openldap-technical May 2013

openldap-technical@openldap.org

67 participants
76 discussions

invalid value for attributeType olcSuffix while restoring cn=config (slapd-2.4.33)
by Igor Zinovik 06 May '13

06 May '13

Hello, openldap-technical@ readers. I backed up cn=config from openldap-2.4.33 and now i try to restore it, but with no success. I made backup copy this way: ldap1# sudo slapcat -b cn=config -F /etc/openldap/slapd.d -l config.ldif After this i created new clean VM with opensuse 12.3 and slapd 2.4.33 opensuse# slapadd -u -F /etc/openldap/slapd.d -b cn=config -l config.ldif 5187acde str2entry: invalid value for attributeType olcSuffix #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12) slapadd: could not parse entry (line=3206) _################### 98.19% eta none elapsed none spd 19.9 M/s opensuse# fgrep -n olcSuffix config.ldif 522:olcAttributeTypes: ( OLcfgDbAt:0.10 NAME 'olcSuffix' EQUALITY distinguishedNam 1049: n $ olcSuffix $ olcSubordinate $ olcAccess $ olcAddContentAcl $ olcLastMod $ 3205:olcSuffix: dc=example,dc=ru 3411:olcSuffix: cn=example-log LDIF content around line 3206 is following: 3201: dn: olcDatabase={1}mdb,cn=config 3202: objectClass: olcDatabaseConfig 3203: objectClass: olcMdbConfig 3204: olcDatabase: {1}mdb 3205: olcSuffix: dc=example,dc=ru 3206: olcAddContentAcl: FALSE Here is trace: 5187b22a <<< dnPrettyNormal: <olcDatabase={1}mdb,cn=config>, <olcDatabase={1}mdb,cn=config> 5187b22a >>> dnPretty: <dc=example,dc=ru> 5187b22a str2entry: invalid value for attributeType olcSuffix #0 (syntax 1.3.6.1.4.1.1466.115.121.1. 12) slapadd: could not parse entry (line=3201)

1 0

Use LDAP netgroup to control NFS exports?
by jupiter 06 May '13

06 May '13

Hi, I am running LDAP server and NFS server on CentOS 6, is it true that LDAP can be used to control NFS exports authentication, uid and gid setting without needing to specifie client IP addresses , anonuid and anongid on NFS exports file? I saw some sample such as to define "/tmp/nfs2 @mynetgrp(rw,no_root_squash)" to exports file, it seems to me, you can add new user with IP address to LDAP entry anytine without updating exports file in NFS server? If it is correct, has the netgroup schema already been defined in /etc/openldap/schema? Could anyone kindly point me a link for document or howto for the setting in both LDAP and NFS exports? Thank you. Kind regards. Jupiter

2 1

About ppolicy
by Jacques Foucry 06 May '13

06 May '13

Hello Folks, On my openldap server I was using shadowAccount to enforce password change for my users. It works, but it's not really secure. Users can reuse old passwors, etc. So I had a look to ppolicy and appli this tutorial: http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html Some things are not clear for me. Did I have to disable shadowAccount on my schema? If not is shadowLastChange will be updated? I hope I need to include ppolicy schema on all my replica. Thanks in advance for your help, Jacques Foucry -- Jacques Foucry *NOVΛSPARKS * IT Manager Tel : +33 (0)1 42 68 12 61 jacques.foucry(a)novasparks.com

2 2

Modern Password Hashes in Openldap?
by Chris Hiestand 04 May '13

04 May '13

Since SSHA-1 is weak these days I'd like to switch to PBKDF2, Bcrypt or the like with key stretching. Since Openldap does not support relatively strong hashes, do you guys use SASL to store stronger hashes? If so, what kind of backend are you using to store hashes? Background: OclHashcat can generate tens of billions of SHA-1 hashes per second with off-the-shelf hardware. But it can only generate thousands of bcrypt hashes per second on similar hadware: https://hashcat.net/forum/thread-1541.html .

4 4

Questions about multiple identical values in a field
by Nicolas Mora 04 May '13

04 May '13

Hello, I'm currently programming a connector between a CardDAV server and a LDAP server in php. I'm using the schema inetOrgPerson which is good for most of the data but I have a problem with multiple equal data. The VCard data is set like this : ADR;TYPE=HOME:;;123 1st av;Montreal;QC;GGG RT3;CA which is translated into : street:: 123 1st av l: Montreal st:QC postalcode: GGG RT3 By default in the inetOrgPerson schema, the country code is not added, so I add a personalized schema with 2 fields : - countryCode ('c') - VCardUnassigned ('vcardunassigned') The second one is when a vcard field has no correspondance in the ldap schema Problem is, when you have multiple fields with the same value, you get an error 0x14 - LDAP_TYPE_OR_VALUE_EXISTS. Which is logical but kinda annoying if you want for example to add a second address in the same state or country, like : ADR;TYPE=HOME:;;321 42nd st;Montreal;QC;GGG RT1;CA Is there a way to save multiple equal values for an entry for some fields ?

4 3

Re: Questions about multiple identical values in a field
by Erwann Abalea 04 May '13

04 May '13

2013/5/3 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea <eabalea(a)gmail.com> > wrote: > > Can't you use the postalAddress attribute? >> With your examples, it should be something like: >> postalAddress: 123 1st av$Montreal$QC$GGG RT3$CA >> >> postalAddress: 321 42nd st$Montreal$QC$GGG RT1$CA >> > > This is almost the correct way to format it... it should be: > > postalAddress: 123 1st av $ Montreal $ QC $ GGG RT3 $ CA > If I correctly read RFC2252, the space character around the "$" isn't required: postal-address = dstring *( "$" dstring ) dstring = 1*utf8 And the provided examples don't include such spaces. I would also note that there is no guaranteed return order for values > unless you use weighted attributes. Is the weighted attribute standardized LDAP, or specific to OpenLDAP? I can't find supportive definition in RFC45* documents. > Generally the best thing to do if you are going to have multiple > addresses (say home, work, business, mailing, etc) is to have custom > attributes specifically for those addresses > Or maybe a subordinate leaf for each address (with address elements splitted in several attributes), to be able to use search filters. -- Erwann.

4 5

Re: Questions about multiple identical values in a field
by Erwann Abalea 03 May '13

03 May '13

2013/5/3 Quanah Gibson-Mount <quanah(a)zimbra.com>: > --On Friday, May 03, 2013 7:01 PM +0200 Erwann Abalea <eabalea(a)gmail.com> > wrote: > >> 2013/5/3 Quanah Gibson-Mount <quanah(a)zimbra.com> >>> --On Friday, May 03, 2013 6:24 PM +0200 Erwann Abalea <eabalea(a)gmail.com> >>> wrote: >>>> Can't you use the postalAddress attribute? >>>> With your examples, it should be something like: >>>> postalAddress: 123 1st av$Montreal$QC$GGG RT3$CA >>>> >>>> postalAddress: 321 42nd st$Montreal$QC$GGG RT1$CA >>> >>> This is almost the correct way to format it... it should be: >>> >>> postalAddress: 123 1st av $ Montreal $ QC $ GGG RT3 $ CA >> >> If I correctly read RFC2252, the space character around the "$" isn't >> required: >> >> postal-address = dstring *( "$" dstring ) >> dstring = 1*utf8 >> >> And the provided examples don't include such spaces. > > Please fix your email client to quote replies properly. ;) That's GMail, multipart/alternative stuff, with inline replying :( The text/plain part was mostly OK, but it's difficult to manually read+parse the quoted-printable text/html part... I have similar problems when using Google Groups. Switched to pure text, manually added missing quote levels, it should be better. >>> I would also note that there is no guaranteed return order for values >>> unless you use weighted attributes. >> >> Is the weighted attribute standardized LDAP, or specific to OpenLDAP? I >> can't find supportive definition in RFC45* documents. > > This is an OpenLDAP specific overlay (valsort). Nice to know it's non portable. >>> Generally the best thing to do if you are going to have multiple >>> addresses (say home, work, business, mailing, etc) is to have custom >>> attributes specifically for those addresses >> >> Or maybe a subordinate leaf for each address (with address elements >> splitted in several attributes), to be able to use search filters. > > Personally, I would avoid subtrees for this. I prefer to see all my data > for a given user stored with the user entry. But that's me. ;) I've used > custom AUX objectClasses for this in the past to attach to the person entry > if they had a specific type of addr. Then a simple copy of "TYPE=HOME:;;123 1st av;Montreal;QC;GGG RT3;CA" into a custom attribute (with a properly defined auxiliary class) should get the job done. -- Erwann.

1 0

RE: Chaining stops working after slapd restart
by Quanah Gibson-Mount 03 May '13

03 May '13

--On Monday, April 29, 2013 6:56 PM +0000 jeevan kc <jeev_biz(a)hotmail.com> wrote: > > No, I'm fully using cn=config on Openldap 2.4.30 . I'm working on the > chain overlay for the past couple of weeks and when now I finally was > able to get it working, I found I could modify the slaves until I restart > the server. After I restart the server the chaining doesn't work it says > "strong authentication required". So the chaining basically worked only > just before I restarted the server. > Thanks Please do not top post. Please keep replies to the list. Please verify whether or not you can reproduce this with OpenLDAP 2.4.35. Thanks, Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

4 5

Help with first immersion into LDAP
by Šerých Jakub 03 May '13

03 May '13

Dear group, I would like to ask you for the little help with the newbie first immersion into LDAP. The problem is, that I need to build LDAP proxy, that will connect information from two MS ADs into one meta LDAP. But all the beginers tutorials start from the building of the new fresh LDAP database on the server, so it's very hard for me to catch the first clues... My situation: Debian with openLDAP and two Microsoft Win2008 servers with AD. The commands from Linux server: ldapsearch -x -H ldap://192.168.0.10 -D "ldap-user" -w password -b "ou=studenti,dc=student,dc=intra" and ldapsearch -x -H ldap://192.168.100.5 -D "ldap-user" -w password -b "dc=panska,dc=intra" are fully functional and returning the results I need. But when I try to config openLDAP server just to play role of proxy between the client and AD server it is not working and I cannot find why. One of my attempts to set ldap.conf: loglevel 255 database ldap suffix "ou=studenti,dc=student,dc=intra" uri "ldap://192.168.0.10/" binddn "name=ldap-user" bindpw password I'm trying the functionality by the command: ldapsearch -x -H ldap://localhost -D "ldap-user" -w password -b "ou=studenti,dc=student,dc=intra" or ldapsearch -x -H ldap://localhost "ou=studenti,dc=student,dc=intra" Could somebody give me a tip, how to set the ldap.conf to do just this simple proxying for the begining? How can I track what is going on, if the openLDAP at least tries to send something to MS AD server and if yes, what is the structure of his query (the loglevel 255 doesn't seem to be very helpfull)? Sorry for that newbie type of question and thanks in advance for any info Jakub

2 1

Checking that a change has reached all servers
by Hallvard Breien Furuseth 03 May '13

03 May '13

We have clients which must check that an update has reached all LDAP servers before they start some task. So we need to publish a list of all servers. Where would you put that list, when clients should normally not contact these servers directly (ldap-prod*.uio.no) but instead contact the load balancer sitting in front of them (ldap.uio.no)? 'altServer' in the root DSE anyway, or has someone defined another attribute? With transactional backend databases, an existing slow LDAP operation predating the change might return the old value while this quick poll sees the change. I'm content to just tell clients to wait a second after seeing the change though, unless someone has brighter ideas. Finally, has anyone written a nice little server (LDAP or otherwise) which does this - client sends a request, server checks all LDAP servers and either returns true/false or waits & retries while false? -- Hallvard

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2013