Logging events to a log file
by Mik J
Hello List,
When I start slapd with the option -d 256 I can see what's happening when there's a connection
# /usr/local/libexec/slapd -4 -d 256 -u _openldap -g _openldap -h ldaps:///
However I would like to have this in a log file and I added these lines to slapd.conf
loglevel 256
logfile /var/log/slapd.log
But my log file remains empty after I start the server with (without -d 256)
# /usr/local/libexec/slapd -4 -u _openldap -g _openldap -h ldaps:///
However if I start the server with
# /usr/local/libexec/slapd -4 -d 256 -u _openldap -g _openldap -h ldaps:///
The events display on the screen and in the slapd.log file as well. This behavior surprises me, am I missing something?
My ldap server version is 2.4.26p0
Thank you
Glue slapd-ldap with hdb
by Tio Teath
I'm trying to glue remote database, provided by ldap backend with
local hdb. I have following settings:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcRootDN: cn=admin,cn=config
olcSuffix: dc=local
dn: olcOverlay={0}glue,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}glue
...
dn: olcDatabase={3}ldap,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {3}ldap
olcDbChaseReferrals: TRUE
olcDbRebindAsUser: TRUE
olcDbURI: ldap://remote.server
olcRootDN: cn=admin,cn=config
olcSubordinate: TRUE
olcSuffix: dc=corp,dc=local
But when I try to load it into cn=config, I get next error:
[LDAP: error code 80 - <olcSuffix> namingContext "dc=corp,dc=local"
already served by a preceding hdb database]
Version: 2.4.25-1.1ubuntu4.1
Re: Message to Change Password
by Guillaume Rousse
On 21/09/2012 16:28, Soporte Ti wrote:
> This message appears missing five days for the password expires and
> appears until this has expired but only every time I login with the user.
Login where? On a web application? On a unix workstation? On an imap
mail server?
> There is something more than the passwd command to be used for this?
A password is just an attribute in an LDAP server, so any command able
to modify LDAP content can be potentially used. ldappassword being the
most obvious one here.
If, as I'm supposing now, you're actually using an LDAP server to manage
Posix user accounts, and you have this issue when logging on an unix
host, your problem is merely a client-side issue, and not an LDAP issue.
You'll have better answers on the mailing list related to your exact
LDAP client (pam_ldap, sssd, nss_pam_ldapd).
--
BOFH excuse #70:
nesting roaches shorted out the ether cable
Re: How enforce TLS connection to openldap server only?
by Khosrow Ebrahimpour
On September 20, 2012 09:59:05 AM Quanah Gibson-Mount wrote:
> --On Thursday, September 20, 2012 9:58 AM -0700 Quanah Gibson-Mount
>
> <quanah(a)zimbra.com> wrote:
> > --On Thursday, September 20, 2012 12:02 PM -0400 Yan Gong
> >
> > <yan(a)fabric.com> wrote:
> >> Peter:
> >>
> >> Thanks for the confirmation!
> >> I only used olcSecurity, not olcAccess to enforce the TLS connection.
> >> Man, I wish there is more detailed, updated and user-friendly information
> >> about OpenLdap on the web.
> >> I guess, that's why people are turning to Active Directory because it is
> >> much easier to use.
> >
> > It is documented in the manual pages, which are both on the web, and ship
> > with the software itself. Lack of comprehension does not mean lack of
> > documentation.
> >
> > If you think AD is LDAP, then you are in for a world of hurt.
>
> Meant to send this to the list. ;)
>
I agree with Quanah that documentation is there, I also think Yan is correct
that the information is not very easy to find.
I've used the Admin Guide and the Faq-O-Matic on many occasions and found
them a good starting point, but not the final answer. I think a wiki-style
documentation where the user community could more easily contribute to the
knowledge base may be a helpful thing.
Having said all that, there may already be something like that and I just
don't know about it.
I can start a new thread if more people want to chime in since I don't want to
derail the original thread here.
RE: How enforce TLS connection to openldap server only?
by Quanah Gibson-Mount
--On Thursday, September 20, 2012 1:53 PM -0400 Yan Gong <yan(a)fabric.com>
wrote:
>
>
> Hmm…when I tried to search for keyword: olsSecurity, nothing shows up:
Please keep replies on the list. Since you are looking for configuration
options, I suggest you search for slapd-config
Also, learn how to use the "man" command from the linux prompt.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
RE: How enforce TLS connection to openldap server only?
by Yan Gong
Nope, olcSecurity didn't help. Still have the problem. I restarted slapd.
Please see below:
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcSecurity: simple_bind=128
olcSecurity: ssf=128
olcSecurity: tls=1
olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none
olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read
olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read
olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: c2VjcmV0
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: uid eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20120919180734Z
entryCSN: 20120919181117.233986Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20120919181117Z
Thanks a lot!
Yan
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, September 20, 2012 7:50 AM
To: Quanah Gibson-Mount
Cc: Yan Gong; openldap-technical(a)openldap.org
Subject: Re: How enforce TLS connection to openldap server only?
Quanah Gibson-Mount wrote:
>> Should I use olcAccess or olcSecurity? or both? I couldn't find any
>> detailed steps/documentation
>
> olcSecurity would enforce encryption for any and all connections.
> Note that you have to restart slapd for it to take effect.
Eh, no. olcSecurity changes take effect immediately. No restart needed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
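Added illustration, not OpenLDAP code and not part of the thread: a small model of how slapd applies the olcSecurity minima from the config posted above (ssf=128, tls=1, simple_bind=128) and the tls_ssf=/ssf= qualifiers of its olcAccess "by" clauses to one client connection. The connection records and their strength values are constructed.

```python
"""Model of slapd's olcSecurity checks and olcAccess tls_ssf=/ssf= qualifiers.
Added example, not OpenLDAP code; connections below are constructed."""
from dataclasses import dataclass

# From the posted config: olcSecurity: simple_bind=128 / ssf=128 / tls=1
SECURITY = {"ssf": 128, "tls": 1, "simple_bind": 128}
# One <who> clause from the posted ACLs: "by tls_ssf=128 ssf=128 * read"
WHO_ANY_OVER_TLS = {"tls_ssf": 128, "ssf": 128}


@dataclass
class Conn:
    tls_ssf: int       # strength negotiated by StartTLS/ldaps; 0 on cleartext
    sasl_ssf: int = 0  # strength of a SASL security layer; 0 for simple binds

    @property
    def ssf(self) -> int:
        # the overall strength is the stronger of the TLS and SASL layers
        return max(self.tls_ssf, self.sasl_ssf)


def security_check(conn: Conn, op: str, security=SECURITY):
    """Return None if slapd lets `op` proceed on `conn`, otherwise the reason
    it is refused (slapd answers with confidentialityRequired, result 13).
    StartTLS is exempt: it is how a cleartext session upgrades itself."""
    if op == "starttls":
        return None
    if conn.tls_ssf < security.get("tls", 0):
        return "TLS confidentiality required"
    if op == "simple_bind" and conn.ssf < security.get("simple_bind", 0):
        return "confidentiality required"      # a simple bind carries a password
    if conn.ssf < security.get("ssf", 0):
        return "confidentiality required"
    return None


def who_matches(conn: Conn, qualifiers: dict) -> bool:
    """Evaluate the tls_ssf=/ssf= qualifiers of an olcAccess <who> clause.
    A clause whose qualifiers fail simply does not match, so evaluation
    falls through to the next "by" clause (in the posted ACL, "by * none")."""
    return (conn.tls_ssf >= qualifiers.get("tls_ssf", 0)
            and conn.ssf >= qualifiers.get("ssf", 0))


def session(conn: Conn) -> dict:
    """What a client on `conn` can do against the database from the thread."""
    return {
        "starttls": security_check(conn, "starttls"),
        "simple_bind": security_check(conn, "simple_bind"),
        "search": security_check(conn, "search"),
        "acl_any_read": who_matches(conn, WHO_ANY_OVER_TLS),
    }
```

The model shows why a cleartext TCP connection on port 389 is still accepted: slapd refuses the operations sent over it (everything except StartTLS) rather than the socket itself.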
RE: How enforce TLS connection to openldap server only?
by Quanah Gibson-Mount
--On Thursday, September 20, 2012 9:58 AM -0700 Quanah Gibson-Mount
<quanah(a)zimbra.com> wrote:
> --On Thursday, September 20, 2012 12:02 PM -0400 Yan Gong
> <yan(a)fabric.com> wrote:
>
>> Peter:
>>
>> Thanks for the confirmation!
>> I only used olcSecurity, not olcAccess to enforce the TLS connection.
>> Man, I wish there is more detailed, updated and user-friendly information
>> about OpenLdap on the web.
>> I guess, that's why people are turning to Active Directory because it is
>> much easier to use.
>
> It is documented in the manual pages, which are both on the web, and ship
> with the software itself. Lack of comprehension does not mean lack of
> documentation.
>
> If you think AD is LDAP, then you are in for a world of hurt.
>
Meant to send this to the list. ;)
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
translucent-overlay with back-relay and rwm
by Alexander Sulfrian
Hi,
I was trying to get a translucent-overlay working, using the relay
backend. But it does not work as expected. I want to merge two existing
entries from the same server into a new virtual entry.
The problem is that I could not get the rwm overlay needed for the
relay backend to work. If I simply try to add the rwm entry into the
config like that:
olcOverlay={0}rwm,olcDatabase={0}relay,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config
The server answers with an object class violation error: "no structural
objectClass add function". The cause of this error, is that the
olcTranslucentDatabase entry is defined as Cfg_Misc and not Cfg_Database
and the rwm Entry insists to be initiated in a Cfg_Database entry.
I tried even more. I changed the source of the translucent overlay and
defined olcTranslucentDatabase to be a Cfg_Database entry. Now the
server gives the following error:
config_add_internal:
DN="olcOverlay={0}rwm,olcDatabase={0}relay,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config" not child of DN="olcOverlay={0}translucent,olcOverlay={1}hdb,cn=config"
Adding some debug output I see that the server is testing if the
olcOverlay={0}rwm entry is a child of
olcDatabase={-1}relay,olcOverlay={0}translucent,olcOverlay={1}hdb,cn=config.
But the relay Database is added with an id of 0. Where does the
mysterious "-1" come from? I have seen this in the translucent source:
backend_db_init( "ldap", &ov->db, -1, NULL )
Is this maybe the cause? I tried to change this "-1" to "0", but nothing
changes.
I read somewhere, that the translucent overlay is only supposed to work
with the ldap backend. But as far as I can see, I need the same
rewriting using the rwm overlay with the ldap backend. So that should
not work either.
Could someone give me a clue, how to get this working?
Thanks,
Alex
How enforce TLS connection to openldap server only?
by Yan Gong
Sir/Madam:
I successfully set up TLS on both openldap server and client through port 389 on ubuntu.
I didn't use SSL through port 636.
However, I found non encrypted/clear text connections can be made through port 389
to the openldap server as well.
How can I enforce TLS connection only and reject any non encrypted connections?
Should I use olcAccess or olcSecurity? or both? I couldn't find any detailed steps/documentation
about it. Please note, I am not using slapd.conf, which is for older versions of openldap.
Thanks a lot!
Yan
Problem when I use alias with dereferencing option
by Paola Laguzzi
Hi,
I have a problem when I use the alias. I have an OpenLdap with 450.000 entries and 450.000 alias.
When I make a search using the dereferencing I obtain a wrong result.
For example:
- if I search in the alias tree uid=xxxx I obtain zero entries but I have the alias and I have the physical entry
- if I search in the alias tree ou=xxxx I obtain a number of entries that is different from the same search performed on the physical tree
This happens only when I use the dereferencing option.
Why?
I find in Internet that: "If you have a thousand or more alias objects, avoid alias
dereferencing in the search" .... this means I could get wrong results using alias?
Thanks in advance
Regards
Paola