Re: Openldap Problem
by devzero2000
Very often I see answers like this on RHEL, in particular. So why
not tell, or better, write in some FAQ: the OpenLDAP version
shipped and packaged with RHEL is seriously broken, please don't use
it. Wouldn't that be better?
regards
(footnote)
I am not a Red Hat folk
2012/7/26, Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Thursday, July 26, 2012 12:55 PM +0200 Chris <chris(a)flamengro.co.za>
> wrote:
>
>> Hi.
>>
>> I am using rhel 6.3, with sssd-1.8.0 and openldap-servers-2.4.23-26, the
>> kernel is 2.6.32-279.2.1.el6.x86_64.
>> The problem I'm having is I get this error message in messages file.
>
> Upgrade to a newer version of OpenLDAP that has fixes for sssd. Upgrade to
> a version of OpenLDAP that doesn't use MozNSS for its SSL/TLS bits, and
> instead uses the saner and reliable OpenSSL.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
--
Sent from my mobile device
11 years, 2 months
Does OpenLDAP 2.4 support nested groups
by Qian Zhang
Hi,
I'd like to know whether, in OpenLDAP 2.4, if I create a group (objectClass
posixGroup), it is possible to create another group as a member
of this group?
Or do I have to do this with a group which has groupOfNames as its objectClass?
Thanks,
Qian
11 years, 2 months
Re: The Last Sysadmin Prayer: Discussion Returns to Wrap and Base64 World
by Peter Gietz
Hi Angel,
you might want to post feature requests (after double checking that the
feature does not already exist) to the ITS
(http://www.openldap.org/its/). This list is, as Howard made quite
clear, not the right place.
Technical discussions can be made on openldap-technical.
Although it is far better to use proper LDAP libraries of a proper
scripting language, I second your request for a "don't base64" feature for
all those admins who only use bash and pray instead of learning Python
or Perl ;-)
But we should first discuss (on openldap-technical) how exactly such a
feature should work (there are binary values that you don't want to have
not base64ed).
And: it is even nicer to post a proper patch than a feature request to ITS
Cheers,
Peter
On 23.07.2012 00:36, Angel Bosch wrote:
>> From: "Howard Chu" <hyc(a)symas.com>
>> This is the Developer's list. Your post is off topic and you should be
>> ashamed
>> of yourself for posting it here.
>>
> sorry for the noise, I knew this is the developer's list but after seeing all lists:
>
> openldap-announce OpenLDAP announcements list
> openldap-bugs OpenLDAP bugs discussion list
> openldap-commit OpenLDAP source repository 'commit' list
> openldap-devel OpenLDAP development discussion list
> openldap-fortress OpenLDAP Fortress Discussion list
> openldap-technical OpenLDAP Technical Discussion list
>
>
> I thought this belonged here because of the nature of the discussion. If you want me to move this thread to another list, please let me know.
>
>
>
>> An option for LDIF wrapping was released in 2.4.24, 2011-02-10. You
>> should be
>> ashamed of yourself for asking for something that has already been
>> available
>> for over a year and a half.
>>
> I was using the latest CentOS 6.3 packages and I assumed that there was no wrapping option, sorry about that. I see now that CentOS is packaging 2.4.23. That was close. I'm really happy to see that it was finally included upstream and I can't wait to see it in packages.
>
>
> I think the rest of the complaint is still valid, though. Decoding values is still an issue, and Michael's suggestion that the best way is learning other languages instead of using ldapsearch reaffirms my POV. How broken can a simple search such as
>
> FULLNAME=`ldapsearch -x -LLL "(uid=$1)" gecos | grep "^gecos: " | cut -d" " -f2- `
>
> be?
>
>
> I really thought that we could start a healthy discussion about what and when a widely requested feature should be included. And judging from the amount of posts/discussions I've found digging through the last weeks, I'm pretty sure that isn't the opinion of a single undocumented obtuse sysadmin.
>
> Instead of being double-ashamed because of my ignorance, I'm really proud of being part of the free software community and being able to address people I admire and respect profoundly. Even when I'm wrong, and even more when I can hardly find the right words to explain to my boss that this "creepy guy with a violin" is the main developer of this huge project.
>
>
> àngel
>
>
> ps: english is not my native language, excuse my strange composition
>
>
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH    phone: +49 7071 407109-0
Europaplatz 3               Fax:   +49 7071 407109-9
D-72072 Tübingen            mail:  peter.gietz(a)daasi.de
Germany                     Web:   www.daasi.de
DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
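The `grep "^gecos: " | cut` one-liner quoted above silently drops two kinds of values that ldapsearch emits: values folded onto a continuation line, and values that are not plain LDIF-safe text (non-ASCII names, for instance), which ldapsearch prints as `gecos:: <base64>`. The following is an added example, not code from anyone in this thread: a small POSIX sh function that unfolds LDIF and decodes base64 values, so a shell script gets the same plain text a Python or Perl LDAP library would hand back. The sample LDIF is constructed; `ldif_get` is a name chosen here, and it assumes a `base64 -d` that accepts GNU-style input.

```shell
#!/bin/sh
# Added example: pull one attribute out of ldapsearch LDIF output from a
# shell script without losing folded or base64-encoded values.
# Not from the thread; the sample LDIF below is constructed.

# ldif_get ATTR  -- read LDIF on stdin, print each value of ATTR, one per line.
ldif_get() {
    attr="$1"
    awk -v attr="$attr" '
        # LDIF folds long values: a continuation line starts with one space.
        /^ / { buf = buf substr($0, 2); next }
        # Any other line ends the previous logical line; hand it to emit().
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }
        # Tag each value so the shell knows which ones need base64 decoding.
        function emit(line,   n) {
            n = length(attr)
            if (substr(line, 1, n + 3) == attr ":: ")
                print "B64\t" substr(line, n + 4)
            else if (substr(line, 1, n + 2) == attr ": ")
                print "RAW\t" substr(line, n + 3)
        }
    ' | while IFS="$(printf '\t')" read -r kind value; do
        if [ "$kind" = "B64" ]; then
            # ldapsearch base64-encodes values that are not safe as plain LDIF
            # text (non-ASCII, leading space, binary, ...); decode them here.
            printf '%s\n' "$value" | base64 -d
            printf '\n'
        else
            printf '%s\n' "$value"
        fi
    done
}

# Constructed sample of what "ldapsearch -x -LLL ... gecos description" prints:
# a non-ASCII gecos (base64), a folded description, and a plain gecos.
SAMPLE_LDIF='dn: uid=alice,dc=example,dc=com
gecos:: SsO8cmdlbiBNw7xsbGVy
description: wrapped value that cont
 inues on the next line

dn: uid=bob,dc=example,dc=com
gecos: Bob Plain
'

# Drop-in for the FULLNAME=`ldapsearch ... | grep "^gecos: " | cut ...` line:
# FULLNAME=$(ldapsearch -x -LLL "(uid=$1)" gecos | ldif_get gecos)
printf '%s' "$SAMPLE_LDIF" | ldif_get gecos          # Jürgen Müller / Bob Plain
printf '%s' "$SAMPLE_LDIF" | ldif_get description    # wrapped value that continues on the next line
```

The unfolding step is what the `-o ldif-wrap=no` option mentioned earlier in the thread (2.4.24 and later) makes unnecessary; the base64 step is still needed with any ldapsearch version, because LDIF has no way to carry an unsafe value in the clear.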
11 years, 2 months
syncrepl and deleted entries
by Roman Serbski
Hello list,
I'm having problems with deleted entries in a provider/consumer setup.
Any hints would be greatly appreciated!
===PROVIDER===
Ubuntu 10.04.2 (lucid)
OpenLDAP 2.4.21-0ubuntu5.3 (installed from packages)
slapd.conf:
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
===CONSUMER===
Ubuntu 12.04 (precise)
OpenLDAP 2.4.28-1.1ubuntu4 (installed from packages)
slapd.conf:
syncrepl rid=001
provider=ldaps://provider.domain.org:636
tls_reqcert=never
searchbase="dc=domain,dc=org"
filter="(objectClass=*)"
bindmethod=simple
binddn="cn=admin,dc=domain,dc=org"
credentials=xxxxxx
retry="60 +"
type=refreshAndPersist
scope=sub
attrs="*,+"
schemachecking=off
interval=00:00:05:00
Everything works fine and added/modified entries from the provider are
immediately replicated to the consumer, but it doesn't work with
deleted entries: if I delete an entry from the provider it never gets
deleted from the consumer.
Debug log files can be found here: http://pastebin.com/AmXRAXHp
The first part is a successful entry modification, and the last one is
an unsuccessful deletion. The only anomaly that I can spot is at
line 131: "<= bdb_index_read: failed (-30987)", but then I don't
understand how adding/modifying works...
Many thanks!
Roman
11 years, 2 months
slapd mmr failure due to tls cert name mismatch
by Patrick Hemmer
I have 2 servers (version 2.4.31) in multi-master-replication behind a
single IP. Whenever replication tries to start, it fails because the
cert name does not match the hostname.
----
TLS: hostname (per5-unity-ldap02.mbox.net) does not match common name in
certificate (unity-ldap.mbox.net).
5009c52e slap_client_connect: URI=ldap://per5-unity-ldap02.mbox.net
Error, ldap_start_tls failed (-11)
5009c52e do_syncrepl: rid=523 rc -11 retrying (5 retries left)
----
However in the slapd configuration, I have the olcSyncrepl tls_reqcert
parameter set to 'never'
----
olcSyncrepl: {0}rid=523 provider="ldap://per5-unity-ldap02.mbox.net"
network-timeout=2 retry="1 10 10 60 60 +" keepalive="60:3:60"
starttls=critical tls_reqcert=never
bindmethod=simple timeout=2 binddn="uid=foo,cn=bar" credentials="baz"
type=refreshAndPersist searchbase="dc=my,dc=domain"
----
Why is this happening?
I even ran across ITS#7014 which is about this exact issue, and with
tls_reqcert=allow and tls_reqcert=never, it's not supposed to happen.
Thanks
-Patrick
11 years, 2 months
replication verification
by Boyd Duffee
Hi all,
I've been dropped in at the LDAP deep end due to a retirement in the office.
The documentation I have regarding dealing with the failure of a master tells
me how to fail over by promoting one of the replicas and then, when the
problem with the master has been sorted, to re-configure it as a replica.
My problem is with the following line:
When it is fully synchronised with the temporary master
it can then be re-instated as the master.
How do I know when it has fully synchronised? I'm running OpenLDAP v2.4.16,
but I don't seem to have syncrepl in my path.
Where should I be starting?
thanks,
--
Boyd Duffee Keele University (01782) 734225
Student Facing Systems
It kind of makes me sad that all the dystopian capabilities
are being created, but are mainly being used for advertising
instead of the hot-evil-cool dystopia we were promised - phantomfive
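Both Roman's question (deletions that never reach the consumer) and Boyd's ("how do I know when it has fully synchronised?") come down to the same check: compare the contextCSN that provider and consumer report for the replicated suffix, and, when the CSNs agree but you still suspect a missed delete, compare the DN lists. The script below is an added example written for this page, not from either poster; `fetch_csn`, `fetch_dns`, `csn_status` and `stale_dns` are names chosen here, the host names and suffix are placeholders, and the sample CSNs and DNs are constructed. It assumes a contextCSN of the form `YYYYmmddHHMMSS.ffffffZ#count#sid#mod`, compared per server ID, and assumes anonymous read access to contextCSN (add `-D`/`-w` if your ACLs require a bind).

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a consumer has caught up
# with its provider by comparing the contextCSN values both report for the
# replicated suffix, and list entries that still exist on the consumer only.
# Sample CSNs and DNs are constructed; host names and suffix are placeholders.

# fetch_csn URI SUFFIX  -- contextCSN values of SUFFIX on the server at URI,
# one per line (a multi-master suffix carries one value per server ID).
fetch_csn() {
    ldapsearch -x -LLL -H "$1" -s base -b "$2" contextCSN | sed -n 's/^contextCSN: //p'
}

# fetch_dns URI SUFFIX  -- every DN under SUFFIX, sorted ("1.1" = no attributes).
fetch_dns() {
    ldapsearch -x -LLL -H "$1" -s sub -b "$2" 1.1 | sed -n 's/^dn: //p' | sort
}

# csn_status PROVIDER_CSNS CONSUMER_CSNS  -- prints in-sync, behind or ahead.
# A CSN is "YYYYmmddHHMMSS.ffffffZ#count#sid#mod", so for one SID the lexically
# greater string is the newer one; each SID is compared separately.
csn_status() {
    awk -v prov="$1" -v cons="$2" 'BEGIN {
        n = split(prov, pl, "\n")
        for (i = 1; i <= n; i++) if (pl[i] != "") { split(pl[i], f, "#"); p[f[3]] = pl[i] }
        n = split(cons, cl, "\n")
        for (i = 1; i <= n; i++) if (cl[i] != "") { split(cl[i], f, "#"); c[f[3]] = cl[i] }
        behind = 0; ahead = 0
        for (sid in p) {
            if (!(sid in c) || c[sid] < p[sid]) behind++   # consumer missing or older
            else if (c[sid] > p[sid]) ahead++              # consumer has newer writes
        }
        print (behind ? "behind" : (ahead ? "ahead" : "in-sync"))
    }'
}

# stale_dns PROVIDER_DNS CONSUMER_DNS  -- DNs present on the consumer only,
# i.e. entries whose deletion never reached it.
stale_dns() {
    awk -v prov="$1" -v cons="$2" 'BEGIN {
        n = split(prov, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
        n = split(cons, b, "\n"); for (i = 1; i <= n; i++) if (b[i] != "" && !(b[i] in seen)) print b[i]
    }'
}

# Constructed sample: provider at 12:00:00 for SID 000, consumer still at 11:59:00,
# and the consumer still holds uid=bob although the provider no longer has it.
PROV_CSN='20120726120000.123456Z#000000#000#000000'
CONS_CSN='20120726115900.000000Z#000000#000#000000'
PROV_DNS='dc=domain,dc=org
uid=alice,dc=domain,dc=org'
CONS_DNS='dc=domain,dc=org
uid=alice,dc=domain,dc=org
uid=bob,dc=domain,dc=org'

csn_status "$PROV_CSN" "$CONS_CSN"    # behind
stale_dns "$PROV_DNS" "$CONS_DNS"     # uid=bob,dc=domain,dc=org

# Against real servers (placeholder URIs and suffix):
# csn_status "$(fetch_csn ldap://provider.domain.org dc=domain,dc=org)" \
#            "$(fetch_csn ldap://consumer.domain.org dc=domain,dc=org)"
# stale_dns  "$(fetch_dns ldap://provider.domain.org dc=domain,dc=org)" \
#            "$(fetch_dns ldap://consumer.domain.org dc=domain,dc=org)"
```

For Boyd's case, "fully synchronised" is `in-sync` for every server ID; for Roman's, a consumer that is `in-sync` by CSN yet still lists a DN the provider lacks is exactly the missed delete, so the syncrepl debug log is the next place to look rather than the connection settings. Note that ldapsearch folds DNs longer than 76 columns and base64-encodes non-ASCII DNs, so `fetch_dns` as written is reliable only for short ASCII DNs; with 2.4.24 or later, `-o ldif-wrap=no` removes the folding.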
11 years, 2 months
Re[10]: Searching few domains for one uid
by kefast@o2.pl
> --On Saturday, July 14, 2012 12:42 PM +0200 kefast(a)o2.pl wrote:
>> Ok, thanx, I do understand that, but my point is, where I can put
>> those "" in configuration files ? On a client side set BASE "" and in
>> slapd.conf
>>
>> database bdb
>> suffix ""
>> rootdn "cn=admin"
>>
>> ?
>>
>> How precisely do I set the config files (client, server) to search all of
>> those domains you listed?
> Use an empty base.
> --Quanah
> --
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
I cannot import an LDIF with an empty base on the server side.
slapadd -v -b 'dc=""' -l ./root.ldif
slapadd: slap_init invalid suffix ("dc=""")
slapadd -v -b 'dc=' -l ./root.ldif
slapadd: slap_init invalid suffix ("dc=")
slapadd -v -b "dc=" -l ./root.ldif
slapadd: slap_init invalid suffix ("dc=")
slappadd -v -b "dc=" -l ./root.ldif
slapadd: slap_init invalid suffix ("dc=")
slapadd -v -b "dc=''" -l ./root.ldif
slapadd: slap_init no backend for "dc=''"
--
Pozdrowienia,
kefast(a)o2.pl
11 years, 2 months
slapo-chain + TLS = help
by Warren Howard
Hi,
I'm not able to get slapo-chain + TLS to work. slapo-chain without TLS
works, syncrepl + TLS works, the LDAP clients with TLS work, just
slapo-chain + TLS does not work.
"man slapo-chain" contains no information about the TLS options for
slapo-chain, but when I enable "chain-tls start" (as described in the
OpenLDAP Admin Guide) I get the error: TLS negotiation failure.
What TLS options for slapo-chain are available for me to configure to
get this working?
Note : I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the
distribution.
Regards,
Warren.
11 years, 2 months
database ldap and acl-bind
by Nerijus Kislauskas
Hi everyone,
As I understand from documentation, acl-bind is a technique to fetch
acls from backend ldap to ldap proxy and apply them in there. Is this
correct?
I can't find any working example with logs shown to prove my idea, nor can
I get my configs to work. Maybe there is something I don't know?
My configs:
/etc/ldap/slapd.d/cn=config/olcDatabase={2}ldap.ldif:
dn: olcDatabase={2}ldap
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
structuralObjectClass: olcLDAPConfig
entryUUID: da219748-6515-1031-9486-41b4d47f5b36
olcSuffix: dc=ktu,dc=lt
olcDbURI: ldap://83.171.20.45
olcDbIdleTimeout: 60
olcDbACLBind: bindmethod=simple binddn="cn=test,dc=ktu,dc=lt"
credentials="test"
Logs:
Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: access to entry
"dc=ktu,dc=lt", attr "entry" requested
Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: to all values by
"cn=admin,dc=ktu,dc=lt", (=0)
Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat: *
Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] applying +0 (break)
Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] mask: =0
Jul 19 12:17:36 bijote slapd[1435]: => dn: [2]
Jul 19 12:17:36 bijote slapd[1435]: => dn: [3] cn=subschema
Jul 19 12:17:36 bijote slapd[1435]: <= acl_get: done.
Jul 19 12:17:36 bijote slapd[1435]: => slap_access_allowed: no more rules
It is clearly visible that there are no ACL configs in the database definition,
and the ACLs come from the frontend database (defaults):
/etc/ldap/slapd.d/cn=config/olcDatabase\={2}ldap.ldif:
...
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
....
As I understand it, there should be an ACL in the LDAP proxy (custom or default,
tied to the backend's ACLs or not). Please help me to clear things up.
--
Sincerely,
Nerijus Kislauskas
KTU ITPI, Litnet valdymo centras
11 years, 2 months
openldap groups and roles
by Jignesh Patel
We are using OpenLDAP at present, but we are anticipating huge growth in the number of users.
We intend to support 300,000 users. Is that possible with OpenLDAP? Has anybody tried it?
Also, can I define various roles inside OpenLDAP? Can I also define groups inside OpenLDAP?
Jignesh Patel
Chief Architect
iCare.com LLC
Las Olas City Centre, Suite 2250
401 East Las Olas Boulevard
Fort Lauderdale, Florida 33301
O: 954-616-5604
F: 954-616-5609
jignesh(a)icare.com
On Jul 18, 2012, at 2:57 PM, openldap-technical-request(a)OpenLDAP.org wrote:
> openldap-technical(a)openldap.org
11 years, 2 months