openldap-technical March 2012

openldap-technical@openldap.org

96 participants
116 discussions

i don't find a new user added in getent passwd list
by stefano 02 Mar '12

02 Mar '12

hi, i started to work with posixAccount objectClass. i installed libnss-ldap on debian squeeze server. i configured it during install time and i modified nsswitch.conf as follow: passwd files ldap group files ldap shadow files ldap and i didn't modify the remains lines. i succesfully added a structure.ldif file as follow #the root of the directory dn: dc=amahoro,dc=bi dc: amahoro o: amahoro.bi objectClass: top objectClass: dcObject objectClass: organization #subtree for the administrators dn: cn=Administrators,dc=amahoro,dc=bi cn: Administrators gidNumber: 100 objectClass: posixGroup i succesfully added a administrators.ldif file as follow: #Stefano Malini dn: uid=name,cn=Administrators,dc=amahoro,dc=bi cn: Administrators uid: name uidNumber: 100 gidNumber:100 homeDirectory: /home/name/ #Name info cn: Name Surname sn: Surname givenName: Name displayName: Name Surname #Work info title: System Administrator mail: address@mail #Misc userPassword: {SSHA}vB/RyxNdsVkwc9dDxEuS/sIGESBAkzTw objectClass: posixAccount objectClass: inetOrgPerson Now, with getent command-line there is not this user. Why?

3 7

memberOf and glued databases
by Marc Patermann 02 Mar '12

02 Mar '12

Hi, short question first: Is overlay memberOf supposed to work with glued databases in any direction? I tried with 2.4.28 and get the following results: slapd.conf with two databases 1. step ------- This is simple. MemberOf overlay only in one database ou=groups,ou=foo,ou=bar (subordinated). database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof database bdb suffix ou=bar ... - created one inetOrgPerson object employeenumber=11,ou=groups,ou=foo,ou=bar - created one group ou=2,ou=groups,ou=foo,ou=bar with member: employeenumber=11,ou=groups,ou=foo,ou=bar => memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine. => no modifications in superior database ou=bar 2. step ------- overlay loaded in both databases database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof => modification in the subordinated database work in 1. step. - created one inetOrgPerson object employeenumber=1,ou=bar - created one group ou=1,ou=bar with member: employeenumber=1,ou=bar => memberOf in employeenumber=1,ou=bar is set and unset just fine. memberOf is working in the superior database. - setting group ou=1,ou=bar member: employeenumber=11,ou=groups,ou=foo,ou=bar => memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine. Changes in groups of superior databases work in subordinate databases! - setting group ou=2,ou=groups,ou=foo,ou=bar member: employeenumber=1,ou=bar => does _not_ work: memberof_value_modify DN="employeenumber=1,ou=bar" add memberOf ="ou=2,ou=groups,ou=foo,ou=bar" failed err=32 Changes in groups of subordinated databases do not work in the superior database! 3. step ------- setting "overlay glue" explicitly and removing overlay memberof from the subordinate database: database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof overlay glue => changes in the subordinated database are _not_ managed by the overlay. => changes in groups of superior databases work in subordinate databases and in the superior database! 3. step II ---------- if glue is located in slapd.conf before memberof (which is IMHO wrong) and MOD on member in a group in the subordinated database is send, slapd segfaults! 4. step ------- setting "overlay glue" explicitly and overlay memberof in both databases: database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof overlay glue => like 2. step So the best I get is - memberOf works in the database, where it is set - memberOf works for group changes in superior database on members in subordinated databases - memberOf does not work for group changes in subordinated databases to members in superior databases. Is this the way it is supposed to work? What I really wanted to achieve is to get memerOf to work between database (under glue) of the same level. (Like ou=1,ou=foo and ou=2,ou=foo both subordinated of ou=foo.) But while my testings above did not succeed, it did not tried. Marc

9 15

delta-syncrepl and mirrormode problem (2.4.29)
by frank.offermanns＠caseris.de 01 Mar '12

01 Mar '12

Hi, I want to use delta-syncrepl replication with 2 masters. But each slapd-process permanently needs about 25 % CPU usage without any traffic on it. The log looks endless like this: ** ld 01e43698 Outstanding Requests: * msgid 55, origid 55, status InProgress outstanding referrals 0, parent count 0 ld 01e43698 request count 1 (abandoned 18) ** ld 01e43698 Response Queue: Empty ld 01e43698 response count 0 ldap_chkResponseList ld 01e43698 msgid 55 all 0 ldap_chkResponseList returns ld 01e43698 NULL ldap_int_select read1msg: ld 01e43698 msgid 55 all 0 ber_get_next ber_get_next: tag 0x30 len 1187 contents: abandoned/discarded ld 01e43698 msgid 53 message type search-entry wait4msg continue ld 01e43698 msgid 55 all 0 ** ld 01e43698 Connections: * host: secondmaster.mydomain.local port: 389 (default) refcnt: 2 status: Connected last used: Mon Feb 13 11:26:53 2012 ** ld 01e43698 Outstanding Requests: * msgid 55, origid 55, status InProgress outstanding referrals 0, parent count 0 ld 01e43698 request count 1 (abandoned 18) ** ld 01e43698 Response Queue: Empty ld 01e43698 response count 0 ldap_chkResponseList ld 01e43698 msgid 55 all 0 ldap_chkResponseList returns ld 01e43698 NULL ldap_int_select read1msg: ld 01e43698 msgid 55 all 0 ber_get_next ber_get_next: tag 0x30 len 1187 contents: abandoned/discarded ld 01e43698 msgid 53 message type search-entry wait4msg continue ld 01e43698 msgid 55 all 0 ** ld 01e43698 Connections: * host: secondmaster.mydomain.local port: 389 (default) refcnt: 2 status: Connected last used: Mon Feb 13 11:26:53 2012 here is my configuration (completely the same for both masters): ----------------------------------------------------------------------------------------------------- ucdata-path ./ucdata include ./schema/core.schema include ./schema/cosine.schema include ./schema/Personcaesar.schema include ./schema/ConfigObjects.schema loglevel 0 logfile "C:/test/slapd.log" pidfile ./run/slapd.pid argsfile ./run/slapd.args access to * by dn.one="ou=Admins,o=caesar" write by anonymous auth ServerID 1 "ldap://firstmaster.mydomain.local" ServerID 2 "ldap://secondmaster.mydomain.local" ###################################################################### database config rootdn cn=config rootpw {SHA}secret ####################################################################### # BDB database definitions ####################################################################### # Accesslog database definitions database hdb suffix cn=accesslog checkpoint 1024 5 cachesize 10000 directory "C:/test/accessdata" dbconfig set_cachesize 0 30000000 1 dbconfig set_flags DB_LOG_AUTOREMOVE dbconfig set_lg_regionmax 1048576 dbconfig set_lg_max 10485760 dbconfig set_lg_bsize 2097152 rootdn cn=accesslog index objectClass,entryCSN,entryUUID eq # I even tried removing reqMod, reading your docs I am not sure if this is needed here index reqEnd,reqResult,reqMod,reqStart eq overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE # Let the replica DN have limitless searches limits dn.exact="cn=Replicator,ou=admins,o=caesar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited # Primary database definitions database hdb suffix "o=caesar" checkpoint 1024 5 cachesize 10000 idlcachesize 30000 rootdn "cn=Administrator,o=caesar" rootpw {SHA}secret directory "C:/test/data" dbconfig set_cachesize 0 100000000 1 dbconfig set_flags DB_LOG_AUTOREMOVE dbconfig set_lg_regionmax 1048576 dbconfig set_lg_max 10485760 dbconfig set_lg_bsize 2097152 # syncprov specific indexing index sn pres,eq index cn pres,eq,sub ... index entryUUID eq index entryCSN eq index objectClass eq # syncrepl Provider for primary db overlay syncprov syncprov-checkpoint 1000 60 syncprov-sessionlog 10000 # accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00 sizelimit size.soft=100 size.hard=1000 size.prtotal=unlimited # Let the replica DN have limitless searches limits dn.exact="cn=Replicator,ou=admins,o=caesar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited syncrepl rid=001 provider="ldap://firstmaster.mydomain.local" searchbase="o=caesar" type=refreshAndPersist retry="5 3 15 +" binddn="cn=Replicator,ou=admins,o=caesar" bindmethod=simple credentials="secret" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on syncdata=accesslog syncrepl rid=002 provider="ldap://secondmaster.mydomain.local" searchbase="o=caesar" type=refreshAndPersist retry="5 3 15 +" binddn="cn=Replicator,ou=admins,o=caesar" bindmethod=simple credentials="secret" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on syncdata=accesslog MirrorMode On ----------------------------------------------------------------------------------------------------- I did my test on 2 Windows PCs and OpenLDAP 2.4.29 with Berkeley 5.1 . Thanks for any hints, FO

2 4

Does OpenLDAP affect leap second?
by ITPFS oota 01 Mar '12

01 Mar '12

At 2012-06-30, leap second will be introduced. ftp://hpiers.obspm.fr/iers/bul/bulc/bulletinc.dat Does OpenLDAP affect leap second? -- --- Oota Toshiya --- t-oota at dh.jp.nec.com NEC Systems Software Operations Unit Shiba,Minato,Tokyo IT Platform Solutions Division Japan,Earth,Solar system (samba-jp/ldap-jp Staff,mutt-j/samba-jp postmaster)

1 0

Controlled LDAP Proxy/Relay
by W.Siebert＠t-systems.com 01 Mar '12

01 Mar '12

Hello, I'v implemented a OpenLDAP Metadirectory that proxying 2 Microsft AD targets. One target is customers AD, the second our AD for management purposes. Problem: slapd-meta tries to authenticate the user first by one target and if this user there not exist will be the second target connected. Means: in both directories Intrusion Detection register a lot of unsuccessfully authentication. Is it possible to implement the controlled proxy with OpenLDAP ? E.g., like Radiusproxy based on realm: when username is xxx(a)domain01.com<mailto:xxx@domain01.com> go to the target1, and when username is xxx(a)domain99.net<mailto:xxx@domain99.net> go to the target2. Kind regards Waldemar

3 2

ssl negotiation and openldap
by Brett ＠Google 29 Feb '12

29 Feb '12

Hello, I've recently had issues with a 3rd party java client using jdk 1.4.x, trying to connect with ldaps:// to openldap 2.4.26, compiled with OpenSSL 1.0.0d It would appear that the client's jdk 1.4.x has a few harsh restrictions with regard to modulus size in certiicates, even with all unrestricted "export" policies installed. So i was wondering a few things : 1. does openldap do anything with the CA certs, other than verify local or remote certiticates, such as sending them over the ssl connection ? 2. it's my understanding that in SSL negotiation, only server or client certiticates are exchanged, and ca certs's are not sent over the wire (as IMHO it would literally bet a "trust" issue to do otherwise :). 3. other than providing certificates / keys to the openssl API, is there anything special that happens other than hand off to stock openssl negotiation ? Trying to work out what is being sent to the client to trigger a "modulus size" error on the client, other than clients inherent badness which i cannot control :) If 3. is no, then i'm open to any suggestions with regard to interesting or useful SSL negotiation documents out there, that might shed some light. Cheers Brett -- *The only thing that interferes with my learning is my education.* * Albert Einstein*

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2012