openldap-technical November 2013

openldap-technical@openldap.org

73 participants
72 discussions

different hdbs for ou
by Denny Fuchs 08 Nov '13

08 Nov '13

hi, I have one main HDB Database for: dc=example,dc=net -> /var/lib/ldap/ with one subtree: ou=department,dc=example,dc=net Now I want to let other departments use our N-Way LDAP server too. My idea was to put the new departments into different hdb databases: ou=department-1,dc=example,dc=net -> /var/lib/ldap/department-1/ ou=department-2,dc=example,dc=net -> /var/lib/ldap/department-2/ ou=department-n,dc=example,dc=net -> /var/lib/ldap/department-n/ all with own admin access to there root dn. How should I do that? cu denny

2 6

Reseting content/database/schema
by Merve Temizer 07 Nov '13

07 Nov '13

I need to remove every configuration/schema/database. Is it possible and if so how? So far Code: sudo apt-get purge slapd ldap-utils remove Code: /etc/ldap /etc/openldap /var/lib/ldap and Code: sudo apt-get install slapd ldap-utils tried to Code: sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend2.example.com.ldif still getting 80 error, which means, according to my restricted knowledge, ldap already has modules and cn s in ldif file.

2 1

OpenLDAP DB question
by Dheeraj Khanna 07 Nov '13

07 Nov '13

Hi I wanted to find if I can add a host based authentication, here is my setup. Regular LDAP DB , I use group and users and associate permissions to users based on groups. What I want to achieve is this: *If a User A is a member of "Group A" and has access to "hostsA" allow else deny, this will allow me to limit access to certain server types based on user groups. I think we can define this in /etc/ldap.conf but I could not find find the right syntax to add hosts in this config file.* *Question: *I do not know how to add this ou called "hostaccess", I used a GUI portal called Apache Directory Studio to add/delete users and groups. If some one knows how to add hosts in LDAP and be able t map groups and users to it that would greatly help me. Thanks Dheera

3 3

slapd-mdb network performance
by Jancewicz, Russell 06 Nov '13

06 Nov '13

Hello, I am experiencing a bit of an issue with mdb network traffic. When I request large queries (entire subtrees) from remote hosts my searches take hundreds of times longer to complete than they do if I search on the local machine (in all expect for one case). I have attempted to tune the kernel network settings, adjusted tx buffer sizes all to no avail. Just before turning to this list i gave one last shot in the dark attempt running my query using the rootDN. This produced the expected results. When queried with a typical account DN my system was transmitting around 2.0Mbps to the remote client. When queried with the rootDN my system was transmitting around 100Mbps to the client. The system has an olcLimits rule allowing unlimited time and size to the account "typical account" I was testing with. ' olcLimits: dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited ' Clearly the server is capable of serving data to the remote machine at 100Mbps (given that the rootDN has done so) I cannot for the life of me find a configuration option or setting would should be impacting the transmission bandwidth of searches. Any help or advice of where I should be looking would be greatly appreciated. I have included the relevant cn=config information below. Thank you, -Russell J. Jancewicz University of Connecticut OpenLDAP: slapd 2.4.36 (Sep 19 2013 11:16:48) $ dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcDbDirectory: /srv/ldap/example.com olcSuffix: dc=example,dc=com # ... olcAccess olcLimits: {0}dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" time=unlimited size=unlimited olcLimits: {1}dn.children="ou=accounts,dc=example,dc=com" time=unlimited size=unlimited olcRootDN: cn=root,dc=example,dc=com olcDbCheckpoint: 512 30 olcDbNoSync: FALSE olcDbMaxSize: 8589934592

3 4

unsubscribe
by Richards, Toby 06 Nov '13

06 Nov '13

Respectfully Submitted, R. Toby Richards Network Administrator Superior Court of California In and for the County of San Luis Obispo (805) 781-4150

1 0

slapd appears to incorrectly report an object class violation when renaming an entry
by Jon C Kidder 06 Nov '13

06 Nov '13

I am running 2.4.36 in my sandbox environment and have recently found myself needing to rename some entries in my directory. Slapd is reporting an object class violation when attempting to rename the entries even though all required attributes are present on the entry. I have a sample ldif that reproduces this problem. dn: cn=testuser,ou=users,dc=example,dc=com changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: testuser uid: testuser sn: surname dn: cn=testuser,ou=users,dc=example,dc=com changetype: modrdn newrdn: uid=testuser deleteoldrdn: 1 newsuperior: ou=users,dc=example,dc=com When I run this ldif using ldapmodify this is the result I get back. adding new entry "cn=testuser,ou=users,dc=example,dc=com" modifying rdn of entry "cn=testuser,ou=users,dc=example,dc=com" ldap_rename: Object class violation (65) additional info: object class 'inetOrgPerson' requires attribute 'cn' As you can see from the ldif the cn attribute is clearly present. I am assuming this is a bug and needs reported but wanted to review it with the list members before I submitted the ITS entry. -Jon C. Kidder American Electric Power Middleware Services Email: jckidder(a)aep.com<mailto:jckidder@aep.com> Phone: 614-716-4970

4 3

Openldap Synch problem
by Darouichi, Aziz 06 Nov '13

06 Nov '13

Hi, I have 2 Openldaps that are configured for replication one is on site, the other is a remote. They are connected via a VPN tunnel and every time there is a connection problem between the two the replication fails, but I have to stop the services on the remote, delete the database and start a fresh replication. Is there a way that I can configure the remote to force it to re-synch without having to delete the database and start all over again? This is what I see in the log after connection gets re-established: Nov 6 11:37:39 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1cffefb0 20131106163739.780633Z#000000#000#000000 Nov 6 11:37:50 LDAP-TLS-2 slapd[4903]: do_syncrep2: rid=006 LDAP_RES_SEARCH_RESULT Nov 6 11:37:50 LDAP-TLS-2 slapd[4903]: do_syncrepl: rid=006 rc -2 retrying Nov 6 11:38:28 LDAP-TLS-2 slapd[4903]: slap_queue_csn: queing 0x41d1be70 20131106163828.873440Z#000000#000#000000 Nov 6 11:38:28 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1d10d1f0 20131106163828.873440Z#000000#000#000000 Nov 6 11:38:39 LDAP-TLS-2 slapd[4903]: slap_queue_csn: queing 0x41d1c0e0 20131106163839.682221Z#000000#000#000000 Nov 6 11:38:39 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1d3f3fc0 20131106163839.682221Z#000000#000#000000 Nov 6 11:38:49 LDAP-TLS-2 slapd[4903]: slap_queue_csn: queing 0x4251ce70 20131106163849.281885Z#000000#000#000000 Nov 6 11:38:49 LDAP-TLS-2 slapd[4903]: slap_graduate_commit_csn: removing 0x1d369af0 20131106163849.281885Z#000000#000#000000 Nov 6 11:38:50 LDAP-TLS-2 slapd[4903]: do_syncrep2: rid=006 LDAP_RES_SEARCH_RESULT Nov 6 11:38:50 LDAP-TLS-2 slapd[4903]: do_syncrepl: rid=006 rc -2 retrying. This is the config of the remote for synrepl syncrepl rid=006 provider=ldap://192.168.19.43 tls_cert=/etc/pki/tls/certs/ldap-tls.curry.edu.cert.pem tls_key=/etc/pki/tls/private/ldap-tls.curry.edu.key.pem tls_cacert=/etc/pki/tls/certs/cacert.pem tls_reqcert=demand searchbase="dc=curry,dc=edu" schemachecking=on timelimit=unlimited sizelimit=unlimited type=refreshAndPersist retry="60 +" keepalive=240:10:30 Thank You

1 0

Q: syntax attribute in schema
by Ulrich Windl 06 Nov '13

06 Nov '13

Hi! This is probably a stupid question, but I wonder: In the schema definitions, neither "gn" nor "sn" have a "syntax" attribute. So I wonder: If an attribute has a "sup", is the syntax inherited from the "sup" ("name" in this special case)? In Perilish: DB<27> x $s->attribute('sn') 0 HASH(0xd89e88) 'aliases' => ARRAY(0xd87a40) 0 'surname' 'desc' => 'RFC2256: last (family) name(s) for which the entity is known by' 'name' => 'sn' 'oid' => '2.5.4.4' 'sup' => ARRAY(0xd89fc0) 0 'name' 'type' => 'at' DB<28> x $s->attribute('surname') 0 HASH(0xd89e88) 'aliases' => ARRAY(0xd87a40) 0 'surname' 'desc' => 'RFC2256: last (family) name(s) for which the entity is known by' 'name' => 'sn' 'oid' => '2.5.4.4' 'sup' => ARRAY(0xd89fc0) 0 'name' 'type' => 'at' DB<29> x $s->attribute('gn') 0 HASH(0x14e25d0) 'aliases' => ARRAY(0xd8b508) 0 'gn' 'desc' => 'RFC2256: first name(s) for which the entity is known by' 'name' => 'givenName' 'oid' => '2.5.4.42' 'sup' => ARRAY(0x14e2738) 0 'name' 'type' => 'at' DB<30> x $s->attribute('givenname') 0 HASH(0x14e25d0) 'aliases' => ARRAY(0xd8b508) 0 'gn' 'desc' => 'RFC2256: first name(s) for which the entity is known by' 'name' => 'givenName' 'oid' => '2.5.4.42' 'sup' => ARRAY(0x14e2738) 0 'name' 'type' => 'at' DB<31> x $s->attribute('name') 0 HASH(0x1476008) 'aliases' => ARRAY(0x1475ff0) empty array 'desc' => 'RFC4519: common supertype of name attributes' 'equality' => 'caseIgnoreMatch' 'max_length' => 32768 'name' => 'name' 'oid' => '2.5.4.41' 'substr' => 'caseIgnoreSubstringsMatch' 'syntax' => '1.3.6.1.4.1.1466.115.121.1.15' 'type' => 'at' Regards, Ulrich

2 1

Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE 05 Nov '13

05 Nov '13

Hello, I'm trying to enable unique overlay to enforce uniqueness of uid and mail attributes with no luck. My server is debian 7 based with packaged slapd (2.4.31]. Here's the config for the unique overlay : DN: cn=module{1},cn=config objectClass: olcModuleList objectClass: olcConfig objectClass: top cn: module{1} olcModuleLoad: {0}memberof olcModuleLoad: {1}refint olcModuleLoad: {2}unique olcModulePath: /usr/lib/ldap DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config objectClass: olcUniqueConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {4}unique olcUniqueURI: ldap:///?mail?sub olcUniqueURI: ldap:///?uid?sub assuming the configuration is good, I've tried to create 2 entries : uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the same mail : test(a)mydomain.com => created without error. change mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works going back to test(a)mydomain.com => no error The first time, I've used the main administrative account. So I created a sub administrator account, changed the ACLs, fine. Deleted the two entries, recreated the two entries with the same mail without error. I've tried to put slapd in debug mode, the only ting I've noticed is : 51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>, <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e *unique_modify: administrative bypass, skipping* 51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com") 51f7df1e bdb_entry_get: rc=0 If someone has a clue... Rgds -- Philippe MARASSE Service Informatique - Centre Hospitalier Henri Laborit CS 10587 - 370 avenue Jacques Coeur 86021 Poitiers Cedex Tel : 05.49.44.57.19

4 13

OpenLDAP with ssl client certs
by Brent Bice 05 Nov '13

05 Nov '13

I was recently asked if we could use ssl client certs as a 2nd form of authentication with OpenLDAP and didn't know for sure. Is it possible to have OpenLDAP require both a DN/password pair *and* a client ssl cert? Just to see if I could make any form of client cert authentication work, I took a test-bed instance of OpenLDAP and added this line to slapd.conf: TLSVerifyClient allow Then I created a self-signed ssl cert, converted it to a .der binary file, then added it to an LDAP record's userCertificate attribute with this: dn: <my-dn> changetype: modify add: userCertificate;binary userCertificate;binary:< file:///tmp/ldapclient.bin Then I found my ldap client of choice doesn't seem to have an option to authenticate via client certs, and didn't see any command line options for ldapsearch for specifying a client ssl cert/key pair. So I edited ~/.ldaprc and added: BINDDN <my-dn> TLS_REQCERT demand TLS_CERT /tmp/ldapclient.crt TLS_KEY /tmp/ldapclient.key But when I run ldapsearch -x with no -D and -W options, it's clearly still just binding anonymously. When I run ldapsearch -x with a -D and no -W option it says I can't bind without a password. :-) So... I'm clearly missing something here. How do I get ldapsearch to try to authenticate with the SSL cert? Or is it possibly trying but failing because slapd can't validate the self-signed client cert I made? It's definitely finding and using my .ldaprc file because I can change BASE, PORT, and HOST settings in there and don't have to specify 'em on the command line afterwards, but as near as I can tell it's not using the client cert. Brent

5 12

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2013