openldap-technical November 2011

openldap-technical@openldap.org

80 participants
91 discussions

smbk5pwd not respecting olcSmbK5PwdEnable on 64-bit platforms
by David Adam 06 Nov '11

06 Nov '11

There are a few threads on the web [1][2] where people are running into problems with smbk5PwdEnable being set to 'samba' but the smbk5pwd module still insisting on loading all the Kerberos configuration regardless, which fails if you aren't actually using Kerberos at all. We have also been experiencing this but I have noticed (and confirmed by spinning up two brand-new Debian VMs) that it is only a problem on 64-bit machines; 32-bit architectures respect the attribute's value. I suspect this has something to do with the call to verbs_to_mask() in smbk5pwd_cf_func (under the case PC_SMB_ENABLE)[3] - my very basic printf() debugging shows that m is set correctly on 32-bit architectures but on 64-bit architectures returns a varying and strangely-numbered value (4511419, -1407332384, 353253328 in subsequent runs). The problem goes away if the m variable is initialised to 0 before the call to verbs_to_mask(). I wonder if verbs_to_mask() is possibly not 64-bit clean but my C foo is not strong enough to confirm or deny this. Any ideas? For the moment I'm simply using case PC_SMB_ENABLE: { - slap_mask_t mode = pi->mode, m; + slap_mask_t mode = pi->mode, m = 0; but I'm not sure if this could have unintended consequences. Thanks, David Adam zanchey(a)ucc.gu.uwa.edu.au [1]: http://www.openldap.org/lists/openldap-technical/201105/msg00136.html [2]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631120 [3]: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=contrib/sl…

2 1

Special characters in bindpw
by Alex Moen 05 Nov '11

05 Nov '11

Hi all, Say that my bindpw is d!ffs3r^ (it, of course, is not). What is the proper way to use this passwd in ldap.conf or nslcd.conf so that the special characters are not interpreted incorrectly? Thanks! Alex

2 2

ACL issue for unix authentication
by Olivier 04 Nov '11

04 Nov '11

I have a weired ACL issue using my ldap server for authentication. My plan was to use a "proxyuser" to forbid "anonymous" queries to the ldap directory, but it sounds like pam needs in all cases to perform anonymous retreivals before any other binding, even if the "rootbinddn" directive is correctly configured for pam in /etc/pam_ldap.conf. Where is my mistake ? (see below) I have configured this first olcAccess to allow password self changed : {0}to attrs=userPassword,shadowLastChange,loginShell by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by self write by anonymous auth by * none The issue comes with this second ACL. THIS DOESN'T WORK : If I configure this : {1}to * by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by users read by anonymous auth by * none I CAN'T log in ( ssh guillard@client ) weither or not I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in /etc/pam_ldap.conf on the client side. I get a "Permission denied" and I see this in logs, on the client side : tail -f /var/log/secure Nov 4 16:33:21 ldap2 sshd[22730]: Invalid user guillard from 10.1.86.93 Nov 4 16:33:21 ldap2 sshd[22731]: input_userauth_request: invalid user guillard on the ldap server side I see this : tail -f /var/log/ldap.log | grep BIND returns NOTHING TO MAKE IT WORK : I must authorize anonymous to read everything to be able to log in, if I change the previous ACL for this one on the ldap server : {1}to * by dn.base="cn=proxyuser,ou=system,dc=example,dc=fr" read by users read by anonymous auth by * READ ^^^^^ Then I can log in properly weither or nor I add rootbinddn in /etc/pam_ldap.conf : rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr If I configure rootbinddn cn=proxyuser,ou=system,dc=example,dc=fr in /etc/pam_ldap.conf, I have this on the client side tail -f /var/log/secure : Nov 4 16:43:15 ldap2 sshd[22813]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fouine.tech.prive.example.fr user=guillard Nov 4 16:43:15 ldap2 sshd[22813]: Accepted password for guillard from 10.1.x.x port 44953 ssh2 Nov 4 16:43:15 ldap2 sshd[22813]: pam_unix(sshd:session): session opened for user guillard by (uid=0) tail -f /var/log/ldap.log | grep BIND Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=1 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND anonymous mech=implicit ssf=0 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE ssf=0 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND anonymous mech=implicit ssf=0 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" method=128 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=4 BIND dn="cn=proxyuser,ou=system,dc=example,dc=fr" mech=SIMPLE ssf=0 Nov 4 16:39:36 ldap1 slapd[11600]: conn=1616 op=5 UNBIND If I don't configure rootbinddn I have the some logs on the client side tail -f /var/log/secure : Nov 4 16:49:47 ldap2 sshd[22863]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fouine.tech.prive.example.fr user=guillard Nov 4 16:49:47 ldap2 sshd[22863]: Accepted password for guillard from 10.1.x.x port 45639 ssh2 Nov 4 16:49:47 ldap2 sshd[22863]: pam_unix(sshd:session): session opened for user guillard by (uid=0) and this slighty different one on the server side : tail -f /var/log/ldap.log | grep BIND Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=1 BIND dn="" method=128 Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" method=128 Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=3 BIND dn="uid=guillard,ou=staff,ou=people,dc=example,dc=fr" mech=SIMPLE ssf=0 Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND anonymous mech=implicit ssf=0 Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=4 BIND dn="" method=128 Nov 4 16:51:23 ldap1 slapd[11600]: conn=1622 op=5 UNBIND >From what I see in my logs, I don't manage to do what I want, and BTW, I don't see neither any interest to use a proxyuser : Any idea ? --- Olivier

2 1

Per server cn=config parameter in multi-master mode
by Jens Thomas 03 Nov '11

03 Nov '11

Hi, i am playing around with a multi-master setup. The documentation suggests to start with replication of the cn=config database, so that all member server have the same configuration. To solve the problem of the unique server ID we list all member server with their ID and their URL, so that every server can determine his own server ID on the basis of his own URL. OK. But how i can handle all the individual parameter like olcThreads, olcTLS* and all the other parameter, that may differ from server to server? With kind regards Jens -- linux systeme thomas Jens Thomas Völklinger Straße 9 42285 Wuppertal Telefon: +49.202.3097507 Mobil: +49.177.9301386 eFax: +49.202.85064329 Web: http://linux-systeme-thomas.de USt-ID: DE250711901

1 0

delta-syncrepl based N-way MMR/Mirror mode replication
by Meike Stone 03 Nov '11

03 Nov '11

Hello, a second question I have. I read in the list, that OpenLDAP 2.4.27 will support delta-syncrepl based N-way MMR/Mirror mode replication setups. That would solve my problem with a small WAN line and the MM replication between my two LDAP-Servers. 1) Is it reliable enough, to configure this in a production setup? 2) Does it need more CPU and/or RAM than the full replication on the servers? Thanks Meike

2 1

Configuring shared memory / memory mapped files
by Meike Stone 03 Nov '11

03 Nov '11

Hello, time ago, we installed a Linux Guest with OpenLDAP (db size appox. 650MByte / ) server in a ESXi environment. Maybe because of a read/write ratio 100:1, the hard discs where heavy used by writing bdb backends memory mapped files. The CPU in that Linux system had iowait (top) between 80% and 100% and the other VMs on the ESXi went slow down. After changing to shared memory (shm_key), all problems with disc IO where gone. I read in the mailing list and on "OpenLDAP performance tuning" guide, that it does not matter if using memory mapped files or shared memory until the database is over 8GB. But why we had such problems? Please note, the OpenLDAP was operating very fast with the memory mapped files, because of using indexes and proper caching. Now, I want install more than one OpenLDAP server on one Linux system (now real Hardware). Every OpenLDAP server will be bind on a separate IP and DNS host name. So in this scenario it is hard to calculate the shared memory and assign each LDAP server to the right shared memory region (key). Therefore I want go back to memory mapped files. Are there any recommendation for sizing the Linux system like: - type of file system (ext3, ext4, xfs, ..) - parameters of file system (syncing -> commit=nrsec, data=*, ... ) - swap using (swappiness, dirty_background_ratio) - ??? Thanks for any help. Meike

5 10

OpenLDAP Replication configuration error!
by pradyumna dash 03 Nov '11

03 Nov '11

Hi, I am facing an issue with multi master replication in Redhat Enterprise linux 5.7 with Openldap 2.3.43-12.el5_6.7 When am trying to delete or create any user , in the log it says : "err=53 text=shadow context; no update referral." My Configuration file is attached, in the other node i have changed the ServerID and the refereal server IP. Please help me to fix this issue. Regards, Neo

1 0

problem changing {0}config
by Christopher Wood 03 Nov '11

03 Nov '11

Question: What is happening that I can turn a multimaster replica into a "shadow context"? (I'm more or less fine with the behaviour since I don't mind stopping the multimaster slapd's to do a password change, but I'm concerned that I may have missed some underlying problem in my setup.) I've found that issuing a particular set of changes to one or both cn=config multimaster replicas means that I cannot issue any more changes to cn=config until I restart slapd. The ldif I paste into my ldapmodify session is this (changed the hostname and credentials from the real ones): dn: olcDatabase={0}config,cn=config changetype: modify replace: olcSyncrepl olcSyncrepl: {0}rid=1 provider=ldap://ldap-supplier-lab-01.company.com binddn="cn=config" bindmethod=simple credentials=newpw searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=5 olcSyncrepl: {1}rid=2 provider=ldap://ldap-supplier-lab-02.company.com binddn="cn=config" bindmethod=simple credentials=newpw searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=5 - replace: olcRootPW olcRootPW: newpw I get this output: modifying entry "olcDatabase={0}config,cn=config" Then I observe the following behaviour: I can ldapsearch with the new password and get the expected result (ldif output of the cn=config database). When I ldapmodify with the new password I get this output: modifying entry "olcDatabase={0}config,cn=config" ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral After I restart slapd I get the expected behaviours with both ldapsearch (get ldif output) and ldapmodify (can change cn=config). Further, I've diffed the ldif output of directories before and after this change, and I do not see any difference apart from the attributes that I've changed.

3 4

SyncRepl for subtree
by sim123 03 Nov '11

03 Nov '11

Hi All, I am trying to setup syncrepl, and consumer needs only one subtree from provider and I want to create another subtrees in consumer side, something like this mentioned in this post: http://www.openldap.org/lists/openldap-software/200610/msg00126.html and I am getting same error with openldap-2.4.26, just wanted to check if its possible now? I can't update provider so updateref is not a solution for me. I would greatly appreciate any help. Thanks

2 1

Password policy complexity
by Hugo Deprez 03 Nov '11

03 Nov '11

Dear community, I would like to specify the complexity of the password for users. For exemple a password must contain : one specific character such as : !£"$%^&*()-_+=:;'@~#?<> one capital letter etc... The password policy overlay only authorize to specify the number of character. Is that possible ? Regards, Hugo

2 4

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2011