Re: Syncrepl and multiple values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
>
> Issue 8559 opened.
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
How to enable memberOf overlay with posixGroup?
by MegaBrutal
Hi all,
I've spent days trying to figure out how I could enable the memberOf
overlay, and it doesn't seem to be easy for an LDAP noob. I've read
50+ tutorials, which didn't help me get it working.
Use case: I want to have 2 main groups which control access to
different services on my network. A "unixusers" which is a minimum to
log in to Linux servers (having a hostObject entry for the user is
another requirement, which is irrelevant to this question, as I
already solved that problem); and a "cloudusers" group which enables
log in to my ownCloud instance.
The groups should enforce the following rules:
– Only users in "cloudusers" should be allowed to log in to ownCloud.
– Users in "unixusers" are allowed to log in to a set of Linux servers
controlled by "host" (hostObject) entries.
– Users not in the "unixusers" group may not log in to any Linux
systems, even if they have "host" entries.
Problems:
– ownCloud complains that the memberOf overlay is not enabled, hence
it doesn't let me restrict access to the "cloudusers" group. It would
allow any users regardless of any group memberships, which is not
acceptable.
– I have a similar problem on Linux with PAM: I can't really get it to
consider "unixusers" membership for user logins, although I got the
"host" entries working correctly, so at least I can already restrict
access with that.
My guess is that it all boils down to the lack of memberOf overlay. I
also figured that memberOf would need groupOfNames groups, while I
need posixGroup type groups. I evaluated the possibility to use
groupOfNames, but it lacks the necessary gidNumber attribute which is
a requirement for Unix groups. But anyway, I can't enable memberOf
even for groupOfNames. I can't enable memberOf by any means.
My OpenLDAP uses the new configuration method and it completely
ignores slapd.conf, so the config must be injected with ldapadd to
cn=config.
Could you please help me with this?
Regards,
MegaBrutal
[Q] "selective" ACL
by Zeus Panchenko
hi,
I'm trying to configure a not complex (as I believe) ACL ... but I have some
difficulties.
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users reside in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and
that is not difficult, of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * break
but in addition I need to allow my coadmins to do the same things except
manipulations upon the objects which belong to admins (
...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
please, advise
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
Re: 2.4.44 + ITS 8432 patch segfault in modify_add_values
by Quanah Gibson-Mount
--On Wednesday, February 15, 2017 6:36 PM -0800 "Paul B. Henson"
<henson(a)acm.org> wrote:
> On Wed, Feb 15, 2017 at 12:22:29PM -0800, Quanah Gibson-Mount wrote:
>
>> I would suggest filing an ITS with the full backtrace info, so I can
>> track it.
>
> Ok, will do.
>
>> It could be useful to have the entry data from the accesslog as
>> well for the failed replication op, as we can see the failed entry DN in
>> the output of your backtrace.
>
> That would be in the accesslog on the server that crashed? Hmm, the
> server that crashed is the master, and all updates were going to it. Am
> I confused, or did the update that caused the crash come in via syncrepl
> though, and hence originate from a different server? So the accesslog
> entry you want would be from that server, not the server that crashed?
> But given no other servers should have been receiving updates, how would
> an update have been received via replication? Or is this another issue
> like the memberOf problem where updates are being improperly replicated?
It appears to be crashing while writing the change to the accesslog
database. It's odd that the value for the attribute is NULL. Do we know
for sure what the client doing the write op to the server is sending?
> Hmm, looking at the logs that correspond with one of the crashes:
> This operation appears to succeed? Then there's this:
>
> Feb 14 04:00:13 fosse slapd[12524]: conn=37859 op=806 MOD dn="uid=vntruong,ou=user,dc=csupomona,dc=edu"
> Feb 14 04:00:13 fosse slapd[12524]: conn=37859 op=806 MOD attr=csupomonaEduPersonExpiration
Yeah, so this is the operation that actually failed... It'd be interesting
to know if it succeeded in the primary DB, but failed when writing to the
accesslog DB (i.e., the master and its consumers are now out of sync for
that entry), or if the entire write op failed (master and consumers are in
sync for the entry).
> when I restarted the server. I guess I am confused; the entryCSN has
> serverID 0, the ID of this server, so this isn't a replicated op, it's
> an op from this server. So why does the backtrace show the change coming
> in via syncrepl? It seems like it's getting applied twice. The change is
> deleting the attribute, so the second time it's getting applied you
> would get a no such attribute error...
Hm, so I guess my question would be: is it doing the op like this:
dn: ...
changetype: modify
replace: csupomonaEduPersonExpiration
csupomonaEduPersonExpiration:
Or is it doing it like this:
dn: ...
changetype: modify
delete: csupomonaEduPersonExpiration
Because the NULL value seems to imply the former.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
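The two modify forms contrasted in the reply above differ in what reaches the backend: the first sends a zero-length value, the second sends no value at all. As an added example (not code from the thread), a small LDIF modify parser that tells them apart; both records are constructed, and only the attribute name is taken from the post.

```python
"""Tell 'replace' with an empty value apart from 'delete' of the attribute.
Added example, not from the thread; records constructed, attribute name from the post."""
import base64

REPLACE_EMPTY = """\
dn: uid=example,ou=user,dc=example,dc=com
changetype: modify
replace: csupomonaEduPersonExpiration
csupomonaEduPersonExpiration:
-
"""

DELETE_ATTR = """\
dn: uid=example,ou=user,dc=example,dc=com
changetype: modify
delete: csupomonaEduPersonExpiration
-
"""

def parse_modify(ldif: str) -> list[dict]:
    """Return [{'op', 'attr', 'values'}, ...] for one 'changetype: modify' record."""
    changes, current = [], None
    for line in ldif.splitlines():
        if not line or line[0] == "#" or line.startswith(("dn:", "changetype:")):
            continue
        if line == "-":                      # end of one mod-spec
            if current is not None:
                changes.append(current)
            current = None
            continue
        if current is None:                  # 'add:' / 'delete:' / 'replace: attr'
            op, _, attr = line.partition(":")
            if op not in ("add", "delete", "replace"):
                raise ValueError(f"unexpected change type: {op!r}")
            current = {"op": op, "attr": attr.strip(), "values": []}
            continue
        _attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed value line: {line!r}")
        if value.startswith(":"):            # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        current["values"].append(value.strip())
    if current is not None:                  # record without a trailing '-'
        changes.append(current)
    return changes

def empty_value_changes(ldif: str) -> list[str]:
    """Attributes whose add/replace carries a zero-length value (the first form above)."""
    return [c["attr"] for c in parse_modify(ldif) if c["op"] != "delete" and "" in c["values"]]
```

Running it over a client's LDIF (or an accesslog reqMod value rewritten as LDIF) shows whether the client is sending the empty-valued replace rather than a delete.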
Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount
--On Tuesday, February 14, 2017 5:04 PM -0800 "Paul B. Henson"
<henson(a)acm.org> wrote:
> On Tue, Feb 14, 2017 at 04:13:17PM -0800, Quanah Gibson-Mount wrote:
>
>> I have a test setup from a coworker who managed to trigger this to
>> examine and see if I can push it into the test script. :)
>
> Cool, good to hear; it will be nice to track this down and quash it. I
> don't know what it is about my environment that triggers it so often,
> perhaps because we add/remove group members frequently.
Hi Paul,
In the ITS, you didn't provide your configuration -- I'm curious to see the
order in which you load the overlays. In the initial report from Mark, he
loads them in this order (on the primary data db):
dynlist
memberof
syncprov
accesslog
So I'd like to know the order in which your overlays are loaded.
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
How correctly convert ldif dump size to mdb olcDbMaxSize value
by Ikonta
Hi everybody,
I use a simple OpenLDAP installation (two servers in mirror mode, a tree of somewhat over 30000 leaves).
Some time ago I migrated it to the mdb backend.
The database dump in LDIF weighs about 300M.
Initially I set olcDbMaxSize to 2147483648 bytes (2G).
Imported into the directory, it became a data.mdb of about 450M on node1, and after the mirror synced, a replicated data.mdb of 1.5G on node2.
Why are the instances' database sizes so different?
Am I right in guessing that olcDbMaxSize is the maximum size of the data.mdb file?
And how should I, starting from the present and prospective LDIF dump size, calculate the proper value of olcDbMaxSize?
For example, if I expect the LDIF dump may grow up to 500M?
WBR
Dynamic groups/lists
by Saša-Stjepan Bakša
Hi,
I have access to an LDAP server which doesn't have any groups defined. All
users have only attributes which are used to distinguish which type of
user they belong to, and for the application which I intend to use, groups
are necessary.
I don't have authority to change that, but I can create my own LDAP proxy
server and direct my application to it.
The question is, can I create dynamic groups which will reside only on that
proxy server? I am already familiar with translucent and ordinary proxy
servers.
Br
Sasa
user removed from ldap group but Linux groups command still shows user as member of the group
by Bernard Fay
Hi,
I removed a user from an LDAP group about a week ago. Today, this user
still shows as a member of the group with the Linux command groups. Also, the
group (Administrators) appears twice in the output of the command id:
uid=10000(username) gid=10000(Administrators)
groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)
The command getent, though, shows the proper group assignment:
getent group | grep username | cut -d: -f1
users
devel
video
ansible
All of those groups are LDAP groups.
Does someone know why, and how to fix this?
Thanks,
Fwd: user removed from ldap group but Linux groups command still shows user as member of the group
by Bernard Fay
On Fri, Feb 24, 2017 at 9:08 AM, Dan White <dwhite(a)cafedemocracy.org> wrote:
> On 02/24/17 08:55 -0500, Bernard Fay wrote:
>
>> I removed a user from an LDAP group about a week ago. Today, this user
>> still shows as member of the group with the Linux command groups. Also,
>> the group (Administrators) appears twice in the output of the command id:
>> uid=10000(username) gid=10000(Administrators)
>> groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)
>>
>> The command getent though shows the proper group assignation:
>> getent group | grep username | cut -d: -f1
>> users
>> devel
>> video
>> ansible
>>
>> All of those groups are LDAP group.
>>
>>
>
> Is this from a long running shell? If so, start a new shell or
> run newgrp.
>
> Otherwise, verify that it is not cached (such as with nscd), and trouble
> shoot as an nss ldap problem.
>
>
No, it is not from a long running shell. I logged out and logged back in
since I removed this user from the group. By the way, the group in question
is Administrators.
How can I verify it is not cached? My guess is that it is cached. I tried
to use "nscd -i group", but that did not change anything.
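A group can appear in `id` output for two reasons: it is the account's primary group (gidNumber on the passwd entry, which `id` also lists under groups=), or it was in the session's supplementary list when the session was created. As an added example (not from the thread), the check below takes the `id` line quoted in the post plus a constructed `getent group` dump matching the poster's grep (the user is no longer in the Administrators member list) and reports any group that neither source accounts for today.

```python
"""Which groups in an `id` line are backed by current NSS group data?
Added example, not from the thread. The id line is the one from the post;
the getent dump is constructed to match the poster's grep output."""
import re

ID_LINE = ("uid=10000(username) gid=10000(Administrators) "
           "groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators)")

# Constructed `getent group` output: username is no longer listed under Administrators.
GETENT_GROUP = """\
Administrators:*:10000:otheradmin
users:*:10001:username,otheruser
devel:*:10005:username
video:*:10011:username
ansible:*:10015:username
"""

def supplementary_groups(id_line: str) -> set[str]:
    """Group names from the 'groups=' field of `id` output (duplicates collapse)."""
    field = re.search(r"groups=(\S+)", id_line).group(1)
    return {name for _gid, name in re.findall(r"(\d+)\(([^)]+)\)", field)}

def primary_group(id_line: str) -> str:
    """Primary group name; it comes from the account's gidNumber, not from any
    group's member list, and `id` repeats it under groups=."""
    return re.search(r"gid=\d+\(([^)]+)\)", id_line).group(1)

def nss_memberships(getent: str, user: str) -> set[str]:
    """Groups whose member field currently lists `user`."""
    found = set()
    for line in getent.splitlines():
        name, _pw, _gid, members = line.split(":", 3)
        if user in members.split(","):
            found.add(name)
    return found

def unexplained_groups(id_line: str, getent: str, user: str) -> list[str]:
    """Groups the session carries that neither the primary gid nor a current
    member list explains: candidates for a stale session or a stale NSS cache."""
    current = nss_memberships(getent, user) | {primary_group(id_line)}
    return sorted(supplementary_groups(id_line) - current)
```

On a live host, feed it the real `id username` and `getent group` output; an empty result with the group still in `id` means the group is explained by the primary gid rather than by membership.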
Long ldap session when ldap server failover
by Huynh Phuoc Tai
Hi,
I have an issue with a long LDAP session when the LDAP server fails over.
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=-1 msgId=-1 - fd=89 slot=89 LDAPS connection from 10.14.97.45:55287 to 113.216.102.167
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=-1 msgId=-1 - SSL 128-bit AES-128; client CN=HRM3; issuer O=E,OU=eOAM,CN=jerarm003NECertCA
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=-1 msgId=-1 - SSL failed to map client certificate to LDAP DN (No such object)
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=0 msgId=1 - BIND dn="cn=ProxyUser,ou=proxyagent,ou=com,dc=jerarm,dc=roma,dc=te,dc=com" method=128 version=3
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyuser,ou=proxyagent,ou=com,dc=jerarm,dc=roma,dc=te,dc=com"
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=1 msgId=2 - SRCH base="dc=jerarm,dc=roma,dc=te,dc=com" scope=2 filter="(&(&(objectClass=posixAccount)(|(eUserAuthenticationScope=HLRALL)(eUserAuthenticationScope=HRM3)(eUserAuthenticationScope=\2a)))(&(objectClass=posixAccount)(|(eUserAuthenticationScope=HLRALL)(eUserAuthenticationScope=HRM3)(eUserAuthenticationScope=\2a)))(uid=us000001))" attrs=ALL
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=2 msgId=3 - BIND dn="uid=us000001,ou=people,dc=jerarm,dc=roma,dc=te,dc=com" method=128 version=3
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=us000001,ou=people,dc=jerarm,dc=roma,dc=te,dc=com"
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=3 msgId=4 - BIND dn="cn=ProxyUser,ou=proxyagent,ou=com,dc=jerarm,dc=roma,dc=te,dc=com" method=128 version=3
[01/Dec/2016:11:34:29 +0100] conn=7187095 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyuser,ou=proxyagent,ou=com,dc=jerarm,dc=roma,dc=te,dc=com"
[01/Dec/2016:11:40:01 +0100] conn=7187095 op=4 msgId=5 - UNBIND
[01/Dec/2016:11:40:01 +0100] conn=7187095 op=4 msgId=-1 - closing from 10.14.97.45:55287 - U1 - Connection closed by unbind client -
[01/Dec/2016:11:40:01 +0100] conn=7187095 op=-1 msgId=-1 - closed.
The OpenLDAP client didn't send the UNBIND soon, but only after several minutes. Could you suggest any way forward to find the root cause?
openldap2-client-2.4.26-0.62.2
Regards,
Tai