openldap-technical August 2016

openldap-technical@openldap.org

27 participants
36 discussions

nslcd listing users and groups twice
by John Lewis 28 Aug '16

28 Aug '16

This is surprisingly non-trivial especially when the nis schema for openldap is more documented than the samba one when I use to run samba-ad-dc. I have the nslcd.conf attatched.

2 5

rootDN problems with slapd-config
by Dave Schneider 28 Aug '16

28 Aug '16

I'm having problems getting the rootDN working when using slapd-config form of configuration, while the "exact" same configuration using slapd.conf works fine. Here are my stripped down test versions of the two configurations (hashed password is 'secret' from slappasswd): slapd.d/cn=e2config.ldif: ------------------------- dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/openldap/run/slapd.args olcPidFile: /var/openldap/run/slapd.pid dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema include: file:///var/openldap/schema/core.ldif include: file:///var/openldap/schema/cosine.ldif dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcMaxsize: 1073741824 olcSuffix: dc=com olcRootDN: cn=reader,dc=com olcRootPW: {SSHA}RIC5hnBuWr4t857KR+dzTEOF/ekQaIVx olcDbDirectory: /var/openldap/data olcDbIndex: objectClass eq olcDbIndex: dc eq olcDbIndex: cn eq slapd.conf: ----------- include /var/openldap/schema/core.schema include /var/openldap/schema/cosine.schema backend mdb pidfile /var/openldap/run/slapd.pid argsfile /var/openldap/run/slapd.args database mdb maxsize 1073741824 suffix dc=com rootdn cn=reader,dc=com rootpw {SSHA}RIC5hnBuWr4t857KR+dzTEOF/ekQaIVx directory /var/openldap/data index objectClass eq index dc eq index cn eq When I run a simple search for slapd running with the slapd.conf configuration I get: $ ldapsearch -D cn=reader,dc=com -w secret -x -LLL -b dc=com -s base dc=* dn: dc=com objectClass: top objectClass: domain dc: com But when I run the same search with the slapd.d configuration I get: $ ldapsearch -D cn=reader,dc=com -w secret -x -LLL -b dc=com -s base dc=* ldap_bind: Invalid DN syntax (34) additional info: invalid DN Debug output on the server side isn't giving much info in addition to what's already displayed on the client: 57bf52df conn=1000 op=0 do_bind: invalid dn (cn=reader,dc=com) Any help on what I might be doing wrong is greatly appreciated. Oh yeah, I'm using version 2.4.44. Thanks, Dave

3 7

Re: libldap and libldap_r in the same process
by Howard Chu 28 Aug '16

28 Aug '16

Jan Engelhardt wrote: > > On Sunday 2016-08-28 15:03, Howard Chu wrote: >>> * Should Linux distributions make libldap and libldap_r be the same thing? >> >> I'm wary of doing that, but I suppose thread support on Linux today is a lot >> more stable than it was 7-15 years ago. > > The question really just is, will the openldap project combine ldap > and ldap_r, or do distributions have to copy the Debian-style solution? The OpenLDAP Project will not make such a change in the 2.x release family. What distributions decide to do is up to them. There are still embedded devices that use libldap, and have no thread support. We have no reason to make it harder for them to build their own projects. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: libldap and libldap_r in the same process
by Howard Chu 28 Aug '16

28 Aug '16

Jan Engelhardt wrote: > > A given (threaded) program makes use of libldap_r. It now also wants to > make use of, say, libcurl. On certain systems, libcurl happens to be > linked against libldap (not _r). > > Eventually, both libldap and libldap_r end up in the process image of my > program, and a symbol like "ldap_init" may point to the function of > either library file. The threaded program may end up unexpectedly been > given the non-threaded functions, depending on how the runtime linker > loaded said libraries and binds the symbols. (I am seeing crashes in a > large program's initialization because of this.) > > > There is a 7-year old post indicating libldap should get locking/ > be replaced by libldap_r. > http://www.openldap.org/lists/openldap-devel/200909/msg00018.html > To date, openldap still consists of the two libraries. > What are the preferred options to go forward here? > > * Killing non-threaded libldap in openldap for real > If not, > * Should curl have used -lldap_r instead of -lldap? Is curl already multithreaded? On Ubuntu curl is built with libldap_r already. If curl is a threaded program then yes, it should use libldap_r. > * Should Linux distributions make libldap and libldap_r be the same thing? I'm wary of doing that, but I suppose thread support on Linux today is a lot more stable than it was 7-15 years ago. > * Should libldap and libldap_r be augmented by ELF symbol versions? > * All of the above? :) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

libldap and libldap_r in the same process
by Jan Engelhardt 27 Aug '16

27 Aug '16

A given (threaded) program makes use of libldap_r. It now also wants to make use of, say, libcurl. On certain systems, libcurl happens to be linked against libldap (not _r). Eventually, both libldap and libldap_r end up in the process image of my program, and a symbol like "ldap_init" may point to the function of either library file. The threaded program may end up unexpectedly been given the non-threaded functions, depending on how the runtime linker loaded said libraries and binds the symbols. (I am seeing crashes in a large program's initialization because of this.) There is a 7-year old post indicating libldap should get locking/ be replaced by libldap_r. http://www.openldap.org/lists/openldap-devel/200909/msg00018.html To date, openldap still consists of the two libraries. What are the preferred options to go forward here? * Killing non-threaded libldap in openldap for real If not, * Should curl have used -lldap_r instead of -lldap? * Should Linux distributions make libldap and libldap_r be the same thing? * Should libldap and libldap_r be augmented by ELF symbol versions? * All of the above? :)

1 0

Re: Using LMDB safely with fork() and exec()
by Howard Chu 23 Aug '16

23 Aug '16

Lorenz Bauer wrote: > If this works, I'd like to contribute the changes necessary to not > leak fds on exec, which are mentioned in the other thread. > > * Are there contribution guidelines somewhere? How do I submit a patch? Read http://www.openldap.org/ "Contributing" -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Re: mirror mode vs multi master
by Howard Chu 23 Aug '16

23 Aug '16

Matwey V. Kornilov wrote: > Hello, > >>From Administrator's guide, it is not completely clear what is the > internal difference between mirror mode and n-way multi master. There is no internal difference. The difference is in how clients use the servers. In mirrormode you arrange for all write ops to only go to one provider. > 1) Can 2-way multi master configuration exist? If so, what should be > difference in slapd.conf between mirror mode and 2-way multi master? There is no difference in slapd configuration. > What is the difference in syncrepl behaviour? Or all difference is > that external proxy/balancer assumed when mirror mode is meant? All difference is in the external proxy. > 2) Is there quorum based consensus when 3-way multi master is used? If > not, how is the conflict resolution performed? No quorums needed. Conflict resolution is based on CSNs. In general, last writer wins. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

mirror mode vs multi master
by Matwey V. Kornilov 23 Aug '16

23 Aug '16

Hello, >From Administrator's guide, it is not completely clear what is the internal difference between mirror mode and n-way multi master. 1) Can 2-way multi master configuration exist? If so, what should be difference in slapd.conf between mirror mode and 2-way multi master? What is the difference in syncrepl behaviour? Or all difference is that external proxy/balancer assumed when mirror mode is meant? 2) Is there quorum based consensus when 3-way multi master is used? If not, how is the conflict resolution performed? -- With best regards, Matwey V. Kornilov http://blog.matwey.name xmpp://0x2207@jabber.ru

1 0

search right and attribute existence
by Emmanuel Dreyfus 21 Aug '16

21 Aug '16

Hello I would like to test if an attribute is set without disclosing it. Using an ACL that grants the search right does it: I can do ldapsearch -b dn attr=*' dn and see if I get a result. Problem: it is still possible to brute force the atribute value, by searching x* with x being the first lette,r, then xy* and so on. Is there a way to address this? -- Emmanuel Dreyfus manu(a)netbsd.org

4 4

Directory structure searching
by Gurjot Kaur 19 Aug '16

19 Aug '16

Hi, I am encountered a problem regarding the checking of the directory structure during ldapsearch request. I did slapadd on my LDAP server (OpenLDAP 2.4.44 with MDB backend) for few entries and found the below error as my top entry "ou=people,dc=my-domain,dc=com" was missing from the DB. ############################################################################### /usr/local/sbin/slapadd -v -c -w -f /usr/local/etc/openldap/slapd.conf -l 2_tmp.ldif 578c3c23 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable added: "ou=Test1,ou=people,dc=my-domain,dc=com" (00000005) added: "ou=Test2,ou=people,dc=my-domain,dc=com" (00000006) added: "ou=Test3,ou=people,dc=my-domain,dc=com" (00000007) added: "ou=Test4,ou=people,dc=my-domain,dc=com" (00000008) _#################### 100.00% eta none elapsed none fast! modified: "(null)" (00000001) Closing DB...Error, entries missing! entry 4: ou=people,dc=my-domain,dc=com ############################################################################### The above error is fine. Do the above entries get added to the DB, though the parent node for these entries was not present? Because when I search for the entry using the below ldapsearch command, this gives me the correct result. ############################################################################### ldapsearch -x -D cn=Manager, dc=my-domain,dc=com -w secret -b ou=Test1,ou=people, dc=my-domain,dc=com -s sub "(&(objectclass=organizationalUnit)(ou=Test1*))" -H ldap://0.0.0.0:2016 # extended LDIF # # LDAPv3 # base <ou=Test1,ou=people,dc=my-domain,dc=com> with scope subtree # filter: (&(objectclass=organizationalUnit)(ou=Test1*)) # requesting: ALL # # Test1, people, my-domain.com dn: ou=Test1,ou=people, dc=my-domain,dc=com ou: Test1 objectClass: organizationalUnit companyName: Test1 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ############################################################################### Does this means ldapsearch check just for the specific entry and not the complete directory structure? Thanks in advance. Regards, Gurjot Kaur "DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2016