memberOf attributes not working through slapd-ldap backend
by Liam Gretton
Hi,
Main LDAP server is 2.4 on openSUSE. The memberof overlay is in use.
On any openSUSE clients (also OpenLDAP 2.4), ldapsearch on a uid with a
'+' for the attribute arguments correctly returns the memberOf
attributes as created by the overlay.
On Scientific Linux 5.4 I have a build of OpenLDAP 2.4 (not mine,
supplied by our vendor which repackages some components). I've set up a
proxy server there which uses slapd-ldap to proxy connections back to
the openSUSE LDAP server.
On the SL system, ldapsearch talking directly to the openSUSE server
correctly returns the memberOf attributes when using '+'. But when going
through the local proxy server, they don't appear. The server log says
"PROXIED attributeDescription "MEMBEROF" inserted"; if I specify the
attribute explicitly (e.g. ldapsearch uid=liam memberof) the memberOf
attributes are displayed, but all in capitals, as if there's a schema
missing.
One possibly important point: we're using the rfc2307bis schema on our
main server, and this isn't supplied with the SL distribution of
OpenLDAP, so I've just copied it over to the SL system.
I think this suggests a broken build of OpenLDAP 2.4 supplied by our
vendor, but is there anything I might be doing wrong? The proxy server's
slapd.conf file is as so:
include /cm/local/apps/openldap/etc/schema/core.schema
include /cm/local/apps/openldap/etc/schema/cosine.schema
include /cm/local/apps/openldap/etc/schema/inetorgperson.schema
include /cm/local/apps/openldap/etc/schema/rfc2307bis.schema
include /cm/local/apps/openldap/etc/schema/rcsperson.schema
argsfile /var/run/openldap/slapd.args
pidfile /var/run/openldap/slapd.pid
database ldap
monitoring off
uri ldap://opensuse.ldapserver.example.com
tls start tls_cacertdir=/etc/openldap/certs
suffix dc=example,dc=com
rootdn "cn=admin,dc=example,dc=com"
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect http://www.le.ac.uk/its/
IT Services Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
ldapsearch issue
by Derek Yarnell
Hi,
So I was trying to do the following search,
(&(automountMapName=auto*)(objectClass=automountMap))
It logs the following though,
slapd[5205]: conn=258105 op=9 SRCH base="ou=automount,ou=system,dc=XXX,dc=XXX,dc=XXX" scope=2 deref=2 filter="(&(?automountMapName=auto*)(objectClass=automountMap))"
If you do this search
(&(automountMapName=*)(objectClass=automountMap))
slapd[5205]: conn=258174 op=1 SRCH base="ou=automount,ou=system,dc=XXX,dc=XXX,dc=XXX" scope=2 deref=0 filter="(&(automountMapName=*)(objectClass=automountMap))"
This is the schema definition on the server (rfc2307bis),
attributeType (
1.3.6.1.1.1.1.31 NAME 'automountMapName'
DESC 'automount Map Name'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
My feeling is that caseExactIA5SubstringsMatch is doing something very wrong here. Shouldn't slapd be returning an error, not injecting a ? in my search?
Thanks,
derek
Derek Yarnell
UNIX Systems Administrator
University of Maryland
Institute for Advanced Computer Studies
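As an added example that is not part of the post or of OpenLDAP: a scan over the two SRCH log lines quoted above (constructed inline from the post) that walks each filter and reports the components slapd marked with '?', so that searches the server could not evaluate as written can be picked out of a log.

```python
"""Report filter components that slapd logged as undefined.

Added example; not code from the post or from the OpenLDAP project.
slapd writes a '?' in front of a filter component it treats as undefined;
such a component evaluates to Undefined, which never matches, so the
search returns no entries instead of an error. The log below is
constructed from the two SRCH lines quoted in the post.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two SRCH lines from the post.
SAMPLE_LOG = """\
slapd[5205]: conn=258105 op=9 SRCH base="ou=automount,ou=system,dc=XXX,dc=XXX,dc=XXX" scope=2 deref=2 filter="(&(?automountMapName=auto*)(objectClass=automountMap))"
slapd[5205]: conn=258174 op=1 SRCH base="ou=automount,ou=system,dc=XXX,dc=XXX,dc=XXX" scope=2 deref=0 filter="(&(automountMapName=*)(objectClass=automountMap))"
"""

_SRCH = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"'
    r' scope=\d+ deref=\d+ filter="(?P<filter>[^"]*)"'
)
_END_OF_ATTR = "=<>~:)"  # characters that terminate an attribute description


def filter_components(filter_str: str) -> List[Tuple[str, bool]]:
    """Return (attribute, undefined) for each simple item of an LDAP filter.

    Walks the parenthesised string; '&', '|' and '!' open containers and are
    skipped. A '?' directly after '(' is slapd's undefined marker.
    """
    items: List[Tuple[str, bool]] = []
    i = 0
    while i < len(filter_str):
        if filter_str[i] != "(":
            i += 1
            continue
        i += 1
        if i < len(filter_str) and filter_str[i] in "&|!":
            continue
        undefined = filter_str.startswith("?", i)
        if undefined:
            i += 1
        start = i
        while i < len(filter_str) and filter_str[i] not in _END_OF_ATTR:
            i += 1
        if i > start:
            items.append((filter_str[start:i], undefined))
    return items


def scan_log(text: str) -> List[Dict[str, object]]:
    """One record per SRCH line whose filter carries an undefined component."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _SRCH.search(line)
        if m is None:
            continue
        undefined = [attr for attr, undef in filter_components(m["filter"]) if undef]
        if undefined:
            hits.append({"conn": int(m["conn"]), "op": int(m["op"]),
                         "base": m["base"], "undefined": undefined})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"conn={hit['conn']} op={hit['op']} base={hit['base']}: "
              f"undefined {', '.join(hit['undefined'])}")
```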
Replication problem - segfault
by Marcio Merlone
Hi all,
I am upgrading my servers from Ubuntu 8.04 to 10.04 one by one. I took
the opportunity to test and migrate slapd.conf to cn=config. I got the
first new server running 10.04 (slapd 2.4.21-0ubuntu5), which is called
'haumea', and set everything up, smooth run. Then, I got to test
replication with another server running Ubuntu 8.04 (slapd
2.4.9-0ubuntu0.8.04.3) - this one is 'venus'.
So, in short, I am testing a multi-master replication with slapd
2.4.21-0ubuntu5 and slapd 2.4.9-0ubuntu0.8.04.3.
At first, it successfully replicated one attr (olcLogLevel) from haumea
to venus, but later on, when I try to modify 'olcMonitoring' of 'dn:
olcDatabase={0}config,cn=config' same way, slapd process dies on the
older server (venus):
'May 28 11:41:47 venus kernel: [511798.502592] slapd[3966]: segfault at
00000140 eip b7fa5634 esp b67658a0 error 4'
Are there any issues regarding slapd 2.4.21-0ubuntu5 or replication
between different versions?
Does anyone know where I can get pre-compiled binary packages to upgrade
Ubuntu 8.04 to slapd 2.4.21?
Please let me know if you need further information.
Thanks and best regards.
--
Marcio Merlone
Slapd service does not start - Gentoo Linux ...
by Christopher Kurtis Koeber
Hello,
I recently installed OpenLDAP 2.4.19 on a Gentoo Linux system. The
installation completed without issue but the service slapd will not start.
I loaded the initial entry and ran slaptest, which came back clean.
Below is the output for "slaptest -d 25" and attached is my config file.
Also attached is the output of the following command:
/usr/lib/openldap/slapd -F /etc/openldap/ -d 65535
Any ideas as to why the service will not start while the system is starting
up?
Thank you for your time.
----Begin Output----
slaptest -d 25
slaptest init: initiated tool.
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Berkeley DB 4.7.25: (2010-05-20)
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Berkeley DB 4.7.25: (2010-05-20)
>>> dnNormalize: <>
<<< dnNormalize: <>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
hdb_db_init: Initializing HDB database
>>> dnPrettyNormal: <dc=wesleyseminary,dc=edu>
<<< dnPrettyNormal: <dc=wesleyseminary,dc=edu>, <dc=wesleyseminary,dc=edu>
>>> dnPrettyNormal: <cn=Manager,dc=wesleyseminary,dc=edu>
<<< dnPrettyNormal: <cn=Manager,dc=wesleyseminary,dc=edu>,
<cn=manager,dc=wesleyseminary,dc=edu>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
slaptest startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "cn={3}nis"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}hdb"
backend_startup_one: starting "dc=wesleyseminary,dc=edu"
hdb_db_open: database "dc=wesleyseminary,dc=edu":
dbenv_open(/var/lib/openldap-data).
config file testing succeeded
slaptest shutdown: initiated
====> bdb_cache_release_all
slaptest destroy: freeing system resources.
---End Output---
Regards,
Christopher Kurtis Koeber
(W): (202) 885-8654
(C): (301) 467-8417
http://www.chriskoeber.com
Re: ppolicy master/slave issue (currently "forward ppolicy updates" OR "authenticate")
by Chris Jacobs
Whew! And I thought I was really off my rocker for a bit there - it made no sense to me (still doesn't, really).
One of the reasons for our LDAP upgrade was the pwdpolicy (and less out-of-sync slaves; an issue with our 2.3 boxes) - going to have to re-think our implementation - I really preferred the 'slave servers in remote locations' model, but if the ppolicy overlay works best in a multi master model (replicating pwdfailures and authenticate - for real), I'll have to convince mgmt of the new model.
Thanks for checking, Siddhartha!
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
________________________________
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org
To: openldap-technical(a)openldap.org
Sent: Tue May 25 17:16:00 2010
Subject: RE: ppolicy master/slave issue (currently "forward ppolicy updates" OR "authenticate")
I replicated the setup and issues with slapd.d configuration.
Running OpenLDAP 2.4.21 on CentOS x64.
1. Master and slave setup with ppolicy overlay.
2. When client points to master, pwdFailures are duly recorded and respected. Password auth works as expected.
3. When client points to slave with chaining disabled, password auth and changes work fine but obviously pwdFailures are not recorded anywhere - neither on slave nor master.
4. When client points to slave with chaining enabled, password auth breaks meaning user can type any string and still get a successful auth. Interestingly, in this case, pwdFailures get recorded on slave and master.
Why or how a bind succeeds with a wrong password is weird. With slapd.d type config, the chain directives go under "frontendconfig" so I suspect the solution must lie there.
As a sidenote, I am thinking of doing without slaves and just creating more primaries in multi-mode replication. Seems less complicated in terms of configuration and maintenance.
Thanks,
- Siddhartha
> -----Original Message-----
> From: openldap-technical-bounces+sjain=silverspringnet.com(a)openldap.org
> [mailto:openldap-technical-
> bounces+sjain=silverspringnet.com(a)openldap.org] On Behalf Of Chris
> Jacobs
> Sent: Tuesday, May 25, 2010 9:16 AM
> To: openldap-technical(a)openldap.org
> Subject: RE: ppolicy master/slave issue (currently "forward ppolicy
> updates" OR "authenticate")
>
> Haven't heard anything on this yet...
>
> If someone could point me to some documentation, or better, graphic
> illustration, of how OpenLDAP 'works', perhaps I can figure this out on
> my own.
>
> Thanks,
> - chris
>
> -----Original Message-----
> From: openldap-technical-
> bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org [mailto:openldap-
> technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org] On Behalf Of
> Chris Jacobs
> Sent: Thursday, May 06, 2010 11:45 AM
> To: openldap-technical(a)openldap.org
> Subject: RE: ppolicy master/slave issue (currently "forward ppolicy
> updates" OR "authenticate")
>
> Anyone?
>
> I can't be the only person trying to implement ppolicy_forward_updates
> and have users actually authenticate...
>
> I've been poring over the documentation:
>
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
> http://www.symas.com/blog/?page_id=66
> http://www.openldap.org/software/man.cgi?query=slapo-
> ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
> Which indicates: "This setting is only useful on a replication
> consumer, and also requires the updateref setting and chain overlay to
> be appropriately configured."
>
> I tried "chain-rebind-as-user" and that didn't seem to help (you can
> see it in the configs below) - at least, how I tried it. Perhaps I
> misunderstand something (I'm hoping at least)
>
> I'm totally at a loss here...
>
> - chris
>
> -----Original Message-----
> From: openldap-technical-
> bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org [mailto:openldap-
> technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org] On Behalf Of
> Chris Jacobs
> Sent: Monday, May 03, 2010 9:07 AM
> To: openldap-technical(a)openldap.org
> Subject: RE: ppolicy master/slave issue
>
> Really, I think this comes down to how to:
> * ppolicy_forward_updates requiring privileges
> * authentication NOT requiring privileges
>
> How do I split the two? Let ppolicy forward updates, which requires
> privileges, and NOT specify any authentication while users are
> authenticating?
>
> Thanks,
> - chris
>
> -----Original Message-----
> From: openldap-technical-
> bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org [mailto:openldap-
> technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org] On Behalf Of
> Chris Jacobs
> Sent: Thursday, April 29, 2010 2:55 PM
> To: openldap-technical(a)openldap.org
> Subject: ppolicy master/slave issue
>
> Hello again,
>
> I'm having an odd issue with ppolicy and my master/slave config.
>
> First, my goals
> General use:
> Slave handles all reads locally.
> Writes get forwarded to the master by the slave.
>
> Password policy:
> When password failures happen on clients using slave ldap servers,
> the failures, etc, get passed to the master to get replicated to the
> slaves.
> I understand this would be done using the ppolicy option:
> ppolicy_forward_updates
>
> Authentication:
> Actually authenticate (more later).
>
> To the problem:
> ---------------
> When I leave the section in the chain bit of SLAVE slapd.conf below
> marked by lines intact (which bind as root):
> * ppolicy_forward_updates seems to work great - the master shows
> matching "pwdFailureTime" attributes.
> * Regardless of password entered, you get a shell. User/bad password =
> get a shell! This being a problem should be obvious.
> I suspect that's due to the chain overlay section...
>
> If I comment out the lines in the SLAVE slapd.conf:
> * authentication actually requires authentication (bad password = no
> authentication)
> * ppolicy_forward_updates don't work (no updates to master)
>
> It's possible that from my description some may already know my issue -
> however, just to be sure, I've pasted below 'bare' versions of the:
> * a master slapd.conf (sans schema includes)
> * a slave slapd.conf (sans schema includes)
> * /etc/ldap.conf (using slave)
> * /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard -
> they are NOT the same)
> * /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac
> for all types).
>
> Thanks for any help (and, likely, pointing out any 'stupids' below),
> - chris
>
> PS: Feel free to critique - you won't hurt my feelings.
>
> MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
> ----------------------------------------------------------------------
> serverID 1
> loglevel 0
> pidfile /usr/local/var/openldap-data/run/slapd.pid
> argsfile /usr/local/var/openldap-data/run/slapd.args
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
> TLSVerifyClient never
> password-hash {MD5}
> sizelimit size.soft=500 size.hard=unlimited
> timelimit time.soft=3600 time.hard=unlimited
> database bdb
> suffix "dc=example,dc=net"
> rootdn "cn=root,dc=example,dc=net"
> rootpw "secret"
> directory "/usr/local/var/openldap-data"
> include /etc/openldap/slapd.access.conf
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
> index operatingSystem pres,eq
> index host pres,eq
> index rack eq
> index entryUUID eq
> index uniqueMember eq
> index entryCSN eq
> index site eq
> overlay ppolicy
> ppolicy_hash_cleartext
> ppolicy_use_lockout
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 10
> syncrepl rid=2
> provider=ldaps://ldapmaster2.corp.example.net
> type=refreshAndPersist
> interval=00:00:10:00
> searchbase="dc=example,dc=net"
> bindmethod=simple
> binddn="cn=root,dc=example,dc=net"
> credentials="secret"
> retry="15 20 60 +"
> mirrormode on
> database monitor
>
> SLAVE slapd.conf:
> -----------------
> serverID 13
> loglevel 0
> pidfile /usr/local/var/openldap-data/run/slapd.pid
> argsfile /usr/local/var/openldap-data/run/slapd.args
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
> TLSVerifyClient never
> password-hash {MD5}
> sizelimit size.soft=500 size.hard=unlimited
> timelimit time.soft=3600 time.hard=unlimited
> overlay chain
> chain-uri ldaps://ldap-vip.corp.example.net/
> chain-rebind-as-user TRUE
> vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> chain-idassert-bind bindmethod="simple"
> binddn="cn=root,dc=example,dc=net"
> credentials="secret"
> mode="self"
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> chain-tls ldaps
> chain-return-error TRUE
> database bdb
> suffix "dc=example,dc=net"
> rootdn "cn=root,dc=example,dc=net"
> rootpw "secret"
> directory "/usr/local/var/openldap-data"
> include /etc/openldap/slapd.access.conf
> index uid,cn,gidNumber,uidNumber,memberUid eq
> index objectClass pres,eq
> index operatingSystem pres,eq
> index host pres,eq
> index rack eq
> index entryUUID eq
> index uniqueMember eq
> index entryCSN eq
> index site eq
> overlay ppolicy
> ppolicy_hash_cleartext
> ppolicy_use_lockout
> ppolicy_forward_updates
> syncrepl rid=1
> provider=ldaps://ldap-vip.corp.example.net
> type=refreshAndPersist
> interval=00:00:10:00
> searchbase="dc=example,dc=net"
> bindmethod=simple
> binddn="cn=root,dc=example,dc=net"
> credentials="secret"
> retry="15 20 60 +"
> updateref "ldaps://ldap-vip.corp.example.net"
> database monitor
>
> /etc/openldap/ldap.conf: (same on all LDAP servers)
> ---------------------------------------------------
> uri ldaps://localhost
> base dc=example,dc=net
> network_timeout 0
> sizelimit 0
> timelimit 0
> tls_cacert /etc/openldap/cacerts/cacert.pem
> tls_reqcert demand
>
> /etc/ldap.conf: (on client using slave)
> ---------------------------------------
> uri ldaps://ldap-vip.dc1.example.net
> timelimit 10
> bind_timelimit 10
> bind_policy soft
> base dc=example,dc=net
> scope sub
> ssl on
> tls_checkpeer no
> tls_cacertfile /etc/openldap/cacert.pem (contents same as
> /etc/openldap/cacerts/cacert.pem)
> pam_login_attribute uid
> pam_lookup_policy yes
> pam_password exop
>
> /etc/pam.d/system-auth-ac:
> --------------------------
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so sha256 shadow nullok
> try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> This message is private and confidential. If you have received it in
> error, please notify the sender and remove it from your system.
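A linter for weak settings of the kind found in the SLAVE slapd.conf above, as an added example that is not part of this thread or of OpenLDAP: it parses a constructed fragment modelled on the quoted consumer configuration (quote prefixes stripped; the hardened counterpart uses placeholder credentials) and reports the SSLv2-enabled cipher string, the {MD5} password hash, a repeated limit key, identity assertion as the rootdn and a cleartext rootpw. It makes no claim about the any-password bind the thread discusses.

```python
"""Check an OpenLDAP consumer slapd.conf for weak settings.

Added example; not code from the thread or from the OpenLDAP project.
It flags generic hardening points of the kind visible in the quoted
SLAVE configuration; it does not diagnose the any-password bind the
thread is about. Credentials in the hardened sample are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the quoted SLAVE slapd.conf, mail-quote
# prefixes removed. In a real file the lines after chain-idassert-bind are
# indented continuation lines; the quoting lost that indentation.
WEAK_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
password-hash {MD5}
timelimit time.soft=3600 time.soft=unlimited
overlay chain
chain-uri ldaps://ldap-vip.corp.example.net/
chain-idassert-bind bindmethod="simple"
binddn="cn=root,dc=example,dc=net"
credentials="secret"
mode="self"
rootdn "cn=root,dc=example,dc=net"
rootpw "secret"
"""

# Constructed hardened counterpart: same layout, weak settings replaced.
HARDENED_CONF = """\
TLSCipherSuite HIGH:!aNULL:!MD5
password-hash {SSHA}
timelimit time.soft=3600 time.hard=unlimited
overlay chain
chain-uri ldaps://ldap-vip.corp.example.net/
chain-idassert-bind bindmethod="simple"
binddn="cn=chain-proxy,ou=services,dc=example,dc=net"
credentials="CHAIN_PROXY_PASSWORD_PLACEHOLDER"
mode="self"
rootdn "cn=root,dc=example,dc=net"
rootpw {SSHA}ROOTPW_HASH_PLACEHOLDER
"""

_KV = re.compile(r'([A-Za-z_.]+)=("[^"]*"|\S+)')
_KV_LINE = re.compile(r'^[A-Za-z_.]+=("[^"]*"|\S+)$')
WEAK_HASHES = ("{MD5}", "{SMD5}", "{SHA}", "{CLEARTEXT}")


def parse_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, arguments) pairs.

    slapd.conf continues a directive on indented lines; since the mail
    quoting dropped indentation, a bare key=value line is folded into the
    preceding directive as well.
    """
    directives: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if directives and (line[0].isspace() or _KV_LINE.match(line)):
            kw, args = directives[-1]
            directives[-1] = (kw, f"{args} {line.strip()}".strip())
            continue
        kw, _, args = line.partition(" ")
        directives.append((kw.lower(), args.strip()))
    return directives


def _kv(args: str) -> Dict[str, str]:
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k.lower(): v.strip('"') for k, v in _KV.findall(args)}


def check_slapd_conf(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for weak settings in the text."""
    directives = parse_slapd_conf(text)
    rootdn = dict(directives).get("rootdn", "").strip('"').lower()
    findings: List[Tuple[str, str]] = []
    for kw, args in directives:
        if kw == "tlsciphersuite" and re.search(r"SSLv2|SSLv3|LOW|MEDIUM|EXP", args):
            findings.append(("weak-tls-ciphers",
                             f"TLSCipherSuite '{args}' admits SSLv2 or weak ciphers"))
        elif kw == "password-hash" and args.upper() in WEAK_HASHES:
            findings.append(("weak-password-hash",
                             f"password-hash {args} is unsalted or broken; use {{SSHA}}"))
        elif kw in ("sizelimit", "timelimit"):
            keys = [k.lower() for k, _ in _KV.findall(args)]
            if len(keys) != len(set(keys)):
                findings.append(("duplicate-limit-key",
                                 f"{kw}: a key repeats in '{args}', so one value is lost"))
        elif kw == "chain-idassert-bind" and _kv(args).get("binddn", "").lower() == rootdn:
            findings.append(("idassert-as-rootdn",
                             "chain-idassert-bind binds as the rootdn: the consumer "
                             "stores credentials with full control of the directory"))
        elif kw == "rootpw" and not args.strip('"').startswith("{"):
            findings.append(("cleartext-rootpw",
                             "rootpw is stored in clear; use a slappasswd hash"))
    return findings


if __name__ == "__main__":
    for code, why in check_slapd_conf(WEAK_CONF):
        print(f"{code}: {why}")
    print("hardened:", check_slapd_conf(HARDENED_CONF) or "no findings")
```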
ppolicy + user notification
by Allgood, John
Hello All
I have finally got ppolicy working correctly except for some interesting behavior. When I set the pwdMaxAge to, say, 3 days just for testing and log into the system shortly after changing my password, the system notifies me that my password will expire in 2 days. On the 3rd day I don't get any notifications from the system. I have also defined in my policy a grace period for logins, which does work, but I don't get any notifications of that either. Also I am trying to build check_password.c to provide additional checking, but when I try to compile the program I get missing header files portable.h and slap.h. I have searched the entire system and can't locate them. I thought they would be part of the development RPMs which I installed. Any ideas on any of this?
Thanks
John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
jallgood(a)ohl.com
www.ohl.com
______________________________________________________
This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.
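The expiry and grace-login figures ppolicy hands back on a bind are pure arithmetic over a few attributes: pwdChangedTime on the user entry, pwdMaxAge and pwdExpireWarning on the policy, and pwdGraceUseTime against pwdGraceAuthNLimit once the password has expired. The following is an added example (not code from the post or from OpenLDAP) that models that arithmetic; attribute names are the real ppolicy ones, the sample timestamps and the three-day policy are constructed. Two points it makes concrete: a warning is only returned inside the last pwdExpireWarning seconds of the password's life (with that attribute absent or 0, never), and once the password has expired the control reports remaining grace logins instead of a warning.

```python
"""Password-policy (ppolicy) expiry arithmetic, written as an added example.
It models the pwdMaxAge / pwdExpireWarning / pwdGraceAuthNLimit attributes
as the password policy draft and OpenLDAP's ppolicy overlay apply them."""
from datetime import datetime, timedelta, timezone


def utc(*fields):
    """Build an aware UTC datetime, e.g. utc(2010, 5, 25, 12)."""
    return datetime(*fields, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse a GeneralizedTime as ppolicy writes it into pwdChangedTime,
    e.g. '20100524120000Z' (UTC, whole seconds)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % value)
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def time_before_expiration(pwd_changed_time, pwd_max_age, now):
    """Seconds until the password expires (negative once expired), or None
    when pwdMaxAge is 0/absent, meaning passwords never expire."""
    if pwd_max_age <= 0:
        return None
    expires = parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_max_age)
    return int((expires - now).total_seconds())


def expiry_warning(pwd_changed_time, pwd_max_age, pwd_expire_warning, now):
    """The timeBeforeExpiration value the password policy response control
    would carry on a bind, or None when no warning is due.  A warning is
    only sent inside the final pwd_expire_warning seconds of the password's
    life; with pwdExpireWarning absent or 0 no warning is ever sent, however
    close expiry is."""
    remaining = time_before_expiration(pwd_changed_time, pwd_max_age, now)
    if remaining is None or remaining <= 0:
        return None
    if pwd_expire_warning > 0 and remaining <= pwd_expire_warning:
        return remaining
    return None


def grace_logins_remaining(pwd_grace_use_time, pwd_grace_authn_limit):
    """After expiry each successful bind consumes one grace login and adds a
    timestamp to pwdGraceUseTime; the control reports what is left.  0 means
    grace logins are exhausted or not configured."""
    if pwd_grace_authn_limit <= 0:
        return 0
    return max(0, pwd_grace_authn_limit - len(pwd_grace_use_time))


def bind_status(entry, policy, now):
    """What a bind at `now` would be told.  `entry` and `policy` are plain
    dicts of the relevant attribute values (durations in seconds)."""
    remaining = time_before_expiration(entry["pwdChangedTime"],
                                       policy.get("pwdMaxAge", 0), now)
    if remaining is None:
        return {"state": "no-expiry"}
    if remaining > 0:
        return {"state": "valid",
                "timeBeforeExpiration": expiry_warning(
                    entry["pwdChangedTime"], policy["pwdMaxAge"],
                    policy.get("pwdExpireWarning", 0), now)}
    return {"state": "expired",
            "graceAuthNsRemaining": grace_logins_remaining(
                entry.get("pwdGraceUseTime", []),
                policy.get("pwdGraceAuthNLimit", 0))}


if __name__ == "__main__":
    # Constructed sample: a 3-day pwdMaxAge like the one in the post, with a
    # warning window covering the whole lifetime and 3 grace logins.
    policy = {"pwdMaxAge": 3 * 86400, "pwdExpireWarning": 3 * 86400,
              "pwdGraceAuthNLimit": 3}
    entry = {"pwdChangedTime": "20100524120000Z", "pwdGraceUseTime": []}
    for day in range(5):
        now = utc(2010, 5, 24, 12) + timedelta(days=day)
        print("day", day, bind_status(entry, policy, now))
```

Whether a PAM stack actually shows the warning is a separate matter: the value travels in the password policy response control on the bind, and it only reaches the user if the client library requests that control and the PAM module prints it.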
13 years, 6 months
ldap search hangs forever
by Jeremiah Martell
I'm using openldap-2.4.18 as a client to bind and asynchronously search an
Active Directory server.
I have a domain, example.com, that has two domain controllers:
one.example.com, and two.example.com.
The ip of one.example.com is 12.34.56.1
The ip of two.example.com is 12.34.56.2
The reverse mapping of 12.34.56.1 is one.example.com
The reverse mapping of 12.34.56.2 doesn't exist
-----
/ nslookup one.example.com
Server: 12.34.56.99
Address 1: 12.34.56.99 dns1.example.com
Name: one.example.com
Address 1: 12.34.56.1 one.example.com
/ nslookup two.example.com
Server: 12.34.56.99
Address 1: 12.34.56.99 dns1.example.com
Name: two.example.com
Address 1: 12.34.56.2
/ nslookup example.com
Server: 12.34.56.99
Address 1: 12.34.56.99 dns1.example.com
Name: example.com
Address 1: 12.34.56.2
Address 2: 12.34.56.1 one.example.com
/ nslookup 12.34.56.2
Server: 12.34.56.99
Address 1: 12.34.56.99 dns1.example.com
Name: 12.34.56.2
Address 1: 12.34.56.2
/ nslookup 12.34.56.1
Server: 12.34.56.99
Address 1: 12.34.56.99 dns1.example.com
Name: 12.34.56.1
Address 1: 12.34.56.1 one.example.com
/
-----
I have given openldap a "rebind proc" to use when chasing the referrals.
I do a sasl gssapi bind to one.example.com, which succeeds.
I do a search, which returns three referrals:
DomainDnsZones.example.com
ForestDnsZones.example.com
example.com
openldap looks up these three names and gets 12.34.56.2, which doesn't
reverse map to anything.
Then I get error messages for each referral:
May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server
(krbtgt/23.56.2(a)EXAMPLE.COM) unknown)
May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server
(krbtgt/23.56.2(a)EXAMPLE.COM) unknown)
May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server
(krbtgt/23.56.2(a)EXAMPLE.COM) unknown)
Then openldap hangs forever; I never get a LDAP_RES_SEARCH_RESULT.
-----
If I modify my DNS server to return 12.34.56.1 first instead of 12.34.56.2,
then everything works perfectly.
If I don't chase referrals, then everything works perfectly minus chasing
referrals of course.
If I use "normal" binding instead of sasl gssapi, then everything works
perfectly.
If I use openldap's synchronous search instead of asynchronously polling with
ldap_result, then the call times out and returns.
I half-expected openldap to not be able to bind to the referrals, but still
fail quickly and return.
I don't understand why the ldap search never finishes. (I never get a
LDAP_RES_SEARCH_RESULT.)
I did get a LDAP_RES_SEARCH_REFERENCE and a LDAP_NO_RESULTS_RETURNED, but
those don't signify the search has finished, right?
I've attached the ldap debugging. You'll see at the end the repeated calls
to ldap_result with timeouts of 10 seconds.
I don't know how to read them exactly, but the status seems to be
"RequestCompleted" ?
-----
17:20:50.530 ldap_result ld 0x10097060 msgid 5
17:20:50.530 wait4msg ld 0x10097060 msgid 5 (timeout 10000000 usec)
17:20:50.530 wait4msg continue ld 0x10097060 msgid 5 all 2
17:20:50.530 ** ld 0x10097060 Connections:
17:20:50.530 * host: one.example.com port: 389 (default)
17:20:50.530 refcnt: 1 status: Connected
17:20:50.530 last used: Wed May 26 17:19:59 2010
17:20:50.530
17:20:50.530 ** ld 0x10097060 Outstanding Requests:
17:20:50.530 * msgid 5, origid 5, status RequestCompleted
17:20:50.530 outstanding referrals 0, parent count 0
17:20:50.530 ld 0x10097060 request count 1 (abandoned 0)
17:20:50.530 ** ld 0x10097060 Response Queue:
17:20:50.530 Empty
17:20:50.530 ld 0x10097060 response count 0
17:20:50.530 ldap_chkResponseList ld 0x10097060 msgid 5 all 2
17:20:50.530 ldap_chkResponseList returns ld 0x10097060 NULL
17:20:50.530 ldap_int_select
-----
I got the latest 2.4.22 release and grabbed the majority of the changes, but
the hang remains.
You can see the full debugging information in the attached txt file.
I'm asking if the forever hang could be a bug in openldap, or perhaps I'm
doing something wrong?
Thanks,
- Jeremiah
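The nslookup output above shows the pattern behind the GSSAPI failures: every referral resolves (first) to 12.34.56.2, the one address with no reverse record, and the failures go away when DNS hands out 12.34.56.1 first. A check for exactly that inconsistency is the thing to run before blaming the library. Below is an added example (not from the post or from OpenLDAP) that resolves each referral hostname, reverse-maps every address it gets, and reports addresses with no PTR or with a PTR naming a different host. The FORWARD/REVERSE tables are constructed from the post's nslookup output so the check runs offline; `system_forward`/`system_reverse` do the same against live DNS.

```python
"""Forward/reverse DNS consistency check for the hosts an LDAP client is
referred to.  Added example, not part of the post or of OpenLDAP."""
import socket


def system_forward(name):
    """Live DNS: all addresses a hostname resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def system_reverse(ip):
    """Live DNS: the PTR name for an address, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_referral_targets(names, forward=system_forward, reverse=system_reverse):
    """Resolve each referral hostname and reverse-map every address.
    Returns (name, ip, status) triples, status being one of:
      'ok'             - the PTR names the host we resolved
      'no-ptr'         - no reverse record at all
      'ptr-mismatch:X' - the PTR names another host X (normal for a
                         domain-level round-robin name such as example.com,
                         suspicious for a host name)
    A Kerberos client that canonicalises the server name through a reverse
    lookup gets no usable host name for the 'no-ptr' addresses."""
    findings = []
    for name in names:
        for ip in forward(name):
            ptr = reverse(ip)
            if ptr is None:
                status = "no-ptr"
            elif ptr.lower().rstrip(".") == name.lower().rstrip("."):
                status = "ok"
            else:
                status = "ptr-mismatch:" + ptr
            findings.append((name, ip, status))
    return findings


def addresses_missing_ptr(findings):
    """The addresses whose PTR records need adding."""
    return sorted({ip for _, ip, status in findings if status == "no-ptr"})


# Constructed lookup tables mirroring the nslookup output in the post, so the
# check can be exercised offline.
FORWARD = {
    "one.example.com": ["12.34.56.1"],
    "two.example.com": ["12.34.56.2"],
    "example.com": ["12.34.56.2", "12.34.56.1"],
}
REVERSE = {"12.34.56.1": "one.example.com"}  # 12.34.56.2 has no PTR


def table_forward(name):
    return FORWARD[name]


def table_reverse(ip):
    return REVERSE.get(ip)


if __name__ == "__main__":
    referrals = ["one.example.com", "two.example.com", "example.com"]
    findings = check_referral_targets(referrals, table_forward, table_reverse)
    for finding in findings:
        print("%-18s %-12s %s" % finding)
    print("add PTR records for:", addresses_missing_ptr(findings))
```

Run with the live resolvers (the defaults) against the names returned in the referrals; a clean run reports 'ok' or, for the domain name itself, 'ptr-mismatch' entries that name real domain controllers, and nothing in the 'no-ptr' list.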
13 years, 6 months
Replication via cn=config
by Marcio Merlone
Hi all,
I am setting a pair of multi-master replicated servers (venus and
haumea) using Ubuntu 10.04 and OpenLDAP 2.4.21-0ubuntu5. I am following
the docs at http://www.openldap.org/doc/admin24/replication.html and
when I get to the part for this ldif:
dn: olcDatabase={1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {1}frontend
olcSuffix: dc=tld
olcDbDirectory: ./db
olcRootDN: cn=admin,dc=tld
olcRootPW: secret
olcLimits: dn.exact="cn=admin,dc=tld" time.soft=unlimited
  time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncRepl: rid=003 provider=ldap://haumea.tld binddn="cn=admin,dc=tld"
  bindmethod=simple
  credentials=secret searchbase="dc=tld" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=004 provider=ldap://venus.tld binddn="cn=admin,dc=tld"
  bindmethod=simple
  credentials=secret searchbase="dc=tld" type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
I get this error:
root@haumea:/etc/ldap# ldapadd -x -H ldap://localhost/ -D
"cn=admin,cn=config" -W -f replica.ldif
Enter LDAP Password:
adding new entry "olcDatabase={1}frontend,cn=config"
ldap_add: Object class violation (65)
additional info: attribute 'olcDbDirectory' not allowed
root@haumea:/etc/ldap#
I googled for this but got very few, useless results. Can someone point
me in the right direction?
Thanks and best regards.
--
Marcio Merlone
13 years, 6 months
Re: Q: status of component matching?
by Lehnert, Hartmut
Hi Dieter!
Thank you very much! I used CFLAGS=-DLDAP_COMP_MATCH when configuring
the slapd and now it's able to load our component match module.
But some problems are still left: When running the following LDAP search
command using component matching filter
/home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p
9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children
"(userCertificate:componentFilterMatch:=item:{ component
\"toBeSigned.serialNumber\", rule integerMatch, value 449 })"
against slapd it terminates:
/home/openldap/openldap-2.4.21-install/libexec/slapd: symbol lookup
error:
/home/openldap/openldap-2.4.21-install/libexec/openldap/compmatch.so.0:
undefined symbol: GenBufFreeBuf
In the source code of both snacc and component match module no
definition for function "GenBufFreeBuf" can be found. Where can I get
it?
Regards,
Hartmut
13 years, 6 months
FW: Q: status of component matching?
by Lehnert, Hartmut
Hello Dieter!
Nevertheless I generated a core dump in the meantime - but this was only possible by adding the GenBufFreeBuf function as a dummy to the init.c file of the comp match module:
void GenBufFreeBuf (void *p)
{
}
The back trace of the core:
(gdb) bt
#0 0x080e17d4 in slap_sl_free (ptr=0xb6f981d2, ctx=0x82d01a8) at sl_malloc.c:487
#1 0x0809ecf1 in ch_free (ptr=0xb6f981d2) at ch_malloc.c:137
#2 0x080dedae in mra_free (op=0x82cfde8, mra=0xb6f98288, freeit=1) at mra.c:43
#3 0x0808273f in filter_free_x (op=0x82cfde8, f=0xb6f982c8, freeme=1) at filter.c:556
#4 0x08080834 in do_search (op=0x82cfde8, rs=0xb7499134) at search.c:230
#5 0x0807da51 in connection_operation (ctx=0xb7499220, arg_v=0x82cfde8) at connection.c:1109
#6 0x0807df99 in connection_read_thread (ctx=0xb7499220, argv=0xb) at connection.c:1245
#7 0x08162082 in ldap_int_thread_pool_wrapper ()
#8 0xb7cc11b5 in start_thread () from /lib/libpthread.so.0
#9 0xb7da738e in clone () from /lib/libc.so.6
(gdb)
Does this cover any new information?
Thank you.
Regards,
Hartmut
-----Original Message-----
From: Lehnert, Hartmut
Sent: Wednesday, 26 May 2010 10:10
To: openldap-technical(a)openldap.org
Subject: Re: Q: status of component matching?
Hi Dieter!
I built slapd and the comp match module with CFLAGS=-g option but a core dump isn't generated.
I don't think that a core dump analysis is necessary to solve the problem because the slapd output
/home/openldap/openldap-2.4.21-install/libexec/slapd: symbol lookup error: /home/openldap/openldap-2.4.21-install/libexec/openldap/compmatch.so.0: undefined symbol: GenBufFreeBuf
is clear enough: the symbol GenBufFreeBuf is simply missing in the source code and binary of the comp match module. So once again: do you know where I can get the missing source code?
Thank you for looking at this problem.
Regards,
Hartmut
-----Original Message-----
From: openldap-technical-bounces+hartmut.lehnert=secunet.com(a)OpenLDAP.org On behalf of Dieter Kluenter
Sent: Tuesday, 25 May 2010 17:38
To: openldap-technical(a)openldap.org
Subject: Re: Q: status of component matching?
On Tue, 25 May 2010 15:51:40 +0200,
"Lehnert, Hartmut" <Hartmut.Lehnert(a)secunet.com> wrote:
> Hi Dieter!
>
> Thank you very much! I used CFLAGS=-DLDAP_COMP_MATCH when configuring
> the slapd and now it's able to load our component match module.
>
> But some problems are still left: When running the following LDAP
> search command using component matching filter
>
> /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p
> 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s children
> "(userCertificate:componentFilterMatch:=item:{ component
> \"toBeSigned.serialNumber\", rule integerMatch, value 449 })"
>
> against slapd it terminates:
>
> /home/openldap/openldap-2.4.21-install/libexec/slapd: symbol lookup
> error:
> /home/openldap/openldap-2.4.21-install/libexec/openldap/compmatch.so.0:
> undefined symbol: GenBufFreeBuf
>
> In the source code of both snacc and component match module no
> definition for function "GenBufFreeBuf" can be found. Where can I get
> it?
The function is called in comp_match/init.c. Could you please build
slapd with debugging symbols enabled (-g) and, when installing, don't
strip, that is 'make install STRIP=" "'? If possible, create a core dump
and run core and slapd in gdb in order to create a backtrace.
-Dieter
--
Dieter Klünter | Systems Consulting
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
13 years, 6 months