January 2012 - openldap-technical

Translucent attribute local search problem

by benoit

I've setup a simple translucent conf like described here http://www.openldap.org/doc/admin24/overlays.html#Translucent Proxy , on a Debian squeeze, 2.4.23 server. lastmod off overlay translucent translucent_local telephoneNumber3,gidNumber uri "ldap://master.example.com" acl-bind binddn="cn=manager,dc=example,dc=com" credentials="{SHA}ABC123" I can overridde (gidNumber) or add attributes(telephoneNumber3): $ cat add.ldif dn: uid=bob,ou=people,dc=example,dc=com gidNumber: 00000 telephoneNumber3: 0000000 $ ldapadd -H ldap://proxy.example.com -x -W -D 'cn=Manager,dc=example,dc=com' -f add.ldif adding new entry "uid=bob,ou=people,dc=example,dc=com" A query on translucent server retrieve remote and local attribute: $ ldapsearch -LLL -H ldap://proxy.example.com -x -b "ou=people,dc=example, dc=com" '(uid=bob)' dn: uid=bob,ou=people,dc=example,dc=com ... gidNumber: 00000 telephoneNumber: 1111111 telephoneNumber3: 0000000 But searches against locally added or overridden attributes fail: $ ldapsearch -LLL -H ldap://proxy.example.com -x -b "ou=people,dc=example, dc=com" '(gidNumber=00000)' $ ldapsearch -LLL -H ldap://proxy.example.com -x -b "ou=people,dc=example, dc=com" '(telephoneNumber3=0000000)' thank you for your help

11 years, 10 months

1
0
0 / 0

migrating from shadowAccount to password policy overlays

by Jonathon Anderson

We are in the midst of migrating from `shadowAccount` objects to the password policy overlay. Everything seems to be working so far, but I have been unable to migrate the data from `shadowLastChange` to `pwdChangedTime`. In particular, once I have the desired value for `pwdChangedTime`, I don't know how to write it into the attribute. ldap_modify: Constraint violation (19) additional info: pwdChangedTime: no user modification allowed I read something about "relax rules" and oid `1.3.6.1.4.1.4203.666.5.12`, but I haven't figured out how to use it. How do I execute an `ldapmodify` that writes into `pwdChangedTime`? ~jonathon

11 years, 10 months

2
2
0 / 0

smbldap-populate error

by Adrián Arévalo Tirado

OpenLDAP version: 2.4.23-7.2 Samba Version: 2:3.5.6 Operating System Debian 6.0 "Squeeze" Hello everybody. I'm trying to install a Samba + LDAP PDC but when I try to create the database with smbldap-populate I get this error: -------------------------------------------------------------------------------- Populating LDAP directory for domain empresa (S-1-5-21-802753395-3202467916-1484007712) (using builtin directory structure) entry dc=empresa,dc=com already exist. entry ou=Users,dc=empresa,dc=com already exist. entry ou=Groups,dc=empresa,dc=com already exist. entry ou=Computers,dc=empresa,dc=com already exist. entry ou=Idmap,dc=empresa,dc=com already exist. adding new entry: uid=root,ou=Users,dc=empresa,dc=com failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 58. adding new entry: uid=nobody,ou=Users,dc=empresa,dc=com failed to add entry: objectClass: value #4 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 89. adding new entry: cn=Domain Admins,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 101. adding new entry: cn=Domain Users,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 112. adding new entry: cn=Domain Guests,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 123. adding new entry: cn=Domain Computers,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 134. adding new entry: cn=Administrators,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 179. adding new entry: cn=Account Operators,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 201. adding new entry: cn=Print Operators,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 212. adding new entry: cn=Backup Operators,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 223. adding new entry: cn=Replicators,ou=Groups,dc=empresa,dc=com failed to add entry: objectClass: value #2 invalid per syntax at /usr/sbin/smbldap-populate line 498, <GEN1> line 234. adding new entry: sambaDomainName=empresa,dc=empresa,dc=com failed to add entry: invalid DN at /usr/sbin/smbldap-populate line 498, <GEN1> line 242. Please provide a password for the domain root: /usr/sbin/smbldap-passwd: user root doesn't exist ---------------------------------------------------------------------------------- In the log file I get this other error: ---------------------------------------------------------------------------------- slapd[1369]: conn=1005 op=28 do_search: invalid dn: "sambaDomainName=empresa,dc=empresa,dc=com" slapd[1369]: conn=1005 op=29 do_add: invalid dn (sambaDomainName=empresa,dc=empresa,dc=com) ---------------------------------------------------------------------------------- I included in slapd.conf the samba.schema. Any ideas? I've been looking for any solution for 4 days and nobody seems to know anything. Thanks in advance for the responses. -- Adrian <adri58(a)gmail.com>

11 years, 10 months

4
5
0 / 0

The problem of BINDDN/BINDPW in ldap.conf

by Tianyin Xu

Hi, all, I'm using Ubuntu 10.04 and LDAP 2.4.23. I'm having difficulty with the basic binding. I don't want to allow anonymous ldapsearch on the LDAP server so I specify a dn and password for the bind. If I use the following parameters for ldapsearch like ldapsearch -b "dc=ucsd,dc=edu" -D "cn=admin,dc=ucsd,dc=edu" -w 1234 This works quite fine. Then, I write the parameters into ldap.conf as follows: -----------------ldap.conf----------------------- BASE dc=ucsd,dc=edu BINDDN cn=admin,dc=ucsd,dc=edu BINDPW 12345 ----------------------------------------------------- Then only BASE has effect. According to the ldap.conf manual, BINDDN is a "user-only" attribute and needs to go in ~/.ldaprc; it doesn't mention BINDPW at all. But searching on the web, I found several cases that used "binddn" and "bindpw" in ldap.conf and worked successfully. So I'm quite confused for these two directives. Could anyone explain a little bit to me on BINDDN and BINDPW? Thanks a lot!! Tianyin -- Tianyin XU, http://cseweb.ucsd.edu/~tixu/

11 years, 10 months

3
3
0 / 0

Extending smbk5pwd overlay

by Clément OUDOT

Hello, I am interested in extending the features of smbk5pwd overlay to manage more password mechanisms: * Digest MD5 for authentication (see http://en.wikipedia.org/wiki/Digest_access_authentication): we will have MD5(user:domain:password), with configuration for user attribute to use and the domain string * Active Directory password: will use the syntax of AD unicodePwd, in order to sync the attribute into AD Are you interested by adding these features in the current smbk5pwd overlay or do you prefer that we create new overlay(s) for this? Another question: would you accept an option on the smbk5pwd overlay so it can be triggered by simple userPassword modifications instead of only extended password modification operation? Regards, Clément OUDOT.

11 years, 10 months

3
2
0 / 0

Heavy load problems

by Angel L. Mateo

Hello, We have a openldap (2.3.30, debian etch version 32bits) with 4 nodes (xen vm with one cpu core, Intel Xeon 3.20GHz and 2GB of RAM). It that farm we have two databases one with 121K entries (for authenticating users, with lots of connections) and other with 40K entries (with public information of our students, for example). Now we have migrated to two openldap (2.4.21, ubuntu lucid 64btis) farms. One with 4 nodes (xen vm with two cpu cores, Xeon E5450 3GHz, 2 GB of RAM) for the authentication database, and other with 2 nodes (with the same resources than the other) for the other database. The problem is that in the authentication farm we are having lot of problems due to heavy load, although we are not completely migrate all clients to this new farm (we already have clients querying the old farm), but in the old farm we didn't have any problem (just some punctual problems long time ago). The only difference between the old and the new farm is that the old farm was replicating information with slurpd. The new one is a multimaster configuration. The configuration of the replica is: mirrormode on syncrepl rid=11 provider="ldap://<server1>.um.es" binddn="<replica user dn>" bindmethod=simple credentials=<creds> searchbase="<base of database>" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 syncrepl rid=12 provider="ldap://<server2>.um.es" binddn="<replica user dn>" bindmethod=simple credentials=<creds> searchbase="<base of database>" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 syncrepl rid=13 provider="ldap://<server3>.um.es" binddn="<replica user dn>" bindmethod=simple credentials=<creds> searchbase="<base of database>" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 syncrepl rid=14 provider="ldap://<server4>.um.es" binddn="<replica user dn>" bindmethod=simple credentials=<creds> searchbase="<base of database>" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 This configuration is in the 4 farm nodes. We have checked indexes and both farms have the same. Another difference is that authentication database entries have some attributes obtained from the other database via dynlist overlay. In the old farm, because the two databases are in the same server we had no problem, but in the new one we have to configure this database as an ldap proxy to the other farm, with cache overlay used in this. Heavy loads appears randomly in all nodes (not always with all nodes at the same time). When this happens, slapd is using 100% (well... top reports 200% because we have two cpus), there is no swap, no iowait.... Any idea of what could it be the problem? Is this multimaster configuration so heavy load? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 868887590 Fax: 868888337

11 years, 10 months

3
4
0 / 0

OpenLDAP 2.4.28 causing Apache 2.2 to hang

by Kyle Smith

I recently upgraded OpenLDAP 2.4.26 to 2.4.28. When I did that, a separate server running apache 2.2 and php 5 started to hang every 10-15 minutes. It freezes to the point that it no longer accepts requests. This apache server is using a wildcard cert for https and uses php5-ldap which depends on libgnutls26 and libldap2.4-2. I am currently investigating further, but was wondering if the changes to MozNSS or GNUTls in 2.4.27 (ITS #7051, 6980, 6998, 7001, 7002, 7022, 7034 & 7006) may be interfering with apache. I don't think OpenLDAP is the cause, I am leaning towards an apache/php configuration error but the problem only occurs when I use 2.4.28. OpenLDAP 2.4.26 operates normally and is stable across the board. Any ideas? ldapsearch -H ldaps://ldap.my.com works fine, no errors with connecting or searching.

11 years, 11 months

2
2
0 / 0

Syncrepl: consumer ignores bindmethod=sasl

by Tim Dijkstra

Hi All, I'm trying to get syncrepl to work with TLS, and SASL External. I think I configured everything correctly; I explicitly state it should use bindmethod=sasl, but in the logs I see it is using simple nonetheless. Replication subsequently fails because lack of access rights. Using ldapsearch with identical setting in .ldaprc works... I'm at a loss. Anybody knows what is going on? Excerpt from slapd.conf of consumer: syncrepl rid=13 provider=ldaps://example.org:636 type=refreshAndPersist interval=00:00:30:00 searchbase="ou=People,dc=example,dc=org" scope=sub bindmethod=sasl saslmech=EXTERNAL schemachecking=off authcid=cn=kelderlied,ou=hosts,o=example authzid=cn=kelderlied,ou=hosts,o=example tls_cacert=/etc/ldap/trusted/ca.drs.p-cacert_root_3.pem tls_cert /etc/ssl/CA/kelderlied.crt tls_key /etc/ssl/CA/kelderlied.key tls_reqcert=demand starttls=critical When Syncrepl from the consumer is started in the logs of the provider I see: > ACCEPT from IP=A.B.C.D:55428 (IP=0.0.0.0:636) > TLS established tls_ssf=128 ssf=128 > BIND dn="" method=128 > conn=1099 op=0 RESULT tag=97 err=0 text= > SRCH BASE..... So, TLS is successful (I have TLS_REQ = demand on the provider), but bind simple is requested Here I do a search by hand with identical settings in my .ldaprc that succeeds > ldapsearch -H ldaps://example.org:636 -Y EXTERNAL -b "ou=people,dc=example,dc=org" "(objectClass=*)" > In the logs: > ACCEPT from IP=A.B.C.D:55434 (IP=0.0.0.0:636) > TLS established tls_ssf=128 ssf=128 > BIND dn="" method=163 > BIND authcid="cn=kelderlied,ou=hosts,o=example" authzid="cn=kelderlied,ou=hosts,o=example" > BIND dn="cn=libnss,dc=example,dc=org" mech=EXTERNAL sasl_ssf=0 ssf=128 > RESULT tag=97 err=0 text= > Any help is appreciated... Tim

11 years, 11 months

1
0
0 / 0

what is the pretty function and the validate function in OpenLDAP?

by Tianyin Xu

Hi, all, I'm trying to understand the internal workflow of the attribute type checking and syntax validation in OpenLDAP. For example, if I use an attribute whose syntax is not implemented like "presentationAddress", the log message "no validator for syntax" will occur. I trace this message in the source code and find this's done by checking "pretty" and "validate", as follows: -------------------------------------servers/slapd/modify.c-------------------------------- slap_syntax_validate_func *validate = ad->ad_type->sat_syntax->ssyn_validate; slap_syntax_transform_func *pretty = ad->ad_type->sat_syntax->ssyn_pretty; if( !pretty && !validate ) { *text = "no validator for syntax"; snprintf( textbuf, textlen, "%s: no validator for syntax %s", ml->sml_type.bv_val, ad->ad_type->sat_syntax->ssyn_oid ); *text = textbuf; return LDAP_INVALID_SYNTAX; } ----------------------------------------------------------------------------------------------------- Moreover, the pretty function and validate function are treat differently in the latter code like: if ( pretty ) { rc = ordered_value_pretty( ad, &ml->sml_values[nvals], &pval, ctx ); // wrapper for pretty function } else { rc = ordered_value_validate( ad, &ml->sml_values[nvals], ml->sml_op ); // wrapper for validate function } I'm very confused on the "pretty" function and the "validate" function. I tried to google but no related results. Could anyone tell me WHAT is the pretty function and what is the validate function? And HOW can OpenLDAP knows which function is pretty and which is validate? Sorry for the newbie question. Thanks a lot!!! Best, Tianyin -- Tianyin XU, http://cseweb.ucsd.edu/~tixu/

11 years, 11 months

3
2
0 / 0

View or filter based on ldaps://FQDN

by Ronie Gilberto Henrich

Hello, I need to be able to restrict ldap ou's access based on the ldaps://FQDN used to query the ldap server. Let say I have the following in my ldap server: ou=domain ou=raincoatcompany.com ou=umbrellacompany.com Considering that both ldap.raincoatcompany.com and ldap.umbrellacompany.com are resolving to IP address 10.0.0.10 So, querying the ldap server using ldaps://ldap.raincoatcompany.com/ou=domain should grant access only to the following: ou=domain ou=raincoatcompany.com Is there any way to accomplish that with OpenLDAP? Thanks, -- *Ronie Henrich* *GIT - Sistemas Ltda* <http://www.git.com.br> Novo Hamburgo, RS Brazil <http://maps.google.com/maps?q=%2CNovo+Hamburgo%2CRS%2CBrazil&hl=en> *http://br.linkedin.com/in/roniegh* See who we know in common <http://www.linkedin.com/e/wwk/11684020/>

11 years, 11 months

5
7
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2012