openldap-technical October 2015

openldap-technical@openldap.org

50 participants
44 discussions

Delta-syncrepl not syncing entire directory: Entry CSN greater than snapshot
by Pedro Roger 21 Oct '15

21 Oct '15

Hello, i'm trying to setup a master/slave replication via delta-syncrepl, but for the most of the entries i get the message: "Entry CSN greater than snapshot". I had search in the archive of the mail list but i couldn't get a solution for this. Any help is appreciate. Some entrie i get in the syslog: Oct 20 20:23:57 temperance slapd[7645]: Entry uid=ari_oliveira,ou=uvanet.br,ou=mail,dc=uvanet,dc=br CSN 20151015141738.689470Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000 Oct 20 20:23:57 temperance slapd[7645]: Entry cn=SAPLIC,ou=groupOfNames,ou=intranet,dc=uvanet,dc=br CSN 20151020152042.450209Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000 Oct 20 20:23:57 temperance slapd[7645]: Entry cn=SIGU,ou=groupOfNames,ou=intranet,dc=uvanet,dc=br CSN 20151020152042.636081Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000 I have the following config in the provider (slapd 2.4.23): ... moduleload accesslog.la moduleload syncprov.la database hdb suffix cn=accesslog directory /opt/ldap/accesslog rootdn cn=accesslog index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart eq dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE database hdb suffix "dc=uvanet,dc=br" rootdn "xxxxxx" directory "/var/lib/ldap" overlay syncprov syncprov-checkpoint 1000 60 #syncprov-checkpoint 500 30 syncprov-reloadhint TRUE syncprov-sessionlog 500 # accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00 index objectClass eq,pres index ou,cn,sn,mail,givenname eq,pres,sub index uidNumber,gidNumber,memberUid eq,pres index loginShell eq,pres index memberOf eq ## required to support pdb_getsampwnam index uid pres,sub,eq # required to support pdb_getsambapwrid() index displayName pres,sub,eq index nisMapName,nisMapEntry eq,pres,sub index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub index uniqueMember eq index sambaGroupType eq index sambaSIDList eq # syncprov specific indexing index entryUUID eq index entryCSN eq overlay memberof In the consumer server we have: syncrepl rid=1 provider=ldap://X.X.X.X type=refreshAndPersist retry="5 + 5 +" interval=00:00:00:01 searchbase="dc=uvanet,dc=br" filter="(objectClass=*)" scope=sub starttls=no logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog attrs="*" schemachecking=on bindmethod=simple binddn="XXXX" credentials="XXXX" # Refer updates to the master updateref ldap://X.X.X.X Thanks in advance -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Pedro Roger Magalhães Vasconcelos http://www.proger.eti.br

2 1

openldap chain overlay: does not seem to be functioning/referenced
by Peter Heinemann 21 Oct '15

21 Oct '15

openldap 2.4-39 RHEL 6.5 I'm trying to get one ldap server configured to chain queries to a second server when specific OUs that are on the 2nd server (but not the 1st) are referenced in a query/ldapsearch. Note that these are read-only consumers, so I am not dealing with modifications, only searches. Both servers share the top level suffix. An ldapsearch against the first server involving an OU that is on the second server returns "no such Object"; and the logfile on the first server (loglevel 1) shows no reference to the chain-uri or attempt to search outside the first server. overlay chain chain-uri ldap://chained-server.domain.com chain-idassert-bind bindmethod="simple" binddn="cn=admin,dc=domain,dc=com" credentials="<password>" mode="self" chain-tls start chain-return-error TRUE slapd.conf is valid per slaptest, and starts successfully. However, an ldapsearch against the initial target server simply returns "No such object", because it appears the chain is never followed or these directives are inactive. In the local4.log with loglevel set to 1, there's never any attempt/reference to the chain-uri, and no subsequent entry in the log file for the second server. - should there be logfile entries on the first server referencing the chain-uri (or on the client ldapsearch with -d1)? - is there a missing directive or incorrect configuration? Thanks for any assistance. Peter

1 1

OpenLDAP as a Caching Proxy server
by Christian Tardif 21 Oct '15

21 Oct '15

Hi, I've been trying to setup a caching proxy server with OpenLDAP for quite a long time, and it seems, from what I can see right now, that the proxy stuff is working (I can log on on a server that points to the proxy as its LDAP server), but the caching stuff doesn't seem to work at all. EVERY request I'm doing is transferred to the AD (the real LDAP server) behind the proxy LDAP. Here's how my pcache module is set. Not too sure though, how to setup pcacheTemplates. Maybe that my error. One thing to note is that no database is even created in /var/tmp/cache directory, as I would expect. moduleload pcache.la overlay pcache pcache bdb 100000 3 1000 60 directory /var/tmp/cache cachesize 150 index objectClass eq index sAMAccountName eq pcacheMaxQueries 100 pcacheAttrset 0 objectClass name objectSid pcacheAttrset 1 objectClass sAMAccountName pcacheAttrset 2 * pcacheTemplate (&(member=)(objectClass=)(name=)) 0 60 pcacheTemplate (objectClass=) 0 60 pcacheTemplate (&(objectSid=)(objectClass=)(name=)) 0 60 pcacheTemplate (&(?sAMAccountName=)(?objectClass=)(sAMAccountName=)(objectSid=)) 2 60 pcacheTemplate (sAMAccountName=) 2 60 pcachePersist true -- CHRISTIAN TARDIF -------------------------

2 3

slapd: No database support for /var/heimdal/heimdal
by Francesco Malvezzi 16 Oct '15

16 Oct '15

hi all, while adding the smbk5pwd overlay 1) to a mdb database, on ldapmodify command slapd dies suddently with the following last lines: [...] 5620d62f >>> dnPrettyNormal: <olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config> 5620d62f <<< dnPrettyNormal: <olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config>, <olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config> 5620d62f oc_check_required entry (olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config), objectClass "olcSmbK5PwdConfig" 5620d62f oc_check_allowed type "objectClass" 5620d62f oc_check_allowed type "olcOverlay" 5620d62f oc_check_allowed type "olcSmbK5PwdEnable" 5620d62f oc_check_allowed type "structuralObjectClass" slapd: No database support for /var/heimdal/heimdal openldap is 2.4.42 compiled on debian jessie, heimdal is compiled too (heimdal-1-5-branch). The module in contrib/slapd-modules/smbk5pwd compiles fine apart a few warnings. I think I am missing a library, but I am not able to figure out which one. thank you, Francesco 1) dn: olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config changetype: add objectClass: olcSmbK5PwdConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {3}smbk5pwd olcSmbK5PwdEnable: samba olcSmbK5PwdEnable: krb5

1 1

Can a ppolicy be applied to a subtree?
by Campbell, Courtney 15 Oct '15

15 Oct '15

I am curious if a ppolicy can be applied to a subtree so that it is added to a user account when newly created? ________________________________ This message (including any attachments) is confidential and intended for a specific individual and purpose. If you are not the intended recipient, please notify the sender immediately and delete this message.

3 3

Allowing users to update their passwords
by Kartik Vashishta 13 Oct '15

13 Oct '15

Team, I am not anything but new to ldap. I have however successfully installed and configured Openldap on CentOS7. Online material was a BIG help. I am trying to figure out how to allow users to change their own passwords. Googling pointed me out to this: access to attrs=userPassword by self write by anonymous auth by users none access to * by * read But where and how does this get input into the ldap db. There is no more a slapd.conf. Please advise. Regards, Kartik Vashishta

3 2

bind/queries through multiple backends
by Steffen Kaiser 10 Oct '15

10 Oct '15

Hi, I currently have a local OpenLDAP v2.4.40 with a bdb backend and another instance with a ldap backend proxying binds and queries to an AD. The bdb backend serves just one suffix: dc=example,dc=com The AD serves several suffixes: dc=example,dc=com (same as local one) dc=example,dc=net dc=otherexample,dc=com dc=anotherexample,dc=net I would like to merge both configurations. The entries of the suffix dc=example,dc=com, which is served by both servers, are disjunct. There is no DN, which is located on both servers. There will be some name problems, but these can be handled by organisational means. ==== My first problem is that I cannot make bind work for DNs with suffix dc=example,dc=com, which are located on the 2nd backend. In fact, there are very few DNs of that suffix on the 2nd server, but there are. I would like that bind first tries the first (local) server and, if the DN is missing there, the second server (the proxy). Currently, only the local backend is queried. ==== What would be the best solution to forward a bunch of suffixes to the LDAP backend? -- Steffen Kaiser

2 1

empty ldapmodify refused with slapo-unique
by Geert Hendrickx 08 Oct '15

08 Oct '15

When slapo-unique constraints are in effect, it seems empty updates are no longer allowed: > $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret > dn: cn=test1,dc=my-domain,dc=com > changetype: modify > > modifying entry "cn=test1,dc=my-domain,dc=com" > ldap_modify: Invalid syntax (21) > additional info: unique_modify() got null op.orm_modlist Why is this considered invalid syntax? Without slapo-unique constraint, empty updates like these are accepted. Geert -- geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F This e-mail was composed using 100% recycled spam messages!

2 2

SSL based LDAP client verification
by Aneela Saleem 08 Oct '15

08 Oct '15

Hi all, I have followed this link <http://www.openldap.org/faq/data/cache/185.html> to generate self-signed certificates. I have successfully performed server side validation. What if i want to access LDAPS:// from other client. I have copied servercrt.pem and serverkey.pem file on client machine, also added servercrt.pem file to client trust store. I'm using LDAPjs client for authentication. I have provided trust store path and serverkey.pem file in the code, but i still get the following error: crypto.js:104 if (options.cert) c.context.setCert(options.cert); ^ Error: error:0906D06C:PEM routines:PEM_read_bio:no start line at Object.exports.createCredentials (crypto.js:104:31) at Object.exports.connect (tls.js:1334:27) at Client._connect (/home/aneela/node_modules/ldapjs/lib/client/client.js:736:18) at new Client (/home/aneela/node_modules/ldapjs/lib/client/client.js:247:22) at Object.createClient (/home/aneela/node_modules/ldapjs/lib/client/index.js:60:12) at authDN (/home/aneela/client-ldapjs/app.js:15:21) at Object.<anonymous> (/home/aneela/client-ldapjs/app.js:90:1) at Module._compile (module.js:456:26) at Object.Module._extensions..js (module.js:474:10) at Module.load (module.js:356:32) Please guide me if i'm doing something wrong. Which PEM files need to be copied on client machine? Or i need to create client side certificates separately as well?

2 1

slapd-ldap quarantine, manual slapd restart is required
by Nikos Voutsinas 07 Oct '15

07 Oct '15

Hi, I am using the quarantine option of back-ldap, using the following setting: olcDbQuarantine 10,30;60,+ which AFAIK it means that proxy ldap will try to unset the quarantine in 10 seconds for 30 times, and then will try every 60 seconds, forever. In my case when proxy ldap put the backend target into quarantine the following lines were written in slapd.log, and after that proxy ldap never managed to remove the target from quarantine. Oct 7 21:30:58 proxy slapd[330]: conn=632725 op=0 ldap_back_retry: retrying URI="ldap://back01 ldap://back02" DN="" Oct 7 21:30:58 proxy slapd[330]: conn=632725 op=0: ldap_back_quarantine enter. Oct 7 21:31:08 proxy slapd[330]: conn=632759 op=0: ldap_back_getconn quarantine retry block #0 try #0. It seems to me that back ldap tried once to check the target status in 10 seconds, and after that nothing..... 1. Is the config syntax correct? 2. Is there any case this to be a regression of ITS#5592 Thanks, Nikos

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2015