openldap-technical July 2010

openldap-technical@openldap.org

103 participants
126 discussions

openldap 2.4.22 crash
by Marco Pizzoli 14 Jul '10

14 Jul '10

Hi all, I'm using Buchan's package of openldap2.4.22 x86_64 on RHEL5.3. I'm able to reproduce a crash renaming an entry in my tree. I'm doing this by using phpldapadmin. When I restart the engine I can see the entry with the name changed. I'm trying to produce a core dump and subsequently file an ITS, but I''m not able to have the core generated. I changed /etc/security/limits for the ldap user and some other RHEL specifics to not limit the size of the core. If I look to /proc/<slapd_pid>/limits I can see the following: [root@ldap04 14527]# cat limits Limit Soft Limit Hard Limit Units Max cpu time unlimited unlimited seconds Max file size unlimited unlimited bytes Max data size unlimited unlimited bytes Max stack size 10485760 unlimited bytes *Max core file size unlimited unlimited bytes * Max resident set unlimited unlimited bytes Max processes 65536 65536 processes Max open files 1024 1024 files Max locked memory 32768 32768 bytes Max address space unlimited unlimited bytes Max file locks unlimited unlimited locks Max pending signals 65536 65536 signals Max msgqueue size 819200 819200 bytes Max nice priority 0 0 Max realtime priority 0 0 After that I do the rename, the slapd crashes and the core dump isn't there... Any idea? Thanks in advance Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

2 2

Adding rfc schema clashes
by Stuart Cherrington 14 Jul '10

14 Jul '10

Hi, Running OpenLDAP 2.4 on RHEL 5. In order for my SOlaris 10 clients to start using the OpenLDAP service I need the objectclass 'nisDomainObject' to be declared. I found this objecttype in the 'rfc2307bis.schema' file so I've added it into the slapd.conf and now LDAP fails to restart with /usr/share/openldap2.4/schema/nis.schema: line 53 attributetype: Duplicate attributeType: "1.3.6.1.1.1.1.2" slaptest2.4: bad configuration file! I did a quick check the and "1.3.6.1.1.1.1.2" is declared in the nis.schema for the gecos attributetype. Can I alter the number within the rfc schema? Thanks, Stuart. _________________________________________________________________ http://clk.atdmt.com/UKM/go/197222280/direct/01/ Do you have a story that started on Hotmail? Tell us now

3 4

Max length of the attribute in UID attribute
by Bryan Boone 13 Jul '10

13 Jul '10

Hi everyone. How or where do I find out the max string length that I can have in the UID attribute in the inetorgperson objectclass. I assume that the length is set by the limitations of the DB, but I cannot seem to find that information anywhere. Or is the length defined in RFC 2798 somewhere? thanks

2 1

SHA2 in openldap 2.4.22
by Vernon Reilly 13 Jul '10

13 Jul '10

Have anyone managed to compile SHA2 slapd-module in openldap version 2.4.22 I am getting all sorts of errors trying to compile it after modifying the Makefile as per the README file inside: contrib/slapd-modules/passwd/sha2/ I think this code was for version 2.3 and should not be packaged with version 2.4. Anyways, any help would be appreciated. Thanks _________________________________________________________________ Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. https://signup.live.com/signup.aspx?id=60969

2 1

bdb/hdb cachesize calculation
by openldap-ml＠stresst.net 13 Jul '10

13 Jul '10

Attached to this message you'll find a quick and dirty bash script that should determine the cachesize for an in-production bdb/hdb backend by taking dn2id and id2entry as well as all existing indexes into account. Internally the script calls the db_stat tool in combination with the formulas found in the 2.4 admin guide under: http://www.openldap.org/doc/admin24/tuning.html#Caching Based on our local production database files (run by slapd 2.4.21, bdb 4.5) which contain round about 460.000 (small) entries... # du -h dn2id.bdb id2entry.bdb 48M dn2id.bdb 755M id2entry.bdb # du -h *.bdb | grep -v dn2id | grep -v id2entry 12M cn.bdb 20M entryCSN.bdb 14M entryUUID.bdb 1.1M loginDisabled.bdb 8.6M mail.bdb 5.4M objectClass.bdb ...the attached script produces the following results: DB Cachesize Results (dn2id.bdb and id2entry.bdb): Overall DB Cachesize: 1871872 bytes Index Cachesize Results: Overall Index Cachesize: 245760 bytes (50% Index HitRatio) Overall Index Cachesize: 491520 bytes Resulting Overall Cachesize (DB and Indexes): Overall Cache Size: 2117632 bytes (50% Index HitRatio) Overall Cache Size: 2363392 bytes Including +15% bytes for growth: Overall Cache Size: 2435276.80 bytes (50% Index HitRatio) Overall Cache Size: 2717900.80 bytes Do the above results (2.4 - 2.7 MBytes?!) sound reasonable in comparison to the above bdb file sizes? As I'm currently unsure whether the result is correct or not I would appreciate your feedback for example whether the script's result makes sense within your environment or not. Thanks a lot!

3 4

2.4.22 mirrormode syncrepl credential password encryption
by Vernon Reilly 13 Jul '10

13 Jul '10

Hi, I have version 2.4.22 running with mirrormode enabled and it is working well. I have a question regarding the credentials field in the syncrepl part in slapd.conf. Must this be cleartext or can it be encrypted and what is considered good practise regarding which binddn to use. (e.g. should I create a user with cleartext password specifically for replication?) Up to now I have used the same binddn as my rootdn but I can only get this to work with a cleartext password and I don't want to have my rootpw as cleartext in slapd.conf. Here is my current slapd.conf snippet database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" moduleload syncprov overlay syncprov syncprov-checkpoint 1 1 syncprov-sessionlog 100 # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain index objectClass eq syncrepl rid=123 provider=ldap://server:389 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=Manager,dc=uniscope,dc=jp" credentials=secret mirrormode on Any help would be appreciated. Thanks. _________________________________________________________________ Hotmail: Trusted email with Microsoft’s powerful SPAM protection. https://signup.live.com/signup.aspx?id=60969

3 2

Recommended way to modify cn=schema entries?
by Ian Collins 13 Jul '10

13 Jul '10

I would like to re-order two schema entries to resolve a dependency issue (our local schema, included before dyngroup.schema, now references memberURL). However deleting a schema entry with ldapmodify does not appear to be supported: dn: cn={8}dyngroup,cn=schema,cn=config changetype: delete deleting entry "cn={8}dyngroup,cn=schema,cn=config" ldap_delete: Server is unwilling to perform (53) Any suggestions? -- Ian.

3 3

ldap falls without logs
by Márcio Luciano Donada 13 Jul '10

13 Jul '10

Hi list, I'm using debian lenny,[1], with openldap 2.4.11 and in many cases simply to LDAP, while not log information. My slapd.conf is: # Global Directives: # Features to permit allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/java.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/qmail.schema include /etc/ldap/schema/authldap.schema include /etc/ldap/schema/RADIUS-LDAPv3.schema include /etc/ldap/schema/ppolicy.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 256 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload syncprov moduleload back_monitor moduleload back_bdb moduleload ppolicy moduleload unique moduleload back_ldap # TLS TLSVerifyClient demand TLSCACertificateFile /etc/ldap/ssl/server.pem TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateKeyFile /etc/ldap/ssl/server.pem # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 16 threads 32 ####################################################################### # Specific Backend Directives for hdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type hdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database monitor database bdb # The base of your directory in database #1 suffix "dc=xxx,dc=com,dc=br" rootdn "cn=suporte,dc=xxx,dc=com,dc=br" rootpw blablabla overlay unique unique_uri ldap:///?mail?sub? overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # Where the database file are physically stored for database #1 directory "/var/lib/ldap" idletimeout 30 checkpoint 128 15 cachesize 100000 lastmod on sizelimit unlimited index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uniqueMember eq index uidNumber eq index gidNumber eq index memberUID eq index mailAlternateAddress eq index MailForwardingAddress eq index mail pres,sub,eq index default sub index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq index sambaSIDList,sambaGroupType eq index givenName pres,sub,eq index homePhone eq index shadowExpire,shadowLastChange,shadowMax,shadowWarning eq index entryCSN,entryUUID eq # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. # ACLs access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none access to * by * read P.S. note that the loglevel is 256 and I have no record of trouble. [1]. Linux ldap 2.6.26-2-686 #1 SMP Wed Aug 19 06:06:52 UTC 2009 i686 GNU/Linux -- Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br> Aurora Alimentos - Cooperativa Central Oeste Catarinense Departamento de T.I.

2 1

DN failed to copy
by Stuart Cherrington 13 Jul '10

13 Jul '10

Hi, Not sure if this is an issue with phpLDAPadmin 1.0.1 or Openldap2.4 (on rhel 5.3). I've created posixGroup's within my openLDAP and can see these within phpLDAPadmin, I was trying to copy the objects within my 'dc' prior to some invasive work, but I cannot copy the posixGroups. I have done copies of all other objects but posixGroup copy errors with: 'Failed to copy DN: cn=copydba,ou=group,dc=ldn,dc=sw,dc=com LDAP said: Object class violation Error number: 0x41 (LDAP_OBJECT_CLASS_VIOLATION) Description: You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.' Having looked through countless web pages it suggests that the posixGroup definition in the rfc2037bis.schema should have a MUST clause but it already has this: objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY DESC 'Abstraction of a group of accounts' MUST gidNumber MAY ( userPassword $ memberUid $ description ) ) Any advice would be great. Thanks, Stuart. _________________________________________________________________ http://clk.atdmt.com/UKM/go/197222280/direct/01/ We want to hear all your funny, exciting and crazy Hotmail stories. Tell us now

1 0

Re: Another question about LDAP over SSL
by Chris Jacobs 12 Jul '10

12 Jul '10

Bryan, Please reply-to-all. :) Moving on: I'm NOT a dev (I'm a sysadmin), but my take is: 1) Use OpenSSL libraries to see if the cert is 'trusted' by the local OS (signed by a trusted CA - whether by an internal CA or an external CA). If a non-linux based client, then you'll need to explore other options (Windows has it's own mechanism for example). 2) If not, and user responds with 'trust this cert' then you'll need to add the cert to the whatever your app uses (whether a cert file it manages, or the local OS - it's up to how you write it). My take: if it's not already trusted by the local cert library (managed per OS install) then use a single file managed by your app. Or, add it to the list of locally trusted CA's, but I don't think that's a great idea. Perhaps it's not trusted by design? Perhaps your app won't have permission? That can turn into a support nightmare... As for OpenSUSE, perhaps it's ldap.conf doesn't specify to require a trusted cert... I don't know - never used it. I do not believe there is an OpenLDAP library/API/etc to handle untrusted certs and make them trusted. I recommend you play around with getting an OS to trust a CA you create to see how this works. Then see what it takes to get that OS to use the OpenLDAP server for auth. You'll learn quite a bit... Course, the source code may be more enlightening - but I'm not a dev. Bash or PERL is more my style :p. Warning: there are two ldap.conf files in most linux distros: /etc/ldap.conf : used by PAM /etc/openldap/ldap.conf : used by OpenLDAP tools. Primarily on OpenLDAP servers (whether masters or slaves - now referred to as providers and consumers). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ________________________________ From: Bryan Boone <v_1bboon(a)yahoo.com> To: Chris Jacobs Sent: Mon Jul 12 20:23:18 2010 Subject: Re: Another question about LDAP over SSL Hi Chris thanks for the reply. Here is my problem. I have two LDAP browsers that I am testing on a PC. One is called JXplorer and the other is called LDAPEditor. You probably heard of jxplorer but LDAPEditor is old and probably out of support. Anyway JXplorer you have to manually transfer the SSL cert and load it into the program before you can connect to LDAP over SSL. When I use LDAPEditor to connect to my openLDAP server via SSL. The program prompts me to accept the server cert. I do not have to manually upload the cert into the program. So my question is... How do I accomplish this in the client I am writting? How can I use the openLDAP library to prompt a customer that asks them if they want to accept the server cert or not? Does this make sense? Also built into OpenSUSE is an LDAP browser. It gives the option to connect to LDAP over SSL as well. On this one you do not have to manually load the cert before hand. thanks ________________________________ From: Chris Jacobs <Chris.Jacobs(a)apollogrp.edu> To: "v_1bboon(a)yahoo.com" <v_1bboon(a)yahoo.com>; "openldap-technical(a)openldap.org" <openldap-technical(a)openldap.org> Sent: Mon, July 12, 2010 7:26:54 PM Subject: Re: Another question about LDAP over SSL This really is a basic 'cert' issue. There's a ton of non-openldap coverage of this topic (self-signed and CA purchased certs). In a nutshell, you'll need to provide a way for your customer's to use a cert of their choosing, and let them sort out how to get their clients to trust the signer of that cert. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ________________________________ From: openldap-technical-bounces(a)OpenLDAP.org <openldap-technical-bounces(a)OpenLDAP.org> To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Mon Jul 12 19:20:58 2010 Subject: Another question about LDAP over SSL Hi everyone. I have another "duh" question. I am writing software for a proprietary piece of hardware. I will be using the C libraries for openldap. I need to write some functions for LDAP so that the UI of the software has the option to authenticate a user via LDAP and LDAP over SSL. Basically it will just act like a client that will Simple Bind to the LDAP server for authentication. I read the document here. http://www.openldap.org/faq/data/cache/185.html I followed the instructions on the website to generate the SSL certs. My question is, on the website above it says.... "You must also install a copy of the CA certificate on all of your client machines. Configuration is done in /usr/local/etc/openldap/ldap.conf:" Does this mean I need to provide a way to the customer to manually transfer his/her CA cert the proprietary hardware, if they want to use LDAP over SSL??? Or when I use the Start TLS function, do the certs automatically get transfered behind the scene? thanks ________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system. ________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

1 0

← Newer
1
...
5
6
7
8
9
10
11
12
13
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2010