Having migrated to dynamic config, I'm looking for a reasonable way to restore in the event of a disaster.
The discussion last week got me curious and though I can slapcat -n 0 -l $SOME_FILE I can't slapadd this same file because it complains that I don't have a slapd.conf file, which of course is true... I haven't needed it with the dynamic configuration backend.
What's the minimum that I would need in a slapd.conf file so I can simply 'rm -fr /var/lib/ldap/* && slapadd -l $SLAPD_BACKUP' ?
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.white(a)ttiltd.com
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com
Need help communicating between generations at work to achieve your desired success? Let us help!
While working on my overlay, I add real hard time trying to understand the
structure used by OpenLDAP.
To help me out, I used Doxygen that automatically generates a map of the
structures (and much more) from the source code.
You can check this out on my website (
I would highly recommend you to use this tool so that
future developers can easily find their way in your structures.
The best solution would be to add this kind of documentation to the
OpenLDAP website, so that everyone could easily access it.
I don't want to judge your way of doing things, I just want to share
something that helped me out allot!
A correction to my last message:
> If you want to free the entry yourself, instead you can do
e = rs->sr_entry;
.... send the entry, or whatever...
entry_free(e); /* instead of entry_free(rs->sr_entry); */
I don't quite remember, but I think when rs->sr_flags does not assert
ownership of the entry, some other module may change the sr_entry
pointer. So entry_free(rs->sr_entry) could free the wrong entry.
Johan Jakus writes:
> I'd like to make the attributes I merged in the entry
> "read-only". Because the clients will receive an attribute from the
> parents of an object, and I don't want them to to be able to save that
> attribute in the object,when for example they change other attributes
> values and click on the modify button in a program. Would You have any
> idea on how to make that possible?
Don't know, but try access controls to prevent user modifications,
then bypass that for the mods done by the overlay with
<Modifications>.sml_flags |= SLAP_MOD_INTERNAL;
Maybe something like
objectclass ( <oid> NAME 'jakusAddedAttrs' AUXILIARY
MAY ( managed_attr1 $ managed_attr2 $ ... ) )
access to filter=(objectclass=jakusAddedAttrs) attrs=@jakusAddedAttrs
by * read
The alternative would be to intercept update operations and return
(prohibited mod ? LDAP_UNWILLING_TO_PERFORM : SLAP_CB_CONTINUE).
I have an issue with openldap and smbldap-tools. Maybe I am wrong, and it has nothing to do with openldap.
At first I notice that for some reason when I was trying to create users with phpldapadmin all my users had the same ID, 1001, so I tried to create users with smbldap-useradd and found the following warnings:
Cannot confirm uidNumber 1001 is free: checking for the next on
Cannot confirm uidNumber 2670 is free: checking for the next on
So after hours of looking at the code in php of phpldapadmin, and looking to i think it doesn't find the right number, for some weird reason in my configuration.
It seems like this problems are related since for some reason the UID of the users is not easy to confirm.
Could it be that I added the ids from my backup and some posix accounts users already had those ids and since then the rest of my UID got screwed.
Has anyone had any similar problem in the past.
Seems like loading SLAPI plugins is broken. I tried to play with
addrdnvalues.c from the distribution, compiled it like it was
recommended in the README:
gcc -shared -I../../../include -Wall -g -o libaddrdnvalues-plugin.so
and tried to load from slapd.conf:
plugin preoperation /usr/local/lib/libaddrdnvalues-plugin.so
Here is what I've got running slapd:
[root@localhost ~]# /usr/local/libexec/slapd -u ldap -g ldap -d stats
4e9e21b0 @(#) $OpenLDAP: slapd 2.X (Oct 19 2011 02:18:15) $
failed to load plugin /usr/local/lib/libaddrdnvalues-plugin.so: file not
4e9e21b0 slapd stopped.
4e9e21b0 connections_destroy: nothing to destroy.
The file /usr/local/lib/libaddrdnvalues-plugin.so exists and is
readable; strace shows that it is in fact being opened successfully.
Putting it into /usr/lib, /usr/lib/openldap and other locations does not
help. This "file not found" message in fact is a well-known libltdl
issue: lt_dlerror() reports "file not found" in any case of unsuccessful
library loading attempt, including missing dependencies and unresolved
symbols. Libtoolizing this plugin and supplying a .la file instead
of .so does not help either. I am running current git master under
Mandriva 2010.2 with libtool 2.2.6b, tried libtool 2.4 with the same
result. Linking the plugin with explicit -lldap -lslapi (to satisfy
potentially unresolved symbols) does not help. libslapi.so is in the
library path. Statically linked slapd (with slapi_, ldap_ and ber_
functions) works the same way. Any suggestions?
I am attempting to configure OpenVPN to use openldap to authenticate our Active Directory users who are a member of our VPN group in AD. Here is my ldap config for OpenVPN. Specifically I need the filter string to allow enabled users who are a member of the _VPN group. The one you see below is from an example script I found that explains how to configure LDAP for openvpn.
Any help is appreciated!
# LDAP server URL
# Bind DN (If your LDAP server doesn't support anonymous binds)
# Bind Password cn=vmail password
# Network timeout (in seconds)
# Base DN
# User Search Filter
# Require Group Membership
Network and Systems Engineer
Fresno Pacific University
I have a problem when trying to perform the command : slapcat -l toto.ldif
I get this error message
bdb_db_open: database "dc=xxxx,dc=fr": unclean shutdown detected;
bdb_db_open: database "dc=xxxx,dc=fr": recovery skipped in read-only
mode. Run manual recovery if errors are encountered.
bdb(dc=xxxx,dc=fr): Logging region out of memory; you may need to
increase its size
bdb_db_open: database "dc=xxxx,dc=fr":
db_open(/var/db/openldap-data/id2entry.bdb) failed: Cannot allocate
backend_startup_one (type=bdb, suffix="dc=xxxx,dc=fr"): bi_db_open
I use berkeley DB 4.6 on a FreeBSD 8.1 system
Thanks for any info
Hello to all,
I would like to ask whether there is a way which allows me to use the
macro "LDAP_VALID" in my own code. I would like to be able to check an
LDAP* handle for its validity before I use that handle on any of the
LDAP operation functions.
Ich bin vom 21.10.2011 bis einschließlich 2.11.2011 nicht in Wien. Ich werde meine Mailbox in dieser Zeit nur sporadisch abfragen können. Bitte wenden Sie sich mit Ihren Anfragen in dieser Zeit an unser Büro unter office(a)ipodion.at bzw. der Telefonnummer 01/21632985-00.
Am 11.10.2011 22:12, schrieb NetNinja:
> I tryed your command today. I still can't get it to work. I listed all
> the files I have edited. Can you look over it and tell if I'm missing
> anything. Thanks for your help.
Please keep your replies on the list. Others might run into similar
problems and find this helpful.
> I ran this:
> ldapclient manual -v
> -a defaultSearchBase="dc=test,dc=net"
> -a domainName="test.net"
> -a authenticationMethod="simple"
> -a defaultServerList="10.0.0.2"
> -a preferredServerList="10.0.0.2"
> -a serviceSearchDescriptor="passwd:ou=People,dc=test,dc=net"
> -a serviceSearchDescriptor="group:ou=Group,dc=test,dc=net"
> I don't have TLS, automount or netgroups setup yet.
> bash-3.00# ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= 10.0.0.2
> NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
> NS_LDAP_CACHETTL= 0
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
> NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Group,dc=test,dc=net
> I tried to add more lines but I was getting a lot of errors.
What kind of errors?
> passwd: files ldap
> group: files ldap
> host: files ldap
Are you sure you want to resolve hostnames via LDAP and not DNS?
> what i have running on RHEL
> ldapsearch -x
> ---------------- I have added a proxy entry before I have not done so
> yet. Do I still need one if I'm useing manual and not init?
If your data can be accessed anonymously, you don't need proxy credentials.
> My PAM file
> # login service (explicit because of pam_dial_auth)
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> login auth required pam_ldap.so.1
My "auth" blocks look like this:
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_ldap.so.1 use_first_pass
login auth required pam_unix_auth.so.1
> # rlogin service (explicit because of pam_rhost_auth)
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth sufficient pam_unix_auth.so.1
> rlogin auth required pam_ldap.so.1
> # Kerberized rlogin service
> krlogin auth required pam_unix_cred.so.1
> krlogin auth required pam_krb5.so.1
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> rsh auth sufficient pam_rhosts_auth.so.1
> rsh auth required pam_unix_cred.so.1
> # Kerberized rsh service
> krsh auth required pam_unix_cred.so.1
> krsh auth required pam_krb5.so.1
> # Kerberized telnet service
> ktelnet auth required pam_unix_cred.so.1
> ktelnet auth required pam_krb5.so.1
> # PPP service (explicit because of pam_dial_auth)
> ppp auth requisite pam_authtok_get.so.1
> ppp auth required pam_dhkeys.so.1
> ppp auth required pam_unix_cred.so.1
> ppp auth sufficient pam_unix_auth.so.1
> ppp auth required pam_dial_auth.so.1
> ppp auth required pam_ldap.so.1
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_unix_auth.so.1
> other auth required pam_dial_auth.so.1
> other auth required pam_ldap.so.1
> # passwd command (explicit because of a different authentication module)
> passwd auth sufficient pam_passwd_auth.so.1
> passwd auth required pam_ldap.so.1
> # cron service (explicit because of non-usage of pam_roles.so.1)
> cron account required pam_unix_account.so.1
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> other account sufficient pam_ldap.so.1
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
You can omit pam_ldap here. It only produces error messages in the logs
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> other session required pam_unix_session.so.1
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
> On Sun, Oct 9, 2011 at 10:31 AM, Christian Manal
> <moenoel(a)informatik.uni-bremen.de> wrote:
>> Am 09.10.2011 14:33, schrieb NetNinja:
>>> On Sat, Oct 8, 2011 at 4:54 AM, Christian Manal
>>> <moenoel(a)informatik.uni-bremen.de> wrote:
>>>> Am 07.10.2011 23:58, schrieb NetNinja:
>>>>> Ok that's good to know.
>>>>> I was reading in the book "Solaris 10 System Administration Essential"
>>>>> and it says on pg 365 that the openldap server needs to be patched so
>>>>> that the ldapclient init utility will configure properly.
>>>>> Do you happen to remeber how you setup the Solaris Native client? This
>>>>> my current issue, I installed openldap on a RHEL 5.5 server and have all
>>>>> the Linux servers working with the ldap server but the Solaris servers
>>>>> won't let me login as a ldap user. I can do a ldapsearch, id, getent and
>>>>> get info on ldap users. I am in the process of troubleshooting the issue
>>>>> and I'm not sure what I'm doing wrong? My setup is very basic, no TLS,
>>>>> uatomount or replication. I will add these later when I know what i'm doing.
>>>>> Anyway thanks for your help. If you have any advice on ldapclient setup
>>>>> let me know.
>>>>> On Fri, Oct 7, 2011 at 3:41 PM, Christian Manal
>>>>> <mailto:email@example.com>> wrote:
>>>>> Am 07.10.2011 20:25, schrieb NetNinja:
>>>>> > Hello,
>>>>> > I have been reading up on OpenLDAP. I have installed it on RHEL
>>>>> 5.5 but
>>>>> > I have seen documention saying that openldap needs to be patched
>>>>> to work
>>>>> > with Solaris. Can someone tell me if this still the case and if so
>>>>> > to get the patch. If not any info you can provide wold be great.
>>>>> > Thanks
>>>>> I've been running OpenLDAP on Solaris 10 for years now. It works out of
>>>>> the tarball, no patches needed.
>>>>> Christian Manal
>>>> Here's an example of an ldapclient invocation that works for me:
>>>> ldapclient manual \
>>>> -a authenticationMethod="tls:simple" \
>>>> -a credentialLevel="proxy" \
>>>> -a defaultSearchBase="dc=example,dc=org" \
>>>> -a defaultSearchScope="sub" \
>>>> -a defaultServerList="ldap1.example.org,ldap2.example.org" \
>>>> -a domainName="example.org" \
>>>> -a preferredServerList="ldap1.example.org,ldap2.example.org" \
>>>> -a serviceSearchDescriptor="passwd:ou=People,dc=example,dc=org" \
>>>> -a serviceSearchDescriptor="group:ou=Group,dc=example,dc=org" \
>>>> -a serviceSearchDescriptor="netgroup:ou=Netgroup,dc=example,dc=org" \
>>>> -a attributeMap="auto_home:automountMapName=ou" \
>>>> -a attributeMap="auto_home:automountKey=cn" \
>>>> -a proxyDN="uid=proxyauth,ou=people,dc=example,dc=org" \
>>>> -a proxyPassword="foobar"
>>>> Before you invoke that, you need to modify /etc/nsswitch.ldap to your
>>>> needs (ldapclient will copy that to /etc/nsswitch.conf). You also need
>>>> to put your TLS certs into /var/ldap in NSS format (you can
>>>> generate/convert them with certutil) and edit /etc/pam.conf for LDAP
>>>> Christian Manal
>>>>  http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
>>> I will try your command. Since you used ldapclient manual and not
>>> ldapclient init I don't need to add a profile of proxy ldif file to
>>> the ldap server, right?
>> Right. It's possible to deposit most of those infos in a profile in the
>> DIT, but since I have a script for configuring LDAP clients it doesn't
>> make any difference for me. I have only one set of settings for Solaris
>> boxes. Though, it might be worth looking into for you, if you have
>> different setups.
>>> I have been using examples like the one you
>>> just gave me and I can only get the info from the server. The password
>>> seems to not work. I get the same erros on the prompt that I would get
>>> if the password or username where wrong. Though I have not tried the
>>> command with the serviceSearchDescriptor before maybe this is what I'm
>> You replaced the credentials with existing ones from your DIT, right? Do
>> they work with ldapsearch? Does the DN have read access to the user and
>> group data in your DIT?
>> You might want to call ldapclient with '-v' to get some debugging info.
>>> I'm also not using TLS or automount can I leave these out, for now?
>>> Sotls:simple would be simple, right.
>>> Also could Solaris 10 not want to
>>> work because I'm not using TLS?
>> I don't think so. It shouldn't make any difference. Though, I'd
>> recommend adding TLS support before putting anything in production.
>>> Anyway thanks for your time. I will let you know if it works.
>> Christian Manal