February 2013 - openldap-technical

by Venish Khant

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

7 years, 3 months

4
11
0 / 0

OpenLDAP and dynalogin (two-factor auth with HOTP)

by Daniel Pocock

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

8 years, 3 months

5
6
0 / 0

trouble with slapo-pcache

by btb＠bitrate.net

hi- i'm having a few different issues with slapo-pcache. i did a bit of searching in the its and did not find any items which seemed to match my symptoms. i'm using 2.4.31, on ubuntu 12.10. the first is that i so to not be able to add, via ldapadd, additional olcPcacheTemplate attributes to the config entry. i was able to add the first one using ldapadd, but subsequent modify operations to add another complain "no equality matching rule": >ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base Enter LDAP Password: dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}pcache olcPcache: mdb 1000 100 1000 60 olcPcacheAttrset: 0 "*" "+" olcPcacheTemplate: "(uid=)" 0 3600 >cat template.ldif dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config changetype: modify add: olcPcacheTemplate olcPcacheTemplate: "(cn=)" 0 3600 >ldapadd -ZZxWH 'ldap://localhost/' -D 'cn=config' -f template.ldif Enter LDAP Password: modifying entry "olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config" ldap_modify: Inappropriate matching (18) additional info: modify/add: olcPcacheTemplate: no equality matching rule Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 STARTTLS Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 RESULT oid= err=0 text= Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 ACCEPT from IP=127.0.0.1:32916 (IP=0.0.0.0:389) Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 TLS established tls_ssf=128 ssf=128 Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" method=128 Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" mech=SIMPLE ssf=0 Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 RESULT tag=97 err=0 text= Oct 29 20:01:32 dsa1 slapd[8250]: connection_input: conn=1003 deferring operation: binding Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD dn="olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config" Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD attr=olcPcacheTemplate Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 RESULT tag=103 err=18 text=modify/add: olcPcacheTemplate: no equality matching rule Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=3 UNBIND Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 fd=12 closed adding the attribute "manually" [e.g. slapcat, modify ldif, slapadd] seems to be fine: >ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base Enter LDAP Password: dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}pcache olcPcache: mdb 1000 100 1000 60 olcPcacheAttrset: 0 "*" "+" olcPcacheTemplate: "(objectclass=)" 0 3600 olcPcacheTemplate: "(uid=)" 0 3600 my second problem is with caching when slapo-nssov is involved. it appears to not cache [QUERY NOT ANSWERABLE/QUERY NOT CACHEABLE] when a query occurs via nss: >getent passwd flash flash:x:2013:2013:flash gordon:/home/flash:/bin/bash Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on: Oct 31 08:42:15 deepfield slapd[12862]: 11r Oct 31 08:42:15 deepfield slapd[12862]: Oct 31 08:42:15 deepfield slapd[12862]: daemon: read active on 11 Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11) Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11): got connid=0 Oct 31 08:42:15 deepfield slapd[12862]: nssov: connection from uid=0 gid=0 Oct 31 08:42:15 deepfield slapd[12862]: nssov_passwd_byname(flash) Oct 31 08:42:15 deepfield slapd[12862]: str2filter "(&(objectClass=posixAccount)(uid=flash))" Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter Oct 31 08:42:15 deepfield slapd[12862]: AND Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter_list Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0 Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on: Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0 Oct 31 08:42:15 deepfield slapd[12862]: Oct 31 08:42:15 deepfield slapd[12862]: end get_filter_list Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0 Oct 31 08:42:15 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=)) Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT ANSWERABLE Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT CACHEABLE Oct 31 08:42:15 deepfield slapd[12862]: =>ldap_back_getconn: conn 0xb51f8ee8 fetched refcnt=1. Oct 31 08:42:15 deepfield slapd[12862]: => ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))" Oct 31 08:42:15 deepfield slapd[12862]: <= ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))" (0) Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:42:15 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: conn=-1 op=0 p=0 Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" although i believe i have a matching query template defined in the config: dn: olcDatabase={2}ldap,cn=config objectClass: olcLDAPConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {2}ldap olcSuffix: dc=example,dc=net olcLastMod: TRUE olcReadOnly: TRUE olcRootDN: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net olcMonitoring: TRUE olcDbURI: ldap://dsa1.example.net/ olcDbStartTLS: start tls_cacert="/etc/pki/trusted_roots/example_networks_roo t_ca-cert.pem" tls_reqcert="demand" olcDbACLBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=a ccounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx" s tarttls="critical" tls_cacert="/etc/pki/trusted_roots/example_networks_root _ca-cert.pem" tls_reqcert="demand" olcDbIDAssertBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services ,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx" structuralObjectClass: olcLDAPConfig entryUUID: f24e435a-b35a-1031-8f37-336141b7bc90 creatorsName: cn=config createTimestamp: 20121026014812Z entryCSN: 20121031023501.089672Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121031023501Z dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}pcache olcPcache: mdb 1000 100 1000 60 olcPcacheAttrset: 0 "*" "+" olcPcacheTemplate: "(objectClass=)" 0 3600 olcPcacheTemplate: "(uid=)" 0 3600 olcPcacheTemplate: "(&(objectClass=)(uid=))" 0 3600 olcPcacheBind: "(uid=)" 0 60 "sub" "dc=example,dc=net" structuralObjectClass: olcPcacheConfig entryUUID: ddb05d7e-b4fa-1031-811e-353e11fff366 creatorsName: cn=config createTimestamp: 20121028032528Z entryCSN: 20121030002115.179177Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121030002115Z dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheDatabase objectClass: olcMdbConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {0}mdb olcDbDirectory: /var/lib/ldap/example.net/ olcLastMod: TRUE olcMaxDerefDepth: 15 olcDbNoSync: FALSE olcDbIndex: certfingerprint eq olcDbIndex: cn eq olcDbIndex: default eq olcDbIndex: description eq olcDbIndex: entrycsn eq olcDbIndex: entryuuid eq olcDbIndex: gidnumber pres,eq olcDbIndex: host eq olcDbIndex: iphostnumber eq olcDbIndex: ipserviceport eq olcDbIndex: ipserviceprotocol eq olcDbIndex: mail eq olcDbIndex: maillocaladdress eq olcDbIndex: member eq olcDbIndex: memberof eq olcDbIndex: memberuid eq olcDbIndex: objectclass eq olcDbIndex: rfc822mailmember eq olcDbIndex: sudoUser eq olcDbIndex: uid pres,eq,sub olcDbIndex: uidnumber pres,eq olcDbMode: 0600 olcDbSearchStack: 16 structuralObjectClass: olcMdbConfig entryUUID: 88b37716-b590-1031-8c75-439de7087923 creatorsName: cn=config createTimestamp: 20121028211650Z entryCSN: 20121029021315.039143Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121029021315Z dn: olcOverlay={1}nssov,olcDatabase={2}ldap,cn=config objectClass: olcNssOvConfig objectClass: olcOverlayConfig objectClass: olcConfig olcOverlay: {1}nssov olcNssMap: group uniquemember member olcNssPam: authz2dn hostservice olcNssPamSession: sshd olcNssPamSession: login structuralObjectClass: olcNssOvConfig entryUUID: 47ecaef0-b73e-1031-8761-9f0bff5d3212 creatorsName: cn=config createTimestamp: 20121031003305Z entryCSN: 20121031003305.637051Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121031003305Z and if i perform the same query using ldapsearch: >ldapsearch -LLLZZxH 'ldap://localhost/' -D 'uid=flash,ou=people,ou=accounts,dc=example,dc=net' -w 'test' '(&(objectClass=posixAccount)(uid=flash))' dn: uid=flash,ou=people,ou=accounts,dc=example,dc=net initials: fg givenName: flash loginShell: /bin/bash uidNumber: 2013 gidNumber: 2013 uid: flash objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: extensibleObject c: us homeDirectory: /home/flash sn: gordon cn: flash gordon displayName: flash_gordon mail: user(a)example.com it does seem to cache it: Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: slap_listener_activate(8): Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 busy Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: >>> slap_listener(ldap:///) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: listen=8, new connection on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: added 18r (active) listener=(nil) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 ACCEPT from IP=127.0.0.1:37220 (IP=0.0.0.0:389) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x77, time 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 do_extended Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 31 08:55:37 deepfield slapd[12862]: do_extended: oid=1.3.6.1.4.1.1466.20037 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 STARTTLS Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_extended: err=0 oid= len=0 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=1 tag=120 err=0 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 RESULT oid= err=0 text= Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): unable to get TLS client DN, error=49 id=1003 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 TLS established tls_ssf=128 ssf=128 Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x60, time 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 do_bind Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128 Oct 31 08:55:37 deepfield slapd[12862]: do_bind: version=3 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: ndn: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: oc: "(null)", at: "(null)" Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: found entry: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: mdb_entry_get: rc=0 Oct 31 08:55:37 deepfield slapd[12862]: str2filter "(uid=flash)" Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e250 Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 5 times) Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "entry" requested Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd) Oct 31 08:55:37 deepfield slapd[12862]: base_candidates: base: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" (0x00000004) Oct 31 08:55:37 deepfield slapd[12862]: => test_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "uid" requested Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd) Oct 31 08:55:37 deepfield slapd[12862]: <= test_filter 6 Oct 31 08:55:37 deepfield slapd[12862]: pc_bind_search: cache is stale, reftime: 1351688135, current time: 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" Oct 31 08:55:37 deepfield slapd[12862]: =>ldap_back_getconn: conn=1003 op=1: lc=0xb38f9788 inserted refcnt=1 rc=0 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" mech=SIMPLE ssf=0 Oct 31 08:55:37 deepfield slapd[12862]: do_bind: v3 bind: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" Oct 31 08:55:37 deepfield slapd[12862]: pc_setpw: CACHING BIND for uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: 0x00000004: uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: <= acl_access_allowed: granted to database root Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: replace userPassword Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: updated id=00000004 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=2 tag=97 err=0 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 RESULT tag=97 err=0 text= Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x63, time 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 do_search Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <dc=example,dc=net>, <dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: SRCH "dc=example,dc=net" 2 0 Oct 31 08:55:37 deepfield slapd[12862]: 0 60 0 Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: AND Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter_list Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: end get_filter_list Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: filter: (&(objectClass=posixAccount)(uid=flash)) Oct 31 08:55:37 deepfield slapd[12862]: attrs: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=flash))" Oct 31 08:55:37 deepfield slapd[12862]: ==> limits_get: conn=1003 op=2 self="uid=flash,ou=people,ou=accounts,dc=example,dc=net" this="dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=)) Oct 31 08:55:37 deepfield slapd[12862]: Entering QC, querystr = (&(objectClass=posixAccount)(uid=flash)) Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e350 Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 1 times) Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x1 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: what am i doing wrong? -ben

10 years, 6 months

2
2
0 / 0

Is there any way to change structuralObjectClass of an LDAP entry?

by Marco Pizzoli

Hi all, yes, I already know this is not possible. But I have a particular scenario and maybe someone could give advice. In an LDAP tree I inherited some times ago, I have entries created many years ago by using a schema definition which implied an entry to acquire as structuralObjectClass a custom objectClass. This custom objectClass (let's say it's called custObjectClass) inherits from inetOrgPerson and mandates some specific attributes. Now, all entries are created expliciting the following objectClasses: - top - person - organizationalPerson - inetOrgPerson - custObjectClass The outcome is these entries have custObjectClass as structuralObjectClass. Now, I would like to make some cleaning on this tree, and I would like to change some schema definition on objects. First of all, I would like to NOT have custObjectClass as structuralObjectClass. Obviously I could slapcat my slapd engine, change the ldif and then re-import as new. But I would prefer to not switch off my slapd engine in the meantime. I can't afford that, to be honest... One idea I had was to create a replica consumer, change on it the schema definition (custObjectClass inheriting from TOP and being auxiliary instead of structural), and let the replication create the entries with the correct "structurality". I self-discovered this way is not viable, considering OL refuses to insert an entry with source structuralObjectClass not being defined structural on the slave as well. Now I'm asking for help to the community. Any hint welcome. How would you do? Thanks in advance Marco

10 years, 7 months

2
1
0 / 0

additional info: objectClasses: value #0 invalid per syntax

by Jimmy Royer

Hello, I am starting out with openldap and I don't know it that much. I got the error mentioned in the title when trying to add an object class, which is apparently a very common one per my google searches. I've read that common causes are: * extraneous white space (especially trailing white space) * improperly encoded characters (LDAPv3 uses UTF-8 encoded Unicode) * empty values (few syntaxes allow empty values) This is the object class file I am trying to add, I picked it as an example on some website, to have something minimal and make it easier to test: # cat exObjectClasses.ldif dn: cn=schema changetype: modify add: objectClasses objectClasses: ( 2.16.840.1.113730.3.2.2.9 NAME 'blogger' DESC 'Someone who has a blog' SUP inetOrgPerson STRUCTURAL MAY blog ) I've checked if there was any trailing spaces at the end with the following: # cat -vte exObjectClasses.ldif dn: cn=schema$ changetype: modify$ add: objectClasses$ objectClasses: ( 2.16.840.1.113730.3.2.2.9$ NAME 'blogger'$ DESC 'Someone who has a blog'$ SUP inetOrgPerson STRUCTURAL$ MAY blog )$ I've made sure the file is UTF-8: # iconv -f ASCII -t UTF-8 exObjectClasses.ldif > exObjectClasses.ldif.utf8 And I don't think there are any empty values defined in the LDIF file. So when I type this command, I still have the "invalid per syntax error: # ldapmodify -x -W -H "ldaps://127.0.0.1" -D cn=Manager,dc=modelsolv,dc=com -f exObjectClasses.ldif Enter LDAP Password: modifying entry "cn=schema" ldap_modify: Invalid syntax (21) additional info: objectClasses: value #0 invalid per syntax This is the content of the /etc/openldap/slapd.conf file: # cat slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/corba.schema include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/collective.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules # - modulepath is architecture dependent value (32/64-bit system) # - back_sql.la overlay requires openldap-server-sql package # - dyngroup.la and dynlist.la cannot be used at the same time # modulepath /usr/lib/openldap # modulepath /usr/lib64/openldap # moduleload accesslog.la # moduleload auditlog.la # moduleload back_sql.la # moduleload chain.la # moduleload collect.la # moduleload constraint.la # moduleload dds.la # moduleload deref.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload memberof.la # moduleload pbind.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload seqmod.la # moduleload smbk5pwd.la # moduleload sssvlv.la # moduleload syncprov.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by running # /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk # at self-signed certificates, however. TLSCACertificatePath /etc/openldap/certs TLSCertificateFile "\"OpenLDAP Server\"" TLSCertificateKeyFile /etc/openldap/certs/password # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # enable on-the-fly configuration (cn=config) database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none # enable server status monitoring (cn=monitor) database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=my-domain,dc=com" read by * none ####################################################################### # database definitions ####################################################################### database bdb suffix "dc=modelsolv,dc=com" checkpoint 1024 15 rootdn "cn=Manager,dc=modelsolv,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw SECRET # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM I was able to add a few entries in LDAP so far. So I know I am able to reach the server, the connection is fine, and LDAP is somewhat functional. But I can't modify the schema with objectclasses. Is there anything obvious that I am doing wrong? Do you have any recommendation for debugging further? Regards, Jimmy Royer

10 years, 7 months

4
4
0 / 0

Limit on number of attrs in replica conf?

by Marco Pizzoli

Hi all, Is it possible I discovered a limit on the number of attributes I can specify on the "attrs" parameter of the replica directive in slapd.conf? In my config file, for the replica directive, I explicited a long list of attributes. On the provider side I can see, on the provider slapd logs, that only 8 of the attrs I specified on the replica directive are actually asked. Plus objectClass, structuralObjectClass and entryCSN. Is that the expected behaviour? I already checked on the man page and I don't see this limitation explicited Thanks in advance Marco

10 years, 7 months

1
1
0 / 0

internal_modify in overlays

by Tim Watts

Hi, Does anyone know of a bit of code I can look at that does an *internal* (completed inline) LDAP_MOD_REPLACE operation on one attribute without chaining (ie it does a return 0)? I've found Sun docs for doing this in a slapi plugin but not an openldap slapd plugin. Reason: Basically, I've been hacking on smbkrb5pwd.c and discovered if I do a "return 0;" at the end, I can prevent chaining (not documented but found some openldap hacking - denyop.c - that demonstrated this). At this point, smbkrb5pwd.c has changed our MIT Kerberos principal's password, and "return 0" prevenrs_modsts slapd from chaining onto the code that tries to set a local hash into userPassword. And it does it without causing a nasty client error. I thought: would it not be nice to set userPassword: to {SASL}UID(a)KERB.REALM now... Each user's auth method gets switched upon the first successful password change that propagates to kerberos. However, all the existing overlays seem to set extra attributes by setting up a request in ->rs_mods off the original request. I assume these get actioned after a "return SLAP_CB_CONTINUE". So - how do set an attribute if we are halting the chain at our overlay? Cheers :) Tim -- Tim Watts Personal Blog: http://squiddy.blog.dionic.net/ http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

10 years, 7 months

2
2
0 / 0

Re: meta backend subtree directive ignored by conversion to cn=config

by francesco.policastro＠selex-es.com

I see. So I need to look at ACL, because my real meta configuration contains two trees coming from different forests, sharing nothing. It's the result of a merge of two companies, each with its AD, and I use OpenLDAP to authenticate users against a single meta domain, after a long job to rename many users who just shared the only object I did not want, i.e. the sAMAccountNname. Thanks, Francesco

10 years, 7 months

1
0
0 / 0

Re: meta backend subtree directive ignored by conversion to cn=config

by Pierangelo Masarati

> Sorry! > I mistyped the uri where the user is found (this happens because I saw > this behaviour on the real configuration and I had to massage it). > The search command, issued from the openldap server itself, is: > > ldapsearch -xLLL -H ldap:/// -D ""cn=LdapBindUser,dc=newco,dc=com" -w > secret1 -E pr=647/noprompt -b 'DC=newco,DC=com' 'sn=policastro' dn > > I find two records, one correct and one unexpected: > > dn: cn=Policastro > Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com" (matches the > line marked with *) > > dn: cn=Policastro Francesco,ou=UsersDisable,dc=second,dc=newco,dc=com OK, I got the point. You're probably misusing this feature. If you want to prevent a portion of the subtree from being returned, you need to use ACL. The subtree-{in|ex}clude is only used during candidate selection. This means that it is used while deciding whether or not an operation must be propagated to a specific target. For example, let's say that target #1 is rooted at "ou=Sub 1,dc=org", and target #2 is rooted at "dc=org", and it is known that target #2 does not contain a subtree named "ou=Sub 1,dc=org", adding subtree-exclude "ou=Sub 1,dc=org" to target #2 prevents searches whose searchBase is (a subordinate of) "ou=Sub 1,dc=org" to span target #2 in addition to target #1. p. -- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano

10 years, 7 months

1
0
0 / 0

Re: meta backend subtree directive ignored by conversion to cn=config

by francesco.policastro＠selex-es.com

Sorry! I mistyped the uri where the user is found (this happens because I saw this behaviour on the real configuration and I had to massage it). The search command, issued from the openldap server itself, is: ldapsearch -xLLL -H ldap:/// -D ""cn=LdapBindUser,dc=newco,dc=com" -w secret1 -E pr=647/noprompt -b 'DC=newco,DC=com' 'sn=policastro' dn I find two records, one correct and one unexpected: dn: cn=Policastro Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com" (matches the line marked with *) dn: cn=Policastro Francesco,ou=UsersDisable,dc=second,dc=newco,dc=com Francesco Policastro From: Pierangelo Masarati <masarati(a)aero.polimi.it> To: <openldap-technical(a)openldap.org> Date: 27/02/2013 10:36 Subject: Re: meta backend subtree directive ignored by conversion to cn=config Sent by: <openldap-technical-bounces(a)OpenLDAP.org> On 02/26/2013 02:19 PM, francesco.policastro(a)selex-es.com wrote: > Even worse: if I start the server using slapd.conf, not cn=config, the > subtree-include directives seem to be ignored. > With reference to the previously attached file if I search users from the > root ( "dc=newco,dc=com") I find them also outside the included subtrees; > e.g I find users under "ou=UsersDisable, > ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com". > Is it there anything wrong in my config file? Did I misunderstand the > directive? According to your configuration file, whose relevant directives I summarized below, the entry "ou=UsersDisable,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com" matches the 3rd subtree-include of the 1st target (marked with [*]). So it seems to behave as intended. p. ----- database meta suffix "dc=newco,dc=com" ... uri "ldap://server1.it.domain1.com/dc=first,dc=newco,dc=com" ... subtree-include "ou=Applications,ou=Groups Shared,dc=first,dc=newco,dc=com" subtree-include "ou=Users,ou=1st-location,dc=first,dc=newco,dc=com" subtree-include "ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com" [*] subtree-include "ou=Users,ou=3rd-location,dc=first,dc=newco,dc=com" ... uri "ldap://server2.domain2.net/ou=organizationalUnit,dc=second,dc=newco,dc=com" ... subtree-include "ou=Users,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com" subtree-include "ou=My-ou,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com" subtree-include "ou=Remote Sites,ou=organizationalUnit,dc=second,dc=newco,dc=com" -- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano

10 years, 7 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2013