openldap ssl/tls not getting started
by Jayavant Patil
Hi,
I am using openldap-2.4.19-4.fc12.x86_64 on a Fedora 12 machine. I want
to start slapd with SSL/TLS enabled. I have followed all the necessary
steps as specified in the admin guide, but slapd still does not start
in SSL/TLS mode. Whenever I do ldapsearch with the -ZZ option, it shows "can't
contact LDAP server (-1)".
Can anybody tell me the detailed steps and settings so that I can
match those with my followed steps?
Server file names are as follows:
/etc/openldap/slapd.conf
/etc/openldap/ldap.conf
/etc/ldap.conf
/etc/nsswitch.conf
Client file names are as follows:
/etc/openldap/ldap.conf
/etc/ldap.conf
/etc/nsswitch.conf
--
Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.
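What ldapsearch -ZZ needs on both sides, as an added illustration (not part of this thread and not OpenLDAP's own code): the server's slapd.conf must carry TLSCertificateFile and TLSCertificateKeyFile (plus TLSCACertificateFile for the issuing chain), the key must be readable by the account slapd runs as and by nobody else, and the client's /etc/openldap/ldap.conf needs a TLS_CACERT line pointing at the CA so the server certificate can be verified. -ZZ makes a StartTLS failure fatal, and both a server that is not listening and a failed handshake surface as "Can't contact LDAP server (-1)"; the real reason is only visible under ldapsearch -d 1 or in slapd's own log. The Python script below lints the server side of that list against a slapd.conf: the directive names are real, the file paths and conf text are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# slapd.conf directives a StartTLS-capable server needs (names from slapd.conf(5)).
REQUIRED = ("TLSCertificateFile", "TLSCertificateKeyFile")
RECOMMENDED = ("TLSCACertificateFile",)


def parse_tls_directives(conf_text):
    """Collect TLS* directives from slapd.conf text as {lowercased name: value}."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # slapd.conf directive names are case-insensitive
        m = re.match(r"(TLS\w+)\s+(.+)$", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2).strip().strip('"')
    return found


def check_tls_config(conf_text):
    """Return a list of problems; an empty list means the TLS stanza looks usable."""
    problems = []
    tls = parse_tls_directives(conf_text)
    for name in REQUIRED:
        if name.lower() not in tls:
            problems.append("missing directive %s" % name)
    for name in RECOMMENDED:
        if name.lower() not in tls:
            problems.append("no %s: clients cannot verify the server certificate chain" % name)
    for name, path in tls.items():
        if not name.endswith("file"):
            continue  # TLSCipherSuite, TLSVerifyClient, TLSCACertificatePath are not single files
        if not os.path.isfile(path):
            problems.append("%s: no such file %s" % (name, path))
        elif name == "tlscertificatekeyfile":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append("private key %s is group/world accessible (mode %04o)" % (path, mode))
    return problems


def demo():
    """Constructed scenario: a key file left world-readable, then fixed to 0600."""
    workdir = tempfile.mkdtemp()
    paths = {n: os.path.join(workdir, n) for n in ("ca.pem", "cert.pem", "cert.key")}
    for p in paths.values():
        with open(p, "w") as fh:
            fh.write("placeholder: not a real PEM, just a file that exists\n")
    os.chmod(paths["cert.key"], 0o644)
    conf = (
        "# constructed slapd.conf fragment (example, not the poster's file)\n"
        "TLSCACertificateFile %(ca.pem)s\n"
        "TLSCertificateFile %(cert.pem)s\n"
        "TLSCertificateKeyFile %(cert.key)s\n"
        "TLSCipherSuite HIGH:MEDIUM:-SSLv2\n"
    ) % paths
    before = check_tls_config(conf)
    os.chmod(paths["cert.key"], 0o600)
    after = check_tls_config(conf)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("with 0644 key:", before)
    print("with 0600 key:", after)
```

Ownership is deliberately not checked here: a 0600 key owned by root is just as unusable to a slapd running as the ldap user as a world-readable key is insecure, so verify owner and mode together on the real files, and only then move on to the client side (TLS_CACERT, and the hostname in the URI matching the certificate).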
Ldap Tree References and Timeouts
by Klemens Kittan
Hello,
I incorporated a subtree in our LDAP tree by reference. This subtree is
offered by two servers. That's why I set the uri parameter to ldap1 and
ldap2. If one of these servers is down, searches take very long (>10
min). The manpage says:
"The URI list is space- or comma-separated. Whenever the server that
responds is not the first one in the list, the list is rearranged and
the responsive server is moved to the head, so that it will be first
contacted the next time a connection needs be created."
Have I missed something here or is there a timeout value to be set?
This is our configuration for that part:
# ----------------------------------------------------------
# --- Specific Backend Directives for ldap -----------------
# ----------------------------------------------------------
backend ldap
# ----------------------------------------------------------
# --- Specific Directives for database ldap (babylon) ------
# ----------------------------------------------------------
database ldap
# --- The base of your directory
suffix "dc=subtree,dc=xyz,dc=de"
uri "ldap://ldap1.xyz.de ldap://ldap2.xyz.de"
# --- Save the time that the entry gets modified
lastmod off
# --- Specify that the current backend database is a subordinate
subordinate
Regards,
Klemens
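The rearrangement described in that manpage excerpt only happens once some server has answered; until then back-ldap's connect(2) to the dead ldap1 blocks for as long as the kernel's TCP timeout allows, which is where the minutes go. slapd-ldap(5) has separate directives for each phase: network-timeout caps the connect, timeout caps an individual proxied operation, and idle-timeout/conn-ttl make cached connections expire so a connection that was established before a server died is not reused indefinitely. Added example built on the configuration quoted above, with timeout values chosen for illustration (not the poster's file):

```conf
# ----------------------------------------------------------
# --- Specific Directives for database ldap (babylon) ------
# ----------------------------------------------------------
database ldap
suffix "dc=subtree,dc=xyz,dc=de"
uri "ldap://ldap1.xyz.de ldap://ldap2.xyz.de"
lastmod off
subordinate
# give up on a connect(2) that gets no answer within 5 seconds, so a dead
# ldap1 costs seconds, not the kernel's TCP timeout, before ldap2 is tried
network-timeout 5
# abort any single proxied operation that has not completed after 30 seconds
timeout 30
# expire cached connections: 2 minutes idle, 10 minutes total lifetime
idle-timeout 120
conn-ttl 600
```

network-timeout is the one that matters for the symptom described; the others bound the remaining ways a half-dead peer can stall a search. Watch the slapd log after adding them: a client search that used to hang should now fail over to ldap2 within the network-timeout.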
memory leak
by Paul DiSciascio
We are running a cluster of 2 ldap servers using the syncrepl overlay with
mirror mode. After upgrading from SLES 10 SP2 (openldap 2.4.11) to SLES 11
SP1 (openldap 2.4.20), we have encountered a memory problem. The slapd
process grows unbounded to the point that it uses all of the memory
available to the ldap user on the server, currently 2.5GB, in a matter of
hours. The database only contains around 30,000 records, so this amount of
memory usage seems unusually high. No changes to the server configuration
were made during the upgrade.
In an attempt to address the issue, we upgraded both instances further to
openldap version 2.4.28, but this has not helped. Below is the slapd.conf
(security related pieces have been redacted) that we are using.
~Paul
-------------------BEGIN SLAPD.CONF--------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile /etc/openldap/cert.pem
TLSCertificateKeyFile /etc/openldap/cert.key
<ACLs go Here>
loglevel none
ServerID 1
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=redacted"
checkpoint 1024 5
cachesize 10000
overlay ppolicy
rootdn "cn=redacted"
sizelimit -1
ppolicy_default "cn=redacted"
ppolicy_use_lockout
directory /var/lib/ldap
# Indices to maintain
index cn,sn,uid eq
index entryUUID eq
index entryCSN eq
index member eq
index objectClass eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
limits dn.exact="uid=replica,ou=redacted" time=unlimited size=unlimited
syncrepl rid=501
provider=ldap://peerhost:389
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=redacted"
attrs="*,+"
scope=sub
bindmethod=simple
binddn="uid=redacted"
credentials=
interval=00:01:00:00
mirrormode on
database monitor
-------------------END SLAPD.CONF--------------
Re: LDAP and file based authentication co-exist
by Daniel Qian
On 11-12-28 8:37 PM, yang feng电话 wrote:
> No, I configured /etc/openldap/ldap.conf. Do I need /etc/ldap.conf also?
Generally speaking, /etc/openldap/ldap.conf is for LDAP application
software/utilities, whereas /etc/ldap.conf is for the system. Apparently you
need the latter for LDAP users to show up in your system.
LDAP and file based authentication co-exist
by 杨峰
It's a strange problem. I set up the LDAP settings and get the correct
ldapsearch result on the mgmt node, but when I use "su" to the user, the
system prompts "the user is not existed".
It seems the LDAP service (slapd) is running, but user
authentication still goes through /etc/passwd. How do I move user
authentication to LDAP only?
I had already changed /etc/nsswitch.conf to use ldap as well.
[root@xcat user]# ldapsearch -x -v -D "cn=root,dc=isilon,dc=cn" -W -b
"ou=People,dc=isilon,dc=cn" "uid=demo"
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: uid=demo
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=isilon,dc=cn> with scope subtree
# filter: uid=demo
# requesting: ALL
#
# demo, People, isilon.cn
dn: uid=demo,ou=People,dc=isilon,dc=cn
uid: demo
cn: demo
sn: demo
mail: demo(a)isilon.cn
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword::
e2NyeXB0fSQ2JHkuMjUwS3hlJE9VZ3BidXJDdlg0UFk2NVFSSXBKNjhtNnpxYVp
OVHdZYnBpZkdJVUJuQk1ZZnlVdmtEMHNwMTZLUmtaQmhoT0xrQ1NZdEhUU2NEUDRhTmhGUnJNSWIv
shadowLastChange: 15334
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 500
homeDirectory: /ifs/home/demo
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@xcat user]# su - demo
su: user demo is not existed
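The successful ldapsearch proves that slapd and the OpenLDAP client library (configured by /etc/openldap/ldap.conf) work; su, however, resolves the account through glibc's NSS, which with nss_ldap reads /etc/ldap.conf (the file Daniel Qian points to in his reply), and only then authenticates through PAM. Added illustration, not from this thread: the two fragments below show the NSS side using the DNs from the post, and getent passwd demo is the check that exercises exactly the NSS path su uses, with PAM out of the picture. The server URI is a constructed placeholder.

```conf
# /etc/nsswitch.conf: ask the flat files first, then nss_ldap
passwd:   files ldap
shadow:   files ldap
group:    files ldap

# /etc/ldap.conf (read by nss_ldap/pam_ldap; NOT the OpenLDAP client file)
# constructed placeholder URI; replace with the real server
uri ldap://ldap.example.invalid/
base dc=isilon,dc=cn
nss_base_passwd ou=People,dc=isilon,dc=cn?one
nss_base_shadow ou=People,dc=isilon,dc=cn?one
nss_base_group  ou=Group,dc=isilon,dc=cn?one
# encrypt the lookups and verify the server certificate
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
tls_checkpeer yes
```

Then run getent passwd demo as root. If it prints the demo:x:501:500 line, NSS is fine and su's failure belongs to the PAM stack; if it prints nothing while ldapsearch still succeeds, the fault is in /etc/ldap.conf, a missing nss_ldap package, or a stale nscd cache.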
Value of contextCSN not persisted
by Torsten Schlabach (Tascel eG)
Dear list!
We found one issue with a quite simple syncrepl replication; we have one
provider and just one consumer. The consumer got set up about a week ago
and loaded its initial database content from the provider. Then - after a
couple of days - one object got deleted on the provider. So the consumer
had to perform that delete operation as well; which is what it did fine. No
problem so far.
Today we compared the contextCSN values for the provider and the consumer
and first thought we may have a problem, actually, because we found the
contextCSN on the consumer to be newer than on the provider. Here are the
actual values:
consumer
contextCSN: 20111216215531.923716Z#000000#003#000000
provider
contextCSN: 20110124140058.246484Z#000000#003#000000
Looking twice, we found out that on the provider we got the above
contextCSN value (the one which is too small) using slapcat. If we ask the
provider using ldapsearch, it actually reports the expected contextCSN
value, i.e. the same one which we can see on the consumer. (Note: the above
value on the consumer has been taken from slapcat as well.)
In other words: the provider's latest contextCSN value has not been
written to disk until now; actually 4 days since the change.
I guess if the power failed now, for example, the provider would load
its contextCSN from the database, reading the lower value, and thus
replication would get seriously out of sync, wouldn't it?
Also we found that the result of the operation which increased the
contextCSN (deleting an object on the provider) has been written to
disk, in contrast to the contextCSN value.
Is that expected behaviour, or would we need to configure the flushing to
disk?
We're using OpenLDAP 2.4.23 on Debian Linux. The backend is a back-hdb.
Regards,
Torsten
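The two numbers differ because they are read from different places: ldapsearch returns the contextCSN that syncprov keeps in memory, while slapcat reads the database, and syncprov only writes the contextCSN back to the database at its checkpoints (syncprov-checkpoint <ops> <minutes> in slapd.conf: after that many write operations, or that many minutes since the last checkpoint) and on a clean shutdown, so after an unclean stop the database carries the stale value. Comparing the two CSNs is the routine check. Added example, not from the thread or from OpenLDAP: a small CSN parser and comparator applied to the two values quoted in the post, following the 2.4 CSN layout timestamp#count#sid#modcount.

```python
import re
from datetime import datetime

# CSN layout (OpenLDAP 2.4): YYYYmmddHHMMSS.ffffffZ#<count>#<sid>#<modcount>, all hex after the '#'
CSN_RE = re.compile(r"^(\d{14}\.\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


def parse_csn(value):
    """Split a CSN into (timestamp, count, sid, modcount); raises ValueError on garbage."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError("not a CSN: %r" % value)
    ts, count, sid, mod = m.groups()
    return (datetime.strptime(ts, "%Y%m%d%H%M%S.%f"), int(count, 16), int(sid, 16), int(mod, 16))


def compare_csn(a, b):
    """-1, 0 or 1 as a is older than, equal to, or newer than b.

    A replica keeps one contextCSN per server ID, so values carrying
    different sids are not comparable and are rejected.
    """
    pa, pb = parse_csn(a), parse_csn(b)
    if pa[2] != pb[2]:
        raise ValueError("sid mismatch: %03x vs %03x" % (pa[2], pb[2]))
    ka, kb = (pa[0], pa[1], pa[3]), (pb[0], pb[1], pb[3])
    return (ka > kb) - (ka < kb)


def checkpoint_lag(on_disk, live):
    """Compare a server's slapcat contextCSN with its ldapsearch one.

    Returns (order, seconds): order is compare_csn(on_disk, live), so -1 means
    the on-disk checkpoint is behind; seconds is live minus on_disk timestamp.
    """
    order = compare_csn(on_disk, live)
    seconds = (parse_csn(live)[0] - parse_csn(on_disk)[0]).total_seconds()
    return order, seconds


def checkpoint_report(on_disk, live):
    """One-line verdict for a provider's contextCSN check."""
    order, seconds = checkpoint_lag(on_disk, live)
    if order == 0:
        return "contextCSN is checkpointed: slapcat and ldapsearch agree"
    if order > 0:
        return "on-disk contextCSN is NEWER than the live one; investigate"
    return "on-disk contextCSN lags the live value by %.1f days; no checkpoint since then" % (seconds / 86400.0)


# The two provider values quoted in the post (slapcat vs ldapsearch, both sid 003).
PROVIDER_SLAPCAT = "20110124140058.246484Z#000000#003#000000"
PROVIDER_LDAPSEARCH = "20111216215531.923716Z#000000#003#000000"

if __name__ == "__main__":
    print(checkpoint_report(PROVIDER_SLAPCAT, PROVIDER_LDAPSEARCH))
```

On the poster's numbers the on-disk value is almost eleven months behind, not four days: the last checkpoint (or clean shutdown) dates from January, so every change since then is only in memory. A short syncprov-checkpoint interval, like the "syncprov-checkpoint 100 10" shown in the memory-leak post above, keeps the two values close; with several providers, run the comparison once per sid.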
memberOf doesn't list members from an autogroup
by Felipe Augusto van de Wiel
Hello,
I'm using 2.4.23 packaged from Debian (2.4.23-7.2) and I'm trying
to combine autogroup and memberof. autogroup (and dynlist) seems
to be working, but it seems that memberof fails. :-(
In terms of slapd.conf I load the modules memberof, dynlist and
autogroup, the relevant configuration:
overlay memberof
memberof-refint TRUE
overlay dynlist
dynlist-attrset groupOfNames labeledURI member
overlay autogroup
autogroup-attrset groupOfURLs memberURL member
I created the following test group:
dn: cn=TEST,ou=Groups,dc=hpp,dc=org,dc=br
cn: TEST
memberURL: ldap:///ou=People,dc=hpp,dc=org,dc=br?member?sub?(gidnumber=1000)
gidNumber: 12345
objectClass: groupOfURLs
objectClass: top
objectClass: posixGroup
It correctly lists all the users with gidnumber 1000; I'm planning
to change the filter to have a group of users from different groups.
If I try to search per membership:
ldapsearch -LLL -x memberof=cn=TESTE,ou=Groups,dc=hpp,dc=org,dc=b
Nothing returns. :-(
In other groups where I have a member field added statically, the
memberof query works as expected. Am I missing something?
Thanks in advance!
Kind regards,
- --
Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747
[OT] Schema Catalog
by Reinaldo de Carvalho
Hi,
To avoid creating another schema for the same purpose, I'd like to
ask whether there is a website that has a catalog of schemas?
[]s
--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net
"While not fully understand a software, don't try to adapt this
software to the way you work, but rather yourself to the way the
software works" (myself)
syncrepl: target DIT & directory server compatibility
by Asplund Marko
Hi,
I'm planning on using OpenLDAP syncrepl for replicating a DIT fragment
from Novell eDirectory using pull-based synchronisation.
If I understood correctly, synchronisation requires LDAP Sync protocol
support from both the provider and the consumer sides.
Any practical experience synchronising between these two different types
of directory servers?
How do I configure the syncrepl target DIT?
For example, if I have a database with suffix "dc=example,dc=com"
and locally managed entries stored in
o=foo,dc=example,dc=com
and I'd like to synchronise a DIT from another server to
o=bar,dc=example,dc=com
How can I configure OpenLDAP to do that?
thanks,
marko
cn=config partial replication
by The Ranger
Hello,
I have multiple v. 2.4.23 and 2.4.26 servers doing master-slave
replication using syncrepl.
The main server contains multiple subordinate DITs that get replicated
to different servers:
* DIT1 from master to server A, B, C
* DIT2 from master to server D, E, F
* DIT3 from master to server G
etc.
Now I would also like to set up the cn=config replication. Actually the
most important for me would be cn=schema,cn=config, since everything
else is rather static.
What would be the best setup with minimal configuration settings/values
duplication?
There are many howtos on the net how to sync only cn=schema,cn=config,
but putting the olcSyncrepl value to olcDatabase={0}config will make the
whole DB shadowed and redirect the database config changes to master
server which is not the reasonable solution.
The best solution would be when cn=schema,cn=config (and maybe also
the proper olcDatabase subtree) would be synchronized with the master.
All the rest of the config database should be locally manageable.
I read about the suffixmassage, but this needs ldap server upgrade on
2.4.23 servers (there is no package in debian 6.0.3 for that). And as
far as I understand it also requires separate cn=config,cn=slave
subtrees on the server with duplicated database configuration and acl
definitions etc.
I simply try to find the best solution to address as many problems at once
as I can and reduce the config overhead as much as possible.
Could you please advise what are my options?
--
rgrds,
Ivari