Schema modification errors
by Marc Elliott
Hi All,
I have a brand new OpenLDAP server installed by Ubuntu and running
locally on which I need to alter one of the core schemas to accommodate
some legacy data. Unfortunately, I keep getting errors on my
modification attempts. (BTW - the LDAP repository is currently empty,
though schemas have been added to cn=config)
The LDIF I've been submitting is:
dn: cn=core,cn=schema,cn=config
changetype: modify
delete: objectclasses
objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' )
-
add: objectclasses
objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a
  group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL
  MUST ( cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $
  description $ uniqueMember ) )
And the error I get is:
#!RESULT ERROR
#!CONNECTION ldap://localhost:389
#!DATE 2011-06-21T10:29:02.855
#!ERROR [LDAP: error code 21 - objectclasses: value #0 invalid per
syntax]
dn: cn=core,cn=schema,cn=config
changetype: modify
delete: objectclasses
objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' )
-
add: objectclasses
objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a
group of
unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( cn )
MAY (
businessCategory $ seeAlso $ owner $ ou $ o $ description $
uniqueMember ) )
Any ideas? I'm new to OpenLDAP and usually try to avoid changing
standard schema elements so I may be missing something simple.
Thanks!
Marc
11 years, 9 months
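A way to check an objectClass definition locally before sending it to a live server, added here as an example and not part of the post. Two points to keep in mind when editing schema under cn=config: the schema entries are named cn={N}core,cn=schema,cn=config and the attribute is olcObjectClasses, whose values carry a {N} ordering prefix; the parser below accepts that form as well as the plain RFC 4512 form, and the sample value is the post's definition rewritten that way (the {19} index is made up).

```python
import re

# Added example, not from the post: a parser for RFC 4512 objectClass descriptions
# that also accepts the "{N}( ... )" ordered form cn=config stores in olcObjectClasses.
# Constructed sample: the definition from the post as cn=config would hold it.
SAMPLE = ("{19}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique"
          " names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( cn ) MAY ("
          " businessCategory $ seeAlso $ owner $ ou $ o $ description $ uniqueMember ) )")

_QD, _OIDS = r"'[^']*'", r"\([^)]*\)|[\w.-]+"    # qdstring; "( a $ b )" or one name/OID
_VALUE = {"NAME": rf"\(\s*(?:{_QD}\s*)+\)|{_QD}", "DESC": _QD,
          "SUP": _OIDS, "MUST": _OIDS, "MAY": _OIDS}

def _oids(text):
    """'( a $ b )' or 'a' -> ['a', 'b']."""
    return [t.strip() for t in text.strip("() ").split("$") if t.strip()]

def parse_objectclass(value):
    """Parse one objectClasses / olcObjectClasses value; raise ValueError if malformed."""
    oc = {"order": None, "kind": "STRUCTURAL", "name": [], "desc": None,
          "sup": [], "must": [], "may": []}           # kind defaults to STRUCTURAL
    m = re.match(r"\{(\d+)\}", value)                 # cn=config ordering prefix
    if m:
        oc["order"], value = int(m.group(1)), value[m.end():]
    m = re.match(r"\(\s*([0-9]+(?:\.[0-9]+)+|[A-Za-z][\w-]*)\s*(.*)\)$", value.strip())
    if not m:
        raise ValueError("expected '( <numericoid|descr> ... )'")
    oc["oid"], rest = m.group(1), m.group(2).strip()
    while rest:
        kw = re.match(r"([A-Z-]+)\s*", rest)
        if not kw:
            raise ValueError(f"unexpected text: {rest[:20]!r}")
        key, rest = kw.group(1), rest[kw.end():]
        if key in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = key
        elif key in _VALUE:
            vm = re.match(_VALUE[key], rest)
            if not vm:
                raise ValueError(f"bad value for {key}")
            val, rest = vm.group(0), rest[vm.end():].lstrip()
            if key == "DESC":
                oc["desc"] = val.strip("'")
            elif key == "NAME":
                oc["name"] = re.findall(r"'([^']*)'", val)
            else:
                oc[key.lower()] = _oids(val)
        else:
            raise ValueError(f"unknown keyword {key!r}")   # e.g. OBSOLETE is not handled here
    return oc
```

Running parse_objectclass over both values in the post shows that each is well-formed and that the short delete value parses to kind STRUCTURAL with no order prefix, so a syntax rejection is worth checking against the exact value the server holds rather than against the grammar alone.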
ppolicy works, then doesn't
by Bidwell, Matt
I had ppolicy working. Then it stopped. I've cut some stuff for security but
I've included some debug info off the ldap server and the ldapsearch + output
for that user. Most notably, pwdHistory and pwdChangedTime no longer update.
pwdMinLength seems to work, as does pwdCheckQuality. Any ideas why it stopped
working or what else I can use to debug? I've recently changed the hash, but
it didn't coincide with the date ppolicy stopped working.
Matt
From LDAP server debug:
acl: internal mod entryCSN: modify access granted
acl: internal mod modifiersName: modify access granted
acl: internal mod modifyTimestamp: modify access granted
bdb_modify_internal: replace userPassword
bdb_modify_internal: replace entryCSN
bdb_modify_internal: replace modifiersName
bdb_modify_internal: replace modifyTimestampca
oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "posixAccount"
oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "shadowAccount"
oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "inetOrgPerson"
oc_check_allowed type "roomNumber"
oc_check_allowed type "employeeType"
oc_check_allowed type "shadowExpire"
oc_check_allowed type "homePhone"
oc_check_allowed type "givenName"
oc_check_allowed type "mobile"
oc_check_allowed type "objectClass"
oc_check_allowed type "shadowLastChange"
oc_check_allowed type "uid"
oc_check_allowed type "mail"
oc_check_allowed type "uidNumber"
oc_check_allowed type "cn"
oc_check_allowed type "telephoneNumber"
oc_check_allowed type "loginShell"
oc_check_allowed type "host"
oc_check_allowed type "gidNumber"
oc_check_allowed type "gecos"
oc_check_allowed type "homeDirectory"
oc_check_allowed type "sn"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "entryUUID"
oc_check_allowed type "creatorsName"
oc_check_allowed type "createTimestamp"
oc_check_allowed type "pwdHistory"
oc_check_allowed type "pwdChangedTime"
oc_check_allowed type "pwdPolicySubentry"
oc_check_allowed type "userPassword"
oc_check_allowed type "entryCSN"
oc_check_allowed type "modifiersName"
oc_check_allowed type "modifyTimestamp"
Ldapsearch:
# testuser, fte, people,
dn: uid=testuser,ou=fte,ou=people
structuralObjectClass: inetOrgPerson
entryUUID: 2c51bca1-1460-4b26-ae20-3c054c861d30
creatorsName: cn=admin
createTimestamp: 20110523222307Z
pwdHistory: 20110606211017Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}aZlEl1nHU2K
pwdHistory: 20110606211045Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}LCJWgHumf2f
pwdHistory: 20110606211056Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}toDKXKosvds
pwdChangedTime: 20110606211056Z
pwdPolicySubentry: cn=default,ou=policies
entryCSN: 20110617223036.234028Z#000000#000#000000
modifiersName: uid=testuser,ou=fte,ou=people
modifyTimestamp: 20110617223036Z
entryDN: uid=testuser,ou=fte,ou=people
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
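The ldapsearch output above already carries the evidence a reader would look for: the entry was last written on 20110617 by the user's own DN, while pwdChangedTime and the newest pwdHistory value still say 20110606. The script below, an added example and not part of the post, reads such output and reports that kind of inconsistency, plus the declared-length field of each pwdHistory value (time#syntaxOID#length#data); the sample entry is constructed from the post with made-up hashes.

```python
# Added example (not from the post): consistency check of the ppolicy-maintained attributes,
# run over ldapsearch output. Sample constructed from the post; hashes made up, padded to 38 chars.
def _fake_hash(prefix):
    return "{SSHA}" + prefix.ljust(32, "A")

SAMPLE = f"""\
# testuser, fte, people
dn: uid=testuser,ou=fte,ou=people
pwdHistory: 20110606211017Z#1.3.6.1.4.1.1466.115.121.1.40#38#{_fake_hash('aZlEl1nHU2K')}
pwdHistory: 20110606211056Z#1.3.6.1.4.1.1466.115.121.1.40#38#{_fake_hash('toDKXKosvds')}
pwdChangedTime: 20110606211056Z
pwdPolicySubentry: cn=default,ou=policies
modifiersName: uid=testuser,ou=fte,ou=people
modifyTimestamp: 20110617223036Z
entryDN: uid=testuser,ou=fte,ou=people
"""

def parse_ldif_entry(text):
    """Minimal LDIF reader: joins folded lines, skips comments, keeps multi-valued attributes."""
    entry, lines = {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                       # RFC 2849 continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        attr, _, val = line.partition(":")
        entry.setdefault(attr, []).append(val.strip())
    return entry

def parse_pwd_history(value):
    """pwdHistory value syntax: time '#' syntaxOID '#' length '#' data."""
    time, oid, length, data = value.split("#", 3)
    return time, oid, int(length), data

def check_ppolicy(entry):
    """Return findings as strings; an empty list means the bookkeeping looks consistent."""
    findings = []
    for time, _, length, data in map(parse_pwd_history, entry.get("pwdHistory", [])):
        if length != len(data):
            findings.append(f"pwdHistory {time}: declared length {length}, got {len(data)}")
    changed = entry.get("pwdChangedTime", [""])[0]
    modified = entry.get("modifyTimestamp", [""])[0]
    if modified > changed:        # GeneralizedTime YYYYMMDDHHMMSSZ sorts correctly as text
        findings.append(f"entry written at {modified} but pwdChangedTime is {changed or 'unset'}:"
                        " if that write replaced userPassword, ppolicy did not record it")
    modifier = entry.get("modifiersName")
    if modifier and modifier == entry.get("entryDN"):
        findings.append("last write was by the entry itself (a self-service password change?)")
    return findings
```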
Re: schema replication problems with test059-slave-config
by Christopher Strider Cook
I'm assuming that my schema sync config issues are related to the
mirrormode configuration I have not working well with the additional
sync of the cn=schema,cn=config tree into cn=config,cn=slave.
So I'm looking for other ways to have a single authoritative schema
source that replicates to all locations.
Overview:
I have a pair of MirrorMode servers syncing cn=config between
themselves. Also on these servers is a cn=config,cn=slave which also
syncs in a MirrorMode setup. Then there are a number of Consumer servers
that syncrepl cn=config,cn=slave with a suffixmassage into their local
cn=config databases.
Initially, there was a syncrepl on the mirrormode servers that synced
cn=schema,cn=config into cn=schema,cn=config,cn=slave. But this is
failing (I'm presuming due to a conflict over use of the contextCSN, with
the mirrormode syncs)
So what are my options for keeping cn=schema,cn=config on the consumers
in sync with cn=schema,cn=config on the mirrormode providers?
Thanks,
Chris
Password Policy
by Darouichi, Aziz
Hi,
I am trying to institute a password policy in openldap-2.4.23. I would like to hash userPassword: I used "ppolicy_hash_cleartext"
This is the policy file:
dn: ou=policies,dc=establishment,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=establishment,dc=edu
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
ppolicy_hash_cleartext
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
Password still shows up in clear text.
Thanks
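ppolicy_hash_cleartext is a directive of the ppolicy overlay, read from the server configuration, not an attribute of the pwdPolicy entry, so placing it inside the LDIF above has no effect (a line without an attribute name and colon is not valid LDIF either). The fragment below is an added example, not the poster's configuration; it assumes a slapd.conf setup with the bdb backend and takes the suffix from the post. Note also that the entry declares objectClass: person, which requires sn as well as cn.

```conf
# slapd.conf fragment (added example, not the poster's file; bdb backend assumed).
# ppolicy options belong to the overlay stanza of the database section.
moduleload  ppolicy.la                  # only when overlays are built as modules

database    bdb
suffix      "dc=establishment,dc=edu"
# (other database directives go here)

overlay     ppolicy
ppolicy_default     "cn=default,ou=policies,dc=establishment,dc=edu"
ppolicy_hash_cleartext                  # hash cleartext userPassword in add/modify requests
# The scheme used is the server's password-hash setting, {SSHA} by default.

# Equivalent under cn=config, on the olcOverlay=ppolicy entry beneath the database:
#   olcPPolicyDefault: cn=default,ou=policies,dc=establishment,dc=edu
#   olcPPolicyHashCleartext: TRUE
```

Passwords stored before the directive took effect stay in whatever form they were written; only add and modify requests arriving afterwards are hashed.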
experiences creating load-balanced/HA OpenLDAP clusters
by David N. Blank-Edelman
Hi-
I'm in the process of building out our next revision of an OpenLDAP cluster (a master, several slaves, and a load balancer HA pair to distribute the workload to these servers). I was curious if anyone who has done a similar thing with open source software would be willing to share their experiences?
I've combed the archives and it seems like the last time this topic came up here was around two years ago. I'm not sure the choices have changed much since then, but just in case I thought I'd ask to get a sense of the current "state of the art". At the moment I'm thinking about either doing a Pacemaker + HAproxy setup or just an updated version of our current ultramonkey setup (LVS + heartbeat + ldirectord). Does anybody have a config they particularly like/dislike?
Thanks!
-- dNb
Syncrepl issues, "glue" objectClass
by Mark Cairney
Hi,
I've been trying to use a tool called "Grouper" to provision a hierarchical structure into my LDAP directory.
I'm currently running OpenLDAP 2.4.25 with BDB 4.8.30 on 3 SL5.5 servers in a multi-master configuration.
During the provisioning process it seems to be hitting a race condition where it creates a higher-level ou before the base-level ou is there resulting in the base-level ou existing in the tree with the "glue" objectClass.
As this is invisible to searches I end up with syncrepl constantly trying to replicate it ad infinitum:
Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 be_modify ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk (0)
Jun 10 14:53:16 alder slapd[20702]: syncprov_sendresp: cookie=
Jun 10 14:53:16 alder slapd[20702]: do_syncrep2: rid=032 cookie=
Jun 10 14:53:16 alder slapd[20702]: do_syncrep2: rid=031 cookie=
Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=032 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=032 be_search (0)
Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=032 ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk
Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 be_search (0)
Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk
Jun 10 14:53:16 alder slapd[20702]: syncprov_sendresp: cookie=
Jun 10 14:53:17 alder last message repeated 210 times
Jun 10 14:53:17 alder slapd[20702]: syncrepl_entry: rid=032 be_modify ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk (0)
Jun 10 14:53:17 alder slapd[20702]: do_syncrep2: rid=032 cookie=
Jun 10 14:53:17 alder slapd[20702]: syncrepl_entry: rid=032 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
Doing a bit of digging on the web, the suggested solution is to modify the object and remove the glue objectClass, but there doesn't seem to be an obvious way to do this given that it's invisible to ldapsearch, and if you try an ldapadd the object already exists?
Even a sample ldif file for ldapmodify would be grand.
Cheers,
Mark
/*********************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: mark.cairney(a)ed.ac.uk
*********************************/
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
Support Reverse Group Membership Maintenance for OpenLDAP 2.3
by Pedro Rodrigo Cardiel
Hello,
I have some doubts about an OpenLDAP topic.
I am working with groups in LDAP and I need to query the users of a
certain group.
I have read that when you query, you can only filter by a field name and
its value. And there is a way that, when you add a user to a group, in
addition to adding the member field to the group object, adds a field
memberOf to the person object. This is named "Reverse Group Membership
Maintenance".
I understand that I have to load a module in OpenLDAP this way:
"moduleload memberof.la", but OpenLDAP cannot find it.
I have seen on the internet that there is a package to install that module
for version 2.4.
My question is: does the openfire version 2.3 support this functionality?
I use:
Centos Linux ia3 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011
i686 i686 i386 GNU/Linux.
Installed Packages
Name : openldap
Arch : i386
Version : 2.3.43
Release : 12.el5_6.7
Size : 593 k
Repo : installed
Regards
--
-----------------------------------------------------------
Pedro Rodrigo Cardiel
Programador Senior
C/ Carlos Marx, 6 CP 50015 Zaragoza (Spain)
Tlf: +34 976 762134 +34 976 065152
Fax: +34 976 106201
prodrig(a)GeoSLab.com <mailto:suzarso@GeoSLab.com>
http://www.GeoSLab.com
Follow us on Twitter <http://twitter.com/GeoSLab>
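The memberof overlay ships with OpenLDAP 2.4; on a 2.3 server the same question ("which groups list this user?") is answered by searching the group entries for the user's DN in their member attribute. The code below is an added example, not from the post: it builds that filter with RFC 4515 escaping, so a DN containing '(', ')', '*' or '\' cannot change the filter's meaning, and the group class and attribute names are assumptions (groupOfNames/member, or posixGroup/memberUid for uid-based groups).

```python
# Added example, not from the post: the membership lookup that works on an OpenLDAP 2.3
# server, which has no memberof overlay, asks the group entries instead: filter on the
# member attribute for the user's DN, escaped per RFC 4515 so a DN containing '(', ')',
# '*' or '\' cannot change the filter. Group class and attribute names are assumed.
def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value placed inside a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def groups_of_user_filter(user_dn, group_oc="groupOfNames", member_attr="member"):
    """Filter selecting the groups that list user_dn: memberOf computed by the server."""
    return f"(&(objectClass={group_oc})({member_attr}={escape_filter_value(user_dn)}))"

def ldapsearch_argv(base, filt, attrs=("1.1",), uri="ldap://localhost"):
    """argv for the OpenLDAP client; the filter travels as one argument, so no shell quoting.

    "1.1" asks for no attributes, so only the matching group DNs come back (RFC 4511).
    """
    return ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", base, filt, *attrs]

if __name__ == "__main__":
    import subprocess
    # Constructed DN; the base and URI are assumptions, not values from the post.
    filt = groups_of_user_filter("uid=pedro,ou=people,dc=example,dc=com")
    subprocess.run(ldapsearch_argv("ou=groups,dc=example,dc=com", filt), check=False)
```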
parse_syncrepl_line: unable to parse "bindmethod=sasl"
by devendra ayalasomayajula
I am trying to set up a mirror mode configuration. I attempted to set bindmethod to sasl and I see the following error when slapd starts.
invalid bind config value bindmethod=sasl
/home/y/conf/atlas/slapd_ldapmaster.conf: line 62: Error: parse_syncrepl_line: unable to parse "bindmethod=sasl"
.
failed to add syncinfo
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
The setup runs fine when bindmethod is set to simple.
Appreciate any info on why this is failing.
--dev