openldap-technical January 2013

openldap-technical@openldap.org

71 participants
131 discussions

setting rootpw for cn=monitor
by Chris Card 11 Jan '13

11 Jan '13

Hi all, I'm seeing an issue with setting the rootpw for the cn=monitor database and syncrepl replication (multi-master syncrepl). I am seeing this problem with openldap 2.4.31 at the moment, but I intend to upgrade to 2.4.34 when that becomes available. When I just have one LDAP server (ldap1 say), I can set the olcrootdn to cn=monitor and set the olcrootpw without any error, so I have something like: dn: olcDatabase={2}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {2}monitor olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcRootPW: {SSHA}************** olcRootDN: cn=monitor When I create another LDAP server (ldap2 say) and set up multi-master syncrepl replication for cn=config between ldap1 and ldap2 I see an error in the slapd log on ldap2 like: olcRootPW: value #0: <olcRootPW> can only be set when rootdn is under suffix No olcSuffix is set for the cn=monitor database in the cn=config, but all the cn=monitor DNs are of the form cn=X,cn=Y,...,cn=monitor, so it seems that the suffix of the cn=monitor database is effectively cn=monitor. Any ideas? Chris

4 6

installing a new cacert - the transition
by Adam Wolfe 10 Jan '13

10 Jan '13

Greetings all. I am looking at having to install a new ca cert on our ldap server(s) and thus swapping out the client certs as well. This totals roughly 250 different machines. I am wondering as to the easiest way to go about this. Is there some grace period that can be set to allow me to relax and get to all the clients over a week's time? Or possibly the ability to use two certs? Then just slowly remove the old ones from the clients?

2 1

ldap update ( 2.2 to 2.4)
by Bruno Furtado 10 Jan '13

10 Jan '13

Hi Folks! I'm newbie to LDAP and I received a mission to update the version. Today is running Openldap 2.2.23 and I need to update to OpenLDAP 2.4.28. all update attempts failed. I observed that the new version have a different method of configuration. What the best way to do this? Best regards, -- Bruno Furtado

2 1

How to change a schema attribute definition or how to change the slapd configuration?
by Philip Colmer 10 Jan '13

10 Jan '13

I'm using OpenLDAP on Ubuntu 12.04. The installation of OpenLDAP automatically installs the schemas for core, cosine, nis and inetorgperson. In the nis schema, posixGroup is defined as structural but I need it to be auxiliary. Is it possible to change that definition? My database is completely empty - I've literally uninstalled OpenLDAP and then reinstalled it in an attempt to try and find a clean way of solving my problem. Alternatively - and perhaps better since I'm a bit worried about changing *just* that one thing - is it possible for me to export the slapd configuration in a way that I can then edit the configuration to replace nis with rfc2037bis and create everything afresh? Unfortunately, because the installation on Ubuntu does all of the slapd configuration automatically, I don't know what parameters are being specified. Many thanks for any help or suggestions provided. Philip

3 5

Re: LDAP - not starting
by Oshadha Gunawardena 09 Jan '13

09 Jan '13

Well I don't think so When I issue * netstat -lt | grep ldap* it shows nothing On Thu, Jan 10, 2013 at 7:01 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Thursday, January 10, 2013 6:29 AM +0530 Oshadha Gunawardena < > oshadha.rocky(a)gmail.com> wrote: > > >> >> >> >> >> >> >> Hi all, >> >> I myself is struggling to configure and starting up the openldap server >> (v 2.4.33). Every time I started the server >> >> service slapd start >> >> I'm getting this error - and it never starts >> > > Your output shows it started just fine. It looks like the status command > is broken. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

LDAP - not starting
by Oshadha Gunawardena 09 Jan '13

09 Jan '13

Hi all, I myself is struggling to configure and starting up the openldap server (v 2.4.33). Every time I started the server *service slapd start* I'm getting this error - and it never starts check-config.sh[3003]: Configuration directory '/etc/openldap/slapd.d' does not exist. check-config.sh[3003]: Warning: Usage of a configuration file is obsolete! runuser[3006]: pam_unix(runuser:session): session opened for user ldap by (uid=0) runuser[3006]: pam_unix(runuser:session): session closed for user ldap slapd[3019]: @(#) $OpenLDAP: slapd 2.4.33 (Oct 31 2012 12:02:13) $ slapd[3021]: bdb_monitor_db_open: monitoring disabled; configure monitor database to enable slapd[3021]: slapd starting slapd[3021]: daemon: shutdown requested and initiated. slapd[3021]: slapd shutdown: waiting for 0 operations/tasks to finish slapd[3021]: slapd stopped. When I issue the *service slapd status* slapd.service - OpenLDAP Server Daemon Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled) Active: failed (Result: timeout) since Thu, 10 Jan 2013 06:21:30 +0530; 21s ago Process: 3019 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS) Process: 3003 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS) CGroup: name=systemd:/system/slapd.service My slapd.conf file * **include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema database bdb suffix "dc=test,dc=lan" rootdn "cn=Manager,dc=test,dc=lan" rootpw {SSHA}6U9AkmiHv9XpWBDyD9fsjhtF/NC0wpiq directory /mydata/Downloads/ldap/ # Global Read ACL access to * by self write by * read # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret* My ldap.conf file * # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERTDIR /etc/openldap/certs* I'm kind of new to LDAP and Openldap so appreciate some assistance Thanks, Oshadha.

2 1

syncrepl mirrormode with SSL/TLS issues
by Houston Ray 09 Jan '13

09 Jan '13

I am attempting to move my sycrepl with mirrormode configuration over to TLS using LDAPS (not starttls) and running into problems. Multimaster setup (2 servers) behind a VIP both RHEL 6.3 Openldap 2.4.23-26 still running the old slapd.conf method (apologies) There are 3 separate certificates ldap.mycompany.net, server01.mycompany.net, and server02.mycompany.net The primary certificate is used for running slapd, and the individual server certs are intended to allow syncrepl over ssl. My configurations for syncrepl/mirrormode are down below. I had success with non-ssl syncrepl/mirrormode. It worked great actually. Now I am attempting to get syncrepl/mirrormode working with SSL. What I observe is whichever slapd instance is the last to startup is the one that becomes a "Master" as if I was in a producer/consumer setup. Errors I am seeing are slapd[11995]: conn=1003 fd=13 ACCEPT from IP=<server1_IP>:56368 (IP= 0.0.0.0:636) slapd[11995]: connection_read(13): TLS accept failure error=-1 id=1003, closing slapd[11485]: slap_client_connect: URI=ldaps://server01.mycompany.netDN="cn=Admin,dc=mycompany,dc=net" ldap_sasl_bind_s failed (-1) slapd[11485]: do_syncrepl: rid=001 rc -1 retrying Server 1 configuration ************************* # Server1 synchronization settings serverID 1 syncrepl rid=002 provider=ldaps://server02.mycompany.net binddn="cn=Admin,dc=mycompany,dc=net" bindmethod=simple credentials=secret tls_cert=/etc/openldap/certs/server02.mycompany.net.pem tls_cacert=/etc/openldap/certs/Verisignbundle.crt tls_key=/etc/openldap/certs/server02.mycompany.net.key tls_reqcert=allow searchbase="dc=mycompany,dc=net" type=refreshAndPersist retry="5 5 300 +" timelimit=5 attrs="*,+" interval=00:00:05:00 schemachecking=off mirrormode on # Server1 synchronization overlay overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # Server1 end ************************************************************************************************** Server 2 configuration ********************************* # Server2 syncronization settings serverID 2 syncrepl rid=001 provider=ldaps://server01.mycompany.net binddn="cn=Admin,dc=mycompany,dc=net" bindmethod=simple credentials=secret tls_cert=/etc/openldap/certs/server01.mycompany.net.pem tls_cacert=/etc/openldap/certs/Verisignbundle.crt tls_key=/etc/openldap/certs/server01.mycompany.net.key tls_reqcert=allow searchbase="dc=mycompany,dc=net" type=refreshAndPersist retry="5 5 300 +" timelimit=5 attrs="*,+" interval=00:00:05:00 schemachecking=off mirrormode on # Server02 synchronization overlay overlay syncprov syncprov-checkpoint 100 10 # Server2 end ************************************************************************************************** any help is greatly appreciated

2 1

Get machines in Base LDAP
by rodrigo tavares 09 Jan '13

09 Jan '13

Hello, I have in my smb.conf, the follow line is: add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u So, with the line machines get logon in domain, but machines come to /etc/passwd. I would like add all machines in LDAP, how I can to do it ? ldap admin dn = cn=admin,dc=brazil,dc=mg,dc=gov,dc=br ldap group suffix = ou=groups ldap machine suffix = ou=computers ldap passwd sync = yes ldap suffix = dc=brazil,dc=mg,dc=gov,dc=br ldap ssl = no ldap user suffix = ou=defensoria passdb backend = ldapsam:ldap://10.65.8.250 passdb backend = tdbsam hosts allow = 127.0.0.1, 10.65.8.0/255.255.252.0

2 1

slapd-ldap and backend errors
by John Madden 09 Jan '13

09 Jan '13

While setting up and testing new 2.4 infra (2.4.33), I've come across the situation where the proxy (slapd-ldap) doesn't pass LDAP_UNAVAILABLE back to the client when the backend slapd goes away. Is this behavior configurable on the proxy, something along the lines of chain-return-error? Example: connect to the backend slapd and ldapsearch a long-running query, then shut down slapd and the client provides the proper "error can't contact." Duplicate that behavior while searching against the proxy and you simply get a truncated list of entries with no errors. Thanks, John -- John Madden / Systems Engineer III Office of Technology / Ivy Tech Community College of Indiana Free Software is a matter of liberty, not price. To understand the concept, you should think of Free as in 'free speech,' not as in 'free beer.' -- Richard Stallman

2 2

access directive
by Friedrich Locke 09 Jan '13

09 Jan '13

Hi folks, i have just installed openldap and i am having trouble to understand access directive: I have 6 access rules : ################################################################################ # access definition on ou=people,dc=ufv,dc=br ################################################################################ access to dn.one="ou=people,dc=ufv,dc=br" attrs=userPassword by self read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read by anonymous auth by * none access to dn.one="ou=people,dc=ufv,dc=br" attrs=uid,homeDirectory by self read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read access to dn.one="ou=people,dc=ufv,dc=br" attrs=cn,uidNumber,gidNumber,loginShell,gecos,description by self read by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read access to dn.one="ou=people,dc=ufv,dc=br" attrs=mail,mailMessageStore,mailAlternateAddress,qmailUID,qmailGID,mailHost,mailForwardingAddress,deliveryProgramPath,qmailDotMode,deliveryMode,mailReplyText,accountStatus,qmailAccountPurge,mailQuotaSize,mailQuotaCount,mailSizeMax by self read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read access to dn.one="ou=people,dc=ufv,dc=br" by self read by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read access to dn.base="ou=people,dc=ufv,dc=br" by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read I have some rules, as you can see, giving acess to certain attributes of anything below (one level) ou=people,dc=ufv,dc=br. I have another rule given access to everything on the same level, this is the rule 5th. Everything works ok, for instance: sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory SASL/GSSAPI authentication started SASL username: sioux(a)UFV.BR SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree # filter: (objectclass=*) # requesting: homedirectory # # sioux, people, ufv.br dn: uid=sioux,ou=people,dc=ufv,dc=br homeDirectory: /home/sioux # search result search: 5 result: 0 Success # numResponses: 2 # numEntries: 1 sioux@gustav$ But if i comment the 5th rule (I keep the others, giving access to the homedirectory attribute), it does not work: sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory SASL/GSSAPI authentication started SASL username: sioux(a)UFV.BR SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree # filter: (objectclass=*) # requesting: homedirectory # # search result search: 5 result: 32 No such object # numResponses: 1 sioux@gustav$ Does anybody here know why ? Thanks in advance.

2 1

← Newer
1
...
8
9
10
11
12
13
14
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2013