openldap-technical October 2016

openldap-technical@openldap.org

44 participants
57 discussions

Re: Syncrepl and missing entries
by Quanah Gibson-Mount 05 Oct '16

05 Oct '16

--On Wednesday, October 05, 2016 12:17 PM +0200 Thomas Hummel <thomas.hummel(a)pasteur.fr> wrote: > I'm answering some parts of my own question : > > as a matter of fact, the entry missing in my replica has an entryCSN > lesser than the contestCSN. I guess that's the reason why it is not > synchronised. > > Does that mean that, if for some reason, the replica gets out of sync in > a similar manner, missing entries will never get synch'ed again unless - > by "chance" - touched (modified) again (in which case they'll get a new > entryCSN) ? Correct > Of course, I still don't undestand why this entry disapeared in the first > place... What release? There are known issues with syncrepl in various releases. --Quanah -- Quanah Gibson-Mount Product Engineer Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 4

User Import Problem with n-way multimaster setup
by robert.lindner＠delivion.de 05 Oct '16

05 Oct '16

Hi, I have a Problem importing a large batch of users into the following setup: Two Nodes of openldap running n-way multimaster replication with mdb backend, version is 2.4.44. Everything looks good, replication is working. Now I am trying to import a ldif file with 110362 Users to be added and 956419 group modify operations: 1. When both nodes are online and replication is running, after slapd on the importing node quickly starts using all available memory until the kernel oom-killer decides it uses too much and kills the process. This seems to be caused by the group modifications: It did not happen before, when we had an error in the ldif which caused the group modify statements to be ignored, so only users were imported. We tried to circumvent this behavior by adding up to 32GB of Memory, but this only postponed the problem. 2. When I shut down the second node, so no replication is happening, then start the user and group membership import, this runs fine (takes about 10 hours) without exhausting memory, but if I join the second node afterwards none of the new entries is replicated to the second node. Does anyone have an idea what I might be doing wrong? Currently I try to batch import with the ldif split into chunks of 1000 entries, with a 30s pause in between. Best Regards, Robert Lindner Cloud Platform Engineer | Delivion GmbH Nachbarsweg 25a | D-45481 Mülheim an der Ruhr Tel.: [+49] 170 7727967 | Web: www.delivion.de This e-mail message may contain confidential or legally privileged information and is intended only for the use of the intended recipient(s). Any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is prohibited. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, or contain viruses. Anyone who communicates with us by e-mail is deemed to have accepted these risks. Company Name is not responsible for errors or omissions in this message and denies any responsibility for any damage arising from the use of e-mail. Any opinion and other statement contained in this message and any attachment are solely those of the author and do not necessarily represent those of the company.

1 0

Syncrepl and missing entries
by Thomas Hummel 05 Oct '16

05 Oct '16

Hello, I'm planning a migration from openldap-2.4.35 (FreeBSD 9.1-RELEASE-p12) to openldap-2.4.40 (CentOS 7). On BSD, I have 3 slapd.conf/hdb servers : one provider and 2 consumers (classical syncprov overlay / syncrepl refreshAndPersist setup). On linux, I've set up 3 new cn=config/lmdb servers in a simliar manner. For a smooth migration, I also configured syncrepl on the linux provider so that it is also a consumer of the BSD provider. So this is a simple BSD provider -> linux provider-and-consumer -> linux consumer chain, not a multi-master setup. Everything worked fine and I could indeed check that modifying, say an attribute of my dn, on the FreeBSD provider was replicated to the BSD consumers, the Linux provider and then the Linux consumers. Unfortunately, I noticed that, after a while (at least it seems that it occurred after a while, I'd swear the entry was there from the start), the sssd entry (cn=sssd,ou=ldap,dc=pasteur,dc=fr) - used by sssd to bind - was missing on the Linux provider-and-consumer. That in itself may be an mystery I must figure out. But more important, I noticed that this entry would not be replicated although it IS present on the BSD provider, even after slapd restarts. Only if I remove the database files and restart from scratch get all the entries - including this one - get replicated from the BSD provider to the linux provider-consumer. Is my setup only supposed to work ? Is the difference of slapd versions a problem ? Is the fact that both providers manage the same rootDSE a problem ? Thanks -- Thomas HUMMEL

1 1

Mapping attribute from ppolicy shemas to shadowaccount
by Alexis Lameire 05 Oct '16

05 Oct '16

Hello, Despite my search I can't find a good solution to my issue. I would like to implement passord policy inside my LDAP server. So I will use the password policy overlay. The policy applyed to the user is located on the pwdPolicySubentry attribute of the user entry. I would like to configure the password expiration warning on my policy. I would also that this warning will be displayed on my linux based server. Due to the deprecation of pam_ldap module on recent system, I'm using SSSD. Despite my search, SSSD is only able to fetch the password expiration attribut inside the shadowAccount objectClass (so on the user entry). To be able to define my policy once, I have to show and rename the ppolicy objectClass attribut referenced by the pwdPolicySubentry dn inside the user entry. with the slapo-rwm I can map the attribute of the same leaf objectClass to another name but I'm not able to follow the pwdPolicySubentry DN and map the value of this object inside the posixAccount objectClass. How to acheave this ? Regards

1 0

Openldap with Active Directory
by Matthew Pulis 03 Oct '16

03 Oct '16

Hi, I have a freeradius server which is authenticating users against Openldap and according to the attribute memberOf is assigned a VLAN (this part works fine). Now I would like to extend this functionality for the users in Active Directory (2012 R2). My OpenLdap's main DN is: dc=seminary,dc=local, and has 5 OU's each with their own users. My Active Direcotry's main ND is: dc=seminary,dc=local too but has only 1 OU which distinguishedName is ou=School,dc=seminary,dc=local. A few questions: 1) Will this be possible? I need only to authenticate the user and that's it - any password modifications will be done only through Active Directory domain. 2) I was thinking to use the back_ldap and rwm Openldap modules. But ended up entering a problem with this ldif: (since the olcDbACLPasswd is deprecated) radius@radius:~$ cat proxy2.ldif dn: olcDatabase={1}mdb,cn=config changetype: add olcdatabase: ldap olcReadOnly: TRUE olcDbProtocolVersion: 3 olcSuffix: dc=seminary,dc=local olcRootDN: ou=school,dc=seminary,dc=local olcDBUri: "ldap://192.168.100.129:389" olcDbRebindAsUser: TRUE olcoverlay: rwm olcRwmMap: attribute cn distinguishedName olcRwmMap: attribute mail mail olcRwmMap: attribute uid sAMAccountName olcRwmMap: objectClass posixAccount person olcRwmMap: objectClass memberUid member olcRwmMap: attribute memberOf memberOf #olcDbIDAssertBind: bindmethod=simple #olcDbIDAssertMode: none olcDbIDAssertBind: cn=Ldap Binder,dc=seminary,dc=local olcDbACLPasswd: PASS! Any idea how I can go through this issue? Will this work after all? Thanks and best regards Matthew Matthew Pulis web: www.matthewpulis.info mob: +356 79539404

1 0

RedHat 6 & 7 disable TLSv1.0
by Gaurav Swami 03 Oct '16

03 Oct '16

Hello, I have Redhat 6 where am trying to disable TLSv1.0 protocol.I have tried below configuration RHEL6 ----------------------------------------- [root@ldap1 ~]# rpm -qa | grep -we openldap -we openssl -we nss krb5-pkinit-openssl-1.10.3-10.el6_4.6.x86_64 openldap-servers-2.4.40-12.el6.x86_64 nss-util-3.21.0-2.el6.x86_64 nss-3.21.0-8.el6.x86_64 openssl-devel-1.0.1e-48.el6_8.1.x86_64 openssl-1.0.1e-48.el6_8.1.x86_64 openldap-clients-2.4.40-12.el6.x86_64 nss-softokn-freebl-3.14.3-23.3.el6_8.x86_64 nss-sysinit-3.21.0-8.el6.x86_64 nss-tools-3.21.0-8.el6.x86_64 openldap-2.4.40-12.el6.x86_64 nss-softokn-3.14.3-23.3.el6_8.x86_64 ---------------------------------------------------------------------------- RHEL6 Configuration ---------------------------------------- TLSProtocolMin 3.2 TLSCipherSuite HIGH ----------------------------------------- But still when I ran third party tool to check offered protocol am getting --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered TLS 1.1 offered TLS 1.2 offered (OK) SPDY/NPN not offered --> Testing ~standard cipher lists TLSv1.0 is still offered ,I want to disable TLSv1.0 also Any suggestiosn? -- Thanks & Regards, **Gaurav Swami**

4 3

Test
by dieter＠dkluenter.de 01 Oct '16

01 Oct '16

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2016