openldap-technical December 2011

openldap-technical@openldap.org

88 participants
101 discussions

openldap ssl/tls not getting started
by Jayavant Patil 02 Jan '12

02 Jan '12

Hi, I am using openldap-2.4.19-4.fc12.x86_64 on fedora 12 machine. I want to start slapd with ssl/tls enabled. I have followed all the necessary steps as per specified in admin guide but still slapd not getting started in ssl/tls mode. Whenever I do ldapsearch with -ZZ option, it shows can't contact LDAP server(-1). Can anybody tell me the detailed steps and settings so that I can match those with my followed steps? Server file names are as follows: /etc/openldap/slapd.conf /etc/openldap/ldap.conf /etc/ldap.conf /etc/nsswitch.conf Client file names are as follows: /etc/openldap/ldap.conf /etc/ldap.conf /etc/nsswitch.conf -- Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.

2 1

Ldap Tree References and Timeouts
by Klemens Kittan 29 Dec '11

29 Dec '11

Hello, I incorporated a subtree in our LDAP tree by reference. This subtree is offered by two servers. That's why I set the uri parameter to ldap1 and ldap2. If one of these servers is down, searches take very long (>10 min). The manpage says: "The URI list is space- or comma-separated. Whenever the server that responds is not the first one in the list, the list is rearranged and the responsive server is moved to the head, so that it will be first contacted the next time a connection needs be created." Have I missed something here or is there a timeout value to be set? This is our configuration for that part: # ---------------------------------------------------------- # --- Specific Backend Directives for ldap ----------------- # ---------------------------------------------------------- backend ldap # ---------------------------------------------------------- # --- Specific Directives for database ldap (babylon) ------ # ---------------------------------------------------------- database ldap # --- The base of your directory suffix "dc=subtree,dc=xyz,dc=de" uri "ldap://ldap1.xyz.de ldap://ldap2.xyz.de" # --- Save the time that the entry gets modified lastmod off # --- Specify that the current backend database is a subordinate subordinate Regards, Klemens

1 0

memory leak
by Paul DiSciascio 28 Dec '11

28 Dec '11

We are running a cluster of 2 ldap servers using the syncrepl overlay with mirror mode. After upgrading from SLES 10 SP2 (openldap 2.4.11) to SLES 11 SP1 (openldap 2.4.20), we have encountered a memory problem. The slapd process grows unbounded to the point that it uses all of the memory available to the ldap user on the server, currently 2.5GB, in a matter of hours. The database only contains around 30,000 records, so this amount of memory usage seems unusually high. No changes to the server configuration were made during the upgrade. In an attempt to address the issue, we upgraded both instances further to openldap version 2.4.28, but this has not helped. Below is the slapd.conf (security related pieces have been redacted) that we are using. ~Paul -------------------BEGIN SLAPD.CONF-------------- # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/ppolicy.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args # Load dynamic backend modules: modulepath /usr/lib/openldap/modules TLSCipherSuite HIGH:MEDIUM:-SSLv2 TLSCertificateFile /etc/openldap/cert.pem TLSCertificateKeyFile /etc/openldap/cert.key <ACLs go Here> loglevel none ServerID 1 ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=redacted" checkpoint 1024 5 cachesize 10000 overlay ppolicy rootdn "cn=redacted" sizelimit -1 ppolicy_default "cn=redacted" ppolicy_use_lockout directory /var/lib/ldap # Indices to maintain index cn,sn,uid eq index entryUUID eq index entryCSN eq index member eq index objectClass eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 limits dn.exact="uid=replica,ou=redacted" time=unlimited size=unlimited syncrepl rid=501 provider=ldap://peerhost:389 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=redacted" attrs="*,+" scope=sub bindmethod=simple binddn="uid=redacted" credentials= interval=00:01:00:00 mirrormode on database monitor -------------------END SLAPD.CONF--------------

2 1

Re: LDAP and file based authentication co-exist
by Daniel Qian 28 Dec '11

28 Dec '11

On 11-12-28 8:37 PM, yang feng电话 wrote: > > No, i configure /etc/openldap/ldap.conf, need /etc/ldap.conf Also? > > Generally speaking /etc/openldap/ldap.conf is for Ldap application software/utilities whereas /etc/ldap.conf is for system. Apparently You need the later for Ldap users to show up in your system.

1 0

LDAP and file based authentication co-exist
by 杨峰 28 Dec '11

28 Dec '11

It's a strange problem, I settle down LDAP setting and can get correct ldapsearch result at the mgmt node, but when I use "su" to the user, the system prompt "the user is not existed". It seems the LDAP service ( slaped ) is running and the user authentication goes through /etc/passwd still. How to move the user authentication to LDAP only? I had changed /etc/nsswitch.conf to use ldap also. [root@xcat user]# ldapsearch -x -v -D "cn=root,dc=isilon,dc=cn" -W -b "ou=People,dc=isilon,dc=cn" "uid=demo" ldap_initialize( <DEFAULT> ) Enter LDAP Password: filter: uid=demo requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=People,dc=isilon,dc=cn> with scope subtree # filter: uid=demo # requesting: ALL # # demo, People, isilon.cn dn: uid=demo,ou=People,dc=isilon,dc=cn uid: demo cn: demo sn: demo mail: demo(a)isilon.cn objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: e2NyeXB0fSQ2JHkuMjUwS3hlJE9VZ3BidXJDdlg0UFk2NVFSSXBKNjhtNnpxYVp OVHdZYnBpZkdJVUJuQk1ZZnlVdmtEMHNwMTZLUmtaQmhoT0xrQ1NZdEhUU2NEUDRhTmhGUnJNSWIv shadowLastChange: 15334 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 501 gidNumber: 500 homeDirectory: /ifs/home/demo # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@xcat user]# su - demo su: user demo is not existed

2 1

Value of contextCSN not persisted
by Torsten Schlabach (Tascel eG) 27 Dec '11

27 Dec '11

Dear list! We found one issue with a quite simple syncrepl replication; we have one provider and just one consumer. The consumer got set up about a week ago and loaded its initial database content from the provider. Then - after a couple of days - one object got deleted on the provider. So the consumer had to perform that delete operation as well; which is what it did fine. No problem so far. Today we compared the contextCSN values for the provider and the consumer and first thought we may have a problem, actually, because we found the contextCSN on the consumer to be newer than on the provider. Here are the actual values: consumer contextCSN: 20111216215531.923716Z#000000#003#000000 provider contextCSN: 20110124140058.246484Z#000000#003#000000 Looking twice, we found out that on the provider we got the above contextCSN value (the one which is too small) using slapcat. If we ask the provider using ldapsearch it actually reports the expectec contextCSN value, i.e. the same one which we can see on the consumer. (Note: The above value on the consumer has been taken from slapcat as well. In other words: The provider's latest contextCSN value has not been written to the disk until now; actually 4 days since the change. I guess if the power would fail now for example, the provider would load it's context CSN from the database, reading the lower value, and thus replication would get seriously out of sync, wouldn't it. Also we found that the result of the operation which increased the contextCSN (deleting an object on the provider) has been written to the disk, in contrast to the contextCSN value. Is that epxected behaviour or would we need to configure the flushing to the disk? We're using OpenLDAP 2.4.23 on Debian Linux. The backend is a back-hdb. Regards, Torsten

3 7

memberOf doesn't list members from an autogroup
by Felipe Augusto van de Wiel 27 Dec '11

27 Dec '11

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello, I'm using 2.4.23 packaged from Debian (2.4.23-7.2) and I'm trying to combine autogroup and memberof. autogroup (and dynlist) seems to be working, but it seems that memberof fails. :-( In terms of slapd.conf I load the modules memberof, dynlist and autogroup, the relevant configuration: overlay memberof memberof-refint TRUE overlay dynlist dynlist-attrset groupOfNames labeledURI member overlay autogroup autogroup-attrset groupOfURLs memberURL member I created the following test group: dn: cn=TEST,ou=Groups,dc=hpp,dc=org,dc=br cn: TEST memberURL: ldap:///ou=People,dc=hpp,dc=org,dc=br?member?sub?(gidnumber=1000) gidNumber: 12345 objectClass: groupOfURLs objectClass: top objectClass: posixGroup It correctly lists all the users with gidnumber 1000, I'm planning to change the filter to have a group of users from different groups. If I try to search per membership: ldapsearch -LLL -x memberof=cn=TESTE,ou=Groups,dc=hpp,dc=org,dc=b Nothing returns. :-( In other groups where I have a member field added statically, the memberof query works as expected. Am I missing something? Thanks in advance! Kind regards, - -- Felipe Augusto van de Wiel <felipe.wiel(a)hpp.org.br> Tecnologia da Informação (TI) - Complexo Pequeno Príncipe http://www.pequenoprincipe.org.br/ T: +55 41 3310 1747 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBCgAGBQJO+leVAAoJECCPPxLgxLxPw8oP/29cK3UrBphqpCFp5ce6toQN Y3JdhxX8brO5ffgv2hWYc/m+MOlsOjlxI5bEuIED0VlpnXtSJloT48GzGVNoTJoF nKt/tV9ndphJuH4MOYioybOP4aMXaOjvr0TYk4eNWZl2C/RYtR1WtTExHCt30+UV Iy3/hzNQyLiBURgRiTOR2+qCHMVSqMXJM+TuvwDXQMm89oEoZWiQHJGVZ9HDcMYE Xg3A7UBZQwPxxXjARVLX8w/n9z2M75yABQxK1p3SnJHX7JxAE5lzzhpQRV3nIXI5 kL41sXarI8Xfa/NyClf54xzOUNqnMBeNBZJQe9SSfn/E9wBw2FRvq1QAJB1Zhgde 2bu3lFPi6gdWJF5inlHVrhT3Q186oa037UljZx0Ey5sxL1XKK6oQEPxVIEbTS13n nwbEthEFjbpLE7Hgz4S9x/cYDRrVM+dFNZFvOp+1xg+kJnEfL5nkadHN+DU97QQ1 4ZuqZNnJq7GgXE3GyAadc5S2eVn10YmOx5OJf8Yct5kpLWSxRfozxGQgAtj4Zkni oGTo5w8IgYdhGXYUh1mLgTbW8PZzUCI3uxzyBXYS8uHRlyG88PCa1BtNGpoOrEGz WKDbib3wLsaaJcvLVrjtp2MO4rII+lgO2O8kei6LQ2nUp0HQxXAyDFbdLzMO3TQR YNswzdah34WWWdPBQYHE =sAbW -----END PGP SIGNATURE-----

1 0

[OT] Schema Catalog
by Reinaldo de Carvalho 27 Dec '11

27 Dec '11

Hi, To avoid us create another schema to the same objective, I'd like consult if exist a website that have a catalog of schemas? []s -- Reinaldo de Carvalho http://korreio.sf.net http://python-cyrus.sf.net "While not fully understand a software, don't try to adapt this software to the way you work, but rather yourself to the way the software works" (myself)

1 0

syncrepl: target DIT & directory server compatibility
by Asplund Marko 27 Dec '11

27 Dec '11

Hi, I'm planning on using OpenLDAP syncrepl for replicating a DIT fragment from Novell eDirectory using pull-based synchronisation. If i understood correctly synchronisation requires LDAP Sync protocol support from both the provider and the consumer sides. Any practical experience synchronising between these two different types of directory servers? How do I configure the syncrepl target DIT? For example if i have a database with suffix "dc=example,dc=com" and locally managed entries stored in o=foo,dc=example,dc=com and i'd like to synchronise a DIT from another server to o=bar,dc=example,dc=com How can i configure OpenLDAP to do that? thanks, marko

2 1

cn=config partial replication
by The Ranger 24 Dec '11

24 Dec '11

Hello, I have multiple v. 2.4.23 and 2.4.26 servers doing the master-slave replication using syncrepl. The main server contains multiple subordinate DIT-s that get replicated to different servers: * DIT1 from master to server A, B, C * DIT2 from master to server D, E, F * DIT3 from master to server G etc. Now I would like also to setup the cn=config replication. Actually the most important for me would be the cn=schema,cn=config since everything else is rather static. What would be the best setup with minimal configuration settings/values duplication? There are many howtos on the net how to sync only cn=schema,cn=config, but putting the olcSyncrepl value to olcDatabase={0}config will make the whole DB shadowed and redirect the database config changes to master server which is not the reasonable solution. The best solution would be when the cn=schema,cn=config (and maybe olso the proper olcDatabase subtree) would be synchronized with the master. All the rest of the config database should be locally manageable. I read about the suffixmassage, but this needs ldap server upgrade on 2.4.23 servers (there is no package in debian 6.0.3 for that). And as far as I understand it also requires separate cn=config,cn=slave subtrees on the server with duplicated database configuration and acl definitions etc. I simply try to find the best solution to hit as much problems at once as I can and reduce the config overhead as much as possible. Could you please advise what are my options? -- rgrds, Ivari

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2011