March 2014 - openldap-technical

by "POISSON Frédéric"

Hello, I'm trying to build mdb tools (mdb_stat and mdb_copy inside libraries/liblmdb directory) on a Solaris 10 SPARC operating system with OpenLDAP 2.4.39. Is there some requirements for building the tools on this OS because i have a error during build ? Here is my result (while i do not set any specific gcc flags) : # make ... gcc -pthreads -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast mdb_stat.o liblmdb.a -o mdb_stat Undefined first referenced symbol in file fdatasync liblmdb.a(mdb.o) ld: fatal: Symbol referencing errors. No output written to mdb_stat collect2: ld returned 1 exit status *** Error code 1 make: Fatal error: Command failed for target `mdb_stat' # Notice that i use a gcc 3.4.3 and gcc option "-pthread" do not exist for this gcc release, i had to replace it by "-pthreads". I try to read mdb.c for any specific options but i don't find anything... Notice also that i succeed to build OpenLDAP 2.4.39 with my Solaris 10 environment. Thanks, -- Frederic Poisson

9 years, 6 months

5
5
0 / 0

Re : Re: Build mdb tools

by "POISSON Frédéric"

Hello, Thanks for the answer, i build it without errors. I have patched the Makefile by for my Solaris 10 with gcc 3.4.3 : - replacing "-pthread" by "-pthreads", - add "-lrt" to OPT parameter. Regards, Le 20/03/14, Howard Chu <hyc(a)symas.com> a écrit : > "POISSON Frédéric" wrote: > >Hello, > > > >I'm trying to build mdb tools (mdb_stat and mdb_copy inside libraries/liblmdb > >directory) on a Solaris 10 SPARC operating system with OpenLDAP 2.4.39. > > > >Is there some requirements for building the tools on this OS because i have a > >error during build ? > > > >Here is my result (while i do not set any specific gcc flags) : > ># make > >... > >gcc -pthreads -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast > >mdb_stat.o liblmdb.a -o mdb_stat > >Undefined first referenced > > symbol in file > >fdatasync liblmdb.a(mdb.o) > >ld: fatal: Symbol referencing errors. No output written to mdb_stat > >collect2: ld returned 1 exit status > >*** Error code 1 > >make: Fatal error: Command failed for target `mdb_stat' > ># > > Read the Solaris manpage for fdatasync. > > The requirement for building on any given OS is that you know your own OS. > > >Notice that i use a gcc 3.4.3 and gcc option "-pthread" do not exist for this > >gcc release, i had to replace it by "-pthreads". I try to read mdb.c for any > >specific options but i don't find anything... > > > >Notice also that i succeed to build OpenLDAP 2.4.39 with my Solaris 10 > >environment. > > > >Thanks, > >-- > > > >*Frederic Poisson* > > > > > > > > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ > > > -- Frederic Poisson

9 years, 6 months

1
0
0 / 0

Re: Slave not able to update master pwdFailureTime via chain.

by Esteban Pereira

I've never configured this kind of architecture, but as far as I know the ppolicy, I think my first thought configuring this would have been to not rebind as user because the attribute modified is an operational one which need the manage right (not sure about that) So I should have configured this with the replication user with manage right and without rebinding as a user when chaining to the master. Hope this help On Thu, Mar 20, 2014 at 6:14 PM, Brad dameron <serpent6877(a)hotmail.com>wrote: > I understand what you are saying. But this is what the > ppolicy_forward_updates says: > > ppolicy_forward_updates > Specify that policy state changes that result from Bind operations (such as recording > failures, lockout, etc.) on a consumer should be forwarded to a master instead of > being written directly into the consumer’s local database. This setting is only use‐ > ful on a replication consumer, and also requires the updateref setting and chain > overlay to be appropriately configured. > > So when a password failure occurs "pwdFailureTime" it relays it to the master as the user doing a MOD > from what I have seen in my logs. And thus the user doesn't have access to modify this attribute. > > Brad > > > > ------------------------------ > Date: Thu, 20 Mar 2014 12:13:02 +0100 > Subject: Re: Slave not able to update master pwdFailureTime via chain. > From: esteban.pereira(a)gepsit.fr > To: serpent6877(a)hotmail.com > CC: openldap-technical(a)openldap.org > > > Hi Brad, > > pwdFailureTime is an operational attribute, I don't think any user can > modify it on any instance. May be you should try to modify it on the master > to see if it comes from this assumption. > > Esteban > > > On Thu, Mar 20, 2014 at 11:33 AM, Brad dameron <serpent6877(a)hotmail.com>wrote: > > OpenLDAP 2.4.23-26 on CentOS 5. I am trying to get the pwdFailureTime > updated on the master when the slave recieves a password failure. Here is > my config. It's pretty simple and basic. No TLS. > > Master: > > access to attrs=userPassword > by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write > by dn.exact="cn=replication,dc=test,dc=net" read > by self write > by anonymous auth > by * none > access to * > by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write > by dn.exact="cn=replication,dc=test,dc=net" write > by self write > by users read > by anonymous read > by * none > > > > Slave: > > overlay chain > chain-uri ldap://172.16.0.84:389 > chain-rebind-as-user TRUE > chain-idassert-bind bindmethod=simple > binddn="cn=replication,dc=test,dc=net" > credentials="MyPasswd" > mode="self" > chain-return-error TRUE > > # Password Policy > overlay ppolicy > ppolicy_default "cn=default,ou=Policies,dc=test,dc=net > ppolicy_use_lockout > ppolicy_forward_updates > > > # Slave Replication > syncrepl rid=101 > provider=ldap://172.16.0.84:389 > type=refreshAndPersist > interval=00:00:01:00 > retry="60 10 300 +" > searchbase="dc=test,dc=net" > schemachecking=off > bindmethod=simple > binddn="cn=replication,dc=test,dc=net" > credentials="MyPasswd" > updateref "ldap://172.16.0.84:389" > > > > I see the connection on the master but it gives a permission error: > > > Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD > dn="cn=testuser,ou=People,dc=test,dc=net" > Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD > attr=pwdFailureTime > Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 RESULT tag=103 > err=50 text= > > > I read that you maybe need authzTo added to the binddn for the chain? Or > is this only for TLS? > > I tried adding this ldif: > > dn: cn=replication,dc=test,dc=net > changetype: modify > add: authzTo > authzTo: * > > And even set the: > > chain-idassert-authzFrom "*" > > in the chain. But it always gives me the error code 50 not enough > permissions. I believe it is supposed to give access to the user to MOD the > pwdFailureTime tribute knowing it is coming from a relay. But I can't find > very specific docs on this or see what is wrong. Any help apreciated. > > Thanks, > Brad > > >

9 years, 6 months

1
0
0 / 0

Cups Schema

by Borresen, John - 0442 - MITLL

Hopefully, someone can point me in the correct direction. Forgive me if this falls into the category of "What is the color of George Washington's white horse?" But, I want to do this in the correct way. Using this schema: # Definitions for a schema to store CUPS printer information in LDAP # OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) me(5323) cupsSchema(22) # Syntaxes are under 1.3.6.1.4.1.5323.22.0 # Attributes are under 1.3.6.1.4.1.5323.22.1 # Object Classes are under 1.3.6.1.4.1.5323.22.2 attributetype ( 1.3.6.1.4.1.5323.22.1.1 NAME 'printerDescription' DESC 'Description of Printer' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.5323.22.1.2 NAME 'printerURI' DESC 'CUPS style URI for printer' EQUALITY caseExactIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.5323.22.1.3 NAME 'printerLocation' DESC 'Identifier string for Printer Location' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.5323.22.1.4 NAME 'printerMakeAndModel' DESC 'String CUPS uses to figure out driver' EQUALITY caseExactMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetype ( 1.3.6.1.4.1.5323.22.1.5 NAME 'printerType' DESC 'Integer CUPS uses to figure out type' EQUALITY integerMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) objectclass ( 1.3.6.1.4.1.5323.22.2.1 NAME 'cupsPrinter' SUP top AUXILIARY MUST ( printerDescription $ printerURI $ printerLocation $ printerMakeAndModel $ printerType ) ) There is no Structural ObjectClass defined specifically in this schema. Would I use the same ObjectClass as I used to define Hosts, it is a network device. Thanks, John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Surveillance Systems Group 244 Wood St Lexington, MA 02420 Email: john.borresen(a)ll.mit.edu

9 years, 6 months

3
2
0 / 0

Slave not able to update master pwdFailureTime via chain.

by Brad dameron

OpenLDAP 2.4.23-26 on CentOS 5. I am trying to get the pwdFailureTime updated on the master when the slave recieves a password failure. Here is my config. It's pretty simple and basic. No TLS. Master: access to attrs=userPassword by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write by dn.exact="cn=replication,dc=test,dc=net" read by self write by anonymous auth by * none access to * by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write by dn.exact="cn=replication,dc=test,dc=net" write by self write by users read by anonymous read by * none Slave: overlay chain chain-uri ldap://172.16.0.84:389 chain-rebind-as-user TRUE chain-idassert-bind bindmethod=simple binddn="cn=replication,dc=test,dc=net" credentials="MyPasswd" mode="self" chain-return-error TRUE # Password Policy overlay ppolicy ppolicy_default "cn=default,ou=Policies,dc=test,dc=net ppolicy_use_lockout ppolicy_forward_updates # Slave Replication syncrepl rid=101 provider=ldap://172.16.0.84:389 type=refreshAndPersist interval=00:00:01:00 retry="60 10 300 +" searchbase="dc=test,dc=net" schemachecking=off bindmethod=simple binddn="cn=replication,dc=test,dc=net" credentials="MyPasswd" updateref "ldap://172.16.0.84:389" I see the connection on the master but it gives a permission error: Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD dn="cn=testuser,ou=People,dc=test,dc=net" Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD attr=pwdFailureTime Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 RESULT tag=103 err=50 text= I read that you maybe need authzTo added to the binddn for the chain? Or is this only for TLS? I tried adding this ldif: dn: cn=replication,dc=test,dc=net changetype: modify add: authzTo authzTo: * And even set the: chain-idassert-authzFrom "*" in the chain. But it always gives me the error code 50 not enough permissions. I believe it is supposed to give access to the user to MOD the pwdFailureTime tribute knowing it is coming from a relay. But I can't find very specific docs on this or see what is wrong. Any help apreciated. Thanks, Brad

9 years, 6 months

2
1
0 / 0

mdb and bdb

by Friedrich Locke

Hi folks! I wonder if, with the increased interest on mdb, the support for bdb will be removed in a near future. Thanks a lot.

9 years, 6 months

6
12
0 / 0

openldap 2.4(slave) replication to openldap2.3(provider not working

by Andrew Belford

Hi All I have just registered on the mail list seeking for assistance of how to get openldap replication working between 2.3 and 2.4 openldap. My provider is running on 2.3(openldap) which replicates successfully to a 2.3(openldap slave). Recently we build a rhel6 host that comes with openldap 2.4 with the intention to run openldap on it as slave. I have stand up the new slave(2.4 openldap) using the same configuration of the other running slave(2.3openldap) I have managed to slapadd the ldif of the master to the new slave slapadd -l /tmp/AAA01_20140314.ldif However, if I try and search for entries, it shows the following but I am expecting 32K objects [root@vm-nix-t01 ldap]# ldapsearch -x -h 127.0.0.1 "Objectclass=*" 1:1 # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: Objectclass=* # requesting: 1:1 # # search result search: 2 result: 32 No such object I also don't see any replication details in /var/log/slapd.log Could you please show me some troubleshooting directions here regards

9 years, 6 months

2
3
0 / 0

Re: mdb and bdb

by Jeff D'Angelo

On 3/19/14 1:29 PM, Howard Chu wrote: > Quanah Gibson-Mount wrote: >> --On Wednesday, March 19, 2014 9:16 AM -0300 Friedrich Locke >> <friedrich.locke(a)gmail.com> wrote: >> >>> >>> >>> >>> Hi folks! >>> >>> I wonder if, with the increased interest on mdb, the support for bdb >>> will >>> be removed in a near future. >>> >>> Thanks a lot. > > See the slides from LDAPCon 2013. http://lanyrd.com/2013/ldapcon/sckyhk/ > > Since Oracle has changed the license of BDB 6 to AGPLv3, most network > services that used BDB will be required to migrate away from it. (This > also affects Cyrus SASL and Heimdal Kerberos, but we already wrote LMDB > drivers for them 3 years ago.) And since BDB is now technologically > obsolete anyway, there's no reason to continue to support it. Thanks for the explanation. Do you expect the statement in slapd-bdb(5), "hdb is the recommended primary database backend," to be revised and/or relaxed in 2.4? Based on the man pages, there are some who read the inverse to be true, that mdb is not (yet) recommended as the primary database backend, or even a reliable option. Or is that still the case? My current read from this discussion is that the recommendation has already flipped, but not yet officially in the documentation. Just wanted to make sure. Thanks! >> Hi Friedrich, >> >> bdb and hdb will still exist, but be disabled by default in configure, >> with >> OpenLDAP 2.5. Removal would be slated for OpenLDAP 2.6. > > -- Jeff

9 years, 6 months

1
0
0 / 0

LDAP Manager

by Julien Courtès

Hey, I want to know if it's possible to setup manager in LDAP. I mean an user can have access to others account and change informations such as password for example. One manager can have rights on 2 users to change password. But the manager don't have rights to change informations of other users and only have rights in a single OU. Do I have to use ACL or there is an other way to do it? Thanks, Julien Courtès

9 years, 6 months

2
1
0 / 0

Re: Question on replication files.

by Quanah Gibson-Mount

--On Friday, March 14, 2014 2:07 PM +0100 Marc Haber <mh+openldap-technical(a)zugschlus.de> wrote: > On Thu, Mar 13, 2014 at 11:03:22AM -0700, Quanah Gibson-Mount wrote: >> Known issue with 2.4.31. Solution is to upgrade and stop using the >> crap shipped by Debian. > > Please watch your language: it was the OpenLDAP project that released > this "crap" a while ago. Debian makes very specific decisions to: a) Not update what they ship to address known issues (The debian openldap package list is littered with bug reports with pointers to the upstream ITSes) b) Link to a TLS implementation that is known to be utterly flawed (<https://symas.com/software-design-and-trustworthiness/>) So don't try and lecture me about the decisions made by Debian. What they ship is crap, and what they ship could be fixed to not be crap. End of story. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 6 months

3
5
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2014