rwm-rewriteMap for bindDN and slapo-ppolicy
by Michael Ströder
Hi!
I'm trying to use slapo-rwm to simplify bind-DNs used. I'm also using
slapo-lastbind to record the last simple bind timestamp and slapo-ppolicy also
for recording pwdFailureTime.
Using latest RE24 of course.
Something like this defined *within* the database section:
---------------------- snip ----------------------
overlay accesslog
[..]
rwm-rewriteMap slapd uid2dn "ldap:///o=example?entryDN?sub?"
rwm-rewriteContext bindDN
rwm-rewriteRule "^(uid=[^,]+),o=example$" "${uid2dn($1)}" ":@I"
overlay lastbind
overlay ppolicy
ppolicy_default cn=ppolicy-default,cn=ampua,ou=ampua
ppolicy_hash_cleartext
ppolicy_use_lockout
slapo-lastbind correctly updates the attribute 'authTimestamp' in the entry
referenced by the rewritten bind-DN.
slapo-ppolicy does *not* correctly update the attribute 'pwdFailureTime' in
the entry referenced by the rewritten bind-DN.
---------------------- snip ----------------------
Any idea what's going on?
BTW: Using the rwm-rewriteMap in a MMR setup causes seg faults in a running
provider slapd when bringing up another empty provider. Have to examine that
further though.
Ciao, Michael.
7 years, 2 months
slapd-meta exclude syntax; larger problem with rwm, collective attributes.
by Dan Pritts
Hi folks -
first, a simple, direct question. I'm trying to use the meta backend,
and exclude part of the
back-end directory (which is AD, if that matters).
I tried the following config:
--------------------------
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/core.schema
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/cosine.schema
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/inetorgperson.schema
include /usr/local/pkg/openldap-2.4.39/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd-filter.pid
argsfile /var/run/openldap/slapd-filter.args
loglevel any
access to *
by * read
database meta
suffix "dc=adsroot,dc=itd,dc=umich,dc=edu"
uri "ldap://adsroot.itd.umich.edu/dc=adsroot,dc=itd,dc=umich,dc=edu"
rootdn "cn=Manager,dc=adsroot,dc=itd,dc=umich,dc=edu"
#subtree-exclude "ou=ICPSR,ou=Organizations,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
#subtree-exclude "ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
subtree-exclude "dn.subtree:ou=ICPSR,ou=Organizations,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
subtree-exclude "dn.subtree:ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu"
--------------------------
As you can see I tried two syntaxes for subtree-exclude. With either
one, a search for "cn=danno" returns
dn: cn=danno,ou=ICPSR,ou=Accounts,ou=UMICH,dc=adsroot,dc=itd,dc=umich,dc=edu
What am I doing wrong? Or do I misunderstand what subtree-exclude is
supposed to be doing?
openldap 2.4.39 on centos 6, x64.
The larger question -
As I posted last week I am trying to put a proxy in front of Active
Directory. AD has most of the required
attributes for my application, but I need to fill in a couple that are
missing. Translucent proxy makes sense,
combined with the collect overlay. Unfortunately, slapd crashes when it
encounters a DN from AD that has
one of the collect attributes (its 7797). Not just a lookup failure, a
hard crash. :(
So, it next occurred to me to use another instance of slapd with rwm as
a "filter" to remove the attributes I am
trying to use with collect.
It's complicated further by the fact that some subtrees have different
attributes that I want to filter, or not.
I tried something like this:
--------------------------
database ldap
uri ldap://foo
suffix ou=foo,dc=example,dc=edu
[ rwm entries to leave only the attributes I want for ou=foo ]
database ldap
uri ldap://foo
suffix ou=bar,dc=example,dc=edu
[ rwm entries to leave only the attributes I want for ou=bar ]
database meta
uri ldap://foo
suffix dc=example,dc=edu
subtree-exclude ou=foo
subtree-exclude ou=bar
--------------------------
I had to add the third database entry, with the root dn, before auth
would work.
Presuming that i can actually make meta work with the subtree-exclude
like I want, should a config like this work?
As it is, everything is being returned from the third database entry,
with the suffix at the root DN.
So, I'm not sure if this idea of combining multiple ldap databases would
work.
thanks for any input!
danno
--
Dan Pritts
ICPSR Computing & Network Services
University of Michigan
+1 (734)615-7362
7 years, 2 months
Re: Slow to add 1 million items
by Andrew Eross
Hi Quanah,
Ubuntu 10.04 LTS
Linux 2.6.32-43-generic-pae #97-Ubuntu SMP Wed Sep 5 16:59:17 UTC 2012 i686
GNU/Linux
The latest OpenLDAP 2.4.39
All of those tests done with the mdb backend, of course, and the actual
file system is ext4
It's a fairly stock 10.04 system, no special config/kernel changes.
Cheers,
Andrew
Andrew Eross
CTO
Locatrix Communications
Office: +61 7 3123 1469
Mobile: +55 37 9858 9815
eross(a)locatrix.com
On Wed, Feb 5, 2014 at 1:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Tuesday, February 04, 2014 6:52 PM -0200 Andrew Eross <
> eross(a)locatrix.com> wrote:
>
>
>>
>> Thanks, Dieter, Quanah.
>>
>>
>> I've been doing some experimenting with those mdb options.
>>
>>
>> I ran a few tests with inserting 10,000 records, wiping the DB in
>> between, and changing just the one option at a time:
>>
>>
>> Base-line, no extra options: 4m8s
>> With "writemap" enabled: 8m55s
>>
>> With "writemap+mapasync" enabled: 5m12s
>> With "dbnosync+checkpoint 0kb/1min": 0m14s
>>
>
> I know you answered some of this before, but please update with:
>
> What kernel?
> What OpenLDAP version?
> What Ubuntu release?
> What filesystem for the LDAP DB?
>
> Thanks,
>
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Architect - Server
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
7 years, 2 months
RE: Antw: RE: Syncrepl and mmr
by Ulrich Windl
Hi!
(People will flame me because of this, but...)
I'd suggest to start completely new with a clean standard distribution. Once your configuration works, you can update your software and change configuration until it stops working. ;-)
Regards,
Ulrich
>>> "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote on
06.02.2014 at 17:47 in message
<20140206164804.ECB0F44E78(a)rrzmta2.uni-regensburg.de>:
> All,
>
> I came in this morning, and the test environment was hung. Not sure what is
> going on. slapd on both servers will not stay up for more than 5-minutes. I
> tried to back step so attempted to slapadd from the dbase.ldif that I created
> the other day when things were working. When slapadding, I am receiving the
> following error:
> # slapadd -w -q -F /usr/local/openldap/etc/openldap/slapd.d -l
> /usr/local/openldap/etc/openldap/ldif/backup/mm-server2_example_ldap.ldif
> 52f3bb11 olcDbDirectory: value #0: invalid path: No such file or directory
> 52f3bb11 config error processing olcDatabase={1}bdb,cn=config:
> olcDbDirectory: value #0: invalid path: No such file or directory
> slapadd: bad configuration directory!
>
> Any assistance as to what to look for would be great!
>
> Thanks in advance
> John
>
> ________________________________________
> From: Ulrich Windl [Ulrich.Windl(a)rz.uni-regensburg.de]
> Sent: Wednesday, February 05, 2014 2:50 AM
> To: Borresen, John - 0442 - MITLL; openldap-technical(a)openldap.org; Quanah
> Gibson-Mount
> Subject: Antw: RE: Syncrepl and mmr
>
> "52f0fe5f send_search_entry: conn 1003 access to attribute userPassword,
> value #0 not allowed"
>
> I'm not surprised that you have a problem with the user's password.
>
>>>> "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote on
> 04.02.2014 at 15:56 in message
> <201402041456.s14EuaHc022629(a)boole.openldap.org>:
>> Here is a log snippet from mm-server2:
>>
>> 52f0fe5f => slap_access_allowed: read access granted by read(=rscxd)
>> 52f0fe5f => access_allowed: read access granted by read(=rscxd)
>> 52f0fe5f => access_allowed: result was in cache (objectClass)
>> 52f0fe5f => access_allowed: result was in cache (objectClass)
>> 52f0fe5f => access_allowed: result was in cache (objectClass)
>> 52f0fe5f => access_allowed: result was in cache (objectClass)
>> 52f0fe5f => access_allowed: result not in cache (userPassword)
>> 52f0fe5f => access_allowed: read access to
>> "uid=jdoe,ou=Users,dc=example,dc=ldap" "userPassword" requested
>> 52f0fe5f => acl_get: [1] attr userPassword
>> 52f0fe5f => acl_mask: access to entry "uid=jdoe,ou=Users,dc=example,dc=ldap",
>> attr "userPassword" requested
>> 52f0fe5f => acl_mask: to value by "cn=admin,cn=config", (=0)
>> 52f0fe5f <= check a_dn_pat: self
>> 52f0fe5f <= check a_dn_pat: anonymous
>> 52f0fe5f <= check a_dn_pat: cn=ldapadmin,dc=example,dc=ldap
>> 52f0fe5f <= check a_dn_pat: uid=replicator,ou=admins,dc=example,dc=ldap
>> 52f0fe5f <= check a_dn_pat: *
>> 52f0fe5f <= acl_mask: [5] applying none(=0) (stop)
>> 52f0fe5f <= acl_mask: [5] mask: none(=0)
>> 52f0fe5f => slap_access_allowed: read access denied by none(=0)
>> 52f0fe5f => access_allowed: no more rules
>> 52f0fe5f send_search_entry: conn 1003 access to attribute userPassword,
>> value #0 not allowed
>> 52f0fe5f conn=1003 op=20 ENTRY dn="uid=jdoe,ou=users,dc=example,dc=ldap"
>> ber_flush2: 496 bytes to sd 21
>>
>>
>>
>> -----Original Message-----
>> From: openldap-technical-bounces(a)OpenLDAP.org
>> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen,
>> John - 0442 - MITLL
>> Sent: Tuesday, February 04, 2014 9:31 AM
>> To: Quanah Gibson-Mount; openldap-technical(a)openldap.org
>> Subject: RE: Syncrepl and mmr
>>
>> All,
>>
>> This morning, I shut down slapd on mm-server2 and, using the ldif that I
>> created off of mm-server1 primary dbase (used slapcat to create) and
> attempted
>> to resync the dbases.
>>
>> Background: when viewing the dbases on mm-server1 and mm-server2 on Apache
>> Directory Studio (binding with cn=ldapadmin,dc=example,dc=ldap), the
>> "ou=Users,dc=example,dc=ldap" will show the userPassword attribute on
>> mm-server1, but NOT on mm-server2. If I perform an ldapsearch (again, with
>> cn=ldapadmin,dc=example,dc=ldap, on both servers the userPassword attribute
>> echoes out to console as expected. When binding to
>> uid=replicator,ou=Admins,dc=example,dc=ldap on both servers, on the Apache
>> Directory Studio, the userPassword attribute is seen.
>>
>> Now, this morning, as stated, slapd was shut down on mm-server2.
>>
>> Moved /var/lib/openldap/openldap-data out of the way Recreated the
>> /var/lib/openldap/openldap-data directory, copying the DB_CONFIG back in.
>>
>> Chowned it the directory to ldap:ldap
>>
>> Ran:
>>
>> # slapadd -w -q -F /usr/local/openldap/etc/openldap/slapd.d -l
>> /usr/local/openldap/etc/openldap/ldif/backup/example_ldap.ldif
>> _#################### 100.00% eta none elapsed none fast!
>>
>> Closing DB...
>> # /usr/local/openldap/sbin/slapindex -F
>> /usr/local/openldap/etc/openldap/slapd.d
>>
>> Reconnected, to mm-server2 via the Apache Directory Studio using
>> cn=ldapadmin,dc=example,dc=ldap &
> uid=replicator,ou=Admins,dc=example,dc=ldap,
>> same results as before.
>>
>> Any suggestions?
>>
>> Thanks in advance,
>> John
>>
>> -----Original Message-----
>> From: openldap-technical-bounces(a)OpenLDAP.org
>> [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Borresen,
>> John - 0442 - MITLL
>> Sent: Monday, February 03, 2014 4:22 PM
>> To: Quanah Gibson-Mount; openldap-technical(a)openldap.org
>> Subject: RE: Syncrepl and mmr
>>
>> Well...that was a "doh!" on my part. <lol>
>>
>> One last stupid question for the evening. "slapcat" created the ldif, when
>> slapadd-ing to the the secondary, should I remove the extra lines (ex.
>> entryUUID, creatorsName,createTimeStamp)?
>>
>> Thanks,
>> John
>>
>> -----Original Message-----
>> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
>> Sent: Monday, February 03, 2014 4:03 PM
>> To: Borresen, John - 0442 - MITLL; openldap-technical(a)openldap.org
>> Subject: RE: Syncrepl and mmr
>>
>> --On Monday, February 03, 2014 3:57 PM -0500 "Borresen, John - 0442 - MITLL"
>> <John.Borresen(a)ll.mit.edu> wrote:
>>
>>> Hmmmmmmmm,
>>>
>>> Taking your advice to reload the secondary from the primary...by
>>> creating master set of ldifs off of the primary (mm-server1):
>>>
>>> On the primary (mm-server1):
>>># slapcat -F /usr/local/openldap/etc/openldap/slapd.d -l #
>>>backup/example_ldap.ldif -b dc=example,dc=ldap
>>> 52f000f2 ldif_read_file: checksum error on
>>>"/usr/local/openldap/etc/openldap/slapd.d/cn=config.ldif" 52f000f2
>>> bdb_monitor_db_open: monitoring disabled; configure monitor database
>>>to enable
>>>
>>> On the secondary (mm-server2):
>>> the same command worked...
>>
>> There is no indication here the command failed. All it is reporting is that
>> someone modified cn=config.ldif by hand rather than correctly using
>> ldapmodify.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Architect - Server
>> Zimbra, Inc.
>> --------------------
>> Zimbra :: the leader in open source messaging and collaboration
7 years, 2 months
RE: Antw: RE: Syncrepl and mmr
by Quanah Gibson-Mount
--On Thursday, February 06, 2014 12:32 PM -0500 "Borresen, John - 0442 -
MITLL" <John.Borresen(a)ll.mit.edu> wrote:
> All,
>
> The oldDbDirectory statement is pointing to
> /var/lib/openldap/openldap-data
>
> The accesslog olcDbDirectory statement is: /var/lib/openldap/accesslog
Then one of those does not exist or is not accessible to the openldap user.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
7 years, 2 months
RE: Antw: RE: Syncrepl and mmr
by Quanah Gibson-Mount
--On Thursday, February 06, 2014 12:37 PM -0500 "Borresen, John - 0442 -
MITLL" <John.Borresen(a)ll.mit.edu> wrote:
> Then one of those does not exist or is not accessible to the openldap
> user.
Please read the OR portion of this sentence.
You can also add -d -1 to your slapadd command to get more output on the
error. Likely the permissions on one of /var, /var/lib, or
/var/lib/openldap blocks access for the ldap user.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
7 years, 2 months
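The check Quanah describes above, written out as an added example (not code from the thread or from OpenLDAP): slapadd reports the olcDbDirectory path as invalid both when it is missing and when some parent directory lacks search (x) permission for the uid slapd runs as, and since root bypasses mode bits, inspecting the tree as root proves nothing. This walks every component of the path and evaluates the mode bits for a given uid/gid instead; it assumes GNU coreutils `stat` and ignores supplementary groups, and the demo directory layout is constructed.

```shell
#!/bin/sh
# Added example: emulate the kernel's permission check for a non-root
# service user (e.g. ldap) on each component of an olcDbDirectory path.
# Assumes GNU stat (Linux); supplementary groups are not considered.

# has_bit UID GID PATH BIT: does UID/GID hold permission BIT (4=r, 2=w, 1=x)
# on PATH, judged purely from the owner/group/mode bits?
has_bit() {
    uid=$1; gid=$2; path=$3; bit=$4
    out=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 1
    set -- $out
    owner=$1; group=$2
    mode=$(printf '%04d' "$3")          # "755" -> "0755", "0" -> "0000"
    mode=${mode#"${mode%???}"}          # drop setuid/setgid/sticky digit
    if [ "$uid" = "$owner" ]; then digit=${mode%??}
    elif [ "$gid" = "$group" ]; then digit=${mode#?}; digit=${digit%?}
    else digit=${mode#??}
    fi
    [ $(( digit & bit )) -ne 0 ]
}

# first_blocked UID GID /abs/path: print the first directory UID/GID cannot
# enter (or the leaf if it is unreadable) and return 1; print nothing and
# return 0 when the whole path is reachable.
first_blocked() {
    uid=$1; gid=$2; target=$3
    [ -e "$target" ] || { printf '%s (missing or unreachable)\n' "$target"; return 1; }
    has_bit "$uid" "$gid" / 1 || { printf '/\n'; return 1; }
    oldifs=$IFS; IFS=/; set -- $target; IFS=$oldifs
    prefix=
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix=$prefix/$comp
        has_bit "$uid" "$gid" "$prefix" 1 || { printf '%s\n' "$prefix"; return 1; }
    done
    has_bit "$uid" "$gid" "$target" 4 || { printf '%s (not readable)\n' "$target"; return 1; }
    return 0
}

# Constructed demo: the thread's layout under a temp dir, with
# var/lib/openldap closed (0700) to everyone except its owner.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/openldap/openldap-data" "$root/var/lib/openldap/accesslog"
    chmod 755 "$root" "$root/var" "$root/var/lib" "$root/var/lib/openldap/openldap-data"
    chmod 700 "$root/var/lib/openldap"
    for d in openldap-data accesslog; do
        p=$root/var/lib/openldap/$d
        first_blocked "$(id -u)" "$(id -g)" "$p" && echo "owner: $p reachable"
        # 65534 stands in for an unrelated service uid; it is stopped at openldap/
        blocked=$(first_blocked 65534 65534 "$p") || echo "uid 65534: stopped at $blocked"
    done
    rm -rf "$root"
}

demo
```

Run it as root against the real paths with the ldap user's uid and gid (from `id -u ldap` / `id -g ldap`) to find which component slapadd is actually tripping over.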
RE: Antw: RE: Syncrepl and mmr
by Quanah Gibson-Mount
--On Thursday, February 06, 2014 11:47 AM -0500 "Borresen, John - 0442 -
MITLL" <John.Borresen(a)ll.mit.edu> wrote:
> All,
>
> I came in this morning, and the test environment was hung. Not sure what
> is going on. slapd on both servers will not stay up for more than
> 5-minutes. I tried to back step so attempted to slapadd from the
> dbase.ldif that I created the other day when things were working. When
> slapadding, I am receiving the following error:
># slapadd -w -q -F /usr/local/openldap/etc/openldap/slapd.d -l
># /usr/local/openldap/etc/openldap/ldif/backup/mm-server2_example_ldap.ldif
> 52f3bb11 olcDbDirectory: value #0: invalid path: No such file or directory
> 52f3bb11 config error processing olcDatabase={1}bdb,cn=config:
> olcDbDirectory: value #0: invalid path: No such file or directory
> slapadd: bad configuration directory!
The database directory you specified for slapd to use in
olcDatabase={1}bdb,cn=config doesn't exist, as it clearly states.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
7 years, 2 months
RE: Syncrepl and mmr
by Quanah Gibson-Mount
--On Monday, February 03, 2014 3:57 PM -0500 "Borresen, John - 0442 -
MITLL" <John.Borresen(a)ll.mit.edu> wrote:
> Hmmmmmmmm,
>
> Taking your advice to reload the secondary from the primary...by creating
> master set of ldifs off of the primary (mm-server1):
>
> On the primary (mm-server1):
># slapcat -F /usr/local/openldap/etc/openldap/slapd.d -l
># backup/example_ldap.ldif -b dc=example,dc=ldap
> 52f000f2 ldif_read_file: checksum error on
> "/usr/local/openldap/etc/openldap/slapd.d/cn=config.ldif" 52f000f2
> bdb_monitor_db_open: monitoring disabled; configure monitor database to
> enable
>
> On the secondary (mm-server2):
> the same command worked...
There is no indication here the command failed. All it is reporting is
that someone modified cn=config.ldif by hand rather than correctly using
ldapmodify.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
7 years, 2 months
Re: OpenLDAP slapd problems - ldap_result: Can't contact LDAP server (-1) result.c:813 --- Low Sensitivity/Aerospace Internal Use Only
by Christian Kratzer
Hi Warron,
On Wed, 5 Feb 2014, Warron S French wrote:
> Low Sensitivity/Aerospace Internal Use Only
>
> Thank you Christian, I don't know how to apply the patch, nor do I know
> where to get it. I will just wait for 2.4.40 to be officially released.
> Do you have any idea when that might be since I posted the issue last
> Thursday? I know this is Open Source code, so I am wondering how long it
> will be before I can continue with my dead-in-the-water project.
I have no idea when the 2.4.40 release will be as I am not associated
with the openldap project or their release management.
Although unless something serious turns up it will probably be a couple
of months as 2.4.39 has just been released a week ago.
As you have been cc:ing the ltb-project people on this list I assume you
are using their packages?
If you are and are willing to compile their source package, then
integrating the patch should not be too hard.
It's just a matter of locating the patch in the git repository and
adding it to the build.
ps: Adding the list back to cc.
Greetings
Christian
> Thanks,
>
> Warron French, MBA, SCSA
>
>
>
> From: Christian Kratzer <ck(a)cksoft.de>
> To: Quanah Gibson-Mount <quanah(a)zimbra.com>,
> Cc: Warron S French <Warron.S.French(a)aero.org>,
> openldap-technical(a)openldap.org, ltb-users(a)mail.ltb-project.org
> Date: 02/04/2014 04:37 PM
> Subject: Re: OpenLDAP slapd problems - ldap_result: Can't contact
> LDAP server (-1) result.c:813 --- Low Sensitivity/Aerospace Internal Use
> Only
>
>
>
> Hi,
>
> On Tue, 4 Feb 2014, Quanah Gibson-Mount wrote:
>> --On Tuesday, February 04, 2014 10:17 PM +0100 Christian Kratzer
>> <ck(a)cksoft.de> wrote:
>>
>>
>>> You should open an ITS for this. I will be glad to add my input once I
>>> see the ITS.
>>
>> There already is an ITS for this, and the fix has already been committed
> for
>> the OpenLDAP 2.4.40 release, or one can grab the patch and apply it to
> their
>> 2.4.39 source and rebuild.
>
> saw your mail after sending. ;(
>
> Greetings
> Christian
>
>
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
7 years, 2 months