unique overlay on a per branch basis
by Craig White
Assuming branches like:
ou=people,ou=company1,dc=example,dc=com
ou=people,ou=company2,dc=example,dc=com
Is it possible to use a regular expression in the configuration to ensure a unique uid attribute in each branch but allow an identical uid attribute in different companies like:
uid=Bob,ou=people,ou=company1,dc=example,dc=com
uid=Bob,ou=people,ou=company2,dc=example,dc=com
I ask because the man page for slapo-unique seems to suggest only absolute DNs.
Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032
9 years
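slapo-unique has no regular-expression form, but it does not need one for this: every unique_uri statement (every olcUniqueURI value under cn=config) is an independent uniqueness domain with its own base DN, and the "absolute DN" the man page asks for is that base. One domain per company branch gives exactly the behaviour asked about above. The script below is an added example, not code from the post; it assumes the data database is olcDatabase={1}mdb,cn=config, that slapd listens on ldapi:///, and that the unique overlay is built in or loaded (olcModuleLoad: unique).

```shell
#!/bin/sh
# Added example (not from the original post): one slapo-unique domain per
# company branch, so uid must be unique inside each branch while the same uid
# may exist under company1 and company2. Assumptions: the data database is
# olcDatabase={1}mdb,cn=config, slapd listens on ldapi:///, and the unique
# overlay is built in or loaded (olcModuleLoad: unique).

# cn=config LDIF adding the overlay with one olcUniqueURI per branch.
# $1 = database DN under cn=config; remaining arguments = branch base DNs.
unique_overlay_ldif() {
    db="$1"; shift
    printf 'dn: olcOverlay=unique,%s\n' "$db"
    printf 'objectClass: olcOverlayConfig\n'
    printf 'objectClass: olcUniqueConfig\n'
    printf 'olcOverlay: unique\n'
    for base in "$@"; do
        # Each olcUniqueURI value is an independent domain (slapo-unique(5)):
        # uid must be unique among the entries in scope "sub" below this base.
        printf 'olcUniqueURI: ldap:///%s?uid?sub\n' "$base"
    done
}

# The same configuration in slapd.conf syntax (one unique_uri line per domain).
unique_overlay_conf() {
    printf 'overlay unique\n'
    for base in "$@"; do
        printf 'unique_uri ldap:///%s?uid?sub\n' "$base"
    done
}

# Number of independent domains a generated LDIF declares (reads stdin).
count_domains() {
    grep -c '^olcUniqueURI: '
}

BRANCH1='ou=people,ou=company1,dc=example,dc=com'
BRANCH2='ou=people,ou=company2,dc=example,dc=com'

unique_overlay_ldif 'olcDatabase={1}mdb,cn=config' "$BRANCH1" "$BRANCH2"

# Apply to a running server only when asked (APPLY=1 is a hypothetical switch).
if [ "${APPLY:-0}" = 1 ]; then
    unique_overlay_ldif 'olcDatabase={1}mdb,cn=config' "$BRANCH1" "$BRANCH2" \
        | ldapadd -Q -Y EXTERNAL -H ldapi:///
fi
```

Once loaded, a second uid=Bob under company1 is refused with "Constraint violation (19)" while uid=Bob under company2 is accepted. A uid that sits outside both bases (a service account under another ou, say) is not checked by either domain, so declare a domain for every subtree where a collision would matter.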
troubles while setting up ldap server + pam
by Ivaylo Ganchev
Hello,
I am installing openldap in my department and am running into a strange
problem.
Currently I configured the server and imported some entries (from the
existing nis base).
Then I set up a client station. Unfortunately I am currently unable to
log in with a user account on the client station.
The strange problem is the following:
- When I use libnss_ldap and libpam_ldap the client sends multiple
requests, receives multiple answers (with correct values for the given
user), but then at one moment the server sends a FIN,ACK packet and in
the auth.log of the client machine I see a message saying "failed to bind
to ldap server" or something like this. I get this information from a
network analyzer. From the server side everything seems OK.
- When I use libnss_ldapd and libpam_ldapd, the communication is OK, but
it seems that the client is not asking for the userPassword argument and
so there is no way to log in (it only asks for "loginShell cn gidNumber
uidNumber objectClass homeDirectory gecos uid" and then in another
request "shadowExpire shadowInactive shadowFlag shadowWarning
shadowLastChange uid shadowMin shadowMax").
I am able to make a ldapsearch from the client side with the binddn
specified in the pam_ldap.conf and libnss_ldap.conf and all the
information is successfully retrieved.
Any advice is welcome.
Thanks,
--
Ivaylo
9 years
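A point worth having in front of you when reading the two symptoms above: neither pam_ldap nor nslcd ever needs to read userPassword. Both authenticate by issuing a simple bind as the user's own DN and letting slapd compare the password, so the lookup traffic seen on the wire is expected to fetch the posixAccount and shadow attributes and nothing more. What the server must allow is "auth" access on userPassword for the (still anonymous) identity that sends that bind, and what it must never allow is read access on the hashes. The script below is an added example, not part of the post; it assumes the data database is olcDatabase={1}mdb,cn=config, users live under ou=people,dc=example,dc=com, and the server is ldap.example.com.

```shell
#!/bin/sh
# Added example, not part of the original post. PAM authentication through
# pam_ldap or nslcd performs a simple bind as the user's DN; slapd checks the
# password. The ACL must grant "auth" on userPassword to the anonymous identity
# that issues that bind while keeping the hashes unreadable. Assumed names:
# olcDatabase={1}mdb, ou=people,dc=example,dc=com, host ldap.example.com.

# cn=config LDIF replacing the database ACL list with a safe ordering.
# Order matters: slapd uses the first "to" clause whose target matches.
# "by users read" on the catch-all is what lets the lookup binddn from
# pam_ldap.conf / nslcd.conf read the posixAccount and shadow attributes.
auth_acl_ldif() {
    cat <<'EOF'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none
EOF
}

# Ordered olcAccess values of an LDIF, one per line.
acl_rules() { sed -n 's/^olcAccess: //p'; }

# Succeeds only if the first rule that can match userPassword withholds read
# from everyone but the entry itself. Rules are read one per line from stdin.
userpassword_protected() {
    while IFS= read -r rule; do
        case "$rule" in
            *attrs=*userPassword*|*"to *"*)
                case "$rule" in
                    *"by * read"*|*"by * write"*|*"by * manage"*|*"by users read"*) return 1 ;;
                    *) return 0 ;;
                esac ;;
        esac
    done
    return 1   # nothing explicitly protects userPassword: treat as unprotected
}

auth_acl_ldif

# Checks against a live server, on request only (LIVE=1 is a hypothetical switch).
verify_live() {
    user='uid=bob,ou=people,dc=example,dc=com'
    # 1. the bind pam_ldap/nslcd will perform; -ZZ insists on StartTLS so the
    #    password is not sent in clear (the server must have TLS configured).
    ldapwhoami -ZZ -H ldap://ldap.example.com -D "$user" -W
    # 2. as the lookup account, userPassword must come back with no value.
    ldapsearch -ZZ -H ldap://ldap.example.com -D "$LOOKUP_DN" -W -b "$user" -s base userPassword
    # 3. the ACL as slapd actually holds it, for the checker above.
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess \
        | acl_rules | userpassword_protected && echo 'userPassword is not readable'
}
[ "${LIVE:-0}" = 1 ] && verify_live
```

The checker is deliberately simple: it reads olcAccess values in order and stops at the first target that covers userPassword, which is also how slapd evaluates them. Keep the pam_ldap/nslcd side on TLS (ssl start_tls with tls_reqcert demand) or the simple bind sends every user's password across the network in clear.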
Hi, need some help regarding OpenLDAP custom schema configuration.
by Abhishek koserwal
To convert slapd.conf to xyzschema.ldif I used:
slapcat -f slapd.conf.schemaname -F /tmp/schema -n0 -s cn=schema,cn=config
The schema file has been created.
But when I try to add this schema using
ldapadd -D cn=admin, cn=config -W -f cn\=\{0\}schemaname.ldif
I get: Error ldap_bind: Invalid credentials (49)
I figured out that my credentials were not configured properly.
So I created a manage.ldif file:
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SHA}GvyYSUqNK/Uo/Cva399YZUPUFNM=
and ran:
ldapmodify -Y EXTERNAL -H ldapi:/// -f manager.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}bdb,cn=config"
But still, when I try to add my custom schema, I get the same error:
Error ldap_bind: Invalid credentials (49)
Please find the attachment:
/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
System configuration:
Ubuntu 14.04
Installed slapd: apt-get install slapd ldap-utils
Then configured with: dpkg-reconfigure slapd
dc=my-xyxdomain, dc=com
used: bdb
Later configured phpldapadmin.
Working fine.
Regards
Abhishek Koserwal
Final year, CSE, IET-DAVV
The capacity to learn is a gift; The ability to learn is a skill; The
willingness to learn is a choice -- Brian Herbert
9 years
Problem: LDAP installation without internet
by Patrick Pat
Hi,
I would like the complete LDAP installation procedure without internet
access on Linux (Ubuntu 9.10 or other, Debian, ...), from the compressed
source file, namely:
openldap-2.4.8.tgz or openldap-2.4.7.tgz or openldap-2.4.9.tgz or
openldap-2.0-beta.tgz ...
and any configuration environment variables.
Best regards!
9 years
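The build itself needs nothing from the network; the one step that does is establishing that the tarball you carried over is the one the project published, so do that where you downloaded it and carry the published checksum along with the file. The script below is an added example, not from the post: it verifies the tarball before unpacking it and then runs the source build. The tarball name, prefix and checksum value are placeholders to be replaced with the real ones.

```shell
#!/bin/sh
# Added example (not from the original post): building OpenLDAP from a source
# tarball on a host without network access, refusing to build a tarball whose
# SHA-256 does not match the value recorded when it was downloaded. The file
# name, install prefix and EXPECTED_SHA256 are placeholders.

# SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Succeed only if the file's digest equals the expected one (case-insensitive).
verify_sha256() {
    got=$(sha256_of "$1" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Unpack, configure, build, run the test suite, install. Everything but the
# final install can run unprivileged; "make depend" is part of OpenLDAP's build.
# CPPFLAGS/LDFLAGS are the variables to set when BerkeleyDB or OpenSSL live
# outside the compiler's default search path.
build_openldap() {
    tgz="$1"; prefix="${2:-/usr/local}"
    dir=$(basename "$tgz" .tgz)
    tar xzf "$tgz" && cd "$dir" || return 1
    CPPFLAGS="${CPPFLAGS:-}" LDFLAGS="${LDFLAGS:-}" \
        ./configure --prefix="$prefix" --enable-overlays --with-tls \
        && make depend && make && make test && make install
}

TARBALL=${TARBALL:-openldap-2.4.9.tgz}
EXPECTED_SHA256=${EXPECTED_SHA256:-}   # placeholder: the digest recorded at download time

# BUILD=1 is a hypothetical switch so the functions can be sourced without side effects.
if [ "${BUILD:-0}" = 1 ]; then
    verify_sha256 "$TARBALL" "$EXPECTED_SHA256" \
        || { echo "$TARBALL: checksum mismatch, refusing to build" >&2; exit 1; }
    build_openldap "$TARBALL" /usr/local
fi
```

The environment variables the configure step cares about are the usual autoconf ones: CPPFLAGS=-I/opt/db/include LDFLAGS=-L/opt/db/lib (and CC if a non-default compiler is wanted) when BerkeleyDB or the TLS library are installed somewhere non-standard. At run time slapd is driven by slapd.conf or cn=config under $prefix/etc/openldap, not by environment variables.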
For AIA and CDP: CRL and CA publishing in LDAP
by lux-integ
Greetings,
I am learning to use openldap. I want to publish CA certificates and CRLs
(in DER format) in an LDAP database.
I came across this link
http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/certificates...
It relates to publishing one certificate. However, I would like to be able to
use one entry in the database to later access 2 objects by URL entry: (i) the
so-called AuthorityInformationAccess (CA certificate location) and (ii) the CDP
(CRL distribution point). So I have 2 questions:
QUESTION1
=========
I would like to know if I can publish 2 certificates and in the LDIF have
something such as:
#-----------
dn: cn=certs,dc=example,dc=com
ObjectClass: Top
ObjectClass: ApplicationProcess
ObjectClass: SimpleSecurityObject
CertificateRevocationList::-------someBinaryFile
CACertificate::-------------------someBinaryFile
cn: certs
UserPassword: cert-password
QUESTION2
=========
If I have the binary files File_crl and CAcertificate, can I replace lines
5 and 6 above like this?
CertificateRevocationList;binary: < /path/to/someBinaryFile_File_crl
CACertificate;binary: < /path/to/someBinaryFile_CACertificate
And if so, which is recommended: inserting the file contents, or using a pointer?
Advice on the above or better methods to proceed will be gratefully received.
thanks in advance
luxInteg
9 years
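Both attributes asked about above belong to one objectClass in the OpenLDAP core schema: pkiCA (RFC 4523) is AUXILIARY and MAY carry cACertificate, certificateRevocationList, authorityRevocationList and crossCertificatePair, so one entry can hold both the CA certificate and its CRL. The values must be DER, and LDIF offers two ways to carry binary data: inline base64 after a double colon ("attr:: ...") or a file reference that ldapadd resolves on the client ("attr:< file:///absolute/path"), both of which are equivalent once the entry is stored. The script below is an added example, not from the post; the DN cn=certs,dc=example,dc=com, the host name and the file paths are assumptions, and no userPassword is needed on the entry because AIA and CDP clients fetch it anonymously.

```shell
#!/bin/sh
# Added example, not from the original post. Publishes a CA certificate and its
# CRL in one entry (structural class applicationProcess plus auxiliary pkiCA),
# and prints the AIA / CRL DP URLs that issued certificates would carry.
# DN, host name and file paths are assumptions; values must be DER files.

CERT_DN='cn=certs,dc=example,dc=com'

entry_header() {
    printf 'dn: %s\n' "$CERT_DN"
    printf 'objectClass: top\nobjectClass: applicationProcess\nobjectClass: pkiCA\n'
    printf 'cn: certs\n'
}

# LDIF with the DER files embedded as base64 ("attr:: value").
# $1 = DER CA certificate, $2 = DER CRL.
pki_entry_ldif_inline() {
    entry_header
    printf 'cACertificate;binary:: %s\n' "$(base64 < "$1" | tr -d '\n')"
    printf 'certificateRevocationList;binary:: %s\n' "$(base64 < "$2" | tr -d '\n')"
}

# Same entry, letting ldapadd read the files itself ("attr:< file:///path").
# Paths must be absolute; the URL form is file:// followed by the path.
pki_entry_ldif_byref() {
    entry_header
    printf 'cACertificate;binary:< file://%s\n' "$1"
    printf 'certificateRevocationList;binary:< file://%s\n' "$2"
}

# URLs for the AIA (caIssuers) and CRL Distribution Point extensions. RFC 5280
# requires an LDAP CRL DP URI to name the attribute holding the CRL.
pki_urls() {
    host="$1"
    printf 'AIA caIssuers: ldap://%s/%s?cACertificate;binary\n' "$host" "$CERT_DN"
    printf 'CRL DP       : ldap://%s/%s?certificateRevocationList;binary\n' "$host" "$CERT_DN"
}

# What a relying party actually receives: -t writes binary values to files
# under /tmp, which openssl can then parse (run against a live server only).
fetch_check() {
    ldapsearch -x -H "ldap://$1" -b "$CERT_DN" -s base -t \
        'cACertificate;binary' 'certificateRevocationList;binary'
    for f in /tmp/ldapsearch-cACertificate*; do
        openssl x509 -inform DER -in "$f" -noout -subject -dates
    done
}

# Offline demonstration on constructed stand-in files (not real DER objects).
CA=$(mktemp); CRL=$(mktemp)
printf '\060\003\002\001\001' > "$CA"
printf '\060\003\002\001\002' > "$CRL"
pki_entry_ldif_inline "$CA" "$CRL"
echo
pki_entry_ldif_byref "$CA" "$CRL"
echo
pki_urls ldap.example.com
rm -f "$CA" "$CRL"
```

Either LDIF form produces the same stored value, so the choice is about handling: inline base64 keeps the LDIF self-contained and reviewable with nothing but the file, while the file reference avoids a copy of the DER blob in the LDIF and is read by the client at ldapadd time, so the path has to exist on the machine running ldapadd, not on the server.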
Hi, I need help regarding custom schema in OpenLDAP 2.4.39 configuration.
by Abhishek koserwal
Hi,
I need some reference material regarding "How to configure a custom
schema" in OpenLDAP 2.4.x. I have some schema files from version 2.3 and
earlier, when slapd.conf was used. I want to import those schemas into the new
OpenLDAP 2.4.39. I have gone through the Admin Guide and tried some methods, but I
didn't get much help from it. Kindly help me, or tell me whom I should contact or
any specific materials.
Thank You,
Abhishek koserwal,
9 years
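The two posts about custom schema above run into the same two facts. First, the file that slapcat or slaptest writes under cn=schema is a database dump: its dn and cn carry an ordering index such as {0}, and it ends with operational attributes (structuralObjectClass, entryUUID, entryCSN, timestamps) that an ldapadd must not send. Second, cn=admin,cn=config is the rootdn of the config database, olcDatabase={0}config, so an olcRootPW written to the data database ({1}bdb) does nothing for it; either set the password on {0}config or skip the password entirely and bind with SASL EXTERNAL over ldapi:///, which already worked for the ldapmodify above. The script below is an added example, not from either post: it converts a dump into an ldapadd-ready LDIF and shows the whole procedure. The schema name, the OIDs (a placeholder arc, not a registered one) and the Debian/Ubuntu paths are assumptions.

```shell
#!/bin/sh
# Added example, not from either post. Converts a slapcat/slaptest schema dump
# into an LDIF that ldapadd accepts, and shows the password fix for
# cn=admin,cn=config. Schema name, OIDs and paths are placeholders.

# Strip the {n} ordering index from dn and cn and drop the operational
# attributes slapd generated; everything else (including {n} on the
# olcAttributeTypes/olcObjectClasses values) is accepted as-is.
schema_ldif_for_ldapadd() {
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# LDIF giving cn=admin,cn=config a password: olcRootPW belongs on the config
# database, not on the data database. $1 is a hash from: slappasswd -h '{SSHA}'
config_rootpw_ldif() {
    printf 'dn: olcDatabase={0}config,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1"
}

# Constructed sample of what "slapcat -n0 -s cn=schema,cn=config" prints for a
# converted schema (placeholder OIDs under 1.3.6.1.4.1.99999).
SAMPLE_DUMP=$(cat <<'EOF'
dn: cn={4}xyzschema,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}xyzschema
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'xyzFlag' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'xyzObject' SUP top AUXILIARY MAY xyzFlag )
structuralObjectClass: olcSchemaConfig
entryUUID: 1b8f2f5a-0000-1000-8000-000000000000
creatorsName: cn=config
createTimestamp: 20140901120000Z
entryCSN: 20140901120000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140901120000Z
EOF
)

printf '%s\n' "$SAMPLE_DUMP" | schema_ldif_for_ldapadd

# Full procedure against a live Debian/Ubuntu server (APPLY=1 is a hypothetical switch).
if [ "${APPLY:-0}" = 1 ]; then
    # 1. throw-away slapd.conf listing the base schema the old file depends on, then the old file
    printf 'include /etc/ldap/schema/core.schema\ninclude /etc/ldap/schema/cosine.schema\ninclude /etc/ldap/schema/inetorgperson.schema\ninclude /etc/ldap/schema/nis.schema\ninclude /etc/ldap/schema/xyzschema.schema\n' > /tmp/schema.conf
    mkdir -p /tmp/schema.d
    slaptest -f /tmp/schema.conf -F /tmp/schema.d
    # 2. convert the dump of the new entry (index {4} here: it is the fifth include)
    schema_ldif_for_ldapadd < '/tmp/schema.d/cn=config/cn=schema/cn={4}xyzschema.ldif' > /tmp/xyzschema.ldif
    # 3. load it as local root over ldapi:///; no cn=admin,cn=config password involved
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/xyzschema.ldif
    # 4. confirm slapd now serves it
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config -s one '(cn=*xyzschema)' cn
fi
```

If a password on cn=admin,cn=config is wanted anyway, apply config_rootpw_ldif's output the same way (ldapmodify -Q -Y EXTERNAL -H ldapi:///) with an {SSHA} hash from slappasswd rather than the unsalted {SHA} form; after that the ldapadd -D cn=admin,cn=config -W bind succeeds.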
Updates to OIDs
by Brendan Kearney
list,
I am wondering what the right way is to introduce new OIDs, or request
that new OIDs be introduced, to existing schemas. The ipNetwork class
could benefit from a couple of new optional attributes.
The ipNetworkVLAN (only a suggested name) can be used to indicate the
VLAN associated with an ipNetworkNumber. Due to the increasing use of
VLANs, the datapoint being represented in LDAP makes sense to me.
Another seemingly logical OID would be ipNetCIDR (suggestion only), which
would be similar to the ipNetmaskNumber, but would be the short-form
notation.
thank you,
brendan kearney
9 years
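The mechanism for this does not go through the existing schema at all: the nis schema's OIDs (under 1.3.6.1.1.1) are published in RFC 2307 and have to stay as they are, and OpenLDAP's admin guide is explicit that local additions belong under an OID arc you own (a private enterprise number from IANA), never under someone else's. New attributes for ipNetwork entries are therefore defined in a local schema and attached through an AUXILIARY class that an ipNetwork entry can carry in addition to its structural class. The script below is an added example, not from the message: it writes such a schema and adds a small lint that refuses any OID outside the local arc, which is the check that keeps a copied or invented OID out of the directory. The arc 1.3.6.1.4.1.99999, the attribute names and the class name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original message. A local schema adding VLAN and
# CIDR attributes to ipNetwork entries via an auxiliary class, plus a lint that
# rejects any OID not under the local arc. Arc and names are placeholders.

MY_ARC='1.3.6.1.4.1.99999'

# slapd.conf-style schema: two attributes and the auxiliary class carrying them.
vlan_schema() {
    cat <<EOF
attributetype ( $MY_ARC.1.1 NAME 'ipNetworkVLAN'
    DESC 'IEEE 802.1Q VLAN id of this network (placeholder schema)'
    EQUALITY integerMatch ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( $MY_ARC.1.2 NAME 'ipNetCIDR'
    DESC 'network in prefix-length notation, e.g. 10.0.0.0/24 (placeholder schema)'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( $MY_ARC.2.1 NAME 'ipNetworkExtra'
    DESC 'extra attributes for ipNetwork entries (placeholder schema)'
    SUP top AUXILIARY
    MAY ( ipNetworkVLAN \$ ipNetCIDR ) )
EOF
}

# Every OID declared by attributetype/objectclass lines on stdin, one per line.
oids_in_schema() {
    sed -n -e 's/^[[:space:]]*attributetype[[:space:]]*([[:space:]]*\([0-9.][0-9.]*\).*/\1/p' \
           -e 's/^[[:space:]]*objectclass[[:space:]]*([[:space:]]*\([0-9.][0-9.]*\).*/\1/p'
}

# Lint: fail (and name the offenders) if any declared OID lies outside MY_ARC.
check_oid_arc() {
    bad=0
    for oid in $(oids_in_schema); do
        case "$oid" in
            "$MY_ARC".*) ;;
            *) echo "OID $oid is outside $MY_ARC" >&2; bad=1 ;;
        esac
    done
    return $bad
}

vlan_schema
vlan_schema | check_oid_arc && echo "all OIDs under $MY_ARC"

# An entry using it, once the schema is loaded: the auxiliary class is added
# next to ipNetwork, nothing in the nis schema changes.
example_entry() {
    cat <<'EOF'
dn: cn=lab-net,ou=networks,dc=example,dc=com
objectClass: ipNetwork
objectClass: ipNetworkExtra
cn: lab-net
ipNetworkNumber: 10.0.0.0
ipNetmaskNumber: 255.255.255.0
ipNetworkVLAN: 42
ipNetCIDR: 10.0.0.0/24
EOF
}
```

Getting the attributes into the standard nis schema itself would mean a revision of RFC 2307 (or of its successor draft) rather than a change to OpenLDAP; until then the auxiliary class is the portable way, and the lint above is worth running on every schema file before slaptest so that a stray OID from core, cosine or nis never gets redefined locally.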
Trying to perform mirror sync , but getting - TLS: error: the certificate '/etc/openldap/certs/xxx.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication.
by Sterling Sahaydak
I've recently updated both my openldap servers to 2.4.39 and
everything seems to be working EXCEPT the mirror synchronization, which
was the issue I had previously with 2.4.23.
Running on CentOS 6.5
Setup -
Server1(provider): ldap-east.xxxxx.net
Server2(consumer): ldap-west.xxxxx.net
Not using self-signed certs. Instead I have a SAN (Subject Alternative
Name) cert from DigiCert with 4 hostnames:
ldap.xxxxx.net
ldap-1.xxxxx.net
ldap-2.xxxxx.net
ldap-alt.xxxxx.net
I'm using slapd.conf vs cn=config.
The details:
[root@ldap-east certs]# slapd -d sync
541b16ed @(#) $OpenLDAP: slapd 2.4.39 (Sep 16 2014 19:42:16) $
root@admin.pcoral.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
541b16ed /etc/openldap/slapd.conf: line 165: warning, destination
attributeType 'sAMAccountName' is not defined in schema
541b16ed PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
541b16ed /etc/openldap/slapd.conf: line 215: rootdn is always granted
unlimited privileges.
541b16ed bdb_monitor_db_open: monitoring disabled; configure monitor
database to enable
541b16ed slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_xxxxx_net.crt'
could not be found in the database - error -12285:Unable to find the
certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_xxxxx_net.crt' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate
'CN=ldap.xxxxx.net,O="xxxxxx, INC.",L=Alviso,ST=California,C=US'.
541b16ed do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
*** I wonder if there is something about SAN certs where ldap is having
issues ?
*** Since it is a signed CA cert in a mirror sync setup do I need to set
it up in the local CA(using certutil) and add it? (didn't have to for
non-sync use)
*** Unclear about 'not found in database' - which one? I've tried adding
it using certutil in various permutations, adding the cert to
the local CA database with all the various SAN names as different nicknames.
*** I've also setup symlinks in /etc/openldap/certs pointing from the
hashes -> certs - but all of these with the exact same output as above.
From the debug log:
Sep 18 13:39:30 ldap-east slapd[18966]: @(#) $OpenLDAP: slapd 2.4.39
(Sep 16 2014 19:42:16)
$#012#011root@admin.xxxxx.net:/root/rpmbuild/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line
165: warning, destination attributeType 'sAMAccountName' is not defined
in schema
Sep 18 13:39:30 ldap-east slapd[18966]: PROXIED attributeDescription
"SAMACCOUNTNAME" inserted.
Sep 18 13:39:30 ldap-east slapd[18966]: /etc/openldap/slapd.conf: line
215: rootdn is always granted unlimited privileges.
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn=Subschema>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn=subschema>
Sep 18 13:39:30 ldap-east slapd[18966]: matching_rule_use_init
Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.840.113556.1.4.804
(integerBitOrMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES (
supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency
$ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $
olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $
olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $
olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $
olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion
$ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.840.113556.1.4.803
(integerBitAndMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES (
supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency
$ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $
olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $
olcIndexSubstrAnyStep $ olcIndexIntLen $ olcListenerThreads $
olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $
olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $
olcToolThreads $ olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $
olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $
olcDbMaxReaders $ olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion
$ olcDbConnectionPoolMax $ olcChainMaxReferralDepth $
mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $
ipServicePort $ ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 1.3.6.1.4.1.1466.109.114.2
(caseIgnoreIA5Match):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer
$ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $
mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox
$ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $
ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile
$ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 1.3.6.1.4.1.1466.109.114.1
(caseExactIA5Match):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: (
1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer
$ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $
mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox
$ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $
ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile
$ nisMapEntry $ sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $
sudoOption $ sudoRunAsUser $ sudoRunAsGroup ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.39
(certificateListMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.38
(certificateListExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.38
NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $
certificateRevocationList $ deltaRevocationList ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.35
(certificateMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.34
(certificateExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.34
NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate )
)
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.30
(objectIdentifierFirstComponentMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.30
NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $
supportedExtension $ supportedFeatures $ ldapSyntaxes $
supportedApplicationContext ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.29
(integerFirstComponentMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.29
NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $
entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $
olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $
olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $
olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $
olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $
olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption
$ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $
shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $
ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.28
(generalizedTimeOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.28
NAME 'generalizedTimeOrderingMatch' APPLIES ( createTimestamp $
modifyTimestamp $ sudoNotBefore $ sudoNotAfter ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.27
(generalizedTimeMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.27
NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp
$ sudoNotBefore $ sudoNotAfter ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.24
(protocolInformationMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.24
NAME 'protocolInformationMatch' APPLIES protocolInformation )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.23
(uniqueMemberMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.23
NAME 'uniqueMemberMatch' APPLIES uniqueMember )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.22
(presentationAddressMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.22
NAME 'presentationAddressMatch' APPLIES presentationAddress )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.20
(telephoneNumberMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.20
NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $
mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.18
(octetStringOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.18
NAME 'octetStringOrderingMatch' APPLIES ( userPassword $ olcDbCryptKey )
)
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.17
(octetStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.17
NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.16 (bitStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.16
NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.15
(integerOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.15
NAME 'integerOrderingMatch' APPLIES ( supportedLDAPVersion $ entryTtl $
uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $
olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $
olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $
olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $
olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $
olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption
$ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $
shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $
ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.14 (integerMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.14
NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $
uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $
olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $
olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $
olcIndexIntLen $ olcListenerThreads $ olcLocalSSF $ olcMaxDerefDepth $
olcReplicationInterval $ olcSockbufMaxIncoming $
olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $
olcWriteTimeout $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $
olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ olcDbMaxReaders $
olcDbMaxSize $ olcSpSessionlog $ olcDbProtocolVersion $
olcDbConnectionPoolMax $ olcChainMaxReferralDepth $ mailPreferenceOption
$ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $
shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $
ipProtocolNumber $ oncRpcNumber $ sudoOrder ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.13 (booleanMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.13
NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $
olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $
olcReadOnly $ olcReverseLookup $ olcSyncUseSubentry $ olcDbChecksum $
olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcAccessLogSuccess $
olcRwmNormalizeMapped $ olcRwmDropUnrequested $ olcSpNoPresent $
olcSpReloadHint $ olcDbRebindAsUser $ olcDbChaseReferrals $
olcDbProxyWhoAmI $ olcDbSingleConn $ olcDbUseTemporaryConn $
olcDbSessionTrackingRequest $ olcDbNoRefs $ olcDbNoUndefFilter $
olcChainCacheURI $ olcChainReturnError ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.11
(caseIgnoreListMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.11
NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $
homePostalAddress ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.9
(numericStringOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.9 NAME
'numericStringOrderingMatch' APPLIES ( x121Address $
internationaliSDNNumber ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.8
(numericStringMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.8 NAME
'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.7
(caseExactSubstringsMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.7 NAME
'caseExactSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber
$ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.6
(caseExactOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.6 NAME
'caseExactOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName
$ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOffi
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.5 (caseExactMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.5 NAME
'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName $
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.4
(caseIgnoreSubstringsMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.4 NAME
'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ c $ telephoneNumber
$ destinationIndicator $ dnQualifier $ homePhone $ mobile $ pager ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.3
(caseIgnoreOrderingMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.3 NAME
'caseIgnoreOrderingMatch' APPLIES ( supportedSASLMechanisms $ vendorName
$ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOff
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.2 (caseIgnoreMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.2 NAME
'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $
vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $
olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $
olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $
olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $
olcDisallows $ olcDitContentRules $ olcExtraAttrs $ olcInclude $
olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $
olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $
olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $
olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $
olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $
olcRootDSE $ olcRootPW $ olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $
olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals
$ olcSubordinate $ olcSyncrepl $ olcTCPBuffer $ olcTimeLimit $
olcTLSCACertificateFile $ olcTLSCACertificatePath $
olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $
olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $
olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $
olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $
olcDbLockDetect $ olcDbMode $ olcDbEnvFlags $ olcAccessLogOps $
olcAccessLogPurge $ olcAccessLogOld $ olcAccessLogOldAttr $
olcAccessLogBase $ olcRwmRewrite $ olcRwmTFSupport $ olcRwmMap $
olcSpCheckpoint $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $
olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $
olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $
olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $
olcDbCancel $ olcDbQuarantine $ olcDbOnErr $ olcDbIDAssertPassThru $
olcDbKeepalive $ olcChainingBehavior $ knowledgeInformation $ sn $
serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $
postalCode $ postOfficeBox $ physicalDeliveryOfficeName
Sep 18 13:39:30 ldap-east slapd[18966]: 1.2.36.79672281.1.13.3
(rdnMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.1
(distinguishedNameMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.1 NAME
'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $
subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $
dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $
olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcAccessLogDB $
olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ member $ owner $ roleOccupant $
manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
Sep 18 13:39:30 ldap-east slapd[18966]: 2.5.13.0
(objectIdentifierMatch):
Sep 18 13:39:30 ldap-east slapd[18966]: matchingRuleUse: ( 2.5.13.0 NAME
'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension
$ supportedFeatures $ supportedApplicationContext ) )
Sep 18 13:39:30 ldap-east slapd[18966]: slapd startup: initiated.
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting
"cn=config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: line 0:
warning: cannot assess the validity of the ACL scope within backend
naming context
Sep 18 13:39:30 ldap-east slapd[18966]: config_back_db_open: No explicit
ACL for back-config configured. Using hardcoded default
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"cn=module{0}"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn=schema"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={0}core>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={0}core>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={0}core"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={1}cosine>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={1}cosine>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"cn={1}cosine"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize:
<cn={2}inetorgperson>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize:
<cn={2}inetorgperson>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"cn={2}inetorgperson"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={3}nis>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={3}nis>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={3}nis"
Sep 18 13:39:30 ldap-east slapd[18966]: >>> dnNormalize: <cn={4}sudo>
Sep 18 13:39:30 ldap-east slapd[18966]: <<< dnNormalize: <cn={4}sudo>
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry: "cn={4}sudo"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={-1}frontend"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={0}config"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={1}ldap"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcOverlay={0}rwm"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcDatabase={2}bdb"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcOverlay={0}syncprov"
Sep 18 13:39:30 ldap-east slapd[18966]: config_build_entry:
"olcOverlay={1}glue"
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting
"ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: ldap_back_db_open:
URI=ldap://ad1.xxxxx.net
Sep 18 13:39:30 ldap-east slapd[18966]: backend_startup_one: starting
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_db_open: database
"dc=xxxxx,dc=net": dbenv_open(/var/lib/ldap).
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_monitor_db_open: monitoring
disabled; configure monitor database to enable
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)",
at: "contextCSN"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_dn2id("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: <= bdb_dn2id: got id=0x7
Sep 18 13:39:30 ldap-east slapd[18966]: entry_decode: "dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: <= entry_decode(dc=xxxxx,dc=net)
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0
Sep 18 13:39:30 ldap-east slapd[18966]: slapd starting
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 4r listener=(nil)
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 7r
listener=0x7f37cb13f7c0
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 8r
listener=0x7f37cb13f8a0
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on:
Sep 18 13:39:30 ldap-east slapd[18966]:
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrepl rid=001
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: ndn:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: oc: "(null)",
at: "contextCSN"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_dn2entry("dc=xxxxx,dc=net")
Sep 18 13:39:30 ldap-east slapd[18966]: => bdb_entry_get: found entry:
"dc=xxxxx,dc=net"
Sep 18 13:39:30 ldap-east slapd[18966]: bdb_entry_get: rc=0
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result not in
cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access
to "dc=xxxxx,dc=net" "contextCSN" requested
Sep 18 13:39:30 ldap-east slapd[18966]: <= root access granted
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: read access
granted by manage(=mwrscxd)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in
cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: => access_allowed: result was in
cache (contextCSN)
Sep 18 13:39:30 ldap-east slapd[18966]: =>do_syncrep2 rid=001
Sep 18 13:39:30 ldap-east slapd[18966]: do_syncrep2: rid=001
LDAP_RES_INTERMEDIATE - REFRESH_DELETE
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: added 13r listener=(nil)
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on 1 descriptor
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: activity on:
Sep 18 13:39:30 ldap-east slapd[18966]:
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Sep 18 13:39:30 ldap-east slapd[18966]: daemon: epoll: listen=8
active_threads=0 tvp=zero
slapd.conf
[root@ldap-east openldap]# cat slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
allow bind_v2
TLSCertificateFile /etc/openldap/certs/ldap_xxxxx_net.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap_xxxxx_net.key
TLSCACertificateFile /etc/openldap/certs/CAcompany.crt
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap
moduleload accesslog.la
moduleload rwm.la
moduleload syncprov.la
disallow bind_anon
moduleload back_bdb
moduleload back_ldap
backend bdb
moduleload syncprov
database ldap
suffix "ou=Users,ou=xxxxx,dc=ad,dc=xxxxx,dc=net"
uri ldap://ad1.xxxxx.net/
rebind-as-user
idassert-bind bindmethod=simple
        binddn="cn=username,ou=users,ou=xxxxxx,dc=ad,dc=xxxxx,dc=net"
        credentials="xxxxxxxxx"
        mode=none
idassert-authzFrom "*"
chase-referrals yes
subordinate
overlay rwm
rwm-map attribute uid sAMAccountName
database bdb
suffix "dc=xxxxx,dc=net"
checkpoint 1024 15
rootdn "cn=Manager,dc=xxxxx,dc=net"
rootpw {SSHA}xxxxxxxxxxx
directory /var/lib/ldap
access to *
        by dn.base="cn=TestSync,ou=Roles,dc=xxxxx,dc=net" write
        by * break
# Generic ACL section
access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=xxxxx,dc=net" write
        by anonymous auth
        by self write
        by * none
# Specific ACL section to restrict userPassword to be used for
# authentication only - 8-15-14
#access to dn.children="ou=People,dc=xxxxx,dc=net"
#        attrs=userPassword
#        by self write
#        by * auth
#        by dn.children="ou=Customers,ou=People,dc=xxxxx,dc=net" write
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
#LDAP Sync - Master
serverID 1
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
#LDAP Sync - Slave
syncrepl rid=001
        provider=ldaps://ldap-west.xxxxx.net
        bindmethod=simple
        binddn="cn=TestSync,ou=Roles,dc=xxxxx,dc=net"
        credentials=xxxxxxx
        searchbase="dc=xxxxx,dc=net"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
mirrormode on
loglevel -1
Re: Issues with Ppolicy Overlay and chaining (master/slave)
by Raul Hernandez
Hi Quanah,
I really appreciate your help. I just started some debugging on the master
side, and I found out that the root of my issue was permissions. I got the
following messages on the master's side:
5418a353 conn=1064 op=6 MOD dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com"
5418a353 conn=1064 op=6 MOD attr=pwdFailureTime
5418a353 conn=1064 op=6 RESULT tag=103 err=50 text=
tag=103 err=50 ----> This usually means insufficient access. I looked over
my HDB access configuration and realized that my chaining
(cn=syncrepluser,ou=security,dc=example,dc=com) user had "write"
permissions on the userPassword, pwdFailuretime, pwdChangedTime, pwdHistory and
pwdAccountLockedTime attributes, and that wasn't enough. I changed the
"write" permission to "manage" and everything started working.
#-----
# Master
#-----
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,pwdFailuretime,pwdChangedTime,pwdHistory,pwdAccountLockedTime
  by self write by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=syncReplUser,ou=Security,dc=example,dc=com" manage by * none
Hope this can help others. Thanks a lot for your help!
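As an added example in Python (not code from the thread), here is a small triage helper for the situation Raul describes: it pairs slapd RESULT err=50 lines with the MOD they belong to, then checks an olcAccess value to report the ppolicy attributes on which a given chaining DN is granted less than manage. The log lines and ACL string are constructed from the values quoted in the message.

```python
# Added triage helper, not code from the thread: pair slapd RESULT err=50 lines
# with the MOD they belong to, then check an olcAccess value for the "manage" grant.
import re
from collections import defaultdict

PPOLICY_ATTRS = {"pwdfailuretime", "pwdchangedtime", "pwdhistory",
                 "pwdaccountlockedtime"}   # attributes the ppolicy overlay updates
INSUFFICIENT_ACCESS = 50                   # LDAP result code insufficientAccessRights
LOG_RE = re.compile(r'conn=(\d+) op=(\d+) (?:MOD dn="([^"]*)"|MOD attr=(\S+)'
                    r'|RESULT tag=\d+ err=(\d+))')
ACL_RE = re.compile(r'^(?:\{\d+\})?to\s+attrs=(\S+)\s+(.*)$')
BY_RE = re.compile(r'by\s+(self|anonymous|users|\*|dn(?:\.\w+)?="[^"]*")\s+(\w+)')

# Constructed sample input, modelled on the master-side log and ACL in the message.
SAMPLE_LOG = [
    '5418a353 conn=1064 op=6 MOD dn="cn=Lisa Hayes,ou=Quality,dc=example,dc=com"',
    '5418a353 conn=1064 op=6 MOD attr=pwdFailureTime',
    '5418a353 conn=1064 op=6 RESULT tag=103 err=50 text=',
]
ACL_BEFORE = ('{0}to attrs=userPassword,pwdFailuretime,pwdChangedTime,pwdHistory,'
              'pwdAccountLockedTime by self write by dn="cn=admin,dc=example,dc=com" '
              'write by dn="cn=syncReplUser,ou=Security,dc=example,dc=com" write by * none')

def failed_mods(log_lines):
    """Return [(dn, attr)] for MOD operations whose RESULT was err=50."""
    ops, failures = defaultdict(dict), []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        op = ops[(m.group(1), m.group(2))]          # state kept per conn/op pair
        if m.group(3) is not None:
            op["dn"] = m.group(3)
        elif m.group(4) is not None:
            op["attr"] = m.group(4)
        elif int(m.group(5)) == INSUFFICIENT_ACCESS and "dn" in op:
            failures.append((op["dn"], op.get("attr")))
    return failures

def missing_manage(olcaccess, identity_dn):
    """ppolicy attrs in the rule on which identity_dn gets less than 'manage'.
    First matching 'by' clause wins, as in slapd; an authenticated identity
    writing other users' entries matches a dn= clause naming it, 'users' or '*'."""
    m = ACL_RE.match(olcaccess.strip())
    attrs = {a.lower() for a in m.group(1).split(",")}
    for who, access in BY_RE.findall(m.group(2)):
        dn = re.match(r'dn(?:\.\w+)?="([^"]*)"', who)
        if who in ("users", "*") or (dn and dn.group(1).lower() == identity_dn.lower()):
            return set() if access == "manage" else attrs & PPOLICY_ATTRS
    return attrs & PPOLICY_ATTRS                    # no clause matched: implicit none
```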
Re: Issues with Ppolicy Overlay and chaining (master/slave)
by Raul Hernandez
OpenLDAP 2.4.39 running on Debian SID
I also forgot to post my ppolicy conf for both master and slave:
#-----
# Master
#-----
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,dc=bandes,dc=gob,dc=ve
#-----
# Slave
#-----
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=bandes,dc=gob,dc=ve
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: TRUE
On Tue, Sep 16, 2014 at 2:30 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> --On Tuesday, September 16, 2014 3:27 PM -0430 Raul Hernandez <
> hernandezr(a)gmail.com> wrote:
>
>> Hello!
>>
>> I've been experiencing some issues with ppolicy overlay and chaining.
>> I've implemented a simple openldap master and consumer architecture. This
>> implementation works fine. I have data from the master, replicated into
>> the slave, and all writes sent to the slave (add/edit ous and users) are
>> forwarded to the master.
>>
>
> OpenLDAP version?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>