i don't find a new user added in getent passwd list
by stefano
Hi,
I started to work with the posixAccount objectClass.
I installed libnss-ldap on a Debian squeeze server. I configured it during
install time and I modified nsswitch.conf as follows:
passwd files ldap
group files ldap
shadow files ldap
and I didn't modify the remaining lines.
I successfully added a structure.ldif file as follows:
#the root of the directory
dn: dc=amahoro,dc=bi
dc: amahoro
o: amahoro.bi
objectClass: top
objectClass: dcObject
objectClass: organization

#subtree for the administrators
dn: cn=Administrators,dc=amahoro,dc=bi
cn: Administrators
gidNumber: 100
objectClass: posixGroup
I successfully added an administrators.ldif file as follows:
#Stefano Malini
dn: uid=name,cn=Administrators,dc=amahoro,dc=bi
cn: Administrators
uid: name
uidNumber: 100
gidNumber:100
homeDirectory: /home/name/
#Name info
cn: Name Surname
sn: Surname
givenName: Name
displayName: Name Surname
#Work info
title: System Administrator
mail: address@mail
#Misc
userPassword: {SSHA}vB/RyxNdsVkwc9dDxEuS/sIGESBAkzTw
objectClass: posixAccount
objectClass: inetOrgPerson
Now, with the getent command line, this user does not appear. Why?
11 years, 6 months
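An added check, not from the post or from libnss-ldap, that parses the posted LDIF and reports the entry-side conditions that keep a posixAccount out of getent passwd; it assumes the NSS search base is the directory root dc=amahoro,dc=bi and that the LDIF uses no folded lines.

```python
# Added example, not from the post: checks the posted LDIF against what libnss-ldap needs to build a
# passwd(5) line. Assumed NSS search base: dc=amahoro,dc=bi (the root of the directory in the post).
SAMPLE_LDIF = """\
#Stefano Malini
dn: uid=name,cn=Administrators,dc=amahoro,dc=bi
uid: name
uidNumber: 100
gidNumber:100
homeDirectory: /home/name/
cn: Name Surname
objectClass: posixAccount
"""
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")  # RFC 2307 MUST attributes

def parse_ldif(text):
    """Minimal RFC 2849 reader: '#' comments, blank-line separated entries, 'attr:value' with or without a space; no folded lines."""
    entries, cur = [], {}
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = raw.partition(":")  # attribute names are case-insensitive, so key them lowercase
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    return entries

def nss_visibility_issues(entries, base="dc=amahoro,dc=bi"):
    """Reasons a posixAccount entry would be missing from, or collide in, getent passwd."""
    issues = []
    for e in entries:
        if "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            continue  # nss_ldap's default passwd filter is (objectClass=posixAccount)
        dn = e["dn"][0]
        if not dn.lower().endswith(base.lower()):
            issues.append(f"{dn}: not under the NSS search base {base}")
        missing = [a for a in POSIX_ACCOUNT_MUST if a not in e]
        if missing:
            issues.append(f"{dn}: missing MUST attribute(s) {', '.join(missing)}")
        uid = e.get("uidnumber", [""])[0]
        if uid.isdigit() and int(uid) < 1000:
            issues.append(f"{dn}: uidNumber {uid} lies in Debian's system-account range (100-999); with "
                          "'passwd: files ldap' a local account with that uid shadows it in uid lookups")
    return issues
```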
memberOf and glued databases
by Marc Patermann
Hi,
short question first:
Is overlay memberOf supposed to work with glued databases in any direction?
I tried with 2.4.28 and get the following results:
slapd.conf with two databases
1. step
-------
This is simple. MemberOf overlay only in one database
ou=groups,ou=foo,ou=bar (subordinated).
database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof
database bdb
suffix ou=bar
...
- created one inetOrgPerson object
employeenumber=11,ou=groups,ou=foo,ou=bar
- created one group
ou=2,ou=groups,ou=foo,ou=bar
with
member: employeenumber=11,ou=groups,ou=foo,ou=bar
=> memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and
unset just fine.
=> no modifications in superior database ou=bar
2. step
-------
overlay loaded in both databases
database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof
database bdb
suffix ou=bar
...
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof
=> modifications in the subordinate database work as in step 1.
- created one inetOrgPerson object
employeenumber=1,ou=bar
- created one group
ou=1,ou=bar
with
member: employeenumber=1,ou=bar
=> memberOf in employeenumber=1,ou=bar is set and unset just fine.
memberOf is working in the superior database.
- setting group ou=1,ou=bar
member: employeenumber=11,ou=groups,ou=foo,ou=bar
=> memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and
unset just fine.
Changes in groups of superior databases work in subordinate
databases!
- setting group ou=2,ou=groups,ou=foo,ou=bar
member: employeenumber=1,ou=bar
=> does _not_ work:
memberof_value_modify DN="employeenumber=1,ou=bar" add memberOf
="ou=2,ou=groups,ou=foo,ou=bar" failed err=32
Changes in groups of subordinated databases do not work in the
superior database!
3. step
-------
setting "overlay glue" explicitly and removing overlay memberof from the
subordinate database:
database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...
database bdb
suffix ou=bar
...
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof
overlay glue
=> changes in the subordinated database are _not_ managed by the
overlay.
=> changes in groups of superior databases work in subordinate
databases and in the superior database!
3. step II
----------
if glue is located in slapd.conf before memberof (which is IMHO wrong)
and a MOD on member in a group in the subordinate database is sent, slapd
segfaults!
4. step
-------
setting "overlay glue" explicitly and overlay memberof in both databases:
database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof
database bdb
suffix ou=bar
...
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof
overlay glue
=> like 2. step
So the best I get is
- memberOf works in the database, where it is set
- memberOf works for group changes in superior database on members in
subordinated databases
- memberOf does not work for group changes in subordinated databases to
members in superior databases.
Is this the way it is supposed to work?
What I really wanted to achieve is to get memberOf to work between
databases (under glue) of the same level (like ou=1,ou=foo and
ou=2,ou=foo, both subordinate to ou=foo). But as my tests above
did not succeed, I did not try it.
Marc
11 years, 6 months
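An added lint, not code from the post or from OpenLDAP, that splits a slapd.conf into its database sections and flags the overlay order from "3. step II" (glue listed before memberof); it assumes that overlays listed later in a database stack on top of earlier ones, so "overlay glue" has to be the last overlay of the superior database.

```python
# Added example, not from the post: split slapd.conf into database sections and check the overlay order
# that "3. step II" shows to crash slapd. Assumption: later overlays stack on top, so glue must be listed last.
SAMPLE_CONF = """\
database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate

database bdb
suffix ou=bar
overlay glue
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
"""

def parse_databases(text):
    """One dict per 'database' section: backend, suffix, subordinate flag, overlays in file order."""
    dbs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip().strip('"')
        if key == "database":
            cur = {"backend": rest, "suffix": None, "subordinate": False, "overlays": []}
            dbs.append(cur)
        elif cur is None:
            continue  # global directives before the first database are not needed here
        elif key == "suffix":
            cur["suffix"] = rest
        elif key == "subordinate":
            cur["subordinate"] = True
        elif key == "overlay":
            cur["overlays"].append(rest.lower())
    return dbs

def lint_glue_order(dbs):
    """Flag a glue overlay that is not the outermost (last listed) overlay of its database."""
    problems = []
    for db in dbs:
        ov = db["overlays"]
        if "glue" not in ov:
            continue
        if ov[-1] != "glue":
            later = ", ".join(ov[ov.index("glue") + 1:])
            problems.append(f"{db['suffix']}: 'overlay glue' must be listed after {later}")
    return problems
```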
delta-syncrepl and mirrormode problem (2.4.29)
by frank.offermanns@caseris.de
Hi,
I want to use delta-syncrepl replication with 2 masters.
But each slapd process permanently needs about 25 % CPU without any
traffic on it.
The log goes on endlessly like this:
** ld 01e43698 Outstanding Requests:
* msgid 55, origid 55, status InProgress
outstanding referrals 0, parent count 0
ld 01e43698 request count 1 (abandoned 18)
** ld 01e43698 Response Queue:
Empty
ld 01e43698 response count 0
ldap_chkResponseList ld 01e43698 msgid 55 all 0
ldap_chkResponseList returns ld 01e43698 NULL
ldap_int_select
read1msg: ld 01e43698 msgid 55 all 0
ber_get_next
ber_get_next: tag 0x30 len 1187 contents:
abandoned/discarded ld 01e43698 msgid 53 message type search-entry
wait4msg continue ld 01e43698 msgid 55 all 0
** ld 01e43698 Connections:
* host: secondmaster.mydomain.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Feb 13 11:26:53 2012
** ld 01e43698 Outstanding Requests:
* msgid 55, origid 55, status InProgress
outstanding referrals 0, parent count 0
ld 01e43698 request count 1 (abandoned 18)
** ld 01e43698 Response Queue:
Empty
ld 01e43698 response count 0
ldap_chkResponseList ld 01e43698 msgid 55 all 0
ldap_chkResponseList returns ld 01e43698 NULL
ldap_int_select
read1msg: ld 01e43698 msgid 55 all 0
ber_get_next
ber_get_next: tag 0x30 len 1187 contents:
abandoned/discarded ld 01e43698 msgid 53 message type search-entry
wait4msg continue ld 01e43698 msgid 55 all 0
** ld 01e43698 Connections:
* host: secondmaster.mydomain.local port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Feb 13 11:26:53 2012
here is my configuration (completely the same for both masters):
-----------------------------------------------------------------------------------------------------
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/Personcaesar.schema
include ./schema/ConfigObjects.schema
loglevel 0
logfile "C:/test/slapd.log"
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
access to * by dn.one="ou=Admins,o=caesar" write
    by anonymous auth
ServerID 1 "ldap://firstmaster.mydomain.local"
ServerID 2 "ldap://secondmaster.mydomain.local"
######################################################################
database config
rootdn cn=config
rootpw {SHA}secret
#######################################################################
# BDB database definitions
#######################################################################
# Accesslog database definitions
database hdb
suffix cn=accesslog
checkpoint 1024 5
cachesize 10000
directory "C:/test/accessdata"
dbconfig set_cachesize 0 30000000 1
dbconfig set_flags DB_LOG_AUTOREMOVE
dbconfig set_lg_regionmax 1048576
dbconfig set_lg_max 10485760
dbconfig set_lg_bsize 2097152
rootdn cn=accesslog
index objectClass,entryCSN,entryUUID eq
# I even tried removing reqMod; reading your docs I am not sure if this is
# needed here
index reqEnd,reqResult,reqMod,reqStart eq
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Let the replica DN have limitless searches
limits dn.exact="cn=Replicator,ou=admins,o=caesar" time.soft=unlimited
    time.hard=unlimited size.soft=unlimited size.hard=unlimited
# Primary database definitions
database hdb
suffix "o=caesar"
checkpoint 1024 5
cachesize 10000
idlcachesize 30000
rootdn "cn=Administrator,o=caesar"
rootpw {SHA}secret
directory "C:/test/data"
dbconfig set_cachesize 0 100000000 1
dbconfig set_flags DB_LOG_AUTOREMOVE
dbconfig set_lg_regionmax 1048576
dbconfig set_lg_max 10485760
dbconfig set_lg_bsize 2097152
# syncprov specific indexing
index sn pres,eq
index cn pres,eq,sub
...
index entryUUID eq
index entryCSN eq
index objectClass eq
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
syncprov-sessionlog 10000
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
sizelimit size.soft=100 size.hard=1000 size.prtotal=unlimited
# Let the replica DN have limitless searches
limits dn.exact="cn=Replicator,ou=admins,o=caesar" time.soft=unlimited
    time.hard=unlimited size.soft=unlimited size.hard=unlimited
syncrepl rid=001
    provider="ldap://firstmaster.mydomain.local"
    searchbase="o=caesar"
    type=refreshAndPersist
    retry="5 3 15 +"
    binddn="cn=Replicator,ou=admins,o=caesar"
    bindmethod=simple
    credentials="secret"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    syncdata=accesslog
syncrepl rid=002
    provider="ldap://secondmaster.mydomain.local"
    searchbase="o=caesar"
    type=refreshAndPersist
    retry="5 3 15 +"
    binddn="cn=Replicator,ou=admins,o=caesar"
    bindmethod=simple
    credentials="secret"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    syncdata=accesslog
MirrorMode On
-----------------------------------------------------------------------------------------------------
I did my test on 2 Windows PCs with OpenLDAP 2.4.29 and Berkeley DB 5.1.
Thanks for any hints,
FO
11 years, 6 months
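An added log scanner, not from the post or from OpenLDAP, that runs over the libldap debug trace quoted above and reports a handle that is stuck waiting on one msgid while entries for an already abandoned search keep arriving and being discarded; the sample trace is constructed from two of the repeating blocks in the post.

```python
# Added example, not from the post: scan the libldap debug trace quoted above for a connection that
# keeps waiting on one msgid while discarding entries for a search it already abandoned.
import re
from collections import Counter, defaultdict
SAMPLE_LOG = """\
** ld 01e43698 Outstanding Requests:
* msgid 55, origid 55, status InProgress
ld 01e43698 request count 1 (abandoned 18)
read1msg: ld 01e43698 msgid 55 all 0
abandoned/discarded ld 01e43698 msgid 53 message type search-entry
wait4msg continue ld 01e43698 msgid 55 all 0
** ld 01e43698 Outstanding Requests:
* msgid 55, origid 55, status InProgress
ld 01e43698 request count 1 (abandoned 18)
abandoned/discarded ld 01e43698 msgid 53 message type search-entry
wait4msg continue ld 01e43698 msgid 55 all 0
"""  # constructed: two of the repeating blocks from the post, trimmed
DUMP = re.compile(r"^\*\* ld (\w+) Outstanding Requests:")
REQ = re.compile(r"^\s*\*\s*msgid (\d+),\s*origid \d+, status (\w+)")
ABANDONED = re.compile(r"^ld (\w+) request count \d+ \(abandoned (\d+)\)")
DISCARD = re.compile(r"^abandoned/discarded ld (\w+) msgid (\d+) message type (\S+)")

def analyze(log):
    """Per ld handle: request dumps seen, InProgress msgids per dump, discarded msgids, last abandoned counter."""
    stats = defaultdict(lambda: {"dumps": 0, "in_progress": Counter(), "discarded": Counter(), "abandoned": 0})
    current = None  # handle whose "Outstanding Requests" dump is being read
    for line in log.splitlines():
        if m := DUMP.match(line):
            current = m.group(1)
            stats[current]["dumps"] += 1
        elif (m := REQ.match(line)) and current and m.group(2) == "InProgress":
            stats[current]["in_progress"][m.group(1)] += 1
        elif m := ABANDONED.match(line):
            stats[m.group(1)]["abandoned"] = int(m.group(2))
        elif m := DISCARD.match(line):
            stats[m.group(1)]["discarded"][m.group(2)] += 1
    return dict(stats)

def stuck_handles(stats, min_dumps=2):
    """(ld, waiting msgid, discarded msgid, discards, abandoned counter) for handles that never progress."""
    found = []
    for ld, s in stats.items():
        if s["dumps"] < min_dumps:
            continue
        for waiting, n in s["in_progress"].items():
            if n == s["dumps"] and s["discarded"]:  # same request pending in every dump, junk still arriving
                junk, count = s["discarded"].most_common(1)[0]
                found.append((ld, waiting, junk, count, s["abandoned"]))
    return found
```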
Does OpenLDAP affect leap second?
by ITPFS oota
On 2012-06-30, a leap second will be introduced.
ftp://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat
Does OpenLDAP affect leap second?
--
--- Oota Toshiya --- t-oota at dh.jp.nec.com
NEC Systems Software Operations Unit Shiba,Minato,Tokyo
IT Platform Solutions Division Japan,Earth,Solar system
(samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)
11 years, 6 months
Controlled LDAP Proxy/Relay
by W.Siebert@t-systems.com
Hello,
I've implemented an OpenLDAP meta directory that proxies 2 Microsoft AD targets.
One target is the customer's AD, the second our AD for management purposes.
Problem: slapd-meta tries to authenticate the user against one target first, and if the user does not exist there, the second target is contacted.
This means that in both directories the intrusion detection registers a lot of unsuccessful authentications.
Is it possible to implement a controlled proxy with OpenLDAP?
E.g., like a RADIUS proxy based on realm: when the username is xxx@domain01.com, go to target1, and when the username is xxx@domain99.net, go to target2.
Kind regards
Waldemar
11 years, 6 months
ssl negotiation and openldap
by Brett @Google
Hello,
I've recently had issues with a 3rd party java client using jdk 1.4.x,
trying to connect with ldaps:// to openldap 2.4.26, compiled with OpenSSL
1.0.0d
It would appear that the client's jdk 1.4.x has a few harsh restrictions
with regard to modulus size in certificates, even with all unrestricted
"export" policies installed.
So I was wondering a few things:
1. does openldap do anything with the CA certs, other than verify local or
remote certificates, such as sending them over the ssl connection?
2. it's my understanding that in SSL negotiation, only server or client
certificates are exchanged, and CA certs are not sent over the wire
(as IMHO it would literally be a "trust" issue to do otherwise :).
3. other than providing certificates / keys to the openssl API, is there
anything special that happens other than handing off to stock openssl
negotiation?
Trying to work out what is being sent to the client to trigger a "modulus
size" error on the client, other than the client's inherent badness which I
cannot control :)
If the answer to 3. is no, then I'm open to any suggestions with regard to interesting or
useful SSL negotiation documents out there, that might shed some light.
Cheers
Brett
--
The only thing that interferes with my learning is my education.
Albert Einstein
11 years, 6 months