openldap-technical May 2010

openldap-technical@openldap.org

57 participants
66 discussions

ldapmodify chando password
by Márcio Luciano Donada 07 May '10

07 May '10

Hi list, I'm using ldapmodify to change the user password, but I am not able to use the MD5 it. My question is, you can use the encryption method with the ldapmodify? thanks -- Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br> Aurora Alimentos - Cooperativa Central Oeste Catarinense Departamento de T.I.

1 0

Re: bdb_index_read: failed
by Chris Jacobs 07 May '10

07 May '10

Ah, hah. I admit, I hadn't read that far back and made some ass/umptions. Doh. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: Howard Chu <hyc(a)symas.com> To: Chris Jacobs Cc: 'arwin(a)infopact.nl' <arwin(a)infopact.nl>; 'openldap-technical(a)openldap.org' <openldap-technical(a)openldap.org> Sent: Fri May 07 01:06:15 2010 Subject: Re: bdb_index_read: failed Chris Jacobs wrote: > This was all assuming that this was an established service - and if you've > simply taken over an admin role, this could have been going on for a while > and the final 'culprit' may simply be missing indexes. There is no missing index. The index is working correctly, it was simply asked to find a value that does not exist. There's nothing abnormal about that, there's nothing to fix. This whole thread is much ado about nothing. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

1 0

Re: bdb_index_read: failed
by Chris Jacobs 07 May '10

07 May '10

I'd totally forgotten to reply-to-all: Arwin, You'd have to turn log levels up, and/or restrict usage to narrow that down (classic trouble shooting, to the rescue). Personally, I'd ask your staff to start with (devs and IT) and ask what's being done different, or if there are new users of LDAP. I can understand something being done that's 'new' or 'different' could very well be some snoop, but more likely the 'culprit' is going to be something 'ok'. Moving on... See when the events occur and (and perhaps who is authenticating)turn the log levels up during that time - that'll require a restart of slapd if your config is static files (now I really see the beauty of olconfig). Start with just logging auth, whether you find a link there or not, and if you need more detail, log the queries (shudder). Oh, and you'll need some 'spare' disk and cpu if this is a modestly used service. If you get to the latter part, you'll likely crush your box. And back again... Seriously, ask around. It'll likely be easier. This was all assuming that this was an established service - and if you've simply taken over an admin role, this could have been going on for a while and the final 'culprit' may simply be missing indexes. Good luck, - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org> To: Howard Chu <hyc(a)symas.com> Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Wed May 05 22:33:27 2010 Subject: Re: bdb_index_read: failed Thanks Howard, thats good news. However, I would like to know what or who is causing this. I've tried different loglevels but matchting the error with the query/filter that's causing it is rather challenging to say the least... Any hints on how to find the query responsible? Thanks! Arwin. Howard Chu schreef: > Arwin wrote: >> Hi all, >> >> We are running 1 master server and a couple of slaves, all >> openldap-2.4 on Ubuntu 8.04 lts, syncrepl >> and cn=config configuration. >> The last couple of days we are getting a few of the following errors >> in the slapd logs: >> >> Apr 29 11:03:41 ldapsrvr-1 slapd[6112]: bdb_idl_fetch_key: [b49d1940] >> Apr 29 11:03:41 ldapsrvr-1 slapd[6112]:<= bdb_index_read: failed (-30990) >> Apr 29 11:03:41 ldapsrvr-1 slapd[6112]:<= bdb_equality_candidates: >> id=0, first=0, last=0 >> Apr 29 11:03:41 ldapsrvr-1 slapd[6112]: => bdb_equality_candidates >> (objectClass) >> >> Tried solving it by re-adding the index and running slapindex but the >> errors still remain. >> >> Everything seems to work ok though, replication works, we can add/edit >> entries and user >> authentication of accounts in the dit work just fine. >> >> Can anybody tell me if this (bdb_index_read: failed (-30990)) is >> something that needs to be fixed >> and if so, how? > > No. It's normal, it just means it was looking for the index of a value > that doesn't exist in your DB. > This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 1

Re: LDAP_SERVER_DOWN in win32?
by Chris Jacobs 07 May '10

07 May '10

Ummm... I suspect your machine's firewall (likely built in one from Windows) might be blocking it. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ________________________________ From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org To: openldap-technical(a)openldap.org Sent: Fri May 07 00:30:26 2010 Subject: LDAP_SERVER_DOWN in win32? I try to use openldap in windows xp. there is some implentations of openldap-win32-2.4.x. I have used every one of them, and openldap for linux in debian. the same problem is i can't connect them except the server is in localhost if my client run at win32, even i try to build my client in openldap, novel cldap and winldap. init is ok, bind is ok( i'm sure bind result should be >0 ,not LDAP_SUCCESS), but it report LDAP_SERVER_DOWN when i try to do some operations like search, add ... and the problem do not exist if I run my client(build with openldap or novell cldap) in linux(debian testing ), all server is ok. I try PHPLDAPAdmin and config it use openldap running at some window host, the problem is the same , LDAP_SERVER_DOWN. thanks for help gtalk:freeespeech@gmail.com<mailto:gtalk%3Afreeespeech@gmail.com> ________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

1 0

LDAP_SERVER_DOWN in win32?
by owen nirvana 07 May '10

07 May '10

I try to use openldap in windows xp. there is some implentations of openldap-win32-2.4.x. I have used every one of them, and openldap for linux in debian. the same problem is i can't connect them except the server is in localhost if my client run at win32, even i try to build my client in openldap, novel cldap and winldap. init is ok, bind is ok( i'm sure bind result should be >0 ,not LDAP_SUCCESS), but it report LDAP_SERVER_DOWN when i try to do some operations like search, add ... and the problem do not exist if I run my client(build with openldap or novell cldap) in linux(debian testing ), all server is ok. I try PHPLDAPAdmin and config it use openldap running at some window host, the problem is the same , LDAP_SERVER_DOWN. thanks for help gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

1 0

testing bind result in slapi pluging
by Gianluigi Nigro 06 May '10

06 May '10

Hi, i'm writing a plugin for SLAPI_PLUGIN_POST_BIND_FN operation: int mia_init(Slapi_PBlock *pb) { ... ... If( slapi_pblock_set(pb, SLAPI_PLUGIN_POST_BIND_FN, (void *)mia_get) != 0) { slapi_log_error(SLAPI_LOG_PLUGIN, "mia_init", "error" ); return -1; } ... return 0; } int mia_get(Slapi_PBlock *pb) { ... int oprc = -1; ... if( slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 ) { If ( oprc == 0 ) Do something else Do something else } ... } The slapi_pblock_get for SLAPI_PLUGIN_OPRETURN always return 0 even if the bind operation is failed (for example following an error 49 Invalid Credentials ). Is there a way to test if the bind operation is successful or failed ? Tanks Gianluigi Nigro gianluigi.nigro(a)passepartout.sm <mailto:gianluigi.nigro@passepartout.sm> ------------------------------ Passepartout s.a. World Trade Center - Edificio A Via Consiglio dei Sessanta, 99 - 47891 Dogana - RSM tel. 0549 978011 fax 0549 978005 www.passepartout.net <http://www.passepartout.net> -------------------------------------------------------------------- Il contenuto di questo messaggio di posta elettronica e ogni eventuale documento a quest'ultimo allegato puo contenere informazioni la cui riservatezza e' tutelata ed e' rivolto unicamente agli effettivi destinatari i quali prendono atto del carattere non strettamente personale dei messaggi di risposta, che potranno essere noti all'organizzazione aziendale. Sono vietati la riproduzione e l'uso di questo messaggio in mancanza di autorizzazione del destinatario. Se avete ricevuto questo messaggio per errore, vogliate cortesemente chiamarci immediatamente per telefono o fax e distruggere quanto ricevuto (compresi i file allegati) senza farne copia. Qualsivoglia utilizzo non autorizzato del contenuto di questo messaggio costituisce violazione dell'obbligo di non prendere cognizione della corrispondenza tra altri soggetti.

1 0

bdb_index_read: failed
by Arwin 05 May '10

05 May '10

Hi all, We are running 1 master server and a couple of slaves, all openldap-2.4 on Ubuntu 8.04 lts, syncrepl and cn=config configuration. The last couple of days we are getting a few of the following errors in the slapd logs: Apr 29 11:03:41 ldapsrvr-1 slapd[6112]: bdb_idl_fetch_key: [b49d1940] Apr 29 11:03:41 ldapsrvr-1 slapd[6112]: <= bdb_index_read: failed (-30990) Apr 29 11:03:41 ldapsrvr-1 slapd[6112]: <= bdb_equality_candidates: id=0, first=0, last=0 Apr 29 11:03:41 ldapsrvr-1 slapd[6112]: => bdb_equality_candidates (objectClass) Tried solving it by re-adding the index and running slapindex but the errors still remain. Everything seems to work ok though, replication works, we can add/edit entries and user authentication of accounts in the dit work just fine. Can anybody tell me if this (bdb_index_read: failed (-30990)) is something that needs to be fixed and if so, how? T.i.a. Arwin.

2 2

cn=monitor attributes (monitorOpInitiated for example) missing in cn=Subschema
by mike 05 May '10

05 May '10

Hi Everyone, I am having an issue accessing attributes that are not in "cn=Subschema" I'm using openldap-stable-20100219.tgz build. When I look at cn=Monitor with browsing tools (like Softerra LDAP browser) I do see entries for monitorOpInitiated and monitorOpCompleted in DN cn=Operations,cn=Monitor. For example from a ldapsearch result: # Modify, Operations, Monitor dn: cn=Modify,cn=Operations,cn=Monitor structuralObjectClass: monitorOperation creatorsName: modifiersName: createTimestamp: 20100421205801Z modifyTimestamp: 20100421205801Z monitorOpInitiated: 39 monitorOpCompleted: 39 entryDN: cn=Modify,cn=Operations,cn=Monitor subschemaSubentry: cn=Subschema hasSubordinates: FALSE When I look at cn=Subschema, I do not see any definitions of these two attributes. Shouldn't they be there? Using (unfortunately) Microsoft's VBScript, ADODB, and ADsDSOOBJECT to access to access cn=Monitor, I can access everything that is defined in the subschema (entryDN, modifyTimestamp, etc); however, I cannot access MonitorOpInitiated and such. Looking at the logs, It looks like the query never gets to the ldap server because MS checks it against the cn=subschema. I saw ITS#4947 and ITS#5576 which sounds like what my problem is (attributes not published). Is there a fix for this and what would that fix be? My OS for the ldap server is Redhat Enterprise 5.4. At the end of this email is my redacted slapd.conf file. I had sent this to the bugs mail-list, but they said to post it here. ---Thanks Mike Cannady [root@vmLDAPdev2 openldap]# cat slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/HTC/iaaa-radius.schema include /usr/local/etc/openldap/HTC/radius.schema include /usr/local/etc/openldap/HTC/users.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 loglevel 0x100 #loglevel any sizelimit unlimited # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org ServerID 002 pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args access to * by dn.one="ou=replicants,ou=admin,dc=htc,dc=com" read by * break access to dn.subtree="dc=htc,dc=com" by dn.one="ou=admin,dc=htc,dc=com" manage by self write by anonymous auth access to * by self write by users read by anonymous auth ####################################################################### # database definitions ####################################################################### database bdb suffix "dc=htc,dc=com" rootdn "cn=Manager,dc=htc,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg rootpw {xxxxxxx}xxxxxxxxxxxxxxxxxxxxxxxxxx # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data cachesize 50000 dncachesize 50000 idlcachesize 150000 checkpoint 1024 5 # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN eq index entryUUID eq # Replicas of this database syncrepl rid=001 provider=ldap://vmldapdev1.htc.external:389 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=htc,dc=com" attrs="*,+" bindmethod=simple binddn="uid=vmldapdev2,ou=replicants,ou=admin,dc=htc,dc=com" credentials=atest2 mirrormode TRUE overlay syncprov syncprov-checkpoint 1000 1 database monitor [root@vmLDAPdev2 openldap]

2 1

slapo-memberof Usage
by Stuart Cherrington 05 May '10

05 May '10

Hello again, Having successfully upgraded my LDAP install to 2.4.22 on Redhat 5.3 I've been looking at use of the 'slapo-memberof' schema as provided by openldap2.4-server package. The man page for slapo-memberof2.4 indicates I can use the 'memberof-dn' directive. So, I've updated my slapd.conf file to allow the 'moduleload memberof.la' to be used and restarted ldap2.4 services. On the client I have configured my ldap.conf without the memberof directive and it works fine, but when I use memberof I can no longer login. nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com Works fine nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?memberof-dn=cn=access,ou=auth,dc=ldn,dc=sw,dc=com Fails to log me in. I can see the people and auth OU's from the client using ldapsearch. Questions: What is the correct syntax for using the memberof-dn directive? If the client does NOT have the openldap2.4-server package installed, does it pass the 'memberof-dn' directive to my LDAP server to be parsed? TIA, Stuart. _________________________________________________________________ http://clk.atdmt.com/UKM/go/195013117/direct/01/ We want to hear all your funny, exciting and crazy Hotmail stories. Tell us now

2 1

cross-compiling for different hardware
by Michael Pitcher 05 May '10

05 May '10

Is it possible to use OpenLDAP to cross-compile on a build(host) machine (e.g., little-endian) for a different target (big-endian)? If so, how? I have tried several ways to setup configure but no success. It looks like, for example, liblber generates the same objects (.lo) for the target and also (.o) for the build(host). Is this correct? Pointers, hints would be welcome. Thanks. -- Mike

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2010