Crash with syncrepl refreshAndPersist and database ldap
by Raffael Sahli
Hi
I run a master slapd with 2.4.33 which has a bdb and an ldap database.
A slave server 2.4.33 syncs the bdb database with delta syncrepl (type=refreshAndPersist), and has the same ldap database.
So my problem is that the slave crashes very often (that could be
multiple times per hour). I have to kill (9) the daemon and restart it.
What I found out is that I can solve the problem by either setting the type
from refreshAndPersist to refreshOnly
or removing the ldap database.
I have the problem on other servers, which run 2.4.31; there I
disabled the ldap database on the slave.
I'm not sure if it was the same, but I had the same problems with 2.4.28 and
earlier.
So what could that be? Maybe a config problem or a bug?
Thanks
--
Raffael Sahli
public(a)raffaelsahli.com
8 years
ldapsearch returning failure to import cert
by John Rouillard
Hi all:
I am running Scientific Linux 6 (a Red Hat enterprise
repackage). Until recently these machines were interacting fine with
our ldap setup. We use a self signed cert for the ldap servers and
deploy the CA cert in /etc/openldap/cacert.pem.
However after the last series of updates ldapsearch has been failing
in an interesting way and our sssd caching daemons are failing to
connect to our ldaps servers. I am hoping that they are both having the
same issue.
The relevant installed packages are:
openldap-2.4.23-26.el6_3.2.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
nss-util-3.14.0.0-2.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
I am using the command (lightly obscured):
ldapsearch -d -1 -v -x -b uid=user,ou=people,dc=staff,dc=example,dc=com -D uid=user,ou=people,dc=staff,dc=example,dc=com -W -H ldaps://auth.staff.example.com/
This fails with the error:
TLS: error: connect - force handshake failure: errno 21 - moznss error
-8054
TLS: can't connect: TLS error -8054:You are attempting to import a
cert with the same issuer/serial as an existing cert, but that is not
the same cert..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Where is ldapsearch "importing" a cert? Where is it getting its other
certs from? I ran strace on ldapsearch and the only cert file I can
see it accessing is /etc/openldap/cacert.pem as specified in
/etc/openldap/ldap.conf (not counting the /usr/lib64/libnssckbi.so
file). The cert in cacert.pem is identical to the one retrieved by
running:
openssl s_client -connect auth.staff.example.com:636 </dev/null \
2>/dev/null | sed -ne '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
Here is where it gets a little more interesting:
I have a previous CA cert (that used an md5 message digest). If I
install that as the CA, ldapsearch works for 2 of my 3 ldap servers.
I have used openssl x509 -in ... -text to compare the certificates for
my 3 ldap servers and they look identical except where they shouldn't
be (subject name, subject name digests...). The issuer, issuer digest
... fields are the same.
If I use
openssl verify -CAfile /etc/openldap/cacert.pem -purpose sslserver -issuer_checks ldap
where ldap is the cert retrieved using s_client, it validates for all
three servers regardless of whether the CAfile is the older md5 or
newer cert.
Just to add more into the mix, our CentOS 5 boxes have no issues
with any of the servers (IIUC they have an entirely different tls/cert
level since they do not use Mozilla nss).
Thanks for any insight or questions as the answer didn't come to me
while I was writing this email 8-).
--
-- rouilj
John Rouillard System Administrator
Renesys Corporation 603-244-9084 (cell) 603-643-9300 x 111
8 years
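NSS error -8054 is SEC_ERROR_REUSED_ISSUER_AND_SERIAL: NSS refuses to load a certificate whose issuer and serial number match a certificate it already holds (from its cert database, the CA file, or the chain the server sent) but whose bytes differ. The post does not say which two certificates collide, so the check below is an added example, not code from the original post or from OpenLDAP: a minimal DER walker that extracts issuer and serial from every certificate in a set of PEM files and reports issuer/serial pairs that map to more than one distinct certificate. The certificates it runs on in `example_bundle()` are constructed, unsigned stand-ins (a CA re-issued under the same name and serial with only the validity changed, plus one server certificate); the file names and the CN values are made up. Run it on real files with `check_files([...])`.

```python
"""Find the condition behind moznss -8054 (SEC_ERROR_REUSED_ISSUER_AND_SERIAL):
two certificates with the same issuer and serial that are not byte-identical.
Added example: minimal DER walker, no third-party libraries."""
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem):
    """Every certificate in a PEM bundle, as DER bytes."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem)]


def to_pem(der):
    """Inverse of pem_to_ders for one certificate (64-column base64)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(der):
    """Walk Certificate -> tbsCertificate -> [0] version?, serialNumber, signature, issuer."""
    _, cert, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert)
    tag, val, pos = der_tlv(tbs)
    if tag == 0xA0:  # explicit [0] version is optional (absent in v1 certificates)
        tag, val, pos = der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = der_tlv(tbs, pos)  # signature AlgorithmIdentifier, not needed here
    tag, issuer, _ = der_tlv(tbs, pos)  # issuer Name, kept as raw DER for exact comparison
    if tag != 0x30:
        raise ValueError("issuer Name SEQUENCE expected")
    return issuer, serial


def find_reused(named_ders):
    """Group certificates by (issuer, serial); report groups that hold more than
    one distinct certificate, which is exactly what NSS rejects with -8054."""
    groups = defaultdict(dict)
    for name, der in named_ders:
        issuer, serial = issuer_and_serial(der)
        groups[(issuer, serial)][hashlib.sha256(der).hexdigest()] = name
    return [{"serial": serial, "certs": sorted(by_fp.values())}
            for (_, serial), by_fp in groups.items() if len(by_fp) > 1]


def check_files(paths):
    """Real-world entry point, e.g. check_files(["/etc/openldap/cacert.pem", "chain.pem"])
    where chain.pem holds what `openssl s_client -showcerts` printed."""
    named = []
    for path in paths:
        with open(path, "rb") as fh:
            named += [(f"{path}#{i}", d) for i, d in enumerate(pem_to_ders(fh.read()))]
    return find_reused(named)


# --- constructed test data: certificate-shaped DER, unsigned, not usable as real certs ---

def der(tag, content):
    """Encode one DER TLV (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_cert(serial, issuer_cn, subject_cn, not_before=b"130101000000Z"):
    """tbsCertificate with the real field order but a dummy key and signature."""
    def name(cn):  # Name: SEQUENCE OF RDN (SET OF AttributeTypeAndValue); one CN (2.5.4.3)
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial_bytes) + sha256_rsa
              + name(issuer_cn) + der(0x30, der(0x17, not_before) + der(0x17, b"230101000000Z"))
              + name(subject_cn) + der(0x30, sha256_rsa + der(0x03, b"\x00")))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))


def example_bundle():
    """Constructed scenario (made-up names): a CA re-issued under the same name and
    serial, differing only in validity, plus a server certificate it issued."""
    old_ca = fake_cert(1, "Example CA", "Example CA", not_before=b"080101000000Z")
    new_ca = fake_cert(1, "Example CA", "Example CA", not_before=b"130101000000Z")
    server = fake_cert(1000, "Example CA", "auth.staff.example.com")
    return [("old-cacert.pem", old_ca), ("cacert.pem", new_ca), ("server-chain.pem", server)]


if __name__ == "__main__":
    print(find_reused(example_bundle()))
```

The comparison key is the raw issuer DER plus the serial, which is how NSS matches, rather than the textual DN `openssl x509 -issuer` prints; two issuers that print identically but were encoded differently (PrintableString vs UTF8String) would not collide. `openssl verify` never checks this condition, so a chain that verifies cleanly can still be rejected by NSS when the CA file and the server's chain carry two different certificates for the same issuer and serial.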
Re: Problems with authentication against OpenlDAP
by francesco.policastro@selex-es.com
Hi,
I made some progress, but I am still unable to do what I need.
I said that ldapsearch correctly returns the record related to myself from
both servers, but one of them, namely that configured with ACL's, also
returns some other lines like this:
# refldap://ext.domain.net/CN=Configuration,DC=ext,DC=domain,DC=net
I use simple bind and these lines are returned because my servers answer
on port 389.
Querying the Global Catalog on port 3268 removes those lines (and
authentication works fine), but GC does not return an attribute I need,
i.e. the employeeID. So when the records synchronize I will get problems.
I did not find a way to avoid referrals appearing in the answer.
Did anyone face and solve this problem?
Thanks,
Francesco
8 years
None
by Nick
Dear All,
Please tell me, is there support for DIT structure rules or GoverningStructureRule in current version of OpenLDAP?
Best regards
Nikolay
8 years
openldap-2.4.32 su-ok, rlogin-fails
by Joe Phan
Hi,
I configured a machine to be LDAP Server (openldap-2.4.32) on Solaris 10. Adding users/groups to LDAP Server seems to be ok.
From a second machine, I configured it to be LDAP Client using command "ldapclient manual -v -a defaultsearchbase=dc=pg,dc=dtveng,dc=net -a domainname=pg.dtveng.net 10.26.82.16". It was successful. /var/ldap/ldap_client_file contains appropriate LDAP Server information.
Openldap-2.4.32 is not installed on the Client Machine.
I updated PAM configuration on Client Machine for su and rlogin, results are listed below:
- rlogin into Client Machine using root - OK
- rlogin into Client Machine using "jphan" user - Fails
- After login to Client Machine as root, su from root to "jphan" user - OK (Note: jphan user does not exist in Client Machine /etc/passwd, jphan user exists in LDAP Server)
- From "jphan" user, su to another user - Fails
Could someone please take a look at the configuration for rlogin PAM below to see if the configuration is correct.
Please let me know if there is anything missing from my setup.
Do I need to configure pam.conf on LDAP Server machine as well?
Any help is greatly appreciated.
Best regards,
Joe Phan
Downloaded and installed following packages from SunFreeWare.com to LDAP Server:
openldap-2.4.32-sol10-sparc-local.gz
db-4.7.25.NC-sol10-sparc-local.gz
gcc-3.3.2-sol10-sparc-local.gz
libgcc-3.3-sol10-sparc-local.gz
libtool-2.4.2-sol10-sparc-local.gz
openssl-1.0.1c-sol10-sparc-local.gz
sasl-2.1.25-sol10-sparc-local.gz
Client Machine configuration:
- /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
shadow: files ldap
- /etc/pam.conf:
apggd08dev# more pam.conf
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
#login auth required pam_unix_auth.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth required pam_ldap.so.1 debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
#rlogin auth required pam_unix_auth.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
#ppp auth required pam_unix_auth.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1 debug
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth required pam_unix_auth.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 debug
#
# passwd command (explicit because of a different authentication module)
#
#passwd auth required pam_passwd_auth.so.1
passwd auth sufficient pam_passwd_auth.so.1
passwd auth required pam_ldap.so.1 debug
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1 debug
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
jphan user info:
apggd04dev# ldapsearch -x -b 'dc=pg,dc=dtveng,dc=net' 'uid=jphan'
# extended LDIF
#
# LDAPv3
# base <dc=pg,dc=dtveng,dc=net> with scope subtree
# filter: uid=jphan
# requesting: ALL
#
# jphan, people, pg.dtveng.net
dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: posixGroup
cn: jphan
uid: jphan
uidNumber: 2003
gidNumber: 203
homeDirectory: /export/home/jphan
loginShell: /usr/bin/csh
gecos:: Sm9lIFBoYW4gMzEwLTk2NC00MTI1IA==
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: ....=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
8 years
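What decides the outcome of the posted rlogin stack is the order and control flags, not any single module. The evaluator below is an added example (not code from the post or from Solaris): it parses the rlogin and `other` auth lines copied from the pam.conf above and walks them with the pam.conf(4) control-flag rules (requisite stops the stack on failure; required and binding record a failure but continue; sufficient and binding stop with success when nothing has failed before; a failing sufficient module is ignored). The module results it feeds in are assumptions, labelled as such in `SCENARIOS`: no .rhosts entry, pam_unix_auth unable to verify an LDAP-only user, pam_ldap able to. It shows the control flow only; it does not model what each Solaris module actually returns, nor the account stack.

```python
"""Evaluate a Solaris-style pam.conf stack with the control-flag rules of
pam.conf(4).  Added example; module outcomes are constructed, not real PAM calls."""
from collections import defaultdict

# rlogin lines and the 'other' fallback, copied from the pam.conf in the post
PAM_CONF = """
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_ldap.so.1 debug
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_ldap.so.1 debug
"""


def parse_pam_conf(text):
    """(service, type) -> ordered list of (flag, module, options)."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, mtype, flag, module, *opts = line.split()
        stacks[(service, mtype)].append((flag, module, opts))
    return stacks


def evaluate(stacks, service, mtype, outcomes):
    """Run the stack for service/mtype (falling back to 'other') with module
    results from `outcomes` (module file name -> True/False; a module not
    listed counts as failure, e.g. pam_rhosts_auth with no .rhosts).
    Returns (success, trace)."""
    stack = stacks.get((service, mtype)) or stacks.get(("other", mtype), [])
    trace, first_failure = [], None
    for flag, module, _ in stack:
        ok = outcomes.get(module, False)
        trace.append(f"{flag:<10} {module:<22} {'success' if ok else 'failure'}")
        if flag == "requisite" and not ok:
            trace.append("requisite failure: stack stops, result is failure")
            return False, trace
        if flag in ("required", "binding") and not ok and first_failure is None:
            first_failure = module  # remembered; the stack continues
        if flag in ("sufficient", "binding") and ok and first_failure is None:
            trace.append(f"{flag} success with no earlier failure: stack stops, result is success")
            return True, trace
        # a failing sufficient module and any optional result are ignored
    if first_failure:
        trace.append(f"end of stack: {first_failure} failed earlier, result is failure")
    return first_failure is None, trace


# Constructed scenarios (assumptions, not observed results): no .rhosts entry
# for rlogin, pam_unix_auth cannot verify an LDAP-only user, pam_ldap can.
SCENARIOS = {
    "ldap user, ldap bind works": {
        "pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
        "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": False, "pam_ldap.so.1": True},
    "ldap user, ldap bind fails": {
        "pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
        "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": False, "pam_ldap.so.1": False},
    "local user, pam_ldap unreachable": {
        "pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
        "pam_unix_cred.so.1": True, "pam_unix_auth.so.1": True, "pam_ldap.so.1": False},
}


def run_scenarios(service="rlogin"):
    """Scenario name -> (success, trace) for the given service's auth stack."""
    stacks = parse_pam_conf(PAM_CONF)
    return {name: evaluate(stacks, service, "auth", results) for name, results in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ok, trace) in run_scenarios().items():
        print(f"== {name}: {'PAM_SUCCESS' if ok else 'failure'}")
        print("\n".join("   " + line for line in trace))
```

Two things the trace makes visible: with `pam_unix_auth sufficient` ahead of `pam_ldap required`, a local user never reaches pam_ldap at all, while an LDAP-only user depends entirely on pam_ldap, whose failure is fatal for every service that uses this stack. Running the same scenarios with `service="su"` shows the fallback to the `other` lines, which is why su and rlogin can behave differently only through the rlogin-specific entries.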
ldap, kerberos and authorization by group membership
by brendan kearney
all,
Please excuse my ignorance, as I am still learning. I have started working
with MIT Kerberos 5 and OpenLDAP. I have the krb5 database in LDAP, have
several principals created, and can authenticate using Kerberos. What I
would like to accomplish is authorization based on group membership. I am
unclear on how to do this, and if this requires the use of SASL (via the
cyrus-sasl packages). Am I able to create a groupOfNames object, populated
with Kerberos principals, and accomplish authorization by checking for
membership of that groupOfNames? The scenario is mod_auth_kerb implemented
in httpd, or access control via ACL in squid. Based on group membership,
certain functionality or access would be given to authenticated users. I
have read and re-read the guide included with OpenLDAP, but am still
unclear about what is needed. Below is some info about versions, etc...
Thank you in advance for any guidance.
OS: Fedora: 16 x86_64
OpenLDAP: 2.4.26-8
MIT Kerberos: 1.9.4-3
Cyrus SASL: 2.1.23-27
Thank you,
brendan
8 years
Re: provider/consumer: entries have identical CSN
by Walter Werner
hi everyone
OK, I think I found it :-). It is the sizelimit parameter on the provider.
'The olcSizeLimit/sizelimit attribute/directive specifies the number
of entries to return to a search request'
According to the website
http://www.zytrax.com/books/ldap/ch6/
it says that 'If no sizelimit directive is defined the default is
500.' No wonder that I always had 500 results with ldapsearch -x,
despite the fact that I deleted some entries.
Walter
2013/3/18 Walter Werner <wernwa(a)gmail.com>:
> hello everyone
>
> I still did not solve my problem, but I think the solution could be
> really some size limitation (already suggested by Marc)
>
> LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
>
> The replication went until object stud31. So I deleted on the provider (on
> the test environment I can do that) objects stud01 until stud06. And
> the replication went until stud34. 6 deleted and 3 could replicate. I
> guess the other 3 objects were replicated in some other subtrees I
> did not notice, if the size limit is a constant. The question is, is
> there an easy way to see the difference between the provider and
> consumer?
>
> And the main question is, where can the size limitation (if I am
> thinking right) come from?
>
> Every help is highly appreciated.
>
> Walter
>
> 2013/3/15 Walter Werner <wernwa(a)gmail.com>:
>> Hi Marc
>>
>> Thanks a lot for your quick answer.
>>
>> 2013/3/15 Marc Patermann <hans.moser(a)ofd-z.niedersachsen.de>:
>>> Walter,
>>>
>>> Walter Werner schrieb (15.03.2013 10:58 Uhr):
>>>
>>>
>>>> I get a strange replication problem. After I didn't find a solution
>>>> somewhere on the internet I decided to post to this mailing list. Probably
>>>> I should describe my system settings. Both consumer and provider are
>>>> running on SUSE 12.1. And I got the errors with openldap version
>>>> 2.4.26-3.1.3. Since it is good
>>>> behavior, as I read somewhere on this email list, I compiled the latest
>>>> openldap v2.4.34 and could unfortunately reproduce the same error.
>>>
>>> There is a repo, did you know?
>>> http://download.opensuse.org/repositories/network:/ldap:/OpenLDAP:/
>>> (it is still 2.4.33, but anyway)
>>
>> No, I didn't. That can save me a lot of time in the future.
>>
>>>
>>>> Mar 15 09:17:43 ismvm22 slapd[17313]: dn_callback : entries have
>>>> identical CSN uid=stud31,ou=Student,ou=People,ou=myou,dc=mybase
>>>> 20130315072217.081269Z#000000#000#000000
>>>
>>> do the objects differ from provider to consumer?
>>
>> Especially that stud31 object is exactly the same. I am not sure all
>> copied objects are the same, if that was the question. Apparently ldap
>> has added the stud objects in alphabetical order. There are all studXX
>> until stud31. So after stud31 there should be stud32, stud33 and so on,
>> but they are missing on the consumer. It is maybe no accident that in
>> the log it ends with the stud31 object.
>>
>> dn_callback : entries have identical CSN uid=stud31...
>>
>>>
>>>> Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrep2: rid=010
>>>> LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
>>>> Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrep2: rid=010 (4) Size
>>>> limit exceeded
>>>> Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrepl: rid=010 rc -2
>>>> retrying (58 retries left)
>>>
>>> Change that!
>>
>> Do you mean Size limit exceeded? I already thought about that. Please
>> look at the partial configs in the first mail. On the provider, time and
>> size are set to unlimited for the replicator reader. On the consumer
>> it is also set to unlimited. Maybe I forgot some other option.
>>
>>>> overlay syncprov
>>>
>>> man slapo-syncprov tells more about options to the syncprov overlay.
>>
>> There are indeed a lot more. I tried with an additional parameter for checkpoint
>>
>> syncprov-checkpoint 100 10
>>
>> No effect. Other options seem to me to be for speeding up ldap. I do not
>> want to complicate things. I don't know if it is useful, but before trying
>> out something, I also always deleted the database files on the
>> consumer to avoid memory effects of some sort.
>>
>> Still not replicating properly.
>>
>> Walter
8 years
Problems with authentication against OpenlDAP
by francesco.policastro@selex-es.com
Hi all,
I have two OpenLDAP servers (2.4.34) used by some applications to
authenticate.
Both servers use the meta backend, that is the frontend to two AD domains
in separate forests.
Ldapsearch correctly finds the users in both servers, while authentication
works for one only.
I must say that I had to exclude some portions of the trees in order to
avoid duplicate names. My "correct" users are in 15 subtrees.
In the working server I configured 15 URI's, one for each subtree,
specifying for each of them the credentials, the attribute mappings and
the suffixmassage. The bad news is that slapd.conf is 580 lines and its
maintenance is error prone.
That's why I configured the second server with two URI's only and with
ACL's to limit the access to the 15 subtrees only. The resulting
slapd.conf is much more readable and easy to maintain, but it does not
work.
The ACL's are all of this type:
access to
dn.subtree="ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" read
by dn.exact="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" read
There are no other ACL's, but I already tried adding something like
"access to * by * read" with no success.
As said before ldapsearch works fine, while authentication does not.
Please look at the excerpt from the log files, for both servers, when I
try to authenticate.
Both servers start the same sequence, but one stops just after reading the
same search result.
conn=1033 fd=10 ACCEPT from IP=10.31.222.106:38492 (IP=0.0.0.0:389)
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
method=128
conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
mech=SIMPLE ssf=0
conn=1033 op=0 RESULT tag=97 err=0 text=
conn=1033 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0
filter="(sAMAccountName=policastro)"
conn=1033 op=1 SRCH attr=sAMAccountName
conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1033 op=2 UNBIND
conn=1033 fd=10 closed
===========================
conn=4960 fd=373 ACCEPT from IP=10.31.221.162:40893 (IP=0.0.0.0:389)
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
method=128
conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
mech=SIMPLE ssf=0
conn=4960 op=0 RESULT tag=97 err=0 text=
conn=4960 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0
filter="(sAMAccountName=policastro)"
conn=4960 op=1 SRCH attr=sAMAccountName
conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4960 op=2 BIND anonymous mech=implicit ssf=0
conn=4960 op=2 BIND dn="cn=Policastro
Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com"
method=128
conn=4960 op=2 BIND dn="cn=Policastro
Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com"
mech=SIMPLE ssf=0
conn=4960 op=2 RESULT tag=97 err=0 text=
conn=4960 op=3 UNBIND
conn=4960 fd=373 closed
conn=4961 fd=373 ACCEPT from IP=10.31.221.162:40894 (IP=0.0.0.0:389)
conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
method=128
conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
mech=SIMPLE ssf=0
conn=4961 op=0 RESULT tag=97 err=0 text=
conn=4961 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0
filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=policastro))"
conn=4961 op=1 SRCH attr=sAMAccountName
conn=4961 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4961 op=2 SRCH base="cn=Policastro
Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0
deref=0
filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
conn=4961 op=2 SRCH attr=givenName sn mail employeeID sAMAccountName
conn=4961 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4961 op=3 UNBIND
conn=4961 fd=373 closed
conn=4962 fd=373 ACCEPT from IP=10.31.221.162:40895 (IP=0.0.0.0:389)
conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
method=128
conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
mech=SIMPLE ssf=0
conn=4962 op=0 RESULT tag=97 err=0 text=
conn=4962 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0
filter="(sAMAccountName=policastro)"
conn=4962 op=1 SRCH attr=sAMAccountName
conn=4962 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4962 op=2 SRCH base="cn=Policastro
Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0
deref=0 filter="(objectClass=*)"
conn=4962 op=2 SRCH attr=shadowExpire
conn=4962 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4962 op=3 UNBIND
Can anyone explain to me what happens and how to let the ACL version work?
Thanks, Francesco
8 years
LMDB - growing the database
by Shmulik Regev
Hi,
I understand that the DB size has an upper limit set by the call to
mdb_env_set_mapsize. I wonder what is the best strategy for growing the
size. From what I read, the put operations of either txn or cursor may fail
with the MDB_MAP_FULL error, but then it is too late to change the DB size.
On the other hand I didn't find in mdb_env_stat (or perhaps I didn't
understand) any information suggesting how full the DB is, so I can't really
implement any strategy for preemptively growing the DB based on the used
space.
Did I miss anything?
Cheers,
Shmul
8 years