openldap-technical March 2011

openldap-technical@openldap.org

102 participants
107 discussions

Error code 65 - invalid structural object class chain (groupOfUniqueNames/posixGroup)]
by Casey Jordan 18 Mar '11

18 Mar '11

Hi group, I am trying to import an ldif and I keep getting this error which has me totally stumped: [LDAP: error code 65 - invalid structural object class chain (groupOfUniqueNames/posixGroup)] ( And here is the attributes it fails on ) dn: cn=dba,ou=Groups,dc=exist,dc=easydita , dc=com gidNumber: 1 objectClass: groupOfUniqueNames objectClass: posixGroup uniqueMember: uid=admin,ou=Users,dc=exist,dc=easydita , dc=com cn: dba I assume this has something to do with a conflict between posixGroup and groupOfUniqueNames, but I am pretty green on this stuff so I am not sure what I need to do to resolve this. Any help would be much appreciated. Thanks, Casey -- -- Casey Jordan easyDITA a product of Jorsek LLC "CaseyDJordan" on LinkedIn, Twitter & Facebook Cell (585) 348 7399 Office (585) 239 6060 easydita.com This message is intended only for the use of the Addressee(s) and may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, please be advised that any disclosure copying, distribution, or use of the information contained herein is prohibited. If you have received this communication in error, please destroy all copies of the message, whether in electronic or hard copy format, as well as attachments, and immediately contact the sender by replying to this e-mail or by phone. Thank you.

2 1

Re: newbie problem importing ldap
by deconya 18 Mar '11

18 Mar '11

Hi Are you sure? I have a server working and not has any slapd.conf inside. The new server too. Are two ubuntu 9.04 server. Thanks 2011/3/18 Jonathan Clarke <jonathan(a)openldap.org> > On 18/03/11 15:42, deconya wrote: > > Ok and where i can change it? > > > > Mi ldap.conf only has: > > > > base dc=esci,dc=es > > > > uri ldapi://127.0.0.1/ <http://127.0.0.1/> > > > > ldap_version 3 > > > > rootbinddn cn=admin,dc=esci,dc=es > > > > Is other file? > > The configuration file for OpenLDAP server is slapd.conf. ldap.conf is > for LDAP *clients*, thus irrelevant here. > > Jonathan > > > > > 2011/3/18 Benjamin Griese <der.darude(a)gmail.com > > <mailto:der.darude@gmail.com>> > > > > Hello, > > your database suffix doesn't fit to your ldif, you're missing "dc=es" > > in your database suffix declaration. > > > > bye. > > > > On Fri, Mar 18, 2011 at 13:11, deconya <elmailpersonal(a)gmail.com > > <mailto:elmailpersonal@gmail.com>> wrote: > > > Hi list > > > > > > Im having problems configuring a new slave ldap server. I made > > > > > > # slapcat -l master.ldif in masters server > > > > > > Inside ubuntu server with openldap 2.4 Im going to import using > > > > > > # slapadd -c -l ./master.ldif > > > > > > Appears: > > > > > > slapadd: line 1: database (dc=esci) not configured to hold > > "dc=esci,dc=es" > > > slapadd: line 1: database (dc=esci) not configured to hold > > "dc=esci,dc=es" > > > slapadd: line 19: database (dc=esci) not configured to hold > > > "cn=admin,dc=esci,dc=es" > > > slapadd: line 19: database (dc=esci) not configured to hold > > > "cn=admin,dc=esci,dc=es" > > > slapadd: line 33: database (dc=esci) not configured to hold > > > "ou=Users,dc=esci,dc=es" > > > slapadd: line 33: database (dc=esci) not configured to hold > > > "ou=users,dc=esci,dc=es" > > > slapadd: line 45: database (dc=esci) not configured to hold > > > "ou=Groups,dc=esci,dc=es" > > > slapadd: line 45: database (dc=esci) not configured to hold > > > "ou=groups,dc=esci,dc=es" > > > slapadd: line 57: database (dc=esci) not configured to hold > > > "ou=Computers,dc=esci,dc=es" > > > slapadd: line 57: database (dc=esci) not configured to hold > > > "ou=computers,dc=esci,dc=es" > > > slapadd: line 69: database (dc=esci) not configured to hold > > > "ou=Idmap,dc=esci,dc=es" > > > slapadd: line 69: database (dc=esci) not configured to hold > > > "ou=idmap,dc=esci,dc=es" > > > > > > And more errores type: > > > > > > str2entry: invalid value for attributeType objectClass #4 (syntax > > > 1.3.6.1.4.1.1466.115.121.1.38) > > > slapadd: could not parse entry (line=123) > > > > > > Only I installed openldap package and inside schema folder I added > > the same > > > schema archives. > > > > > > What step Im wrong? > > > > > > Thanks And Best Regards > > > > > > > > > > > -- > > To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To > > be is to do -- Sartre | Do be do be do -- Sinatra > > > > > >

2 1

Confused about pwdpolicy
by Luo, Frank Y.F. Mr. 18 Mar '11

18 Mar '11

I have an administrative user "uid=admin,ou=people,dc=compnay,dc=com" and The first ACI sentence is like this access to * by dn=" uid=admin,ou=people,dc=compnay,dc=com" manage ... {omitted} by * break access to ..... {omitted} I assume that allows this admin user to manage all the attribute (*) including changing userPassword for all users. But it turns out that I still need to set pwdAllowUserChange to TRUE in the default pwdpolicy. But as I understand this password policy controls users changing their own password, not an administrator covered by above ACI. Here I copied from the man page. pwdAllowUserChange This attribute specifies whether users are allowed to change their own passwords or not. If pwdAllowUserChange is set to "TRUE", or if the attribute is not present, users will be allowed to change their own passwords. If its value is "FALSE", users will not be allowed to change their own passwords. There must be some misundersanding here. Anyone can help? Thanks Frank

1 1

newbie problem importing ldap
by deconya 18 Mar '11

18 Mar '11

Hi list Im having problems configuring a new slave ldap server. I made # slapcat -l master.ldif in masters server Inside ubuntu server with openldap 2.4 Im going to import using # slapadd -c -l ./master.ldif Appears: slapadd: line 1: database (dc=esci) not configured to hold "dc=esci,dc=es" slapadd: line 1: database (dc=esci) not configured to hold "dc=esci,dc=es" slapadd: line 19: database (dc=esci) not configured to hold "cn=admin,dc=esci,dc=es" slapadd: line 19: database (dc=esci) not configured to hold "cn=admin,dc=esci,dc=es" slapadd: line 33: database (dc=esci) not configured to hold "ou=Users,dc=esci,dc=es" slapadd: line 33: database (dc=esci) not configured to hold "ou=users,dc=esci,dc=es" slapadd: line 45: database (dc=esci) not configured to hold "ou=Groups,dc=esci,dc=es" slapadd: line 45: database (dc=esci) not configured to hold "ou=groups,dc=esci,dc=es" slapadd: line 57: database (dc=esci) not configured to hold "ou=Computers,dc=esci,dc=es" slapadd: line 57: database (dc=esci) not configured to hold "ou=computers,dc=esci,dc=es" slapadd: line 69: database (dc=esci) not configured to hold "ou=Idmap,dc=esci,dc=es" slapadd: line 69: database (dc=esci) not configured to hold "ou=idmap,dc=esci,dc=es" And more errores type: str2entry: invalid value for attributeType objectClass #4 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=123) Only I installed openldap package and inside schema folder I added the same schema archives. What step Im wrong? Thanks And Best Regards

2 2

openldap installed, running but can't connect remotely
by Casey Jordan 18 Mar '11

18 Mar '11

Hi group, I hope this is the right list to post this under. I have been having a problem connecting to an ldap server I just set up on ubuntu 10.10 I can use ldapsearch locally and get good results. but when I try to connect remotely IE: *sudo ldapsearch -xLLL -W -H ldap://ice.rit.edu -d1 "dc=easydita,dc=com"* (See end of debug) ldap_url_parse_ext(ldap://ice.rit.edu) ldap_create ldap_url_parse_ext(ldap://ice.rit.edu:389/??base) Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ice.rit.edu:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 34 bytes to sd 3 ldap_result ld 0xb8940170 msgid 1 wait4msg ld 0xb8940170 msgid 1 (infinite timeout) wait4msg continue ld 0xb8940170 msgid 1 all 1 ** ld 0xb8940170 Connections: * host: coheed.rit.edu port: 389 (default) refcnt: 2 status: Connected last used: Thu Mar 17 19:42:29 2011 ** ld 0xb8940170 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0xb8940170 request count 1 (abandoned 0) ** ld 0xb8940170 Response Queue: Empty ld 0xb8940170 response count 0 ldap_chkResponseList ld 0xb8940170 msgid 1 all 1 ldap_chkResponseList returns ld 0xb8940170 NULL ldap_int_select read1msg: ld 0xb8940170 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 0xb8940170 msgid 1 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0xb8940170 0 new referrals read1msg: mark request completed, ld 0xb8940170 msgid 1 request done: ld 0xb8940170 msgid 1 res_errno: 49, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_err2string *ldap_bind: Invalid credentials (49)* I think I set up my admin password correctly, but I don't know how to verify this. This info may help too: Contents of /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif dn: olcDatabase={0}config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * break olcRootDN: cn=admin,cn=config structuralObjectClass: olcDatabaseConfig entryUUID: eca09490-e524-102f-87c5-17d7a82e8985 creatorsName: cn=config createTimestamp: 20110317205733Z entryCSN: 20110317205733.193089Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20110317205733Z I've spent about 5 hours now trying to get this to work so any help would be much appreciated. Thanks Casey -- -- Casey Jordan easyDITA a product of Jorsek LLC "CaseyDJordan" on LinkedIn, Twitter & Facebook Cell (585) 348 7399 Office (585) 239 6060 easydita.com This message is intended only for the use of the Addressee(s) and may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, please be advised that any disclosure copying, distribution, or use of the information contained herein is prohibited. If you have received this communication in error, please destroy all copies of the message, whether in electronic or hard copy format, as well as attachments, and immediately contact the sender by replying to this e-mail or by phone. Thank you.

2 2

OpenLDAP migration from 2.3 to 2.4
by jpb＠bordengrammar.kent.sch.uk 18 Mar '11

18 Mar '11

Hi All, I'm currently in the progress of moving from v2.3 to 2.4 and have been following the procedure shown in the documentation for switching from the old slapd.conf to the new cn= format, i.e. slaptest -f <path> -F path> . If I copy over slapd.conf from my old server and run slapd -d 256 , it starts perfectly and answers querires, etc.. If, on the other hand, I run the slaptest command shown above I get the following: <= str2entry(cn={1}core) -> 0x7fda53d38798 => access_allowed: search access to "cn={1}core,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) olcAttributeTypes: value #0 olcAttributeTypes: Duplicate attributeType: "2.5.4.2" config error processing cn={1}core,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: "2.5.4.2" send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=80 matched="" text="" slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. I've been around Google and have found no solutions. My slapd.conf is years old and was made according to the smbldap tutorial originally written by IDEALX. The file is shown below and any info is welcome. Thanks, Julian ####slapd.conf #### include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema database bdb directory /var/lib/ldap suffix "dc=bordengrammar,dc=kent,dc=sch,dc=uk" rootdn "cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk" sizelimit 10000 idletimeout 3700 rootpw {SSHA}<removed> index objectClass,uidNumber,gidNumber eq index cn,sn,uid,displayName pres,sub,eq index memberUid,mail,givenname eq,subinitial index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq # TLSCertificateFile /etc/openldap/cacerts/ldap.cert # TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none access to * by * read access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=nssldap,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by self write by anonymous auth by * none access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by * read access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by self write by * read access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by self write by * read access to dn.base="dc=bordengrammar,dc=kent,dc=sch,dc=uk" by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by * none access to dn="ou=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk" by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by * none access to dn="ou=Groups,dc=bordengrammar,dc=kent,dc=sch,dc=uk" by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by * none access to dn="ou=Computers,dc=bordengrammar,dc=kent,dc=sch,dc=uk" by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write by * none access to * by dn="cn=slapmaster,ou=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk" read by self read by * none

2 1

ppolicy pwdMinLenght, pwdAccountLockedTime and pwdLockoutDuration don't work as supposed
by Theo Alves 18 Mar '11

18 Mar '11

Hello there, We have 40 machines on an educational informatics lab authenticating with LDAP. I am using python ldap module as management tool. I am experiencing two problems at now. The first one is when an user access ldap by python the ppolicy pwdMinLenght doesn't work. The user can freely put a password too short. That doesn't happen when using passwd. Check out the python code snip: import ldap dn = 'uid=%s,ou=People,dc=example,dc=com' % 'user1' con = ldap.initialize('ldapi:///') con.bind_s(dn, raw_input('Password: ')) #getting the present password con.passwd_s(dn, None, '1') The to default_ppolicy entry pwdMinLenght is setted to 5, even so the code above works to regular users and they can put passwords too short. The second thing is in the lab sometimes users should be disabled for time periods (2 weeks for instance). I guessed I could set pwdAccountLockedTime to now and pwdLockoutDuration to the duration and the user would be automatically unlocked after that time, but it doesn't look to work. I guess this directives are only valid when pwdFailureTime is setted by the authentication methods. Can someone confirm that I can't set manually pwdAccountLockedTime and pwdLockoutDuration to block user access to a determined period? What would be the alternatives? I hope I haven't missed the answers because a lack of English skills. I have "googled" a lot about that, but nothing useful came up. The mail list archives search in openldap-technical doesn't return anything even when I try ldap, or ppolicy. I browsed some month archives but got nothing by the e-mail subjects. Thanks in advance for any help and answers. I hope I have been understood and sorry about any mistakes I've made concerning the language. Theo -- O Pensamento Governa o Universo http://www.999thnight.com http://www.unreversed.com

2 1

(no subject)
by Juan José Aragonés 18 Mar '11

18 Mar '11

Hello After installing and configuring openLDAP in Linux I’m trying to do the same in Windows 7. No, it’s not my idea but what my boss wants me to do. So I downloaded openLDAP from http://www.userbooster.de/en/download/openldap-for-windows.aspx and installed. Configured my slapd.conf as follows: include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema pidfile ./run/slapd.pid argsfile ./run/slapd.args ## server permits anonymous binds allow bind_anon_dn ## Misc security settings password-hash {SSHA} ####################################################################### # Database Section ####################################################################### ## Define the beggining of example database database bdb ## Define the root suffix you serve suffix "dc=example,dc=com" ## Define a root DN for superuser privilege (Not necessary) rootdn "cn=Manager,dc=example,dc=com" ## Define the password used with roodn. For this example it will be "secret" rootpw {SSHA}E7ptTQ3Z6DdkPacF6sO3qXrueUKoM8Kq ## Directory containing the database files directory ./data/example ## Indexes to maintain index ObjectClass eq index cn,sn,mail eq,sub index departmentNumber eq ## db tunning parameters: cache 2000 entries in memory cachesize 2000 I started it (slapd -h ldap://) and it works ok. But now I'm trying to connect using ldaps, but I don't find how to create a self-signed certificate in a way as easy as it was in Linux. If you know where there's a good guide I would be really grateful. Thank you Joe Aragones

1 0

Schema Design :: ACL on Groups by Group Members only
by sim123 18 Mar '11

18 Mar '11

Hi There, I want "n" number of groups (or similar structure which keeps member information) to be created and only group members have access to those groups. Members are defined in separate user branch so my DIT look like dc=example,dc=com +--ou=people,dc=example,dc=com +----uid=bjanson,ou=users,dc=example,dc=com +----uid=matt,ou=users,dc=example,dc=com +--cn=group1,dc=example,dc=com (groupOfNames) +----cn=subgroup1,dc=example,dc=com (groupOfNames) now users bjanson and matt are member of group1, only bjanson is member of subgroup1. I would like to have ACL defined so only members can access their group. I don't need any ACL on subgroup as long as only all members of parent group can access it. Is it possible to do that in generic form because basic ACL syntax needs dn/filter in "access to " clause. In my example if I have n groups I will end up having n access control syntax in slapd.conf, which doesn't sound a good idea. Also, I don't need to use groups as such but groupOfNames/ groupOd UniqueNames are the only classes which support member attribute. Please let me know if there is any other objectClass I should use. Thanks for all the help and support, I appreciate it very much.

3 2

OpenLDAP 2.4.23 hangs when creating new group objects
by Mark Cave-Ayland 17 Mar '11

17 Mar '11

Hi all, Having just upgraded our internal LDAP server from Debian Lenny (2.4.16 internal build) to Debian Squeeze (2.4.23), we have started to see instances where the slapd process hangs and stops responding to all requests until we kill -9 and restart the process. Bizarrely enough, we can reproduce this pretty much every time when we try and create a new LDAP group using the GOsa web administration tool. Is this a known issue at all? Next time it happens, I'm happy to post a backtrace if you let me know what output you need from gdb to debug this. Many thanks, Mark. -- Mark Cave-Ayland - Senior Technical Architect PostgreSQL - PostGIS Sirius Corporation plc - control through freedom http://www.siriusit.co.uk t: +44 870 608 0063 Sirius Labs: http://www.siriusit.co.uk/labs -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

3 6

← Newer
1
2
3
4
5
6
7
8
9
10
11
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2011