git problems
by Mattes
Hello list,
while upgrading my local git checkout I just realized that the repository contains serveral
files under contrib/ldapc++ that should never be put under version control:
l$ git pull
Updating 7a7d941..ff7c0e5
error: Your local changes to the following files would be overwritten by merge:
contrib/ldapc++/Makefile.in
contrib/ldapc++/configure
contrib/ldapc++/examples/Makefile.in
contrib/ldapc++/src/Makefile.in
all these files are generated during the build process (by automake/autoconf)
Can someone with commit permission please fix this?
TIA Ralf Mattes
6 years
OpenLDAP permissions question
by Igor Shmukler
Hello,
I have been spamming this list, looking for insights into why I cannot
configure OpenLDAP to use cn=config to delete an entry inside a DIT.
Sorry.
Just now thought of and conducted another experiment. The results
surprised me. If someone can please explain why OpenLDAP behaves this
way, and whether this can be altered through configuration, it would
certainly get me further on my way.
When I try to delete an entry using LDAPI as below:
$ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com
ldap_delete: Insufficient access (50)
additional info: no write access to parent
I do the same using domain administrator credentials and below and it
works fine:
$ ldapdelete -D cn=admin,dc=directory,dc=google,dc=com -W -x
cn=john,dc=directory,dc=com
Why LDAPI does not work? What can be done?
Thank you,
Igor Shmukler
6 years
Schema error: attributeType ...
by Zhang,Jun
This error with a yellow exclamation point caused nothing to be shown on the right panel of the phpldapadmin console.
Schema error: attributeType "olmdburilist" inherits from "managedInfo", but attributeType "managedInfo" does not exist.
OpenLDAP 2.4.23
RHEL 6
Putting phpldapadmin in debug mode, I did not find anything related to the error message.
Jun
6 years
slapd does not log neither to syslog nor systemd' sjournal
by lejeczek
hi everybody
on rhel 7 when I start slapd I see it is running:
/usr/sbin/slapd -u ldap -h ldapi:/// ldap://192.168.2.33/
ldaps://192.168.2.33/ -s 160
and yet I don't get anything in rsyslog logs nor in
systemd's journal
When I stick slapd to terminal with only -d instead of -s
everything is as expected.
weird, right?
any suggestions very appreciated.
6 years
Re: OpenLDAP permissions question
by Marc Patermann
Igor,
Igor Shmukler schrieb (20.03.2015 11:21 Uhr):
> Unfortunately, your email does not clear anything, FOR ME. It does not
> mean you are not 100% correct. I am just slow, I guess. Sorry.
do simple things first! Do more complex things later!
- Configure a rootdn with rootpw for each database. Use this to
authenticate to slapd und modify things.
This works? Fine, go on.
- Create a user entry inside your DIT.
Use this entry as rootdn.
This works? Fine, go on.
- Map this user entry from your local unix user with olcAuthzRegexp
to use with ldapi and EXTERNAL.
This works? Fine, go on.
- or make your first steps with ACLs and another user entry.
> I don't see why/how Michael's suggestion with olcAuthzRegexp could
> work. The way that could have worked - multiple remaps, different for
> each database is not allowed.
Read again what Michael said:
"authz-regexp is a global configuration option."
> The one permitted - inside config
> database, as far as I understand, does not do what I need.
Do you need multiple mappings?
As you are one user on your system, this maps to one user in ldap with
olcAuthzRegexp.
As Micheal already posted:
authz-regexp
"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=root,dc=example,dc=com"
uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
Marc
6 years
back-meta: dependency on ldap.conf
by Liam Gretton
OpenLDAP 2.4.40, SLES x86_64.
This will seem crazy, but it looks to me that back-meta uses
/etc/openldap/ldap.conf for its TLS configuration instead of the
tls_options set explicitly within slapd.conf.
Within my meta configuration I have the following for idassert-bind:
idassert-bind bindmethod=simple
binddn="cn=user,dc=example,dc=com
credentials="password"
flags=prescriptive
tls_cacert=/etc/ssl/certs/ca.pem
tls_cacertdir=/etc/ssl/certs
tls_reqcert=demand
None of the TLS options seem to have any effect here at all (I can put
nonsensical values to the tls options here and slapd doesn't complain at
all).
Instead it's necessary to use /etc/openldap/ldap.conf for back-meta to
bind over SSL/TLS:
tls_cacert /etc/ssl/certs/ca.pem
tls_cacertdir /etc/ssl/certs
Any changes to ldap.conf get picked up by back-meta on a restart.
This can't be right, surely?
As an aside, I can't see why it's necessary to have to specify both
tls_cacert (pointing at the last CA in the chain) as well as
tls_cacertdir, but it is.
--
Liam Gretton liam.gretton(a)le.ac.uk
Systems Specialist http://www.le.ac.uk/its/
IT Services Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
6 years
OpenLDAP freeze
by Cyril Grosjean
I've an OpenLDAP 2.4.32 server with millions of entries, which uses to
serve tens of requests per second.
It works as a stand-alone master server (replication is setup but the slave
server is down)
I noticed several times, at different times and dates, that no lines are
logged in the OpenLDAP access log
for a few minutes, as if it was frozen. I try to figure out what could
explain that ? I checked the usual
system counters (CPU, IO, Memory, free disk space, ...) as well as the
running processes, but did not notice anything
suspicious.
Since the OpenLDAP server runs in a virtual machine, I'm currently trying
to monitor the ESX hypervisor.
Any idea of what could go wrong ?
6 years
FW: questions about LMDB
by Shu, Xinxin
CC technical list
Cheers,
xinxin
-----Original Message-----
From: openldap-devel [mailto:openldap-devel-bounces@openldap.org] On Behalf Of Shu, Xinxin
Sent: Friday, March 20, 2015 8:50 AM
To: Howard Chu; openldap-devel(a)openldap.org
Subject: RE: questions about LMDB
Sorry for the wrong mail list , I will forward this request to technical list
Cheers,
xinxin
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Thursday, March 19, 2015 11:52 PM
To: Shu, Xinxin; openldap-devel(a)openldap.org
Subject: Re: questions about LMDB
Shu, Xinxin wrote:
> Several other questions about lmdb
>
> 1) does lmdb store one key-value pair in a single page? How lmdb organizes these key-value pairs in a single page
> 2) if size is larger than single page size , how lmdb process this request?
This list is for developers to discuss actual coding issues inside the OpenLDAP code; your questions are too elementary and don't belong here. Use the -technical list for user-oriented questions.
>
> Any help will be appreciated ? thanks
>
> Cheers,
> xinxin
>
> -----Original Message-----
> From: Shu, Xinxin
> Sent: Thursday, March 19, 2015 3:49 PM
> To: openldap-devel(a)openldap.org
> Cc: Shu, Xinxin
> Subject: questions about LMDB
>
> Hi list ,
>
> Recently I read docs about lmdb , there are two sentences
> 1) readers do not block writers
> 2) writers do not block readers
> I can understand 'readers do not block writers' , but cannot understand the second one , can someone help explain , how lmdb achieve 'writers do not block readers', below is my understandings , please correct me if anything wrong.
> if the access pattern is write - read, since lmdb only support two version of data , when the write has been started but not committed , the concurrent read may read stale data since write has not been committed.
>
> Cheers,
> xinxin
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years
file descriptor setting
by Daniel Jung
Hi,
Running 2.4.39 on centos 6. I set the open file limit to 200000 today as
part of testing and it ran fine for a while and then an hour or so later
the daemon died with no trace in the logs. I am running stats and sync at
the moment. Would i need to run args to capture issue like this?
Thanks
6 years
what is wrong with my permissions?
by Igor Shmukler
Hello,
Sorry. I need help, again!
I am trying to configure my OpenLDAP so that cn=config has full
over-the-network write-access with a password.I thought at one point
that I got the permissions working. It turns out, those are not
working, now. Please say what I am doing wrong.
Last time, I had a similar problem with policy. Michael S. saved me a
bunch of time by advising to load ppolicy.ldif [with the appropriate
schema]. This is obviously no indicator of any kind, yet the problem
might be not in the LDIFs or ...
I understood that manage is the LDIF version of full permissions.
Found olcAccess syntax as "olcAccess: to <what> [ by <who>
[<accesslevel>] [<control>] ]+"
My OLC directives for ldapmodify(1) are below:
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
olcAccess: {1}to * by self write by dn="cn=config" write by * read
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK
I tried various combinations, like: olcAccess: {1}to * by dn=cn=config
manage by * read
The old commands are valid, yet do not result in the desired
configuration. Instead, when ldapdelete(1) is invoked, I get:
ldap_delete: Insufficient access (50)
additional info: no write access to parent
Please advise.
I thank everyone on who has been reading my messages. People on this
list have been extremely helpful.
Sincerely,
Igor Shmukler
6 years
