openldap-technical October 2016

openldap-technical@openldap.org

44 participants
57 discussions

How to disable referrals when proxy windows AD?
by JWD 24 Oct '16

24 Oct '16

I config a proxy cache, using windows AD as backend. When I run ldapsearch, it always search reference for minuts, like this: # search reference ref: ldap://ForestDnsZones.test.com/DC=ForestDnsZones,DC=test,DC=com # search reference ref: ldap://DomainDnsZones.test.com/DC=DomainDnsZones,DC=test,DC=com # search reference ref: ldap://test.com/CN=Configuration,DC=test,DC=com Infact, there is no reference at all. How to disable proxy cache referrals? Below is my proxy cache config: database ldap suffix "dc=test,dc=com" uri ldap://192.168.127.15/ #uri ldap://192.168.127.15/dc=test,dc=com rootdn "cn=root,dc=test,dc=com" rootpw {SSHA}Hpc7nbJEdos8iCUAzRNa/rs5ffb0/+mD overlay pcache pcache bdb 100000 1 1000 100 #pcacheAttrset 0 name mail sAMAccountName telephonenumber pcacheAttrset 0 name mail telephonenumber pcacheTemplate (cn=) 0 3600 pcacheTemplate (&(sn=)(givenName=)) 0 3600 pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600 directory /var/lib/ldap/test CacheSize 1000 DNcacheSize 2000 IDLcacheSize 3000 CacheFree 10 Checkpoint 1024 10 DbConfig set_cachesize 0 104857600 1 DbConfig set_data_dir db DbConfig set_lg_dir logs DbConfig set_lg_regionmax 1048576 DbConfig set_lg_max 20971520 DbConfig set_lg_bsize 2097152 DbConfig set_flags DB_LOG_AUTOREMOVE DbConfig set_flags DB_TXN_NOSYNC index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq,pres -------------- JWD

2 1

eDirectory LDAP To OpenLDAP Layout
by Shaun Glass 24 Oct '16

24 Oct '16

Good Day, I am having to migrate from eDirectory to OpenLDAP as we getting rid of eDirectory Services. When setting up OpenLDAP I have as example the following : cn=user,ou=Users,ou=Location,o=LDAP,dc=Company,dc=com ... but in eDirectory it was just : cn=user,ou=Users,ou=Location,o=LDAP OpenLDAP Would not let me create as above since I got the following error when not initially creating a dc= : LDAP: error code 53 - no global superior The reason I need this is, is that the user that binds to LDAP on all servers uses the notation : cn=user,ou=Users,ou=Location,o=LDAP ... and we do not want to reconfigure all servers, several hundred of them. Is there some way that we can partition so the above format can still be used ? Regards

3 3

delta-synrepl consumer randomly delete objects
by Raffael Sahli 24 Oct '16

24 Oct '16

Hi What can lead a consumer to "randomly" delete ~50% of all objects in his database? I have this problem now for ~1-2months and on 3 different master/slave groups. The consumer starts to delete objects (but those are all present on the master): Oct 19 17:16:22 ldap-slave002.xxx slapd[8554]: do_syncrep2: rid=999 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Oct 19 17:16:22 ldap-slave002.xxx slapd[8554]: do_syncrep2: rid=999 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 9c802b18-7c2c-1033-9f25-2d4a65066d19, dn uid=jasmin.mans,ou=none,o=dd,dc=xxx,dc=xxx Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 650ada00-e996-1035-80ac-a173474274df, dn uid=jasmine.suddr,ou=none,o=dd,dc=xxx,dc=xxx Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID ec5c9aa4-7c2c-1033-9fa4-2d4a65066d19, dn uid=jonas.beffrnn,ou=none,o=dd,dc=xxx,dc=xxx Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 7461d22e-e996-1035-80f6-a173474274df, dn uid=juerg.klegegeli,ou=none,o=dd,dc=xxx,dc=xxx Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 758c744c-e996-1035-8100-a173474274df, dn uid=julia.sxgegegea,ou=none,o=dd,dc=xxx,dc=xxx Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 47e4f6b4-7c2d-1033-8015-2d4a65066d19, dn uid=karin.vivwvwe,ou=none,o=dd,dc=xxx,dc=xxx Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 8d26a4f2-7c2d-1033-807b-2d4a65066d19, dn uid=larissa.fewfewf,ou=none,o=dd,dc=xxx,dc=xxx Oct 19 17:16:24 ldap-slave002.xxx slapd[8554]: nonpresent_callback: rid=999 nonpresent UUID 98310aa4-7c2d-1033-808b-2d4a65066d19, dn uid=laura.cfwfew,ou=none,o=dd,dc=xxx,dc=xxx syncrepl config: olcSyncrepl: {0}rid=999 provider=ldap://ldap-master002.xxx.xxx:389 bindmethod=simple timeout=0 network-timeout=10 binddn="uid=replicator,ou=system,o=de,dc=xxx,dc=xxx" credentials="pass" keepalive=0:0:0 starttls=yes tls_cacert="/etc/ssl/certs/SwissSign_Silver_CA_-_G2.pem" tls_reqcert=allow filter="(objectClass=*)" searchbase="dc=xxx,dc=xxx" scope=sub attrs="*,+" syncdata="accesslog" logbase="cn=accesslog_xxx" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=off type=refreshOnly interval="00:00:01:00" retry="10 5 60 +" Misconfiguration? (We've been running this configuration for years...) Workaround is to remove the whole mdb database and restart slapd to let it resync. I've found some posts with a similar problem but those are all related to pre 2.4.21, we're running slapd 2.4.44. Cheers

1 1

Configuring a relatively simple translucent proxy to override/add group memberships.
by Jeff Wiegley 23 Oct '16

23 Oct '16

Hopefully somebody can help as I am new to OpenLDAP and I've spent the whole day being overwhelmed and totally confused by the configration of this beast. (How did it get "Lightweight" as part of its name?) The problem I have is that I have a group of computers in my research lab at a university that I want to allow login to for campus users. I want to authenticate the logins against the campus LDAP server but I want to augment/add group-membership to the results. So for instance the campus LDAP server might authenticate a user named "bob" and a unix groups command for bob when logged in would show {"users", "student", "webuser"} but I want my machines to log him with his same campus credentials but see his group membership as {"users", "student", "webuser", "research", "cloud"}. From what I've read I can do this with the translucent overlay. The problem is that I have no idea how to get this working, let alone interface with the campus LDAP mess. So far I can get users authenticated and logged in with authentication solely against the campus LDAP server but nothing about the local translucent proxy is even understandable yet testable. I have Ubuntu 16.04 and I installed ldap/slapd do by essentially doing: apt-get install ldap-auth-client slapd ldap-utils I see both /etc/ldap/slapd.d and /usr/share/slapd/slapd.conf installed. And, as I said, I've got the machine configured via ldap.conf to authenticate against the campus LDAP server odir.csun.edu. But none of that even requires slapd installed. . I realize I'll eventually need to configure/understand slapd in order to allow it to authenticate against my local server but I'm totally lost in trying to figure that part out.) Couple of questions to start: 1) Should I be making configuration changes in /usr/share/slapd/slapd.conf or should I be using the dynamic config thingy and ldapadd/ldapmodify?? Several things I read say use ldapmodify but then EVERY example about translucent proxies that I can find demonstrate with slapd.conf. In fact almost every tutorial I've read is entrenched in slapd.conf. 2) How do I set up translucent overlay to proxy to the campus ldap server without making any changes to the results? If we could start there than maybe I could start getting a handle on at least a little understanding of how this starts to work. Thanks for any help, Jeff

2 1

Re: Disable Linux commands for LDAP users
by Mauricio Tavares 21 Oct '16

21 Oct '16

I think there was something called ldap-sudo, but there might be other ways to do it. On Oct 21, 2016 4:39 PM, "Bernard Fay" <bernard.fay(a)gmail.com> wrote: Hi, I would like to able to disable some Linux commands for LDAP users. One of those commands is passwd. Because of some specific needs, when the LDAP users have to change their password a special script has been created for this purpose. They MUST not use passwd but this command is still required by local users. Does one of you might have an idea to disable Linux commands for LDAP users only? Thanks, Bernard

1 0

slapo-rwm documentation
by Ralf Mattes 17 Oct '16

17 Oct '16

Dear collected list wisdom, I have successfully set up a relay database with Rwm suffix massaging. Now, for a client app I need to transform gorupOfNames into posixGroups and member attributes into memberUID. I was able to do the objectclass/attribute transformation with olcRwmMaps but now I need to transform the attribute _values_ (i.e. I need to strip the DN-valued member values to get uids). From the existing documentation I can't find out how to restrict a rwm-RewriteRule to (certain) attributes. Any help? TIA Ralf Mattes

1 0

Public LDAP server, what do I need to know?
by John Lewis 16 Oct '16

16 Oct '16

I want to host a LDAP server that contains a directory that contains the offices of local Representatives and Public Servants, the issues they are responsible for, and their names. I would like anyone who wants to to browse it or put up front ends. Is there anything in particular that I should keep in mind?

1 0

openldap 2.4.40 on RHEL7
by Real, Elizabeth (392K) 15 Oct '16

15 Oct '16

Hello, Quick question about replication, I’m setting up an ldapclient to talk to my two LDAP servers which are replicating fine. To be able to talk to both LDAP servers, do I need to scp the server certificate (cert.pem) from both servers into the ldapclient /etc/openldap/cacerts directory? I’m looking at this documentation to configure the ldap client using sssd: https://www.certdepot.net/ldap-client-configuration-authconfig/ Thank you, Liz

2 1

Re: group membership search performance
by Quanah Gibson-Mount 14 Oct '16

14 Oct '16

--On Friday, October 14, 2016 1:13 PM +0200 Rébeli-Szabó Tamás <tamas.rebeli.szabo(a)webvalto.hu> wrote: > Hi Quanah, > > yes, it takes 5–7 seconds for each search. I believe that's a general known issue with very large groups. I personally moved to using dynamic groups via slapo-dynlist for a variety of reasons, performance being one. You may want to test in a dev environment if your issues go away if you move to dynamic groups instead. --Quanah -- Quanah Gibson-Mount Product Engineer Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: group membership search performance
by Quanah Gibson-Mount 14 Oct '16

14 Oct '16

--On Wednesday, October 12, 2016 10:11 PM +0200 Rébeli-Szabó Tamás <tamas.rebeli.szabo(a)webvalto.hu> wrote: > Hi, > > we are on OpenLDAP 2.4.41 + MDB, Oracle Linux 6 (2.6 x86_64). > > In our DIT we have around 300 groups, with tens of thousands of members > in each group. When we want to know which groups a certain user belongs > to, it takes OpenLDAP several seconds to perform such a search. > > Here is a log excerpt showing that it took 6 seconds for the server to > answer: > > Oct 10 15:39:38 ldap-srv1 slapd[14776]: conn=1062 op=1 SRCH > base="ou=groups,dc=tt,dc=hu" scope=1 deref=0 > filter="(&(uniqueMember=uid=o10011,ou=users,dc=tt,dc=hu)(objectClass=grou > pOfUniqueNames))" > Oct 10 15:39:44 ldap-srv1 slapd[14776]: conn=1062 op=1 SEARCH RESULT > tag=101 err=0 nentries=127 text= > > We have eq indices on objectClass and uniqueMember, and the latter is > also listed after sortvals. > > The machine running OpenLDAP has 2 virtual cores of Intel Xeon E5 2637 v2 > (3.5GHz). During such searches, one of the CPU cores is almost fully > loaded, but the system is not overloaded (the average load is around > 0.8). Our whole dataset is under 1 GB, and there are several gigabytes > of free RAM with no swapping. > > Our expectation would be for OpenLDAP to give an answer to a group > membership question under 1 second. Is that a realistic expectation, and > if so, how should we tune OpenLDAP or what do you suggest we change? > Version 2.4.41 is more than a year old, so the question is if there is > any significant performance enhancement (an order of magnitude) possible > with this setup described above, or that's about all we can get from > OpenLDAP+MDB (or perhaps any in-memory LDAP)? Does it always take 6 seconds to return the 127 group entries that match, or is that only on the first search? --Quanah -- Quanah Gibson-Mount Product Engineer Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2016