openldap-technical March 2014

openldap-technical@openldap.org

89 participants
101 discussions

pam_ldap does not working
by PRAJITH 18 Mar '14

18 Mar '14

Hi, When users with an expired account try to log into PAM (SSH, Su, etc..) there is no warning displayed that the account is expired. The user is also allowed to login normally. In the slapd logging, the following message is displayed: Mar 18 12:46:25 sip slapd[11790]: ppolicy_bind: Entry uid=prajith,ou=people,dc=XXX,dc=XX has an expired password: 0 grace logins In auth log ### Mar 18 23:43:37 chiron-desktop-linux2 login[7411]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=prajith Mar 18 23:43:41 chiron-desktop-linux2 login[7411]: pam_unix(login:session): session opened for user prajith by root(uid=0) ### here is my ldap.conf ######## base dc=XXX,dc=XX uri ldap://XX.XX.XX ldap_version 3 pam_lookup_policy yes pam_password md5 pam_password exop nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,clamav,colord,daemon,dansguardi an,dnsmasq,festival,games,gnats,guest-yRzqOV,hplip,imspector,irc,kernoops,libuuid,libvir t-dnsmasq,libvirt-qemu,lightdm,list,lp,mail,man,messagebus,mysql,new s,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,swift,sync,sys,syslog,usbmux ,uucp,whoopsie,www-data ####### Best Regards, Prajith http://prajith.in --

2 1

lmdb maturity
by Jeff D'Angelo 18 Mar '14

18 Mar '14

Hi folks, Would anyone want to comment on the maturity of lmdb? I've been mostly swayed by the compelling technical arguments for it for most purposes of an instance of OpenLDAP, by whitepapers and benchmarks. I've yet to read many real complaints/known major issues against it. But still today, the manual pages for hdb and lmdb state hdb remains the preferred normal use database backend. There's also the future file [in]compatibility bit in the slapd-mdb man page. Any thoughts on when lmdb may be declared "good enough for production loads" and/or the default recommended backend? Thanks! -- Jeff

2 1

slapd shuts down for no reason
by GALAMBOS Daniel 18 Mar '14

18 Mar '14

Hi, We recently left the debian openldap, and compiled the 2.4.39 and installed on our servers. The old slapd failed multiple times a day, and now the new one too. The log says: Mar 15 07:06:25 ldap1 slapd[2798]: daemon: shutdown requested and initiated. Mar 15 07:06:25 ldap1 slapd[2798]: conn=72598 op=1 DISCONNECT tag=120 err=52 text= ... Mar 15 07:06:25 ldap1 slapd[2798]: conn=72570 op=3 DISCONNECT tag=120 err=52 text= Mar 15 07:06:25 ldap1 slapd[2798]: conn=72583 fd=45 closed (slapd shutdown) .... Mar 15 07:06:25 ldap1 slapd[2798]: conn=72602 fd=59 closed (slapd shutdown) Mar 15 07:06:25 ldap1 slapd[2798]: conn=72603 fd=60 closed (slapd shutdown) Mar 15 07:06:25 ldap1 slapd[2798]: slapd shutdown: waiting for 0 operations/tasks to finish Mar 15 07:06:25 ldap1 slapd[2798]: slapd stopped. I've run out of the ideas. The configure was with the following switches: --enable-crypt --enable-spasswd --enable-modules --enable-ppolicy --enable-syncprov --enable-unique --with-cyrus-sasl using libdb5.1-dev (deb 5.1.29-5) Can you give me some pointers where to search for errors? thanks, Dancsa

6 13

Fw: Salted hashes
by espeake＠oreillyauto.com 18 Mar '14

18 Mar '14

I have been doing some reading on the salted hash and I know that I never setup a salt for servers. We are doing some documentation for our security people and the question came up about the salt and if it differs for each user, or if the same salt is used? Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts (417) 862-2674 Ext. 1975 This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

3 3

Re: Antw: Re: Question on replication files.
by Joshua Schaeffer 18 Mar '14

18 Mar '14

Not to beat a dead horse and not to bash on Debian (personally Debian is the only distro I use), but to further help other people make a decision as to which version they should/may want to install: the slapd package included with Debian or the latest version from source: The Debian community is fully aware of the numerous issues with their OpenLDAP package and acknowledges that it needs work, they have also been asking for help with OpenLDAP for some time (1878 days according to their "work-needing packages" list): openldap (#512360), requested 1878 days ago Description: OpenLDAP server, libraries, and utilities Reverse Depends: 389-admin 389-ds-base 389-ds-base-dev 389-ds-base-libs 389-dsgw adcli alpine am-utils aolserver4-nsldap apache2-bin (200 more omitted) Installations reported by Popcon: 163954 As the entry specifies bug #512360 in the BTS gives additional information about what work is needed: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512360 Thanks, Josh On Mon, Mar 17, 2014 at 11:32 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Monday, March 17, 2014 9:00 AM +0100 Ulrich Windl < > Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > > Dieter Klünter<dieter(a)dkluenter.de> schrieb am 14.03.2014 um 21:50 in >>>>> >>>> Nachricht >> <20140314215009.33f39aee(a)pink.avci.de>: >> >>> Am Fri, 14 Mar 2014 09:27:10 +0100 >>> schrieb "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de>: >>> >>> >>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 13.03.2014 um >>>> >>> 19:03 in >>>> Nachricht <34E9E18C6D0A7C6D92162635(a)[192.168.1.46]>: >>>> > --On Thursday, March 13, 2014 1:56 PM -0500 espeake(a)oreillyauto.com >>>> > wrote: >>>> > >>>> >> Version 2.4.31-1+nmu2 >>>> >> >>>> >> Plain syncrepl. >>>> >> >>>> >> As I said I hope to be upgrading to the latest version in the next >>>> >> couple of months. Right now I need to get through this problem >>>> >> the best I can. >>>> > >>>> > Known issue with 2.4.31. Solution is to upgrade and stop using the >>>> > crap shipped by Debian. The LTB project now has a deb repository >>>> > for their builds, I'd advise investigating switching to using it. >>>> >>>> >> A: >> One could also file a bug report for Debian, I guess. >> >>> >>> >> B: > Rubbish, have you ever seen a Debian or Ubuntu maintainer posting to >> >>> this mailing list? >>> >> >> C: > Actually there is no qualified Debian or Ubuntu maintainer. >> >> What has A to do with B, and how can you conclude C from A or B? >> > > B obviously has to do with A. A qualified maintainer would maintain some > presence with the upstream project. > > C you can conclude from years of interacting with the Debian project, like > I have. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Architect - Server > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

3 2

RE: slapd shuts down for no reason
by Christian Kratzer 18 Mar '14

18 Mar '14

Hi, On Tue, 18 Mar 2014, Borresen, John - 0442 - MITLL wrote: > Only for logrotate. of which logs exactly ? > The -HUP in the logrotate.conf was not working. Even > on the command line kill the slapd process with a -HUP was not working. > Putting the /etc/init.d/slapd stop; sleep 5, /etc/init.d/slapd start does > make sense when nothing else was working. We tried numerous different > iterations, this was the only thing that worked for us. It worked...so, > thus it makes sense. restarting slapd does not make sense for syslog aus syslog has the file handle open, not slapd. >From my understanding it also does not make sense for auditlog. Greetings Christian > > -----Original Message----- > From: Christian Kratzer [mailto:ck-lists@cksoft.de] > Sent: Tuesday, March 18, 2014 8:51 AM > To: Borresen, John - 0442 - MITLL > Cc: Hallvard Breien Furuseth; openldap-technical(a)openldap.org > Subject: RE: slapd shuts down for no reason > > Hi, > > On Tue, 18 Mar 2014, Borresen, John - 0442 - MITLL wrote: > >> Fall back to legacy unix...sorry logrotate is more appropriate. Yes, >> yours is very similar to how ours looked and it would stop the daemon >> fine, and rotate the log but would not restart. I modified it to look > like this: >> >> .... >> /etc/init.d/slapd stop; sleep 5; /etc/init.d/slapd start > > why are you stopping and starting slapd ? This does not make any sense. > > Greetings > Christian > >> .... >> >> Commenting out the "/bin/kill -s HUP syslogd". >> >> Now, it does what it is supposed to do. >> >> John >> >> -----Original Message----- >> From: Hallvard Breien Furuseth [mailto:h.b.furuseth@usit.uio.no] >> Sent: Tuesday, March 18, 2014 4:26 AM >> To: Borresen, John - 0442 - MITLL >> Cc: openldap-technical(a)openldap.org >> Subject: RE: slapd shuts down for no reason >> >> On Mon, 2014-03-17 at 08:30 -0400, Borresen, John - 0442 - MITLL wrote: >>> We had a similar issue a few months back. I discovered that it was >>> dying at about the same time. Come to find out it was syslog >>> rotation that was doing it. Syslog sends a HUP signal to rotate the >>> logs and restart a daemon. I had to put a sleep statement in the syslog > for slapd. >> >> Your syslog rotates logs? On our host (RedHat) it's logrotate which >> does that. And it's logrotate which must kill -HUP syslogd, to make >> syslogd close and reopen the log. From logrotate.conf: >> >> notifempty >> missingok >> create 0640 ldap cerebrum >> start 0 >> >> /ldap/log/syslog/openldap.log { >> size=250M >> rotate 2500 >> compress >> delaycompress >> lastaction >> /bin/kill -s HUP syslogd >> endscript >> } >> >> > > -- Christian Kratzer CK Software GmbH Email: ck(a)cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer Web: http://www.cksoft.de/

1 0

Re: Antw: Re: Question on replication files.
by Quanah Gibson-Mount 17 Mar '14

17 Mar '14

--On Monday, March 17, 2014 9:00 AM +0100 Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: >>>> Dieter Klünter<dieter(a)dkluenter.de> schrieb am 14.03.2014 um 21:50 in > Nachricht > <20140314215009.33f39aee(a)pink.avci.de>: >> Am Fri, 14 Mar 2014 09:27:10 +0100 >> schrieb "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de>: >> >>> >>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 13.03.2014 um >>> >>> 19:03 in >>> Nachricht <34E9E18C6D0A7C6D92162635(a)[192.168.1.46]>: >>> > --On Thursday, March 13, 2014 1:56 PM -0500 espeake(a)oreillyauto.com >>> > wrote: >>> > >>> >> Version 2.4.31-1+nmu2 >>> >> >>> >> Plain syncrepl. >>> >> >>> >> As I said I hope to be upgrading to the latest version in the next >>> >> couple of months. Right now I need to get through this problem >>> >> the best I can. >>> > >>> > Known issue with 2.4.31. Solution is to upgrade and stop using the >>> > crap shipped by Debian. The LTB project now has a deb repository >>> > for their builds, I'd advise investigating switching to using it. >>> > > A: >> One could also file a bug report for Debian, I guess. >> > > B: > Rubbish, have you ever seen a Debian or Ubuntu maintainer posting to >> this mailing list? > > C: > Actually there is no qualified Debian or Ubuntu maintainer. > > What has A to do with B, and how can you conclude C from A or B? B obviously has to do with A. A qualified maintainer would maintain some presence with the upstream project. C you can conclude from years of interacting with the Debian project, like I have. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

public ssh key access
by Ivan Upsons 17 Mar '14

17 Mar '14

dear all, i have openldap 2.4 running and phpldapadmin configured. one challenge i am facing is on how to include ssh keys to aid my authentication. i am running ubuntu 12.04. any ideas on how to go about this? Kind Regards Ivan

2 1

Question on replication files.
by espeake＠oreillyauto.com 17 Mar '14

17 Mar '14

We are having an issue with some users not replicating to all of servers. I have MMR setup with three nodes and there are a few times that a user is has an attribute changed, i.e. supervisor, and the change is replicated to one server and not to another. So the information is correct on 2 of 3 servers. My question is this after running a very long diff against two ldif's created by slapcat of the replication database. Shouldn't the replication databases be the same? The issues do happen with every change and every user, just a few times. I am n ot on the latest version and I cannot upgrade to the latest version with a better kernel until our staff upgrades our VM server due to migration issues with the kernel I would like have. We are on ubuntu 12.04 and if we can get the VM server updated soon we will start testing 14.04 when it is released. Any suggestions on a good way to test besides the obvious of turning on logging for sync which I have done in out test environment for now. Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts (417) 862-2674 Ext. 1975 This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

5 10

two entries, the same attribute
by Friedrich Locke 15 Mar '14

15 Mar '14

Hi folks, i am planning to use opendalp to build my email infra structure. What happens is two users (two entries) hold the same email address ? Thanks in advance. Best regards, gustavo.

5 5

← Newer
1
2
3
4
5
6
7
8
...
11
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2014