openldap-technical February 2012

openldap-technical@openldap.org

98 participants
113 discussions

Using NSS
by Braden McDaniel 05 Feb '12

05 Feb '12

I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In cn=config.ldif I have: olcTLSCACertificatePath: /etc/pki/nssdb olcTLSCertificateFile: endoframe I have used certutil to create a self-signed certificate: # certutil -d /etc/pki/nssdb -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI endoframe Cu,Cu,Cu But this doesn't appear to be working: $ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1 ldap_url_parse_ext(ldaps://rail) ldap_create ldap_url_parse_ext(ldaps://rail:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP rail:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) slapd is running: # systemctl status slapd.service slapd.service - LSB: starts and stopd OpenLDAP server daemon Loaded: loaded (/etc/rc.d/init.d/slapd) Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago Main PID: 1429 (slapd) CGroup: name=systemd:/system/slapd.service └ 1429 /usr/sbin/slapd -h ldap:/// -u ldap Any ideas of what I might be doing wrong, or where I should be looking to debug this? -- Braden McDaniel <braden(a)endoframe.com>

8 19

How do I reset rootdn password?
by Daniel Savard 05 Feb '12

05 Feb '12

I would like to know how to reset the rootpw in OpenLDAP 2.4? Do I need to recreate over the entire configuration database and the database itself or there is a trick? -- Daniel Savard

7 11

Accursed LDAP+SSL Breakage When Using libgcrypt
by Ken Stailey 05 Feb '12

05 Feb '12

Hi, I abandoned any efforts to get anyone to hack the broken libgcrypt11 so that it would stop dropping setuid permissions. This was motivated largely by the fact that upstream GnuTLS started releasing versions that were intended to stop using libcrypt as the crypto back-end along with support for multiple crypto back-ends. The preferred crypto library for GnuTLS is nettle now. This change requires a minimum of GnuTLS 2.11.x and Ubuntu 12.04 is using GnuTLS 2.12.x. There were miscellaneous announcements made about this change: Andreas Metzler http://lists.debian.org/debian-legal/2011/02/msg00006.html {{ GnuTLS upstream has added support for different crypto backends in 2.11.x and has chosen nettle as prefered [sic] backend (2.10.x is using libgcrypt). }} It works for me, when I configure GnuTLS on Ubuntu 12.04 to use nettle the painful regression goes away and I can use setuid binaries from an LDAP account configured to access an LDAP server via SSL. To test on Ubuntu 12.04 or Debian Testing or Unstable simply: apt-get build-dep libgnutls26 apt-get source gnutls26 to fetch the source for gnutls26-2.12.14 (or 2.12.16-1 on Debian) then chop out --with-libgcrypt from the debian/rules file and rebuild gnutls26 debuild -i -uc -us -b and install the resulting .deb files. Much to my chagrin, upstream Debian still configures GnuTLS to use the horribly defective and rejected-by-upstream libgcrypt11 instead of the preferred-by-upstream nettle despite both Debian Testing and Debian Unstable having GnuTLS 2.12.16-1 $ grep with-libgcrypt sid/gnutls26-2.12.16/debian/rules --cache-file=$(CURDIR)/config.cache --with-libgcrypt \ So I opened two bug reports: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739 https://bugs.launchpad.net/bugs/926350 Hope that helps.

1 0

2.4.28 cn=config replication trouble
by Aaron Bennett 03 Feb '12

03 Feb '12

Hello, I've got two 2.4.28 boxes and I'm trying to get two-way multimaster replication set up - first for cn=config, and then for the entire tree. I can attach more of config.ldif if needed, but here are what I think are the relevant snippets: First thing that leaps out is, of course, the certificate is for ds.clarku.edu and the hosts are called animal.clarku.edu and zoot.clarku.edu; that's needed because I intend to round-robin those two hosts. I have TLS_REQCERT never in ldap.conf on each machine and I can do a successful "ldapsearch -H ldaps://animal.clarku.edu -x -D "cn=config" -W -b cn=config" from each machine to the other. dn: cn=config objectClass: olcGlobal cn: config olcAllows: bind_v2 olcArgsFile: /var/run/openldap/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 25 olcConfigDir: /etc/openldap/ldap/slapd.d olcConfigFile: /etc/openldap/slapd.conf olcConnMaxPending: 400 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexIntLen: 4 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcLocalSSF: 71 olcLogLevel: stats sync olcPidFile: /var/run/openldap/slapd.pid olcReadOnly: FALSE olcReverseLookup: FALSE olcServerID: 1 ldaps://animal.clarku.edu olcServerID: 2 ldaps://zoot.clarku.edu olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 25 olcTLSCACertificatePath: /etc/openldap/nssdb olcTLSCertificateFile: ds.clarku.edu olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by * none olcAddContentAcl: TRUE olcLastMod: TRUE olcMaxDerefDepth: 15 olcMirrorMode: TRUE olcMonitoring: FALSE olcReadOnly: FALSE olcRootDN: cn=config olcRootPW: {SSHA}<PASSWORD> olcSyncrepl: {0}rid=001 provider=ldaps://animal.clarku.edu binddn="cn=config " bindmethod="simple" credentials="<PASSWORD>" searchbase="cn=config" type= refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=002 provider=ldaps://zoot.clarku.edu binddn="cn=config" bindmethod="simple" credentials="<PASSWORD>" searchbase="cn=config" type=r efreshAndPersist retry="5 5 300 5" timeout=1 Here's the -d1 output: 4f2ae081 do_syncrepl: rid=001 rc -1 retrying (4 retries left) 4f2ae081 slap_listener_activate(9): 4f2ae081 >>> slap_listener(ldaps:///) 4f2ae081 connection_get(15): got connid=1000 4f2ae081 connection_read(15): checking for input on id=1000 TLS: using moznss security dir /etc/openldap/nssdb prefix . TLS: certificate [CN=ds.clarku.edu,OU=ITS,O=Clark University,L=Worcester,ST=Massachusetts,C=US,serialNumber=HUpyuTQIxJ8ShXHOBGZo7j-BC9l4ykNA] is valid 4f2ae081 connection_get(15): got connid=1000 4f2ae081 connection_read(15): checking for input on id=1000 TLS certificate verification: subject: no certificate, issuer: no certificate, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 1, cache not reusable: 0 4f2ae081 connection_read(15): unable to get TLS client DN, error=49 id=1000 4f2ae081 connection_get(15): got connid=1000 4f2ae081 connection_read(15): checking for input on id=1000 ber_get_next 4f2ae081 ber_get_next on fd 15 failed errno=0 (Success) 4f2ae081 connection_close: conn=1000 sd=15 4f2ae086 =>do_syncrepl rid=001 ldap_create ldap_url_parse_ext(ldaps://animal.clarku.edu) ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP animal.clarku.edu:636 4f2ae086 slap_listener_activate(9): 4f2ae086 >>> slap_listener(ldaps:///) 4f2ae086 connection_get(18): got connid=1001 4f2ae086 connection_read(18): checking for input on id=1001 ldap_new_socket: 15 ldap_prepare_socket: 15 ldap_connect_to_host: Trying 140.232.1.12:636 ldap_pvt_connect: fd: 15 tm: -1 async: 0 4f2ae086 connection_get(18): got connid=1001 4f2ae086 connection_read(18): checking for input on id=1001 TLS certificate verification: subject: no certificate, issuer: no certificate, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 2, cache not reusable: 0 4f2ae086 connection_read(18): unable to get TLS client DN, error=49 id=1001 4f2ae086 connection_get(18): got connid=1001 4f2ae086 connection_read(18): checking for input on id=1001 ber_get_next ber_get_next: tag 0x30 len 31 contents: 4f2ae086 op tag 0x60, time 1328210054 ber_get_next 4f2ae086 conn=1001 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: 4f2ae086 >>> dnPrettyNormal: <cn=config> 4f2ae086 <<< dnPrettyNormal: <cn=config>, <cn=config> 4f2ae086 do_bind: version=3 dn="cn=config" method=128 4f2ae086 do_bind: v3 bind: "cn=config" to "cn=config" 4f2ae086 send_ldap_result: conn=1001 op=0 p=3 4f2ae086 send_ldap_response: msgid=1 tag=97 err=0 ber_flush2: 14 bytes to sd 18 4f2ae086 connection_get(18): got connid=1001 4f2ae086 connection_read(18): checking for input on id=1001 ber_get_next ber_get_next: tag 0x30 len 185 contents: 4f2ae086 op tag 0x63, time 1328210054 ber_get_next 4f2ae086 conn=1001 op=1 do_search ber_scanf fmt ({miiiib) ber: 4f2ae086 >>> dnPrettyNormal: <cn=config> 4f2ae086 <<< dnPrettyNormal: <cn=config>, <cn=config> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: 4f2ae086 => get_ctrls ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: 4f2ae086 => get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical) ber_scanf fmt ({i) ber: ber_scanf fmt (m) ber: ber_scanf fmt (b) ber: ber_scanf fmt (}) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (b) ber: 4f2ae086 => get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical) 4f2ae086 <= get_ctrls: n=2 rc=0 err="" 4f2ae086 send_ldap_result: conn=1001 op=1 p=3 4f2ae086 send_ldap_result: conn=1001 op=1 p=3 4f2ae086 send_ldap_intermediate: err=0 oid=1.3.6.1.4.1.4203.1.9.1.4 len=2 4f2ae086 send_ldap_response: msgid=2 tag=121 err=0 ber_flush2: 37 bytes to sd 18 TLS: certificate [CN=ds.clarku.edu,OU=ITS,O=Clark University,L=Worcester,ST=Massachusetts,C=US,serialNumber=HUpyuTQIxJ8ShXHOBGZo7j-BC9l4ykNA] is valid TLS certificate verification: subject: CN=ds.clarku.edu,OU=ITS,O=Clark University,L=Worcester,ST=Massachusetts,C=US,serialNumber=HUpyuTQIxJ8ShXHOBGZo7j-BC9l4ykNA, issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 2, cache not reusable: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 33 bytes to sd 15 ldap_result ld 0x7f59cc100910 msgid 1 wait4msg ld 0x7f59cc100910 msgid 1 (timeout 1000000 usec) wait4msg continue ld 0x7f59cc100910 msgid 1 all 1 ** ld 0x7f59cc100910 Connections: * host: animal.clarku.edu port: 636 (default) refcnt: 2 status: Connected last used: Thu Feb 2 14:14:14 2012 ** ld 0x7f59cc100910 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x7f59cc100910 request count 1 (abandoned 0) ** ld 0x7f59cc100910 Response Queue: Empty ld 0x7f59cc100910 response count 0 ldap_chkResponseList ld 0x7f59cc100910 msgid 1 all 1 ldap_chkResponseList returns ld 0x7f59cc100910 NULL ldap_int_select read1msg: ld 0x7f59cc100910 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x7f59cc100910 msgid 1 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x7f59cc100910 0 new referrals read1msg: mark request completed, ld 0x7f59cc100910 msgid 1 request done: ld 0x7f59cc100910 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_search_ext put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 188 bytes to sd 15 4f2ae086 =>do_syncrep2 rid=001 ldap_result ld 0x7f59cc100910 msgid 2 wait4msg ld 0x7f59cc100910 msgid 2 (timeout 1000000 usec) wait4msg continue ld 0x7f59cc100910 msgid 2 all 0 ** ld 0x7f59cc100910 Connections: * host: animal.clarku.edu port: 636 (default) refcnt: 2 status: Connected last used: Thu Feb 2 14:14:14 2012 ** ld 0x7f59cc100910 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x7f59cc100910 request count 1 (abandoned 0) ** ld 0x7f59cc100910 Response Queue: Empty ld 0x7f59cc100910 response count 0 ldap_chkResponseList ld 0x7f59cc100910 msgid 2 all 0 ldap_chkResponseList returns ld 0x7f59cc100910 NULL ldap_int_select read1msg: ld 0x7f59cc100910 msgid 2 all 0 ber_get_next ber_get_next: tag 0x30 len 35 contents: read1msg: ld 0x7f59cc100910 msgid 2 message type intermediate ldap_parse_intermediate ber_scanf fmt ({) ber: ber_scanf fmt (a) ber: ber_scanf fmt (O) ber: ber_scanf fmt (t{) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_result ld 0x7f59cc100910 msgid 2 wait4msg ld 0x7f59cc100910 msgid 2 (timeout 0 usec) wait4msg continue ld 0x7f59cc100910 msgid 2 all 0 ** ld 0x7f59cc100910 Connections: * host: animal.clarku.edu port: 636 (default) refcnt: 2 status: Connected last used: Thu Feb 2 14:14:14 2012 ** ld 0x7f59cc100910 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x7f59cc100910 request count 1 (abandoned 0) ** ld 0x7f59cc100910 Response Queue: Empty ld 0x7f59cc100910 response count 0 ldap_chkResponseList ld 0x7f59cc100910 msgid 2 all 0 ldap_chkResponseList returns ld 0x7f59cc100910 NULL ldap_int_select 4f2ae08a connection_get(15): got connid=0 4f2ae08a =>do_syncrepl rid=001 4f2ae08a =>do_syncrep2 rid=001 ldap_result ld 0x7f59cc100910 msgid 2 wait4msg ld 0x7f59cc100910 msgid 2 (timeout 0 usec) wait4msg continue ld 0x7f59cc100910 msgid 2 all 0 ** ld 0x7f59cc100910 Connections: * host: animal.clarku.edu port: 636 (default) refcnt: 2 status: Connected last used: Thu Feb 2 14:14:14 2012 ** ld 0x7f59cc100910 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x7f59cc100910 request count 1 (abandoned 0) ** ld 0x7f59cc100910 Response Queue: Empty ld 0x7f59cc100910 response count 0 ldap_chkResponseList ld 0x7f59cc100910 msgid 2 all 0 ldap_chkResponseList returns ld 0x7f59cc100910 NULL ldap_int_select read1msg: ld 0x7f59cc100910 msgid 2 all 0 ber_get_next ldap_err2string 4f2ae08a do_syncrep2: rid=001 (-1) Can't contact LDAP server ldap_err2string 4f2ae08a connection_get(15): got connid=0 ldap_free_request (origid 2, msgid 2) ldap_free_connection 1 1 ldap_free_connection: actually freed Thanks for your time - any help is appreciated. - Aaron --- Aaron Bennett Manager of Systems Administration Clark University ITS

3 8

RE: Best Practices for configuration management with cn=config?
by Quanah Gibson-Mount 03 Feb '12

03 Feb '12

--On Friday, February 03, 2012 1:57 PM -0500 "Charles T. Brooks" <brooksct(a)hbcs.org> wrote: > Quanah, could you elaborate at little on this comment? > >> The cn=config method IS a database, not a set of flat text files. >> Modifications to the configuration are immediate with the exception of >> changes to olcSecurity. > > I'm just starting to convert a heavily replicated environment to > cn=config, and I (apparently stupidly) thought that slapd.d was a live > database. Is the cn=config database held by sleepycat then, mixed up > with my user and system data in /var/lib/ldap? Or is it in memory only? cn=config is indeed a live database, so thinking that is in no way stupid ;). My point was, that you cannot just go and edit the cn=config database with something like 'vi'. The correct method is to use something like ldapmodify, etc. > Also, the olcSecurity exception - why aren't changes to security also > immediate? Because it requires restarting slapd to take effect, due to the way in which it affects the connection handler. AFAIK, this is the only exception. Security changes to acls (such as SSF lines) are immediate. > I'll appreciate any insights you can share - I prefer slapd.conf > personally, but I want to proceed in the direction the code authors > favor, since they almost certainly have a clearer vision of what's > optimal for the future of the software than I do. > > Currently I make changes by shutting down slapd, deleting slapd.d, > rebuilding slapd.d from my slapd.conf with slaptest, and restarting > slapd. Works for me right now, but I hope to progress past it. That definitely is not the correct approach. You should just be using ldapmodify or similar to update the cn=config db. ;) --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

3 4

Best Practices for configuration management with cn=config?
by Jeff B 03 Feb '12

03 Feb '12

I'm using puppet for configuration management and with the slapd.conf it was dumb simple to push configs to the master and the slave servers and have the server reload when the config was updated. However I'm running an overlay that pukes with a slapd.conf and had to convert over to cn=config. Now I'm not sure how I want to manage this. Can I safely modify the files while slapd is running? I wouldn't expect it to pick up the config changes without a reload, but if I want puppet to push configs and reload will this be a valid method? Or do I need to do something with an LDIF of the config and have some kind of ldapadd/ldapmodify mojo? Are there any puppet modules for cn=config that I missed when I looked?

4 3

Openldap 2.4.28 master/slave crash after upgrade?
by Raffael Sahli 03 Feb '12

03 Feb '12

Hi I did an upgrade of two ldap server (master/slave) from 2.4.21 to 2.4.28 two days ago. And today, the master crashed, if I do an ldapsearch: root@ldap-master001 /]#---> ldapsearch -ZZ -hlocalhost -d-1 ldap_create ldap_url_parse_ext(ldap://localhost) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x13c3910 ptr=0x13c3910 end=0x13c392f len=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ber_scanf fmt ({) ber: ber_dump: buf=0x13c3910 ptr=0x13c3915 end=0x13c392f len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 ber_flush2: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_result ld 0x13bb660 msgid 1 wait4msg ld 0x13bb660 msgid 1 (infinite timeout) wait4msg continue ld 0x13bb660 msgid 1 all 1 ** ld 0x13bb660 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Thu Jan 26 21:43:50 2012 ** ld 0x13bb660 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x13bb660 request count 1 (abandoned 0) ** ld 0x13bb660 Response Queue: Empty ld 0x13bb660 response count 0 ldap_chkResponseList ld 0x13bb660 msgid 1 all 1 ldap_chkResponseList returns ld 0x13bb660 NULL ldap_int_select It hangs at ldap_int_select (There's nothing in the slapd debug log) Same problem again after a few seconds, if I kill the daemon and start it again. (The daemon crashed, only a kill -9 helped) And now, after one hour of debug, the same problem occurred on our first slave server.... Has someone similar problems, or can somone helps me? The next thing I'll do is go back to 2.4.21, maybe that helps.... Thanks -- Raffael Sahli public(a)raffaelsahli.com

2 3

BayLISA OpenLDAP talk
by Howard Chu 02 Feb '12

02 Feb '12

For any folks in the San Francisco area who haven't already heard, I'll be giving a talk on OpenLDAP's new memory-mapped database and backend (back-mdb) there on February 16. http://www.baylisa.org/ -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Directory Manager (cn=config) ACLs
by Andy Carlson 02 Feb '12

02 Feb '12

Are there any ACLs that control what cn=directory manager,cn=config can modify or is it a LDAP superuser sort-of account? I only ask because I want to blow away my ACLs (olcAccess attributes in olcDatabase={2}bdb) and re-add updated ones them (I know it sounds silly, but I have valid reasons for doing this) and I want to make sure that I can still make these modifications as this directory manager even if I have no ACLs. Thanks, Andy Carlson Moody Bible Institute Identity Administrator | Information Systems 312-329-4385 www.moody.edu<http://www.moody.edu>

2 1

openldap 2.4.28 and "allow bind_v2"
by Francis Swasey 02 Feb '12

02 Feb '12

I have built and upgraded one of my openldap servers from 2.4.26 to 2.4.28 (on RHEL release 5.7 x86_64) and with the identical configuration to my other servers, I am seeing the following messages in the slapd.log file: slapd[4434]: conn=115331 fd=263 ACCEPT from IP=X.X.X.X:51856 (IP=0.0.0.0:389) slapd[4434]: conn=115331 op=0 do_extended: protocol version (2) too low slapd[4434]: conn=115331 op=0 DISCONNECT tag=120 err=2 text=requires LDAPv3 slapd[4434]: conn=115331 fd=263 closed (operations error) I'm not seeing anything leaping out at me from the change log for 2.4.27/2.4.28 that indicates what I have gotten wrong that worked until now. As I said, I am running the same slapd.conf file on my 2.4.26 installations and not seeing these failures there at all (and since I use an F5 load balancer, these connections are sprayed all across my pool of servers). Where should I start looking? Thanks, -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900)

3 6

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2012