adding new databases and olc*dbconfig must attributes
by ben thielsen
I was experimenting a bit with adding new databases to the config, and found that if the olcSuffix attribute was not provided, it would fail:
>cat db.ldif
dn: olcDatabase=hdb,cn=config
changetype: add
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap/example.org
>ldapadd -xWZZH 'ldap://dsa.example.com/' -D 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com' -f db.ldif
Enter LDAP Password:
adding new entry "olcDatabase=hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcDbDirectory> failed startup
>tail -F slapd.log
Feb 21 19:39:41 flip slapd[19134]: conn=1535 fd=64 ACCEPT from IP=192.168.1.1:36891 (IP=0.0.0.0:389)
Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 STARTTLS
Feb 21 19:39:41 flip slapd[19134]: conn=1535 op=0 RESULT oid= err=0 text=
Feb 21 19:39:41 flip slapd[19134]: conn=1535 fd=64 TLS established tls_ssf=128 ssf=128
Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" method=128
Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" mech=SIMPLE ssf=0
Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=1 RESULT tag=97 err=0 text=
Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=2 ADD dn="olcDatabase=hdb,cn=config"
Feb 21 19:39:43 flip slapd[19134]: hdb_db_open: need suffix.
Feb 21 19:39:43 flip slapd[19134]: backend_startup_one (type=hdb, suffix="(null)"): bi_db_open failed! (-1)
Feb 21 19:39:43 flip slapd[19134]: olcDbDirectory: value #0: <olcDbDirectory> failed startup (0?:?X#024c?/ldap/example.org)!
Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=2 RESULT tag=105 err=80 text=<olcDbDirectory> failed startup
Feb 21 19:39:43 flip slapd[19134]: conn=1535 op=3 UNBIND
Feb 21 19:39:43 flip slapd[19134]: conn=1535 fd=64 closed
providing an olcSuffix attribute in the ldif allowed the new database to be added without error:
>ldapadd -xWZZH 'ldap://dsa.example.com/' -D 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com' -f db.ldif
Enter LDAP Password:
adding new entry "olcDatabase=hdb,cn=config"
>tail -F slapd.log
Feb 21 19:43:21 flip slapd[19134]: conn=1537 fd=44 ACCEPT from IP=192.168.1.1:36900 (IP=0.0.0.0:389)
Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 STARTTLS
Feb 21 19:43:21 flip slapd[19134]: conn=1537 op=0 RESULT oid= err=0 text=
Feb 21 19:43:21 flip slapd[19134]: conn=1537 fd=44 TLS established tls_ssf=128 ssf=128
Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" method=128
Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com" mech=SIMPLE ssf=0
Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=1 RESULT tag=97 err=0 text=
Feb 21 19:43:23 flip slapd[19134]: conn=1537 op=2 ADD dn="olcDatabase=hdb,cn=config"
Feb 21 19:43:24 flip slapd[19134]: conn=1537 op=2 RESULT tag=105 err=0 text=
Feb 21 19:43:24 flip slapd[19134]: conn=1537 op=3 UNBIND
This behavior wasn't really all that surprising to me, as I don't really know in what capacity there might be a database without a suffix defined, even if it were just "", but what I am curious about is the schema definition for the olcHdbConfig object class. The best I can tell, only olcDatabase and olcDbDirectory are MUST attributes, while olcSuffix is not:
>ldapsearch -xH 'ldap://dsa.example.com/' -s base -b 'cn=subschema' '*' '+' | grep -iFA 5 "NAME 'olcHdbConfig'"
objectClasses: ( 1.3.6.1.4.1.4203.1.12.2.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbCryptFile $ olcDbCryptKey $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree $ olcDbDNcacheSize $ olcDbPageSize ) )
>ldapsearch -xH 'ldap://dsa.example.com/' -s base -b 'cn=subschema' '*' '+' | grep -iFA 7 "NAME 'olcDatabaseConfig'"
objectClasses: ( 1.3.6.1.4.1.4203.1.12.2.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcHidden $ olcSuffix $ olcSubordinate $ olcAccess $ olcAddContentAcl $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplicationInterval $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncUseSubentry $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN $ olcUpdateRef $ olcMirrorMode $ olcMonitoring ) )
Why is olcSuffix not a MUST attribute if the database can't be added without it? Are there cases different from my exercise where a database might be added without the need for a suffix? It's not anything that's causing an insurmountable hurdle, I'm just mostly curious if this was intended.
-ben
11 years, 9 months
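The schema side of the question can be checked mechanically. The script below is added here and is not part of Ben's post: it parses the two objectClass definitions quoted above (MAY lists shortened; olcConfig is not printed in the post and is left unresolved), unions MUST and MAY over the SUP chain, and checks db.ldif against the result. The entry passes the schema check, which matches the log: the rejection comes from back-hdb's startup ("hdb_db_open: need suffix"), not from schema checking.

```python
import re
# Subschema definitions copied from the post (MAY lists shortened to keep
# the example small; olcConfig is not printed there and is left unresolved).
SUBSCHEMA_DEFS = [
    "( 1.3.6.1.4.1.4203.1.12.2.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend "
    "configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory "
    "MAY ( olcDbCacheSize $ olcDbIndex $ olcDbMode ) )",
    "( 1.3.6.1.4.1.4203.1.12.2.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP "
    "Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase "
    "MAY ( olcHidden $ olcSuffix $ olcRootDN $ olcRootPW ) )",
]

def _oidlist(defn, keyword):
    """Names after KEYWORD: either a bare name or a '( a $ b )' group."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|([\w-]+))" % keyword, defn)
    if not m:
        return []
    if m.group(1) is not None:
        return [t.strip() for t in m.group(1).split("$") if t.strip()]
    return [m.group(2)]

def parse_objectclass(defn):
    name = re.search(r"NAME\s+'([^']+)'", defn).group(1)
    return {"name": name, "sup": _oidlist(defn, "SUP"),
            "must": _oidlist(defn, "MUST"), "may": _oidlist(defn, "MAY")}

SCHEMA = {oc["name"].lower(): oc for oc in map(parse_objectclass, SUBSCHEMA_DEFS)}
def effective_must_may(oc_name):
    """Union MUST and MAY over the SUP chain (names lowercased)."""
    must, may, todo, seen = set(), set(), [oc_name.lower()], set()
    while todo:
        n = todo.pop()
        if n in seen or n not in SCHEMA:   # unknown SUP (olcConfig) is skipped
            continue
        seen.add(n)
        must.update(a.lower() for a in SCHEMA[n]["must"])
        may.update(a.lower() for a in SCHEMA[n]["may"])
        todo.extend(s.lower() for s in SCHEMA[n]["sup"])
    return must, may

def parse_ldif_entry(text):
    """Minimal LDIF reader: one 'attr: value' per line, keys lowercased."""
    attrs = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs

def missing_must(entry):
    """MUST attributes the entry lacks; [] means the schema check passes."""
    must = set()
    for oc in entry.get("objectclass", []):
        must |= effective_must_may(oc)[0]
    return sorted(a for a in must if a not in entry)

# The db.ldif from the post: schema-valid, yet back-hdb still needs a suffix.
DB_LDIF = """dn: olcDatabase=hdb,cn=config
changetype: add
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap/example.org
"""
```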
Issue with using ldap replace with memberof-dangling set as error.
by Vikram
Hi,
I'm working on writing a custom authorization app on top of OpenLDAP. I am currently using OpenLDAP version 2.4.26, and using the C API to interact with it. I am trying to use the memberof overlay with memberof-dangling set to error and memberof-refint set to true. I noticed a weird issue which happens here.
Steps:
1. I add a group with one/zero members who are present in the system.
2. I update the group with one or more non-existent users using ldap_modify_ext with mod_op as LDAP_MOD_REPLACE. In this case, ldap throws up the error 'send_ldap_result: err=19 matched="" text="adding non-existing object as group member"', but still goes ahead and adds the non-existent member to the group even though the operation should fail.
Note that in the "memberof-dangling drop" case the non-existent users are not added, though no error is thrown. This seems to be working as expected.
Also doing ldap_modify_ext with LDAP_MOD_ADD works as expected too, where the same error is thrown but users are not added.
Am I missing something?
My slapd.conf has the following relevant configurations:
overlay memberof
memberof-group-oc customGroup
memberof-dangling error
memberof-refint true
Thanks,
Vikram
[Reposting as I do not see my first attempt in the archives]
11 years, 9 months
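To pin down what each mode should do, here is a small reference model of memberof-dangling for a modification of a group's member attribute, added as an illustration and not OpenLDAP code, following slapo-memberof(5): 'error' fails the operation with constraintViolation (the err=19 in the log line above) and leaves the group as it was, 'drop' silently discards dangling values, 'ignore' stores them. The user and group DNs are constructed; check_server_result compares what a server actually returned with the model, and the combination the post reports (err=19 together with the member stored) fails it.

```python
# Reference model of the memberof-dangling modes for one modify on a group's
# member attribute (added illustration, not OpenLDAP code).
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19                 # the err=19 in the post's log
LDAP_MOD_ADD, LDAP_MOD_DELETE, LDAP_MOD_REPLACE = 0, 1, 2   # as in <ldap.h>

def apply_member_mod(members, existing_dns, mod_op, values, dangling="ignore"):
    """Return (result_code, members_after) for one member modification.

    members: the group's current member DNs; existing_dns: DNs that exist in
    the directory; values: the DNs carried by the modification.
    'error' rejects the whole operation and leaves the group untouched,
    'drop' silently removes dangling values, 'ignore' stores them as-is.
    """
    existing = {d.lower() for d in existing_dns}
    if mod_op in (LDAP_MOD_ADD, LDAP_MOD_REPLACE):
        dangling_vals = [v for v in values if v.lower() not in existing]
        if dangling_vals and dangling == "error":
            return LDAP_CONSTRAINT_VIOLATION, list(members)
        if dangling == "drop":
            values = [v for v in values if v.lower() in existing]
    current = list(members)
    if mod_op == LDAP_MOD_ADD:
        have = {m.lower() for m in current}
        current += [v for v in values if v.lower() not in have]
    elif mod_op == LDAP_MOD_DELETE:
        gone = {v.lower() for v in values}
        current = [m for m in current if m.lower() not in gone]
    elif mod_op == LDAP_MOD_REPLACE:
        current = list(values)
    else:
        raise ValueError("unknown mod_op %r" % mod_op)
    return LDAP_SUCCESS, current

# Constructed directory: one real user and a group that already holds it.
USERS = ["uid=alice,ou=people,dc=example,dc=com"]
GROUP = ["uid=alice,ou=people,dc=example,dc=com"]
GHOST = "uid=nobody,ou=people,dc=example,dc=com"    # does not exist

def replace_with_ghost(dangling):
    """Step 2 of the post: LDAP_MOD_REPLACE of member with a non-existent DN."""
    return apply_member_mod(GROUP, USERS, LDAP_MOD_REPLACE, [USERS[0], GHOST], dangling)

def check_server_result(dangling, rc, members_after):
    """True when a server's (result, members) pair agrees with the model."""
    expect_rc, expect_members = replace_with_ghost(dangling)
    return (rc, sorted(m.lower() for m in members_after)) == \
           (expect_rc, sorted(m.lower() for m in expect_members))
```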
slapd.conf & ldap.conf
by stefano
Hi,
I need help about LDAP configuration, please.
I configured slapd.conf like this:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
backend hdb
database hdb
suffix "dc=amahoro,dc=bi"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
and ldap.conf like this:
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=amahoro,dc=bi
URI ldap://192.168.5.4
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
but running ldapsearch the answer is
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
What is wrong?
Thanks
11 years, 9 months
Ldap users "not seen" by application
by teoman.onay@degroof.be
Hi,
I hope I'm in the right place to ask my question... I use OpenLDAP for
user authentication on Linux servers. Everything seems OK except for
scheduled jobs. We use software to launch processes based on event or
schedule. An agent is installed on every server. Unfortunately it doesn't
"see" the users from the LDAP. When it tries to launch the process it
fails with an error like the user doesn't exist. The workaround is to
create a local user but I'd prefer to use an LDAP one. Do you know how I
could solve that?
Tkx
Teo
11 years, 9 months
Re: circularly MMR Replication ?
by Meike Stone
> If you've got 5 hosts, Each host should connect to 3 other hosts for a mesh
> network wherein any node can fail and the others remain online without
> requiring every host be connected to every other host.
Ok, But what is a/the recommended replication setup?
It depends on the requirements of availability but also on the bandwidth
between the locations, hardware.
If I configure such a setup, it is much more complex than a circle. The
hardware and bandwidth used for each
server increase a lot.
We also want to use one load balancer (one VRRP pair) in each location.
So each master has additionally a few ro slaves!
The application separates write and read access to two vips on the
load balancer.
If the load balancer can't reach the local master, all further requests
(ro and rw) are directed to
the closest remote location and LDAP servers.
I also saw the last mail from Howard in the openldap-devel ml
regarding "ITS#7052" and ITS#6024.
So I'm absolutely unsure, what I should configure! Are there
recommendations or practical experiences?
> If any one host
> should be considered a true master, you're better off with a standard star
> topology where all updates go to the master.
You mean "If only one host ..."? Then I understand this recommendation.
Thanks Meike
11 years, 9 months
Changing schema OID values in cn=config
by Nick Milas
Hello,
In my config there is:
DN: cn={5}postfix,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}postfix
olcAttributeTypes: {0}( 1.3.6.1.4.1.25260.1.000 NAME
'mailacceptinggeneralid' DESC 'Defines an address that we accept mail
for' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' DESC
'Defines the address mail goes to' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser'
DESC 'Defines if this user accepts mail' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.25260.1.003 NAME 'aliasInactive'
DESC 'A flag, for marking the alias as not in use' EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount'
DESC 'Holds mail info for a virtual account' STRUCTURAL MUST ( owner $
mailacceptinggeneralid $ maildrop $ cn ) MAY ( description $
aliasInactive ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' DESC
'Virtual account for holding mailing list info' STRUCTURAL MUST (
mailacceptinggeneralid $ maildrop $ cn ) MAY ( owner $ description $
aliasInactive ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' DESC
'Email account details' AUXILIARY MUST ( mailacceptinguser $ maildrop $
cn ) MAY ( mailacceptinggeneralid $ aliasInactive ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.25260.1.1.105 NAME 'virtualbox' DESC
'Mailbox for system use' STRUCTURAL MUST ( owner $ mail $ uid $ cn ) MAY
description )
When I try to change an attribute OID value, for example:
1.3.6.1.4.1.25260.1.000 to 1.3.6.1.4.1.25260.1.0 (using a visual LDAP
client), then the server hangs and will not restart. (I had to restore
from backup and restart.)
What is the recommended way to do this change?
Thanks,
Nick
11 years, 9 months
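The OIDs being changed have arcs such as 000, which the numericoid grammar in RFC 4512 does not allow (an arc is 0 or a digit string with no leading zero). The script below is added here and is not from the post: it audits the OIDs of an olcSchemaConfig entry against that grammar and the X.660 limits on the first two arcs, and reports OIDs used twice, on a constructed, shortened copy of the entry above (DESC, EQUALITY, MUST and MAY parts left out since only OID and NAME matter).

```python
import re

# RFC 4512 section 1.4: numericoid = number 1*( DOT number )
#                       number     = DIGIT / ( LDIGIT 1*DIGIT )
# i.e. an arc is "0" or a digit string without a leading zero.
NUMBER = re.compile(r"0|[1-9][0-9]*")
DEF_RE = re.compile(r"^olc(AttributeTypes|ObjectClasses):\s*\{\d+\}\(\s*(\S+)\s+NAME\s+'([^']+)'")

def oid_problems(oid):
    """Return the grammar problems of a dotted OID; [] means it is valid."""
    problems = []
    arcs = oid.split(".")
    if len(arcs) < 2:
        problems.append("needs at least two arcs")
    for arc in arcs:
        if not arc.isdigit():
            problems.append("arc %r is not a number" % arc)
        elif not NUMBER.fullmatch(arc):
            problems.append("arc %r has a leading zero" % arc)
    if not problems and int(arcs[0]) > 2:
        problems.append("first arc must be 0, 1 or 2 (X.660)")
    if not problems and int(arcs[0]) < 2 and int(arcs[1]) > 39:
        problems.append("second arc must be 0..39 under arc 0 or 1 (X.660)")
    return problems

def audit_schema_entry(text):
    """Map each NAME in an olcSchemaConfig entry to the problems of its OID."""
    report, seen = {}, {}
    for line in text.splitlines():
        m = DEF_RE.match(line)
        if not m:
            continue
        _kind, oid, name = m.groups()
        probs = oid_problems(oid)
        if oid in seen:
            probs.append("OID already used by %s" % seen[oid])
        seen.setdefault(oid, name)
        report[name] = probs
    return report

# Constructed copy of the entry from the post, one value per line.
POSTFIX_SCHEMA = """\
olcAttributeTypes: {0}( 1.3.6.1.4.1.25260.1.000 NAME 'mailacceptinggeneralid' )
olcAttributeTypes: {1}( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' )
olcAttributeTypes: {2}( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser' )
olcAttributeTypes: {3}( 1.3.6.1.4.1.25260.1.003 NAME 'aliasInactive' )
olcObjectClasses: {0}( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount' )
olcObjectClasses: {1}( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' )
olcObjectClasses: {2}( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' )
olcObjectClasses: {3}( 1.3.6.1.4.1.25260.1.1.105 NAME 'virtualbox' )
"""
```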
Re: problems populating hdb
by stefano
Now it's okay.
I deleted with rm .../ldap/* and I added the init.ldif with slapadd. Now
I've the correct entries!
Thanks (for the moment, see you soon!)
On 02/15/2012 04:54 PM, anax wrote:
> Ciao Stefano
>
> your ldif file cannot be inserted into the DIT via slapadd, use
> ldapadd ...
>
> your entries in dn: dc=nodomain may have been created when you
> installed the ldap-server.
>
> you can find out what the naming-context of your DIT is by
> ldapsearch -h localhost -x -b '' -s base objectclass=* namingContexts
>
> adjust the "-h localhost" parameter.
>
> suomi
>
> On 02/15/2012 04:28 PM, stefano wrote:
>> Hi.
>>
>> I'm installing an LDAP server on a Debian Squeeze server. My goal is to
>> assign to every user of different groups a username and password.
>> my slapd.conf is:
>>
>> include /etc/ldap/schema/core.schema
>> include /etc/ldap/schema/cosine.schema
>> include /etc/ldap/schema/nis.schema
>> include /etc/ldap/schema/inetorgperson.schema
>> pidfile /var/run/slapd/slapd.pid
>> argsfile /var/run/slapd/slapd.args
>> loglevel none
>> modulepath /usr/lib/ldap
>> moduleload back_hdb
>> sizelimit 500
>>
>> backend hdb
>> database hdb
>> suffix "dc=pippo,dc=it"
>> rootdn "cn=admin,dc=pippo,dc=it"
>> rootpw {SSHA}ho2O8N4lyVnAIi6E/7kQrGl9U9iuGLbC
>> directory "/var/lib/ldap"
>> #index: defines which information to index for faster access
>> to the data
>> index objectClass eq
>> #lastmod: requires the server to store in the db the info about
>> the last modification of an object
>> lastmod on
>> #checkpoint: how often the transaction log is flushed
>> to disk
>> checkpoint 512 30
>> #the more advanced BerkeleyDB settings are found in the
>> file /var/lib/ldap/DB_CONFIG
>>
>>
>> I created my first ldif file, init.ldif. I added the following
>> information:
>>
>> dn: dc=pippo,dc=it
>> objectClass: dcObject
>> objectClass: organizationalUnit
>> dc: pippo
>> ou: pippo.it
>>
>> dn: o=Iuss,dc=pippo,dc=it
>> objectClass: Organization
>> o: Iuss
>>
>> dn: ou=Amministratori,o=Iuss,dc=pippo,dc=it
>> objectClass: organizationalUnit
>> ou: Amministratori
>>
>> dn: ou=Professori,o=Iuss,dc=pippo,dc=it
>> objectClass: organizationalUnit
>> ou: Professori
>>
>> dn: ou=Stud_Iuss,o=Iuss,dc=pippo,dc=it
>> objectClass: organizationalUnit
>> ou: Stud_Iuss
>>
>> dn: ou=Stud_Medicina,o=Iuss,dc=pippo,dc=it
>> objectClass: organizationalUnit
>> ou: Stud_Medicina
>>
>> dn: uid=stefano,ou=Amministratori,o=Iuss,dc=pippo,dc=it
>> objectClass: inetOrgPerson
>> uid: nome
>> sn: cognome
>> cn: nome cognome
>>
>>
>> If I run
>>
>> slapadd -l init.ldif -b "dc=pippo","dc=it"
>>
>> I get the following result:
>>
>> => hdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair
>> already exists (-30995)
>> => hdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already
>> exists (-30995)
>> slapadd: could not add entry dn="dc=pippo,dc=it" (line=1): txn_aborted!
>> DB_KEYEXIST: Key/data pair already exists (-30995)
>> _### 16.07% eta none elapsed none spd 11.8 k/s
>>
>> then with:
>>
>> slapcat -b "dc=pippo","dc=it"
>>
>> I can see this:
>>
>> dn: dc=nodomain
>> objectClass: top
>> objectClass: dcObject
>> objectClass: organization
>> o: nodomain
>> dc: nodomain
>> structuralObjectClass: organization
>> entryUUID: 805b9568-e687-1030-82d7-a7960b556dcd
>> creatorsName: cn=admin,dc=nodomain
>> createTimestamp: 20120208100040Z
>> entryCSN: 20120208100040.557042Z#000000#000#000000
>> modifiersName: cn=admin,dc=nodomain
>> modifyTimestamp: 20120208100040Z
>>
>> dn: cn=admin,dc=nodomain
>> objectClass: simpleSecurityObject
>> objectClass: organizationalRole
>> cn: admin
>> description: LDAP administrator
>> userPassword:: e1NTSEF9ZVJjelJ0cS9UWWFiMDR2N3o5TUlvWHZaaDBESUNPZko=
>> structuralObjectClass: organizationalRole
>> entryUUID: 805c070a-e687-1030-82d8-a7960b556dcd
>> creatorsName: cn=admin,dc=nodomain
>> createTimestamp: 20120208100040Z
>> entryCSN: 20120208100040.559953Z#000000#000#000000
>> modifiersName: cn=admin,dc=nodomain
>> modifyTimestamp: 20120208100040Z
>>
>> dn: dc=pippo,dc=it
>> objectClass: dcObject
>> objectClass: organizationalUnit
>> dc: pippo
>> ou: pippo.it
>> structuralObjectClass: organizationalUnit
>> entryUUID: 90734578-e8ca-1030-8109-57345a76d294
>> creatorsName:
>> createTimestamp: 20120211070546Z
>> entryCSN: 20120211070546.162263Z#000000#000#000000
>> modifiersName:
>> modifyTimestamp: 20120211070546Z
>>
>> Why do I have the first error?
>> Why isn't the other information about the tree there?
>>
>> thanks
>>
>> stefano
>
11 years, 9 months
canonical way to force full refresh in 2.4.28 / n-way multimaster
by Aaron Bennett
Hi,
I'm preparing to roll out 2.4.28 with n-way multimaster (in this case, it's really 2-way multimaster but could become more), and I'm looking to clarify what the exact canonical way to force a full refresh is. Here's what I've come up with:
By "full refresh" I mean, blow away whatever is on machine Y with whatever's on machine X.
olcServerID: 1 ldaps://animal.clarku.edu
olcServerID: 2 ldaps://zoot.clarku.edu
olcSyncrepl: {0}rid=001 provider=ldaps://animal.clarku.edu binddn="DN OF REPLICATION USER" bindmethod=simple credentials=<PASSWORD> searchbase="dc=clarku,dc=edu" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=002 provider=ldaps://zoot.clarku.edu binddn="DN OF REPLICATION USER " bindmethod=simple credentials=<PASSWORD> searchbase="dc=clarku,dc=edu" type=refreshAndPersist retry="5 5 300 5" timeout=1
1. Stop slapd on zoot.
2. slapcat > ocrap-backup.ldif
3. rm -rf /var/lib/ldap/* on zoot
4. SLAPD_OPTIONS="-c \"rid=001,sid=001\"" /etc/init.d/slapd start
Then wait and it will refresh.
Is this correct? Is there some easier way? Is there a way to do it without the rm -rf? After it's done, do I need to restart slapd again without the -c option?
Thanks, and if I'm doing something stupid, I'm happy to look stupid in exchange for knowledge. :)
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
11 years, 9 months
Valid RDN or not ?
by Emmanuel Lécharny
Hi guys,
I have read the RFC carefully, and still can't decide if such an RDN is
valid:
cn=test1+cn=test2
AFAICT, yes, but OpenLDAP rejects the creation of an entry with such an RDN.
I may have missed something in the 20+ RFCs and hundreds of pages; is
anyone able to tell me where in the RFC it's explicitly said that it's
not a valid RDN?
Many thanks !
PS: I can live with the fact that OpenLDAP rejects such an RDN, it's not
a big deal, I just want to be sure whether the LDAP API we are working on
should accept such an RDN or not.
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
11 years, 9 months
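As an added example, not from the post: an RFC 4514 parser for the string form of an RDN that splits it into attribute type/value pairs, honouring backslash escapes and hex pairs, plus a check for a type that occurs more than once within one RDN. That a repeated type is what OpenLDAP objects to in cn=test1+cn=test2 is the assumption this check encodes, not something the thread establishes.

```python
import re

# RFC 4514 section 3: relativeDistinguishedName =
#   attributeTypeAndValue *( PLUS attributeTypeAndValue )
# attributeType = descr / numericoid (RFC 4512); a value escapes a special
# character with '\' and may carry any byte as '\' plus two hex digits.
TYPE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+")
HEX_RE = re.compile(r"[0-9A-Fa-f]{2}")

def _split_unescaped(s, sep):
    """Split s at sep, treating a backslash-escaped character as literal."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\":          # keep the escape pair for _unescape
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    parts.append(cur)
    return parts

def _unescape(raw):
    """Undo RFC 4514 escaping, decoding hex pairs as UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != "\\":
            out += raw[i].encode("utf-8")
            i += 1
        elif HEX_RE.fullmatch(raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        elif i + 1 < len(raw):
            out += raw[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError("dangling backslash in %r" % raw)
    return out.decode("utf-8")

def parse_rdn(rdn):
    """Return the RDN's (type, value) pairs in string order."""
    avas = []
    for ava in _split_unescaped(rdn, "+"):
        atype, eq, value = ava.partition("=")   # first '=' ends the type
        atype = atype.strip()
        if not eq or not TYPE_RE.fullmatch(atype):
            raise ValueError("malformed attributeTypeAndValue: %r" % ava)
        avas.append((atype, _unescape(value)))
    return avas

def repeated_types(rdn):
    """Attribute types occurring more than once in the RDN (lowercased)."""
    seen, dup = set(), []
    for atype, _ in parse_rdn(rdn):
        key = atype.lower()
        if key in seen and key not in dup:
            dup.append(key)
        seen.add(key)
    return dup
```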