I'm attempting to configure a slapd server in a very simple transparent
proxy configuration. I'm having a problem where clients for this proxy have
a (objectClass=user) filter defined. This filter is being replaced with
(!(objectClass=*)) when the searchRequest is relayed to the backend LDAP.
I believe this is something missing in the schema, though I'm very new to
LDAP. I've already included an AD schema in my slapd.conf to resolve some AD
specific filters I had trouble with.
I've attempted to uncomment and modify the core.schema's definition of
attributetype NAME objectClass, and commented out what I suspected was the
conflicting duplicate attributeType NAME supportedApplicationContext.
But I can't get slapd to start. I keep getting a duplicate attribute type
error in the config.
hdb_back_initialize: Sleepycat Software: Berkeley DB 4.4.20: (January 10,
/etc/openldap/schema/core.schema: line 66: Duplicate attributeType:
slapd-ldap destroy: freeing system resources.
connections_destroy: nothing to destroy.
I would appreciate any guidance to help resolve my problem. All I want is
the filter (objectClass=user) to be relayed correctly from the slapd service
to the LDAP proxy backend.
Thanks in advance!
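An added check for the behaviour described above (example code, not from the post or from OpenLDAP): it parses a search filter and reports the items that name an attribute type or objectClass value the schema does not define, which are the items slapd normalizes to the undefined filter and relays as (!(objectClass=*)). The KNOWN_ATTRS and KNOWN_CLASSES sets are constructed samples standing in for the proxy's schema; a real check would load them from the proxy's cn=Subschema entry.

```python
"""Flag the parts of an LDAP search filter that slapd would treat as undefined
(seen in the relayed request as (!(objectClass=*))). Schema sets are constructed."""
import re

# Constructed sample of what the proxy's schema knows. Note 'user' is absent.
KNOWN_ATTRS = {"objectclass", "cn", "uid", "samaccountname"}
KNOWN_CLASSES = {"top", "person", "inetorgperson", "groupofnames"}

_ITEM = re.compile(r"^([A-Za-z][\w;.-]*)(=|~=|>=|<=)(.*)$", re.S)
def parse_filter(text):
    """Parse an RFC 4515 filter string; returns (tree, unconsumed_text)."""
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    body = text[1:]
    if body[:1] in ("&", "|", "!"):
        op, rest, kids = body[0], body[1:], []
        while rest.startswith("("):
            kid, rest = parse_filter(rest)
            kids.append(kid)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), rest[1:]
    end = body.index(")")  # RFC 4515 escapes a literal ')' inside a value as \29
    m = _ITEM.match(body[:end])
    if not m:
        raise ValueError("unsupported filter item: %r" % body[:end])
    return ("item", m.group(1), m.group(2), m.group(3)), body[end + 1:]

def undefined_parts(tree):
    """Return each filter item that names an unknown attribute or objectClass."""
    if tree[0] in ("&", "|", "!"):
        return [p for kid in tree[1] for p in undefined_parts(kid)]
    _, attr, op, val = tree
    item = "(%s%s%s)" % (attr, op, val)
    if attr.lower() not in KNOWN_ATTRS:
        return [item]
    if attr.lower() == "objectclass" and val != "*" and val.lower() not in KNOWN_CLASSES:
        return [item]
    return []

def check(filter_text):
    """Parse and report; an empty list means slapd would relay the filter intact."""
    tree, rest = parse_filter(filter_text)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return undefined_parts(tree)

if __name__ == "__main__":
    print(check("(&(objectClass=user)(sAMAccountName=jdoe))"))  # ['(objectClass=user)']
```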
I've browsed the configuration page for slapd and it mentions that,
for starting from version 2.3, "The LDAP configuration engine allows all
of slapd's configuration options to be changed on the fly, generally
without requiring a server restart for the changes to take effect."
What is the user and password required to update the LDAP configuration?
I'm using slapd 2.4.23-7 on a Debian Squeeze (testing). I've tried using
the admin user (cn=admin,dc=...,dc=...) and it fails. This link
mentions using the cn=admin,dc=config account and a password found in
ldap.secret. I've not found that file and don't know what the
password for the cn=admin,dc=config account is.
I changed recently from slurpd to syncrepl. And I saw that syncrepl
does not preserve the order of the values on a multivalued attribute (I don't
know if it is a bug).
Entry on LDAP master/slave:
When I do this modify on master:
The result is:
The slave server keeps the old order.
Does anyone know if this is a replication bug?
Some time back I implemented an OpenLDAP-based LDAP client in a network appliance that uses code based on the tools for LDAP searches etc. I used the tool code because it gave me a nice easy LDIF-based API, but the downside was that each search operation was totally synchronous, so I'm now working on updating it to support asynchronous searches.
I have a daemon task that listens for replies from the server after a request is sent, and that then calls ldap_result, ldap_parse_result, etc. - basically all the things that ldap_do_search does synchronously. The daemon task, being outside of OpenLDAP, gets the socket to listen on for each request via ldap_get_option with LDAP_OPT_SOCKBUF. This is working well.
The problem is when new connections are opened when a referral/reference is followed. In this case the daemon needs to listen for replies on these too, but there is no way that I can see to get at its socket from outside the OpenLDAP core.
LDAP_OPT_SOCKBUF gets the socket for the primary connection and there is no equivalent mechanism to get the sockets for the referral connections.
What I've had to do is to add a new LDAP_OPT_REF_SOCKBUFS in my local OpenLDAP code to return a list of the socket buffers for additional connections opened for referrals.
I am using an oldish version (2.3.32), so:
- am I missing any alternate way to get these sockets to listen on?
- has anything been added in more recent versions that will help with this?
- if not would this new option LDAP_OPT_REF_SOCKBUFS be a useful addition? If so I could submit it via the bug reporting.
Is there any way to craft a search filter that checks for an attribute with two or more values?
For example, how could I construct a query to search for users with two passwords?
(where userPassword would be the user's first password attribute)
Baskin School of Engineering
UC Santa Cruz
Recently I ran into the olcDbURI bug that was mentioned earlier on this
It turned out to be part of ITS #6540 and I've found that the issue was
resolved and a patch was submitted sometime in Nov 2010.
I am currently running Ubuntu 10.04 with the following openldap packages:
What I'm wondering is, if there's a minor release that I can install on
my servers. I've searched the official Ubuntu repositories and they
don't seem to offer an updated package, so I realize that building the
package is my only option.
Your input is highly appreciated.
Is there a way of creating an attribute which can be assigned a value which auto-increments using an external file?
In other words, say I use the employeeNumber attribute but I want the value to be entered by picking the next value from a file.
In my file, I might have
Then when I run an ldap connection from my remote application, it would pick the next number if it doesn't exist on any account.
The next problem is I don't know how ldap works in terms of keeping track of things.
When I sync my application database with ldap, does it, or can it, check all of the users to see if a value is assigned or is that beyond its functions? Or, would keeping track of the values be something which needs to be done on the application side? The programmers tell me that there is no means of going back to ldap to identify if a user has been assigned a value, therefore, assign the next.
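As an added example (not the poster's code and not any LDAP library's API): allocating the next employeeNumber from a counter kept in the directory instead of a file, advanced with a compare-and-swap style LDAP modify. Because a modify is atomic, a single operation that deletes the old counter value and adds the new one either fully succeeds or is rejected when another client moved the counter first, so two clients syncing at once can never be handed the same number. The Directory class and COUNTER_DN are constructed stand-ins for slapd so the example runs offline; against a real server the same delete+add pair goes in one ldapmodify.

```python
"""Allocate the next employeeNumber from a shared counter so concurrent clients
never receive the same value: one LDAP modify deletes the old counter value and
adds the new one; a client whose delete no longer matches is rejected and retries."""
import threading
from concurrent.futures import ThreadPoolExecutor

class NoSuchAttributeValue(Exception):
    """Stand-in for LDAP result code 16 (noSuchAttribute) on a failed delete."""

class Directory:
    """Constructed stand-in for slapd: entries map dn -> {attribute: set(values)}."""
    def __init__(self):
        self.entries, self._lock = {}, threading.Lock()

    def modify(self, dn, changes):
        with self._lock:  # all changes apply or none, as in RFC 4511 section 4.6
            staged = {k: set(v) for k, v in self.entries[dn].items()}
            for op, attr, value in changes:
                if op == "delete":
                    if value not in staged.get(attr, ()):
                        raise NoSuchAttributeValue(dn, attr, value)
                    staged[attr].discard(value)
                elif op == "add":
                    staged.setdefault(attr, set()).add(value)
            self.entries[dn] = staged  # commit only after every change applied

COUNTER_DN = "cn=employeeNumber,ou=counters,dc=example,dc=com"  # constructed DN

def make_directory(start=1000):
    d = Directory()
    d.entries[COUNTER_DN] = {"nextValue": {str(start)}}
    return d

def next_employee_number(directory, retries=100):
    """Read the counter, swap old for old+1 in one modify, retry if raced."""
    for _ in range(retries):
        current = next(iter(directory.entries[COUNTER_DN]["nextValue"]))
        try:
            directory.modify(COUNTER_DN, [("delete", "nextValue", current),
                                          ("add", "nextValue", str(int(current) + 1))])
            return int(current)
        except NoSuchAttributeValue:
            continue  # another client advanced the counter first; re-read and retry
    raise RuntimeError("no employeeNumber allocated after %d attempts" % retries)

def allocate_concurrently(directory, workers):
    """Let `workers` threads each take one number; returns the sorted results."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(pool.map(lambda _: next_employee_number(directory), range(workers)))
```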
I've set up a master and slave ldap service for failover; however, I'd like
some advice on how to keep the ldap clients cached with the ldap creds if
ever the master and slave ldap servers go. I've tried to extend the time
of the caching on nscd - name server caching daemon - but it doesn't work
when I add ldap users to certain groups. I've also tried pam caching
credentials but it doesn't work that well either. Finally, I also tried sssd
but couldn't get it to work on my Ubuntu 10.10 clients. Does anyone have a simple
solution that works when slave and master ldap servers get out of
commission? I've thought about a getent passwd >> /etc/passwd cron job, etc.
I received my first of these errors from openldap server today.
slapd: warning: cannot open /etc/hosts.deny: Too many open files
The faqomatic suggests that I do the following:
Is there any way I can set this without having to build openldap again?
I'm trying to set up a translucent proxy which is populating its local
database as a syncrepl consumer.
It works fine, changes on the master are replicated to the translucent,
but I get an error in the logs.
Here is the extract from the logs:
bdb_modify: updated id=0000010d
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=0 matched="" text=""
syncrepl_entry: rid=002 be_modify
slap_queue_csn: queing 0x801de5670
==> translucent_modify: dc=domain,dc=local
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=32 matched="" text="attempt to modify
nonexistent local record"
syncrepl_updateCookie: rid=002 be_modify failed (32)
How can I solve this?