openldap-technical August 2014

openldap-technical@openldap.org

62 participants
58 discussions

LMDB storing generated values
by Simon Majou 11 Aug '14

11 Aug '14

Hello, Is there a way to write a value one part at a time ? For instance a value which is being generated, or received. >From the doc I found 2 put methods, but they expect a pointer to the full value. -- Best regards, Simon

2 2

Migration process in detail
by Rodrigo Coutinho 11 Aug '14

11 Aug '14

Hi, in a near future I will need to migrate from Oracle OID to Openldap. Could you please share more details of your migration process, the approach taken, the problems you faced and how did you resolved them. Right now I can't see how can I migrate the encripted user passwords. Is it possible ? I would appreciate any information you could provide. Thank you in advance A transmiss�o de mensagens por e-mail n�o � absolutamente segura ou livre de erros. A mensagem pode ser intercetada, alterada, perdida, destru�da, chegar ao destinat�rio com atraso, ou mesmo com v�rus, n�o obstante o IFAP utilizar software anti-v�rus. Esta mensagem, incluindo eventuais ficheiros anexos, pode conter informa��o confidencial ou privilegiada e destina-se a uso exclusivo dos seus destinat�rios. Se n�o for o destinat�rio pretendido, informamos que a recebeu por engano, pelo que, qualquer utiliza��o, distribui��o, reencaminhamento ou outra forma de revela��o a terceiros, impress�o ou c�pia s�o expressamente proibidos. Se recebeu esta mensagem por engano, por favor contacte imediatamente o remetente por e-mail, e apague de imediato a mensagem do seu sistema inform�tico. O IFAP declina qualquer responsabilidade por erros ou omiss�es na presente mensagem e eventuais consequ�ncias, que resultem das situa��es referidas.

1 0

Auto Response
by Paul 10 Aug '14

10 Aug '14

1 0

Why cannot run slapadd -l backup.ldif which requires deprecated lsapd.conf?
by jupiter 09 Aug '14

09 Aug '14

Hi, I am running openldap version 2.4.23 on CentOS 6.5, there is no slapd.conf, according to the document it is deprecated. But when I run slapadd, it got an error. # slapadd -v -l /root/backup.ldif could not stat config file "/etc/openldap/slapd.conf": No such file or directory (2) slapadd: bad configuration file! Now I am confused, if the slapd.conf is deprecated why the slapadd sdepends on it? How can I generate the slapd.conf, or copy a template of slpad.conf? Thank you and appreciate your advice - j

3 6

LMDB and writes
by Bill Hastings 09 Aug '14

09 Aug '14

Hi All Just getting my feet wet with LMDB. Is it possible for multiple threads write into LMDB concurrently? Or should writes be serialized to LMDB? Thanks Bill

2 1

Help for encrypted password with Blowfish
by Franck Goirand 08 Aug '14

08 Aug '14

Hello, I have a text file containing users and their password encrypted blowfish. This password is in the form $ 2a $ 08 $ hNbsbhDlbaogpYL/2yeCkuxKPPGKcluKb5rk16R0Nwi/34eGVi8r2 I need to create a script for insert the users in a directory via ldap ldif file. For the password, I use the userPassword instruction. If I put the password as contained in the file, it does not work. My issue are: - Is it possible to type in a password (encrypted in blowfish) as such ldap directory? - What syntax i need to use to tag the userPassword ({crypt} password ...)? - Should i perform a specific configuration for the slapd.conf file for the pam authentication engine (pam-ldap is it sufficient)? I worked on the crypt library, pam_ldap, slapcat ... without success Any ideas would be welcome, Best regards Franck ps: before passwords were MD5 and I never encountered any problems.

1 0

Updating schema with ldapmodify
by Katherine Faella 07 Aug '14

07 Aug '14

I am running openldap on Redhat 6 at 2.4.23. I am using cn=config. I have a schema called uri was added during the initial setup of this server a few years ago. In this schema I have an dn: cn={12}uri,cn=schema,cn=config objectClass: olcSchemaConfig cn: {12}uri olcAttributeTypes: {0}( 1.3.6.1.4.1.14092.2.1.1 NAME 'uriid' EQUALITY caseIgno reMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) olcAttributeTypes: {1}( 1.3.6.1.4.1.14092.2.1.2 NAME 'dept' EQUALITY caseIgnor eMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{ 256} ) .... *olcObjectClasses: {7}( 1.3.6.1.4.1.14092.2.2.8 NAME 'URIEducmanager' DESC 'URI** ** Educmanager' STRUCTURAL MAY ( uid $ userPassword $ employeeNumber $ cn $ sn $** ** givenname $ telephoneNumber $ dc ) )* olcObjectClasses: {8}( 1.3.6.1.4.1.14092.2.2.9 NAME 'URIEdusakaiperson' DESC ' URIEdusakaiperson' STRUCTURAL MUST ( URIEduemplid $ URIEduecampusid $ URIEdus n $ URIEdustatus $ userPassword ) MAY ( mail $ URIEdugn ) ) I need to update the URIEducmanager objectclass to include the mail object so it will be: olcObjectClasses: {7}( 1.3.6.1.4.1.14092.2.2.8 NAME 'URIEducmanager' DESC 'URI Educmanager' STRUCTURAL MAY ( uid $ userPassword $ employeeNumber $ cn $ sn $ givenname $ mail $ telephoneNumber $ dc ) ) I have tried many combinations the last of which is ldapmodify -D "cn=admin,cn=config" -x -W -f /root/ldapscripts/updatecmanager.ldif -v -H ldap://locumtenens.uri.edu where updatecmanager.ldif contains: dn: cn={12}uri,cn=schema,cn=config changetype: modify delete: objectclass objectclass: ( 1.3.6.1.4.1.14092.2.2.8 NAME 'URIEducmanager' DESC 'URIEducmanager' STRUCTURAL MAY ( uid $ userPassword $ employeeNumber $ cn $ sn $givenname $ telephoneNumber $ dc ) ) - add: objectclass objectclass: ( 1.3.6.1.4.1.14092.2.2.8 NAME 'URIEducmanager' DESC 'URIEducmanager' SUP top AUXILIARY STRUCTURAL MAY ( uid $ userPassword $ employeeNumber $ cn $ sn $givenname $ mail $ telephoneNumber $ dc ) ) My run looks like ldapmodify -D "cn=admin,cn=config" -x -W -f /root/ldapscripts/updatecmanager.ldif -v -H ldap://locumtenens.uri.edu ldap_initialize( ldap://locumtenens.uri.edu:389/??base ) Enter LDAP Password: delete objectclass: ( 1.3.6.1.4.1.14092.2.2.8 NAME 'URIEducmanager'DESC 'URIEducmanager'STRUCTURAL MAY ( uid $ userPassword $ employeeNumber $cn $ sn $givenname $ telephoneNumber $ dc ) ) add objectclass: ( 1.3.6.1.4.1.14092.2.2.8 NAME 'URIEducmanager'DESC 'URIEducmanager' SUP top AUXILIARYSTRUCTURAL MAY ( uid $ userPassword $ employeeNumber $cn $ sn $givenname $ mail $ telephoneNumber $ dc ) ) modifying entry "cn={12}uri,cn=schema,cn=config" ldap_modify: Invalid syntax (21) additional info: objectclass: value #0 invalid per syntax I have checked for extra blanks on the line, I have tried it with replace instead of delete and add. I must be missing some important facts about how it should be done. Any help greatly appreciated! Kathy -- Katherine Faella tel: (401) 874-4469 Sr. Technical Programmer kmf(a)uri.edu University of Rhode Island University Computing Systems(UCS) 210 Flagg Road Kingston, Rhode Island 02881

5 5

Re: RE24 Testing call #3
by Patrick Laimbock 07 Aug '14

07 Aug '14

Hi Quanah, From the OPENLDAP_REL_ENG_2_4 branch I got the snapshot with git rev 140c8b8. On an up-to-date CentOS 6.5 x86_64 VM all tests succeeded. HTH, Patrick

1 0

ACL for object creation in subtree with specific attributes and object classes
by Simeon Ott 06 Aug '14

06 Aug '14

Hello, I'd like to refine my permission set of my openldap installation. The tree structure is: dc=mydomain - cn=admin (ldap admin) - ou=domains (customer domains) - ou=example1.com - cn=user1 - cn=user2 - cn=postmaster - ou=example2.com - cn=user1 - cn=user2 - cn=postmaster The user postmaster is able to change specific attributes of objects in its own "domain" (one level up). The current ACLs are defined as: access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by anonymous auth by * none access to attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by anonymous auth by * none access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read access to * by dn.base="cn=admin,dc=mydomain" write by * read ACL rule 4 allows the postmaster to add objects to it's "domain" without any restrictions. How can i restrict the object creation to specific object classes and attributes? Let's say postmaster should only be able to add objects like the following: dn: cn=user3,ou=example2.com,ou=domains,dc=mydomain objectClass: CourierMailAccount objectClass: inetOrgPerson objectClass: top objectClass: Vacation cn: user3 homeDirectory: user3/example2.com/ mail: user.3(a)exampl2.com sn: User3 vacationActive: TRUE gidNumber: 5000 smtpRelayFlag: 1 uidNumber: 5000 userPassword:: <crypted password> vacationInfo:: <binary data> I didn't find such an approach in Faq-O-Matic nor the manuals Thanks in advance for any advice

2 8

slapd core dumps on ldap add
by Celalettin KILINÇ 05 Aug '14

05 Aug '14

Hi, I have openldap 2.4.36 installed using mdb backend on Solaris 10. I am using this database for a while and suddenly I started getting core dumps while trying to add any data to database. Disk, memory usages seem fine. Database size is not exceeded, it is almost 1/10 full. What may be the reason for this? Please find the other information about the issue as below: slapd version: # ./slapd -VVV @(#) $OpenLDAP: slapd 2.4.36 (Oct 6 2013 13:56:57) $ myuser@myhost:/some/dir/openldap-2.4.36/servers/slapd Included static overlays: syncprov Included static backends: config ldif mdb slapd.conf for mdb backend: database mdb directory /some/dir/openldap/var/openldap-data suffix "dc=mycomp,dc=com" rootdn "cn=Manager,dc=mycomp,dc=com" rootpw password index objectClass eq maxsize 45899345920 dbnosync checkpoint 0 10 threads 32 listener-threads 16 concurrency 1024 envflags writemap,nometasync slapd debug log: 53e15b8d conn=1001 op=17 do_add ber_scanf fmt ({m) ber: 53e15b8d conn=1001 op=17 do_add: dn (BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com) ber_scanf fmt ({m{W}}) ber: ber_scanf fmt ({m{W}}) ber: ber_scanf fmt (}) ber: 53e15b8d >>> dnPrettyNormal: <BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com> => ldap_bv2dn(BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com,0) <= ldap_bv2dn(BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com)=0 53e15b8d <<< dnPrettyNormal: <BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com>, <BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com> 53e15b8d ==> mdb_add: BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com 53e15b8d oc_check_required entry (BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com), objectClass "RTEBatchGroup" 53e15b8d oc_check_allowed type "BatchGroupName" 53e15b8d oc_check_allowed type "objectClass" 53e15b8d oc_check_allowed type "structuralObjectClass" 53e15b8d mdb_dn2entry("BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com") 53e15b8d => mdb_dn2id("BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com") 53e15b8d <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798) 53e15b8d => mdb_entry_decode: 53e15b8d <= mdb_entry_decode 53e15b8d => mdb_dn2id_add 0x1a28eb: "BatchGroupName=test,uid=myuser,OperationType=create,o=cust,dc=mycomp,dc=com" zsh: bus error (core dumped) ./slapd -d5 gdb backtrace of the generated core file: # gdb slapd core GNU gdb 6.8 Copyright (C) 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "sparc-sun-solaris2.10"... (no debugging symbols found) Reading symbols from /some/dir/lib/libldap_r-2.4.so.2...(no debugging symbols found)...done. Loaded symbols for /some/dir/lib/libldap_r-2.4.so.2 Reading symbols from /some/dir/lib/liblber-2.4.so.2...(no debugging symbols found)...done. Loaded symbols for /some/dir/lib/liblber-2.4.so.2 Reading symbols from /usr/lib/sparcv9/libicuuc.so.3...(no debugging symbols found)...done. Loaded symbols for /usr/lib/64/libicuuc.so.3 Reading symbols from /usr/lib/sparcv9/libicudata.so.3...(no debugging symbols found)...done. Loaded symbols for /usr/lib/64/libicudata.so.3 Reading symbols from /some/dir/lib/libsasl2.so.2... (no debugging symbols found)...done. Loaded symbols for /some/dir/lib/libsasl2.so.2 Reading symbols from /lib/sparcv9/libdl.so.1... warning: Lowest section in /lib/sparcv9/libdl.so.1 is .hash at 0000000000000120 (no debugging symbols found)...done. Loaded symbols for /lib/64/libdl.so.1 Reading symbols from /opt/csw/lib/sparcv9/libssl.so.0.9.8...(no debugging symbols found)...done. Loaded symbols for /opt/csw/lib/sparcv9/libssl.so.0.9.8 Reading symbols from /opt/csw/lib/sparcv9/libcrypto.so.0.9.8...(no debugging symbols found)...done. Loaded symbols for /opt/csw/lib/sparcv9/libcrypto.so.0.9.8 Reading symbols from /lib/sparcv9/libresolv.so.2... (no debugging symbols found)...done. Loaded symbols for /lib/64/libresolv.so.2 Reading symbols from /lib/sparcv9/libgen.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/64/libgen.so.1 Reading symbols from /lib/sparcv9/libnsl.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/64/libnsl.so.1 Reading symbols from /lib/sparcv9/libsocket.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/64/libsocket.so.1 Reading symbols from /lib/sparcv9/librt.so.1... (no debugging symbols found)...done. Loaded symbols for /lib/64/librt.so.1 Reading symbols from /lib/sparcv9/libc.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/64/libc.so.1 Reading symbols from /opt/csw/gcc4/lib/sparcv9/libgcc_s.so.1...(no debugging symbols found)...done. Loaded symbols for /opt/csw/gcc4/lib/sparcv9/libgcc_s.so.1 Reading symbols from /lib/sparcv9/libpthread.so.1... warning: Lowest section in /lib/sparcv9/libpthread.so.1 is .dynamic at 00000000000000b0 (no debugging symbols found)...done. Loaded symbols for /lib/64/libpthread.so.1 Reading symbols from /lib/sparcv9/libm.so.2... (no debugging symbols found)...done. Loaded symbols for /lib/64/libm.so.2 Reading symbols from /usr/lib/sparcv9/libCrun.so.1...(no debugging symbols found)...done. Loaded symbols for /usr/lib/64/libCrun.so.1 Reading symbols from /lib/sparcv9/libaio.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/64/libaio.so.1 Reading symbols from /lib/sparcv9/libmd.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/64/libmd.so.1 Reading symbols from /platform/sun4v/lib/sparcv9/libc_psr.so.1... (no debugging symbols found)...done. Loaded symbols for /platform/SUNW,Netra-T2000/lib/sparcv9/libc_psr.so.1 Reading symbols from /lib/sparcv9/ld.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/sparcv9/ld.so.1 Core was generated by `./slapd -d5'. Program terminated with signal 10, Bus error. [New process 1335262 ] [New process 90078 ] [New process 155614 ] [New process 221150 ] [New process 286686 ] [New process 352222 ] [New process 417758 ] [New process 483294 ] [New process 548830 ] [New process 614366 ] [New process 679902 ] [New process 745438 ] [New process 810974 ] [New process 876510 ] [New process 942046 ] [New process 1007582 ] [New process 1073118 ] [New process 1138654 ] [New process 1204190 ] [New process 1269726 ] #0 0x0000000100159c3c in mdb_page_search_root () (gdb) bt #0 0x0000000100159c3c in mdb_page_search_root () #1 0x000000010015a2d0 in mdb_page_search () #2 0x000000010015c984 in mdb_cursor_first () #3 0x000000010015d93c in mdb_cursor_get () #4 0x000000010015204c in mdb_page_alloc () #5 0x0000000100152b6c in mdb_page_touch () #6 0x000000010015a264 in mdb_page_search () #7 0x000000010015dba0 in mdb_cursor_touch () #8 0x000000010015e314 in mdb_cursor_put () #9 0x000000010018f25c in mdb_dn2id_add () #10 0x0000000100184e94 in mdb_add () #11 0x0000000100060970 in fe_op_add () #12 0x00000001000601fc in do_add () #13 0x000000010005128c in connection_operation () #14 0x0000000100051a4c in connection_read_thread () #15 0xffffffff7f4164bc in ldap_int_thread_pool_wrapper () from /some/dir/lib/libldap_r-2.4.so.2 #16 0xffffffff7ced7374 in _lwp_start () from /lib/64/libc.so.1 #17 0xffffffff7ced7374 in _lwp_start () from /lib/64/libc.so.1 Backtrace stopped: previous frame identical to this frame (corrupt stack?) Thanks

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2014