Hi,
I am trying to set up N-way multimaster configuration using syncrepl on openldap2.4 for RHEL 5.4
Currently I am using two masters for testing.
The slapd.conf on server1 is
moduleload syncprov.la
serverid 124 ldap://devonly144.comverse-in.com
syncrepl rid=124
provider=ldap://devonly144.comverse-in.com:389
type=refreshAndPersist
interval=00:00:01:00
searchbase="dc=comverse-in,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=comverse-in,dc=com"
credentials=sonora
index objectClass,entryCSN,entryUUID eq
mirrormode true
overlay syncprov
syncprov-checkpoint 100 10
The slapd.conf on server2 is
moduleload syncprov.la
serverid 123 ldap://uplite98.comverse-in.com
syncrepl rid=123
provider=ldap://uplite98.comverse-in.com:389
type=refreshAndPersist
interval=00:00:01:00
searchbase="dc=comverse-in,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=comverse-in,dc=com"
credentials=sonora
index objectClass,entryCSN,entryUUID eq
mirrormode true
overlay syncprov
syncprov-checkpoint 100 10
But there is no data synchronization happening between the servers.
When I added the test3 user on server1, it is not reflected on server2. Likewise, when I added the test4 user on server2, it is not reflected on server1.
Please let me know what is missing in this configuration.
Thanks and Regards,
Naga Chaitanya
===============================================================================
Please refer to http://www.aricent.com/legal/email_disclaimer.html
for important disclosures regarding this electronic communication.
===============================================================================
> Hi,
>
> I have a little bit of, mainly experimental, experience configuring
> back-sql to connect to a PostgreSQL database. I have a requirement in
> front of me to expose a small table of user data in the database to an
> existing LDAP client. The data in the database is already in the database
> and managed by another application through the database directly. The
> LDAP API I am being asked to provide will be read-only. In other words,
> the data will continue to be managed by the existing management app. I
> foresee two problems with this approach.
>
> First, since the database table is already populated when the new ldap
> service is turned on, there is no data in the ldap_entries table. Is
> there a way to populate ldap_entries after the fact so that the records
> can be seen by OpenLDAP?
>
> Second, since the data is mastered by another application that goes
> through SQL directly, is there a way to update the ldap_entries table on
> the fly to reflect the additions and deletions that occur once the ldap
> service is up and running?
>
> Right now I am looking at writing a custom procedure to initially populate
> the ldap_entries table and then triggers to manage the additions and
> deletions from that point onward. I was just wondering if there was
> something in back-sql already that might provide a better solution.
>
> We are currently using OpenLDAP 2.4.21.
In terms of a trigger, you could use ldapsync (RFC4533). Another "trick"
that allows you to automatically generate the ldap_entries table consists in
using SQL views. This works relatively well for simple data structures
(e.g. a single type of entries).
p.
Hi all,
I get a notification when using slapadd:
bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/openldap/var/openldap-data: (2)
I tried to fix it following this site: http://www.secure-computing.net/wiki/index.php/OpenLDAP
chown -R ldap:ldap /usr/local/openldap/var/openldap-data
but it failed:
chown: invalid user: `ldap:ldap'
What am I doing wrong? Maybe I don't understand openldap 2.4.6...
Please help,
Best Regards,
Hi all,
Hopefully someone can point me in the right direction as I appear to be
going around in circles at this stage.
I am attempting to migrate from one server running OpenLDAP 2.4.9 configured
with old style slapd.conf to a new server running openldap 2.4.23 with the
dynamic cn=config setup.
I've successfully exported / imported via slapcat and slapadd and using
phpLDAPadmin I can browse all my users. The issue I run into is that the user
passwords do not work when I try to log into services (e.g. IMAP).
Using phpLDAPadmin I perform a password compare and it returns a mismatch.
Looking at the slapcat output for a user, the "userPassword" is afaik md5
run through base64 and presented as such, but once the base64 is decoded it matches
what phpLDAPadmin reports if I export the user.
userPassword:: e01somedandomdataPT0=
I decode this:
user(a)server.tld$ perl <<EOF
> use MIME::Base64;
> print decode_base64('e01somedandomdataPT0=') . "\n";
> EOF
{MD5}thisisahash==
Exporting the user in phpLDAPadmin and comparing its reported userPassword to
the above perl output, they match. As they match I am at a loss as to
why the password is not accepted when I try to log in via IMAP or check the
password in phpLDAPadmin. As soon as I change the password, the account
works fine and the user can log in.
Any help greatly appreciated, as I would rather not have to reset user
passwords!
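The mismatch described above is the kind of thing worth checking offline before resetting anyone's password: decode the `userPassword::` line exactly as slapcat wrote it, then run the same compare slapd would. As an added example, not the poster's code, the Python below does that for the RFC 2307 style {MD5}/{SMD5}/{SHA}/{SSHA} schemes; the sample value is a constructed {MD5} hash of the word "secret", not the poster's real hash.

```python
# Added example (not the poster's code): check an LDIF userPassword value offline
# the way slapd does on compare, for RFC 2307 style {MD5}/{SMD5}/{SHA}/{SSHA} hashes.
import base64
import hashlib
import hmac

# scheme -> (hashlib name, digest length); salted schemes store digest || salt
SCHEMES = {"MD5": ("md5", 16), "SMD5": ("md5", 16), "SHA": ("sha1", 20), "SSHA": ("sha1", 20)}

def ldif_value(line):
    """Value of one LDIF line; 'attr:: ...' marks a base64-encoded value, which is
    how slapcat always writes userPassword (the '::' in the post above)."""
    _, _, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode()
    return rest.strip()

def split_stored(stored):
    """Split '{SCHEME}base64' into (scheme, digest, salt); no prefix means cleartext."""
    if not stored.startswith("{") or "}" not in stored:
        return None, stored.encode(), b""
    scheme, _, b64 = stored[1:].partition("}")
    if scheme.upper() not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    raw = base64.b64decode(b64)
    _, dlen = SCHEMES[scheme.upper()]
    return scheme.upper(), raw[:dlen], raw[dlen:]

def check_password(stored, candidate):
    """True if candidate matches the stored value (constant-time comparison)."""
    scheme, digest, salt = split_stored(stored)
    if scheme is None:
        return hmac.compare_digest(digest, candidate.encode())
    algo, _ = SCHEMES[scheme]
    computed = hashlib.new(algo, candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)

def make_hash(scheme, password, salt=b""):
    """Produce a stored value in the same format (salt is appended after the digest)."""
    algo, _ = SCHEMES[scheme]
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def to_ldif(attr, value):
    """Emit the 'attr:: base64' form that slapcat uses for userPassword."""
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

# Constructed sample: {MD5} of the word "secret" (what slappasswd -h {MD5} -s secret prints).
SAMPLE_LINE = to_ldif("userPassword", "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==")
```

If `check_password(ldif_value(line), known_password)` is false for a hash that decodes to the expected `{MD5}...` string, the stored digest itself does not correspond to that password, whatever the export tool displays.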
Hi,
I would like to give a set of users the ability to create objects in the
directory under a specific dn. It seems by reading the Admin Manual
(specifically the bottom of 8.3.1) that setting the children attribute I
can create correctly. I do not want them to be able to remove the DN after
they have added it. So I can't just give them write access to the DN, as
that would give them the ability to delete. Am I missing something, or is
this just not possible with the current ACL structure?
Eg.
olcAccess: {9} to dn="ou=groups,dc=example,dc=com" attrs=children by
dn.children="ou=people,dc=example,dc=com" write
So I would like to add a group,
cn=foo,ou=groups,dc=example,dc=com
but not allow someone in ou=people,dc=example,dc=com to delete the DN
after it is created.
Thanks,
derek
--
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies
Hi, OpenLDAP developers,
Do you have any sample test programs (or code snippets) that use the OpenLDAP client API to connect to an LDAP server over SSL?
Thanks in advance.
Daisy
Thanks Quanah, delta replication is working now.
I increased "interval" and changed "type" to RefreshAndPersist, but the real
cause was "logfilter", which I corrected as below.
syncrepl rid=124
..........
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))".
.......
Thanks
Rupesh
On Fri, Aug 26, 2011 at 1:56 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, August 26, 2011 3:06 AM +0700 Rupesh Thakkar <
> rupeshthakkar(a)gmail.com> wrote:
>
>> I have configured syncrepl provider and consumer with syncrepl delta
>> replication as in document
>>
>
> The first piece of data to *always* provide is the version of OpenLDAP you
> are running.
>
>
> syncrepl rid=125
>> provider=ldap://10.52.35.204:**389<http://10.52.35.204:389>
>> type=refreshOnly
>>
>
> Save yourself headaches and use RefreshAndPersist
>
>
> interval=00:00:00:10
>>
>
> This interval is probably not long enough between connections. Use
> RefreshAndPersist instead, see above.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
Hi all,
I searched in the mailing list archives but did not find any solution
for my problem. Here it is: I want to enable SASL passwords with
saslauthd but I have more than one LDAP directory as authentication
backend. So the goal is to delegate the authentication to a specific
directory depending on a user attribute.
I know this is not directly possible with saslauthd and OpenLDAP, as
OpenLDAP uses only one saslauthd socket, and saslauthd can use only
one LDAP directory as backend (several for failover, but all with the
same suffix, bind DN, etc.)
My idea was to add an OpenLDAP meta between saslauthd and the LDAP
backends, and use the domain part of the SASL credential to route the
LDAP request to the right LDAP directory. For example:
{SASL}alice@LDAP1 would bind to LDAP 1 and {SASL}bob@LDAP2 would bind
to LDAP 2. As the domain part can be used in saslauthd configuration
for the LDAP filter or the LDAP search base, we can maybe have this
configuration in saslauthd.conf :
ldap_search_base: ou=%d,dc=example,dc=com
ldap_filter: uid=%U
And then the OpenLDAP Meta would manage the ou=LDAP1,dc=example,dc=com
and ou=LDAP2,dc=example,dc=com to access the target LDAP directory.
Has anyone ever tried something like this? Do you have other suggestions?
Thanks for your help,
Clément.
I have configured syncrepl provider and consumer with syncrepl delta
replication as in document
http://www.openldap.org/doc/admin24/replication.html.
The consumer log shows it receives synchronization cookies for new updates
on the provider. But the actual entries are not reflected in the consumer, and the
log below doesn't seem to show any errors.
-----------------------------------------------------------------------------------------------------------------
do_syncrep2: rid=125 LDAP_RES_SEARCH_RESULT
do_syncrep2: rid=125 cookie=rid=125,csn=20110823211754.204723Z#000000#000#000000
slap_queue_csn: queing 0xa2209020 20110823211754.204723Z#000000#000#000000
slap_graduate_commit_csn: removing 0xa2209050 20110823211754.204723Z#000000#000#000000
do_syncrep2: rid=125 LDAP_RES_SEARCH_RESULT
-----------------------------------------------------------------------------------------------------------------
Any thoughts on this? Below is the consumer configuration.
syncrepl rid=125
provider=ldap://10.52.35.204:389
type=refreshOnly
interval=00:00:00:10
retry="5 5 20 5"
searchbase="dc=suretecsystems,dc=com"
filter="(objectClass=person)"
scope=sub
attrs="cn,sn,objectClass"
schemachecking=off
bindmethod=simple
binddn="cn=Replicator,dc=suretecsystems,dc=com"
credentials=secret
logbase="cn=accesslog"
logfilter="(&(objectClass=person)(reqResult=0))"
syncdata=accesslog
limits dn.exact="cn=Replicator,dc=suretecsystems,dc=com" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
updateref ldap://10.52.35.204
Thanks
Rupesh
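The two syncrepl threads on this page share one failure class: a consumer stanza that is syntactically complete but points at the wrong thing. In the mirrormode pair at the top, each server's `provider=` names the same host as its own `serverid` URL; in the delta-syncrepl consumer just above, `logfilter` selects `person` objects instead of the accesslog entries the follow-up corrects it to. As an added example, not code from any poster, here is a small Python linter for slapd.conf-style syncrepl stanzas that flags both; the sample configs are constructed from the posted ones.

```python
# Added example (not the posters' code): lint syncrepl stanzas from slapd.conf text.
import re
from urllib.parse import urlparse

def parse_slapd_conf(text):
    """Return (serverid URLs, syncrepl stanzas as dicts). Mail clients strip the
    indent of continuation lines, so any key=value line after syncrepl is taken."""
    serverids, stanzas, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"serverid\s+(\d+)\s+(\S+)", line):
            serverids.append(m.group(2)); cur = None
        elif m := re.match(r"syncrepl\s+rid=(\d+)", line):
            cur = {"rid": int(m.group(1))}; stanzas.append(cur)
        elif cur is not None and (m := re.match(r"(\w+)=(.*)", line)):
            cur[m.group(1).lower()] = m.group(2).strip().strip('"')
        else:
            cur = None  # any other directive ends the stanza
    return serverids, stanzas

def endpoint(url):
    """(host, port) so that ldap://h and ldap://h:389 compare equal."""
    p = urlparse(url)
    return (p.hostname or "").lower(), p.port or (636 if p.scheme == "ldaps" else 389)

def lint(text):
    """Findings for the two mistakes seen in the threads above (constructed checks)."""
    serverids, stanzas = parse_slapd_conf(text)
    own = {endpoint(u) for u in serverids}
    findings = []
    for s in stanzas:
        rid = s["rid"]
        # mirrormode: each server's consumer must point at the *other* master
        if "provider" in s and endpoint(s["provider"]) in own:
            findings.append(f"rid={rid}: provider is this server's own serverid URL")
        # delta-syncrepl: logfilter must select accesslog entries, not the data objects
        if s.get("syncdata") == "accesslog" and not re.search(
                r"objectClass=audit", s.get("logfilter", ""), re.I):
            findings.append(f"rid={rid}: logfilter does not match accesslog audit entries")
    return findings

# Constructed samples reduced from the configs posted above.
SERVER1 = ("serverid 124 ldap://devonly144.comverse-in.com\nsyncrepl rid=124\n"
           "provider=ldap://devonly144.comverse-in.com:389\ntype=refreshAndPersist\nmirrormode true\n")
DELTA = ("syncrepl rid=125\nprovider=ldap://10.52.35.204:389\nsyncdata=accesslog\n"
         'logfilter="(&(objectClass=person)(reqResult=0))"\n')
```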
Hi,
I am planning to configure sudoers on openldap2.4 for RHEL 5.4.
Can anyone share the configuration steps that need to be done at the server and client end?
Thanks and Regards,
Naga Chaitanya