openldap-technical April 2011

openldap-technical@openldap.org

97 participants
98 discussions

Using memberOf overlay with groups that contain uids, not DNs
by Oliver Beattie 02 Apr '11

02 Apr '11

Hi, I realise the documentation for slapo-memberof indicate that this isn't possible, but I thought it worthwhile asking here anyway — is it possible to use the memberOf overlay with groups that use memberUid as their membership attributes, rather than user DNs? We have a large existing LDAP database that has thousands of groups like this, and would very much like to use slapo-memberof. Any pointers (positive or negative) much appreciated — just so I know for definite. —Oliver

2 1

adding a second node
by Friedrich Locke 01 Apr '11

01 Apr '11

Hi folks, i am begining to study ldap and have a doubt. In my tree i have a node a=b inserted below c=d,e=f, i.e., a=b,c=d,e=f exists. What happens if i try to insert a "new" a=b below c=d,e=f ? Thanks in advance. Gustavo.

2 1

Re: Antwort: Re: RHEL 6 OpenLDAP 2.4.19-15.el6 init problem
by Quanah Gibson-Mount 01 Apr '11

01 Apr '11

--On Friday, April 01, 2011 6:05 AM +0100 Markus Moj <MMoj(a)timocom.com> wrote: > > Hi, > > due to update and security policies in my company we are using the stable > version of the delivered build in openLDAP from Red Hat. Hi Markus, While I understand this is often the case with companies, this policy is short sighted. If you want to have a stable, secure, and functional LDAP server, then you need to be able to build OpenLDAP from source. If you insist on using RedHat's outdated and flawed packages, then you need to contact RedHat support to fix any bugs you find with it, as the advice from upstream will always be for you to build and install the current OpenLDAP version to verify whether or not any bugs you find actually exist in a current release. I would suggest you read over the change logs since OpenLDAP 2.4.19 was released to get an idea of the numerous issues that have been fixed since that release went out. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Dealing with BDB Crash
by ldap＠mm.st 01 Apr '11

01 Apr '11

A while ago I posted that we were having what we thought were random bdb backend crashes with the following in our log: bdb(o=example.com): PANIC: fatal region error detected; run recovery. This was on a on our RH5 openldap servers (2.3.43) that we were rebuilding: It appears that the crashes were caused by a vulnerability scanner that was hitting the server (still testing), even though it was suppose to be safe. We'll have to investigate what is causing it, maybe we will need an acl to stop whatever the scanner is doing. Once we stopped the automated scan, the servers seem to be running as expected. But, this brought up another issue. When the bdb backend failed, the slapd process continued run and listen on the ldap ports and clients still tried to connect to the failed server for authentication. The server accepted and established the connection with the client. Of course the client could not authenticate since the backend db was down. The client will not fail over to the other server that is listed in it's ldap.conf file since it thinks it has a valid connection. If the slap process is not running then the fail over works fine since no ports are there for the client to connect to. I'm thinking that bdb failures will be rare once we solve the scanner issue, but on a network that relies heavily on ldap, a failed bdb backend with a running slapd would cause significant issues. Just trying to restart the slapd service doesn't fix the issue, a manual recovery is required (slapd_db_recover). I was curious if anyone has put something in place to deal with this potential issue? Maybe run slapd_db_status via cron and if it errors due a bdb corruption, just stop slapd and let the admin know. At least the clients would be able to failover to the other ldap servers. I guess an automated recovery is possible via a script, but I'm not sure if that's a good idea. Maybe dealing with this type of failure is not really required, I was hoping that some of you that have been do this for a while would have some insight.

8 9

issue with slapadd
by Judith Flo Gaya 01 Apr '11

01 Apr '11

Hello, I'm using openldap-server 2.4.19-15 in a Red Hat 6 box (x86_64), rpm installation. This is the very first time I use ldap and I'm having some issues with the configuration. I read that the slapd.conf file should not be use, instead the slapd.d directory is the new system that is meant to be. As I don't know how this exactly works, I've been reading and folowing the tutorial in the openldap page. Specifically I read the Administration guide and I copy and adapt the config.ldif file to suit my needs. After a while I manage to run the command: slapadd -F /etc/openldap/slapd.d -n 0 -l config.ldif with no problems. I thought that once this was done the slapd should start smoothly, but instead I'm having an slaptest error saying that my configuration FILE is wrong. As the slapd.conf doesn't exists, I don't know where this error comes from. I tried #slaptest -v -d1 -F ../slapd.d/ [......] ldif_back_add: "olcDatabase={-1}frontend,cn=config" oc_check_required entry (olcDatabase={-1}frontend,cn=config), objectClass "olcDatabaseConfig" oc_check_required entry (olcDatabase={-1}frontend,cn=config), objectClass "olcFrontendConfig" oc_check_allowed type "objectClass" oc_check_allowed type "olcDatabase" oc_check_allowed type "olcAddContentAcl" oc_check_allowed type "olcLastMod" oc_check_allowed type "olcMaxDerefDepth" oc_check_allowed type "olcReadOnly" oc_check_allowed type "olcMonitoring" oc_check_allowed type "structuralObjectClass" oc_check_allowed type "entryUUID" oc_check_allowed type "creatorsName" oc_check_allowed type "createTimestamp" oc_check_allowed type "entryCSN" oc_check_allowed type "modifiersName" oc_check_allowed type "modifyTimestamp" ldif_back_add: err: 68 text: send_ldap_result: conn=-1 op=0 p=0 slaptest: bad configuration directory! Since the directory structure was built by the slapadd command, where is the problem? I'm sure I'm doing something wrong but I can't find it ;( Permissions are ok (at the beginning I had issues with the include core.ldif part of my config.ldif, I ended pasting the contents in the config.ldif) Thanks in advance for your help, hope you can shed some light on this. j -- Judith Flo Gaya Systems Administrator IMPPC e-mail: jflo(a)imppc.org Tel (+34) 93 554-3079 Fax (+34) 93 465-1472 Institut de Medicina Predictiva i Personalitzada del Càncer Crta Can Ruti, Camí de les Escoles s/n 08916 Badalona, Barcelona, Spain http://www.imppc.org

2 2

importing ldap database for a BDC
by deconya 01 Apr '11

01 Apr '11

Hi list Im preparing a BDC server using samba with ldap and I start to import the database. At first I commented and error with the suffix but not was the last of my problems, Im importing and appears: <= str2entry: str2ad(sambaLogonTime): attribute type undefined slapadd: could not parse entry (line=81) _ 0.09% eta 01m elapsed none spd 64.8 k/s Closing DB... What Im making bad? First I copied all inside /etc/ldap/schema/ to the BDC, and I prepared with slapcat a bckup from PDC. I installed samba and copied smb.conf modifying the role. When I go to execute the slapadd -l backup.ldif appears the error. Any idea? Thanks And Best Regards

3 3

Regexp in rootdn and set-resolving of monitor attr
by Kilian Röhner 01 Apr '11

01 Apr '11

Hey, i have two questions: 1. Is it possible to specify a regexp as rootdn? 2. In an access-rule, i have a set like: by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) & (this/modifiersName + this/createTimestamp)" write But it seems, that the Monitor-Part isn't resolved correctly (returns empty and thus empty for the whole set). What am i doing wrong here? Thanks! Regards, Kilian

3 7

overlay ppolicy not found
by sarath chandra 01 Apr '11

01 Apr '11

Hi, I'm getting this error: ------------------------------------------Mar 31 18:03:50 if-sr-000033 slapd[2170]: @(#) $OpenLDAP: slapd 2.4.23 (Feb 21 2011 03:15:19) $ root@IF-SR-000033:/root/ldap/openldap-2.4.23/servers/slapd Mar 31 18:03:50 if-sr-000033 slapd[2170]: overlay "ppolicy" not found Mar 31 18:03:50 if-sr-000033 slapd[2170]: slapd stopped. Mar 31 18:03:50 if-sr-000033 slapd[2170]: connections_destroy: nothing to destroy. ------------------------------------------ The slapd.conf file has these entries also: modulepath /usr/local/lib moduleload /usr/local/lib/ppolicy.la overlay ppolicy ppolicy_default "cn=Standard Policy,ou=Policies,dc=uaeexchange,dc=com ppolicy_use_lockout ------------------------------------------ The o/s is CentOS release 5. Can anybody suggest a solution for this? TIA Sarath

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2011