Re: Antw: getting warning:var/lib/ldap/__db.004 is not owned by "ldap" and ldap wont start
by wailok tam
Hi, thanks. It is fixed now. I have run into another problem with doing replication over SSL on Red Hat. I don't know how to configure the slave. If you can help with my other post, that would be greatly appreciated.
From: Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>
To: openldap-technical(a)openldap.org; wailoktam(a)yahoo.com
Sent: Wednesday, November 26, 2014 5:26 PM
Subject: Antw: getting warning:var/lib/ldap/__db.004 is not owned by "ldap" and ldap wont start
>>> wailok tam <wailoktam(a)yahoo.com> wrote on 26.11.2014 at 04:36 in message
<1434320209.699036.1416973016975.JavaMail.yahoo(a)jws100111.mail.ne1.yahoo.com>:
> Hi, all, I get the warning given in the title and ldap stops even after
> reporting that it started successfully.
> The error is fixed by doing a chown for the affected files. It was
> mysteriously changed to root. I change it back to ldap and it works again.
> However, I want to know what has caused this to happen. Can anyone help?
Most likely: You started slapadd as root?
> I am in the course of changing a slurpd-based replication to a
> syncrepl-based replication. I suspect that is relevant.
> In the old and working master config:
>   rootdn: root
>   binddn for replication (slurpd) directive: replicator
> In the old and working slave config:
>   rootdn: replicator
>
> In the new master config:
>   rootdn: root
>
> In the new slave config:
>   rootdn: replicator
>   binddn for replication (syncrepl) directive: replicator
> What has caused the db.00X file to be owned by root?
> The new configs did start without error. But I find the replication is not
> doing its job when I check on the slave the data of a user account I changed
> on the master side. So I go back to the old config. And then the
> var/lib/ldap/__db.004 is not owned by "ldap" warning comes up and ldap won't
> start on the slave.
> Maybe the syncrepl has been working partially, just under a different name,
> and causes the problem? Maybe it is not working at all as I don't know what
> to put about ssl/tls in the slave config file. In the master, I have commented
> out the tls cert/key lines and access to the server by the client is done with
> the ldaps:// port. But I don't know what to do with the slapd.conf of the
> slave. Does it have to get the ssl lines commented out in order to be
> allowed to access the master?
> Any help would be greatly appreciated.
getting warning:var/lib/ldap/__db.004 is not owned by "ldap" and ldap wont start
by wailok tam
Hi, all, I get the warning given in the title and ldap stops even after reporting that it started successfully.
The error is fixed by doing a chown for the affected files. It was mysteriously changed to root. I change it back to ldap and it works again. However, I want to know what has caused this to happen. Can anyone help?
I am in the course of changing a slurpd-based replication to a syncrepl-based replication. I suspect that is relevant.
In the old and working master config:
  rootdn: root
  binddn for replication (slurpd) directive: replicator
In the old and working slave config:
  rootdn: replicator
In the new master config:
  rootdn: root
In the new slave config:
  rootdn: replicator
  binddn for replication (syncrepl) directive: replicator
What has caused the db.00X file to be owned by root?
The new configs did start without error. But I find the replication is not doing its job when I check on the slave the data of a user account I changed on the master side. So I go back to the old config. And then the var/lib/ldap/__db.004 is not owned by "ldap" warning comes up and ldap won't start on the slave.
Maybe the syncrepl has been working partially, just under a different name, and causes the problem? Maybe it is not working at all as I don't know what to put about ssl/tls in the slave config file. In the master, I have commented out the tls cert/key lines and access to the server by the client is done with the ldaps:// port. But I don't know what to do with the slapd.conf of the slave. Does it have to get the ssl lines commented out in order to be allowed to access the master?
Any help would be greatly appreciated.
Re: Antw: Re: multi master replication
by Guruprasad Kulkarni
I think I can have two "rid=000" because I do not see any complaints on the
logs (both masters) and the replication works. I'll have to read more about
this.
Thanks,
Guruprasad
On Nov 25, 2014 2:46 AM, "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de>
wrote:
> Hi!
>
> First I think you cannot have two "rid=000", second (unless you use
> certificates or more sophisticated mechs) your password will be visible in
> the config. That's why the config should be protected (and better not be
> sent to this list unmodified).
>
> Regards,
> Ulrich
>
> >>> Guruprasad Kulkarni <gkulkarni(a)gridcosystems.com> wrote on 24.11.2014
> at 20:01 in message
> <CAB6=W2stWBseeehyE7vPn-v1BG6Wro+WPZtqdMb8ZY0yFqrXSQ(a)mail.gmail.com>:
> > So I found an example for setting up multi master replication using
> > slapd.conf
> >
> > slapd.conf for MASTER 1
> >
> > # slapd master ldap1.example.com
> > # global section
> > serverID 001
> >
> > database bdb
> > ...
> >
> > access to *
> >   by dn.base="cn=admin,ou=people,dc=example,dc=com" read
> >   by * read
> >
> > syncrepl rid=000
> >   provider=ldap://ldap2.example.com
> >   type=refreshAndPersist
> >   retry="5 5 300 +"
> >   searchbase="dc=example,dc=com"
> >   attrs="*,+"
> >   bindmethod=simple
> >   binddn="cn=admin,ou=people,dc=example,dc=com"
> >   credentials=secret
> >
> > index objectClass eq
> >
> > mirrormode TRUE
> >
> > overlay syncprov
> > syncprov-checkpoint 100 10
> >
> >
> > slapd.conf for MASTER 2
> >
> > # slapd master ldap2.example.com
> > # global section
> > serverID 002
> >
> > database bdb
> > ...
> >
> > access to *
> >   by dn.base="cn=admin,ou=people,dc=example,dc=com" read
> >   by * read
> >
> > syncrepl rid=000
> >   provider=ldap://ldap1.example.com
> >   type=refreshAndPersist
> >   retry="5 5 300 +"
> >   searchbase="dc=example,dc=com"
> >   attrs="*,+"
> >   bindmethod=simple
> >   binddn="cn=admin,ou=people,dc=example,dc=com"
> >   credentials=secret
> >
> > index objectClass eq
> >
> > mirrormode TRUE
> >
> > overlay syncprov
> > syncprov-checkpoint 100 10
> >
> > My question is - Do the credentials have to be clear text passwords? If
> > not, how do I mention encrypted passwords? (I tried within quotes ' ' and
> > " ", but each time got invalid credentials error)
> >
> >
> >
> > On Mon, Nov 24, 2014 at 1:28 PM, Howard Chu <hyc(a)symas.com> wrote:
> >
> >> Guruprasad Kulkarni wrote:
> >>
> >>> Hi,
> >>>
> >>> I did have a look at the options and only "--enable-modules" option
> >>> talks about dynamic module support
> >>>
> >>> I tried "--enable-dynamic" option as well (the description for it is
> >>> enable linking built binaries with dynamic libs)
> >>>
> >>> What I do observe is that even though I have "moduleload syncprov.la"
> >>> directive in slapd.conf, slapd does not complain about it. So I guess
> >>> I do not have to specify the module path (syncreplication tests were
> >>> successful as well)
> >>>
> >>
> >> Correct, moduleload silently succeeds if you specify a module that was
> >> built statically.
> >>
> >>>
> >>> I also realized I was looking at the OLC configuration examples for
> >>> multi master. What I need to do is find slapd.conf example for multi
> >>> master.
> >>>
> >>>
> >>> On Mon, Nov 24, 2014 at 11:29 AM, Dieter Klünter <dieter(a)dkluenter.de
> >>> <mailto:dieter@dkluenter.de>> wrote:
> >>>
> >>> Am Mon, 24 Nov 2014 09:52:34 -0500
> >>> schrieb Guruprasad Kulkarni <gkulkarni(a)gridcosystems.com
> >>> <mailto:gkulkarni@gridcosystems.com>>:
> >>>
> >>> > I have 2 questions regarding multi master replication:
> >>> >
> >>> > 1. I built openldap 2.4.40 from source and according to the
> >>> > makefile, the module directory should be at /usr/local/libexec/openldap.
> >>> >
> >>> > However I do not see such a folder. Am I missing something? The
> >>> > options I used with configure were "--enable-debug --enable-modules
> >>> > --enable-hdb --enable-monitor --enable-ppolicy --enable-syncprov
> >>> > --with-tls --with-cyrus-sasl"
> >>> >
> >>> > I am asking because the multi master replication example
> >>> > (http://www.openldap.org/doc/admin24/replication.html#N-Way) needs
> >>> > me to load the syncprov.la module, but I am not sure if the
> >>> > modulepath given there is correct or not.
> >>>
> >>> You have probably not built dynamically loadable modules, but built-in
> >>> modules. You should run ./configure --help | less, which will show the
> >>> proper build choices.
> >>>
> >>
> >> --
> >> -- Howard Chu
> >> CTO, Symas Corp. http://www.symas.com
> >> Director, Highland Sun http://highlandsun.com/hyc/
> >> Chief Architect, OpenLDAP http://www.openldap.org/project/
> >>
> >
> >
> >
> > --
> > -Guruprasad
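The two master configurations quoted in this thread, run through a small check for the points raised in the replies: a serverID reused across masters, a rid repeated within one server's config, and a simple-bind password (syncrepl credentials= is always the literal bind password) sent over plain ldap:// without TLS. This is an added example, not code from the thread or from OpenLDAP; the config text is a constructed sample modelled on the posted one.

```python
import re

# Two slapd.conf fragments modelled on the pair posted above (constructed
# sample input, not the poster's real files; the second is derived from the
# first with serverID and provider swapped, as in the thread).
MASTER1 = """\
# slapd master ldap1.example.com
serverID 001
database bdb
syncrepl rid=000
  provider=ldap://ldap2.example.com
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=admin,ou=people,dc=example,dc=com"
  credentials=secret
mirrormode TRUE
overlay syncprov
"""
MASTER2 = MASTER1.replace("serverID 001", "serverID 002") \
                 .replace("provider=ldap://ldap2", "provider=ldap://ldap1")


def directives(text):
    """Split slapd.conf into logical lines: a line starting with whitespace
    continues the previous directive; blank lines and comments are dropped."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.strip())
    return out


def lint(configs):
    """Check a set of masters ({name: slapd.conf text}); return finding strings."""
    findings, server_ids = [], {}
    for name, text in configs.items():
        rids = set()
        for d in directives(text):
            if d.startswith("serverID "):
                sid = d.split()[1]
                if sid in server_ids:
                    findings.append("%s: serverID %s is already used by %s"
                                    % (name, sid, server_ids[sid]))
                server_ids[sid] = name
            elif d.startswith("syncrepl "):
                # key=value pairs, with quoted values kept whole
                kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', d))
                rid = kv.get("rid")
                if rid in rids:
                    findings.append("%s: rid=%s used twice on one server" % (name, rid))
                rids.add(rid)
                provider = kv.get("provider", "").strip('"')
                # credentials= is the literal simple-bind password; over plain
                # ldap:// without starttls it crosses the wire unencrypted
                if kv.get("bindmethod") == "simple" and "credentials" in kv \
                        and not provider.startswith("ldaps://") \
                        and kv.get("starttls") not in ("yes", "critical"):
                    findings.append("%s: rid=%s sends the bind password in clear to %s"
                                    % (name, rid, provider))
    return findings
```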
Re: Antw: Passwords, Hashing, and Binds
by Quanah Gibson-Mount
--On Monday, November 24, 2014 12:22 PM +0100 Onno van der Straaten
<onno.van.der.straaten(a)gmail.com> wrote:
> sudo make install
I'd generally advise you really read over the options to configure, and
build a better set of binaries. For example, leave out back-bdb/hdb, and
enable building things modularly.
My options are:
--with-cyrus-sasl \
--with-tls=openssl \
--enable-dynamic \
--enable-slapd \
--enable-modules \
--enable-backends=mod \
--disable-shell \
--disable-sql \
--disable-bdb \
--disable-hdb \
--disable-ndb \
--enable-overlays=mod \
--enable-debug \
--enable-spasswd \
--enable-crypt; \
> Make the sha2 module
> cd ~/openldap/contrib/slapd-modules/passwd/sha2
> sed -i.bak 's/-Wall -g/-Wall -g -fPIC/g' Makefile
> make
I do:
(cd openldap-$(LDAP_VERSION)/contrib/slapd-modules/passwd/sha2; \
$(MAKE) prefix=/usr/local LIBS="-L$(LDAP_LIB_DIR) -lldap_r -llber"
install STRIP=""; \
)
And then it installs it for me in the same location. Just make sure you
use the same prefix here.
> This results in a number of files pw-sha2.la sha2.lo sha2.o
> slapd-sha2.lo slapd-sha2.o
>
> The question now is how to install this on my target OpenLDAP server. I
> put the files in /usr/lib64/openldap and then tried to add the following
> dn: cn=module{0},cn=config
> changetype: modify
> replace: olcModuleLoad
> olcModuleLoad: slapd-sha2.la
I'm not sure that replacing olcModuleLoad is correct. If you already have
values in there, you probably want to keep them. I generally *add* an
additional value. In any case, your value for the attribute is incorrect.
The .la file is named, as in your email, pw-sha2.la, not slapd-sha2.la.
If you want to add it as an additional module to load, then you would do
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.la
My loaded modules are:
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/zimbra/openldap/sbin/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}back_monitor.la
olcModuleLoad: {2}syncprov.la
olcModuleLoad: {3}accesslog.la
olcModuleLoad: {4}dynlist.la
olcModuleLoad: {5}unique.la
olcModuleLoad: {6}noopsrch.la
olcModuleLoad: {7}pw-sha2.la
for example.
Now, if you want to make something like, say, SHA512 the default, then you
need to modify the frontend config db:
dn: olcDatabase={-1},cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA512}
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
multi master replication
by Guruprasad Kulkarni
I have 2 questions regarding multi master replication:
1. I built openldap 2.4.40 from source and according to the makefile, the
module directory should be at /usr/local/libexec/openldap.
However I do not see such a folder. Am I missing something? The options
I used with configure were "--enable-debug --enable-modules --enable-hdb
--enable-monitor --enable-ppolicy --enable-syncprov --with-tls
--with-cyrus-sasl"
I am asking because the multi master replication example
(http://www.openldap.org/doc/admin24/replication.html#N-Way) needs me to
load the syncprov.la module, but I am not sure if the modulepath given
there is correct or not.
2. Are the ldifs mentioned in the example enough with the following
slapd.conf file I have?
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
#custom password quality checker module location
modulepath /usr/local/lib
moduleload back_hdb.la
moduleload ppolicy.la
moduleload syncprov.la
database hdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw *rootpw*
access to *
by dn="cn=manager,dc=example,dc=com" write
by self write
by * read
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
loglevel 256
TLSCACertificateFile path_to_ca_certificate
TLSCertificateFile path_to_certificate_file
TLSCertificateKeyFile path_to_certificate_key_file
I am new to openLDAP and not sure how to set up multi master replication
properly.
--
-Guruprasad
can our redhat os be migrate into 64bit?
by Wang, Hui
Hi,
Our OpenLDAP is version 2.3.4, and it is currently installed on a 32-bit Red Hat. Can this server be migrated to 64 bits? I can't find the OS requirements for the different versions of OpenLDAP at this moment.
Thanks
Hui Wang (Holly)
CSUN IT Department
Identity and Directory Service
818-677-2031
holly.wang(a)csun.edu
Add attribute to already defined objectclass organizationalUnit in core.schema
by Shashi Ranjan
Hello,
I need to add two elements to organizationalUnit Object Class.
How can I do it without modifying the core.schema file?
Is there a way to define two new attributes in my private schema file (local.schema) and then extend the object class organizationalUnit defined in core.schema?
I do not want to modify the file core.schema.
I wish to deliver only my local schema file (local.schema) with other changes also.
P.S.: I'm new to OpenLDAP.
Thanks & Regards,
Shashi Ranjan
Re: Antw: Passwords, Hashing, and Binds
by Onno van der Straaten
Hi,
I need some help getting this SSHA512 support. I found the module in the
contrib directory passwd/sha2 but the README is still the old readme. It
doesn't explain how to install the module after compilation.
This is what I was able to do so far.
On a clean CentOS VM, make OpenLDAP 2.4.40:
sudo yum -y install git
mkdir openldap && cd openldap
git clone git://git.openldap.org/openldap.git .
git tag -l
git checkout tags/OPENLDAP_REL_ENG_2_4_40
sudo yum -y install gcc
export CXXFLAGS="$CXXFLAGS -fPIC"
sudo yum -y install db4 db4-devel
./configure
make depend
sudo make
sudo make install
Make the sha2 module
cd ~/openldap/contrib/slapd-modules/passwd/sha2
sed -i.bak 's/-Wall -g/-Wall -g -fPIC/g' Makefile
make
This results in a number of files pw-sha2.la sha2.lo sha2.o
slapd-sha2.lo slapd-sha2.o
The question now is how to install this on my target OpenLDAP server. I put
the files in /usr/lib64/openldap and then tried to add the following
dn: cn=module{0},cn=config
changetype: modify
replace: olcModuleLoad
olcModuleLoad: slapd-sha2.la
This gives me an error message
+ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f sha2.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcModuleLoad> handler exited with 1
adding new entry "cn=module{0},cn=config"
The readme only describes how this used to work. I followed the readme for
the older version of OpenLDAP 2.4.23. This produces one file slapd-sha2.o
exactly as described in the readme. I was able to install this module using
this readme. Problem is that I need SSHA-512 which the older module does
not support.
Any tips or suggestions will be much appreciated
Thanks and Regards,
Onno
On Fri, Aug 29, 2014 at 9:15 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> --On Friday, August 29, 2014 9:55 AM +0200 Ulrich Windl <
> Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>
>>>>> Bram Cymet <bcymet(a)cbnco.com> wrote on 28.08.2014 at 22:26 in
>>>>> message <53FF9080.1050209(a)cbnco.com>:
>>
>>> Hi,
>>>
>>> I am storing users passwords in a userPassword attribute. When the
>>> passwords are hashed with MD5 I can bind as the user just fine. If I
>>> hash the password with sha-256 I get invalid credentials.
>>>
>>
>> I wonder: My slappasswd only knows about {SHA} and {SSHA}, {MD5} and
>> {SMD5}, {CRYPT}, and {CLEARTEXT}. Section 14.4 of the manual indicates
>> that hashed passwords are non-standard anyway. So implement the
>> non-standard on your clients.
>>
>
> It takes 5 seconds to look in the contrib directory shipped with the
> source and find:
>
> SHA-2 OpenLDAP support
> ----------------------
>
> slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256,
> SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For
> instance, one could have the LDAP attribute:
>
> userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRC
> FpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg==
>
> or:
>
> userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7
> gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt
>
> or:
>
> userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
>
> all of which encode the password 'secret'.
>
> (etc). As I already stated, there's a module for this. I use it on my
> systems to add SSHA512 support.
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
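As an added example (not code from the thread or from the contrib pw-sha2 module), the following Python generates and verifies the {SHA256}/{SSHA512}-style userPassword values discussed in this thread, using the digest-then-salt layout slapd uses for {SSHA}: base64 of the digest followed by the raw salt. It reproduces the {SHA256} value quoted from the README above; the 8-byte salt length is an assumption.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Digest behind each scheme the contrib pw-sha2 module registers.
SCHEMES = {
    "SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512,
    "SSHA256": hashlib.sha256, "SSHA384": hashlib.sha384, "SSHA512": hashlib.sha512,
}


def make_userpassword(password, scheme="SSHA512", salt=None):
    """Return a userPassword value, e.g. {SSHA512}base64(digest(pw + salt) + salt).

    Unsalted {SHA*} values carry only the digest; salted {SSHA*} values append
    the raw salt after the digest, the same layout slapd uses for {SSHA}.
    """
    scheme = scheme.upper()
    digest = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if scheme.startswith("SSHA"):
        salt = os.urandom(8) if salt is None else salt   # fresh salt per value (8 bytes assumed)
        raw = digest(pw + salt).digest() + salt
    else:
        raw = digest(pw).digest()
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_userpassword(password, stored):
    """Verify a cleartext password against a stored {SHA*}/{SSHA*} value.

    Rejects unknown schemes, bad base64 and values of the wrong length, and
    compares digests in constant time.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    digest = SCHEMES.get(scheme)
    if digest is None:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    dlen = digest().digest_size
    pw = password.encode("utf-8")
    if scheme.startswith("SSHA"):
        if len(raw) <= dlen:           # a salted value must carry a salt
            return False
        expected = digest(pw + raw[dlen:]).digest()
    else:
        if len(raw) != dlen:
            return False
        expected = digest(pw).digest()
    return hmac.compare_digest(expected, raw[:dlen])
```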
LDAP wire protocol analysis with Wireshark
by Igor Shmukler
Hello,
As per a suggestion by Andrew Findlay, I have been using Wireshark to
debug my LDAP client.
Specifically, at this time, I am working on simple paging results.
One "issue" which I have noticed is that the searchResultsControl
returned by both OpenLDAP and/or MS AD servers always has a size of 0.
The cookie is returned according to the RFC 2696 specification, but the
size is not.
Please advise what I am missing.
Thank you,
Igor Shmukler
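The paged results control value the post is looking at, encoded and decoded by hand so the two fields are visible without Wireshark. This is an added example, not code from the thread. RFC 2696 lets a server that cannot estimate the result-set size return size 0, so a zero there does not indicate a bug; the cookie, not the size, tells the client whether more pages follow. The sample server reply below is constructed.

```python
# RFC 2696 pagedResultsControl value: realSearchControlValue ::= SEQUENCE {
#     size   INTEGER (0..maxInt),  -- requested page size (client) or
#                                   -- result-set size estimate (server)
#     cookie OCTET STRING }
# Servers that cannot estimate the result size MAY send size 0 (RFC 2696 s.3),
# which matches what the thread observed; only an empty cookie ends paging.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def _ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """INTEGER TLV for non-negative n, minimal two's-complement encoding."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_value(size, cookie=b""):
    """Build the control value a client sends (size = page size, cookie from
    the previous response, empty on the first request)."""
    content = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(content)) + content


def _read_tlv(buf, pos, tag):
    """Return (content, position after the TLV) for the TLV starting at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos:pos + length], pos + length


def decode_paged_value(value):
    """Parse a control value (as captured on the wire) into (size, cookie)."""
    seq, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_bytes, pos = _read_tlv(seq, 0, 0x02)
    cookie, pos = _read_tlv(seq, pos, 0x04)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def interpret_response(value):
    """What a server's control tells the client: size 0 means 'no estimate',
    not 'no entries'; a non-empty cookie means another page can be requested."""
    size, cookie = decode_paged_value(value)
    return {"size_estimate": size or None, "more_pages": len(cookie) > 0,
            "cookie": cookie}
```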