openldap-technical August 2015

openldap-technical@openldap.org

55 participants
62 discussions

Start a nNew thread

LMDB docs unavailable: 403
by Kristoffer Sjögren 17 Aug '15

17 Aug '15

Hi The link to the documentation for LMDB is broken. http://symas.com/mdb/doc Cheers, -Kristoffer

2 1

LMDB docs refresh?
by Arto Bendiken 17 Aug '15

17 Aug '15

Perhaps the generated Doxygen output at http://symas.com/mdb/doc/ might use a refresh for the latest LMDB release? The docs currently published there are 11 months old, and do not include e.g. any information on the recently-added mdb_txn_id() function--a good function to have, by the way. -- Arto Bendiken | @bendiken | http://ar.to

2 3

ACL to allow all but one OU
by Olaf Hopp 17 Aug '15

17 Aug '15

Hi listers, I have ~40 departments in several ou's and I need an ACL to allow access for one user to all but one OU. I do not want to forbid that ou in question and thus implicitly allowing all the others. I want to formulate this explicitly, so I can directly see what is allowed. Moreover the names of the ou's are very similar to each other, something like: ou=aaaa,dc=... ou=abaa,dc=... ou=bbaa,dc=... ou=bbbb,dc=... and suppose I want to disallow access to the ou=abaa. I ended up with two ACLs: the first one to forbid ou=abaa: access to dn.sub=ou=abaa,dc=.... \ attrs=entry by dn=uid=foo,dc=.... none by * break and then allowing access to all ou's with access to dn.regex=ou=[^,]+,dc=... \ attrs=.... by dn=uid=foo,dc=... by * break Is it possible to formulate this with just one ACL ? I tried something like "ou=!abaa" with just the second ACL but failed. Then I tried ou=[^a][^b][^a][^a] but this matches also the ou=bbbb to wich the uid=foo should have access. Thanks, Olaf -- Karlsruher Institut für Technologie (KIT) ATIS - Abt. Technische Infrastruktur, Fakultät für Informatik Dipl.-Geophys. Olaf Hopp - Leitung IT-Dienste - Am Fasanengarten 5, Gebäude 50.34, Raum 009 76131 Karlsruhe Telefon: +49 721 608-43973 Fax: +49 721 608-46699 E-Mail: Olaf.Hopp(a)kit.edu atis.informatik.kit.edu www.kit.edu KIT - Universität des Landes Baden-Württemberg und nationales Forschungszentrum in der Helmholtz-Gemeinschaft Das KIT ist seit 2010 als familiengerechte Hochschule zertifiziert.

1 1

Replication speed and data sizing (mdb)
by Brian Wright 14 Aug '15

14 Aug '15

We are using 2.4.39. I realize there are newer versions available, but at the time when we started our LDAP project, this was the version available. We are testing n-way master replication along with a large number of records using lmdb. Here's the config: * 8 way replication with 8 nodes (each node having 7 other connections) * 50k records * Inserting the records into one cluster node to replicate to all the rest The problems obvserved: * Some nodes are faster at replication than others. In general, the time to complete replication is slower than expected. In my test environment I found that 50k records can take up to 2 hours for some nodes to complete. The fastest nodes complete in 1.5 hours. Because these records are brand new insertions, delta based replication wouldn't help here. * When the replication is completed, some of the data.mdb files are larger than others (sometimes by an order of magnitude). We would like to understand the reason behind these two problems above. First, the replication system seems unusually slow. Second, we need to understand why the data.mdb file grows sometimes far larger on one node than the rest of the nodes. For example, in our production environment, while most nodes were around 1GB in data size, one node stored in excess of 40GB in data.mdb. In my testing lab, my the 50k record insertion left most nodes with a data.mdb size of 150MB. On one of the nodes, the data size was 262MB. Note that I've also tried alternative replication connectivity approaches to attempt to reduce the number of connections per server, but that did not improve replication performance or the varying data sizes in the end. If updating to a newer version helps resolve the above observed problems, please let me know. Any tuning or debugging advice here would be appreciated. Thanks. -- Signature *Brian Wright* *Sr. UNIX Systems Engineer * 901 Mariners Island Blvd Suite 200 San Mateo, CA 94404 USA *Email *brianw(a)marketo.com <mailto:brianw@marketo.com> *Phone *+1.650.539.3530** *****www.marketo.com <http://www.marketo.com/>* Marketo Logo

4 6

Adding Members to Groups
by Aneela Saleem 12 Aug '15

12 Aug '15

Hi all, I have used 'posixGroup' objectClass for creating groups, and 'posixAccount' object class for creating users, which uses 'gidNumber' property to associate to a specific group (created by posixGroup). I have to sync LDAP users/groups in Apache Ranger, that uses 'groupOfNames' object class and 'member/memberof' property in user object. But in 'groupOfNames' objectClass we have to add members at the time of creation of group. Is there any way that we can add members to already created groups later on?

4 6

Re: LDAP - Unix sync
by Mauricio Tavares 12 Aug '15

12 Aug '15

On Wed, Aug 12, 2015 at 11:31 AM, Aneela Saleem <aneela(a)platalytics.com> wrote: > Yes ldap works. and running ssh in verbose mode gives i.e., ssh -v > admin(a)127.0.0.1 > > OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config line 19: Applying options for * > debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22. > debug1: Connection established. > debug1: permanently_set_uid: 0/0 > debug1: identity file /root/.ssh/id_rsa type 1 > debug1: identity file /root/.ssh/id_rsa-cert type -1 > debug1: identity file /root/.ssh/id_dsa type 2 > debug1: identity file /root/.ssh/id_dsa-cert type -1 > debug1: identity file /root/.ssh/id_ecdsa type -1 > debug1: identity file /root/.ssh/id_ecdsa-cert type -1 > debug1: identity file /root/.ssh/id_ed25519 type -1 > debug1: identity file /root/.ssh/id_ed25519-cert type -1 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 > Ubuntu-2ubuntu2 > debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat > 0x04000000 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client aes128-ctr hmac-md5-etm(a)openssh.com none > debug1: kex: client->server aes128-ctr hmac-md5-etm(a)openssh.com none > debug1: sending SSH2_MSG_KEX_ECDH_INIT > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > debug1: Server host key: ECDSA > 8e:24:39:c6:46:e1:03:31:b9:bb:7a:d4:89:16:72:6b > debug1: Host '127.0.0.1' is known and matches the ECDSA host key. > debug1: Found key in /root/.ssh/known_hosts:8 > debug1: ssh_ecdsa_verify: signature correct > debug1: SSH2_MSG_NEWKEYS sent > debug1: expecting SSH2_MSG_NEWKEYS > debug1: SSH2_MSG_NEWKEYS received > debug1: Roaming not allowed by server > debug1: SSH2_MSG_SERVICE_REQUEST sent > debug1: SSH2_MSG_SERVICE_ACCEPT received > debug1: Authentications that can continue: publickey,password Poor ssh in the machine you are connecting to is completely oblivious to ldap. As of now it only knows about publickey and password. Try setting up sshd to use pam and then get ldap from there > debug1: Next authentication method: publickey > debug1: Offering RSA public key: /root/.ssh/id_rsa > debug1: Authentications that can continue: publickey,password > debug1: Offering DSA public key: /root/.ssh/id_dsa > debug1: Authentications that can continue: publickey,password > debug1: Trying private key: /root/.ssh/id_ecdsa > debug1: Trying private key: /root/.ssh/id_ed25519 > debug1: Next authentication method: password > admin(a)127.0.0.1's password: > debug1: Authentications that can continue: publickey,password > Permission denied, please try again. > admin(a)127.0.0.1's password: > > > On Wed, Aug 12, 2015 at 7:56 PM, Mauricio Tavares <raubvogel(a)gmail.com> > wrote: >> >> On Wed, Aug 12, 2015 at 10:37 AM, Aneela Saleem <aneela(a)platalytics.com> >> wrote: >> > Hi Aaron! >> > >> > Actually i'm trying to login LDAP users as local users from command >> > line. >> > >> > I have followed this guide but unable to perform 'ssh' >> > >> I think we need more than "unable to perform 'ssh'." Have you >> done the usual stuff like ssh in verbose mode and check the logs? Have >> you checked that ldap works in said machine? >> >> > On Wed, Aug 12, 2015 at 7:23 PM, Aaron Richton >> > <richton(a)nbcs.rutgers.edu> >> > wrote: >> >> >> >> On Wed, 12 Aug 2015, Aneela Saleem wrote: >> >> >> >>> Hi all, Can anyone please tell me how can i pull users from LDAP >> >>> server >> >>> and treat them as local users? So that i can login as an ldap user and >> >>> test >> >>> whether particular user have permissions to particular HDFS commands >> >>> or not. >> >> >> >> >> >> I'm not sure what you're referring to by "pull." In a typical *ix >> >> setup, >> >> you'd configure the system name services and/or authentication services >> >> to >> >> include an LDAP backend. >> >> >> >> The precise details and options depend on the exact flavor of the >> >> system >> >> you're using. nss_ldap, nss-pam-ldapd, and nssov are likely candidates >> >> on >> >> the name service side; nss-pam-ldapd also provides a pam_ldap on the >> >> authentication side. But again, this is somewhat system-dependent (no >> >> NSS on >> >> OS X/Darwin, for example). >> >> >> >> For nssov, see the LDAPCon paper >> >> http://ldapcon.org/2011/downloads/cheng-paper.pdf for starters. >> >> >> > > >

1 0

LDAP - Unix sync
by Aneela Saleem 12 Aug '15

12 Aug '15

Hi all, Can anyone please tell me how can i pull users from LDAP server and treat them as local users? So that i can login as an ldap user and test whether particular user have permissions to particular HDFS commands or not.

3 3

Is Openldap a Authorization or Authentication system?
by Kaushal Shriyan 11 Aug '15

11 Aug '15

Hi, I am not sure if i understand the difference between Authorization and Authentication. Does Openldap support both or it supports or configured as Authorization or Authentication server? I will appreciate if somebody can help me understand with some examples. Regards, Kaushal

5 5

When using the rwm, openldap down
by デージーネット大野公善 07 Aug '15

07 Aug '15

Hi. When I changed configuration for openldap, openldap stopped. (Aborted) I was carried out the following operations. (1) I created the following environment. ---- ---- ---- ---- # ldapsearch -LLL -Y EXTERNAL -b 'olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config' -H ldapi:/// SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmRewrite: {0}rwm-rewriteEngine on olcRwmRewrite: {1}rwm-rewriteContext searchFilter olcRwmRewrite: {2}rwm-rewriteRule "aaa" "111" ":@" olcRwmRewrite: {3}rwm-rewriteRule "bbb" "222" ":@" ---- ---- ---- ---- (2) I created the following ldif file. ---- ---- ---- ---- dn: olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config changetype: modify delete: olcRwmRewrite olcRwmRewrite: rwm-rewriteRule "aaa" "111" ":@" - ---- ---- ---- ---- (3) I was carried out ldapmodify. ---- ---- ---- ---- # ldapmodify -Y EXTERNAL -H ldapi:/// -f down.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config" ldap_result: Can't contact LDAP server (-1) ---- ---- ---- ---- In this case, openldap has stopped. : : 55c45c8b connection_get(16) 55c45c8b ==> sasl_bind: dn="" mech=EXTERNAL datalen=0 55c45c8b SASL Canonicalize [conn=1000]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 55c45c8b slap_sasl_getdn: conn 1000 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55] 55c45c8b SASL Canonicalize [conn=1000]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 55c45c8b SASL proxy authorize [conn=1000]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 55c45c8b connection_get(16) 55c45c8b conn=1000 op=1 do_modify: dn (olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config) => ldap_bv2dn(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config,0) <= ldap_bv2dn(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0 55c45c8b conn=1000 op=1 modifications: 55c45c8b delete: olcRwmRewrite 55c45c8b one value, length 32 55c45c8b [slapd:0] unknown command '' slapd: rwm.c:2195: rwm_cf_gen: Assertion `rc == 0' failed. Aborted Is this openldap BUG? -- Regards, Kimiyoshi Ohno DesigNET.INC.

3 2

Re: Manager Attribute
by mlstarling31＠hotmail.com 06 Aug '15

06 Aug '15

------ Original message------From: Michael StröderDate: Thu, Aug 6, 2015 2:30 PMTo: mlstarling31@hotmail.com;openldap-technical@openldap.org;Subject:Re: Manager Attribute mlstarling31(a)hotmail.com wrote:> could you expound on your statement below?"Think twice:> - namespace> - obsolete information, referential integrity> etc."Pretty soon free-form text fields tend to contain malformed and obsolete dataand hence are pretty unuseful.Ciao, Michael.I see. Thank you.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2015