openldap-technical June 2015

openldap-technical@openldap.org

50 participants
49 discussions

Re: Syncrepl issue with one node
by Quanah Gibson-Mount 15 Jun '15

15 Jun '15

--On Tuesday, June 09, 2015 8:50 AM -0500 espeake(a)oreillyauto.com wrote: > > We are running openLDAP 2.4.39 in an MMR replication on Ubuntu 14.04. I > have one node that is not wanting to sync with other nodes giving the > following error: > > Jun 9 06:51:35 tn-ldap-a-1 slapd[3138]: do_syncrep2: rid=005 CSN too old, > ignoring 20150609115135.153480Z#000000#003#000000 > > As you can see the CSN shows the exact same time the time that is being > logged. We are in the U.S. Central timezone. I have checked our ntp > service on my three nodes. All three are pointed to the same ntp and are > in sync. Would be possible that one node might still be just a few > miliseconds too fast and the csn timestamp would appear wrong? Is there a > logging level I can set for that specific issue? I am currently logging > the sync records. I can go to debug in needed. a) Please don't resend your emails to the list. The first one got through fine, which you could easily verify by looking at the list archives. b) Not enough information provided here to go on. Are all server IDs unique? Are all syncrepl clauses unique per DB? Personally I've never found ntpd particularly good at keeping clocks in sync. I've generally resorted to running ntpdate frequently out of cron, particularly for VMs. --Quanah -- Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

3 3

why is userPassword transferred binary?
by Jephte Clain 15 Jun '15

15 Jun '15

hello, just wondering: when I ldapsearch the userPassword attribute, it is returned as binary: $ ldapsearch -LLL -H "ldap://xxx:389/" -x -D xxx -W "(uid=xxx)" userPassword dn: uid=xxx,dc=domain,dc=tld userPassword:: Z290Y2hhCg== however, I created a new attribute with the same schema as userPassword: attributetype ( runUniv:1.1.2 NAME 'runUnivPassword' DESC 'RFC2256/2307 password for special needs' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) when I search this attribute, it is returned as text: $ ldapsearch -LLL -H "ldap://xxx:389/" -x -D xxx -W "(uid=xxx)" runUnivPassword dn: uid=xxx,dc=domain,dc=tld runUnivPassword: gotcha so my question is: does ldapsearch process userPassword as a special case and ask for binary transfer type? or does slapd return userPassword as binary by default? if so, how do I configure runUnivPassword to be handled the same? thanks in advance. best regards, -- *Jephté CLAIN | Développeur, Intégrateur d'applications* Service Systèmes d'Information Direction des Systèmes d'Information <http://numerique.univ-reunion.fr> Tél: +262 262 93 86 31 <tel:+262262938631> || Gsm: +262 692 29 58 24 <tel:+262692295824> www.univ-reunion.fr <http://www.univ-reunion.fr> || Facebook <http://www.facebook.com/pages/Universit%C3%A9-de-La-R%C3%A9union-OFFICIEL/1…> || Twitter <http://twitter.com/univ_reunion>

3 4

problem with olcAccess - can not change own userPassword field
by Stefan Bauer 14 Jun '15

14 Jun '15

Dear Users, I'm trying to change my own password in field userPassword with some gui and receive access denied - permission denied message. The access rules are .. and I'm binding with "cn=benutzer1,ou=Benutzer,dc=example,dc=com" olcAccess: {0}to * by * read by * break olcAccess: {1}to dn.subtree="ou=Benutzer,dc=example,dc=com" attrs=userPassword by self write by * break What do i miss? # benutzer1, Benutzer, example.com dn: cn=benutzer1,ou=Benutzer,dc=example,dc=com cn: benutzer1 objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top objectClass: posixAccount sn: Mustermann gidNumber: 777 homeDirectory: /home/benutzer1 uid: benutzer1 uidNumber: 777 loginShell: /bin/bash userPassword:: known # {2}bdb, config dn: olcDatabase={2}bdb,cn=config objectClass: olcDatabaseConfig objectClass: olcBdbConfig olcDatabase: {2}bdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=com olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=Manager,dc=example,dc=com olcRootPW:: known olcSyncUseSubentry: FALSE olcMonitoring: TRUE olcDbCacheSize: 1000 olcDbCheckpoint: 1024 15 olcDbNoSync: FALSE olcDbDirtyRead: FALSE olcDbIDLcacheSize: 0 olcDbIndex: objectClass pres,eq olcDbIndex: cn pres,eq,sub olcDbIndex: uid pres,eq,sub olcDbIndex: uidNumber pres,eq olcDbIndex: gidNumber pres,eq olcDbIndex: mail pres,eq,sub olcDbIndex: ou pres,eq,sub olcDbIndex: loginShell pres,eq olcDbIndex: sn pres,eq,sub olcDbIndex: givenName pres,eq,sub olcDbIndex: memberUid pres,eq,sub olcDbIndex: nisMapName pres,eq,sub olcDbIndex: nisMapEntry pres,eq,sub olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbSearchStack: 16 olcDbShmKey: 0 olcDbCacheFree: 1 olcDbDNcacheSize: 0 olcAccess: {0}to * by * read by * break olcAccess: {1}to dn.subtree="ou=Benutzer,dc=example,dc=com" attrs=userPassword by self write by * break

2 1

process slapd 99 % CPU
by Fabián M Sales 11 Jun '15

11 Jun '15

Hello, I have problem with My LDAP-server. The process /usr/sbin/slapd the process consumes 99% cpu, As you can see it? I enable the logs but can not find the problem, because this sometimes 99% and sometimes remains low. It is at times. Sorry for My poor English, -- Firma Institucional *Fabián* *M. Sales *Soporte Técnico & I.T.I Linux *DonWeb * La Actitud Es Todo www.DonWeb.com ------------------------------------------------------------------------ Nota de confidencialidad: Este mensaje y archivos adjuntos al mismo son confidenciales, de uso exclusivo para el destinatario del mismo. La divulgación y/o uso del mismo sin autorización por parte de DonWeb.com queda prohibida. DonWeb.com no se hace responsable del mensaje por la falsificación y/o alteración del mismo. De no ser Ud el destinatario del mismo y lo ha recibido por error, por favor, notifique al remitente y elim?elo de su sistema. Confidentiality Note: This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited by DonWeb.com. DonWeb.com shall not be liable for the message if altered or falsified. If you are not the intended addressee of this message, please cancel it immediately and inform the sender Nota de Confidencialidade: Esta mensagem e seus eventuais anexos podem conter dados confidenciais ou privilegiados. Se você os recebeu por engano ou não é um dos destinatários aos quais ela foi endereçada, por favor destrua-a e a todos os seus eventuais anexos ou copias realizadas, imediatamente. É proibida a retenção, distribuição, divulgação ou utilização de quaisquer informações aqui contidas. Por favor, informenos sobre o recebimento indevido desta mensagem, retornando-a para o autor.

2 1

bdb_equality_candidates: (uniqueMember) not indexed
by Fabián M Sales 11 Jun '15

11 Jun '15

Hello list. :) I have got this error y My logs: bdb_equality_candidates: (uniqueMember) not indexed How create this index uniqueMember? I create a ldif file, as it should be? Steps anyone know? Thanks- -- Firma Institucional *Fabián* *M. Sales *Soporte Técnico & I.T.I Linux *DonWeb * La Actitud Es Todo www.DonWeb.com ------------------------------------------------------------------------ Nota de confidencialidad: Este mensaje y archivos adjuntos al mismo son confidenciales, de uso exclusivo para el destinatario del mismo. La divulgación y/o uso del mismo sin autorización por parte de DonWeb.com queda prohibida. DonWeb.com no se hace responsable del mensaje por la falsificación y/o alteración del mismo. De no ser Ud el destinatario del mismo y lo ha recibido por error, por favor, notifique al remitente y elim?elo de su sistema. Confidentiality Note: This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited by DonWeb.com. DonWeb.com shall not be liable for the message if altered or falsified. If you are not the intended addressee of this message, please cancel it immediately and inform the sender Nota de Confidencialidade: Esta mensagem e seus eventuais anexos podem conter dados confidenciais ou privilegiados. Se você os recebeu por engano ou não é um dos destinatários aos quais ela foi endereçada, por favor destrua-a e a todos os seus eventuais anexos ou copias realizadas, imediatamente. É proibida a retenção, distribuição, divulgação ou utilização de quaisquer informações aqui contidas. Por favor, informenos sobre o recebimento indevido desta mensagem, retornando-a para o autor.

3 3

olcMirrorMode FALSE - yet - error code 53 - shadow context; no update referral
by lejeczek 11 Jun '15

11 Jun '15

hi everybody one of databases in my slapd has nor referrals and olcMirrorMode=FALSE in config yet I get infamous: - [LDAP: error code 53 - shadow context; no update referral] why would it be, something I am missing in the config of that database? other databases configs affect this one somehow? many thanks

4 5

OpenLDAP storing password in SSHA
by parakrama55 . 11 Jun '15

11 Jun '15

Hi Guys Im adding users data to the ldap from external program or client , There im sending UserPasswrd in clear text . So Is there any configuration directive in opendap where we can force openldap to store receiving clear text password in SSHA format . Please advice Thank You Dhanushka

3 2

Error: ldap_back_is_proxy_authz returned 0
by Dominique Voest 11 Jun '15

11 Jun '15

Hi everyone, I have been testing and debugging a lot lately and cannot come to a solution, maybe you can help. I recently installed a new OpenLDAP Server (Debian Jessy) (OpenLDAP Version 2.4.40) which is used to proxy parts of the Active Directory. However, from time to time it is not able to get Entries (does not answer to querys but returns success) from the Active Directory. What I see in the logs is the following: Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry: retrying URI="ldaps://dc.ourdomain.com" DN="cn=ldap-binder,ou=serviceaccounts,dc= ourdomain,dc=com" Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI? First of all, the URI is correct and the System works well during most of the time(except for this error), those "errors" only happen from time to time. The Strange thing is, that this new LDAP Server is running via the exactly same configuration as another OpenLDAP-Server which has been running over 2 Years now and the old OpenLDAP Server (Debian Wheezy) (OpenLDAP Version 2.4.31) does also show the first Log Entry from time to time (the ldap_back_retry one), But does not show the ldap_back_is_proxy_authz error afterwards. Furthermore it does also always return the right answer. For Debugging reasons I tried Wiresharking the Domain Controller, TCP-Dumping the LDAP-Server and the Client. The Traffic looks okay, in case of that error the OpenLDAP Server simply is asking the Domain Controller which returns Success but no results. Might it be Possible that the LDAP-Bind from the OpenLDAP System to the Active Directory expired and the OpenLDAP is not able to re-establish a new bind via the current Query? Since once this error occurs, the query right after the error works and then it takes some time until that error occurs again and due to the fact that in the older OpenLDAP Version it is working, could it be a Bug in the new OpenLDAP Version? I also looked in the Logs of the Domain Controller, everything is fine there. Furthermore I installed test OpenLDAP Systems (Centos[yum], OpenBSD[pkg] and one via compilation from sources via minimal module configuration) (2.4.40) and tried the same configuration there, same Problem. While googling and searching for a solution I stumbled across a guy having the same problem, reporting this 2013 to this mailing list. Someone suggested to add the Active Directory Schema to the OpenLDAP, which I did and which did not solve this issue. I tried adding the full schema as well as adding only Attributes and Object classes that are used. Problem still persists. Anyone of you has any suggestions? Does anyone have similar problems? Thank you for your time. Best Regards, Dominique Voest

1 0

Syncrepl issue with one node
by espeake＠oreillyauto.com 10 Jun '15

10 Jun '15

We are running openLDAP 2.4.39 in an MMR replication on Ubuntu 14.04. I have one node that is not wanting to sync with other nodes giving the following error: Jun 9 06:51:35 tn-ldap-a-1 slapd[3138]: do_syncrep2: rid=005 CSN too old, ignoring 20150609115135.153480Z#000000#003#000000 As you can see the CSN shows the exact same time the time that is being logged. We are in the U.S. Central timezone. I have checked our ntp service on my three nodes. All three are pointed to the same ntp and are in sync. Would be possible that one node might still be just a few miliseconds too fast and the csn timestamp would appear wrong? Is there a logging level I can set for that specific issue? I am currently logging the sync records. I can go to debug in needed. Thank you, Eric Speake Senior Systems Administrator Information Systems O'Reilly Auto Parts (417) 862-2674 Ext. 1975 This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

1 1

Get the decoded ldap password for openldap2.4.40
by PRATIK SINGAL 10 Jun '15

10 Jun '15

Hello Can any one help me to get the plain text password for ldap. While configuring ldap i have used the slappasswd to get teh encrypted value and stored in slapd.conf Is there any way to get the palin password based the encrypted one.I am using openldap 2.4.40 Regards, Pratik

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2015