HowTo index generalizedTimeOrderingMatch
by Meike Stone
Hello,
I have in my own schema an attribute defined:
attributetype (1.3.6.1.4....
NAME ('InsertTime')
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
)
Now I can use this in searches, but it takes very long.
So I want to index it for searching:
* greater (">=")
* less ("<=")
Is it possible and how can I do this?
I have only seen "eq" and "pres".
Thanks in advance Meike
11 years, 1 month
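An added example, not from the post, of the index directive I would add for this. The database stanza, suffix and directory are placeholders; InsertTime is the poster's attribute.

```conf
# slapd.conf fragment (added example, not from the post). The database
# type, suffix and directory below are assumed.
database    hdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap

# slapd has no separate "ordering" index type: the accepted types are
# pres, eq, approx and sub. For an attribute whose ORDERING rule is
# generalizedTimeOrderingMatch (or integerOrderingMatch) the eq index is
# built with order-preserving keys, and slapd uses that same eq index to
# answer (InsertTime>=...) and (InsertTime<=...) filters, not only
# equality. So "eq" is the index you want; "pres" covers (InsertTime=*).
index       objectClass     eq
index       InsertTime      eq,pres

# After adding the index line, stop slapd and (re)build the index files
# as the user slapd runs as, then start it again:
#   slapindex -f /etc/openldap/slapd.conf -b "dc=example,dc=com"
# The filter value must be in the attribute's own syntax, e.g.
#   (InsertTime>=20120101000000Z)
```

I have relied on the eq index serving range filters with 2.4's back-bdb/hdb and back-mdb; confirm it on your own version by timing the >= search before and after slapindex. Without the rebuild, an index added to the configuration is empty for existing entries and the search stays slow.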
OpenLDAP group syncing
by dhanushka ranasinghe
Hi guys,
I have a master LDAP server and it has a group called:
cn=internal,ou=group,dc=example,dc=com
The users of this group are:
uid=user1,ou=staff,dc=example,dc=com
uid=user2,ou=staff,dc=example,dc=com
and I want to sync these users to a slave LDAP server, under OU=staff.
In my slave config file I used the following configuration:
syncrepl rid=004
provider=ldap://masterldapserver
bindmethod=simple
binddn="cn=admin,dc=example,dc=com"
credentials="passWord"
searchbase="cn=internal,ou=group,dc=example,dc=com"
schemachecking=off
type=refreshAndPersist
retry="60 +"
Sync seems to be working fine, but the users appear as in [1] and not under OU=staff:
[1]
dn: cn=internal,ou=group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: internal
member: uid=user1,ou=user,dc=example,dc=com
member: uid=user1,ou=user,dc=example,dc=com
Is there any way to sort out this issue?
Thank You
Dhanushka
11 years, 1 month
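An added example, not the poster's configuration, of how I would write the consumer stanza instead. syncrepl copies the entries it finds under searchbase; it does not follow the DNs listed in a group's member attribute, so a searchbase of cn=internal,ou=group,... can only ever produce the group entry itself. The user entries have to be in scope of the search. The consumer suffix, the replicator identity and its password, the objectClasses and the TLS setting are all assumptions.

```conf
# Added example (not from the post). Replaces the posted rid=004 stanza.
# Assumes the consumer database has suffix dc=example,dc=com, that users
# are inetOrgPerson and groups are groupOfNames, and that the provider
# offers STARTTLS with a certificate the consumer trusts.
syncrepl rid=004
         provider=ldap://masterldapserver
         type=refreshAndPersist
         retry="60 +"
         bindmethod=simple
         # a dedicated read-only replication account; cn=admin's password
         # should not sit in clear in every consumer's config
         binddn="cn=replicator,dc=example,dc=com"
         credentials="replicator-password"
         starttls=critical
         # search from the suffix and select both the users and the group,
         # so the group's member DNs and the member entries both arrive
         searchbase="dc=example,dc=com"
         scope=sub
         filter="(|(objectClass=inetOrgPerson)(objectClass=groupOfNames))"
         schemachecking=on
```

The provider's ACLs must let cn=replicator read every entry and attribute that the filter selects, otherwise those entries are silently absent on the consumer. If only the members of cn=internal are wanted rather than all staff, a filter on memberOf would express that, but that attribute only exists when the memberof overlay is loaded on the provider, which the post does not show.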
Can't login with ldap user
by zingalo
Hi,
When trying to log in from my Ubuntu 11.10 laptop using the LDAP user zingalo,
a black screen appears and it comes back to the login screen.
Could you please take a look at this paste of syslog and tell me what
I have to fix?
http://pastebin.com/k0dQq6NN
There are many lines!
Thanks
11 years, 1 month
openldap to AD proxy
by Alex Samad - Yieldbroker
Hi
I am still struggling with my openldap to AD proxy connection.
I have successfully connected such that I can do a search when I bind to openldap with an AD DN, but I want to be able to do an anonymous search and I want anonymous to map through to a DN I have created in AD which has read-only rights.
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * read
olcReadOnly: TRUE
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcSizeLimit: 500
olcSuffix: dc=xyz,dc=com
olcDburi: "ldap://ldap.xyz.com"
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcdbaclbind: bindmethod=simple binddn="CN=ad readonly,OU=YB Services,OU=xyz,DC=xyz,DC=com" credentials=":)" starttls=no
olcDbIDAssertBind: bindmethod=none binddn="CN=ad readonly,OU=YB Services,OU=xyz,DC=xyz,DC=com" credentials=":)" starttls=no
I have a subordinate db at ou=external,DC=xyz,DC=com
I can do a
ldapsearch -x -D "CN=ad readonly,OU=YB Services,OU=xyz,DC=xyz,DC=com" -b "DC=xyz,DC=com" -w :)
what I can't do is
ldapsearch -x -b "DC=xyz,DC=com"
I am thinking I want to map anonymous requests through to the read-only DN, but still leave it such that when people bind to openldap as themselves they bind to AD as themselves.
How would I do that?
Thanks
Alex
11 years, 1 month
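An added example of the change I would try, not the poster's configuration; the password and the TLS settings are assumptions. In the posted entry the identity-assertion bind has bindmethod=none, so for a client that did not bind the proxy opens an unauthenticated connection to AD, and the default (legacy) assertion mode then asserts the client's own identity, which is again anonymous; AD refuses both. With bindmethod=simple and mode=none the proxy binds to AD as the read-only account and runs the anonymous client's operations as that account, without a proxyAuthz control. Clients that bind are still rebound as themselves through olcDbRebindAsUser, since without the override flag identity assertion is not applied to a connection the client authenticated itself on. That is my reading of slapd-ldap(5); check it with one bound and one unbound ldapsearch against the proxy.

```ldif
# Added example (not the poster's config). Apply with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f idassert.ldif
# which works because the posted olcRootDN is the peercred identity.
# A continuation line in LDIF starts with one space that is stripped;
# the second space is the real separator between the parameters.
dn: olcDatabase={3}ldap,cn=config
changetype: modify
replace: olcDbIDAssertBind
olcDbIDAssertBind: bindmethod=simple
  binddn="CN=ad readonly,OU=YB Services,OU=xyz,DC=xyz,DC=com"
  credentials="<read-only account password>"
  mode=none
  starttls=critical
-
```

With ldap:// and starttls=no, as posted, the service account's password and every user's password cross the network in clear; starttls=critical assumes the AD side offers STARTTLS and the proxy trusts its certificate chain. If you later need to limit which local identities may be asserted, olcDbIDAssertAuthzFrom (idassert-authzFrom in slapd-ldap(5)) is the knob for that.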
SMB+OPENLDAP
by Alejandro Iacobelli
Hello to all, my name is Alejandro and I have a little question for this list.
I created, 6 years ago, an LDAP+SMB project for a big company. Back then, Samba (Lenny server) only worked with NT hashes, but now (Squeeze server) they want to authenticate with Win7 (ntlm2 protocols), and configuring Windows 7 to accept old NT hashes is not an option. I want to update ONLY the smb package from samba (2:3.2.5-4lenny15) to samba (2:3.5.6~dfsg-3squeeze8).
My question is this:
Can you give me some information about whether OpenLDAP could crash if I only update the Samba module and not the LDAP one? I need to know if something could go wrong in the relation with OpenLDAP. (I will not touch OpenLDAP because I've modified that version myself.)
11 years, 1 month
Re: Slapd Error
by Andy Carlson
Michael,
Thanks for your help. We found that it was the audit log that was slightly over 2GB, so I cleaned that up and it is good now.
Andy Carlson
Moody Bible Institute
Identity Administrator | Information Systems
312-329-4385
www.moody.edu
Michael Ströder <michael(a)stroeder.com> wrote:
Andy Carlson wrote:
> Here are the files [..]
And what does ulimit -a say?
Ciao, Michael.
11 years, 1 month
Slapd Error
by Andy Carlson
I am running OpenLDAP 2.4.11 and I am getting an error when I attempt to modify, delete, or add to the directory with a credentialed user (this has worked perfectly for the past few years). I ran the server at debug level and, with respect to my modify request, I am getting the following results:
bdb_modify: updated id=00013892 dn="mbiUniqueID=669103f11bb82ef68f6adbcf75216c1b,ou=people, dc=XXXXXX,dc=XXX "
send_ldap_result: conn=1057 op=1 p=3
send_ldap_result: err=0 matched="" text=""
=> bdb_entry_get: ndn: "mbiUniqueID=669103f11bb82ef68f6adbcf75216c1b,ou=people, dc=XXXXXX,dc=XXX "
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("mbiUniqueID=669103f11bb82ef68f6adbcf75216c1b,ou=people, dc=XXXXXX,dc=XXX ")
=> bdb_entry_get: found entry: "mbiUniqueID=669103f11bb82ef68f6adbcf75216c1b,ou=people, dc=XXXXXX,dc=XXX "
bdb_entry_get: rc=0
=> test_filter
PRESENT
=> access_allowed: search access to "mbiUniqueID=669103f11bb82ef68f6adbcf75216c1b,ou=people, dc=XXXXXX,dc=XXX " "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 6
syncprov_matchops: sid 000 fscope 1 rc 6
./slapd-PRODM1: line 227: 26203 File size limit exceeded$SLAPD_BIN -h "$SLAPD_SERVICES" $SLAPD_PARAMS
slapd-PRODM1[26473]: [ALERT] slapd not running
Also, the service script in /etc/init.d is named slapd-PRODM1. The line number given in the second to last line of the error corresponds to the line where the start_slapd function (to start the service) is declared. The function is as follows:
start_slapd() {
    # Check if db_recover is required
    if [ $RECOVER_AT_STARTUP -eq 1 ]
    then
        db_recover
    else
        message "info" "[INFO] no db_recover done"
    fi
    # Start message
    message "info" "Launching OpenLDAP..."
    # File descriptor limit, only for root
    if [ `id -u` -eq 0 ]
    then
        ulimit -n $FD_LIMIT
        if [ $? -eq 0 ]
        then
            message "info" "[OK] file descriptor limit set to $FD_LIMIT"
        else
            message "warning" "[WARNING] Fail to set file descriptor limit to $FD_LIMIT, going to next step"
        fi
    else
        message "info" "[INFO] file descriptor limit not modified (require root privileges)"
    fi
    # Parameters
    # if [ "$SLAPD_CONF" ]
    # then
    #     SLAPD_PARAMS="$SLAPD_PARAMS -f $SLAPD_CONF"
    # fi
    # if [ "$SLAPDD_DIR" ]
    # then
    #     SLAPD_PARAMS="$SLAPD_PARAMS -F $SLAPDD_DIR"
    # fi
    SLAPD_PARAMS="$SLAPD_PARAMS $SLAPD_CONF_LOAD"
    if [ "$SLAPD_USER" -a `id -u` -eq 0 ]
    then
        SLAPD_PARAMS="$SLAPD_PARAMS -u $SLAPD_USER"
    fi
    if [ "$SLAPD_GROUP" -a `id -u` -eq 0 ]
    then
        SLAPD_PARAMS="$SLAPD_PARAMS -g $SLAPD_GROUP"
    fi
    # It's time to start slapd
    $SLAPD_BIN -h "$SLAPD_SERVICES" $SLAPD_PARAMS
    sleep 1
    # Presence of PID file
    if [ ! -r $SLAPD_PID_FILE ]
    then
        message "alert" "[ALERT] no PID file for slapd"
        exit 1
    fi
    # Is slapd launched?
    PID=`cat $SLAPD_PID_FILE`
    if [ ! -e /proc/$PID ]
    then
        message "alert" "[ALERT] slapd not running"
        exit 1
    else
        message "info" "[OK] OpenLDAP started on port $PORT"
    fi
}
It should be noted that this machine has been working without problems for the past year or more, so I can only assume that the "File Size Limit Exceeded" error above relates to one of the Berkeley DB files. Is this correct? Let me know if you have any thoughts. Thanks much!
Andy Carlson
Moody Bible Institute
Identity Administrator | Information Systems
312-329-4385
www.moody.edu
11 years, 1 month
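An added example, not from the thread, of the check I would run after seeing that message. "File size limit exceeded" is the shell reporting a child killed by SIGXFSZ, which the kernel sends when a write would push a file past the process's RLIMIT_FSIZE (the value `ulimit -f` prints, in 1024-byte blocks); the init script above only raises the descriptor limit (-n), not the file-size limit (-f), and the follow-up in this thread found a 2GB audit log. The directory names are assumptions; the script needs only POSIX sh, find and wc.

```sh
#!/bin/sh
# Added example (not part of the thread): list files that are close to the
# per-process file-size limit, the limit whose violation kills slapd with
# SIGXFSZ ("File size limit exceeded").

# Convert an `ulimit -f` value (1024-byte blocks, or "unlimited") to bytes.
# Prints nothing for "unlimited".
fsize_limit_bytes() {
    case "$1" in
        unlimited|"") ;;
        *) echo $(( $1 * 1024 )) ;;
    esac
}

# Print "SIZE PATH" for every regular file under DIR... whose size is at
# least PCT percent of LIMIT_BYTES.
# Usage: files_near_limit LIMIT_BYTES PCT DIR...
files_near_limit() {
    limit=$1
    pct=$2
    shift 2
    threshold=$(( limit * pct / 100 ))
    find "$@" -type f 2>/dev/null | while read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -ge "$threshold" ]; then
            echo "$size $f"
        fi
    done
}

# Check the directories slapd writes to (database directory, audit and
# other logs; the paths are assumed) against the calling shell's limit.
# Run it as the user slapd runs as, because RLIMIT_FSIZE is inherited
# from that user's session, not from root's.
# Usage: check_slapd_dirs /var/lib/ldap /var/log/slapd
check_slapd_dirs() {
    limit=$(fsize_limit_bytes "$(ulimit -f)")
    if [ -z "$limit" ]; then
        echo "ulimit -f is unlimited; RLIMIT_FSIZE cannot be the cause"
        return 0
    fi
    files_near_limit "$limit" 90 "$@"
}
```

If `ulimit -f` in slapd's session is finite and a file shows up at 90% or more, rotate or truncate it before restarting; raising the limit in the init script (the same place it already sets `ulimit -n`) is the permanent fix, and `ulimit -a`, as asked in the reply, shows every limit the service inherits.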
slapadd hanging initializing mdb backend
by Mark
When I try to slapadd initial data into an empty mdb backend, the slapadd
hangs:
$ /tmp/openldap-2.4.31/sbin/slapadd -w -S 1 -c -F
/tmp/openldap-2.4.31/etc/slapd.d -b dc=example,dc=com -l
/tmp/openldap-2.4.31/etc/initdb.ldif
_#################### 100.00% eta none elapsed none fast!
(does not return to a shell prompt. I have to INT it.)
I add '-d -1' to get some debugging output and I get this after removing
the data.mdb and lock.mdb created above:
$ /tmp/openldap-2.4.31/sbin/slapadd -d -1 -w -S 1 -c -F
/tmp/openldap-2.4.31/etc/slapd.d -b dc=example,dc=com -l
/tmp/openldap-2.4.31/etc/initdb.ldif
(lines removed for brevity but can be submitted if need be)
4f9ea9c0 => str2entry: "dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users
"
4f9ea9c0 >>> dnPrettyNormal: <ou=Users,dc=example,dc=com>
4f9ea9c0 <<< dnPrettyNormal: <ou=Users,dc=example,dc=com>,
<ou=users,dc=example,dc=com>
4f9ea9c0 <= str2entry(ou=Users,dc=example,dc=com) -> 0x6afeba8
4f9ea9c0 oc_check_required entry (ou=Users,dc=example,dc=com), objectClass
"organizationalUnit"
4f9ea9c0 oc_check_allowed type "objectClass"
4f9ea9c0 oc_check_allowed type "ou"
4f9ea9c0 oc_check_allowed type "structuralObjectClass"
4f9ea9c0 => mdb_tool_entry_put( -1, "ou=Users,dc=example,dc=com" )
4f9ea9c0 => mdb_dn2id("ou=users,dc=example,dc=com")
4f9ea9c0 <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair
found (-30798)
4f9ea9c0 => mdb_dn2id_add 0x6: "ou=users,dc=example,dc=com"
4f9ea9c0 <= mdb_dn2id_add 0x6: 0
4f9ea9c0 => index_entry_add( 6, "ou=Users,dc=example,dc=com" )
4f9ea9c0 mdb_idl_insert_keys: 6 [9bee355f]
4f9ea9c0 mdb_idl_insert_keys: 6 [ef1184ca]
4f9ea9c0 mdb_idl_insert_keys: 6
4f9ea9c0 <= index_entry_add( 6, "ou=Users,dc=example,dc=com" ) success
4f9ea9c0 => mdb_entry_encode(0x00000006): ou=Users,dc=example,dc=com
4f9ea9c0 <= mdb_entry_encode(0x00000006): ou=Users,dc=example,dc=com
4f9ea9c0 => mdb_dn2id("dc=example,dc=com")
4f9ea9c0 <= mdb_dn2id: got id=0x1
4f9ea9c0 => mdb_entry_decode:
4f9ea9c0 <= mdb_entry_decode
4f9ea9c0 => mdb_tool_entry_modify( 1, "(null)" )
(it's hung)
Here is the /tmp/openldap-2.4.31/etc/initdb.ldif:
### BEGIN INITDB.LDIF
dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
dc: example
o: example.com
dn: cn=manager,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: manager
userPassword: {SSHA}asif
dn: cn=replicator,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: replicator
userPassword: {SSHA}asif
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=LDAP Admins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: LDAP Admins
uniqueMember: cn=manager,dc=example,dc=com
dn: ou=Users,dc=example,dc=com
objectClass: organizationalUnit
ou: Users
### END INITDB.LDIF
I used the following slaptest commands to create the initial slapd.d/
directory from a slapd.conf file:
$ /tmp/openldap-2.4.31/sbin/slaptest -u -f
/tmp/openldap-2.4.31/etc/slapd.conf -F /tmp/openldap-2.4.31/etc/slapd.d
config file testing succeeded
$ /tmp/openldap-2.4.31/sbin/slaptest -f /tmp/openldap-2.4.31/etc/slapd.conf
-F /tmp/openldap-2.4.31/etc/slapd.d
4f9eab15 mdb_db_open: database "dc=example,dc=com" cannot be opened, err 2.
Restore from backup!
4f9eab15 backend_startup_one (type=mdb, suffix="dc=example,dc=com"):
bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
Here is the /tmp/openldap-2.4.31/etc/slapd.conf:
### BEGIN SLAPD.CONF
include /tmp/openldap-2.4.31/etc/schema/core.schema
include /tmp/openldap-2.4.31/etc/schema/cosine.schema
include /tmp/openldap-2.4.31/etc/schema/nis.schema
include /tmp/openldap-2.4.31/etc/schema/inetorgperson.schema
argsfile /tmp/openldap-2.4.31/var/run/slapd.args
pidfile /tmp/openldap-2.4.31/var/run/slapd.pid
threads 8
tool-threads 2
idletimeout 0
writetimeout 0
reverse-lookup off
loglevel stats
serverid 1 ldap://boardwalk:2389
modulepath /tmp/openldap-2.4.31/libexec
moduleload back_monitor.la
moduleload back_mdb.la
moduleload syncprov.la
password-hash {SSHA}
sizelimit unlimited
database config
rootdn "cn=manager,dc=example,dc=com"
access to *
by group="cn=LDAP Admins,ou=Groups,dc=example,dc=com" write
by users read
by * none
database monitor
rootdn "cn=manager,dc=example,dc=com"
access to *
by users read
by * none
database mdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
directory /tmp/openldap-2.4.31/var/data
index objectClass eq
index entryCSN eq
index entryUUID eq
syncrepl rid=001
provider=ldap://boardwalk:2389
type=refreshAndPersist
retry="15 +"
bindmethod=simple
binddn="cn=replicator,dc=example,dc=com"
credentials="asif"
searchbase="dc=example,dc=com"
starttls=no
schemachecking=off
syncrepl rid=002
provider=ldap://chance:2389
type=refreshAndPersist
retry="15 +"
bindmethod=simple
binddn="cn=replicator,dc=example,dc=com"
credentials="asif"
searchbase="dc=example,dc=com"
starttls=no
schemachecking=off
syncrepl rid=003
provider=ldap://freeparking:2389
type=refreshAndPersist
retry="15 +"
bindmethod=simple
binddn="cn=replicator,dc=example,dc=com"
credentials="asif"
searchbase="dc=example,dc=com"
starttls=no
schemachecking=off
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100
access to attrs=userPassword
by anonymous auth
by self write
by dn.exact="cn=replicator,dc=example,dc=com" read
by * none
access to *
by group="cn=LDAP Admins,ou=Groups,dc=example,dc=com" write
by dn.exact="cn=replicator,dc=example,dc=com" read
by users read
by * none
limits dn.exact="cn=replicator,dc=example,dc=com"
time.soft=unlimited time.hard=unlimited
size.soft=unlimited size.hard=unlimited
### END SLAPD.CONF
I compiled from the following source:
OpenLDAP 2.4.31
OpenSSL 1.0.1b
Cyrus-SASL 2.1.25
I am running in the following environment:
Dell Poweredge 2950; dual-core Intel(R) Xeon(R) CPU 5110 @ 1.60GHz; 8GB RAM
Scientific Linux 5.7
Am I doing something wrong (besides the ACLs for cn=LDAP
Admins,ou=Groups,dc=example,dc=com. I'm still struggling there) ?
Thank you,
Mark
11 years, 1 month
DEL don't get synced
by Marc Patermann
Hi,
under some circumstances DELs don't get replicated to the consumers
(SyncRepl). I think this has to do with other changes at the same moment.
I attached two log excerpts in sync.log.
In the first excerpt there is only a DEL:
Jan 31 09:16:01 ldapserver slapd[10641]: conn=79138 op=2 DEL
dn="employeeNumber=19676,ou=humans,ou=foo"
For this there is a
Jan 31 09:16:01 ldapserver slapd[10641]: syncprov_sendresp:
cookie=rid=401,csn=20120131081601.377028Z#000000#000#000000
line for every connected consumer.
In the second excerpt there is a MOD and a DEL:
Jan 31 10:31:01 ldapserver slapd[10641]: conn=79938 op=2 MOD
dn="ou=FA-WF,ou=gruppen,ou=humans,ou=foo"
Jan 31 10:31:01 ldapserver slapd[10641]: conn=79938 op=3 DEL
dn="employeeNumber=24387,ou=humans,ou=foo"
As far as I can see, there is only sync activity for the MOD action, and
not for the DEL action. The DEL is not synced.
Marc
11 years, 1 month
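An added example, not from the post, of how I would scan the provider's log for writes that never produced a syncprov_sendresp. It relies on the syslog timestamp in the first three fields, so it only pairs operations and responses that landed in the same second, and on the log carrying both the stats and sync levels. The lines inside the script are constructed in the shape of the ones quoted above, not copied from the real sync.log.

```sh
#!/bin/sh
# Added example (not part of the post): per-second comparison of write
# operations with syncprov_sendresp lines in a slapd log. Every write
# (ADD/MOD/DEL/MODRDN) on the provider should be followed by one
# syncprov_sendresp line per persist consumer, so a second in which
# sendresp < writes * consumers points at an operation that was not sent.

# Usage: sync_gaps CONSUMERS < slapd.log
sync_gaps() {
    awk -v n="$1" '
        { ts = $1 " " $2 " " $3 }                   # "Jan 31 10:31:01"
        / op=[0-9]+ (ADD|MOD|DEL|MODRDN) / { writes[ts]++ }
        /syncprov_sendresp:/                { sent[ts]++ }
        END {
            for (t in writes)
                if (sent[t] + 0 < writes[t] * n)
                    printf "%s writes=%d sendresp=%d expected=%d\n",
                           t, writes[t], sent[t] + 0, writes[t] * n
        }'
}

# Constructed sample, two consumers (rid=401 and rid=402 are assumed):
# the lone DEL at 09:16:01 is answered twice, the MOD+DEL at 10:31:01
# only twice in total, i.e. one of the two writes was never sent.
SAMPLE_LOG='Jan 31 09:16:01 ldapserver slapd[10641]: conn=79138 op=2 DEL dn="employeeNumber=19676,ou=humans,ou=foo"
Jan 31 09:16:01 ldapserver slapd[10641]: syncprov_sendresp: cookie=rid=401,csn=20120131081601.377028Z#000000#000#000000
Jan 31 09:16:01 ldapserver slapd[10641]: syncprov_sendresp: cookie=rid=402,csn=20120131081601.377028Z#000000#000#000000
Jan 31 10:31:01 ldapserver slapd[10641]: conn=79938 op=2 MOD dn="ou=FA-WF,ou=gruppen,ou=humans,ou=foo"
Jan 31 10:31:01 ldapserver slapd[10641]: conn=79938 op=3 DEL dn="employeeNumber=24387,ou=humans,ou=foo"
Jan 31 10:31:01 ldapserver slapd[10641]: syncprov_sendresp: cookie=rid=401,csn=20120131093101.100000Z#000000#000#000000
Jan 31 10:31:01 ldapserver slapd[10641]: syncprov_sendresp: cookie=rid=402,csn=20120131093101.100000Z#000000#000#000000'

# Runs sync_gaps over the constructed sample for two consumers and prints
# "Jan 31 10:31:01 writes=2 sendresp=2 expected=4".
demo_sync_gaps() {
    printf '%s\n' "$SAMPLE_LOG" | sync_gaps 2
}
```

A flagged second is a lead, not proof: a consumer that is slow or disconnected at that moment also produces fewer sendresp lines, so compare the flagged DN against `ldapsearch` on the consumer (and the contextCSN on both sides) before calling it a lost delete.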
Monitor : HOW TO ?
by Olivier
I have worked on, and looked for help with, configuring and using
slapd's monitor abilities under Red Hat 6, with no success.
Here is my monitor section:
cat /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}monitor.ldif
dn: olcDatabase={2}monitor,cn=config
objectclass: olcDatabaseConfig
olcaccess: {0}to * by dn.exact="cn=Manager,dc=exemple,dc=fr"
by * none
olcaddcontentacl: FALSE
olcdatabase: {2}monitor
olclastmod: TRUE
olcmaxderefdepth: 15
olcmonitoring: FALSE
olcreadonly: FALSE
olcsyncusesubentry: FALSE
….
slapd runs and responds:
# ldapsearch -x -D 'cn=Manager,dc=exemple,dc=fr' -W -b
'olcDatabase={2}monitor,cn=config' -s base 1.1
# {2}monitor, config
dn: olcDatabase={2}monitor,cn=config
# search result
search: 2
result: 0 Success
However I can't get any monitoring information:
$ ldapsearch -x -D 'cn=Manager,dc=exemple,dc=fr' -W -b 'cn=Monitor' -s base 1.1
# search result
search: 2
result: 32 No such object
Would you have any advice to use openldap monitoring abilities ?
# cat /etc/issue
Red Hat Enterprise Linux Server release 6.2 (Santiago)
# rpm -qa | grep openldap-servers
openldap-servers-2.4.23-20.el6.x86_64
# slapd -VVV
@(#) $OpenLDAP: slapd 2.4.23 (Oct 4 2011 07:43:22) $
mockbuild@x86-010.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
Thanks for any help one could provide !
---
Olivier
11 years, 1 month