openldap-technical March 2011

openldap-technical@openldap.org

102 participants
107 discussions

php ldap binding problems
by Bram Cymet 11 Mar '11

11 Mar '11

Hi, Has anyone had to problem using php_ldap where the bind to ldap will work find but will unbind right away so any attempt to search the tree fails? If so were you able to fix it? -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. 613-608-9752

4 3

Null Search Base
by ldap＠mm.st 10 Mar '11

10 Mar '11

A security scanner was run against our ldap severs and came back with a warning stating "The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool . . ." I'm not overly concerned with the warning, but I was a little confused what the scanner was reffering to. I used the following search in an effort to somewhat duplicate what the scanner was sending and what information is retrieved and was hoping someone could commet if I was ontrack. I assume the warning is due to the namingContext attribute and if desired an acl could be setup to stop the retrival on the information. This is on a RH5 openlap 2.3 server. ldapsearch -x -s base -b '' -H ldap://my.lapdap.server "(objectClass=*)" "*" + I got back this: # dn: objectClass: top objectClass: OpenLDAProotDSE structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: o=mydomain supportedControl: 1.3.6. ..... . . . . supportedControl: 1.3.6. ..... supportedLDAPVersion: 3 entryDN: subschemaSubentry: cn=Subschema

3 2

Remove/Cleanup pwdHistory attribute.
by Meghanand Acharekar 10 Mar '11

10 Mar '11

Hi, Is it possible to change/remove pwdHistory attribute from an individual entry. I'm trying to change/remove using following ldif. dn: uid=user1,ou=People,dc=example,dc=com changetype: modify replace: pwdHistory pwdHistory: 0 and dn: uid=user1,ou=People,dc=example,dc=com changetype: delete delete: pwdHistory Both the tries gives following error. ldapmodify: Constraint violation (19) additional info: pwdHistory: no user modification allowed Thanks in advance. Regards, Meghanand N. Acharekar ------------------------------------------ The gates in my computer are AND, OR and NOT; they are not Bill..

1 0

JLDAP question
by PhilNad214 PhilNad214 10 Mar '11

10 Mar '11

Hi, we've had JLDAP enbedded in our project for 3-4 years and it's been easy to maintain (actually no maintenance required!). I now need to extend it and need to find out a few things - I must confess to not knowing much about LDAP and what its query language is capable of, so if I ask the question here I'm sure if it cannot be answered easily then someone will recommend a good web resource :-) Our first issue, currently we use LDAPConnection.search() to retrieve all the users that are members of a group in a particular OU. This has always been fine with small setups where admins have happily made (manually) the users part of the group. However in larger LDAP setups, where the users may already be in one of several groups, it 's a lot of extra work (potentially) to manage them (making them all members also of our group). What we'd ideally like is for the admins to be able to add those existing groups themselves to our group. This is possible of course, but when we are iterating over the search results, we get all the existing individually added members, but when it comes to an added group, we get just the group entry (no real surprise). So my question is, can the search be written in a way that if the search results was to include a group, all the members of that group are actually returned in the results? (Sort of like 'auto-expand' groups.) If that isn't possible then I assume we'll have to refactor our code to automatically do another search within the search if we encounter a group entry within the results? BTW here is a trimmed-down version of the search code: String aGroupname = "bob"; int searchScope = LDAPConnection.SCOPE_SUB; String attrs[] = { "msDS-UserAccountDisabled", "ms-DS-UserAccountAutoLocked", "msDS-UserPasswordExpired", "isDeleted", "CN", "sAMAccountName", "distinguishedName", "givenName", "middleName", "sn", "memberOf", "mail", "name", "employeeID"}; boolean attributeOnly = false; String searchDN = "OU=...."; String searchFilterA = "(memberOf=CN="+aGroupname+","+searchDN + ")"; String searchFilterB = "(memberOf=sAMAccountName="+aGroupname+","+searchDN + ")"; String searchFilter = "(|" + searchFilterA + searchFilterB + ")"; LDAPSearchConstraints cons = new LDAPSearchConstraints(); cons.setTimeLimit(10000); LDAPSearchResults searchResults = _lc.search(searchDN, // container to search searchScope, // search scope searchFilter, // search filter attrs, // "1.1" returns entry name only attributeOnly, // no attributes are returned cons); // time out value while (searchResults.hasMore()) .... etc .... Cheers, Phil

1 0

syncrepl with with multiple subordinate databases
by Dieter Kluenter 09 Mar '11

09 Mar '11

Hi, I am facing a severe problem with the replication of subordinate databases and a log database. The initial replication of the subordinate databases is successful but afterwards slapd crashes, A backtrace and a momory map can be found here http://pastebin.de/15919 the provider slapd.conf can be found here http://pastebin.de/15920 the consumer slapd.conf can be found here http://pastebin.de/15922 -Dieter -- Dieter Klünter | Systemberatung sip: 7770535(a)sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6

2 1

[Solved] Poor performance on Solaris
by Juergen.Sprenger＠swisscom.com 09 Mar '11

09 Mar '11

Hi, first I wish to thank all those who supplied helpful hints to solve the problem, especially Quanah Gibson-Mount and Howard Chu. My performance issue was solved by switching from memory mapped keys to shared memory keys for hdb as suggested by Quanah and Howard. Putting 'shm_key 10' into slapd.conf and restart of slapd solved the problem. Performance improvement was about factor 10 on the Solaris box. As the problem was gone connection logging was switched off, which additionally doubled throughput as Solaris sylog can't do asynchronous logging. During further tests slapd stopped responding when many concurrent connections were active. This behaviour was caused by default settings in /etc/system. Adding two lines to /etc/system and reboot solved the problem: set rlim_fd_max = 16368 set rlim_fd_cur = 8192 Should be enough for about 8000 connections. Performance before: box1: hardware: Sun Microsystems sun4v SPARC Enterprise T5120 memory:32 GB RAM os: Solaris 10 s10s_u9wos_14a searches (avg/second): 1521 Performance after: box1: hardware: Sun Microsystems sun4v SPARC Enterprise T5120 memory:32 GB RAM os: Solaris 10 s10s_u9wos_14a searches (avg/second): 37000 My next step will be tuning network parameters. Juergen Sprenger

2 3

slapcat on bdb
by ldap＠mm.st 08 Mar '11

08 Mar '11

Running RH5 openldap 2.3 with "database bdb" in slapd.conf. This has most likely been covered, but I am seeing many conflicting recommendations on running slapcat while slapd is running. The man page states "It is always safe to run slapcat with the slapd-bdb" Which seems very definitive, but I came across another well know guide that states that even though the man page states its ok, slapd should be stopped first before running slapcat. I'm writing a short backup script to generate nightly ldif output using slapcat and would rather not shut down slapd in the script. Since I have not been running openlap for very long, I was curious if anyone has had any problems running slapcat while slapd was running.

2 1

Re: LDAP browsers and cn=config
by harry.jede＠arcor.de 08 Mar '11

08 Mar '11

Gervase Markham wrote: > Can you tell me which LDAP browsers do support this scheme? After > all, the other part of my message was asking for advice on which was > best. GQ I am using gq for years. It's an GTK based graphical LDAP Editor. And yes, you may edit cn=config. Snippet of my ~/.gq <ldapserver> <name>debby-3</name> <ldaphost>debby-3</ldaphost> <ldapport>389</ldapport> <basedn>cn=config</basedn> <binddn>cn=admin,dc=kronprinz,dc=xx</binddn> <pw-encoding>Base64</pw-encoding> <search-attribute>cn</search-attribute> </ldapserver> I am NOT using ldapi and NOT the directory cn=config, but the file slapd.conf with a config-DB definition: database config rootdn "cn=admin,dc=kronprinz,dc=xx" This rootdn is the same rootdn as I use in database hdb. So there is no need to specify a password here. -- Harry Jede

1 0

LDAP single sign on with samba
by Lumeng Lim 08 Mar '11

08 Mar '11

not sure if this is the right place. would like to implement samba with ldap as well as authentication using sonicwall basically, I just want to be able to manage groups, users and computers. would like your help on where I can start so I can implement this properly.

5 4

back_shell anomaly with distribution example deploy
by Marco Pizzoli 07 Mar '11

07 Mar '11

Hi list, I'm having a problem in using the example back_shell example of OL distribution. I'm using OL 2.4.21 as released in Ubuntu10.04 distribution. This is my database definition: database shell suffix "dc=pippo,dc=it" search /tmp/slapd_search.sh This is the example script found in the OL distribution. Im my test this is /tmp/slapd_search.sh #!/bin/bash # $OpenLDAP: /servers/slapd/back-shell/searchexample.sh,v 1.9.2.6 2011/01/04 23:50:44 kurt Exp $ ## This work is part of OpenLDAP Software <http://www.openldap.org/>. ## ## Copyright 1998-2011 The OpenLDAP Foundation. ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted only as authorized by the OpenLDAP ## Public License. ## ## A copy of this license is available in the file LICENSE in the ## top-level directory of the distribution or, alternatively, at ## <http://www.OpenLDAP.org/license.html>. # ## Portions Copyright (c) 1995 Regents of the University of Michigan. ## All rights reserved. ## ## Redistribution and use in source and binary forms are permitted ## provided that this notice is preserved and that due credit is given ## to the University of Michigan at Ann Arbor. The name of the University ## may not be used to endorse or promote products derived from this ## software without specific prior written permission. This software ## is provided ``as is'' without express or implied warranty. while [ 1 ]; do read TAG VALUE #echo "TAG: $TAG" >>/tmp/temp1.txt #echo "VALUE: $VALUE" >>/tmp/temp1.txt if [ $? -ne 0 ]; then break fi case "$TAG" in base:) BASE=$VALUE ;; filter:) FILTER=$VALUE ;; # include other parameters here esac done LOGIN=`echo $FILTER | sed -e 's/.*=$.*$)/\1/'` PWLINE=`grep -i "^$LOGIN" /etc/passwd` #sleep 60 # if we found an entry that matches if [ $? = 0 ]; then echo $PWLINE | awk -F: '{ printf("dn: cn=%s,%s\n", $1, base); printf("objectclass: top\n"); printf("objectclass: person\n"); printf("cn: %s\n", $1); printf("cn: %s\n", $5); printf("sn: %s\n", $1); printf("uid: %s\n", $1); }' base="$BASE" echo "" fi # result echo "RESULT" echo "code: 0" exit 0 This is the result. I cannot see my user listed root@LTSP-vanilla:/etc/ldap/slapd.conf.d# ldapsearch -v -x -s sub -b "dc=pippo,dc=it" "(cn=marco)" ldap_initialize( <DEFAULT> ) filter: (cn=marco) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <dc=pippo,dc=it> with scope subtree # filter: (cn=marco) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 By using strace I can see full execution appering. This is the final excerpt of my output: Process 3914 detached [pid 3915] <... read resumed> "", 4096) = 0 [pid 3915] write(1, "dn: cn=marco,dc=pippo,dc=it\nobjectclass: top\nobjectclass: person\ncn: marco\ncn: marco,,,\nsn: marco\nuid: marco\n", 109) = 109 [pid 3915] exit_group(0) = ? Process 3915 detached [pid 3909] <... waitpid resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 3914 [pid 3909] waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 3915 [pid 3909] rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0 [pid 3909] rt_sigaction(SIGINT, {SIG_DFL, [], 0}, {0x8086b90, [], 0}, 8) = 0 [pid 3909] close(4) = -1 EBADF (Bad file descriptor) [pid 3909] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 3909] --- SIGCHLD (Child exited) @ 0 (0) --- [pid 3909] waitpid(-1, 0xbfda677c, WNOHANG) = -1 ECHILD (No child processes) [pid 3909] sigreturn() = ? (mask now []) [pid 3909] write(1, "\n", 1) = 1 [pid 3909] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [pid 3909] read(255, "\n# result\necho \"RESULT\"\necho \"code: 0\"\n\nexit 0\n\n", 1835) = 48 [pid 3909] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [pid 3909] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [pid 3909] write(1, "RESULT\n", 7) = 7 [pid 3909] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [pid 3909] write(1, "code: 0\n", 8) = 8 [pid 3909] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [pid 3909] rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 [pid 3909] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 3909] exit_group(0) = ? Process 3909 detached [pid 3767] <... read resumed> "dn: cn=marco,dc=pippo,dc=it\nobjectclass: top\nobjectclass: person\ncn: marco\ncn: marco,,,\nsn: marco\nuid: marco\n", 4096) = 109 [pid 3767] --- SIGCHLD (Child exited) @ 0 (0) --- [pid 3767] waitpid(-1, NULL, WNOHANG) = 3909 [pid 3767] waitpid(-1, NULL, WNOHANG) = -1 ECHILD (No child processes) [pid 3767] sigreturn() = ? (mask now []) [pid 3767] read(19, "\nRESULT\ncode: 0\n", 4096) = 16 [pid 3767] read(19, "", 4096) = 0 [pid 3767] time(NULL) = 1299531296 [pid 3767] send(4, "<167>*Mar 7 21:54:56 slapd[3765]: shell: fgets failed: Success (0)\n*", 67, MSG_NOSIGNAL) = 67 [pid 3767] write(16, "0\f\2\1\2e\7\n\1\0\4\0\4\0", 14) = 14 [pid 3767] time(NULL) = 1299531296 [pid 3767] send(4, "<167>Mar 7 21:54:56 slapd[3765]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=\n", 94, MSG_NOSIGNAL) = 94 [pid 3767] close(19) = 0 [pid 3767] munmap(0xb777f000, 4096) = 0 [pid 3767] futex(0x212fc060, FUTEX_WAIT_PRIVATE, 32, NULL <unfinished ...> [pid 3766] <... epoll_wait resumed> {{EPOLLIN, {u32=556622232, u64=556622232}}}, 1024, 450000) = 1 [pid 3766] epoll_ctl(7, EPOLL_CTL_MOD, 16, {0, {u32=556622232, u64=556622232}}) = 0 [pid 3766] futex(0x212fc060, FUTEX_WAKE_OP_PRIVATE, 1, 1, 0x212fc05c, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_GT, 1} <unfinished ...> [pid 3789] <... futex resumed> ) = 0 [pid 3789] futex(0x212fc044, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished ...> [pid 3766] <... futex resumed> ) = 1 [pid 3766] futex(0x212fc044, FUTEX_WAKE_PRIVATE, 1 <unfinished ...> [pid 3789] <... futex resumed> ) = 0 [pid 3789] futex(0x212fc044, FUTEX_WAKE_PRIVATE, 1) = 0 [pid 3789] time(NULL) = 1299531296 [pid 3789] read(16, "0\5\2\1\3B\0", 8) = 7 [pid 3789] time(NULL) = 1299531296 [pid 3789] read(16, "", 8) = 0 [pid 3789] write(6, "0", 1) = 1 [pid 3789] time(NULL) = 1299531296 [pid 3789] send(4, "<167>Mar 7 21:54:56 slapd[3765]: conn=1003 op=2 UNBIND\n", 56, MSG_NOSIGNAL) = 56 [pid 3789] epoll_ctl(7, EPOLL_CTL_DEL, 16, {0, {u32=556622232, u64=556622232}}) = 0 [pid 3789] shutdown(16, 2 /* send and receive */) = 0 [pid 3789] close(16) = 0 [pid 3789] time(NULL) = 1299531296 [pid 3789] send(4, "<167>Mar 7 21:54:56 slapd[3765]: conn=1003 fd=16 closed\n", 57, MSG_NOSIGNAL) = 57 [pid 3789] futex(0x212fc060, FUTEX_WAIT_PRIVATE, 34, NULL <unfinished ...> [pid 3766] <... futex resumed> ) = 1 [pid 3766] time(NULL) = 1299531296 [pid 3766] epoll_wait(7, {{EPOLLIN, {u32=556622188, u64=556622188}}}, 1024, 1283000) = 1 [pid 3766] read(5, "0", 8192) = 1 [pid 3766] time(NULL) = 1299531296 [pid 3766] epoll_wait(7, <unfinished ...> [pid 3765] <... futex resumed> ) = ? ERESTARTSYS (To be restarted) [pid 3765] futex(0xb7609bd8, FUTEX_WAIT, 3766, NULL^C <unfinished ...> Process 3765 detached Process 3766 detached Process 3767 detached Process 3789 detached As you can see with bold font, I obtain a strange behaviour "fgets failed". But user "marco" exists in /etc/passwd. Someone could tell me what is wrong? Thanks in advance Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2011