openldap-technical September 2013

openldap-technical@openldap.org

72 participants
78 discussions

a few MDB questions
by Brent Bice 03 Sep '13

03 Sep '13

I'm trying out the mdb backend before converting several of our LDAP servers to it and have a few questions I haven't found answers to yet. Firstly, I found when I spun up an instance using MDB that I couldn't have more than 1000 leaf nodes. It appears when I tried to create the 1001st leaf node, one of the earlier nodes disappeared. Is this a known limitation or just a config option I don't see in the slapd-mdb man page? Right now my config just contains: database mdb masxize 2147483648 suffix "dc=mysuffix,dc=com" rootdn "cn=Manager,dc=sgi,dc=com" rootpw myrootpw directory /data/ldap/instance-v1.4/var/openldap-data [... a bunch of indexes ...] checkpoint 1024000 60 The total size of the DB was only 412 megs so far and each of three branches in the DB appeared to be limited at 1000 leaf nodes so I don't think I was just hitting a maxsize limit. Which leads me to the 2nd question... The maxsize option (according to what I've read) is the maximum size of the database in bytes. But it looks to me like the biggest value I can specify is 4G - the biggest value for an unsigned long. Would this be cuz the system I'm testing on is a 32bit version of linux? (unsigned long is only 4 bytes whereas on a 64 bit OS unsigned longs are 8 bytes) I can just switch to a 64 bit system, easy-peasy. But I'm not sure why I seem to be limited to 1000 leaf nodes. Brent

2 4

schema extension trouble
by Horatiu Nimigean 03 Sep '13

03 Sep '13

Greetings, I have an $OpenLDAP: slapd 2.4.23 on centos 6.4 installed and i need to extend the schema to fit my setup. all i need is to add to my users in ou People a simple boolean attribute named vpnStatus that i want to be the basis upon which users are given vpn access or not. i created /etc/openldap/schema/local.schema containing > attributetype ( 1.2.3.4.5.6.7.000.1 > NAME 'accountStatus' > DESC 'boolean - defines if user has access to vpn' > EQUALITY booleanMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 > SINGLE-VALUE ) the OID is random picked. i restarted slapd without error but i can't find this attribute anywhere. i have apache directory studio used for editing and lam as a web gui and i can't find it there either. i'm a bit confused. then i tried to export this attribute as ldif (using apache ds) and import it using cli tools: > > ldapadd -x -W -h 127.0.0.1 -D "cn=Manager,dc=example,dc=com" -f > /tmp/vpnSchema.ldif > > Enter LDAP Password: > adding new entry "cn=vpnSchema, ou=schema" > ldap_add: Invalid syntax (21) > additional info: objectclass: value #0 invalid per syntax what do i need to do ?

2 1

Error message with memberof overlay
by Sylvain 03 Sep '13

03 Sep '13

Hi ! In my logs, I saw lot of lines like this (we have a poor script which refresh the base with delete/add primitives) : memberof_value_modify DN="uid=v6971,ou=people,dc=xxx,dc=com" delete memberOf="cn=VAC,ou=groups,dc=xxx,dc=com" failed err=16 I can reproduce the problem with a small LDIF : # 1st part dn: uid=V6971,ou=people,dc=xxx,dc=com changetype: delete dn: uid=V6971,ou=people,dc=xxx,dc=com changetype: add objectClass... # 2nd part dn: cn=VAC,ou=groups,dc=xxx,dc=com changetype: delete dn: cn=VAC,ou=groups,dc=xxx,dc=com changetype: add objectClass... In the logs (shown below), we saw that problem occurs only on the delete of cn=VAC but if I reduce the LDIF to that (2nd part), I have no more the problem !? I don't understand... Here the logs with all the LDIF : Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 fd=32 ACCEPT from IP= 192.168.0.1:48049 (IP=0.0.0.0:389) Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" method=128 Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" mech=SIMPLE ssf=0 Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 RESULT tag=97 err=0 text= --> Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=1 DEL dn="cn=VAC,ou=groups,dc=xxx,dc=com" --> Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1: memberof_value_modify DN="uid=v6971,ou=people,dc=xxx,dc=com" delete memberOf="cn=VAC,ou=groups,dc=xxx,dc=com" failed err=16 Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1 RESULT tag=107 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 ADD dn="cn=VAC,ou=groups,dc=xxx,dc=com" Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 RESULT tag=105 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 DEL dn="uid=V6971,ou=people,dc=xxx,dc=com" Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 RESULT tag=107 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=4 ADD dn="uid=V6971,ou=people,dc=xxx,dc=com" Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=4 RESULT tag=105 err=0 text= Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=5 UNBIND Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 fd=32 closed And here the logs with only the 2nd part of LDIF : Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 fd=107 ACCEPT from IP= 192.168.0.1:43599 (IP=0.0.0.0:389) Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" method=128 Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" mech=SIMPLE ssf=0 Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 RESULT tag=97 err=0 text= --> Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=1 DEL dn="cn=VAC,ou=groups,dc=xxx,dc=com" Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=1 RESULT tag=107 err=0 text= Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=2 ADD dn="cn=VAC,ou=groups,dc=xxx,dc=com" Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=2 RESULT tag=105 err=0 text= Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=3 UNBIND Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 fd=107 closed For information, here the configuration of memberOf overlay : dn: olcOverlay={0}memberof, olcDatabase={1}hdb, cn=config olcMemberOfMemberAD: member olcMemberOfRefInt: FALSE olcOverlay: memberof olcMemberOfDangling: ignore objectClass: olcMemberOf objectClass: olcOverlayConfig olcMemberOfMemberOfAD: memberOf olcMemberOfGroupOC: groupOfNames We run OpenLDAP 2.4.31 replicated onto another host on Debian Wheezy. Do you have an idea on the problem ? Thanks, Sylvain

2 3

Re : Re: (ITS#7676) OpenLDAP 2.4.36 slapd crash with "assertion failed" message
by "POISSON Frédéric" 03 Sep '13

03 Sep '13

Hello all, Thanks first for the patch, i have applied it on my own build of 2.4.36 but i have now a strange behavior, the slapd do not crash but it refused operations. First here is the diff after applying the patch : $ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig 3795d3794 < slap_tls_ctx = NULL; 3804,3808d3802 < } else { < if ( rc == LDAP_NOT_SUPPORTED ) < rc = LDAP_UNWILLING_TO_PERFORM; < else < rc = LDAP_OTHER; Now when i only add or replace only attribute olcTLSRandFile on cn=config i have : ldap_modify: Server is unwilling to perform (53) When i replace following values in this order with 4 actions/operations or with a single action/operation it works : dn: cn=config changetype: modify replace: olcTLSCACertificateFile olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem - replace: olcTLSCertificateFile olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem - replace: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem - replace: olcTLSRandFile olcTLSRandFile: /dev/random But it don't works with only olcTLSRandfile if i do an add or replace first, why ? What do you need for investigation ? Regards, PS: Sorry this is my second post for a better reading... -- Frederic Poisson

2 1

Cannot bind with 2.4.35
by Olivier Nicole 02 Sep '13

02 Sep '13

Hi, I have a small program that I wrote some time back. It authenticates against an LDAP server. Linked with the library provided with OpenLDAP 2.3.40 it works fine, but when I tried to upgrade to 2.4.35, it would not bind anymore. The LDAP server (on a different machine) has not changed, the version of my program with the old library is still working fine. I am getting the error: Can't contact LDAP server I am useing self signed CA. The program is below. Thank you in advance, Olivier i=ldap_initialize(&ldap, "ldaps://ldap.x.y.z/"); if (i != LDAP_SUCCESS) { ERROR; } i=ldap_set_option(ldap, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); if (i!=LDAP_OPT_SUCCESS) { ERROR; } i=ldap_set_option(ldap, LDAP_OPT_RESTART, LDAP_OPT_ON); if (i!=LDAP_OPT_SUCCESS) { ERROR; } res=LDAP_VERSION3; i=ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &res); if (i!=LDAP_OPT_SUCCESS) { ERROR; } /* DN containts the dn and passwd contains the password, they are correct */ i=ldap_bind_s(ldap, DN, passwd, LDAP_AUTH_SIMPLE); if (i != LDAP_SUCCESS) { if (i==49) { /* bad user or password */ } else if (i==53) { /* empty password */ } else { /* print ldap_err2string(i) */ /* this is where I get the error */ } } --

2 1

Extending schema problem.
by Mónico Briseño 02 Sep '13

02 Sep '13

Hi all. I'm new using openldap. I googled all info related with it. I decided to extend a ldap schema. but it didn't work. The error message is the following: adding new entry "cn=Gerald W. Cummings,ou=people,dc=example,dc=com" ldap_add: Undefined attribute type (17) additional info: businessName: attribute type undefined I had that error with the following files: #new object schema objectClass ( 1.3.6.1.4.1.4203.666.1.100 NAME 'YoLinuxPerson' DESC 'X-Person' SUP inetOrgPerson STRUCTURAL MAY ( personStatus $ preferredEmail $ mail2 $ businessName $ xmozillanickname $ birthdate $ c ) ) #new attributes # New attribute definitions: attributetype ( 1.3.6.1.4.1.4203.666.1.90 NAME 'personStatus' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) attributetype ( 1.3.6.1.4.1.4203.666.1.91 NAME 'preferredEmail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) attributetype ( 1.3.6.1.4.1.4203.666.1.93 NAME 'businessName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) attributetype ( 1.3.6.1.4.1.4203.666.1.94 NAME 'xmozillanickname' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) #attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate' SUP name ) Both files are inside of the schema folder with the same right that other files to run ldpap deamon without problem. ldap.conf file #Global section ##Include the minimum schema required. include /usr/local/etc/openldap/schema/core.schema ##Added to support the inetOrgPerson object. include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inteorgperson.schema #testing schemas include /usr/local/etc/openldap/schema/new-object.schema include /usr/local/etc/openldap/schema/new-attributes.schema What did I wrong? TIA -- M.S. José M. Briseño Cortés Universidad de Guadalajara Instructional Technologist Univ. Houston Moodle Teacher Certificate NTCM, IACEP, iNACOL, ACM member

3 3

Replicate part of cn=config in Multi-Master mode
by Yann Bordenave 02 Sep '13

02 Sep '13

Hello, I am running a Multi-master system with 3 nodes, replicating both main database and configuration database. I want to be able to have local configuration on every single node of my system. Is there a way to replicate just a part of cn=config database and still be able to modify the other part. As far I as understand, the filter option in syncrepl allows us to replicate a subtree but will I be able to replicate multiple subtrees with one filter ? Thanks for your answers. -- Yann Bordenave - Intern, R&E Infrastructure Smartjog S.A.S. - http://www.smartjog.com - Groupe TDF 27 Bd Hippolyte Marques, 94200 Ivry sur Seine, France Cell : +33.6.68.86.81.61

1 0

Limit value count of multivalued attribute?
by Ole 01 Sep '13

01 Sep '13

Hi, i'm searching a solution to limit the number of values for multivalued attributes. For example, my users can wirte multivalued "mail". But they should set only 20 mailaddress in max, not 20.000. Is there a way to do this with overlays? Regards Ole

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2013