openldap-technical June 2010

openldap-technical@openldap.org

104 participants
113 discussions

ldaprc with ldaps:// and ldap:// fallback
by manu＠netbsd.org 27 Jun '10

27 Jun '10

Hello I would like to setup a ldaprc so that an application uses: - a localhost-base slapd without authentification (just relying on filesystem permission on the slapd socket) - if it is not available, a remote slapd, authenticating using client certificate Here is the desired ldaprc: BASE dc=example,dc=net URI ldapi:/// ldaps://ldap.example.net TLS_CACERT /etc/openssl/ca.crt TLS_CERT /etc/openssl/host.crt TLS_KEY /etc/openssl/host.key SASL_MECH EXTERNAL TLS_REQCERT demand Of course it will not work, as the ldapi:/// connection will present a certificate. I have the feeling the setup I am looking for cannot be configured. Is that right? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

5 14

openldap mysqlcluster and FreeRadius Schema
by Levent ILDENIZ 26 Jun '10

26 Jun '10

Hi, i have a problem about openldap with mysqlcluster and with free radius schema i inserted freeradius schema statement in my slapd.conf when i create any user with radiusprofile, i see below failure messages * /"ndb_oc_create: CREATE TABLE radiusprofile failed, Row size too large. The maximum row size for the used table type, not counting BLOBs, is 8052. You have to change some columns to TEXT or BLOBs (1118) ndb_back_add: ndb_entry_put_data failed (80) Tuple did not exist(626)/"* how can i fix this? -- Levent ILDENIZ Bu mesaj ve onunla iletilen tum ekler gonderildigi kisi ya da kuruma ozel, gizlilik yukumlulugu tasiyor olabilir. Bu mesaj, hicbir sekilde, herhangi bir amac icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz; mesajin yetkili alicisi veya alicisina iletmekten sorumlu kisi degilseniz, mesaj icerigini ya da eklerini kopyalamayiniz, yayinlamayiniz, baska kisilere yonlendirmeyiniz ve mesaji gonderen kisiyi derhal uyararak bu mesaji siliniz. Bu mesajin bilinen viruslere karsi kontrolleri yapilmistir. ISTANBUL UNIVERSITESI http://www.istanbul.edu.tr This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary,privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product.If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. ISTANBUL UNIVERSITY http://www.istanbul.edu.tr

2 1

Re: How to change openldap database directory
by Mail Admin 26 Jun '10

26 Jun '10

Thanks Quanah/Mauricio/Chris for the reply. In fact, that is the first thing I did, I get the following error when I start ldap service. Checking configuration files for slapd: bdb_db_open: Cannot access database directory /var/vamail/ldap/mydomain.com (13) Backend_startup_one: bi_db_open failed! (-1) Slap_startup failed (test would succeed using the –u switch) [FAILED] Stale lock files may be present in /var/vmail/ldap/mydomain.com [WARNING] Permission looks exactly the same. Any idea why this error?

2 1

RE: Can password-hash be database specific? also, storing and verifying cleartext passwords
by masarati＠aero.polimi.it 26 Jun '10

26 Jun '10

>> -----Original Message----- >> Is the 'password-hash' configuration function a server-wide setting >> only >> or can it be set to different values for separate databases? >> I'm trying to add MAC-auth RADIUS functionality to my LDAP server >> (openldap-2.4.21) and I need to store the password for the MAC >> addresses >> in cleartext. I also use the LDAP server for user login which I don't >> want to keep in cleartext. So, my thought was to have 'password-hash >> {SSHA}' for the users database, and 'password-hash {CLEARTEXT}' for the >> RADIUS database, but it appears that it's a global so I'm pretty sure >> this won't work. > > Yes, each database can have a different hashing mechanism set. > http://www.openldap.org/software/man.cgi?query=slapd-config&apropos=0&sekti… I'm afraid that man page is incorrect. As far as I know, that directive is global, not database specific. That's what I get from the code (and what I remembered). You can check yourself by adding the directive and inspecting the content of cn=config. We need at least to fix the manpage. p.

2 3

OpenLDAP to replace Oracle Internet Directory
by Matheus Morais 25 Jun '10

25 Jun '10

Hi there, I would like to share with this list my experiences with OpenLDAP implementation at one financial company, which is currently my job, and they use Oracle Internet Directory as their solution for LDAP service. This is my third year at the company and in my early days I was responsible to make the 'dirty work' in order to keep OID (I will use acronym from now because the name of the software is too large for keep writing :) working when the senior analysts were too busy with other projects to fix or request a fix for OID problems. At some day those senior analysts left the company and I was blessed as the 'LDAP guy' by the managers. From that day I started to think by my own on that and as a free software enthusiast plus my previous small experiences with LDAP infrastructure turned my ideas for an obvious project, the OpenLDAP. I will talk more about OpenLDAP later. They have an interesting LDAP tree which has some design problems but in a general way it is useful and support the company business process. From infrastructure perspective its painful and the main reason is because the replication technique which is absolutely inefficient in almost every aspect, from performance to scalability. OID by itself is also a great problem, it didn't respect RFC, has tons of stupid bugs that take an eternity to get resolved, has a relational database as 'backend' and the installation process is even worst. The replication is based on OID changelog at database level and small applications, called agents written in Java, are responsible to take that changes from database and replicate the modifications across the slaves. So for each slave we have an java agent querying Master and some thousand aditional rows at OID database. I don't know much about why they decided to write their own replication tool instead of using from OID but the old guys told me that Oracle replication software (DIP) didn't work well and was a very bad piece of softaware, just as OID BTW. With that architecture we basically started to suffer from the following problems: 1 - Performance with the Master 2 - Slave scalability 3 - Information integrity The performance problem with Master was generated by the replication agents which consume database resources to perform the replication. This first problem also generates the second because we couldn't increase the number of salves due to performance problems. OID bugs was also generating a increadible number of inconsistencies in the tree. >From that point I started a small project with first objetctive to avoid the performance problems with Master. The project was based on OpenLDAP adoption as replacements for OID slaves, an OpenLDAP Master would be created with two more OpenLDAP slaves using Delta-syncrepl to replication. With OpenLDAP slaves we could shutdown some replication agents and also the OID slaves giving more 'air' to Master database breath. The first OpenLDAP tests showed an unbelievable perfomance, 23560 entries returned from a search in exaclty 4 seconds in average. The same operation search against OID returned in 30 seconds average. The machine configuration is almost the same, the only difference is that OID infrastructure require two machines, one for oidldapd and other for Oracle DB and we also need a DBA support BTW. We've made a presentation to the managers showing the quality of OpenLDAP, the overlay concept and how we could use that to improve in service reliability and availability. We showed everything on our performance comparisions and asked them to support us in that 'migration' project. Two weeks ago we replaced the first OID infrastructure for OpenLDAP 2.4.22 and everyone here is enjoying how fast is the system response and how stable is delta-syncrepl. I have evaluated with current numbers, that we will be able to replace 4 OID to just 1 OpenLDAP infrastructure and that is really pleasant. The entire migration is planned to happen in next november. I want thank every one responsible to keep OpenLDAP project with that high level of quality and I am really proud about that kind of quality has been produced by a free software project (free as in freedom). Thanks, Matheus Morais

1 0

Fwd: ldapsearch using entryCSN
by Pierre Laporte 25 Jun '10

25 Jun '10

Hi, I'm trying to search entries in an OpenLDAP (v2.4.7) directory using their last modification date as a criteria. Digging in the schemas, I couldn't find an attribute that contained such a value. The only thing I found was the internal attribute "entryCSN" used by OpenLDAP to manage synchronization. I tried to do several ldapsearch queries, but I couldn't manage to obtain a decent result. Using "(&(objectClass=groupOfUniqueNames))" => I get every group of the directory. I can see that lots of them were modified in 2009 Related problem : Using "(&(objectClass=groupOfUniqueNames)(entryCSN<=20091224))" => The slapd2.4 process stops without returning anything. Using "(&(objectClass=groupOfUniqueNames)(entryCSN <= 20091224))" (The same query with spaces) => I don’t get any result. Shouldn't I retrieve the entries modified before 2010/12/24 ? Using "(&(objectClass=groupOfUniqueNames)(entryCSN >= 20091224))" => I don’t get any result. Shouldn't I retrieve the entries modified after 2010/12/24 ? - Does anyone know how to filter entries using their entryCSN? - Btw, is it even possible? Best regards -- Pierre Laporte

5 6

Migration from Novell eDirectory to OpenLDAP
by Stefan-Michael Guenther 25 Jun '10

25 Jun '10

Hello, has anyone on this list migrated the data of a Novell eDirectory into an OpenLDAP Server? Our first problem is that the schemas files of the eDirectoy contains nearly the same information as the schema files of OpenLDAP, but the structure of these files is completly different. Thanks for any hints or suggestions, Stefan -- ******************************************** in-put GbR - Das Linux-Systemhaus Stefan-Michael Guenther Geschaeftsfuehrer Moltkestrasse 49 D-76133 Karlsruhe Tel./Fax : +49 (0)721 / 6 80 32 88 - 0 / 3 http://www.in-put.de/ ******************************************** Schulungen Installationen Beratung Support Voice-over-IP-Loesungen ********************************************

3 2

limits based on the base being searched (rather than doing the searching)
by Francis Swasey 25 Jun '10

25 Jun '10

I have been requested to open up a specific branch of our DIT to allow more than the default number of entries to be returned for searches by anyone that get results from that branch. My reading of the slapd.conf manual page indicates the requested limits adjustment is not possible in the currently available OpenLDAP software (I am running 2.4.22). Have I missed something in my reading? Thanks, -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900)

1 0

Windows 7 users's authentication with openldap ?
by Frank Bonnet 25 Jun '10

25 Jun '10

Hello Anyone knows if it is possible to authenticate users of a windows 7 client machine as we do with UNIX clients with pam_ldap + nss_ldap to our openldap server ? Thank you. F

4 5

How to change openldap database directory
by Mail Admin 24 Jun '10

24 Jun '10

Hello Team, I am very new to Linux and Openldap. We have setup a mail server on CentOS, Postfix, Dovecot, etc witth OpenLDAP as backend. 1) We want to change the daabase directory of Openldap from /var/lib/ldap to /var/vmail/ldap . Could someone please let me know the settings I need to make to achieve this? 2) I tried to creae /var/lib/ldap as a linked folder (actual database located under /var/vmail/ldap). Permissions to the files and folders under this were set exactly the same. when I start ldap service, i get the following error: backend_startup_one: bi_db_open failed! (-1) slap_startup failed (test would succeed using the -u switch) [FAILED] stale lock files may be present in /var/lib/ldap/dbname [WARNING] If I remove the linked folder and copy the contents to /var/lib/ldap, everything works perfectly fine. Is linked folder not going to work for ldap? or am I missing something here? (Please note that the folder /var/vmail is a separate LUN in the SAN). I would like to achieve any one of the scinario mentioned above. Any help on this would be highly appreciated. Best Regards PineMail Admin

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2010