March 2011 - openldap-technical

by Joe Tseng

I recently set up a file server using Fedora and I configured it to run as a PDC with Samba and OpenLDAP. It had been running very smoothly until just last night when I discovered when I tried to restart the slapd service it would just sit there for a few minutes. After it did start I looked in /var/log/messages to see if I could glean some clues; it seems as part of "service slapd start" the system would request information from slapd in order to restart slapd. Seems pretty circular to me... I did not note any type of success message when slapd finally did wake up from suspended animation. I did not set slapd to generate a log file previously but after I put in that parameter in slapd.conf and restarted the service I still didn't get any output. I did get this from /var/log/messages: $ sudo tail -f /var/log/messages Feb 28 21:00:11 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:00:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:00:15 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)... Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:00:23 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:00:23 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)... Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:00:39 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:00:39 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)... Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:01:11 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:01:11 server0 slapd: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)... Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:02:15 server0 slapd: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:02:15 server0 slapd: nss_ldap: could not search LDAP server - Server is unavailable Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:02:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:02:19 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)... Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:02:27 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)... Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:02:43 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)... Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a directory)|0x20089|pictures Feb 28 21:02:50 server0 smbd_audit: jtseng|10.1.0.106|create_file|fail (Is a directory)|0x20089|pictures/porsche918 Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:03:15 server0 slapd[5555]: nss_ldap: reconnecting to LDAP server (sleeping 64 seconds)... Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://hda.at.home: Can't contact LDAP server Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1/: Can't contact LDAP server Feb 28 21:04:19 server0 slapd[5555]: nss_ldap: could not search LDAP server - Server is unavailable I stopped the log when slapd was up and running: $ sudo service slapd restart Stopping slapd: [ OK ] Starting slapd: [ OK ] $ sudo service slapd status slapd (pid 5726) is running... $ ps -ef | grep slapd ldap 5726 1 0 21:04 ? 00:00:00 /usr/sbin/slapd -h ldap:/// -u ldap jtseng 5756 5501 0 21:05 pts/2 00:00:00 grep slapd My includes for slapd are as follows: include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/autofs.schema include /etc/openldap/schema/ldapns.schema I imagine I won't need all of those but aside from core, inetorgperson, openldap, samba, autofs and ldapns I wouldn't know what I can discard. I know including various schemas can add to the boot time but this has not shown itself to be a problem in the recent past. As far as users are concerned it's just me, the wife, my son and three workstations. I hope someone can clue me in... Thanks. - Joe

10 years, 9 months

3
3
0 / 0

OpenLDAP, Kerberos, Samba, PAM, How Do They Work Together?

by Nan Meng

Dear list members, I hope amateur questions could be tolerated. I would make it professional if I could. I'm a newbie to OpenLDAP and probably even Linux, but I have to take care of an office network (Linux servers with Linux and PC workstations) that features email server, domain control, file/printer sharing, user account management, web servers and so forth, on my own without anyone's help. Yesterday morning the power went down and so did our servers. After I turned the servers back on, the account information system was no longer working. Users weren't able to login with their credentials anymore, even the root. What I did was I logged in the server (the Samba PDC, LDAP server, Kerberos server, domain controller, email server) with single mode, reseted the root password, and added accounts for other individual users on the server. I know it was a bad idea. Although I got some things working (emails, file/printer sharing), but there are still other problems (PHP ldap_bind() from web servers fails, domain user accounts and profiles fail to load correctly). I know there is a centralized mechanism that handles user accounts with the help of OpenLDAP, Kerberos, Samba, BerkeleyDB (and possibly other things), but I don't have a clue of how they work together. I've been trying to learn from docs and books for a long time before this power issue, but not very successful. My greatest problem is that I don't know how these things are working together on my system. I believe I also lack some fundamental system knowledge. I've been reading the docs available, but they're so abstract to me and none of them seems to match our system configuration. I'm hoping that I can get some help from here. Maybe some one can give me some suggestions on how to troubleshoot in such a scenario as a newbie, or an entry point that I can follow in order to explore the system. I believe you can tell that I'm totally confused here without being able to give much useful information about the problem and the system. I'm sorry for my ignorance, but I really tried to deal with it myself. If this thread turns out to be annoying or ridiculous, please ignore, and I do apologize. However, while I'm still struggling on the problem, if anyone could help, I would really appreciate it. Thank you so much. N.M.

10 years, 9 months

3
2
0 / 0

slapd 2.2.24 will not start as non root user

by Iain M Conochie

Good Afternoon, I am attempting to upgrade my openldap 2.4.x installation to the latest release 2.4.24. I am compiling from source. I can start slapd as the root user but I am unable to start as a non-root user (e.g. ldap). I am receiving the following error message: /opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXXX.XXXXXXXX.XXX slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed. Aborted Is the server attempting to bind to another ldap server? This is the "secondary" server on the network an I have the main LDAP server in /etc/ldap.conf. Running an strace I do see slapd referencing this file: open("/etc/ldap.conf", O_RDONLY) = 8 fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0 fstat64(8, {st_mode=S_IFREG|0644, st_size=919, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fa1000 read(8, "#\n# LDAP Defaults\n#\n\n# See ldap."..., 4096) = 919 read(8, "", 4096) = 0 close(8) = 0 munmap(0xb7fa1000, 4096) = 0 stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0 geteuid32() = 0 brk(0x82b2000) = 0x82b2000 stat64("/etc/ldap.conf", {st_mode=S_IFREG|0644, st_size=919, ...}) = 0 geteuid32() = 0 write(2, "slapd: sbind.c:76: ldap_simple_b"..., 95slapd: sbind.c:76: ldap_simple_bind: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed. ) = 95 rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0 tgkill(9691, 9691, SIGABRT) = 0 --- SIGABRT (Aborted) @ 0 (0) --- +++ killed by SIGABRT +++ Process 9691 detached Does anyone have any ideas here? Regards Iain M Conochie

10 years, 9 months

4
10
0 / 0

openldap does not want to write log files?

by Mauricio Tavares

I am feeling rather confused here. I installed openldap in a solaris10/sparc box but I do not seem to persuade it to write to a log file. FYI, right now I am running slapd as root so permissions AFAIk should not be the issue. FYI, syslog here is the old, non-rsyslog/syslog-ng variety. So, in the /etc/syslog.conf file I have: local4.info /var/log/ldap.log local4.err /var/log/ldap.log local4.notice /var/log/ldap.log which makes me think I should be covering every possible message sent by slapd. Now /var/log/ldap.log is created as -rw------- 1 root sys 0 Feb 28 16:21 ldap.log and in the slapd.conf file I have loglevel 11560 logfile /var/log/slapd.log which not only should mean slapd is blabbing a lot to the log file. Also note I am telling it to write to /var/log/slapd.log, -rw------- 1 root sys 0 Mar 1 07:39 slapd.log When I start slapd (after restarting syslog just in case), nothing is written to those two log files. In fact, the only clue that something happened is the data in slapd.log changed: -rw------- 1 root sys 0 Feb 28 16:21 ldap.log -rw------- 1 root sys 0 Mar 1 07:40 slapd.log Anything I am missing here?

10 years, 9 months

5
8
0 / 0

multiple certificates on one LDAP server

by Yann CUEFF

Hello, Is someone know how to use multiple certificates on one LDAP Server ? I need to use Thawte/Verisign SSL certificate and self signed SSL certificate on one LDAP server. I don't find any information about that. Regards, Yann Ce message et toutes les pièces jointes (ci-après le 'Message') sont établis à l'intention exclusive des destinataires et les informations qui y figurent sont strictement confidentielles. Toute utilisation de ce Message non conforme à sa destination, toute diffusion ou toute publication totale ou partielle, est interdite sauf autorisation expresse. Si vous n'êtes pas le destinataire de ce Message, il vous est interdit de le copier, de le faire suivre, de le divulguer ou d'en utiliser tout ou partie. Si vous avez reçu ce Message par erreur, merci de le supprimer de votre système, ainsi que toutes ses copies, et de n'en garder aucune trace sur quelque support que ce soit. Nous vous remercions également d'en avertir immédiatement l'expéditeur par retour du message. Il est impossible de garantir que les communications par messagerie électronique arrivent en temps utile, sont sécurisées ou dénuées de toute erreur ou virus. ____________________________________________________ This message and any attachments (the 'Message') are intended solely for the addressees. The information contained in this Message is confidential. Any use of information contained in this Message not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. If you are not the addressee, you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return message. E-mail communication cannot be guaranteed to be timely secure, error or virus-free.

10 years, 9 months

1
0
0 / 0

Poor performance on Solaris

by Juergen.Sprenger＠swisscom.com

Hi, we had some performance issues on our ldap servers running Solaris 10 sparc. I did some tests using slamd http://www.slamd.com/ and got disturbing results: ldap-service: OpenLDAP 2.4.23, setup identical on both boxes, threads=64, identical content. box1: hardware: Sun Microsystems sun4v SPARC Enterprise T5120 memory:32 GB RAM os: Solaris 10 s10s_u9wos_14a searches (avg/second): 1521 box2: hardware: AMD 64 phenom 9850 memory: 8 GB RAM os: Linux dsv00000 2.6.36.2 #1 SMP Mon Dec 27 10:09:29 CET 2010 x86_64 AMD Phenom(tm) 9850 Quad-Core Processor AuthenticAMD GNU/Linux searches (avg/second): 22968 I am looking for some hints to improve performance on box1 to a similar level as on box2 or an explanation why on box1 performance is so bad. As slapd.conf, ldap.conf and DB_CONFIG are identical there should not be such a big gap in performance. Juergen Sprenger

10 years, 9 months

7
10
0 / 0

Password policy: possible DoS scenario

by Konstantin Boyandin

Hello, Thanks to everyone having answered me earlier, I've managed to set up password policy on the OpenLDAP provided in CentOS 5.5 repositories (current version 2.3.43). The setup: we have password policy enabled for users accounts in our intranet. After 5 unsuccessful attempts the account is blocked for short duration (30 seconds). Does that mean that anyone now can keep all the accounts blocked most of the time? Am I right that if anyone enters someone else' incorrect password 5 times (in the given case), they will block the target account (regardless of what IP address the attacker was connecting from)? Narrower question: do password policy module developers plan to take into account what IPs are used to connect (thus, blocking only access from specific IPs)? Thanks. All the best, Konstantin

10 years, 9 months

2
3
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2011