openldap-technical January 2017

openldap-technical@openldap.org

47 participants
80 discussions

Generic Referrals never received.
by BENICHOU Fabrice - Contractor 13 Jan '17

13 Jan '17

Hello, I have 2 LDAP servers: -machine 1:" localserver.domain.com" : the DIT is dn: dc=example dc: bsr-ivv objectClass: top objectClass: dcObject objectclass: organization o: AAA dn: ou=Users,dc=example objectClass: top objectClass: organizationalUnit ou: Users dn: ou=Groups,dc=example objectClass: top objectClass: organizationalUnit ou: Groups -machine 2: "centralserver.domain.com": the DIT is the SAME. and i want that request not found on "localserver.domain.com" should be delegated to "centralserver.domain.com" the configuration of "localserver.domain.com" is: dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap/slapd.args olcPidFile: /var/run/openldap/slapd.pid olcTLSCACertificatePath: /etc/openldap/certs olcTLSCertificateFile: "OpenLDAP Server" olcTLSCertificateKeyFile: /etc/openldap/certs/password structuralObjectClass: olcGlobal creatorsName: cn=config olcReferral: ldaps://centralserver.domain.com olcLogLevel: -1 I use the command "ldapsearch" on "localserver" to request data about "admincentral1" that only exists on "centralserver.domain.com" machine: >ldapsearch -H ldaps://localserver.domain.com -b ou=Users,dc=bsr-ivv -w password -D "cn=Admin,dc=example" uid=admincentral1 mail -x -C -d 129 But the client "ldapsearch" does not get the refferal of "centralserver" LDAP from "localserver". I look at slap logs and ldapsearch logs but the refferal is never received. Shall i activate anything else? NB: if i use referral Objects, this works fine: i found logs like : " Jan 13 13:44:55 m-deploy slapd[24898]: send_ldap_result: referral="ldaps://centralserver.external.domain.com/ou=Users,dc=example" " but with that configuration, no referral are received by client... Best regards Fabrice

1 0

Re: ppolicy overlay and MMR experiencing frequent delta-sync lost issue
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Thursday, January 12, 2017 10:20 AM -0500 Beth Halsema <bhalsema(a)purdue.edu> wrote: > > Quanah, are you suggesting that the ppolicy attributes (i.e. > pwdGraceUseTime, pwdFailureTime, etc.) not be replicated? Hi Beth, This is clearly noted in the slapo-ppolicy(5) man page: Note that the current IETF Password Policy proposal does not define how these operational attributes are expected to behave in a replication environment. In general, authentication attempts on a slave server only affect the copy of the operational attributes on that slave and will not affect any attributes for a user's entry on the master server. Operational attribute changes resulting from authentication attempts on a master server will usually replicate to the slaves (and also overwrite any changes that originated on the slave). These behaviors are not guaranteed and are subject to change when a formal specification emerges. The correct fix is to modify your syncrepl configuration so that those attributes are ignored by the syncrepl client. There is no patch to the code necessary. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 3

Re: ppolicy overlay and MMR experiencing frequent delta-sync lost issue
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Thursday, January 12, 2017 11:27 PM +0100 Michael Ströder <michael(a)stroeder.com> wrote: > Mark Cairney wrote: >> On 12/01/17 16:06, Quanah Gibson-Mount wrote: >> >>> The correct fix is to modify your syncrepl configuration so that those >>> attributes are ignored by the syncrepl client. There is no patch to the >>> code necessary. >>> >> >> Possibly a dumb question but do you have a worked example of this? The >> usual "get-all" stanza for this would "*, +" and as far as I'm aware you >> can't subtract attributes from the list returned i.e. search for all >> attributes *except* pwdFailureTime. > > You could try using option exattrs with syncrepl statement, see > slapd.conf(5). One could also change the olcAccess on the accesslog DB to exclude problem attributes from being visible. But exattrs is probably the best route. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: slapd-meta with olc
by Howard Chu 12 Jan '17

12 Jan '17

Quanah Gibson-Mount wrote: > --On Wednesday, January 11, 2017 10:23 AM +0000 Martin Stejskal > <mstejskal(a)alps.cz> wrote: > > I'll fix this LDIF for you, although I don't know the answers to the rest of > your questions. > >> $ cat add_meta_backend.ldif >> dn: cn=module{},cn=config >> objectClass: olcModuleList >> cn: module{} >> olcModulePath: /usr/lib/ldap >> olcModuleLoad: back_meta >> olcModuleLoad: back_ldap >> olcModuleLoad: rwm > > As for olc attribute names, you can trivially grab these out of the source > code. There is no need to read source code. Just read the cn=schema,cn=config entry using ldapsearch for all of the relevant definitions. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: slapd-meta with olc
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Thursday, January 12, 2017 4:23 PM +0000 Martin Stejskal <mstejskal(a)alps.cz> wrote: > > > > Hi Quannah, > > thanks for support. Now I understand little bit more ldif syntax/rules. > Yes, the source code is option as well, but I tried to avoid it :) > > I know there is slapd.conf to cn=config converter, but unfortunately I > was not able to make it work (errors during conversion). I would note that slaptest will report errors during conversion sometime and then note that they should be ignored, since the configuration isn't actually being used against a running slapd. Since you provide no details about the errors encountered, it's impossible to determine if it was a valid error or simply a note about the difference between the conversion process and an active slapd. You could of course take the configurations from test035 and test036 to trivially come up with working configurations to be converted to cn=config as a starting point. :) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Chain 2 master LDap
by BENICHOU Fabrice - Contractor 12 Jan '17

12 Jan '17

Hello, I try to chain 2 LDAP master (Provider): My system is : -1 Master "central" with suffix="dc=com" : I contains ldap posix user like "adminCentral". -1 Master "local" with suffix="dc=com": It contains ldap posix user like"adminlocal". The goal is to chain request when a ldapclient ask to Master "local" : this later shall chain the request to Master "central" and get back the result to client. For example, if "uid=adminCentral,User,dc=com" is not found in Master "local" LDAP, the Master "local" LDAP shall find if this Entry exists in Master "central" 1) Is it possible for a Master, to chain via overlay with "olcDbURI" parameter to another master? I only see example where Slave (Consummer) are chaining to Master (Provider).. 2) My Master "local" is configured with TLS : it has a Master_pem certificate, and a rootCA_local.pem (used in fact to authentify a local slave for replication). How to have TLS between "Master local" and "Master central"? If the rootCA_central.pem (trust chain) is not the same that the a rootCA_local.pem, how to complete the trust chain of the Master local? My work is based on documentation : http://www.zytrax.com/books/ldap/ch7/referrals.html#chaining (7.3.5). but the full documentation is not available and I use dynamic configuration with "olc". I have also found at http://serverfault.com/questions/518407/openldap-2-4-chain-overlay-minimal-… the Chain Overlay Minimal LDIF Configuration But the delegation does not work. Anyone does have a tutorial ? My platform: Centos 7 Best regards. Fab [@@ THALES ALENIA SPACE INTERNAL @@]

2 1

Re: Slapd.conf for doing stress
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Thursday, January 12, 2017 2:39 PM +0530 PRATIK SINGAL <pratik.singal13(a)gmail.com> wrote: > > Hello , > > > Am new to openldap and need to perform stress on openldap2.4. > Can any one please provide me with some usefull link / optimized conf > file for stress. > we are using Berkley DB. <https://mishikal.wordpress.com/> has information about benchmarking with the relevant portions of the configuration noted. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: ppolicy overlay and MMR experiencing frequent delta-sync lost issue
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Monday, January 09, 2017 9:53 AM -0500 Beth Halsema <bhalsema(a)purdue.edu> wrote: > We have submitted OpenLDAP-ITS #8561 with a unit test and a possible > patch to the ppolicy overlay. > > If anyone else has run into this, we would be interested in any other > work- arounds that have been used to address the issue. Hi Beth, I'm guessing that ppolicy is writing items that are not supposed to be replicated to the accesslog. This issue (ITS8561) and ITS8444 I think are generally similar items, in that while the accesslog is writing all write operations, replication requires that some write operations not be present in the accesslog. I'll be discussing with the other team members on how best to handle what are somewhat conflicting requirements. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

Re: Odd ldapsearch behavior
by Quanah Gibson-Mount 11 Jan '17

11 Jan '17

--On Wednesday, January 11, 2017 1:18 PM -0500 Frank Swasey <Frank.Swasey(a)uvm.edu> wrote: > Today at 12:44pm, Michael Ströder wrote: > >> Out of curiosity: >> What happens if you slapcat the data on your development server? > > slapcat dumps the data just fine (meaning that the two attributes are not > duplicated). If you are using cn=config, slapcat it and compare? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Odd ldapsearch behavior
by Frank Swasey 11 Jan '17

11 Jan '17

Today at 12:44pm, Michael Ströder wrote: > Out of curiosity: > What happens if you slapcat the data on your development server? slapcat dumps the data just fine (meaning that the two attributes are not duplicated). - Frank

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2017