openldap-technical May 2012

openldap-technical@openldap.org

76 participants
101 discussions

options for meta when using configuration backend
by Scott Koranda 15 May '12

15 May '12

Hi, I am using slapd 2.4.23 on Debian Squeeze. Is 'olcDbURI' the correct configuration option to use with the configuration backend? Put another way, is 'olcDbURI' the configuration backend analog of the 'uri' target specification option used in the slapd.conf file? If 'olcDbURI' is not the correct option I would be grateful to know the correct option to use. Thanks, Scott

2 3

extracting
by Alex Samad - Yieldbroker 15 May '12

15 May '12

Hi Wondering if anyone can help me, I need to extra schema info out of MS AD and then add it to openldap . try to get openldap - proxy to - MS AD working... I can do simple type of searches like on cn, but I can do search on attributes like samaccountype ... I am guess that's it's a scheme issues... A

3 6

Re: options for meta when using configuration backend
by André Ribas 15 May '12

15 May '12

2012/5/15 Quanah Gibson-Mount <quanah(a)zimbra.com>: > --On Tuesday, May 15, 2012 5:35 PM -0500 Scott Koranda <skoranda(a)gmail.com> > wrote: > >> Hi, >> >> I am using slapd 2.4.23 on Debian Squeeze. > > > Bad idea. Build your own package. > Can I ask you why is it a bad idea? > > [...] > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > André Ribas

1 0

2.4.31 slapd-meta
by Eugene Vilensky 15 May '12

15 May '12

Hello, I am trying to move a meta-directory from version 2.3.43 (included with RHEL 5) to version 2.4.31 (openldap-ltb packages on RHEL6). I've tried to follow the man pages and FAQ properly in using newer directives for the same functionality, but searches that previously worked on 2.3.43 no longer work. The meta database in the 2.3.43 is defined like so: ----- database meta suffix "dc=example,dc=edu" uri "ldap://central-ldap.example.edu/ou=people,dc=example,dc=edu" idassert-bind bindmethod=simple binddn "cn=account,ou=service,dc=example,dc=edu" bindpw secret uri "ldap://localhost/ou=groups,dc=local,dc=example,dc=edu" idassert-bind bindmethod=simple binddn "cn=Manager,dc=local,dc=example,dc=edu" bindpw supersecret ---------- This seems to work (People are retrieved from the upstream ldap and a local bdb [not shown] database serves groupofnames memberships specific to our org unit), with deprecation warnings: /etc/openldap/slapd.conf: line 118: "binddn" statement is deprecated; use "acl-authcDN" instead /etc/openldap/slapd.conf: line 119: "bindpw" statement is deprecated; use "acl-passwd" instead /etc/openldap/slapd.conf: line 123: "binddn" statement is deprecated; use "acl-authcDN" instead /etc/openldap/slapd.conf: line 124: "bindpw" statement is deprecated; use "acl-passwd" instead [1] I've assumed binddn and bindpw are used by slapd-meta to perform searches against the remote directory. Is this wrong? Moving these configuration options to 2.4.31, my <database meta> is defined like so (focusing on the remote LDAP entry): database meta suffix "dc=example,dc=edu" uri "ldap://central-ldap.example.edu/ou=people,dc=example,dc=edu" idassert-bind bindmethod=simple binddn="cn=account,ou=service,dc=example,dc=edu" credentials="secret" Searches don't work and debug output includes among other information: 4fb288b5 conn=1001 op=11 meta_search_dobind_init[0] mc=0x7ff4c0104b20: non-empty dn with empty cred; binding anonymously request done: ld 0x7ff4c4101f40 msgid 2 res_errno: 48, res_error: <binds with a dn require a password>, res_matched: <> Is there a reason why credentials aren't being used along with bind dn? Was I wrong about assumption [1]? Hmm..the search works if I use "rebind-as-user yes" as an option for the remote URI, but I've not figured out from slapd-ldap(5) why this is so...the client credentials are not valid upstream, its a dn specific to the local database. Any help greatly appreciated (as before!) -Eugene

1 0

Root cause: Strange OpenLdap performace issue
by Michele Mase' 15 May '12

15 May '12

I've a tiny ldap service (only 6000 records) vith openldap 2.3.x rhel5.x master/slave; The first query takes me over 4 seconds (instead of taking less than 0.1.seconds): time ldapsearch -x -b "c=it" -s sub "(o=*)" -D "cn=Manager,dc=sir" -h www.example.com -w mypasswd The same query using one level takes only 0.4 seconds time ldapsearch -x -b "c=it" -s one "(o=*)" -D "cn=Manager,dc=sir" -h www.example.com -w mypasswd I've tested the following: New brand system with openldap 2.4.x rhel6.x mirror mode: both queries take me less than 0.2 seconds New brand system with the same releases, 2.3.x rhel5.x: both queries take me less than 0.2 seconds The problem should be in the prod. system: I've tried almost all: reindexing operations, better indexing options, more cache, better threads tuning, more cpu and ram to the servers ... nothing to do: the first quey takes more than 4 seconds. The last operation was a "disaster recovery" of the prod. ldap: 1 stop ldap on both systems 2 slapcat to save the last good ldif 3 remove of all databases (rm -fr /var/lib/ldap/*) on both systems 4 recreate dirs, DB_CONFIG and restore ldif; restore permissions 5 start ldap service on both servers And magically, the issue has gone! Now first query, yes the "bad" query with the subtree options, works like a charm, giving me the results in less than 0.1 seconds .... Which could be the root cause? DB defragmentation? I was unable to find the root cause. PLS, help me to find some suggestions. Regards Michele Masè

2 2

overlay nssov + pass-through authentication
by Uwe Werler 15 May '12

15 May '12

Hello list, up to now we have pam_ldap/nss_ldap running from padl and all user accounts have pass-through authentication configured to authenticate against an external ldap server.* Now I try the overlay nssov and except authentication all is running fine. If I use the userPassword directly the user can authenticate without problems. Isn't it possible to use pass-through authentication with overlay nssov? Thanks in advance! Regards Uwe *userPassword: {SASL}uid

1 0

Cannot mount users's home directories
by zingalo 15 May '12

15 May '12

Hi, i have problems mounting on the client ubuntu the users's home directories that are on a server debian squeeze with ldap-samba. First of all, which is the correct syntax for homeDirectory attribute if that home is on a server. I wrote: homeDirectory: //192.168.5.219/users/username but pam_mount tells me volume not found. am not sure of samba and smbldap configurations also. could you take a look of my conf files? this is smb.conf: [global] #identificazione workgroup = AMAHORO server string = amahoro security = user #opzioni di rete hosts allow = 192.168.5.0/24 localhost #opzioni per il log log file = /var/log/samba/log.%u max log size = 1000 log level = 3 #opzioni per l'accesso alle condivisioni encrypt passwords = yes null passwords = no security = user #smb passwd file = /etc/samba/smbpasswd username map = /etc/samba/smbusers #LDAP passdb backend = ldapsam:ldap://127.0.0.1/ ldap admin dn = cn=Manager,dc=amahoro,dc=bi ldap suffix = dc=amahoro,dc=bi ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap ssl = no add user script = /usr/local/sbin/smbldap-useradd -m "%u" add group script = /usr/local/sbin/smbldap-groupadd "%g" delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g" delete user script = /usr/local/sbin/smbldap-userdel "%u" delete group script = /usr/loca/sbin/smbldap-groupdel "%g" [homes] path = /users/%u browseable = no writable = yes valid users = %S read only = no guest ok = no admin users = %u write list = %u read list = %u create mask = 0700 directory mask = 0700 [user_data] comment = Leçon browseable = yes public = yes writable = no path = /user_data and this is smbldap.conf: # $Source: $ # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $ # # smbldap-tools.conf : Q & D configuration file for smbldap-tools # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # # Copyright (C) 2001-2002 IDEALX # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, # USA. # Purpose : # . be the configuration file for all smbldap-tools scripts ############################################################################## # # General Configuration # ############################################################################## # Put your own SID. To obtain this number do: "net getlocalsid". # If not defined, parameter is taking from "net getlocalsid" return SID="S-1-5-21-251852451-2940789264-3475694606" # Domain name the Samba server is in charged. # If not defined, parameter is taking from smb.conf configuration file # Ex: sambaDomain="IDEALX-NT" sambaDomain="AMAHORO" #realm="amahoro.bi" ############################################################################## # # LDAP Configuration # ############################################################################## # Notes: to use to dual ldap servers backend for Samba, you must patch # Samba with the dual-head patch from IDEALX. If not using this patch # . one master LDAP server where all writing operations must be done # . one slave LDAP server where all reading operations must be done # (typically a replication directory) # Slave LDAP server # Ex: slaveLDAP=127.0.0.1 # If not defined, parameter is set to "127.0.0.1" slaveLDAP="127.0.0.1" # Slave LDAP port # If not defined, parameter is set to "389" slavePort="389" # Master LDAP server: needed for write operations # Ex: masterLDAP=127.0.0.1 # If not defined, parameter is set to "127.0.0.1" masterLDAP="127.0.0.1" # Master LDAP port # If not defined, parameter is set to "389" #masterPort="389" masterPort="389" # Use TLS for LDAP # If set to 1, this option will use start_tls for connection # (you should also used the port 389) # If not defined, parameter is set to "0" ldapTLS="0" # Use SSL for LDAP # If set to 1, this option will use SSL for connection # (standard port for ldaps is 636) # If not defined, parameter is set to "0" ldapSSL="0" # How to verify the server's certificate (none, optional or require) # see "man Net::LDAP" in start_tls section for more details verify="require" # CA certificate # see "man Net::LDAP" in start_tls section for more details cafile="/etc/smbldap-tools/ca.pem" # certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem" # key certificate to use to connect to the ldap server # see "man Net::LDAP" in start_tls section for more details clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key" # LDAP Suffix # Ex: suffix=dc=IDEALX,dc=ORG suffix="dc=amahoro,dc=bi" # Where are stored Users # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for usersdn usersdn="ou=Users,${suffix}" # Where are stored Computers # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for computersdn computersdn="ou=Computers,${suffix}" # Where are stored Groups # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn groupsdn="ou=Groups,${suffix}" # Where are stored Idmap entries (used if samba is a domain member server) # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn idmapdn="ou=Idmap,${suffix}" # Where to store next uidNumber and gidNumber available for new users and groups # If not defined, entries are stored in sambaDomainName object. # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" sambaUnixIdPooldn="sambaDomainName=AMAHORO,${suffix}" # Default scope Used scope="sub" # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) hash_encrypt="SSHA" # if hash_encrypt is set to CRYPT, you may set a salt format. # default is "%s", but many systems will generate MD5 hashed # passwords if you use "$1$%.8s". This parameter is optional! crypt_salt_format="%s" ############################################################################## # # Unix Accounts Configuration # ############################################################################## # Login defs # Default Login Shell # Ex: userLoginShell="/bin/bash" userLoginShell="/bin/bash" # Home directory # Ex: userHome="/home/%U" userHome="/users/%U" # Default mode used for user homeDirectory userHomeDirectoryMode="700" # Gecos userGecos="System User" # Default User (POSIX and Samba) GID defaultUserGid="513" # Default Computer (Samba) GID defaultComputerGid="550" # Skel dir skeletonDir="/etc/skel" # Default password validation time (time in days) Comment the next line if # you don't want password to be enable for defaultMaxPasswordAge days (be # careful to the sambaPwdMustChange attribute's value) defaultMaxPasswordAge="45" ############################################################################## # # SAMBA Configuration # ############################################################################## # The UNC path to home drives location (%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon home' # directive and/or disable roaming profiles # Ex: userSmbHome="\\PDC-SMB3\%U" userSmbHome="\\amahoro\users\%U" # The UNC path to profiles locations (%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon path' # directive and/or disable roaming profiles # Ex: userProfile="\\PDC-SMB3\profiles\%U" userProfile="\\amahoro\profiles\%U" # The default Home Drive Letter mapping # (will be automatically mapped at logon time if home directory exist) # Ex: userHomeDrive="H:" #userHomeDrive="H:" # The default user netlogon script name (%U username substitution) # if not used, will be automatically username.cmd # make sure script file is edited under dos # Ex: userScript="startup.cmd" # make sure script file is edited under dos userScript="logon.bat" # Domain appended to the users "mail"-attribute # when smbldap-useradd -M is used # Ex: mailDomain="idealx.com" mailDomain="iallanis.info" ############################################################################## # # SMBLDAP-TOOLS Configuration (default are ok for a RedHat) # ############################################################################## # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but # prefer Crypt::SmbHash library with_smbpasswd="0" #smbpasswd="/usr/bin/smbpasswd" # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm) # but prefer Crypt:: libraries with_slappasswd="0" slappasswd="/usr/sbin/slappasswd" # comment out the following line to get rid of the default banner # no_banner="1" Thanks for your time

2 4

LDAP & AUTOMOUNT QUESTION
by Borresen, John - 0442 - MITLL 14 May '12

14 May '12

All, Running OpenLDAP 2.4.23 on CentOS5.8. Looking into modifying our automount a bit. For example, say we have the following LDIF for an automap: from the auto.master: objectClass automount(structural) automountInformation auto.admin -nosuid automountKey /admin The auto.admin LDIF has this: objectClass automount(structural) automountInformation server:/vol/vol2/admin/documents automountKey docs There is another entry, same automountInformation (server:/vol/vol2/admin/documents) for documents and doc. Is there any way that we can combine those entries into one? For example, something like this: objectClass automount(structural) automountInformation server:/vol/vol2/admin/documents automountKey docs automountKey documents automountKey doc I tried to modify things in this fashion but, it failed, "only one automountKey is permitted". Thanks for the help, I hope I made our intentions clear. In the long run we would like to have the option for an EU (end-user) to be able to change directories to /admin/docs, /admin/documents, or /admin/doc. Dave Borresen Solaris/Linux Systems Administrator Surveillance Systems Group MIT Lincoln Laboratory john.borresen(a)ll.mit.edu

1 0

ACL for nssov-overlay
by Uwe Werler 14 May '12

14 May '12

Hello list, does someone know how I can define an ACL for the socket used by the nssov-overlay? I tried by socket.url="/var/run/nslcd/socket" read but it won't work. Any suggestions? Thanks in advance! Regards Uwe

1 0

Re: OpenLDAP 2.4.23 multi-master replication of the cn=config tree error: could not put entry file in place
by Brandon Hume 11 May '12

11 May '12

(Please reply to the list, so any useful information gets archived for others in the future...) On 05/11/12 05:39 AM, Cyril Grosjean wrote: > 26374 open("/etc/openldap/slapd.d/cn=config.ldif", O_RDONLY) = 16 > 26374 open("/etc/openldap/slapd.d/cn=config.40TIFd", > O_RDWR|O_CREAT|O_EXCL, 0600) = 16 > 26374 rename("/etc/openldap/slapd.d/cn=config.40TIFd", > "/etc/openldap/slapd.d/cn=config.ldif") = -1 EACCES (Permission denied) > 26374 unlink("/etc/openldap/slapd.d/cn=config.40TIFd") = 0 > So it really looks to me like a bug. As suggested by Quanah, I'll try > OpenLDAP 2.4.31 if I've time for that, but my goal was possibly to > stick to "official" rpms, for obvious support reasons. If it's a bug, then it's a bug in the operating system. strace traces system calls ("_s_ystem trace"). You can plainly see OpenLDAP creating the new cn=config.ldif as a tempfile, trying to rename it to overwrite the old, and being told by the *OS* that it's not allowed to do so. Here's the exact same operation on my own server: 5596 open("/appl/ldap/etc/slapd.d/cn=config.ldif", O_RDONLY) = 57 5596 open("/appl/ldap/etc/slapd.d/cn=config.Zi6PH7", O_RDWR|O_CREAT|O_EXCL, 0600) = 57 5596 rename("/appl/ldap/etc/slapd.d/cn=config.Zi6PH7", "/appl/ldap/etc/slapd.d/cn=config.ldif") = 0 How about showing us the exact permissions on the directory and that file? What's the output of: ls -lZd /etc/openldap/slapd.d /etc/openldap/slapd.d/cn=config.ldif and: getfacl /etc/openldap/slapd.d /etc/openldap/slapd.d/cn=config.ldif

3 2

← Newer
1
...
5
6
7
8
9
10
11
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2012