openldap-technical June 2010

openldap-technical@openldap.org

104 participants
113 discussions

Unigueness of RID; changing RID
by Nick Urbanik 22 Jun '10

22 Jun '10

Dear Folks, I am trying to improve my understanding of the RID before making many large deployments of syncrepl. My understanding is that the replica ID (RID) is unique within one level of [provider] --> [consumer], [consumer],... relationship. Here, an arrow --> represents replication of one directory tree from provider to consumers, and commas represent consumers at the same level, all replicating from the same provider, and the square brackets [...] represent one machine. 1. If there is a relationship like this, where at least one machine acts simultaneously as consumer and provider [provider] --> [consumer+provider] --> [consumer], [consumer],... does the RID need to be unique within all these consumers at all levels in the propagation of replication? 2. What are the consequences of changing the RID on a consumer? Would this inevitably require a dump and restore? Is the RID stored in the data? Where is it stored, besides in the consumer's syncrepl configuration? -- Nick Urbanik http://nicku.org 808-71011 nick.urbanik(a)optusnet.com.au GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24 I disclaim, therefore I am.

3 4

Regression failure on openldap-2.4.21 stable (test058-syncrepl-asymmetric)
by Mark Cave-Ayland 22 Jun '10

22 Jun '10

Hi folks, I've just been testing a build of openldap-2.4.21 here in preparation for deployment, and have found that test058-syncrepl-asymmetric seems to fail randomly on our test box (on both i386 and amd64). A sample output is given below: >>>>> Starting test058-syncrepl-asymmetric for bdb... running defines.sh Initializing master configurations... Initializing search configurations... Starting central master slapd on TCP/IP port 9011... Using ldapsearch to check that central master slapd is running... Starting site1 master slapd on TCP/IP port 9012... Using ldapsearch to check that site1 master is running... Starting site2 master slapd on TCP/IP port 9013... Using ldapsearch to check that site2 master is running... Starting central search slapd on TCP/IP port 9014... Using ldapsearch to check that central search slapd is running... Starting site1 search slapd on TCP/IP port 9015... Using ldapsearch to check that site1 search slapd is running... Waiting 1 seconds for slapd to start... Starting site2 search slapd on TCP/IP port 9016... Using ldapsearch to check that site2 search slapd is running... Adding schema on ldap://localhost:9011/... Adding backend module on ldap://localhost:9011/... Adding schema on ldap://localhost:9012/... Adding backend module on ldap://localhost:9012/... Adding schema on ldap://localhost:9013/... Adding backend module on ldap://localhost:9013/... Adding schema on ldap://localhost:9014/... Adding backend module on ldap://localhost:9014/... Adding schema on ldap://localhost:9015/... Adding backend module on ldap://localhost:9015/... Adding schema on ldap://localhost:9016/... Adding backend module on ldap://localhost:9016/... Adding database config on central master... Adding database config on site1 master... Adding database config on site2 master... Adding access rules on central master... Adding access rules on site1 master... Adding access rules on site2 master... Adding database config on central search... Adding database config on site1 search... Adding database config on site2 search... Populating central master... Adding syncrepl on site1 master... Adding syncrepl on site2 master... Using ldapsearch to check that site1 master received changes... Using ldapsearch to check that site2 master received changes... Populating site1 master... Populating site2 master... Stopping site1 master... Adding syncrepl on central master... Using ldapsearch to check that central master received site2 entries... Restarting site1 master slapd on TCP/IP port 9012... Using ldapsearch to check that site1 master is running... Using ldapsearch to check that central master received site1 entries... Adding syncrepl consumer on central search... Adding syncrepl consumer on site1 search... Adding syncrepl consumer on site2 search... Using ldapsearch to check that central search received changes... Using ldapsearch to check that site1 search received changes... Using ldapsearch to check that site2 search received changes... Checking contextCSN after initial replication... Using ldapmodify to modify first backend on central master... Using ldapsearch to check replication to central search... Using ldapsearch to check replication to site1 search... Using ldapsearch to check replication to site2 search... Checking contextCSN after modify of first backend on central master... Using ldapmodify to modify second backend on central master... Using ldapsearch to check replication to site2 search... Using ldapsearch to check no replication to site1 master... Using ldapsearch to check no replication to central search... Checking contextCSN after modify of second backend on central master... Using ldapmodify to modify first backend on site1 master... Using ldapsearch to check replication to site1 search... Using ldapsearch to check replication to site2 master... Using ldapsearch to check no replication to site2 search... Using ldapsearch to check no replication to central search... Checking contextCSN after modify of first backend on site1 master... Using ldapmodify to modify second backend on site1 master... Using ldapsearch to check replication to site1 search... Using ldapsearch to check no replication to central master... Checking contextCSN after modify of second backend on site1 master... Using ldapmodify to modify first backend on site2 master... Using ldapsearch to check replication to central master... Using ldapsearch to check replication to site2 search... Using ldapsearch to check no replication to site1 master... Using ldapsearch to check no replication to central search... Checking contextCSN after modify of first backend on site2 master... Using ldapmodify to modify second backend on site2 master... Using ldapsearch to check replication to site2 search... Using ldapsearch to check no replication to central master... Checking contextCSN after modify of second backend on site2 master... Stopping central master and site2 servers to test start with emtpy db... Starting site2 master slapd on TCP/IP port 9013... Using ldapsearch to check that site2 master slapd is running... Starting site2 search slapd on TCP/IP port 9016... Using ldapsearch to check that site2 search slapd is running... Waiting 1 seconds for slapd to start... Waiting 2 seconds for slapd to start... Waiting 3 seconds for slapd to start... Starting central master slapd on TCP/IP port 9011... Using ldapsearch to check that central master slapd is running... Using ldapsearch to check that site2 master received base... Using ldapsearch to check that site2 search received base... Waiting 1 seconds for syncrepl to receive changes... Waiting 2 seconds for syncrepl to receive changes... Checking contextCSN after site2 servers repopulated... Adding syncrepl of second site1 master backend on central master... Using ldapsearch to check that central master received second site1 backend... Waiting 1 seconds for syncrepl to receive changes... Waiting 2 seconds for syncrepl to receive changes... Waiting 3 seconds for syncrepl to receive changes... Waiting 4 seconds for syncrepl to receive changes... Waiting 5 seconds for syncrepl to receive changes... ERROR: Second site1 backend not replicated to central master Restarting central master slapd on TCP/IP port 9011... Using ldapsearch to check that central master slapd is running... Waiting 1 seconds for slapd to start... Using ldapsearch to check that central master received second site1 backend... Using ldapsearch to check that central search received second site1 backend... Waiting 1 seconds for syncrepl to receive changes... Waiting 2 seconds for syncrepl to receive changes... Waiting 3 seconds for syncrepl to receive changes... Waiting 4 seconds for syncrepl to receive changes... Waiting 5 seconds for syncrepl to receive changes... ERROR: Second site1 backend not replicated to central search Restarting central search slapd on TCP/IP port 9014... Using ldapsearch to check that central search slapd is running... Waiting 1 seconds for slapd to start... Using ldapsearch to check that central search received second site1 backend... Running 1 of 10 syncrepl race tests... Stopping central master... Using ldapadd to add entry on site1 master... Starting central master again... Using ldapsearch to check that central master received entry... Using ldapsearch to check that central search received entry... Stopping central master... Using ldapdelete to delete entry on site1 master... Starting central master again... Using ldapsearch to check that entry was deleted on central master... Using ldapsearch to check that entry was deleted on central search... ERROR: Entry not removed on central search! Race error found after 1 of 10 iterations Found 3 errors >>>>>> Exiting with a false success status for now >>>>> /home/build/deb/openldap/2.4.21/openldap_2.4.21.orig/tests/scripts/test058-syncrepl-asymmetric completed OK for bdb. Is this something I should be worried about? One thing to note is that the underlying disk array is being rebuilt with extra disks and so I/O performance is quite poor on this machine at the moment - so I'm wondering whether it's a timing issue with the test script rather than within openldap itself? ATB, Mark. -- Mark Cave-Ayland - Senior Technical Architect PostgreSQL - PostGIS Sirius Corporation plc - control through freedom http://www.siriusit.co.uk t: +44 870 608 0063 Sirius Labs: http://www.siriusit.co.uk/labs

2 3

Re: failed to start slapd & can't create password - please help.
by sam 22 Jun '10

22 Jun '10

Harry Jede wrote: > Am Sonntag, 20. Juni 2010 schrieb sam: > >> Hi, >> >> With the following setup: >> >> hometest:openldap # uname -a >> FreeBSD hometest.ip6.com.au <http://hometest.ip6.com.au> 8.1-RC1 >> FreeBSD 8.1-RC1 #0: Fri Jun 18 >> 15:26:58 EST 2010 >> root@hometest.ip6.com.au:/usr/ >> obj/usr/src/sys/mail.db.java.portal >> i386 >> hometest:openldap # pkg_info | grep -i ldap >> openldap-sasl-client-2.4.22 Open source LDAP client implementation >> with SASL2 support >> openldap-sasl-server-2.4.22 Open source LDAP server implementation >> hometest:openldap # pkg_info | grep -i db >> db46-4.6.21.4 The Berkeley DB package, revision 4.6 >> hometest:openldap # pkg_info | grep -i sasl >> cyrus-sasl-2.1.23 RFC 2222 SASL (Simple Authentication and Security >> Layer) >> cyrus-sasl-saslauthd-2.1.23 SASL authentication server for >> cyrus-sasl2 openldap-sasl-client-2.4.22 Open source LDAP client >> implementation with SASL2 support >> openldap-sasl-server-2.4.22 Open source LDAP server implementation >> >> I can't create password for ldap: >> hometest:openldap # slappasswd -h {MD5} -s password >> Password generation failed for scheme MD5: scheme not recognized >> >> and: >> >> hometest:rc.d # ./slapd start >> Starting slapd. >> ./slapd: WARNING: failed to start slapd >> >> slapd.conf file is shown below: >> >> # >> # See slapd.conf(5) for details on configuration options. >> # This file should NOT be world readable. >> # >> include /usr/local/etc/openldap/schema/core.schema >> >> #X.500 RFC1274 COSINE Pilot Schema >> include /usr/local/etc/openldap/schema/cosine.schema >> #For Addressbooks >> include /usr/local/etc/openldap/schema/inetorgperson.schema >> #For Authentication >> include /usr/local/etc/openldap/schema/nis.schema >> >> TLSCACertificateFile /usr/local/etc/ssl/cacert.pem >> TLSCertificateFile /usr/local/etc/openldap/ssl/portal.ip6.com.au.pem >> TLSCertificateKeyFile /usr/local/etc/openldap/ssl/private/cakey.pem >> TLSCipherSuite HIGH >> >> >> # Define global ACLs to disable default read access. >> >> # Do not enable referrals until AFTER you have a working directory >> # service AND an understanding of referrals. >> #referral ldap://root.openldap.org <http://root.openldap.org> >> >> pidfile /var/run/openldap/slapd.pid >> argsfile /var/run/openldap/slapd.args >> >> # Load dynamic backend modules: >> modulepath /usr/local/libexec/openldap >> moduleload back_bdb >> ##################################################################### >> ## # BDB database definitions >> ##################################################################### >> ## >> >> database bdb >> suffix "dc=ip6,dc=com,dc=au" >> rootdn "cn=Manager,dc=ip6,dc=com,dc=au" >> # Cleartext passwords, especially for the rootdn, should >> # be avoid. See slappasswd(8) and slapd.conf(5) for details. >> # Use of strong authentication encouraged. >> rootpw secret >> # The database directory MUST exist prior to running slapd AND >> # should only be accessible by the slapd and slap tools. >> # Mode 700 recommended. >> directory /var/db/openldap-data >> # Indices to maintain >> index objectClass eq >> >> Can anyone tell me how to start openldap and how to assign password >> to it? >> > I do not know why your slapd is not starting. > Have you added some data to your database? > Who is the owner of /var/db/openldap-data? > > Hi, thanks for the reply regarding to the problem of ldap is not starting. I haven't added any data to the ldap database yet, because I had problem of creating ldap password before. Should I add data to the ldap database before I can start ldap? Thanks agian for your help Sam > Most people do not want the md5-scheme, they need the md5 algo from > crypt. Try this: > > slappasswd -c '$1$%.8s' -s secret > {CRYPT}$1$HlW67YUS$DNY2T6859V9xh8frUpbXJ/ > > Read the man pages of slappasswd and slapd.conf. > > But pay attention, that slappasswd is NOT reading the config file > slpad.conf. This is at least true for my quite old version of slapd in > Debian Lenny (slapd 2.4.11) :-( . > > strace -e trace=file /usr/sbin/slappasswd -s secret 2>&1 | grep > slapd.conf > > returns nothing > > > > >> Your help is very much appreciated. >> >> Thanks >> Sam >> >> - >> > > > >

6 13

Interdomain authentication
by Luiz Marcelo 22 Jun '10

22 Jun '10

Hello everyone, good, someone could tell me if there is a way to configure a client to openLDAP see an entry in the local database and if this entry does not exist, the server performs the query on another remote server? I used the chain module for this purpose, but even if the entry exists in the local base, the query is fired to the remote server. I need the server only see the external base case the entry does not exist in the local base. The goal is to build a scenario for user authentication inter-domains. a user subdomain: "dc=subdomain-A,dc=domain" can authenticate through " dc=subdomain-B,dc=domain" I thought at first replicate data subdomain A for the subdomain B and vice versa, but I believe it would be more interesting the server be able to perform the query directly in the external server. Does anyone have an idea? Thank you. luizmarcelo

2 1

Simple question about LDAP and web authentication.
by Bryan Boone 22 Jun '10

22 Jun '10

Hi everyone. I am a noob to LDAP and I have a question. I am on a team that is building a special server. This server will be running linux with an apache web server with PHP and apache is running a special website that we designed. I need to have the website be able to query LDAP servers for web authentication. So when a user connects to this special web server, they are prompted for a user name and password. Then I want to have the website check the LDAP server to make sure that the user is indeed a user of the website on our special server. So in a sense our special server will be an LDAP client. So my question is??? Is an LDAP client to be run as a Daemon or service? Is this what OpenLDAP provides? Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication? Basically all I need is... The user brings up the web page. The user enters in the user name and password. The server uses PHP or C to check to see if the entered information matches an LDAP server. The web grants or denies access. The LDAP server connection is closed. No other actions or information from the LDAP server is needed. Do I have the right idea? thanks

7 6

What DN (user name) I should use for connecting to ldap server?
by sam 21 Jun '10

21 Jun '10

Hi, I have ldap server started up in freebsd. I tried to test it with Apache Directory Studio. When I open a New Connection in the Studio, it asks for User name. I entered "root" as user name, then go for the connection... However I got following error message in ldap log file: Jun 21 23:14:51 hometest slapd[2417]: conn=1005 fd=11 ACCEPT from IP=192.168.1.100:57297 (IP=192.168.1.20:389) Jun 21 23:14:51 hometest slapd[2417]: conn=1005 op=0 do_bind: invalid dn (root) Jun 21 23:14:51 hometest slapd[2417]: conn=1005 op=0 RESULT tag=97 err=34 text=invalid DN Jun 21 23:14:51 hometest slapd[2417]: conn=1005 fd=11 closed (connection lost) What value of DN I should enter in the ldap browser (Apache Directory Studio) in order to connect to the ldap server? I have ldap listening to the following ports: hometest:openldap # netstat -an | egrep '389|636' tcp4 0 0 192.168.1.20.636 *.* LISTEN tcp4 0 0 192.168.1.20.389 *.* LISTEN Your help is much appreciated Thanks Sam

6 6

Syncrepl problems
by renski＠exemail.com.au 21 Jun '10

21 Jun '10

Hi, I'm trying to setup replication with syncrepl. I'm having problems with the slave config, I've thrown in the syncrepl config at the end of slapd.conf, but it keeps saying this: /etc/ldap/slapd.conf: line 103: unknown directive <syncrepl rid=100> inside backend database definition. thanks, Rick

4 4

Multi master replication
by Aravind Divakaran 21 Jun '10

21 Jun '10

Hi All, I have configured two servers with multi master replication. Below is my configuration for synrepl on both servers. Server One ------------ serverID 001 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.100 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=syncuser,dc=example,dc=com" credentials=password mirrormode TRUE Server Two -------------- serverID 002 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.25 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=syncuser,dc=example,dc=com" credentials=password mirrormode TRUE Today one of user said that he was not able to login. So i checked in the servers in one server i was able to login but on another server i was not able to login with the same password. I have checked the contextCSN on both server they are equal. In the log it is showing this syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com) Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 be_add uid=user,ou=People,dc=example,dc=com (68) Apr 28 12:14:17 mails slapd[16595]: dn_callback : entries have identical CSN uid=user,ou=People,dc=example,dc=com 20100422132507.789242Z#000000#002#000000 Can anyone help me why above message is showing in the log files and why the user is not able to login. Rgds, Aravind M D

7 14

Distributed directories using meta backend
by Luiz Marcelo 21 Jun '10

21 Jun '10

Hello everyone. Well, I have a scenario with three LDAP servers. This scenario represents a practical structure of a multi-campus institution. For example: Each server of each campus has the following contexts instantiated name in a backend hdb: Campus 1: dc = a, dc = institution, dc = org Campus 2: dc = b, dc = institution, dc = org Campus 3: dc = c, dc = institution, dc = org Each campus only manages your server, but allows that queries to other remote servers. They must present themselves as a single directory, transparent to user queries. I tried using the backend target with the suffix dc=institution,dc=org to perform a masking of the name. In practice the target backend (server instantiated in the campus) is like this: database meta suffix "dc=institution,dc=org" uri "ldap: / / localhost /dc=a" idassert-bind bindmethod=simple binddn="cn=reader,dc=a" credentials="readera" rebind-as-user yes suffixmassage "dc=institution,dc=org" "dc=a" # Remote Server - b uri "ldap: / /10.0.0.2/dc=b" idassert-bind bindmethod=simple binddn="cn = reader,dc = b" credentials = "leitorb" rebind-as-user yes suffixmassage "dc=institution,dc=org" "dc=b" lastmod off # Remote server - c uri "ldap: / /10.0.0.3/dc=c" idassert-bind bindmethod=simple binddn="cn=reader,dc = c" credentials = "leitorc" rebind-as-user yes suffixmassage "dc=institution,dc = org" "dc=b" lastmod off When performing a general consultation to dc=institution,dc=org all data from the three campuses were merged and the query returned. example: ldapsearch -x -D cn=reader,dc=a -W -b dc=institution,dc=org "cn=reader " the result is: cn = reader, dc = institution, dc = org cn = reader, dc = institution, dc = org cn = reader, dc = institution, dc = org 3 results appear, each encontraddo in three different bases. The problem is that have the same DN. Assuming that this structure is used to authentication user and a user can log in at any institution, be it home or away, if any two users with uid=john (eg: uid=john,dc=a and uid=john,dc=b) when performing a search using the meta backend, duplicate the results appear. Someone with experience in using the meta backend, give me a hint how to implement this scenario without causing an Replication DNs? Suddenly a way to make the server does not store a new entry if it is equal to an existing (masquerading under the proxy target)? The main objective of this implementation is to implement a distributed model that guarantees 1 - administrative independence for each campus (just write in your base, but read all) 2 - Allow users to authenticate to the system, inside or outside their home institution. Finally, it would be possible to use the backend relay, after which the main role of the backend? Thanks in advance. Luizmarceloo!

2 1

failed to start slapd & can't create password - please help.
by sam 20 Jun '10

20 Jun '10

Hi, With the following setup: hometest:openldap # uname -a FreeBSD hometest.ip6.com.au <http://hometest.ip6.com.au> 8.1-RC1 FreeBSD 8.1-RC1 #0: Fri Jun 18 15:26:58 EST 2010 root@hometest.ip6.com.au:/usr/ obj/usr/src/sys/mail.db.java.portal i386 hometest:openldap # pkg_info | grep -i ldap openldap-sasl-client-2.4.22 Open source LDAP client implementation with SASL2 support openldap-sasl-server-2.4.22 Open source LDAP server implementation hometest:openldap # pkg_info | grep -i db db46-4.6.21.4 The Berkeley DB package, revision 4.6 hometest:openldap # pkg_info | grep -i sasl cyrus-sasl-2.1.23 RFC 2222 SASL (Simple Authentication and Security Layer) cyrus-sasl-saslauthd-2.1.23 SASL authentication server for cyrus-sasl2 openldap-sasl-client-2.4.22 Open source LDAP client implementation with SASL2 support openldap-sasl-server-2.4.22 Open source LDAP server implementation I can't create password for ldap: hometest:openldap # slappasswd -h {MD5} -s password Password generation failed for scheme MD5: scheme not recognized and: hometest:rc.d # ./slapd start Starting slapd. ./slapd: WARNING: failed to start slapd slapd.conf file is shown below: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema #X.500 RFC1274 COSINE Pilot Schema include /usr/local/etc/openldap/schema/cosine.schema #For Addressbooks include /usr/local/etc/openldap/schema/inetorgperson.schema #For Authentication include /usr/local/etc/openldap/schema/nis.schema TLSCACertificateFile /usr/local/etc/ssl/cacert.pem TLSCertificateFile /usr/local/etc/openldap/ssl/portal.ip6.com.au.pem TLSCertificateKeyFile /usr/local/etc/openldap/ssl/private/cakey.pem TLSCipherSuite HIGH # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org <http://root.openldap.org> pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_bdb ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=ip6,dc=com,dc=au" rootdn "cn=Manager,dc=ip6,dc=com,dc=au" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/db/openldap-data # Indices to maintain index objectClass eq Can anyone tell me how to start openldap and how to assign password to it? Your help is very much appreciated. Thanks Sam -

5 6

← Newer
1
2
3
4
5
6
7
8
...
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2010