openldap-technical April 2012

openldap-technical@openldap.org

76 participants
80 discussions

modifyTimeStamp not modified on replica
by jehan procaccia 03 Apr '12

03 Apr '12

Hello when I modify the mail attribute on the master, the attribute is correctly replicated on the replica, but the modifyTimeStamp isn't !? shouldn't it be modified !? The master is runing openldap-servers-2.3.43-12.el5_7.10 the replica that failes to replicate modifyTimeStamp is an openldap-servers-2.4.23-20.el6.i686 on a openldap-servers-2.3.43-12.el5_7.10 replica, modifyTimeStamp is correctly updated ! could it be a openldap version incompatibility ? or perhaps an ACL miss-configuration !? Thanks for your help .

2 5

Ubuntu can't connect to SambaPDC
by Imre Bertalan 03 Apr '12

03 Apr '12

Hi guys. This is not really an OpenLDAP question, but it seems we have some fine qualified users here, so I'll ask this question here. :) I have a nice working Zentyal 2.2 server with DNS and SambaPDC. Windows client's can join the domain with the network users ans they see all the shared folders too. My problem is that I don't know how to join a domain with Ubuntu. Tried with likewise-open and likewise-open-gui, but all the time, it sais Bad_DNS_Package. Same error message comes when I try to join from terminal with the command "*sudo domainjoin-cli join DOMAIN USER*" I also installed samba, smbclient, winbind on the client. I heard that it could be because the server is set to allow Win clients only. Could that be? Thanks in advance! Imi

2 1

Active Directory connected to OpenLDAP (master)
by Sylvain 03 Apr '12

03 Apr '12

Hi ! Currently, we've got an OpenLDAP which acts as a master and contains 20000+ users and groups, we want to keep it. CIO ask us to deploy Windows with AD connected to our master OpenLDAP. I've googled a lot and I don't find any clean solutions like replica (OpenLDAP -> AD). Another solution could be use of referrals on the AD but I doubt ? Unclean solutions found are use of LSC or MIIS/FIM which are not real-time... A little help would be cool :) Best regards, Sylvain

3 8

Replication stops working due to objectClass=glue
by frank.offermanns＠caseris.de 03 Apr '12

03 Apr '12

Hi, I have a synrepl-master and one slave. I delete both databases and do a slapadd on the master. After doing so I start the slave. Our system has a few dozen processes changing values every minute, so they also do it when the inital replication is running. >From time to time replication stops working while doing the initial replication. It then always has problems with the values being edited while the intial replication is running (full replication needs a few minutes). Here's a quote concerning master/master. "Both servers will initialize their accesslogs separately from their main DB since they are empty, and the two logs will have different timestamps. You need to make sure that the main DB and log DB are initialized together on at least one of the servers." But this quote should not count for master/slave, does it? If replication works I have slavelogentrys like this: 30.03.2012 11:40:24 4f757f88 oc_check_required entry (ou=Trinity64.ub2.cae.local,ou=SystemStatus,o=caesar), objectClass "Server" If it fails the objectClass is "glue" 30.03.2012 11:25:23 4f757c03 bdb_modify_internal: 0x000006af: ou=Trinity64.ub2.cae.local,ou=SystemStatus,o=caesar 30.03.2012 11:25:23 4f757c03 oc_check_required entry (ou=Trinity64.ub2.cae.local,ou=SystemStatus,o=caesar), objectClass "glue" 30.03.2012 11:25:23 4f757c03 oc_check_allowed type "structuralObjectClass" 30.03.2012 11:25:23 4f757c03 oc_check_allowed type "objectClass" 30.03.2012 11:25:23 4f757c03 oc_check_allowed type "entryUUID" 30.03.2012 11:25:23 4f757c03 oc_check_allowed type "creatorsName" 30.03.2012 11:25:23 4f757c03 oc_check_allowed type "createTimestamp" 30.03.2012 11:25:23 4f757c03 oc_check_allowed type "LastModifiedApplication" 30.03.2012 11:25:23 4f757c03 Entry (ou=Trinity64.ub2.cae.local,ou=SystemStatus,o=caesar), attribute 'LastModifiedApplication' not allowed 30.03.2012 11:25:23 4f757c03 entry failed schema check: attribute 'LastModifiedApplication' not allowed 30.03.2012 11:25:23 4f757c03 hdb_modify: modify failed (65) 30.03.2012 11:25:23 4f757c03 send_ldap_result: conn=-1 op=0 p=3 30.03.2012 11:25:23 4f757c03 null_callback : error code 0x41 30.03.2012 11:25:23 4f757c03 syncrepl_message_to_op: rid=001 be_modify ou=Trinity64.ub2.cae.local,ou=SystemStatus,o=caesar (65) According to post: http://www.openldap.org/lists/openldap-bugs/200608/msg00044.html "But eventually the entry should get replicated, and the consumer should replace everything with the correct objectclasses. I guess there's a possibility that we're not setting the right flags to allow the consumer to change the entry's structuralObjectClass." there has been a possible problem here. Is this fixed? Version is 2.4.30, Berkeley DB 5.1 using hdb and OS is Windows. If I should post my config please tell me, but I posted it in different threads before and I also don't think the config is the problem here, since it sometimes works. Regards, Frank

1 0

AD proxy in OpenLDAP
by Chris O'Kelly 02 Apr '12

02 Apr '12

Hi guys, Posted a while back but didn't get far, just trying again to see if I can get this working. We have AD on our DC server, working fine, and a list of external clients in OpenLDAP, also working fine. We have a new web service that needs to authenticate against only one DSA, so I need to have the OpenLDAP DSA proxy to AD. The initial setup in OpenLDAP is - dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/ldap olcModuleload: back_hdb olcModuleload: back_ldap dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcSuffix: dc=companyname,dc=local olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=companyname,dc=local olcRootPW: secret olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcDbCheckpoint: 512 30 olcAccess: to attrs=userPassword by dn="cn=admin,dc=companyname,dc=local" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by * read olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=companyname,dc=local" write by * read the ldap backend I have added with ldapadd is - olcDatabase: ldap olcSuffix: dc=internal,dc=companyname,dc=local olcDbDirectory: /var/lib/ldap uri: ldap://companyname.local acl-bind: bindmethod=simple binddn="CN=proxy,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=companyname,DC=local" credentials=secret. When I attempt to search on dc=companyname,dc=local I get results. When I attempt to search AD directly from the server running OpenLDAP I get results. However if I search dc=internal,dc=companyname,dc=local pointed at OpenLDAP I get No Such Object (32). I believe this could be related to one of two things, however I have been unable to find the fix (I have read the slapd, slapd-ldap, slapd-relay, slapd-pbind manpages, as well as numerous tutorials). I believe it is either that I am missing the schema files for AD or that I am incorrect in putting the LDAP backend in a seperate dc (internal). On AD the base suffix is also just dc=companyname, dc=local, I put the LDAP backend in this suffix as the rest of the directory is already in dc=companyname,dc=local in OpenLDAP and I wished for it to be separate, I don't know if this has caused the issue. As for the scema files, I used Apache directory studio to export the cn=schema branch from AD into an LDIF file and attempted to add it using ldapadd, the result was adding new entry "CN=Schema,CN=Configuration,DC=companyname,DC=local" ldap_add: Undefined attribute type (17) additional info: instanceType: attribute type undefined I have been trying to figure out this issue for weeks and I am at my wits end. I am seriously at the point of contemplating trying to find someone I can pay to show me the fix.

3 2

groups added to provider not replicating to consumer
by btb＠bitrate.net 02 Apr '12

02 Apr '12

hi- i've recently set up delta-syncrepl, with one provider and one consumer. things seemed to be generally working, but i recently noticed that member attributes in group entries were not getting replicated. after a bit of testing, i also found that new groups added to the provider appear to not be replicated to the consumer. it also appears that the operation of adding a group is not being written to the accesslog. on a possibly related note, i'm using the memberof overlay, and the memberof attribute modifications which occur as a result of adding a group are written to the accesslog, and are replicated to the consumer. i'm using 2.4.25, courtesy of ubuntu 11.10. what can i do to better understand what is happening, and why? below is some preliminary data, and log entries using olcloglevel: any thanks -ben >cat add_group.ldif dn: cn=test_group,ou=general,ou=groups,dc=example,dc=net changetype: add objectClass: top objectClass: groupOfNames description: test group cn: test_group member: uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net >ldapadd -xZZD 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net' -w 'xxxxxxxxxxxx' -f add_group.ldif adding new entry "cn=test_group,ou=general,ou=groups,dc=example,dc=net" subsequent ldapsearch on provider: >ldapsearch -xLLLZZD 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net' -w 'xxxxxxxxxxxx' -b 'cn=test_group,ou=general,ou=groups,dc=example,dc=net' -s base '*' '+' dn: cn=test_group,ou=general,ou=groups,dc=example,dc=net objectClass: top objectClass: groupOfNames description: test group cn: test_group member: uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example, dc=net structuralObjectClass: groupOfNames entryUUID: d68c73e4-10c1-1031-8246-9dfa8daa46e0 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net createTimestamp: 20120402034404Z entryCSN: 20120402034404.808333Z#000000#000#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net modifyTimestamp: 20120402034404Z entryDN: cn=test_group,ou=general,ou=groups,dc=example,dc=net subschemaSubentry: cn=Subschema hasSubordinates: FALSE subsequent ldapsearch on consumer: >ldapsearch -xLLLZZD 'uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net' -w 'xxxxxxxxxxxx' -b 'cn=test_group,ou=general,ou=groups,dc=example,dc=net' -s base '*' '+' No such object (32) Matched DN: ou=general,ou=groups,dc=example,dc=net provider log entries: Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: slap_listener_activate(8): Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 busy Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: >>> slap_listener(ldap:///) Apr 1 23:44:04 flip slapd[9255]: daemon: listen=8, new connection on 54 Apr 1 23:44:04 flip slapd[9255]: daemon: added 54r (active) listener=(nil) Apr 1 23:44:04 flip slapd[9255]: conn=1378 fd=54 ACCEPT from IP=192.168.1.1:47610 (IP=0.0.0.0:389) Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 2 descriptors Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: 54r Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: read active on 54 Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: connection_get(54) Apr 1 23:44:04 flip slapd[9255]: connection_get(54): got connid=1378 Apr 1 23:44:04 flip slapd[9255]: connection_read(54): checking for input on id=1378 Apr 1 23:44:04 flip slapd[9255]: op tag 0x77, time 1333338244 Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=0 do_extended Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Apr 1 23:44:04 flip slapd[9255]: do_extended: oid=1.3.6.1.4.1.1466.20037 Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=0 STARTTLS Apr 1 23:44:04 flip slapd[9255]: send_ldap_extended: err=0 oid= len=0 Apr 1 23:44:04 flip slapd[9255]: send_ldap_response: msgid=1 tag=120 err=0 Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=0 RESULT oid= err=0 text= Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: 54r Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: read active on 54 Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: connection_get(54) Apr 1 23:44:04 flip slapd[9255]: connection_get(54): got connid=1378 Apr 1 23:44:04 flip slapd[9255]: connection_read(54): checking for input on id=1378 Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: 54r Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: read active on 54 Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: connection_get(54) Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: connection_get(54): got connid=1378 Apr 1 23:44:04 flip slapd[9255]: connection_read(54): checking for input on id=1378 Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: 54r Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: read active on 54 Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: connection_get(54) Apr 1 23:44:04 flip slapd[9255]: connection_get(54): got connid=1378 Apr 1 23:44:04 flip slapd[9255]: connection_read(54): checking for input on id=1378 Apr 1 23:44:04 flip slapd[9255]: connection_read(54): unable to get TLS client DN, error=49 id=1378 Apr 1 23:44:04 flip slapd[9255]: conn=1378 fd=54 TLS established tls_ssf=128 ssf=128 Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: 54r Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: read active on 54 Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: connection_get(54) Apr 1 23:44:04 flip slapd[9255]: connection_get(54): got connid=1378 Apr 1 23:44:04 flip slapd[9255]: connection_read(54): checking for input on id=1378 Apr 1 23:44:04 flip slapd[9255]: op tag 0x60, time 1333338244 Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=1 do_bind Apr 1 23:44:04 flip slapd[9255]: >>> dnPrettyNormal: <uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: <<< dnPrettyNormal: <uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net>, <uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net" method=128 Apr 1 23:44:04 flip slapd[9255]: do_bind: version=3 dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net" method=128 Apr 1 23:44:04 flip slapd[9255]: ==> hdb_bind: dn: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net Apr 1 23:44:04 flip slapd[9255]: bdb_dn2entry("uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net") Apr 1 23:44:04 flip slapd[9255]: => access_allowed: result not in cache (userPassword) Apr 1 23:44:04 flip slapd[9255]: => access_allowed: auth access to "uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net" "userPassword" requested Apr 1 23:44:04 flip slapd[9255]: => acl_get: [1] attr userPassword Apr 1 23:44:04 flip slapd[9255]: => acl_mask: access to entry "uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net", attr "userPassword" requested Apr 1 23:44:04 flip slapd[9255]: => acl_mask: to value by "", (=0) Apr 1 23:44:04 flip slapd[9255]: <= check a_dn_pat: anonymous Apr 1 23:44:04 flip slapd[9255]: <= acl_mask: [1] applying auth(=xd) (stop) Apr 1 23:44:04 flip slapd[9255]: <= acl_mask: [1] mask: auth(=xd) Apr 1 23:44:04 flip slapd[9255]: => slap_access_allowed: auth access granted by auth(=xd) Apr 1 23:44:04 flip slapd[9255]: => access_allowed: auth access granted by auth(=xd) Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=1 BIND dn="uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net" mech=SIMPLE ssf=0 Apr 1 23:44:04 flip slapd[9255]: do_bind: v3 bind: "uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net" to "uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net" Apr 1 23:44:04 flip slapd[9255]: send_ldap_result: conn=1378 op=1 p=3 Apr 1 23:44:04 flip slapd[9255]: send_ldap_result: err=0 matched="" text="" Apr 1 23:44:04 flip slapd[9255]: send_ldap_response: msgid=2 tag=97 err=0 Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: activity on 1 descriptor Apr 1 23:44:04 flip slapd[9255]: daemon: activity on: Apr 1 23:44:04 flip slapd[9255]: 54r Apr 1 23:44:04 flip slapd[9255]: Apr 1 23:44:04 flip slapd[9255]: daemon: read active on 54 Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=8 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=9 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=10 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: daemon: epoll: listen=11 active_threads=0 tvp=zero Apr 1 23:44:04 flip slapd[9255]: connection_get(54) Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=1 RESULT tag=97 err=0 text= Apr 1 23:44:04 flip slapd[9255]: connection_get(54): got connid=1378 Apr 1 23:44:04 flip slapd[9255]: connection_read(54): checking for input on id=1378 Apr 1 23:44:04 flip slapd[9255]: op tag 0x68, time 1333338244 Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=2 do_add Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=2 do_add: dn (cn=test_group,ou=general,ou=groups,dc=example,dc=net) Apr 1 23:44:04 flip slapd[9255]: >>> dnPrettyNormal: <cn=test_group,ou=general,ou=groups,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: <<< dnPrettyNormal: <cn=test_group,ou=general,ou=groups,dc=example,dc=net>, <cn=test_group,ou=general,ou=groups,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: conn=1378 op=2 ADD dn="cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 flip slapd[9255]: >>> dnPretty: <uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: <<< dnPretty: <uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: >>> dnNormalize: <uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: <<< dnNormalize: <uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: bdb_dn2entry("cn=test_group,ou=general,ou=groups,dc=example,dc=net") Apr 1 23:44:04 flip slapd[9255]: => hdb_dn2id("cn=test_group,ou=general,ou=groups,dc=example,dc=net") Apr 1 23:44:04 flip slapd[9255]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988) Apr 1 23:44:04 flip slapd[9255]: hdb_referrals: tag=104 target="cn=test_group,ou=general,ou=groups,dc=example,dc=net" matched="ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 flip slapd[9255]: ==> unique_add <cn=test_group,ou=general,ou=groups,dc=example,dc=net> Apr 1 23:44:04 flip slapd[9255]: ==> hdb_add: cn=test_group,ou=general,ou=groups,dc=example,dc=net Apr 1 23:44:04 flip slapd[9255]: oc_check_required entry (cn=test_group,ou=general,ou=groups,dc=example,dc=net), objectClass "groupOfNames" Apr 1 23:44:04 flip slapd[9255]: oc_check_allowed type "objectClass" Apr 1 23:44:04 flip slapd[9255]: oc_check_allowed type "description" Apr 1 23:44:04 flip slapd[9255]: oc_check_allowed type "cn" Apr 1 23:44:04 flip slapd[9255]: oc_check_allowed type "member" Apr 1 23:44:04 flip slapd[9255]: oc_check_allowed type "structuralObjectClass" Apr 1 23:44:04 flip slapd[9255]: slap_queue_csn: queing 0xb2fcd8ce 20120402034404.808333Z#000000#000#000000 Apr 1 23:44:04 flip slapd[9255]: bdb_dn2entry("cn=test_group,ou=general,ou=groups,dc=example,dc=net") Apr 1 23:44:04 flip slapd[9255]: => hdb_dn2id("cn=test_group,ou=general,ou=groups,dc=example,dc=net") Apr 1 23:44:04 flip slapd[9255]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988) Apr 1 23:44:04 flip slapd[9255]: => access_allowed: add access to "ou=general,ou=groups,dc=example,dc=net" "children" requested Apr 1 23:44:04 flip slapd[9255]: <= root access granted Apr 1 23:44:04 flip slapd[9255]: => access_allowed: add access granted by manage(=mwrscxd) Apr 1 23:44:04 flip slapd[9255]: => access_allowed: add access to "cn=test_group,ou=general,ou=groups,dc=example,dc=net" "entry" requested Apr 1 23:44:04 flip slapd[9255]: <= root access granted Apr 1 23:44:04 flip slapd[9255]: => access_allowed: add access granted by manage(=mwrscxd) Apr 1 23:44:04 flip slapd[9255]: => hdb_dn2id_add 0xe8: "cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 flip slapd[9255]: <= hdb_dn2id_add 0xe8: 0 Apr 1 23:44:04 flip slapd[9255]: => index_entry_add( 232, "cn=test_group,ou=general,ou=groups,dc=example,dc=net" ) Apr 1 23:44:04 flip slapd[9255]: => key_change(ADD,e8) Apr 1 23:44:04 flip slapd[9255]: bdb_idl_insert_key: e8 [0096defd] Apr 1 23:44:04 flip slapd[9255]: <= key_change 0 Apr 1 23:44:04 flip slapd[9255]: => key_change(ADD,e8) Apr 1 23:44:04 flip slapd[9255]: bdb_idl_insert_key: e8 [c14a3e76] Apr 1 23:44:04 flip slapd[9255]: <= key_change 0 Apr 1 23:44:04 flip slapd[9255]: => key_change(ADD,e8) Apr 1 23:44:04 flip slapd[9255]: bdb_idl_insert_key: e8 [943e86da] Apr 1 23:44:04 flip slapd[9255]: <= key_change 0 Apr 1 23:44:04 flip slapd[9255]: => key_change(ADD,e8) Apr 1 23:44:04 flip slapd[9255]: bdb_idl_insert_key: e8 [c866ab14] Apr 1 23:44:04 flip slapd[9255]: <= key_change 0 consumer log entries: Apr 1 23:44:04 exo slapd[8007]: daemon: activity on 1 descriptor Apr 1 23:44:04 exo slapd[8007]: daemon: activity on: Apr 1 23:44:04 exo slapd[8007]: 12r Apr 1 23:44:04 exo slapd[8007]: Apr 1 23:44:04 exo slapd[8007]: daemon: read active on 12 Apr 1 23:44:04 exo slapd[8007]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Apr 1 23:44:04 exo slapd[8007]: daemon: epoll: listen=9 active_threads=0 tvp=NULL Apr 1 23:44:04 exo slapd[8007]: connection_get(12) Apr 1 23:44:04 exo slapd[8007]: connection_get(12): got connid=0 Apr 1 23:44:04 exo slapd[8007]: =>do_syncrepl rid=000 Apr 1 23:44:04 exo slapd[8007]: =>do_syncrep2 rid=000 Apr 1 23:44:04 exo slapd[8007]: do_syncrep2: rid=000 cookie=rid=000,csn=20120402034404.869559Z#000000#000#000000 Apr 1 23:44:04 exo slapd[8007]: >>> dnPrettyNormal: <uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: <<< dnPrettyNormal: <uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net>, <uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: slap_queue_csn: queing 0x7f6bd2694710 20120402034404.869559Z#000000#000#000000 Apr 1 23:44:04 exo slapd[8007]: >>> dnPretty: <cn=test_group,ou=general,ou=groups,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: <<< dnPretty: <cn=test_group,ou=general,ou=groups,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: >>> dnNormalize: <cn=test_group,ou=general,ou=groups,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: <<< dnNormalize: <cn=test_group,ou=general,ou=groups,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: >>> dnPretty: <uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: <<< dnPretty: <uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: >>> dnNormalize: <uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: <<< dnNormalize: <uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net> Apr 1 23:44:04 exo slapd[8007]: => bdb_entry_get: ndn: "uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: => bdb_entry_get: oc: "(null)", at: "(null)" Apr 1 23:44:04 exo slapd[8007]: bdb_dn2entry("uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net") Apr 1 23:44:04 exo slapd[8007]: => bdb_entry_get: found entry: "uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: bdb_entry_get: rc=0 Apr 1 23:44:04 exo slapd[8007]: hdb_modify: uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net Apr 1 23:44:04 exo slapd[8007]: bdb_dn2entry("uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net") Apr 1 23:44:04 exo slapd[8007]: bdb_modify_internal: 0x0000001a: uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net Apr 1 23:44:04 exo slapd[8007]: <= acl_access_allowed: granted to database root Apr 1 23:44:04 exo slapd[8007]: bdb_modify_internal: add memberOf Apr 1 23:44:04 exo slapd[8007]: dnMatch 17#012#011"cn=dummy_default,ou=dummy_groups,ou=other,ou=groups,dc=example,dc=net"#012#011"cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: dnMatch -19#012#011"cn=all_people,ou=general,ou=groups,dc=example,dc=net"#012#011"cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: dnMatch 2#012#011"cn=docs,ou=flip,ou=servers,ou=groups,dc=example,dc=net"#012#011"cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: dnMatch 5#012#011"cn=monitor,ou=flip,ou=servers,ou=groups,dc=example,dc=net"#012#011"cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: dnMatch 5#012#011"cn=systems,ou=flip,ou=servers,ou=groups,dc=example,dc=net"#012#011"cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: dnMatch 14#012#011"cn=mail_submitters-non_auth,ou=general,ou=groups,dc=example,dc=net"#012#011"cn=test_group,ou=general,ou=groups,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: bdb_modify_internal: replace modifiersName Apr 1 23:44:04 exo slapd[8007]: bdb_modify_internal: replace entryCSN Apr 1 23:44:04 exo slapd[8007]: bdb_modify_internal: replace modifyTimestamp Apr 1 23:44:04 exo slapd[8007]: oc_check_required entry (uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net), objectClass "inetOrgPerson" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "uid" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "objectClass" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "sn" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "cn" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "structuralObjectClass" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "entryUUID" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "creatorsName" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "createTimestamp" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "memberOf" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "modifiersName" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "entryCSN" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "modifyTimestamp" Apr 1 23:44:04 exo slapd[8007]: => key_change(DELETE,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_delete_key: 1a Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a [768b75dc] Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a [7f0c99d1] Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a [0f345f5f] Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a [86c8d479] Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a [da3d54f3] Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a [8d6b497f] Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a [144a6a9d] Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => key_change(ADD,1a) Apr 1 23:44:04 exo slapd[8007]: bdb_idl_insert_key: 1a Apr 1 23:44:04 exo slapd[8007]: <= key_change 0 Apr 1 23:44:04 exo slapd[8007]: => entry_encode(0x0000001a): Apr 1 23:44:04 exo slapd[8007]: <= entry_encode(0x0000001a): Apr 1 23:44:04 exo slapd[8007]: hdb_modify: updated id=0000001a dn="uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: send_ldap_result: conn=-1 op=0 p=0 Apr 1 23:44:04 exo slapd[8007]: send_ldap_result: err=0 matched="" text="" Apr 1 23:44:04 exo slapd[8007]: slap_graduate_commit_csn: removing 0x7f6bd267ec10 20120402034404.869559Z#000000#000#000000 Apr 1 23:44:04 exo slapd[8007]: syncrepl_message_to_op: rid=000 be_modify uid=dummy_default,ou=dummy_accounts,ou=other,ou=accounts,dc=example,dc=net (0) Apr 1 23:44:04 exo slapd[8007]: slap_queue_csn: queing 0x7f6bd268f8c0 20120402034404.869559Z#000000#000#000000 Apr 1 23:44:04 exo slapd[8007]: => bdb_entry_get: ndn: "dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: => bdb_entry_get: oc: "(null)", at: "(null)" Apr 1 23:44:04 exo slapd[8007]: bdb_dn2entry("dc=example,dc=net") Apr 1 23:44:04 exo slapd[8007]: => bdb_entry_get: found entry: "dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: bdb_entry_get: rc=0 Apr 1 23:44:04 exo slapd[8007]: hdb_modify: dc=example,dc=net Apr 1 23:44:04 exo slapd[8007]: bdb_dn2entry("dc=example,dc=net") Apr 1 23:44:04 exo slapd[8007]: bdb_modify_internal: 0x00000001: dc=example,dc=net Apr 1 23:44:04 exo slapd[8007]: <= acl_access_allowed: granted to database root Apr 1 23:44:04 exo slapd[8007]: bdb_modify_internal: replace contextCSN Apr 1 23:44:04 exo slapd[8007]: oc_check_required entry (dc=example,dc=net), objectClass "organization" Apr 1 23:44:04 exo slapd[8007]: oc_check_required entry (dc=example,dc=net), objectClass "dcObject" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "dc" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "objectClass" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "o" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "structuralObjectClass" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "entryUUID" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "creatorsName" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "createTimestamp" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "l" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "st" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "postalCode" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "entryCSN" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "modifiersName" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "modifyTimestamp" Apr 1 23:44:04 exo slapd[8007]: oc_check_allowed type "contextCSN" Apr 1 23:44:04 exo slapd[8007]: => entry_encode(0x00000001): Apr 1 23:44:04 exo slapd[8007]: <= entry_encode(0x00000001): Apr 1 23:44:04 exo slapd[8007]: hdb_modify: updated id=00000001 dn="dc=example,dc=net" Apr 1 23:44:04 exo slapd[8007]: send_ldap_result: conn=-1 op=0 p=0 Apr 1 23:44:04 exo slapd[8007]: send_ldap_result: err=0 matched="" text="" Apr 1 23:44:04 exo slapd[8007]: slap_graduate_commit_csn: removing 0x7f6bd2674970 20120402034404.869559Z#000000#000#000000 Apr 1 23:44:04 exo slapd[8007]: daemon: activity on 1 descriptor Apr 1 23:44:04 exo slapd[8007]: daemon: activity on: Apr 1 23:44:04 exo slapd[8007]: Apr 1 23:44:04 exo slapd[8007]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Apr 1 23:44:04 exo slapd[8007]: daemon: epoll: listen=9 active_threads=0 tvp=NULL

3 3

RE: Solaris client configuration
by Juergen.Sprenger＠swisscom.com 02 Apr '12

02 Apr '12

Hi Sara, what You listed is just a part of which has to be done to get a Solaris client authenticated against an OpenLDAP server. Recommended steps: - upgrade to OpenLDAP 2.4.30 - upgrade and patch Solaris. You didn't mention the release level of Your Solaris box, and there are quite some patches out which affect Solaris LDAP client. Consult file /etc/release on that box. - beside output of 'ldapclient list' have a look at config files /etc/nsswitch.conf and /etc/pam.conf - use more than just one LDAP server in production. - check Your setup by running ldaplist, getent passwd and getent group - don't edit files in /var/ldap manually, use ldapclient - get access to a Solaris person at Your site. - use duaconfig profiles in Your LDAP server to provide standard configs. - get proper set up certificates with X509v3 Subject Alternative Names. Solaris client will need that. - check first whether client is working properly without tls to detect a certificate issue. - sample output of 'ldapclient list': NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= cn=ourAgent,dc=ourdomain,dc=com NS_LDAP_BINDPASSWD= ={NS1}ourpassword NS_LDAP_SERVERS= oly-infra-ldap1.ourdomain.com, oly-infra-ldap2.ourdomain.com, oly-infra-ldap3.ourdomain.com, oly-infra-ldap4.ourdomain.com NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=com NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 30 NS_LDAP_CACHETTL= 0 NS_LDAP_PROFILE= default NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=sudoers,dc=ourdomain,dc=com?one NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=Account,dc=ourdomain,dc=com?one NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=Account,dc=ourdomain,dc=com?one NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=ourdomain,dc=com?one NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=ourdomain,dc=com?one NS_LDAP_BIND_TIME= 2 - Ymmv depending on Your environment. Not all arising questions will fit into this mailing list. Regards Juergen Sprenger -----Original Message----- Message: 2 Date: Thu, 29 Mar 2012 10:55:10 -0700 From: "Kline, Sara" <SKline(a)tnsi.com> To: "openldap-technical(a)openldap.org" <openldap-technical(a)openldap.org> Subject: Solaris client configuration Message-ID: <C0C9408742654B429ECD3D1FF11A118D16EB097A0D(a)TNS-MAIL-NA1.win2k.corp.tnsi.com> Content-Type: text/plain; charset="us-ascii" Hey all, I am trying to get a Solaris 10 client to authenticate to our OpenLDAP (2.3.43) server, which was built on Red Hat 5.7. Linux clients (RHEL 4,5 and 6, and Oracle 5.7) authenticate without issue. I think it may be a simple misconfiguration but I am really not a Solaris person at all. Would someone be willing to send an ldapclient list to me? I would really appreciate it. Steps I have taken: 1. Imported the SSL cert according to Oracle's instructions 2. Made the 3 files cert8, keys3, and secmod readable to everyone with chmod 444 My current ldapclient list looks like this: LDAP_CLIENT_FILE_VERSION= 2.0 NS_LDAP_BINDDN= cn=admin,dc=prod,dc=ourdomain,dc=com NS_LDAP_BINDPASSWD={NS1}ourpassword NS_LDAP_SERVERS=oly-infra-ldap1 (this is how the name appears on the cert, it is in the hosts file) NS_LDAP_SEARCH_BASEDN=dc=prod,dc=ourdomain,dc=com NS_LDAP_AUTH=tls:simple NS_LDAP_CACHETTL=0 NS_LDAP_CREDENTIAL_LEVEL=proxy NS_LDAP_SERVICE_AUTH_METHOD=pam_ldap:tls:simple NS_LDAP_HOST_CERTPATH=/var/ldap Any help would be greatly appreciated. Sara Kline System Administrator Transaction Network Services, Inc 4501 Intelco Loop, Lacey WA 98503 Wk: (360) 493-6736 Cell: (360) 280-2495

1 0

LDAP transactions
by Chris Card 02 Apr '12

02 Apr '12

Hi all, what is the current state of the support for LDAP transactions (http://tools.ietf.org/html/rfc5805) in openldap? I can see code for it, protected by #ifdef LDAP_X_TXN, but it looks like it hasn't been touched for several years. Does the code work? Is anyone actively working on it? If not, are there any plans to in the future? Chris

1 0

problem with ldap backend
by Alex Samad - Yieldbroker 01 Apr '12

01 Apr '12

Hi I am trying to setup a connection from openldap to MS AD I am using this dn: olcDatabase={3}ldap objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {3}ldap olcSuffix: dc=xyz,dc=com olcAccess: {0}to dn.base="" by * read olcAccess: {1}to dn.base="cn=Subschema" by * read olcAccess: {2}to * by self write by users read by anonymous auth olcReadOnly: TRUE olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth olcSizeLimit: 500 olcDbURI: "ldap://dc101. xyz.com ldap://dc201. xyz.com" olcDbRebindAsUser: TRUE olcDbChaseReferrals: TRUE This works fine when I pass a bind DN. I would like to convert this to allow anon access to ldap, which does a user bind to MS AD so I added this olcdbaclbind: bindmethod=simple binddn="CN=ad readonly,OU= xyz,DC= xyz,DC=com" credentials="secret" starttls=no but it is not working, I can not make a anon search request, they retrieve any thing frome the MSAD ldap server. Thanks

2 4

REL_ENG versions produce different libraries?
by Nick Milas 01 Apr '12

01 Apr '12

Hi, I noticed that in an installation of openldap-ltb 2.4.30 the libraries are in the form: "libldap-2.4.so.2" etc. However, in an installation of a pre-30 (e.g. openldap-OPENLDAP_REL_ENG_2_4-eb3ea42.tar.gz with LTB 2.4.28 src.rpm on Centos 5.7 64bit) I see that libraries are in the form: "libldap-2.4-releng.so.2" etc. I guess these differences between the (names of the) libraries of the official release and the REL_ENG are intentional. (Probably to emphasize the fact that the package is not final.) ***The Question***: What should we change so as to build the package as a normal (i.e. non-test) package? This will allow better compatibility on the system (where the package is tested), because packages built with ldap lib dependencies expect the same ldap lib names (liblber-2.4.so.2 and libldap-2.4.so.2). I would expect some "test" parameter in build/version.var, but I didn't see any. An easy solution could be to edit build/version.sh to remove "-releng", but I don't think this is the best approach. Please advise. Thanks, Nick

4 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2012