openldap-technical May 2014

openldap-technical@openldap.org

68 participants
68 discussions

replica of schema info
by Francesco Malvezzi 16 May '14

16 May '14

good morning, I would like to be able to replicate the schema info only from cn=config. I tried to add the olcSyncrepl to cn=schema dn: cn=schema,cn=config changetype: modify add: olcSyncrepl olcSyncrepl: .... but doesn't work: <olcSyncrepl> only allowed within database declaration I tried to push a whole new olcDatabase={0}config (next step would be to add glue overlay to olcDatabase={1}config,cn=config) dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break olcAccess: {1}to dn.base="cn=config" by * none olcSuffix: cn=schema,cn=config olcRootDN: cn=admin,cn=schema,cn=config olcRootPW:: e1NTSEF9bnNNYkxIMFhFTm0zaXA5N0JXaHRVb3RwTlRsRXRxNTA= olcMonitoring: FALSE olcSyncrepl: .... but it doesn't work: olcSuffix: value #0: suffix <cn=schema,cn=config> not allowed in config database. It does work to add olcSyncrepl to olcDatabase={0}config,cn=config with a filter like: olcSyncrepl: {0}rid=001 provider=... binddn=... bindmethod=simple search base="cn=schema,cn=config" filter="(!(cn=core))" but then the whole olcDatabase={0}config,cn=config becomes a shadow context and I'm unable to ldapmodify anything (olcLoglevel for example). What am I missing? thank you for reading me, Francesco

2 5

Need Schema for aci attribute
by neel 16 May '14

16 May '14

Hi, I have compiled and configured OpenLDAP 2.4.39 with ACI. I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined" Can you please provide schema for aci attribute? Regards Neelesh

7 20

[LMDB] Choosing right environment flags
by Alain 14 May '14

14 May '14

I need to better understand the best way to configure the various environment flags related to sync and map. When we converted from BDB to LMDB, we instinctively kept #MDB_NOSYNC true. This proved to make the database subject to corruption if it was killed or stopped too harshly. It also had the effect on Windows at least to make Windows gradually use up all available RAM for the memory mapped file and to bring the server to its knees. After carefully reading the documentation about leaving "the system with no hint for when to write transactions to disk" when MDB_NOSYNC was turned on, we completely went without setting any options. The results were that we can't corrupt the database, but the speed degradation makes this approach unusable, as we are very heavily write focused (at least in this part of our process, where we perform analysis and load the database with 100's millions of records). In looking at the documentation I'm tempted to try MDB_WRITEMAP with MDB_MAPASYNC but do I then need to also issue some manual mdb_env_sync and if so at what frequency and what should trigger this? What are best practices combinations of those flags here. We absolutely can't afford database corruption, but we can deal with one (or maybe more with some re-design) transactions that are lost. Please guide us. Thanks Alain

2 1

password policy module memory leaks / excessive replication?
by Paul B. Henson 13 May '14

13 May '14

I've been testing the password policy module lately. I updated our development LDAP infrastructure Monday, basically loading and enabling the module, adding a default policy: dn: cn=default,ou=ppolicy,dc=csupomona,dc=edu cn: default objectClass: organizationalRole objectClass: pwdPolicy pwdAttribute: userPassword pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxFailure: 100 pwdFailureCountInterval: 300 And a policy specific for service accounts: dn: cn=serviceaccount,ou=ppolicy,dc=csupomona,dc=edu cn: serviceaccount objectClass: organizationalRole objectClass: pwdPolicy pwdAttribute: userPassword After some initial testing and determining that the current implementation is not suitable for account lockouts, I haven't touched it since Monday. Yesterday, I started getting alerts that the systems were low on memory, and upon looking, found extremely bloated slapd processes. Next, I started getting alerts that the accesslog mdb was running out of space. Upon investigation, I found that the service account that is used to gather statistics was generating a considerable amount of churn every time it authenticated (every 30 seconds). This account was explicitly configured to use the service account password policy: dn: cn=slapd-monitor,ou=user,ou=service,dc=csupomona,dc=edu objectClass: person cn: slapd-monitor sn: LDAP monitoring account pwdPolicySubentry: cn=serviceaccount,ou=ppolicy,dc=csupomona,dc=edu Which should be pretty much "do nothing". (I realize now that this policy will actually result in pwdFailureTime entries being created for failed authentications, and accumulating forever until a successful authentication, but there are no failed authentications for this service account, only successful ones, in this case). There were 1662836 entries in the access log for this dn since Monday that as far as I can tell solely change the CSN: dn: reqStart=20140502031556.000000Z,cn=accesslog objectClass: auditModify structuralObjectClass: auditModify reqStart: 20140502031556.000000Z reqEnd: 20140502031558.000000Z reqType: modify reqSession: 2 reqAuthzID: cn=ldaproot,dc=csupomona,dc=edu reqDN: cn=slapd-monitor,ou=user,ou=service,dc=csupomona,dc=edu reqResult: 0 reqMod: entryCSN:= 20140501211559.348458Z#000000#003#000000 reqMod: modifiersName:= cn=ldaproot,dc=csupomona,dc=edu reqMod: modifyTimestamp:= 20140501211559Z reqEntryUUID: c16729b0-ce1e-4f9d-9123-e0b8f115133c entryUUID: 240ec245-0bac-4e20-b387-19243f720674 creatorsName: cn=accesslog createTimestamp: 20140501211559Z entryCSN: 20140501211559.348458Z#000000#003#000000 modifiersName: cn=accesslog modifyTimestamp: 20140501211559Z This explains why the accesslog was running out of space, it was full of these. It doesn't explain why the slapd process exploded in memory use, unless I suppose the steady-state memory usage of a slapd this busy processing replication is higher than one that's not quite so busy. But I'm confused as to why loading the password policy module, for an account with a policy configured to pretty much not do anything, results in a modification of the CSN for every authentication? I'm going to go peruse the source code to see if I can determine what's going on, but any expert opinions would be most welcome. Thanks much.

3 21

autoreconf failing with automake errors
by rajesh＠linux.vnet.ibm.com 13 May '14

13 May '14

Hi, I am trying to build the openldap package from the source following the release tarball from ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.39.tgz. I am building this package in a new architecture ppc64le ( IBM PowerPC Little endian ). As the config.guess and libtool did not have the required patches to identify this new architecture, I did autoreconf -f -i in my build system whose latest automake and libtool has the patches of ppc64le. but the autoreconf failed with the following error automake: error: no 'Makefile.am' found for any configure output autoreconf: automake failed with exit status: 1 As the config.guess and configure scripts were updated with the ppc64le patches, i went ahead building the package. IT subsequently failed during 'make' with the following errors make[2]: Entering directory `/home/rajesh/openldap/openldap/libraries/liblber' rm -f version.c ../../build/mkversion -v "2.X" liblber.la > version.c /bin/sh ../../libtool --mode=compile cc -g -O2 -I../../include -I../../include -DLBER_LIBRARY -c assert.c ../../libtool: 1: eval: base_compile+= cc: not found ../../libtool: 1: eval: base_compile+= -g: not found ../../libtool: 1: eval: base_compile+= -O2: not found ../../libtool: 1: eval: base_compile+= -I../../include: not found ../../libtool: 1: eval: base_compile+= -I../../include: not found ../../libtool: 1: eval: base_compile+= -DLBER_LIBRARY: not found ../../libtool: 1: eval: base_compile+= -c: not found libtool: compile: you must specify a compilation command libtool: compile: Try `libtool --help --mode=compile' for more information. make[2]: *** [assert.lo] Error 1 FYI, I also tried verified building the package in x86 ( Intel Box ) to get some clues if it is specific to ppc64le architecture. Without doing a autoreconf (which I dont require in my x86 laptop), the package building was sucessful. When I did autoreconf in my x86 laptop, I was struck with the similar errors as I had mentioned above. So, can anyone provide any clues how to progress or redirect this mail to the right person if this is not the right place to discuss this issue? Thanks and Regards Rajeshkumar S Linux Technology Center, IBM

2 1

LDAP_OPT_X_TLS_CACERTDIR not working.
by Seshadri, Anitha 13 May '14

13 May '14

Hi, I would like to open a discussion with OpenLDAP team. I hope this is the right email address. If not please let me know the correct to which this mail should be directed to. Issue: We are currently using OpenLdap 2.4.16 version on Win 64 .We are using RSA and MES Shareadapter internally to build the openldap libs. I am getting the below error when I use Sha-256 (2048 key length) certificates: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed I am using the option LDAP_OPT_X_TLS_CACERTDIR and pass the cert directory which has the certificates. This fails. But the same passes when I use LDAP_OPT_X_TLS_CACERTFILE and point to the certicate which is of .pem format. Can you please let me know I am missing something here or is this a bug? Any help on this is appreciated. Thanks Anitha

3 2

Moving From Debian 2.4.31/hdb to LTB 2.4.39/mdb
by Andy Dorman 13 May '14

13 May '14

Hi. We have been using OpenLDAP for about 11 years now and have an MMR set up with 2 masters and 18 delta-syncrepl clients/slaves, all but 3 slaves are currently using back_hdb. Our beta test server and two load balancers are using back_mdb. The db is not too big with about 50,000 entries, 9 indexes (7 eq & 2 sub) and the slapdump ldif is about 41 MB. All our servers are Debian "testing" with a few packages from unstable and even experimental so we have the latest security and feature fixes for the work we do (email security filtering). Unfortunately, even the "bleeding edge" debian releases are waaaay behind in OpenLDAP. Last year we lost our system admin that set all this up, and I have been on a very steep learning curve since then. At this time I believe we need to move to a current version of OpenLDAP via ltb-project and switch to mdb, but I have run into a couple of questions we need to resolve first. FWIW, I would dearly like to help out the Debian community and compile & maintain an up-to-date version of OpenLDAP for them, but I need at least a couple more years of experience before it is even marginally safe to have other companies depending on my expertise with debian packaging. Anyway, after reading the OpenLDAP & ltb-project docs I have a couple of questions for anyone already using the ltb-project debian release, slapd.d & mdb. I hope the answers will help make our and others' transition go more smoothly. So here we go.... Question #1. I see that slapd.conf is deprecated and we should move to a slapd.d config db. However, the slapd.conf file (with git & cfengine) meets 3 key requirements for our service's configuration management: (1) audit trail, (2) peer review & staff notification, (3) automatic, staggered release to all servers so our users experience 0 downtime. I do not yet see an "easy" way to meet the first two requirements using slapd.d. To satisfy #3 I hope we can just update our master server slapd.d and config changes will be replicated to the slaves. Someone please correct me if I am wrong about that. To meet the requirement for an audit trail & staff review & notification, in the absence of someone's experience and/or knowledge from this group, we currently plan to use our ticket-tracking system (Request Tracker). Within an RT queue dedicated to our db systems we will document, review & manage slapd.d changes prior to actually making a change in the master which will then (I hope) propagate through delta-syncrepl. How does anyone else that is using slapd.d with an MMR setup with multiple client/slaves take care of their needs for an audit trail, peer review/staff notification, and release to all those servers? Question #2. This may be a simple one....When reading the latest OpenLDAP docs at http://www.openldap.org/doc/admin24/slapdconf2.html I noticed that there are no references to back_mdb in the configuration documentation...Specifically, "Table 5.2: Database Backends" and "Table 6.2: Database Backends" do not show an "mdb" option. Is this an oversight or is mdb going away already or am I completely confused? I suspect the answer is #3 ;-) Basically I need to know what to use in the "backend" & "database" directives (slapd.conf) or "olcBackend" attribute (slapd.d) if we want the mdb backend? Thank you for your insights and any information you can share. -- Andy Dorman Ironic Design, Inc. AnteSpam.com, ComeHome.net CONFIDENTIALITY NOTICE: This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any erroneous transmission. If you receive this message in error, please immediately destroy it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, or copy any part of this message if you are not the intended recipient.

2 1

problems in memberof overlay
by goal jeff 13 May '14

13 May '14

hi. I configured the function of 'memberof overlay' these days. At first I used the methods on the webpage of http://www.openldap.org/doc/admin24/overlays.html, I add the codes of "overlay memeberof" in the file of slapd.conf,then I started the slapd service, the system give me an error "overlay "memberof" not found" . second,I googled the internet and found an article on this webpage:http://www.redmine.org/projects/redmine/wiki/RedmineLDAP,so I create two LDIF files as follow: the first file : dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib/ldap olcModuleLoad: memberof the second file: dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config objectClass: olcMemberOf objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: memberof olcMemberOfDangling: ignore olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfNames olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf after I entered the command "ldapadd -x -D 'cn=Manager,dc=example,dc=com' -W -f 1.ldif",the system give an error:"ldap_add: Insufficient access (50)" please help me ,thanks.

3 2

Help with SASL generic GSSAPI error
by Joshua Schaeffer 13 May '14

13 May '14

I'm looking for a little help concerning the below error I get when I do an ldapsearch: root@mytest:~# ldapsearch -Y GSSAPI SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () That error is pretty generic to me and the searching I've done to find a solution has not yielded anything successful. I have MIT Kerberos and SASL setup and I'm able to successfully get a TGT from any machine that can see my KDC. I also can successfully search my ldap directory using simple authentication. I've run the sasl-sample-client and server between several machines including: ldap server to krb server, test server to krb server, test server to ldap server, etc. I can complete the sasl test on every one. Running slapd in debug mode doesn't provide me with any additional information: root@baneling:~# slapd -h "ldap:/// ldapi:///" -d 256 5371865b @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $ root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd 5371865c slapd starting 53718672 conn=1000 fd=13 ACCEPT from IP=10.1.10.10:53839 (IP=0.0.0.0:389) 53718672 conn=1000 op=0 BIND dn="" method=163 53718672 SASL [conn=1000] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () 53718672 conn=1000 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information () 53718672 conn=1000 op=1 UNBIND 53718672 conn=1000 fd=13 closed 53718672 connection_read(13): no connection! I do have the keytab in a non-standard location on the ldap server (/etc/ldap/ldap.keytab), so I modified /etc/default/slapd and restarted slapd. I'm not really sure what I can provide from my cn=config that would help diagnose this issue let me know and I can respond with the details. Here is my ldap.conf from the server I'm running the ldapsearch from (my test server): root@mytest:~# cat /etc/ldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=harmonywave,dc=com URI ldap://baneling.harmonywave.com #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca.harmonywave.com.pem TLS_REQCERT demand TLS_CHECKPEER yes TLS_CIPHER_SUITE SECURE256 # LDAP sudo settings sudoers_base ou=SUDOers,dc=harmonywave,dc=com # SASL Kerberos settings SASL_MECH GSSAPI SASL_REALM HARMONYWAVE.COM Thanks, Josh

4 6

Phantom certificates?
by Andrew D. Arenson 12 May '14

12 May '14

I am trying to understand how a ldap server's certificate is being verified in the absence of the appropriate CA certificates. I have openldap 2.4.23-34 installed. If I set TLS_CACERTDIR to a dummy directory (like /home/aarenson), ldapsearch tells me, as expected, that the server's certificate is not verified. If I set TLS_CACERTDIR to a directory where I have placed the file with my CA certificates, ldapsearch tells me, again as expected, that the server's certificate _IS_ verified. The situation that is surprising me, though, is that if I set TLS_CACERTDIR to /etc/openldap/certs, which has the cert8.db file, but as far as I can tell has no actuall certificates in that database, ldap search tells me, surprisingly, that the server's certificate _IS_ verified. How is openldap verifying my server's certificate? When I look in /etc/openldap/certs for certificates, I find none: =========================================================================== = [root@in-rtls-dev02 certs]# pwd /etc/openldap/certs [root@in-rtls-dev02 certs]# ls cert8.db key3.db less password secmod.db [root@in-rtls-dev02 certs]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI = =========================================================================== I have put a file with the appropriate chain of signing certificates in /etc/pki/tls/certs as incommon_chain_2013.pem: =========================================================================== = [root@in-rtls-dev02 certs]# pwd /etc/pki/tls/certs [root@in-rtls-dev02 certs]# ls 3641f99d.0 Makefile incommon-ie.pem make-dummy-cert 9de8458f.0 ca-bundle.crt incommon_chain_2013.pem renew-dummy-cert 9ef5f911.0 ca-bundle.trust.crt iu-bl-inter-ie.pem = =========================================================================== Here's the system ldap configuration I'm using: =========================================================================== = [root@in-rtls-dev02 openldap]# pwd /etc/openldap [root@in-rtls-dev02 openldap]# cat ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never #TLS_REQCERT allow TLS_REQCERT demand #TLS_CACERTDIR /etc/openldap/certs #TLS_CACERTDIR /etc/pki/tls/certs TLS_CACERTDIR /home/aarenson = =========================================================================== Here is the user ldap configuration I'm using. It is all commented out: =========================================================================== = [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> cat .ldaprc # Instruct client to try requesting a server's cert. #TLS_REQCERT allow #TLS_REQCERT demand # Define location of CA Cert #TLS_CACERTDIR /etc/openldap/certs #TLS_CACERTDIR /etc/pki/tls/certs #TLS_CACERTDIR /home/aarenson = =========================================================================== Here are the three invocations of ldapsearch: =========================================================================== = [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> ldapsearch -d 9 -D "aarenson(a)ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... TLS: certificate [CN=InCommon Server CA,OU=InCommon,O=Internet2,C=US] is not valid - error -8179:Peer's Certificate issuer is not recognized.. ... [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/pki/tls/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson(a)ads.iu.edu" -w "<PASSWORD" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu ... [in-rtls-dev02.uits.iupui.edu:/home/aarenson] bash> LDAPTLS_CACERTDIR=/etc/openldap/certs LDAPTLS_REQCERT=demand ldapsearch -d 9 -D "aarenson(a)ads.iu.edu" -w "<PASSWORD>" -H ldaps://ads.iu.edu:636 -b "ou=Accounts,dc=ads,dc=iu,dc=edu" -s sub "(sAMAccountName=aarenson)" ... distinguishedName: CN=aarenson,OU=Accounts,DC=ads,DC=iu,DC=edu ... = =========================================================================== Andy -- Andrew D. Arenson | aarenson (@) iu.edu Advanced Biomedical IT Core, Research Technologies, UITS | W (317) 278-1208 RT is a PTI Cyberinfrastructure & Service Center | C (317) 679-4669 Indiana University Purdue University Indianapolis | F (317) 278-1852

2 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2014