openldap-technical April 2012

openldap-technical@openldap.org

76 participants
80 discussions

Way to email users when their password is about to expire?
by Kline, Sara 25 Apr '12

25 Apr '12

Hey all, Our OpenLDAP environment is up and functional and is working great. I was asked if there is a way to have the server email users when their account password is about to expire. For instance, 7 days before expiration they get an email that lets them know their password will expire on date x. Is there functionality within OpenLDAP to do this, or has anyone written a script that would do it? We are using the policy overlay to enforce the password policy. Sara Kline System Administrator Transaction Network Services, Inc 4501 Intelco Loop, Lacey WA 98503 Wk: (360) 493-6736 Cell: (360) 280-2495 ________________________________ This e-mail message is for the sole use of the intended recipient(s)and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

4 3

mismatch between slapd.conf and olcDatabase
by Nagaraj Panyam 25 Apr '12

25 Apr '12

Hi, This is a question from an absolute novice. I just installed openldap (RHEL 6.1), and created a config file with suffix "dc=example, dc=com" And started up slapd. However, the value of "dc" in the olcDatabase files remains "dc=my-domain,dc=com" How does one remove this mismatch? Secondly, how does one see the contents of /var/lib/ldap/log.0000000001 Thanks a lot for the support. - Raj

3 2

syncrepl issue not replicating all changes
by Mark Coetser 25 Apr '12

25 Apr '12

Hi Guys debian stable openldap 2.4.23-7.2 I have multiple consumers with a single provider, when making changes too the provider ie creating a new user, sometimes the change doesnt propagate too all the consumers some have the correct entries and some dont. If I then compare the contextcsn on both the provider and the consumer it is identical on the consumers with the missing entry. The only way I can then resync is by shutting down openldap on the consumer deleting the tree and restarting which then syncs the directory with the missing entry. How would I go about troubleshooting this issue? Or am I missing something simple? Any help would be appreciated. -- Thank you,

2 3

Fwd: Re: getent passwd doesn't show ldap user
by stefano malini 23 Apr '12

23 Apr '12

any ideas? -------- Original Message -------- Subject: Re: getent passwd doesn't show ldap user Date: Mon, 23 Apr 2012 12:20:03 +0200 From: stefano malini <lozingalo(a)gmail.com> To: openldap-technical(a)openldap.org hi, installed openldap and configured nslcd.conf and nsswitch.conf. At the moment getent passwd doesn't show ldap user. I create a user nslcd_proc for nslcd lookups. this user belong to the System organizationalUnit. You can see some checks. FIRST SHELL nslcd -d nslcd: DEBUG: add_uri(ldap://localhost:389) nslcd: version 0.7.15 starting nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory nslcd: DEBUG: setgroups(0,NULL) done nslcd: DEBUG: setgid(107) done nslcd: DEBUG: setuid(105) done nslcd: accepting connections SECOND SHELL: getent passwd-->shows only local users FIRST SHELL shows: nslcd: [8b4567] DEBUG: connection from pid=2055 uid=0 gid=0 nslcd: [8b4567] DEBUG: nslcd_passwd_all() nslcd: [8b4567] DEBUG: myldap_search(base="dc=amahoro,dc=bi", filter="(objectClass=posixAccount)") nslcd: [8b4567] DEBUG: ldap_initialize(ldap://localhost:389) nslcd: [8b4567] DEBUG: ldap_set_rebind_proc() nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON) nslcd: [8b4567] DEBUG: ldap_simple_bind_s("uid=nslcd_proc,ou=System,dc=amahoro,dc=bi","***") (uri="ldap://localhost:389") nslcd: [8b4567] ldap_result() failed: No such object These are the permissions of nslcd files and folder ls -ld /etc/nslcd.conf /var/run/nslcd/ /var/run/nslcd/* -rw-r----- 1 root nslcd 635 Apr 21 11:54 /etc/nslcd.conf drwxr-xr-x 2 nslcd nslcd 4096 Apr 21 11:55 /var/run/nslcd/ -rw-r--r-- 1 root root 5 Apr 21 11:55 /var/run/nslcd/nslcd.pid srw-rw-rw- 1 root root 0 Apr 21 11:55 /var/run/nslcd/socket Opening /var/run/nslcd/socket it shows: Error reading /var/run/nslcd/socket: No such device or address Follow nslcd.conf and slapd.conf. __________________________________________________________________ # /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details. # The user and group nslcd should run as. uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. uri ldap://localhost:389 # The search base that will be used for all queries. base dc=amahoro,dc=bi # The LDAP protocol version to use. #ldap_version 3 # The DN to bind with for normal lookups. binddn uid=nslcd_proc,ou=System,dc=amahoro,dc=bi bindpw ***** # The DN used for password modifications by root. #rootpwmoddn cn=admin,dc=example,dc=com # SSL options #ssl off #tls_reqcert never # The search scope. #scope sub ___________________________________________________________________ slapd.conf slapd.conf #Basics include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/nis.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel trace modulepath /usr/lib/ldap moduleload back_hdb #Database Configuration backend hdb database hdb suffix "dc=amahoro,dc=bi" rootdn "cn=Manager,dc=amahoro,dc=bi" rootpw {SSHA}zH2A+jeSlbl2/UcAXm596KPV4IB/R6x9 directory /var/lib/ldap index objectClass,cn eq #ACLs access to attrs=userPassword by anonymous auth by self write by * none access to * by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read by self write by * none Please, do you have some ideas? thanks

1 0

Re: getent passwd doesn't show ldap user
by stefano malini 23 Apr '12

23 Apr '12

hi, installed openldap and configured nslcd.conf and nsswitch.conf. At the moment getent passwd doesn't show ldap user. I create a user nslcd_proc for nslcd lookups. this user belong to the System organizationalUnit. You can see some checks. FIRST SHELL nslcd -d nslcd: DEBUG: add_uri(ldap://localhost:389) nslcd: version 0.7.15 starting nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory nslcd: DEBUG: setgroups(0,NULL) done nslcd: DEBUG: setgid(107) done nslcd: DEBUG: setuid(105) done nslcd: accepting connections SECOND SHELL: getent passwd-->shows only local users FIRST SHELL shows: nslcd: [8b4567] DEBUG: connection from pid=2055 uid=0 gid=0 nslcd: [8b4567] DEBUG: nslcd_passwd_all() nslcd: [8b4567] DEBUG: myldap_search(base="dc=amahoro,dc=bi", filter="(objectClass=posixAccount)") nslcd: [8b4567] DEBUG: ldap_initialize(ldap://localhost:389) nslcd: [8b4567] DEBUG: ldap_set_rebind_proc() nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON) nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON) nslcd: [8b4567] DEBUG: ldap_simple_bind_s("uid=nslcd_proc,ou=System,dc=amahoro,dc=bi","***") (uri="ldap://localhost:389") nslcd: [8b4567] ldap_result() failed: No such object These are the permissions of nslcd files and folder ls -ld /etc/nslcd.conf /var/run/nslcd/ /var/run/nslcd/* -rw-r----- 1 root nslcd 635 Apr 21 11:54 /etc/nslcd.conf drwxr-xr-x 2 nslcd nslcd 4096 Apr 21 11:55 /var/run/nslcd/ -rw-r--r-- 1 root root 5 Apr 21 11:55 /var/run/nslcd/nslcd.pid srw-rw-rw- 1 root root 0 Apr 21 11:55 /var/run/nslcd/socket Opening /var/run/nslcd/socket it shows: Error reading /var/run/nslcd/socket: No such device or address Follow nslcd.conf and slapd.conf. __________________________________________________________________ # /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details. # The user and group nslcd should run as. uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. uri ldap://localhost:389 # The search base that will be used for all queries. base dc=amahoro,dc=bi # The LDAP protocol version to use. #ldap_version 3 # The DN to bind with for normal lookups. binddn uid=nslcd_proc,ou=System,dc=amahoro,dc=bi bindpw ***** # The DN used for password modifications by root. #rootpwmoddn cn=admin,dc=example,dc=com # SSL options #ssl off #tls_reqcert never # The search scope. #scope sub ___________________________________________________________________ slapd.conf slapd.conf #Basics include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/nis.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel trace modulepath /usr/lib/ldap moduleload back_hdb #Database Configuration backend hdb database hdb suffix "dc=amahoro,dc=bi" rootdn "cn=Manager,dc=amahoro,dc=bi" rootpw {SSHA}zH2A+jeSlbl2/UcAXm596KPV4IB/R6x9 directory /var/lib/ldap index objectClass,cn eq #ACLs access to attrs=userPassword by anonymous auth by self write by * none access to * by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read by self write by * none Please, do you have some ideas? thanks

1 0

slapd crash in slap_listener
by Stefan Wold 22 Apr '12

22 Apr '12

Hi! It seems slapd crash when it's hammered with ~30 simultaneous connections in our test environment. Each client connecting to the server run "ldapsearch -YGSSAPI -H ldap://ldap.example.com uid=user". In earlier versions of openldap we noticed crashes in SASL with the same setup, however that doesn't seem to happen anymore. The test server is running openldap 2.4.28 on Ubuntu 12.04. After a while slapd segfault with the following backtrace: (gdb) bt #0 0x00007f8577401445 in raise () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007f8577404bab in abort () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x00007f85773fa10e in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #3 0x00007f85773fa1b2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6 #4 0x00007f8578cf17e0 in slap_listener (sl=0x7f857978b2e0) at ../../../../servers/slapd/daemon.c:1890 #5 0x00007f8578cf17f9 in slap_listener_thread (ctx=<optimized out>, ptr=0x7f857978b2e0) at ../../../../servers/slapd/daemon.c:2092 #6 0x00007f85788579aa in ldap_int_thread_pool_wrapper (xpool=0x7f85797c8c80) at ../../../../libraries/libldap_r/tpool.c:685 #7 0x00007f857778fe9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #8 0x00007f85774bd4bd in clone () from /lib/x86_64-linux-gnu/libc.so.6 #9 0x0000000000000000 in ?? () For a full bt: https://gist.github.com/112c3bf7a98a5df69907 Let me know if anything else is needed. -- Sincerely Stefan Wold IT-services, Stockholm University

2 2

Configuring Proxy on Master Master replication set issues - openldap version 2.4.23
by Bhargav Mistry 22 Apr '12

22 Apr '12

Hi, I have 2 set of servers and each set contains 2 servers. I have setup n-way multi master replication per set. FirstMaster-1 <-- --> FirstMaster-2 - set1 SecondMaster-1 <-- --> SecondMaster-2 - set2 There is no replication between set1 and set2. Set 2 is inside a service network so in order to setup replication on set 2 I am trying to setup proxy on FirstMaster-1 which will point to SecondMaster-1 and FirstMaster-2 which will point to SecondMaster-2. I tried to google it but I didn't find any body doing it for version 2.4.23. I am able to setup a standalone proxy and configure it but I want to do it on the master servers itself. I am trying to setup proxy for the tree Cn=Manager, dc=my-domain,dc=com on both first masters but in order to do that I have to create a ldap database with the same suffix and rootDN correct? In order to setup replication for ldap database. Ldap throws error saying "dc=my-domain,dc=com" is already defined. FirstMaster-1 : olcDatabase={3}ldap.ldif dn: olcDatabase={3}ldap objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {3}ldap olcSuffix: dc=my-domain,dc=com olcRootDN: cn=ldap olcSyncUseSubentry: FALSE olcMonitoring: TRUE structuralObjectClass: olcLDAPConfig entryUUID: 633dcaac-1eb1-1031-884a-f7149142768b creatorsName: cn=config createTimestamp: 20120419212135Z entryCSN: 20120419212135.686069Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20120419212135Z olcSyncrepl: rid=000 provider=ldap://FirstMaster-1:389 binddn="cn=Manager,dc=my-domain,dc=com" bindmethod=simple credentials="secret" searchbase="dc=my-domain,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off type=refreshAndPersist retry="5 5 300 5" timeout=1 olcDbURI: ldap://SecondMaster-1.eng.qpass.net:389 olcDbACLBind: bindmethod=simple timeout=0 network-timeout=0 binddn="cn=Manager,dc=my-domain,dc=com" credentials="secret" The above configuration is giving me errors when I try to reload it saying the "dc=my-domain,dc=com" is already used by the preceding database (bdb) then how do I setup the proxy on the master itself? Your help is appreciated. Thanks. Bhargav. This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp

2 2

slapd-ldap proxy database
by Ismael Gil 20 Apr '12

20 Apr '12

Hello all, I'm trying to configure a ldap proxy to conect to a windows active directory to get data. My /etc/openldap/slapd.conf, looks like that (the databases definition only): # Our slapd-ldap back end to connect to AD database ldap suffix "cn=users,dc=XXX,dc=XXX" #rootdn "cn=Administrador,dc=XXX,dc=XXX" subordinate lastmod off rebind-as-user uri "ldap://serverip/" chase-referrals yes database bdb suffix "dc=XXX,dc=XXX" rootdn "cn=Administrador,dc=XXX,dc=XXX" #rootdn "dc=XXX,dc=XXX" rootpw {SSHA}YYYYYYYYYYYYYYYYYyyy Whit this config, I only can query the "users" directory, on the Active Directory server, but I need to be able to query all OUs inside the Active Directory. Why I only can get data from users ou, instead the whole Active Directory? How could I get to proxy all my querys to the Active directory server? If I have an ou called "Bussines", in the Active Directory server, ¿how could I make a database definition or other configuration to get that working? Thanks in advance, Ismaeleitor

1 0

getent passwd doesn't show ldap user
by stefano malini 20 Apr '12

20 Apr '12

hi, as said before i reinstalled openldap and configured nslcd.conf and nsswitch.conf. at the moment geten passwd doesn't show ldap user. as follow you see that i create a user nslcd_proc for nslcd lookups. this user belong to the System organizationalUnit. follow nslcd.conf and slapd.conf (please take a look of ACLs for nslcd_proc): ------------------------------------------------------------------ # /etc/nslcd.conf # nslcd configuration file. See nslcd.conf(5) # for details. # The user and group nslcd should run as. uid nslcd gid nslcd # The location at which the LDAP server(s) should be reachable. uri ldap://localhost:389 # The search base that will be used for all queries. base dc=amahoro,dc=bi # The LDAP protocol version to use. #ldap_version 3 # The DN to bind with for normal lookups. binddn uid=nslcd_proc,ou=System,dc=amahoro,dc=bi bindpw ***** # The DN used for password modifications by root. #rootpwmoddn cn=admin,dc=example,dc=com # SSL options #ssl off #tls_reqcert never # The search scope. #scope sub ------------------------------------------------------------------ slapd.conf ACLs: access to attrs=userPassword by anonymous auth by self write by * none access to * by dn.base="uid=nslcd_proc,ou=System,dc=amahoro,dc=bi" read by self write by * none thanks

1 1

Behavior change on overlay sssvlv
by Clément OUDOT 20 Apr '12

20 Apr '12

Hello, I noticed that with OpenLDAP 2.4.30, a search request with a non criticical sss control on an attribute without ordering matching rule returns an error: clement@ader:~/Programmes/openldap$ bin/ldapsearch -H ldap://localhost:3389 -D ou=lsc,ou=accounts,ou=XXX -w secret -b ou=people,ou=XXX -E sss=cn # extended LDIF # # LDAPv3 # with server side sorting control # # search result search: 2 result: 18 Inappropriate matching text: serverSort control: No ordering rule # numResponses: 1 Before, the error was only returned if the control was set to critical. This was discussed in this ITS: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6647 Is this behavior change intentional or is this a side effect of of recent commit? Clément.

3 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2012