openldap-technical March 2013

openldap-technical@openldap.org

84 participants
80 discussions

Crash with syncrepl refreshAndPersist and database ldap
by Raffael Sahli 20 Mar '13

20 Mar '13

Hi I run a master slapd with 2.4.33 which has a bdb and an ldap database. A slave server 2.4.33 syncs the bdb database with delta syncrepl (type=refreshAndPersist), and has the same ldap database. So my problem is, that the slave crashes very often (That could be multiple times per hour). I have to kill (9) the daemon and restart it. What I found out is, I can solve the problem with either set the type from refreshAndPersist to refreshOnly or remove the ldap database. I have the problem on other servers, which run with 2.4.31, there I disabled the ldap database on the slave. I'm not sure if it was the same, but I had same problems with 2.4.28 and earlier. So what could that be? Maybe a config problem or a bug? Thanks -- Raffael Sahli public(a)raffaelsahli.com

2 1

ldapsearch returning failure to import cert
by John Rouillard 19 Mar '13

19 Mar '13

Hi all: I am running Scientific Linux 6 (a Red Hat enterprise repackage). Until recently these machines were interacting fine with our ldap setup. We use a self signed cert for the ldap servers and deploy the CA cert in /etc/openldap/cacert.pem. However after the last series of updates ldapsearch has been failing in an interesting way and our sssd caching daemons are failing to connect to our ldaps servers. I am hoping that they are both having the same issue. The relevant installed packages are: openldap-2.4.23-26.el6_3.2.x86_64 openssl-1.0.0-27.el6_4.2.x86_64 nss-util-3.14.0.0-2.el6.x86_64 nss-3.14.0.0-12.el6.x86_64 I am using the command (lightly obscured): ldapsearch -d -1 -v -x -b uid=user,ou=people,dc=staff,dc=example,dc=com -D uid=user,ou=people,dc=staff,dc=example,dc=com -W -H ldaps://auth.staff.example.com/ This fails with the error: TLS: error: connect - force handshake failure: errno 21 - moznss error -8054 TLS: can't connect: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Where is ldapsearch "importing" a cert? Where is it getting its other certs from? I ran strace on ldapsearch and the only cert file I can see it accessing is /etc/openldap/cacert.pem as specified in /etc/openldap/ldap.conf (not counting the /usr/lib64/libnssckbi.so file). The cert in cacert.pem is identical to the one retrieved by running: openssl s_client -connect auth.staff.example.com:636 </dev/null \ 2>/dev/null | sed -ne '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' Here is where it gets a little more interesting: I have a previous CA cert (that used an md5 message digest). If I install that as the CA, ldapsearch works for 2 of my 3 ldap servers. I have used openssl x509 -in ... -text to compare the certificates for my 3 ldap server and they look identical except where they shouldn't be (subject name, subject name digests...). The issuer, issuer digest ... fields are the same. If I use openssl verify -CAfile /etc/openldap/cacert.pem -purpose sslserver -issuer_checks ldap where ldap is the cert retrieved using s_client it validates for all three servers regardless of whether the CAfile is the older md5 or newer cert. Just to add more into the mix, our CentOS 5 boxes have no issues with any of the servers (IIUC they have an entirely different tls/cert level since they do not use Mozilla nss). Thanks for any insight or questions as the answer didn't come to me while I was writing this email 8-). -- -- rouilj John Rouillard System Administrator Renesys Corporation 603-244-9084 (cell) 603-643-9300 x 111

2 1

Re: Problems with authentication against OpenlDAP
by francesco.policastro＠selex-es.com 19 Mar '13

19 Mar '13

Hi, I made some progress, but I am still unable to do what I need. I said that ldapsearch correctly returns the record related to myself from both servers, but one of them, namely that configured with ACL's, also returns some other lines like this: # refldap://ext.domain.net/CN=Configuration,DC=ext,DC=domain,DC=net I use simple bind and these lines are returned because my servers answer on port 389. Querying the Global Catalog on port 3268 removes those lines (and authentication works fine), but GC does not return an attribute I need, i.e. the employeeID. So when the records synchronize I will get problems. I did not find a way to avoid referrals to appear in the answer. Did anyone face and solve this problem? Thanks, Francesco

1 0

None
by Nick 19 Mar '13

19 Mar '13

Dear All, Please tell me, is there support for DIT structure rules or GoverningStructureRule in current version of OpenLDAP? Best regards Nikolay

2 1

openldap-2.4.32 su-ok, rlogin-fails
by Joe Phan 18 Mar '13

18 Mar '13

Hi, I configured a machine to be LDAP Server (openldap-2.4.32) on Solaris 10. Adding users/groups to LDAP Server seems to be ok. From a second machine, I configured it to be LDAP Client using command "ldapclient manual -v -a defaultsearchbase=dc=pg,dc=dtveng,dc=net -a domainname=pg.dtveng.net 10.26.82.16". It was successful. /var/ldap/ldap_client_file contains appropriate LDAP Server information. Openldap-2.4.32 is not installed on the Client Machine. I updated PAM configuration on Client Machine for su and rlogin, results are listed below: - rlogin into Client Machine using root - OK - rlogin into Client Machine using "jphan" user - Fails - After login to Client Machine as root, su from root to "jphan" user - OK (Note: jphan user does not exist in Client Machine /etc/passwd, jphan user exists in LDAP Server) - From "jphan" user, su to another user - Fails Could someone please take a look at the configuration for rlogin PAM below to see if the configuration is correct. Please let me know if there is anything missing from my setup. Do I need to configure pam.conf on LDAP Server machine as well? Any help is greatly appreciated. Best regards, Joe Phan Downloaded and installed following packages from SunFreeWare.com to LDAP Server: openldap-2.4.32-sol10-sparc-local.gz db-4.7.25.NC-sol10-sparc-local.gz gcc-3.3.2-sol10-sparc-local.gz libgcc-3.3-sol10-sparc-local.gz libtool-2.4.2-sol10-sparc-local.gz openssl-1.0.1c-sol10-sparc-local.gz sasl-2.1.25-sol10-sparc-local.gz Client Machine configuration: - /etc/nsswitch.conf: passwd: files ldap group: files ldap shadow: files ldap - /etc/pam.conf: apggd08dev# more pam.conf # login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 #login auth required pam_unix_auth.so.1 login auth sufficient pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 login auth required pam_ldap.so.1 debug # # rlogin service (explicit because of pam_rhost_auth) # rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_cred.so.1 #rlogin auth required pam_unix_auth.so.1 rlogin auth sufficient pam_unix_auth.so.1 rlogin auth required pam_ldap.so.1 debug # # Kerberized rlogin service # krlogin auth required pam_unix_cred.so.1 krlogin auth binding pam_krb5.so.1 krlogin auth required pam_unix_auth.so.1 # # rsh service (explicit because of pam_rhost_auth, # and pam_unix_auth for meaningful pam_setcred) # rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_cred.so.1 # # Kerberized rsh service # krsh auth required pam_unix_cred.so.1 krsh auth binding pam_krb5.so.1 krsh auth required pam_unix_auth.so.1 # # Kerberized telnet service # ktelnet auth required pam_unix_cred.so.1 ktelnet auth binding pam_krb5.so.1 ktelnet auth required pam_unix_auth.so.1 # # PPP service (explicit because of pam_dial_auth) # ppp auth requisite pam_authtok_get.so.1 ppp auth required pam_dhkeys.so.1 ppp auth required pam_unix_cred.so.1 #ppp auth required pam_unix_auth.so.1 ppp auth sufficient pam_unix_auth.so.1 ppp auth required pam_dial_auth.so.1 ppp auth required pam_ldap.so.1 debug # # Default definitions for Authentication management # Used when service name is not explicitly mentioned for authentication # other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 #other auth required pam_unix_auth.so.1 other auth sufficient pam_unix_auth.so.1 other auth required pam_ldap.so.1 debug # # passwd command (explicit because of a different authentication module) # #passwd auth required pam_passwd_auth.so.1 passwd auth sufficient pam_passwd_auth.so.1 passwd auth required pam_ldap.so.1 debug # # cron service (explicit because of non-usage of pam_roles.so.1) # cron account required pam_unix_account.so.1 # # Default definition for Account management # Used when service name is not explicitly mentioned for account management # other account sufficient pam_ldap.so.1 debug other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 # # Default definition for Session management # Used when service name is not explicitly mentioned for session management # other session required pam_unix_session.so.1 # # Default definition for Password management # Used when service name is not explicitly mentioned for password management # other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 jphan user info: apggd04dev# ldapsearch -x -b 'dc=pg,dc=dtveng,dc=net' 'uid=jphan' # extended LDIF # # LDAPv3 # base <dc=pg,dc=dtveng,dc=net> with scope subtree # filter: uid=jphan # requesting: ALL # # jphan, people, pg.dtveng.net dn: uid=jphan,ou=people,dc=pg,dc=dtveng,dc=net objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: posixGroup cn: jphan uid: jphan uidNumber: 2003 gidNumber: 203 homeDirectory: /export/home/jphan loginShell: /usr/bin/csh gecos:: Sm9lIFBoYW4gMzEwLTk2NC00MTI1IA== shadowLastChange: 0 shadowMax: 0 shadowWarning: 0 userPassword:: ....= # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1

2 1

ldap, kerberos and authorization by group membership
by brendan kearney 18 Mar '13

18 Mar '13

all, please excuse my ignorance, as i am still learning. i have started working with mit kerberos 5 and openldap. i have the krb5 database in ldap, have several principals created, can can authenticate using kerberos. what i would like to accomplish is authorization based on group membership. i am unclear on how to do this, and if this requires the use of SASL (via the cyrus-sasl packages). am i able to create a groupofnames object, populated with kerberos principals and accomplish authorization by checking for membership of that groupofnames? the scenario is mod_auth_kerb implemented in httpd, or access control via acl in squid. based on group membership, certain functionality or access would be given to authenticated users. i have read and re-read the guide included with openldap, but am still unclear about what is needed. Below is some info about versions, etc... thank you in advance for any guidance. OS: Fedora: 16 x86_64 OpenLDAP: 2.4.26-8 MIT Kerberos: 1.9.4-3 Cyrus SASL: 2.1.23-27 thank you, brendan

2 2

Re: provider/consumer: entries have identical CSN
by Walter Werner 18 Mar '13

18 Mar '13

hi everyone ok, i think i found it :-). It is the sizelimit parameter on the provider. 'The olcSizeLimit/sizelimit attribute/directive specifies the number of entries to return to a search request' Due to the website http://www.zytrax.com/books/ldap/ch6/ It says that 'If no sizelimit directive is defined the default is 500.' No wonder that i had always 500 results with ldapsearch -x, despite the fact, that i deleted some entries. Walter 2013/3/18 Walter Werner <wernwa(a)gmail.com>: > hello everyone > > I still did not solve my problem, but i think the solution could be > really some size limitation (already suggested by Marc) > > LDAP_RES_SEARCH_RESULT (4) Size limit exceeded > > The replication was until Object stud31. So i deleted on provider (on > the test environment i can do that) Objects stud01 until stud06. And > the replication went until stud34. 6 deleted and 3 could replicate. I > guess the other 3 objects where replicated in some other sub trees, i > did not noticed, if the size-limit is a constant. The question is, is > there an easy way to see the difference between the provider and > consumer? > > And the main question is, where can the size limitation (if i am > thinking right) comes from? > > Every help is highly appreciated. > > Walter > > 2013/3/15 Walter Werner <wernwa(a)gmail.com>: >> hi Marc >> >> Thanks a lot for you quick answer. >> >> 2013/3/15 Marc Patermann <hans.moser(a)ofd-z.niedersachsen.de>: >>> Walter, >>> >>> Walter Werner schrieb (15.03.2013 10:58 Uhr): >>> >>> >>>> I get a strange replication problem. After i didn't find a solution >>>> somewhere on internet i decided to post to this mailing-list. Probably >>>> i should describe my system settings. Both consumer and provider are >>>> running on suse 12.1. And i got the errors with openldap version >>>> 2.4.26-3.1.3. Since it is a good >>>> behavior i red somewhere on this email-list, i compiled the latest >>>> openldap v2.4.34 and could unfortunately reproduce the same error. >>> >>> The is a repo, did you know? >>> http://download.opensuse.org/repositories/network:/ldap:/OpenLDAP:/ >>> (it is still 2.4.33, but anyway) >> >> No, i didn't. That can save me a lot of time in the future. >> >>> >>>> Mar 15 09:17:43 ismvm22 slapd[17313]: dn_callback : entries have >>>> identical CSN uid=stud31,ou=Student,ou=People,ou=myou,dc=mybase >>>> 20130315072217.081269Z#000000#000#000000 >>> >>> do the objects differ from provider to consumer? >> >> Especially that stud31 object is exactly the same. I am not sure all >> copied objects are the same, if that was the question. Apparently ldap >> has added the stud objects in alphabetical order. There are all studXX >> until stud31. So after stud31 there should be stud32 stud33 and so on, >> but they are missing on the consumer. It is maybe no accident that in >> the log it ends with stud31 object. >> >> dn_callback : entries have identical CSN uid=stud31... >> >>> >>>> Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrep2: rid=010 >>>> LDAP_RES_SEARCH_RESULT (4) Size limit exceeded >>>> Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrep2: rid=010 (4) Size >>>> limit exceeded >>>> Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrepl: rid=010 rc -2 >>>> retrying (58 retries left) >>> >>> Change that! >> >> Do you mean Size limit exceeded? I already thought about that. Please >> look at the partial configs in the first mail.On the provider time and >> size are set to unlimited for the replicator reader. On the consumer >> it is also set to unlimited. Maybe i forgot some other option. >> >>>> overlay syncprov >>> >>> man slapo-syncprov tells more about options to the syncprov overlay. >> >> There are indeed a lot more. I tried with additional parameter for checkpoint >> >> syncprov-checkpoint 100 10 >> >> No effect. Other options seems to me for speeding up ldap. I do not >> want to complicate things. I don't now if it is useful, before trying >> out something, i also always deleted the database files on the >> consumer to avoid memory effects of some sort. >> >> Still not replicating properly. >> >> Walter

2 1

impact on performance by adding jpeg file
by Jignesh Patel 18 Mar '13

18 Mar '13

We have around 10 million users and trying to add images(only faces), is it wise to do that way? Or should I bring images from database? -jignesh

2 2

Problems with authentication against OpenlDAP
by francesco.policastro＠selex-es.com 18 Mar '13

18 Mar '13

Hi all, I have two OpenLDAP servers (2.4.34) used by some applications to authenticate. Both servers use the meta backend, that is the frontend to two AD domains in separate forests. Ldapsearch correctly finds the users in both servers, while authentication works for one only. I must say that I had to exclude some portions of the trees in order to avoid duplicate names. My "correct" users are in 15 subtrees. In the working server I configured 15 URI's, one for each subtree, specifying for each of them the credentials, the attribute mappings and the suffixmassage. The bad news is that slapd.conf is 580 lines and its maintenance is error prone. That's why I configured the second server with two URI's only and with ACL's to limit the access to the 15 subtrees only. The resulting slapd.conf is much more readable and easy to maintain, but it does not work. The ACL's are all of this type: access to dn.subtree="ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" read by dn.exact="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" read There are no other ACL's, but I already tried adding something like "access to * by * read" with no success. As said before ldapsearch works fine, while authentication does not. Please look at the excerpt from the log files, for both servers, when I try to authenticate. Both servers start the same sequence, but one stops just after reading the same search result. conn=1033 fd=10 ACCEPT from IP=10.31.222.106:38492 (IP=0.0.0.0:389) conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128 conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0 conn=1033 op=0 RESULT tag=97 err=0 text= conn=1033 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)" conn=1033 op=1 SRCH attr=sAMAccountName conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1033 op=2 UNBIND conn=1033 fd=10 closed =========================== conn=4960 fd=373 ACCEPT from IP=10.31.221.162:40893 (IP=0.0.0.0:389) conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128 conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0 conn=4960 op=0 RESULT tag=97 err=0 text= conn=4960 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)" conn=4960 op=1 SRCH attr=sAMAccountName conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=4960 op=2 BIND anonymous mech=implicit ssf=0 conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" method=128 conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" mech=SIMPLE ssf=0 conn=4960 op=2 RESULT tag=97 err=0 text= conn=4960 op=3 UNBIND conn=4960 fd=373 closed conn=4961 fd=373 ACCEPT from IP=10.31.221.162:40894 (IP=0.0.0.0:389) conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128 conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0 conn=4961 op=0 RESULT tag=97 err=0 text= conn=4961 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=policastro))" conn=4961 op=1 SRCH attr=sAMAccountName conn=4961 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=4961 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" conn=4961 op=2 SRCH attr=givenName sn mail employeeID sAMAccountName conn=4961 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=4961 op=3 UNBIND conn=4961 fd=373 closed conn=4962 fd=373 ACCEPT from IP=10.31.221.162:40895 (IP=0.0.0.0:389) conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128 conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0 conn=4962 op=0 RESULT tag=97 err=0 text= conn=4962 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)" conn=4962 op=1 SRCH attr=sAMAccountName conn=4962 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=4962 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(objectClass=*)" conn=4962 op=2 SRCH attr=shadowExpire conn=4962 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=4962 op=3 UNBIND Can anyone explain me what happens and how to let the ACL version work? Thanks, Francesco

1 0

LMDB - growing the database
by Shmulik Regev 16 Mar '13

16 Mar '13

Hi, I understand that the DB size has an upper limit set by the call to mdb_env_set_mapsize . I wonder what is the best strategy for growing the size. From what I read, the put operations of either txn or cursor may fail with the MDB_MAP_FULL error but then it is too late to change the DB size. On the other hand I didn't find in mdb_env_stat (or perhaps I didn't understand) any information suggesting how full is the DB so I can't really implement any strategy for preemptively growing the DB based on the used space. Did I miss anything? Cheers, Shmul

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2013