Translucent attribute local search problem
by benoit
I've set up a simple translucent configuration as described at
http://www.openldap.org/doc/admin24/overlays.html#Translucent Proxy
on a Debian squeeze, 2.4.23 server.
lastmod off
overlay translucent
translucent_local telephoneNumber3,gidNumber
uri "ldap://master.example.com"
acl-bind binddn="cn=manager,dc=example,dc=com"
credentials="{SHA}ABC123"
I can override (gidNumber) or add attributes (telephoneNumber3):
$ cat add.ldif
dn: uid=bob,ou=people,dc=example,dc=com
gidNumber: 00000
telephoneNumber3: 0000000
$ ldapadd -H ldap://proxy.example.com -x -W -D 'cn=Manager,dc=example,dc=com' -f add.ldif
adding new entry "uid=bob,ou=people,dc=example,dc=com"
A query on the translucent server retrieves both remote and local attributes:
$ ldapsearch -LLL -H ldap://proxy.example.com -x -b "ou=people,dc=example,dc=com" '(uid=bob)'
dn: uid=bob,ou=people,dc=example,dc=com
...
gidNumber: 00000
telephoneNumber: 1111111
telephoneNumber3: 0000000
But searches against locally added or overridden attributes fail:
$ ldapsearch -LLL -H ldap://proxy.example.com -x -b "ou=people,dc=example,dc=com" '(gidNumber=00000)'
$ ldapsearch -LLL -H ldap://proxy.example.com -x -b "ou=people,dc=example,dc=com" '(telephoneNumber3=0000000)'
Thank you for your help.
11 years, 10 months
migrating from shadowAccount to password policy overlays
by Jonathon Anderson
We are in the midst of migrating from `shadowAccount` objects to the
password policy overlay. Everything seems to be working so far, but I
have been unable to migrate the data from `shadowLastChange` to
`pwdChangedTime`. In particular, once I have the desired value for
`pwdChangedTime`, I don't know how to write it into the attribute.
ldap_modify: Constraint violation (19)
additional info: pwdChangedTime: no user modification allowed
I read something about "relax rules" and oid
`1.3.6.1.4.1.4203.666.5.12`, but I haven't figured out how to use it.
How do I execute an `ldapmodify` that writes into `pwdChangedTime`?
~jonathon
11 years, 10 months
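An added example, not part of the post above and not OpenLDAP's own code: a Python script that converts shadowLastChange (days since 1970-01-01) into the GeneralizedTime form that pwdChangedTime uses, and emits the LDIF for the change. pwdChangedTime is an operational attribute flagged NO-USER-MODIFICATION, which is why a plain modify is refused with constraint violation (19). ldapmodify's `-e relax` option sends the Relax Rules control (OID 1.3.6.1.4.1.4203.666.5.12, the one named in the post), under which slapd lets an identity with manage access (the rootdn has it) write such attributes. shadowLastChange has day resolution only, so the converted timestamp is midnight UTC of that day. The ldapsearch output embedded below is constructed; the DNs are placeholders.

```python
import datetime

# Relax Rules control (OpenLDAP's LDAP_CONTROL_RELAX); `ldapmodify -e relax` sends it.
RELAX_RULES_OID = "1.3.6.1.4.1.4203.666.5.12"

EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def shadow_to_pwd_changed_time(days):
    """Convert shadowLastChange (days since 1970-01-01) to GeneralizedTime.

    shadowLastChange only carries the day, so the time of day becomes
    midnight UTC; pwdChangedTime expects YYYYMMDDHHMMSSZ.
    """
    days = int(days)
    if days < 0:
        raise ValueError("shadowLastChange must be non-negative")
    return (EPOCH + datetime.timedelta(days=days)).strftime("%Y%m%d%H%M%SZ")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_shadow_entries(ldif_text):
    """Return [(dn, shadowLastChange)] from `ldapsearch -LLL` output."""
    entries = []
    dn = days = None
    for line in unfold_ldif(ldif_text) + [""]:
        if not line:
            if dn is not None and days is not None:
                entries.append((dn, days))
            dn = days = None
        elif line.startswith("dn: "):
            dn = line[len("dn: "):]
        elif line.startswith("shadowLastChange: "):
            days = int(line[len("shadowLastChange: "):])
    return entries


def migration_ldif(entries):
    """One LDIF modify record per entry, replacing pwdChangedTime."""
    records = []
    for dn, days in entries:
        records.append(
            f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: pwdChangedTime\n"
            f"pwdChangedTime: {shadow_to_pwd_changed_time(days)}\n"
            "-\n"
        )
    return "\n".join(records)


# Constructed sample, in the shape produced by
#   ldapsearch -LLL -b ou=people,dc=example,dc=com '(shadowLastChange=*)' shadowLastChange
# (the second DN is line-wrapped the way ldapsearch wraps long lines).
SAMPLE = """dn: uid=alice,ou=people,dc=example,dc=com
shadowLastChange: 15000

dn: uid=bob,ou=people,dc=example,
 dc=com
shadowLastChange: 0
"""

if __name__ == "__main__":
    # Save the output as migrate.ldif and apply it with:
    #   ldapmodify -e relax -H ldap://host -D cn=Manager,dc=example,dc=com -W -f migrate.ldif
    print(migration_ldif(parse_shadow_entries(SAMPLE)))
```

Because pwdChangedTime is operational, a follow-up `ldapsearch ... pwdChangedTime` (or `+`) is needed to see the written value; it is not returned with the default attribute list.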
smbldap-populate error
by Adrián Arévalo Tirado
OpenLDAP version: 2.4.23-7.2
Samba Version: 2:3.5.6
Operating System Debian 6.0 "Squeeze"
Hello everybody.
I'm trying to install a Samba + LDAP PDC but when I try to create the database
with smbldap-populate I get this error:
--------------------------------------------------------------------------------
Populating LDAP directory for domain empresa
(S-1-5-21-802753395-3202467916-1484007712)
(using builtin directory structure)
entry dc=empresa,dc=com already exist.
entry ou=Users,dc=empresa,dc=com already exist.
entry ou=Groups,dc=empresa,dc=com already exist.
entry ou=Computers,dc=empresa,dc=com already exist.
entry ou=Idmap,dc=empresa,dc=com already exist.
adding new entry: uid=root,ou=Users,dc=empresa,dc=com
failed to add entry: objectClass: value #4 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 58.
adding new entry: uid=nobody,ou=Users,dc=empresa,dc=com
failed to add entry: objectClass: value #4 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 89.
adding new entry: cn=Domain Admins,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 101.
adding new entry: cn=Domain Users,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 112.
adding new entry: cn=Domain Guests,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 123.
adding new entry: cn=Domain Computers,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 134.
adding new entry: cn=Administrators,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 179.
adding new entry: cn=Account Operators,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 201.
adding new entry: cn=Print Operators,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 212.
adding new entry: cn=Backup Operators,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 223.
adding new entry: cn=Replicators,ou=Groups,dc=empresa,dc=com
failed to add entry: objectClass: value #2 invalid per syntax at
/usr/sbin/smbldap-populate line 498, <GEN1> line 234.
adding new entry: sambaDomainName=empresa,dc=empresa,dc=com
failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 498, <GEN1> line 242.
Please provide a password for the domain root:
/usr/sbin/smbldap-passwd: user root doesn't exist
----------------------------------------------------------------------------------
In the log file I get this other error:
----------------------------------------------------------------------------------
slapd[1369]: conn=1005 op=28 do_search: invalid dn:
"sambaDomainName=empresa,dc=empresa,dc=com"
slapd[1369]: conn=1005 op=29 do_add: invalid dn
(sambaDomainName=empresa,dc=empresa,dc=com)
----------------------------------------------------------------------------------
I included in slapd.conf the samba.schema.
Any ideas? I've been looking for any solution for 4 days and nobody seems to
know anything.
Thanks in advance for the responses.
--
Adrian <adri58(a)gmail.com>
11 years, 10 months
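An added example, not from the post above: a Python checker that reads a dump of the server's subschema subentry and reports which Samba attribute types and object classes are absent. The two messages in the post are what slapd produces when it does not know a schema element: a DN whose RDN attribute type is undefined is reported as "invalid dn", and an objectClass value that names an undefined class is rejected as "invalid per syntax". So the first thing to confirm is that the definitions from samba.schema are present in the running server, not just named in slapd.conf. The required-name lists are assumptions about what smbldap-populate needs; the embedded subschema text is constructed, and the OIDs under 1.3.6.1.4.1.99999 are placeholders rather than samba.schema's real OIDs. On a live server the input would come from `ldapsearch -x -b cn=Subschema -s base '(objectClass=*)' attributeTypes objectClasses`.

```python
import re

# Samba schema elements the populate step relies on (assumed list, not from the post).
REQUIRED_ATTRIBUTES = ("sambaDomainName", "sambaSID")
REQUIRED_OBJECTCLASSES = ("sambaDomain", "sambaSamAccount", "sambaGroupMapping")

# NAME 'single' or NAME ( 'first' 'alias' ... ) inside an RFC 4512 definition.
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def unfold(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def schema_names(subschema_text, kind):
    """Set of NAMEs declared on every `kind:` line (kind is 'attributeTypes'
    or 'objectClasses') of a subschema subentry dump."""
    names = set()
    prefix = kind + ": "
    for line in unfold(subschema_text):
        if not line.startswith(prefix):
            continue
        m = NAME_RE.search(line)
        if m is None:
            continue
        if m.group(1):
            names.add(m.group(1))
        else:
            names.update(re.findall(r"'([^']+)'", m.group(2)))
    return names


def missing_samba_schema(subschema_text):
    """Required Samba names that the server's subschema does not declare."""
    attrs = schema_names(subschema_text, "attributeTypes")
    ocs = schema_names(subschema_text, "objectClasses")
    return {
        "attributeTypes": [a for a in REQUIRED_ATTRIBUTES if a not in attrs],
        "objectClasses": [o for o in REQUIRED_OBJECTCLASSES if o not in ocs],
    }


# Constructed subschema dump with only core/NIS definitions (no samba.schema).
SAMPLE_NO_SAMBA = """dn: cn=Subschema
attributeTypes: ( 2.5.4.0 NAME 'objectClass' DESC 'RFC4512: object classes of
  the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'RFC1274
 : user identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY MUST ( cn
  $ uid $ uidNumber $ gidNumber $ homeDirectory ) )
"""

# Same dump with Samba definitions added; the 99999 OIDs are placeholders.
SAMPLE_WITH_SAMBA = SAMPLE_NO_SAMBA + """\
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'sambaSID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'sambaDomainName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'sambaSamAccount' SUP top AUXILIARY MUST ( uid $ sambaSID ) )
objectClasses: ( 1.3.6.1.4.1.99999.2.2 NAME 'sambaGroupMapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID ) )
objectClasses: ( 1.3.6.1.4.1.99999.2.3 NAME 'sambaDomain' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) )
"""

if __name__ == "__main__":
    print("without samba.schema:", missing_samba_schema(SAMPLE_NO_SAMBA))
    print("with samba.schema:   ", missing_samba_schema(SAMPLE_WITH_SAMBA))
```

If the first list is non-empty on a real server, slapd is not loading the schema it was told about: check that the `include` line for samba.schema precedes the database definitions in slapd.conf, that slapd actually read that file (and not a cn=config directory taking precedence), and that it was restarted.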
The problem of BINDDN/BINDPW in ldap.conf
by Tianyin Xu
Hi, all,
I'm using Ubuntu 10.04 and LDAP 2.4.23. I'm having difficulty with the
basic binding.
I don't want to allow anonymous ldapsearch on the LDAP server so I specify
a dn and password for the bind. If I use the following parameters for
ldapsearch like
ldapsearch -b "dc=ucsd,dc=edu" -D "cn=admin,dc=ucsd,dc=edu" -w 1234
This works quite fine. Then, I write the parameters into ldap.conf as
follows:
-----------------ldap.conf-----------------------
BASE dc=ucsd,dc=edu
BINDDN cn=admin,dc=ucsd,dc=edu
BINDPW 12345
-----------------------------------------------------
Then only BASE has effect. According to the ldap.conf manual, BINDDN is a
"user-only" attribute and needs to go in ~/.ldaprc; it doesn't mention
BINDPW at all.
But searching on the web, I found several cases that used "binddn" and
"bindpw" in ldap.conf and worked successfully. So I'm quite confused about
these two directives.
Could anyone explain BINDDN and BINDPW to me a little?
Thanks a lot!!
Tianyin
--
Tianyin XU,
http://cseweb.ucsd.edu/~tixu/
11 years, 10 months
Extending smbk5pwd overlay
by Clément OUDOT
Hello,
I am interested in extending the features of smbk5pwd overlay to
manage more password mechanisms:
* Digest MD5 for authentication (see
http://en.wikipedia.org/wiki/Digest_access_authentication): we will
have MD5(user:domain:password), with configuration for user attribute
to use and the domain string
* Active Directory password: will use the syntax of AD unicodePwd, in
order to sync the attribute into AD
Are you interested in adding these features to the current smbk5pwd
overlay, or do you prefer that we create new overlay(s) for this?
Another question: would you accept an option on the smbk5pwd overlay
so it can be triggered by simple userPassword modifications instead of
only extended password modification operation?
Regards,
Clément OUDOT.
11 years, 10 months
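An added example, not the overlay's code and not part of the post: Python that derives the two values the proposal describes, the HTTP Digest HA1 hash MD5(username:realm:password) as hex, and the Active Directory unicodePwd encoding, which is the password wrapped in double quotes and encoded as UTF-16LE. It also computes a Digest response from HA1 alone, which is the security point worth seeing: unlike a salted userPassword hash, HA1 is a password equivalent for that realm (anyone holding it can complete Digest authentication without the password), and unicodePwd is the cleartext itself, so an overlay that stores or forwards these must restrict read access to them at least as tightly as userPassword and must only send unicodePwd over an encrypted session. The inputs are the worked example from RFC 2617 section 3.5, which the Wikipedia page cited in the post also reproduces.

```python
import base64
import hashlib


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HTTP Digest HA1 = MD5(username:realm:password).

    This is what the proposed overlay would store per user for the
    configured realm string; treat it as a password-equivalent secret.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client response for qop=auth, computed from HA1 alone.

    Whoever reads the stored HA1 can authenticate without ever learning
    the password, which is why the attribute needs userPassword-grade ACLs.
    """
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def unicode_pwd(password):
    """AD unicodePwd value: the password in double quotes, UTF-16LE encoded.

    This is the cleartext; AD only accepts it over an encrypted connection.
    """
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_ldif(password):
    """LDIF line for unicodePwd (binary value, hence base64 with '::')."""
    return "unicodePwd:: " + base64.b64encode(unicode_pwd(password)).decode("ascii")


if __name__ == "__main__":
    # RFC 2617 section 3.5 example values (constructed test vector, not from the post).
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print("HA1      :", ha1)
    print("response :", digest_response(
        ha1, "GET", "/dir/index.html",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b"))
    print(unicode_pwd_ldif("Circle Of Life"))
```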
Heavy load problems
by Angel L. Mateo
Hello,
We have an OpenLDAP farm (2.3.30, Debian etch version, 32 bits) with 4 nodes
(Xen VMs with one CPU core, Intel Xeon 3.20GHz and 2GB of RAM). In that
farm we have two databases, one with 121K entries (for authenticating
users, with lots of connections) and another with 40K entries (with public
information about our students, for example).
Now we have migrated to two OpenLDAP (2.4.21, Ubuntu lucid 64 bits)
farms. One with 4 nodes (Xen VMs with two CPU cores, Xeon E5450 3GHz, 2
GB of RAM) for the authentication database, and another with 2 nodes (with
the same resources as the other) for the other database.
The problem is that in the authentication farm we are having lots of
problems due to heavy load, although we have not completely migrated all
clients to this new farm (we still have clients querying the old
farm), whereas in the old farm we didn't have any problem (just some
occasional problems a long time ago).
The only difference between the old and the new farm is that the old
farm was replicating information with slurpd. The new one is a
multimaster configuration. The configuration of the replica is:
mirrormode on
syncrepl rid=11
provider="ldap://<server1>.um.es"
binddn="<replica user dn>"
bindmethod=simple
credentials=<creds>
searchbase="<base of database>"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 +"
timeout=1
syncrepl rid=12
provider="ldap://<server2>.um.es"
binddn="<replica user dn>"
bindmethod=simple
credentials=<creds>
searchbase="<base of database>"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 +"
timeout=1
syncrepl rid=13
provider="ldap://<server3>.um.es"
binddn="<replica user dn>"
bindmethod=simple
credentials=<creds>
searchbase="<base of database>"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 +"
timeout=1
syncrepl rid=14
provider="ldap://<server4>.um.es"
binddn="<replica user dn>"
bindmethod=simple
credentials=<creds>
searchbase="<base of database>"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 +"
timeout=1
This configuration is in the 4 farm nodes. We have checked indexes and
both farms have the same.
Another difference is that authentication database entries have some
attributes obtained from the other database via the dynlist overlay. In the
old farm, because the two databases were on the same server, we had no
problem, but in the new one we have to configure this database as an
ldap proxy to the other farm, with the cache overlay used on it.
Heavy load appears randomly on all nodes (not always on all nodes at
the same time). When this happens, slapd is using 100% CPU (well... top
reports 200% because we have two CPUs); there is no swap, no iowait....
Any idea of what the problem could be? Is this multimaster
configuration such a heavy load?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información _o)
y las Comunicaciones Aplicadas (ATICA) / \\
http://www.um.es/atica _(___V
Tfo: 868887590
Fax: 868888337
11 years, 10 months
OpenLDAP 2.4.28 causing Apache 2.2 to hang
by Kyle Smith
I recently upgraded OpenLDAP 2.4.26 to 2.4.28. When I did that, a
separate server running apache 2.2 and php 5 started to hang every
10-15 minutes. It freezes to the point that it no longer accepts
requests.
This apache server is using a wildcard cert for https and uses
php5-ldap which depends on libgnutls26 and libldap2.4-2. I am
currently investigating further, but was wondering if the changes to
MozNSS or GNUTls in 2.4.27 (ITS #7051, 6980, 6998, 7001, 7002, 7022,
7034 & 7006) may be interfering with apache. I don't think OpenLDAP is
the cause; I am leaning towards an apache/php configuration error, but
the problem only occurs when I use 2.4.28. OpenLDAP 2.4.26 operates
normally and is stable across the board. Any ideas?
ldapsearch -H ldaps://ldap.my.com works fine, no errors with
connecting or searching.
11 years, 11 months
Syncrepl: consumer ignores bindmethod=sasl
by Tim Dijkstra
Hi All,
I'm trying to get syncrepl to work with TLS and SASL EXTERNAL. I think
I configured everything correctly; I explicitly state it should use
bindmethod=sasl, but in the logs I see it is using simple nonetheless.
Replication subsequently fails because of lack of access rights. Using
ldapsearch with identical settings in .ldaprc works... I'm at a loss.
Does anybody know what is going on?
Excerpt from slapd.conf of consumer:
syncrepl rid=13
provider=ldaps://example.org:636
type=refreshAndPersist
interval=00:00:30:00
searchbase="ou=People,dc=example,dc=org"
scope=sub
bindmethod=sasl
saslmech=EXTERNAL
schemachecking=off
authcid=cn=kelderlied,ou=hosts,o=example
authzid=cn=kelderlied,ou=hosts,o=example
tls_cacert=/etc/ldap/trusted/ca.drs.p-cacert_root_3.pem
tls_cert /etc/ssl/CA/kelderlied.crt
tls_key /etc/ssl/CA/kelderlied.key
tls_reqcert=demand
starttls=critical
When syncrepl from the consumer is started, in the logs of the provider I
see:
> ACCEPT from IP=A.B.C.D:55428 (IP=0.0.0.0:636)
> TLS established tls_ssf=128 ssf=128
> BIND dn="" method=128
> conn=1099 op=0 RESULT tag=97 err=0 text=
> SRCH BASE.....
So, TLS is successful (I have TLS_REQ = demand on the provider), but a simple bind is requested.
Here I do a search by hand with identical settings in my .ldaprc, which succeeds:
> ldapsearch -H ldaps://example.org:636 -Y EXTERNAL -b "ou=people,dc=example,dc=org" "(objectClass=*)"
>
In the logs:
> ACCEPT from IP=A.B.C.D:55434 (IP=0.0.0.0:636)
> TLS established tls_ssf=128 ssf=128
> BIND dn="" method=163
> BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example"
> BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128
> RESULT tag=97 err=0 text=
>
Any help is appreciated...
Tim
11 years, 11 months
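An added example, not the poster's and not OpenLDAP's code: a Python detector that walks slapd stats-level log lines, pairs each BIND with its RESULT and flags binds a replication identity should never perform. The method numbers in the posted excerpt are the LDAP bind method tags from ldap.h: 128 (0x80) is a simple bind and 163 (0xa3) is a SASL bind, so `BIND dn="" method=128` followed by `RESULT err=0` is a successful anonymous simple bind, which is what the consumer ended up doing. The same logic flags a simple bind on a connection that never logged `TLS established`, i.e. a password on the wire. The log lines below are constructed after the excerpt in the post (the real lines carry a `conn=N op=M` prefix, which the post trimmed); the `conn=1101` case is an added scenario to show the no-TLS check.

```python
import re
from collections import defaultdict

# Bind method tags as logged by slapd (LDAP_AUTH_SIMPLE / LDAP_AUTH_SASL in ldap.h).
LDAP_AUTH_SIMPLE = 128  # 0x80
LDAP_AUTH_SASL = 163    # 0xa3

CONN_RE = re.compile(r"conn=(\d+)")
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|RESULT) (.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def kv(s):
    """Parse `key=value key="quoted value"` pairs from a log line tail."""
    return {k: q or u for k, q, u in KV_RE.findall(s)}


def audit_binds(log_lines):
    """Return one finding per bind operation, in RESULT order.

    Each finding records conn, op, the bound dn, method/mech, whether TLS
    was established on that connection, whether the bind succeeded, and a
    list of issues: 'anonymous simple bind' and 'simple bind without TLS'.
    """
    tls = defaultdict(bool)          # conn -> TLS established on this connection
    pending = {}                     # (conn, op) -> finding awaiting its RESULT
    findings = []
    for line in log_lines:
        if "TLS established" in line:
            m = CONN_RE.search(line)
            if m:
                tls[m.group(1)] = True
            continue
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, what, rest = m.groups()
        fields = kv(rest)
        key = (conn, op)
        if what == "BIND":
            f = pending.setdefault(key, {
                "conn": conn, "op": op, "dn": "", "method": None,
                "mech": None, "tls": tls[conn], "issues": []})
            if "method" in fields:               # first BIND line: method + requested dn
                f["method"] = int(fields["method"])
                f["dn"] = fields.get("dn", "")
            if "mech" in fields:                 # SASL: final line carries the mapped dn
                f["mech"] = fields["mech"]
                f["dn"] = fields.get("dn", f["dn"])
        elif what == "RESULT" and key in pending:
            f = pending.pop(key)
            f["success"] = fields.get("err") == "0"
            if f["method"] == LDAP_AUTH_SIMPLE:
                if f["dn"] == "":
                    f["issues"].append("anonymous simple bind")
                if not f["tls"]:
                    f["issues"].append("simple bind without TLS")
            findings.append(f)
    return findings


# Constructed sample log, modelled on the excerpt in the post.
SAMPLE_LOG = """\
conn=1099 fd=22 ACCEPT from IP=192.0.2.10:55428 (IP=0.0.0.0:636)
conn=1099 fd=22 TLS established tls_ssf=128 ssf=128
conn=1099 op=0 BIND dn="" method=128
conn=1099 op=0 RESULT tag=97 err=0 text=
conn=1099 op=1 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=0 filter="(objectClass=*)"
conn=1100 fd=23 ACCEPT from IP=192.0.2.10:55434 (IP=0.0.0.0:636)
conn=1100 fd=23 TLS established tls_ssf=128 ssf=128
conn=1100 op=0 BIND dn="" method=163
conn=1100 op=0 BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example"
conn=1100 op=0 BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128
conn=1100 op=0 RESULT tag=97 err=0 text=
conn=1101 fd=24 ACCEPT from IP=198.51.100.7:40112 (IP=0.0.0.0:389)
conn=1101 op=0 BIND dn="cn=replicator,dc=example,dc=org" method=128
conn=1101 op=0 RESULT tag=97 err=0 text=
""".splitlines()

if __name__ == "__main__":
    for f in audit_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} dn={f['dn']!r} method={f['method']} "
              f"mech={f['mech']} tls={f['tls']} issues={f['issues']}")
```

Run against the provider's log, a replication consumer should only ever show up as the SASL/EXTERNAL pattern (method=163 followed by a `mech=EXTERNAL` line with the mapped DN); any simple-bind finding for its source address means the consumer's syncrepl stanza is not being parsed the way it was written.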
what is the pretty function and the validate function in OpenLDAP?
by Tianyin Xu
Hi, all,
I'm trying to understand the internal workflow of attribute type
checking and syntax validation in OpenLDAP. For example, if I use an
attribute whose syntax is not implemented, like "presentationAddress", the
log message "no validator for syntax" appears.
I traced this message in the source code and found that this is done by checking
"pretty" and "validate", as follows:
-------------------------------------servers/slapd/modify.c--------------------------------
    slap_syntax_validate_func *validate
        = ad->ad_type->sat_syntax->ssyn_validate;
    slap_syntax_transform_func *pretty = ad->ad_type->sat_syntax->ssyn_pretty;

    if( !pretty && !validate ) {
        *text = "no validator for syntax";
        snprintf( textbuf, textlen,
            "%s: no validator for syntax %s",
            ml->sml_type.bv_val,
            ad->ad_type->sat_syntax->ssyn_oid );
        *text = textbuf;
        return LDAP_INVALID_SYNTAX;
    }
-----------------------------------------------------------------------------------------------------
Moreover, the pretty function and the validate function are treated differently
in the later code, like:
    if ( pretty ) {
        rc = ordered_value_pretty( ad, &ml->sml_values[nvals], &pval, ctx );
        // wrapper for pretty function
    } else {
        rc = ordered_value_validate( ad, &ml->sml_values[nvals], ml->sml_op );
        // wrapper for validate function
    }
I'm very confused about the "pretty" function and the "validate" function. I
tried to google but found no related results.
Could anyone tell me WHAT the pretty function is and what the validate
function is? And HOW does OpenLDAP know which function is pretty and which is
validate?
Sorry for the newbie question. Thanks a lot!!!
Best,
Tianyin
--
Tianyin XU,
http://cseweb.ucsd.edu/~tixu/
11 years, 11 months
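An added illustration, not slapd's code and not part of the post: a Python model of the dispatch in the modify.c excerpt. In slapd every syntax has a table entry (the `ssyn_*` fields) with an optional validate function, which only answers whether a value conforms to the syntax, and an optional pretty function, which returns the value rewritten in canonical form and therefore also rejects malformed input. A syntax may supply either, both or neither; the excerpt prefers pretty when it exists because prettying subsumes validation, and falls through to "no validator for syntax" (LDAP_INVALID_SYNTAX, result code 21) when the table has neither. The table below registers Integer and Boolean with a validator only, DN with a simplified pretty function, and Presentation Address with neither. The syntax OIDs are the RFC 4517 / RFC 2252 ones; the validators, the DN prettifier (which is much simpler than slapd's dnPretty) and the attribute names used in the run are constructed.

```python
LDAP_SUCCESS = 0
LDAP_INVALID_SYNTAX = 21

# Syntax OIDs from RFC 4517 (Presentation Address is from RFC 2252).
SYNTAX_INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"
SYNTAX_BOOLEAN = "1.3.6.1.4.1.1466.115.121.1.7"
SYNTAX_DN = "1.3.6.1.4.1.1466.115.121.1.12"
SYNTAX_PRESENTATION_ADDRESS = "1.3.6.1.4.1.1466.115.121.1.43"


def integer_validate(value):
    """RFC 4517 Integer: optional '-', digits, no leading zeros, no '-0'."""
    digits = value.lstrip("-")
    if not digits.isdigit() or value.count("-") > 1:
        return False
    return value == "0" or not digits.startswith("0")


def boolean_validate(value):
    return value in ("TRUE", "FALSE")


def dn_pretty(value):
    """Constructed, simplified DN prettifier: lower-case the attribute types
    and strip whitespace around '=' and ','. Returns None if malformed,
    which is how a pretty function doubles as a validator."""
    rdns = []
    for rdn in value.split(","):
        if "=" not in rdn:
            return None
        typ, val = (part.strip() for part in rdn.split("=", 1))
        if not typ.replace("-", "").isalnum() or not val:
            return None
        rdns.append(f"{typ.lower()}={val}")
    return ",".join(rdns)


# Model of slapd's syntax table: OID -> (validate, pretty); either may be None.
SYNTAXES = {
    SYNTAX_INTEGER: (integer_validate, None),
    SYNTAX_BOOLEAN: (boolean_validate, None),
    SYNTAX_DN: (None, dn_pretty),
    SYNTAX_PRESENTATION_ADDRESS: (None, None),   # not implemented in slapd either
}


def check_value(attr, syntax_oid, value):
    """Mirror of the modify.c excerpt for a single value.

    Returns (rc, value_to_store_or_None, diagnostic_text).
    """
    validate, pretty = SYNTAXES[syntax_oid]
    if not pretty and not validate:
        return LDAP_INVALID_SYNTAX, None, f"{attr}: no validator for syntax {syntax_oid}"
    if pretty:
        out = pretty(value)                      # canonicalise; None means invalid
        if out is None:
            return LDAP_INVALID_SYNTAX, None, f"{attr}: value #0 invalid per syntax"
        return LDAP_SUCCESS, out, ""
    if not validate(value):                      # validate only; store as given
        return LDAP_INVALID_SYNTAX, None, f"{attr}: value #0 invalid per syntax"
    return LDAP_SUCCESS, value, ""


if __name__ == "__main__":
    for attr, oid, value in (
        ("gidNumber", SYNTAX_INTEGER, "1000"),
        ("gidNumber", SYNTAX_INTEGER, "01000"),
        ("seeAlso", SYNTAX_DN, "CN = Bob , DC=example, DC=com"),
        ("presentationAddress", SYNTAX_PRESENTATION_ADDRESS, "x"),
    ):
        print(attr, repr(value), "->", check_value(attr, oid, value))
```

The practical consequence of the excerpt: an attribute whose syntax has neither function can never be written, whatever the value, so the fix for a "no validator" error is to implement (or avoid) the syntax, not to reformat the value.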