openldap-technical October 2011

openldap-technical@openldap.org

85 participants
99 discussions

slapcat -n 0 and slapadd
by Craig White 26 Oct '11

26 Oct '11

Having migrated to dynamic config, I'm looking for a reasonable way to restore in the event of a disaster. The discussion last week got me curious and though I can slapcat -n 0 -l $SOME_FILE I can't slapadd this same file because it complains that I don't have a slapd.conf file, which of course is true... I haven't needed it with the dynamic configuration backend. What's the minimum that I would need in a slapd.conf file so I can simply 'rm -fr /var/lib/ldap/* && slapadd -l $SLAPD_BACKUP' ? -- Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.white(a)ttiltd.com 1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com Need help communicating between generations at work to achieve your desired success? Let us help!

3 8

OpenLDAP documentation Doxygen
by Johan Jakus 26 Oct '11

26 Oct '11

Hi everyone! While working on my overlay, I add real hard time trying to understand the structure used by OpenLDAP. To help me out, I used Doxygen that automatically generates a map of the structures (and much more) from the source code. You can check this out on my website ( http://www.dataworld.be/johan/openldap/doxygen/). I would highly recommend you to use this tool so that future developers can easily find their way in your structures. The best solution would be to add this kind of documentation to the OpenLDAP website, so that everyone could easily access it. I don't want to judge your way of doing things, I just want to share something that helped me out allot! Best regards, Johan Jakus

1 0

RE: Overlays : Cache - Entry - AttributeDescription
by Hallvard B Furuseth 26 Oct '11

26 Oct '11

A correction to my last message: > If you want to free the entry yourself, instead you can do > > rs_replace_entry(entry_dup(rs->sr_entry)); e = rs->sr_entry; .... send the entry, or whatever... entry_free(e); /* instead of entry_free(rs->sr_entry); */ I don't quite remember, but I think when rs->sr_flags does not assert ownership of the entry, some other module may change the sr_entry pointer. So entry_free(rs->sr_entry) could free the wrong entry. Johan Jakus writes: > I'd like to make the attributes I merged in the entry > "read-only". Because the clients will receive an attribute from the > parents of an object, and I don't want them to to be able to save that > attribute in the object,when for example they change other attributes > values and click on the modify button in a program. Would You have any > idea on how to make that possible? Don't know, but try access controls to prevent user modifications, then bypass that for the mods done by the overlay with <Modifications>.sml_flags |= SLAP_MOD_INTERNAL; Maybe something like objectclass ( <oid> NAME 'jakusAddedAttrs' AUXILIARY MAY ( managed_attr1 $ managed_attr2 $ ... ) ) ... access to filter=(objectclass=jakusAddedAttrs) attrs=@jakusAddedAttrs by * read The alternative would be to intercept update operations and return (prohibited mod ? LDAP_UNWILLING_TO_PERFORM : SLAP_CB_CONTINUE). -- Hallvard

2 1

Cannot confirm uidNumber 1001 is free: checking for the next on
by Juan Diego Calle 25 Oct '11

25 Oct '11

Hi, I have an issue with openldap and smbldap-tools. Maybe I am wrong, and it has nothing to do with openldap. At first I notice that for some reason when I was trying to create users with phpldapadmin all my users had the same ID, 1001, so I tried to create users with smbldap-useradd and found the following warnings: I know Cannot confirm uidNumber 1001 is free: checking for the next on .... Cannot confirm uidNumber 2670 is free: checking for the next on So after hours of looking at the code in php of phpldapadmin, and looking to i think it doesn't find the right number, for some weird reason in my configuration. It seems like this problems are related since for some reason the UID of the users is not easy to confirm. Could it be that I added the ids from my backup and some posix accounts users already had those ids and since then the rest of my UID got screwed. Has anyone had any similar problem in the past. Thanks

1 0

SLAPI plugins do not load
by Dimitri 24 Oct '11

24 Oct '11

Hi, Seems like loading SLAPI plugins is broken. I tried to play with addrdnvalues.c from the distribution, compiled it like it was recommended in the README: gcc -shared -I../../../include -Wall -g -o libaddrdnvalues-plugin.so addrdnvalues.c and tried to load from slapd.conf: plugin preoperation /usr/local/lib/libaddrdnvalues-plugin.so addrdnvalues_preop_init Here is what I've got running slapd: ================================================================================ [root@localhost ~]# /usr/local/libexec/slapd -u ldap -g ldap -d stats -f /etc/openldap/slapd.conf 4e9e21b0 @(#) $OpenLDAP: slapd 2.X (Oct 19 2011 02:18:15) $ mitya@localhost.localdomain:/usr/local/libexec/slapd failed to load plugin /usr/local/lib/libaddrdnvalues-plugin.so: file not found 4e9e21b0 slapd stopped. 4e9e21b0 connections_destroy: nothing to destroy. ================================================================================ The file /usr/local/lib/libaddrdnvalues-plugin.so exists and is readable; strace shows that it is in fact being opened successfully. Putting it into /usr/lib, /usr/lib/openldap and other locations does not help. This "file not found" message in fact is a well-known libltdl issue: lt_dlerror() reports "file not found" in any case of unsuccessful library loading attempt, including missing dependencies and unresolved symbols. Libtoolizing this plugin and supplying a .la file instead of .so does not help either. I am running current git master under Mandriva 2010.2 with libtool 2.2.6b, tried libtool 2.4 with the same result. Linking the plugin with explicit -lldap -lslapi (to satisfy potentially unresolved symbols) does not help. libslapi.so is in the library path. Statically linked slapd (with slapi_, ldap_ and ber_ functions) works the same way. Any suggestions? Dimitri

4 10

Need filter that allows members of specific group to authenticate, not sure how to build it
by Josh Cole 24 Oct '11

24 Oct '11

I am attempting to configure OpenVPN to use openldap to authenticate our Active Directory users who are a member of our VPN group in AD. Here is my ldap config for OpenVPN. Specifically I need the filter string to allow enabled users who are a member of the _VPN group. The one you see below is from an example script I found that explains how to configure LDAP for openvpn. SearchFilter "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))" Any help is appreciated! <LDAP> # LDAP server URL URL ldap://172.16.1.70 # Bind DN (If your LDAP server doesn't support anonymous binds) BindDN CN=ldapusername,OU=LDAP,DC=example,DC=local # Bind Password cn=vmail password Password ******* # Network timeout (in seconds) Timeout 15 </LDAP> <Authorization> # Base DN BaseDN "dc=example,dc=local" # User Search Filter SearchFilter "(&(objectClass=mailUser)(accountStatus=active)(enabledService=vpn))" # Require Group Membership RequireGroup false </Authorization> Josh Cole Network and Systems Engineer Fresno Pacific University (559) 453-3414

1 0

Logging region out of memory; you may need to increase its size
by Frank Bonnet 24 Oct '11

24 Oct '11

Hello I have a problem when trying to perform the command : slapcat -l toto.ldif I get this error message bdb_db_open: database "dc=xxxx,dc=fr": unclean shutdown detected; attempting recovery. bdb_db_open: database "dc=xxxx,dc=fr": recovery skipped in read-only mode. Run manual recovery if errors are encountered. bdb(dc=xxxx,dc=fr): Logging region out of memory; you may need to increase its size bdb_db_open: database "dc=xxxx,dc=fr": db_open(/var/db/openldap-data/id2entry.bdb) failed: Cannot allocate memory (12). backend_startup_one (type=bdb, suffix="dc=xxxx,dc=fr"): bi_db_open failed! (12) slap_startup failed I use berkeley DB 4.6 on a FreeBSD 8.1 system Thanks for any info

1 0

Can I use LDAP_VALID within my app/library?
by Khaled Blah 24 Oct '11

24 Oct '11

Hello to all, I would like to ask whether there is a way which allows me to use the macro "LDAP_VALID" in my own code. I would like to be able to check an LDAP* handle for its validity before I use that handle on any of the LDAP operation functions. Regards, Khaled

3 5

Abwesenheit: openldap-technical Digest, Vol 47, Issue 23
by tkircht＠ipodion.at 23 Oct '11

23 Oct '11

Ich bin vom 21.10.2011 bis einschließlich 2.11.2011 nicht in Wien. Ich werde meine Mailbox in dieser Zeit nur sporadisch abfragen können. Bitte wenden Sie sich mit Ihren Anfragen in dieser Zeit an unser Büro unter office(a)ipodion.at bzw. der Telefonnummer 01/21632985-00. Vielen Dank Thomas Kirchtag

1 0

Re: Patching openldap?
by Christian Manal 22 Oct '11

22 Oct '11

Am 11.10.2011 22:12, schrieb NetNinja: > I tryed your command today. I still can't get it to work. I listed all > the files I have edited. Can you look over it and tell if I'm missing > anything. Thanks for your help. Please keep your replies on the list. Others might run into similar problems and find this helpful. > I ran this: > ldapclient manual -v > -a defaultSearchBase="dc=test,dc=net" > -a domainName="test.net" > -a authenticationMethod="simple" > -a defaultServerList="10.0.0.2" > -a preferredServerList="10.0.0.2" > -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net" > -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net" > 10.0.0.2 > > I don't have TLS, automount or netgroups setup yet. > > bash-3.00# ldapclient list > NS_LDAP_FILE_VERSION= 2.0 > NS_LDAP_SERVERS= 10.0.0.2 > NS_LDAP_SEARCH_BASEDN= dc=test,dc=net > NS_LDAP_CACHETTL= 0 > NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net > NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net > > I tried to add more lines but I was getting a lot of errors. What kind of errors? > /etc/nsswitch.conf > passwd: files ldap > group: files ldap > host: files ldap Are you sure you want to resolve hostnames via LDAP and not DNS? > what i have running on RHEL > ldapsearch -x <snip> > ---------------- I have added a proxy entry before I have not done so > yet. Do I still need one if I'm useing manual and not init? If your data can be accessed anonymously, you don't need proxy credentials. > My PAM file > > # login service (explicit because of pam_dial_auth) > # > login auth requisite pam_authtok_get.so.1 > login auth required pam_dhkeys.so.1 > login auth required pam_unix_cred.so.1 > login auth sufficient pam_unix_auth.so.1 > login auth required pam_dial_auth.so.1 > login auth required pam_ldap.so.1 My "auth" blocks look like this: login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth required pam_dial_auth.so.1 login auth sufficient pam_ldap.so.1 use_first_pass ignore_unknown_user login auth required pam_unix_auth.so.1 > # > # rlogin service (explicit because of pam_rhost_auth) > # > rlogin auth sufficient pam_rhosts_auth.so.1 > rlogin auth requisite pam_authtok_get.so.1 > rlogin auth required pam_dhkeys.so.1 > rlogin auth required pam_unix_cred.so.1 > rlogin auth sufficient pam_unix_auth.so.1 > rlogin auth required pam_ldap.so.1 > # > # Kerberized rlogin service > # > krlogin auth required pam_unix_cred.so.1 > krlogin auth required pam_krb5.so.1 > # > # rsh service (explicit because of pam_rhost_auth, > # and pam_unix_auth for meaningful pam_setcred) > # > rsh auth sufficient pam_rhosts_auth.so.1 > rsh auth required pam_unix_cred.so.1 > # > # Kerberized rsh service > # > krsh auth required pam_unix_cred.so.1 > krsh auth required pam_krb5.so.1 > # > # Kerberized telnet service > # > ktelnet auth required pam_unix_cred.so.1 > ktelnet auth required pam_krb5.so.1 > # > # PPP service (explicit because of pam_dial_auth) > # > ppp auth requisite pam_authtok_get.so.1 > ppp auth required pam_dhkeys.so.1 > ppp auth required pam_unix_cred.so.1 > ppp auth sufficient pam_unix_auth.so.1 > ppp auth required pam_dial_auth.so.1 > ppp auth required pam_ldap.so.1 > # > # Default definitions for Authentication management > # Used when service name is not explicitly mentioned for authentication > # > other auth requisite pam_authtok_get.so.1 > other auth required pam_dhkeys.so.1 > other auth required pam_unix_cred.so.1 > other auth sufficient pam_unix_auth.so.1 > other auth required pam_dial_auth.so.1 > other auth required pam_ldap.so.1 > # > # passwd command (explicit because of a different authentication module) > # > passwd auth sufficient pam_passwd_auth.so.1 > passwd auth required pam_ldap.so.1 > # > # cron service (explicit because of non-usage of pam_roles.so.1) > # > cron account required pam_unix_account.so.1 > # > # Default definition for Account management > # Used when service name is not explicitly mentioned for account management > # > other account sufficient pam_ldap.so.1 > other account requisite pam_roles.so.1 > other account required pam_unix_account.so.1 You can omit pam_ldap here. It only produces error messages in the logs for me. > # > # Default definition for Session management > # Used when service name is not explicitly mentioned for session management > # > other session required pam_unix_session.so.1 > # > # Default definition for Password management > # Used when service name is not explicitly mentioned for password management > # > other password required pam_dhkeys.so.1 > other password requisite pam_authtok_get.so.1 > other password requisite pam_authtok_check.so.1 > other password required pam_authtok_store.so.1 > # > > > On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal > <moenoel(a)informatik.uni-bremen.de> wrote: >> Am 09.10.2011 14:33, schrieb NetNinja: >>> On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal >>> <moenoel(a)informatik.uni-bremen.de> wrote: >>>> Am 07.10.2011 23:58, schrieb NetNinja: >>>>> Ok that's good to know. >>>>> I was reading in the book "Solaris 10 System Administration Essential" >>>>> and it says on pg 365 that the openldap server needs to be patched so >>>>> that the ldapclient init utility will configure properly. >>>>> >>>>> Do you happen to remeber how you setup the Solaris Native client? This >>>>> my current issue, I installed openldap on a RHEL 5.5 server and have all >>>>> the Linux servers working with the ldap server but the Solaris servers >>>>> won't let me login as a ldap user. I can do a ldapsearch, id, getent and >>>>> get info on ldap users. I am in the process of troubleshooting the issue >>>>> and I'm not sure what I'm doing wrong? My setup is very basic, no TLS, >>>>> uatomount or replication. I will add these later when I know what i'm doing. >>>>> >>>>> Anyway thanks for your help. If you have any advice on ldapclient setup >>>>> let me know. >>>>> >>>>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal >>>>> <moenoel(a)informatik.uni-bremen.de >>>>> <mailto:moenoel@informatik.uni-bremen.de>> wrote: >>>>> >>>>> Am 07.10.2011 20:25, schrieb NetNinja: >>>>> > Hello, >>>>> > I have been reading up on OpenLDAP. I have installed it on RHEL >>>>> 5.5 but >>>>> > I have seen documention saying that openldap needs to be patched >>>>> to work >>>>> > with Solaris. Can someone tell me if this still the case and if so >>>>> where >>>>> > to get the patch. If not any info you can provide wold be great. >>>>> > >>>>> > Thanks >>>>> > >>>>> > >>>>> >>>>> Hi, >>>>> >>>>> I've been running OpenLDAP on Solaris 10 for years now. It works out of >>>>> the tarball, no patches needed. >>>>> >>>>> >>>>> Regards, >>>>> Christian Manal >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> Here's an example of an ldapclient invocation that works for me: >>>> >>>> ldapclient manual \ >>>> -a authenticationMethod="tls:simple" \ >>>> -a credentialLevel="proxy" \ >>>> -a defaultSearchBase="dc=example,dc=org" \ >>>> -a defaultSearchScope="sub" \ >>>> -a defaultServerList="ldap1.example.org,ldap2.example.org" \ >>>> -a domainName="example.org" \ >>>> -a preferredServerList="ldap1.example.org,ldap2.example.org" \ >>>> -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \ >>>> -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \ >>>> -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \ >>>> -a >>>> serviceSearchDescriptor="auto_home:ou=auto_home,ou=Mounts,dc=example,dc=org" >>>> \ >>>> -a attributeMap="auto_home:automountMapName=ou" \ >>>> -a attributeMap="auto_home:automountKey=cn" \ >>>> -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \ >>>> -a proxyPassword="foobar" >>>> >>>> >>>> Before you invoke that, you need to modify /etc/nsswitch.ldap to your >>>> needs (ldapclient will copy that to /etc/nsswitch.conf). You also need >>>> to put your TLS certs into /var/ldap in NSS format (you can >>>> generate/convert them with certutil[1]) and edit /etc/pam.conf for LDAP >>>> authentication. >>>> >>>> >>>> Regards, >>>> Christian Manal >>>> >>>> >>>> [1] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html >>>> >>> >>> Thanks, >>> >>> I will try your command. Since you used ldapclient manual and not >>> ldapclient init I don't need to add a profile of proxy ldif file to >>> the ldap server, right? >> >> Right. It's possible to deposit most of those infos in a profile in the >> DIT, but since I have a script for configuring LDAP clients it doesn't >> make any difference for me. I have only one set of settings for Solaris >> boxes. Though, it might be worth looking into for you, if you have >> different setups. >> >> >>> I have been using examples like the one you >>> just gave me and I can only get the info from the server. The password >>> seems to not work. I get the same erros on the prompt that I would get >>> if the password or username where wrong. Though I have not tried the >>> command with the serviceSearchDescriptor before maybe this is what I'm >>> missing. >> >> You replaced the credentials with existing ones from your DIT, right? Do >> they work with ldapsearch? Does the DN have read access to the user and >> group data in your DIT? >> >> You might want to call ldapclient with '-v' to get some debugging info. >> >> >>> I'm also not using TLS or automount can I leave these out, for now? >>> Sotls:simple would be simple, right. >> >> Right. >> >> >>> Also could Solaris 10 not want to >>> work because I'm not using TLS? >> >> I don't think so. It shouldn't make any difference. Though, I'd >> recommend adding TLS support before putting anything in production. >> >> >>> Anyway thanks for your time. I will let you know if it works. >>> >> >> >> Regards, >> Christian Manal >> >> > > >

2 3

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2011