openldap-technical July 2012

openldap-technical@openldap.org

69 participants
71 discussions

Re: Openldap Problem
by devzero2000 27 Jul '12

27 Jul '12

Very often i see answer like this on rhel, in particular. So why don't tell or, better, write in some faq : the openldap version shipped and packaged with rhel is seriously borken, please don't use it. Should not be better ? regards (footnote) i am not a redhat folk 2012/7/26, Quanah Gibson-Mount <quanah(a)zimbra.com>: > --On Thursday, July 26, 2012 12:55 PM +0200 Chris <chris(a)flamengro.co.za> > wrote: > >> Hi. >> >> I am using rhel 6.3, with sssd-1.8.0 and openldap-servers-2.4.23-26, the >> kernel is 2.6.32-279.2.1.el6.x86_64. >> The problem I'm having is I get this error message in messages file. > > Upgrade to a newer version of OpenLDAP that has fixes for sssd. Upgrade to > > a version of OpenLDAP that doesn't use MozNSS for its SSL/TLS bits, and > instead uses the saner and reliable OpenSSL. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > > -- Inviato dal mio dispositivo mobile

3 2

Does OpenLDAP 2.4 support nested group
by Qian Zhang 27 Jul '12

27 Jul '12

Hi, I'd like to know in OpenLDAP 2.4, if I create a group (objectClass is posixGroup), is it possible that I create another group as the member of this group? Or I have to do this with group which has groupOfNames as its objectClass? Thanks, Qian

3 2

Re: The Last Sysadmin Prayer: Discussion Returns to Wrap and Base64 World
by Peter Gietz 25 Jul '12

25 Jul '12

Hi Angel, you might want to post feature requests (after double checking that the feature does not already exists) to the ITS (http://www.openldap.org/its/). This list is, as Howard made quite clear, not the right place. Technical discussions can be made on openldap-technical. Although it is far better to use proper LDAP libraries of a proper scripting language, I second your request for a don't base64 feature for all those admins who only use bash and pray instead of learning python or perl ;-) But we should first discuss (on openldap-technical) how exactly such a feature should work (there are binary values that you don't want to have not base64ed). And: it is even nicer to post a proper patch than a feature request to ITS Cheers, Peter Am 23.07.2012 00:36, schrieb Angel Bosch: >> De: "Howard Chu" <hyc(a)symas.com> >> This is the Developer's list. Your post is off topic and you should be >> ashamed >> of yourself for posting it here. >> > sorry for the noise, I knew this is the developer's list but after seeing all lists: > > openldap-announce OpenLDAP announcements list > openldap-bugs OpenLDAP bugs discussion list > openldap-commit OpenLDAP source repository 'commit' list > openldap-devel OpenLDAP development discussion list > openldap-fortress OpenLDAP Fortress Discussion list > openldap-technical OpenLDAP Technical Discussion list > > > I thought this belongs here because the nature of the discussion. If you want me to move this thread to another list, please let me know. > > > >> An option for LDIF wrapping was released in 2.4.24, 2011-02-10. You >> should be >> ashamed of yourself for asking for something that has already been >> available >> for over a year and a half. >> > I was using lastest Centos 6.3 packages and I assumed that there was no wrapping option, sorry about that. I see now that Centos is packaging 2.4.23. That was close. I'm really happy to see that it was finally included upstream and I can't wait to see it on packages. > > > I think rest of the complain is still valid, though. Decoding values i still an issue, and the suggestion of Michael that best way is learning other languages instead of using ldapsearch reaffirms my pov. How broken can be a simple search such as > > FULLNAME=`ldapsearch -x -LLL "(uid=$1)" gecos | grep "^gecos: " | cut -d" " -f2- ` > > ? > > > I really thought that we could start a healthy discussion about what and when a widely requested feature should be included. And judging from amount of posts/discussions I've found digging last weeks I'm pretty sure that isn't the opinion of a single undocumented obtuse sysadmin. > > Instead of being double-ashamed because of my ignorance, I'm really proud of being part of the free software community and being able to address to people I admire and respect profundly. Even when I'm wrong and even more when I hardly find the right words to explain my boss that this "creppy guy with a violin" is the main developer of this huge project. > > > àngel > > > ps: english is not my native language, excuse my strange composition > > -- _______________________________________________________________________ Peter Gietz (CEO) DAASI International GmbH phone: +49 7071 407109-0 Europaplatz 3 Fax: +49 7071 407109-9 D-72072 Tübingen mail: peter.gietz(a)daasi.de Germany Web: www.daasi.de DAASI International GmbH, Tübingen Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175 Directory Applications for Advanced Security and Information Management _______________________________________________________________________

1 0

syncrepl and deleted entries
by Roman Serbski 23 Jul '12

23 Jul '12

Hello list, I'm having problems with deleted entries in a provider/consumer setup. Any hints would be greatly appreciated! ===PROVIDER=== Ubuntu 10.04.2 (lucid) OpenLDAP 2.4.21-0ubuntu5.3 (installed from packages) slapd.conf: moduleload syncprov overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 ===CONSUMER=== Ubuntu 12.04 (precise) OpenLDAP 2.4.28-1.1ubuntu4 (installed from packages) slapd.conf: syncrepl rid=001 provider=ldaps://provider.domain.org:636 tls_reqcert=never searchbase="dc=domain,dc=org" filter="(objectClass=*)" bindmethod=simple binddn="cn=admin,dc=domain,dc=org" credentials=xxxxxx retry="60 +" type=refreshAndPersist scope=sub attrs="*,+" schemachecking=off interval=00:00:05:00 Everything works fine and added/modified entries from the provider are immediately replicated to the consumer, but it doesn't work with deleted entries - if I delete an entry from the provider it gets never deleted from the consumer. Debug log files could be found here: http://pastebin.com/AmXRAXHp The first part is successful entry modification, and the last one is unsuccessful deletion. The only anomaly that I can spot is at the line 131: "<= bdb_index_read: failed (-30987)", but then I don't understand how adding/modifying works... Many thanks! Roman

2 1

slapd mmr failure due to tls cert name mismatch
by Patrick Hemmer 21 Jul '12

21 Jul '12

I have 2 servers (version 2.4.31) in multi-master-replication behind a single IP. Whenever replication tries to start, it fails because the cert name does not match the hostname. ---- TLS: hostname (per5-unity-ldap02.mbox.net) does not match common name in certificate (unity-ldap.mbox.net). 5009c52e slap_client_connect: URI=ldap://per5-unity-ldap02.mbox.net Error, ldap_start_tls failed (-11) 5009c52e do_syncrepl: rid=523 rc -11 retrying (5 retries left) ---- However in the slapd configuration, I have the olcSyncrepl tls_reqcert parameter set to 'never' ---- olcSyncrepl: {0}rid=523 provider="ldap://per5-unity-ldap02.mbox.net" network-timeout=2 retry="1 10 10 60 60 +" keepalive="60:3:60" starttls=critical tls_reqcert=never bindmethod=simple timeout=2 binddn="uid=foo,cn=bar" credentials="baz" type=refreshAndPersist searchbase="dc=my,dc=domain" ---- Why is this happening? I even ran across ITS#7014 which is about this exact issue, and with tls_reqcert=allow and tls_reqcert=never, it's not supposed to happen. Thanks -Patrick

2 1

replication verification
by Boyd Duffee 21 Jul '12

21 Jul '12

Hi all, I've been dropped in a the LDAP deep end due to a retirement in the office. The documentation I have regarding dealing with the failure of a master tells me how to fail over by promoting one of the replicas and then, when the problem with the master has been sorted, to re-configure it as a replica. My problem is with his following line When it is fully synchronised with the temporary master it can then be re-instated as the master. How do I know when it has fully synchronised? I'm running openldap v2.4.16, but I don't seem to have syncrepl in my path. Where should I be starting? thanks, -- Boyd Duffee Keele University (01782) 734225 Student Facing Systems It kind of makes me sad that all the dystopian capabilities are being created, but are mainly being used for advertising instead of the hot-evil-cool dystopia we were promised - phantomfive

3 3

Re[10]: Searching few domains for one uid
by kefast＠o2.pl 21 Jul '12

21 Jul '12

> --On Saturday, July 14, 2012 12:42 PM +0200 kefast(a)o2.pl wrote: >> Ok, thanx, I do understand that, but my point is, where I can put >> those "" in configuration files ? On a client side set BASE "" and in >> slapd.conf >> >> database bdb >> suffix "" >> rootdn "cn=admin" >> >> ? >> >> How persisly set config files (client, server) to search for all of >> those domains You listed. > Use an empty base. > --Quanah > -- > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration I can not import an ldif with an empty base on an server side. slapadd -v -b 'dc=""' -l ./root.ldif slapadd: slap_init invalid suffix ("dc=""") slapadd -v -b 'dc=' -l ./root.ldif slapadd: slap_init invalid suffix ("dc=") slapadd -v -b "dc=" -l ./root.ldif slapadd: slap_init invalid suffix ("dc=") slappadd -v -b "dc=" -l ./root.ldif slapadd: slap_init invalid suffix ("dc=") slapadd -v -b "dc=''" -l ./root.ldif slapadd: slap_init no backend for "dc=''" -- Pozdrowienia, kefast(a)o2.pl

2 1

slapo-chain + TLS = help
by Warren Howard 20 Jul '12

20 Jul '12

Hi, I'm not able to get slapo-chain + TLS to work. Slapo-chain without TLS works, syncrepl + TLS works, the ldapclients with TLS works, just slapo-chain + TLS does not work. "man slapo-chain" contains no information about the tls options for slapo-chain, but with I enable "chain-tls start" (as described in the OpenLDAP Admin Guide) I get the error : TLS negotiation failure. What TLS options for slapo-chain are available for me to configure to get this working? Note : I'm using Ubuntu 12.04 with slapd 2.4.28 provided by the distribution. Regards, Warren.

5 7

database ldap and acl-bind
by Nerijus Kislauskas 19 Jul '12

19 Jul '12

Hi everyone, As I understand from documentation, acl-bind is a technique to fetch acls from backend ldap to ldap proxy and apply them in there. Is this correct? I can't find any working example with shown logs to prove my idea nor i can get my configs to work. Maybe there is something i don't know? My configs: /etc/ldap/slapd.d/cn=config/olcDatabase={2}ldap.ldif: dn: olcDatabase={2}ldap objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {2}ldap structuralObjectClass: olcLDAPConfig entryUUID: da219748-6515-1031-9486-41b4d47f5b36 olcSuffix: dc=ktu,dc=lt olcDbURI: ldap://83.171.20.45 olcDbIdleTimeout: 60 olcDbACLBind: bindmethod=simple binddn="cn=test,dc=ktu,dc=lt" credentials="test" Logs: Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: access to entry "dc=ktu,dc=lt", attr "entry" requested Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: to all values by "cn=admin,dc=ktu,dc=lt", (=0) Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat: * Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] applying +0 (break) Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] mask: =0 Jul 19 12:17:36 bijote slapd[1435]: => dn: [2] Jul 19 12:17:36 bijote slapd[1435]: => dn: [3] cn=subschema Jul 19 12:17:36 bijote slapd[1435]: <= acl_get: done. Jul 19 12:17:36 bijote slapd[1435]: => slap_access_allowed: no more rules Clearly visible, that there is no ACL configs in database definition, and ACL's comes from frontend database (defaults): /etc/ldap/slapd.d/cn=config/olcDatabase\={2}ldap.ldif: ... olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read .... As I understand, there should be ACL in ldap proxy (custom or defaults, tied to backends ACL's or not). Please help me to clear things out. -- Sincerely, Nerijus Kislauskas KTU ITPI, Litnet valdymo centras

1 0

openldap groups and roles
by Jignesh Patel 19 Jul '12

19 Jul '12

We are using OpenLDAP at present. But we are anticipating a huge growth in number of users. We are intented to support 300,000 users. Is that possible with openLDAP?Has any body tried it? Also can i define various roles inside openldap?Can I also define groups inside openldap? Jignesh Patel Chief Architect iCare.com LLC  Las Olas City Centre, Suite 2250 401 East Las Olas Boulevard Fort Lauderdale, Florida 33301 O: 954-616-5604 F: 954-616-5609 jignesh(a)icare.com CONFIDENTIALITY NOTE: The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, please immediately reply to the sender that you have received this communication in error and then delete it. Thank you. On Jul 18, 2012, at 2:57 PM, openldap-technical-request(a)OpenLDAP.org wrote: > openldap-technical(a)openldap.org

2 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2012