Support for multiple suffixes in openldap
by Meena Ram
Hello all:
Is there any workaround to get multiple suffixes working in openldap for multiple domains?
I saw this info in one of the links, which says you have to add this #define BDB_MULTIPLE_SUFFIXES and then compile.
Note: As of OpenLDAP 2.1.2.13, the default configuration will allow only one suffix to be defined for each bdb database. The C preprocessor directive #define BDB_MULTIPLE_SUFFIXES (file: servers/slapd/back-bdb/init.c) may be used if you want to compile in multiple suffix support. If you use it, subtree indexing will slow down by a factor of 2. The use of suffixAlias is no longer supported by default in version 2.1.13.
Is there any shortcut to get multiple suffixes working without having to re-compile everything again? Any shortcuts really appreciated.
Cheers!!!!!!!!!!
Ram
Slapd-ldap proxy between replica and mirror
by Ubay Dorta
Hi,
We have a scenario similar to the one explained in Javier Manteiga's post:
http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/200907/m...
We have deployed two servers: a master and a replica (delta-syncrepl). We
added the chaining configuration that appears in openldap 2.4
administrator's guide (12.3.2) to handle the modifications originated from
the replica.
Replica slapd.conf:
#####################
# Chaining configuration #
#####################
overlay chain
chain-uri "ldap://192.168.1.10:389"
chain-idassert-bind bindmethod="simple"
binddn="cn=replicator,dc=example,dc=com"
credentials="secret"
mode="self"
chain-return-error TRUE
##########
# Replica #
##########
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Administrator,dc=example,dc=com"
rootpw "secret"
....
##################
# Syncrepl directives #
##################
syncrepl rid=001
provider=ldap://192.168.1.10:389
type=refreshAndPersist
retry="60 +"
searchbase="dc=example,dc=com"
filter="(objectclass=*)"
scope=sub
attrs="*"
schemachecking=on
binddn="cn=replicator,dc=example,dc=com"
bindmethod=simple
credentials=secret
sizelimit=unlimited
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
syncdata=accesslog
# Refer updates to the master
updateref ldap://192.168.1.10:389
The problem appears when we replace the single master with a mirrormode
configuration (administrator guide 18.3.4.1). In addition, we set up a
back-ldap proxy between the mirror and the replica.
back-ldap proxy slapd.conf:
########
# Proxy #
########
database ldap
suffix "dc=example,dc=com"
rootdn "cn=slapd-ldap"
uri "ldap://192.168.1.20:389 ldap://192.168.1.30:389"
The IP addresses are:
192.168.1.10 -> Back-ldap proxy
192.168.1.20 -> Mirror mode server 1
192.168.1.30 -> Mirror mode server 2
When we try to modify the password through the replica, we get the following
messages on the server where the proxy is located:
ldap-proxy[13175]: daemon: activity on 1 descriptor
ldap-proxy[13175]: daemon: activity on:
ldap-proxy[13175]: 12r
ldap-proxy[13175]:
ldap-proxy[13175]: daemon: read active on 12
ldap-proxy[13175]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
ldap-proxy[13175]: connection_get(12)
ldap-proxy[13175]: connection_get(12): got connid=1002
ldap-proxy[13175]: connection_read(12): checking for input on id=1002
ldap-proxy[13175]: op tag 0x66, time 1270632398
ldap-proxy[13175]: conn=1002 op=2 do_modify
ldap-proxy[13175]: conn=1002 op=2 do_modify: dn (uid=user,ou=people,dc=example,dc=com)
ldap-proxy[13175]: => get_ctrls
ldap-proxy[13175]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (noncritical)
ldap-proxy[13175]: parseProxyAuthz: conn 1002 authzid="dn:uid=user,ou=people,dc=example,dc=com"
ldap-proxy[13175]: slap_sasl_getdn: conn 1002 id=dn:uid=user,ou=people,dc=example,dc=com [len=38]
ldap-proxy[13175]: >>> dnNormalize: <uid=user,ou=people,dc=example,dc=com>
ldap-proxy[13175]: <<< dnNormalize: <uid=user,ou=people,dc=example,dc=com>
ldap-proxy[13175]: ==>slap_sasl2dn: converting SASL name uid=user,ou=people,dc=example,dc=com to a DN
ldap-proxy[13175]: <==slap_sasl2dn: Converted SASL name to <nothing>
ldap-proxy[13175]: parseProxyAuthz: conn=1002 "uid=user,ou=people,dc=example,dc=com"
ldap-proxy[13175]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com?
ldap-proxy[13175]: <== slap_sasl_authorized: return 48
ldap-proxy[13175]: <= get_ctrls: n=1 rc=123 err="not authorized to assume identity"
ldap-proxy[13175]: send_ldap_result: conn=1002 op=2 p=3
ldap-proxy[13175]: send_ldap_result: err=123 matched="" text="not authorized to assume identity"
ldap-proxy[13175]: send_ldap_response: msgid=3 tag=103 err=123
ldap-proxy[13175]: conn=1002 op=2 RESULT tag=103 err=123 text=not authorized to assume identity
ldap-proxy[13175]: conn=1002 op=2 do_modify: get_ctrls failed
ldap-proxy[13175]: daemon: activity on 1 descriptor
ldap-proxy[13175]: daemon: activity on:
The authorization is denied for cn=replicator,dc=example,dc=com.
Is it the same problem with the propagation of identity?
Is there any way to avoid the problem?
Thanks in advance.
Javier Manteiga wrote:
We are trying to set a system with the DIT split in several servers,
using the Meta backend to proxy the LDAP requests among them. In the
remote servers we would like to check the ACLs using the identity of the
client that sent the request, instead of the identity used to create the
proxy connections. For this we have configured the idassert parameters
in the meta targets as follows:
idassert-bind bindmethod=simple
binddn="cn=manager,dc=operator,dc=com" (root user of the
backend receiving the proxied query)
credentials="manager"
mode=self
idassert-authzFrom "dn:*"
When the first proxy is made everything is OK. The proxyAuthz extension
control is added to the LDAP message and the remote server behaves as
expected.
Our problem is that in some cases we have requests that must be proxied
several times. E.g. consider a scenario with three servers A, B and
C, in which the LDAP request sent by the external client is received in
A, and this server proxies it to B. Finally B proxies it to C. When B tries
to set the proxyAuthz control it detects that there is already one and
it returns the error "proxyAuthz not allowed within namingContext".
Is there any way in which we can avoid this error and propagate the
credentials of the external client to the last server?
No. If you use proxyAuthz to propagate the client's identity to a remote
server, then the remote server cannot use the same trick to propagate what
it believes is the client's identity, while it's actually the first proxy's
identity. By design we decided to disallow nested identity assertion. This
mechanism requires distributed procedures, where any control like proxyAuthz
would be wrapped by procedure distribution information, thus allowing
nested chaining and so on. This was discussed long ago when chaining and
identity assertion were first implemented. The I.D. about distributed
procedures expired long ago, and was never revitalized, so this
functionality is not available.
p.
slapd won't start
by Nick Pappin
Can someone tell me what's wrong here? I had a working ldap/samba server and
after I restarted the machine due to a power outage the slapd service won't
start back up.
Here is what the logs show when I try to bring slapd back online:
Apr 8 14:06:23 mdc slapd[12286]: @(#) $OpenLDAP: slapd 2.3.43 (Apr 8 2010 13:58:40) $
Apr 8 14:06:23 mdc root@mdc: /var/tmp/portage/net-nds/openldap-2.3.43/work/openldap-2.3.43/servers/slapd
Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Apr 8 14:06:23 mdc slapd: Last message 'nss_ldap: failed to ' repeated 1 times, supressed by syslog-ng on mdc.mydomain.org
Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server...
Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Apr 8 14:06:23 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Apr 8 14:06:24 mdc slapd: Last message 'nss_ldap: failed to ' repeated 1 times, supressed by syslog-ng on mdc.mydomain.org
Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server...
Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Apr 8 14:06:24 mdc slapd[12286]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Apr 8 14:06:25 mdc slapd[12286]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server
Apr 8 14:06:25 mdc slapd[12286]: nss_ldap: could not search LDAP server - Server is unavailable
Apr 8 14:06:25 mdc slapd[12287]: bdb(dc=mydomain,dc=org): unable to allocate memory for mutex; resize mutex region
Apr 8 14:06:25 mdc slapd[12287]: hdb_db_open: Database cannot be opened, err 12. Restore from backup!
Apr 8 14:06:25 mdc slapd[12287]: bdb(dc=mydomain,dc=org): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
Apr 8 14:06:25 mdc slapd[12287]: bdb(dc=mydomain,dc=org): txn_checkpoint interface requires an environment configured for the transaction subsystem
Apr 8 14:06:25 mdc slapd[12287]: bdb_db_close: txn_checkpoint failed: Invalid argument (22)
Apr 8 14:06:25 mdc slapd[12287]: backend_startup_one: bi_db_open failed! (12)
Apr 8 14:06:25 mdc slapd[12287]: bdb_db_close: alock_close failed
Apr 8 14:06:25 mdc slapd[12287]: slapd stopped.
Apr 8 14:06:25 mdc slapd[12287]: connections_destroy: nothing to destroy.
Thanks
~ Nick
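A small log triage script covering both the proxy thread above and this startup failure, added here as an example (it is not code from either poster or from OpenLDAP): it pairs the "can A become B?" check with the following err=123 RESULT line so a refused identity assertion is reported with both DNs, and it flags the backend open failures that make slapd exit. The sample lines are constructed from the two posts.

```python
import re

# Constructed sample modelled on the two threads above, not the posters' real
# logs: a proxied modify the back-ldap proxy rejects with err=123, one clean
# result, and the hdb open failure slapd printed at startup.
SAMPLE_LOG = """\
ldap-proxy[13175]: conn=1002 op=2 do_modify
ldap-proxy[13175]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (noncritical)
ldap-proxy[13175]: ==>slap_sasl_authorized: can cn=replicator,dc=example,dc=com become uid=user,ou=people,dc=example,dc=com?
ldap-proxy[13175]: <== slap_sasl_authorized: return 48
ldap-proxy[13175]: conn=1002 op=2 RESULT tag=103 err=123 text=not authorized to assume identity
ldap-proxy[13175]: conn=1003 op=1 RESULT tag=103 err=0 text=
slapd[12287]: hdb_db_open: Database cannot be opened, err 12. Restore from backup!
slapd[12287]: backend_startup_one: bi_db_open failed! (12)
"""

PROXY_AUTHZ_FAILURE = 123   # the err=123 slapd reports for a refused proxyAuthz control

RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+) text=(.*)$")
BECOME_RE = re.compile(r"slap_sasl_authorized: can (\S+) become (\S+)\?$")
DBFAIL_RE = re.compile(r"(Database cannot be opened, err \d+|bi_db_open failed! \(\d+\))")

def authz_denials(log):
    """Pair the latest 'can A become B?' check with the next err=123 RESULT line."""
    # slapd logs the check and the result on separate lines without a shared
    # id, so they are matched by order of appearance.
    last_check, denials = None, []
    for line in log.splitlines():
        m = BECOME_RE.search(line)
        if m:
            last_check = m.groups()          # (authenticated DN, requested DN)
            continue
        r = RESULT_RE.search(line)
        if r and int(r.group(3)) == PROXY_AUTHZ_FAILURE and last_check:
            denials.append({"conn": int(r.group(1)), "authc": last_check[0],
                            "authz": last_check[1]})
            last_check = None
    return denials

def startup_failures(log):
    """Backend open failures; after these slapd exits instead of serving the database."""
    return [m.group(1) for m in map(DBFAIL_RE.search, log.splitlines()) if m]

if __name__ == "__main__":
    for d in authz_denials(SAMPLE_LOG):
        print(f"conn={d['conn']}: {d['authc']} may not assume {d['authz']}")
    print("startup failures:", startup_failures(SAMPLE_LOG))
```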
group migration to LDAP
by Francis, Steve (IHG)
I'm trying to migrate my /etc/group to openldap. I've used the
migration tools, but for some reason, I get the following when trying to
do the ldapadd for the group.ldif generated.
adding new entry "cn=at,ou=Group,dc=zlinux,dc=hiw,dc=com"
ldap_add: Object class violation (65)
additional info: no structural object class provided
Not sure why, as the /etc/passwd migrated just fine.
Steve Francis
Technical Advisor - zSeries, zLinux, z/OS
IHG
Alpharetta Data Center
Ph: 770-442-7157
Cell: 770-906-3122
IM: francisihg
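A pre-flight check for the error quoted above, added as an example and not part of the thread or of the migration tools: it walks a group.ldif and reports every entry whose objectClass values contain no structural class, which is the condition slapd rejects with "no structural object class provided". The structural class table is an assumed subset of OpenLDAP's core, cosine and nis schemas, and the LDIF is constructed.

```python
# Constructed sample resembling migrate_group.pl output; the second entry
# carries only the abstract class "top", which slapd rejects with
# "Object class violation (65): no structural object class provided".
SAMPLE_LDIF = """\
dn: cn=at,ou=Group,dc=zlinux,dc=hiw,dc=com
objectClass: posixGroup
objectClass: top
cn: at

dn: cn=broken,ou=Group,dc=zlinux,dc=hiw,dc=com
objectClass: top
cn: broken

dn: uid=steve,ou=People,dc=zlinux,dc=hiw,dc=com
objectClass: account
objectClass: posixAccount
uid: steve
"""

# Assumed subset of the core/cosine/nis schemas shipped with OpenLDAP, lower-cased.
# Unlisted classes count as non-structural, so extend the set for site schemas.
STRUCTURAL = {"posixgroup", "groupofnames", "groupofuniquenames", "person",
              "organizationalperson", "inetorgperson", "organizationalunit",
              "organization", "domain", "organizationalrole", "account", "device"}

def parse_ldif(text):
    """Split LDIF into (dn, [(attr, value), ...]) records, unfolding continuation lines."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:        # folded continuation of the previous line
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:                               # blank line ends a record
            pairs = [l.split(":", 1) for l in lines if ":" in l and not l.startswith("#")]
            pairs = [(a.strip(), v.lstrip(": ")) for a, v in pairs]
            dn = next(v for a, v in pairs if a.lower() == "dn")
            entries.append((dn, [p for p in pairs if p[0].lower() != "dn"]))
            lines = []
    return entries

def missing_structural(text):
    """Return the DNs whose objectClass values include no structural class."""
    bad = []
    for dn, attrs in parse_ldif(text):
        classes = {v.lower() for a, v in attrs if a.lower() == "objectclass"}
        if not classes & STRUCTURAL:
            bad.append(dn)
    return bad
```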
link object
by Carlo Pradissitto
Hi,
I would like to link an attribute to an object, so that when I perform a
search it returns all attributes related to the object referenced, just like
the example below:
+ resource1
    + type: this_type
    + permission: this_permission
    + location: this_location
+ resource2
    + type: another_type
    + permission: another_permission
    + location: another_location
+ profile1
    + resource1
    + resource2
+ domain
    + organization
        + user1
            + profile1

ldapsearch [ options ] cn=user1
dc: domain
o: organization
cn: user1
( profile: profile1 )
resource: resource1, this_type, this_permission, this_location
resource: resource2, another_type, another_permission, another_location
Thanks in advance
Carlo
Re: Sample Large ldiff file to support 1K users
by Meena Ram
Dear folks:
If anyone has the syntax for adding proxy addresses in the LDIF file along with the normal mail attribute, it would be really appreciated if you could share it. This is needed for an openldap set up.
Req: Sample LDIF file with proxy addresses along with the mail attribute
Cheers!!!!!!!!!!
RAM
Re: group in groups
by Chris Jacobs
You're thinking of dyngroups (Dynamic Groups).
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org>
To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Thu Apr 08 02:10:48 2010
Subject: group in groups
Hello list
We use our OpenLDAP with a lot of applications like apache, squid, samba ...
What would be very useful for us is to define in LDAP groups with
users and other groups therein.
Is this possible in LDAP or maybe with the nss-module?
I can't find any documentation.
Thank you
luis
confusing manpage for slapcat for backup
by hai wu
I have some questions:
When I look at manpage for slapcat from openldap-servers-2.3.27-5 in
Centos5.0, it says:
LIMITATIONS
    In general, your slapd(8) should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database.
But when I look at its manpage from openldap-servers-2.3.43-3.el5 in
Centos5.4, it says:
LIMITATIONS
    For some backend types, your slapd(8) should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database. It is always safe to run slapcat with the slapd-bdb(5), slapd-hdb(5), and slapd-null(5) backends.
Question 1: Is it always safe to run slapcat with slapd running even for
openldap-servers-2.3.27-5 in Centos5?
The administration guide for OpenLDAP 2.4 at
http://www.openldap.org/doc/admin24/maintenance.html explains more on this,
I quote:
"2. Periodically run slapcat and back up the LDIF file:
Slapcat can be run while slapd is active. However, one runs the risk of an
inconsistent database- not from the point of slapd, but from the point of
the applications using LDAP. For example, if a provisioning application
performed tasks that consisted of several LDAP operations, and the slapcat
took place concurrently with those operations, then there might be
inconsistencies in the LDAP database from the point of view of that
provisioning application and applications that depended on it. One must,
therefore, be convinced something like that won't happen. One way to do that
would be to put the database in read-only mode while performing the slapcat.
The other disadvantage of this approach is that the generated LDIF files can
be rather large and the accumulation of the day's backups could add up to a
substantial amount of space.
You can use slapcat(8) to generate an LDIF file for each of your slapd(8)
back-bdb or back-hdb databases.
slapcat -f slapd.conf -b "dc=example,dc=com"
For back-bdb and back-hdb, this command may be ran while slapd(8) is
running."
Question 2: Is the above also true for openldap-servers-2.3.27-5 in Centos5?
Question 3: How do I put the database in read-only mode while performing the
slapcat? Is anyone doing this just to make sure the backup is consistent?
Thanks,
Hai