Re: Help me for " LDAP Sync with Active Directory from Openldap side"
by Mark Pröhl
Please discuss this on the list.
I do not fully understand why you need synchronization.
If it is because your LDAP client (i.e. liferay) only supports
one LDAP-URI but you have two different user directories
(AD and OpenLDAP), then there would be no need for
synchronization: OpenLDAP could be used to integrate both
directories under one URL (e.g. by meta backend)
On 25.03.2013 10:02, Suman Karki wrote:
> Thank you for your reply. And I need some help so that I can perform my task.
>
> I am using Liferay for web hosting, which is http://www.liferay.com/
>
> I am managing Liferay's user accounts with an OpenLDAP server.
>
> And I need to sync AD to OpenLDAP.
>
> So through one OpenLDAP server configuration I can access both
> servers' user accounts.
>
> I have admin access to both servers.
>
> I just need to sync AD to the OpenLDAP server for user account access.
>
> On 3/25/13, Mark Pröhl <mark(a)mproehl.net> wrote:
>> on 25.03.2013 06:57, Suman Karki wrote:
>>> I am running an OpenLDAP server on a Red Hat server, and Active Directory
>>> on Windows Server 2008.
>>> I have admin access to both servers.
>>>
>>> The thing is that I have to sync both servers, so that from OpenLDAP I
>>> could access Active Directory data.
>>>
>>>
>>> So can anybody tell me how we can synchronize both servers, any solutions?
>>> or it would be better if anyone could provide me some tutorials, or better
>>> give me some documentation?
>>>
>>> Please, I need to solve this problem as soon as possible.
>>>
>> Can you describe your requirements a little bit more? I.e.
>>
>> - which attributes do you need to be synchronized?
>> - do you need to synchronize from AD to OpenLDAP
>> or from OpenLDAP to AD or in both directions?
>> - do you need passwords to be synchronized?
>>
>> BTW: OpenLDAP can be configured as a (caching) LDAP
>> proxy to Active Directory. Configuring that is much
>> more simple than synchronization with AD.
>>
>> For synchronization you will need some kind of
>> 3rd-party product, like the SPML based solution
>> mentioned here:
>> http://www.openldap.org/lists/openldap-technical/201303/msg00167.html
>>
>> --
>> Mark Pröhl
>> mark(a)mproehl.net
>> www.kerberos-buch.de
>>
>>
10 years, 2 months
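The proxy approach Mark sketches, as an added example that is not part of the original thread or of any poster's configuration: a slapd.conf fragment for a separate, proxy-only slapd instance that uses back-meta to publish the OpenLDAP user tree and the Active Directory user tree under one virtual suffix, so a client such as Liferay needs a single LDAP URI and nothing is copied between the two directories. All hostnames, DNs, file paths and the two service accounts are assumptions.

```conf
# Added example: slapd.conf for a proxy-only slapd instance that merges the
# OpenLDAP and Active Directory user trees with back-meta. Hostnames, DNs,
# paths and the service accounts are assumptions, not values from the thread.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

modulepath      /usr/lib64/openldap
moduleload      back_meta.la

database        meta
suffix          "dc=virtual,dc=example,dc=com"

# Target 1: the existing OpenLDAP server, published under ou=unix.
# Binds with DNs in this branch are forwarded to it, so Liferay keeps using
# the service account it already has there.
uri             "ldap://openldap.example.com/ou=unix,dc=virtual,dc=example,dc=com"
suffixmassage   "ou=unix,dc=virtual,dc=example,dc=com" "dc=example,dc=com"
tls             start tls_cacert="/etc/openldap/cacerts/corp-root-ca.pem" tls_reqcert=demand

# Target 2: Active Directory, published under ou=ad.
uri             "ldap://dc1.ad.example.com/ou=ad,dc=virtual,dc=example,dc=com"
suffixmassage   "ou=ad,dc=virtual,dc=example,dc=com" "cn=Users,dc=ad,dc=example,dc=com"
tls             start tls_cacert="/etc/openldap/cacerts/ad-root-ca.pem" tls_reqcert=demand
# AD refuses anonymous searches, so the proxy binds with a read-only AD account.
# mode=none sends no proxyAuthz control: searches run as that account as-is.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=ad,dc=example,dc=com"
                credentials="change-me"
                mode=none
# Least privilege: only Liferay's own (virtual) identity may ride on the AD
# account; any other client identity is refused on this target.
idassert-authzFrom "dn.exact:uid=liferay,ou=services,ou=unix,dc=virtual,dc=example,dc=com"
# AD answers subtree searches with referrals to sub-domains; do not follow them.
chase-referrals no
# Show AD users with the attribute and class names the client already expects.
map objectclass inetOrgPerson user
map attribute   uid sAMAccountName
```

Check the file with `slaptest -f slapd.conf` before starting the proxy, then point Liferay at the proxy with base `dc=virtual,dc=example,dc=com` and its existing OpenLDAP account spelled in the virtual tree (`uid=liferay,ou=services,ou=unix,dc=virtual,dc=example,dc=com`). back-meta replicates nothing: a search under the virtual suffix is fanned out to both targets and the answers are merged, no passwords leave either directory, and an AD outage shows up as a partial result rather than as stale copied data. Keep the AD account read-only, because everything the authorised client does on that target runs with its rights.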
Help me for " LDAP Sync with Active Directory from Openldap side"
by Suman Karki
I am running an OpenLDAP server on a Red Hat server, and Active Directory
on Windows Server 2008.
I have admin access to both servers.
The thing is that I have to sync both servers, so that from OpenLDAP I
could access Active Directory data.
So can anybody tell me how we can synchronize both servers, any solutions?
or it would be better if anyone could provide me some tutorials, or better
give me some documentation?
Please, I need to solve this problem as soon as possible.
10 years, 2 months
Re: openldap-technical Digest, Vol 64, Issue 24
by Suman Karki
Help me for " LDAP Sync Replication with Active Directory from Openldap side"
If any person is willing to help me and requires more detail about this
problem, I will reply with that.
10 years, 2 months
trouble with slapo-pcache
by btb@bitrate.net
hi-
I'm having a few different issues with slapo-pcache. I did a bit of searching in the ITS and did not find any items which seemed to match my symptoms. I'm using 2.4.31 on Ubuntu 12.10.
The first is that I seem to not be able to add, via ldapadd, additional olcPcacheTemplate attributes to the config entry. I was able to add the first one using ldapadd, but subsequent modify operations to add another complain "no equality matching rule":
>ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base
Enter LDAP Password:
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(uid=)" 0 3600
>cat template.ldif
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
changetype: modify
add: olcPcacheTemplate
olcPcacheTemplate: "(cn=)" 0 3600
>ldapadd -ZZxWH 'ldap://localhost/' -D 'cn=config' -f template.ldif
Enter LDAP Password:
modifying entry "olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcPcacheTemplate: no equality matching rule
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 STARTTLS
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 ACCEPT from IP=127.0.0.1:32916 (IP=0.0.0.0:389)
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 TLS established tls_ssf=128 ssf=128
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" method=128
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" mech=SIMPLE ssf=0
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 29 20:01:32 dsa1 slapd[8250]: connection_input: conn=1003 deferring operation: binding
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD dn="olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config"
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD attr=olcPcacheTemplate
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 RESULT tag=103 err=18 text=modify/add: olcPcacheTemplate: no equality matching rule
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=3 UNBIND
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 fd=12 closed
Adding the attribute "manually" [e.g. slapcat, modify the LDIF, slapadd] seems to be fine:
>ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base
Enter LDAP Password:
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(objectclass=)" 0 3600
olcPcacheTemplate: "(uid=)" 0 3600
My second problem is with caching when slapo-nssov is involved. It appears to not cache [QUERY NOT ANSWERABLE/QUERY NOT CACHEABLE] when a query occurs via NSS:
>getent passwd flash
flash:x:2013:2013:flash gordon:/home/flash:/bin/bash
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:42:15 deepfield slapd[12862]: 11r
Oct 31 08:42:15 deepfield slapd[12862]:
Oct 31 08:42:15 deepfield slapd[12862]: daemon: read active on 11
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11)
Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11): got connid=0
Oct 31 08:42:15 deepfield slapd[12862]: nssov: connection from uid=0 gid=0
Oct 31 08:42:15 deepfield slapd[12862]: nssov_passwd_byname(flash)
Oct 31 08:42:15 deepfield slapd[12862]: str2filter "(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: AND
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter_list
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]:
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter_list
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=))
Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT ANSWERABLE
Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT CACHEABLE
Oct 31 08:42:15 deepfield slapd[12862]: =>ldap_back_getconn: conn 0xb51f8ee8 fetched refcnt=1.
Oct 31 08:42:15 deepfield slapd[12862]: => ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:42:15 deepfield slapd[12862]: <= ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))" (0)
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:42:15 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: conn=-1 op=0 p=0
Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
although I believe I have a matching query template defined in the config:
dn: olcDatabase={2}ldap,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=net
olcLastMod: TRUE
olcReadOnly: TRUE
olcRootDN: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net
olcMonitoring: TRUE
olcDbURI: ldap://dsa1.example.net/
olcDbStartTLS: start tls_cacert="/etc/pki/trusted_roots/example_networks_root_ca-cert.pem" tls_reqcert="demand"
olcDbACLBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx" starttls="critical" tls_cacert="/etc/pki/trusted_roots/example_networks_root_ca-cert.pem" tls_reqcert="demand"
olcDbIDAssertBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx"
structuralObjectClass: olcLDAPConfig
entryUUID: f24e435a-b35a-1031-8f37-336141b7bc90
creatorsName: cn=config
createTimestamp: 20121026014812Z
entryCSN: 20121031023501.089672Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121031023501Z
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(objectClass=)" 0 3600
olcPcacheTemplate: "(uid=)" 0 3600
olcPcacheTemplate: "(&(objectClass=)(uid=))" 0 3600
olcPcacheBind: "(uid=)" 0 60 "sub" "dc=example,dc=net"
structuralObjectClass: olcPcacheConfig
entryUUID: ddb05d7e-b4fa-1031-811e-353e11fff366
creatorsName: cn=config
createTimestamp: 20121028032528Z
entryCSN: 20121030002115.179177Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121030002115Z
dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheDatabase
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {0}mdb
olcDbDirectory: /var/lib/ldap/example.net/
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcDbNoSync: FALSE
olcDbIndex: certfingerprint eq
olcDbIndex: cn eq
olcDbIndex: default eq
olcDbIndex: description eq
olcDbIndex: entrycsn eq
olcDbIndex: entryuuid eq
olcDbIndex: gidnumber pres,eq
olcDbIndex: host eq
olcDbIndex: iphostnumber eq
olcDbIndex: ipserviceport eq
olcDbIndex: ipserviceprotocol eq
olcDbIndex: mail eq
olcDbIndex: maillocaladdress eq
olcDbIndex: member eq
olcDbIndex: memberof eq
olcDbIndex: memberuid eq
olcDbIndex: objectclass eq
olcDbIndex: rfc822mailmember eq
olcDbIndex: sudoUser eq
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidnumber pres,eq
olcDbMode: 0600
olcDbSearchStack: 16
structuralObjectClass: olcMdbConfig
entryUUID: 88b37716-b590-1031-8c75-439de7087923
creatorsName: cn=config
createTimestamp: 20121028211650Z
entryCSN: 20121029021315.039143Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121029021315Z
dn: olcOverlay={1}nssov,olcDatabase={2}ldap,cn=config
objectClass: olcNssOvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
olcOverlay: {1}nssov
olcNssMap: group uniquemember member
olcNssPam: authz2dn hostservice
olcNssPamSession: sshd
olcNssPamSession: login
structuralObjectClass: olcNssOvConfig
entryUUID: 47ecaef0-b73e-1031-8761-9f0bff5d3212
creatorsName: cn=config
createTimestamp: 20121031003305Z
entryCSN: 20121031003305.637051Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121031003305Z
and if I perform the same query using ldapsearch:
>ldapsearch -LLLZZxH 'ldap://localhost/' -D 'uid=flash,ou=people,ou=accounts,dc=example,dc=net' -w 'test' '(&(objectClass=posixAccount)(uid=flash))'
dn: uid=flash,ou=people,ou=accounts,dc=example,dc=net
initials: fg
givenName: flash
loginShell: /bin/bash
uidNumber: 2013
gidNumber: 2013
uid: flash
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: extensibleObject
c: us
homeDirectory: /home/flash
sn: gordon
cn: flash gordon
displayName: flash_gordon
mail: user(a)example.com
it does seem to cache it:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: slap_listener_activate(8):
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 busy
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: >>> slap_listener(ldap:///)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: listen=8, new connection on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: added 18r (active) listener=(nil)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 ACCEPT from IP=127.0.0.1:37220 (IP=0.0.0.0:389)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x77, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 do_extended
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 31 08:55:37 deepfield slapd[12862]: do_extended: oid=1.3.6.1.4.1.1466.20037
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 STARTTLS
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_extended: err=0 oid= len=0
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=1 tag=120 err=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): unable to get TLS client DN, error=49 id=1003
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 TLS established tls_ssf=128 ssf=128
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x60, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 do_bind
Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128
Oct 31 08:55:37 deepfield slapd[12862]: do_bind: version=3 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: ndn: "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: oc: "(null)", at: "(null)"
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: found entry: "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: mdb_entry_get: rc=0
Oct 31 08:55:37 deepfield slapd[12862]: str2filter "(uid=flash)"
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e250
Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 5 times)
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "entry" requested
Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd)
Oct 31 08:55:37 deepfield slapd[12862]: base_candidates: base: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" (0x00000004)
Oct 31 08:55:37 deepfield slapd[12862]: => test_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "uid" requested
Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd)
Oct 31 08:55:37 deepfield slapd[12862]: <= test_filter 6
Oct 31 08:55:37 deepfield slapd[12862]: pc_bind_search: cache is stale, reftime: 1351688135, current time: 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: =>ldap_back_getconn: conn=1003 op=1: lc=0xb38f9788 inserted refcnt=1 rc=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" mech=SIMPLE ssf=0
Oct 31 08:55:37 deepfield slapd[12862]: do_bind: v3 bind: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" to "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: pc_setpw: CACHING BIND for uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: 0x00000004: uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: <= acl_access_allowed: granted to database root
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: replace userPassword
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: updated id=00000004 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=2 tag=97 err=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x63, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 do_search
Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <dc=example,dc=net>, <dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: SRCH "dc=example,dc=net" 2 0
Oct 31 08:55:37 deepfield slapd[12862]: 0 60 0
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: AND
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter_list
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter_list
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: filter: (&(objectClass=posixAccount)(uid=flash))
Oct 31 08:55:37 deepfield slapd[12862]: attrs:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:55:37 deepfield slapd[12862]: ==> limits_get: conn=1003 op=2 self="uid=flash,ou=people,ou=accounts,dc=example,dc=net" this="dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=))
Oct 31 08:55:37 deepfield slapd[12862]: Entering QC, querystr = (&(objectClass=posixAccount)(uid=flash))
Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e350
Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 1 times)
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x1
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
What am I doing wrong?
-ben
10 years, 2 months
unable to load back-perl module
by Benin Technologies
Hi,
I'm unable to load the back-perl backend module; I get "lt_dlopenext
failed: (back_perl.la) file not found".
But back_perl.la is there, and I can load other modules without
problem (back_hdb.la, back_sql.la, ...).
Any idea what's going on?
My slapd.conf :
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_hdb.la
moduleload back_sql.la
moduleload back_perl.la
If I comment the last line, slapd starts without problem.
The error message :
root@ldap:~# /usr/local/libexec/slapd -u openldap -g openldap -d 256
514dbea0 @(#) $OpenLDAP: slapd 2.X (Feb 3 2013 19:41:33) $
root@ldap:/tmp/openldap-a98eb28/servers/slapd
514dbea0 lt_dlopenext failed: (back_perl.la) file not found
514dbea0 slapd stopped.
514dbea0 connections_destroy: nothing to destroy.
It doesn't find back_perl.la, but the file exists, with the same
rights as the other backend modules:
root@ldap:/usr/local/libexec/openldap# ls -la
-rwxr-xr-x 1 root staff 987 Feb 3 19:43 back_hdb.la
-rwxr-xr-x 1 root staff 1026 Feb 3 19:43 back_perl.la
-rwxr-xr-x 1 root staff 991 Feb 3 19:43 back_sql.la
I'm using OpenLDAP 2.4.33 on Debian 6.0.4
Ben.
10 years, 2 months
pwdMaxAge And pwdExpireWarning not working
by Swapnil Dubey
Hi All,
I am using OpenLDAP 2.4.32 on Solaris 10. It seems
that pwdMaxAge and pwdExpireWarning are not working. Other policies
like pwdInHistory and pwdLockout seem to work fine. I cannot see either an expiry message
or an authentication failure in the logs after I wait for the configured time/seconds.
Can somebody help me out with this?
-bash-3.00# ./ldapwhoami -x -D uid=admin,ou=People,dc=example,dc=com -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 0 seconds)
dn:uid=admin,ou=people,dc=example,dc=com
Here is my configuration.
-bash-3.00# ./ldapsearch -x -b "dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: domain
dc: example
# roles, example.com
dn: ou=roles,dc=example,dc=com
objectClass: organizationalUnit
ou: roles
# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
# admin, people, example.com
dn: uid=admin,ou=people,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: admin
displayName: Admin
givenName: admin
mail: admin(a)example.com
sn: Admin
uid: admin
userPassword:: e1NTSEF9NU1WNHpuTHB2N3ZmSkcvaU44VC85QkNJMWVueU5hcDc=
# utsacct_provisioner, roles, example.com
dn: cn=utsacct_provisioner,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: utsacct_provisioner
uniqueMember: uid=admin,ou=people,dc=example,dc=com
# provisioner, roles, example.com
dn: cn=provisioner,ou=roles,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: provisioner
uniqueMember: uid=admin,ou=people,dc=example,dc=com
# policies, example.com
dn: ou=policies,dc=example,dc=com
ou: policies
objectClass: organizationalUnit
objectClass: top
# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
# search result
search: 2
result: 0 Success
# numResponses: 9
# numEntries: 8
slapd.conf
---------------------------------
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
Regards,
Swapnil
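The expiry arithmetic slapo-ppolicy applies to the cn=default values quoted above, as an added Python example (not code from the thread): ageing is measured from the entry's operational pwdChangedTime, which the overlay only stamps on passwords changed after it is loaded, so an entry without that attribute never expires and never produces a warning. The pwdChangedTime values below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the cn=default policy values quoted in the thread.
POLICY = {"pwdMaxAge": 2000, "pwdExpireWarning": 600, "pwdGraceAuthNLimit": 5}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20130325100000Z (UTC form only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(policy, pwd_changed_time, now, grace_used=0):
    """Classify a bind the way slapo-ppolicy ages a password.

    pwd_changed_time: the entry's operational pwdChangedTime, or None when the
    entry has none (a password stored before the overlay was loaded, or a
    userPassword imported straight from LDIF). Returns (state, number) where
    number is the seconds left before expiry, or the grace binds remaining.
    """
    max_age = policy.get("pwdMaxAge", 0)
    if pwd_changed_time is None or max_age == 0:
        return ("never-expires", None)          # nothing to age against
    age = int((now - parse_generalized_time(pwd_changed_time)).total_seconds())
    ttl = max_age - age
    if ttl > 0:
        # the ppolicy control carries a warning only inside the pwdExpireWarning window
        return ("warning", ttl) if ttl <= policy.get("pwdExpireWarning", 0) else ("ok", ttl)
    grace_left = policy.get("pwdGraceAuthNLimit", 0) - grace_used
    return ("expired-grace", grace_left) if grace_left > 0 else ("expired", 0)


def timeline(policy, changed, offsets):
    """States seen at each offset (seconds) after the constructed change time."""
    base = parse_generalized_time(changed)
    return [password_state(policy, changed, base + timedelta(seconds=s)) for s in offsets]


if __name__ == "__main__":
    changed = "20130325100000Z"                # constructed pwdChangedTime
    offsets = (0, 1500, 2500)
    for secs, state in zip(offsets, timeline(POLICY, changed, offsets)):
        print(f"t+{secs:>4}s: {state}")
    print("no pwdChangedTime:", password_state(POLICY, None, datetime.now(timezone.utc)))
```

pwdChangedTime is operational, so it does not appear in the plain ldapsearch output above; request it explicitly (or `+`) when checking whether an entry is being aged at all.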
openldap and AD sync
by 杨峰
I have set up LDAP on the Linux side. I want to build an AD with
Windows 2008 R2, and the AD should sync the user information from LDAP. Is
there any suggestion on this?
shadowLastChange can't be read
by Maria McKinley
Hi there,
I can change the shadowLastChange attribute:
maria@mimi:~/sysadmin/ldap$ ldapmodify -x -v -r -W -D "cn=admin,dc=example,dc=com" -f pass.exp
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
replace shadowLastChange:
15786
modifying entry "uid=chris,ou=people,dc=example,dc=com"
modify complete
But, I can't see it:
annette:~# ldapsearch -x "uid=chris" shadowLastChange
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=chris
# requesting: shadowLastChange
#
# chris, people, example.com
dn: uid=chris,ou=people,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Even though this is my permission:
olcAccess: {0}to attrs=shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * read
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
Have I done something wrong with my permissions? Is there something else
that could be going on here?
thanks,
Maria
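How slapd evaluates the {0} clause above, as an added Python example (not code from the thread): the first <who> clause that matches the bind identity fixes the access level and nothing after it is consulted, so an anonymous search (ldapsearch -x with no -D) stops at "by anonymous auth" and never reaches "by * read". ACL_SHADOW_FIXED is one rewrite that keeps the posted intent; the DNs are the thread's own.

```python
# Access levels in slapd.access(5) order: each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed mirror of olcAccess {0} from the thread, as (who, level) pairs in order.
ACL_SHADOW = [
    ("self", "write"),
    ("anonymous", "auth"),
    ("dn=cn=admin,dc=example,dc=com", "write"),
    ("*", "read"),
]

# Same intent without the clause that stops anonymous binds at 'auth':
# 'read' already includes 'auth', so the anonymous clause only hid the attribute.
ACL_SHADOW_FIXED = [
    ("self", "write"),
    ("dn=cn=admin,dc=example,dc=com", "write"),
    ("*", "read"),
]


def who_matches(who, bind_dn, target_dn):
    """Match one <who> specifier against the bind identity (None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):                  # plain dn= is an exact match
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who> form: " + who)


def granted_level(acl, bind_dn, target_dn):
    """First matching <who> clause wins; later clauses are never consulted."""
    for who, level in acl:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"                              # no clause matched: access denied


def allows(acl, bind_dn, target_dn, needed):
    """True if the level the ACL grants covers the requested access."""
    return LEVELS.index(granted_level(acl, bind_dn, target_dn)) >= LEVELS.index(needed)


if __name__ == "__main__":
    chris = "uid=chris,ou=people,dc=example,dc=com"
    for name, acl in (("as posted", ACL_SHADOW), ("rewritten", ACL_SHADOW_FIXED)):
        print(name, "anonymous read on shadowLastChange:", allows(acl, None, chris, "read"))
```

Whether anonymous clients should see password-age data at all is a separate decision; `by users read` in place of `by * read` limits it to authenticated binds.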
Question about OpenLDAP integration with JMS
by Nick
Dear All,
Please tell me, is there any way to integrate OpenLDAP with some JMS service (in particular Apache ActiveMQ) to make the OpenLDAP server post all changes (object creates/updates/deletes) to the message bus, and also to receive updates from the message bus?
Best regards
Nikolay
pcache overlay help
by brendan kearney
I am trying to set up the pcache overlay to cache routinely used entries in
the DIT. Using the below, I am able to load the pcache module:
ldapmodify -QY EXTERNAL -H ldapi:///
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: pcache.la
Then I try to add some caching directives, using the below:
ldapmodify -QY EXTERNAL -H ldapi:///
dn: olcOverlay={0}pcache,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
objectClass: olcPcacheDatabase
olcOverlay: {0}pcache
olcPcache: hdb 100000 50 1000 100
olcPcacheAttrset: 0 nSRecord sOARecord pTRRecord aRecord cNAMERecord sRVRecord tXTRecord
olcPcacheTemplate: "(zoneName=)" 0 3600
olcPcacheTemplate: "(&(zoneName=)(relativeDomainName=))" 0 3600
olcPcacheAttrset: 1 krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
olcPcacheTemplate: "(&(|(objectClass=)(objectClass=))(krbPrincipalName=))" 1 3600
olcPcacheAttrset: 2 userPassword cn gidNumber uidNumber loginShell objectClass gecos uid homeDirectory
olcPcacheTemplate: "(&(objectClass=)(uid=))" 2 3600
olcPcacheAttrset: 3 cn userPassword memberUid gidNumber uniqueMember
olcPcacheTemplate: "(&(objectClass=)(cn=))" 3 3600
olcPcacheTemplate: "(&(objectClass=)(memberUid=))" 3 3600
olcPcacheTemplate: "(&(objectClass=)(gidNumber=))" 3 3600
olcPcacheTemplate: "(&(objectClass=)(|(memberUid=)(uniqueMember=)))" 3 3600
I no longer have the logs from the failure, but the error message indicated
that the olcDbDirectory could not be found. The DN
olcDatabase={2}hdb,cn=config has that specified (olcDbDirectory:
/var/lib/ldap), but I am missing something about pcache and the backend
sharing this directive. Can anyone point me in the right direction about
how to get the pcache overlay set up correctly?