openldap-technical September 2014

openldap-technical@openldap.org

48 participants
64 discussions

slap_client_connect error
by Gremaud Cyrill 08 Sep '14

08 Sep '14

Hello ! I’m trying to setup N-way multi master replication with openLDAP 2.4 but I have an error when I reload my servers. slapd_client_connect : URI=ldap://lda2.gremaud.local DN=“cn=config” ldap_sasl_bind_s failed (-1) How this error is possible ? I can make a ldapsearch with dn=config and correct password on all my servers… thanks for your help.

1 0

LMDB : MDB_BAD_RSLOT on mdb_txn_begin
by Venkat Murty 06 Sep '14

06 Sep '14

Hello, What is the reason I get MDB_BAD_RSLOT on mdb_txn_begin? This is a read transaction. -venkat

1 0

Mail System Error - Returned Mail
by dieter＠dkluenter.de 05 Sep '14

05 Sep '14

Your message could not be delivered

1 0

sha2 module and 2.4.39, iterations question
by bitsofinfo 04 Sep '14

04 Sep '14

Hi - openldap version = 2.4.39 With: moduleload pw-sha2.la I have an application that generates SHA256 b64 encoded hashes w/ a 4byte (16bit) salt and stores them in userPassword and binds work fine When I add this to slapd.conf: password-crypt-salt-format $5$rounds=1000$%.16s And change my application to add 1000 iterations when it writes to userPassword, then binds fail pw in userPassword is generated in this format: {SSHA256}b64Encoded(sha256Digest1000Iterations(pw+salt)+salt) Is "password-crypt-salt-format" the correct place to specify we want to use iterations on our hashes? Is this configurable?

2 2

Re[4]: Trying to Mirror 2 OpenLDAP servers
by Sterling Sahaydak 04 Sep '14

04 Sep '14

Thanks Quanah, Appreciate the prompt reply and as you advised, I'll try the other build you mentioned. Best Regards, Sterling ------ Original Message ------ From: "Quanah Gibson-Mount" <quanah(a)zimbra.com> To: "Sterling Sahaydak" <sterling.sahaydak(a)pi-coral.com>; openldap-technical(a)openldap.org Sent: 9/4/2014 7:12:22 PM Subject: Re: Re[2]: Trying to Mirror 2 OpenLDAP servers >--On Thursday, September 04, 2014 11:52 PM +0000 Sterling Sahaydak ><sterling.sahaydak(a)pi-coral.com> wrote: > >>I think your response, you may be getting confused with someone else? >> >>I haven't been on IRC - don't have an account there or even installed >>to >>check, so not sure of the dialog or reference you are referring to. >> >>As to the build, I'm on CentOS and not RHEL, so as to the build it's >>relatively up to date on that platform and definitely not 4 years old. >>Maybe a couple months old only. >> >>My understanding is this is not restricted to RHEL only, so still >>inquiring to the community assistance here. If there is another >>please, >>then please let me know. > >Ah, interesting timing... Someone was on IRC with a nick similar to >your name asking almost identical questions. ;) > >In any case, everything I noted still stands. Avoid the RHEL build >(that's what is in CentOS). Use a sane build. Otherwise you're just >wasting everyone's time. > >--Quanah > > >-- > >Quanah Gibson-Mount >Server Architect >Zimbra, Inc. >-------------------- >Zimbra :: the leader in open source messaging and collaboration

1 0

Re[2]: Trying to Mirror 2 OpenLDAP servers
by Sterling Sahaydak 04 Sep '14

04 Sep '14

I think your response, you may be getting confused with someone else? I haven't been on IRC - don't have an account there or even installed to check, so not sure of the dialog or reference you are referring to. As to the build, I'm on CentOS and not RHEL, so as to the build it's relatively up to date on that platform and definitely not 4 years old. Maybe a couple months old only. My understanding is this is not restricted to RHEL only, so still inquiring to the community assistance here. If there is another please, then please let me know. Running into the following: slapd -d sync @(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $ mockbuild@c6b10.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd /etc/openldap/slapd.conf: line 163: warning, destination attributeType 'sAMAccountName' is not defined in schema PROXIED attributeDescription "SAMACCOUNTNAME" inserted. /etc/openldap/slapd.conf: line 213: rootdn is always granted unlimited privileges. bdb_monitor_db_open: monitoring disabled; configure monitor database to enable slapd starting TLS: error: the certificate '/etc/openldap/certs/ldap_example_net.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication.. TLS: certificate '/etc/openldap/certs/ldap_example_net.crt' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'CN=ldap.example.net,O="xx-xxxxxxx, INC.",L=xxxx,ST=xxxxxx,C=US'. do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE In my slapd.conf I have setup (Provider setup): TLSCertificateFile /etc/openldap/certs/ldap_example_net.crt TLSCertificateKeyFile /etc/openldap/certs/ldap_example_net.key TLSCACertificateFile /etc/openldap/certs/CAcompany.crt serverID 1 overlay syncprov #syncprov-checkpoint 100 10 syncprov-checkpoint 100 2 syncprov-sessionlog 100 #LDAP Sync - Slave - Consumer syncrepl rid=001 provider=ldaps://ldap-west.examplel.net bindmethod=simple binddn="cn=xxxxx,ou=Roles,dc=pcoral,dc=net" credentials=xxxxxxxxxxxx searchbase="dc=example,dc=net" filter="(objectclass=*)" attrs="*" schemachecking=on type=refreshAndPersist interval=00.00.00:30 retry="60 +" mirrormode on So, not sure why the synchronization isn't working? Thanks. ------ Original Message ------ From: "Quanah Gibson-Mount" <quanah(a)zimbra.com> To: "Sterling Sahaydak" <sterling.sahaydak(a)pi-coral.com>; openldap-technical(a)openldap.org Sent: 9/4/2014 5:47:38 PM Subject: Re: Trying to Mirror 2 OpenLDAP servers >--On Thursday, September 04, 2014 3:30 PM -0700 Quanah Gibson-Mount ><quanah(a)zimbra.com> wrote: > >>--On Thursday, September 04, 2014 10:14 PM +0000 Sterling Sahaydak >><sterling.sahaydak(a)pi-coral.com> wrote: >> >>> >>>Just updated slapd.conf with CA Certs and trying to get mirroring >>>synchronization to work. >>> >>>Running into the following: >>> >>>slapd -d sync >>>@(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $ >> >>Don't waste your time using this build, as you were already informed >>on >>IRC. > >Since you quit IRC in a huff, I'll give you some follow on thoughts: > >a) It is not the community's job to support the broken builds that RHEL >created. They are known to have numerous problems, some of which were >inflicted by RH itself by doing custom patches against OpenLDAP. > >b) 2.4.23 is over 4 years old at this point. There have been numerous >bugs fixed since that release, particularly around MMR. > >c) RHEL links to the non-standard NSS encryption libraries, which are >utterly broken in concept, which may be the cause of your cert issues > >d) There are freely available current alternatives to using the crap >shipped by RHEL if you are not comfortable with building OpenLDAP >yourself. You should investigate using them rather than complaining >that the community is refusing to support RHEL's garbage. > >Alternatives: ><http://www.symas.com/> - They offer free OpenLDAP builds sanely linked >to OpenSSL. They also provide support contracts, with extremely >knowledgable staff (The primary openldap developer works for them, for >example). > ><http://ltb-project.org/wiki/> - They offer free OpenLDAP builds sanely >linked to OpenSSL. They also have a support forum for their builds. > >--Quanah > >-- > >Quanah Gibson-Mount >Server Architect >Zimbra, Inc. >-------------------- >Zimbra :: the leader in open source messaging and collaboration

2 1

Trying to Mirror 2 OpenLDAP servers
by Sterling Sahaydak 04 Sep '14

04 Sep '14

Just updated slapd.conf with CA Certs and trying to get mirroring synchronization to work. Running into the following: slapd -d sync @(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $ mockbuild@c6b10.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd /etc/openldap/slapd.conf: line 163: warning, destination attributeType 'sAMAccountName' is not defined in schema PROXIED attributeDescription "SAMACCOUNTNAME" inserted. /etc/openldap/slapd.conf: line 213: rootdn is always granted unlimited privileges. bdb_monitor_db_open: monitoring disabled; configure monitor database to enable slapd starting TLS: error: the certificate '/etc/openldap/certs/ldap_example_net.crt' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication.. TLS: certificate '/etc/openldap/certs/ldap_example_net.crt' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'CN=ldap.example.net,O="xx-xxxxxxx, INC.",L=xxxx,ST=xxxxxx,C=US'. do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE In my slapd.conf I have setup (Provider setup): TLSCertificateFile /etc/openldap/certs/ldap_example_net.crt TLSCertificateKeyFile /etc/openldap/certs/ldap_example_net.key TLSCACertificateFile /etc/openldap/certs/CAcompany.crt serverID 1 overlay syncprov #syncprov-checkpoint 100 10 syncprov-checkpoint 100 2 syncprov-sessionlog 100 #LDAP Sync - Slave - Consumer syncrepl rid=001 provider=ldaps://ldap-west.examplel.net bindmethod=simple binddn="cn=xxxxx,ou=Roles,dc=pcoral,dc=net" credentials=xxxxxxxxxxxx searchbase="dc=example,dc=net" filter="(objectclass=*)" attrs="*" schemachecking=on type=refreshAndPersist interval=00.00.00:30 retry="60 +" mirrormode on So, not sure why the synchronization isn't working? Thanks!!!

2 2

Re: slap_queue_csn and slap_graduate_commit_csn in log
by Stefano Zanmarchi 04 Sep '14

04 Sep '14

Thank you Quanah, it works, but now my doubt is: do the log lines containing slap_queue_csn and slap_graduate_commit_csn mean that replication is on and that a slave is syncing? On Wed, Sep 3, 2014 at 7:09 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Wednesday, September 03, 2014 10:55 AM +0200 Stefano Zanmarchi < > zanmarchi(a)gmail.com> wrote: > > >> Thank you very much for the hint Ulrich, >> does anyone else know if it is normal to have thousands of lines like >> these in the log: >> > > You will have one per commit as long as you have "sync" logging enabled in > your loglevel. If you don't want to see them, remove "sync" from your > loglevel. > > --Quanah > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

FW: Openldap search results varies with search base
by Jeganathan S 03 Sep '14

03 Sep '14

Hi All, We are searching with same filter but with two different search bases and we are seeing results to be different. Case1: (working case) Search filter: (cn=monitorsoapnode*) Search base: o=itsmydomain.com Search result: cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com<mailto:cn=monitorsoapnode@np-m910-45-4,cn=soap%20nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com> cn=monitorsoapnode@ np-m910-87-8,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com Case2: (not working case) Search filter: (cn=monitorsoapnode*) Search base: cn=ucloud,o=itsmydomain.com Search result: cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com<mailto:cn=monitorsoapnode@np-m910-45-4,cn=soap%20nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com> It is observed that with search base "o=system,cn=cordys,cn=ucloud,o=itsmydomain.com" we are getting the expected results. We are seeing this behaviour with hdb database, but not with bdb. But we want to stick to hdb only. Is there any workaround to fix the issue(something like changing the configuration settings)? It is also observed that in both cases bdb_substring_candidates value is 2 but bdb_search_candidates value is different. I am not sure if this observation is relevant or not. You can check the logs for working and not working cases below. Please help. ########Not working case log ################## <= send_search_entry: conn 1000 exit. send_ldap_result: conn=1000 op=8 p=3 send_ldap_response: msgid=9 tag=101 err=0 ber_flush2: 14 bytes to sd 12 connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next ber_get_next: tag 0x30 len 118 contents: op tag 0x63, time 1409136356 ber_get_next conn=1000 op=9 do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <cn=ucloud,o=itsmydomain.com> <<< dnPrettyNormal: <cn=ucloud,o=itsmydomain.com>, <cn=ucloud,o=itsmydomain.com> ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: => get_ctrls ber_scanf fmt ({m) ber: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical) <= get_ctrls: n=1 rc=0 err="" => hdb_search bdb_dn2entry("cn=ucloud,o=itsmydomain.com") search_candidates: base="cn=ucloud,o=itsmydomain.com" (0x00000002) scope=2 => hdb_dn2idl("cn=ucloud,o=itsmydomain.com") => bdb_substring_candidates (cn) => key_read <= bdb_index_read 6 candidates => key_read <= bdb_index_read 33 candidates => key_read <= bdb_index_read 3 candidates => key_read <= bdb_index_read 17 candidates => key_read <= bdb_index_read 6 candidates => key_read <= bdb_index_read 18 candidates <= bdb_substring_candidates: 2, first=267, last=198029 bdb_search_candidates: id=1 first=267 last=267 => send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com<mailto:cn=monitorsoapnode@np-m910-45-4,cn=soap%20nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com>" ber_flush2: 140 bytes to sd 12 <= send_search_entry: conn 1000 exit. send_ldap_result: conn=1000 op=9 p=3 send_ldap_response: msgid=10 tag=101 err=0 ber_flush2: 14 bytes to sd 12 ########Working case log ################## <= send_search_entry: conn 1000 exit. send_ldap_result: conn=1000 op=9 p=3 send_ldap_response: msgid=10 tag=101 err=0 ber_flush2: 14 bytes to sd 12 connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next ber_get_next: tag 0x30 len 108 contents: op tag 0x63, time 1409136444 ber_get_next conn=1000 op=10 do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <o=itsmydomain.com> <<< dnPrettyNormal: <o=itsmydomain.com>, <o=itsmydomain.com> ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: => get_ctrls ber_scanf fmt ({m) ber: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical) <= get_ctrls: n=1 rc=0 err="" => hdb_search bdb_dn2entry("o=itsmydomain.com") search_candidates: base="o=itsmydomain.com" (0x00000001) scope=2 => hdb_dn2idl("o=itsmydomain.com") => bdb_substring_candidates (cn) => key_read <= bdb_index_read 6 candidates => key_read <= bdb_index_read 33 candidates => key_read <= bdb_index_read 3 candidates => key_read <= bdb_index_read 17 candidates => key_read <= bdb_index_read 6 candidates => key_read <= bdb_index_read 18 candidates <= bdb_substring_candidates: 2, first=267, last=198029 bdb_search_candidates: id=2 first=267 last=198029 => send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com<mailto:cn=monitorsoapnode@np-m910-45-4,cn=soap%20nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com>" ber_flush2: 140 bytes to sd 12 <= send_search_entry: conn 1000 exit. => send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-87-8,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com<mailto:cn=monitorsoapnode@np-m910-87-8,cn=soap%20nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com>" ber_flush2: 140 bytes to sd 12 <= send_search_entry: conn 1000 exit. send_ldap_result: conn=1000 op=10 p=3 send_ldap_response: msgid=11 tag=101 err=0 ber_flush2: 14 bytes to sd 12 Slapd config details you may be interested in are as follows ####### Config details start ###### database hdb suffix "o= itsmydomain.com" rootdn "cn=Directory Manager,o= itsmydomain.com" rootpw {SSHA}4tqAhskuvQm3wFz9EI3lqLI8pRRs6IfI sizelimit 2000 index default pres,eq index cn pres,eq,sub index objectClass eq index entryCSN,entryUUID eq index authenticationuser pres,eq,sub index osidentity pres,eq,sub cachesize 5000 checkpoint 1024 10 ####### Config details end ###### Regards, Jegan.

2 4

slap_queue_csn and slap_graduate_commit_csn in log
by Stefano Zanmarchi 03 Sep '14

03 Sep '14

Hi all, I can see thousands of lines like the following in my log: Sep 2 18:16:54 db51 slapd[16511]: slap_queue_csn: queing 0x432f20d0 20140902161654.626905Z#000000#000#000000 Sep 2 18:16:54 db51 slapd[16511]: slap_graduate_commit_csn: removing 0x2aaab801d1c0 20140902161654.626905Z#000000#000#000000 What are they related to? Could it be replication? Hope not because we used to have a syncrepl slave, but it has been turned off time ago and "moduleload syncprov.la" is commented out in slapd.conf. Thank you very much for your help!

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2014