different hdbs for ou
by Denny Fuchs
hi,
I have one main HDB Database for:
dc=example,dc=net -> /var/lib/ldap/
with one subtree:
ou=department,dc=example,dc=net
Now I want to let other departments use our N-Way LDAP server too. My idea was to put the new departments into different hdb databases:
ou=department-1,dc=example,dc=net -> /var/lib/ldap/department-1/
ou=department-2,dc=example,dc=net -> /var/lib/ldap/department-2/
ou=department-n,dc=example,dc=net -> /var/lib/ldap/department-n/
all with their own admin access to their root DN.
How should I do that?
cu denny
7 years, 5 months
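Added example, not part of the original post or of OpenLDAP: a slapd.conf layout for the requested split, one hdb database per department declared as a subordinate of the dc=example,dc=net database, together with a small model of how slapd chooses the database that serves a DN and whose rootdn counts as root there. slapd.conf requires subordinate databases to be declared before their superior, because the first database whose suffix matches the target DN is the one selected; in cn=config the same thing is expressed with olcSubordinate: TRUE on the subordinate database entries. Each department rootdn lies inside its own suffix, which is what allows a rootpw to be set on it. The rootdn values, directory paths and rootpw placeholders are assumptions.

```python
"""Model of a slapd.conf layout with one hdb database per department, glued
under dc=example,dc=net, and of how slapd picks the database that serves a
DN and whose rootdn counts as root there. Added example, not code from the
original post or from OpenLDAP; the rootdn values and directory paths are
assumptions and the rootpw values are placeholders."""
import shlex

# Constructed slapd.conf fragment. Subordinate databases are declared before
# the superior one because slapd routes an operation to the first database
# in configuration order whose suffix matches the target DN.
SLAPD_CONF = """\
database hdb
suffix "ou=department-1,dc=example,dc=net"
subordinate
rootdn "cn=admin,ou=department-1,dc=example,dc=net"
rootpw {SSHA}placeholder-hash-department-1
directory /var/lib/ldap/department-1

database hdb
suffix "ou=department-2,dc=example,dc=net"
subordinate
rootdn "cn=admin,ou=department-2,dc=example,dc=net"
rootpw {SSHA}placeholder-hash-department-2
directory /var/lib/ldap/department-2

# The superior database comes last; it keeps serving ou=department (the
# existing subtree) and everything not claimed by a subordinate.
database hdb
suffix "dc=example,dc=net"
rootdn "cn=admin,dc=example,dc=net"
rootpw {SSHA}placeholder-hash-main
directory /var/lib/ldap
"""


def parse_databases(conf):
    """Split slapd.conf text into database sections; only the directives the
    example needs are kept. Quoted values are handled by shlex."""
    databases, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        key, args = words[0].lower(), words[1:]
        if key == "database":
            current = {"backend": args[0], "subordinate": False}
            databases.append(current)
        elif current is None:
            continue  # global directives before the first database
        elif key == "subordinate":
            current["subordinate"] = True
        elif key in ("suffix", "rootdn", "rootpw", "directory"):
            current[key] = args[0]
    return databases


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_is_suffix(dn, suffix):
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def select_backend(databases, dn):
    """First database in configuration order whose suffix contains dn."""
    for db in databases:
        if dn_is_suffix(dn, db["suffix"]):
            return db
    return None


def is_root(databases, bind_dn, target_dn):
    """rootdn privileges apply only inside the database that serves target_dn:
    a department admin is root in its own database and nowhere else, and the
    superior database's rootdn is not root inside a subordinate."""
    db = select_backend(databases, target_dn)
    return db is not None and normalize_dn(bind_dn) == normalize_dn(db["rootdn"])


DATABASES = parse_databases(SLAPD_CONF)

if __name__ == "__main__":
    for dn in ("uid=alice,ou=department-1,dc=example,dc=net",
               "uid=bob,ou=department,dc=example,dc=net"):
        print(dn, "->", select_backend(DATABASES, dn)["directory"])
    print(is_root(DATABASES, "cn=admin,ou=department-1,dc=example,dc=net",
                  "uid=carol,ou=department-2,dc=example,dc=net"))
```

The model shows the property the layout gives each department: cn=admin,ou=department-1,dc=example,dc=net is root only for entries served by the department-1 database, and cn=admin,dc=example,dc=net is not root inside a department database unless it is also configured as that database's rootdn. Calling select_backend on the list in reversed order shows what happens when the superior is declared first: it captures every DN and the subordinates are never reached.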
Resetting content/database/schema
by Merve Temizer
I need to remove every configuration/schema/database.
Is it possible and if so how?
So far I have run:
sudo apt-get purge slapd ldap-utils
removed:
/etc/ldap
/etc/openldap
/var/lib/ldap
and then:
sudo apt-get install slapd ldap-utils
and tried to run:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend2.example.com.ldif
I am still getting error 80, which means, according to my restricted knowledge,
that LDAP already has the modules and cn's from the ldif file.
7 years, 5 months
OpenLDAP DB question
by Dheeraj Khanna
Hi
I wanted to find out if I can add host-based authentication; here is my setup.
Regular LDAP DB , I use group and users and associate permissions to users
based on groups. What I want to achieve is this:
If a User A is a member of "Group A" and has access to "hostsA" allow, else
deny; this will allow me to limit access to certain server types based on
user groups. I think we can define this in /etc/ldap.conf but I could not
find the right syntax to add hosts in this config file.
Question: I do not know how to add this ou called "hostaccess", I used a
GUI portal called Apache Directory Studio to add/delete users and groups.
If someone knows how to add hosts in LDAP and be able to map groups and
users to it that would greatly help me.
Thanks
Dheera
7 years, 5 months
slapd-mdb network performance
by Jancewicz, Russell
Hello,
I am experiencing a bit of an issue with mdb network traffic.
When I request large queries (entire subtrees) from remote hosts my searches take hundreds of times longer to complete than they do if I search on the local machine (in all except for one case).
I have attempted to tune the kernel network settings, adjusted tx buffer sizes all to no avail.
Just before turning to this list I gave one last shot-in-the-dark attempt, running my query using the rootDN. This produced the expected results.
When queried with a typical account DN my system was transmitting around 2.0Mbps to the remote client.
When queried with the rootDN my system was transmitting around 100Mbps to the client.
The system has an olcLimits rule allowing unlimited time and size to the account "typical account" I was testing with.
olcLimits: dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited
Clearly the server is capable of serving data to the remote machine at 100Mbps (given that the rootDN has done so)
I cannot for the life of me find a configuration option or setting that should be impacting the transmission bandwidth of searches.
Any help or advice of where I should be looking would be greatly appreciated.
I have included the relevant cn=config information below.
Thank you,
-Russell J. Jancewicz
University of Connecticut
OpenLDAP: slapd 2.4.36 (Sep 19 2013 11:16:48) $
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /srv/ldap/example.com
olcSuffix: dc=example,dc=com
# ... olcAccess
olcLimits: {0}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time=unlimited size=unlimited
olcLimits: {1}dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited
olcRootDN: cn=root,dc=example,dc=com
olcDbCheckpoint: 512 30
olcDbNoSync: FALSE
olcDbMaxSize: 8589934592
7 years, 5 months
unsubscribe
by Richards, Toby
Respectfully Submitted,
R. Toby Richards
Network Administrator
Superior Court of California
In and for the County of San Luis Obispo
(805) 781-4150
7 years, 5 months
slapd appears to incorrectly report an object class violation when renaming an entry
by Jon C Kidder
I am running 2.4.36 in my sandbox environment and have recently found myself needing to rename some entries in my directory. Slapd is reporting an object class violation when attempting to rename the entries even though all required attributes are present on the entry. I have a sample ldif that reproduces this problem.
dn: cn=testuser,ou=users,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: testuser
uid: testuser
sn: surname

dn: cn=testuser,ou=users,dc=example,dc=com
changetype: modrdn
newrdn: uid=testuser
deleteoldrdn: 1
newsuperior: ou=users,dc=example,dc=com
When I run this ldif using ldapmodify this is the result I get back.
adding new entry "cn=testuser,ou=users,dc=example,dc=com"
modifying rdn of entry "cn=testuser,ou=users,dc=example,dc=com"
ldap_rename: Object class violation (65)
additional info: object class 'inetOrgPerson' requires attribute 'cn'
As you can see from the ldif, the cn attribute is clearly present. I am assuming this is a bug and needs to be reported, but wanted to review it with the list members before I submitted the ITS entry.
-Jon C. Kidder
American Electric Power
Middleware Services
Email: jckidder@aep.com
Phone: 614-716-4970
7 years, 5 months
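Added example, not from the original post or from OpenLDAP: a model of the two operations in the posted LDIF. It applies the modrdn the way the protocol defines it, adding the new RDN's value to the entry and, because deleteoldrdn is 1, removing the old RDN's value cn=testuser, and then checks the result against the MUST attributes of its object classes. The same rename with deleteoldrdn: 0 and a rename of an entry with two cn values are shown alongside. The schema subset is constructed.

```python
"""Model of what slapd does with the posted modrdn: the old RDN value is
removed from the entry when deleteoldrdn is 1, and the result is then checked
against the MUST attributes of its object classes. Added example, not code
from the original post or from OpenLDAP."""

# Constructed subset of the core and inetorgperson schema:
# object class -> (superior class, own MUST attributes). MUST is inherited.
OBJECT_CLASSES = {
    "top": (None, {"objectClass"}),
    "person": ("top", {"sn", "cn"}),
    "organizationalPerson": ("person", set()),
    "inetOrgPerson": ("organizationalPerson", set()),
}


def required_attributes(object_class):
    """MUST attributes of a class including those inherited through SUP."""
    must = set()
    while object_class is not None:
        sup, own = OBJECT_CLASSES[object_class]
        must |= {a.lower() for a in own}
        object_class = sup
    return must


def parse_rdn(rdn):
    """'cn=testuser' -> [('cn', 'testuser')]; 'a=1+b=2' gives two pairs."""
    pairs = []
    for ava in rdn.split("+"):
        attr, _, value = ava.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def schema_check(attrs):
    """Return None if every MUST is present, else a slapd-style message.
    Classes are checked most-specific first, which is the class the posted
    error message names."""
    for object_class in reversed(attrs.get("objectclass", [])):
        for attr in required_attributes(object_class):
            if attr not in attrs:
                return f"object class '{object_class}' requires attribute '{attr}'"
    return None


def modrdn(entry, newrdn, deleteoldrdn, newsuperior=None):
    """Apply a modrdn to entry = {'dn': ..., 'attrs': {name: [values]}}.
    Returns (result_code, info, new_entry): 0 on success, 65 (object class
    violation) when the rename strips a required attribute."""
    old_rdn, _, parent = entry["dn"].partition(",")
    attrs = {k.lower(): list(v) for k, v in entry["attrs"].items()}
    new_avas = parse_rdn(newrdn)
    # The new RDN's values are added to the entry if not already present.
    for attr, value in new_avas:
        if value not in attrs.setdefault(attr, []):
            attrs[attr].append(value)
    # With deleteoldrdn: 1 the old RDN's values are removed, unless they
    # also appear in the new RDN.
    if deleteoldrdn:
        for attr, value in parse_rdn(old_rdn):
            if (attr, value) in new_avas:
                continue
            if value in attrs.get(attr, []):
                attrs[attr].remove(value)
                if not attrs[attr]:
                    del attrs[attr]  # the last cn value is gone at this point
    info = schema_check(attrs)
    if info:
        return 65, info, None
    new_dn = newrdn + "," + (newsuperior or parent)
    return 0, "", {"dn": new_dn, "attrs": attrs}


# The entry from the posted LDIF.
TESTUSER = {
    "dn": "cn=testuser,ou=users,dc=example,dc=com",
    "attrs": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["testuser"], "uid": ["testuser"], "sn": ["surname"],
    },
}

if __name__ == "__main__":
    print(modrdn(TESTUSER, "uid=testuser", deleteoldrdn=True)[:2])
    print(modrdn(TESTUSER, "uid=testuser", deleteoldrdn=False)[:2])
```

With a single cn value, deleteoldrdn: 1 leaves the entry without cn, which is what the object class check reports; deleteoldrdn: 0 keeps the value, and a second cn value survives deleteoldrdn: 1 because only the old RDN's own value is removed.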
Openldap Synch problem
by Darouichi, Aziz
Hi,
I have 2 OpenLDAPs that are configured for replication; one is on site, the other is remote. They are connected via a VPN tunnel, and every time there is a connection problem between the two the replication fails, and I have to stop the services on the remote, delete the database and start a fresh replication. Is there a way that I can configure the remote to force it to re-sync without having to delete the database and start all over again?
This is what I see in the log after connection gets re-established:
Nov 6 11:37:39 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1cffefb0 20131106163739.780633Z#000000#000#000000
Nov 6 11:37:50 LDAP-TLS-2 slapd[4903]: do_syncrep2: rid=006 LDAP_RES_SEARCH_RESULT
Nov 6 11:37:50 LDAP-TLS-2 slapd[4903]: do_syncrepl: rid=006 rc -2 retrying
Nov 6 11:38:28 LDAP-TLS-2 slapd[4903]: slap_queue_csn: queing 0x41d1be70 20131106163828.873440Z#000000#000#000000
Nov 6 11:38:28 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1d10d1f0 20131106163828.873440Z#000000#000#000000
Nov 6 11:38:39 LDAP-TLS-2 slapd[4903]: slap_queue_csn: queing 0x41d1c0e0 20131106163839.682221Z#000000#000#000000
Nov 6 11:38:39 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1d3f3fc0 20131106163839.682221Z#000000#000#000000
Nov 6 11:38:49 LDAP-TLS-2 slapd[4903]: slap_queue_csn: queing 0x4251ce70 20131106163849.281885Z#000000#000#000000
Nov 6 11:38:49 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1d369af0 20131106163849.281885Z#000000#000#000000
Nov 6 11:38:50 LDAP-TLS-2 slapd[4903]: do_syncrep2: rid=006 LDAP_RES_SEARCH_RESULT
Nov 6 11:38:50 LDAP-TLS-2 slapd[4903]: do_syncrepl: rid=006 rc -2 retrying.
This is the config of the remote for syncrepl:
syncrepl rid=006
provider=ldap://192.168.19.43
tls_cert=/etc/pki/tls/certs/ldap-tls.curry.edu.cert.pem
tls_key=/etc/pki/tls/private/ldap-tls.curry.edu.key.pem
tls_cacert=/etc/pki/tls/certs/cacert.pem
tls_reqcert=demand
searchbase="dc=curry,dc=edu"
schemachecking=on
timelimit=unlimited
sizelimit=unlimited
type=refreshAndPersist
retry="60 +"
keepalive=240:10:30
Thank You
7 years, 5 months
Q: syntax attribute in schema
by Ulrich Windl
Hi!
This is probably a stupid question, but I wonder:
In the schema definitions, neither "gn" nor "sn" have a "syntax" attribute. So I wonder: If an attribute has a "sup", is the syntax inherited from the "sup" ("name" in this special case)?
In Perilish:
DB<27> x $s->attribute('sn')
0 HASH(0xd89e88)
'aliases' => ARRAY(0xd87a40)
0 'surname'
'desc' => 'RFC2256: last (family) name(s) for which the entity is known by'
'name' => 'sn'
'oid' => '2.5.4.4'
'sup' => ARRAY(0xd89fc0)
0 'name'
'type' => 'at'
DB<28> x $s->attribute('surname')
0 HASH(0xd89e88)
'aliases' => ARRAY(0xd87a40)
0 'surname'
'desc' => 'RFC2256: last (family) name(s) for which the entity is known by'
'name' => 'sn'
'oid' => '2.5.4.4'
'sup' => ARRAY(0xd89fc0)
0 'name'
'type' => 'at'
DB<29> x $s->attribute('gn')
0 HASH(0x14e25d0)
'aliases' => ARRAY(0xd8b508)
0 'gn'
'desc' => 'RFC2256: first name(s) for which the entity is known by'
'name' => 'givenName'
'oid' => '2.5.4.42'
'sup' => ARRAY(0x14e2738)
0 'name'
'type' => 'at'
DB<30> x $s->attribute('givenname')
0 HASH(0x14e25d0)
'aliases' => ARRAY(0xd8b508)
0 'gn'
'desc' => 'RFC2256: first name(s) for which the entity is known by'
'name' => 'givenName'
'oid' => '2.5.4.42'
'sup' => ARRAY(0x14e2738)
0 'name'
'type' => 'at'
DB<31> x $s->attribute('name')
0 HASH(0x1476008)
'aliases' => ARRAY(0x1475ff0)
empty array
'desc' => 'RFC4519: common supertype of name attributes'
'equality' => 'caseIgnoreMatch'
'max_length' => 32768
'name' => 'name'
'oid' => '2.5.4.41'
'substr' => 'caseIgnoreSubstringsMatch'
'syntax' => '1.3.6.1.4.1.1466.115.121.1.15'
'type' => 'at'
Regards,
Ulrich
7 years, 5 months
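Added example, not from the original post or from OpenLDAP: a parser for attribute type descriptions in the RFC 4512 form that a search of cn=subschema returns, and a resolver that walks the SUP chain for any property the type does not state itself, which is how syntax and matching rules are inherited from the supertype (RFC 4512 section 2.5.1). The schema strings below are a constructed subset of core.schema covering the types in the debugger output.

```python
"""Parser for RFC 4512 AttributeTypeDescription strings (the format returned
by a search of cn=subschema for attributeTypes) and resolution of inherited
properties through the SUP chain. Added example, not code from the original
post or from OpenLDAP; the schema strings below are a constructed subset of
core.schema."""
import re

TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}


def parse_attribute_type(definition):
    """'( oid NAME ... SYNTAX ... )' -> dict keyed by lower-cased keyword."""
    tokens = TOKEN.findall(definition)
    if tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a parenthesised description")
    at = {"oid": tokens[1], "names": []}
    i = 2
    while i < len(tokens) - 1:
        keyword = tokens[i]
        i += 1
        if keyword in FLAGS:
            at[keyword.lower()] = True
            continue
        if tokens[i] == "(":                 # qdescrs list: NAME ( 'sn' 'surname' )
            end = tokens.index(")", i)
            values = [t.strip("'") for t in tokens[i + 1:end]]
            i = end + 1
        else:
            values = [tokens[i].strip("'")]
            i += 1
        if keyword == "NAME":
            at["names"] = values
        elif keyword == "SYNTAX":            # noidlen: OID with optional {len}
            m = re.fullmatch(r"([0-9.]+)(?:\{(\d+)\})?", values[0])
            at["syntax"] = m.group(1)
            if m.group(2):
                at["max_length"] = int(m.group(2))
        else:
            at[keyword.lower()] = values[0]
    return at


class AttributeSchema:
    def __init__(self, definitions):
        self.by_oid, self.by_name = {}, {}
        for d in definitions:
            at = parse_attribute_type(d)
            self.by_oid[at["oid"]] = at
            for name in at["names"]:
                self.by_name[name.lower()] = at

    def lookup(self, key):
        return self.by_oid.get(key) or self.by_name[key.lower()]

    def effective(self, key, field):
        """Value of field for the attribute type, taken from its SUP chain
        when the type does not state it itself (RFC 4512 section 2.5.1)."""
        seen, at = set(), self.lookup(key)
        while at is not None:
            if at["oid"] in seen:
                raise ValueError("SUP cycle at " + at["oid"])
            seen.add(at["oid"])
            if field in at:
                return at[field]
            at = self.lookup(at["sup"]) if "sup" in at else None
        return None


CORE_SUBSET = [
    "( 2.5.4.41 NAME 'name' DESC 'RFC4519: common supertype of name attributes'"
    " EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch"
    " SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (family) name(s)"
    " for which the entity is known by' SUP name )",
    "( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'RFC2256: first name(s)"
    " for which the entity is known by' SUP name )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common name(s)"
    " for which the entity is known by' SUP name )",
]

SCHEMA = AttributeSchema(CORE_SUBSET)

if __name__ == "__main__":
    for key in ("sn", "gn", "name"):
        print(key, SCHEMA.effective(key, "syntax"), SCHEMA.effective(key, "equality"))
```

For sn and gn the resolver finds no syntax on the type itself and returns the one stated on name, together with name's equality and substring rules and its {32768} length; a type that sets its own SYNTAX or EQUALITY overrides the inherited value because the walk stops at the first definition that carries the field.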
Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE
Hello,
I'm trying to enable unique overlay to enforce uniqueness of uid and mail attributes
with no luck. My server is Debian 7 based with packaged slapd (2.4.31). Here's the config
for the unique overlay :
dn: cn=module{1},cn=config
objectClass: olcModuleList
objectClass: olcConfig
objectClass: top
cn: module{1}
olcModuleLoad: {0}memberof
olcModuleLoad: {1}refint
olcModuleLoad: {2}unique
olcModulePath: /usr/lib/ldap

dn: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {4}unique
olcUniqueURI: ldap:///?mail?sub
olcUniqueURI: ldap:///?uid?sub
assuming the configuration is good, I've tried to create 2 entries :
uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the
same mail: test@mydomain.com => created without error.
Changing the mail to test2@mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works;
going back to test@mydomain.com => no error.
The first time, I've used the main administrative account. So I created a sub
administrator account, changed the ACLs, fine. Deleted the two entries, recreated the two
entries with the same mail without error.
I've tried to put slapd in debug mode; the only thing I've noticed is:
51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>,
<uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e unique_modify: administrative bypass, skipping
51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com")
51f7df1e bdb_entry_get: rc=0
If someone has a clue...
Rgds
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
7 years, 5 months
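Added example, not from the original post or from OpenLDAP: a model of the check slapo-unique performs for each olcUniqueURI on an add or modify, and of the condition behind the "administrative bypass, skipping" line in the debug output. slapo-unique skips its check when the operation carries the ManageDsaIT control and the bound identity has manage access to the entry; ldapmodify sends that control with -M, and a GUI client's settings are worth checking for it. The directory content below is constructed; the first entry is the one from the post.

```python
"""Model of the check slapo-unique performs for each olcUniqueURI on an add
or modify, including the condition under which it logs "administrative
bypass, skipping": the operation carries the ManageDsaIT control and the
bound identity has manage access to the entry. Added example, not code from
the original post or from OpenLDAP; the directory content is constructed."""


def parse_unique_uri(uri):
    """olcUniqueURI is an LDAP URL: ldap:///base?attrs?scope?filter.
    An empty base means the whole database; scope defaults to sub."""
    if not uri.startswith("ldap:///"):
        raise ValueError("only ldap:/// URIs are handled here")
    fields = uri[len("ldap:///"):].split("?")
    fields += [""] * (4 - len(fields))
    base, attrs, scope, flt = fields[:4]
    return {
        "base": base,
        "attrs": [a.lower() for a in attrs.split(",") if a],
        "scope": scope.lower() or "sub",
        "filter": flt,
    }


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn, base, scope):
    dn, base = normalize_dn(dn), normalize_dn(base)
    if not base:
        return True
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)


def unique_check(directory, uris, target_dn, new_values,
                 manage_dsa_it=False, has_manage_access=False):
    """directory: {dn: {attr: [values]}}; new_values: the attribute values
    the operation would write to target_dn. Returns (result_code, info):
    0 when allowed, 19 (constraintViolation) when a value is already used."""
    if manage_dsa_it and has_manage_access:
        return 0, "administrative bypass, skipping"
    values = {k.lower(): v for k, v in new_values.items()}
    for uri in uris:
        for attr in uri["attrs"]:
            for value in values.get(attr, []):
                for dn, entry in directory.items():
                    if normalize_dn(dn) == normalize_dn(target_dn):
                        continue  # an entry does not collide with itself
                    if not in_scope(dn, uri["base"], uri["scope"]):
                        continue
                    existing = [v.lower() for v in entry.get(attr, [])]
                    if value.lower() in existing:
                        return 19, f"some attributes not unique: {attr}={value} is already used by {dn}"
    return 0, ""


# The two URIs from the posted overlay configuration.
URIS = [parse_unique_uri("ldap:///?mail?sub"), parse_unique_uri("ldap:///?uid?sub")]

# Constructed directory content; the first entry is the one from the post.
DIRECTORY = {
    "uid=test,ou=people,dc=mydomain,dc=com": {"uid": ["test"], "mail": ["test@mydomain.com"]},
    "uid=svc,ou=services,dc=mydomain,dc=com": {"uid": ["svc"], "mail": ["svc@mydomain.com"]},
}

if __name__ == "__main__":
    second = {"uid": ["test2"], "mail": ["test@mydomain.com"]}
    target = "uid=test2,ou=people,dc=mydomain,dc=com"
    print(unique_check(DIRECTORY, URIS, target, second))
    print(unique_check(DIRECTORY, URIS, target, second,
                       manage_dsa_it=True, has_manage_access=True))
```

The same add of uid=test2 with the mail of uid=test is refused in the first call and silently passed in the second, which is the path the debug output shows; the control on its own, without manage access, does not bypass the check. A rootdn always has manage access, so testing with the main administrative account and a client that sets ManageDsaIT never exercises the constraint.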
OpenLDAP with ssl client certs
by Brent Bice
I was recently asked if we could use ssl client certs as a 2nd form
of authentication with OpenLDAP and didn't know for sure. Is it
possible to have OpenLDAP require both a DN/password pair *and* a client
ssl cert?
Just to see if I could make any form of client cert authentication
work, I took a test-bed instance of OpenLDAP and added this line to
slapd.conf:
TLSVerifyClient allow
Then I created a self-signed ssl cert, converted it to a .der binary
file, then added it to an LDAP record's userCertificate attribute with this:
dn: <my-dn>
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///tmp/ldapclient.bin
Then I found my ldap client of choice doesn't seem to have an option
to authenticate via client certs, and didn't see any command line
options for ldapsearch for specifying a client ssl cert/key pair. So I
edited ~/.ldaprc and added:
BINDDN <my-dn>
TLS_REQCERT demand
TLS_CERT /tmp/ldapclient.crt
TLS_KEY /tmp/ldapclient.key
But when I run ldapsearch -x with no -D and -W options, it's clearly
still just binding anonymously. When I run ldapsearch -x with a -D and
no -W option it says I can't bind without a password. :-) So... I'm
clearly missing something here.
How do I get ldapsearch to try to authenticate with the SSL cert?
Or is it possibly trying but failing because slapd can't validate the
self-signed client cert I made? It's definitely finding and using my
.ldaprc file because I can change BASE, PORT, and HOST settings in there
and don't have to specify 'em on the command line afterwards, but as
near as I can tell it's not using the client cert.
Brent
7 years, 5 months
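Added example, not from the original post or from OpenLDAP: a model of how a client certificate becomes a bind identity. With SASL EXTERNAL over TLS, slapd takes the certificate's subject DN as the authentication identity in the form dn:<subject>, and authz-regexp (olcAuthzRegexp in cn=config) rewrites that string to a directory DN; a simple bind (ldapsearch -x) never consults the certificate, and the userCertificate attribute stored on an entry plays no part in either path. Assumptions in the model: the subject is given in OpenSSL's one-line form, slapd's DN normalisation is approximated by lower-casing, the regexp is matched case-insensitively, and the mapping rule is invented.

```python
"""Model of how an OpenLDAP client certificate becomes a bind identity: with
SASL EXTERNAL over TLS, slapd uses the certificate subject DN as the
authentication identity (dn:<subject>), and authz-regexp rewrites it to a
directory DN. A simple bind ignores the certificate. Added example, not code
from the original post or from OpenLDAP. Assumptions: OpenSSL one-line
subject form, DN normalisation approximated by lower-casing, case-insensitive
regexp matching, and an invented mapping rule."""
import re


def subject_to_ldap_dn(openssl_subject):
    """'/C=US/O=Example/CN=brent' -> 'cn=brent,o=example,c=us'.
    OpenSSL lists the root-most component first; LDAP string form (RFC 4514)
    lists the leaf first. Lower-casing stands in for slapd's normalisation."""
    avas = []
    for component in openssl_subject.split("/"):
        if not component:
            continue
        attr, _, value = component.partition("=")
        avas.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(reversed(avas))


def external_authcid(openssl_subject):
    """Authentication identity slapd derives for SASL EXTERNAL over TLS."""
    return "dn:" + subject_to_ldap_dn(openssl_subject)


def apply_authz_regexp(authcid, rules):
    """rules: ordered (match, replace) pairs as in authz-regexp. The first
    matching rule wins; $1..$9 in replace are the capture groups. Without a
    match the dn: identity is kept as it is, which normally names no entry."""
    for match, replace in rules:
        m = re.match(match, authcid, re.IGNORECASE)
        if m:
            return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replace)
    return authcid


def bind_identity(mechanism, rules, client_cert_subject=None, bind_dn=None, password=None):
    """Identity a bind ends up with. Simple bind (ldapsearch -x) never looks
    at the certificate, even when TLS presented one; EXTERNAL (ldapsearch
    -Y EXTERNAL) uses nothing but the certificate."""
    if mechanism == "simple":
        if not bind_dn:
            return "anonymous"
        if not password:
            return "error: unauthenticated bind rejected"  # slapd default policy
        return bind_dn
    if mechanism == "EXTERNAL":
        if client_cert_subject is None:
            return "error: no external identity"
        return apply_authz_regexp(external_authcid(client_cert_subject), rules)
    raise ValueError(mechanism)


# Invented rule: map certificates issued under o=example,c=us to entries
# under ou=people,dc=example,dc=com.
RULES = [(r"^dn:cn=([^,]+),o=example,c=us$", r"cn=$1,ou=people,dc=example,dc=com")]

if __name__ == "__main__":
    subject = "/C=US/O=Example/CN=brent"
    print(bind_identity("EXTERNAL", RULES, client_cert_subject=subject))
    print(bind_identity("simple", RULES, client_cert_subject=subject))
```

Against a real server the client has to ask for the mechanism explicitly (ldapwhoami -Y EXTERNAL -ZZ -H ldap://server, with TLS_CERT and TLS_KEY in ~/.ldaprc as in the post), and the certificate must chain to a CA that slapd trusts through TLSCACertificateFile, otherwise no identity is established at all. TLSVerifyClient demand on the server combined with a simple bind requires a trusted certificate and a password on every session, but it does not tie the certificate to the bind DN; EXTERNAL ties the identity to the certificate but then uses no password.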