openldap-technical October 2012

openldap-technical@openldap.org

68 participants
66 discussions

Compiling OpenLDAP 2.4.33 on IBM AIX 7.X
by Tony Huang 10 Oct '12

10 Oct '12

Hi, I am fairly new to this, before I compile OpenLDAP 2.4.33 on IBM AIX 7 platform I'd like to know if there is anything I need to watch out for? I had lots of bad taste with compiling on AIX 5.X ... just wondering if anyone has had experiences in making it work on AIX 7.X Thank you in advance! Regards, --Tony

1 0

Empty Strings attributes in OpenLDAP
by Emilio García 10 Oct '12

10 Oct '12

Dear all, Is there a way to define a string to be empty in OpenLDAP Schema? I read that RFC 2252 doesnt allow empty strings. But is there any workaround for this like a different SYNTAX or attribute type? We have a preexisting software which tries to write empty strings and it is crashing because of this. Kind regards. Cloudreach Limited is a limited company registered in England with registered number 06975407 The above terms reflect a potential business arrangement, are provided solely as a basis for further discussion, and are not intended to be and do not constitute a legally binding obligation. No legally binding obligations will be created, implied, or inferred until an agreement in final form is executed in writing by all parties involved. This email may be confidential or privileged. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let us know that it has gone to the wrong person.

3 4

LDAP Search Question (use of * in search filter)
by Παναγιώτης Ψαρράκος 10 Oct '12

10 Oct '12

Dear all My environment consist of a mySWL Cluster database that use ndbcluster storage engine. I have install openLDAP using back ndb in otder to expose my database in LDAP fromat. The main table of LDAP is the table OL_dn2id. Entries in this table have the following format eid | object_class | a0 | a1 | a2 | a3 | a4 | a5 ... | a15 ------------------------------------------------------------------------------------------------------------------------------------------ 1 | usertable@top | ro | mydb | msisdn=40765111111 | billtype=prepaid | null (all other columns are null) ------------------------------------------------------------------------------------------------------------------------------------------ 2 | usertable@top | ro | mydb | msisdn=40765111112 | billtype=postpaid | null (all other columns are null) My database definition in slapd.conf is the following database ndb suffix "dc=mydb,dc=ro" rootdn "cn=Manager,dc=mydb,dc=ro" I want to execute ldap search queries based on msisdn or billtype attribute. I am trying to this using the command i.e. return all postpaid user msisdns - i ma trying to use the * in the filter in order to have all msisdns ldapsearch -h localhost -LLL -x -s sub -d 32 -b bill=postpaid,msisdn=*,dc=cosmote,dc=ro The output of this command: Invalid DN syntax (34) Additional information: invalid DN Any help on this would be very usefull With Regards Panagiotis Psarrakos

4 5

Unable to perform recursive ldapdelete
by Ben Beuchler 09 Oct '12

09 Oct '12

ldapdelete -Wx -H ldapi:/// -r dc=maildomains,dc=example,dc=com Enter LDAP Password: ldap_delete: Other (e.g., implementation specific) error (80) ldap_delete: Operation not allowed on non-leaf (66) additional info: subordinate objects must be deleted first There are a couple of hundred subordinate entries under dc=maildomains,dc=example,dc=com. Am I doing something wrong or have I encountered a bug? I'm running 2.4.21 on Ubuntu 10.04.

1 0

Reasons for bi_db_open failed! (-30793) with back-mdb?
by Michael Ströder 09 Oct '12

09 Oct '12

HI! What are the possible reasons for this message? 5070a03c backend_startup_one (type=mdb, suffix="cn=accesslog,o=example"): bi_db_open failed! (-30793) I'm testing migrating an existing LDAP server with four DBs - two of them accesslog DBs - to back-mdb with RE24 c62a82b07e1bcc4c795cb5185ee9f16406b05bd9. Either slapadd fails or starting slapd fails after slapadd. Ciao, Michael.

3 3

slaptest fails to covnert overlay syncproc?
by Tim Tyler 08 Oct '12

08 Oct '12

Openldap experts? I am trying to convert a slapd.conf file to cn=config version on Redhat 6.3 running openldap 2.4.23-26. when I do the following to convert the slapd.conf file to the cn=config version, I get the following error: [root@ldap openldap]# slaptest -f slapd.conf -F slapd.d overlay "syncprov" not found slaptest: bad configuration directory! I am not loading any modules in slapd.conf as the old Centos 5 version did not require that I load any syncprov modules for syncprov to work. I think I read that it was statically included it in the binary. It always worked without the module call anyways. Do I now need to add in a line for the syncprov module in the slapd.conf file in order to get slaptest to view and convert the overlay of syncprov with the redhat 6 version of openldap? Note: Here are the following lines for synprov in my slapd.conf file: overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 limits dn.exact="cn=xxxx,dc=site,dc=edu" size=unlimited time=unlimited Or is there some other issue I might be missing? Tim Tyler Network Engineer Beloit College

3 2

how to tell client to use ssf=256 instead of ssf=128
by Tobias Hachmer 08 Oct '12

08 Oct '12

Hello, I'm using openldap 2.4.28 on ubuntu server and configured TLS. I want to allow write operations only when ssf=256 is used. (security update_ssf=256) Certificates were set up with openssl CA.pl. When I connect via # ldapadd -Y EXTERNAL -ZZ -f /src/test.ldif I get this: SASL/EXTERNAL authentication started SASL username: cn=ldapadmin,............. SASL SSF: 0 adding new entry "dc=example,dc=com" ldap_add: Confidentiality required (13) additional info: stronger confidentiality required for update the log says: Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389) Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 RESULT oid= err=0 text= Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128 Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="" method=163 Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND authcid="cn=ldapadmin,........." authzid="cn=ldapadmin,........" Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,......." mech=EXTERNAL sasl_ssf=0 ssf=128 Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 text= Oct 8 19:38:14 ldap slapd[2205]: connection_input: conn=1003 deferring operation: binding Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com" Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=3 UNBIND Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 closed 1. Why is the client connecting with ssf=128? 2. Can I influence the ssf used by client, if yes, how? 3. Maybe a certificate issue? Thanks in advance, Tobias Hachmer

4 4

Complete re-sync in MirrorMode
by Santosh Kumar Gupta 07 Oct '12

07 Oct '12

Dear List, I set up two openldap servers in MirrorMode replication. I addeed a user in Master2 and it synced in Master1 but without userPassword. Digging into the problem I found a typo error in olcAccess for replicator user. I fixed the error and any new updates in Master2 get updated in Master1 including userPassword, but not syncing the previously replicated users. I tried running slapd with parameter -c "rid=000" but without success. Please help me to full sync Master1 without recreating db. TIA Santosh

4 3

Openldap Synchronization Issue
by Victor Silva 05 Oct '12

05 Oct '12

Hello folks, I have an ldap base running in 2 machines in a master/slave design. I've tried to do a db2ldiff but as I'm using virtual machines it took a very long time and I aborted the process with crtl C. Since them my bases no longer sync. I have the following erros logs: *[05/Oct/2012:17:44:22 -0300] - 389-Directory/1.2.9.9 B2011.244.2040 starting up [05/Oct/2012:17:44:22 -0300] - from ldbm instance init: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored) [05/Oct/2012:17:44:22 -0300] - from DSE add: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored) [05/Oct/2012:17:44:22 -0300] - from ldbm instance init: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored) [05/Oct/2012:17:44:22 -0300] - from DSE add: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored) *I've read in some other mailing lists many people had this problem but I could not pint point an appropriate solution. I don't know which other logs I can post in order to help you but I will be happy to provide them if you require more info. Regards, vfbsilva

2 1

pwdReset: TRUE not working
by Jason Cwik 05 Oct '12

05 Oct '12

Hi, I've recently configured a new openldap 2.4.32 server with the ppolicy overlay. Most of the features like lockout and minLength work fine, but I can't seem to force the user's password to expire. I've even set pwdReset: TRUE on the user's record to try and force them to reset the password, but it doesn't seem to do anything. Here's my overlay config: MBP2:~ me$ ldapsearch -h 10.242.25.158 -D "cn=root,cn=config" -x -W -b "cn=config" -s sub "olcOverlay=ppolicy" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: olcOverlay=ppolicy # requesting: ALL # # {1}ppolicy, {1}bdb, config dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {1}ppolicy olcPPolicyDefault: cn=default,ou=policies,dc=my,dc=domain,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 And the default pwdPolicy object: MBP2:~ me$ ldapsearch -h 10.242.25.158 -D "cn=ldapadmin,dc=my,dc=domain,dc=com" -x -W -b "ou=policies,dc=my,dc=domain,dc=com" -s sub "cn=default" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=policies,dc=my,dc=domain,dc=com> with scope subtree # filter: cn=default # requesting: ALL # # default, policies, my.domain.com dn: cn=default,ou=policies,dc=my,dc=domain,dc=com objectClass: person objectClass: top objectClass: pwdPolicy cn: default pwdAllowUserChange: TRUE pwdAttribute: 2.5.4.35 pwdCheckQuality: 2 pwdExpireWarning: 0 pwdFailureCountInterval: 30 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 300 pwdMaxAge: 11555200 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 5 pwdMustChange: TRUE pwdSafeModify: TRUE sn: dummy value I turned on trace debugging and I do see it successfully loading cn=default,ou=policies,dc=my,dc=domain,dc=com during the bind operation, so it appears that ppolicy is running fine and loading the policy object. Any ideas?

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2012