openldap-technical April 2011

openldap-technical@openldap.org

97 participants
98 discussions

Re: Deleted DNs, and the great quest.
by xsun 27 Apr '11

27 Apr '11

I agree with that, I've been using delta-syncrepl here for a while and its much more reliable than syncrepl IMO. I did not found any consistency issue with the replication so far. Thanks, Matheus Morais 2011/4/27 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Wednesday, April 27, 2011 8:01 PM +0200 Michael Ströder < > michael(a)stroeder.com> wrote: > > Correct. >>> >> >> Couldn't this be the cause for delta-syncrepl to seem more reliable than >> normal syncrepl (without slapo-accesslog)? >> > > I don't think so, because that is on the master, not on the replicas. > Replicas still get changes in the order they were written to the master > (supposedly anyhow. ;) ). > > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

1 0

'Operations error' possible from self signed cert?
by paul.osborne＠canterbury.ac.uk 27 Apr '11

27 Apr '11

Hi, I have a working (I think) LDAP proxy using TLS between other systems and our Active Directory. I am though slightly confused as to why when the proxy is working it is generating the following operations error messages. An example of the query and response: ldapsearch -x -LLL "(cn=ta99)" -D "CN=ldapproxy,OU=Service Accounts,DC=myad,DC=canterbury,DC=ac,DC=uk" -w password -Z ldap_start_tls: Operations error (1) additional info: TLS already started dn: cn=ta99,ou=Test Accounts,ou=OU Canterbury,dc=myad,dc=canterbury,dc=ac, dc=uk cn: ta99 SAMACCOUNTNAME: ta99 # refldaps://ForestDnsZones.myad.canterbury.ac.uk/DC=ForestDnsZones,DC=cca d,D C=canterbury,DC=ac,DC=uk # refldaps://ccad.canterbury.ac.uk/CN=Configuration,DC=myad,DC=canterbury, DC= ac,DC=uk # refldaps://DomainDnsZones.ccad.canterbury.ac.uk/DC=DomainDnsZones,DC=mya d,D C=canterbury,DC=ac,DC=uk # refldaps://ccad.canterbury.ac.uk/CN=Schema,CN=Configuration,DC=myad,DC=c ant erbury,DC=ac,DC=uk Operations error (1) Note that the response LDIF has been filtered somewhat via use of the rwm overlay and this is deliberate. My concern though is the 'Operations error (1)' at the beginning and end of the operation. I *think* that this is because I am using a self signed cert which I am politely allowing though (TLS_REQCERT allow) - but would like to be sure that this is the cause of the error before I have to start getting things up on a real server with a properly trusted certificate and appropriate chain. Many thanks Paul

1 0

Mailbox Limitation
by Vinayagamoorthi.Kvi＠wipro.com 27 Apr '11

27 Apr '11

Hi, My mail server setup is having openldap-2.3.43-3.el5 for virtual users, postfix as MTA and courier-IMAP as IMAP. Now I need to limit the Maildir size via open dap but I don't know how to implement. Please help. Regards, Vinay. Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

1 0

Installation openLDAP in Debian
by D. R. Paudel 27 Apr '11

27 Apr '11

Hi, I tried to install openLDAP in my debian 6.0.1 Squeeze but I got problem as there is no slapd.conf inside /etc/ldap/ directory. Is there any easy process for installation and configuration for beginners. regards, -- Dambar Raj Paudel (Wireless Technology - Researcher) WAKHOK University, Wakkanai, Japan Skype: drpaudel

12 27

integrating a new overlay to the server
by Cohen Roi 27 Apr '11

27 Apr '11

I'm working with rhel 5.5 I want to write a new overlay which also uses another library How do I compile\configure it to work within the server?? Thanks, Roi. ________________________________ "This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: security(a)comverse.com. Thank You."

1 0

LDAP proxy to AD - fails to bind
by paul.osborne＠canterbury.ac.uk 26 Apr '11

26 Apr '11

Hi, I am going through the hoops of setting up an LDAP proxy (OpenLDAP 2.3 as supplied with Red Hat 5.6) in order to expose parts of our Active Directory to other services which for political and security reasons (that I have no influence in) we do not want talking directly to the AD. In order to achieve this I would like to use ldap-back as the database to act as the proxy to the AD and then a module such as translucent to mask out the bits of the AD that we do not want exposed. So far I am fighting to get ldap-back working as I would expect, at the moment no matter what I do it fails to bind against the AD and a tcp dump demonstrates this failure. Anonymously binding and querying the AD is not an option and so I have to specify a user and get ID assertion working to force a bind against the AD as a specific known user. This does mean that anything (at the moment) could query our proxy and so get at the exposed parts of the AD and for the moment that is intentional. I am also aware that TLS etc are not enabled - this is deliberate as it makes packet sniffing for debugging easier. So for my slapd.conf I have: [slapd.conf] database ldap uri "ldap://myad.canterbury.ac.uk/" suffix "dc=myad,dc=canterbury,dc=ac,dc=uk" acl-bind bindmethod=simple binddn="CN=ldapproxy,OU=AD Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk" credentials="password" access to * by * read idassert-bind bindmethod=simple authzId=dn:CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC =uk binddn="CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk " credentials="password" idassert-authzFrom "dn.regex:.*" [end slapd.conf] At the moment I don't really care that anyone can read anything from the AD since I can't even bind, that will be tightened up in due course. I have seen others over the years have had similar issues and I have noted the responses they have received as well as reading the man pages and the Admin Guide, but am now at the point where some community support would be appreciated. Thanks Paul

1 0

Problem about CA Issue Certificate with LDAP
by Nguyen, Quoc Khanh 26 Apr '11

26 Apr '11

Hi all, I'm a new comer, I'm trying to config a CA with LDAP follow this site http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2. 4.2 CA Issue Certificate When going to step 4, I have receieved an error messeage. root@ldap:/usr/local/openssl/bin# /usr/local/openssl/ssl/misc/CA.sh -sign Using configuration from /usr/lib/ssl/openssl.cnf Error opening CA private key ./demoCA/private/cakey.pem 665:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r') 665:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358: unable to load CA private key cat: newcert.pem: No such file or directory Signed certificate is in newcert.pem I think it's very simple, but i don't know how to solve it. I have tried to many ways but fail to fix it. Maybe i don't understand about the CA Certificate. I... I am so confusing. Please help, khanhnq -- *********************************** EVERYTHING HAS JUST BEGUN...

1 0

clarifications on cachesize, preferred db, et. al. from admin guide
by Tim Mooney 21 Apr '11

21 Apr '11

All- I'm getting back to the project of upgrading our OpenLDAP infrastructure, which I started last summer but was interrupted by email outsourcing... As things currently stand, I'll be deploying 2.4.25 + BDB 4.8.30 on RHEL 5.6. I'm starting with a DB_CONFIG of set_cachesize 0 536870912 1 set_lg_regionmax 262144 set_lg_bsize 2097152 set_flags DB_LOG_AUTOREMOVE though I suspect I will tune further, as the servers are quite beefy and our OpenLDAP databases are pretty modest (60K dn, 80 MB id2entry), so we have horsepower and RAM to spare. I've been carefully reviewing the docs and admin guide and have several questions as points of clarification. - Admin Guide, section 21.4.1.1. The tuning chapter is a godsend and the section on the calculations for Berkeley DB cache sizing is extremely helpful, but I've noted that the docs indicate that each index is a hash structure and proceed to describe how to calculate how much additional cache you will want for each index you have, beyond what you need for the (Btree) id2entry and dn2id. Every single one of my index .bdb files is of type Btree, though, not Hash. Is that section of the docs outdated, and all indexed attributes are now in Btree databases (for back-bdb and presumably back-hdb), or am I fundamentally misunderstanding what the index-related cache calculations are saying? - Admin Guide, section 5. The last note in the intro section of chapter 5 mentions that some backends and overlays do not support slapd-config, without listing what those backends are. Looking through the documentation-related ITS's, it appears that at one point slapo-rwm didn't support slapd-config, but that's apparently changed. I realize it's more work to spell out what backends would prevent someone from using slapd-config, especially since it must be kept up to date as things change, but I think that explicitly listing the backends (and overlays) that don't work with slapd-config will make people more likely to choose slapd-config moving forward. As things stand, most people aren't going to know whether they can use slapd-config or not because they don't know which backends work with it and which don't. If you agree that it would be useful to explicitly list which backends would block the use of slapd-config and someone can provide me with the list of blockers, I would be happy to file an ITS and provide a patch to the current docs to spell things out. I personally think it will help adoption of slapd-config. - man page for slapd.backends(5). The man page entry states that bdb is the preferred backend. I've seen enough hints and comments on the mailing list to suggest that it will eventually be supplanted by hdb. How soon is that going to happen (2.5?), and is it worth mentioning that hdb is as good as bdb now and will be the new preferred backend soon? Again, I'll submit the ITS with the doc patch if it's worth making that assertion in the docs now. - Admin Guide, chapter 21. The tuning chapter doesn't mention the potential benefits of using an alternate memory allocator on Linux, as Quanah clued me in to on the mailing list last month. Should it? If people feel it would be worthwhile to mention, I would be happy to write the first draft and supply the patch in an ITS. - Admin Guide, chapter 21. The tuning chapter doesn't mention the potential benefits of using sysv shared memory vs. mmap'ed files on some platforms. Should it? Same offer for documentation patch applies, though I expect this one will need more feedback from the experts. Thanks, Tim -- Tim Mooney Tim.Mooney(a)ndsu.edu Enterprise Computing & Infrastructure 701-231-1076 (Voice) Room 242-J6, IACC Building 701-231-8541 (Fax) North Dakota State University, Fargo, ND 58105-5164

4 7

parsing output from ldap_search_ext_s C API
by sim123 21 Apr '11

21 Apr '11

Hi All, I am using ldap_search_ext_s C API and having strange results, not sure if I am missing something or its an API bug: My Directory Tree looks like this: | -- dc=example,dc=com | ------ ou=users,dc=example,dc=com | ---------- uid=1,ou=users,dc=example,dc=com | --------------- cn=john | ------ ou=departments,dc=example,dc=com | ---------- uid=11,ou=departments,dc=example,dc=com | --------------- cn=hr | --------------- member=uid=1 | ---------- uid=12,ou=departments,dc=example,dc=com | --------------- cn=sales | --------------- member=uid=1 | ---------- uid=13,ou=departments,dc=example,dc=com | --------------- cn=marketing | --------------- member=uid=1 First I get all the departments for "john" by using *memberof* in sarch attribute. for this query my search filter contains only one criteria ("uid=1") Then I construct another search filter for getting names of all the departments john belongs to : (|(uid=11)(uid=12)(uid=13)) I pass this filter to ldap_search_ext_s, where base is "ou=departments,dc=example,dc=com", scope is one level down, and I want "cn" in the attribute LDAPMessage* output; int retCode = ldap_search_ext_s(ld,base.c_str(), scope,filter.c_str(),attrs,false,NULL,NULL,NULL,0,&output); if(retCode == LDAP_SUCCESS){ //log success //send result to a static method for parsing LDAPUtil::parseResult(ld,output,result); ldap_msgfree(output); }else{ //log error & throw exception } LDAPUtil parse result implementation void LDAPUtil::parseResult(LDAP* ld, LDAPMessage* ldapResponse, LDAPSearchResult* parsedResult){ int numEntries = ldap_count_entries(ld,ldapResponse); cout << "number of entries" << numEntries << endl;* // I get 3 here* if(numEntries > 0){ //parse result LDAPMessage * entry; BerElement * ber; char * attr; BerVarray* vals ; map<string,LDAPAttribute*> attributeValueMap ; int count = 0; * //If I don't use count < numEntries this loop becomes an infinite loop, this loop runs 3 times, however the dn value output is:* *// run 1 :: dn: uid=11,ou=departments,dc=examples,dc=com //run 2 :: dn: uid=12,ou=departments,dc=examples,dc=com // run 3 :: dn: uid=12,ou=departments,dc=examples,dc=com* for ( entry = ldap_first_entry(ld,ldapResponse);entry != NULL && count < numEntries; entry = ldap_next_entry(ld,ldapResponse)){ count++; //create LDAP Attributes LDAPAttribute* attribute = new LDAPAttribute(); //set DN attribute->setDn(ldap_get_dn(ld,entry)); cout << "dn is " << ldap_get_dn(ld,entry) <<endl; for(attr = ldap_first_attribute(ld,entry,&ber); attr != NULL; attr=ldap_next_attribute(ld,entry,ber)) { string temp = attr; cout << "attribute :: " << attr << endl; vals = ldap_get_values_len(ld,entry,attr); if((ldap_count_values_len(vals))> 0 ){ LDAPUtil::processAttribute(attribute,temp,vals); } ldap_value_free_len(vals); } attributeValueMap.insert(pair<string,LDAPAttribute*>(attribute->getDn(),attribute)); } parsedResult->setAttributeValueMap(attributeValueMap); } } Basically above code is working only if I have one entry returned in the output. I would really appreciate if someone can help me with this. As I have hard time beliving its an API bug since I am just doing basic operation. Thanks, - Simon

1 1

Re: Installation openLDAP in Debian
by Jose Ildefonso Camargo Tolosa 21 Apr '11

21 Apr '11

On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard <olivier(a)guillard.nom.fr> wrote: >> No, that is not the meaning of "add". > > In that case, how can you change > olcRootPW: MySecretPassword If you forgot your rootdn pass, and have no other user that with write privileges to cn=config, I guess you would need to slapcat your config, edit it, delete old config, and reload with slapadd. Or... take the risk and just edit the file by hand. Ildefonso.

2 5

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2011