openldap-technical May 2015

openldap-technical@openldap.org

47 participants
42 discussions

Openldap Replication issues
by PRATIK SINGAL 06 May '15

06 May '15

Hello all, I have installed openldap on two machines and tried to setup multi-way replication.I am able to perform the multi-way replication (Add/Update/delete) when both the machines are up and ldap is running. But when my one machine goes down(server2) and records are added,deleted,modified on (server1) are not getting replicated on server2 when its is up and ldap service is running. **Below are the machine on which ldap is installed:** [root@localhost openldap]# cat /etc/*-release LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch Red Hat Enterprise Linux Server release 6.4 (Santiago) Red Hat Enterprise Linux Server release 6.4 (Santiago) **Openldap version:** [root@localhost openldap]# slapd -V @(#) $OpenLDAP: slapd 2.4.23 (Oct 31 2012 08:14:14) $ mockbuild@x86-022.build.eng.bos.redhat.com:/builddir/build/BUILD /openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd Attaching the complete logs and conf file used. Kindly let me know where am making mistake Regards, Pratik

2 1

About RDN values starting with #
by Pofelski, Lech 06 May '15

06 May '15

Hello openLDAP gurus, According to the RFC 4514, an RDN value may start with # and to be followed by a number of "hex pair" (pairs of hexadecimal values), representing octets of some binary value. There are two use cases involving such RDN syntax: · Case 1, where the RDN is of the form: <attribute OID (called also as attribute desc in dotted form)>=#<BER encoded attribute value in form of a sequence of hex pairs > · Case 2, where the RDN is of the form: <attribute name>=#<attribute value in form of a sequence of hex pairs> Case 1 is explicitly illustrated in the RFC 4514 by the example: 1.3.6.1.4.1.1466.0=#04024869 Although Case 2 is not explicitly illustrated in the RFC4514, it is implicitly correct, as it is in the conformity with the RDN syntax provided by this RFC. The example of Case2 equivalent to the example of Case1 given in the RFC would be: <name of the attribute with OID 1.3.6.1.4.1.1466.0>=#4869 I have tested using openLDAP 2.4.39 a number of cases involving RDNs starting with #, including an example very close to the example from the RFC. The results show that: · If RDN value is provided as e.g. string value, LDAP operations like add, search and delete work well · If RDN value is provided as # prefixed hexadecimal value corresponding to the cases 1 and 2, none of this cases work and in all the cases I get the error "Invalid DN syntax" The schema file, scripts used to run the test and the test results are in the attached zip file. I would like to know: · If you share our understanding of the problem and in particular our interpretation of the Case2, for which there is no explicit example in the RFC4514. · If this is a known limitation in openLDAP. · If there is already a plan to fix the problem. If not, I'd be glad to contribute to fixing it. Thanks in advance for your answer. Regards, Lech POFELSKI Lech POFELSKI, Software Development Engineer Hewlett-Packard Centre de Compétences France 5 Avenue Raymond Chanas 38320 Eybens - France lech.pofelski(a)hp.com<mailto:lech.pofelski@hp.com>

2 6

HP-UX: mdb_txn_commit and MDB_WRITEMAP
by Kristian Amlie 06 May '15

06 May '15

We have enabled MDB_WRITEMAP on our HP-UX 11.23 Itanium after previous discussions on the list, and that worked nicely for the most part. However now we face a different issue: Occasionally, mdb_txn_commit will return "Resource temporarily unavailable". I have not been able to determine exactly which resource it's talking about; I suspected shared memory limits, but raising this limit did not solve the problem. This issue did not occur without MDB_WRITEMAP. Any idea what else it could be? I can probably insert debug code into LMDB if that's needed. -- Kristian

2 2

RE24 testing call (2.4.41)
by Quanah Gibson-Mount 05 May '15

05 May '15

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.41 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

5 6

Need migrationhelp for 1.3.6.1.4.1.1466.115.121.1.5 because of bug in slapcat
by Frank Offermanns 05 May '15

05 May '15

Hello, in our custom schema we have used several attributes with the syntax: 1.3.6.1.4.1.1466.115.121.1.5 attributetype ( myAttributeType:106 NAME ( 'casFileContent' ) DESC 'Contains the file' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE ) We defined this schema before this syntax was dropped. Everything worked for a long time. Now with OpenLDAP Version 2.4.39 and newer a slapcat does no longer export this attributes as MimeContent, but as plain text. So the ldif can't be used for importing. So I started a research why and found that this syntax was dropped. But for downward compatibility shouldn't it still export this syntax as mime content, shouldt it? This would be important, since in inetorgperson.schema the 2 attributes userSMIMECertificate and userPKCS12 still use it. What syntax should I use for files stored in LDAP? And even more important, how can I change the syntax of a attribute. Is there a migration strategy to change the syntax of a attribute? Regards, Frank

4 10

Fast key range iteration
by Александр Киранов 04 May '15

04 May '15

Hi all! Is there a way to iterate with all key-value pairs in LMDB database, where all keys is in specified range? I'm trying to use mdb_cursor_get() with MDB_SET_RANGE to search first pair. Then I see only one way - use mdb_cursor_get() with MDB_NEXT and compare key by memcmp(). But it seems absolutely not effective. Is there another solution for my task? Thanks!

3 2

Try out our new most advanced medication aimed to conquer you erectile dysfunction!
by Anibal 04 May '15

04 May '15

These simple medicines will bring you back to life in the bedroom Your boner will be back in no time with these low prices We will fill your life with joy! Free tablets this week! http://zzb.bz/34vXj World Anti-ED from FDA

1 0

[LMDB] Two API questions
by Klaus Malorny 04 May '15

04 May '15

Hi, during the implementation of my first project using LMDB I got two questions: 1. I wanted to write a small utility function that determines a rough estimation of the free space, using the mdb_env_stat, mdb_env_info and mdb_stat functions, summing up the block counts, multiplying it with the block size and putting this in relation to the map size. Typically I know which databases exist, but I wondered whether there would be a possibility to enumerate the existing databases and did not find anything. Is it correct that currently there is no way to get the names? 2. For one task, I needed to walk through a subset of the keys with a cursor and to delete key/value pairs that meet some criteria. From the documentation, it is unclear to me how to proceed after a deletion, i.e. which cursor operation should be used to access the next key/value pair. Both MDB_GET_CURRENT and MDB_NEXT seemed to work. Which one is preferred or the "officially" correct way? I guess MDB_NEXT. Thanks a lot. Regards, Klaus

2 1

OpenLDAP referrals and kerberos error for MAC
by Aimee He 03 May '15

03 May '15

Dear Technical of openLDAP, I use OpenLDAP development on the Mac platform, run into the following 2 questions, find a lot of information, still not resolved. Could you help me, Thank you. 1. Referrals error, Code flow: ld = ldap_init(host, port); rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON); rc = ldap_set_rebind_proc(ld, bind_prompt, NULL); rc = ldap_set_option(ld, LDAP_OPT_SIZELIMIT,&sizelimit); rc = ldap_simple_bind_s(ld, adminDN, adminPwd); rc = ldap_search_s(ld, findDN, LDAP_SCOPE_ONELEVEL, [filter UTF8String], attrs, 0, &result); CallBack function： static int bind_prompt(LDAP *ld,LDAP_CONST char *url,ber_tag_t request, ber_int_t msgid, void *params) { static char *dnsuffix; static char dn[256],password[256]; int authmethod; NSLog(@"rebind for request=%ld,msgid=%ld,url=%s\n",request,(long)msgid,url); authmethod = LDAP_AUTH_SIMPLE; NSLog(@"re-bind dn?"); strcat(dn, dnsuffix); if (authmethod == LDAP_AUTH_SIMPLE && dn[0] != '\0') { NSLog(@"re-bind password?"); } else { password[0] = '\0'; } return ldap_bind_s(ld, dn, password, authmethod); } Description of the problem:ldap_search_s() return value is 10, which is LDAP_REFERRAL,an it did not call the function “bind_prompt()”. 2. Kerberos error, Code flow： ld = ldap_init(host, port); rc = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); rc = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); rc = ldap_set_option(ld, LDAP_OPT_SIZELIMIT,&sizelimit); rc = ldap_set_rebind_proc(ld, bind_prompt, NULL); rc = ldap_bind_s(ld, adminDN, adminPwd, LDAP_AUTH_KRBV4); Description of the problem:LDAP_AUTH_KRBV4,LDAP_AUTH_KRBV41,LDAP_AUTH_KRBV42,ldap_bind_s return value is -6, which is LDAP_AUTH_UNKNOWN. Windows Client with the same configuration connected to openLDAP server successfully. Does my code or interface call for errors. Regards! Aimee He Tel:15658 Confidential Information:This message is sent to the intended recipient and may contain privileged or confidential information. If you received this transmission in error, please notify the sender with a replying e-mail and delete the message and any attachment.Transmission Caveat and Virus Alert: Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.

1 0

idassert-bind seems to ignore binddn
by Ryan Lovett 01 May '15

01 May '15

Hello, I've setup a simple proxy so that local LDAP clients can get access to protected attributes on a remote server. My proxy is slapd 2.4.31 with this slapd.conf: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_ldap sizelimit 500 tool-threads 1 backend ldap database ldap suffix "dc=company,dc=com" uri ldap://ldap.company.com:389 idassert-bind bindmethod=simple binddn="uid=my_id,ou=my_dept,dc=company,dc=com" credentials="mypass" authcId="dn:uid=my_id,ou=my_dept,dc=company,dc=com" mode=legacy ldap.company.com permits the my_id DN to access privileged attributes that anonymous users cannot. I can run ldapsearch against ldap.company.com with simple auth, binding as my_id, and view the privileged attributes. ldapsearch -H ldap://ldap.company.com:389 -LLL -x \ -b ou=users,dc=company,dc=com \ -W -D uid=my_id,ou=my_dept,dc=company,dc=com \ "(uid=12345)" When I run ldapsearch against my proxy slapd with the above slapd.conf however... ldapsearch -H ldap://myproxy.company.com:389 -LLL -x \ -b ou=users,dc=company,dc=com \ "(uid=12345)" ... a packet trace shows that slapd is connecting to ldap.company.com without binding as my_id: LDAPMessage bindRequest(1) "<ROOT>" simple messageID: 1 protocolOp: bindRequest (0) bindRequest version: 3 name: authentication: simple (0) simple: <MISSING> As a result I do not see the privileged attributes. Based on the docs <http://manpages.ubuntu.com/manpages/trusty/man5/slapd-ldap.5.html>, I've chosen mode=legacy because I'd like for the proxy to "perform a simple bind as the authcDN ... and assert the client's identity when it is not anonymous." I've also tried following the advice at http://www.openldap.org/faq/data/cache/532.html which states: If no authzID is given, and mode is set to none (for instance because the > remote server does not support the proxyAuthz control), the clients will be > authorized as "cn=Proxy,dc=example,dc=com" even if they actually connected > anonymously to the proxy. yielding: idassert-bind bindmethod=simple binddn="uid=my_id,ou=my_dept,dc=company,dc=com" credentials="mypass" mode=none But an ldapsearch of my proxy then reports "Inappropriate authentication (48)" which I don't understand because client-to-proxy and proxy-to-remote all use simple auth. What am I doing wrong? Any advice is greatly appreciated! Ryan

4 7

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2015