Re: OpenLDAP freezes and doesn't respond
by Cyril GROSJEAN
No, I don't use pass-through authentication. Anyway, I'll check the
cyrus-sasl related RPMs just in case
there's an available update or patch from Red Hat.
2011/7/13 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Tuesday, July 12, 2011 11:59 AM +0200 Cyril GROSJEAN <
> cgrosjean(a)janua.fr> wrote:
>
>> # 5 0x00000000004af398 in ldap_pvt_sasl_mutex_dispose ()
>> # 6 0x00000000004b04ca in ldap_pvt_sasl_mutex_dispose ()
>> # 7 0x00000000004b4183 in ldap_pvt_sasl_mutex_dispose ()
>> # 8 0x00000000004b802e in ldap_pvt_sasl_mutex_dispose ()
>> # 9 0x0000000000481a7a in ldap_pvt_sasl_mutex_dispose ()
>> # 10 0x0000000000482547 in ldap_pvt_sasl_mutex_dispose ()
>> # 11 0x00000000004decab in ldap_pvt_sasl_mutex_dispose ()
>> # 12 0x0000000000481b4a in ldap_pvt_sasl_mutex_dispose ()
>> # 13 0x0000000000482127 in ldap_pvt_sasl_mutex_dispose ()
>> # 14 0x000000000043be3e in ldap_pvt_sasl_mutex_dispose ()
>> # 15 0x0000000000481bc2 in ldap_pvt_sasl_mutex_dispose ()
>> # 16 0x0000000000482127 in ldap_pvt_sasl_mutex_dispose ()
>> # 17 0x000000000043c83f in ldap_pvt_sasl_mutex_dispose ()
>> # 18 0x00000000004205a5 in ldap_pvt_sasl_mutex_dispose ()
>> # 19 0x0000000000420b7f in ldap_pvt_sasl_mutex_dispose ()
>> # 20 0x00002ba9886e08a8 in ldap_int_thread_pool_wrapper ()
>>
>
> This looks like a bug with cyrus-sasl to me. Are you doing pass through
> authentication?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
10 years, 11 months
RE: Multi Master OpenLdap.
by arun.sasi1@wipro.com
Team, any update…
From: Arun Sasi V (WI01 - Manage IT)
Sent: Monday, July 11, 2011 3:20 PM
To: E.S. Rosenberg
Cc: openldap-technical(a)openldap.org
Subject: RE: Multi Master OpenLdap.
And also I could see the message below:
nonpresent_callback: rid=003 present UUI
Thanks,
-Arun
10 years, 11 months
Syncrepl can't start ssl session because of refused 'client' certificate
by Thibault Le Meur
Hello,
I'm trying to upgrade an openLdap server from Fedora Core 13
(openldap-servers-2.4.21-11) to Redhat Enterprise 6
(openldap-servers-2.4.23-15.el6.x86_64).
In this new setup, my local bdb backend works: I can query the LDAP
server on this backend using an "ldaps://" connection (it is using a
server certificate).
However, the Syncrepl replication process fails to establish the
"ldaps://" session to my syncrepl-providers.
Indeed, the TLS layer complains that my _server's certificate_ isn't a
valid _client certificate_ (with error 8101 -
SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side
authentication!
In the past syncrepl didn't try to use the server certificate as a
client certificate, and I haven't seen any reference to this in the
documentation.
I first thought it could have been related to ITS#6791 but I don't think
so anymore because it only affects Syncrepl.
Do you think I've missed something in the setup?
Thanks in advance,
Thibault
Here is an excerpt of slapd startup log in debug-mode:
----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate
[CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid -
error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for
certificate named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM
Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error
-8101:Unknown code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr
DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------
Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
provider=ldaps://otherldap.mydom.fr
type=refreshOnly
interval=00:00:03:00
retry="60 10 300 +"
searchbase="dc=subranch,dc=mydom,dc=fr"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
credentials="MyVerySecretPassword"
---------------------------------------------------------
My setup related to TLS:
---------------------------------------------------------
TLSCipherSuite HIGH
TLSCertificateFile /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
And eventually my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
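NSS error -8101 is SEC_ERROR_INADEQUATE_CERT_TYPE: the certificate is not approved for the usage NSS was asked to set it up for, here a TLS client certificate. One concrete thing to verify before digging into why slapd offers the server certificate at all is whether that certificate's Extended Key Usage extension, when present, includes id-kp-clientAuth (1.3.6.1.5.5.7.3.2); a certificate issued with serverAuth only is exactly what NSS rejects as a client certificate, while a certificate with no EKU extension is usable for any purpose. The script below is an added example, not code from the post or from OpenLDAP or NSS. It walks the DER structure directly so it needs no third-party module, does no signature or chain validation, and the certificate skeletons it builds for its own demonstration are constructed and unsigned (only the fields the walker reads are populated). Fixing the EKU only answers whether the certificate is acceptable as a client certificate; whether syncrepl should be presenting it at all is the configuration question the thread is asking.

```python
"""Does an X.509 certificate's Extended Key Usage permit TLS client authentication?
Added example for this thread, not code from the post or from OpenLDAP/NSS: a pure-Python
DER walk (no signature or chain validation).  The sample certificates are constructed."""
import base64
import re
import sys

OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"      # id-kp-clientAuth

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """(tag, value) of each TLV inside a constructed value."""
    pos, out = 0, []
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_oid(raw):
    """Dotted form of DER OBJECT IDENTIFIER content octets."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def extended_key_usage(der_cert):
    """List of EKU OIDs, or None when the extension is absent (any purpose allowed)."""
    _, cert, _ = read_tlv(der_cert, 0)                  # Certificate
    _, tbs, _ = read_tlv(cert, 0)                       # tbsCertificate
    for tag, value in children(tbs):
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        _, extensions, _ = read_tlv(value, 0)
        for _, ext in children(extensions):             # Extension ::= OID [critical] OCTET STRING
            parts = children(ext)
            if decode_oid(parts[0][1]) == OID_EXT_KEY_USAGE:
                _, oids, _ = read_tlv(parts[-1][1], 0)  # OCTET STRING wraps SEQUENCE OF OID
                return [decode_oid(v) for _, v in children(oids)]
    return None

def allows_client_auth(der_cert):
    """True if the certificate may be presented as a TLS client certificate."""
    eku = extended_key_usage(der_cert)
    return eku is None or OID_CLIENT_AUTH in eku

def load_pem(text):
    """DER bytes of the first CERTIFICATE block in a PEM file."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(body.group(1).split()))

# Encoder side of the same rules, used only to build the constructed samples.
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                     # base-128, high bit set on all but the last octet
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out.extend(chunk)
    return der(0x06, bytes(out))

def sample_certificate(eku_oids):
    """Constructed, unsigned certificate skeleton; only the fields the walker inspects are filled."""
    fields = [der(0xA0, der(0x02, b"\x02")),                       # [0] version v3
              der(0x02, b"\x01"),                                  # serialNumber
              der(0x30, encode_oid("1.2.840.113549.1.1.11")),      # sha256WithRSAEncryption
              der(0x30, b""), der(0x30, b""), der(0x30, b""), der(0x30, b"")]  # issuer..SPKI, empty
    if eku_oids is not None:
        value = der(0x04, der(0x30, b"".join(encode_oid(o) for o in eku_oids)))
        fields.append(der(0xA3, der(0x30, der(0x30, encode_oid(OID_EXT_KEY_USAGE) + value))))
    tbs = der(0x30, b"".join(fields))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))   # + signatureAlgorithm, signature

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. the file named by TLSCertificateFile
        with open(path) as fh:
            print(path, "clientAuth allowed:", allows_client_auth(load_pem(fh.read())))
```

Run it against the PEM named by TLSCertificateFile; a result of False for a certificate whose EKU lists only serverAuth matches the "inadequate cert type" the log reports, and the fix on that side is to reissue the certificate with both serverAuth and clientAuth (or no EKU restriction).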
10 years, 11 months
Locking SAMBA Accounts with LDAP backend
by Michael Starling
Hello. Is it possible to have SAMBA respect PAM so that when an LDAP
account gets locked out the SAMBA account simultaneously gets locked
out as well?
All my windows clients are either 2003 or 2008 servers
and if I understand the blurbs below in the samba man page, the
"encrypted password" directive must be set to yes in order for Windows
machines to authenticate against SAMBA, however if "encrypted passwords"
is set to yes then SAMBA will ignore the directive "obey pam
restrictions". Is there any way around this?
I'm sure you'll let me know if this question is better suited for the samba lists.
OS: RHEL 5.5 x64
samba3x-3.5.4-0.70.el5_6.1
openldap-2.3.43-12.el5_6.7
obey pam restrictions (G)
    When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. The default behavior is to use PAM for clear text authentication only and to ignore any account or session management. Note that Samba always ignores PAM for authentication in the case of encrypt passwords = yes. The reason is that PAM modules cannot support the challenge/response authentication mechanism needed in the presence of SMB password encryption.

encrypt passwords (G)
    This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection.
    MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts.
    The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.
    In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server.
-Mike
10 years, 11 months
getent passwd always return 1065 users
by Oliver Schulze L.
Hi,
I have an OpenLDAP server on RHEL4 and after the latest update I can only
get 1065 users from the command getent passwd:
getent passwd | wc -l
I have like 15k users. Slapcat lists them all.
Where should I look for a solution? In the cache size of the BDB, in
/etc/ldap.conf, in slapd.conf?
Many thanks
Oliver
--
Oliver Schulze L.
Asuncion - Paraguay
http://tinymailto.com/oliver
10 years, 11 months
RE: Multi Master OpenLdap.
by arun.sasi1@wipro.com
And also I could see the message below:
nonpresent_callback: rid=003 present UUI
Thanks,
-Arun
10 years, 11 months
RE: Multi Master OpenLdap.
by arun.sasi1@wipro.com
Thank you very much Eli for considering my issue. Here is my scenario...
I couldn't find any abnormality in the log files and I have never seen any deletion logs on the server. Slapd hangs and some IDs disappear; the same is replicated to the slaves too, mainly groups and computer accounts.
I can see some UNBIND and connection lost logs from one server and another multimaster server from
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138411 op=24 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SRCH base="ou=Groups,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65534))"
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138424 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138415 op=21 SRCH base="sambaDomainName=EMB,sambaDomainName=emb,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=emb))"
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138415 op=21 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138385 op=46 SRCH base="ou=Groups,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=test)(cn=test)))"
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: conn=138385 op=46 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: <= bdb_equality_candidates: (displayName) not indexed
Jul 11 04:03:39 gb0135embldap01 slapd[9852]: <= bdb_equality_candidates: (cn) not indexed
Jul 11 04:07:53 gb0135embldap01 slapd[21335]: @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:07:59) $ ^Ibuildd@yellow:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
Jul 11 04:07:54 gb0135embldap01 slapd[21337]: slapd starting
Jul 11 04:07:54 gb0135embldap01 slapd[21337]: conn=0 fd=23 ACCEPT from IP=[::1]:57016 (IP=[::]:389)
Jul 11 04:07:54 gb0135embldap01 slapd[21337]: conn=1 fd=24 ACCEPT from IP=134.32.44.37:40763 (IP=0.0.0.0:389)
OLCDATABASE
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=emb,dc=slb,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
by dn="cn=admin,dc=emb,dc=slb,dc=com" write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write
by anonymous auth by self write
by * none
olcAccess: {1}to dn.base="" by * read
#Enable Local Admin to add users in the Group and also SunOne to add users to country groups
olcAccess: {2}to dn.subtree="ou=groups,dc=emb,dc=slb,dc=com"
by set="user/uid & [cn=group-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write
by * read
#Enable Local Admin to add computers
olcAccess: {3}to dn.subtree="ou=Computers,dc=emb,dc=slb,dc=com"
by set="user/uid & [cn=group-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write
by * read
#Enable shell-admin to set up local user access
olcAccess: {4}to attrs=loginShell,homeDirectory
by set="user/uid & [cn=shell-admin,ou=SuperGroups,dc=emb,dc=slb,dc=com]/memberuid" write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write
by * read
#Enable write access to account sun-one-replication for sun ldap replication.
olcAccess: {5}to *
by dn="cn=admin,dc=emb,dc=slb,dc=com" write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=136.250.9.48 write
by dn="cn=sunone-replication,dc=emb,dc=slb,dc=com" peername.ip=163.185.18.238 write
by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
structuralObjectClass: olcHdbConfig
entryUUID: f479600a-5f34-102f-8ddd-3ff046e70702
creatorsName: cn=admin,cn=config
createTimestamp: 20100928101442Z
olcRootDN: cn=admin,dc=emb,dc=slb,dc=com
olcSyncrepl: {0}rid=003 provider=ldap://gb0135embldap01.emb.slb.com binddn="cn=admin,dc=emb,dc=slb,dc=com" bindmethod=simple credentials=Bsl@121z searchbase="dc=emb,dc=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes
olcSyncrepl: {1}rid=004 provider=ldap://ae0042embldap01.emb.slb.com binddn="cn=admin,dc=emb,dc=slb,dc=com" bindmethod=simple credentials=Bsl@121z searchbase="dc=emb,dc=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes
olcMirrorMode: TRUE
entryCSN: 20100928191927.932499Z#000000#001#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20100928191927Z
Ldap Version
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:07:59) $
Operating system
Distributor ID: Ubuntu
Description: Ubuntu 9.04
Release: 9.04
Codename: jaunty
Thanks,
-Arun
-----Original Message-----
From: E.S. Rosenberg [mailto:esr@g.jct.ac.il]
Sent: Monday, July 11, 2011 12:58 PM
To: Arun Sasi V (WI01 - Manage IT)
Cc: openldap-technical(a)openldap.org
Subject: Re: Multi Master OpenLdap.
Have you tried raising the loglevel?
Are the schemas the same between the servers?
Is time in sync between the servers?
What versions are you dealing with?
You don't provide a lot of info and most of us are not clairvoyant....
Regards,
Eli
2011/7/11 <arun.sasi1(a)wipro.com>:
>
> Thanks,
>
> -Arun
>
> From: Arun Sasi V (WI01 - Manage IT)
> Sent: Wednesday, July 06, 2011 5:46 PM
> To: 'openldap-technical(a)openldap.org'
> Subject: Multi Master OpenLdap.
>
> Hello Team,
>
> I have configured a multi-master mirror-mode replica setup in our environment.
> We have 3 regional slave LDAP servers which are read-only, and two locations we
> have configured as mirror-mode replica LDAP. My problem here is…
>
> The master LDAP hangs sometimes and some IDs are disappearing from the
> master server. I couldn't find any logs there explaining why IDs are
> disappearing or why LDAP is going into a hung state.
>
> Thanks & Regards,
>
> Arun Sasi V
>
> Please do not print this email unless it is absolutely necessary.
>
> The information contained in this electronic message and any attachments to
> this message are intended for the exclusive use of the addressee(s) and may
> contain proprietary, confidential or privileged information. If you are not
> the intended recipient, you should not disseminate, distribute or copy this
> e-mail. Please notify the sender immediately and destroy all copies of this
> message and any attachments.
>
> WARNING: Computer viruses can be transmitted via email. The recipient should
> check this email and any attachments for the presence of viruses. The
> company accepts no liability for any damage caused by any virus transmitted
> by this email.
>
> www.wipro.com
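As an added example (my own code, not part of Arun's configuration or of the OpenLDAP project), here is a small Python parser for olcSyncrepl values that pulls out each consumer's parameters and reports the transport and credential settings a reviewer would look at in a cn=config dump like the one above: plaintext ldap:// without StartTLS, starttls=yes rather than critical, no explicit tls_reqcert, a simple-bind password stored in cn=config, and replication bound as the rootdn. Hostnames, DNs and the credential below are constructed placeholders; the findings are this example's own reading of the syncrepl options in slapd.conf(5), not output of any OpenLDAP tool.

```python
import re

# Constructed sample olcSyncrepl values, shaped like the cn=config dump in the
# thread. Hostnames, DNs and the credential are placeholders, not real values.
SAMPLE_SYNCREPL = [
    '{0}rid=003 provider=ldap://ldap01.example.com '
    'binddn="cn=admin,dc=example,dc=com" bindmethod=simple '
    'credentials=PLACEHOLDER-secret searchbase="dc=example,dc=com" '
    'type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" '
    'timeout=1 starttls=yes',
    '{1}rid=004 provider=ldaps://ldap02.example.com '
    'binddn="cn=replicator,dc=example,dc=com" bindmethod=simple '
    'credentials=PLACEHOLDER-secret searchbase="dc=example,dc=com" '
    'type=refreshAndPersist retry="5 5 300 +" timeout=10 '
    'tls_reqcert=demand',
]
SAMPLE_ROOTDN = "cn=admin,dc=example,dc=com"  # constructed olcRootDN

# key=value or key="quoted value"; quoted values may contain '=' and spaces.
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# cn=config prefixes multi-valued attributes with an {n} ordering marker.
_ORDER = re.compile(r'\{(\d+)\}\s*')


def parse_syncrepl(value):
    """Split one olcSyncrepl attribute value into a dict of its parameters.

    The leading {n} ordering prefix is stored under the key 'order'.
    """
    params = {}
    m = _ORDER.match(value)
    if m:
        params["order"] = int(m.group(1))
        value = value[m.end():]
    for key, raw, quoted in _TOKEN.findall(value):
        params[key] = quoted if raw.startswith('"') else raw
    return params


def audit_syncrepl(params, rootdn=None):
    """Return findings about the transport and credential settings of one
    parsed consumer definition. The checks are this example's own."""
    findings = []
    provider = params.get("provider", "")
    starttls = params.get("starttls", "no")
    uses_tls = provider.startswith("ldaps://") or starttls in ("yes", "critical")

    if provider.startswith("ldap://") and starttls == "no":
        findings.append("provider uses ldap:// without starttls: bind and data in the clear")
    if starttls == "yes":
        # slapd.conf(5): without 'critical' the session continues without TLS
        # when the StartTLS request fails.
        findings.append("starttls=yes continues without TLS if StartTLS fails; use starttls=critical")
    if uses_tls and params.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert not set to demand; peer verification depends on ldap.conf TLS_REQCERT")
    if params.get("bindmethod", "simple") == "simple" and "credentials" in params:
        findings.append("simple bind password stored in cn=config; restrict olcAccess on cn=config and back-ups")
    if rootdn and params.get("binddn", "").lower() == rootdn.lower():
        findings.append("consumer binds as the provider rootdn; use a dedicated, read-only replicator DN")
    return findings


def audit_all(values, rootdn=None):
    """Map each rid to its findings so a report can be keyed by consumer."""
    report = {}
    for value in values:
        params = parse_syncrepl(value)
        report[params.get("rid", "?")] = audit_syncrepl(params, rootdn)
    return report


if __name__ == "__main__":
    for rid, findings in audit_all(SAMPLE_SYNCREPL, SAMPLE_ROOTDN).items():
        print(f"rid={rid}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

To run it against a live configuration, feed it the olcSyncrepl values from `slapcat -n 0` (joined across LDIF continuation lines first) together with the database's olcRootDN; the first constructed consumer above, which mirrors the shape of the posted config, produces four findings, the hardened second one only the stored-password finding.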
10 years, 11 months
RE: Multi Master OpenLdap.
by arun.sasi1@wipro.com
Thanks,
-Arun
From: Arun Sasi V (WI01 - Manage IT)
Sent: Wednesday, July 06, 2011 5:46 PM
To: 'openldap-technical(a)openldap.org'
Subject: Multi Master OpenLdap.
Hello Team,
I have configured a Multi-master Mirror mode replica setup in our
environment. We have 3 regional slave LDAP servers which are read-only, and
two locations we have configured as mirror mode replica LDAP. My problem
here is...
The master LDAP hangs sometimes, and some IDs are disappearing from
the master server. I couldn't find any logs there explaining why the IDs are
disappearing or why LDAP is going into a hung state.
Thanks & Regards,
Arun Sasi V
10 years, 11 months
whose responsibility
by Friedrich Locke
Hi,
I have installed and configured OpenLDAP and so far, so good. But I
have a simple doubt.
Up to now, all users I have added to the LDAP server have a field:
userPassword: {SASL}user@domain
I am connecting to retrieve the entry attributes with the following command:
ldapsearch -x -w PASSWORD -D uid=user,ou=people,dc=my,dc=domain -b uid=user,ou=people,dc=my,dc=domain
And everything works OK.
My doubt is:
who is performing the password checking? The OpenLDAP server
daemon (slapd) or ldapsearch?
Thanks in advance.
Regards,
Friedrich
10 years, 12 months
selective services in an LDAP based CAS setup
by Joe Steeve
Hello all,
We are using OpenLDAP to provide a common authentication back-end for
mail, samba and a couple of web-applications.
We want to selectively enable/disable services (mail, samba, etc.) for
some users based on management policy.
What is the best way to do it using LDAP?
Regards,
Joe
--
.o. I'm a Free man. I use Free Software.
..o
ooo http://www.joesteeve.org/
10 years, 12 months