openldap-technical December 2014

openldap-technical@openldap.org

44 participants
55 discussions

openldap group issue on centos 5.5 - all users automatically get put into newly created group
by Janet Houser 14 Dec '14

14 Dec '14

Hi, I created a dit on a Centos 6.5 box that looks something like this: ........dc=name,dc=com................................ | | | | | | ou=users ou=systems........... ou=policies | | | | | | | | user1 cn=group1 cn=group2 cn=ppolicy user2 | | user3 | | | | user1 user2 user2 user3 I created my users, and I added sever "linux groups" using the ldif file: dn: cn=dev,ou=systems,dc=ehs,dc=edu cn: dev gidNumber: 4005 objectClass: posixGroup My goal was to simulate an entry that you'd find in the /etc/group file on a linux system. So if I added people to this group using the ldif file: dn: cn=dev,ou=systems,dc=ehs,dc=edu changetype: modify add: memberuid memberuid: user1 memberuid: user2 So while user1 and user2 are in the default group "users", I wanted them to be able to change the group on their files to "dev" in order to protect their development files. Now, this seemed to work, and when I went on my client and did a command "groups user1", I saw "users" and "dev" However yesterday I added another group called "team0" with gid 22222 using the following ldif file: dn: cn=team0,ou=systems,dc=ehs,dc=edu cn: team0 gidNumber: 22222 objectClass: posixGroup When I was logged into my client machine (Centos 5.5 box) and did a groups on an old user, it showed "users", "dev" and now "team0" although I never added that user to the new group. I cleaned the client cache using the nscd -i invalidate=group command, and then I removed all the cached directories in /var/db/nscd, and rebooted, but that new group seems to have been applied to everyone. I might have screwed up the creation of my DIT, but I was thinking that things were working ok since I could added "unix groups" that are visible with the "getent group" command on a client, I could add users into these groups and changed the group of files to lock out some users, but I don't understand this behavior now. I have about 6 groups defined and the last one I created yesterday is the only one that seems to get applied to all users. I'd appreciate any help you could give.... I'm scratching my head on this one. Thanks.

2 3

DOS/Windows command to query OpenLDAP
by Scott Gates 13 Dec '14

13 Dec '14

Hello, I have a question. I support a Windows Server based application that connects to several forms of LDAP, including OpenLDAP. Occasionally, for debugging purposes, I need to see if we're on speaking terms with the OpenLDAP server and are getting proper information from it. In a DOS window using Active Directory, I'd type >net user john.doe /domain and get back. C:\Users\john.doe.VB>net user john.doe /domain The request will be processed at a domain controller for domain company.loc. User name john.doe Full Name John Doe Comment Product Support Engineer User's comment Country code (null) Account active Yes Account expires Never Password last set 11/30/2014 7:46.29 AM Password expires 12/30/2014 7:46.29 AM Password changeable 11/30/2014 7:46.29 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon 12/12/2014 8:06:11 AM Logon hours allowed All Local Group Memberships Global Group memberships *FSUSERS *Network Support Engin *SupportSecGroup *Domain Users *Network Engineers The command completed successfully. Is there a command I can run from a Windows DOS prompt that would show me essentially the same info for OpenLDAP. When my customers are using OpenLDAP and having issues, I'm usually flying blind. Scott Gates Production Support Engineer VBrick Systems, Inc.

2 1

modify jpegPhoto => segfault
by Raffael Sahli 11 Dec '14

11 Dec '14

Hi Is there a known problem with the attribute jpegPhoto (InetOrgPerson) on 2.4.40 ? If I update or add the attribute with data bigger than ~27KB the slapd crash (`/usr/local/libexec/slapd': free(): invalid next size (normal):) (Tried with builds on ubuntu lts 12.04, 14.04 and with bdb or mdb, results all in the problem above) Going back to 2.4.39 solves the problem. -- Raffael Sahli

2 2

Re: 2.4.40 RPMs for openSUSE
by Michael Ströder 11 Dec '14

11 Dec '14

Ulrich Windl wrote: >>>> Michael Ströder <michael(a)stroeder.com> schrieb am 11.12.2014 um 09:25 in > Nachricht <54895505.5050005(a)stroeder.com>: >> Ulrich Windl wrote: >>>>>> Michael Ströder <michael(a)stroeder.com> schrieb am 10.12.2014 um 23:34 > in >>> Nachricht <5488CA70.3080805(a)stroeder.com>: >>>> HI! >>>> >>>> After some struggle and help by some opensuse-packaging list members >>>> (thanks!) >>>> I achieved almost what I wanted. >>>> >>>> I'd appreciate if someone could work on SLES support. >>> >>> AFAIK SLES 12 (current) will ship 2.4.39; it shouldn't be hard to use the >> SRPM >>> to upgrade to 2.4.40. >> >> Actually the package was not made from scratch. >> It's branched from the original openSUSE package. >> >>> I never did it, but I guess you can use the SUSE build >>> server to do the job. >> >> Before telling everybody what's already known: >> >> Did you actually read my e-mail? >> If yes, then you should have seen that the links in my e-mail are pointing >> to >> the SUSE build service. > > The links are pointing to some location within opensuse.org, No. https://build.opensuse.org is *the* link to the SUSE build service. Even a SuSE beginner, like myself, should know that. > and it's not > ovbious from the URI how the packages were built, and no: I' don't klick on > every link in every message, especially if I don't want to download the > software at the URI. Feel free to ignore information provided. But don't whine when you're ignored then. >> Please stop writing here when you're not willing to spend at least two >> minutes for reading and thinking before posting. > > Unfriendly tone seems to be common on this list. > > Maybe add to your signature: "I'm a guru, don't try to tell me anything, even > if it seems I'm asking for advice" If you dig into mailing list archives you can see that I give unpaid volunteer support since 15+ years now. I do this because other skilled people helped me when I was a beginner. And I can claim that I'm most times quite patient explaining things. I'm also not perfect either and consider myself to be still learning. The point is: Your postings are often plain wrong. It costs of lot of time to correct your false statements so that mailing list archive is not filled with rubbish leading beginners into the wrong direction. The deal with functional community support is: Don't generate extra work for the experts. Be committed to take over work items you can do yourself. So ask yourself before blaming others for their tone: What's your community contribution up to now? Ciao, Michael.

1 0

Re: Antw: 2.4.40 RPMs for openSUSE
by Michael Ströder 11 Dec '14

11 Dec '14

Ulrich Windl wrote: >>>> Michael Ströder <michael(a)stroeder.com> schrieb am 10.12.2014 um 23:34 in > Nachricht <5488CA70.3080805(a)stroeder.com>: >> HI! >> >> After some struggle and help by some opensuse-packaging list members >> (thanks!) >> I achieved almost what I wanted. >> >> I'd appreciate if someone could work on SLES support. > > AFAIK SLES 12 (current) will ship 2.4.39; it shouldn't be hard to use the SRPM > to upgrade to 2.4.40. Actually the package was not made from scratch. It's branched from the original openSUSE package. > I never did it, but I guess you can use the SUSE build > server to do the job. Before telling everybody what's already known: Did you actually read my e-mail? If yes, then you should have seen that the links in my e-mail are pointing to the SUSE build service. Did you bother clicking on one of the links? If yes, you should have seen from which package my package is branched. You can even see the linkdiff with *one* click. Please stop writing here when you're not willing to spend at least two minutes for reading and thinking before posting. Ciao, Michael.

1 0

Performance impact of linking libwrap
by Michael Ströder 10 Dec '14

10 Dec '14

HI! I'm currently trying to upgrade an OpenLDAP package for a openSUSE distribution. The original package links slapd with libwrap which made sense in former times on systems without local host firewall mechanisms. If libwrap does not have a major performance impact I'd keep it that way just for sake of backward compability. But AFAICT if slapd is linked with libwrap the TCP wrapper is always asked whether a connection is allowed or not. One cannot disable it by slapd configuration. So the question is: How big is the performance impact? Ciao, Michael.

6 11

./configure option for /usr/sbin/slapd
by Michael Ströder 10 Dec '14

10 Dec '14

HI! Is there a possibility to tell ./configure to install the slapd executable also in /usr/sbin/ instead of libexecdir? I set --libexecdir to arch-specific directory /usr/lib or /usr/lib64 for the loadable modules but would like to have slapd in the arch-independent directory /usr/sbin/. Ciao, Michael.

2 1

Problems starting an instance of openLDAP
by Ike Ikonne 10 Dec '14

10 Dec '14

Hi all, I am getting the following error message and would like to know if anyone has any idea as to why I am getting it: 547e04ae line 55 (index telephonenumber) 547e04ae index telephoneNumber 0x0714 547e04ae line 56 (index cn) 547e04ae index cn 0x0714 547e04af config_back_db_open: No explicit ACL for back-config configured. Using hardcoded default 547e04af config_build_attrs: error 21 on olcConfigFile value #0 547e04af config_build_entry: build "cn=config" failed: "" 547e04af backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1) 547e04af slapd stopped. Thanks, Ike

3 8

-DLDAP_CONNECTIONLESS
by Michael Ströder 10 Dec '14

10 Dec '14

HI! Another packaging decision: Is building with -DLDAP_CONNECTIONLESS of any real use? Is there any harm using it? Personally I see no use but one never knows... Ciao, Michael.

4 9

ldap sync
by Kolijn, P. 10 Dec '14

10 Dec '14

List, I have been trying to configure a producer -> consumer setup with 2.4.39 and a mdb backend. It seems to work, for awhile, but the sync stops when data.mdb is approx 15M, about 1630 entries instead of the 50000 and about 400M... If I do a slapadd of the data into my consumer it will grow beyond the 15M size... --snip-- # ldap data database mdb maxsize 1073741824 directory /var/lib/ldap suffix "dc=example,dc=com" rootdn "cn=ldap_admin,dc=example,dc=com" rootpw "{SSHA}0rvO4rPODnqNPqkbDv/vuKm8hXGS7mtG" # Sync Consumer # The indent is necessary syncrepl rid=002 provider=ldap://ldapmaster.test.example.com type=refreshAndPersist retry="5 5 300 5" searchbase="dc=example,dc=com" filter="(objectclass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials="secret" -- end snip -- I have set the global options: -- snip -- sizelimit unlimited timelimit unlimited -- end snip -- ...but that didn't help... I have no clue why or where this is coming from or how to figure out where it goes bottom up.. any pointers ? thnx ! -- Pascal Kolijn Vrije Universiteit Amsterdam

5 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2014