openldap-technical March 2010

openldap-technical@openldap.org

73 participants
87 discussions

brief tips and tricks for running ldaps on slackware
by Meena Ram 11 Mar '10

11 Mar '10

Dear folks: If any one has a brief tips, tricks or cheatsheet for running slapd with SSL/TLS can you please post it. plain ldap works perfect but ldaps search and related stuff seams to have some issues Cheers!!!!!!!!

2 1

Error code -12 with ldap_sasl_bind
by Thilko Richter 11 Mar '10

11 Mar '10

Hello, In the following debug snippet I make an ldap_intit and an ldap_sasl_bind_s afterwards. In the end an unbind follows. My problem is, that I get an error code '-12' for the ldap_sasl_bind. Does anyone has a clue why the bin doesnt work? Mar 8 12:03:06 matrix slapd[3505]: conn=3 fd=15 ACCEPT from IP=[::1]:56601 (IP=[::]:389) Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on 1 descriptor Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on: Mar 8 12:03:06 matrix slapd[3505]: Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=8 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=9 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=10 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on 1 descriptor Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on: Mar 8 12:03:06 matrix slapd[3505]: 15r Mar 8 12:03:06 matrix slapd[3505]: Mar 8 12:03:06 matrix slapd[3505]: daemon: read active on 15 Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=8 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=9 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=10 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: connection_get(15) Mar 8 12:03:06 matrix slapd[3505]: connection_get(15): got connid=3 Mar 8 12:03:06 matrix slapd[3505]: connection_read(15): checking for input on id=3 Mar 8 12:03:06 matrix slapd[3505]: op tag 0x42, time 1268046186 ======== I think here is the problem Mar 8 12:03:06 matrix slapd[3505]: ber_get_next on fd 15 failed errno=0 (Success) Mar 8 12:03:06 matrix slapd[3505]: connection_read(15): input error=-2 id=3, closing. ======== Mar 8 12:03:06 matrix slapd[3505]: connection_closing: readying conn=3 sd=15 for close Mar 8 12:03:06 matrix slapd[3505]: connection_close: deferring conn=3 sd=15 Mar 8 12:03:06 matrix slapd[3505]: conn=3 op=0 do_unbind Mar 8 12:03:06 matrix slapd[3505]: conn=3 op=0 UNBIND Mar 8 12:03:06 matrix slapd[3505]: connection_resched: attempting closing conn=3 sd=15 Mar 8 12:03:06 matrix slapd[3505]: connection_close: conn=3 sd=15 Mar 8 12:03:06 matrix slapd[3505]: daemon: removing 15 Mar 8 12:03:06 matrix slapd[3505]: conn=3 fd=15 closed Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on 1 descriptor Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on: Mar 8 12:03:06 matrix slapd[3505]: Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=8 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=9 active_threads=0 tvp=zero Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=10 active_threads=0 tvp=zero Since I try to build up a ruby Binding for OpenLdap with ffi I dont have c code here, but the ruby snippet is: handle = ldap_init "localhost", 389 res = ldap_sasl_bind_s handle, 'cn=admin,ou=users,dc=thilko,dc=net', '', 'x', nil, nil, nil p " the result: #{res}" and the result is '-12'. Note that I am using ffi, so the function 'ldap_sasl_bind_s' is a call to the native function defined in ldap.h. I try to use LDAP_SASL_SIMPLE. I also tried to use a ber_val struct as password and servercred - the same effect. I stepped through some source code in openLdap, but I dont know where the error code '-12' comes from and where to find some documentation. Thx a lot for help, Thilko

1 0

Is there an "authconfig" tool in ubuntu?
by Zengming Zhang 11 Mar '10

11 Mar '10

Hi everyone: In redhat system there is a tool named "authconfig" which is used to configure user authentication method on clients. What I want to know is that is there a similar tool in ubuntu system? I am going to set up a group system and all client computers are running ubuntu linux. I searched something use google, someone said that they are working on it. But the history of ubuntu is not short, someone must use some similar tools to change user authentication method on ubuntu. Anyone knows something about it? Please let me know! Thanks in advance. -- Zengming Zhang <nicegiving(a)gmail.com>

2 2

Problem getting monitor backend and syncrepl overlay to work
by DeMoNs＠web.de 10 Mar '10

10 Mar '10

Hi all, i have a problem getting openldap to run monitor backend AND syncrepl overlay. i'm running freebsd-7.2-release-p6 in combination with openldap-server-2.4.19 with sasl support compiled in. i use the following slapd config: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/ldapns.schema include /usr/local/etc/openldap/schema/radius.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args logfile /var/log/slapd.log password-hash {SSHA} modulepath /usr/local/libexec/openldap moduleload back_bdb moduleload back_monitor access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to * by ssf=128 dn="cn=admin,dc=example,dc=de" write by dn="cn=admin,dc=example,dc=de" peername.ip=127.0.0.1 write by ssf=96 dn="cn=nssadmin,dc=example,dc=de" read by dn="cn=nssadmin,dc=example,dc=de" peername.ip=127.0.0.1 read by anonymous auth by * none access to attrs=userPassword by self write by anonymous auth by * none database bdb suffix "dc=example,dc=de" rootdn "dc=example,dc=de" directory /var/db/openldap-data index objectClass,entryCSN,entryUUID eq index uid pres,eq,sub index memberUID eq index uidNumber,gidNumber eq index host eq database monitor rootdn "cn=monitoring,cn=Monitor" rootpw monitoring access to dn.subtree="cn=Monitor" by dn="cn=nssadmin,dc=example,dc=de" by * none syncrepl rid=041 provider=ldap://ldap-master.example.de type=refreshOnly interval=00:00:35:00 searchbase="dc=example,dc=de" schemachecking=off bindmethod=simple starttls=yes binddn="cn=syncuser,dc=example,dc=de" credentials="strongsecretpassword" TLSCertificateFile /usr/local/etc/openldap/ssl/ldap-crt.pem TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap-key.pem TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem loglevel 256 now, when i run slaptest i receive following error: /usr/local/etc/openldap/slapd.conf: line 59: database monitor does not support operations required for syncrepl slaptest: bad configuration file! Line 59 corresponds to the credentials option in the synrepl statement. i can't figure out whats wrong, so if anyone can point me in the right direction that would be really helpful. thanks in advance, david

5 4

Steps after Crash
by Jeff Burdon 10 Mar '10

10 Mar '10

Hello, I have two LDAP-Master with refresh and persist configured. Both are located in different countries and the bandwidth between them is only 10Mbit/s. Both masters are used for read and writing entires (writing from the local country), the Setup is running well. But now, somehow one Server is crashing. My application is detecting this and is now writing to the other remote Server in the different country. To recover the crashed server, I stop the slapd with the crashed database, and delete the whole database directory and start the slapd again. The slapd now is syncing with the other remote slapd (present and delete phase). The syncing will take about 1,5 hour. But what will happen during this time. My application is detection that the local slapd is running again and will read an write entires to the this server which is in the syncing state. In this same time, the other server in the remote site is trying to establish the replication to the crashed server who is not fully synchronized, but who may have some new entires. * Can it be, that the remote server now receive false information an gets delete entires during this state? * Do I have (manually) prevent for writing to the syncing server? Can someone help me for this Setup - Especially the recovery procedure? .. Thanx in advance Jeff

1 0

OpenLDAP replicated from Sun One DS 5.2?
by David Jeffress 09 Mar '10

09 Mar '10

Has anyone had any success getting automatic replication working to an openldap from a Sun Directory Server? Our university has a Sun DS that we are not allowed to auth against due to licensing agreements, so we want to replicate that ldap to a secondary ldap to use basically as a provisioning LDAP for all of our external accounts. Has anyone had any success with replicating a Sun DS? Thanks! -- David Jeffress, Applications Analyst Murray State University david.jeffress(a)murraystate.edu

2 1

LDAP_MOD_BVALUES / "Binary option"
by Peter Mogensen 09 Mar '10

09 Mar '10

Hi, I'm trying to make sense of the use of "binary" in misc client API's. Some API's (like perl Net::LDAPapi) seem to offer a "b" option do add/modify operations which controls whether the ";binary" AttributeOption is set on an attribute. For Net::LDAPapi this translates (from what I see in the libldap source) to LDAP_MOD_BVALUES But when reading the sources and RFC it seems to me that LDAP_MOD_BVALUES and ";binary" is two completely different things. (Also ";binary" has been removd from RFC4511). Am I right in concluding that LDAP_MOD_BVALUES (and thus "b" in Net::LDAPapi) only controls which BER type is used and as such is completely orthogonal to whether one chooses to set the ";binary" attributedescription options? ";binary" use often used with jpegPhoto, but does it have any influence on which BER type the server uses to send data to the client? I would assume that it would be completely safe to ignore ";binary" and the only reason to set LDAP_MOD_BVALUES would be if the attribute value data contained "\0" bytes. (which would prevent using a string) Is this correct? /Peter

2 3

getting ca/ca subordinate cert to work with openldap
by Chris Jacobs 09 Mar '10

09 Mar '10

Hello, I'm having a heck of a time getting certs to function correctly. This server is being setup with another server in mirrormode - and currently they cannot talk to each other (or themselves when using ldapsearch). We have a root CA, with a subordinate CA used to sign the cert our ldap server is using. I have both appended to the /etc/pki/tls/certs/ca-bundle.crt file (CentOS5) - root first, sub second. I have both (also in the same order) in the cacert.pem used by slapd.conf. TLS directives: TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/ldapcrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/ldapkey.pem When I test the cacert.pem file or the ldapcrt.pem file using "openssl verify [cert]", everything comes back with OK (I tested removing those from the ca-bundle.crt file and they fail - those are below too). I have those certs available separately and tested them too. ------ Test with CA and Sub-CA in ca-bundle.crt ------ # openssl verify cacert.pem cacert.pem: OK # openssl verify ldapcrt.pem ldapcrt.pem: OK # openssl verify carootcrt.pem carootcrt.pem: OK # openssl verify casubcrt.pem casubcrt.pem: OK ------ Test without CA and Sub-CA in ca-bundle.crt ------ # openssl verify cacert.pem cacert.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA error 18 at 0 depth lookup:self signed certificate OK # openssl verify ldapcrt.pem corp-ldapcrt.pem: [verify specific cert subject snipped] error 20 at 0 depth lookup:unable to get local issuer certificate # openssl verify carootcrt.pem carootcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA error 18 at 0 depth lookup:self signed certificate OK # openssl verify casubcrt.pem casubcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Subordinate CA error 20 at 0 depth lookup:unable to get local issuer certificate I'm using OpenLDAP build: 2.4.21 built with the following options: ./configure --with-tls=openssl \ --enable-crypt \ --enable-dynamic \ --enable-ldap \ --enable-lmpasswd \ --enable-modules \ --enable-overlays \ --enable-spasswd \ --sysconfdir=/etc After loading ldif data from our older 2.2 openldap servers, I verified the data was there using Apache Directory Studio (even got some work done on removing/re-adding/comparing ldifs). Ldapsearch though is another beast all together though. # ldapsearch -H ldaps://localhost/ ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain) If you're interested in more details: # ldapsearch -H ldaps://localhost/ -d5 ldap_url_parse_ext(ldaps://localhost/) ldap_create ldap_url_parse_ext(ldaps://localhost:636/??base) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 2, err: 19, subject: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA, issuer: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain). ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain) Help? - chris This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 1

DNS discovery for OpenLDAP?
by Jaap Winius 08 Mar '10

08 Mar '10

Hi all, In the course of my research into a solution involving Kerberos, OpenLDAP and OpenAFS (a.k.a. the Magic Trio), I've discovered that both Kerberos and OpenAFS support methods of DNS discovery, but that OpenLDAP apparently does not. Is this correct? If so, might there be a reason for this, other than that it has occurred to the developers, but that they just haven't had time yet to create it? It seems to me that it would be great to have. Thanks, Jaap

4 5

Many entries, deletes getting painfully slow
by Peter Mogensen 06 Mar '10

06 Mar '10

Hi, I have a database with close to 11 million entries and lately deletes have started to get painfully slow. I've set up a new server with a lot of improvements, but if anyone have an idea about what the deciding factor for the performance difference is, then I would be grateful. On the old server: -16 cores. 42Gb RAM, entire database in memory -XFS file system on (hw)RAID-1 -Database and BerkeleDB log on same filesystem -some, but not much load (~35 read waiters) -time to delete 157 entries: 9 minutes. New server: -16 cores, 48Gb RAM, entire database in memory -ext3 filesystem on (hw)RAID-10 -Database and log on difference disk -no load. -time to delete the same 157 entries: 6.2 seconds I'm aware that the new server has all the benefits, but even under low load conditions, the old server is only able to delete an entry every 3 seconds and there's orders of magnitude difference between 6 and 540 seconds. My suspicion is that there's one of the above factors (XFS?, db/log on same fs?) which get very pronounced when the database gets above a certain size, since this slowdown for deletes seem to have accelerated with the growth of the database the last few months. /Peter

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010