openldap-technical September 2015

openldap-technical@openldap.org

59 participants
57 discussions

"olcSizeLimit: size.prtotal=disabled" ignored?
by Igor Shmukler 02 Sep '15

02 Sep '15

Hello, I am running OpenLDAP 2.4.31. Tried to disable simple paged results - rfc 2696 with: dn: cn=config changetype: modify replace: olcSizeLimit olcSizeLimit: size.prtotal=disabled The ldapmodify(1) does not complain, yet the change does not affect my server. My goal is to have clients receive something like "Unavailable Critical Extension" as a response. Is what I am attempting to do expected to disable simple paged results for all clients [and DITs]? Is it even possible? Am I going right about disabling paging control? Thank you, Igor Shmukler

2 12

Send Success with first found entry
by Fischer, Johannes 02 Sep '15

02 Sep '15

Hi again, more and more I get a feeling how all this work together. But often you don't know what you actually need to look up... I've looked on the LDAP server of the Institute to get a feeling how the real IT-guys managed their server... (It was a disaster from a data protection perspective...) Some things were quit nice, for example that the server send a "success" with the first found entry in a subtree. On my openLDAP instance I receive a entry of a subtree after 20-30ms but the success packet need 200ms. For me this behavior is not clear due to the fact, that the entries in the directory need to be unique. The Example: I'm using the Spring security framework and trigger with "ldapTemplate.lookup("cn=" + _name + ",dc=users");" a lookup. On wireshark I see a search request with the scope "baseObject" and The Filter "objectClass=*". After 33ms I receive a searchResEntry packet, so the Server found something and could also stop. But I think in the background all the other entries in the Subtree "dc=users", are looked through also. After 230ms the success packet arrive at my computer. (see also Attachment) My Question, is there a possibility to emit a success together with the first found entry? Greetings and thanks John -- Johannes Fischer Research Fellow Fraunhofer Institute for Manufacturing Engineering and Automation IPA Competence Centre Digital Tools for Manufactoring Nobelstrasse 12 │ 70569 Stuttgart | Germany Phone +49 711 970-1217 Johannes.Fischer(a)ipa.fraunhofer.de<mailto:Johannes.Fischer@ipa.fraunhofer.de> www.ipa.fraunhofer.de<http://www.ipa.fraunhofer.de/> [cid:image003.png@01D0E165.1BE01080]

2 4

SASL/EXTERNAL not available
by Frank Crow 02 Sep '15

02 Sep '15

Hi, I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use client-side certificates via the SASL/EXTERNAL mechanism. I have successfully configured server-side certs with TLS and was wanting to expand my configuration on the client-side. If set the TLSClientVerify to "allow" or "try" and attempt to use "-Y EXTERNAL", I get the following message: SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL (-4): no mechaism available: If I do a search on the DSE, I get the following available methods: dn: supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: LOGIN supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: PLAIN I know that other people are using this but nobody (here at work) knows why my particular configuration is getting this error. Can anyone help me figure this out? Thanks, -- Frank Crow

4 5

disable simple paged results control support?!
by Igor Shmukler 02 Sep '15

02 Sep '15

Hello, I am trying to make my client, developed for OpenLDAP also compatible with Oracle DSEE. Oracle DSEE is missing support for simple paged results, which I use. Yet, ODSEE supports virtual list view with server-side sorting. I adjusted my code, to use that - VLV+SSS as a fallback whenever the server does not support paged results and supports VLV+SSS, like ODSEE. Is it possible to disable OpenLDAP server-side support of simple paged results control, so the OpenLDAP server would respond that this control is unavailable? I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me many times, in past. Can OpenLDAP be configured to do what I need, so I could test my fallback code in the client using an OpenLDAP server? Thank you, Igor Shmukler

3 7

LMDB: Robust mutexes
by Kristian Amlie 02 Sep '15

02 Sep '15

Hey, there was some discussion about robust mutexes in LMDB about a year ago, and I was told there was a patchset being worked on. I'm just wondering what's the state of this project now. Is it likely to be included in upcoming releases? I don't see it in the latest release 0.9.16, and the "robust" branch hasn't moved for a while. -- Kristian

2 2

Unable to build LMDB on SUSE Linux: undefined reference to pthread_mutexattr_setrobust / pthread_mutex_consistent
by Pallav Gupta 01 Sep '15

01 Sep '15

Hello, I am trying to build LMDB libraries from source on SUSE Linux using gcc 4.7.2 to try for an experimental project at work. I am getting some build errors. I see pthread.h and libpthread.{a/so} installed in /usr/include and /usr/lib64, respectively. But I do not see these functions in the header file or in the library. Maybe the pthread library version is old. I am not sure. I tried searching on the web, but I was not able to understand how to install a different version of the pthread library (it seems to come packaged with the OS?). I do not have admin rights so I would try installing in my local area. Can someone please advise on things I can try to resolve this issue? Thank you for your time and help. (P.S. I had built LMDB successfully on a Mac OS X machine (home computer) without any issues) $ makegcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mdb.cmdb.c: In function ‘mdb_mutex_failed’:mdb.c:9827:4: warning: implicit declaration of function ‘pthread_mutex_consistent’ [-Wimplicit-function-declaration]gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c midl.car rs liblmdb.a mdb.o midl.oar: creating liblmdb.agcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -fPIC -c mdb.c -o mdb.lomdb.c: In function ‘mdb_mutex_failed’:mdb.c:9827:4: warning: implicit declaration of function ‘pthread_mutex_consistent’ [-Wimplicit-function-declaration]gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -fPIC -c midl.c -o midl.logcc -pthread -shared -o liblmdb.so mdb.lo midl.lo gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized -c mdb_stat.cgcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized mdb_stat.o liblmdb.a -o mdb_statliblmdb.a(mdb.o): In function `mdb_env_setup_locks':/nfs/pdx/proj/dt/tctg03/pgupta6/lmdb-mdb.master/libraries/liblmdb/mdb.c:4642: undefined reference to `pthread_mutexattr_setrobust'liblmdb.a(mdb.o): In function `mdb_mutex_failed':/nfs/pdx/proj/dt/tctg03/pgupta6/lmdb-mdb.master/libraries/liblmdb/mdb.c:9827: undefined reference to `pthread_mutex_consistent'collect2: error: ld returned 1 exit statusmake: *** [mdb_stat] Error 1 My environment is as follows: $ more /etc/SuSE-release SUSE Linux Enterprise Server 11 (x86_64)VERSION = 11PATCHLEVEL = 2 $ uname -aLinux 3.0.101-0.7.29.1.8482.4.PTF-default #1 SMP Tue May 5 16:00:34 UTC 2015 () x86_64 x86_64 x86_64 GNU/Linux

1 0

ppolicy and pwdGraceUseTime
by Craig White 01 Sep '15

01 Sep '15

Openldap 2.4.39 Adding in policy in already running OpenLDAP installation. Mostly functional - I was locked out after failed password attempts as expected. Existing user with password beyond expiration is an issue. It is extended grace logins as expected but when I try to change the password, I get an error which appears to be "error 16 - modify/delete: pwdGraceUseTime: no such attribute" But there is that attribute. # ldapsearch -x -h localhost '(uid=craig.white)' + Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=obscured> (default) with scope subtree # filter: (uid=craig.white) # requesting: + # # craig.white, People, obscured dn: uid=craig.white,ou=People,dc=obscured entryUUID: c4ae47b4-c3e9-1033-8b0f-497efc42df64 creatorsName: cn=root,dc=obscured createTimestamp: 20140829170048Z pwdChangedTime: 20150730153646Z structuralObjectClass: inetOrgPerson pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=obscured pwdGraceUseTime: 20150827230337Z pwdGraceUseTime: 20150827230344Z pwdGraceUseTime: 20150827230351Z pwdGraceUseTime: 20150827230430Z pwdGraceUseTime: 20150827230441Z pwdGraceUseTime: 20150827230847Z pwdGraceUseTime: 20150827230855Z pwdGraceUseTime: 20150827231032Z pwdGraceUseTime: 20150827231039Z pwdGraceUseTime: 20150828152032Z pwdGraceUseTime: 20150828152038Z pwdGraceUseTime: 20150828152404Z pwdGraceUseTime: 20150828152410Z pwdGraceUseTime: 20150828152527Z pwdGraceUseTime: 20150828152533Z pwdGraceUseTime: 20150828152643Z pwdGraceUseTime: 20150828152648Z pwdGraceUseTime: 20150828153349Z pwdGraceUseTime: 20150828153354Z pwdGraceUseTime: 20150828153619Z pwdGraceUseTime: 20150828153623Z entryCSN: 20150828154229.701657Z#000000#000#000000 modifiersName: cn=admin,dc=obscured modifyTimestamp: 20150828154229Z entryDN: uid=craig.white,ou=People,dc=obscured subschemaSubentry: cn=Subschema hasSubordinates: FALSE # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Why won't it let me change my password? Craig White System Administrator O 623-201-8179 M 602-377-9752 [cid:image001.png@01CF86FE.42D51630] SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2015