openldap-technical September 2010

openldap-technical@openldap.org

111 participants
113 discussions

DB_Config issue
by Simon Gao 25 Sep '10

25 Sep '10

Hi, The change I made to DB_CONFIG does not take effect. Berkeley DB still uses default 256K for cache size. Here is set_cachesize line: set_cachesize 0 268435456 1 The DB version is 4.5.20 with patches. After changing DB_CONFIG, I rebuilt the database with: db_recover -h /var/lib/ldap The total cache size remains 256K, instead of 256M. What did I miss? Simon

1 0

N-way multimaster replication trouble
by NUNIN Roberto 24 Sep '10

24 Sep '10

Hello everybody I'm trying to start a two server multimaster installation. OpenLDAP is 2.4.23 built from sources, bdb 4.8.30 Configure options are: --enable-crypt --enable-overlays -enable-ppolicy --enable-memberof (maybe some are unuseful). OS is Centos 5.5, patched, virtual machines. LDAP server are addressed by client thru round-robin DNS registration. Behaviour: when a ldap user connected to a client try to change it's password thru the passwd command, on the LDAP server connected by the client thru the DNS name resolution, userPassword and shadowLastChange are updated, on the other LDAP server the field userPassword disappear (checked with slapcat). I suppose that this happen because on userPassword attribute there are ACL's (reported below) that permit only read action to syncuser. Infact, if I change the syncrepl instances and swap syncuser with admin (rootDN), the password change happens successfully and replica too. Now the question to the list: if I don't want to have rootDN used for replication, I must give the write permissions to syncuser to guarantee the replica, leaving the "bug" to have the a write account password written in clear text in config file ? There's a smarter method to reach the goal ? I apologize if solution is written on the documentation, but I've tried to find without success. Slapd config is still supplied thru slapd.conf. These are acl on bdb instance on userPassword and shadowLastChange attributes: access to attrs=userPassword by dn="cn=admin,dc=somedomain,dc=it" write by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read by anonymous auth by self write by * none access to attrs=shadowLastChange by dn="cn=admin,dc=somedomain,dc=it" write by dn.base="cn=syncuser,ou=People,dc=somedomain,dc=it" read by self write by * read syncrepl is configured as follow: syncrepl rid=000 provider=ldap://server1.somedomain.it:389 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=somedomain,dc=it" attrs="*,+" bindmethod=simple binddn="cn=syncuser,dc=somedomain,dc=it" credentials=syncuser_password syncrepl rid=001 provider=ldap://server2.somedomain.it:389 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=somedomain,dc=it" attrs="*,+" bindmethod=simple binddn="cn=syncuser,dc=somedomain,dc=it" credentials=syncuser_password MirrorMode TRUE Obviously servers are identified as serverID 001 and serverID 002 and both are started to listen only on their FQDN. Thanks to all for attention and support. Roberto Nunin Comifar Service SpA Italy Questo messaggio e' indirizzato esclusivamente al destinatario indicato e potrebbe contenere informazioni confidenziali, riservate o proprietarie. Qualora la presente venisse ricevuta per errore, si prega di segnalarlo immediatamente al mittente, cancellando l'originale e ogni sua copia e distruggendo eventuali copie cartacee. Ogni altro uso e' strettamente proibito e potrebbe essere fonte di violazione di legge. This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately, deleting the original and all copies and destroying any hard copies. Any other use is strictly prohibited and may be unlawful.

1 0

Question about slapcat tool
by Ivan Mladenović 24 Sep '10

24 Sep '10

Hi, I have Open LDAP version 2.3 installed on CentOS 5. Open LDAP is installed by using root account. I’m trying to make backup of LDAP data by using slapcat tool. If this tool is running by the root user backup is successfully created. But, if this tool is running by some other user following error is displayed: bdb_db_open: alock package is unstable backend_startup_one: bi_db_open failed! (-1) slap_startup failed I try to allow reading for all files that are in /var/lib/ldap folde, but it did not help. Can I run this tool if I’m logged in by using some other user and how I can do this? Thanks in advance. Best Regards, Ivan

2 1

syncrepl only working in one direction
by Alister Forbes 24 Sep '10

24 Sep '10

All, I have two identical servers (RHEL based VMs, server1 and server3) running 2.4.23 openldap. built with these options: --with-tls --prefix=/etc/operator/openldap --enable-syncprov --enable-syslog --enable-crypt - I have the strangest problem, and am desperate for any insight you might provide If I make a change on server3, then everything is fine, and the change is replicated to server1 If I make a change on server1 then server1 changes, but no changes are seen on server 3. looking at the logs, on server1, Using tcpdump to sniff the connection, when a change is made on server1, it doesn't even attempt to contact server3. As far as I can tell the configs are identical, and I have no clue whats causing this. Any hint at all would be gratefully accepted. Configs from both machines attached. server1 and server3(output of ldapsearch on cn=config) Also attached, logs (olcLogLevel is Sync) of the results when I change a value (olcLogLevel) on the two servers (change-on-server1 and change-on-server3) Thanks in advance for any help you can give. Alister -- Alister Forbes TACSUNS _.|._.|._ Cisco Systems Please avoid sending me Word or PowerPoint attachments. See - http://www.gnu.org/philosophy/no-word-attachments.html

2 6

help, how to maintain the ACL dynamic by C api???
by wu johnson 24 Sep '10

24 Sep '10

If the ACLs are large , how can?

1 1

OpenLDAP session authentication
by Erik Lotspeich 24 Sep '10

24 Sep '10

Hi, I have looked around for the answer to this question and the solution wasn't obvious to me... I have an OpenLDAP installation that I use as an addressbook. I do not use OpenLDAP for authentication on my network. I am using it on an internal network with anonymous read-only access. I would like to require user-level authentication and I would like to authenticate access to the LDAP database using system users in /etc/passwd. Is this possible? For authorization, I would like a few users to have read/write access and others to be read-only. I would like to disallow anonymous access to the database. I have SSL/TLS set up now and that works; I would like to be able to turn off all non-SSL access to the database once the authentication/authorization is set up. Regards, Erik

2 1

Cache size and performance questions.
by Antonio Galindo Castro 23 Sep '10

23 Sep '10

Hi @ll, I have an OpenLDAP 2.4.21 on a Ubuntu Server 10.04. The server is used for auth, when I have more than 20 user logged the server reponds very slow and has hight load. I have my config in this way: for 60000 registers in my db olcDbCheckpoint: 1024 5 olcDbCacheSize: 180000 olcDbConfig: {0}set_cachesize 0 94371840 0 olcDbConfig: {1}set_lk_max_objects 4500 olcDbConfig: {2}set_lk_max_locks 4500 olcDbConfig: {3}set_lk_max_lockers 4500 olcDbIDLcacheSize: 540000 The server is part of a multi master squema (MMR). Where I can found a good documentation for tunning my server in this scenario? Regards. -- Luis Antonio Galindo Castro aka FunkyM0nk3y Fingerprint: 237E EFE1 6055 BCEB ACD0 7A49 30FC A883 0044 A85E

2 2

Invalid credentials (49)
by Claudio Martella 23 Sep '10

23 Sep '10

Hello, I have a windows 2008 server, serving users auth with AD. I have another windows 2003 server, serving other users. I'm trying to access them through openldap and an PHP application. I can easly access my 2003 server with this command: ldapsearch -x -D "cn=cm,cn=TIS,dc=TIS,dc=local" -W -H ldap://192.168.10.206 but when i try to access the 2008 server with the same command i get: ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772 in this case my user is "cm" and he is in the "TIS" folder and i can login from a windows client with user TIS\cm successfully. I've tried also with -Z and -ZZ, in that case i get a service unavailable error. Do you have any idea why this would happen? Claudio -- Claudio Martella Digital Technologies Unit Research & Development - Analyst TIS innovation park Via Siemens 19 | Siemensstr. 19 39100 Bolzano | 39100 Bozen Tel. +39 0471 068 123 Fax +39 0471 068 129 claudio.martella(a)tis.bz.it http://www.tis.bz.it

2 1

openldap back-sock
by stefano vital 23 Sep '10

23 Sep '10

Hi, I have a question about a special LDAP setup , I try to use sock backend for bind user that after succesfull bind have to search on another backend, Here my slapd.conf on openldap 2.4.11 access to * by users read ##################BACKEND SOCK################################################# database sock suffix "dc=reg-bus-users-local,dc=it" #catturo le richieste riscritte da rwm bloccando richieste di lettura e scrittura dirette socketpath /tmp/ldapauthorization.sock ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=tfk,dc=tfkdatastore" rootdn "cn=Root,dc=tfk,dc=tfkdatastore" rootpw xxxxx I also made a fake bind in server listening on socket ldapauthorization.sock if ($request eq "BIND\n") { my %req = (); print "RESULT\n"; print "code: 0\n"; print "matched: cn=fratbrother,dc=reg-bus-users-local,dc=it\n"; } my ldapsearch is : ldapsearch -H ldap://localhost:389/ -D "cn=fratbrother,dc=reg-bus-users-local,dc=it" -w xxxx -x -b "dc=tfk,dc=tfkdatastore" "(objectClass=*)" "*" result : ldap_bind: Insufficient access (50) my goal if work , is to make bind = (bind + search attribute) in other ldap server check the validity of attribute and then response bind succesfull, so redirected bind with check on remote attribute , is possible to do that ? is the right usage of backend sock ? Ps : also noted that ldap does not connect to socket but make response directly "insufficient access". Ps : sorry for the bad english Thanks in Advance Stefano Vitali

1 0

problem with replication
by Craig White 23 Sep '10

23 Sep '10

never did replication and certain to be something that I did but this is the type of error I am getting... Sep 15 10:58:44 srv1 slapd[2766]: slap_client_connect: URI=ldap://srv2.ayr1.local DN="cn=admin,cn=config" ldap_sasl_bind_s failed (-1) Sep 15 10:58:44 srv1 slapd[2766]: do_syncrepl: rid=002 rc -1 retrying (4 retries left) Obviously because I didn't tell it NOT to use SASL bind for replication. Is there some simple adjustment to use something other than SASL for credentials when replicating? Craig

2 8

← Newer
1
2
3
4
5
6
7
...
12
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2010