Multiple uid's?
by R V
Is there an alias entry that can be used for authentication? Basically I
am looking for a way to allow a user record to have multiple uid's.
Example:
uid johnsmith
uid jsmith
Trying to bring multiple services under one authentication method. The
challenging part: some services have varying usernames, as listed above,
which unfortunately cannot be changed.
Thanks
RV
9 years, 2 months
Encryption or hash for password?
by Gerhardus Geldenhuis
Hi
I am using the default Ubuntu 12.10 openldap installation and have
inherited an existing ldap setup. When I do a slapcat -n 1
it shows userPassword entries as follows:
userPassword:: e2NyeFB0fSQxJEkwKGc3bGJjJFpwL3JndlpCZDBlSPZuZGdoMFczTC8=
( password string has been edited... )
I am not sure how this is encoded... is there a way to find out? I have
tried md5 which is currently the default encoding for our servers.
I have also tried slappasswd with various -h option to see if I can
recreate the same hash if it is a hash.
I want to add new users using ldif and would like to encrypt/hash their
passwords in a similar fashion if possible.
Any help would be appreciated.
Regards
--
Gerhardus Geldenhuis
9 years, 2 months
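A way to answer the "how is this encoded" question offline, as an added example that is not part of the original post: the double colon in slapcat output means the value is base64 per RFC 2849, and the decoded value begins with a {scheme} prefix that names the storage scheme. The sample values below are constructed (the poster's hash was edited, so it is not reused) and the function names are my own.

```python
import base64
import hashlib
import os

# Constructed sample slapcat lines. A double colon after the attribute name
# means the value is base64-encoded (RFC 2849); a single colon means literal.
SAMPLE_LINES = [
    "userPassword:: " + base64.b64encode(
        b"{crypt}$1$abcdefgh$ijklmnopqrstuvwxyz012").decode(),
    "userPassword:: " + base64.b64encode(
        b"{SSHA}" + base64.b64encode(b"x" * 24)).decode(),
    "userPassword: secret",  # stored in the clear, no scheme prefix
]

# crypt(3) salt prefixes that a {crypt} value may carry
CRYPT_VARIANTS = {"$1$": "md5-crypt", "$5$": "sha256-crypt",
                  "$6$": "sha512-crypt", "$2": "bcrypt"}

def decode_ldif_value(line):
    """Return the raw bytes of the attribute value on one LDIF line."""
    _name, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()

def identify_scheme(raw):
    """Return (scheme, detail) for a decoded userPassword value."""
    if raw.startswith(b"{") and b"}" in raw:
        end = raw.index(b"}")
        scheme, body = raw[1:end].decode(), raw[end + 1:]
        if scheme.lower() == "crypt":
            for prefix, name in CRYPT_VARIANTS.items():
                if body.startswith(prefix.encode()):
                    return scheme, name
            return scheme, "traditional DES crypt or unknown variant"
        return scheme, ""
    return "cleartext", ""

def make_ssha(password, salt=None):
    """Build a {SSHA} value (salted SHA-1, the form slappasswd -h '{SSHA}' emits)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored, password):
    """Check a password against a {SSHA} value; the salt follows the 20-byte digest."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split(":")[0], "->", identify_scheme(decode_ldif_value(line)))
```

A {crypt} value beginning with $1$ is MD5-crypt from the system crypt(3), which slappasswd -h '{CRYPT}' -c '$1$%.8s' reproduces; for new users in an LDIF, the make_ssha() output can be pasted as the userPassword value directly.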
provider/consumer: entries have identical CSN
by Walter Werner
hi to everyone
I get a strange replication problem. After I didn't find a solution
somewhere on the internet I decided to post to this mailing list. Probably
I should describe my system settings. Both consumer and provider are
running on suse 12.1. And I got the errors with openldap version
2.4.26-3.1.3. Since it is good behavior, as I read somewhere on this
email list, I compiled the latest openldap v2.4.34 and could
unfortunately reproduce the same error.
The problem is that the consumer does not replicate all objects. The
loglevel on the consumer is
loglevel stats sync
This is the partial output of the /var/log/messages
...
Mar 15 09:17:43 ismvm22 slapd[17313]: dn_callback : entries have
identical CSN cn=stud31,nisMapName=ws,ou=autofs,ou=etc,ou=Data,ou=myou,dc=mybase
20130315072217.079828Z#000000#000#000000
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010 be_search (0)
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010
cn=stud31,nisMapName=ws,ou=autofs,ou=etc,ou=Data,ou=myou,dc=mybase
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010 entry
unchanged, ignored
(cn=stud31,nisMapName=ws,ou=autofs,ou=etc,ou=Data,ou=myou,dc=mybase)
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_message_to_entry:
rid=010 DN: uid=stud31,ou=Student,ou=People,ou=myou,dc=mybase, UUID:
5949c18a-cd49-4dec-85dc-68ae129c13d7
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010 inserted
UUID 5949c18a-cd49-4dec-85dc-68ae129c13d7
Mar 15 09:17:43 ismvm22 slapd[17313]: dn_callback : entries have
identical CSN uid=stud31,ou=Student,ou=People,ou=myou,dc=mybase
20130315072217.081269Z#000000#000#000000
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010 be_search (0)
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010
uid=stud31,ou=Student,ou=People,ou=myou,dc=mybase
Mar 15 09:17:43 ismvm22 slapd[17313]: syncrepl_entry: rid=010 entry
unchanged, ignored (uid=stud31,ou=Student,ou=People,ou=myou,dc=mybase)
Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrep2: rid=010
LDAP_RES_SEARCH_RESULT
Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrep2: rid=010
LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrep2: rid=010 (4) Size
limit exceeded
Mar 15 09:17:43 ismvm22 slapd[17313]: do_syncrepl: rid=010 rc -2
retrying (58 retries left)
The config files
provider:
---------------------------------------------
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
# set up a replicator reader that can also read passwords
limits dn.exact="cn=replicator,dc=mybase" size=unlimited time=unlimited
access to *
by dn.exact="cn=replicator,dc=mybase" read
by * break
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
database bdb
suffix "dc=mybase"
checkpoint 1024 5
cachesize 10000
rootdn "cn=ldapadmin,dc=mybase"
directory /opt/var/openldap-data/
# Indices to maintain
index objectClass eq
index entryUUID eq
overlay syncprov
------------------------------------------------------------------
On the consumer side everything is the same except the syncrepl directive
consumer:
-------------------------------------------------------
syncrepl rid=10
provider=ldap://172.22.199.121
searchbase="dc=mybase"
type=refreshAndPersist
retry="30 60 120 +"
filter="objectClass=*"
scope=sub
attrs="*,+"
sizelimit=unlimited
timelimit=unlimited
binddn="cn=replicator,dc=mybase"
bindmethod=simple
credentials="secred"
------------------------
Any Ideas? I am glad for every help.
9 years, 2 months
Local group and ldap user combination
by Gerhardus Geldenhuis
Hi
Admittedly this is slightly OT, but I was hoping someone could point me in
the right direction.
I want to be able to grant LDAP users group membership to local groups on an
Ubuntu box. For example the adm group.
How would I go about doing this?
As a very quick test I created an adm group in ldap but it is not having the
desired effect. Output from getent group | grep adm:
adm:x:4:
adm:*:4:uid=ggeldenhuis,ou=People,dc=example,dc=com
The first adm group is the local file group and the second my ldap group.
Am I going about this in the wrong way... ?
Regards
--
Gerhardus Geldenhuis
9 years, 2 months
Adding samba schema to OpenLDAP2.4
by Wes Modes
Previously, I was running 2.3 and then 2.4 using all the 2.3 config files.
I am building a new 2.4 server the right way using OpenLDAP native
database and config schema.
As I migrate the functionality of the old server to the new one, I will
have various questions.
Today's question: How do I import the samba (3.6.9) schema (previously
in an include schema file) to the new 2.4 server?
W.
--
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz
9 years, 2 months
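The usual route for a file-based schema on a cn=config server, as an added example that is not from the original post: run slaptest against a throwaway slapd.conf that includes core.schema and samba.schema so it writes cn={N}samba.ldif under a temporary slapd.d, then strip the ordering index and the operational attributes from that file before loading it with ldapadd. The converter below does that second step; its input is a constructed, abbreviated imitation of slaptest output, and the function names are my own.

```python
import re

# Step 1 (run on the server, not reproduced here): point slaptest at a
# throwaway config that includes the schema, for example
#   printf 'include /etc/ldap/schema/core.schema\ninclude /path/to/samba.schema\n' > /tmp/samba.conf
#   mkdir /tmp/slapd.d && slaptest -f /tmp/samba.conf -F /tmp/slapd.d
# which writes /tmp/slapd.d/cn=config/cn=schema/cn={1}samba.ldif.
# Step 2 is below. SLAPTEST_OUTPUT is a constructed, abbreviated imitation
# of that file; the real one lists every samba attribute and objectclass.
SLAPTEST_OUTPUT = """\
dn: cn={1}samba
objectClass: olcSchemaConfig
cn: {1}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
 anMan Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1
 .26{32} SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUX
 ILIARY MUST ( uid $ sambaSID ) MAY ( sambaLMPassword $ sambaNTPassword ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20130315000000Z
entryCSN: 20130315000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130315000000Z
"""

# attributes slapd maintains itself; ldapadd rejects them in the input
OPERATIONAL = {"structuralObjectClass", "entryUUID", "creatorsName",
               "createTimestamp", "entryCSN", "modifiersName", "modifyTimestamp"}

def unfold(text):
    """Join RFC 2849 continuation lines (leading space) back onto their line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def convert_schema_ldif(text):
    """Turn a slaptest schema file into an LDIF that ldapadd can load into cn=config."""
    out = []
    for line in unfold(text):
        attr, _, value = line.partition(":")
        if attr in OPERATIONAL:
            continue
        value = value.strip()
        if attr == "dn":
            # drop the {N} ordering index and anchor the entry under cn=schema,cn=config
            out.append("dn: cn=%s,cn=schema,cn=config" % re.sub(r"^cn=\{\d+\}", "", value))
        elif attr == "cn":
            out.append("cn: " + re.sub(r"^\{\d+\}", "", value))
        else:
            out.append(line)
    return "\n".join(out) + "\n"
```

Write the result to samba.ldif and load it as root with ldapadd -Y EXTERNAL -H ldapi:/// -f samba.ldif; the server picks the ordering index itself.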
Issues with deletes and syncrepl
by Adam
Hi, I am currently working on setting up a new openldap environment, based
on the current stable version of 2.4.34
I have two servers, ldap1 and ldap2, which are performing mirror-mode
multi-master replication.
When ldap1 and ldap2 are both up, adds/deletes/modifications are
replicated correctly.
When ldap1 is up and ldap2 is down, adds/modifications can be performed
successfully against ldap1, and when ldap2 comes back up, changes are
replicated successfully.
Problem is, if ldap2 is down, and a deletion occurs against ldap1, when
ldap2 comes back up, the deletion is not replicated.
Here are my slapd.confs for each server
ldap1:
-----------------------------
include /opt/openldap/etc/openldap/schema/core.schema
pidfile /opt/openldap/var/run/slapd.pid
argsfile /opt/openldap/var/run/slapd.args
moduleload syncprov.la
moduleload accesslog.la
moduleload back_bdb.la
serverID 1
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw {SSHA}zViBuH78jtg/BKtT1sZHNp7gwWnlCWDk
directory /opt/openldap/var/openldap-data
checkpoint 10240 720
cachesize 50000
dbconfig set_cachesize 0 524288000 1
dbconfig set_lk_max_locks 3000
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
syncrepl rid=001
provider=ldap://ldap2.example.com:389
binddn="cn=manager,dc=example,dc=com"
bindmethod=simple
credentials=password
searchbase="dc=example,dc=com"
type=refreshAndPersist
interval=00:00:00:01
retry="60 +"
schemachecking=on
index objectClass eq
index entryUUID eq
index entryCSN eq
mirrormode on
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 100 1
ldap2:
-----------------------------
include /opt/openldap/etc/openldap/schema/core.schema
pidfile /opt/openldap/var/run/slapd.pid
argsfile /opt/openldap/var/run/slapd.args
moduleload syncprov.la
moduleload accesslog.la
moduleload back_bdb.la
serverID 2
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw {SSHA}zViBuH78jtg/BKtT1sZHNp7gwWnlCWDk
directory /opt/openldap/var/openldap-data
checkpoint 10240 720
cachesize 50000
dbconfig set_cachesize 0 524288000 1
dbconfig set_lk_max_locks 3000
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
syncrepl rid=001
provider=ldap://ldap1.example.com:389
binddn="cn=manager,dc=example,dc=com"
bindmethod=simple
credentials=password
searchbase="dc=example,dc=com"
type=refreshAndPersist
interval=00:00:00:01
retry="60 +"
schemachecking=on
index objectClass eq
index entryUUID eq
index entryCSN eq
mirrormode on
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 100 1
Here is the logging output at level 16384
ldap1:
-----------------------------
51401797 bdb_monitor_db_open: monitoring disabled; configure monitor
database to enable
51401797 slapd starting
51401797 do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
514017ae do_syncrep2: rid=001 (-1) Can't contact LDAP server
514017ae do_syncrepl: rid=001 rc -1 retrying
514017c9 slap_queue_csn: queing 0x7fa53f0c5020
20130313060809.655329Z#000000#001#000000
514017c9 slap_graduate_commit_csn: removing 0x7fa530100910
20130313060809.655329Z#000000#001#000000
514017cc syncprov_search_response:
cookie=rid=001,sid=001,csn=20130313060809.655329Z#000000#001#000000;20130313054634.762054Z#000000#002#000000
514017e8 slap_queue_csn: queing 0x7fa53e8c4470
20130313060840.173887Z#000000#001#000000
514017e8 slap_graduate_commit_csn: removing 0x7fa534101170
20130313060840.173887Z#000000#001#000000
514017ea slap_client_connect: URI=ldap://ldap2.example.com:389
DN="cn=manager,dc=example,dc=com" ldap_sasl_bind_s failed (-1)
514017ea do_syncrepl: rid=001 rc -1 retrying
514017ed syncprov_search_response:
cookie=rid=001,sid=001,csn=20130313060840.173887Z#000000#001#000000;20130313054634.762054Z#000000#002#000000
51401826 do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
ldap2:
-----------------------------
514017ed bdb_monitor_db_open: monitoring disabled; configure monitor
database to enable
514017ed slapd starting
514017ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
514017ed do_syncrep2: rid=001
cookie=rid=001,sid=001,csn=20130313060840.173887Z#000000#001#000000;20130313054634.762054Z#000000#002#000000
514017ed slap_queue_csn: queing 0x7f5070109540
20130313060840.173887Z#000000#001#000000
514017ed slap_graduate_commit_csn: removing 0x7f50701096b0
20130313060840.173887Z#000000#001#000000
Here's the command I'm using on the client to perform the delete:
While ldap2 is offline,
ldapdelete -h ldap1 -x -r -D "cn=manager,dc=example,dc=com" -w password
"ou=groups,dc=example,dc=com"
Let me know if you want any further information
I'm sure it's something stupid I'm missing, but would appreciate any
assistance with this.
Cheers,
Adam
9 years, 2 months
ldapmodify: multiple additions
by infirit
Hi, I am working through a book (Mastering OpenLDAP, Packtpub) which is
based on openldap 2.3.
The book talks in chapter 3 about how to modify/add/delete attributes for a
dn. It instructs to put the below in an ldif file and read it with
ldapmodify. The writer's point here is that I am supposed to add both a
"description" and "title" without separating out the additions with a
dash (-).
It never works for me and always comes with a syntax error.
non working ldif file:
dn: uid=nicholas,ou=Users,dc=home
changetype: modify
add: description title # <- 2 attributes
description: This is a test
title: Cartesian philosopher
Error: ldapmodify: wrong attributeType at line 4, entry
"uid=nicholas,ou=Users,dc=home"
The ldif file that does work is below.
Working ldif file:
dn: uid=nicholas,ou=Users,dc=home
changetype: modify
add: description
description: This is a test
-
add: title
title: Cartesian philosopher
Now am I doing something wrong, is the book using functionality that is
not available in openldap version 2.4 or something else?
Any pointers and help much appreciated.
Thx
infirit
9 years, 2 months
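A small parser that enforces the rule the poster hits, as an added example that is not from the original post or the book: in an RFC 2849 changerecord each add:/delete:/replace: line names exactly one attribute type, and consecutive changes are separated by a line holding only "-". The two record texts below mirror the LDIFs above, and the function name is my own.

```python
import re

# Constructed records mirroring the two LDIFs in the post.
BROKEN = """\
dn: uid=nicholas,ou=Users,dc=home
changetype: modify
add: description title
description: This is a test
title: Cartesian philosopher
"""
WORKING = """\
dn: uid=nicholas,ou=Users,dc=home
changetype: modify
add: description
description: This is a test
-
add: title
title: Cartesian philosopher
"""

# one attribute description: a type name plus optional ;options, never a space
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")

def parse_modify_record(text):
    """Parse a 'changetype: modify' record; return (changes, error).
    changes is [(op, attr, [values])]. Enforces the RFC 2849 rules the post
    runs into: each add/delete/replace line names exactly one attribute
    type, and consecutive changes are separated by a line holding only '-'.
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("dn:") \
            or lines[1].strip() != "changetype: modify":
        return None, "not a modify changerecord"
    changes, current = [], None
    for n, line in enumerate(lines[2:], start=3):
        if line == "-":                      # closes the current change
            if current is None:
                return None, "stray '-' at line %d" % n
            changes.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        value = value.strip()
        if attr in ("add", "delete", "replace"):
            if current is not None:
                return None, "line %d: previous change not closed with '-'" % n
            if not ATTR_RE.match(value):     # e.g. 'description title'
                return None, "wrong attributeType at line %d: %r" % (n, value)
            current = (attr, value, [])
        elif not sep or current is None:
            return None, "line %d: value outside a change block" % n
        elif attr != current[1]:
            return None, "line %d: %s does not belong to the %s change" % (n, attr, current[1])
        else:
            current[2].append(value)
    if current is not None:                  # a trailing '-' is optional
        changes.append(current)
    return changes, None
```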
slapd version 2.4.32 crashes on Solaris 10
by Juergen.Sprenger@swisscom.com
Hello,
Since updating from OpenLDAP 2.4.23 to OpenLDAP 2.4.32, about one to three times a week a slapd process crashes with a coredump.
Seems it's caused by ldap requests as only some of our servers are affected which are all in the same network zone.
The facts I found out so far:
Syslog:
Mar 8 20:13:01 vg0092 slapd[220]: [ID 870088 local4.debug] get_filter: unknown filter type=48
Mar 8 20:13:01 vg0092 last message repeated 14 times
Mar 8 20:13:01 vg0092 slapd[220]: [ID 870088 local4.debug] get_filter: unknown filter type=48
Mar 8 20:13:01 vg0092 last message repeated 17 times
Mar 8 20:13:01 vg0092 slapd[220]: [ID 870088 local4.debug] get_filter: unknown filter type=48
Mar 8 20:13:01 vg0092 last message repeated 15 times
Mar 8 20:13:01 vg0092 slapd[220]: [ID 870088 local4.debug] get_filter: unknown filter type=48
Mar 8 20:13:02 vg0092 last message repeated 18 times
Mar 8 20:13:02 vg0092 slapd[220]: [ID 870088 local4.debug] get_filter: unknown filter type=48
Mar 8 20:13:11 vg0092 last message repeated 1091 times
Mar 8 20:13:11 vg0092 slapd[220]: [ID 870088 local4.debug] get_filter: unknown filter type=48
Mar 8 20:13:20 vg0092 last message repeated 1057 times
Mar 8 20:14:14 vg0092 genunix: [ID 603404 kern.notice] NOTICE: core_log: slapd[220] core dumped: /dpool/vg0092-data/ldap/core/core.slapd.220
Mar 8 20:14:14 vg0092 slapd[7288]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.4.32 (Aug 5 2012 00:09:28) $
Mar 8 20:14:14 vg0092 steve@sunblade2500:/bigdisk/SOURCES/S10/openldap-2.4.32/servers/slapd
Mar 8 20:14:14 vg0092 slapd[7299]: [ID 643551 local4.debug] hdb_db_open: database "dc=scom": unclean shutdown detected; attempting recovery.
Mar 8 20:14:31 vg0092 last message repeated 2 times
Mar 8 20:14:42 vg0092 last message repeated 5 times
Mar 8 20:15:03 vg0092 slapd[8246]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.4.32 (Aug 5 2012 00:09:28) $
Mar 8 20:15:03 vg0092 steve@sunblade2500:/bigdisk/SOURCES/S10/openldap-2.4.32/servers/slapd
Mar 8 20:15:03 vg0092 ldap: [ID 702911 user.warning] vg0092 slapd maintenance, rebuilding, WARNING
The 'unknown filter' messages are caused by HPUX clients. As a result of the crash the Berkeley-DB became corrupt and has to be rebuilt.
Coredump:
# adb /usr/local/libexec/slapd core.slapd.220
core file = core.slapd.220 -- program ``/usr/local/libexec/slapd'' on platform SUNW,SPARC-Enterprise-T5120
SIGABRT: Abort
$c
libc.so.1`_lwp_kill+8(6, 0, fed87080, fecede54, ffffffff, 6)
libc.so.1`abort+0x110(b07ff4e8, 1, fed833f0, ffba0, fed85518, 0)
libc.so.1`_assert+0x64(12d0d0, 12c9d0, 3a8, 0, ff8bc, 19418c)
connection_next+0x138(0, b07ff7c4, b07ff7c0, 199d1c, fd17ba00, 1a2000)
0x112574(8000, b07ffcb8, 5e9bb4, 199d1c, b07ff8a8, 1c77a8)
monitor_entry_create+0x94(714ba50, b07ffcb8, 0, 545d64, b07ff8a8, 546084)
0xe1eec(714ba50, b07ffcb8, 545d3c, 0, 1, 1a2400)
monitor_back_search+0x248(714ba50, b07ffcb8, 0, 142a7da8, e1fb8, 1971d8)
fe_op_search+0x420(714ba50, b07ffcb8, 12d838, 0, 1a2928, 1a2a20)
do_search+0x618(714ba50, b07ffcb8, fed87940, 0, 3f0f4, b07ffa38)
0x3da44(b07ffe08, 714ba50, fed87940, 0, fd17ba00, 0)
0x3e3d0(0, 2f, fed87940, 0, fd17ba00, 2330ec)
libldap_r-2.4.so.2`ldap_int_thread_pool_wrapper+0x190(2330a8, b0800000, 0, 0, ff30ed80, 1)
libc.so.1`_lwp_start(0, 0, 0, 0, 0, 0)
pflags shows that lwp 25 might be the culprit:
# pflags core.slapd.220
core 'core.slapd.220' of 220: /usr/local/libexec/slapd -4 -u ldap -g ldap -f /dpool/vg0092-data/ldap
data model = _ILP32 flags = MSACCT|MSFORK
/1: flags = STOPPED lwp_wait(0x4,0xffbffb34)
why = PR_SUSPENDED
/2: flags = STOPPED pollsys(0x4,0x9f,0x0,0x0)
why = PR_SUSPENDED
/3: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/4: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/5: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/6: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/7: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/8: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/9: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/10: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/11: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/12: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/13: flags = DETACH|STOPPED
why = PR_SUSPENDED
/14: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/15: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/16: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/17: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/18: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/19: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/20: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/21: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/22: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/23: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/24: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/25: flags = DETACH
sigmask = 0xffffbefc,0x0000ffff cursig = SIGABRT
/26: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/27: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/28: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/29: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/30: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/31: flags = DETACH|STOPPED
why = PR_SUSPENDED
/32: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/33: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
/34: flags = DETACH|STOPPED lwp_park(0x4,0x0,0x0)
why = PR_SUSPENDED
pstack:
----------------- lwp# 25 / thread# 25 --------------------
fed0e8cc _lwp_kill (6, 0, fed87080, fecede54, ffffffff, 6) + 8
fec82950 abort (b07ff4e8, 1, fed833f0, ffba0, fed85518, 0) + 110
fec82b8c _assert (12d0d0, 12c9d0, 3a8, 0, ff8bc, 19418c) + 64
0003cc64 connection_next (0, b07ff7c4, b07ff7c0, 199d1c, fd17ba00, 1a2000) + 138
00112574 ???????? (8000, b07ffcb8, 5e9bb4, 199d1c, b07ff8a8, 1c77a8)
00114670 monitor_entry_create (714ba50, b07ffcb8, 0, 545d64, b07ff8a8, 546084) + 94
000e1eec ???????? (714ba50, b07ffcb8, 545d3c, 0, 1, 1a2400)
000e2200 monitor_back_search (714ba50, b07ffcb8, 0, 142a7da8, e1fb8, 1971d8) + 248
0004005c fe_op_search (714ba50, b07ffcb8, 12d838, 0, 1a2928, 1a2a20) + 420
0003f70c do_search (714ba50, b07ffcb8, fed87940, 0, 3f0f4, b07ffa38) + 618
0003da44 ???????? (b07ffe08, 714ba50, fed87940, 0, fd17ba00, 0)
0003e3d0 ???????? (0, 2f, fed87940, 0, fd17ba00, 2330ec)
ff30ef10 ldap_int_thread_pool_wrapper (2330a8, b0800000, 0, 0, ff30ed80, 1) + 190
fed0abd8 _lwp_start (0, 0, 0, 0, 0, 0)
Questions:
- Is this a known problem?
- If yes: is it already fixed in OpenLDAP 2.4.34 or can it be circumvented?
- If no: Is there any additional info I can provide which might be helpful?
Sending the coredump is no option yet as it contains all password hashes etc.
Regards
Jürgen Sprenger
E-Mail: mailto:juergen.sprenger@swisscom.com
Internet: http://www.swisscom.com/it-services
9 years, 2 months