September 2012 - openldap-technical

by Emmanuel Dreyfus

Hi When feeding a LDAP URI to ldap_url_parse(), I understand some characters may need to be escaped in filters in order to get a litteral: * => \2a ( => \28 ) => \29 \ => \5c / => \2f Reading the man page, I understand %-encoding is not mandatory, but it is of course required for ?, and obviously for %. ? -> %3F % -> %25 Are there other characters that should be %-encoded? -- Emmanuel Dreyfus manu(a)netbsd.org

11 years

6
12
0 / 0

Re: Ldap search that must work

by Amol Kulkarni

Hi, I had faced similar issue once - the cause was the index on the attribute was corrupt. Reindexing solved the issue. In your case, reindexing the uidnumber attribute should solve the issue. Amol. ----- Original Message ----- From: Aitor Garcia Ortega - Tempel.es Sent: 09/26/12 05:24 PM To: openldap-technical(a)openldap.org Subject: Ldap search that must work I'm feeling som kind of stupid I'm running openldap-servers-2.4.23-26.el6_3.2.x86_64 under Centos 6.3. Using ldapsearch I get this result: ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uid=aitiddnet)' > # extended LDIF > # > # LDAPv3 > # base <o=Iddover,c=Net> with scope subtree > # filter: (uid=aitiddnet) > # requesting: ALL > # > > # aitiddnet, People, Iddover, Net > dn: uid=aitiddnet,ou=People,o=Iddover,c=Net > uid: aitiddnet > cn: Aitor Garcia Ortega - Iddover.net > objectClass: account > objectClass: posixAccount > objectClass: top > objectClass: shadowAccount > objectClass: inetLocalMailRecipient > userPassword:: ************** > shadowLastChange: 14363 > shadowMax: 99999 > shadowWarning: 7 > uidNumber: 546 > gidNumber: 546 > gecos: Aitor Garcia Ortega - Iddover.net > mailLocalAddress: aitor.garcia(a)iddover.net > mailHost: localhost > homeDirectory: /home/aitiddnet > loginShell: /bin/bash > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 But this seconf ldap serch don't work # ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)' > # extended LDIF > # > # LDAPv3 > # base <o=Iddover,c=Net> with scope subtree > # filter: (uidNumber=546) > # requesting: ALL > # > > # search result > search: 2 > result: 0 Success I really don't undertand. In another server with CentOS release 5.6 (Final), openldap-servers-2.3.43-12.el5_6.7 and the same database it works well... # ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)' # extended LDIF # # LDAPv3 # base <o=Iddover,c=Net> with scope subtree # filter: (uidNumber=546) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 [root@r300te1 ~]# ldapsearch -h 172.16.6.1 -x -b 'o=Iddover,c=Net' '(uidNumber=546)' # extended LDIF # # LDAPv3 # base <o=Iddover,c=Net> with scope subtree # filter: (uidNumber=546) # requesting: ALL # # aitiddnet, People, Iddover, Net dn: uid=aitiddnet,ou=People,o=Iddover,c=Net uid: aitiddnet cn: Aitor Garcia Ortega - Iddover.net objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: inetLocalMailRecipient userPassword:: ***************** shadowLastChange: 14363 shadowMax: 99999

11 years

2
1
0 / 0

slapd: do_syncrepl: rid=010 rc -2 retrying (4 retries left)

by Roman Rybalko

slapd[21334]: do_syncrepl: rid=010 rc -2 retrying (4 retries left) olcSyncrepl: {0}rid=010 provider=ldap://ldap binddn="cn=config" bindmethod=simple credentials=XXX searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 slapd-2.4.23 on master & slave This happens when the slave server is restarted. If make some change to cn=config, then the error disappear. I didn't find any explanation about rc -2. What this is about? -- WBR, Roman Rybalko

11 years

1
0
0 / 0

TLS error on startup

by Brian Empson

Hello, I'm having an issue starting up slapd with TLS enabled. I tried to search for the error code but I couldn't find any GnuTLS error codes that match. Here are the log entries that appear: Sep 25 21:07:05 dir0 slapd[15018]: main: TLS init def ctx failed: -1 Sep 25 21:07:05 dir0 slapd[15018]: DIGEST-MD5 common mech free Sep 25 21:07:05 dir0 slapd[15018]: slapd stopped. Sep 25 21:07:05 dir0 slapd[15018]: connections_destroy: nothing to destroy. Is there a way to check and see if this build is enabled with TLS support? I installed it from a package manager rather than compiling it. Here are the TLS portions of the config: # SSL TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /etc/ssl/ca.pem TLSCertificateFile /etc/openldap/ssl/server.pem TLSCertificateKeyFile /etc/openldap/ssl/server.key TLSVerifyClient demand Here are the files listed: (I changed the permissions during troubleshooting) [09/25/12 9:16PM][root@dir0 /etc/openldap]# ls -lah ssl total 12 drw------- 2 _openldap _openldap 512B Sep 25 19:59 . drwxr-xr-x 4 root wheel 512B Sep 25 19:54 .. -rwxrwxrwx 1 _openldap _openldap 3B Sep 25 20:08 digits.srl -rwxrwxrwx 1 _openldap _openldap 887B Sep 25 19:56 server.key -rwxrwxrwx 1 _openldap _openldap 904B Sep 25 20:08 server.pem -rwxrwxrwx 1 _openldap _openldap 684B Sep 25 19:57 server.req [09/25/12 9:16PM][root@dir0 /etc/openldap]# ls -lah /etc/ssl total 170 drwxr-xr-x 4 root wheel 512B Sep 25 19:52 . drwxr-xr-x 27 root wheel 2.5K Sep 24 20:50 .. -rw-r--r-- 1 root wheel 912B Sep 23 16:30 ca.crt -rw-r--r-- 1 root wheel 912B Sep 25 19:52 ca.pem -rw-r--r-- 1 root wheel 17B Sep 23 17:51 ca.srl -r--r--r-- 1 root bin 147K Feb 12 2012 cert.pem drwxr-xr-x 2 root wheel 512B Feb 12 2012 lib -r--r--r-- 1 root bin 1.6K Feb 12 2012 openssl.cnf drwx------ 2 root wheel 512B Sep 23 16:29 private -rw-r--r-- 1 root wheel 1.0K Sep 25 19:52 privkey.pem -r--r--r-- 1 root bin 1005B Feb 12 2012 x509v3.cnf Is this an issue with the build I'm running? (SSL not enabled or?) Thanks! Brian

11 years

4
3
0 / 0

Ldap search that must work

by Aitor Garcia Ortega - Tempel.es

I'm feeling som kind of stupid I'm running openldap-servers-2.4.23-26.el6_3.2.x86_64 under Centos 6.3. Using ldapsearch I get this result: ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uid=aitiddnet)' > # extended LDIF > # > # LDAPv3 > # base <o=Iddover,c=Net> with scope subtree > # filter: (uid=aitiddnet) > # requesting: ALL > # > > # aitiddnet, People, Iddover, Net > dn: uid=aitiddnet,ou=People,o=Iddover,c=Net > uid: aitiddnet > cn: Aitor Garcia Ortega - Iddover.net > objectClass: account > objectClass: posixAccount > objectClass: top > objectClass: shadowAccount > objectClass: inetLocalMailRecipient > userPassword:: ************** > shadowLastChange: 14363 > shadowMax: 99999 > shadowWarning: 7 > uidNumber: 546 > gidNumber: 546 > gecos: Aitor Garcia Ortega - Iddover.net > mailLocalAddress: aitor.garcia(a)iddover.net > mailHost: localhost > homeDirectory: /home/aitiddnet > loginShell: /bin/bash > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 But this seconf ldap serch don't work # ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)' > # extended LDIF > # > # LDAPv3 > # base <o=Iddover,c=Net> with scope subtree > # filter: (uidNumber=546) > # requesting: ALL > # > > # search result > search: 2 > result: 0 Success I really don't undertand. In another server with CentOS release 5.6 (Final), openldap-servers-2.3.43-12.el5_6.7 and the same database it works well... # ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)' # extended LDIF # # LDAPv3 # base <o=Iddover,c=Net> with scope subtree # filter: (uidNumber=546) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 [root@r300te1 ~]# ldapsearch -h 172.16.6.1 -x -b 'o=Iddover,c=Net' '(uidNumber=546)' # extended LDIF # # LDAPv3 # base <o=Iddover,c=Net> with scope subtree # filter: (uidNumber=546) # requesting: ALL # # aitiddnet, People, Iddover, Net dn: uid=aitiddnet,ou=People,o=Iddover,c=Net uid: aitiddnet cn: Aitor Garcia Ortega - Iddover.net objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: inetLocalMailRecipient userPassword:: ***************** shadowLastChange: 14363 shadowMax: 99999

11 years

1
0
0 / 0

ldapsearch stalling when performing searches with a large number of results

by Mark Cairney

Hi, I've been finding that ldapsearch will freeze when performing searches with a large (typically >10,000) number of results. As far as I can tell this does not appear to be related to server load as according to iostat and top the servers don't appear to be stressed and the servers continue to respond to incoming requests. I'm running OpenLDAP 2.4.30 with BDB 4.8.30 in multi-master mode with syncrepl if this makes any difference. I have tried upgrading to 2.4.32 but this appears to be exhibiting the same behaviour. In terms of the size of the database I've got about 300,000 entries and my bdb database files are currently taking up 5.6G. The servers themselves are 4xquad-cores with 24GB RAM. Has anyone else seen this behaviour or should I file an ITS? /**************************** Mark R Cairney ITI UNIX Section Information Services Tel: 0131 650 6565 Email: Mark.Cairney(a)ed.ac.uk ****************************/ -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

11 years

3
2
0 / 0

Invalid Credentials when using ldappasswd

by Matej Mailing

Hi all, I have installed open LDAP utilities on Ubuntu 12.04 via apt-get install. I have version 2.4.28-1.1ubuntu4 installed. I can connect successully to the LDAP via phpldapadmin with login cn=admin,dc=mydomain,dc=net and my administrator password. I want to create an administrator for the SOGo login with the following ldif file: "dn: ou=accounts,dc=domain,dc=net objectClass: organizationalUnit ou: accounts dn: uid=adminsogo,ou=accounts,dc=domain,dc=net objectClass: top objectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson uid: adminsogo cn: SOGo Administrator mail: sogo(a)domain.net sn: Administrator givenName: SOGAdmin " When running ldapadd -f admin.ldif -x -W -D cn=admin,dc=domain,dc=net and after entering the administrator password (the same I use to log-in into phpldapadmin), I get: "adding new entry "ou=accounts,dc=domain,dc=net" adding new entry "uid=sogadmin,ou=accounts,dc=domain,dc=net" I assume that everything is OK at this point. The problem is when I enter: ldappasswd -h localhost -x -W -D cn=admin,dc=domain,dc=net,uid=sogadmin,ou=accounts,dc=domain,dc=net -s newpass I have to enter the LDAP password and I enter my administrator password, but always get the output: "ldap_bind: Invalid credentials (49)" When doing "dapsearch -x -h localhost -b "dc=domain,dc=net" -s sub "objectclass=*"" I can see that an object sogadmin is created: "..... dn: uid=adminsogo,ou=accounts,dc=domain,dc=net objectClass: top objectClass: inetOrgPerson objectClass: person objectClass: organizationalPerson uid: adminsogo cn: SOGo Administrator mail: sogo(a)domain.net sn: Administrator givenName:: U09HQWRtaW4g ..." What should I check to get past this "ldap_bind: Invalid credentials (49)" when trying to ldappasswd of a new user? I am pretty sure this must be some basic thing, but I am really a beginner in the LDAP field .. I have spent few days already trying to solve this and any help will be very appreciated. Thanks for any ideas in advance. Regards, Matej

11 years

2
2
0 / 0

slapd: way of configuration

by Tobias Hachmer

Hello list, I want to know what the recommended way is to configure slapd. I'm using openldap package 2.4.28 under ubuntu precise. As default there is no /etc/ldap/slapd.conf and the whole configuration is located under /etc/ldap/slapd.d/ in ldif format. 1. Must I use ldapmodify to change slapd configuration in cn=config backend or can I just change configuration directives directly in the appropriate ldif file under /etc/ldap/slapd.d/cn=config/* ? If the latter, have I to restart slapd after configuration changes? 2. Will the old school way to configure slapd via slapd.conf be deprecated and not available at all in future? Thanks and kind regards, Tobias Hachmer

11 years

6
8
0 / 0

Mac Ldap Client login problem

by cbulist

Hi, I'm trying to configure a Mac client(OS X 10.7.2) with my Openldap server (2.4.23). I configured Directory Utility with my LDAPv3 support and see that Network Account Server on green status. After that I can do: su <username> or id <username> in terminal and I'm able to login or view the data of the user. The problem is when I reset the Mac and I try to login from the initial GUI login screen it does not permit me. I checked the openldap server log and I see the requested without any error. Do I have to do something in Mac's PAM file? I really appreciate any help with this problem. Thanks in advance.

11 years

1
0
0 / 0

Problem with olcAccess

by Tobias Hachmer

Hello list, I simply trying to add an olcAccess entry to the config backend. here the file contents: dn: olcDatabase={1}hdb,cn=config changeType: modify add: olcAccess olcAccess: to dn.subtree="ou=public,ou=addressbook,dc=example,dc=com" by users write What I've get after adding this to the backend is: olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=a dmin,dc=example,dc=com" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read olcAccess:: ezN9dG8gZG4uc3VidHJlZT0ib3U9cHVibGljLG91PWFkZHJlc3Nib29rLGRjPWtva2 VsbmV0LGRjPWRlIiBieSAqIHdyaXRlIA== What's going on here, what did I wrong, I didn't get it yet. Please help me. Regards, Tobias Hachmer

11 years

4
6
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2012