openldap-technical November 2012

openldap-technical@openldap.org

62 participants
68 discussions

Nssov overlay in Ubuntu 12.04
by Simone Scremin 11 Nov '12

11 Nov '12

Hi all, I'm trying to setup the nssov overlay in Ubuntu 12.04. I setup the server as the official doc suggested here: https://help.ubuntu.com/12.04/serverguide/openldap-server.html Now I'm stuck because I didn't find anywhere a working ldif example to enable the addon. I tried with the following ldif: dn: olcOverlay={0}nssov,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcNssOvConfig olcOverlay: {0}nssov olcNssSsd: test ldap:///ou=People,dc=example,dc=com but I get: ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax Can someone please give some advice? Thank you! Simone Scremin

2 3

Lastlogon attribute
by jeevan kc 09 Nov '12

09 Nov '12

Hello there Does any versions of openldap schema support the last logon attribute? I am asked to add that attribute to run a report through a application? I don't know if simply addding that attribute on the local schema configuration(openldap 2.4.30) would do it.Is it possible? Thanks John

2 13

TLS issue with self-signed certificate
by Luc MAIGNAN 09 Nov '12

09 Nov '12

Hi, I want to setup a LDAPS connection with a self signed certificate. Unfortunaly, I have the following error : Peer's certificate issuer has been marked as not trusted by the user I tried to trust is by a : certutil -d ... -A -n 'CA' -t CT,,, -a -i ca.crt But it doen't change anything. Has someone an idea for me ? Best regards

2 5

Replication account kept being deleted
by sgao＠frontier.com 08 Nov '12

08 Nov '12

Hi, I am running into a problem with replication accounts being deleted from directory from time to time. Here is my setup: 1. Master-master replication configuration: On ldap1 Syncrepl rid=002 provider=ldaps://ldap2.example.com interval=00:00:02:00 retry="60 5 300 5" type=refreshAndPersist searchbase="dc=example,dc=com" schemachecking=off bindmethod=simple binddn="cn=repl1,dc=example,dc=com" credentials=password On ldap2 Syncrepl rid=001 provider=ldaps://ldap1.example.com interval=00:00:01:00 retry="60 5 300 5" type=refreshAndPersist searchbase="dc=example,dc=com" schemachecking=off bindmethod=simple binddn="cn=repl2,dc=example,dc=com" credentials=password The DNs "cn=repl1,dc=example,dc=com" and "cn=repl2,dc=example,dc=com" are kept being removed from directory on ldap1 or ldap2. When the DNs exist, replication worked fine. However, once the DNs got removed, replication would stop working upon restarting slapd. The version of OpenLDAP is 2.4.23. Any help would be very much appreciated. Simon

1 0

TLS issue
by Luc MAIGNAN 07 Nov '12

07 Nov '12

Hi, I try to setup a LDAPS server. The chain of my certificate seems to be right (openssl s_client showcerts id ok) but I have the following error : unable to get TLS client DN : error -49 Can anyone help me ? Thanks for any help BR

2 1

SASL issue
by Luc MAIGNAN 06 Nov '12

06 Nov '12

Hi, I want to configure SASL in my OpenLDAP server. I saw in documentation that I have to set 'sasl-host' and 'sasl-realm' in slapd.conf In fact I don't use slapd.conf but the cn=config architecture. So where put the parameters ? Thanks for any help

3 2

local password change in read-only replica?
by Marc Patermann 06 Nov '12

06 Nov '12

Hi, from a central master/provider server we replicate to (a lot of) sync-repl slave/consumers. Which are then - of course - read-only. We have passwordpolicy turned on on all the servers. Now we have three accounts - each an another "home" replica - which have a newer modifyTimestamp value on their replica then on the master and all other slaves. The userPassword attribute is different on the "home" replica. What could have caused this? In the log I cannot find any changing operation on the replica according to the time in modifyTimestamp. Marc

1 0

Ubuntu Server 12.04: StartTLS
by admus 05 Nov '12

05 Nov '12

Hello, I'm following https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls… how to: LDAP serwer starts correctly but when I tries to test StartTLS: ldapsearch -x -H ldap:/// -ZZ -d -1 I gets the following error: TLS: peer cert untrusted or revoked (0x42) TLS: can't connect: (unknown error code). ldap_err2string ldap_start_tls: Connect error (-11) additional info: (unknown error code) Any idea?

6 10

Re: Error : when create usermachine in LDAP
by rodrigo tavares 05 Nov '12

05 Nov '12

Hello Mauricio, 1) How comfortable are you with linux/unix in general and debian specifically? Do not take this as an insult; I just want to know what I need to ask. Remember I have no access to your machine. ;) I like much Debian Linux, it's very fast. I began work with Linux, i used Conetiva 6.0 and Red Hat Enteprise/Fedora both using format RPM. Debian have a lot packages. And is free, diffent red hat. 2) Are you using ldap to login to this machine or just to check mail? Well I have a server email with LDAP and Suport Samba. So the base ldap the mailserver is replicated from server samba. Then, all modifications LDAP made go to server samba. It run about 5 minutes. I create users emails e samba users. Making intgretion with users samba. 3) I do speak portuguese (I lived in SJC and then Rio). Would you prefer that a gente fale em portugues? Once again, it is all about your comfort level. Speak an English. For others in discussion ________________________________ De: Mauricio Tavares <raubvogel(a)gmail.com> Para: rodrigo tavares <rodrigofariat(a)yahoo.com.br> Enviadas: Quarta-feira, 31 de Outubro de 2012 14:14 Assunto: Re: Error : when create usermachine in LDAP A few questions (I am replying directly to you instead of to the list): 1) How comfortable are you with linux/unix in general and debian specifically? Do not take this as an insult; I just want to know what I need to ask. Remember I have no access to your machine. ;) 2) Are you using ldap to login to this machine or just to check mail? 3) I do speak portuguese (I lived in SJC and then Rio). Would you prefer that a gente fale em portugues? Once again, it is all about your comfort level. On Wed, Oct 31, 2012 at 11:49 AM, rodrigo tavares <rodrigofariat(a)yahoo.com.br> wrote: > Hello, > > > How exactly are you adding the computer to ldap? I take it is not > using ldapadd. ;) > > > In Brazil in state Parana, exists on sofwtare called Expresso Mail Free. > It have a easy interface, and you can create mail users, users samba and > machine, all integrate in > LDAP. It have cyrus-imap, openldap, posfix and postgresql. > > > http://rodrigofariat.files.wordpress.com/2012/10/ldap-error.png > > Some logs: > > Oct 31 13:59:08 defensoria slapd[1688]: conn=1542 op=1 SRCH > base="dc=defensoria,dc=mg,dc=gov,dc=br" scope=2 deref=0 > filter="(uid=computer2$)" > Oct 31 13:59:08 defensoria slapd[1688]: conn=1542 op=1 SEARCH RESULT tag=101 > err=0 nentries=0 text= > Oct 31 13:59:08 defensoria slapd[1688]: conn=1542 op=2 UNBIND > Oct 31 13:59:08 defensoria slapd[1688]: conn=1542 fd=38 closed > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 fd=38 ACCEPT from > IP=127.0.0.1:50679 (IP=0.0.0.0:389) > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 op=0 BIND > dn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br" method=128 > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 op=0 BIND > dn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br" mech=SIMPLE ssf=0 > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 op=0 RESULT tag=97 err=0 > text= > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 op=1 ADD > dn="uid=computer2$,ou=defensoria,dc=defensoria,dc=mg,dc=gov,dc=br" > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 op=1 RESULT tag=105 err=21 > text=gidNumber: value #0 invalid per syntax > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 op=2 UNBIND > Oct 31 13:59:08 defensoria slapd[1688]: conn=1543 fd=38 closed > Oct 31 13:59:08 defensoria slapd[1688]: conn=1544 fd=38 ACCEPT from > IP=127.0.0.1:50680 (IP=0.0.0.0:389) > Oct 31 13:59:08 defensoria slapd[1688]: conn=1544 op=0 BIND > dn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br" method=128 > Oct 31 13:59:08 defensoria slapd[1688]: conn=1544 op=0 BIND > dn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br" mech=SIMPLE ssf=0 > Oct 31 13:59:08 defensoria slapd[1688]: conn=1544 op=0 RESULT tag=97 err=0 > text= > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 fd=39 ACCEPT from > IP=127.0.0.1:50681 (IP=0.0.0.0:389) > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 op=0 BIND > dn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br" method=128 > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 op=0 BIND > dn="cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br" mech=SIMPLE ssf=0 > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 op=0 RESULT tag=97 err=0 > text= > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 op=1 SRCH > base="dc=defensoria,dc=mg,dc=gov,dc=br" scope=2 deref=0 > filter="(objectClass=organizationalUnit)" > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 op=1 SRCH attr=dn > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 op=1 SEARCH RESULT tag=101 > err=0 nentries=1 text= > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 op=2 UNBIND > Oct 31 13:59:08 defensoria slapd[1688]: conn=1545 fd=39 closed > Oct 31 13:59:08 defensoria slapd[1688]: conn=1544 op=1 UNBIND > Oct 31 13:59:08 defensoria slapd[1688]: conn=1544 fd=38 closed > Oct 31 13:59:08 defensoria slapd[1688]: conn=1541 op=1 UNBIND > Oct 31 13:59:08 defensoria slapd[1688]: conn=1541 fd=17 closed > Oct 31 13:59:10 defensoria slapd[1688]: conn=1546 fd=17 ACCEPT from > IP=127.0.0.1:50682 (IP=0.0.0.0:389) > Oct 31 13:59:10 defensoria slapd[1688]: conn=1546 op=0 do_search: invalid > dn: "LDAP_DN" > Oct 31 13:59:10 defensoria slapd[1688]: conn=1546 op=0 SEARCH RESULT tag=101 > err=34 nentries=0 text=invalid DN > Oct 31 13:59:10 defensoria slapd[1688]: conn=1546 op=1 UNBIND > Oct 31 13:59:10 defensoria slapd[1688]: conn=1546 fd=17 closed > > Thanks ! > > Rodrigo > > > > ________________________________ > De: Mauricio Tavares <raubvogel(a)gmail.com> > Para: "openldap-technical(a)openldap.org" <openldap-technical(a)openldap.org> > Cc: rodrigo tavares <rodrigofariat(a)yahoo.com.br> > Enviadas: Quarta-feira, 31 de Outubro de 2012 12:47 > > Assunto: Re: Error : when create usermachine in LDAP > > On Wed, Oct 31, 2012 at 9:46 AM, Dan White <dwhite(a)olp.net> wrote: >> On 10/31/12 06:16 -0700, rodrigo tavares wrote: >>> >>> Hello, >>> >>> I try to create a computer in LDAP, come this message: >>> Error in OpenLDAP recording computer.* >>> >>> What is wrong ? >> >> >> Rodrigo, >> >> I am unfamiliar with the error message you are seeing. However, your >> post lacks some important information. See: >> >> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html >> >> Provide a better mental image of what command or action you are performing >> that is causing your error, and what output you are expecting to see; what >> software are using that is causing this error? What version of OpenLDAP >> are >> you using? >> >> -- >> Dan White >> > Rodrigo: > > How exactly are you adding the computer to ldap? I take it is not > using ldapadd. ;) > > Does whatever you are using have a log and a debugging/verbose mode? > > >

2 2

general protection fault when deleting members from a large group (mdb)
by Mundry, Marvin 03 Nov '12

03 Nov '12

Hi, i was trying to remove all members from a group initially having 48428 members one by one. i.e.: dn: cn=students,ou=groups,dc=university,dc=com changetype: modify delete: member member: cn=user1,ou=users,dc=uni-hamburg,dc=de dn: cn=students,ou=groups,dc=university,dc=com changetype: modify delete: member member: cn=user2,ou=users,dc=uni-hamburg,dc=de [...] after some time ldapmodify stops as the slapd stops running. In the syslog i see the following message: Nov 3 15:05:45 oscar slapd[11040]: conn=1000 op=133 MOD dn="cn=students,ou=groups,dc=university,dc=com" Nov 3 15:05:45 oscar slapd[11040]: conn=1000 op=133 MOD attr=member Nov 3 15:05:45 oscar slapd[11040]: conn=1000 op=134 MOD dn="cn=students,ou=groups,dc=university,dc=com" Nov 3 15:05:45 oscar slapd[11040]: conn=1000 op=134 MOD attr=member Nov 3 15:05:45 oscar slapd[11040]: conn=1000 op=133 RESULT tag=103 err=0 text= Nov 3 15:05:45 oscar kernel: [21207.720483] slapd[11045] general protection ip:7fae665cbc1f sp:7faded9c9fc0 error:0 in back_mdb-2.4.so.2.8.5[7fae665a5000+30000] am i doing something wrong or is there a bug in my slapd? i am running openldap-2.4.33 on ubuntu 12.10, compiled with: --enable-dynamic=yes --enable-syslog=yes --enable-slapd=yes --enable-dynacl=yes --enable-crypt=yes --enable-modules=yes --enable-rewrite=yes --enable-bdb=mod --enable-hdb=mod --enable-ldap=mod --enable-mdb=mod --enable-meta=mod --enable-monitor=mod --enable-overlays=mod --with-tls=openssl Best regards, Marvin Mundry

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2012