openldap-technical November 2011

openldap-technical@openldap.org

80 participants
91 discussions

Re: MDB name
by Brett ＠Google 14 Nov '11

14 Nov '11

FDB (fast db?) - off the top of my head, seems unique enough On Sun, Nov 13, 2011 at 5:17 PM, Howard Chu <hyc(a)symas.com> wrote: > What's in a name... Apparently "MDB" is already a well-known suffix for > Microsoft Access database files. "mdb" is also the name of a debugger tool > in Solaris. To avoid confusion with those unrelated items, it might be a > good idea to rename our MDB to something else. Now, before the next > OpenLDAP release is published. Comments? > -- *The only thing that interferes with my learning is my education.* * Albert Einstein*

3 4

Re: ACL using Group
by Rakesh Aggarwal 11 Nov '11

11 Nov '11

That was just an example I wrote while writing the email. Actual one does have a "by". The ACLs parse without warning (except the catch-all where dn=*). This is the real one in my slapd config: access to dn.regex="^[^,]+,ou=resources,(ou=[^,]+,ou=MyNs,dc=MyCompany,dc=com)$" attrs="entry,@MyResourceClasss" by group/groupOfNames/member.expand="cn=admins,ou=groups,$1" +w continue by * break Thanks -Rakesh On Fri, Nov 11, 2011 at 11:58 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Friday, November 11, 2011 11:40 AM -0800 Rakesh Aggarwal < > rakesh.aggarwal(a)gmail.com> wrote: > > >> Hi folks! >> >> I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio >> as the client on a different machine. >> >> I am having issues trying to setup ACL using Group. The only non-standard >> aspect in my schema design is that the groups container is located in a >> organization specific sub-tree of DIT and not under DIT root, e.g. >> >> access to dn.subtree="ou=resources,ou=**dept1,ou=ns1,dc=example,dc=** >> com" >> attrs = "entry,@myResourceClass" >> group.exact="cn=myadmin,ou=**groups,ou=dept1,ou=ns1,dc=**example,dc=com" >> write continue >> by * break >> >> access to * by * read >> > > What you pasted is not a valid ACL statement. I expect it to fail. You > may want to try adding the word "by" in front of "group.exact". > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

ACL using Group
by Rakesh Aggarwal 11 Nov '11

11 Nov '11

Hi folks! I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio as the client on a different machine. I am having issues trying to setup ACL using Group. The only non-standard aspect in my schema design is that the groups container is located in a organization specific sub-tree of DIT and not under DIT root, e.g. * access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com" attrs = "entry,@myResourceClass" group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com" write continue by * break* *access to * by * read* I am logging in with a user who is a member to this group but not getting the desired write access to the entry. Is the location of the group entries in DIT really matter for ACL to work? Thanks -Rakesh

2 1

Setting userPassword and pwdChangedTime together with Relax Rules Control
by Michael Ströder 11 Nov '11

11 Nov '11

HI! I've implemented a sync job which has to also sync passwords with a password modification timestamp from an Oracle DB to OpenLDAP. There's a latency in this password sync so the exact password modification timestamp has to be copied from the source DB to attribute pwdChangedTime in OpenLDAP. Setting the pwdChangedTime alone with the Relax Rules control is no problem. But when the add or modify request also contains the userPassword attribute slapo-ppolicy also wants to add a (later) value for pwdChangedTime and this results in: Constraint violation: attribute 'pwdChangedTime' cannot have multiple values Any chance to achieve this in a single add/modify request? I think this scenario is not so unusual in the real world. So slapo-ppolicy should not generate 'pwdChangedTime' if it's already in the write request in case of Relax Rules control enabled. Ciao, Michael.

2 1

Re: Help needed chaining to active directory for authentication - not quite there yet
by Gabriella Turek 10 Nov '11

10 Nov '11

Hello, One thing that stopped working since I introduced the new directives which fixed the authentication problem is being able to peruse the directories using Apache Directory Studio. I can still see the AD branches but when I try to look at them I get an error which in the server logs is reported as res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <> ldap_free_request (origid 2, msgid 2) So I must still be missing something in my configuration. Thanx Gaby >On 09/11/11 19:34 +0000, Gabriella Turek wrote: >>Hi Dan, >> >>The way I got it to work (by pure chance mind you , I just happened on a >>blog entry somewhere) was to add this entry to the slapd.config file: >> >> >># Configure slapd-ldap back end to connect to AD >>database ldap >>suffix "ou=user accounts,dc=niwa,dc=local" >>subordinate >>rebind-as-user >>uri "ldap://aucwdfp01.niwa.local:389" >>chase-referrals yes >> >>Nowhere in any documentation did I see this mentioned, and yet it worked >>immediately, >>So I don't know what to think. >>Gaby >> >> >> >> >>On 10/11/11 6:37 AM, "Dan White" <dwhite(a)olp.net> wrote: >> >>>On 07/11/11 21:57 +0000, Gabriella Turek wrote: >>>>Hello, I've set up an openLDAP server (2.4.23) which chains to an >>>>Active Directory (2008). I can successfully search for users, it will >>>>find them in Active Directory if they are not in openLDAP, but I >>>>cannot >>>>authenticate the Active Directory users. >>>>The error is "Invalid credentials (49)" >>>>Everything is currently configured with clear text >>>>ldapSearch works fine when pointed directly to the Active Directory. >>>> >>>>The chaining configuration in the slapd.conf is: >>>> >>>>overlay chain >>>>chain-uri ldap://aucwdfp01.niwa.local:389 >>>>chain-rebind-as-user TRUE >>>>chain-idassert-bind bindmethod="simple" >>>> binddn="cn=SDT Tester,ou=NIWA Staff >>>>Accounts,ou=User Accounts, dc=niwa,dc=local" >>>> credentials=xxxxxxx >>>> mode="self" >>>> flags=non-prescriptive >>>>chain-return-error TRUE >>> >>>Does mode="none" work? If my reading of slapd-ldap(5) is correct, with >>>any >>>config other than 'none', slapd will attempt to assert the proxyAuthz >>>control. >>> >>>I checked our local AD server (2003) and it does not appear to support >>>that >>>control: >>> >>>ldapsearch -LLL -x -H ldap://<AD.ip> -s "base" -b "" supportedControl >>>dn: >>>supportedControl: 1.2.840.113556.1.4.319 >>>supportedControl: 1.2.840.113556.1.4.801 >>>supportedControl: 1.2.840.113556.1.4.473 >>>supportedControl: 1.2.840.113556.1.4.528 >>>supportedControl: 1.2.840.113556.1.4.417 >>>supportedControl: 1.2.840.113556.1.4.619 >>>supportedControl: 1.2.840.113556.1.4.841 >>>supportedControl: 1.2.840.113556.1.4.529 >>>supportedControl: 1.2.840.113556.1.4.805 >>>supportedControl: 1.2.840.113556.1.4.521 >>>supportedControl: 1.2.840.113556.1.4.970 >>>supportedControl: 1.2.840.113556.1.4.1338 >>>supportedControl: 1.2.840.113556.1.4.474 >>>supportedControl: 1.2.840.113556.1.4.1339 >>>supportedControl: 1.2.840.113556.1.4.1340 >>>supportedControl: 1.2.840.113556.1.4.1413 >>>supportedControl: 2.16.840.1.113730.3.4.9 >>>supportedControl: 2.16.840.1.113730.3.4.10 >>>supportedControl: 1.2.840.113556.1.4.1504 >>>supportedControl: 1.2.840.113556.1.4.1852 >>>supportedControl: 1.2.840.113556.1.4.802 >>>supportedControl: 1.2.840.113556.1.4.1907 >>>supportedControl: 1.2.840.113556.1.4.1948 >>> >>> >>>proxyAuthz control == 2.16.840.1.113730.3.4.18 (RFC 4370) >>> >>>-- >>>Dan White >> >> > >-- >Dan White >BTC Broadband >Ph 918.366.0248 (direct) main: (918)366-8000 >Fax 918.366.6610 email: dwhite(a)olp.net >http://www.btcbroadband.com

1 0

proxy authentication
by LALOT Dominique 10 Nov '11

10 Nov '11

Hello, We would like to setup a kind of replica. We don't want to replicate some attributes like userpassword, lmpassword, ntpassword. How can we configure the replica to proxy the authentication somewhere else. Is there a way to do that via an overlay or something else? Thanks Dom -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot

3 2

Searches causing disk writes
by Adam Wale 10 Nov '11

10 Nov '11

Hi, I'm observing an issue where a large number of searches against an openldap server results in a large amount of disk writes occurring. I have 10 hosts performing the same workload, the hosts are running slapd 2.4.21 under Ubuntu Lucid. If I stop searching against one of the hosts I see disk write activity from that host drop dramatically. I initially noticed the high write activity in the VMware stats for the hosts and have used iostat on the hosts to gather further info. The hosts being searched are slaves in a slurpd replication environment; they do not have replication logging enabled, the directory is using a hdb backend. Over a 5 minute period the average disk write activity is 8517KB/s when being searched, and 41KB/s when not being searched; over the same time period the average disk read activity is 8KB/s. When performing searches against a host an average workload is 300 searches/second, average entry size is 450bytes, and average entries returned is 30. The hosts have plenty of free RAM and are not using any swap. I have disabled the monitor backend but haven't seen much of an improvement by doing this, given the monitor database is instantiated at startup is this stored in memory? (if not, why not make that an option?) Does anyone have any ideas as to why reading from the directory would be causing disk writes at such a high rate? Thanks, Adam

7 10

Accesslog overlay access
by Hugo Deprez 10 Nov '11

10 Nov '11

Dear community, I configured accesslog overlay on a test server. Everything is working fine. But when I use my LDAP client (aka Ldap Admin) I get an error : "Size Limit Exceeded" The thing is I specified in the slapd.conf configuration file to rotate the data after 30 days. Does this message occur because there is too much data in the database ? Regards, Hugo

2 1

ldap_search: No such object
by Aaron Roberts 10 Nov '11

10 Nov '11

Hi all, I am trying to get openldap working with a mysql backend. Unfortunately, I always get "ldap_search: No such object" when I try to query. I am not familiar with LDAP and I am trying to get a simple phone directory up and running from a very small existing DB. I can see from my mysql query log that slapd is working with the first entry from the ldap_entries table and then never requesting any subsequent rows. I'm not sure what information will be needed for debugging this, I have start with debug output from slapd taken when running a search. Many thanks for any assistance, Aaron [root@test ~]# /usr/lib/mozldap/ldapsearch -x -b 'o=sql,c=RU' '(cn=*)' ldap_search: No such object /usr/sbin/slapd -d -1 -u ldap -h ldap:/// daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(8): daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 busy >>> slap_listener(ldap:///) daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: listen=8, new connection on 9 daemon: added 9r (active) listener=(nil) daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL conn=0 fd=9 ACCEPT from IP=127.0.0.1:51444 (IP=0.0.0.0:389) daemon: activity on 1 descriptor daemon: activity on: 9r daemon: read active on 9 daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL connection_get(9) connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 26 02 01 01 63 21 04 0&...c!. ldap_read: want=32, got=32 0000: 0a 6f 3d 73 71 6c 2c 63 3d 52 55 0a 01 02 0a 01 .o=sql,c=RU..... 0010: 00 02 01 00 02 01 00 01 01 00 87 02 63 6e 30 00 ............cn0. ber_get_next: tag 0x30 len 38 contents: ber_dump: buf=0x96cb690 ptr=0x96cb690 end=0x96cb6b6 len=38 0000: 02 01 01 63 21 04 0a 6f 3d 73 71 6c 2c 63 3d 52 ...c!..o=sql,c=R 0010: 55 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 00 U............... 0020: 87 02 63 6e 30 00 ..cn0. ber_get_next ldap_read: want=8 error=Resource temporarily unavailable daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL do_search ber_scanf fmt ({miiiib) ber: ber_dump: buf=0x96cb690 ptr=0x96cb693 end=0x96cb6b6 len=35 0000: 63 21 04 0a 6f 3d 73 71 6c 2c 63 3d 52 55 0a 01 c!..o=sql,c=RU.. 0010: 02 0a 01 00 02 01 00 02 01 00 01 01 00 87 02 63 ...............c 0020: 6e 30 00 n0. >>> dnPrettyNormal: <o=sql,c=RU> => ldap_bv2dn(o=sql,c=RU,0) <= ldap_bv2dn(o=sql,c=RU)=0 => ldap_dn2bv(272) <= ldap_dn2bv(o=sql,c=RU)=0 => ldap_dn2bv(272) <= ldap_dn2bv(o=sql,c=ru)=0 <<< dnPrettyNormal: <o=sql,c=RU>, <o=sql,c=ru> SRCH "o=sql,c=RU" 2 0 0 0 0 begin get_filter PRESENT ber_scanf fmt (m) ber: ber_dump: buf=0x96cb690 ptr=0x96cb6b0 end=0x96cb6b6 len=6 0000: 87 02 63 6e 30 00 ..cn0. end get_filter 0 filter: (cn=*) ber_scanf fmt ({M}}) ber: ber_dump: buf=0x96cb690 ptr=0x96cb6b4 end=0x96cb6b6 len=2 0000: 00 00 .. attrs: conn=0 op=0 SRCH base="o=sql,c=RU" scope=2 deref=0 filter="(cn=*)" ==> limits_get: conn=0 op=0 dn="[anonymous]" ==>backsql_search(): base="o=sql,c=ru", filter="(cn=*)", scope=2, deref=0, attrsonly=0, attributes to load: all ==>backsql_get_db_conn() ==>backsql_open_db_conn(0) <==backsql_open_db_conn(0) backsql_open_db_conn(0): connected, adding to tree. <==backsql_get_db_conn() ==>backsql_dn2id("o=sql,c=ru") matched expected backsql_dn2id("o=sql,c=ru"): id_query "SELECT id,keyval,oc_map_id,dn FROM ldap_entries WHERE dn LIKE CONCAT('%,',?)" backsql_dn2id("o=sql,c=ru"): id=800 keyval=800 oc_id=1 dn=cn=Facsimile,o=sql,c=RU >>> dnPrettyNormal: <cn=Facsimile,o=sql,c=RU> => ldap_bv2dn(cn=Facsimile,o=sql,c=RU,0) <= ldap_bv2dn(cn=Facsimile,o=sql,c=RU)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=Facsimile,o=sql,c=RU)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=facsimile,o=sql,c=ru)=0 <<< dnPrettyNormal: <cn=Facsimile,o=sql,c=RU>, <cn=facsimile,o=sql,c=ru> <==backsql_dn2id("o=sql,c=ru"): err=0 ==>backsql_id2entry() backsql_id2entry(): retrieving all attributes ==>backsql_get_attr_vals(): oc="person" attr="cn" keyval=800 backsql_get_attr_vals(): number of values in query: 1 <==backsql_get_attr_vals() ==>backsql_get_attr_vals(): oc="person" attr="sn" keyval=800 backsql_get_attr_vals(): number of values in query: 1 <==backsql_get_attr_vals() ==>backsql_get_attr_vals(): oc="person" attr="objectClass" keyval=800 backsql_get_attr_vals(): number of values in query: 1 <==backsql_get_attr_vals() ==>backsql_get_attr_vals(): oc="person" attr="telephoneNumber" keyval=800 backsql_get_attr_vals(): number of values in query: 1 <==backsql_get_attr_vals() <==backsql_id2entry() send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=32 matched="" text="" send_ldap_response: msgid=1 tag=101 err=32 ber_flush: 14 bytes to sd 9 0000: 30 0c 02 01 01 65 07 0a 01 20 04 00 04 00 0....e... .... daemon: activity on 1 descriptor daemon: activity on: 9r daemon: read active on 9 daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL connection_get(9) ldap_write: want=14, written=14 0000: 30 0c 02 01 01 65 07 0a 01 20 04 00 04 00 0....e... .... connection_get(9): got connid=0 connection_read(9): checking for input on id=0 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 02 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0x96ed058 ptr=0x96ed058 end=0x96ed05d len=5 0000: 02 01 02 42 00 ...B. ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 9 failed errno=0 (Success) connection_read(9): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=9 for close daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL connection_close: deferring conn=0 sd=9 do_unbind conn=0 op=1 UNBIND connection_resched: attempting closing conn=0 sd=9 connection_close: deferring conn=0 sd=9 conn=0 op=0 SEARCH RESULT tag=101 err=32 nentries=0 text= <==backsql_search() connection_resched: attempting closing conn=0 sd=9 connection_close: conn=0 sd=9 ==>backsql_connection_destroy() ==>backsql_free_db_conn() backsql_free_db_conn(): closing db connection 0 (0x96b8458) ==>backsql_close_db_conn(0) <==backsql_close_db_conn(0) <==backsql_free_db_conn() <==backsql_connection_destroy() daemon: removing 9 conn=0 fd=9 closed

2 2

Compile Error for ldapc++ library
by sim123 10 Nov '11

10 Nov '11

I am trying to compile ldapc++ library distributed with openldap-2.4.26 and getting following error during make: ../src/LDAPAsynConnection.h: In function ‘int main(int, char**)’: ../src/LDAPAsynConnection.h:310: error: ‘LDAPAsynConnection::LDAPAsynConnection(const LDAPAsynConnection&)’ is private startTls.cpp:43: error: within this context make[1]: *** [startTls.o] Error 1 make[1]: Leaving directory `/opt/source/openldap-2.4.26/contrib/ldapc++/examples' make: *** [all-recursive] Error 1 I am attaching my config log as well, is there anything which I am missing here? Another thing, I would like to know does this library have Referral Chasing capability during bind, also is it thread safe or its caller's responsibility to make it thread safe? Thanks for the help, I appreciate it very much.

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2011