openldap-technical February 2012

openldap-technical@openldap.org

98 participants
113 discussions

2.4.29 memberof: entry_encode: Assertion `i == a->a_numvals' failed.
by Colin Hudler 23 Feb '12

23 Feb '12

Greetings, Haven't used OpenLDAP since 2.1; I see it has come a long way. I have a few hundred static groups and am using the memberOf overlay. There's a hundred thousand or so people entries and thousands of memberships. The overlay is configured thusly: # {0}memberof, {1}bdb, config dn: olcOverlay={0}memberof,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {0}memberof olcMemberOfDangling: drop olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfUniqueNames olcMemberOfMemberAD: uniqueMember olcMemberOfMemberOfAD: isMemberOf (I know a number of these attributes are not strictly correct -- a legacy encumbrance) When the replica starts a total update, it goes well for a while, then stops right here every time: 4f450e2d syncrepl_entry: rid=004 be_search (0) 4f450e2d syncrepl_entry: rid=004 cn=uc:org:nsit:integration:techag,ou=groups,dc=uchicago,dc=edu 4f450e2d conn=-1 op=0: memberof_op_add("cn=uc:org:nsit:integration:techag,ou=groups,dc=uchicago,dc=edu"): member="uid=chudler,ou=people,dc=uchicago,dc=edu" does not exist (stripping...) slapd: entry.c:773: entry_encode: Assertion `i == a->a_numvals' failed. The member ("uid=chudler") does exist in the master, I can find it with ldapsearch. I believe it does not yet exist in the replica. I'd like for total replication to succeed without doing an initial slapcat. Has anyone encountered this before? I am happy to debug if you need more information. Version 2.4.29, also using the refint overlay if that matters.

1 1

Re: daemon: bind(6) failed errno=98 (Address,already in use)
by Marc Patermann 23 Feb '12

23 Feb '12

stefano, stefano schrieb (23.02.2012 10:40 Uhr): > STATE "B" slapd is stopped run "/etc/init.d/slapd start"--->it works > checking pid "pgrep slaps"--->2237 stopping slapd "/etc/init.d/slapd > stop"---> slapd is stopped pgrep slapd--->2237 -the process is still > active- starting slapd "/etc/init.d/slapd start" ---> failed > > why stopping slapd "/etc/init.d/slapd stop" doesn't free the PID? This is out of scope of this mailing list. Check with your distribution "support". Marc

2 1

LDAP guide, manuals
by stefano 22 Feb '12

22 Feb '12

Hi, am searching documentation, guide, manuals, about Ldap. on line there are many and differents things. where can i find a guide complete and reliable about ldap on linux to understand everything? thank you

10 9

daemon: bind(6) failed errno=98 (Address,already in use)
by stefano 22 Feb '12

22 Feb '12

Hi folks, i don't understand a little problem with mi ldap server I installed and configuring my ldap server. after configuring slapd.conf, restarting the server was ok. then i prepared the client with ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. URI ldap://localhost BASE dc=amahoro,dc=bi BINDDN cn=Administrator,dc=amahoro,dc=bi #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never and tryed to test the server: ldapsearch -x -W -D 'cn=Administrator,dc=amahoro,dc=bi' -b "" -s base and it asks me Enter LDAP Password. i wrote the password asked me during the ldap installation without success. i tried to change it with ldappasswd it asked me the password, i wrote the same password but the answer is ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database. i tryied to comment everything in ldap.conf and restart the ldap server but is failed. checking in syslog the error is daemon: bind(6) failed errno=98 (Address,already in use) do you have any idea about the resolution of this problem? thank you

3 2

Join my network on LinkedIn
by Nathaniel Simch de Morais via LinkedIn 22 Feb '12

22 Feb '12

LinkedIn ------------ Nathaniel Simch de Morais requested to add you as a connection on LinkedIn: ------------------------------------------ I'd like to add you to my professional network on LinkedIn. Accept invitation from Nathaniel Simch de Morais http://www.linkedin.com/e/-48cabe-gyyo5kj5-2j/IxIpDd2wsdsod7c6kW2TzgvFvx58f… View invitation from Nathaniel Simch de Morais http://www.linkedin.com/e/-48cabe-gyyo5kj5-2j/IxIpDd2wsdsod7c6kW2TzgvFvx58f… ------------------------------------------ Why might connecting with Nathaniel Simch de Morais be a good idea? Nathaniel Simch de Morais's connections could be useful to you: After accepting Nathaniel Simch de Morais's invitation, check Nathaniel Simch de Morais's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future. -- (c) 2012, LinkedIn Corporation

1 0

request for brief documentation
by tirumala chenchala 22 Feb '12

22 Feb '12

Dear team, This is tirumala rao, working as a system administrator in infronics systems ltd, and i want to configure the open ldap server in my office and i have choose open ldap version-2.4.29 in the centos-6 and my problem is that i refered open ldap documentation but i didn't under stand "how to configure slapd" and i didn't find slapd.conf file in my centos-6.2 Actually i installed the open ldap in centos by using the command yum install openldap* and the out put as i have enclosed in to attachment 1, please find the attachment and guide me how to configure slapd after install in centos-6.2 And in /etc/openldap folder i found the files as in attachment 2 Thanks for advance and Please help me how to done the issue.

4 3

Re: daemon: bind(6) failed errno=98 (Address,already in use)
by stefano 22 Feb '12

22 Feb '12

thank you! there was a process: openldap 1797 0.0 0.3 23752 4004 ? Ssl 11:48 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf after kill it i restarted without problems. i increased the loglevel to "4" and tried another time to test the server: ldapsearch -x -W -D 'cn=Administrator,dc=amahoro,dc=bi' -b "" -s base with the next answer: ldap_bind: Invalid credentials (49) and then restarting server is failed. checking on syslog: Feb 22 12:06:40 debservbis slapd[1890]: connection_get(13) Feb 22 12:06:40 debservbis slapd[1890]: ==> hdb_bind: dn: cn=Administrator,dc=amahoro,dc=bi Feb 22 12:06:40 debservbis slapd[1890]: send_ldap_result: err=49 matched="" text="" Feb 22 12:06:40 debservbis slapd[1890]: connection_get(13) killed another time the openldap process. restarting is ok. trying to change the password with ldappasswd the answer is ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database on syslog: Feb 22 12:12:42 debservbis slapd[1958]: @(#) $OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39) $#012#011buildd@murphy:/build/buildd-openldap_2.4.23-7.2-i386-Y1mwvF/openldap-2.4.23/debian/build/servers/slapd Feb 22 12:12:42 debservbis slapd[1958]: daemon: bind(8) failed errno=98 (Address already in use) Feb 22 12:12:42 debservbis slapd[1958]: daemon: bind(8) failed errno=98 (Address already in use) Feb 22 12:12:42 debservbis slapd[1958]: slapd stopped. Feb 22 12:12:42 debservbis slapd[1958]: connections_destroy: nothing to destroy. and restarting failed. mmmmmmmmmmmm!

1 1

TIME_WAIT
by arun.sasi1＠wipro.com 22 Feb '12

22 Feb '12

Hello Team, I have a problem with my LDAP server. There are many TIME_WAIT connections (more than 5000). MinimumConnectionsInPool=1 MaximumConnectionsInpool=20 Thanks & Regards, Arun Sasi V ------------------------------------------------------------------------ ------------------------------------------------------------- Sr. Engineer - Server Management (UNIX), Wipro Infotech (GSMC) |Direct +918213029356 Mob: +919731031500 | E: arun.sasi1(a)wipro.com <mailto:koresh.dash@wipro.com> Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

1 0

Re: Howto implement RBAC with OU's and posixGroups
by Fred van Zwieten 22 Feb '12

22 Feb '12

*Hi Milan, I know RedHat's IPA server can do this, but that based on 389 Directory Server. Also, have a look here: http://www.mail-archive.com/sssd-devel@lists.fedorahosted.org/msg06902.html This guy succeeded, but with a combi of posixGroup and groupOfMembers. I'll try to see if I get you suggestion working, although I don't like to change the default schema too much. Ideally nss_ldap should give us more options in this regard. *Greetz, Fred <http://epsilon.eridani.nl> 2012/2/22 Ponjevic, Milan <Milan.Ponjevic(a)travelocity.com> > Hi Fred,**** > > ** ** > > Have you tried ‘hacking’ your schema, and change for example ‘STRUCTURAL’ > to ‘AUXILIARY’. In that case you would be able to specify both posixGroup > and groupOfMembers, or even use groupOfNames.**** > > ** ** > > Have a lok at this**** > > > http://serverfault.com/questions/224750/dn-based-linux-groups-from-ldap/226… > **** > > ** ** > > I am also struggling to understand what is the best way to implement this, > and I would really appreciate if somebody already done it, and can share > the idea.**** > > ** ** > > Regards**** > > ** ** > > ** ** > > ** ** > > *From:* openldap-technical-bounces(a)OpenLDAP.org [mailto: > openldap-technical-bounces(a)OpenLDAP.org] *On Behalf Of *Fred van Zwieten > *Sent:* 22 February 2012 11:00 > *To:* openldap-technical(a)openldap.org > *Subject:* Re: Howto implement RBAC with OU's and posixGroups**** > > ** ** > > Howard, > > So, what is the right way? Could you give me an example how to set this up > or give me a reference to a good source on this? > > Thank you! > > Greetz,**** > > ** ** > > Fred <http://epsilon.eridani.nl>**** > > > > **** > > 2012/2/22 Howard Chu <hyc(a)symas.com>**** > > Fred van Zwieten wrote:**** > > Hi llg, > > I fail to see how this solves my RBAC need. > > Let me give an example: > > Say, personA is in ou DeptA. Then, ideally personA would based on being in > this ou, become member of group webserver > > No, when I move personA to ou DeptB, this would mean that, on the next > login, > it looses it's membership to group Webserver, but now becomes member of ie > group mailservers > > This way, you implement security policies based on the role of a person.** > ** > > ** ** > > This is not the right way to implement roles. Generally DNs are intended > to be constant (though obviously they are allowed to change, changes should > be infrequent).**** > > > How could this ideally be done with OpenLDAP? > > Greetz,**** > > Fred <http://epsilon.eridani.nl> > > > > 2012/2/22 llg <llg(a)portaildulibre.fr <mailto:llg@portaildulibre.fr>>**** > > > > Hi, > persons should use inetOrgPerson and PosixAccount schemas : > gidNumber > gives primary group. > > Then define specific branch ou=posix based on PosixGroup schema and add > the uid of the person in memberUid multiple values attribute to specify > secondary gid. > > Regards > Llg > > Le 22/02/2012 10:22, Fred van Zwieten a écrit :**** > > Hi all, > > warning: openldap newbie.. > > is it possible to have a person put into an OU and, because of this, > will become member of some group in such a way that this group shows up > in linux using "id". This to implement some form of RBAC. I found > GroupofMembers, but that has nothing to do with OU's. Also, it seems > posixGroup and groupOfMembers objecttypes are no longer allowed together > because the are both STRUCTURAL. > > In AD this is possible. > > Greetz,**** > > Fred <http://epsilon.eridani.nl>**** > > ** ** > > > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/**** > > ** ** >

1 0

Howto implement RBAC with OU's and posixGroups
by Fred van Zwieten 22 Feb '12

22 Feb '12

Hi all, warning: openldap newbie.. is it possible to have a person put into an OU and, because of this, will become member of some group in such a way that this group shows up in linux using "id". This to implement some form of RBAC. I found GroupofMembers, but that has nothing to do with OU's. Also, it seems posixGroup and groupOfMembers objecttypes are no longer allowed together because the are both STRUCTURAL. In AD this is possible. Greetz, Fred <http://epsilon.eridani.nl>

4 5

← Newer
1
2
3
4
5
6
7
8
...
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2012