openldap-technical April 2011

openldap-technical@openldap.org

97 participants
98 discussions

ppolicy and simpleSecurityObject exemptions
by Nick Urbanik 09 Apr '11

09 Apr '11

Dear Folks, What is the best/right way to exempt system users (entries that have the simpleSecurityObject objectclass) from the ppolicy default policy? Is it to create another policy without restrictions and specify that each system user should use that policy using pwdPolicySubentry? -- Nick Urbanik http://nicku.org 808-71011 nick.urbanik(a)optusnet.com.au GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24 I disclaim, therefore I am.

2 1

search ldap
by Noel Akins 09 Apr '11

09 Apr '11

I have a dumb question. I've been struggling with LDAP for a couple of weeks now, working on it at home at night. I seem to have something working here given the ldapsearch i tried doing below. I had started with a base.ldif and added a user via a add_user.ldif. I assume the numEntries: 1 is the user that I entered. But for the life of me, I can't seem to figure out how to view that entry. What do I need to do actually see the entry? Thank you. ldapsearch -L -x -b 'dc=mergeemerge,dc=org' version: 1 # # LDAPv3 # base <dc=mergeemerge,dc=org> with scope subtree # filter: (objectclass=*) # requesting: ALL # # mergeemerge.org dn: dc=mergeemerge,dc=org objectClass: dcObject objectClass: organization o: mergeemerge dc: mergeemerge # search result # numResponses: 2 # numEntries: 1

3 2

Strange log entries
by Peter Schütt 06 Apr '11

06 Apr '11

Hallo, I got the following log entries in /var/log/messages Apr 5 13:19:51 myhost slaptest: auxpropfunc error invalid parameter supplied Apr 5 13:19:51 myhost slapd[18435]: auxpropfunc error invalid parameter supplied This is funny because I redirect the logs of OpenLDAP in an own file by an entry in /etc/rsyslog.conf: # OpenLDAP local4.* /var/log/ldap.log What does these log entries mean? Ciao Peter Schütt

2 2

Speeding up BDB question
by Cannady, Mike 05 Apr '11

05 Apr '11

I have a situation where I need to delete a major branch of my DIT and reload it with a new ldif file on live systems. My current configuration is a two node multi-master running on Red Hat Enterprise 5.4 with openldap 2.22 and BDB 4.8.26. With both masters running, when I delete the branch it takes about 1.5 hours and the reload (ldapadd) takes about 6-7 hours. I've researched the documentation on Berkeley but didn't make any headway to reduce the time. It appeared to me that BDB was doing syncs (lots and lots of disk writes). To test this, I moved the database directory of both masters to a ram drive (mount ramfs) that could hold the whole database directory with room to spare and changed the configuration to use the new location. I reran the tests and the results were that the delete took 6 minutes and the load took about 13 minutes. This is definitely a lot faster and the other master kept up with the updating master. So my question is there anyway to configure Berkeley to come close to this? Is there someway to disable the syncs? Portion of slapd.conf:==================================================== database bdb suffix "dc=htc,dc=com" rootdn "cn=XXXXXXXXXXXXXXXX,dc=htc,dc=com" rootpw XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxx directory /usr/local/var/openldap-data #directory /var/local/var.ram/openldap-data cachesize 50000 dncachesize 50000 idlcachesize 150000 checkpoint 1024 5 dbnosync dirtyread dbconfig set_cachesize 0 268435456 1 dbconfig set_lg_bsize 2097152 dbconfig set_lg_regionmax 262144 dbconfig set_flags DB_LOG_AUTOREMOVE monitoring on DB_CONFIG:===================================== set_cachesize 0 268435456 1 set_lg_bsize 2097152 set_lg_regionmax 262144 set_flags DB_LOG_AUTOREMOVE set_flags DB_TXN_WRITE_NOSYNC set_flags DB_TXN_NOSYNC Mike Cannady Information Services Horry Telephone Cooperative (HTC) Phone: (843)369-8212 Fax..: (843)369-7195 Pager: (843)828-5899 Email: Mike.Cannady(a)htcinc.net ********************************************************************** HTC Disclaimer: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. **********************************************************************

3 6

openLDAP 2.4.25 make fails with TLS errors
by sim123 05 Apr '11

05 Apr '11

I am trying to compile openLDAP 2.4.25 with TLS and cyrusSASL and following these two links http://www.openldap.org/faq/data/cache/196.html http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html configure and make depend works but make fails with very long list of undeclared/undefined errors in TLS. tls_m.c:2994: warning: comparison between pointer and integer tls_m.c:2994: error: 'PR_WOULD_BLOCK_ERROR' undeclared (first use in this function) tls_m.c:2994: warning: comparison between pointer and integer tls_m.c: In function 'tlsm_sb_write': tls_m.c:3016: error: 'struct tls_data' has no member named 'session' tls_m.c:3016: error: 'PR_INTERVAL_NO_TIMEOUT' undeclared (first use in this function) tls_m.c:3019: error: 'PR_PENDING_INTERRUPT_ERROR' undeclared (first use in this function) tls_m.c:3019: warning: comparison between pointer and integer tls_m.c:3019: error: 'PR_WOULD_BLOCK_ERROR' undeclared (first use in this function) tls_m.c:3019: warning: comparison between pointer and integer make[2]: *** [tls_m.lo] Error 1 make[2]: Leaving directory `/root/Desktop/openldap-2.4.25-source/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/root/Desktop/openldap-2.4.25-source/libraries' make: *** [all-common] Error 1 [root@100x103 openldap-2.4.25-source]# I am using ./configure --prefix=/root/Desktop/openldap-2.4.25 --with-tls=no --enable-slapd --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext to configure on CentOS 5.2 and have cflags and cpppflags defined. Can someone please help me fixing this? Thanks for the help. Thanks, Simon

2 6

Fwd: Re: Tuning openldap, nss_ldap and pam_ldap
by Marco Pizzoli 05 Apr '11

05 Apr '11

---------- Forwarded message ---------- From: "Marco Pizzoli" <marco.pizzoli(a)gmail.com> Date: 5 Apr 2011 14:29 Subject: Re: Tuning openldap, nss_ldap and pam_ldap To: "c0re" <nr1c0re(a)gmail.com> Hi, If it was the same problem that I had some time ago, it was due to idle connections that I gold slapd to close after x seconds. Check yours, and eventually set a keep alive parameter on your client, nss_ldap. Regards Marco On 5 Apr 2011 13:44, "c0re" <nr1c0re(a)gmail.com> wrote: > > Hello openldap users! > > I've got Openldap 2.4.23 that used as authentication and authorization server for about 40-50 servers. > OS - FreeBSD 8.1. > > It's not heavy loaded. > > openldap# top -SP > last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57 > 99 processes: 3 running, 80 sleeping, 16 waiting > CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle > CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle > Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free > Swap: 4060M Total, 8K Used, 4060M Free > > PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND > 11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle > 4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd > > But on my servers sometimes I see in logs something like > > on FTP-server: > Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable > > Authentication works fine, no problems. But want to find out what can be wrong. > > To understand this problem I installed ldap-stats utility and made it run: > > /var/log/debug.log - it's half day openldap server usage log. > > openldap# ldap-stats -c 1000 /var/log/debug.log > > > Report Generated on Tue Apr 5 15:16:47 2011 > -------------------------------------------- > Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33 > > > Operation totals > ---------------- > Total operations : 913845 > Total connections : 101226 > Total authentication failures : 2 > Total binds : 99700 > Total unbinds : 99181 > Total searches : 714964 > Total compares : 7 > Total modifications : 0 > Total modrdns : 0 > Total additions : 0 > Total deletions : 0 > Unindexed attribute requests : 0 > Operations per connection : 9.03 > > > # Uses Filter > ---------- ----------------------------------------------------------- > 615504 (&(objectClass=posixAccount)(uid=mailer-daemon)) > 90699 (&(objectClass=posixGroup)) > 6833 (&(objectClass=posixAccount)(uid=root)) > 2236 (&(objectClass=posixAccount)(uid=hiddenuser1)) > 669 (&(objectClass=posixGroup)(memberUid=root)) > 318 (&(objectClass=posixAccount)(uid=testacc)) > 87 (&(objectClass=posixGroup)(memberUid=postfix)) > 87 (&(objectClass=posixAccount)(uid=postfix)) > 81 (objectClass=posixAccount) > 68 (&(objectClass=posixAccount)(uid=debian-exim)) > 68 (&(objectClass=posixGroup)(memberUid=Debian-exim)) > 39 (&(objectClass=posixAccount)(uid=normaluser)) > 34 (&(objectClass=posixAccount)(uidNumber=7333)) > 30 (&(objectClass=posixGroup)(memberUid=hiddenuser1)) > 29 (&(objectClass=posixGroup)(memberUid=chelovek)) > 29 (&(objectClass=posixAccount)(uid=chelovek)) > 27 (&(objectClass=posixAccount)(uid=user0)) > 23 (&(objectClass=posixAccount)(uid=nobody)) > 21 (&(objectClass=posixAccount)(uid=user1)) > 18 (&(objectClass=posixAccount)(uid=user2)) > 16 (&(objectClass=posixAccount)(uid=user3)) > 15 (&(objectClass=posixAccount)(uid=user4)) > 12 (&(objectClass=posixAccount)(uid=user5)) > 11 (&(objectClass=posixAccount)(uidNumber=7330)) > 10 (&(objectClass=posixAccount)(uid=user15)) > 9 (&(objectClass=posixAccount)(uid=user16)) > 8 (&(objectClass=posixAccount)(uidNumber=7333)) > 6 (&(objectClass=posixAccount)(uid=user6)) > 5 (&(objectClass=posixAccount)(uid=user7)) > 5 (cn=defaults) > 4 (&(objectClass=posixAccount)(uidNumber=7228)) > 4 (&(objectClass=shadowAccount)(uid=user1)) > 4 (&(objectClass=posixAccount)(uid=user9)) > 4 (&(objectClass=posixAccount)(uid=user10)) > 4 (&(objectClass=posixAccount)(uid=user11)) > 3 (&(objectClass=posixAccount)(uid=user12)) > 3 (&(objectClass=posixAccount)(uid=user13)) > 3 (&(objectClass=posixAccount)(uid=user14)) > ............... > and MANY others that has 1 use in this stats. > I think this many queries from mail relay server. > * user1 and etc - just hidden real users. > > What can I do to tune nss? Can you point me in a right direction? Do not know what to look at. > If you need any additional information, logs and etc - I'll provide it. > > Thanks in advance! >

2 4

LDAP_RES_INTERMEDIATE - SYNC_ID_SET makes me in trouble
by Olivier PAVILLA 05 Apr '11

05 Apr '11

Hi everyone. I have another OpenLDAP server. luz2:/home/romain# uname -a Linux luz2 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux And: luz2:/home/romain# uname -a Linux luz2 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux luz2:/home/romain# slapd -VV @(#) $OpenLDAP: slapd 2.4.11 (Nov 26 2009 09:17:06) $ root@SD6-Casa:/tmp/buildd/openldap-2.4.11/debian/build/servers/slapd I read those lines in my /var/log/syslog: Apr 5 06:28:38 luz2 slapd[21213]: syncrepl_message_to_entry: rid=008 mods check (objectClass: value #4 invalid per syntax) Apr 5 06:28:38 luz2 slapd[21213]: do_syncrepl: rid=008 retrying Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:38 luz2 slapd[21213]: do_syncrep2: rid=008 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Apr 5 06:38:50 luz2 slapd[21213]: syncrepl_message_to_entry: rid=008 mods check (objectClass: value #4 invalid per syntax) Apr 5 06:38:50 luz2 slapd[21213]: do_syncrepl: rid=008 retrying Someone or anyone could tell me what's wrong? I didn't change anything on my server for several months. So suddenly I got those lines. Who can explain to me? Kind regards -- % scan for <<"Arnold Schwarzenegger"^J^D "Arnold Schwarzenegger": << terminator not found S.C.I.R.C. Orléans (Bøurgøgne) - I.U.F.M. Centre-Val de Løire 72 Rue du Faubourg Bourgogne -45044 ORLEANS Cedex 1 Tel : 02-38-49-26-00 mailto:ølivier.pavilla@univ-ørleans.fr http://blog.linux-squad.com -

3 2

Import of a schema file into the cn=schema, cn=config tree
by Peter Schütt 05 Apr '11

05 Apr '11

Hallo, what is the best way to import a schema file into the cn=schema,cn=config tree? Thanks for any hints. Ciao Peter Schütt

2 1

beginner -old slapd.conf
by eric 05 Apr '11

05 Apr '11

I was familiar configuring openldap with slapd.conf ver 2.3 I recently install 2.4 and am having a bear of a time trying to follow any instructions from any source... man pages, openldap.org, and https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html This part is nerve racking on the ubuntu site... after I generate part 3, part 4 says... ########################## 4. Edit the generated /tmp/cn\=samba.ldif file, changing the following attributes: dn: cn=samba,cn=schema,cn=config ... cn: samba ########################## but it does not say what I should change the attributes too... just gives an example that is (in my opinion poor) for a beginner like my self. Following instructions and learning seemed so much easier with 2.3 Can someone please let me in to the 2.4 LDAP world? I just want to get something in 2.4 setup to play with so I can learn setups with 2.4 Thanks for any help in advance.

3 4

Tuning openldap, nss_ldap and pam_ldap
by c0re 05 Apr '11

05 Apr '11

Hello openldap users! I've got Openldap 2.4.23 that used as authentication and authorization server for about 40-50 servers. OS - FreeBSD 8.1. It's not heavy loaded. openldap# top -SP last pid: 45647; load averages: 0.15, 0.15, 0.07 up 81+22:29:21 15:18:57 99 processes: 3 running, 80 sleeping, 16 waiting CPU 0: 0.7% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.3% idle CPU 1: 0.4% user, 0.0% nice, 0.7% system, 0.0% interrupt, 98.9% idle Mem: 79M Active, 1402M Inact, 379M Wired, 84M Cache, 213M Buf, 31M Free Swap: 4060M Total, 8K Used, 4060M Free PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 11 root 2 171 ki31 0K 32K CPU0 0 3874.8 200.00% idle 4773 ldap 18 44 0 398M 53748K ucond 1 41.1H 0.00% slapd But on my servers sometimes I see in logs something like on FTP-server: Mar 25 21:55:32 someftp ftpd: nss_ldap: could not search LDAP server - Server is unavailable Authentication works fine, no problems. But want to find out what can be wrong. To understand this problem I installed ldap-stats utility and made it run: /var/log/debug.log - it's half day openldap server usage log. openldap# ldap-stats -c 1000 /var/log/debug.log Report Generated on Tue Apr 5 15:16:47 2011 -------------------------------------------- Processed "/var/log/debug.log": Apr 5 00:00:00 - Apr 5 15:17:33 Operation totals ---------------- Total operations : 913845 Total connections : 101226 Total authentication failures : 2 Total binds : 99700 Total unbinds : 99181 Total searches : 714964 Total compares : 7 Total modifications : 0 Total modrdns : 0 Total additions : 0 Total deletions : 0 Unindexed attribute requests : 0 Operations per connection : 9.03 # Uses Filter ---------- ----------------------------------------------------------- 615504 (&(objectClass=posixAccount)(uid=mailer-daemon)) 90699 (&(objectClass=posixGroup)) 6833 (&(objectClass=posixAccount)(uid=root)) 2236 (&(objectClass=posixAccount)(uid=hiddenuser1)) 669 (&(objectClass=posixGroup)(memberUid=root)) 318 (&(objectClass=posixAccount)(uid=testacc)) 87 (&(objectClass=posixGroup)(memberUid=postfix)) 87 (&(objectClass=posixAccount)(uid=postfix)) 81 (objectClass=posixAccount) 68 (&(objectClass=posixAccount)(uid=debian-exim)) 68 (&(objectClass=posixGroup)(memberUid=Debian-exim)) 39 (&(objectClass=posixAccount)(uid=normaluser)) 34 (&(objectClass=posixAccount)(uidNumber=7333)) 30 (&(objectClass=posixGroup)(memberUid=hiddenuser1)) 29 (&(objectClass=posixGroup)(memberUid=chelovek)) 29 (&(objectClass=posixAccount)(uid=chelovek)) 27 (&(objectClass=posixAccount)(uid=user0)) 23 (&(objectClass=posixAccount)(uid=nobody)) 21 (&(objectClass=posixAccount)(uid=user1)) 18 (&(objectClass=posixAccount)(uid=user2)) 16 (&(objectClass=posixAccount)(uid=user3)) 15 (&(objectClass=posixAccount)(uid=user4)) 12 (&(objectClass=posixAccount)(uid=user5)) 11 (&(objectClass=posixAccount)(uidNumber=7330)) 10 (&(objectClass=posixAccount)(uid=user15)) 9 (&(objectClass=posixAccount)(uid=user16)) 8 (&(objectClass=posixAccount)(uidNumber=7333)) 6 (&(objectClass=posixAccount)(uid=user6)) 5 (&(objectClass=posixAccount)(uid=user7)) 5 (cn=defaults) 4 (&(objectClass=posixAccount)(uidNumber=7228)) 4 (&(objectClass=shadowAccount)(uid=user1)) 4 (&(objectClass=posixAccount)(uid=user9)) 4 (&(objectClass=posixAccount)(uid=user10)) 4 (&(objectClass=posixAccount)(uid=user11)) 3 (&(objectClass=posixAccount)(uid=user12)) 3 (&(objectClass=posixAccount)(uid=user13)) 3 (&(objectClass=posixAccount)(uid=user14)) ............... and MANY others that has 1 use in this stats. I think this many queries from mail relay server. * user1 and etc - just hidden real users. What can I do to tune nss? Can you point me in a right direction? Do not know what to look at. If you need any additional information, logs and etc - I'll provide it. Thanks in advance!

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2011