My Thunderbird does not appear to be using back-shell's searchexample.sh...?
I have compiled OpenLDAP on a desktop Windows XP machine with the
back-shell backend enabled without threads.
slapd.conf is configured as suggested in the file searchexample.conf at
http://tinyurl.com/47t9ets. I have added the file searchexample.sh from
http://tinyurl.com/4823rtf in the appropriate directory. I start up slapd,
/usr/local/libexec/slapd -d 256 -h ldap://localhost
and it appears to fire up:
$ /usr/local/libexec/slapd -d 256 -h ldap://localhost
@(#) $OpenLDAP: slapd 2.4.24 (Feb 14 2011 09:29:58)
WARNING: No dynamic config support for database shell.
I configured Thunderbird with a localhost LDAP directory server
(localhost, port 389), leaving 'base dn' and 'bind dn' blank.
In attempting to test this searchexample.sh script, I open a new message
and type an entry that I know appears in the /etc/passwd file. I see
output in my Cygwin window that is running slapd with lines including
"BIND", "SRCH", "SEARCH RESULT", etc., but the tbird compose message
window's "To:" field shows a "<LDAP server search problem>" which I
click on and which produces a pop-up with
"Error code 32: No such object
Verify that the Base DN is correct, and then try again, or else contact
your System Administrator. To verify that the Base DN is correct, from
the Edit menu, choose Preferences, then choose Mail & Newsgroups, and
then choose Addressing. Click Edit Directories, and select the LDAP
server being used. Click Edit to display the Base DN."
However, if I include 'base dn' info in tbird, slapd output
reports a 'fatal error' with a stack trace.
Meanwhile, the slapd output is as follows:
conn=1002 op=3 SRCH base="" scope=2 deref=0
conn=1002 op=3 SRCH attr=cn mail
conn=1002 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
Several questions arise:
1. Should 'base dn' and/or 'bind dn' in tbird remain blank for localhost?
2. Aside from what is noted in searchexample.conf above, are any of the
other lines necessary in slapd.conf (rootdn, index, directory -- slapd
complains if directory is made available, despite the referenced file
3. What else can I do to get tbird to make use of the searchexample.sh
file and report as such in the slapd output?
4. In running slapd, I see the message,
"WARNING: No dynamic config support for database shell"
From this (similar) thread,
do I understand correctly that I should still be able to utilize a shell
My current goal is the following: get slapd to run with a shell backend
and Thunderbird on my local desktop. Our team's overall goal is to
enable this setup on a Linux server: we'd like to eliminate our LDAP
server and utilize this slapd+back-shell mechanism to access our Oracle
DB for our LDAP clients. Once we are able to get this all working with
back-shell, we'd like to replace the shell role with PHP scripts. Any
guidance on this task in general is greatly appreciated.
My apologies in advance for any silly questions: I am new to playing
with (Open)LDAP, and have been staring at this problem for much too long.
Thank you in advance.
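An added example, written for this digest and not OpenLDAP's searchexample.sh that the post links to: a minimal back-shell search script in the request/response format slapd-shell(5) describes (slapd writes the operation name and "key: value" lines to the script's stdin and closes the pipe; the script answers with LDIF entries and a RESULT block). It assumes a suffix of dc=example,dc=com, an ou=people container, an example.com mail domain and a "serve" argument on the slapd.conf search line; it reads constructed passwd-style lines instead of /etc/passwd so it runs offline. A base outside the suffix is answered with code 32, the same err=32 the slapd log above shows for base="".

```shell
#!/bin/sh
# Added example of a slapd back-shell SEARCH handler. This is my own script,
# not OpenLDAP's searchexample.sh. Protocol per slapd-shell(5): slapd writes
# the request to stdin (the operation name, then "key: value" lines: msgid,
# suffix, base, scope, deref, sizelimit, timelimit, filter, attrsonly, attrs)
# and closes the pipe; the script writes LDIF entries separated by blank
# lines to stdout, followed by a RESULT block (code / matched / info).

SUFFIX="dc=example,dc=com"      # assumption: must equal "suffix" in slapd.conf
PEOPLE="ou=people,$SUFFIX"      # assumption: container for generated entries
MAILDOMAIN="example.com"        # assumption: domain for the synthetic mail value

# Constructed stand-in for /etc/passwd so the example runs offline.
passwd_data() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Adams:/home/alice:/bin/bash
bob:x:1002:1002:Bob Brown:/home/bob:/bin/sh
EOF
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# One LDIF attribute line; values LDIF cannot carry in clear go out base64.
ldif_line() {
    case "$2" in
        " "*|":"*|"<"*|*" ")
            printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')" ;;
        *)  printf '%s: %s\n' "$1" "$2" ;;
    esac
}

result() { printf 'RESULT\ncode: %s\nmatched: %s\ninfo: %s\n' "$1" "$2" "$3"; }

# Parse the request on stdin into op, base, scope and filter.
read_request() {
    op=""; base=""; scope=2; filter="(objectClass=*)"
    while IFS= read -r line; do
        if [ -z "$op" ]; then op=$line; continue; fi
        case "$line" in
            "base: "*)   base=${line#base: } ;;
            "scope: "*)  scope=${line#scope: } ;;
            "filter: "*) filter=${line#filter: } ;;
        esac
    done
}

# Is dn within base for scope 0 (base), 1 (onelevel) or 2 (subtree)?
dn_in_scope() {
    case "$3" in
        0) [ "$1" = "$2" ] ;;
        1) [ "${1#*,}" = "$2" ] ;;
        *) [ "$1" = "$2" ] || case "$1" in *",$2") true ;; *) false ;; esac ;;
    esac
}

# Crude filter support: the value of the first assertion, wildcards removed,
# matched case-insensitively as a substring of uid, cn and mail. The value
# of "(objectClass=*)" is empty, so it matches every entry.
filter_value() { printf '%s\n' "$1" | sed 's/^[^=]*=//; s/).*$//; s/\*//g'; }

handle_search() {
    read_request
    [ "$op" = "SEARCH" ] || { result 53 "" "only SEARCH is implemented"; return; }
    # A base outside the suffix gets noSuchObject, the err=32 a client with
    # an empty or wrong Base DN is shown.
    case "$base" in
        "$SUFFIX"|*",$SUFFIX") ;;
        *) result 32 "" "base must be under $SUFFIX"; return ;;
    esac
    needle=$(lc "$(filter_value "$filter")")
    passwd_data | while IFS=: read -r uid pw uidn gidn gecos home shell; do
        dn="uid=$uid,$PEOPLE"
        mail="$uid@$MAILDOMAIN"
        dn_in_scope "$dn" "$base" "$scope" || continue
        case "$(lc "$uid $gecos $mail")" in *"$needle"*) ;; *) continue ;; esac
        ldif_line dn "$dn"
        ldif_line objectClass inetOrgPerson
        ldif_line uid "$uid"
        ldif_line cn "$gecos"
        ldif_line sn "${gecos##* }"
        ldif_line mail "$mail"
        echo
    done
    result 0 "" ""
}

# Assumed slapd.conf line:  search /usr/local/etc/openldap/searchexample.sh serve
case "${1:-}" in serve) handle_search ;; esac
```

Two things to keep in mind before pointing a real client at something like this: the script runs with slapd's privileges and its only input validation is the base and filter handling shown, so anything it passes on to another command (an Oracle query, in the poster's end goal) must be escaped or parameterised there, and the Base DN configured in the client has to sit under the configured suffix or every search ends as the 32 above.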
I'm in doubt about what design I need to use for OpenLDAP.
This is the situation:
We have 1200+ customers using LDAP. We want to replicate all these LDAP
servers to one big LDAP server in a datacentre with a multi-master config.
So all the customers are master LDAP servers that replicate to the datacentre.
My idea was to build an LDAP cluster of about 4 servers in the datacentre.
My question is:
Will this be stable, because there will be 1200+ LDAP servers replicating
to 4 LDAP servers in the datacentre?
I know this depends on the number of write actions at the customers. All I
can say is that the write actions at the customers aren't THAT many.
I really hope somebody can give me an answer, or maybe there's somebody
else with the same config.
Hendrik van der Ploeg
I am running a LDAP server on a debian system with a mySQL database as
$OpenLDAP: slapd 2.4.11 (Jul 24 2010 08:14:20)
mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using
Everything is running fine if I am searching the LDAP tree for data
containing only one objectClass (inetOrgPerson). Now I have added a second,
auxiliary objectClass (mozillaAbPersonAlpha) to my data via the
ldap_entry_objclasses table in the MySQL database, but a search only
returns the three inetOrgPerson fields I have set:
ldapsearch -LLL -s sub -b 'ou=contacts,ou=contacts,dc=...'
'objectclass=*' -D 'cn=USER' -w unsafe-password -x
dn: cn=Name Firstname,ou=contacts,ou=contacts,dc=...
cn: Name Firstname
If I switch the dependency in the ldap_entries table from inetOrgPerson
to the mozilla schema, I get the mozilla fields but - e.g. in
phpLDAPadmin - I cannot see any data (also in my Thunderbird
address book). My opinion: the mozilla schema is not structural.
Perhaps this old mailing-list entry gives an answer but, for me,
no solution:
I hope someone has an idea about this problem!
Thanks a lot,
My /etc/ldap/slapd.conf file (parts of it):
access to dn.subtree="ou=contacts,ou=contacts,dc=..."
by dn="cn=admin,dc=..." peername.ip=127.0.0.1 write
by dn="cn=user" read
by * none
I thought about attaching my database entries but this could be too long.
If there should be questions about it, please let me know.
On Tue, Feb 15, 2011 at 02:13:40PM -0200, Leonardo Carneiro wrote:
> To: Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>
Please keep replies on the list so that other people can
benefit from the discussion in future.
> > Aha! How many entries did that search return? Was it about the same
> > number that you would expect given your users and groups?
> yep. they are all there.
> > Did you previously have the LDAP server set up to refuse data to
> > anonymous users?
> No, it could bind as anonymous and read any data.
In that case leave the database alone: the problem is in the
configuration. Please post the slapd config. We need to see
all of it except for any passwords.
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
I'm using autogroup overlay (OpenLDAP 2.4.23, autogroup v. 22.214.171.124
but the behaviour was the same with 126.96.36.199) and I'm facing a strange
Operations performed using openldap client tools work as expected. The
same operations performed using a java client do not.
I've restricted the problematic operations to modifications of existing
entries. Using attached slapd.conf and ldap.ldif it's quite simple to
Using openldap ldapmodify client:
modifies the entry AND triggers autogroup modify operation on group
cn=description adding user2 as a member of the group (see slapd.log.ok.add)
The same operation performed with JExplorer modifies the entry but does
NOT trigger the autogroup modification (see slapd.log.java.add).
I've compared the two logs and the overlay-related modifications are
completely skipped in the java client test.
Does anyone have an explanation?
Note: adding a new entry or deleting an existing one (if it matches any
of the criteria in memberUrl) works even with Jexplorer.
*Gruppo Partners Associates*
Tel. Milano +39 02 67380435 - Udine +39 0432 689815 - Roma +39 06 54832300
Fax Milano +39 02 67386214 - Udine +39 0432 570120 - Roma +39 06 91659273
Cell. +39 348 0471710
Email: Luca.Scamoni@GruppoPA.it
Site: www.GruppoPA.it
Before printing, think about the environment
Like a lot of people I guess, I'm having trouble configuring slapd to work as a proxy server in
front of Microsoft's Active Directory. AD in this case is configured to refuse to allow
anonymous searches but I want to allow anonymous searches on the proxy. Therefore the
configuration I'm hoping for is:
* Anonymous binds to slapd get translated into an authenticated bind to AD.
* Authenticated binds to slapd have their credentials (DN and password) passed through to AD.
Here's what I have so far, based on the documentation. I'm using slapd.conf rather than the
new conf.d directory based config, and I'm currently running openldap 2.4.19:
acl-bind bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD"
idassert-bind bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD"
access to * by * read
You can assume I've used valid bind DNs, suffixes, server names and passwords in the places
where I've resorted to capitals above. I've tested these binds from the command line directly
against the AD server and they all work.
I have tested the above on OpenLDAP 2.3; it works for anonymous binds if and only if a
successful authenticated bind is done first. The same was reported in this post:
In OpenLDAP 2.4 it fails to recognise the idassert-bind completely; all attempts at anonymous
bind seem to fail. A similar problem was reported while upgrading from 2.3.11 to 2.3.27, here:
Am I using the correct configuration directives to achieve what I want, and if not what should
I be using?
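An added slapd.conf fragment, my own and not the poster's configuration or text from the OpenLDAP manual, showing how I would express the two requirements above with back-ldap's directives as I read slapd-ldap(5) for 2.4: the idassert-bind mode "none" sends no proxyAuthz control, so operations from clients that did not bind run on a connection bound as the idassert binddn; a client's own bind is always forwarded to the remote server, and without flags=override such clients keep using their own credentials afterwards. The suffix, URI, proxy account and password are placeholders.

```conf
# Added example (not from the post): slapd as a read proxy in front of AD.
# dc=example,dc=com, ad.example.com and the proxy account are assumptions.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ad.example.com/"
# AD returns referrals to its other naming contexts on subtree searches;
# hand them to the client instead of chasing them with the proxy account.
chase-referrals no
# Identity slapd binds with internally to evaluate its own ACLs.
acl-bind        bindmethod=simple
                binddn="cn=proxy,cn=Users,dc=example,dc=com"
                credentials="PROXY-PASSWORD"
# mode=none: no proxyAuthz control, so anonymous clients' operations are
# performed as binddn. Clients that bind through the proxy have that bind
# forwarded to AD and, absent flags=override, keep their own credentials.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,cn=Users,dc=example,dc=com"
                credentials="PROXY-PASSWORD"
                mode=none
# Anonymous readers see only what the proxy account exposes: start with the
# attributes the clients need ("entry" is required to return entries at all)
# rather than "access to * by * read".
access to attrs=entry,objectClass,cn,sn,givenName,mail
        by * read
access to *
        by * none
```

Two checks worth doing once this loads: run an anonymous `ldapsearch -x` against the proxy from a fresh connection (no prior authenticated bind) and confirm entries come back, then bind as an ordinary AD user with a deliberately wrong password and confirm the proxy returns invalidCredentials rather than silently serving the request as the proxy account. The slapd.conf file now holds an AD password in clear, so it needs to be readable by the slapd user only; idassert-authzFrom can additionally restrict which local identities are allowed to use the asserted identity.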
I upgraded my Debian machine from Lenny to Squeeze (the new stable),
which comes with Samba 3.5.6 and OpenLDAP 2.4.23. This machine works
primarily as a PDC.
I have 3 services authenticating on LDAP: Samba, Apache and Redmine.
Samba is acting very weird, but it's kind of working; Redmine and
Apache aren't working at all.
These services do bind to the server, but they cannot find the users.
Also, I cannot execute ldapsearches via the CLI. Plus, in bash, when I
try to change to some user other than root (e.g. lscarneiro), the
system does not recognize the user:
fileserver:~# su - lscarneiro
I have no name!@fileserver:~$ whoami
whoami: cannot find name for user ID 1130
I'm very, VERY much a noob on LDAP and don't know exactly what kind of info I
should give to you guys to get some help. Any help is very welcome.
How would you integrate several companies with one mother company
(of which our Linux team and IT are part)?
We need to implement different OpenLDAP servers because of
But I'm not sure how to do this.
Each company needs its own pair of multi-master LDAP servers (for HA).
Each LDAP server pair belongs to one of the affiliates and there has
to be a 'chinese wall' between those (if possible)
Of course it should not be possible for employees of company A to
authenticate through the LDAP server of company B.
Except for ESX, KVM and other virtualization hosts, each server also
belongs to only one of these subcompanies.
But for me and other admins it should be possible to access and manage
all servers using the same password and tooling (like puppet with LDAP...)
My idea was some combination of chaining, proxy... (or other overlays).
We could use the LDAP server of the mother company as the last part of
The DIT / right structure is also still an issue for me (I'm not an LDAP expert)
Other nice to haves are some AD integration and kerberos, but this has
nothing to do with my question :-)
I'm trying to use the new LDAP_OPT_CONNECT_ASYNC with OpenLDAP 2.4.23 client and I can't see how it can be done.
After creating the connection structure via ldap_initialize() I then call ldap_sasl_bind() to do the bind. That calls down to ldap_new_connection() (ldap_sasl_bind -> ldap_send_initial_request -> ldap_open_defconn -> ldap_new_connection) and that implements the asynchronous connect, setting the lconn_status to LDAP_CONNST_CONNECTING and not calling ldap_int_poll() in ldap_pvt_connect().
So far so good. But ldap_send_initial_request() then gets a good return code from ldap_open_defconn(), and so it goes on to call ldap_send_server_request() to send the bind, and that then calls ldap_int_poll() which waits for the connect to complete, making the whole operation synchronous.
It seems to me that for this to work asynchronously, either:
1. ldap_send_initial_request() should check whether lconn_status is LDAP_CONNST_CONNECTING on return from ldap_open_defconn(), and if it is, return, probably with error LDAP_X_CONNECTING. It should then be possible to re-call ldap_sasl_bind() when the connect has completed.
2. Establish the connection via ldap_new_connection() before calling ldap_sasl_bind(). But the functions to do that don't appear to be available on the API. ldap_open() could have probably done it, but it is now deprecated. So this would appear to require a new API function that would simply call ldap_open_defconn() and return LDAP_X_CONNECTING.
Or is there some other way to achieve this?