openldap-technical February 2012

openldap-technical@openldap.org

98 participants
113 discussions

Is putting slapd into read-only mode sufficient for backups?
by Brian Reichert 13 Feb '12

13 Feb '12

I'm curious if the tactics described in this thread are currently sufficient: http://www.openldap.org/lists/openldap-software/200608/msg00152.html The thread overall suggests the tried-and-true tactic of using slapcat to extract and LDIF file, to be imported later. But, our application's DB if large enough that reimportation is prohibitive. We're using OpenLDAP 2.3.43 under CentOS 5.7. What we're doing currently is: - stopping slapd - using db_checkpoint and db_archive to manage the BDB logs - copy away the directory - restart slapd This results in a window of time during which the LDAP server is not available. My hope was that my managing the olcReadOnly attribute via the config database (or as that cited message in the thread suggests, use the monitor database), we could perform those middle two steps while leaving a RO server in place. Is that feasible? Recommended? -- Brian Reichert <reichert(a)numachi.com> BSD admin/developer at large

8 31

Mirror to MultiMaster cluster transform
by Andrey Konovalov 13 Feb '12

13 Feb '12

Dear developers and users of OpenLDAP! I'm wondering to know something awful again :) Now i have a cluster replicated in Mirror mode (without replication of cn=config) with configuration like below: Server0: dn: cn=config olcServerID: 1 dn: olcDatabase={1}hdb,cn=config olcSyncRepl: rid=001 provider=ldap://server1 Server1: dn: cn=config olcServerID: 2 dn: olcDatabase={1}hdb,cn=config olcSyncRepl: rid=001 provider=ldap://server0 And now i want to convert this to multimaster cluster (with possibility to add other writeable nodes) So... can i do something like this and get what i desire? on Server0 and on Server1 do the same: dn: cn=config changeType: modify replace: olcServerID olcServerID: 1 ldap://server0 olcServerID: 2 ldap://server1 dn: olcDatabase={1}hdb,cn=config changeType: modify replace: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://server0 olcSyncRepl: rid=002 provider=ldap://server1 Am i write and this will lead to cluster transformation from Mirror to MultiMaster? Maybe, i have to convert olcDatabase={0}config to mirror/multimaster too? Thanks a lot!

1 0

OpenLDAP cannot start if some TLS cert value gets invalid
by Nick Milas 13 Feb '12

13 Feb '12

Hi, I found out that if, in a working OpenLDAP installation, we inadvertently change the value of: olcTLSCertificateKeyFile: /path/to/key.pem to some invalid value, like: olcTLSCertificateKeyFile: /path/to/non/existing/key.pem then OpenLDAP continues to work (and we see no error message whatsoever), but if it is stopped, it refuses to restart. In the logs, while OpenLDAP is starting, we see: Feb 11 16:20:44 vdev slapd[15272]: main: TLS init def ctx failed: -1 and then service is immediately stopped. I believe that in such cases at least OpenLDAP could start without TLS support, logging the problem and not being unable to restart. The same should hold true for the other associated attributes (olcTLSCACertificateFile, olcTLSCertificateFile), for which I didn't test separately. A workaround if this happens (because, since OpenLDAP server is not running, we cannot easily change the dynamic config) could be to create a symbolic link (/path/to/non/existing/key.pem)to the true file (/path/to/working/key.pem), and thus OpenLDAP can start. Any comments/advice? Thanks, Nick

2 6

help with replication
by Aditya Kalabarigi 13 Feb '12

13 Feb '12

Hello Everyone, I am trying to migrate our existing LDAP setup running on rhel4 to virtual hosts. I am able to setup the ldap server on the virtual host but cannot get the replication working. I cannot find the slapd.replog on the server. Please let me know how can I get this running. Server A - virtual host running rhel 5 (master server) slapd.conf is as follows replogfile /var/lib/ldap/slapd.replog replica host=abc.ex.com:389 suffix="o=xxx,dc=xx,dc=xx,dc=xx" binddn="cn=Replica,o=xxx,dc=xx,dc=xx,dc=xx" credentials="slavepasswd" bindmethod=simple tls=yes Server B - virtual host running rhel5 (slave server) slapd.conf is as follows updatedn "cn=Replica,o=xxx,dc=xx,dc=xx,dc=xx" updateref ldap://xyz.ex.com I have added the ldap database on the exisitng on to the new virtual master and slave servers using an ldif file , slapcat and slapadd. Everything is working fine as it should, except the replication is not working. I have checked the configuration of the running setup and the only difference i could find is in the /var/lib/ldap/ directory. I couldnt find slurpd.replog file in it on the master server. Any help on this is greatly appreciated. Thank you. Regards, Aditya

2 3

Got error while enabling SASL
by Gaurav Gugnani 13 Feb '12

13 Feb '12

Hello All, I'm a new bie to LDAP and trying to enable SASL on the newly created user. I read link at open ldap forum: http://www.openldap.org/doc/admin24/sasl.html#DIGEST-MD5 *and performed following steps:* Step-1: saslpasswd2 -c sasluser2 <asked for password> Step-2: sasldblistusers2 sasluser2(a)test0.devcs: userPassword add_sasl_accnt.ldif ---------------------------- # TEST Account for SASL: dn: uid=sasluser2,ou=System,o=db uid: sasluser2 ou: System description: Special account for SASL Testing userPassword: sasluser2 objectClass: account objectClass: simpleSecurityObject Step-3: ldapadd -x -D cn=Manager,o=db -W -f add_sasl_accnt.ldif After performing these stpes, i tried to perform ldapsearch and landed up in getting error: ldapsearch -U sasluser2 -b 'o=db' '(objectclass=*)' *ldap_sasl_interactive_bind_s: No such attribute (16)* ldapsearch -LLL -U sasluser2 -b 'o=db' *ldap_sasl_interactive_bind_s: No such attribute (16)* Kindly help. Thanks and Regards, Gaurav Gugnani

4 22

replication problem after provider crash
by mimo benjamin 13 Feb '12

13 Feb '12

I'm using a single provider and one consumer (Open Ldap 2.4.26 on Windows). The replication seems to work only if the provider is online. E.g. if i unplug the provider from the network, the consumer replication will stop and never retries, although retry and interval parameter are set. Only after I restart the consumer, the replication will be continued. Here are my slapd.conf for provider/consumer: ServerID 1 "ldap://ldapmaster:389" ServerID 2 "ldap://ldapslave:10389" ####################################################################### # bdb database definitions ####################################################################### database bdb suffix "o=userManagement" rootdn "uid=admin,o=userManagement" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw admin rootpw {MD5}ISMvKXpXpadDiUoOSoAfww== # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory ./data # Indices to maintain index objectClass eq overlay syncprov syncprov-checkpoint 1 10 syncprov-sessionlog 100 password-hash {md5} and for consumer ServerID 1 "ldap://ldapmaster:389" ServerID 2 "ldap://ldapslave:10389" ####################################################################### # bdb database definitions ####################################################################### database bdb suffix "o=userManagement" rootdn "uid=admin,o=userManagement" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw admin rootpw {MD5}ISMvKXpXpadDiUoOSoAfww== # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory ./data # Indices to maintain index objectClass eq syncrepl rid=002 provider=ldap://ldapmaster:389 type=refreshOnly interval=00:00:05:00 searchbase="o=userManagement" attrs="*,+" scope=sub schemachecking=off retry="5 2 1 +" bindmethod=simple binddn="uid=admin,o=userManagement" credentials=admin password-hash {md5} Are my settings bad or did I misunderstood it? My assumption was that this setup should do a replication between provider and consumer in the given interval yielding a r/o replica in the consumer ldap. Thanks for any help, mimo -- Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de

1 0

ldapmodify is crashing the slapd process
by Daniel Savard 11 Feb '12

11 Feb '12

Hi everyone, I am trying to do a number of changes into the configuration database using the following ldif entries: dn: cn=config changetype: modify add: olcTLSCACertificatePath olcTLSCACertificatePath: /etc/ssl/certs - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/openldap/ssl/slapd.cert - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/openldap/ssl/slapd.key - add: olcTLSCipherSuite olcTLSCipherSuite: AES256 - replace: olcTLSVerifyClient olcTLSVerifyClient: allow - When running the ldapmodify command as follow: ldapmodify -f tlsmods.ldir -D cn=config -H ldapi:/// -x -W the slapd process is crashing. I tried to gather some info into the syslog using -s 255 and I cannot find any hints why the process is crashing. I am running OpenLDAP 2.4.24 and here are the entries generated in the syslog after the ldapmodify command: Feb 7 16:00:27 charpak ldapmodify: mdns: Couldn't open nss_mdns configuration file /etc/nss_mdns.conf, using default. Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on 1 descriptor Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on: Feb 7 16:00:31 charpak slapd[23821]: Feb 7 16:00:31 charpak slapd[23821]: slap_listener_activate(9): Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=9 busy Feb 7 16:00:31 charpak slapd[23821]: >>> slap_listener(ldapi://%2fvar% 2frun%2fopenldap%2fslapd.sock) Feb 7 16:00:31 charpak slapd[23821]: daemon: listen=9, new connection on 15 Feb 7 16:00:31 charpak slapd[23821]: daemon: added 15r (active) listener=(nil) Feb 7 16:00:31 charpak slapd[23821]: conn=1000 fd=15 ACCEPT from PATH=/var/run/openldap/slapd.sock (PATH=/var/run/openldap/slapd.sock) Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on 1 descriptor Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on: Feb 7 16:00:31 charpak slapd[23821]: Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on 1 descriptor Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on: Feb 7 16:00:31 charpak slapd[23821]: 15r Feb 7 16:00:31 charpak slapd[23821]: Feb 7 16:00:31 charpak slapd[23821]: daemon: read active on 15 Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: connection_get(15) Feb 7 16:00:31 charpak slapd[23821]: connection_get(15): got connid=1000 Feb 7 16:00:31 charpak slapd[23821]: connection_read(15): checking for input on id=1000 Feb 7 16:00:31 charpak slapd[23821]: op tag 0x60, time 1328648431 Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=0 do_bind Feb 7 16:00:31 charpak slapd[23821]: >>> dnPrettyNormal: <cn=config> Feb 7 16:00:31 charpak slapd[23821]: <<< dnPrettyNormal: <cn=config>, <cn=config> Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=0 BIND dn="cn=config" method=128 Feb 7 16:00:31 charpak slapd[23821]: do_bind: version=3 dn="cn=config" method=128 Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=0 BIND dn="cn=config" mech=SIMPLE ssf=0 Feb 7 16:00:31 charpak slapd[23821]: do_bind: v3 bind: "cn=config" to "cn=config" Feb 7 16:00:31 charpak slapd[23821]: send_ldap_result: conn=1000 op=0 p=3 Feb 7 16:00:31 charpak slapd[23821]: send_ldap_result: err=0 matched="" text="" Feb 7 16:00:31 charpak slapd[23821]: send_ldap_response: msgid=1 tag=97 err=0 Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=0 RESULT tag=97 err=0 text= Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on 1 descriptor Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on: Feb 7 16:00:31 charpak slapd[23821]: Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on 1 descriptor Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on: Feb 7 16:00:31 charpak slapd[23821]: 15r Feb 7 16:00:31 charpak slapd[23821]: Feb 7 16:00:31 charpak slapd[23821]: daemon: read active on 15 Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: connection_get(15) Feb 7 16:00:31 charpak slapd[23821]: connection_get(15): got connid=1000 Feb 7 16:00:31 charpak slapd[23821]: connection_read(15): checking for input on id=1000 Feb 7 16:00:31 charpak slapd[23821]: op tag 0x66, time 1328648431 Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=1 do_modify Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=1 do_modify: dn (cn=config) Feb 7 16:00:31 charpak slapd[23821]: >>> dnPrettyNormal: <cn=config> Feb 7 16:00:31 charpak slapd[23821]: <<< dnPrettyNormal: <cn=config>, <cn=config> Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=1 modifications: Feb 7 16:00:31 charpak slapd[23821]: add: olcTLSCACertificatePath Feb 7 16:00:31 charpak slapd[23821]: one value, length 14 Feb 7 16:00:31 charpak slapd[23821]: add: olcTLSCertificateFile Feb 7 16:00:31 charpak slapd[23821]: one value, length 28 Feb 7 16:00:31 charpak slapd[23821]: add: olcTLSCertificateKeyFile Feb 7 16:00:31 charpak slapd[23821]: one value, length 27 Feb 7 16:00:31 charpak slapd[23821]: add: olcTLSCipherSuite Feb 7 16:00:31 charpak slapd[23821]: one value, length 6 Feb 7 16:00:31 charpak slapd[23821]: replace: olcTLSVerifyClient Feb 7 16:00:31 charpak slapd[23821]: one value, length 5 Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=1 MOD dn="cn=config" Feb 7 16:00:31 charpak slapd[23821]: conn=1000 op=1 MOD attr=olcTLSCACertificatePath olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCipherSuite olcTLSVerifyClient Feb 7 16:00:31 charpak slapd[23821]: <= acl_access_allowed: granted to database root Feb 7 16:00:31 charpak slapd[23821]: oc_check_required entry (cn=config), objectClass "olcGlobal" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "objectClass" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "cn" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcConfigFile" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcConfigDir" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcArgsFile" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcAttributeOptions" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcAuthzPolicy" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcAuthzRegexp" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcConcurrency" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcConnMaxPending" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcConnMaxPendingAuth" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcGentleHUP" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcIdleTimeout" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcIndexSubstrIfMaxLen" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcIndexSubstrIfMinLen" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcIndexSubstrAnyLen" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcIndexSubstrAnyStep" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcIndexIntLen" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcLocalSSF" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcPidFile" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcReadOnly" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcReverseLookup" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcSaslHost" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcSaslSecProps" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcServerID" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcSockbufMaxIncoming" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcSockbufMaxIncomingAuth" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcThreads" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcToolThreads" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcWriteTimeout" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "structuralObjectClass" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "entryUUID" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "creatorsName" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "createTimestamp" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcTLSCACertificatePath" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcTLSCertificateFile" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcTLSCertificateKeyFile" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcTLSCipherSuite" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "olcTLSVerifyClient" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "entryCSN" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "modifiersName" Feb 7 16:00:31 charpak slapd[23821]: oc_check_allowed type "modifyTimestamp" Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on 1 descriptor Feb 7 16:00:31 charpak slapd[23821]: daemon: activity on: Feb 7 16:00:31 charpak slapd[23821]: Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 7 16:00:31 charpak slapd[23821]: daemon: epoll: listen=9 active_threads=0 tvp=zero Any hints? -- Daniel Savard

5 9

howto prepare automatic backups
by deconya 11 Feb '12

11 Feb '12

Hi Im looking how to prepare automatic backups to openldap database. In last mail I comment problem with a crash report, and Im testing how can I do backups and restore it. Only I view slapcat command, but you need to stop the database, and is a critical server and I can't do this stop without create problems to users. There is not any other form? And for other part I would like to understand the content of every folder, because Im with a ubuntu 9.04 server and Im checking what folder I need to control for future restores. Can someone explain the funcition of /var/lib/ldap and /etc/ldap/??? Where is the users data? Thanks

3 3

Loging problem in Ubuntu 11.10 with rsyslog
by rey sebastien 11 Feb '12

11 Feb '12

Hi, I'm using the last release of slapd compiled with --debug option on ubuntu 11.10 :) ./configure --with-tls=openssl --with-threads --with-cyrus-sasl --enable-crypt --enable-debug --enable-cleartext --enable-spasswd --enable-dynacl --enable-aci --enable-modules --enable-wrappers --enable-rewrite --enable-rlookups The ldap is functionnal, i add and modify data without problem, except the logging .. I read tutorial, and documentation, and make some modification to ldap and rsyslog : a > My modification on config : /dn: cn=config replace: olcLogLevel olcLogLevel: Stats dn: cn=config replace: olcLogFile olcLogFile:/var/log/ldap.log/ b > Modification on /etc/rsyslog.d/50-default.conf (syslog.conf doesn't exist anymore on ubuntu ...) I change the last line on this block of rules : /# # First some standard log files. Log by facility. # auth,authpriv.* /var/log/auth.log *.*;auth,authpriv.none -/var/log/syslog #cron.* /var/log/cron.log #daemon.* -/var/log/daemon.log kern.* -/var/log/kern.log #lpr.* -/var/log/lpr.log mail.* -/var/log/mail.log #user.* -/var/log/user.log local4.* /var/log/ldap.log/ c > /touch /var/log/ldap.log / d > /chown openldap:openldap /var/log/ldap.log/ I restart ( service rsyslog restart) and restart slapd ... But this procedure doesn't work, and syslog continue to catch all debug information :( Do you have and idea to help me ? Best regards, SR

1 0

GnuTLS / OpenSSL certificates compatibilty
by rey sebastien 11 Feb '12

11 Feb '12

Hi, One or two question about certificate compatibility, I have self signed certificate generated by openSSL, and the official package of openldap in Ubuntu is compilated with gnutls library. Do you think this configuration could create error ? If this is the case, and if i want to maintain the easy deb package upgrade system, do you know a repository with deb version of openldap compiled with openssl library ? Thanks for advice, SR

5 5

← Newer
1
...
5
6
7
8
9
10
11
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2012