openldap-technical September 2010

openldap-technical@openldap.org

111 participants
113 discussions

Re: How to slapadd cn=config
by Torsten Schlabach (Tascel eG) 21 Sep '10

21 Sep '10

Hi Ondrej! You're right, it's a classic RTFM: >From the slapadd man page: -n dbnum Add entries to the dbnum-th database listed in the configuration file. The -n cannot be used in conjunction with the -b option. To populate the config database slapd-config(5), use -n 0 as it is always the first database. It must physically exist on the filesystem prior to this, however. I tried -b 'cn=config' instead of -n 0, which is semantically the same, but not technially. Problem solved, I think. Regards, Torsten On Tue, 21 Sep 2010 14:45:33 +0200, Ondrej Kuznik <ondrej.kuznik(a)acision.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/21/2010 02:23 PM, Torsten Schlabach (Tascel eG) wrote: >> Hi Robert! >> >>> Slapd, etc. needs an /etc/openldap/slapd.conf file >> >> Well, either an /etc/openldap/slapd.conf file *or* a cn=config database, >> I >> guess. >> >> Ok, maybe a possible trick is to have a minimal slapd.conf file which >> just >> declares a cn=config database to be able to load it that way. >> >> In that case, a cut & paste example somewhere would come in handy. >> >> But I understand that in OpenLDAP 2.5 they think about doing away with >> slapd.conf entirely. This would then break your approach again. >> >> Maybe Howard will explain a bit better what he meand by "slapadd the same >> way you slapcat". > > I asked a similar question on the #openldap irc channel some time ago, > the advice was to use: > slapadd -n0 -l slapdconfig.ldif -F /path/to/new/slapd.d > > (the directory /path/to/new/slapd.d must already exist and should be > an empty directory) > > That way you need no prior configuration in the form of slapd.conf. > > Ondra > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkyYqO0ACgkQ9GWxeeH+cXv1QACdHgrI5G/W760M2QCJ1PKiHbNM > lIIAn0wiPptdEEcCftO5gBDPk01dQcMi > =h2Z3 > -----END PGP SIGNATURE----- > > This e-mail and any attachment is for authorised use by the intended > recipient(s) only. It may contain proprietary material, confidential > information and/or be subject to legal privilege. It should not be copied, > disclosed to, retained or used by, any other party. If you are not an > intended recipient then please promptly delete this e-mail and any > attachment and all copies and inform the sender. Thank you.

1 0

Automate Create Home Directory
by Alejandro Rodriguez Luna 21 Sep '10

21 Sep '10

Hi, i'm testing a new openldap server, and i have everything set, i can add users, groups, and log on in differents machines with the same user. Everything works fine. but i have a problem, i have to create the home directory for each new user on each new machine that I log on. is there a way that this process can be automatic?. Ideas?

4 3

Forcing UID attribute
by Marco Pizzoli 20 Sep '10

20 Sep '10

Hi list, I need to populate an entry in OL having DN uid=pippo,ou=people,dc=mycorp. I need to force this entry to have a uid attribute *different* from uid appearing in the name. Example: I need "uid: pluto". ldapadd-ing the entry I have the entry with 2 uid attributes populated: - uid: pippo - uid: pluto Is there a way to NOT have "uid: pippo" populated even if the entry is called in that way? Thanks in advance Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

2 2

Configuring AD using OpenLDAP
by Vinay Kalkoti 20 Sep '10

20 Sep '10

Hi, Is it possible to use OpenLDAP client to authenticate against Active Directory without using Samba or SUF ? Thanks, Vinay

4 4

No connection! Some Ideas
by Márcio Luciano Donada 17 Sep '10

17 Sep '10

That night, I had a problem with stopping the LDAP, the only thing I have in the log is this: connection_read(42): no connection! my version OpenLDAP is: @(#) $OpenLDAP: slapd 2.4.11 (Jul 24 2010 08:14:20) $#012#011@murphy:/build/buildd-openldap_2.4.11-1+lenny2-i386-H5BDjb/open ldap-2.4.11/debian/build/servers/slapd Debian Lenny 5. after the restart ldap I have the following message: connection_input: conn=32 deferring operation: pending operations I honestly do not know what happens, I have this problem and sometimes for my system for some reason not yet know what it is, and debugging of slapd.conf is 256 and as I passed the e-mail that is the only information I have. Can anyone help me? Thanks -- Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br> Aurora Alimentos - Cooperativa Central Oeste Catarinense Departamento de T.I.

2 3

Loglevel for authentication problem
by Darouichi, Aziz 17 Sep '10

17 Sep '10

Hi, We are working with a vendor of a hosted application, and we are using openldap-2.2.13-12.el4 for authentication. We are not able to login to the hosted application. This is what the vendor is getting for error message: message] [09-14-2010T10:27:30] Attempting to bind to xx.xxx.xxx.xxxx:389 [message] [09-14-2010T10:27:30] Binding as 'uid=pperson,ou=People,dc=college,dc=edu' [message] [09-14-2010T10:27:31] Bind successful [system ] [09-14-2010T10:27:31] Checking R25 WS user [message] [09-14-2010T10:27:31] Executing query (&(objectClass=user)(sAMAccountName=test)) [message] [09-14-2010T10:27:31] Building field mappings for query (&(objectClass=user)(sAMAccountName=test)) [message] [09-14-2010T10:27:31] Search path: OU=Group,DC=college,DC=edu [error ] [09-14-2010T10:27:32] Search error: [10061] Connection refused [message] [09-14-2010T10:27:32] Search path: OU=People,DC=college,DC=edu [error ] [09-14-2010T10:27:33] Search error: [10061] Connection refused [message] [09-14-2010T10:27:33] Search path: OU=Users,DC=college,DC=edu [error ] [09-14-2010T10:27:34] Search error: [10061] Connection refused [error ] [09-14-2010T10:27:34] Query (&(objectClass=user)(sAMAccountName=test)) returned no results We have log level 64 enabled, if we increase log level it slows the machine. This what We are getting in the log: Sep 16 09:31:01 ldap1 last message repeated 8 times Sep 16 09:32:06 ldap1 last message repeated 2 times Sep 16 09:33:07 ldap1 slapd[3288]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18) Sep 16 09:34:26 ldap1 last message repeated 4 times Sep 16 09:35:36 ldap1 last message repeated 4 times Sep 16 09:36:39 ldap1 last message repeated 4 times Sep 16 09:37:14 ldap1 last message repeated 4 times Sep 16 09:37:23 ldap1 slapd[3288]: connection_read(26): no connection! Sep 16 09:37:26 ldap1 slapd[3288]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18) Sep 16 09:38:15 ldap1 last message repeated 2 times Sep 16 09:39:16 ldap1 last message repeated 5 times Sep 16 09:40:28 ldap1 last message repeated 3 times Sep 16 09:40:56 ldap1 last message repeated 5 times Sep 16 09:41:10 ldap1 slapd[3288]: connection_read(34): no connection! Sep 16 09:41:17 ldap1 slapd[3288]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18) I have a test server I can use to troubleshoot this problem if I know what log level should I use? Thanks, Aziz

2 2

Stitching two LDAP databases together using chaining?
by Michael Smith 17 Sep '10

17 Sep '10

Hi, Let's say I have a database with base DN dc=parent. On a particular server, dc=parent is a read-only syncrepl slave. On the same server, I have a separate read-write database, dc=child,dc=parent. Is there a way to make it so searches of dc=parent also search the database in dc=child,dc=parent? I'm thinking a referral plus the chain overlay might do the trick, but I can't create a referral object with name "dc=child,dc=parent" within the dc=parent database because the server knows dc=child,dc=parent already exists (as the other database). I get "Already exists (68)" from the server. I figure I'm missing something simple, or doing something stupid. Thanks, Mike

2 2

accesslog anomaly in drop/re-import (was Searched Attr=1.1)
by Marco Pizzoli 17 Sep '10

17 Sep '10

I re-post this help request using a more appropriate subject . Thanks in advance Marco ---------- Forwarded message ---------- From: Marco Pizzoli <marco.pizzoli(a)gmail.com> Date: Thu, Sep 16, 2010 at 1:07 PM Subject: Re: Searched Attr=1.1 To: Dieter Kluenter <dieter(a)dkluenter.de> Cc: openldap-technical(a)openldap.org Hi Dieter, thanks for your answer. I came to this evidence in investigating an anomaly that I'm having with my accesslog database. Symptom I was having was continuous high cpu spot. I suspected it was due to my accesslog database. - I made a slapcat of my entire log database. - I erased my log database - I tried a slapadd of my log database I had this problem: /usr/sbin/slapadd -b "cn=log,dc=mycorp.it" -l /srv/bck/dump_db_log.ldif.20100916 . 0.00% eta 08h35m elapsed spd 90.2 k/s str2entry: invalid value for attributeType reqControls #0 (syntax 1.3.6.1.4.1.4203.666.11.5.3.1) slapadd2.4: could not parse entry (line=4907) - 0.01% eta 05h58m elapsed spd 205.7 k/s Closing DB... I went to that line and found this entry: dn: reqStart=20100913065628.000008Z,cn=log,dc=mycorp.it objectClass: auditSearch structuralObjectClass: auditSearch reqStart: 20100913065628.000008Z reqEnd: 20100913065628.000009Z reqType: search reqSession: 1129 reqAuthzID: cn=syncrepl-ldap04,ou=utenze_tecniche_openldap,ou=Gestori,dc= mycorp.it reqControls: {0}{1.3.6.1.4.1.4203.1.9.1.1 controlValue "30440K0103043M7269643N 3030332M7369643N3030342M63736O3N32303130303931333036353130362O3932343735355K2 330303030303023303033233030303030300001PP"} reqControls: {1}{2.16.840.1.113730.3.4.2 criticality TRUE} reqDN: dc=mycorp.it reqResult: 0 reqScope: base reqDerefAliases: never reqAttrsOnly: TRUE reqFilter: (objectclass=*) reqAttr: 1.1 reqEntries: 0 reqTimeLimit: -1 reqSizeLimit: 1 entryUUID: 2beb0bd0-ba32-4a00-93da-748ef2177cc7 creatorsName: cn=Manager,cn=log,dc=mycorp.it createTimestamp: 20100913065628Z entryCSN: 20100913065628.167225Z#000000#003#000000 modifiersName: cn=Manager,cn=log,dc=mycorp.it modifyTimestamp: 20100913065628Z Can someone tell me why this entry result not accepted to my openldap system? I'm using OL 2.4.23 with password policy overlay defined. The entry I posted is related to an access made by a specific syncrepl-user. Replica configured in mirror-mode. Other OL systems are 2.4.22. Deleting this entry and re-slapadding I had another similar problem. /usr/sbin/slapadd2.4 -b "cn=log,dc=mycorp.it" -l /tmp/dump_db_log.ldif.20100916_Corrected " 4.69% eta 01h07m elapsed 03m19s spd 542.3 k/s str2entry: invalid value for attributeType reqRespControls #0 (syntax 1.3.6.1.4.1.4203.666.11.5.3.1) slapadd2.4: could not parse entry (line=3099715) * 4.70% eta 01h07m elapsed 03m20s spd 979.8 k/s Closing DB... The entry affected is this one: dn: reqStart=20100913093021.000000Z,cn=log,dc=mycorp.it objectClass: auditBind structuralObjectClass: auditBind reqStart: 20100913093021.000000Z reqEnd: 20100913093021.000001Z reqType: bind reqSession: 2746 reqAuthzID: reqControls: {0}{1.3.6.1.4.1.42.2.27.8.5.1} reqRespControls: {0}{1.3.6.1.4.1.42.2.27.8.5.1 controlValue "3000"} reqDN: uid=pe1597,ou=People,dc=mycorp.it reqResult: 0 reqVersion: 3 reqMethod: SIMPLE entryUUID: 192cbddf-4b5c-431d-a92e-c2f84fa4b7be creatorsName: cn=Manager,cn=log,dc=mycorp.it createTimestamp: 20100913093021Z entryCSN: 20100913093021.411398Z#000000#003#000000 modifiersName: cn=Manager,cn=log,dc=mycorp.it modifyTimestamp: 20100913093021Z Any help is appreciated. Thanks Marco On Thu, Sep 16, 2010 at 12:27 PM, Dieter Kluenter <dieter(a)dkluenter.de>wrote: > Marco Pizzoli <marco.pizzoli(a)gmail.com> writes: > > > Hi list, > > I found some entries in my OL logs about searches for attribute "1.1". > I've > > seen that the requester is the user used for the replication (syncrepl). > > > > Can anyone explain to me what this kind of attribute is this? > > > > conn=0 op=3 SRCH attr=1.1 > > oid 1.1 is just 'no attributes' > > -Dieter > > -- > Dieter Klünter | Systemberatung > sip: 7770535(a)sipgate.de > http://www.dpunkt.de/buecher/2104.html > GPG Key ID:8EF7B6C6 > -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

1 0

Re: How to bootstrap in mirror mode with cn=config
by Torsten Schlabach (Tascel eG) 16 Sep '10

16 Sep '10

Hi Brett! I see your point, and actually, this is what we are doing anyway. But I could ask my question in a different way as well: How would I turn a single server in to a mirror mode pair? > restoring > a server2 backup avoids problems with serverId etc. You know, I am asking because I want to understand those problems. Regards, Torsten P.S.: The list doesn't have the reply-tp header properly set. Make sure manually to reply tot he list. On Thu, 16 Sep 2010 19:52:01 +1000, "Brett @Google" <brett.maxfield(a)gmail.com> wrote: > I'd suggest a less complex approach. > > Restore server2 from backup, but make sure you emit a backup ldif > somewhere on a backed up filesystem daily or whatever. > > After restoring your server 2 ldif, you will be configured, and will > recover data quicker if you have some relatively static data sets. > > Building a replica with syncrepl can be slower than slapcat, restoring > a server2 backup avoids problems with serverId etc., even with newer > openldap versions. > > > On 9/16/10, Torsten Schlabach (Tascel eG) <tschlabach(a)tascel.net> wrote: >> Dear list! >> >> I am currently chasing some replication problems and I am trying to get >> my >> mind around a couple of questions. >> >> Let's assume this: >> >> We have two LDAP servers, server 1 and server 2, which are supposed to be >> mirrors of each other. >> The both have their cn=config database and a database with actual data, >> let's assume it's the dc=example,dc=com database. >> I want to run not only dc=example,dc=com but also cn=config in mirror >> mode >> to make sure that I keep the config in sync and that any changes to the >> config (e.g. ACls) can be done on one of the servers and will replicate >> to >> the other one. >> >> Let's assume this was all working well. >> >> Not server 2 fails and needs a complete reinstall. So I sit there with a >> slapd binary and no configuration at all. >> >> My idea would be (please tell me if I am on the right path) : >> >> 1. I could give server 2 a minimal config which does not contain anything >> else but "replicate your cn=config from server1". Let's call this a >> bootstrap config. >> 2. Once server 2 starts with that bootstrap config, it will fetch >> cn=config from server1. >> 3. It will learn from the replicated config that it has to have an >> dc=example,dc=com database, create it and replicate its content from >> server1 as well. >> 4. I would be back in business. >> >> Unfortunately, when I tried, what happened was: >> >> The contextCSN of the bootstrap config on server 2 is newer / higher than >> the one on server 1 which has not been touched for a while. So server 2 >> did >> not fetch the config from server 1 but vice versa, which was not exactly >> the result I intended. Though it's very consequent and logical behaviour. >> >> My question: >> >> Am I on the complete wrtong track? >> >> Would I have to do the slapcat -> slapadd thing between server 1 and >> server 2 first (with server 2 offline) and start server 2 only after >> that? >> >> When I do the slapcat / slapadd thing from server 1 to server 2, do I >> have >> to remove any contextCSN / entryCSN entries (as some postings such as >> http://www.mail-archive.com/openldap-technical@openldap.org/msg00109.html) >> suggest or would that be just wrong? >> >> Regards, >> Torsten >> >>

2 1

Attribute modification via alias
by Echedey Lorenzo 16 Sep '10

16 Sep '10

Hi, I wonder if it is possible to modify an attribute parsing to the request a dn which has an alias to the real entry where the attribute is placed. Thanks for your help -- -------------------------------------------- | Echedey Lorenzo Arencibia | --------------------------------------------

1 0

← Newer
1
2
3
4
5
6
7
8
9
...
12
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2010