February 2014 - openldap-technical

rwm-rewriteMap for bindDN and slapo-ppolicy

by Michael Ströder

HI! I'm trying to use slapo-rwm to simplify bind-DNs used. I'm also using slapo-lastbind to record the last simple bind timestamp and slapo-ppolicy also for recording pwdFailureTime. Using latest RE24 of course. Something like this defined *within* the database section: ---------------------- snip ---------------------- overlay accesslog [..] rwm-rewriteMap slapd uid2dn "ldap:///o=example?entryDN?sub?" rwm-rewriteContext bindDN rwm-rewriteRule "^(uid=[^,]+),o=example$" "${uid2dn($1)}" ":@I" overlay lastbind overlay ppolicy ppolicy_default cn=ppolicy-default,cn=ampua,ou=ampua ppolicy_hash_cleartext ppolicy_use_lockout slapo-lastbind correctly updates the attribute 'authTimestamp' in the entry referenced by the rewritten bind-DN. slapo-ppolicy does *not* correctly update the attribute 'pwdFailureTime' in the entry referenced by the rewritten bind-DN. ---------------------- snip ---------------------- Any idea what's going on? BTW: Using the rwm-rewriteMap in a MMR setup causes seg faults in a running provider slapd when bringing up another empty provider. Have to examine that further though. Ciao, Michael.

7 years, 7 months

1
1
0 / 0

slapd-meta exclude syntax; larger problem with rwm, collective attributes.

by Dan Pritts

Hi folks - first, a simple, direct question. I'm trying to use the meta backend, and exclude part of the back-end directory (which is AD, if that matters). I tried the following config: -------------------------- include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/core.schema include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/cosine.schema include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/inetorgperson.schema include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/nis.schema pidfile /var/run/openldap/slapd-filter.pid argsfile /var/run/openldap/slapd-filter.args loglevel any access to * by * read database meta suffix "dc=adsroot,dc=itd,dc=umich,dc=edu" uri "ldap://adsroot.itd.umich.edu/dc=adsroot,dc=itd,dc=umich,dc=edu" rootdn "cn=Manager,dc=adsroot,dc=itd,dc=umich,dc=edu" #subtree-exclude "ou=ICPSR,ou=Organizations,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu" #subtree-exclude "ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu" subtree-exclude "dn.subtree:ou=ICPSR,ou=Organizations,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu" subtree-exclude "dn.subtree:ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu" -------------------------- As you can see i tried two syntaxes for subtree-exclude. with either one, a search for "cn=danno" returns dn: cn=danno,ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu What am I doing wrong? Or do I misunderstand what subtree-exclude is supposed to be doing? openldap 2.4.39 on centos 6, x64. The larger question - As I posted last week I am trying to put a proxy in front of Active Directory. AD has most of the required attributes for my application, but I need to fill in a couple that are missing. Translucent proxy makes sense, combined with the collect overlay. Unfortunately, slapd crashes when it encounters a DN from AD that has one of the collect attributes (its 7797). Not just a lookup failure, a hard crash. :( So, it next occurred to me to use another instance of slapd with rwm as a "filter" to remove the attributes I am trying to use with collect. It's complicated further by the fact that some subtrees have different attributes that I want to filter, or not. I tried soemthing like this: -------------------------- database ldap uri ldap://foo suffix ou=foo,dc=example,dc=edu [ rwm entries to leave only the attributes i want for ou=foo ] database ldap uri ldap://foo suffix ou=bar,dc=example,dc=edu [ rwm entries to leave only the attributes i want for ou=bar ] database meta uri ldap://foo suffix dc=example,dc=edu subtree-exclude ou=foo subtree-exclude ou=bar -------------------------- I had to add the third database entry, with the root dn, before auth would work. Presuming that i can actually make meta work with the subtree-exclude like I want, should a config like this work? As it is, everything is being returned from the third database entry, with the suffix at the root DN. So, I'm not sure if this idea of combining multiple ldap databases would work. thanks for any input! danno -- Dan Pritts ICPSR Computing & Network Services University of Michigan +1 (734)615-7362

7 years, 7 months

2
2
0 / 0

Re: Slow to add 1 million items

by Andrew Eross

Hi Quanah, Ubuntu 10.04 LTS Linux 2.6.32-43-generic-pae #97-Ubuntu SMP Wed Sep 5 16:59:17 UTC 2012 i686 GNU/Linux The latest OpenLDAP 2.4.39 All of those tests done with the mdb backend, of course, and the actual file system is ext4 It's a fairly stock 10.04 system, no special config/kernel changes. Cheers, Andrew Andrew Eross CTO Locatrix Communications Office: +61 7 3123 1469 Mobile: +55 37 9858 9815 eross(a)locatrix.com On Wed, Feb 5, 2014 at 1:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, February 04, 2014 6:52 PM -0200 Andrew Eross < > eross(a)locatrix.com> wrote: > > >> >> Thanks, Dieter, Quanah. >> >> >> I've been doing some experimenting with those mdb options. >> >> >> I ran a few tests with inserting 10,000 records, wiping the DB in >> between, and changing just the one option at a time: >> >> >> Base-line, no extra options: 4m8sWith "writemap" enabled: 8m55s >> >> With "writemap+mapasync" enabled: 5m12s >> With "dbnosync+checkpoint 0kb/1min": 0m14s >> > > I know you answered some of this before, but please update with: > > What kernel? > What OpenLDAP version? > What Ubuntu release? > What filesystem for the LDAP DB? > > Thanks, > > Quanah > > > -- > > Quanah Gibson-Mount > Architect - Server > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

7 years, 7 months

5
7
0 / 0

RE: Antw: RE: Syncrepl and mmr

by Ulrich Windl

Hi! (People will flame me because of this, but...) I'd suggest to start completely new with a clean standard distribution. Once your configuration works, you can update your software and change configuration until it stops working. ;-) Regards, Ulrich >>> "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> schrieb am 06.02.2014 um 17:47 in Nachricht <20140206164804.ECB0F44E78(a)rrzmta2.uni-regensburg.de>: > All, > > I came in this morning, and the test environment was hung. Not sure what is > going on. slapd on both servers will not stay up for more than 5-minutes. I > tried to back step so attempted to slapadd from the dbase.ldif that I created > the other day when things were working. When slapadding, I am receiving the > following error: > # slapadd -w -q -F /usr/local/openldap/etc/openldap/slapd.d -l > /usr/local/openldap/etc/openldap/ldif/backup/mm-server2_example_ldap.ldif > 52f3bb11 olcDbDirectory: value #0: invalid path: No such file or directory > 52f3bb11 config error processing olcDatabase={1}bdb,cn=config: > olcDbDirectory: value #0: invalid path: No such file or directory > slapadd: bad configuration directory! > > Any assistance as to what to look for would be great! > > Thanks in advance > John > > ________________________________________ > From: Ulrich Windl [Ulrich.Windl(a)rz.uni-regensburg.de] > Sent: Wednesday, February 05, 2014 2:50 AM > To: Borresen, John - 0442 - MITLL; openldap-technical(a)openldap.org; Quanah > Gibson-Mount > Subject: Antw: RE: Syncrepl and mmr > > "52f0fe5f send_search_entry: conn 1003 access to attribute userPassword, > value #0 not allowed" > > I'm not surprised that you have a problem with the user's password. > >>>> "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> schrieb am > 04.02.2014 um 15:56 in Nachricht > <201402041456.s14EuaHc022629(a)boole.openldap.org>: >> Here is a log snippet from mm-server2: >> >> 52f0fe5f => slap_access_allowed: read access granted by read(=rscxd) >> 52f0fe5f => access_allowed: read access granted by read(=rscxd) >> 52f0fe5f => access_allowed: result was in cache (objectClass) >> 52f0fe5f => access_allowed: result was in cache (objectClass) >> 52f0fe5f => access_allowed: result was in cache (objectClass) >> 52f0fe5f => access_allowed: result was in cache (objectClass) >> 52f0fe5f => access_allowed: result not in cache (userPassword) >> 52f0fe5f => access_allowed: read access to >> "uid=jdoe,ou=Users,dc=example,dc=ldap" "userPassword" requested >> 52f0fe5f => acl_get: [1] attr userPassword >> 52f0fe5f => acl_mask: access to entry "uid=jdoe,ou=Users,dc=example,dc=ldap", >> attr "userPassword" requested >> 52f0fe5f => acl_mask: to value by "cn=admin,cn=config", (=0) >> 52f0fe5f <= check a_dn_pat: self >> 52f0fe5f <= check a_dn_pat: anonymous >> 52f0fe5f <= check a_dn_pat: cn=ldapadmin,dc=example,dc=ldap >> 52f0fe5f <= check a_dn_pat: uid=replicator,ou=admins,dc=example,dc=ldap >> 52f0fe5f <= check a_dn_pat: * >> 52f0fe5f <= acl_mask: [5] applying none(=0) (stop) >> 52f0fe5f <= acl_mask: [5] mask: none(=0) >> 52f0fe5f => slap_access_allowed: read access denied by none(=0) >> 52f0fe5f => access_allowed: no more rules >> 52f0fe5f send_search_entry: conn 1003 access to attribute userPassword, >> value #0 not allowed >> 52f0fe5f conn=1003 op=20 ENTRY dn="uid=jdoe,ou=users,dc=example,dc=ldap" >> ber_flush2: 496 bytes to sd 21 >> >> >> >> -----Original Message----- >> From: openldap-technical-bounces(a)OpenLDAP.org >> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen, >> John - 0442 - MITLL >> Sent: Tuesday, February 04, 2014 9:31 AM >> To: Quanah Gibson-Mount; openldap-technical(a)openldap.org >> Subject: RE: Syncrepl and mmr >> >> All, >> >> This morning, I shut down slapd on mm-server2 and, using the ldif that I >> created off of mm-server1 primary dbase (used slapcat to create) and > attempted >> to resync the dbases. >> >> Background: when viewing the dbases on mm-server1 and mm-server2 on Apache >> Directory Studio (binding with cn=ldapadmin,dc=example,dc=ldap), the >> "ou=Users,dc=example,dc=ldap" will show the userPassword attribute on >> mm-server1, but NOT on mm-server2. If I perform an ldapsearch (again, with >> cn=ldapadmin,dc=example,dc=ldap, on both servers the userPassword attribute >> echoes out to console as expected. When binding to >> uid=replicator,ou=Admins,dc=example,dc=ldap on both servers, on the Apache >> Directory Studio, the userPassword attribute is seen. >> >> Now, this morning, as stated, slapd was shut down on mm-server2. >> >> Moved /var/lib/openldap/openldap-data out of the way Recreated the >> /var/lib/openldap/openldap-data directory, copying the DB_CONFIG back in. >> >> Chowned it the directory to ldap:ldap >> >> Ran: >> >> # slapadd -w -q -F /usr/local/openldap/etc/openldap/slapd.d -l >> /usr/local/openldap/etc/openldap/ldif/backup/example_ldap.ldif >> _#################### 100.00% eta none elapsed none fast! >> >> Closing DB... >> # /usr/local/openldap/sbin/slapindex -F >> /usr/local/openldap/etc/openldap/slapd.d >> >> Reconnected, to mm-server2 via the Apache Directory Studio using >> cn=ldapadmin,dc=example,dc=ldap & > uid=replicator,ou=Admins,dc=example,dc=ldap, >> same results as before. >> >> Any suggestions? >> >> Thanks in advance, >> John >> >> -----Original Message----- >> From: openldap-technical-bounces(a)OpenLDAP.org >> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen, >> John - 0442 - MITLL >> Sent: Monday, February 03, 2014 4:22 PM >> To: Quanah Gibson-Mount; openldap-technical(a)openldap.org >> Subject: RE: Syncrepl and mmr >> >> Well...that was a "doh!" on my part. <lol> >> >> One last stupid question for the evening. "slapcat" created the ldif, when >> slapadd-ing to the the secondary, should I remove the extra lines (ex. >> entryUUID, creatorsName,createTimeStamp)? >> >> Thanks, >> John >> >> -----Original Message----- >> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] >> Sent: Monday, February 03, 2014 4:03 PM >> To: Borresen, John - 0442 - MITLL; openldap-technical(a)openldap.org >> Subject: RE: Syncrepl and mmr >> >> --On Monday, February 03, 2014 3:57 PM -0500 "Borresen, John - 0442 - MITLL" >> <John.Borresen(a)ll.mit.edu> wrote: >> >>> Hmmmmmmmm, >>> >>> Taking your advice to reload the secondary from the primary...by >>> creating master set of ldifs off of the primary (mm-server1): >>> >>> On the primary (mm-server1): >>># slapcat -F /usr/local/openldap/etc/openldap/slapd.d -l # >>>backup/example_ldap.ldif -b dc=example,dc=ldap >>> 52f000f2 ldif_read_file: checksum error on >>>"/usr/local/openldap/etc/openldap/slapd.d/cn=config.ldif" 52f000f2 >>> bdb_monitor_db_open: monitoring disabled; configure monitor database >>>to enable >>> >>> On the secondary (mm-server2): >>> the same command worked... >> >> There is no indication here the command failed. All it is reporting is that >> someone modified cn=config.ldif by hand rather than correctly using >> ldapmodify. >> >> --Quanah >> >> -- >> >> Quanah Gibson-Mount >> Architect - Server >> Zimbra, Inc. >> -------------------- >> Zimbra :: the leader in open source messaging and collaboration

7 years, 7 months

1
0
0 / 0

RE: Antw: RE: Syncrepl and mmr

by Quanah Gibson-Mount

--On Thursday, February 06, 2014 12:32 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > All, > > The oldDbDirectory statement is pointing to > /var/lib/openldap/openldap-data > > The accesslog olcDbDirectory statement is: /var/lib/openldap/accesslog Then one of those does not exist or is not accessible to the openldap user. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

7 years, 7 months

3
2
0 / 0

RE: Antw: RE: Syncrepl and mmr

by Quanah Gibson-Mount

--On Thursday, February 06, 2014 12:37 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > Then one of those does not exist or is not accessible to the openldap > user. Please read the OR portion of this sentence. You can also add -d -1 to your slapadd command to get more output on the error. Likely the permissons on one of /var, /var/lib, or /var/lib/openldap blocks access for the ldap user. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

7 years, 7 months

1
0
0 / 0

RE: Antw: RE: Syncrepl and mmr

by Quanah Gibson-Mount

--On Thursday, February 06, 2014 11:47 AM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > All, > > I came in this morning, and the test environment was hung. Not sure what > is going on. slapd on both servers will not stay up for more than > 5-minutes. I tried to back step so attempted to slapadd from the > dbase.ldif that I created the other day when things were working. When > slapadding, I am receiving the following error: ># slapadd -w -q -F /usr/local/openldap/etc/openldap/slapd.d -l ># /usr/local/openldap/etc/openldap/ldif/backup/mm-server2_example_ldap.ldif > 52f3bb11 olcDbDirectory: value #0: invalid path: No such file or directory > 52f3bb11 config error processing olcDatabase={1}bdb,cn=config: > olcDbDirectory: value #0: invalid path: No such file or directory > slapadd: bad configuration directory! The database directory you specified for slapd to use in olcDatabase={1}bdb,cn=config doesn't exist, as it clearly states. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

7 years, 7 months

2
2
0 / 0

RE: Syncrepl and mmr

by Quanah Gibson-Mount

--On Monday, February 03, 2014 3:57 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > Hmmmmmmmm, > > Taking your advice to reload the secondary from the primary...by creating > master set of ldifs off of the primary (mm-server1): > > On the primary (mm-server1): ># slapcat -F /usr/local/openldap/etc/openldap/slapd.d -l ># backup/example_ldap.ldif -b dc=example,dc=ldap > 52f000f2 ldif_read_file: checksum error on > "/usr/local/openldap/etc/openldap/slapd.d/cn=config.ldif" 52f000f2 > bdb_monitor_db_open: monitoring disabled; configure monitor database to > enable > > On the secondary (mm-server2): > the same command worked... There is no indication here the command failed. All it is reporting is that someone modified cn=config.ldif by hand rather than correctly using ldapmodify. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

7 years, 7 months

3
5
0 / 0

Re: OpenLDAP slapd problems - ldap_result: Can't contact LDAP server (-1) result.c:813 --- Low Sensitivity/Aerospace Internal Use Only

by Christian Kratzer

Hi Warraon, On Wed, 5 Feb 2014, Warron S French wrote: > Low Sensitivity/Aerospace Internal Use Only > > Thank you Christian, I don't know how to apply the patch, nor do I know > where to get it. I will just wait for 2.4.40 to be officially released. > Do you have any idea when that might be since I posted the issue last > Thursday? I know this is Open Source code, so I am wondering how long it > will be before I can continue with my dead-in-the-water project. I have no idea when the 2.4.40 release will be as I am not associated with the openldap project or their release management. Altough unless something serious turns up it will propably be a couple of months as 2.4.39 has just been released a week ago. As you have been cc:ing the ltb-project people on this list I assume you are using their packages ? If you are and are willing to compile their source package, then integrating the patch should not be too hard. It's just a matter of locating the patch in the git repository and adding it to the build. ps: Adding the list back to cc. Greetings Christian > Thanks, > > Warron French, MBA, SCSA > > > > From: Christian Kratzer <ck(a)cksoft.de> > To: Quanah Gibson-Mount <quanah(a)zimbra.com>, > Cc: Warron S French <Warron.S.French(a)aero.org>, > openldap-technical(a)openldap.org, ltb-users(a)mail.ltb-project.org > Date: 02/04/2014 04:37 PM > Subject: Re: OpenLDAP slapd problems - ldap_result: Can't contact > LDAP server (-1) result.c:813 --- Low Sensitivity/Aerospace Internal Use > Only > > > > Hi, > > On Tue, 4 Feb 2014, Quanah Gibson-Mount wrote: >> --On Tuesday, February 04, 2014 10:17 PM +0100 Christian Kratzer >> <ck(a)cksoft.de> wrote: >> >> >>> You should open an ITS for this. I will be glad to add my input once I >>> see the ITS. >> >> There already is an ITS for this, and the fix has already been committed > for >> the OpenLDAP 2.4.40 release, or one can grab the patch and apply it to > their >> 2.4.39 source and rebuild. > > saw your mail after sending. ;( > > Greetings > Christian > > -- Christian Kratzer CK Software GmbH Email: ck(a)cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer Web: http://www.cksoft.de/

7 years, 7 months

1
0
0 / 0

Re: OpenLDAP slapd problems - ldap_result: Can't contact LDAP server (-1) result.c:813 --- Low Sensitivity/Aerospace Internal Use Only

by Quanah Gibson-Mount

--On Tuesday, February 04, 2014 10:17 PM +0100 Christian Kratzer <ck(a)cksoft.de> wrote: > You should open an ITS for this. I will be glad to add my input once I > see the ITS. There already is an ITS for this, and the fix has already been committed for the OpenLDAP 2.4.40 release, or one can grab the patch and apply it to their 2.4.39 source and rebuild. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

7 years, 7 months

1
0
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2014