openldap-technical October 2012

openldap-technical@openldap.org

68 participants
66 discussions

max. numbers of subordinate databases
by Dieter Klünter 29 Oct '12

29 Oct '12

Hello, I have a strange requirement to setup a Server with as much as possible subordinate databases. In a test environment I could create any number of databases, but a one level search presents the results of 27 databases and after this an internal error is reported. (thread_pool_setkey failed err (12)) I did this tests with back-hdb and back-mdb. Is there any way to increase the number of subordinate databases? -Dieter -- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E

2 1

[PATCH] ctrl & exop for PHP 5.3
by Emmanuel Dreyfus 29 Oct '12

29 Oct '12

Hello Quite some time ago, Pierangelo Masarati wrote a patch to brind ctrl and exop support to PHP. Unfortunately the patch was never checked in upstream and broke with PHP 5.3 I trieed to upgrade the patch for PHP 5.3 support. Here is my first attempt, which builds on PHP 5.3.17: http://ftp.espci.fr/shadow/manu/ldap-ctrl-exop-20121025.patch I successfully tested ldap_exop_passwd, ldap_exop_whoami, and ldap_refresh. Everything else was not tested and is broken without any doubt (zend_parse_parameters 3rd argument is wrong, it should probably be Z more often). Feel free to help, either by fixing the remaining bits, or by providing a test case for the broken parts (I never used controls and therefore I am not going to do it). -- Emmanuel Dreyfus manu(a)netbsd.org

4 3

Problem in sync-repling multiple databases
by Marco Pizzoli 29 Oct '12

29 Oct '12

Hi all, I'm using OL 2.4.33 and I'm trying to replicate a tree to an instace of OL 2.4.33 composed by multiple databases. My tree is something as this: - basedn - ou=ou1 - ou=ou2 - ou=ou3 If I have all my subtrees, on the master, served by a single db... then I can syncrepl to the consumer without problems. If my master is composed by separate databases (ou1, ou2, etc.. are all distinct databases), then the replica stops after completing the first one of them. So to recap: - single database to multiple database --> ok - multiple database to multiple database --> ko Is it a known problem? I read that it was as of OL 2.3, but also that it was fixed in OL2.4. My logs present no indication of any kind of problem, even at debug level. If I try to configure a second replica configration targeted directly to (in example) to ou=ou3, then that ou get replicated. Any help/advice is welcome. Thanks in advance as usual Marco

2 1

Newbie question about host base authentication
by Simone Scremin 29 Oct '12

29 Oct '12

Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure an host based authentication system that allow to configure a per-user rule to include a group of host to which the user is allowed to login. In example: user Bob needs to authenticate on systems: sys01pra sys02pre sys03pra sys03pre some configuration on the LDAP server enable this hostnames for Bob with a regular expression like: sys0*pr* Is it feasable? Thanks Simone

5 7

Re: Newbie question about host base authentication
by Simone Scremin 29 Oct '12

29 Oct '12

Hi Olivier, thanks for the fast answer. I'm looking at pam_ldap component and I already saw the host based authentication that enables to list hostnames on the server per user. Your idea, if I'm not mistaken, would be to specify this host parameter as some kind of LDAP data structure (ie: groupOfNames) and have the authentication mechanism match on that structure. I'm looking at groupOfNames and it's not clear to me if it can really be used for that purpose but the most obscure point is where the logic for the matching should go. I'm really open to any input on this subject whether it is some example of already implemented solutions or just some direction on how to go forward with the development. Thank you Simone On Oct 29, 2012, at 2:40 PM, Olivier <ldap(a)guillard.nom.fr> wrote: > ---Previous mail sent accidently before ending (sorry for doublon)--- > > Feasable it is (there different ways to do that). > > BTW, I'm also interested to gather some input on that topic. > > @simone : I suggest that you look at pam mecanisms : > http://www.padl.com/OSS/pam_ldap.html > And more specifically at the access.conf syntax. > > You may be interested in : > Hosts, posix groups, group of names and netgroups > > > @list : I would appreciate some input from others about the > best way to store hosts in ldap for this kind of usage : > > Which container to use for hosts (structural class account? > device ? ... ) > > How to deal with groups of hosts : groupOfNames ? posixGroup ? > > Any advice ? > > Thanks, > > > 2012/10/29 Simone Scremin <simone.scremin(a)gmail.com>: >> Hi all, >> I'm in the process of learning the OpenLDAP authentication mechanics. >> I'd need to know what is the best way to configure an host based authentication system that allow to configure a per-user rule to include a group of host to which the user is allowed to login. >> >> In example: >> >> user Bob needs to authenticate on systems: >> >> sys01pra >> sys02pre >> sys03pra >> sys03pre >> >> some configuration on the LDAP server enable this hostnames for Bob with a regular expression like: >> >> sys0*pr* >> >> Is it feasable? >> >> Thanks >> >> Simone >>

1 0

compile 2.4.33 on AIX 6.1 with IBM vac - mdb.c - mdb_cursor_pop fails
by Howard Allison 25 Oct '12

25 Oct '12

Hi I've compiled openldap 2.4.33 on AIX 6.1 and had to edit the file libraries/libmdb/mdb.c. In mdb_cursor_pop I had to comment out the #if MDB_DEBUG directive to make *top visible. #if MDB_DEBUG */ MDB_page *top = mc->mc_pg[mc->mc_top]; /* #endif */ Is this something particular to xlc? Thanks Howard Allison -------------------------------------------------------------------------------------------------------- VERTRAULICHKEIT: Diese Nachricht ist ausschließlich für denjenigen bestimmt, an den sie adressiert ist und kann vertrauliche Informationen enthalten. Falls Sie nicht der Empfänger dieser Nachricht sind, weisen wir Sie darauf hin, dass die unberechtigte Weitergabe oder Verwendung sowie das unberechtigte Verteilen oder Kopieren dieser Nachricht strikt untersagt sind. Falls Sie diese Nachricht irrtümlich erhalten haben, vernichten Sie sie bitte sofort. CONFIDENTIALITY: This message is intended only for the use of the individuality or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure. If you are not the intended recipient you are notified that any dissemination, distribution, use or copying of this communication is strictly prohibited. If you received this message in error, please immediately destroy this message. --------------------------------------------------------------------------------------------------------

2 1

Sincrony groups in LDAP
by rodrigo tavares 23 Oct '12

23 Oct '12

Hello, With paramater retry="60 30 300 +", i can to replicate users. But, I see the groups not copyed for LDAP. I can't replicate the groups. syncrepl rid=123 provider=ldap://10.26.7.45:389 type=refreshOnly interval=00:00:05:00 retry="60 30 300 +" searchbase="dc=company,dc=mg,dc=gov,dc=br" filter="(objectClass=organizationalPerson)" scope=sub attrs="*,+" schemachecking=off bindmethod=simple binddn="cn=admin,dc=company,dc=mg,dc=gov,dc=br" credentials=secret Do I have modificate the objectClass ? Best regards, Rodrigo Faria

2 1

Using replication LDAP
by rodrigo tavares 23 Oct '12

23 Oct '12

Hello ! I'm trying make a replication from master for slave. My configure master: moduleload syncprov.la moduleload back_monitor.la moduleload back_bdb overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 Slave: syncrepl rid=123 provider=ldap://10.26.7.45:389 type=refreshOnly interval=00:00:05:00 searchbase="dc=company,dc=mg,dc=gov,dc=br" filter="(objectClass=organizationalPerson)" scope=sub attrs="*,+" schemachecking=off bindmethod=simple binddn="cn=admin,dc=company,dc=mg,dc=gov,dc=br" credentials=secret I syslog i see this message: Oct 23 10:23:32 replica slapd[1827]: syncrepl rid=123 searchbase="dc=company,dc=mg,dc=gov,dc=br": no retry defined, using default. How I can to resolve it ? Best regards, Rodrigo Faria

3 2

Search response attribute/alias names
by Tele Fone 22 Oct '12

22 Oct '12

Hello, I've searched and think I know the answer, but... This post from several years ago is exactly my issue: www.openldap.org/its/?findid=787 See this one too: www.openldap.org/lists/openldap-software/200105/msg00160.html I would like to know if anything has changed in 10+ years. I'm in the middle of coverting from Critical Path LDAP to OpenLDAP 2.4.26. Critical Path returns the alias name (when requested in search) in search responses. Has there been a magic configuration flag added to make the transition to openldap a bit easier? I understand that openLDAP conforms to the LDAPv3 standard, but had to ask. Thanks.

1 0

ContextCSN generation
by Sven Jourgensen 21 Oct '12

21 Oct '12

I have an odd issue, where I have some new slaves that I added to my pool, they ran fine sync'ing with the master, etc. for weeks, until I added them into use (we're using an F5 frontend) whereupon they started getting a contextCSN which was larger than that of the master. How is the contextCSN generated, I thought the slave could never get ahead of the master, but it's happening consistently, it's not a transient thing, the slave gets a larger contextCSN and keeps it, until the master is updated again. master: contextCSN: 20121010154339.775633Z#000000#000#000000 slave1: contextCSN: 20121010154442.858054Z#000000#000#000000 slave2: contextCSN: 20121010154351.807575Z#000000#000#000000 As soon as I remove them from use, and update the master, they come back into sync. Thanks in advance. SJ

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2012