openldap-technical May 2014

openldap-technical@openldap.org

68 participants
68 discussions

On-disk-format of back-mdb depends on LDAP syntax?
by Michael Ströder 29 May '14

29 May '14

HI! Does the on-disk-format of back-mdb depends on which LDAP syntax is used for an attribute? So if the LDAP syntax for an an existing attribute would change I have to reimport the MDB? Background: I've changed (as a work-around for a broken client software) the LDAP syntax of a custom attribute from Boolean to IA5String. After that I could still read the attribute. But when deleting the attribute slapd returned noSuchAttribute(16). I had to remove the whole entry. BTW: No index configured this attribute. Ciao, Michael.

2 3

Making sure this is a real issue before I submit it
by Mark Henning 29 May '14

29 May '14

Good Afternoon, I am in the process of building an LDAP schema which has a number of attributes which will be constrained to specific values. I have run into an issue where slaptest will build the ldif file without syntax errors, but when slapd starts up it can't find the X-ENUM syntax defined in the same file. # service slapd start Checking configuration files for slapd: [FAILED] olcAttributeTypes: value #0 olcAttributeTypes: Syntax not found: "1.3.6.1.4.1.39235.2.3.500" config error processing cn={5}test,cn=schema,cn=config: olcAttributeTypes: Syntax not found: "1.3.6.1.4.1.39235.2.3.500" slaptest: bad configuration file! [root@DNEAA18S2 openldap]# slapd -V @(#) $OpenLDAP: slapd 2.4.23 (Jan 28 2014 09:30:02) $ mockbuild(a)x86-022.build.eng.bos.redhat.com: /builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd I have simplified the problem to a single syntax, attribute and object class. The .schema file and resulting ldif are attached. Is this a legitimate issue to report, or have I made some subtle syntax / contextual error that is preventing the attribute from finding the syntax? Cordially, -Mark Henning

2 1

Use active directory to check password but keep all user data in LDAP
by Mattias Segerdahl 28 May '14

28 May '14

Hello, I was wondering if it is possible to configure OpenLDAP 2.4 to only check the password validation with Active Directory and have the rest of the user attributes, such as mail, loginShell, homeDirectory, etc. come from OpenLDAP? Any pointers, guides, howto’s or even “let me google that for you” are highly appreciated. Cheers Mattias

5 4

RDN
by Artur Nike 27 May '14

27 May '14

Hi all, Is the suffix dc=example,dc=com in tree is a valid rdn ? and whether the drawing http://www.zytrax.com/books/ldap/ch2/dit-dn-rdn.pngis correct? Regards Mariusz

5 6

Fwd: Re: ldapsearch utf-8 results
by Nicolas Cauchie 27 May '14

27 May '14

Le 26/05/2014 10:02, Matthias Apitz a écrit : > El día Monday, May 26, 2014 a las 09:18:38AM +0200, Nicolas Cauchie escribió: > >> Hello there >> I use a Debian 7.4 server with ldapsearch to search data about users >> on an Active Directory database. >> When a result of a search contains specials characters (such as é, >> è, à), no result is given, but if I delete special characters to the >> user profile, it works. >> How could I make it work with special caracters (guess it's a UTF-8 >> problem ?) ? >> Thanks in advance >> Nicolas > Hi Nicolas, > > Are you sure that no results are returned? Can you show the output of a > ldapsearch cmd-line tool? I saw that in the result values are encoded if > they contain non ASCII chars. > > matthias Yes, I wrote it in a previous answer. The result is base64 encoded if "-t" switch is not used, or sent to a temp file if this switch is used. But in both cases, I can't use the result "as is" without another manipulation, but i'm stuck.. Thanks signature -----

4 5

New LDAP installation ?
by Michael Maymann 27 May '14

27 May '14

Hi List, I'm new to setting up LDAP so please be nice... :) I would like to achieve: - SingleSignOn using AD username/password on my Linux servers (currently we are running NIS) - use strong encryption (very least no username/passwords in clear text) - be able to keep current NIS uid/gid(s) - use autofs on my linux servers - For my purpose - would I need to populate/maintain a LDAP tree or would other tools e.g. winbind be sufficient ? - Does anyone have experience with puppet module torian-ldap that could give an example of their manifest ? Thanks in advance :) ! Br. ~maymann

1 0

Locale dependent collation for server side sorting
by Jonas Israelsson 26 May '14

26 May '14

Greetings. We have some challenges regarding Server Side Sorting, where is does not really sort the way we want it to. In UTF-8 the character Ä/ä (c3 85/c3 a4) comes before Å/å (c3 84/c3 a5) whereas in our (swedish) alphabetic order it should be the other way around. Server Side Sorting seem to blindly fall back on the sorting order of UTF-8 isrjo@svarde:~> ldapsearch -E 'sss=sn:caseIgnoreOrderingMatch' -x -H ldaps://myserver:636 -D uid=myuser,ou=applications,o=myorg -w mypass -b ou=people,o=myorg -s sub gn=sortme sn gn description # extended LDIF # # LDAPv3 # base <ou=people,o=myorg> with scope subtree # filter: gn=sortme # requesting: sn gn description # with server side sorting control # # angla, people, Myorg dn:uid=angla,ou=people,o=Myorg givenName: sortme sn:: w4RuZ2x1bmQ= description: SN BEGINNING WITH LATIN CAPITAL LETTER A WITH DIAERESIS # 19f98ab4-7beb-4703-82ec-df970944ef30, people, Myorg dn: cn=19f98ab4-7beb-4703-82ec-df970944ef30,ou=people,o=Myorg sn:: w4VrZXNzb24= givenName: sortme description: SN BIGGING WITH LATIN CAPITAL LETTER A WITH RING ABOVE # search result search: 2 result: 0 Success control: 1.2.840.113556.1.4.474 false MAMKAQA= sortResult: (0) Success # numResponses: 3 # numEntries: 2 I fail in openldap to find any matching rule or any other way such as setting the locale before starting the slapd daemon that changes the sorting order. Does anyone know if it is possible to specify a locale dependent collation for server side sorting? Rgds Jonas

3 4

Fwd: Re: ldapsearch utf-8 results
by Nicolas Cauchie 26 May '14

26 May '14

Le 26/05/2014 09:51, Howard Chu a écrit : > Nicolas wrote: >>> Hello there >>> >>> I use a Debian 7.4 server with ldapsearch to search data about users >>> on an >>> Active Directory database. >>> >>> When a result of a search contains specials characters (such as é, >>> è, à), no >>> result is given, but if I delete special characters to the user >>> profile, it >>> works. >>> >>> How could I make it work with special caracters (guess it's a UTF-8 >>> problem ?) ? >>> >>> Thanks in advance >>> >>> Nicolas >>> -- >>> signature ----- >>> >>> >>> >> No one could help me ? > > Sounds like a question for Microsoft. The OpenLDAP ldapsearch command > prints out whatever data it receives from the remote server. If the > remote server isn't sending you what you expect, then get help from > that server's support team. > Hello, (including others users reply) I just found one thing (obviously, you know it, not me...): - When a result containing specials caracters and when I use "-t" switch, my result is sent to a file under /tmp folder : the result is well-readable, with every accent everywhere they should be : it fits me. - When a result containing specials caracters and when I don't use "-t" switch, the result is base64 encoded. So, I have 2 solutions : - Read the /tmp/*.file and export the content to my scripts variable, but I can't guess the name of this file : for example, there's the name of a company's user search : "ldapsearch-company-_8K2vOo_" - Decode the result wich was base64 encoded, but I can't guess if the result will contain special caracter or not. And if i decode a string wich doesn't contain special caracters, it crashes, telling me it's not base64 content... What must I do ? Thanks a lot guys Nicolas

1 0

posixgroups vs groupofnames
by Doug OLeary 25 May '14

25 May '14

Hey; Here's the end goal: Have the ability to have posixgroup style support for gid <-> group_name translation and the ability to use memberof style searches without data duplication. In short: # ldapsearch -xLLL -s sub '(uid=doleary)' memberof dn: uid=doleary,ou=users,dc=oci,dc=com memberOf: cn=infra,ou=groups,dc=oci,dc=com memberOf: cn=ldap-Administrators,ou=groups,dc=oci,dc=com memberOf: cn=infosec,ou=groups,dc=oci,dc=com memberOf: cn=dba,ou=groups,dc=oci,dc=com and # groups doleary doleary : ldap-users ldap-Administrators infosec infra Using a standard rfc2307 install, the only way I was able to get there was by having duplicate groups, one posix and one groupofnames. I've been playing around with rfc2307bis the last few days. While I'm able to have one group, in order to support the desired functionality, I still have to have two member types in that group - member and memberuid: # ldap -search cn=infra ----------------------------------------------------------------------- dn:cn=infra,ou=groups,dc=oci,dc=com cn: infra objectClass: top groupOfNames posixGroup member: cn=admin,dc=oci,dc=com uid=doleary,ou=users,dc=oci,dc=com description: System Admins gidNumber: 610 memberUid: doleary Short version: is there a way to achieve this ability without duplicating data? Any info greatly appreciated. Thanks for your time. Doug O'Leary ------------ Senior UNIX/Security Admin CISSP, CISA, RHCE, CEH O'Leary Computers Inc dkoleary(a)olearycomputers.com (w) 630-904-6098 (c) 630-248-2749 linkedin: http://www.linkedin.com/in/dkoleary resume: http://www.olearycomputers.com/resume.html

2 3

Recovering a multi-master node after a server failure
by Richard Marshall 22 May '14

22 May '14

Hi, We have a multi master (2-node) cluster running 2.4.23 on CentOS 6. We're effectively using them as a failover active-standby pair. The 'Master' node failed last night and we failed over to the standby (they're behind a load balancer). I am now trying to bring the old 'Master' back online but it has become apparent there was a misconfiguration in the server id config. We did have 'Master' = serverid 1 and 'slave' = serverid 2 - i.e. it was missing the servers URI. I have now fixed this, but we have around 500 objects on the old master reporting " changed by peer, ignored in the sync log. The old master will get up to the latest CSN number after I restart it, but then get stuck with these " changed by peer, ignored" errors. My question is, how do I get past this? Is it possible to remove the objects and if so how (I don't want to delete them totally, just remove the conflict). Or, do I need to rebuild the 'old' master server database? If so, is the process to stop slapd, remove the content of the database and accesslog directories. Create an ldif export on the live server, slapadd that file back on to the 'old' master, start it and then allow it to replicate any new changes from it's partner? If this is the only way to do it, is there anything I need to look out for? If not this, then what do I do? I've looked but can't find any guidelines in how to recover a failed node. Any help appreciated! Thanks, Rich

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2014