LDAP URI
by Emmanuel Dreyfus
Hi
When feeding a LDAP URI to ldap_url_parse(), I understand some characters
may need to be escaped in filters in order to get a literal:
* => \2a
( => \28
) => \29
\ => \5c
/ => \2f
Reading the man page, I understand %-encoding is not mandatory, but
it is of course required for ?, and obviously for %.
? -> %3F
% -> %25
Are there other characters that should be %-encoded?
--
Emmanuel Dreyfus
manu(a)netbsd.org
11 years
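As an added example (not from the post above), here is how the two layers of escaping the question distinguishes fit together: RFC 4515 backslash escapes inside the filter, then RFC 4516 percent-encoding of each URL component, so that `?` and `%` can never reach ldap_url_parse() unencoded. The function names, host and DNs are my own constructed choices.

```python
from urllib.parse import quote

# RFC 4515 filter escaping: these characters are replaced by \XX inside an
# assertion value so they are read literally rather than as filter syntax.
_FILTER_SPECIALS = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value for use inside an LDAP filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_ldap_url(host, base_dn, attrs=(), scope="sub", filt="(objectClass=*)"):
    """Assemble ldap://host/dn?attrs?scope?filter with RFC 4516 percent-encoding.

    Each component is quoted on its own, so '?' (the component separator) and
    '%' (the escape introducer) are always emitted as %3F and %25.
    """
    base = quote(base_dn, safe="=,")
    attrlist = ",".join(quote(a, safe="") for a in attrs)
    # Keep RFC 4515 filter punctuation; percent-encode everything else
    # (spaces, '?', '%', non-ASCII bytes and the backslash of \XX escapes).
    f = quote(filt, safe="()=*&|!~<>:")
    return f"ldap://{host}/{base}?{attrlist}?{scope}?{f}"


if __name__ == "__main__":
    # Constructed value containing both filter-special and URL-special characters.
    raw = "it's 50%? (*)"
    filt = "(uid=" + escape_filter_value(raw) + ")"
    print(filt)
    print(build_ldap_url("ldap.example.com", "o=Example,c=Net", ["uid"], "sub", filt))
```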
Re: Ldap search that must work
by Amol Kulkarni
Hi,
I had faced similar issue once - the cause was the index on the attribute was corrupt.
Reindexing solved the issue.
In your case, reindexing the uidnumber attribute should solve the issue.
Amol.
----- Original Message -----
From: Aitor Garcia Ortega - Tempel.es
Sent: 09/26/12 05:24 PM
To: openldap-technical(a)openldap.org
Subject: Ldap search that must work
11 years
slapd: do_syncrepl: rid=010 rc -2 retrying (4 retries left)
by Roman Rybalko
slapd[21334]: do_syncrepl: rid=010 rc -2 retrying (4 retries left)
olcSyncrepl: {0}rid=010 provider=ldap://ldap binddn="cn=config"
bindmethod=simple credentials=XXX searchbase="cn=config"
type=refreshAndPersist retry="5 5 300 5" timeout=1
slapd-2.4.23 on master & slave
This happens when the slave server is restarted.
If I make some change to cn=config, then the error disappears.
I didn't find any explanation about rc -2.
What is this about?
--
WBR,
Roman Rybalko
11 years
TLS error on startup
by Brian Empson
Hello,
I'm having an issue starting up slapd with TLS enabled. I tried to search for the error code but I couldn't find any GnuTLS error codes that match. Here are the log entries that appear:
Sep 25 21:07:05 dir0 slapd[15018]: main: TLS init def ctx failed: -1
Sep 25 21:07:05 dir0 slapd[15018]: DIGEST-MD5 common mech free
Sep 25 21:07:05 dir0 slapd[15018]: slapd stopped.
Sep 25 21:07:05 dir0 slapd[15018]: connections_destroy: nothing to destroy.
Is there a way to check and see if this build is enabled with TLS support? I installed it from a package manager rather than compiling it. Here are the TLS portions of the config:
# SSL
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/ca.pem
TLSCertificateFile /etc/openldap/ssl/server.pem
TLSCertificateKeyFile /etc/openldap/ssl/server.key
TLSVerifyClient demand
Here are the files listed: (I changed the permissions during troubleshooting)
[09/25/12 9:16PM][root@dir0 /etc/openldap]# ls -lah ssl
total 12
drw------- 2 _openldap _openldap 512B Sep 25 19:59 .
drwxr-xr-x 4 root wheel 512B Sep 25 19:54 ..
-rwxrwxrwx 1 _openldap _openldap 3B Sep 25 20:08 digits.srl
-rwxrwxrwx 1 _openldap _openldap 887B Sep 25 19:56 server.key
-rwxrwxrwx 1 _openldap _openldap 904B Sep 25 20:08 server.pem
-rwxrwxrwx 1 _openldap _openldap 684B Sep 25 19:57 server.req
[09/25/12 9:16PM][root@dir0 /etc/openldap]# ls -lah /etc/ssl
total 170
drwxr-xr-x 4 root wheel 512B Sep 25 19:52 .
drwxr-xr-x 27 root wheel 2.5K Sep 24 20:50 ..
-rw-r--r-- 1 root wheel 912B Sep 23 16:30 ca.crt
-rw-r--r-- 1 root wheel 912B Sep 25 19:52 ca.pem
-rw-r--r-- 1 root wheel 17B Sep 23 17:51 ca.srl
-r--r--r-- 1 root bin 147K Feb 12 2012 cert.pem
drwxr-xr-x 2 root wheel 512B Feb 12 2012 lib
-r--r--r-- 1 root bin 1.6K Feb 12 2012 openssl.cnf
drwx------ 2 root wheel 512B Sep 23 16:29 private
-rw-r--r-- 1 root wheel 1.0K Sep 25 19:52 privkey.pem
-r--r--r-- 1 root bin 1005B Feb 12 2012 x509v3.cnf
Is this an issue with the build I'm running? (SSL not enabled or?)
Thanks!
Brian
11 years
Ldap search that must work
by Aitor Garcia Ortega - Tempel.es
I'm feeling some kind of stupid
I'm running openldap-servers-2.4.23-26.el6_3.2.x86_64 under Centos 6.3.
Using ldapsearch I get this result:
ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uid=aitiddnet)'
> # extended LDIF
> #
> # LDAPv3
> # base <o=Iddover,c=Net> with scope subtree
> # filter: (uid=aitiddnet)
> # requesting: ALL
> #
>
> # aitiddnet, People, Iddover, Net
> dn: uid=aitiddnet,ou=People,o=Iddover,c=Net
> uid: aitiddnet
> cn: Aitor Garcia Ortega - Iddover.net
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: inetLocalMailRecipient
> userPassword:: **************
> shadowLastChange: 14363
> shadowMax: 99999
> shadowWarning: 7
> uidNumber: 546
> gidNumber: 546
> gecos: Aitor Garcia Ortega - Iddover.net
> mailLocalAddress: aitor.garcia(a)iddover.net
> mailHost: localhost
> homeDirectory: /home/aitiddnet
> loginShell: /bin/bash
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
But this second ldap search doesn't work
# ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)'
> # extended LDIF
> #
> # LDAPv3
> # base <o=Iddover,c=Net> with scope subtree
> # filter: (uidNumber=546)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
I really don't understand.
In another server with CentOS release 5.6 (Final),
openldap-servers-2.3.43-12.el5_6.7 and the same database it works well...
# ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)'
# extended LDIF
#
# LDAPv3
# base <o=Iddover,c=Net> with scope subtree
# filter: (uidNumber=546)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
[root@r300te1 ~]# ldapsearch -h 172.16.6.1 -x -b 'o=Iddover,c=Net' '(uidNumber=546)'
# extended LDIF
#
# LDAPv3
# base <o=Iddover,c=Net> with scope subtree
# filter: (uidNumber=546)
# requesting: ALL
#
# aitiddnet, People, Iddover, Net
dn: uid=aitiddnet,ou=People,o=Iddover,c=Net
uid: aitiddnet
cn: Aitor Garcia Ortega - Iddover.net
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetLocalMailRecipient
userPassword:: *****************
shadowLastChange: 14363
shadowMax: 99999
11 years
ldapsearch stalling when performing searches with a large number of results
by Mark Cairney
Hi,
I've been finding that ldapsearch will freeze when performing searches with a large (typically >10,000) number of results.
As far as I can tell this does not appear to be related to server load as according to iostat and top the servers don't appear to be stressed
and the servers continue to respond to incoming requests.
I'm running OpenLDAP 2.4.30 with BDB 4.8.30 in multi-master mode with syncrepl if this makes any difference. I have tried upgrading to 2.4.32 but
this appears to be exhibiting the same behaviour.
In terms of the size of the database I've got about 300,000 entries and my bdb database files are currently taking up 5.6G.
The servers themselves are 4xquad-cores with 24GB RAM.
Has anyone else seen this behaviour or should I file an ITS?
/****************************
Mark R Cairney
ITI UNIX Section
Information Services
Tel: 0131 650 6565
Email: Mark.Cairney(a)ed.ac.uk
****************************/
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
11 years
Invalid Credentials when using ldappasswd
by Matej Mailing
Hi all,
I have installed open LDAP utilities on Ubuntu 12.04 via apt-get
install. I have version 2.4.28-1.1ubuntu4 installed. I can connect
successfully to the LDAP via phpldapadmin with login
cn=admin,dc=mydomain,dc=net and my administrator password.
I want to create an administrator for the SOGo login with the
following ldif file:
"dn: ou=accounts,dc=domain,dc=net
objectClass: organizationalUnit
ou: accounts
dn: uid=adminsogo,ou=accounts,dc=domain,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
uid: adminsogo
cn: SOGo Administrator
mail: sogo(a)domain.net
sn: Administrator
givenName: SOGAdmin
"
When running ldapadd -f admin.ldif -x -W -D cn=admin,dc=domain,dc=net
and after entering the administrator password (the same I use to
log-in into phpldapadmin), I get:
"adding new entry "ou=accounts,dc=domain,dc=net"
adding new entry "uid=sogadmin,ou=accounts,dc=domain,dc=net"
I assume that everything is OK at this point.
The problem is when I enter:
ldappasswd -h localhost -x -W -D cn=admin,dc=domain,dc=net,uid=sogadmin,ou=accounts,dc=domain,dc=net -s newpass
I have to enter the LDAP password and I enter my administrator
password, but always get the output:
"ldap_bind: Invalid credentials (49)"
When doing
"ldapsearch -x -h localhost -b "dc=domain,dc=net" -s sub "objectclass=*""
I can see that an object sogadmin is created:
".....
dn: uid=adminsogo,ou=accounts,dc=domain,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
uid: adminsogo
cn: SOGo Administrator
mail: sogo(a)domain.net
sn: Administrator
givenName:: U09HQWRtaW4g
..."
What should I check to get past this "ldap_bind: Invalid credentials
(49)" when trying to ldappasswd of a new user?
I am pretty sure this must be some basic thing, but I am really a
beginner in the LDAP field .. I have spent few days already trying to
solve this and any help will be very appreciated.
Thanks for any ideas in advance.
Regards,
Matej
11 years
slapd: way of configuration
by Tobias Hachmer
Hello list,
I want to know what the recommended way is to configure slapd. I'm
using openldap package 2.4.28 under ubuntu precise.
As default there is no /etc/ldap/slapd.conf and the whole configuration
is located under /etc/ldap/slapd.d/ in ldif format.
1. Must I use ldapmodify to change slapd configuration in cn=config
backend or can I just change configuration directives directly in the
appropriate ldif file under /etc/ldap/slapd.d/cn=config/* ? If the
latter, have I to restart slapd after configuration changes?
2. Will the old school way to configure slapd via slapd.conf be
deprecated and not available at all in future?
Thanks and kind regards,
Tobias Hachmer
11 years
Mac Ldap Client login problem
by cbulist
Hi,
I'm trying to configure a Mac client(OS X 10.7.2) with my Openldap
server (2.4.23).
I configured Directory Utility with my LDAPv3 support and see that
Network Account Server on green status.
After that I can do: su <username> or id <username> in terminal and I'm
able to login or view the data of the user.
The problem is when I reset the Mac and I try to login from the initial
GUI login screen it does not permit me. I checked the openldap server
log and I see the requested without any error.
Do I have to do something in Mac's PAM file?
I really appreciate any help with this problem.
Thanks in advance.
11 years
Problem with olcAccess
by Tobias Hachmer
Hello list,
I'm simply trying to add an olcAccess entry to the config backend.
here the file contents:
dn: olcDatabase={1}hdb,cn=config
changeType: modify
add: olcAccess
olcAccess: to dn.subtree="ou=public,ou=addressbook,dc=example,dc=com" by users write
What I get after adding this to the backend is:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess:: ezN9dG8gZG4uc3VidHJlZT0ib3U9cHVibGljLG91PWFkZHJlc3Nib29rLGRjPWtva2VsbmV0LGRjPWRlIiBieSAqIHdyaXRlIA==
What's going on here, what did I do wrong? I don't get it yet. Please
help me.
Regards,
Tobias Hachmer
11 years
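The `olcAccess::` line in the post above is not corrupt: LDIF (RFC 2849) must base64-encode any value that is unsafe as plain text, for instance one with a trailing space, and that is what the decoded value carries. The following added example (my own code, not from the post or from OpenLDAP) implements those rules and decodes the posted line; `needs_base64`, `ldif_line` and `parse_ldif_line` are names I chose.

```python
import base64

# RFC 2849: a value is written as "attr:: <base64>" when it starts with SPACE,
# ':' or '<', ends with SPACE, or contains NUL, CR, LF or any non-ASCII byte.
_BAD_FIRST = frozenset(" :<")
_BAD_ANY = frozenset("\0\r\n")


def needs_base64(value: str) -> bool:
    if not value:
        return False
    if value[0] in _BAD_FIRST or value[-1] == " ":
        return True
    return any(ch in _BAD_ANY or ord(ch) > 127 for ch in value)


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute/value pair the way slapcat or ldapsearch would."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def parse_ldif_line(line: str):
    """Return (attr, decoded_value) for one unfolded LDIF line."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # "attr:: base64" form
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    # Plain form: exactly one separating space precedes the value.
    return attr, rest[1:] if rest.startswith(" ") else rest


# The base64 olcAccess value quoted in the post above, continuation joined.
POSTED_LINE = ("olcAccess:: ezN9dG8gZG4uc3VidHJlZT0ib3U9cHVibGljLG91PWFkZHJlc3Nib29rLGRjPWtva2"
               "VsbmV0LGRjPWRlIiBieSAqIHdyaXRlIA==")

if __name__ == "__main__":
    attr, value = parse_ldif_line(POSTED_LINE)
    print(repr(value))            # note the trailing space that forced base64
    print(ldif_line(attr, value.rstrip()))  # without it, slapd prints plain text
```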