The problem I'm having is simple, although I didn't find much
explanations for it, once I try to backup the database with :
slapcat -v -l ldap-backup5.ldif
It works nicely, except that _all_ entries have :
Although the information is still there, if I ldapsearch one of the
entities it comes easily :
ldapsearch -x -LLL '(uid=samir)'
dn: cn=Samir Cury,ou=abc,ou=def,dc=org,dc=edu
cn: Samir Cury Siqueira
is this problem obvious to any of you?
The only similar case I found in the history was
Which doesn't have a clear outcome.
Any hint on where to look at?
==== Additional information - just in case ====
My setup is a 1 Master 1 Slave of slapd 2.3.43. Relevant information
is that after the master's hardware died, few days later the slave
started to misbehave and probably got the DB corrupted.
slapd_db_recover seems to have fixed it as now it is working just
fine, log messages from before the error / recovery :
#slapcat -v -l ldap-backup.ldif
bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery
if errors are encountered.
#slapd_db_recover -v -h /var/lib/ldap
Finding last valid log LSN: file: 2 offset 6078834
Recovery starting from 
Recovery complete at Wed Oct 9 16:42:55 2013
Maximum transaction ID 8000c207 Recovery checkpoint 
-- slapcat now has no warnings/errors --
I suspect slightly of this as I've read that corrupted databases can
cause such effects, but the ldapsearch with full DNs makes me think
that it didn't happen.
==== / Additional information ====
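One way to check a slapcat dump against what ldapsearch returns for the same entries, as an added example that is not code from the thread: both tools emit LDIF, so the script below parses both and reports anything ldapsearch shows that the dump lacks. The comparison is one-directional on purpose, because slapcat also writes operational attributes (structuralObjectClass, createTimestamp, ...) that a default ldapsearch does not return and that must not count as differences. The LDIF inside the script is constructed for the example (the dump is missing the cn values; the search output carries a base64, folded value to exercise the parser).

```python
"""Report what an ldapsearch LDIF shows that a slapcat LDIF dump lacks."""
import base64
from typing import Dict, Iterator, List, Set, Tuple

Entry = Dict[str, Set[str]]   # attribute name (lower-cased) -> set of values

# Constructed sample: the person entry as slapcat wrote it, cn values gone.
SLAPCAT_LDIF = """\
dn: dc=org,dc=edu
objectClass: dcObject
objectClass: organization
dc: org
structuralObjectClass: organization

dn: cn=Samir Cury,ou=abc,ou=def,dc=org,dc=edu
objectClass: inetOrgPerson
uid: samir
sn: Siqueira
description: Test user
structuralObjectClass: inetOrgPerson
createTimestamp: 20131009164255Z
"""

# Constructed sample: `ldapsearch -x -LLL '(uid=samir)'` for the same entry.
LDAPSEARCH_LDIF = """\
dn: cn=Samir Cury,ou=abc,ou=def,dc=org,dc=edu
objectClass: inetOrgPerson
cn: Samir Cury
cn: Samir Cury Siqueira
uid: samir
sn: Siqueira
description:: VGVzdCB1
 c2Vy
"""


def unfold(text: str) -> Iterator[str]:
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    current = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
            continue
        if current is not None:
            yield current
        current = raw
    if current is not None:
        yield current


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF content records into {dn: {attr: {values}}}."""
    entries: Dict[str, Entry] = {}
    dn = None
    attrs: Entry = {}
    for line in unfold(text):
        if not line.strip():                      # blank line ends a record
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                 # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "backslashreplace")
        elif value.startswith("<"):               # attr:< URL, kept as the URL text
            value = value[1:].strip()
        else:
            value = value.strip()
        name = name.lower()
        if name == "dn":
            if dn is not None:                    # record without a separating blank line
                entries[dn] = attrs
                attrs = {}
            dn = value
        else:
            attrs.setdefault(name, set()).add(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def missing_from(reference: Dict[str, Entry], dump: Dict[str, Entry]) -> List[Tuple[str, ...]]:
    """Everything in `reference` that `dump` lacks; extra content in `dump` is ignored.
    DNs match case-insensitively, values are compared as exact strings."""
    by_dn = {dn.lower(): e for dn, e in dump.items()}
    problems: List[Tuple[str, ...]] = []
    for dn, attrs in reference.items():
        got = by_dn.get(dn.lower())
        if got is None:
            problems.append(("missing-entry", dn))
            continue
        for attr, values in sorted(attrs.items()):
            if attr not in got:
                problems.append(("missing-attribute", dn, attr))
                continue
            for value in sorted(values - got[attr]):
                problems.append(("missing-value", dn, attr, value))
    return problems


if __name__ == "__main__":
    # Real use: parse_ldif(open("search.ldif").read()) against parse_ldif(open("ldap-backup.ldif").read())
    for problem in missing_from(parse_ldif(LDAPSEARCH_LDIF), parse_ldif(SLAPCAT_LDIF)):
        print(*problem)
```

For a real check, run slapcat with slapd stopped (or after slapd_db_recover has been run, as in the post), dump the same entries with `ldapsearch -LLL` and feed both files to `missing_from`; an empty result means the backup carries every value the live server returns.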
I have been fighting along getting some Solaris 10 nodes (both SPARC
and x86) to talk via TLS/SSL to our OpenLDAP infrastructure.
Without SSL (tls:simple) it binds and functions fine, which in my mind
rules out most of the usual culprits.
As for the certificates, I have verified connectivity with the
certificate via openssl s_client -connect <fqdn> -CAfile <cacert>
-showcerts but I cannot get the correct version/combination of
certutil to setup the appropriate keystore (cert.db, key3.db and
secmod.db) and make the native SUN ldapsearch or native ldapclient
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid: [ID 293258
daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed
to initialize TLS security (security library: bad database.)
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid: [ID 292100
daemon.warning] libsldap: could not remove <ldapserver> from servers
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid: [ID 293258
daemon.warning] libsldap: Status: 7 Mesg: Session error no available
# certutil -d /var/ldap -L
Certificate Nickname Trust Attributes
CA certificate CT,,
# ldapclient list
I've tried a few of the older certutil's getting around, including the
one from here: along with libraries from openCSW to get it all working
I'm pretty sure it's the cert database or something to do with
certutil being painful. Any suggestions?
Hi, all. I'm having trouble figuring out how to allow SSL connections
(using ldapsearch) to a single host with an invalid certificate. I know
this can be done using TLS_REQCERT=allow (or never), but the same
account also connects to multiple other hosts using certificate-based
authentication, and the problem is that I can get those two
configurations to work together.
To illustrate, here's the current ~/.ldaprc file for this user:
That works fine for everything but this one new host. I'm not able to
fix the SSL issue on this host, so for now I need to work around it.
If I replace the above ~/.ldaprc with this:
Then ldapsearch works fine for this new server, but, of course,
SASL/cert auth fails for everything else.
So, how do I get these to work together, with that first configuration
example set as the default for all hosts *except* server.domain.com?
Here's what I've tried so far:
* Appending the configuration for server.domain.com to the existing
~/.ldaprc file - it doesn't have an effect, like the global stuff is
overriding the host-specific options
* Adding the server.domain.com config to /etc/openldap/ldap.conf, but
~/.ldaprc takes precedence over this, so again it has no effect.
* Creating a separate ~/.ldaprc-server file and exporting
LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND
~/.ldaprc-server are sourced (found using strace), so again my
host-specific settings are ignored.
* exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that
prevents either rc file from being sourced
* exporting LDAPNOINIT=true and calling ldapsearch with:
LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this
also seems to have no effect, though
I'm sure I must be missing something simple, but I'm out of ideas at
this point. Would appreciate any tips or pointers.
I was looking into OpenLDAP and couldn't find the following information in the documentation:
Is there any possibility to have hooks in the openLDAP system which allow a customizable action to be performed when records are added/deleted/updated?
An example for this would be to send a message to an external system in case a modification of the directory service has occured, so that this system can act on this (the 'external' system could, of course, belong to the same organization as well). E.g. for improving synchronization with GAE (but I could name some other uses for it too).
I have found a prior post on hooks for authentication (http://www.openldap.org/lists/openldap-software/200510/msg00549.html) but this is not what I am looking for.
If it is not supported in openLDAP, are there any plug-ins which do support it?
Thanks in advance!
considered the importance of the patches which have landed in the last few
days, could I ask to start with a testing call for a new release?
I'm confident they could solve the crashes I have been facing since I
started working heavily with back-mdb and I'm only allowed to work with
Thanks in advance as usual
On a test VM I create a replica of my LDAP server, install pureFtp-ldap
and configure it.
It works perfectly. I can login on my vm, use ftp user too.
But when I try to start ldap with the init script, it failed. I found
that on the log file:
> Oct 8 16:02:38 ldap-test slapd: @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $#012#011root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
> Oct 8 16:02:38 ldap-test slapd: daemon: bind(10) failed errno=2 (No such file or directory)
> Oct 8 16:02:38 ldap-test slapd: slapd stopped.
> Oct 8 16:02:38 ldap-test slapd: connections_destroy: nothing to destroy.
If I launch it on the cli:
Everything work perfectly.
I can figure what's wrong with the startup script.
Could somebody see what's wrong?
Thanks in advance,
Tel : +33 (0)1 42 68 12 61
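As an added example that is not code from the thread: a pre-flight check for the listener URLs slapd is started with. bind() returns errno 2 (ENOENT) only for an AF_UNIX socket whose directory does not exist; a TCP listener fails with other errnos (EADDRINUSE, EACCES). A "daemon: bind(N) failed errno=2" line therefore points at an ldapi:// URL, and the directory it needs is what the script checks before slapd is started, from the same -h / SLAPD_SERVICES string an init script passes. The default socket path is an assumption (the Debian build's compiled-in value); pass the real one if the build differs.

```python
"""Check the directory every ldapi:// listener in an -h/SLAPD_SERVICES string needs."""
import os
from typing import List, Tuple
from urllib.parse import unquote

# Assumed default for a bare "ldapi:///" (Debian's compiled-in LDAPI_SOCK);
# other builds differ, so pass the real path to the functions below if so.
DEFAULT_LDAPI_PATH = "/var/run/slapd/ldapi"


def parse_services(value: str) -> List[str]:
    """Split an -h / SLAPD_SERVICES string such as 'ldap:/// ldapi:///' into URLs."""
    return value.split()


def ldapi_socket_path(url: str, default: str = DEFAULT_LDAPI_PATH) -> str:
    """Filesystem path of an ldapi:// listener.

    The path travels percent-encoded in the authority part, e.g.
    ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi -> /var/run/slapd/ldapi;
    a bare ldapi:/// means the compiled-in default.
    """
    if not url.startswith("ldapi://"):
        raise ValueError(f"not an ldapi URL: {url!r}")
    authority = url[len("ldapi://"):].split("/", 1)[0]
    return unquote(authority) if authority else default


def check_listeners(urls: List[str], default: str = DEFAULT_LDAPI_PATH) -> List[Tuple[str, str]]:
    """Return (url, reason) for each ldapi:// listener whose socket directory
    is missing or not writable; TCP listeners are skipped, since their
    failures have nothing to do with errno 2."""
    problems: List[Tuple[str, str]] = []
    for url in urls:
        if not url.startswith("ldapi://"):
            continue
        path = ldapi_socket_path(url, default)
        parent = os.path.dirname(path) or "/"
        if not os.path.isdir(parent):
            problems.append((url, f"socket directory {parent} does not exist (bind: errno 2)"))
        elif not os.access(parent, os.W_OK | os.X_OK):
            problems.append((url, f"socket directory {parent} is not writable by uid {os.getuid()}"))
    return problems


if __name__ == "__main__":
    import sys
    services = sys.argv[1] if len(sys.argv) > 1 else "ldap:/// ldapi:///"
    found = check_listeners(parse_services(services))
    for url, reason in found:
        print(f"{url}: {reason}")
    sys.exit(1 if found else 0)
```

Run it as the user the init script starts slapd as, with the exact SLAPD_SERVICES value from the init configuration, so the writability check reflects the daemon's privileges rather than root's.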
it seems this has been asked before but I am not sure of the conclusion:
I have setup setup with slapo-lastbind configured on some slaves that
have a working chaining configuration to the masters.
It seems that the authTimestamp attribute from slapo-lastbind is not
From looking at the source code for lastbind it seems we would need
to implement something similar to olcPPolicyForwardUpdates from
If none of the gurus here object, the code looks clean enough
that I would attempt to port forwarding of updates from slapo-ppolicy
to slapo-lastbind. ( olcLastbindForwardUpdates )
Christian Kratzer, CK Software GmbH
Email: ck(a)cksoft.de
Phone: +49 7032 893 997 - 0
Fax: +49 7032 893 997 - 9
Web: http://www.cksoft.de/
Wildberger Weg 24/2, D-71126 Gaeufelden
HRB 245288, Amtsgericht Stuttgart
Geschaeftsfuehrer: Christian Kratzer