Compiling OpenLDAP 2.4.33 on IBM AIX 7.X
by Tony Huang
Hi,
I am fairly new to this. Before I compile OpenLDAP 2.4.33 on the IBM AIX 7 platform,
I'd like to know if there is anything I need to watch out for.
I had a lot of bad experiences compiling on AIX 5.X ... just wondering
if anyone has had experience making it work on AIX 7.X.
Thank you in advance!
Regards,
--Tony
10 years, 8 months
Empty Strings attributes in OpenLDAP
by Emilio García
Dear all,
Is there a way to define a string to be empty in the OpenLDAP schema? I read
that RFC 2252 doesn't allow empty strings. But is there any workaround for
this, like a different SYNTAX or attribute type? We have pre-existing
software which tries to write empty strings and is crashing because of
this.
Kind regards.
10 years, 8 months
LDAP Search Question (use of * in search filter)
by Παναγιώτης Ψαρράκος
Dear all
My environment consists of a MySQL Cluster database that uses the ndbcluster storage engine. I have installed OpenLDAP using back-ndb in order to expose my database in LDAP format. The main table of LDAP is the table OL_dn2id.
Entries in this table have the following format:
eid | object_class  | a0 | a1   | a2                 | a3                | a4 ... a15
----+---------------+----+------+--------------------+-------------------+---------------------------------
1   | usertable@top | ro | mydb | msisdn=40765111111 | billtype=prepaid  | null (all other columns are null)
2   | usertable@top | ro | mydb | msisdn=40765111112 | billtype=postpaid | null (all other columns are null)
My database definition in slapd.conf is the following
database ndb
suffix "dc=mydb,dc=ro"
rootdn "cn=Manager,dc=mydb,dc=ro"
I want to execute LDAP search queries based on the msisdn or billtype attribute. I am trying to do this using the command below,
i.e. return all postpaid user msisdns; I am trying to use the * in the filter in order to get all msisdns:
ldapsearch -h localhost -LLL -x -s sub -d 32 -b bill=postpaid,msisdn=*,dc=cosmote,dc=ro
The output of this command:
Invalid DN syntax (34)
Additional information: invalid DN
Any help on this would be very useful.
With Regards
Panagiotis Psarrakos
10 years, 8 months
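The following is an added example and not code from the original post or from OpenLDAP. It builds the search filter the post is after: the "*" wildcard is RFC 4515 filter syntax, whereas in a base DN it is only a literal value and the base must name one existing entry. The suffix dc=mydb,dc=ro and the attribute names msisdn and billtype come from the post; the prefix search, the escaping helper and the argv layout are assumptions made for illustration. The escaping matters whenever the number comes from an untrusted source, since an unescaped "*" or ")(" rewrites the filter (LDAP injection).

```python
"""Build an RFC 4515 search filter for the msisdn/billtype lookup.

Added example; it is not code from the original post or from OpenLDAP.
The '*' wildcard is filter syntax: in a base DN it is just a literal
value, and the base must name a single existing entry. The suffix
dc=mydb,dc=ro and the attribute names come from the post; the prefix
search and the argv layout are assumptions made for illustration.
"""
from typing import List, Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted value (e.g. a subscriber number from a web form).

    Without this, '*' or ')(' in the input rewrites the filter: LDAP injection.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(billtype: Optional[str] = None, msisdn_prefix: Optional[str] = None) -> str:
    """AND-filter over billtype and msisdn; an omitted value becomes a presence test.

    Only the wildcard we add ourselves is left unescaped.
    """
    bill = f"(billtype={escape_filter_value(billtype)})" if billtype else "(billtype=*)"
    num = f"(msisdn={escape_filter_value(msisdn_prefix)}*)" if msisdn_prefix else "(msisdn=*)"
    return f"(&{bill}{num})"


def ldapsearch_argv(base: str, filt: str, attrs: List[str]) -> List[str]:
    """ldapsearch command line: the filter carries the wildcard, the base is a plain DN."""
    return ["ldapsearch", "-x", "-LLL", "-H", "ldap://localhost",
            "-b", base, "-s", "sub", filt, *attrs]


if __name__ == "__main__":
    # all postpaid subscribers, returning only their msisdn
    print(" ".join(ldapsearch_argv("dc=mydb,dc=ro", build_filter("postpaid"), ["msisdn"])))
    # what an injection attempt looks like once escaped
    print(build_filter(msisdn_prefix="*)(objectClass=*"))
```

Run it stand-alone to see the resulting ldapsearch command line; the second print shows how an injected value ends up as an inert escaped string rather than a second filter clause.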
Unable to perform recursive ldapdelete
by Ben Beuchler
ldapdelete -Wx -H ldapi:/// -r dc=maildomains,dc=example,dc=com
Enter LDAP Password:
ldap_delete: Other (e.g., implementation specific) error (80)
ldap_delete: Operation not allowed on non-leaf (66)
additional info: subordinate objects must be deleted first
There are a couple of hundred subordinate entries under
dc=maildomains,dc=example,dc=com.
Am I doing something wrong or have I encountered a bug?
I'm running 2.4.21 on Ubuntu 10.04.
10 years, 8 months
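The following is an added example, not code from the original post or from OpenLDAP. It shows the ordering a client-side recursive delete has to respect: slapd refuses to delete an entry that still has children (result 66, notAllowedOnNonLeaf), so the subordinates must be deleted deepest-first and the base entry last. The base dc=maildomains,dc=example,dc=com is the poster's; the entries beneath it are constructed sample data, and the ldapdelete argv is an assumption for illustration.

```python
"""Order a subtree for deletion: subordinates first, base entry last.

Added example; it is not code from the original post or from OpenLDAP.
slapd refuses to delete an entry that still has children (result 66,
notAllowedOnNonLeaf), so a client-side recursive delete has to issue the
deletes deepest-first. The base is the post's dc=maildomains,dc=example,dc=com;
the entries under it are constructed sample data, not the poster's.
"""
from typing import List

BASE = "dc=maildomains,dc=example,dc=com"

SAMPLE_DNS = [                      # constructed, e.g. from a subtree search
    "dc=maildomains,dc=example,dc=com",
    "dc=other,dc=example,dc=com",   # sibling, must not be touched
    "ou=a.example,dc=maildomains,dc=example,dc=com",
    "cn=Smith\\, John,ou=a.example,dc=maildomains,dc=example,dc=com",
    "ou=b.example,dc=maildomains,dc=example,dc=com",
]


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDN strings on unescaped commas (RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def _norm(dn: str) -> List[str]:
    # case-insensitive comparison of attribute types and values is enough here
    return [r.lower() for r in split_rdns(dn)]


def is_subordinate(dn: str, base: str) -> bool:
    d, b = _norm(dn), _norm(base)
    return len(d) > len(b) and d[-len(b):] == b


def deletion_order(base: str, dns: List[str]) -> List[str]:
    """Base plus its subordinates from dns, deepest first; the sort is stable."""
    subtree = [d for d in dns if _norm(d) == _norm(base) or is_subordinate(d, base)]
    return sorted(subtree, key=lambda d: -len(split_rdns(d)))


def ldapdelete_argv(order: List[str]) -> List[str]:
    """One ldapdelete invocation; the DNs are processed in the order given."""
    return ["ldapdelete", "-x", "-W", "-H", "ldapi:///", *order]


if __name__ == "__main__":
    for dn in deletion_order(BASE, SAMPLE_DNS):
        print(dn)
```

The DN splitter keeps escaped commas (as in cn=Smith\, John) inside their RDN, which a naive split on "," would get wrong and which would then put that entry at the wrong depth.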
Reasons for bi_db_open failed! (-30793) with back-mdb?
by Michael Ströder
Hi!
What are the possible reasons for this message?
5070a03c backend_startup_one (type=mdb, suffix="cn=accesslog,o=example"):
bi_db_open failed! (-30793)
I'm testing migrating an existing LDAP server with four DBs - two of them
accesslog DBs - to back-mdb with RE24 c62a82b07e1bcc4c795cb5185ee9f16406b05bd9.
Either slapadd fails or starting slapd fails after slapadd.
Ciao, Michael.
10 years, 8 months
slaptest fails to convert overlay syncprov?
by Tim Tyler
Openldap experts?
I am trying to convert a slapd.conf file to the cn=config version on Red Hat 6.3
running openldap 2.4.23-26.
when I do the following to convert the slapd.conf file to the cn=config
version, I get the following error:
[root@ldap openldap]# slaptest -f slapd.conf -F slapd.d
overlay "syncprov" not found
slaptest: bad configuration directory!
I am not loading any modules in slapd.conf, as the old CentOS 5 version did
not require me to load any syncprov module for syncprov to work. I think
I read that it was statically included in the binary. It always worked
without the module call anyway. Do I now need to add a line for the
syncprov module to slapd.conf in order to get slaptest to see and
convert the syncprov overlay with the Red Hat 6 version of OpenLDAP?
Note: here are the syncprov lines in my slapd.conf file:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
limits dn.exact="cn=xxxx,dc=site,dc=edu" size=unlimited time=unlimited
Or is there some other issue I might be missing?
Tim Tyler
Network Engineer
Beloit College
10 years, 8 months
how to tell client to use ssf=256 instead of ssf=128
by Tobias Hachmer
Hello,
I'm using OpenLDAP 2.4.28 on Ubuntu Server and have configured TLS.
I want to allow write operations only when ssf=256 is used. (security
update_ssf=256)
Certificates were set up with openssl CA.pl.
When I connect via
# ldapadd -Y EXTERNAL -ZZ -f /src/test.ldif
I get this:
SASL/EXTERNAL authentication started
SASL username: cn=ldapadmin,.............
SASL SSF: 0
adding new entry "dc=example,dc=com"
ldap_add: Confidentiality required (13)
additional info: stronger confidentiality required for update
the log says:
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="" method=163
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND authcid="cn=ldapadmin,........." authzid="cn=ldapadmin,........"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,......." mech=EXTERNAL sasl_ssf=0 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 8 19:38:14 ldap slapd[2205]: connection_input: conn=1003 deferring operation: binding
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=3 UNBIND
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 closed
1. Why is the client connecting with ssf=128?
2. Can I influence the ssf used by client, if yes, how?
3. Maybe a certificate issue?
Thanks in advance,
Tobias Hachmer
10 years, 8 months
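The following is an added example, not code from the original post or from OpenLDAP. It is a small check run over slapd "stats" log lines of the kind quoted in the post: slapd derives tls_ssf from the key length of the negotiated cipher, so a 128-bit cipher gives the ssf=128 seen above, and the BIND line repeats the connection's overall ssf next to the SASL layer's sasl_ssf. The script takes the last ssf= reported for a connection and flags every write operation issued below the required update_ssf, which is how a log review would spot clients that negotiate a weaker cipher than policy expects. The log lines are constructed from the post (the bind DN is made up, since the original elides it) plus two extra constructed connections; the threshold of 256 matches the post's security update_ssf=256.

```python
"""Flag write operations issued over connections whose security strength
factor is below the update_ssf the server enforces.

Added example; it is not code from the original post or from OpenLDAP.
It runs over slapd 'stats' log lines of the kind quoted above. slapd derives
tls_ssf from the key length of the negotiated cipher, so a 128-bit cipher
gives ssf=128; the BIND line repeats the connection's overall ssf next to the
SASL layer's sasl_ssf. The script uses the last ssf= reported for a connection.
The log below is constructed from the post (with a made-up bind DN, since
the original elides it) plus constructed 256-bit and cleartext connections.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,dc=example,dc=com" mech=EXTERNAL sasl_ssf=0 ssf=128
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct 8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
Oct 8 19:38:20 ldap slapd[2205]: conn=1004 fd=14 TLS established tls_ssf=256 ssf=256
Oct 8 19:38:20 ldap slapd[2205]: conn=1004 op=1 MOD dn="uid=bob,dc=example,dc=com"
Oct 8 19:38:25 ldap slapd[2205]: conn=1005 fd=15 ACCEPT from IP=10.0.0.5:40001 (IP=0.0.0.0:389)
Oct 8 19:38:25 ldap slapd[2205]: conn=1005 op=0 DEL dn="uid=eve,dc=example,dc=com"
"""

_CONN = re.compile(r"\bconn=(\d+)")
_SSF = re.compile(r"\bssf=(\d+)")            # plain ssf=, not tls_ssf= or sasl_ssf=
_WRITE = re.compile(r"\bop=(\d+) (ADD|MOD|MODRDN|DEL)\b")


def weak_writes(log: str, update_ssf: int) -> List[Tuple[int, int, str, int]]:
    """Return (conn, op, kind, ssf) for every write issued below update_ssf.

    A connection with no ssf= seen yet is cleartext, i.e. strength 0.
    """
    strength: Dict[int, int] = {}
    findings = []
    for line in log.splitlines():
        c = _CONN.search(line)
        if not c:
            continue
        conn = int(c.group(1))
        s = _SSF.search(line)
        if s:
            strength[conn] = int(s.group(1))
        w = _WRITE.search(line)
        if w:
            ssf = strength.get(conn, 0)
            if ssf < update_ssf:
                findings.append((conn, int(w.group(1)), w.group(2), ssf))
    return findings


if __name__ == "__main__":
    for conn, op, kind, ssf in weak_writes(SAMPLE_LOG, 256):
        print(f"conn={conn} op={op} {kind} at ssf={ssf} < 256")
```

The word-boundary in the ssf= pattern is what keeps tls_ssf= and sasl_ssf= from being mistaken for the connection's overall strength; the cleartext connection (no ssf= line at all) is scored 0 so that it is flagged at any non-zero threshold.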
Complete re-sync in MirrorMode
by Santosh Kumar Gupta
Dear List,
I set up two openldap servers in MirrorMode replication.
I added a user on Master2 and it synced to Master1, but without
userPassword.
Digging into the problem, I found a typo in olcAccess for the replicator
user. I fixed the error, and any new updates on Master2 now get replicated to
Master1 including userPassword, but the previously replicated users are
not being synced.
I tried running slapd with parameter -c "rid=000" but without success.
Please help me to full sync Master1 without recreating db.
TIA
Santosh
10 years, 8 months
Openldap Synchronization Issue
by Victor Silva
Hello folks, I have an LDAP base running on 2 machines in a master/slave
design. I tried to do a db2ldif, but as I'm using virtual machines it
took a very long time and I aborted the process with Ctrl-C.
Since then my bases no longer sync. I have the following error logs:
[05/Oct/2012:17:44:22 -0300] - 389-Directory/1.2.9.9 B2011.244.2040 starting up
[05/Oct/2012:17:44:22 -0300] - from ldbm instance init: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored)
[05/Oct/2012:17:44:22 -0300] - from DSE add: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored)
[05/Oct/2012:17:44:22 -0300] - from ldbm instance init: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored)
[05/Oct/2012:17:44:22 -0300] - from DSE add: line 0: unknown or invalid matching rule "integerOrderingMatch" in index configuration (ignored)
I've read on some other mailing lists that many people had this problem, but I
could not pinpoint an appropriate solution. I don't know which other logs
I can post in order to help you, but I will be happy to provide them if you
require more info.
Regards,
vfbsilva
10 years, 8 months
pwdReset: TRUE not working
by Jason Cwik
Hi,
I've recently configured a new openldap 2.4.32 server with the ppolicy
overlay. Most of the features like lockout and minLength work fine,
but I can't seem to force the user's password to expire. I've even
set pwdReset: TRUE on the user's record to try and force them to reset
the password, but it doesn't seem to do anything.
Here's my overlay config:
MBP2:~ me$ ldapsearch -h 10.242.25.158 -D "cn=root,cn=config" -x -W -b
"cn=config" -s sub "olcOverlay=ppolicy"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcOverlay=ppolicy
# requesting: ALL
#
# {1}ppolicy, {1}bdb, config
dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=my,dc=domain,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
And the default pwdPolicy object:
MBP2:~ me$ ldapsearch -h 10.242.25.158 -D
"cn=ldapadmin,dc=my,dc=domain,dc=com" -x -W -b
"ou=policies,dc=my,dc=domain,dc=com" -s sub "cn=default"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=policies,dc=my,dc=domain,dc=com> with scope subtree
# filter: cn=default
# requesting: ALL
#
# default, policies, my.domain.com
dn: cn=default,ou=policies,dc=my,dc=domain,dc=com
objectClass: person
objectClass: top
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 30
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 11555200
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: TRUE
pwdSafeModify: TRUE
sn: dummy value
I turned on trace debugging and I do see it successfully loading
cn=default,ou=policies,dc=my,dc=domain,dc=com during the bind
operation, so it appears that ppolicy is running fine and loading the
policy object.
Any ideas?
10 years, 8 months