openldap-technical September 2014

openldap-technical@openldap.org

48 participants
64 discussions

slapd doesn't start with openldap-2.4.39 and cyrus-sasl-2.1.26
by Jeganathan S 03 Sep '14

03 Sep '14

Hi All, I am trying to build openldap 2.4.39 with following dependencies in RHEL 5.5. BerkleyDB-5.1.29, cyrus-sasl-2.1.26 and openssl-1.0.1i. "make test" is failing due to failure in starting the ldap server. The content of the log file is given below. When I disable cyrus-sasl while building openssl, I don't get the issue. Is there any known issue with these combination? The configuration options are: export CPPFLAGS="-I/opt/cars-openldap-building/build_outputs/openldap_binaries/berkeleydb/include -I/opt/cars-openldap-building/build_outputs/openldap_binaries/openssl/include/openssl -I/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/include/sasl" export LDFLAGS="-L/opt/cars-openldap-building/build_outputs/openldap_binaries/berkeleydb/lib -L/opt/cars-openldap-building/build_outputs/openldap_binaries/openssl/lib -L/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib -L/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib/sasl2" export LD_LIBRARY_PATH=/opt/cars-openldap-building/build_outputs/openldap_binaries/berkeleydb/lib:/opt/cars-openldap-building/build_outputs/openldap_binaries/openssl/lib:/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib:/opt/cars-openldap-building/build_outputs/openldap_binaries/cyrussasl/lib/sasl2 ./configure --prefix=/opt/cars-openldap-building/build_outputs/openldap_binaries/openldap --exec-prefix=/opt/cars-openldap-building/build_outputs/openldap_binaries/openldap --with-tls=openssl --enable-bdb=mod --enable-hdb=mod --enable-mdb=mod Regards, Jeganathan ***************start of log file ********************* ldap_url_parse_ext(ldap://lap_sasl_init: auxprop add plugin failedocalhost/) 5406f5e9 @(#) $OpenLDAP: slapd 2.4.39 (Sep 3 2014 16:35:00) $ root@srv-ind-mdm6l.vanenburg.com:/opt/cars-openldap-building/openldap-2.4.39/servers/slapd ldap_pvt_gethostbyname_a: host=srv-ind-mdm6l.vanenburg.com, r=0 5406f5e9 daemon_init: ldap://localhost:9011/ 5406f5e9 daemon_init: listen on ldap://localhost:9011/ 5406f5e9 daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap://localhost:9011/) 5406f5e9 daemon: listener initialized ldap://localhost:9011/ 5406f5e9 daemon_init: 1 listeners opened ldap_create 5406f5e9 slapd init: initiated server. 5406f5e9 slap_sasl_init: auxprop add plugin failed 5406f5e9 slapd destroy: freeing system resources. 5406f5e9 slapd stopped. 5406f5e9 connections_destroy: nothing to destroy. *********************end of logfile***************

1 0

ppolicy and repeated password
by Stefano Zanmarchi 03 Sep '14

03 Sep '14

Hi all, we'd like to use the ppolicy overlay to implement password locking after a certain number of bind failures. Sadly ppolicy does not distinguish between failures with different passwords (probably a dictionary attack) and failures with the same password (a client using an old, expired, password). This would easily lead to locking out users shortly after password change. I read that Zytrax has developed for Mozilla a modified version of ppolicy: http://www.zytrax.com/books/ldap/ch6/ppolicy.html which can distinguish between unique and repeated passwords. The page states the modified mozilla-ppolicy is available for openldap 2.4.11 and 2.4.16. Has anyone tried it with a newer version of openldap? Is it working? Thank you in advance, Stefano

1 0

accesslog-based consumer stuck on objectClass modify on provider
by Francesco Malvezzi 02 Sep '14

02 Sep '14

Hi all, yesterday I changed a structural objectClass for a entry with the relax control (control: 1.3.6.1.4.1.4203.666.5.12): dn: uid=cognos,ou=agents,dc=example,dc=org control: 1.3.6.1.4.1.4203.666.5.12 changetype: modify replace: objectClass objectClass: inetOrgPerson - add: sn sn: cognos On provider all ok. Provider is mirrormode and other mirror side is ok. The accesslog-based syncrepl on a consumer was stuck. Neither the modify nor the other next modifies were propagated. Is relax control unsupported in this scenario? Did I forget something really important? thank you, Francesco PS: I deleted on provider from accesslog db the entry corresponding to the said modify, restarted both consumer and provider and replica started again.

3 3

ACLQuestion
by Karl Heinz Wichmann 01 Sep '14

01 Sep '14

Hallo I have a problem with acl. We have following sturctur. dc=a,dc=b,dc=c | |-ou=ww-a | |-ou=ww-b | |-ou=ww-c | |-ou=ww-x | |-ou=system In each ww-a,b,c...x have we users and groups. In system we have system account (in groups and users) When we search with an ldap client like thunderbird addressbook, the users in system should not be visible. I use follow rule didn't run: olcAccess: {1}to filter="(objectclass=inetOrgperson)" attrs=entry,uid,sn,cn,mail,givenName by dn="cn=ad,ou=sys_ad,ou=people,dc=a,dc=b,dc=c" read by * none the following rule, i found all users (incl. ad, admin and so on) olcAccess: {1}to filter="(objectclass=*)" attrs=entry,uid,sn,cn,mail,givenName by dn="cn=ad,ou=system,dc=a,dc=b,dc=c" read by * none I want to avoid regex when posible. Karl Heinz

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2014