openldap-technical August 2010

openldap-technical@openldap.org

83 participants
85 discussions

Supported formats of server/client certificate
by Ondrej Moriš 27 Aug '10

27 Aug '10

Hi, I am wondering what formats of server/client x.509 certificates are supported by OpenLDAP? I see that PEM is supported, but what about other formats like binary DER, PKCS#7, PKCS#12? I've tried to find answer in documentation, but it said that CA cert should be given in PEM and nothing about server/client certs. Any help greatly appreciated! -- Ondrej Moriš

2 1

Re: replicate two branches?
by Marc Patermann 27 Aug '10

27 Aug '10

Isaac, Isaac Hailperin schrieb am 27.08.2010 12:49 Uhr: > On 08/27/2010 11:12 AM, Marc Patermann wrote: >> Isaac Hailperin schrieb am 25.08.2010 17:44 Uhr: >> >>> I was wondering whether there is a way to replicate more then one >>> branch. I tried to replicate two branches using two syncrepl sections in >>> slapd.conf with different rid, but that got me an error >>> "syncrepl: database already shadowed" >>> So I suppose its at least not that easy. >> You are speaking about the provider, right? > No, the error occured on the slave side, after I put two syncrepl > directives in slapd.conf. > >> If you have o=foo with branch a ou=a,o=foo and branch b in ou=b,o=foo, >> what do you want to achieve then? Replicate branch a to server a and >> branch b to server b, or what? > I have dc=foo with ou=bar,dc=foo ou=rab,dc=foo and ou=oof,dc=foo. > I want to replicate ou=bar and ou=rab to another server, but not ou=oof. Where syncrpl is a database option, you could define a database for each branch in the consumer and define the searchbase corresponding to each branch (if you cannot reduce the replication data to a branch by setting a filter, where "dn= ..." is not a valid filter). database bdb suffix "ou=bar,dc=foo" syncrepl rid=1 searchbase=ou=bar,dc=foo ... directory ... database bdb suffix "ou=rab,dc=foo" syncrepl rid=1 searchbase=ou=rab,dc=foo ... directory ... Marc

1 0

Re: replicate two branches?
by Marc Patermann 27 Aug '10

27 Aug '10

Isaac, Isaac Hailperin schrieb am 25.08.2010 17:44 Uhr: > I was wondering whether there is a way to replicate more then one > branch. I tried to replicate two branches using two syncrepl sections in > slapd.conf with different rid, but that got me an error > "syncrepl: database already shadowed" > So I suppose its at least not that easy. You are speaking about the provider, right? If you have o=foo with branch a ou=a,o=foo and branch b in ou=b,o=foo, what do you want to achieve then? Replicate branch a to server a and branch b to server b, or what? You may have to describe your problem a bit more in detail. Marc

2 1

Getting Solaris to use Openldap
by Stuart Cherrington 27 Aug '10

27 Aug '10

Hi, I Have an OpenLDAP 2.4.18 server on RHEL 5.3. I can get Linux clients to use the master by use of the /etc/ldap.conf file. I'm now trying to get a SOlaris 10 client to use the master by initialising with the default profileName. If I run: ldapclient -v init -a proxypassword=xxxxx -a proxydn=cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -a domainname=ldn.sw.com 10.2.250.15 This errors with Parsing proxypassword=5wap5proxy Parsing proxydn=cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com Parsing domainname=ldn.sw.com Arguments parsed: domainName: ldn.sw.com proxyDN: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com proxyPassword: xxxxx defaultServerList: 10.2.250.15 Handling init option About to configure machine by downloading a profile No profile specified. Using "default" findBaseDN: begins findBaseDN: ldap not running findBaseDN: calling __ns_ldap_default_config() found 1 namingcontexts findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=ldn.sw.com))" rootDN[0] dc=ldn,dc=sw,dc=com NOTFOUND:Could not find the nisDomainObject for DN dc=ldn,dc=sw,dc=com found_cxt = -1 findBaseDN: Err exit Failed to find defaultSearchBase for domain ldn.sw.com So the 2 errors are the NOTFOUND nisDomainObject which is there when I check on the master: [root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxx-b dc=ldn,dc=sw,dc=com -s base # extended LDIF # # LDAPv3 # base <dc=ldn,dc=sw,dc=com> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # ldn.sw.com dn: dc=ldn,dc=sw,dc=com dc: ldn o: ldn associatedDomain: ldn.sw.com nisDomain: ldn.sw.com objectClass: dcObject objectClass: organization objectClass: domainRelatedObject objectClass: nisDomainObject objectClass: top # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 The other error is 'Failed to find defaultSearchBase for domain ldn.sw.com' [root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w 5wap5proxy -b cn=default,ou=profile,dc=ldn,dc=sw,dc=com -s base # extended LDIF # # LDAPv3 # base <cn=default,ou=profile,dc=ldn,dc=sw,dc=com> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # default, profile, ldn.sw.com dn: cn=default,ou=profile,dc=ldn,dc=sw,dc=com defaultSearchBase: dc=ldn,dc=sw,dc=com authenticationMethod: simple followReferrals: TRUE profileTTL: 43200 searchTimeLimit: 30 objectClass: DUAConfigProfile defaultServerList: 10.2.250.15 credentialLevel: proxy cn: default defaultSearchScope: one # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Obviously I've missed something, anyhelp would be appreciated. Thanks, Stuart.

1 0

tnsnames in openldap
by Stuart Cherrington 26 Aug '10

26 Aug '10

Hi, I was wondering if anyone here has had a good/bad experience of getting Openldap to provision tnsnames lookup for Oracle Databases? We're thinking of removing our current OID implementation which is very old and as I'm already running OpenLDAP 2.4 is makes sense to just roll it from there. I found a VERY useful article at http://oracle-cookies.blogspot.com/2007/01/get-tnsnamesora-from-openldap.ht… which I think will help enormously. Thanks, STuart. _________________________________________________________________ http://clk.atdmt.com/UKM/go/195013117/direct/01/

3 2

Re: OpenLDAP as a proxy for Active Directory (missing attributes)
by Marius Flage 26 Aug '10

26 Aug '10

On 08/26/2010 11:10 PM, Mike Olivieri wrote: > However, when I try to search for that same user using ldapsearch, I get > no results. > ldapsearch -x \ > -a always \ > -h fqa-ldap \ > -p 9389 \ > -D "CN=mike0,OU=Service Accounts,dc=myco_ad,dc=mycompany,dc=com" \ > -w "password" \ > -b "DC=MYCO_AD,dc=mycompany,dc=com" \ > "(sAMAccountName=mikeo)" Try omitting the search filter '(sAMAccountName)', do you get any results then? If so, then you need to add the attribute declaration for sAMAccountName to your schema: attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) That's my only guess to this and I'll leave it to the experts if that's not the solution :) - Marius

1 0

access control, groups/organizationalRole
by Frederik Bosch 26 Aug '10

26 Aug '10

Hello, I am trying to setup an access control rule, but failed. All occupants of the objectClass organizationalRole which has a certain location may have read access. How do I setup this rule in slapd.conf? This is my line at the moment. This matches the dn of the occupant. But how do I match the location attribute of the organizationalRole? access to * by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" read Thanks in advance, Frederik

2 9

Problem with persistent search in OpenLDAP 2.4.23
by Tom Leach 26 Aug '10

26 Aug '10

I'm trying to write a perl script using PersistentSearch from Net::LDAP::Control::PersistentSearch against a freshly compiled OpenLDAP 2.4.23 server. I've configured/compiled the server with --enable-syncprov=yes and I have N-way multimaster setup and working. In the directory that I'm querying, I have syncrepl and mirrormode configured for the suffix dc=coas,dc=oregonstate,dc=edu. But, when I run the perl script using PersistentSearch I'm getting the following in my slapd log file when I search for something in the base ou=People,dc=coas,dc=oregonstate,dc=edu: slap_global_control: unrecognized control: 2.16.840.1.113730.3.4.3 I'm under the impression that PersistentSearch is enabled by the syncprov overlay so why would I be getting the unknown control message? Any help would be appreciated, I'm hitting dead ends everywhere I look. Tom Leach leach(a)coas.oregonstate.edu

4 11

Re: multi / standby master: incomplete replication after downtime (?) [SOLVED]
by Elmar Marschke 26 Aug '10

26 Aug '10

On 18.08.2010 17:16, Rein Tollevik wrote: > On 08/18/2010 04:28 PM, Elmar Marschke wrote: > >> Here's the logfile of MASTER: >> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> ===_BEGIN_CHANGES_WHILE_BOTH_UP_=== >> Aug 18 15:30:04 ldapmaster slapd[8017]: slap_queue_csn: queing >> 0x7f00f317b580 20100818133004.663851Z#000000#000#000000 > > Your ServerID setting is incorrect, and you are using the default > ServerID=0 on both systems. The ServerID is included in the csn value, > the second to last number (#000# here). Ensure that the ServerID URL is > the exact hostname of the systems it runs on, or that slapd is able to > select the correct sid based on its -h listener argument. > > Start slapd with -d config and verify that both logs lines with > differing SID= values. > > Rein > Hi all, thanks to your hints i think i got it working now :) Several details had to be changed. Perhaps someone has similar problems, so in the following i give a detailed description what had to be done in my case. Everything was executed on two freshly out-of-the-box installed openSuSE 11.3 x86_64 with SuSE-shipped openldap 2.4.21. First; according the inaccurate time on my testmachines: i deleted the openSuSE ntp.conf and additionally now i use other ntp servers as timesync source. Complete ntp.conf on ldapmaster and ldapslave now is: ----------------------------------------------------- server ptbtime1.ptb.de prefer server ptbtime2.ptb.de tinker panic 0 driftfile /var/lib/ntp/drift/ntp.drift This results in less different offset values: --------------------------------------------- ldapmaster:/etc/openldap # ntpq -p; ssh ldapslave ntpq -p remote refid offset ======================================== *ptbtime1.ptb.de .PTB. -1.218 +ptbtime2.ptb.de .PTB. -1.305 remote refid offset ========================================== *ptbtime1.ptb.de .PTB. -0.381 +ptbtime2.ptb.de .PTB. 0.203 ldapmaster:/etc/openldap # Second problem: the missing or wrong serverID in the csn values. To make clear what obviously helped i will describe how i create(d) my slapd.d/ online configuration. (My original slapd.conf was taken from the "openldap 2.4" book by Oliver Liebel & John Martin Ungar -- thanks Oliver :)! ------------------------------------------------------------ ldapmaster:/etc/openldap # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ hdb_db_open: database "dc=local,dc=site": db_open(/var/lib/ldap//id2entry.bdb) failed: No such file or directory (2). backend_startup_one (type=hdb, suffix="dc=local,dc=site"): bi_db_open failed! (2) slap_startup failed (test would succeed using the -u switch) ------------------------------------------------------------ The following rcldap start every time resulted in: -------------------------------------------------- ldapmaster:/etc/openldap # rcldap start Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1 failed ------------------------------------- and in /var/log/messages was written: -------------------------------------- Aug 26 15:47:22 ldapmaster slapd[7805]: @(#) $OpenLDAP: slapd 2.4.21 (Jul 5 2010 13:35:22) $#012#011abuild@build16:/usr/src/packages/BUILD/openldap-2.4.21/servers/slapd Aug 26 15:47:22 ldapmaster slapd[7805]: olcSyncrepl: value #0: <olcSyncrepl> invalid URL Aug 26 15:47:22 ldapmaster slapd[7805]: config error processing olcDatabase={0}config,cn=config: <olcSyncrepl> invalid URL Aug 26 15:47:22 ldapmaster slapd[7805]: slapd stopped. Aug 26 15:47:22 ldapmaster slapd[7805]: connections_destroy: nothing to destroy. I greped for "olcSyncrepl" in slapd.d: --------------------------------------- ldapmaster:/etc/openldap # grep -r olcSyncrepl slapd.d/ slapd.d/cn=config/cn=schema.ldif:olcAttributeTypes: ( OLcfgDbAt:0.11 NAME 'olcSyncrepl' EQUALITY caseIgnoreMatc slapd.d/cn=config/cn=schema.ldif: olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN slapd.d/cn=config/olcDatabase={0}config.ldif:olcSyncrepl: rid=003 provider=ldap://ldapmaster.local.site uri="" bindmethod=s slapd.d/cn=config/olcDatabase={0}config.ldif:olcSyncrepl: rid=004 provider=ldap://ldapslave.local.site uri="" bindmethod=si slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcSyncrepl: rid=001 provider=ldap://ldapmaster.local.site uri="" bindmethod=s slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcSyncrepl: rid=002 provider=ldap://ldapslave.local.site uri="" bindmethod=si ldapmaster:/etc/openldap # Some internet research told me, that the empty uri="" should be the problem, and that it would help to remove it. BEFORE i always removed it; and right; starting of openldap worked then. BUT apparently this also leads to the missing serverID in my csn values (respectively that they all had default "000"). NOW i changed those config.ldif and hdb.ldif files from slapd.d (in which grep found the string "olcSyncrepl"), to give uri an appropriate value. Open each file, search for "uri". It's found two times in every file. Before each occurence there's a variable "provider", which is set to something. For example in slapd.d/cn=config/olcDatabase={0}config.ldif : provider=ldap://ldapmaster.local.site uri="" and provider=ldap://ldapslave.local.site uri="" The value of provider ALSO has to be put into uri, that afterwards it looks like: provider=ldap://ldapmaster.local.site uri="ldap://ldapmaster.local.site" and provider=ldap://ldapslave.local.site uri="ldap://ldapslave.local.site" I did it on every machine (no file copy from one to another). After that; "rcldap start" (also) works without problems. But that still was not enough... Third thing to do: additionally on each machine make slapd start with "-h" parameter correctly set; like Rein and Jonathan wrote. According to the SuSE-way of configuration (like it or not, but in this case i don't have a choice ;)) this can be done in /etc/sysconfig/openldap: set OPENLDAP_SLAPD_PARAMS correctly on every machine; e.g. on master: OPENLDAP_SLAPD_PARAMS="-h ldap://ldapmaster.local.site" And, by the way, to make sure that ONLY online configuration style (slapd.d) is used; one can set OPENLDAP_CONFIG_BACKEND from "" to: OPENLDAP_CONFIG_BACKEND="ldap" This all together seems to solve the problem. Now LDAP-Objects can be altered, removed and added on one of both machines while the other one is down; and all changes are replicated as soon as the "downed" machine comes back up again. (At least in my tests until now ;))! Thanks for your time, and best regards.. elmar

1 0

OpenLDAP and Load Balance F5 issue
by Matheus Morais 26 Aug '10

26 Aug '10

Hi there, We were having some performance troubles using OpenLDAP and F5 load balance solution from BigIP at a high concurrent enviroment. We faced the problem for one month after I discovered that those problems didn't happen when applications was pointed directly to OpenLDAP server instead of load balance VIP. After a tcpdump analysis of the packages we realize that are too many ACK comming from each request. Last week we solved the problem unsetting Nagle's algorithm on the load balance virtual server which was causing this issue. So, if you look yourself on a similiar situation, please check the Nagle's algorithm on the F5 configuration! Thanks, Matheus Morais

3 4

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2010