openldap-technical November 2014

openldap-technical@openldap.org

66 participants
69 discussions

syncrepl and change in ordering
by Amol Kulkarni 27 Nov '14

27 Nov '14

Hello, I've a openldap 2.4.30 syncrepl setup which is used by our applications. There are over 50 servers in the setup. I want to upgrade our application to the next version. In a single downtime, all servers cannot be upgraded. So the application will be upgraded in phase wise manner. Application upgrade requires some changes in ldap schemas. I want to update the schemas in same phases as the application so as to avoid separate downtime for schema update. I'm planning to update schema on the consumers first and provider last so that during the phases, some servers with old schemas and others with new schemas both replicate properly. schemachecking is set to off on all servers. I understand that new attributes added in schema will not be present on provider at the beginning, so there is no question of their replication. I've compared the schemas and found that none of the attributes is deleted. Only change is that for some attributes we have added 'ordering' and for some we have changed the 'equality'. I'm not using cn=config - if that is a consideration. So will it all work ? Is there a better way? Thanks in advance, Amol Kulkarni.

3 3

Re: ldaps replication question
by wailok tam 26 Nov '14

26 Nov '14

Hi, thanks a lot for your reply. I want to leave the password in text first and go step by step. Do you mind highlighting those lines needed for a SSL thru ldaps configured slave? I find information about modifying another slapd file under etc/defaults on debian base system but I dont know what to do with those on Redhat 5. What is the corresponding file on Rh and what to do in them on the master and slave? ------------------------------ On Wed, Nov 26, 2014 12:57 PM GMT Dieter Klünter wrote: >Am Wed, 26 Nov 2014 06:39:25 +0000 (UTC) >schrieb wailok tam <wailoktam(a)yahoo.com>: > >> Hi, all, >> I cannot get replication to work even I get no error message. I >> change a record on the Master but when I check it on the slave, it >> remains unchanged. (Is it immediate?) The following command on slave: >> ldapsearch -x -h [MASTER HOST NAME] -W -D >> 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=tam)' >> returns no error message and gives the expected record. I am >> suspecting I may have screwed up the ssl/tls setting for the slave as >> I dont know what to put there. >[...] > >This is a simplified slapd.conf that may help. > >http://pastebin.com/JcDz6Tkh > >-Dieter > >-- >Dieter Klünter | Systemberatung >http://sys4.de >GPG Key ID: E9ED159B >53°37'09,95"N >10°08'02,42"E

1 0

using ldap database (multiple upstream servers), how to force reconnect after failover?
by David Young 26 Nov '14

26 Nov '14

Hi technical, We have an openldap server (v2.4.39) which acts as a reverse proxy for 2 backend servers (replicated). The intention is that we use this "proxy" server for authentication requests for applications which can't handle SSL, or multiple backend servers, properly. The implementation works as designed - a query is received from a client, passed on to the first server defined in olcDbURL (server1). If the first server is unavailable, after a brief timeout (1 sec), the query is passed to the second server in the oldDbURL (server2). Here's the problem - server1 is never polled again. Queries continue to be passed to server2, but when server2 is unavailable, all queries fail, even if server1 is now available again. Is there a config directive I can use to force ldap to reattempt connection to server1 after the initial failure? My config is below. Thanks :) David --- dn: olcDatabase={1}ldap objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {1}ldap olcSuffix: dc=mydomain,dc=net,dc=nz olcAddContentAcl: FALSE olcLastMod: FALSE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcDbURI: "ldaps://server1 ldaps://server2" olcDbStartTLS: none starttls=no olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbNetworkTimeout: 1 olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE structuralObjectClass: olcLDAPConfig entryUUID: 01eb5074-6f65-1033-8a02-cd0b00053594 creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140514033850Z olcDbIdleTimeout: 1m olcDbConnTtl: 5m entryCSN: 20140514033850.182221Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140514033850Z

1 0

Invalid DN errors
by Nick Bright 26 Nov '14

26 Nov '14

Greetings, I hope this is an appropriate mailing list to ask for some assistance. I will state up front that my LDAP experience is extremely limited - essentially noob level. I've been attempting to set up openldap 2.4.39 on CentOS 6 via the official distribution packages. The server is up and running, and my application is connecting successfully, and attempting to add entries to the directory; so I believe I have the most fundamentals in place like the directory manager password, and basic base DN. When connecting with an LDAP browser, I see "dc=valnet,dc=net" which was the configured base DN. When my application attempts to add to the directory it searches for the entry, then adds if the entry isn't found. I'm receiving this error: 54760bfd conn=1003 op=971 do_search: invalid dn: "x500UniqueIdentifier=45270,dc=valnet,dc=net" 54760bfd conn=1003 op=971 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN 54760bfd conn=1003 op=972 do_add: invalid dn (x500UniqueIdentifier=45270,dc=valnet,dc=net) 54760bfd conn=1003 op=972 RESULT tag=105 err=34 text=invalid DN I suspect that I am missing some sort of extremely basic configuration item, but I've been having a very very difficult time locating relevant documentation - everything I find in my searches references the old style configuration, not the new style LDIF configuration with cn=config directories, nor have I found any information about how to troubleshoot an "invalid DN" error. It appears that I may be missing a schema file such as inetOrgPerson or nis. The application is attempting to create entries with these attributes: Primary Key: x500UniqueIdentifier Attributes: cn, uid, sn, givenname, userPassword, dn, x500UniqueIdentifier I would appreciate some basic guidance as to what to do, or some direction to the proper documentation or guide for solving "invalid DN" while attempting to add entries to the directory. -- ----------------------------------------------- - Nick Bright - - Vice President of Technology - - Valnet -=- We Connect You -=- - - Tel 888-332-1616 x 315 / Fax 620-331-0789 - - Web http://www.valnet.net/ - ----------------------------------------------- - Are your files safe? - - Valnet Vault - Secure Cloud Backup - - More information& 30 day free trial at - - http://www.valnet.net/services/valnet-vault - -----------------------------------------------

3 5

Setting SSL/TLS options in client code?
by Scott Neugroschl 26 Nov '14

26 Nov '14

Right now, I'm passing an ldaps:// URI to ldap_initialize. I'd like to be able to change the SSL/TLS options before initiating the connection. Is such a thing possible? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

3 2

TLS Configuration
by Hydro Tium 26 Nov '14

26 Nov '14

Hi guys, I'm struggling to configure my OpenLDAP with TLS (openssl) without success. I'm receiving the following error: $ sudo slapd -d 3 ... TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed 5475ca9c main: TLS init failed: -1 My configuration is the following: dn: cn=config objectClass: olcGlobal cn: config olcPidFile: /var/run/slapd/slapd.pid olcArgsFile: /var/run/slapd/slapd.args olcIdleTimeout: 7 olcLogLevel: conns filter stats none olcReferral: ldap://root.openldap.org olcTLSCACertificateFile: /etc/ssl/certs/My_Root_CA.pem olcTLSCertificateFile: /etc/ssl/certs/My_Root_CA.pem olcTLSCertificateKeyFile: /etc/ldap/server.key.pem olcTLSVerifyClient: demand olcTLSRandFile: /dev/urandom Any clues on how to solve this one?

4 4

Cannot add to mdb
by Da Rock 26 Nov '14

26 Nov '14

I'm trying to get openldap to play nice with mdb given that it is the "recommended" database backend for it now- although the conf wasn't an issue excepting I'm playing with the new cn=config setup we're expected to use now as well (even though it is mainly broken). My issue is that it seems to not respond like the older bdb/hdb databases. And when I say respond, I mean it hangs the ldapadd and makes slapd go into conniptions. I see slapd go to 100% WCPU and not come down as well as going into a uwait state. I've left it going for 10 minutes or more with no change, and I'm only adding 1 small entry of less the 10 lines. Strangely, I can still view other entries in the specific db as well access the rest of the server, which I won't complain about (aren't threads a wonderful invention? ). So coming to the experts - got a fix at all? Or should I just go back to ye olde db backends? At this point I have a db I can't add anything to. And before anyone asks, there is practically nothing in the logs that I can see; and I set the logging to everything (-1). I see recognition of the user in the acl and then nothing. The only possible curious entry is some blank lines and a number (that changes each time), so nothing informative. I set it up using the cn=config (and I'm still not entirely convinced that I will keep cn=config, but apparently it could be gone next version according to the grapevine, so the consensus is to suck it up and get used to it or your panties will get in a bunch and around your ankles when the upgrade comes along), and I've got only olcDBMaxSize. olcSizeLimit (not sure exactly which of these 2 can go just yet), olcDBMode, olcDBDirectory, and olcDatabase and the obviously root attrs. My max size I've set larger than 50M (so 7 digits) which is larger than what I have in another db so far, and I figure I can add more if needed - currently it is sitting at 64k. I'm using FreeBSD 9.1, ports Openldap version is 2.4.40_1 with bdb/hdb and mdb set in config. But I notice lmdb is not installed as a dependency - is this right? I've been on this for near a week now with no further advancement so any help would be very welcome at this point. No googling seems to find anything remotely similar either. TIA

2 4

Unexpected growth in mdb database file
by Rene B. Elgaard 26 Nov '14

26 Nov '14

I have gone through an upgrade proces from OpenLDAP 2.4.21 to 2.4.40 and took the opportunity to switch from the bdb backend to mdb. I am expiriencing an (in my eyes) unexpected growth of the mdb database file. Two types of setup: Setup 1: One master, one slave Setup 2: Two masters MMR (read,write,syncrepl goes to one master, three slaves) I see the growth in both setups on the master, who services read,write and syncrepl. In setup 2 the master, who is "idle" and only syncrepl's with the other master, does not grow more than expected. Example from setup 2: Servicing master: -rw------- 1 openldap openldap 4294963200 Nov 26 10:18 data.mdb Non-servicing master: -rw------- 1 openldap openldap 271347712 Nov 26 10:18 data.mdb Quite a difference ! A slapcat on the servicing master shows that I have no where near 4 Gb of data, here from my nightly backup: -rw------- 1 openldap openldap 73389431 Nov 25 23:46 20141125234504_slapd-dump.ldif I have the same backend configuration on all masters: database mdb maxsize 8589934592 suffix "c=<country>" rootdn "cn=Manager,o=<some-org>,c=<country>" rootpw <some-pw> directory <some-path> index objectClass,entryCSN,entryUUID eq No overlays involved. Operating system is Solaris 10. OpenLDAP compiled with Oracles compiler, compiler flags are: export CC="cc" export CFLAGS="-m64 -fast -D_AVL_H" Unsure how to proceed. Should I file an ITS (looks somewhat like 7974 though) ? I may also have missed something entirely... Happy to provide further info. /Rene

1 0

OpenLDAP incroyable!
by Onno van der Straaten 26 Nov '14

26 Nov '14

What was created with OpenLDAP is incredible. Truly. Experienced with open source but never seen before a system that is so archaic. Amazing. The way that configuration works is something that has to be seen and experienced to be believed. There must be strong commercial interest served here to create a system that works in this manner. It allows for configuration changes that corrupt the installation but will now allow manual correction of the configuration. Chicken and egg. To correct the configuration you have start OpenLDAP and ldapmodify the config files. But.... OpenLDAP will not start because the configuration is not correct. Really funny. And if you try to manually undo your changes, OpenLDAP will completely refuse to put itself into something that resembles a working configuration. It is fairly easy to make configuration changes that corrupt the database. Documentation is often incorrect or non-existing. For example try to add sha2 support. Accidentally add non existing hash method will create a corrupt configuration. If you slapd restart it will fail to start. To correct the configuration you need to start slapd. To start slapd you need correct configuration. It is the end of your efforts. I'm not doing this on a production system of course, I am trying to create a production system where OpenLDAP is on of the many components. So far most of the effort is OpenLDAP effort. It is consuming most of the project budget. A project of a couple of days turns into a project for a couple of weeks. We just need a LDAP user directory. OpenLDAP is not it.

8 14

ldaps replication question
by wailok tam 26 Nov '14

26 Nov '14

Hi, all, I cannot get replication to work even I get no error message. I change a record on the Master but when I check it on the slave, it remains unchanged. (Is it immediate?) The following command on slave: ldapsearch -x -h [MASTER HOST NAME] -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=tam)' returns no error message and gives the expected record. I am suspecting I may have screwed up the ssl/tls setting for the slave as I dont know what to put there. The master is set to use ssl/tls and it communicates fine with the client thru the ldaps protocol. Your help is much needed. First come the slapd.conf of the slave (I dont have the lines for ssl certs. I just use the ldaps address in the replication directive. Is that enough?): ### configuration for IER### writeen by T.Tanaka include /etc/openldap/schema/core.schemainclude /etc/openldap/schema/cosine.schemainclude /etc/openldap/schema/inetorgperson.schemainclude /etc/openldap/schema/nis.schemainclude /etc/openldap/schema/samba.schema # Allow LDAPv2 client connections. This is NOT the default.allow bind_v2 # Do not enable referrals until AFTER you have a working directory# service AND an understanding of referrals.#referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pidargsfile /var/run/openldap/slapd.args ######################################################################## ldbm and/or bdb database definitions####################################################################### database bdbsuffix "dc=ier,dc=hit-u,dc=ac,dc=jp"rootdn "cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"rootpw SLAVEPWdirectory /var/lib/ldap # Replicas of this database # Indices to maintain for this databaseindex objectClass eq,presindex ou,cn,mail,surname,givenname eq,pres,subindex uidNumber,gidNumber,loginShell eq,presindex uid,memberUid eq,pres,subindex nisMapName,nisMapEntry eq,pres,subindex entryCSN,entryUUID eq idlcachesize 1000 access to attrs=userPassword by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write by self write by anonymous auth by * none access to * by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write by self write by * read #loglevel stats sync syncrepl rid=001 provider=ldaps://mail.ier.hit-u.ac.jp type=refreshAndPersist interval=00:00:05:00 searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp" binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" credentials=SLAVEPW Next come the slapd.conf of the master: ### configuration for IER### writeen by T.Tanaka### edited by WL.Tam include /etc/openldap/schema/core.schemainclude /etc/openldap/schema/cosine.schemainclude /etc/openldap/schema/inetorgperson.schemainclude /etc/openldap/schema/nis.schemainclude /etc/openldap/schema/samba.schema # Allow LDAPv2 client connections. This is NOT the default.allow bind_v2 pidfile /var/run/openldap/slapd.pidargsfile /var/run/openldap/slapd.args ######################################################################## ldbm and/or bdb database definitions####################################################################### database bdbsuffix "dc=ier,dc=hit-u,dc=ac,dc=jp"rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"rootpw MASTERPWdirectory /var/lib/ldap TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crtTLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crtTLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key overlay syncprovsyncprov-checkpoint 50 10syncprov-sessionlog 100 # Indices to maintain for this databaseindex objectClass eq,presindex ou,cn,mail,surname,givenname eq,pres,subindex uidNumber,gidNumber,loginShell eq,presindex uid,memberUid eq,pres,subindex nisMapName,nisMapEntry eq,pres,subindex entryCSN,entryUUID eq idlcachesize 1000 access to attrs=userPassword by self write by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read by anonymous auth by * none access to attrs=SambaLMPassword,SambaNTPassword by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read by self read by anonymous auth by * none access to * by self write by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read by * read

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2014