openldap-technical September 2012

openldap-technical@openldap.org

70 participants
88 discussions

Logging events to a log file
by Mik J 23 Sep '12

23 Sep '12

Hello List, When I start slapd with the option -d 256 I can see what's happening when there's a connection # /usr/local/libexec/slapd -4 -d 256 -u _openldap -g _openldap -h ldaps:/// However I would like to have this in a log file and I added these lines to slapd.conf loglevel 256 logfile /var/log/slapd.log But my log file remains empty after I start the server with (without -d 256) # /usr/local/libexec/slapd -4 -u _openldap -g _openldap -h ldaps:/// However if I start the server with # /usr/local/libexec/slapd -4 -d 256 -u _openldap -g _openldap -h ldaps:/// The events display on the screen and in the slapd.log file as well. This behavior surprises me, am I missing something ? My ldap server version is 2.4.26p0 Thank you

3 4

Glue slapd-ldap with hdb
by Tio Teath 21 Sep '12

21 Sep '12

I'm trying to glue remote database, provided by ldap backend with local hdb. I have following settings: dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcRootDN: cn=admin,cn=config olcSuffix: dc=local dn: olcOverlay={0}glue,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}glue ... dn: olcDatabase={3}ldap,cn=config objectClass: olcLDAPConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {3}ldap olcDbChaseReferrals: TRUE olcDbRebindAsUser: TRUE olcDbURI: ldap://remote.server olcRootDN: cn=admin,cn=config olcSubordinate: TRUE olcSuffix: dc=corp,dc=local" But when I try to load it into cn=config, I get next error: [LDAP: error code 80 - <olcSuffix> namingContext "dc=corp,dc=local" already served by a preceding hdb database] Version: 2.4.25-1.1ubuntu4.1

2 1

Re: Message to Change Password
by Guillaume Rousse 21 Sep '12

21 Sep '12

Le 21/09/2012 16:28, Soporte Ti a écrit : > This message appears missing five days for the password expires and > appears until this has expired but only every time I login with the user. Login where ? On a web application ? On a unix workstation ? On an imap mail server ? > There is something more than the passwd command to be used for this? A password is just an attribute in an LDAP server, so any command able to modify LDAP content can be potentially used. ldappassword being the most obvious one here. If, as I'm supposing now, you're actually using an LDAP server to manage Posix user accounts, and you have this issue when logging on an unix host, your problem is merely a client-side issue, and not an LDAP issue. You'll have better answers on the mailing list related to your exact LDAP client (pam_ldap, sssd, nss_pam_ldapd). -- BOFH excuse #70: nesting roaches shorted out the ether cable

1 0

Re: How enforce TLS connection to openldap server only?
by Khosrow Ebrahimpour 20 Sep '12

20 Sep '12

On September 20, 2012 09:59:05 AM Quanah Gibson-Mount wrote: > --On Thursday, September 20, 2012 9:58 AM -0700 Quanah Gibson-Mount > > <quanah(a)zimbra.com> wrote: > > --On Thursday, September 20, 2012 12:02 PM -0400 Yan Gong > > > > <yan(a)fabric.com> wrote: > >> Peter: > >> > >> Thanks for the confirmation! > >> I only used olcSecurity, not olcAccess to enforce the TLS connection. > >> Man, I wish there is more detailed, updated and user-friendly information > >> about OpenLdap on the web. > >> I guess, that's why people are turning to Active Directory because it is > >> much easier to use. > > > > It is documented in the manual pages, which are both on the web, and ship > > with the software itself. Lack of comprehension does not mean lack of > > documentation. > > > > If you think AD is LDAP, then you are in for a world of hurt. > > Meant to send this to the list. ;) > I agree with Quanah that documentation is there, I also think Yan is correct that the information is not very easy to find. I've used the Admin Guide and the Faq-O-Matic on many occassions and found them a good starting point, but not the final answer. I think a wiki-style documentation where the user commuity could more easily contribute to the knowledge base may be a helpful thing. Having said all that, there may already be something like that and I just don't know about it. I can start a new thread if more people want to chime in since I don't want to derail the original thread here.

2 1

RE: How enforce TLS connection to openldap server only?
by Quanah Gibson-Mount 20 Sep '12

20 Sep '12

--On Thursday, September 20, 2012 1:53 PM -0400 Yan Gong <yan(a)fabric.com> wrote: > > > Hmm…when I tried to search for keyword: olsSecurity, nothing shows up: Please keep replies on the list. Since you are looking for configuration options, I suggest you search for slapd-config Also, learn how to use the "man" command from the linux prompt. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

RE: How enforce TLS connection to openldap server only?
by Yan Gong 20 Sep '12

20 Sep '12

Nope, olcSecurity didn't help. Still have the problem. I restared slapd. Please see below: dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=com olcSecurity: simple_bind=128 olcSecurity: ssf=128 olcSecurity: tls=1 olcAccess: {0}to attrs=userPassword by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write b y tls_ssf=128 ssf=128 anonymous auth by tls_ssf=128 ssf=128 self write by * none olcAccess: {1}to attrs=shadowLastChange by tls_ssf=128 ssf=128 self write by tls_ssf=128 ssf=128 * read olcAccess: {2}to dn.base="" by tls_ssf=128 ssf=128 * read olcAccess: {3}to * by tls_ssf=128 ssf=128 dn="cn=admin,dc=example,dc=com" write by tls_ssf=128 ssf=128 * read olcLastMod: TRUE olcRootDN: cn=admin,dc=example,dc=com olcRootPW:: c2VjcmV0 olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uidNumber eq olcDbIndex: uid eq,pres,sub structuralObjectClass: olcHdbConfig entryUUID: a1f57758-96d0-1031-93fd-1108a4f5996c creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20120919180734Z entryCSN: 20120919181117.233986Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20120919181117Z Thanks a lot! Yan -----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Thursday, September 20, 2012 7:50 AM To: Quanah Gibson-Mount Cc: Yan Gong; openldap-technical(a)openldap.org Subject: Re: How enforce TLS connection to openldap server only? Quanah Gibson-Mount wrote: >> Should I use olcAccess or olcSecurity? or both? I couldn't find any >> detailed steps/documentation > > olcSecurity would enforce encryption for any and all connections. > Note that you have to restart slapd for it to take effect. Eh, no. olcSecurity changes take effect immediately. No restart needed. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

4 6

RE: How enforce TLS connection to openldap server only?
by Quanah Gibson-Mount 20 Sep '12

20 Sep '12

--On Thursday, September 20, 2012 9:58 AM -0700 Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, September 20, 2012 12:02 PM -0400 Yan Gong > <yan(a)fabric.com> wrote: > >> Peter: >> >> Thanks for the confirmation! >> I only used olcSecurity, not olcAccess to enforce the TLS connection. >> Man, I wish there is more detailed, updated and user-friendly information >> about OpenLdap on the web. >> I guess, that's why people are turning to Active Directory because it is >> much easier to use. > > It is documented in the manual pages, which are both on the web, and ship > with the software itself. Lack of comprehension does not mean lack of > documentation. > > If you think AD is LDAP, then you are in for a world of hurt. > Meant to send this to the list. ;) --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

translucent-overlay with back-relay and rwm
by Alexander Sulfrian 20 Sep '12

20 Sep '12

Hi, I was trying to get a translucent-overlay working, using the relay backend. But it does not work as expected. I want to merge two existent entries form the same server into a new virtual entry. The problem it, that I could not get the rwm overlay needed for the relay backend to work. If I simply try to add the rwm entry into the config like that: olcOverlay={0}rwm,olcDatabase={0}relay,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config The server answers with an object class violation error: "no structural objectClass add function". The cause of this error, is that the olcTranslucentDatabase entry is defined as Cfg_Misc and not Cfg_Database and the rwm Entry insists to be initiated in a Cfg_Database entry. I tried even more. I changed the source if the translucent overlay and defined olcTranslucentDatabase to be a Cfg_Database entry. Now the server gives to following error: config_add_internal: DN="olcOverlay={0}rwm,olcDatabase={0}relay,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config" not child of DN="olcOverlay={0}translucent,olcOverlay={1}hdb,cn=config" Adding some debug output I see that the server is testing if the olcOverlay={0}rwm entry is a child of olcDatabase={-1}relay,olcOverlay={0}translucent,olcOverlay={1}hdb,cn=config. But the relay Database is added with an id of 0. Where does the mysterious "-1" come from? I have seen this in the translucent source: backend_db_init( "ldap", &ov->db, -1, NULL ) Is this maybe the cause? I tried to change this "-1" to "0", but nothing changes. I read somewhere, that the translucent overlay is only supposed to work with the ldap backend. But as far as I can see, I need the same rewriting using the rwm overlay with the ldap backend. So that should not work either. Could someone give me a clue, how to get this working? Thanks, Alex

1 0

How enforce TLS connection to openldap server only?
by Yan Gong 19 Sep '12

19 Sep '12

Sir/Madam: I successfully set up TLS on both openldap server and client through port 389 on ubuntu. I didn't use SSL through port 636. However, I found non encrypted/clear text connections can be made through port 389 to the openldap server as well. How can I enforce TLS connection only and reject any non encrypted connections? Should I use olcAccess or olcSecurity? or both? I couldn't find any detailed steps/documentation about it. Please note, I am not use slapd.conf which is for older version of openldap. Thanks a lot! Yan Thanks a lot! Yan

2 1

Problem when I use alias with deferencing option
by Paola Laguzzi 19 Sep '12

19 Sep '12

Hi, I have a problem when I use the alias. I have an OpenLdap with 450.000 entries and 450.000 alias. When I make a search using the deferencing I obtain a wrong result. For example: - if I search in the alias tree uid=xxxx I obtain zero entry but I have the alias and I have the phisical entry - if I search in the alias tree ou=xxxx I obtain a number of entries that is different from same search performed on the phisical tree This happens only when I use the deferencing option. Why? I find in Internet that: "If you have a thousand or more alias objects, avoid alias dereferencing in the search" .... this means I could get wrong results using alias? Thanks in advance Regards Paola

2 2

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2012