openldap-technical September 2012

openldap-technical@openldap.org

70 participants
88 discussions

Editing the olcAccess
by S, Mohan (GE Energy) 06 Sep '12

06 Sep '12

Hi, I've configured olcAccess for my bdb database and I can't able to modify that using ldapmodify. I tried deleting that : ldapmodify -x -h xxx.example.org -D "cn=replicator,ou=admins,dc=example,dc=org" -w secret -f delete.ldif No error cat delete.ldif changetype: modify delete: olcAccess olcAccess: {0} olcAccess: {1} ldapmodify -x -h xxx.example.org -D "cn=replicator,ou=admins,dc=example,dc=org" -w secret -f add.ldif No error cat add.ldif changetype: modify add: olcAccess olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=org" write by * none olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=org" write by * read olcAccess: to * by self write by dn.children="ou=melbourne,dc=example,dc=org" write by * read my ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}bdb returns old olcaccess. New access are not getting reflected. Can anyone guide my how to add/edit olcaccess? Can anyone please help me ... Thanks, Mohan

2 1

RE: Editing the olcAccess
by S, Mohan (GE Energy) 06 Sep '12

06 Sep '12

I could able to do this.. I missed the line in my ldif file dn: olcDatabase={2}bdb,cn=config. Apologize Regards, Mohan From: S, Mohan (GE Energy) Sent: Thursday, September 06, 2012 8:26 PM To: openldap-technical(a)openldap.org Subject: Editing the olcAccess Hi, I've configured olcAccess for my bdb database and I can't able to modify that using ldapmodify. I tried deleting that : ldapmodify -x -h xxx.example.org -D "cn=replicator,ou=admins,dc=example,dc=org" -w secret -f delete.ldif No error cat delete.ldif changetype: modify delete: olcAccess olcAccess: {0} olcAccess: {1} ldapmodify -x -h xxx.example.org -D "cn=replicator,ou=admins,dc=example,dc=org" -w secret -f add.ldif No error cat add.ldif changetype: modify add: olcAccess olcAccess: to attrs=userPassword by self write by anonymous auth by dn.children="ou=admins,dc=example,dc=org" write by * none olcAccess: to * by self write by dn.children="ou=admins,dc=example,dc=org" write by * read olcAccess: to * by self write by dn.children="ou=melbourne,dc=example,dc=org" write by * read my ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}bdb returns old olcaccess. New access are not getting reflected. Can anyone guide my how to add/edit olcaccess? Can anyone please help me ... Thanks, Mohan

1 0

ACL (Regex) help needed
by Denny Schierz 06 Sep '12

06 Sep '12

hi, I have the following structure: cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo cn=foobar1,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo cn=foobar2,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo cn=foobar likes like: dn: foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo objectClass: inetLocalMailRecipient objectClass: person objectClass: top cn: admin sn: admin description: added_by_dekanat mailLocalAddress: sysop(a)department.domain.foo mailRoutingAddress: foobar(a)department.domain.foo At the moment I have one role "mail" that has access to: dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo" read it works as expected, the mailserver can read all entries. Now I want to create a role, who has permissions to delete/add/modify all entries below ou=aliases, from all domains (dc=domain,ou=mail...), but only, if "description: <string>" is found (for delete/modify only, but not for add). Is that possible? Otherwise, how does it look, if I throw the idea with "only if" ? cu denny

2 1

LDAP Administration
by Brian Green 06 Sep '12

06 Sep '12

Hello, I have recently taken over a bunch of systems controlled by an LDAP database - however, the previous admin. didn't add me to the needed group so that I can fully administer the LDAP directory. Is there a way I can force LDAP to add me to this group? I have root access to the Linux server where the OpenLDAP system is hosted, if that helps. I've tried changing the .acl documents - that didn't seem to work to allow me to add myself to that group. This is a production system, so taking it down for a long period of time, or messing it up, would be bad. Thanks for any help, Brian

2 1

Slaving from Mirror Mode
by Nick Urbanik 05 Sep '12

05 Sep '12

Dear Folks, I am having trouble understanding http://www.openldap.org/doc/admin24/dual_dc.png. In particular, I do not understand the exact meaning of the bidirectional arrows, and the purpose of the upper pair of load balancers. 1, Are the upper load balancers there to chain writes to both mirror mode masters? 2. Are the "replica pool" configured to replicate from both masters or only from one? I am setting up mirror mode masters both in the same data centre, with one slave offsite. Should all the slaves slave from both masters, or should they slave from a load balancer which decides which master is getting the writes at present? Although our slaves are busy, surviving network issues with data consistent and correct is very important. Network outages and strange disconnects are the rule without automated configuration management for network devices. -- Nick Urbanik http://nicku.org 808-71011 nick.urbanik(a)optusnet.com.au GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24 I disclaim, therefore I am.

4 6

Re: Execute a Filter and get the boolean status true/false
by Puneet Khunteta 05 Sep '12

05 Sep '12

Hello Quanah, then, what should i do to attach the no-op control for the ldap_search_s() operation ? Regards, PKHUN On Thu, Sep 6, 2012 at 12:48 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Wednesday, September 05, 2012 9:03 PM +0200 Michael Ströder < > michael(a)stroeder.com> wrote: > > Puneet Khunteta wrote: >> >>> Basically i need the count how many SearchResultEntry responses you get >>> from ldap_search_s(). >>> >> >> You won't get the count without retrieving the results. >> > > Incorrect. You can use the noop control to do this. We actually do this > now in Zimbra to get the total number of accounts in LDAP without having to > get the full result set back. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

ldap_count_messages() Vs. ldap_count_entries() Vs. ldap_count_references()
by Puneet Khunteta 05 Sep '12

05 Sep '12

Hello, Please let me know the difference between the following three with their corresponding usage : ldap_count_message() ldap_count_entries() ldap_count_references() If possible narrate with some examples and a test application source code will be much much appreciated. Regards, PKHUN

1 0

ldapsearch SASL/GSSAPI bind really slow
by Matthew B. Brookover 05 Sep '12

05 Sep '12

I am upgrading the openldap servers and ran into a bit of a problem. SASL/GSSAPI binds to the new server are too slow. An ldapsearch to the old server using GSSAPI to bind is much faster on the old server then the same search on the new server. I am not even sure where to start to debug this and am hoping that some one will have some ideas. First off, here are a few details: The old LDAP server is running Openldap 2.3.43 on CentOS 5.2 with the CentOS built MIT Kerberos(1.6.1) and saslauthd (2.1.22). This server is configured with the slapd.conf file. The host name is infinite.mines.edu in the example runs below. The new LDAP server is running Openldap 2.4.31 on CentOS 6.3 with the CentOS built MIT Kerberos (1.9) and saslauthd (2.1.23). This server is configured with slapd-config (new dynamic configuration is very cool!) The host name is infinte-temp.mines.edu in the example runs below. Both the old and new servers are configured to use SASL for GSSAPI and for simple binds. First test, simple bind to new server and then the old server: [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.324s user 0m0.017s sys 0m0.004s [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.163s user 0m0.016s sys 0m0.004s [testua@merlin ~]$ As you can see, the new server takes nearly twice as long to perform the search as the old server. Both servers are using saslauthd to send the password to Kerberos for authentication. Next test, GSSAPI bind to the new server and then the old server: [testua@merlin ~]$ kinit Password for testua(a)MINES.EDU: [testua@merlin ~]$ klist Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC Default principal: testua(a)MINES.EDU Valid starting Expires Service principal 07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU renew until 07/26/12 13:32:07 Kerberos 4 ticket cache: /tmp/tkt11192 klist: You have no tickets cached [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua SASL/GSSAPI authentication started SASL username: testua(a)MINES.EDU SASL SSF: 56 SASL data security layer installed. dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m1.145s user 0m0.021s sys 0m0.004s [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua SASL/GSSAPI authentication started SASL username: testua(a)MINES.EDU SASL SSF: 56 SASL data security layer installed. dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.123s user 0m0.021s sys 0m0.003s [testua@merlin ~]$ klist Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC Default principal: testua(a)MINES.EDU Valid starting Expires Service principal 07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU renew until 07/26/12 13:32:07 07/25/12 13:32:33 07/26/12 04:32:11 ldap/infinite-temp.mines.edu(a)MINES.EDU renew until 07/26/12 13:32:07 07/25/12 13:32:41 07/26/12 04:32:11 ldap/infinite.mines.edu(a)MINES.EDU renew until 07/26/12 13:32:07 Kerberos 4 ticket cache: /tmp/tkt11192 klist: You have no tickets cached [testua@merlin ~]$ The old server is 9 times faster then the new server. This last test is to show that an anonymous bind is very fast and indicates to me that the network, BDB, caching, etc are not the issue. This test is to both servers, using a simple bind, first the old server and then the new server: [testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.049s user 0m0.017s sys 0m0.005s [testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.029s user 0m0.014s sys 0m0.006s [testua@merlin ~]$ When using an anonymous bind, the old server takes longer then the new server -- which is what I would expect given that the new server has twice the number of faster processors and double the memory of the old server. Any ideas? Thanks! Matt mbrookov(a)mines.edu

2 2

Master-Master replication different data centers
by S, Mohan (GE Energy) 05 Sep '12

05 Sep '12

Hi, I've been trying to setup OpenLDAP Master-Master replication running on SITE A (Datacenter 1) & SITE B (Datacenter 2) , I could successfully setup the sync between these masters. Changes are synchronized between the sites without any issues. Now I got a new requirement that "SITE A users/entries/objects should not be modifiable by SITE B and vice versa, but both have to send updates(sync) to each other. I'm not aware how do I go with this. Will I need to think of having different OU's configured for each site and sync the OU's, control the write access with ACL? Please suggest. Regards, Mohan

2 1

Execute a Filter and get the boolean status true/false
by Puneet Khunteta 05 Sep '12

05 Sep '12

Hello, I am facing an issue to get the result of a filter. Currently i have used the ldap_search () function to see whether AD has some entity corresponding to particular filter execution. But i am not able to find the function which returns the number of entity for the particular filter execution. Please help me to get the correct function which return the number of entity for the particular filter execution and what pre-requesties it has. If possible, please suggest function which just return true/false for the particular filter. Regards, PKHUN

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2012