slap_client_connect error
by Gremaud Cyrill
Hello!
I'm trying to set up N-way multi-master replication with OpenLDAP 2.4, but I get an error when I reload my servers.
slapd_client_connect : URI=ldap://lda2.gremaud.local DN="cn=config" ldap_sasl_bind_s failed (-1)
How is this error possible? I can do an ldapsearch with dn=config and the correct password on all my servers…
Thanks for your help.
9 years, 3 months
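The -1 in that message is libldap's LDAP_SERVER_DOWN: the consumer never got a connection to the URI, so the cn=config DN and its password were not evaluated at all, and a working ldapsearch with the same credentials from somewhere else says nothing about whether this consumer can reach that URI. The following pre-check is an added example, not code from the post or from OpenLDAP: a standard-library Python script that parses the provider URI the way a consumer does, resolves the host, opens a TCP connection and maps the result code. The hostname is the one from the question, used only as a placeholder; for ldaps:// it checks the TCP layer only, not the TLS handshake.

```python
"""Connectivity pre-check for a syncrepl / MMR provider URI.

Added example (not code from the original post or from OpenLDAP).  It parses
the ldap:// or ldaps:// URI the way a consumer would, resolves the host and
opens a TCP connection, then explains the libldap return code.  Hostnames used
below are placeholders taken from the question."""
import socket
import sys
from urllib.parse import urlsplit

# libldap result codes relevant here.  -1 (LDAP_SERVER_DOWN) means no
# connection could be established, so the DN/password were never evaluated;
# a wrong password would come back as 49 (LDAP_INVALID_CREDENTIALS).
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_SERVER_DOWN = -1

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URI."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported URI scheme in %r" % uri)
    if not parts.hostname:
        raise ValueError("no host in %r" % uri)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def explain_bind_rc(rc):
    """Map a bind result code to what an operator should check next."""
    if rc == LDAP_SUCCESS:
        return "bind succeeded"
    if rc == LDAP_SERVER_DOWN:
        return ("LDAP_SERVER_DOWN: no connection to the provider; check the URI, DNS, "
                "firewall and the listener address slapd was started with (-h)")
    if rc == LDAP_INVALID_CREDENTIALS:
        return "LDAP_INVALID_CREDENTIALS: connection fine, bind DN or password wrong"
    return "rc=%d: see ldap_err2string(3)" % rc


def check_provider(uri, timeout=3.0):
    """Resolve the provider host and attempt a TCP connection.

    Returns a dict; 'reachable' is False whenever the consumer would log
    'ldap_sasl_bind_s failed (-1)' before any credential is sent.  For
    ldaps:// this only proves the TCP layer, not the TLS handshake."""
    scheme, host, port = parse_ldap_uri(uri)
    report = {"uri": uri, "scheme": scheme, "host": host, "port": port, "reachable": False}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        report["diagnosis"] = "name resolution failed for %s: %s" % (host, exc)
        return report
    report["addresses"] = sorted({info[4][0] for info in infos})
    try:
        with socket.create_connection((host, port), timeout=timeout):
            report["reachable"] = True
            report["diagnosis"] = "TCP connect ok; a failing bind now is a credential or ACL problem"
    except OSError as exc:
        report["diagnosis"] = "TCP connect failed (%s); the consumer reports this as %s" % (
            exc, explain_bind_rc(LDAP_SERVER_DOWN))
    return report


if __name__ == "__main__":
    # Hostname from the question, used as a placeholder.
    for uri in sys.argv[1:] or ["ldap://lda2.gremaud.local"]:
        print(check_provider(uri))
```

Run it on the consumer host with each provider URI from the syncrepl directives; every URI that comes back unreachable will produce exactly this -1 regardless of what is in cn=config.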
sha2 module and 2.4.39, iterations question
by bitsofinfo
Hi -
openldap version = 2.4.39
With:
moduleload pw-sha2.la
I have an application that generates SHA256 base64-encoded hashes with a
4-byte (16-bit) salt and stores them in userPassword, and binds work fine.
When I add this to slapd.conf:
password-crypt-salt-format $5$rounds=1000$%.16s
and change my application to add 1000 iterations when it writes to
userPassword, then binds fail.
pw in userPassword is generated in this format:
{SSHA256}b64Encoded(sha256Digest1000Iterations(pw+salt)+salt)
Is "password-crypt-salt-format" the correct place to specify we want to
use iterations on our hashes? Is this configurable?
9 years, 3 months
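password-crypt-salt-format only shapes the salt slapd hands to crypt(3) when it generates {CRYPT} hashes itself; it has no effect on pw-sha2, whose {SSHA256} scheme is a single SHA-256 pass over password||salt with the salt appended to the digest before base64 encoding, and which carries no iteration count anywhere in the stored value. Iterated hashes in 2.4 come from the contrib pw-pbkdf2 module ({PBKDF2-SHA256}) instead. The code below is an added example, not code from the post or from the pw-sha2 module: it generates and verifies values in pw-sha2's layout and shows that a 1000-round hash is syntactically valid yet can never verify. The chaining used for the iterated variant is an assumption about the poster's application.

```python
"""{SSHA256} as OpenLDAP's pw-sha2 module lays it out:
    base64( SHA256(password || salt) || salt )
Added example, not code from the original post or from pw-sha2.  It shows why
a hash built with extra iterations is syntactically valid but never verifies:
the scheme has exactly one digest pass and no iteration count in the value."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA256}"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def ssha256_hash(password, salt=None):
    """Produce a userPassword value in pw-sha2's {SSHA256} layout.

    The salt follows the digest inside the base64 blob, so the verifier can
    recover it; any salt length works because the verifier treats everything
    after the first 32 bytes as the salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha256(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password, stored):
    """Check a password against a {SSHA256} value the way slapd does."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False
    if len(raw) < DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    computed = hashlib.sha256(password + salt).digest()
    return hmac.compare_digest(computed, digest)


def iterated_ssha256_hash(password, salt, rounds):
    """The poster's variant (constructed; the exact chaining in their
    application is not on the page): apply SHA-256 `rounds` times.  The
    result parses as {SSHA256} but carries no record of `rounds`, so a
    verifier that does one pass cannot match it unless rounds == 1."""
    value = password + salt
    for _ in range(rounds):
        value = hashlib.sha256(value).digest()
    return SCHEME + base64.b64encode(value + salt).decode("ascii")


if __name__ == "__main__":
    pw, salt = b"correct horse", b"\x01\x02\x03\x04"  # 4-byte salt as in the question
    ok = ssha256_hash(pw, salt)
    bad = iterated_ssha256_hash(pw, salt, 1000)
    print(ok, ssha256_verify(pw, ok))    # True
    print(bad, ssha256_verify(pw, bad))  # False
```

The verifier deliberately decodes the salt from the stored value rather than trusting any external parameter: that is the whole reason the scheme cannot be told about iterations after the fact, and why a stronger work factor needs a scheme that encodes its parameters, such as PBKDF2.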
Re[4]: Trying to Mirror 2 OpenLDAP servers
by Sterling Sahaydak
Thanks Quanah,
Appreciate the prompt reply and as you advised, I'll try the other build
you mentioned.
Best Regards,
Sterling
------ Original Message ------
From: "Quanah Gibson-Mount" <quanah(a)zimbra.com>
To: "Sterling Sahaydak" <sterling.sahaydak(a)pi-coral.com>;
openldap-technical(a)openldap.org
Sent: 9/4/2014 7:12:22 PM
Subject: Re: Re[2]: Trying to Mirror 2 OpenLDAP servers
>--On Thursday, September 04, 2014 11:52 PM +0000 Sterling Sahaydak
><sterling.sahaydak(a)pi-coral.com> wrote:
>
>>I think in your response you may be getting confused with someone else?
>>
>>I haven't been on IRC - don't have an account there or even installed to
>>check, so not sure of the dialog or reference you are referring to.
>>
>>As to the build, I'm on CentOS and not RHEL, so as to the build it's
>>relatively up to date on that platform and definitely not 4 years old.
>>Maybe a couple months old only.
>>
>>My understanding is this is not restricted to RHEL only, so still
>>inquiring to the community assistance here. If there is another please,
>>then please let me know.
>
>Ah, interesting timing... Someone was on IRC with a nick similar to
>your name asking almost identical questions. ;)
>
>In any case, everything I noted still stands. Avoid the RHEL build
>(that's what is in CentOS). Use a sane build. Otherwise you're just
>wasting everyone's time.
>
>--Quanah
>
>
>--
>
>Quanah Gibson-Mount
>Server Architect
>Zimbra, Inc.
>--------------------
>Zimbra :: the leader in open source messaging and collaboration
9 years, 3 months
Re[2]: Trying to Mirror 2 OpenLDAP servers
by Sterling Sahaydak
I think in your response you may be getting confused with someone else?
I haven't been on IRC - don't have an account there or even installed to
check, so not sure of the dialog or reference you are referring to.
As to the build, I'm on CentOS and not RHEL, so as to the build it's
relatively up to date on that platform and definitely not 4 years old.
Maybe a couple months old only.
My understanding is this is not restricted to RHEL only, so still
inquiring to the community assistance here. If there is another please,
then please let me know.
Running into the following:
slapd -d sync
@(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $
mockbuild@c6b10.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
/etc/openldap/slapd.conf: line 163: warning, destination attributeType
'sAMAccountName' is not defined in schema
PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
/etc/openldap/slapd.conf: line 213: rootdn is always granted unlimited
privileges.
bdb_monitor_db_open: monitoring disabled; configure monitor database to
enable
slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_example_net.crt'
could not be found in the database - error -12285:Unable to find the
certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_example_net.crt' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate
'CN=ldap.example.net,O="xx-xxxxxxx, INC.",L=xxxx,ST=xxxxxx,C=US'.
do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
In my slapd.conf I have setup (Provider setup):
TLSCertificateFile /etc/openldap/certs/ldap_example_net.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap_example_net.key
TLSCACertificateFile /etc/openldap/certs/CAcompany.crt
serverID 1
overlay syncprov
#syncprov-checkpoint 100 10
syncprov-checkpoint 100 2
syncprov-sessionlog 100
#LDAP Sync - Slave - Consumer
syncrepl rid=001
provider=ldaps://ldap-west.examplel.net
bindmethod=simple
binddn="cn=xxxxx,ou=Roles,dc=pcoral,dc=net"
credentials=xxxxxxxxxxxx
searchbase="dc=example,dc=net"
filter="(objectclass=*)"
attrs="*"
schemachecking=on
type=refreshAndPersist
interval=00.00.00:30
retry="60 +"
mirrormode on
So, not sure why the synchronization isn't working?
Thanks.
------ Original Message ------
From: "Quanah Gibson-Mount" <quanah(a)zimbra.com>
To: "Sterling Sahaydak" <sterling.sahaydak(a)pi-coral.com>;
openldap-technical(a)openldap.org
Sent: 9/4/2014 5:47:38 PM
Subject: Re: Trying to Mirror 2 OpenLDAP servers
>--On Thursday, September 04, 2014 3:30 PM -0700 Quanah Gibson-Mount
><quanah(a)zimbra.com> wrote:
>
>>--On Thursday, September 04, 2014 10:14 PM +0000 Sterling Sahaydak
>><sterling.sahaydak(a)pi-coral.com> wrote:
>>
>>>
>>>Just updated slapd.conf with CA Certs and trying to get mirroring
>>>synchronization to work.
>>>
>>>Running into the following:
>>>
>>>slapd -d sync
>>>@(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $
>>
>>Don't waste your time using this build, as you were already informed
>>on
>>IRC.
>
>Since you quit IRC in a huff, I'll give you some follow on thoughts:
>
>a) It is not the community's job to support the broken builds that RHEL
>created. They are known to have numerous problems, some of which were
>inflicted by RH itself by doing custom patches against OpenLDAP.
>
>b) 2.4.23 is over 4 years old at this point. There have been numerous
>bugs fixed since that release, particularly around MMR.
>
>c) RHEL links to the non-standard NSS encryption libraries, which are
>utterly broken in concept, which may be the cause of your cert issues
>
>d) There are freely available current alternatives to using the crap
>shipped by RHEL if you are not comfortable with building OpenLDAP
>yourself. You should investigate using them rather than complaining
>that the community is refusing to support RHEL's garbage.
>
>Alternatives:
><http://www.symas.com/> - They offer free OpenLDAP builds sanely linked
>to OpenSSL. They also provide support contracts, with extremely
>knowledgeable staff (The primary openldap developer works for them, for
>example).
>
><http://ltb-project.org/wiki/> - They offer free OpenLDAP builds sanely
>linked to OpenSSL. They also have a support forum for their builds.
>
>--Quanah
>
>--
>
>Quanah Gibson-Mount
>Server Architect
>Zimbra, Inc.
>--------------------
>Zimbra :: the leader in open source messaging and collaboration
9 years, 3 months
Trying to Mirror 2 OpenLDAP servers
by Sterling Sahaydak
Just updated slapd.conf with CA Certs and trying to get mirroring
synchronization to work.
Running into the following:
slapd -d sync
@(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $
mockbuild@c6b10.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
/etc/openldap/slapd.conf: line 163: warning, destination attributeType
'sAMAccountName' is not defined in schema
PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
/etc/openldap/slapd.conf: line 213: rootdn is always granted unlimited
privileges.
bdb_monitor_db_open: monitoring disabled; configure monitor database to
enable
slapd starting
TLS: error: the certificate '/etc/openldap/certs/ldap_example_net.crt'
could not be found in the database - error -12285:Unable to find the
certificate or key necessary for authentication..
TLS: certificate '/etc/openldap/certs/ldap_example_net.crt' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate
'CN=ldap.example.net,O="xx-xxxxxxx, INC.",L=xxxx,ST=xxxxxx,C=US'.
do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE
In my slapd.conf I have setup (Provider setup):
TLSCertificateFile /etc/openldap/certs/ldap_example_net.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap_example_net.key
TLSCACertificateFile /etc/openldap/certs/CAcompany.crt
serverID 1
overlay syncprov
#syncprov-checkpoint 100 10
syncprov-checkpoint 100 2
syncprov-sessionlog 100
#LDAP Sync - Slave - Consumer
syncrepl rid=001
provider=ldaps://ldap-west.examplel.net
bindmethod=simple
binddn="cn=xxxxx,ou=Roles,dc=pcoral,dc=net"
credentials=xxxxxxxxxxxx
searchbase="dc=example,dc=net"
filter="(objectclass=*)"
attrs="*"
schemachecking=on
type=refreshAndPersist
interval=00.00.00:30
retry="60 +"
mirrormode on
So, not sure why the synchronization isn't working?
Thanks!!!
9 years, 3 months
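Before chasing the TLS messages, it is worth checking the replication directives themselves, since the posted stanza mixes refreshAndPersist with an interval= that only refreshOnly uses, and mirrormode needs a serverID on every master. The linter below is an added example, not code from the thread or from OpenLDAP: it joins slapd.conf continuation lines, pulls out suffix, serverID, mirrormode and each syncrepl stanza, and applies a handful of rules taken from slapd.conf(5). The sample configuration is constructed after the one posted, with placeholder host, DN and credential values.

```python
"""Lint the replication directives of a slapd.conf (syncrepl, serverID,
mirrormode).  Added example, not code from the thread or from OpenLDAP; the
rules come from slapd.conf(5) and the sample below is constructed after the
configuration posted in the thread, with placeholder names."""
import re
import shlex

SAMPLE_CONF = """\
database        hdb
suffix          "dc=example,dc=net"
rootdn          "cn=manager,dc=example,dc=net"
serverID        1
overlay         syncprov
syncprov-checkpoint 100 2
syncprov-sessionlog 100
syncrepl rid=001
        provider=ldaps://ldap-west.example.net
        bindmethod=simple
        binddn="cn=replicator,ou=Roles,dc=example,dc=net"
        credentials=REPLACE_ME_PLACEHOLDER
        searchbase="dc=example,dc=net"
        filter="(objectclass=*)"
        attrs="*"
        schemachecking=on
        type=refreshAndPersist
        interval=00.00.00:30
        retry="60 +"
mirrormode on
"""

INTERVAL_RE = re.compile(r"\d+:\d+:\d+:\d+")  # dd:hh:mm:ss per slapd.conf(5)


def logical_lines(text):
    """Join continuation lines (leading whitespace) and drop comments/blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_within(dn, suffix):
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def lint_slapd_conf(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings, stanzas, seen_rids = [], [], set()
    suffix = server_id = None
    mirrormode = False
    for line in logical_lines(text):
        toks = shlex.split(line)
        key, args = toks[0].lower(), toks[1:]
        if key == "suffix":
            suffix = args[0]
        elif key == "serverid":
            server_id = int(args[0])  # 'serverID 1' or 'serverID 1 ldap://...'
        elif key == "mirrormode":
            mirrormode = args[0].lower() in ("on", "true", "yes")
        elif key == "syncrepl":
            stanzas.append(dict(a.split("=", 1) for a in args if "=" in a))
    for st in stanzas:
        rid = st.get("rid", "")
        tag = "rid=%s" % (rid or "?")
        if not re.fullmatch(r"\d{1,3}", rid):
            findings.append("%s: rid must be a decimal number 0-999" % tag)
        elif rid in seen_rids:
            findings.append("%s: duplicate rid" % tag)
        seen_rids.add(rid)
        prov = st.get("provider", "")
        if not prov.startswith(("ldap://", "ldaps://", "ldapi://")):
            findings.append("%s: provider must be an ldap://, ldaps:// or ldapi:// URI" % tag)
        elif prov.startswith("ldap://") and st.get("starttls", "no").lower() == "no":
            findings.append("%s: ldap:// without starttls=yes sends the replication password in clear" % tag)
        if st.get("bindmethod", "simple").lower() == "simple":
            # simple bind keeps the password in slapd.conf: keep the file unreadable to others
            for need in ("binddn", "credentials"):
                if need not in st:
                    findings.append("%s: bindmethod=simple needs %s=" % (tag, need))
        typ = st.get("type", "refreshOnly")
        if typ not in ("refreshOnly", "refreshAndPersist"):
            findings.append("%s: unknown type=%s" % (tag, typ))
        elif typ == "refreshAndPersist" and "interval" in st:
            findings.append("%s: interval= is only used by refreshOnly and is ignored here" % tag)
        elif typ == "refreshOnly" and "interval" in st and not INTERVAL_RE.fullmatch(st["interval"]):
            findings.append("%s: interval=%s is not dd:hh:mm:ss" % (tag, st["interval"]))
        if suffix and "searchbase" in st and not dn_within(st["searchbase"], suffix):
            findings.append("%s: searchbase %s lies outside the database suffix %s" % (tag, st["searchbase"], suffix))
    if mirrormode:
        if not stanzas:
            findings.append("mirrormode on without a syncrepl directive on this database")
        if not server_id:
            findings.append("mirrormode on requires a unique non-zero serverID on every master")
    return findings


if __name__ == "__main__":
    for finding in lint_slapd_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

On the sample the only finding is the ignored interval; dropping serverID or switching the provider to plain ldap:// without starttls=yes adds the two findings an operator most often regrets missing.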
Re: slap_queue_csn and slap_graduate_commit_csn in log
by Stefano Zanmarchi
Thank you Quanah,
it works, but now my doubt is: do the log lines containing slap_queue_csn and
slap_graduate_commit_csn mean that replication is on and that a slave is
syncing?
On Wed, Sep 3, 2014 at 7:09 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> --On Wednesday, September 03, 2014 10:55 AM +0200 Stefano Zanmarchi <
> zanmarchi(a)gmail.com> wrote:
>
>
>> Thank you very much for the hint Ulrich,
>> does anyone else know if it is normal to have thousands of lines like
>> these in the log:
>>
>
> You will have one per commit as long as you have "sync" logging enabled in
> your loglevel. If you don't want to see them, remove "sync" from your
> loglevel.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
9 years, 3 months
FW: Openldap search results varies with search base
by Jeganathan S
Hi All,
We are searching with the same filter but with two different search bases, and we are seeing different results.
Case1: (working case)
Search filter: (cn=monitorsoapnode*)
Search base: o=itsmydomain.com
Search result:
cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com
cn=monitorsoapnode@np-m910-87-8,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com
Case2: (not working case)
Search filter: (cn=monitorsoapnode*)
Search base: cn=ucloud,o=itsmydomain.com
Search result:
cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com
It is observed that with search base "o=system,cn=cordys,cn=ucloud,o=itsmydomain.com" we are getting the expected results.
We are seeing this behaviour with the hdb database, but not with bdb. But we want to stick to hdb only. Is there any workaround to fix the issue (something like changing the configuration settings)?
It is also observed that in both cases bdb_substring_candidates value is 2 but bdb_search_candidates value is different. I am not sure if this observation is relevant or not.
You can check the logs for working and not working cases below. Please help.
########Not working case log ##################
<= send_search_entry: conn 1000 exit.
send_ldap_result: conn=1000 op=8 p=3
send_ldap_response: msgid=9 tag=101 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 118 contents:
op tag 0x63, time 1409136356
ber_get_next
conn=1000 op=9 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <cn=ucloud,o=itsmydomain.com>
<<< dnPrettyNormal: <cn=ucloud,o=itsmydomain.com>, <cn=ucloud,o=itsmydomain.com>
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> hdb_search
bdb_dn2entry("cn=ucloud,o=itsmydomain.com")
search_candidates: base="cn=ucloud,o=itsmydomain.com" (0x00000002) scope=2
=> hdb_dn2idl("cn=ucloud,o=itsmydomain.com")
=> bdb_substring_candidates (cn)
=> key_read
<= bdb_index_read 6 candidates
=> key_read
<= bdb_index_read 33 candidates
=> key_read
<= bdb_index_read 3 candidates
=> key_read
<= bdb_index_read 17 candidates
=> key_read
<= bdb_index_read 6 candidates
=> key_read
<= bdb_index_read 18 candidates
<= bdb_substring_candidates: 2, first=267, last=198029
bdb_search_candidates: id=1 first=267 last=267
=> send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com"
ber_flush2: 140 bytes to sd 12
<= send_search_entry: conn 1000 exit.
send_ldap_result: conn=1000 op=9 p=3
send_ldap_response: msgid=10 tag=101 err=0
ber_flush2: 14 bytes to sd 12
########Working case log ##################
<= send_search_entry: conn 1000 exit.
send_ldap_result: conn=1000 op=9 p=3
send_ldap_response: msgid=10 tag=101 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 108 contents:
op tag 0x63, time 1409136444
ber_get_next
conn=1000 op=10 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <o=itsmydomain.com>
<<< dnPrettyNormal: <o=itsmydomain.com>, <o=itsmydomain.com>
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> hdb_search
bdb_dn2entry("o=itsmydomain.com")
search_candidates: base="o=itsmydomain.com" (0x00000001) scope=2
=> hdb_dn2idl("o=itsmydomain.com")
=> bdb_substring_candidates (cn)
=> key_read
<= bdb_index_read 6 candidates
=> key_read
<= bdb_index_read 33 candidates
=> key_read
<= bdb_index_read 3 candidates
=> key_read
<= bdb_index_read 17 candidates
=> key_read
<= bdb_index_read 6 candidates
=> key_read
<= bdb_index_read 18 candidates
<= bdb_substring_candidates: 2, first=267, last=198029
bdb_search_candidates: id=2 first=267 last=198029
=> send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com"
ber_flush2: 140 bytes to sd 12
<= send_search_entry: conn 1000 exit.
=> send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-87-8,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com"
ber_flush2: 140 bytes to sd 12
<= send_search_entry: conn 1000 exit.
send_ldap_result: conn=1000 op=10 p=3
send_ldap_response: msgid=11 tag=101 err=0
ber_flush2: 14 bytes to sd 12
The slapd config details you may be interested in are as follows:
####### Config details start ######
database hdb
suffix "o= itsmydomain.com"
rootdn "cn=Directory Manager,o= itsmydomain.com"
rootpw {SSHA}4tqAhskuvQm3wFz9EI3lqLI8pRRs6IfI
sizelimit 2000
index default pres,eq
index cn pres,eq,sub
index objectClass eq
index entryCSN,entryUUID eq
index authenticationuser pres,eq,sub
index osidentity pres,eq,sub
cachesize 5000
checkpoint 1024 10
####### Config details end ######
Regards,
Jegan.
9 years, 3 months
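The two logs above already contain the evidence that matters: both searches get identical substring candidates from the cn index (2, first=267, last=198029), but once the base is narrowed to cn=ucloud the candidate list drops to a single ID, so the entry with ID 198029 is lost between index lookup and the subtree candidate set, not in the filter. The script below is an added example, not code from the post or from OpenLDAP: it groups slapd debug lines by search operation and, for every pair of subtree searches where one base is an ancestor of the other, reports entries the wider search returned from under the narrower base that the narrower search did not return. It assumes both searches used the same filter (as stated in the post); the log is constructed after the one posted, with the mail-client residue removed.

```python
"""Cross-check subtree searches from a slapd debug log.  Added example, not
code from the post or from OpenLDAP.  With the same filter, a search based at
B must return every entry that a search based at an ancestor of B returned
from under B; anything that breaks that rule is the discrepancy the post
describes.  The log below is constructed after the one in the post."""
import re

SAMPLE_LOG = """\
conn=1000 op=9 do_search
search_candidates: base="cn=ucloud,o=itsmydomain.com" (0x00000002) scope=2
<= bdb_substring_candidates: 2, first=267, last=198029
bdb_search_candidates: id=1 first=267 last=267
=> send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com"
send_ldap_result: conn=1000 op=9 p=3
conn=1000 op=10 do_search
search_candidates: base="o=itsmydomain.com" (0x00000001) scope=2
<= bdb_substring_candidates: 2, first=267, last=198029
bdb_search_candidates: id=2 first=267 last=198029
=> send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-45-4,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com"
=> send_search_entry: conn 1000 dn="cn=monitorsoapnode@np-m910-87-8,cn=soap nodes,o=system,cn=cordys,cn=ucloud,o=itsmydomain.com"
send_ldap_result: conn=1000 op=10 p=3
"""

OP_RE = re.compile(r"^conn=(\d+) op=(\d+) do_search$")
BASE_RE = re.compile(r'search_candidates: base="([^"]+)" \(0x[0-9a-f]+\) scope=(\d)')
CAND_RE = re.compile(r"bdb_search_candidates: id=(\d+) first=(\d+) last=(\d+)")
ENTRY_RE = re.compile(r'send_search_entry: conn \d+ dn="([^"]+)"')


def normalize_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def is_under(dn, base):
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def parse_search_ops(log):
    """Group the debug lines by search operation: base, scope, candidate
    count and the DNs actually sent."""
    ops, cur = [], None
    for line in log.splitlines():
        m = OP_RE.match(line)
        if m:
            cur = {"conn": int(m.group(1)), "op": int(m.group(2)), "entries": []}
            ops.append(cur)
            continue
        if cur is None:
            continue
        if (m := BASE_RE.search(line)):
            cur["base"], cur["scope"] = m.group(1), int(m.group(2))
        elif (m := CAND_RE.search(line)):
            cur["candidates"] = int(m.group(1))
        elif (m := ENTRY_RE.search(line)):
            cur["entries"].append(m.group(1))
        elif line.startswith("send_ldap_result:"):
            cur = None
    return ops


def find_missing_entries(ops):
    """For each pair (wide, narrow) of subtree searches where narrow's base is
    under wide's base, report entries wide returned from under narrow's base
    that narrow did not return.  Assumes both used the same filter."""
    problems = []
    subtree = [o for o in ops if o.get("scope") == 2 and "base" in o]
    for wide in subtree:
        for narrow in subtree:
            if wide is narrow or not is_under(narrow["base"], wide["base"]):
                continue
            got = {normalize_dn(e) for e in narrow["entries"]}
            for dn in wide["entries"]:
                if is_under(dn, narrow["base"]) and normalize_dn(dn) not in got:
                    problems.append({
                        "narrow_base": narrow["base"], "narrow_op": narrow["op"],
                        "wide_base": wide["base"], "wide_op": wide["op"],
                        "missing_dn": dn,
                        "candidates": (narrow.get("candidates"), wide.get("candidates")),
                    })
    return problems


if __name__ == "__main__":
    for p in find_missing_entries(parse_search_ops(SAMPLE_LOG)):
        print("op=%d base=%s missed %s (returned by op=%d base=%s; candidates %s vs %s)" % (
            p["narrow_op"], p["narrow_base"], p["missing_dn"], p["wide_op"], p["wide_base"],
            p["candidates"][0], p["candidates"][1]))
```

Run against the posted logs it reports the second monitorsoapnode entry as missing from the cn=ucloud search, together with the candidate counts (1 against 2), which is the fact to carry into a bug report or into a comparison of the hdb and bdb backends.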
slap_queue_csn and slap_graduate_commit_csn in log
by Stefano Zanmarchi
Hi all,
I can see thousands of lines like the following in my log:
Sep 2 18:16:54 db51 slapd[16511]: slap_queue_csn: queing 0x432f20d0 20140902161654.626905Z#000000#000#000000
Sep 2 18:16:54 db51 slapd[16511]: slap_graduate_commit_csn: removing 0x2aaab801d1c0 20140902161654.626905Z#000000#000#000000
What are they related to? Could it be replication?
I hope not, because we used to have a syncrepl slave, but it was turned off some time ago and "moduleload syncprov.la" is commented out in slapd.conf.
Thank you very much for your help!
9 years, 3 months
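What can be read from these lines follows from Quanah's reply above: with "sync" in the loglevel every committed write produces one slap_queue_csn line and one slap_graduate_commit_csn line, whether or not any consumer is connected, and the CSN itself records which serverID made the change (the #000# field here is serverID 0, i.e. a server without a serverID directive). The script below is an added example, not code from the thread or from OpenLDAP: it decodes CSNs and pairs queue and graduate lines from a syslog-style slapd log. The log lines are constructed after the ones in the question.

```python
"""Decode OpenLDAP CSNs and pair slap_queue_csn / slap_graduate_commit_csn
lines from a syslog-style slapd log.  Added example, not code from the thread
or from OpenLDAP.  The log lines below are constructed after the ones in the
question (the 'queing' spelling is slapd's own)."""
import re
from datetime import datetime, timezone

SAMPLE_LOG = """\
Sep  2 18:16:54 db51 slapd[16511]: slap_queue_csn: queing 0x432f20d0 20140902161654.626905Z#000000#000#000000
Sep  2 18:16:54 db51 slapd[16511]: slap_graduate_commit_csn: removing 0x2aaab801d1c0 20140902161654.626905Z#000000#000#000000
Sep  2 18:16:55 db51 slapd[16511]: slap_queue_csn: queing 0x432f2200 20140902161655.104221Z#000000#000#000000
Sep  2 18:16:55 db51 slapd[16511]: slap_graduate_commit_csn: removing 0x2aaab801d2f0 20140902161655.104221Z#000000#000#000000
Sep  2 18:16:56 db51 slapd[16511]: slap_queue_csn: queing 0x432f2330 20140902161656.000017Z#000000#000#000000
"""

# CSN layout: <UTC time>.<microseconds>Z#<count 6 hex>#<sid 3 hex>#<mod 6 hex>
CSN_RE = re.compile(r"(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})")
QUEUE_RE = re.compile(r"slap_queue_csn: queing 0x[0-9a-f]+ (\S+)")
GRAD_RE = re.compile(r"slap_graduate_commit_csn: removing 0x[0-9a-f]+ (\S+)")


def parse_csn(csn):
    """Split a CSN into its timestamp, change counter, serverID and modifier."""
    m = CSN_RE.fullmatch(csn)
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    ts, us, count, sid, mod = m.groups()
    when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(microsecond=int(us), tzinfo=timezone.utc)
    # sid is the serverID of the server that accepted the write; 000 is what a
    # server without a serverID directive stamps on its changes.
    return {"time": when, "count": int(count, 16), "sid": int(sid, 16), "mod": int(mod, 16), "raw": csn}


def pair_commits(log):
    """Match each queued CSN with its graduate line.  One pair per committed
    write operation; a queued CSN with no graduate line is still in flight
    (or was aborted) at the end of the log."""
    queued, committed = {}, []
    for line in log.splitlines():
        if (m := QUEUE_RE.search(line)):
            queued[m.group(1)] = parse_csn(m.group(1))
        elif (m := GRAD_RE.search(line)):
            csn = queued.pop(m.group(1), None)
            if csn is not None:
                committed.append(csn)
    return committed, list(queued.values())


def writers(csns):
    """Sorted set of serverIDs that produced the given CSNs."""
    return sorted({c["sid"] for c in csns})


if __name__ == "__main__":
    done, pending = pair_commits(SAMPLE_LOG)
    print("%d commits, %d pending; written by serverID(s) %s" % (len(done), len(pending), writers(done)))
```

If the sid field ever shows a value other than your own serverID, the change arrived through replication; a log that only ever shows your own serverID, as here, is consistent with local writes and says nothing about whether a consumer is pulling them.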