openldap-technical April 2010

openldap-technical@openldap.org

66 participants
76 discussions

Support for multiple suffixes in openldap
by Meena Ram 10 Apr '10

10 Apr '10

Hello all: Is there any work around to get multiple suffixes working in openldap for multiple domains I saw this info in one of the links which says you have to add this #define BDB_MULTIPLE_SUFFIXES and then compile. Note: As of OpenLDAP 2.1.2.13, the default configuration will allow only one suffix to be defined for each bdb database. The C preprocessor directive #define BDB_MULTIPLE_SUFFIXES (file: servers/slapd/back-bdb/init.c) may be used if you want to compile in multiple suffix support. If you use it, subtree indexing will slow down by factor of 2. The use of suffixAlias is no longer supported by default in version 2.1.13. Is there any short cut to get multiple suffixes working without having to re-compile everything again. Any shortcuts really appreciated Cheers!!!!!!!!!! Ram

2 1

Slapd-ldap proxy between replica and mirror
by Ubay Dorta 09 Apr '10

09 Apr '10

Hi, We have a similar scenario that the one explained in the post of Javier Manteiga: http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/200907/msg… We have deployed two servers: a master and a replica (delta-syncrepl). We added the chaining configuration that appears in openldap 2.4 administrator's guide (12.3.2) to handle the modifications originated from the replica. Replica slapd.conf: ##################### # Chaining configuration # ##################### overlay chain chain-uri "ldap://192.168.1.10:389" chain-idassert-bind bindmethod="simple" binddn="cn=replicator,dc=example,dc=com" credentials="secret" mode="self" chain-return-error TRUE ########## # Replica # ########## database bdb suffix "dc=example,dc=com" rootdn "cn=Administrator,dc=example,dc=com" rootpw "secret" .... ################## # Syncrepl directives # ################## syncrepl rid=001 provider=ldap://192.168.1.10:389 type=refreshAndPersist retry="60 +" searchbase="dc=example,dc=com" filter="(objectclass=*)" scope=sub attrs="*" schemachecking=on binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret sizelimit=unlimited logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog # Refer updates to the master updateref ldap://192.168.1.10:389 The problem appears when we change the single master for a mirrormode configuration (administrator guide 18.3.4.1). In addition, we set up a back-ldap proxy between mirror and replica. back-ldap proxy slapd.conf: ######## # Proxy # ######## database ldap suffix "dc=example,dc=com" rootdn "cn=slapd-ldap" uri "ldap://192.168.1.20:389 ldap://192.168.1.30:389" The IP addresses are: 192.168.1.10 -> Back-ldap proxy 192.168.1.20 -> Mirror mode server 1 192.168.1.30 -> Mirror mode server 2 When we try to modify the password through the replica, we get the following messages in the server where is located the proxy: ldap-proxy[13175]: daemon: activity on 1 descriptor ldap-proxy[13175]: daemon: activity on: ldap-proxy[13175]: 12r ldap-proxy[13175]: ldap-proxy[13175]: daemon: read active on 12 ldap-proxy[13175]: daemon: epoll: listen=7 active_threads=0 tvp=NULL ldap-proxy[13175]: connection_get(12) ldap-proxy[13175]: connection_get(12): got connid=1002 ldap-proxy[13175]: connection_read(12): checking for input on id=1002 ldap-proxy[13175]: op tag 0x66, time 1270632398 ldap-proxy[13175]: conn=1002 op=2 do_modify ldap-proxy[13175]: conn=1002 op=2 do_modify: dn (uid=user,ou=people,dc=example,dc=com) ldap-proxy[13175]: => get_ctrls ldap-proxy[13175]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (noncritical) ldap-proxy[13175]: parseProxyAuthz: conn 1002 authzid="dn:uid=user,ou=people,dc=example,dc=com" ldap-proxy[13175]: slap_sasl_getdn: conn 1002 id=dn:uid=user,ou=people,dc=example,dc=com [len=38] ldap-proxy[13175]: >>> dnNormalize: <uid=user,ou=people,dc=example,dc=com> ldap-proxy[13175]: <<< dnNormalize: <uid=user,ou=people,dc=example,dc=com> ldap-proxy[13175]: ==>slap_sasl2dn: converting SASL name uid=user,ou=people,dc=example,dc=com to a DN ldap-proxy[13175]: <==slap_sasl2dn: Converted SASL name to <nothing> ldap-proxy[13175]: parseProxyAuthz: conn=1002 "uid=user,ou=people,dc=example,dc=com" ldap-proxy[13175]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com? ldap-proxy[13175]: <== slap_sasl_authorized: return 48 ldap-proxy[13175]: <= get_ctrls: n=1 rc=123 err="not authorized to assume identity" ldap-proxy[13175]: send_ldap_result: conn=1002 op=2 p=3 ldap-proxy[13175]: send_ldap_result: err=123 matched="" text="not authorized to assume identity" ldap-proxy[13175]: send_ldap_response: msgid=3 tag=103 err=123 ldap-proxy[13175]: conn=1002 op=2 RESULT tag=103 err=123 text=not authorized to assume identity ldap-proxy[13175]: conn=1002 op=2 do_modify: get_ctrls failed ldap-proxy[13175]: daemon: activity on 1 descriptor ldap-proxy[13175]: daemon: activity on: The authorization is denied for cn=replicator,dc=example,dc=com. Is it the same problem with the propagation of identity? Is there any way to avoid the problem? Thanks in advance. Javier Manteiga wrote: We are trying to set a system with the DIT split in several servers, using the Meta backend to proxy the LDAP requests among them. In the remote servers we would like to check the ACLs using the identity of the client that sent the request, instead of the identity used to create the proxy connections. For this we have configured the idassert parameters in the meta targets as follows: idassert-bind bindmethod=simple binddn="cn=manager,dc=operator,dc=com" (root user of the backend receiving the proxied query) credentials="manager" mode=self iddassert-authzFrom "dn:*" When the first proxy is made everything is OK. The proxyAuthz extension control is added to the LDAP message and the remote server behaves as expected. Our problem is that in some cases we have requests that must be proxied several times. E.g: consider a scenario with three servers in A, B and C. in which the LDAP request sent by the external client is received in A, this server proxies it to B. Finally B proxies it to C. When B tries to set the proxyAuthz control it detects that there is already one and it returns the error "proxyAuthz not allowed within namingContext". Is there anyway in which we can avoid this error and propagate the credentials of the external client to the last server?. No. If you use proxyAuthz to propagate the client's identity to a remote server, then the remote server cannot use the same trick to propagate what it believes the client's identity, while it's actually the first proxy's identity. By design we decided to disallow nested identity assertion. This mechanism requires distributed procedures, where any control like *proxyAuthz would be wrapped by procedure distribution information, thus *allowing nested chaining and so. This was discussed long ago when chaining and identity assertion were first implemented. The I.D. about distributed procedures expired long ago, and was never revitalized, so this functionality is not available. p.

2 1

slapd wont start
by Nick Pappin 09 Apr '10

09 Apr '10

Can someone tell me whats wrong here.. I had a working ldap/samba server and after I restarted the machine due to a power outage the slapd service wont start back up. Here are what the logs show when I try to bring slapd back online: Apr 8 14:06:23 mdc slapd[12286]: @(#) $OpenLDAP: slapd 2.3.43 (Apr 8 2010 13:58:40) $ Apr 8 14:06:23 mdc root@mdc: /var/tmp/portage/net-nds/openldap-2.3.43/work/openldap-2.3.43/servers/slapd Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Apr 8 14:06:23 mdc slapd: Last message 'nss_ldap: failed to ' repeated 1 times, supressed by syslog-ng on mdc.mydomain.org Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server... Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)... Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: could not search LDAP server - Server is unavailable Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Apr 8 14:06:24 mdc slapd: Last message 'nss_ldap: failed to ' repeated 1 times, supressed by syslog-ng on mdc.mydomain.org Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server... Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)... Apr 8 14:06:25 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Apr 8 14:06:25 mdc slapd[12286]: nss_ldap: could not search LDAP server - Server is unavailable Apr 8 14:06:25 mdc slapd[12287]: bdb(dc=mydomain,dc=org): unable to allocate memory for mutex; resize mutex region Apr 8 14:06:25 mdc slapd[12287]: hdb_db_open: Database cannot be opened, err 12. Restore from backup! Apr 8 14:06:25 mdc slapd[12287]: bdb(dc=mydomain,dc=org): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem Apr 8 14:06:25 mdc slapd[12287]: bdb(dc=mydomain,dc=org): txn_checkpoint interface requires an environment configured for the transaction subsystem Apr 8 14:06:25 mdc slapd[12287]: bdb_db_close: txn_checkpoint failed: Invalid argument (22) Apr 8 14:06:25 mdc slapd[12287]: backend_startup_one: bi_db_open failed! (12) Apr 8 14:06:25 mdc slapd[12287]: bdb_db_close: alock_close failed Apr 8 14:06:25 mdc slapd[12287]: slapd stopped. Apr 8 14:06:25 mdc slapd[12287]: connections_destroy: nothing to destroy. Thanks ~ Nick

3 3

group migration to Ldap
by Francis, Steve (IHG) 09 Apr '10

09 Apr '10

I'm tyring to migrate my /etc/group to openldap. I've used the migration tools, but for some reason, I get the following when trying to do the ldapadd for the group.ldif generated . adding new entry "cn=at,ou=Group,dc=zlinux,dc=hiw,dc=com" ldap_add: Object class violation (65) additional info: no structural object class provided Not sure why, as the /etc/passwd migrated just fine. Steve Francis Technical Advisor - zSeries, zLinux, z/OS IHG Alpharetta Data Center Ph: 770-442-7157 Cell: 770-906-3122 IM: francisihg

2 4

ProxyAddresses: attribute undefined Any info on how to fix this
by Meena Ram 09 Apr '10

09 Apr '10

ProxyAddresses: attribute undefined Any info on how to fix this ldap_add: Undefined attribute type (17) additional info: proxyAddresses: attribute type undefined

2 1

link object
by Carlo Pradissitto 09 Apr '10

09 Apr '10

Hi, I would like to link an attribute to an object, so that when I perform a search it returns all attributes related to the object referenced, just like the example below: + resource1 + type: this_type + permission: this_permission + location: this_location + resource2 + type: another_type + permission: another_permission + location: another_location + profile1 + resource1 + resource2 + domain + organization + user1 + profile1 ldapsearch [ options ] cn=user1 dc: domain o: organization cn: user1 ( profile: profile1 ) resource: resource1, this_type, this_permission, this_location resource: resource2, another_type, another_permission, another_location Thanks in advance Carlo

2 2

SYntax for Proxy addresses and attribute to be defined for proxy addresess in LDIF file
by Meena Ram 08 Apr '10

08 Apr '10

Dear folks: If any one has the syntax for adding proxy addresses in the LDIF file along with the normal mail attribute that will be really appreciated if you can share the Syntax. Req: Sample LDIF file with proxy addresses along with mail attribute Cheers!!!!!!!!!! RAM

1 0

Re: Sample Large ldiff file to support 1K users
by Meena Ram 08 Apr '10

08 Apr '10

Dear folks: If any one has the syntax for adding proxy addresses in the LDIF file along with the normal mail attribute that will be really appreciated if you can share the Syntax. This is needed for an openldap set up. Req: Sample LDIF file with proxy addresses along with mail attribute Cheers!!!!!!!!!! RAM

1 0

Re: group in groups
by Chris Jacobs 08 Apr '10

08 Apr '10

You're thinking of dyngroups (Dynamic Groups). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org> To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Thu Apr 08 02:10:48 2010 Subject: group in groups Hello list We use our Openldap with a lot of applications like apache, squid, samba ... What for us whould be very usefull is to define in ldap groups with users and other groups therin. Is this possible in Ldap or maybe with the nss-module ? I cant find any documentation. Thank you luis This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 1

confusing manpage for slapcat for backup
by hai wu 08 Apr '10

08 Apr '10

I have some questions: When I look at manpage for slapcat from openldap-servers-2.3.27-5 in Centos5.0, it says: LIMITATIONS In general, your slapd(8) should not be running (at least, not in read- write mode) when you do this to ensure consistency of the database. But when I look at its manpage from openldap-servers-2.3.43-3.el5 in Centos5.4, it says: LIMITATIONS For some backend types, your slapd(8) should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database. It is always safe to run slapcat with the slapd-bdb(5), slapd-hdb(5), and slapd-null(5) backends. Question 1: Is it always safe to run slapcat with slapd running even for openldap-servers-2.3.27-5 in Centos5? The administration guide for OpenLDAP 2.4 at http://www.openldap.org/doc/admin24/maintenance.html explains more on this, I quote: "2. Periodically run slapcat and back up the LDIF file: Slapcat can be run while slapd is active. However, one runs the risk of an inconsistent database- not from the point of slapd, but from the point of the applications using LDAP. For example, if a provisioning application performed tasks that consisted of several LDAP operations, and the slapcat took place concurrently with those operations, then there might be inconsistencies in the LDAP database from the point of view of that provisioning application and applications that depended on it. One must, therefore, be convinced something like that won't happen. One way to do that would be to put the database in read-only mode while performing the slapcat. The other disadvantage of this approach is that the generated LDIF files can be rather large and the accumulation of the day's backups could add up to a substantial amount of space. You can use *slapcat*(8) to generate an LDIF file for each of your *slapd*(8) back-bdb or back-hdb databases. slapcat -f slapd.conf -b "dc=example,dc=com" For back-bdb and back-hdb, this command may be ran while slapd(8) is running." Question 2: Is the above also true for openldap-servers-2.3.27-5 in Centos5? Question 3: How to put the database in read-only mode while performing the slapcat? Is there anyone who's doing this just to make sure for consistent backup? Thanks, Hai

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2010