPM package: # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la # moduleload syncprov.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la access to * by * write # access to * # by self write # by users read ## by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix dc=cmsqalab,dc=com rootdn cn=Manager,dc=cmsqalab,dc=com # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg rootpw {SSHA}+1DFJ0tLWAd1u3zDUw04rDtnwPKbEFy9 # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/cmsqalab.com # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub 69,1 91%

13 years, 2 months

2
1
0 / 0

OpenLDAP Manual/ Broken Links.

by Dzmitry Stremkouski

Hello guys. The part of OpenLDAP Manual (wich can be found here - http://www.openldap.org/doc/admin23/schema.html) contains a lot of broken links. Please correct. FE: http://www.alvestrand.no/harald/objectid/ - dead A: http://www.bsa-global.com/ - dead (doesn't look good enough for global OID authority) A: http://www.iana.org/cgi-bin/enterprise.pl - should be (redirect, but futher, IMHO, will be dead, try http://pen.iana.org/pen/PenApplication.page) Thanks. -- <pre> (o_ - Dzmitry Stremkouski. //\ - cel: +7 (916) 090-85-68 V_/_- web: http://mitroko.com </pre>

13 years, 2 months

2
1
0 / 0

Where to start a migration from passwd/shadow/smbpasswd to openldap

by Götz Reinicke - IT-Koordinator

Hi, a couple of weeks ago I started to learn ldap and set up some test servers with the latest openldap for centos 5.4. I learned about schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge about the technical fundamentals. The primary goal is to have the login information for our mail and fileserver system in one place. Right now we do use sendmail, dovecot and samba. After testing some of the migration tools for migrating posix and sambaSam accounts, I was asking myselve: what is the best way to start the migration? Right now the directory is completely empty, so I can start from scratch. Both types of accounts do have different attributes and furthermore I'd like to use some inetOrgPerson/organizationalPerson attributes. So should I first run the smbldaptool or first fill the directory with the migrate_....sh script? Thanks for any suggestion or comment or pointing me to any how to/doc. Best regards, Götz -- Götz Reinicke IT-Koordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke(a)filmakademie.de Filmakademie Baden-Württemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzende des Aufsichtsrats: Prof. Dr. Claudia Hübner Staatsrätin für Demographischen Wandel und für Senioren im Staatsministerium Geschäftsführer: Prof. Thomas Schadt

13 years, 2 months

3
4
0 / 0

Re: Re: Re: Pre-requisites to enable SSL/TLS in OpenLDAP 2.4

by Arun Srinivasan

Thanks, Quanah and Dieter. I was able successfully link TLS/SSL libraries with slapd after installing openssl-devel package. Thanks for your help guys. But I do have one query: when I used the below command, eventhough configure found the openssl libraries, it gave the warning as "Checking gnutls.h ... no" Configure: warning: Could not locate TLS/SSL libraries. Then, when I removed the CPPFLGAS and LDDFLAGS linking openssl libraries, then all worked fine. Is there any reason, why the openldap configure refers the gnutls ?? env CPPFLAGS="-I/usr/local/ssl/include -I/usr/local/BerkeleyDB.4.8/include" LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.8/lib -R/usr/local/BerkeleyDB.4.8/lib -L/usr/local/ssl/lib" LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib" ./configure --with-tls > Did you actually install the openssl-dev RPM package? You must have > the headers and linking libraries on the system so that OpenLDAP can > actually link against it. And yes, you'll have to rebuild OpenLDAP. > I would suggest just running "configure" until you see that it > successfully found the TLS/SSL headers/libraries.

13 years, 2 months

1
0
0 / 0

Re: Problem with getent passwd

by Tyler Gates

Actually I misspoke earlier -I meant run the command 'setup' from the terminal and select authentication. From there you should see "User Information" and "Authentication" columns. Just check LDAP in "User Information" and you should see getent populate the passwords. That normally does the trick.. pretty simple but if that doesn't work I'd check your /etc/ldap.conf is setup correctly (I mostly have to just add the host information and base dn). Other wise your LDAP server doesn't have the attributes its' expecting from its queries to generate user account information. On 03/24/2010 08:09 AM, Lynn York wrote: > Here is my /etc/pam.d/system-auth file > > > > cat /etc/pam.d/system-auth > > #%PAM-1.0 > > # This file is auto-generated. > > # User changes will be destroyed the next time authconfig is run. > > auth required pam_env.so > > auth sufficient pam_unix.so nullok try_first_pass > > auth requisite pam_succeed_if.so uid >= 500 quiet > > auth sufficient pam_ldap.so use_first_pass > > auth required pam_deny.so > > > > account required pam_unix.so broken_shadow > > account sufficient pam_succeed_if.so uid < 500 quiet > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > > account required pam_permit.so > > > > password requisite pam_cracklib.so try_first_pass retry=3 > > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > > password sufficient pam_ldap.so use_authtok > > password required pam_deny.so > > > > session optional pam_keyinit.so revoke > > session required pam_limits.so > > session [success=1 default=ignore] pam_succeed_if.so service in crond > quiet use_uid > > session required pam_unix.so > > session optional pam_ldap.so > > > > > > Also, when I ran authconfig, that didn’t help. The server still queries the > ldap server, but the users don’t actually show when I run getent passwd….. > could it be something with the rwm mappings? > > > > *From:* Tyler Gates [mailto:tgates81@gmail.com] > *Sent:* Tuesday, March 23, 2010 8:26 PM > *To:* Lynn York > *Subject:* Re: Problem with getent passwd > > > > Sounds like it's a problem with your client side pam_ldap authentication. > There's a whole buch of steps to get that working, just google it. If you > have a redhat variant authconfig or setup will step you through it. It would > help if you could post your system_auth file. > > On Mar 23, 2010, at 11:40 AM, Lynn York <lynn.york(a)mavenwire.com> wrote: > > Hello, > > > > When I issue “getent passwd” I can see it query the ldap > server for all the information and the server is returning the correct > information. However, “getent passwd” doesn’t actually show the users that > are in ldap. I am not sure where my problem might be. Can anyone offer any > suggestions on where to look? > > > > Lynn York II > > MavenWire Hosting Admin > > www.mavenwire.com > > (866) 343-4870 x717 > > > > MavenWire - We DELIVER > > http://www.mavenwire.com > > > > This e-mail and any attached files may contain confidential and/or > privileged material for the sole use of the intended recipient. Any review, > use, distribution or disclosure by others is strictly prohibited. If you are > not the intended recipient (or authorized to receive this e-mail for the > recipient), you may not review, copy or distribute this message. Please > contact the sender by reply e-mail and delete all copies of this message. > > > > MavenWire - We DELIVER > > http://www.mavenwire.com > > > > This e-mail and any attached files may contain confidential and/or > privileged material for the sole use of the intended recipient. Any > review, use, distribution or disclosure by others is strictly > prohibited. If you are not the intended recipient (or authorized to > receive this e-mail for the recipient), you may not review, copy or > distribute this message. Please contact the sender by reply e-mail > and delete all copies of this message. > > MavenWire - We DELIVER > http://www.mavenwire.com > > This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message. > >

13 years, 2 months

3
6
0 / 0

Problems using OpenLDAP with Active Directory

by Mike Leone

I'm trying to configure lib-nss to use OpenLDAP against my Active Directory. But I seem to be having lots of problems even getting it to search properly. I have Samba all properly configured for AD - it's properly joined to the AD domain, and all seems to be working fine. Now I'd like to investigate using OpenLDAP to authenticate against AD. AD server = 10.0.0.60 AD server name = dim-win2300.dacrib.local AD domain name = DaCrib.local AD Win2003 SP2 (with Services for Unix installed0 Linux server: IP = 10.0.0.20 Ubuntu 9.04 OpenLDAP 2.4.2 (from repository) Here's the /etc/ldap/ldap.conf: ------------------------ host 10.0.0.60 base dc=DaCrib,dc=local binddn CN=Administrator,CN=Users,dc=DaCrib,dc=local bindpw XXXXX # RFC 2307 (AD) mappings # <to> <from> nss_map_attribute userPassword sambaPassword nss_map_attribute gecos name nss_map_attribute uid unixName nss_map_attribute shadowLastChange pwdLastSet nss_map_objectclass posixGroup group pam_filter objectclass=User pam_password crypt nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys, syslog,uucp,www-data -------------------------- Here's what an "ldapsearch" gives me: (command line will wrap in email) -------------------------- ldapsearch -v -x -H ldap://10.0.0.60 "(objectClass=posixAccount)" sAMAccountName ldap_initialize( ldap://10.0.0.60:389/??base ) filter: (objectClass=posixAccount) requesting: sAMAccountName # extended LDIF # # LDAPv3 # base <dc=DaCrib,dc=local> (default) with scope subtree # filter: (objectClass=posixAccount) # requesting: sAMAccountName # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece # numResponses: 1 ---------------------------- So the question is ... why is it failing to bind? No firewalls are running on either server (at the moment). It should bind anonymously (I think). I tried turning up the debug level on the ldapsearch, but that told me nothing I could understand. :-) I tried "-W" so it would prompt for a password, but it says "invalid credentials", even thought I have verified the password of the Administrator account. From Windows, I can run ldp and bind (as administrator) and search with no problems. Similarly, I can use the command line utility "adfind" and search without issues, without binding. So I've got something screwy in my ldap.conf, but I can't figure out where. Thoughts?

13 years, 2 months

2
2
0 / 0

Followup: using OpenLDAP with Active Directory

by Mike Leone

So I've made *some* progress. I created a new user in AD, and used this new account to bind with. And, using simple authentication and password prompting, my search worked correctly: ldapsearch -Hldap://dim-win2300.dacrib.local -tt -x -D "ldap-proxy(a)dacrib.local" -b "dc=dacrib,dc=local" -W -L "(objectClass=user)" dn However, I can't seem to get it to work, if I don't specify the ID and password to bind with: ---------------------------- ldapsearch -v -x -Hldap://dim-win2300.dacrib.local "(objectClass=user)" sAMAccountName ldap_initialize( ldap://dim-win2300.dacrib.local:389/??base ) filter: (objectClass=user) requesting: sAMAccountName # extended LDIF # # LDAPv3 # base <dc=DaCrib,dc=local> (default) with scope subtree # filter: (objectClass=user) # requesting: sAMAccountName # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece # numResponses: 1 -------------------------- I thought perhaps the problem was that SASL was interferring, so I tried to turn it off in ldap.conf, but that didn't seem to work. As an aside, where does ldap.conf live, in Ubuntu 9.04? I have 2, one in /etc and one in /etc/ldap. And I don't know which one (if either) is being read ... is there any way to tell which one is in use? ------------------- host 10.0.0.60 base dc=DaCrib,dc=local #binddn CN=ldap-proxy,CN=Users,DC=DaCrib,DC=local binddn ldap-proxy(a)dacrib.local bindpw XXXXXXXX use_sasl off SASL_SECPROPS none SSL no # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) # rootbinddn cn=Administrator,dc=dacrib,dc=local # RFC 2307 (AD) mappings # <to> <from> nss_map_attribute userPassword sambaPassword nss_map_attribute gecos name nss_map_attribute uid unixName nss_map_attribute shadowLastChange pwdLastSet nss_map_objectclass posixGroup group pam_filter objectclass=User pam_password crypt nss_initgroups_ignoreusers avahi,backup,bin,daemon,dhcp,dovecot,festival,games,gnats,haldaemon,hplip,irc,klog,li buuid,list,lp,mail,man,messagebus,mysql,news,polkituser,postfix,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-d ata ----------------------- Anyone? I feel I am close, but can't figure out why doing it interactively from the command line binds and searches, and relying on the ldap.conf to supply that information does not ... Thanks

13 years, 2 months

1
0
0 / 0

syncrepl connection / reconnect

by Thorsten Mueller

Hi, I am using two slapd 2.4.20 in mirror mode. Everything seem to work fine. When I shut down slapd_A, I can see the connection retries in the log of B. After restarting A everything is fine. Replication works in both directions. When I switch off the machine hosting A, B does not log anything. After starting machine A, replication only works from B to A and not from A to B. Only after restarting slapd_B the connection is reestablished and the changes are synced. I see the same behavior, if I just do a "ifconfig eth0 down". The remaining slapd seems not to recognize a loss of the network connection. Is this a bug in openldap, or a configuration issue on my side? Thanks, Thorsten

13 years, 2 months

3
5
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010