openldap-technical March 2013

openldap-technical@openldap.org

84 participants
80 discussions

Re: Help me for " LDAP Sync with Active Directory from Openldap side"
by Mark Pröhl 25 Mar '13

25 Mar '13

please discuss this on the list. I do not fully understand why you need synchronization. If it is because your LDAP client (i.e. liferay) only supports one LDAP-URI but you have two different user directories (AD and OpenLDAP), than there would be no need for synchronization: OpenLDAP could be used to integrate both directories under one URL (e.g. by meta backend) On 25.03.2013 10:02, Suman Karki wrote: > thank you for your reply. And i need some help that can perform my task. > > I am using liferey for web hosting. Which is http://www.liferay.com/ > > I am managing liferay's user accounts with open ldap server. > > And i need to sync AD to Open Ldap . > > So through one Open Ldap server configuration i can access both > servers user account. > > I have admin access to both server. > > Just, I need to sync AD to Open Ldap server for user account accessing. > > > > > > On 3/25/13, Mark Pröhl <mark(a)mproehl.net> wrote: >> on 25.03.2013 06:57, Suman Karki wrote: >>> I am running open ldap server in redhat server, and active directory >>> in win server 2008. >>> I have admin access to both servers. >>> >>> The thing is that i have to sync both server, like from openldap i >>> could access active directory data. >>> >>> >>> So anybody tell me how can we synchronize both server, any solutions ? >>> or it will be better if anyone provide me some tutorials or better >>> give me some documentation? >>> >>> please i need to solve this problem as soon as possible. >>> >> can you describe your requirements a little bit more? I.e. >> >> - which attributes do you need to be synchronized? >> - do you need to synchronize from AD to OpenLDAP >> or from OpenLDAP to AD or in both directions? >> - do you need passwords to be synchronized? >> >> BTW: OpenLDAP can be configured as a (caching) LDAP >> proxy to Active Directory. Configuring that is much >> more simple than synchronization with AD. >> >> For synchronization you will need some kind of >> 3rd-party product, like the SPML based solution >> mentioned here: >> http://www.openldap.org/lists/openldap-technical/201303/msg00167.html >> >> -- >> Mark Pröhl >> mark(a)mproehl.net >> www.kerberos-buch.de >> >>

1 0

Help me for " LDAP Sync with Active Directory from Openldap side"
by Suman Karki 25 Mar '13

25 Mar '13

I am running open ldap server in redhat server, and active directory in win server 2008. I have admin access to both servers. The thing is that i have to sync both server, like from openldap i could access active directory data. So anybody tell me how can we synchronize both server, any solutions ? or it will be better if anyone provide me some tutorials or better give me some documentation? please i need to solve this problem as soon as possible.

2 1

Re: openldap-technical Digest, Vol 64, Issue 24
by Suman Karki 24 Mar '13

24 Mar '13

Help me for " LDAP Sync Replication with Active Directory from Openldap side" If any person is willing to help me and require more detail about this problem i will reply that.

1 0

trouble with slapo-pcache
by btb＠bitrate.net 24 Mar '13

24 Mar '13

hi- i'm having a few different issues with slapo-pcache. i did a bit of searching in the its and did not find any items which seemed to match my symptoms. i'm using 2.4.31, on ubuntu 12.10. the first is that i so to not be able to add, via ldapadd, additional olcPcacheTemplate attributes to the config entry. i was able to add the first one using ldapadd, but subsequent modify operations to add another complain "no equality matching rule": >ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base Enter LDAP Password: dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}pcache olcPcache: mdb 1000 100 1000 60 olcPcacheAttrset: 0 "*" "+" olcPcacheTemplate: "(uid=)" 0 3600 >cat template.ldif dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config changetype: modify add: olcPcacheTemplate olcPcacheTemplate: "(cn=)" 0 3600 >ldapadd -ZZxWH 'ldap://localhost/' -D 'cn=config' -f template.ldif Enter LDAP Password: modifying entry "olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config" ldap_modify: Inappropriate matching (18) additional info: modify/add: olcPcacheTemplate: no equality matching rule Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 STARTTLS Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 RESULT oid= err=0 text= Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 ACCEPT from IP=127.0.0.1:32916 (IP=0.0.0.0:389) Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 TLS established tls_ssf=128 ssf=128 Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" method=128 Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" mech=SIMPLE ssf=0 Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 RESULT tag=97 err=0 text= Oct 29 20:01:32 dsa1 slapd[8250]: connection_input: conn=1003 deferring operation: binding Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD dn="olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config" Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD attr=olcPcacheTemplate Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 RESULT tag=103 err=18 text=modify/add: olcPcacheTemplate: no equality matching rule Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=3 UNBIND Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 fd=12 closed adding the attribute "manually" [e.g. slapcat, modify ldif, slapadd] seems to be fine: >ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base Enter LDAP Password: dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}pcache olcPcache: mdb 1000 100 1000 60 olcPcacheAttrset: 0 "*" "+" olcPcacheTemplate: "(objectclass=)" 0 3600 olcPcacheTemplate: "(uid=)" 0 3600 my second problem is with caching when slapo-nssov is involved. it appears to not cache [QUERY NOT ANSWERABLE/QUERY NOT CACHEABLE] when a query occurs via nss: >getent passwd flash flash:x:2013:2013:flash gordon:/home/flash:/bin/bash Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on: Oct 31 08:42:15 deepfield slapd[12862]: 11r Oct 31 08:42:15 deepfield slapd[12862]: Oct 31 08:42:15 deepfield slapd[12862]: daemon: read active on 11 Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11) Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11): got connid=0 Oct 31 08:42:15 deepfield slapd[12862]: nssov: connection from uid=0 gid=0 Oct 31 08:42:15 deepfield slapd[12862]: nssov_passwd_byname(flash) Oct 31 08:42:15 deepfield slapd[12862]: str2filter "(&(objectClass=posixAccount)(uid=flash))" Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter Oct 31 08:42:15 deepfield slapd[12862]: AND Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter_list Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0 Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on: Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0 Oct 31 08:42:15 deepfield slapd[12862]: Oct 31 08:42:15 deepfield slapd[12862]: end get_filter_list Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0 Oct 31 08:42:15 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=)) Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT ANSWERABLE Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT CACHEABLE Oct 31 08:42:15 deepfield slapd[12862]: =>ldap_back_getconn: conn 0xb51f8ee8 fetched refcnt=1. Oct 31 08:42:15 deepfield slapd[12862]: => ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))" Oct 31 08:42:15 deepfield slapd[12862]: <= ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))" (0) Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:42:15 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:42:15 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: conn=-1 op=0 p=0 Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" although i believe i have a matching query template defined in the config: dn: olcDatabase={2}ldap,cn=config objectClass: olcLDAPConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {2}ldap olcSuffix: dc=example,dc=net olcLastMod: TRUE olcReadOnly: TRUE olcRootDN: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net olcMonitoring: TRUE olcDbURI: ldap://dsa1.example.net/ olcDbStartTLS: start tls_cacert="/etc/pki/trusted_roots/example_networks_roo t_ca-cert.pem" tls_reqcert="demand" olcDbACLBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=a ccounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx" s tarttls="critical" tls_cacert="/etc/pki/trusted_roots/example_networks_root _ca-cert.pem" tls_reqcert="demand" olcDbIDAssertBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services ,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx" structuralObjectClass: olcLDAPConfig entryUUID: f24e435a-b35a-1031-8f37-336141b7bc90 creatorsName: cn=config createTimestamp: 20121026014812Z entryCSN: 20121031023501.089672Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121031023501Z dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}pcache olcPcache: mdb 1000 100 1000 60 olcPcacheAttrset: 0 "*" "+" olcPcacheTemplate: "(objectClass=)" 0 3600 olcPcacheTemplate: "(uid=)" 0 3600 olcPcacheTemplate: "(&(objectClass=)(uid=))" 0 3600 olcPcacheBind: "(uid=)" 0 60 "sub" "dc=example,dc=net" structuralObjectClass: olcPcacheConfig entryUUID: ddb05d7e-b4fa-1031-811e-353e11fff366 creatorsName: cn=config createTimestamp: 20121028032528Z entryCSN: 20121030002115.179177Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121030002115Z dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcPcacheDatabase objectClass: olcMdbConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {0}mdb olcDbDirectory: /var/lib/ldap/example.net/ olcLastMod: TRUE olcMaxDerefDepth: 15 olcDbNoSync: FALSE olcDbIndex: certfingerprint eq olcDbIndex: cn eq olcDbIndex: default eq olcDbIndex: description eq olcDbIndex: entrycsn eq olcDbIndex: entryuuid eq olcDbIndex: gidnumber pres,eq olcDbIndex: host eq olcDbIndex: iphostnumber eq olcDbIndex: ipserviceport eq olcDbIndex: ipserviceprotocol eq olcDbIndex: mail eq olcDbIndex: maillocaladdress eq olcDbIndex: member eq olcDbIndex: memberof eq olcDbIndex: memberuid eq olcDbIndex: objectclass eq olcDbIndex: rfc822mailmember eq olcDbIndex: sudoUser eq olcDbIndex: uid pres,eq,sub olcDbIndex: uidnumber pres,eq olcDbMode: 0600 olcDbSearchStack: 16 structuralObjectClass: olcMdbConfig entryUUID: 88b37716-b590-1031-8c75-439de7087923 creatorsName: cn=config createTimestamp: 20121028211650Z entryCSN: 20121029021315.039143Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121029021315Z dn: olcOverlay={1}nssov,olcDatabase={2}ldap,cn=config objectClass: olcNssOvConfig objectClass: olcOverlayConfig objectClass: olcConfig olcOverlay: {1}nssov olcNssMap: group uniquemember member olcNssPam: authz2dn hostservice olcNssPamSession: sshd olcNssPamSession: login structuralObjectClass: olcNssOvConfig entryUUID: 47ecaef0-b73e-1031-8761-9f0bff5d3212 creatorsName: cn=config createTimestamp: 20121031003305Z entryCSN: 20121031003305.637051Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20121031003305Z and if i perform the same query using ldapsearch: >ldapsearch -LLLZZxH 'ldap://localhost/' -D 'uid=flash,ou=people,ou=accounts,dc=example,dc=net' -w 'test' '(&(objectClass=posixAccount)(uid=flash))' dn: uid=flash,ou=people,ou=accounts,dc=example,dc=net initials: fg givenName: flash loginShell: /bin/bash uidNumber: 2013 gidNumber: 2013 uid: flash objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: extensibleObject c: us homeDirectory: /home/flash sn: gordon cn: flash gordon displayName: flash_gordon mail: user(a)example.com it does seem to cache it: Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: slap_listener_activate(8): Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 busy Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: >>> slap_listener(ldap:///) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: listen=8, new connection on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: added 18r (active) listener=(nil) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 ACCEPT from IP=127.0.0.1:37220 (IP=0.0.0.0:389) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x77, time 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 do_extended Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 31 08:55:37 deepfield slapd[12862]: do_extended: oid=1.3.6.1.4.1.1466.20037 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 STARTTLS Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_extended: err=0 oid= len=0 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=1 tag=120 err=0 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 RESULT oid= err=0 text= Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): unable to get TLS client DN, error=49 id=1003 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 TLS established tls_ssf=128 ssf=128 Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x60, time 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 do_bind Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128 Oct 31 08:55:37 deepfield slapd[12862]: do_bind: version=3 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: ndn: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: oc: "(null)", at: "(null)" Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: found entry: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: mdb_entry_get: rc=0 Oct 31 08:55:37 deepfield slapd[12862]: str2filter "(uid=flash)" Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e250 Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 5 times) Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "entry" requested Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd) Oct 31 08:55:37 deepfield slapd[12862]: base_candidates: base: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" (0x00000004) Oct 31 08:55:37 deepfield slapd[12862]: => test_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "uid" requested Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd) Oct 31 08:55:37 deepfield slapd[12862]: <= test_filter 6 Oct 31 08:55:37 deepfield slapd[12862]: pc_bind_search: cache is stale, reftime: 1351688135, current time: 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" Oct 31 08:55:37 deepfield slapd[12862]: =>ldap_back_getconn: conn=1003 op=1: lc=0xb38f9788 inserted refcnt=1 rc=0 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" mech=SIMPLE ssf=0 Oct 31 08:55:37 deepfield slapd[12862]: do_bind: v3 bind: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" Oct 31 08:55:37 deepfield slapd[12862]: pc_setpw: CACHING BIND for uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: 0x00000004: uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: <= acl_access_allowed: granted to database root Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: replace userPassword Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: updated id=00000004 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3 Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text="" Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=2 tag=97 err=0 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 RESULT tag=97 err=0 text= Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: 18r Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18 Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18) Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003 Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003 Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x63, time 1351688137 Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 do_search Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <dc=example,dc=net>, <dc=example,dc=net> Oct 31 08:55:37 deepfield slapd[12862]: SRCH "dc=example,dc=net" 2 0 Oct 31 08:55:37 deepfield slapd[12862]: 0 60 0 Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: AND Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter_list Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: end get_filter_list Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0 Oct 31 08:55:37 deepfield slapd[12862]: filter: (&(objectClass=posixAccount)(uid=flash)) Oct 31 08:55:37 deepfield slapd[12862]: attrs: Oct 31 08:55:37 deepfield slapd[12862]: Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=flash))" Oct 31 08:55:37 deepfield slapd[12862]: ==> limits_get: conn=1003 op=2 self="uid=flash,ou=people,ou=accounts,dc=example,dc=net" this="dc=example,dc=net" Oct 31 08:55:37 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=)) Oct 31 08:55:37 deepfield slapd[12862]: Entering QC, querystr = (&(objectClass=posixAccount)(uid=flash)) Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e350 Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 1 times) Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("dc=example,dc=net") Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x1 Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode: what am i doing wrong? -ben

2 2

unable to load back-perl module
by Benin Technologies 24 Mar '13

24 Mar '13

Hi, I'm unable to load the back-perl backend module, I get "lt_dlopenext failed: (back_perl.la) file not found" But back_perl.la is there though, and I can load other modules without problem (back_hdb.la, back_sql.la, ...) Any idea what's going on ? My slapd.conf : # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_hdb.la moduleload back_sql.la moduleload back_perl.la If I comment the last line, slapd starts without problem. The error message : root@ldap:~# /usr/local/libexec/slapd -u openldap -g openldap -d 256 514dbea0 @(#) $OpenLDAP: slapd 2.X (Feb 3 2013 19:41:33) $ root@ldap:/tmp/openldap-a98eb28/servers/slapd 514dbea0 lt_dlopenext failed: (back_perl.la) file not found 514dbea0 slapd stopped. 514dbea0 connections_destroy: nothing to destroy. It doesn't find back_perl.la, but the file exists though, with the same right as the other backend modules: root@ldap:/usr/local/libexec/openldap# ls -la -rwxr-xr-x 1 root staff 987 Feb 3 19:43 back_hdb.la -rwxr-xr-x 1 root staff 1026 Feb 3 19:43 back_perl.la -rwxr-xr-x 1 root staff 991 Feb 3 19:43 back_sql.la I'm using OpenLDAP 2.4.33 on Debian 6.0.4 Ben.

2 2

pwdMaxAge And pwdExpireWarning not working
by Swapnil Dubey 23 Mar '13

23 Mar '13

Hi All, I am using OpenLdap 2.4.32 on solaris 10. It seems that pwdMaxAge And pwdExpireWarning are not working. Other policies like pwdInHistory, pwdLockout seems to work fine. I cannot see either expiry message or authentication failure in logs after I wait for configured time/seconds. Can somebody help me out with this? -bash-3.00# ./ldapwhoami -x -D uid=admin,ou=People,dc=example,dc=com -W -e ppolicy Enter LDAP Password: ldap_bind: Success (0) (Password expires in 0 seconds) dn:uid=admin,ou=people,dc=example,dc=com Here is my configuration. -bash-3.00# ./ldapsearch -x -b "dc=example,dc=com" "(objectclass=*)" # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com objectClass: dcObject objectClass: domain dc: example # roles, example.com dn: ou=roles,dc=example,dc=com objectClass: organizationalUnit ou: roles # people, example.com dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people # admin, people, example.com dn: uid=admin,ou=people,dc=example,dc=com objectClass: person objectClass: inetOrgPerson cn: admin displayName: Admin givenName: admin mail: admin(a)example.com sn: Admin uid: admin userPassword:: e1NTSEF9NU1WNHpuTHB2N3ZmSkcvaU44VC85QkNJMWVueU5hcDc= # utsacct_provisioner, roles, example.com dn: cn=utsacct_provisioner,ou=roles,dc=example,dc=com objectClass: groupOfUniqueNames cn: utsacct_provisioner uniqueMember: uid=admin,ou=people,dc=example,dc=com # provisioner, roles, example.com dn: cn=provisioner,ou=roles,dc=example,dc=com objectClass: groupOfUniqueNames cn: provisioner uniqueMember: uid=admin,ou=people,dc=example,dc=com # policies, example.com dn: ou=policies,dc=example,dc=com ou: policies objectClass: organizationalUnit objectClass: top # default, policies, example.com dn: cn=default,ou=policies,dc=example,dc=com cn: default objectClass: pwdPolicy objectClass: person objectClass: top pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdExpireWarning: 600 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 0 pwdMaxAge: 2000 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 5 pwdMustChange: FALSE pwdSafeModify: FALSE sn: dummy value # search result search: 2 result: 0 Success # numResponses: 9 # numEntries: 8 Slapd.conf --------------------------------- ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=example,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext Regards, Swapnil

1 1

openldap and AD sync
by 杨峰 23 Mar '13

23 Mar '13

I had set up LDAP on linux side, I want to build a AD with Windows2008R2, and AD should sync the user information from LDAP, is there any suggestion on this?

7 8

shadowLastChange can't be read
by Maria McKinley 23 Mar '13

23 Mar '13

Hi there, I can change the shadowLastChange attribute: maria@mimi:~/sysadmin/ldap$ ldapmodify -x -v -r -W -D "cn=admin,dc=example,dc=com" -f pass.expldap_initialize( <DEFAULT> ) Enter LDAP Password: replace shadowLastChange: 15786 modifying entry "uid=chris,ou=people,dc=example,dc=com" modify complete But, I can't see it: annette:~# ldapsearch -x "uid=chris" shadowLastChange # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree # filter: uid=chris # requesting: shadowLastChange # # chris, people, example.com dn: uid=chris,ou=people,dc=example,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Even though this is my permission: olcAccess: {0}to attrs=shadowLastChange by self write by anonymous auth by dn= "cn=admin,dc=example,dc=com" write by * read olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn= admin,dc=example,dc=com" write by * none olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read Have I done something wrong with my permissions? Is there something else that could be going on here? thanks, Maria

2 1

Question about OpenLDAP integration with JMS
by Nick 22 Mar '13

22 Mar '13

Dear All, Please tell me, is there any way to integrate OpenLDAP with some JMS service (in particular - Apache ActiveMQ) to make OpenLDAP server post all changes (object creates/upadtes/deletes) to the message bus, and also to receive updates from the message bus? Best regards Nikolay

4 8

pcache overlay help
by brendan kearney 21 Mar '13

21 Mar '13

i am trying to setup the pcache overlay to cache routinely used entries in the DIT. using the below, i am able to load the pcache module: ldapmodify -QY EXTERNAL -H ldapi:/// dn: cn=module,cn=config changetype:add objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: pcache.la then i try to add some caching directives, using the below: ldapmodify -QY EXTERNAL -H ldapi:/// dn: olcOverlay={0}pcache,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcPcacheConfig objectClass: olcPcacheDatabase olcOverlay: {0}pcache olcPcache: hdb 100000 50 1000 100 olcPcacheAttrset: 0 nSRecord sOARecord pTRRecord aRecord cNAMERecord sRVRecord tXTRecord olcPcacheTemplate: "(zoneName=)" 0 3600 olcPcacheTemplate: "(&(zoneName=)(relativeDomainName=))" 0 3600 olcPcacheAttrset: 1 krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo olcPcacheTemplate: "(&(|(objectClass=)(objectClass=))(krbPrincipalName=))" 1 3600 olcPcacheAttrset: 2 userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory olcPcacheTemplate: "(&(objectClass=)(uid=))" 2 3600 olcPcacheAttrset: 3 cn userPassword memberUid gidNumber uniqueMember olcPcacheTemplate: "(&(objectClass=)(cn=))" 3 3600 olcPcacheTemplate: "(&(objectClass=)(memberUid=))" 3 3600 olcPcacheTemplate: "(&(objectClass=)(gidNumber=))" 3 3600 olcPcacheTemplate: "(&(objectClass=)(|(memberUid=)(uniqueMember=)))" 3 3600 i no longer have logs around the failure, but the error message indicated that the olcDbDirectory could not be found. the DN dn: olcDatabase={2}hdb,cn=config has that specified (olcDbDirectory: /var/lib/ldap), but i am missing something about pcache and the backend sharing this directive. can anyone point me in the right direction about how to get the pcache overlay setup correctly?

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2013