ppolicy and simpleSecurityObject exemptions
by Nick Urbanik
Dear Folks,
What is the best/right way to exempt system users (entries that have the
simpleSecurityObject objectclass) from the ppolicy default policy?
Is it to create another policy without restrictions and specify that
each system user should use that policy using pwdPolicySubentry?
--
Nick Urbanik http://nicku.org 808-71011 nick.urbanik(a)optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.
11 years, 1 month
search ldap
by Noel Akins
I have a dumb question. I've been struggling with LDAP for a couple of weeks
now, working on it at home at night. I seem to have something working here
given the ldapsearch I tried doing below. I had started with a base.ldif and
added a user via a add_user.ldif. I assume the numEntries: 1 is the user that I
entered. But for the life of me, I can't seem to figure out how to view that
entry. What do I need to do to actually see the entry?
Thank you.
ldapsearch -L -x -b 'dc=mergeemerge,dc=org'
version: 1
#
# LDAPv3
# base <dc=mergeemerge,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# mergeemerge.org
dn: dc=mergeemerge,dc=org
objectClass: dcObject
objectClass: organization
o: mergeemerge
dc: mergeemerge
# search result
# numResponses: 2
# numEntries: 1
11 years, 1 month
Strange log entries
by Peter Schütt
Hello,
I got the following log entries in /var/log/messages
Apr 5 13:19:51 myhost slaptest: auxpropfunc error invalid parameter supplied
Apr 5 13:19:51 myhost slapd[18435]: auxpropfunc error invalid parameter supplied
This is funny because I redirect the OpenLDAP logs into a file of their own
with an entry in
/etc/rsyslog.conf:
# OpenLDAP
local4.* /var/log/ldap.log
What do these log entries mean?
Ciao
Peter Schütt
11 years, 1 month
Speeding up BDB question
by Cannady, Mike
I have a situation where I need to delete a major branch of my DIT and
reload it with a new ldif file on live systems. My current
configuration is a two node multi-master running on Red Hat Enterprise
5.4 with openldap 2.22 and BDB 4.8.26.
With both masters running, when I delete the branch it takes about 1.5
hours and the reload (ldapadd) takes about 6-7 hours. I've researched
the documentation on Berkeley but didn't make any headway to reduce the
time. It appeared to me that BDB was doing syncs (lots and lots of disk
writes). To test this, I moved the database directory of both masters
to a ram drive (mount ramfs) that could hold the whole database
directory with room to spare and changed the configuration to use the
new location.
I reran the tests and the results were that the delete took 6 minutes
and the load took about 13 minutes. This is definitely a lot faster and
the other master kept up with the updating master.
So my question is: is there any way to configure Berkeley to come close to
this? Is there some way to disable the syncs?
Portion of slapd.conf:
====================================================
database bdb
suffix "dc=htc,dc=com"
rootdn "cn=XXXXXXXXXXXXXXXX,dc=htc,dc=com"
rootpw XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxx
directory /usr/local/var/openldap-data
#directory /var/local/var.ram/openldap-data
cachesize 50000
dncachesize 50000
idlcachesize 150000
checkpoint 1024 5
dbnosync
dirtyread
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_bsize 2097152
dbconfig set_lg_regionmax 262144
dbconfig set_flags DB_LOG_AUTOREMOVE
monitoring on
DB_CONFIG:
=====================================
set_cachesize 0 268435456 1
set_lg_bsize 2097152
set_lg_regionmax 262144
set_flags DB_LOG_AUTOREMOVE
set_flags DB_TXN_WRITE_NOSYNC
set_flags DB_TXN_NOSYNC
Mike Cannady
Information Services
Horry Telephone Cooperative (HTC)
Phone: (843)369-8212
Fax..: (843)369-7195
Pager: (843)828-5899
Email: Mike.Cannady(a)htcinc.net
11 years, 1 month
openLDAP 2.4.25 make fails with TLS errors
by sim123
I am trying to compile OpenLDAP 2.4.25 with TLS and Cyrus SASL, following
these two links:
http://www.openldap.org/faq/data/cache/196.html
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html
configure and make depend work, but make fails with a very long list of
undeclared/undefined errors in TLS.
tls_m.c:2994: warning: comparison between pointer and integer
tls_m.c:2994: error: 'PR_WOULD_BLOCK_ERROR' undeclared (first use in this function)
tls_m.c:2994: warning: comparison between pointer and integer
tls_m.c: In function 'tlsm_sb_write':
tls_m.c:3016: error: 'struct tls_data' has no member named 'session'
tls_m.c:3016: error: 'PR_INTERVAL_NO_TIMEOUT' undeclared (first use in this function)
tls_m.c:3019: error: 'PR_PENDING_INTERRUPT_ERROR' undeclared (first use in this function)
tls_m.c:3019: warning: comparison between pointer and integer
tls_m.c:3019: error: 'PR_WOULD_BLOCK_ERROR' undeclared (first use in this function)
tls_m.c:3019: warning: comparison between pointer and integer
make[2]: *** [tls_m.lo] Error 1
make[2]: Leaving directory `/root/Desktop/openldap-2.4.25-source/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/root/Desktop/openldap-2.4.25-source/libraries'
make: *** [all-common] Error 1
[root@100x103 openldap-2.4.25-source]#
I am using
./configure --prefix=/root/Desktop/openldap-2.4.25 --with-tls=no
--enable-slapd --with-cyrus-sasl --enable-crypt --enable-debug
--enable-cleartext
to configure on CentOS 5.2 and have CFLAGS and CPPFLAGS defined.
Can someone please help me fix this? Thanks for the help.
Thanks,
Simon
11 years, 1 month
Fwd: Re: Tuning openldap, nss_ldap and pam_ldap
by Marco Pizzoli
---------- Forwarded message ----------
From: "Marco Pizzoli" <marco.pizzoli(a)gmail.com>
Date: 5 Apr 2011 14:29
Subject: Re: Tuning openldap, nss_ldap and pam_ldap
To: "c0re" <nr1c0re(a)gmail.com>
Hi,
If it was the same problem that I had some time ago, it was due to idle
connections that I told slapd to close after x seconds.
Check yours, and eventually set a keep-alive parameter on your client,
nss_ldap.
Regards
Marco
On 5 Apr 2011 13:44, "c0re" <nr1c0re(a)gmail.com> wrote:
>
> Hello openldap users!
>
> I've got OpenLDAP 2.4.23 that is used as authentication and authorization
> server for about 40-50 servers.
> OS - FreeBSD 8.1.
>
> It's not heavy loaded.
>
> openldap# top -SP
> last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57
> 99 processes: 3 running, 80 sleeping, 16 waiting
> CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle
> CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle
> Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
> Swap: 4060M Total, 8K Used, 4060M Free
>
> PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
> 11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle
> 4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd
>
> But on my servers sometimes I see in logs something like
>
> on FTP-server:
> Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable
>
> Authentication works fine, no problems. But I want to find out what can be
> wrong.
>
> To understand this problem I installed ldap-stats utility and made it run:
>
> /var/log/debug.log - it's half day openldap server usage log.
>
> openldap# ldap-stats -c 1000 /var/log/debug.log
>
>
> Report Generated on Tue Apr 5 15:16:47 2011
> --------------------------------------------
> Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33
>
>
> Operation totals
> ----------------
> Total operations : 913845
> Total connections : 101226
> Total authentication failures : 2
> Total binds : 99700
> Total unbinds : 99181
> Total searches : 714964
> Total compares : 7
> Total modifications : 0
> Total modrdns : 0
> Total additions : 0
> Total deletions : 0
> Unindexed attribute requests : 0
> Operations per connection : 9.03
>
>
> # Uses Filter
> ---------- -----------------------------------------------------------
> 615504 (&(objectClass=posixAccount)(uid=mailer-daemon))
> 90699 (&(objectClass=posixGroup))
> 6833 (&(objectClass=posixAccount)(uid=root))
> 2236 (&(objectClass=posixAccount)(uid=hiddenuser1))
> 669 (&(objectClass=posixGroup)(memberUid=root))
> 318 (&(objectClass=posixAccount)(uid=testacc))
> 87 (&(objectClass=posixGroup)(memberUid=postfix))
> 87 (&(objectClass=posixAccount)(uid=postfix))
> 81 (objectClass=posixAccount)
> 68 (&(objectClass=posixAccount)(uid=debian-exim))
> 68 (&(objectClass=posixGroup)(memberUid=Debian-exim))
> 39 (&(objectClass=posixAccount)(uid=normaluser))
> 34 (&(objectClass=posixAccount)(uidNumber=7333))
> 30 (&(objectClass=posixGroup)(memberUid=hiddenuser1))
> 29 (&(objectClass=posixGroup)(memberUid=chelovek))
> 29 (&(objectClass=posixAccount)(uid=chelovek))
> 27 (&(objectClass=posixAccount)(uid=user0))
> 23 (&(objectClass=posixAccount)(uid=nobody))
> 21 (&(objectClass=posixAccount)(uid=user1))
> 18 (&(objectClass=posixAccount)(uid=user2))
> 16 (&(objectClass=posixAccount)(uid=user3))
> 15 (&(objectClass=posixAccount)(uid=user4))
> 12 (&(objectClass=posixAccount)(uid=user5))
> 11 (&(objectClass=posixAccount)(uidNumber=7330))
> 10 (&(objectClass=posixAccount)(uid=user15))
> 9 (&(objectClass=posixAccount)(uid=user16))
> 8 (&(objectClass=posixAccount)(uidNumber=7333))
> 6 (&(objectClass=posixAccount)(uid=user6))
> 5 (&(objectClass=posixAccount)(uid=user7))
> 5 (cn=defaults)
> 4 (&(objectClass=posixAccount)(uidNumber=7228))
> 4 (&(objectClass=shadowAccount)(uid=user1))
> 4 (&(objectClass=posixAccount)(uid=user9))
> 4 (&(objectClass=posixAccount)(uid=user10))
> 4 (&(objectClass=posixAccount)(uid=user11))
> 3 (&(objectClass=posixAccount)(uid=user12))
> 3 (&(objectClass=posixAccount)(uid=user13))
> 3 (&(objectClass=posixAccount)(uid=user14))
> ...............
> and MANY others that have 1 use in these stats.
> I think these many queries are from the mail relay server.
> * user1 etc. are just hidden real users.
>
> What can I do to tune nss? Can you point me in the right direction? I do not
> know what to look at.
> If you need any additional information, logs, etc., I'll provide it.
>
> Thanks in advance!
>
11 years, 1 month
LDAP_RES_INTERMEDIATE - SYNC_ID_SET makes me in trouble
by Olivier PAVILLA
Hi everyone.
I have another OpenLDAP server.
luz2:/home/romain# uname -a
Linux luz2 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux
And:
luz2:/home/romain# uname -a
Linux luz2 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux
luz2:/home/romain# slapd -VV
@(#) $OpenLDAP: slapd 2.4.11 (Nov 26 2009 09:17:06) $
root@SD6-Casa:/tmp/buildd/openldap-2.4.11/debian/build/servers/slapd
I read these lines in my /var/log/syslog:
Apr 5 06:28:38 luz2 slapd[21213]: syncrepl_message_to_entry: rid=008 mods check (objectClass: value #4 invalid per syntax)
Apr 5 06:28:38 luz2 slapd[21213]: do_syncrepl: rid=008 retrying
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 5 06:38:50 luz2 slapd[21213]: syncrepl_message_to_entry: rid=008 mods check (objectClass: value #4 invalid per syntax)
Apr 5 06:38:50 luz2 slapd[21213]: do_syncrepl: rid=008 retrying
Could someone tell me what's wrong?
I haven't changed anything on my server for several months, and suddenly I
got these lines. Who can explain it to me?
Kind regards
--
% scan for <<"Arnold Schwarzenegger"^J^D
"Arnold Schwarzenegger": << terminator not found
S.C.I.R.C. Orléans (Bøurgøgne) - I.U.F.M. Centre-Val de Løire
72 Rue du Faubourg Bourgogne -45044 ORLEANS Cedex 1
Tel : 02-38-49-26-00 mailto:ølivier.pavilla@univ-ørleans.fr
http://blog.linux-squad.com -
11 years, 1 month
beginner -old slapd.conf
by eric
I was familiar with configuring OpenLDAP via slapd.conf in version 2.3. I recently
installed 2.4 and am having a bear of a time trying to follow any
instructions from any source: man pages, openldap.org, and
https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html
This part is nerve-wracking on the Ubuntu site... after I generate part
3, part 4 says...
##########################
4. Edit the generated /tmp/cn\=samba.ldif file, changing the following
attributes:
dn: cn=samba,cn=schema,cn=config
...
cn: samba
##########################
but it does not say what I should change the attributes to... it just
gives an example that is (in my opinion) poor for a beginner like myself.
Following instructions and learning seemed so much easier with 2.3.
Can someone please let me in to the 2.4 LDAP world?
I just want to get something set up in 2.4 to play with so I can learn
setups with 2.4.
Thanks for any help in advance.
11 years, 1 month
Tuning openldap, nss_ldap and pam_ldap
by c0re
Hello openldap users!
I've got OpenLDAP 2.4.23 that is used as authentication and authorization
server for about 40-50 servers.
OS - FreeBSD 8.1.
It's not heavy loaded.
openldap# top -SP
last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57
99 processes: 3 running, 80 sleeping, 16 waiting
CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle
CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle
Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free
Swap: 4060M Total, 8K Used, 4060M Free
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle
4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd
But on my servers sometimes I see in logs something like
on FTP-server:
Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable
Authentication works fine, no problems. But I want to find out what can be
wrong.
To understand this problem I installed ldap-stats utility and made it run:
/var/log/debug.log - it's half day openldap server usage log.
openldap# ldap-stats -c 1000 /var/log/debug.log
Report Generated on Tue Apr 5 15:16:47 2011
--------------------------------------------
Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33
Operation totals
----------------
Total operations : 913845
Total connections : 101226
Total authentication failures : 2
Total binds : 99700
Total unbinds : 99181
Total searches : 714964
Total compares : 7
Total modifications : 0
Total modrdns : 0
Total additions : 0
Total deletions : 0
Unindexed attribute requests : 0
Operations per connection : 9.03
# Uses Filter
---------- -----------------------------------------------------------
615504 (&(objectClass=posixAccount)(uid=mailer-daemon))
90699 (&(objectClass=posixGroup))
6833 (&(objectClass=posixAccount)(uid=root))
2236 (&(objectClass=posixAccount)(uid=hiddenuser1))
669 (&(objectClass=posixGroup)(memberUid=root))
318 (&(objectClass=posixAccount)(uid=testacc))
87 (&(objectClass=posixGroup)(memberUid=postfix))
87 (&(objectClass=posixAccount)(uid=postfix))
81 (objectClass=posixAccount)
68 (&(objectClass=posixAccount)(uid=debian-exim))
68 (&(objectClass=posixGroup)(memberUid=Debian-exim))
39 (&(objectClass=posixAccount)(uid=normaluser))
34 (&(objectClass=posixAccount)(uidNumber=7333))
30 (&(objectClass=posixGroup)(memberUid=hiddenuser1))
29 (&(objectClass=posixGroup)(memberUid=chelovek))
29 (&(objectClass=posixAccount)(uid=chelovek))
27 (&(objectClass=posixAccount)(uid=user0))
23 (&(objectClass=posixAccount)(uid=nobody))
21 (&(objectClass=posixAccount)(uid=user1))
18 (&(objectClass=posixAccount)(uid=user2))
16 (&(objectClass=posixAccount)(uid=user3))
15 (&(objectClass=posixAccount)(uid=user4))
12 (&(objectClass=posixAccount)(uid=user5))
11 (&(objectClass=posixAccount)(uidNumber=7330))
10 (&(objectClass=posixAccount)(uid=user15))
9 (&(objectClass=posixAccount)(uid=user16))
8 (&(objectClass=posixAccount)(uidNumber=7333))
6 (&(objectClass=posixAccount)(uid=user6))
5 (&(objectClass=posixAccount)(uid=user7))
5 (cn=defaults)
4 (&(objectClass=posixAccount)(uidNumber=7228))
4 (&(objectClass=shadowAccount)(uid=user1))
4 (&(objectClass=posixAccount)(uid=user9))
4 (&(objectClass=posixAccount)(uid=user10))
4 (&(objectClass=posixAccount)(uid=user11))
3 (&(objectClass=posixAccount)(uid=user12))
3 (&(objectClass=posixAccount)(uid=user13))
3 (&(objectClass=posixAccount)(uid=user14))
...............
and MANY others that have 1 use in these stats.
I think these many queries are from the mail relay server.
* user1 etc. are just hidden real users.
What can I do to tune nss? Can you point me in the right direction? I do not
know what to look at.
If you need any additional information, logs, etc., I'll provide it.
Thanks in advance!
11 years, 1 month
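The ldap-stats report above shows roughly one bind and one unbind per connection and one filter dominating the searches. As an added example (not from the thread, and not the ldap-stats tool itself), this Python parser derives the same operation totals from constructed slapd loglevel "stats" lines, and additionally reports which client IPs open the connections and how many connections performed a single search before going away, which is the pattern a per-lookup client such as nss_ldap without connection reuse produces.

```python
import re
from collections import Counter

# Constructed slapd loglevel "stats" lines (not from the thread): a mail relay
# at 10.0.0.5 opens a new connection for every lookup, while 10.0.0.7 reuses one.
SAMPLE_LOG = """\
Apr  5 15:10:01 openldap slapd[4773]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Apr  5 15:10:01 openldap slapd[4773]: conn=1001 op=0 BIND dn="" method=128
Apr  5 15:10:01 openldap slapd[4773]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 15:10:01 openldap slapd[4773]: conn=1001 op=1 SRCH attr=uid uidNumber gidNumber
Apr  5 15:10:01 openldap slapd[4773]: conn=1001 op=2 UNBIND
Apr  5 15:10:02 openldap slapd[4773]: conn=1002 fd=12 ACCEPT from IP=10.0.0.5:51235 (IP=0.0.0.0:389)
Apr  5 15:10:02 openldap slapd[4773]: conn=1002 op=0 BIND dn="" method=128
Apr  5 15:10:02 openldap slapd[4773]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
Apr  5 15:10:02 openldap slapd[4773]: conn=1002 op=2 UNBIND
Apr  5 15:10:03 openldap slapd[4773]: conn=1003 fd=13 ACCEPT from IP=10.0.0.7:40001 (IP=0.0.0.0:389)
Apr  5 15:10:03 openldap slapd[4773]: conn=1003 op=0 BIND dn="" method=128
Apr  5 15:10:03 openldap slapd[4773]: conn=1003 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
Apr  5 15:10:04 openldap slapd[4773]: conn=1003 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^:\s]+):\d+")
# "SRCH base=" excludes the companion "SRCH attr=" line so each search counts once.
OP_RE = re.compile(r"conn=(\d+) op=\d+ (BIND|SRCH base=|UNBIND)")
FILTER_RE = re.compile(r' filter="([^"]*)"')

def summarize(log_text):
    """Aggregate connections, operations, filters and per-client connection counts."""
    conn_ip, totals, filters = {}, Counter(), Counter()
    searches_per_conn, conns_per_ip = Counter(), Counter()
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
            conns_per_ip[m.group(2)] += 1
            totals["connections"] += 1
        elif m := OP_RE.search(line):
            conn, op = m.group(1), m.group(2).split()[0]   # BIND / SRCH / UNBIND
            totals[op] += 1
            if op == "SRCH":
                searches_per_conn[conn] += 1
                if f := FILTER_RE.search(line):
                    filters[f.group(1)] += 1
    # A connection that did exactly one search is a client paying a full
    # connect+bind+unbind for every lookup instead of reusing its connection.
    one_shot = sum(1 for c in conn_ip if searches_per_conn[c] == 1)
    ops = totals["BIND"] + totals["SRCH"] + totals["UNBIND"]
    conns = totals["connections"]
    return {
        "totals": dict(totals),
        "ops_per_connection": round(ops / conns, 2) if conns else 0.0,
        "one_shot_connections": one_shot,
        "top_filters": filters.most_common(3),
        "connections_by_client": conns_per_ip.most_common(),
    }
```

Run against a real log, a high one_shot_connections count together with a single dominating filter points at the client to fix (connection reuse or local caching) rather than at the server.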