Openldap Replication issues
by PRATIK SINGAL
Hello all,
I have installed OpenLDAP on two machines and tried to set up multi-way
replication. I am able to perform the multi-way replication
(add/update/delete) when both machines are up and ldap is running.
But when one machine (server2) goes down and records are added, deleted
or modified on server1, they are not replicated to server2 when it is
back up and the ldap service is running.
**Below is the machine on which ldap is installed:**
[root@localhost openldap]# cat /etc/*-release
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Red Hat Enterprise Linux Server release 6.4 (Santiago)
**Openldap version:**
[root@localhost openldap]# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Oct 31 2012 08:14:14) $
mockbuild@x86-022.build.eng.bos.redhat.com:/builddir/build/BUILD
/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
Attaching the complete logs and conf file used.
Kindly let me know where I am making a mistake.
Regards,
Pratik
8 years, 6 months
About RDN values starting with #
by Pofelski, Lech
Hello openLDAP gurus,
According to RFC 4514, an RDN value may start with # followed by a number of "hex pairs" (pairs of hexadecimal values), representing the octets of some binary value.
There are two use cases involving such RDN syntax:
· Case 1, where the RDN is of the form:
<attribute OID (called also as attribute desc in dotted form)>=#<BER encoded attribute value in form of a sequence of hex pairs >
· Case 2, where the RDN is of the form:
<attribute name>=#<attribute value in form of a sequence of hex pairs>
Case 1 is explicitly illustrated in the RFC 4514 by the example:
1.3.6.1.4.1.1466.0=#04024869
Although Case 2 is not explicitly illustrated in RFC 4514, it is implicitly correct, as it conforms to the RDN syntax provided by this RFC.
The example of Case 2 equivalent to the example of Case 1 given in the RFC would be:
<name of the attribute with OID 1.3.6.1.4.1.1466.0>=#4869
Using OpenLDAP 2.4.39, I have tested a number of cases involving RDNs starting with #, including an example very close to the one from the RFC.
The results show that:
· If the RDN value is provided as e.g. a string value, LDAP operations like add, search and delete work well
· If the RDN value is provided as a #-prefixed hexadecimal value corresponding to cases 1 and 2, none of these cases works, and in all of them I get the error "Invalid DN syntax"
The schema file, scripts used to run the test and the test results are in the attached zip file.
I would like to know:
· If you share our understanding of the problem and in particular our interpretation of Case 2, for which there is no explicit example in RFC 4514.
· If this is a known limitation in openLDAP.
· If there is already a plan to fix the problem. If not, I'd be glad to contribute to fixing it.
Thanks in advance for your answer.
Regards,
Lech POFELSKI
Lech POFELSKI,
Software Development Engineer
Hewlett-Packard Centre de Compétences France
5 Avenue Raymond Chanas
38320 Eybens - France
lech.pofelski(a)hp.com
8 years, 6 months
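Decoding the `#`-prefixed form from RFC 4514, as an added example written for this page (it is not the poster's code and not OpenLDAP's DN parser): the hexstring after `#` is turned into octets, and those octets then have to form exactly one BER TLV, as the RFC's own example does (04 = OCTET STRING, 02 = length, 48 69 = "Hi"). Fed the post's Case 2 string `#4869`, the hex step succeeds but the BER step fails, because 0x48 would be read as a tag followed by a 105-byte length with no content; that is the validation a server has to apply before it can accept such an RDN value. Sample strings are the RFC example and the post's variant of it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One hex digit to its value, -1 for anything else. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* RFC 4514 section 2.4: "#" followed by an even number of hex digits, two per
 * octet. Returns the octet count written to out, or -1 if the string is not of
 * that shape (no "#", odd digit count, non-hex character, empty, too long). */
int rdn_hexstring_decode(const char *value, unsigned char *out, size_t outcap)
{
    size_t n = strlen(value), i, o = 0;
    if (n < 3 || value[0] != '#' || (n - 1) % 2 != 0) return -1;
    for (i = 1; i < n; i += 2) {
        int hi = hexval(value[i]), lo = hexval(value[i + 1]);
        if (hi < 0 || lo < 0 || o >= outcap) return -1;
        out[o++] = (unsigned char)((hi << 4) | lo);
    }
    return (int)o;
}

/* The decoded octets must be exactly one BER TLV: a tag, a short- or long-form
 * length, and that many content octets with nothing left over. Sets *tag,
 * *val and *vlen and returns 0, or returns -1 when the octets are not that. */
int ber_tlv_decode(const unsigned char *buf, size_t n, unsigned *tag,
                   const unsigned char **val, size_t *vlen)
{
    size_t i = 0, len = 0;
    if (n < 2) return -1;
    *tag = buf[i++];
    if (buf[i] & 0x80) {                          /* long form: 0x8N, then N length octets */
        size_t nlen = buf[i++] & 0x7f, k;
        if (nlen == 0 || nlen > sizeof(size_t) || i + nlen > n) return -1;
        for (k = 0; k < nlen; k++) len = (len << 8) | buf[i++];
    } else {
        len = buf[i++];                           /* short form: the length itself */
    }
    if (i + len != n) return -1;                  /* truncated content or trailing octets */
    *val = buf + i;
    *vlen = len;
    return 0;
}

/* Full path for an RDN value: "#hex" -> octets -> BER OCTET STRING (tag 0x04).
 * Copies the content into text as a C string and returns its length, or -1. */
int rdn_ber_octet_string(const char *value, char *text, size_t textcap)
{
    unsigned char raw[256];
    const unsigned char *v;
    size_t vlen;
    unsigned tag;
    int n = rdn_hexstring_decode(value, raw, sizeof raw);
    if (n < 0) return -1;
    if (ber_tlv_decode(raw, (size_t)n, &tag, &v, &vlen) != 0) return -1;
    if (tag != 0x04 || vlen + 1 > textcap) return -1;
    memcpy(text, v, vlen);
    text[vlen] = '\0';
    return (int)vlen;
}

/* Convenience check: does value decode to the expected text? 1 = yes, 0 = no. */
int rdn_decodes_to(const char *value, const char *expected)
{
    char text[256];
    int n = rdn_ber_octet_string(value, text, sizeof text);
    return n >= 0 && strcmp(text, expected) == 0;
}

int main(void)
{
    /* The RFC 4514 example (Case 1) and the post's Case 2 form of the same value. */
    const char *samples[] = { "#04024869", "#4869" };
    size_t i;
    for (i = 0; i < 2; i++) {
        char text[256];
        int n = rdn_ber_octet_string(samples[i], text, sizeof text);
        if (n < 0) printf("%-12s -> not a BER-encoded value\n", samples[i]);
        else       printf("%-12s -> OCTET STRING \"%s\"\n", samples[i], text);
    }
    return 0;
}
```

The hex step and the BER step are kept separate on purpose: a value that passes the first but not the second is exactly the Case 2 shape, and a parser that only checks the hex digits would accept octets it cannot interpret.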
HP-UX: mdb_txn_commit and MDB_WRITEMAP
by Kristian Amlie
We have enabled MDB_WRITEMAP on our HP-UX 11.23 Itanium after previous
discussions on the list, and that worked nicely for the most part.
However now we face a different issue: Occasionally, mdb_txn_commit will
return "Resource temporarily unavailable". I have not been able to
determine exactly which resource it's talking about; I suspected shared
memory limits, but raising this limit did not solve the problem. This
issue did not occur without MDB_WRITEMAP.
Any idea what else it could be? I can probably insert debug code into
LMDB if that's needed.
--
Kristian
8 years, 6 months
RE24 testing call (2.4.41)
by Quanah Gibson-Mount
If you know how to build OpenLDAP manually, and would like to participate
in testing the next set of code for the 2.4.41 release, please do so.
Generally, get the code for RE24:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...>
Configure & build.
Execute the test suite (via make test) after it is built.
Thanks!
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
8 years, 6 months
Need migrationhelp for 1.3.6.1.4.1.1466.115.121.1.5 because of bug in slapcat
by Frank Offermanns
Hello,
in our custom schema we have used several attributes with the syntax:
1.3.6.1.4.1.1466.115.121.1.5
attributetype ( myAttributeType:106 NAME ( 'casFileContent' )
    DESC 'Contains the file'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
    SINGLE-VALUE )
We defined this schema before this syntax was dropped.
Everything worked for a long time. Now, with OpenLDAP version 2.4.39 and
newer, slapcat no longer exports these attributes as MIME content but as
plain text, so the LDIF can't be used for importing. So I started to
research why and found that this syntax was dropped. But for backward
compatibility, shouldn't it still export this syntax as MIME content?
This would be important, since in inetorgperson.schema the 2 attributes
userSMIMECertificate and userPKCS12 still use it.
What syntax should I use for files stored in LDAP?
And even more important, how can I change the syntax of an attribute? Is
there a migration strategy to change the syntax of an attribute?
Regards,
Frank
8 years, 6 months
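Whether an LDIF exporter may write a value in the clear is decided by RFC 2849's safe-string rule, not by the attribute's syntax OID. As an added example written for this page (not the poster's code and not slapcat's), here is that rule together with a base64 writer, run on a text attribute and on a constructed binary value (the first four bytes of a PNG file, under the post's `casFileContent` name). Any octet at or above 0x80, which file content always contains, forces the `name:: base64` form; an LDIF file that carries such a value in the clear cannot be imported faithfully.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2849 SAFE-STRING: every octet in %x01-7F except LF and CR; the first
 * octet additionally not SPACE, ':' or '<'; and (Note 8) no trailing SPACE.
 * Anything else, in particular octets >= 0x80, must be written as
 * "name:: base64". Returns 1 when base64 is required. */
int ldif_needs_base64(const unsigned char *v, size_t n)
{
    size_t i;
    if (n == 0) return 0;
    if (v[0] == ' ' || v[0] == ':' || v[0] == '<') return 1;
    if (v[n - 1] == ' ') return 1;
    for (i = 0; i < n; i++)
        if (v[i] == 0 || v[i] == '\n' || v[i] == '\r' || v[i] >= 0x80) return 1;
    return 0;
}

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding. Returns the encoded length, -1 if out is too small. */
int base64_encode(const unsigned char *in, size_t n, char *out, size_t outcap)
{
    size_t i, o = 0;
    if (outcap < ((n + 2) / 3) * 4 + 1) return -1;
    for (i = 0; i < n; i += 3) {
        unsigned v = in[i] << 16;
        if (i + 1 < n) v |= in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? b64[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? b64[v & 63] : '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* One attribute line as an exporter should write it: "name: value" for safe
 * strings, "name:: base64" otherwise. Folding at 76 columns is left out.
 * Returns the number of characters written, -1 if out is too small. */
int ldif_write_attr(const char *name, const unsigned char *v, size_t n,
                    char *out, size_t outcap)
{
    size_t nl = strlen(name);
    int e;
    if (!ldif_needs_base64(v, n)) {
        if (nl + n + 4 > outcap) return -1;
        memcpy(out, name, nl);
        memcpy(out + nl, ": ", 2);
        memcpy(out + nl + 2, v, n);
        out[nl + 2 + n] = '\n';
        out[nl + 3 + n] = '\0';
        return (int)(nl + 3 + n);
    }
    if (nl + 3 >= outcap) return -1;
    memcpy(out, name, nl);
    memcpy(out + nl, ":: ", 3);
    e = base64_encode(v, n, out + nl + 3, outcap - nl - 3);
    if (e < 0 || nl + 3 + (size_t)e + 2 > outcap) return -1;
    out[nl + 3 + e] = '\n';
    out[nl + 4 + e] = '\0';
    return (int)(nl + 4 + e);
}

/* Check helper: format a C-string value and compare with the expected line. */
int ldif_line_equals(const char *name, const char *value, const char *expected)
{
    char buf[512];
    int n = ldif_write_attr(name, (const unsigned char *)value, strlen(value),
                            buf, sizeof buf);
    return n > 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: a text attribute and the first four octets of a PNG file. */
    static const unsigned char png_head[] = { 0x89, 'P', 'N', 'G' };
    char line[512];
    if (ldif_write_attr("cn", (const unsigned char *)"Frank", 5, line, sizeof line) > 0)
        fputs(line, stdout);
    if (ldif_write_attr("casFileContent", png_head, sizeof png_head, line, sizeof line) > 0)
        fputs(line, stdout);
    return 0;
}
```

A quick check for an LDIF file that is suspected of carrying binary in the clear is to run each `name: value` line through `ldif_needs_base64()`; any hit is a line ldapadd or slapadd will not read back as the original octets.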
Fast key range iteration
by Александр Киранов
Hi all!
Is there a way to iterate over all key-value pairs in an LMDB database
whose keys are in a specified range?
I'm trying to use mdb_cursor_get() with MDB_SET_RANGE to find the first pair.
Then I see only one way: use mdb_cursor_get() with MDB_NEXT and compare the
key with memcmp().
But it seems absolutely not efficient.
Is there another solution for my task?
Thanks!
8 years, 6 months
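The MDB_SET_RANGE-then-MDB_NEXT loop the post describes, written out as an added example (not the poster's code and not LMDB's). It runs against a small constructed in-memory table kept in key order, standing in for the B-tree, with `cursor_set_range()` and the index increment playing the roles of `mdb_cursor_get(..., MDB_SET_RANGE)` and `mdb_cursor_get(..., MDB_NEXT)`. The part worth getting right is the stop test: LMDB's default comparator orders keys bytewise and puts the shorter key first on a common prefix, so the upper bound has to be compared with that rule rather than with a fixed-length memcmp(), and a prefix scan needs an exclusive bound built by incrementing the prefix's last byte. The loop visits only the keys inside the range plus the single key that terminates it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key order of LMDB's default comparator (mdb_cmp_memn): memcmp() over the
 * common prefix, and on a tie the shorter key sorts first. A fixed-length
 * memcmp() alone reports "app" and "app:" as equal, which is how a range
 * check against a bound of a different length goes wrong. */
int lmdb_style_cmp(const void *a, size_t alen, const void *b, size_t blen)
{
    size_t n = alen < blen ? alen : blen;
    int r = memcmp(a, b, n);
    if (r != 0) return r;
    return alen < blen ? -1 : alen > blen ? 1 : 0;
}

/* Constructed stand-in for a database: kept in key order, as the B-tree would be. */
struct kv { const char *key; const char *val; };
static const struct kv table[] = {
    { "app:a", "1" }, { "app:b", "2" }, { "app:c", "3" },
    { "app:z", "4" }, { "b", "5" },     { "user:1", "6" },
};
#define NKEYS (sizeof table / sizeof table[0])

/* MDB_SET_RANGE: position on the first key >= lo; NKEYS plays MDB_NOTFOUND. */
static size_t cursor_set_range(const char *lo, size_t lolen)
{
    size_t i;
    for (i = 0; i < NKEYS; i++)
        if (lmdb_style_cmp(table[i].key, strlen(table[i].key), lo, lolen) >= 0)
            return i;
    return NKEYS;
}

/* Scan [lo, hi): SET_RANGE to lo, then NEXT while the key is below hi
 * (hi == NULL means no upper bound). Against a real environment the two
 * steps are mdb_cursor_get(cur, &k, &v, MDB_SET_RANGE) and
 * mdb_cursor_get(cur, &k, &v, MDB_NEXT), with the same stop test on k.
 * visit() is called per pair; the return value is the number of pairs. */
size_t range_scan(const char *lo, const char *hi,
                  void (*visit)(const char *key, const char *val))
{
    size_t hilen = hi ? strlen(hi) : 0, count = 0;
    size_t i = cursor_set_range(lo, strlen(lo));
    for (; i < NKEYS; i++) {                       /* MDB_NEXT until MDB_NOTFOUND */
        const char *k = table[i].key;
        if (hi && lmdb_style_cmp(k, strlen(k), hi, hilen) >= 0)
            break;                                 /* first key at or past hi: stop */
        if (visit) visit(k, table[i].val);
        count++;
    }
    return count;
}

/* Prefix scan as a range scan: the exclusive upper bound is the prefix with
 * its last byte incremented ("app:" -> "app;"). Trailing 0xFF bytes cannot be
 * incremented, so they are dropped first; an all-0xFF prefix has no finite
 * bound and the scan runs to the end of the table. */
size_t prefix_scan(const char *prefix,
                   void (*visit)(const char *key, const char *val))
{
    char hi[64];
    size_t len = strlen(prefix), blen = len;
    if (len == 0 || len >= sizeof hi) return 0;
    memcpy(hi, prefix, len);
    while (blen > 0 && (unsigned char)hi[blen - 1] == 0xFF) blen--;
    if (blen == 0) return range_scan(prefix, NULL, visit);
    hi[blen - 1]++;
    hi[blen] = '\0';
    return range_scan(prefix, hi, visit);
}

static void print_pair(const char *key, const char *val)
{
    printf("  %s = %s\n", key, val);
}

int main(void)
{
    printf("keys with prefix \"app:\":\n");
    prefix_scan("app:", print_pair);
    printf("keys in [\"app:b\", \"app:z\"):\n");
    range_scan("app:b", "app:z", print_pair);
    return 0;
}
```

With a custom comparator set through mdb_set_compare(), the stop test must use that same comparator; otherwise the loop can stop early or run past the intended range.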
[LMDB] Two API questions
by Klaus Malorny
Hi,
during the implementation of my first project using LMDB, two questions came up:
1. I wanted to write a small utility function that gives a rough
estimate of the free space, using the mdb_env_stat, mdb_env_info and
mdb_stat functions: summing up the block counts, multiplying them by the
block size and putting this in relation to the map size. Typically I know
which databases exist, but I wondered whether there is a way to
enumerate the existing databases, and did not find anything. Is it
correct that there is currently no way to get the names?
2. For one task, I needed to walk through a subset of the keys with a cursor
and delete the key/value pairs that meet some criteria. From the
documentation it is unclear to me how to proceed after a deletion,
i.e. which cursor operation should be used to access the next key/value pair.
Both MDB_GET_CURRENT and MDB_NEXT seemed to work. Which one is preferred,
or the "officially" correct way? I guess MDB_NEXT.
Thanks a lot.
Regards,
Klaus
8 years, 6 months
OpenLDAP referrals and kerberos error for MAC
by Aimee He
Dear OpenLDAP technical list,
I use OpenLDAP for development on the Mac platform and ran into the following 2 questions; I have looked up a lot of information, but they are still not resolved.
Could you help me? Thank you.
1. Referrals error,
Code flow:
    ld = ldap_init(host, port);
    rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
    rc = ldap_set_rebind_proc(ld, bind_prompt, NULL);
    rc = ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &sizelimit);
    rc = ldap_simple_bind_s(ld, adminDN, adminPwd);
    rc = ldap_search_s(ld, findDN, LDAP_SCOPE_ONELEVEL, [filter UTF8String], attrs, 0, &result);
CallBack function:
    static int bind_prompt(LDAP *ld, LDAP_CONST char *url, ber_tag_t request, ber_int_t msgid, void *params)
    {
        static char *dnsuffix = "";           /* initialised: strcat() with a NULL suffix is undefined */
        static char dn[256], password[256];   /* never filled in below, so the rebind is anonymous */
        int authmethod;
        NSLog(@"rebind for request=%ld,msgid=%ld,url=%s\n", (long)request, (long)msgid, url);
        authmethod = LDAP_AUTH_SIMPLE;
        NSLog(@"re-bind dn?");
        strcat(dn, dnsuffix);
        if (authmethod == LDAP_AUTH_SIMPLE && dn[0] != '\0')
        {
            NSLog(@"re-bind password?");
        }
        else
        {
            password[0] = '\0';
        }
        return ldap_bind_s(ld, dn, password, authmethod);
    }
Description of the problem: the ldap_search_s() return value is 10, which is LDAP_REFERRAL, and it did not call the function "bind_prompt()".
2. Kerberos error,
Code flow:
    ld = ldap_init(host, port);
    rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
    rc = ldap_set_option(ld, LDAP_OPT_SIZELIMIT, &sizelimit);
    rc = ldap_set_rebind_proc(ld, bind_prompt, NULL);
    rc = ldap_bind_s(ld, adminDN, adminPwd, LDAP_AUTH_KRBV4);
Description of the problem: with LDAP_AUTH_KRBV4, LDAP_AUTH_KRBV41 and LDAP_AUTH_KRBV42, the ldap_bind_s return value is -6, which is LDAP_AUTH_UNKNOWN.
A Windows client with the same configuration connected to the OpenLDAP server successfully.
Is the error in my code or in the interface calls?
Regards!
Aimee He
Tel:15658
8 years, 6 months
idassert-bind seems to ignore binddn
by Ryan Lovett
Hello,
I've set up a simple proxy so that local LDAP clients can get access to
protected attributes on a remote server. My proxy is slapd 2.4.31 with this
slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_ldap
sizelimit 500
tool-threads 1
backend ldap
database ldap
suffix "dc=company,dc=com"
uri ldap://ldap.company.com:389
idassert-bind bindmethod=simple
binddn="uid=my_id,ou=my_dept,dc=company,dc=com"
credentials="mypass"
authcId="dn:uid=my_id,ou=my_dept,dc=company,dc=com"
mode=legacy
ldap.company.com permits the my_id DN to access privileged attributes that
anonymous users cannot. I can run ldapsearch against ldap.company.com with
simple auth, binding as my_id, and view the privileged attributes.
ldapsearch -H ldap://ldap.company.com:389 -LLL -x \
-b ou=users,dc=company,dc=com \
-W -D uid=my_id,ou=my_dept,dc=company,dc=com \
"(uid=12345)"
When I run ldapsearch against my proxy slapd with the above slapd.conf
however...
ldapsearch -H ldap://myproxy.company.com:389 -LLL -x \
-b ou=users,dc=company,dc=com \
"(uid=12345)"
... a packet trace shows that slapd is connecting to ldap.company.com
without binding as my_id:
LDAPMessage bindRequest(1) "<ROOT>" simple
messageID: 1
protocolOp: bindRequest (0)
bindRequest
version: 3
name:
authentication: simple (0)
simple: <MISSING>
As a result I do not see the privileged attributes.
Based on the docs
<http://manpages.ubuntu.com/manpages/trusty/man5/slapd-ldap.5.html>, I've
chosen mode=legacy because I'd like for the proxy to "perform a simple bind
as the authcDN ... and assert the client's identity when it is not
anonymous."
I've also tried following the advice at
http://www.openldap.org/faq/data/cache/532.html which states:
> If no authzID is given, and mode is set to none (for instance because the
> remote server does not support the proxyAuthz control), the clients will be
> authorized as "cn=Proxy,dc=example,dc=com" even if they actually connected
> anonymously to the proxy.
yielding:
idassert-bind bindmethod=simple
binddn="uid=my_id,ou=my_dept,dc=company,dc=com"
credentials="mypass"
mode=none
But an ldapsearch of my proxy then reports "Inappropriate authentication
(48)" which I don't understand because client-to-proxy and proxy-to-remote
all use simple auth.
What am I doing wrong? Any advice is greatly appreciated!
Ryan
8 years, 7 months