2.4.29 memberof: entry_encode: Assertion `i == a->a_numvals' failed.
by Colin Hudler
Greetings,
Haven't used OpenLDAP since 2.1; I see it has come a long way. I have a
few hundred static groups and am using the memberOf overlay. There's a
hundred thousand or so people entries and thousands of memberships. The
overlay is configured thusly:
# {0}memberof, {1}bdb, config
dn: olcOverlay={0}memberof,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: drop
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfMemberAD: uniqueMember
olcMemberOfMemberOfAD: isMemberOf
(I know a number of these attributes are not strictly correct -- a
legacy encumbrance)
When the replica starts a total update, it goes well for a while, then
stops right here every time:
4f450e2d syncrepl_entry: rid=004 be_search (0)
4f450e2d syncrepl_entry: rid=004
cn=uc:org:nsit:integration:techag,ou=groups,dc=uchicago,dc=edu
4f450e2d conn=-1 op=0:
memberof_op_add("cn=uc:org:nsit:integration:techag,ou=groups,dc=uchicago,dc=edu"):
member="uid=chudler,ou=people,dc=uchicago,dc=edu" does not exist
(stripping...)
slapd: entry.c:773: entry_encode: Assertion `i == a->a_numvals' failed.
The member ("uid=chudler") does exist in the master, I can find it with
ldapsearch. I believe it does not yet exist in the replica. I'd like for
total replication to succeed without doing an initial slapcat. Has
anyone encountered this before? I am happy to debug if you need more
information.
Version 2.4.29, also using the refint overlay if that matters.
11 years, 9 months
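Added example, not from the original post and not OpenLDAP code: a small Python reimplementation of what slapo-memberof does with a group's member values on a fresh add, under the three olcMemberOfDangling policies (ignore, drop, error), using the attribute names from the configuration above (groupOfUniqueNames / uniqueMember / isMemberOf). The LDIF input and every DN are constructed and hypothetical, and the DN normalization is a simplification of LDAP DN matching rules, not the server's.

```python
"""Added example: what slapo-memberof does with dangling member values.

Not OpenLDAP code. Reimplements the memberOf computation for a fresh add under
the three olcMemberOfDangling policies (ignore, drop, error) using the attribute
names from the configuration above. The LDIF and every DN are constructed;
DN normalization is a simplification of LDAP DN matching rules.
"""
from collections import defaultdict

# Constructed sample: two people and two groups, one uniqueMember pointing at
# an entry that does not exist (uid=carol).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=web-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=carol,ou=people,dc=example,dc=com

dn: cn=mail-admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=Alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com
"""


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN key (simplified; no escaping handled)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, '#' comments,
    folded lines (leading space). No base64 ('::') or URL (':<') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (normalize_dn(value), defaultdict(list))
        elif current is not None:
            current[1][attr].append(value)
    return entries


def apply_memberof(entries, group_oc="groupofuniquenames", member_ad="uniquemember",
                   memberof_ad="ismemberof", dangling="ignore"):
    """Return (entries_by_dn, stripped).

    entries_by_dn maps normalized DN -> attributes after the policy is applied;
    stripped lists (group_dn, member_value) pairs removed under dangling='drop'.
    """
    if dangling not in ("ignore", "drop", "error"):
        raise ValueError("dangling must be ignore, drop or error")
    by_dn = {dn: attrs for dn, attrs in entries}
    stripped = []
    for dn, attrs in entries:
        if group_oc not in {oc.lower() for oc in attrs.get("objectclass", [])}:
            continue
        kept = []
        for member in attrs.get(member_ad, []):
            target = by_dn.get(normalize_dn(member))
            if target is None:  # dangling reference
                if dangling == "error":
                    raise ValueError(f"{dn}: {member_ad}={member} does not exist")
                if dangling == "drop":
                    stripped.append((dn, member))  # value removed from the group
                    continue
                kept.append(member)  # ignore: keep the value, generate no memberOf
                continue
            kept.append(member)
            target[memberof_ad].append(dn)
        attrs[member_ad] = kept
    return by_dn, stripped


if __name__ == "__main__":
    for policy in ("ignore", "drop"):
        by_dn, stripped = apply_memberof(parse_ldif(SAMPLE_LDIF), dangling=policy)
        print(policy, "stripped:", stripped)
        for dn, attrs in by_dn.items():
            if attrs.get("ismemberof"):
                print(" ", dn, "->", attrs["ismemberof"])
```

With dangling=drop the unresolved uniqueMember value is removed from the group rather than failing the add, which is what the "does not exist (stripping...)" line in the log above reports; with error the add is rejected, and with ignore the value stays but nobody gets an isMemberOf from it. The example resolves members only against entries present in its input, which is also the situation on a consumer during a total refresh: a member whose entry has not yet arrived is dangling at the moment the group is added.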
Re: daemon: bind(6) failed errno=98 (Address,already in use)
by Marc Patermann
stefano,
stefano wrote (23.02.2012 10:40):
> STATE "B": slapd is stopped. Run "/etc/init.d/slapd start" ---> it works.
> Checking the PID with "pgrep slapd" ---> 2237. Stopping slapd with
> "/etc/init.d/slapd stop" ---> slapd is stopped. pgrep slapd ---> 2237 (the
> process is still active). Starting slapd with "/etc/init.d/slapd start"
> ---> failed.
>
> Why doesn't stopping slapd with "/etc/init.d/slapd stop" free the PID?
This is out of scope of this mailing list.
Check with your distribution "support".
Marc
11 years, 9 months
LDAP guide, manuals
by stefano
Hi,
I am searching for documentation, guides and manuals about LDAP. Online there
are many different things. Where can I find a complete and reliable guide
about LDAP on Linux to understand everything?
thank you
11 years, 9 months
daemon: bind(6) failed errno=98 (Address,already in use)
by stefano
Hi folks,
I don't understand a small problem with my LDAP server.
I installed and configured my LDAP server. After configuring
slapd.conf, restarting the server was OK.
Then I prepared the client with ldap.conf:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
URI ldap://localhost
BASE dc=amahoro,dc=bi
BINDDN cn=Administrator,dc=amahoro,dc=bi
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
and tried to test the server:
ldapsearch -x -W -D 'cn=Administrator,dc=amahoro,dc=bi' -b "" -s base
and it asks me
Enter LDAP Password.
I typed the password I was asked for during the LDAP installation, without success.
I tried to change it with
ldappasswd
It asked me for the password; I typed the same password, but the answer is
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database.
I tried to comment out everything in ldap.conf and restart the LDAP server,
but it failed.
Checking in syslog, the error is
daemon: bind(6) failed errno=98 (Address already in use)
Do you have any idea how to resolve this problem?
thank you
11 years, 9 months
Join my network on LinkedIn
by Nathaniel Simch de Morais via LinkedIn
LinkedIn
------------
Nathaniel Simch de Morais requested to add you as a connection on LinkedIn:
------------------------------------------
I'd like to add you to my professional network on LinkedIn.
Accept invitation from Nathaniel Simch de Morais
http://www.linkedin.com/e/-48cabe-gyyo5kj5-2j/IxIpDd2wsdsod7c6kW2TzgvFvx5...
View invitation from Nathaniel Simch de Morais
http://www.linkedin.com/e/-48cabe-gyyo5kj5-2j/IxIpDd2wsdsod7c6kW2TzgvFvx5...
------------------------------------------
Why might connecting with Nathaniel Simch de Morais be a good idea?
Nathaniel Simch de Morais's connections could be useful to you:
After accepting Nathaniel Simch de Morais's invitation, check Nathaniel Simch de Morais's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
--
(c) 2012, LinkedIn Corporation
11 years, 9 months
request for brief documentation
by tirumala chenchala
Dear team,
This is Tirumala Rao, working as a system administrator at Infronics Systems Ltd. I want to configure the OpenLDAP server in my office and I have chosen OpenLDAP version 2.4.29 on CentOS 6. My problem is that I referred to the OpenLDAP documentation but I didn't understand how to configure slapd, and I didn't find the slapd.conf file on my CentOS 6.2.
Actually I installed OpenLDAP on CentOS by using the command yum install openldap*
and the output is as I have enclosed in attachment 1; please find the attachment and guide me on how to configure slapd after installing on CentOS 6.2.
And in the /etc/openldap folder I found the files as in attachment 2.
Thanks in advance, and please help me with how to resolve the issue.
11 years, 9 months
Re: daemon: bind(6) failed errno=98 (Address,already in use)
by stefano
Thank you!
There was a process:
openldap 1797 0.0 0.3 23752 4004 ? Ssl 11:48 0:00
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -f
/etc/ldap/slapd.conf
After killing it I restarted without problems.
I increased the loglevel to "4" and tried again to test the server:
ldapsearch -x -W -D 'cn=Administrator,dc=amahoro,dc=bi' -b "" -s base
with the following answer:
ldap_bind: Invalid credentials (49)
and then restarting the server failed.
Checking syslog:
Feb 22 12:06:40 debservbis slapd[1890]: connection_get(13)
Feb 22 12:06:40 debservbis slapd[1890]: ==> hdb_bind: dn:
cn=Administrator,dc=amahoro,dc=bi
Feb 22 12:06:40 debservbis slapd[1890]: send_ldap_result: err=49
matched="" text=""
Feb 22 12:06:40 debservbis slapd[1890]: connection_get(13)
Killed the openldap process again; restarting is OK.
Trying to change the password with ldappasswd, the answer is
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
In syslog:
Feb 22 12:12:42 debservbis slapd[1958]: @(#) $OpenLDAP: slapd 2.4.23
(Jun 16 2011 02:53:39)
$#012#011buildd@murphy:/build/buildd-openldap_2.4.23-7.2-i386-Y1mwvF/openldap-2.4.23/debian/build/servers/slapd
Feb 22 12:12:42 debservbis slapd[1958]: daemon: bind(8) failed errno=98
(Address already in use)
Feb 22 12:12:42 debservbis slapd[1958]: daemon: bind(8) failed errno=98
(Address already in use)
Feb 22 12:12:42 debservbis slapd[1958]: slapd stopped.
Feb 22 12:12:42 debservbis slapd[1958]: connections_destroy: nothing to
destroy.
and restarting failed.
mmmmmmmmmmmm!
11 years, 9 months
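Added example, not the poster's commands and not OpenLDAP tooling: a Python diagnostic for the "Address already in use" failure in this thread. It parses the output of `ss -H -ltnp` to find which PID still owns the LDAP port and compares that with what the pidfile claims, because a stop that cannot find the listener's PID leaves the old slapd running and the next start fails in bind(). The ss output, the PIDs and the pidfile path are constructed, hypothetical sample data; no live ss call is made.

```python
"""Added example: why `slapd start` reports bind() errno=98 (Address already in use).

Not OpenLDAP's own tooling. Parses `ss -H -ltnp` output (constructed sample
below, no live call) to find which PID owns the LDAP port and compares it with
the pidfile the init script relies on. PIDs and the pidfile path are hypothetical.
"""
import os
import re

PID_RE = re.compile(r"pid=(\d+)")
LINUX_PID_MAX = 4194304  # upper bound of /proc/sys/kernel/pid_max on Linux

# Constructed sample: field layout of `ss -H -ltnp` (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:389 0.0.0.0:* users:(("slapd",pid=1797,fd=6))
LISTEN 0 128 [::]:389 [::]:* users:(("slapd",pid=1797,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
"""


def listeners_on_port(ss_output, port):
    """Return the set of PIDs holding a LISTEN socket on `port` (IPv4 or IPv6)."""
    pids = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        if fields[3].rsplit(":", 1)[-1] != str(port):
            continue
        pids.update(int(p) for p in PID_RE.findall(fields[5]))
    return pids


def process_alive(pid):
    """kill(pid, 0) sends no signal; it only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def pidfile_state(contents, alive=process_alive):
    """Classify pidfile contents: 'missing', 'invalid', 'stale' or 'live'."""
    if contents is None:
        return "missing"
    text = contents.strip()
    if not text.isdigit() or int(text) == 0 or int(text) > LINUX_PID_MAX:
        return "invalid"  # pid 0 would address the whole process group
    return "live" if alive(int(text)) else "stale"


def read_pidfile(path):
    """Contents of the pidfile, or None when it does not exist."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def diagnose(ss_output, port, pidfile_contents, alive=process_alive):
    """Explain a failed start: who holds the port, and does the pidfile know about it?"""
    owners = listeners_on_port(ss_output, port)
    state = pidfile_state(pidfile_contents, alive)
    if not owners:
        return "free"  # nothing bound; bind() should succeed
    recorded = int(pidfile_contents.strip()) if state in ("live", "stale") else None
    if recorded in owners:
        return "held-by-pidfile-process"  # stop did not terminate the recorded PID
    return "held-by-untracked-process"  # listener unknown to the pidfile; stop cannot find it


if __name__ == "__main__":
    pidfile = "/var/run/slapd/slapd.pid"  # hypothetical path
    print(diagnose(SAMPLE_SS, 389, read_pidfile(pidfile)))
```

On a real host, feed `diagnose()` the output of `ss -H -ltnp` and the contents of the pidfile the init script uses; "held-by-untracked-process" is the case this thread shows, where pgrep still finds a slapd after stop and the only remedy was killing it by hand.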
TIME_WAIT
by arun.sasi1@wipro.com
Hello Team,
I have a problem with my LDAP server.
There are many TIME_WAIT connections (more than 5000).
MinimumConnectionsInPool=1
MaximumConnectionsInpool=20
Thanks & Regards,
Arun Sasi V
------------------------------------------------------------------------
-------------------------------------------------------------
Sr. Engineer - Server Management (UNIX),
Wipro Infotech (GSMC) | Direct +918213029356 Mob: +919731031500 | E:
arun.sasi1(a)wipro.com
11 years, 9 months
Re: Howto implement RBAC with OU's and posixGroups
by Fred van Zwieten
Hi Milan,
I know RedHat's IPA server can do this, but that is based on 389 Directory
Server. Also, have a look here:
http://www.mail-archive.com/sssd-devel@lists.fedorahosted.org/msg06902.html
This guy succeeded, but with a combination of posixGroup and groupOfMembers. I'll
try to see if I get your suggestion working, although I don't like to change
the default schema too much.
Ideally nss_ldap should give us more options in this regard.
Greetz,
Fred <http://epsilon.eridani.nl>
2012/2/22 Ponjevic, Milan <Milan.Ponjevic(a)travelocity.com>
> Hi Fred,
>
> Have you tried 'hacking' your schema, and changing for example 'STRUCTURAL'
> to 'AUXILIARY'? In that case you would be able to specify both posixGroup
> and groupOfMembers, or even use groupOfNames.
>
> Have a look at this:
> http://serverfault.com/questions/224750/dn-based-linux-groups-from-ldap/2...
>
> I am also struggling to understand what is the best way to implement this,
> and I would really appreciate it if somebody has already done it and can share
> the idea.
>
> Regards
>
> From: openldap-technical-bounces(a)OpenLDAP.org [mailto:
> openldap-technical-bounces(a)OpenLDAP.org] On Behalf Of Fred van Zwieten
> Sent: 22 February 2012 11:00
> To: openldap-technical(a)openldap.org
> Subject: Re: Howto implement RBAC with OU's and posixGroups
>
> Howard,
>
> So, what is the right way? Could you give me an example how to set this up
> or give me a reference to a good source on this?
>
> Thank you!
>
> Greetz,
>
> Fred <http://epsilon.eridani.nl>
>
> 2012/2/22 Howard Chu <hyc(a)symas.com>
>
> Fred van Zwieten wrote:
>
> Hi llg,
>
> I fail to see how this solves my RBAC need.
>
> Let me give an example:
>
> Say, personA is in ou DeptA. Then, ideally personA would, based on being in
> this ou, become member of group webserver.
>
> Now, when I move personA to ou DeptB, this would mean that, on the next
> login, it loses its membership of group Webserver, but now becomes member of,
> e.g., group mailservers.
>
> This way, you implement security policies based on the role of a person.
>
> This is not the right way to implement roles. Generally DNs are intended
> to be constant (though obviously they are allowed to change, changes should
> be infrequent).
>
> How could this ideally be done with OpenLDAP?
>
> Greetz,
>
> Fred <http://epsilon.eridani.nl>
>
> 2012/2/22 llg <llg(a)portaildulibre.fr <mailto:llg@portaildulibre.fr>>
>
> Hi,
> persons should use inetOrgPerson and PosixAccount schemas: gidNumber
> gives primary group.
>
> Then define specific branch ou=posix based on PosixGroup schema and add
> the uid of the person in memberUid multiple values attribute to specify
> secondary gid.
>
> Regards
> Llg
>
> On 22/02/2012 10:22, Fred van Zwieten wrote:
>
> Hi all,
>
> warning: openldap newbie..
>
> is it possible to have a person put into an OU and, because of this,
> will become member of some group in such a way that this group shows up
> in linux using "id"? This to implement some form of RBAC. I found
> GroupofMembers, but that has nothing to do with OU's. Also, it seems
> posixGroup and groupOfMembers objecttypes are no longer allowed together
> because they are both STRUCTURAL.
>
> In AD this is possible.
>
> Greetz,
>
> Fred <http://epsilon.eridani.nl>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 9 months
Howto implement RBAC with OU's and posixGroups
by Fred van Zwieten
Hi all,
warning: openldap newbie..
is it possible to have a person put into an OU and, because of this, will
become member of some group in such a way that this group shows up in linux
using "id"? This to implement some form of RBAC. I found GroupofMembers,
but that has nothing to do with OU's. Also, it seems posixGroup and
groupOfMembers objecttypes are no longer allowed together because they are
both STRUCTURAL.
In AD this is possible.
Greetz,
Fred <http://epsilon.eridani.nl>
11 years, 9 months