openldap-technical February 2011

openldap-technical@openldap.org

96 participants
102 discussions

seeking guidance with back-shell setup
by Elle Y Suzuki 16 Feb '11

16 Feb '11

hello, my thunderbird does not appear to be using back-shell's searchexample.sh..? i have compiled openldap on a desktop windows xp machine with the back-shell backend enabled without threads. slapd.conf is configured as suggested in the file searchexample.conf at http://tinyurl.com/47t9ets. i have added the file searchexample.sh from http://tinyurl.com/4823rtf in the appropriate directory. i start up slapd, /usr/local/libexec/slapd -d 256 -h ldap://localhost and it appears to fire up: $ /usr/local/libexec/slapd -d 256 -h ldap://localhost @(#) $OpenLDAP: slapd 2.4.24 (Feb 14 2011 09:29:58) . . . WARNING: No dynamic config support for database shell. slapd starting i configured thunderbird with a localhost ldap directory server (localhost, port 389), leaving 'base dn' and 'bind dn' blank. in attempting to test this searchexample.sh script, i open a new message and type an entry that i know appears in the /etc/passwd file. i see output in my cygwin window that is running slapd with lines including "BIND", "SRCH", "SEARCH RESULT", etc., but the tbird compose message window's "To:" field shows a "<LDAP server search problem>" which i click on and produces a pop-up with "Error code 32: No such object Verify that the Base DN is correct, and then try again, or else contact your System Administrator. To verify that the Base DN is correct, from the Edit menu, choose Preferences, then choose Mail & Newsgroups, and then choose Addressing. Click Edit Directories, and select the LDAP server being used. Click Edit to display the Base DN." however, if i were to include 'base dn' info in tbird, slapd output reports a 'fatal error' with a stack trace. meanwhile, the slapd output is as follows: conn=1002 op=3 SRCH base="" scope=2 deref=0 filter="(|(cn=suzuki*)(mail=suzuki*) (sn=suzuki*))" conn=1002 op=3 SRCH attr=cn mail conn=1002 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text= several questions arise: 1. should 'base dn' and/or 'bind dn' in tbird remain blank for localhost ldap? 2. aside from what is noted in searchexample.conf above, are any of the other lines necessary in slapd.conf (rootdn, index, directory -- slapd complains if directory is made available, despite the referenced file existing). 3. what else can i do to get tbird to make use of the searchexample.sh file and report as such in the slapd output? 4. in running slapd, i see the message, "WARNING: No dynamic config support for database shell" From this (similar) thread, http://tinyurl.com/457tra6 do i understand correctly that i should still be able to utilize a shell backend, then? my current goal is the following: get slapd to run with a shell backend and thunderbird on my local desktop. our team's overall goal is to enable this setup on a linux server: we'd like to eliminate our ldap server and utilize this slapd+back-shell mechanism to access our oracle db for our ldap clients. once we are able to get this all working with back-shell, we'd like to replace the shell role with php scripts. any guidance on this task in general is greatly appreciated. my apologies in advance for any silly questions: i am new to playing with (open)ldap, and have been staring at this problem for much too long. thank you in advance.

2 2

ldap design
by Hendrik van der Ploeg 16 Feb '11

16 Feb '11

Hello People, I'm in doubt what design I need to use for openldap This is the situation; We have 1200+ customers using LDAP. We want to replicate all these ldap server to 1 big ldapserver in a datacentre with a multi-master config. So all the customers are a master-ldap who replicate to the datacentre. My idea was to build in the datacentre a ldapcluster of about 4 server My question is: Will this be stable, because there will be 1200+ ldapservers replicating to 4 ldapserver in the datacentre. I know this depends on the number of write actions at the customers. All I can say is that write actions at the customers isn't THAT much. I really hope somebody can give me an answer or maybe there's somebody else with the same config Best Regards -- Hendrik van der Ploeg

4 3

ldap not respoding
by Prathyush 16 Feb '11

16 Feb '11

HI, Will huge size of slapd.log cause slapd service to hang -- *Regards, Prathyush*

1 0

search LDAP back-sql entry with two objectclasses (structural and auxiliary)
by Andreas Härtel 16 Feb '11

16 Feb '11

Hello, I am running a LDAP server on a debian system with a mySQL database as backend. slapd-version: $OpenLDAP: slapd 2.4.11 (Jul 24 2010 08:14:20) $@murphy:/build/buildd-openldap_2.4.11-1+lenny2-i386-H5BDjb/openldap-2.4.11/debian/build/servers/slapd mysql-version: mysql Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2 Everything is running fine if I am searching the LDAP tree for data containing only one objectClass (inetOrgPerson). Now I have add a second auxiliary objectClass (mozillaAbPersonAlpha) to my data via ldap_entry_objclasses table in the mySQL database, but a search only results in the three inetOrgPerson fields I have set: ldapsearch -LLL -s sub -b 'ou=contacts,ou=contacts,dc=...' 'objectclass=*' -D 'cn=USER' -w unsafe-password -x dn: ou=contacts,ou=contacts,dc=... objectClass: organizationalUnit objectClass: inetOrgPerson objectClass: mozillaAbPersonAlpha ou: contacts dn: cn=Name Firstname,ou=contacts,ou=contacts,dc=... objectClass: inetOrgPerson cn: Name Firstname sn: Name givenName: Firstname If I switch the dependency in the ldap_entries table from inetOrgPerson to the mozilla scheme, I get the mozilla fields but - e.g. in phpldapadmin - I can not see any data (also in my thunderbird addressbook). My opinion: mozilla scheme is not structural. Perhaps this old mailing-list entry gives an answer but - for me myself - no solution: http://www.openldap.org/lists/openldap-software/200403/msg00303.html Hope, someone has any idea about this problem ... !? Tanks a lot, Andreas My /etc/ldap/slapd.conf file (parts of it): ################################################################# include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/extension.schema include /etc/ldap/schema/mozillaAbPersonAlpha.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_hdb moduleload back_sql sizelimit 500 tool-threads 1 backend hdb backend sql database sql suffix "ou=contacts,ou=contacts,dc=... dbname contacts dbhost localhost dbuser myuser dbpasswd mypassword lastmod off has_ldapinfo_dn_ru no upper_func "upper" access to dn.subtree="ou=contacts,ou=contacts,dc=... by dn="cn=admin,dc=..." peername.ip=127.0.0.1 write by dn="cn=user" read by * none ################################################################# I thought about ataching my database entries but this could be too long. If there should be questions about it, please let me know.

1 1

Re: ldap auth does not works after openldap upgrade
by Andrew Findlay 15 Feb '11

15 Feb '11

On Tue, Feb 15, 2011 at 02:13:40PM -0200, Leonardo Carneiro wrote: > To: Andrew Findlay <andrew.findlay(a)skills-1st.co.uk> Please keep replies on the list so that other people can benefit from the discussion in future. > > Aha! How many entries did that search return? Was is about the same > > number that you would expect given your users and groups? > yep. they are all there. > > Did you previously have the LDAP server set up to refuse data to > > anonymous users? > No, it could bind as anonymous and read any data. In that case leave the database alone: the problem is in the configuration. Please post the slapd config. We need to see all of it except for any passwords. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

2 3

Autogroup strange behaviour
by Luca Scamoni 15 Feb '11

15 Feb '11

Hi, I'm using autogroup overlay (OpenLDAP 2.4.23, autogroup v. 1.2.2.11 but the behaviour was the same with 1.2.2.6) and I'm facing a strange situation. Operations performed using openldap client tools work as expected. The same operations performed using a java client do not. I've restricted the problematic operations to modifications of existing entries. Using attached slapd.conf and ldap.ldif it's quite simple to reproduce it. Using openldap ldapmodify client: cn=user2,ou=people,dc=example,dc=com add: description description: test modifies the entry AND triggers autogroup modify operation on group cn=description adding user2 as a member of the group (see slapd.log.ok.add) The same operation performed with JExplorer modifies the entry but does NOT triggers autogroup modification (see slapd.log.java.add) I've compared the two logs and overlay related modifications are completely skipped in the java client test. Anyone has an explanation? Note: adding a new entry or deleting an existing one (if it matches any of the criteria in memberUrl) works even with Jexplorer. thanks -- /Luca Scamoni / *Gruppo Partners Associates* Tel. Milano +39 02 67380435**- Udine +39 0432 689815 - Roma +39 06 54832300 Fax Milano +39 02 67386214 - Udine +39 0432 570120 - Roma +39 06 91659273 Cell. +39 348 0471710 Email: Luca.Scamoni(a)GruppoPA.it <mailto:Luca.Scamoni@GruppoPA.it> Sito: _www.GruppoPA.it_ <http://www.GruppoPA.it> Prima di stampare, pensa all'ambiente ** Think about the environment before printing

2 2

slapd.conf for proxy to AD
by Del 15 Feb '11

15 Feb '11

Hi, Like a lot of people I guess, I'm having trouble configuring slapd to work as a proxy server in front of Microsoft's Active Directory. AD in this case is configured to refuse to allow anonymous searches but I want to allow anonymous searches on the proxy. Therefore the configuration I'm hoping for is: * Anonymous binds to slapd get translated into an authenticated bind to AD. * Authenticated binds to slapd have their credentials (DN and password) passed through to AD. Here's what I have so far, based on the documentation. I'm using slapd.conf rather than the new conf.d directory based config, and I'm currently running openldap 2.4.19: -- database ldap chase-referrals no suffix "MY-AD-SUFFIX-HERE" uri "ldaps://MY-AD-SERVER-HERE/" cancel abandon acl-bind bindmethod=simple binddn="VALID-BIND-DN" credentials="VALID-PASSWORD" idassert-bind bindmethod=simple binddn="VALID-BIND-DN credentials="VALID-PASSWORD" mode=legacy flags=non-prescriptive idassert-authzFrom "dn.regex:.*" access to * by * read -- You can assume I've used valid bind DNs, suffixes, server names and passwords in the places where I've resorted to capitals above. I've tested these binds from the command line directly against the AD server and they all work. I have tested the above on OpenLDAP 2.3, it works for anonymous binds if and only if a successful authenticated bind is done first. The same was reported in this post: http://www.openldap.org/lists/openldap-technical/200907/msg00043.html In OpenLDAP 2.4 it fails to recognise the idassert-bind completely, all attempts at anonymous bind seem to fail. A similar problem was reported while upgrading to 2.3.11 to 2.3.27, here: http://www.openldap.org/lists/openldap-software/200701/msg00055.html Am I using the correct configuration directives to achieve what I want, and if not what should I be using? Thanx, -- Del

6 6

ldap auth does not works after openldap upgrade
by Leonardo Carneiro 15 Feb '11

15 Feb '11

Hello everyone, I upgraded my debian machine from lenny to squeeze (the new stable) that comes with samba 3.5.6 and openldap 2.4.23. this machines works primarily as a PDC. i have 3 services authenticating on ldap: samba, apache and redmine. samba is acting very weird, but it's kinda working, but redmine and apache aren't working at all. these services do bind to the server, but it cannot find the users. also, i cannot execute ldapsearchs via CLI. plus, in the bash, when i try to change to some user other than root (eg: lscarneiro), the system does not recognize the user: fileserver:~# su - lscarneiro I have no name!@fileserver:~$ whoami whoami: cannot find name for user ID 1130 i'm very VERY noob on ldap and don't know exactly what kind of info i should give to you guys to get some help. any help is very welcome

3 7

big company with different affiliates, how to integrate?
by Pieter Baele 15 Feb '11

15 Feb '11

How would you integrate several companies with one mother company? (where our Linux team and IT is part of) We need to implement different OpenLDAP servers because of policies...yeaha... ;-) But I'm not sure how to do this. My opinion: Each company needs his own pair of multi-master LDAP servers. (for HA) Each LDAP server pair belongs to one of the affiliates and there has to be a 'chinese wall' between those (if possible) Off course it should not be possible for employees from company A to authenticate through the LDAP server of company B. Except for esx, kvm and other virtualization hosts each server belongs also to only 1 of these subcompanies. But for me and other admins it should be possible to access and manage all servers using the same password and tooling (like puppet with LDAP...) My idea was some combination of chaining, proxy... (or other overlays). We could use the LDAP server of the mother company as the last part of some chain. The DIT / right structure is also still an issue for me (I'm not an LDAP expert) Other nice to haves are some AD integration and kerberos, but this has nothing to do with my question :-) -- Sincerely, Pieter Baele www.pieterb.be

2 1

How to use LDAP_OPT_CONNECT_ASYNC?
by Ian Puleston 14 Feb '11

14 Feb '11

Hi, I'm trying to use the new LDAP_OPT_CONNECT_ASYNC with OpenLDAP 2.4.23 client and I can't see how it can be done. After creating the connection structure via ldap_initialize() I then call ldap_sasl_bind() to do the bind. That calls down to ldap_new_connection() (ldap_sasl_bind -> ldap_send_initial_request -> ldap_open_defconn -> ldap_new_connection) and that implements the asynchronous connect, setting the lconn_status to LDAP_CONNST_CONNECTING and not calling ldap_int_poll() in ldap_pvt_connect(). So far so good. But ldap_send_initial_request() then gets a good return code from ldap_open_defconn(), and so it goes on to call ldap_send_server_request() to send the bind, and that then calls ldap_int_poll() which waits for the connect to complete, making the whole operation synchronous. It seems to me that for this to work asynchronously, either: 1. ldap_send_initial_request() should check for lconn_status to LDAP_CONNST_CONNECTING on return from ldap_open_defconn(), and if it is then return, probably with error LDAP_X_CONNECTING. It should then be possible to re-call ldap_sasl_bind() when the connect has completed. 2. Establish the connection via ldap_new_connection() before calling ldap_sasl_bind(). But the functions to do that don't appear to be available on the API. ldap_open() could have probably done it, but it is now deprecated. So this would appear to require a new API function that would simply call ldap_open_defconn() and return LDAP_X_CONNECTING. Or is there some other way to achieve this? Ian

3 8

← Newer
1
2
3
4
5
6
7
8
9
10
11
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2011