Re: Syncrepl issue with one node
by Quanah Gibson-Mount
--On Tuesday, June 09, 2015 8:50 AM -0500 espeake(a)oreillyauto.com wrote:
>
> We are running openLDAP 2.4.39 in an MMR replication on Ubuntu 14.04. I
> have one node that is not wanting to sync with other nodes giving the
> following error:
>
> Jun 9 06:51:35 tn-ldap-a-1 slapd[3138]: do_syncrep2: rid=005 CSN too old,
> ignoring 20150609115135.153480Z#000000#003#000000
>
> As you can see the CSN shows the exact same time as the time that is being
> logged. We are in the U.S. Central timezone. I have checked our ntp
> service on my three nodes. All three are pointed to the same ntp and are
> in sync. Would it be possible that one node might still be just a few
> milliseconds too fast and the csn timestamp would appear wrong? Is there a
> logging level I can set for that specific issue? I am currently logging
> the sync records. I can go to debug if needed.
a) Please don't resend your emails to the list. The first one got through
fine, which you could easily verify by looking at the list archives.
b) Not enough information provided here to go on. Are all server IDs
unique? Are all syncrepl clauses unique per DB? Personally I've never
found ntpd particularly good at keeping clocks in sync. I've generally
resorted to running ntpdate frequently out of cron, particularly for VMs.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
5 years, 9 months
why is userPassword transferred binary?
by Jephte Clain
hello,
just wondering: when I ldapsearch the userPassword attribute, it is
returned as binary:
$ ldapsearch -LLL -H "ldap://xxx:389/" -x -D xxx -W "(uid=xxx)" userPassword
dn: uid=xxx,dc=domain,dc=tld
userPassword:: Z290Y2hhCg==
however, I created a new attribute with the same schema as userPassword:
attributetype ( runUniv:1.1.2
NAME 'runUnivPassword'
DESC 'RFC2256/2307 password for special needs'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
when I search this attribute, it is returned as text:
$ ldapsearch -LLL -H "ldap://xxx:389/" -x -D xxx -W "(uid=xxx)" runUnivPassword
dn: uid=xxx,dc=domain,dc=tld
runUnivPassword: gotcha
so my question is: does ldapsearch process userPassword as a special
case and ask for binary transfer type?
or does slapd return userPassword as binary by default? if so, how do I
configure runUnivPassword to be handled the same?
thanks in advance. best regards,
--
Jephté CLAIN | Developer, Application Integrator
Information Systems Department
Information Systems Directorate <http://numerique.univ-reunion.fr>
Tel: +262 262 93 86 31 <tel:+262262938631> || Mobile: +262 692 29 58 24
<tel:+262692295824>
www.univ-reunion.fr <http://www.univ-reunion.fr> || Facebook
<http://www.facebook.com/pages/Universit%C3%A9-de-La-R%C3%A9union-OFFICIEL...>
|| Twitter <http://twitter.com/univ_reunion>
5 years, 9 months
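ldapsearch does not special-case userPassword: every value goes through the same LDIF rule (RFC 2849), which switches to the double-colon base64 form whenever the value is not a safe string, and `Z290Y2hhCg==` decodes to `gotcha` plus a trailing newline byte, which is what triggers it here. The following added example (not code from the thread) implements that rule and round-trips both lines shown above:

```python
import base64

# RFC 2849: these bytes may not appear anywhere in a plain LDIF value ...
UNSAFE_ANYWHERE = {0x00, 0x0A, 0x0D}   # NUL, LF, CR
# ... and these may additionally not be the first byte of it.
UNSAFE_FIRST = {0x20, 0x3A, 0x3C}      # space, ':', '<'


def ldif_needs_base64(value: bytes) -> bool:
    """True when an LDIF writer must emit 'attr:: <base64>' for this value."""
    if not value:
        return False
    if value[0] in UNSAFE_FIRST:
        return True
    return any(b in UNSAFE_ANYWHERE or b > 0x7F for b in value)


def ldif_line(attr: str, value: bytes) -> str:
    """Render one attribute value the way ldapsearch -LLL prints it."""
    if ldif_needs_base64(value):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"


def ldif_decode(line: str) -> tuple:
    """Parse 'attr: value' or 'attr:: base64' back into (attr, raw bytes)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):                      # second colon: base64 form
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.removeprefix(" ").encode("ascii")


if __name__ == "__main__":
    # The two lines from the ldapsearch output above, as constructed input.
    for line in ("userPassword:: Z290Y2hhCg==", "runUnivPassword: gotcha"):
        attr, raw = ldif_decode(line)
        print(f"{attr}: {raw!r} -> needs base64: {ldif_needs_base64(raw)}")
        assert ldif_line(attr, raw) == line
```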
problem with olcAccess - can not change own userPassword field
by Stefan Bauer
Dear Users,
I'm trying to change my own password in the userPassword field with some GUI and receive an "access denied - permission denied" message.
The access rules are as follows, and I'm binding with "cn=benutzer1,ou=Benutzer,dc=example,dc=com":
olcAccess: {0}to * by * read by * break
olcAccess: {1}to dn.subtree="ou=Benutzer,dc=example,dc=com" attrs=userPassword by self write by * break
What do I miss?
# benutzer1, Benutzer, example.com
dn: cn=benutzer1,ou=Benutzer,dc=example,dc=com
cn: benutzer1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
sn: Mustermann
gidNumber: 777
homeDirectory: /home/benutzer1
uid: benutzer1
uidNumber: 777
loginShell: /bin/bash
userPassword:: known
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW:: known
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
olcAccess: {0}to * by * read by * break
olcAccess: {1}to dn.subtree="ou=Benutzer,dc=example,dc=com" attrs=userPassword by self write by * break
5 years, 10 months
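In the rules quoted above, `{0}`'s `by * read` matches every requester and, since the first matching `by` clause decides with an implicit `stop`, the trailing `by * break` is never reached and `{1}` is never consulted; as a side effect the hashes in userPassword are readable by everyone, anonymous included. One arrangement that grants self-write on userPassword, keeps `anonymous auth` so simple binds can still be checked, and leaves the general read rule last (an added example, not from the thread; the database DN is the one from the poster's config):

```ldif
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=Benutzer,dc=example,dc=com" attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to * by * read
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (assuming the usual local root access over ldapi) and check the result with `ldappasswd` bound as the user.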
process slapd 99 % CPU
by Fabián M Sales
Hello,
I have a problem with my LDAP server. The process /usr/sbin/slapd
consumes 99% CPU.
How can I see what it is?
I enabled the logs but cannot find the problem, because it is sometimes
at 99% and sometimes remains low. It happens at times.
Sorry for my poor English,
--
Institutional signature
Fabián M. Sales
Technical Support & I.T.I Linux
DonWeb
Attitude Is Everything
www.DonWeb.com
5 years, 10 months
bdb_equality_candidates: (uniqueMember) not indexed
by Fabián M Sales
Hello list. :)
I have got this error in my logs:
bdb_equality_candidates: (uniqueMember) not indexed
How do I create this index for uniqueMember?
Do I create an ldif file? How should it be? Does anyone know the steps?
Thanks-
--
Institutional signature
Fabián M. Sales
Technical Support & I.T.I Linux
DonWeb
Attitude Is Everything
www.DonWeb.com
5 years, 10 months
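The log line means a search filter tested uniqueMember for equality and back-bdb had to scan every candidate entry; an `eq` index on that attribute removes the scan. An added example of the cn=config change (not from the thread), assuming the database entry is `olcDatabase={1}bdb,cn=config`:

```ldif
# Assumed database entry; take the real one from:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" olcDatabase olcSuffix
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uniqueMember eq
```

Applied through cn=config, slapd rebuilds the affected index itself after the modify; with a static slapd.conf the equivalent is `index uniqueMember eq` followed by slapindex while slapd is stopped.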
olcMirrorMode FALSE - yet - error code 53 - shadow context; no update referral
by lejeczek
hi everybody
one of the databases in my slapd has no referrals and
olcMirrorMode=FALSE in the config,
yet I get the infamous:
- [LDAP: error code 53 - shadow context; no update referral]
why would that be? Is there something I am missing in the config of
that database?
Could other databases' configs affect this one somehow?
many thanks
5 years, 10 months
OpenLDAP storing password in SSHA
by parakrama55 .
Hi Guys
I'm adding user data to the LDAP from an external program or client, where
I'm sending userPassword in clear text.
So is there any configuration directive in OpenLDAP where we can force
OpenLDAP to store the received clear text password in SSHA format?
Please advise
Thank You
Dhanushka
5 years, 10 months
Error: ldap_back_is_proxy_authz returned 0
by Dominique Voest
Hi everyone,
I have been testing and debugging a lot lately and cannot come to a solution, maybe you can help.
I recently installed a new OpenLDAP server (Debian Jessie) (OpenLDAP version 2.4.40) which is used to proxy parts of the Active Directory.
However, from time to time it is not able to get entries (does not answer to queries but returns success) from the Active Directory.
What I see in the logs is the following:
Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry: retrying URI="ldaps://dc.ourdomain.com" DN="cn=ldap-binder,ou=serviceaccounts,dc= ourdomain,dc=com"
Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
First of all, the URI is correct and the system works well most of the time (except for this error); those "errors" only happen from time to time.
The strange thing is that this new LDAP server is running with exactly the same configuration as another OpenLDAP server which has been running for over 2 years now,
and the old OpenLDAP server (Debian Wheezy) (OpenLDAP version 2.4.31) does also show the first log entry from time to time (the ldap_back_retry one),
but does not show the ldap_back_is_proxy_authz error afterwards. Furthermore, it also always returns the right answer.
For debugging reasons I tried Wiresharking the domain controller, tcpdumping the LDAP server and the client.
The traffic looks okay; in case of that error the OpenLDAP server simply asks the domain controller, which returns success but no results.
Might it be possible that the LDAP bind from the OpenLDAP system to the Active Directory expired and OpenLDAP is not able to re-establish a new bind via the current query?
Since, once this error occurs, the query right after the error works and then it takes some time until that error occurs again, and due to the fact that it is working in the older OpenLDAP version,
could it be a bug in the new OpenLDAP version?
I also looked in the logs of the domain controller; everything is fine there.
Furthermore, I installed test OpenLDAP systems (CentOS [yum], OpenBSD [pkg] and one compiled from sources with a minimal module configuration) (2.4.40) and tried the same configuration there, same problem.
While googling and searching for a solution I stumbled across a guy having the same problem, reporting this to this mailing list in 2013.
Someone suggested adding the Active Directory schema to the OpenLDAP, which I did and which did not solve this issue.
I tried adding the full schema as well as adding only the attributes and object classes that are used. The problem still persists.
Does anyone of you have any suggestions?
Does anyone have similar problems?
Thank you for your time.
Best Regards,
Dominique Voest
5 years, 10 months
Syncrepl issue with one node
by espeake@oreillyauto.com
We are running openLDAP 2.4.39 in an MMR replication on Ubuntu 14.04. I
have one node that is not wanting to sync with other nodes giving the
following error:
Jun 9 06:51:35 tn-ldap-a-1 slapd[3138]: do_syncrep2: rid=005 CSN too old,
ignoring 20150609115135.153480Z#000000#003#000000
As you can see the CSN shows the exact same time as the time that is being
logged. We are in the U.S. Central timezone. I have checked our ntp
service on my three nodes. All three are pointed to the same ntp and are
in sync. Would it be possible that one node might still be just a few
milliseconds too fast and the csn timestamp would appear wrong? Is there a
logging level I can set for that specific issue? I am currently logging
the sync records. I can go to debug if needed.
Thank you,
Eric Speake
Senior Systems Administrator
Information Systems
O'Reilly Auto Parts
(417) 862-2674 Ext. 1975
5 years, 10 months
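The CSN is written in UTC (the trailing Z) while the syslog stamp is local time, so 11:51:35Z and 06:51:35 CDT are the same instant, which is why the two times in the log line agree; what makes syncrepl ignore an entry is that the consumer's cookie already holds an equal or newer CSN from the same server ID. The parser below is an added example, not OpenLDAP code, for the CSN quoted in this post and in the reply above; the UTC-5 offset and the cookie contents are constructed for the demonstration:

```python
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple


class CSN(NamedTuple):
    """Decomposed OpenLDAP CSN: <UTC time>.<usec>Z#<count>#<sid>#<mod>, fields in hex."""
    time: datetime
    count: int
    sid: int
    mod: int
    raw: str


def parse_csn(raw: str) -> CSN:
    stamp, count, sid, mod = raw.split("#")
    time = datetime.strptime(stamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return CSN(time, int(count, 16), int(sid, 16), int(mod, 16), raw)


def csn_local_clock(raw: str, utc_offset_hours: int) -> str:
    """Render the CSN's UTC timestamp in a local zone given as a fixed hour offset."""
    local = parse_csn(raw).time.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.strftime("%H:%M:%S")


def syncrepl_would_ignore(incoming: str, consumer_cookie: List[str]) -> bool:
    """The test do_syncrep2 applies: the entry CSN is 'too old' when the consumer's
    cookie already carries a CSN for the same server ID that is equal or newer.
    CSN strings are fixed-width, so they order correctly as plain strings."""
    new = parse_csn(incoming)
    return any(parse_csn(s).sid == new.sid and s >= incoming for s in consumer_cookie)


if __name__ == "__main__":
    logged = "20150609115135.153480Z#000000#003#000000"   # CSN from the syslog line above
    print(parse_csn(logged))
    print("local clock at UTC-5:", csn_local_clock(logged, -5))   # 06:51:35, as logged
    # Constructed cookie: the consumer already holds a newer CSN from serverID 3.
    cookie = ["20150609115140.000000Z#000000#001#000000",
              "20150609115140.000000Z#000000#003#000000"]
    print("would be ignored:", syncrepl_would_ignore(logged, cookie))
```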
Get the decoded ldap password for openldap2.4.40
by PRATIK SINGAL
Hello
Can anyone help me to get the plain text password for LDAP?
While configuring LDAP I used slappasswd to get the encrypted
value and stored it in slapd.conf.
Is there any way to get the plain password based on the encrypted one? I am
using openldap 2.4.40
Regards,
Pratik
5 years, 10 months