openldap-technical February 2012

openldap-technical@openldap.org

98 participants
113 discussions

adding new databases and olc*dbconfig must attributes
by ben thielsen 21 Feb '12

21 Feb '12

i was experimenting a bit with adding new databases to the config, and found that if the olcsuffix attribute was not provided, it would fail: >cat db.ldif dn: olcDatabase=hdb,cn=config changetype: add objectClass: olcHdbConfig olcDatabase: hdb olcDbDirectory: /var/lib/ldap/example.org >ldapadd -xWZZH 'ldap://dsa.example.com/' -D 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com' -f db.ldif Enter LDAP Password: adding new entry "olcDatabase=hdb,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcDbDirectory> failed startup >tail -F slapd.log Feb 21 19:39:41 flip slapd[19134]: conn=1535 fd=64 ACCEPT from IP=192.168.1.1:36891 (IP=0.0.0.0:389) Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 STARTTLS Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 RESULT oid= err=0 text= Feb 21 19:39:41 flip slapd[19134]: conn=1535 fd=64 TLS established tls_ssf=128 ssf=128 Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" method=128 Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" mech=SIMPLE ssf=0 Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 RESULT tag=97 err=0 text= Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=2 ADD dn="olcDatabase=hdb,cn=config" Feb 21 19:39:43 flip slapd[19134]: hdb_db_open: need suffix. Feb 21 19:39:43 flip slapd[19134]: backend_startup_one (type=hdb, suffix="(null)"): bi_db_open failed! (-1) Feb 21 19:39:43 flip slapd[19134]: olcDbDirectory: value #0: <olcDbDirectory> failed startup (0?:?X#024c?/ldap/example.org)! Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=2 RESULT tag=105 err=80 text=<olcDbDirectory> failed startup Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=3 UNBIND Feb 21 19:39:43 flip slapd[19134]: conn=1535 fd=64 closed providing an olcSuffix attribute in the ldif allowed the new database to be added without error: >ldapadd -xWZZH 'ldap://dsa.example.com/' -D 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com' -f db.ldif Enter LDAP Password: adding new entry "olcDatabase=hdb,cn=config" >tail -F slapd.log Feb 21 19:43:21 flip slapd[19134]: conn=1537 fd=44 ACCEPT from IP=192.168.1.1:36900 (IP=0.0.0.0:389) Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 STARTTLS Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 RESULT oid= err=0 text= Feb 21 19:43:21 flip slapd[19134]: conn=1537 fd=44 TLS established tls_ssf=128 ssf=128 Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" method=128 Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" mech=SIMPLE ssf=0 Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 RESULT tag=97 err=0 text= Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=2 ADD dn="olcDatabase=hdb,cn=config" Feb 21 19:43:24 flip slapd[19134]: conn=1537 op=2 RESULT tag=105 err=0 text= Feb 21 19:43:24 flip slapd[19134]: conn=1537 op=3 UNBIND this behavior wasn't really all that surprising to me, as i don't really know in what capacity there might be a database without a suffix defined, even if it were just "", but what i am curious about is the schema definition for the olcHdbConfig object class. the best i can tell, only olcDatabase and olcDbDirectory are MUST attributes, while olcSuffix is not: >ldapsearch -xH 'ldap://dsa.example.com/' -s base -b 'cn=subschema' '*' '+' | grep -iFA 5 "NAME 'olcHdbConfig'" objectClasses: ( 1.3.6.1.4.1.4203.1.12.2.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbCryptFile $ olcDb CryptKey $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ ol cDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree $ olcDbDNcacheSize $ olcDbPageSize ) ) >ldapsearch -xH 'ldap://dsa.example.com/' -s base -b 'cn=subschema' '*' '+' | grep -iFA 7 "NAME 'olcDatabaseConfig'" objectClasses: ( 1.3.6.1.4.1.4203.1.12.2.4.0.4 NAME 'olcDatabaseConfig' DESC ' OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcHidden $ olcSuffix $ olcSubordinate $ olcAccess $ olcAddContentAcl $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcRe plica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ olc ReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ olcTimeLimi t $ olcUpdateDN $ olcUpdateRef $ olcMirrorMode $ olcMonitoring ) ) why is olcSuffix not a MUST attribute if the database can't be added without it? are there cases different than my exercise where a database might be added without the need for a suffix? it's not anything that's causing an insurmountable hurdle, just mostly curious if this was intended. -ben

2 1

Re: slapd.conf & ldap.conf - Re: LDAP guide, manuals
by stefano 21 Feb '12

21 Feb '12

thanks! i downloaded Mastering OpenLDAP. i will follow it hope to improve competence thanks

1 0

Issue with using ldap replace with memberof−dangling set as error.
by Vikram 20 Feb '12

20 Feb '12

Hi, I'm working on writing an custom authorization app on top of openldap. I am currently using openldap version 2.4.26, and using the c api to interact with it. I am trying to use the memberof overlay with memberof−dangling set to error and memberof−refint set to true. I noticed a weird issue which happens here. Steps: 1. I add a group with one/zero members who is present in the system. 2. I update the group with one or more non existent users using ldap_modify_ext with mod_op as LDAP_MOD_REPLACE. In this case, ldap throws up the error 'send_ldap_result: err=19 matched="" text="adding non-existing object as group member" ' , but still goes ahead and adds the non existing member to the group even though the operation should fail. Note that in the "memberof−dangling drop" case the non existent users are not added, though no error is thrown. This seems to be working as expected. Also doing ldap_modify_ext with LDAP_MOD_ADD works as expected too, where the same error this thrown but users are not added. Am I missing something? My slapd.conf has the following relevant configurations: overlay memberof memberof-group-oc customGroup memberof-dangling error memberof-refint true Thanks, Vikram [Reposting as I do not see my first attempt in the archives]

1 0

slapd.conf & ldap.conf
by stefano 20 Feb '12

20 Feb '12

hi, i need help about ldap configuration, please. i configured slapd.conf like this: /include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_hdb sizelimit 500 backend hdb database hdb suffix "dc=amahoro,dc=bi" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on checkpoint 512 30 / andldap.conf like this: /# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=amahoro,dc=bi URI ldap://192.168.5.4 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never/ but running ldapsearch the answer is /ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)/ what is wrong? thanks

2 3

Ldap users "not seen" by application
by teoman.onay＠degroof.be 20 Feb '12

20 Feb '12

Hi, I hope i'm in the right place to ask my question... I use openldap for user authentication on linux servers. Everything seems ok except for scheduled jobs. We use a software to launch processes based on event or schedule. An agent is installed on every servers. Unfortunately it doesn't "see" the users from the ldap. When it tries to launch the process it fails with an error like the user doesn't exists. The workaround is to create a local user but i'd prefer to use an ldap one. Do you know how i could solve that ? Tkx Teo P before printing this email, think about the environment. ******************************************************************************* This e-mail is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged information. Any copying, disclosure, distribution or other use of the content of this e-mail by persons or entities other than the intended recipient is prohibited. Please contact immediately the sender if you have received this e-mail in error and delete it from all locations of your computer. The company on behalf of which the present e-mail is sent is validly committed only if the rules on the delegation of powers, as set out in the appropriate documents, have been complied with. Furthermore, due to the risks inherent to the use of the Internet, the company is not liable for the content of this e-mail if altered, changed or falsified. *******************************************************************************

2 3

Re: circularly MMR Replication ?
by Meike Stone 19 Feb '12

19 Feb '12

> If you've got 5 hosts, Each host should connect to 3 other hosts for a mesh > network wherein any node can fail and the others remain online without > requiring every host be connected to every other host. Ok, But what is a/the recommended replication setup? It depends on the requirements if availability but also on the bandwidth between the loaction, hardware. If I configure such setup, it is much more complex like a circle. The hardware and bandwidth using for each server increases a lot. We also want use one load balancer (one vrrp pair) in each location. So each master has additionally a few ro slaves! The application separates write and read access to two vips on the load balancer. If the load balancer can't reach the local master, all further request (ro and rw) are directed to the closest remote location and LDAP-Servers. I also saw the last mail from Howard in the openldap-devel ml regarding "ITS#7052" and ITS#6024. So I'm absolutely unsure, what I should configure! Are there recommendations or practical experiences? > If any one host > should be considdered a true master, you're better off with a standard star > topology where all updates go to the master. You mean "If only one host ..."? then I understand this recommendation Thanks Meike

2 2

Changing schema OID values in cn=config
by Nick Milas 17 Feb '12

17 Feb '12

Hello, In my config there is: DN: cn={5}postfix,cn=schema,cn=config objectClass: olcSchemaConfig cn: {5}postfix olcAttributeTypes: {0}( 1.3.6.1.4.1.25260.1.000 NAME 'mailacceptinggeneralid' DESC 'Defines an address that we accept mail for' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' DESC 'Defines the address mail goes to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {2}( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser' DESC 'Defines if this user accepts mail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {3}( 1.3.6.1.4.1.25260.1.003 NAME 'aliasInactive' DESC 'A flag, for marking the alias as not in use' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcObjectClasses: {0}( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount' DESC 'Holds mail info for a virtual account' STRUCTURAL MUST ( owner $ mailacceptinggeneralid $ maildrop $ cn ) MAY ( description $ aliasInactive ) ) olcObjectClasses: {1}( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' DESC 'Virtual account for holding mailing list info' STRUCTURAL MUST ( mailacceptinggeneralid $ maildrop $ cn ) MAY ( owner $ description $ aliasInactive ) ) olcObjectClasses: {2}( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' DESC 'Email account details' AUXILIARY MUST ( mailacceptinguser $ maildrop $ cn ) MAY ( mailacceptinggeneralid $ aliasInactive ) ) olcObjectClasses: {3}( 1.3.6.1.4.1.25260.1.1.105 NAME 'virtualbox' DESC 'Mailbox for system use' STRUCTURAL MUST ( owner $ mail $ uid $ cn ) MAY description ) When I try to change attribute OID value, for example: 1.3.6.1.4.1.25260.1.000 to 1.3.6.1.4.1.25260.1.0 (using a visual LDAP client) then the server hangs and will not restart. (I had to restore from backup and restart.) What is the recommended way to do this change? Thanks, Nick

4 14

Re: problems populating hdb
by stefano 16 Feb '12

16 Feb '12

now it's okay. i deleted with rm .../ldap/* and i added with slapadd the init.ldif. now i'va the corrects entries! thanks (for the moment, see you soon!) On 02/15/2012 04:54 PM, anax wrote: > Ciao Stefano > > your ldif file cannot be inserted into the DIT via slapadd, use > ldapadd ... > > your entries in dn: dc=nodomain may have been created when you > installed the ldap-server. > > you can find out what the naming-context of your DIT is by > ldapsearch -h localhost -x -b '' -s base objectclass=* namingContexts > > adjust the "-h localhost" parameter. > > suomi > > On 02/15/2012 04:28 PM, stefano wrote: >> Hi. >> >> i'm installing a ldap server on debian squeeze server. my goal is to >> assign to every users of different groups a username and password. >> my slapd.conf is: >> >> include /etc/ldap/schema/core.schema >> include /etc/ldap/schema/cosine.schema >> include /etc/ldap/schema/nis.schema >> include /etc/ldap/schema/inetorgperson.schema >> pidfile /var/run/slapd/slapd.pid >> argsfile /var/run/slapd/slapd.args >> loglevel none >> modulepath /usr/lib/ldap >> moduleload back_hdb >> sizelimit 500 >> >> backend hdb >> database hdb >> suffix "dc=pippo,dc=it" >> rootdn "cn=admin,dc=pippo,dc=it" >> rootpw {SSHA}ho2O8N4lyVnAIi6E/7kQrGl9U9iuGLbC >> directory "/var/lib/ldap" >> #index: definisce quali informazioni indicizzare per un accesso più >> veloce ai dati >> index objectClass eq >> #lastmod: richiede che il server memorizzi nel db le info relative >> all'ultima modifca di un oggetto >> lastmod on >> #checkpoint: frequenza con cui scarica su disco il registro delle >> transazioni >> checkpoint 512 30 >> #le impostazioni più sofisticate relative ai berkeleyDB si trovano nel >> file /var/lib/ldap/DB_CONFIG >> >> >> i created my first ldif file, init.ldif. i added the following >> information: >> >> dn: dc=pippo,dc=it >> objectClass: dcObject >> objectClass: organizationalUnit >> dc: pippo >> ou: pippo.it >> >> dn: o=Iuss,dc=pippo,dc=it >> objectClass: Organization >> o: Iuss >> >> dn: ou=Amministratori,o=Iuss,dc=pippo,dc=it >> objectClass: organizationalUnit >> ou: Amministratori >> >> dn: ou=Professori,o=Iuss,dc=pippo,dc=it >> objectClass: organizationalUnit >> ou: Professori >> >> dn: ou=Stud_Iuss,o=Iuss,dc=pippo,dc=it >> objectClass: organizationalUnit >> ou: Stud_Iuss >> >> dn: ou=Stud_Medicina,o=Iuss,dc=pippo,dc=it >> objectClass: organizationalUnit >> ou: Stud_Medicina >> >> dn: uid=stefano,ou=Amministratori,o=Iuss,dc=pippo,dc=it >> objectClass: inetOrgPerson >> uid: nome >> sn: cognome >> cn: nome cognome >> >> >> if i run >> >> slapadd -l init.ldif -b "dc=pippo","dc=it" >> >> i get the following result: >> >> => hdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair >> already exists (-30995) >> => hdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already >> exists (-30995) >> slapadd: could not add entry dn="dc=pippo,dc=it" (line=1): txn_aborted! >> DB_KEYEXIST: Key/data pair already exists (-30995) >> _### 16.07% eta none elapsed none spd 11.8 k/s >> >> then with: >> >> slapcat -b "dc=pippo","dc=it" >> >> i can see this: >> >> dn: dc=nodomain >> objectClass: top >> objectClass: dcObject >> objectClass: organization >> o: nodomain >> dc: nodomain >> structuralObjectClass: organization >> entryUUID: 805b9568-e687-1030-82d7-a7960b556dcd >> creatorsName: cn=admin,dc=nodomain >> createTimestamp: 20120208100040Z >> entryCSN: 20120208100040.557042Z#000000#000#000000 >> modifiersName: cn=admin,dc=nodomain >> modifyTimestamp: 20120208100040Z >> >> dn: cn=admin,dc=nodomain >> objectClass: simpleSecurityObject >> objectClass: organizationalRole >> cn: admin >> description: LDAP administrator >> userPassword:: e1NTSEF9ZVJjelJ0cS9UWWFiMDR2N3o5TUlvWHZaaDBESUNPZko= >> structuralObjectClass: organizationalRole >> entryUUID: 805c070a-e687-1030-82d8-a7960b556dcd >> creatorsName: cn=admin,dc=nodomain >> createTimestamp: 20120208100040Z >> entryCSN: 20120208100040.559953Z#000000#000#000000 >> modifiersName: cn=admin,dc=nodomain >> modifyTimestamp: 20120208100040Z >> >> dn: dc=pippo,dc=it >> objectClass: dcObject >> objectClass: organizationalUnit >> dc: pippo >> ou: pippo.it >> structuralObjectClass: organizationalUnit >> entryUUID: 90734578-e8ca-1030-8109-57345a76d294 >> creatorsName: >> createTimestamp: 20120211070546Z >> entryCSN: 20120211070546.162263Z#000000#000#000000 >> modifiersName: >> modifyTimestamp: 20120211070546Z >> >> why do i have the first error? >> why there are not the others informations about the tree? >> >> thanks >> >> stefano >

1 0

canonical way to force full refresh in 2.4.28 / n-way multimaster
by Aaron Bennett 16 Feb '12

16 Feb '12

Hi, I'm preparing to rollout 2.4.28 with n-way multimaster (in this case, it's really 2-way multimaster but could become more), and I'm looking to clarify what the exact canonical way to force a full refresh. Here's what I've come up with: By "full refresh" I mean, blow away whatever is on machine Y with whatever's on machine X. olcServerID: 1 ldaps://animal.clarku.edu olcServerID: 2 ldaps://zoot.clarku.edu olcSyncrepl: {0}rid=001 provider=ldaps://animal.clarku.edu binddn="DN OF REPLICATION USER" bindmethod=simple credentials=<PASSWORD> searchbase="dc=clarku,dc=edu" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=002 provider=ldaps://zoot.clarku.edu binddn="DN OF REPLICATION USER " bindmethod=simple credentials=<PASSWORD> searchbase="dc=clarku,dc=edu" type=refreshAndPersist retry="5 5 300 5" timeout=1 1. Stop slapd on zoot. 2. slapcat > ocrap-backup.ldif 3. rm -rf /var/lib/ldap/* on zoot 4. SLAPD_OPTIONS="-c \"rid=001,sid=001\"" /etc/init.d/slapd start Then wait and it will refresh. Is this correct? Is there some easier way? Is there a way to do it without the rm -rf ? After it's done, do I need to restart slapd again without the -c option? Thanks, and if I'm doing something stupid, I'm happy to look stupid in exchange for knowledge. :) --- Aaron Bennett Manager of Systems Administration Clark University ITS

2 1

Valid RDN or not ?
by Emmanuel Lécharny 16 Feb '12

16 Feb '12

Hi guys, I have read the RFC carefully, and still can't decide if such a RDN is valid : cn=test1+cn=test2 AFAICT, yes, but OpenLDAP reject the creation of an entry with such a RDN. I may have missed something in the 20+ RFCs and hundred of pages, is anyone able to tell me where in the RFC it's explicitely sad that it's not a valid RDN ? Many thanks ! PS : I can live with the fact that OpenLDAP reject such a RDN, it's not a big deal, I just want to be sure that the LDAP API we are working on should accept or not such a RDN. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com

1 1

← Newer
1
2
3
4
5
6
7
8
9
...
12
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2012