openldap-technical June 2011

openldap-technical@openldap.org

80 participants
92 discussions

Schema modification errors
by Marc Elliott 23 Jun '11

23 Jun '11

Hi All, I have a brand new OpenLDAP server installed by Ubuntu and running locally on which I need to alter one of the core schemas to accommodate some legacy data. Unfortunately, I keep getting errors on my modification attempts. (BTW - the LDAP repository is current empty, though schemas have been added to cn=config) The LDIF I've been submitting is: dn: cn=core,cn=schema,cn=config changetype: modify delete: objectclasses objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' ) - add: objectclasses objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description $ uniqueMember ) ) And the error I get is: #!RESULT ERROR #!CONNECTION ldap://localhost:389 #!DATE 2011-06-21T10:29:02.855 #!ERROR [LDAP: error code 21 - objectclasses: value #0 invalid per syntax] dn: cn=core,cn=schema,cn=config changetype: modify delete: objectclasses objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' ) - add: objectclasses objectclasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description $ uniqueMember ) ) Any ideas? I'm new to OpenLDAP and usually try to avoid changing standard schema elements so I may be missing something simple. Thanks! Marc

1 0

ppolicy works, then doesn't
by Bidwell, Matt 22 Jun '11

22 Jun '11

I had ppolicy working. Then it stopped. I've cut some stuff for security but I've included some debug info off the ldap server and the ldapsearch + output for that user. Most notably pwdHistory and pwdChangedTime no longer updates. pwdMinLength seems to work, as does pwdCheckQuality. Any ideas why it stopped working or what else I can use to debug? I've recently changed the hash, but it didn't coincide with the date ppolicy stopped working. Matt >From Ldap server debug: acl: internal mod entryCSN: modify access granted acl: internal mod modifiersName: modify access granted acl: internal mod modifyTimestamp: modify access granted bdb_modify_internal: replace userPassword bdb_modify_internal: replace entryCSN bdb_modify_internal: replace modifiersName bdb_modify_internal: replace modifyTimestampca oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "posixAccount" oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "shadowAccount" oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "inetOrgPerson" oc_check_allowed type "roomNumber" oc_check_allowed type "employeeType" oc_check_allowed type "shadowExpire" oc_check_allowed type "homePhone" oc_check_allowed type "givenName" oc_check_allowed type "mobile" oc_check_allowed type "objectClass" oc_check_allowed type "shadowLastChange" oc_check_allowed type "uid" oc_check_allowed type "mail" oc_check_allowed type "uidNumber" oc_check_allowed type "cn" oc_check_allowed type "telephoneNumber" oc_check_allowed type "loginShell" oc_check_allowed type "host" oc_check_allowed type "gidNumber" oc_check_allowed type "gecos" oc_check_allowed type "homeDirectory" oc_check_allowed type "sn" oc_check_allowed type "structuralObjectClass" oc_check_allowed type "entryUUID" oc_check_allowed type "creatorsName" oc_check_allowed type "createTimestamp" oc_check_allowed type "pwdHistory" oc_check_allowed type "pwdChangedTime" oc_check_allowed type "pwdPolicySubentry" oc_check_allowed type "userPassword" oc_check_allowed type "entryCSN" oc_check_allowed type "modifiersName" oc_check_allowed type "modifyTimestamp" Ldapsearch: # testuser, fte, people, dn: uid=testuser,ou=fte,ou=people structuralObjectClass: inetOrgPerson entryUUID: 2c51bca1-1460-4b26-ae20-3c054c861d30 creatorsName: cn=admin createTimestamp: 20110523222307Z pwdHistory: 20110606211017Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}aZlEl1nHU2K pwdHistory: 20110606211045Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}LCJWgHumf2f pwdHistory: 20110606211056Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}toDKXKosvds pwdChangedTime: 20110606211056Z pwdPolicySubentry: cn=default,ou=policies entryCSN: 20110617223036.234028Z#000000#000#000000 modifiersName: uid=testuser,ou=fte,ou=people modifyTimestamp: 20110617223036Z entryDN: uid=testuser,ou=fte,ou=people subschemaSubentry: cn=Subschema hasSubordinates: FALSE # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1

1 1

Schema modification errors
by Marc Elliott 21 Jun '11

21 Jun '11

1 0

Re: schema replication problems with test059-slave-config
by Christopher Strider Cook 20 Jun '11

20 Jun '11

I'm assuming that my schema sync config issues are related to the mirrormode configuration I have not working well with the additional sync of the cn=schema,cn=config tree into cn=config,cn=slave. So I'm looking for other ways to have a single authoritative schema source that replicates to all locations. Overview: I have a pair of MirrorMode servers syncing cn=config between themselves. Also on these servers is a cn=config,cn=slave which also sync in a MirrorMode setup. Then there are a number of Consumer servers that syncrepl cn=config,cn=slave with a suffixmassage into their local cn=config databases. Initially, there was a syncrepl on the mirrormode servers that synced cn=schema,cn=config into cn=schema,cn=config,cn=slave. But this is failing (I'm presuming do to a conflict over use of the contextCSN, with the mirrormode syncs) So what are my options for keeping cn=schema,cn=config on the consumers in sync with cn=schema,cn=config on the mirrormode providers? Thanks, Chris

1 0

Password Policy
by Darouichi, Aziz 17 Jun '11

17 Jun '11

Hi, I am trying to institute a password policy in openldap-2.4.23. I would like to hash userPassword: I used "ppolicy_hash_cleartext" This is the policy file: dn: ou=policies,dc=establishment,dc=edu objectClass: top objectClass: organizationalUnit ou: policies dn: cn=default,ou=policies,dc=establishment,dc=edu cn: default objectClass: pwdPolicy objectClass: person objectClass: top pwdAllowUserChange: TRUE pwdAttribute: 2.5.4.35 ppolicy_hash_cleartext pwdCheckQuality: 2 pwdExpireWarning: 600 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 5 Password still shows up in clear txt. Thanks

2 1

experiences creating load-balanced/HA OpenLDAP clusters
by David N. Blank-Edelman 17 Jun '11

17 Jun '11

Hi- I'm in the process of building out our next revision of an OpenLDAP cluster (a master, several slaves, and a load balancer HA pair to distribute the workload to these servers). I was curious if anyone who has done a similar thing with open source software would be willing to share their experiences? I've combed the archives and it seems like the last time this topic came up here was around two years ago. I'm not sure the choices have changed much since then, but just in case I thought I'd ask to get a sense of the current "state of the art". At the moment I'm thinking about either doing a Pacemaker + HAproxy setup or just an updated version of our current ultramonkey setup (LVS + heartbeat + ldirectord). Does anybody have a config they particularly like/dislike? Thanks! -- dNb

2 1

Syncrepl issues, "glue" objectClass
by Mark Cairney 17 Jun '11

17 Jun '11

Hi, I've been trying to use a tool called "Grouper" to provision a hierarchical structure into my LDAP directory. I'm currently running OpenLDAP 2.4.25 with BDB 4.8.30 on 3 SL5.5 servers in a multi-master configuration. During the provisioning process it seems to be hitting a race condition where it creates a higher-level ou before the base-level ou is there resulting in the base-level ou existing in the tree with the "glue" objectClass. As this is invisible to searches I end up with syncrepl constantly trying to replicate it ad infinitum: Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 be_modify ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk (0) Jun 10 14:53:16 alder slapd[20702]: syncprov_sendresp: cookie= Jun 10 14:53:16 alder slapd[20702]: do_syncrep2: rid=032 cookie= Jun 10 14:53:16 alder slapd[20702]: do_syncrep2: rid=031 cookie= Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=032 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=032 be_search (0) Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=032 ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 be_search (0) Jun 10 14:53:16 alder slapd[20702]: syncrepl_entry: rid=031 ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk Jun 10 14:53:16 alder slapd[20702]: syncprov_sendresp: cookie= Jun 10 14:53:17 alder last message repeated 210 times Jun 10 14:53:17 alder slapd[20702]: syncrepl_entry: rid=032 be_modify ou=2010/2011,ou=courses,ou=grouper,dc=authorise,dc=ed,dc=ac,dc=uk (0) Jun 10 14:53:17 alder slapd[20702]: do_syncrep2: rid=032 cookie= Jun 10 14:53:17 alder slapd[20702]: syncrepl_entry: rid=032 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) Doing a bit of digging on the web the suggested solution is to modify the object and remove the glue objectlcass but there doesn't seem to be an obvious way to do this given that it's invisible to ldapsearch and if you try an ldapadd the object already exists? Even a sample ldif file for ldapmodify would be grand. Cheers, Mark /********************************* Mark Cairney ITI UNIX Section Information Services University of Edinburgh Tel: 0131 650 6565 Email: mark.cairney(a)ed.ac.uk *********************************/ -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

2 3

allow or deny certain user access to certain hosts
by Hai Tao 16 Jun '11

16 Jun '11

I like to deny certain ldap user from ssh to certain hosts. I wonder how this can be done? Is there a way to associate with the /etc/security/access.conf file with ldap? Thanks. Hai Tao

1 0

Support Reverse Group Membership Maintenance for OpenLDAP 2.3
by Pedro Rodrigo Cardiel 16 Jun '11

16 Jun '11

Hello, I have some doubts about a topic openldap. I am working with groups in ldap and I have the need to ask users of a certain group. I have read that when you ask you can only filter by the field name and the value of this. And there is a way that when you add a user to a group, plus add the field member in the object group, adds a field memberOf to the object person. This is named "Reverse Group Membership Maintenance". I understand that I have to load a module in openldap of this way "moduleload memberof.la" but openldap can not find it. I have seen on the internet there is a package to install that module to the version 2.4. My question is: Does the openfire version 2.3 supports this functionality? I use: Centos Linux ia3 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686 i386 GNU/Linux. Installed Packages Name : openldap Arch : i386 Version : 2.3.43 Release : 12.el5_6.7 Size : 593 k Repo : installed Regards -- ----------------------------------------------------------- Pedro Rodrigo Cardiel Programador Senior GeoSLab Logo C/ Carlos Marx, 6 CP 50015 Zaragoza (Spain) Tlf: +34 976 762134 +34 976 065152 Fax: +34 976 106201 prodrig(a)GeoSLab.com <mailto:suzarso@GeoSLab.com> http://www.GeoSLab.com Follow us on Twitter <http://twitter.com/GeoSLab> ------------------------------------------------------------------------ / Antes de imprimir este correo piensa si realmente es necesario hacerlo / Before printing this email, assess if it is really needed / / ---- ADVERTENCIA ---- La información contenida en este correo electrónico, y en su caso, cualquier fichero anexo al mismo, son de carácter privado y confidencial siendo para uso exclusivo de su destinatario. Si usted no es el destinatario correcto, el empleado o agente responsable de entregar el mensaje al destinatario, o ha recibido esta comunicación por error, le informamos que está totalmente prohibida cualquier divulgación, distribución o reproducción de esta comunicación según la legislación vigente y le rogamos que nos lo notifique inmediatamente, procediendo a su destrucción sin continuar su lectura. / / ---- WARNING ---- Information contained in this email, and any attached files, are private and confidential for the addressee. If you are not the intended recipient, employee or agent responsible for delivering this message to the addressee, or have received this communication by mistake, please be aware that any dissemination, distribution or duplication under current laws is forbidden and we request you to notify us immediately and destroy the message without continue reading. / ------------------------------------------------------------------------

2 1

parse_syncrepl_line: unable to parse "bindmethod=sasl"
by devendra ayalasomayajula 16 Jun '11

16 Jun '11

I am trying to setup mirror mode configuration setup. Attempted to set bindmethod to sasl and I see following error when slapd starts. invalid bind config value bindmethod=sasl /home/y/conf/atlas/slapd_ldapmaster.conf: line 62: Error: parse_syncrepl_line: unable to parse "bindmethod=sasl" . failed to add syncinfo slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. The setups runs fine when bindmethod is set to simple. Appreciate any info on why this is failing. --dev

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2011