openldap-technical May 2018

openldap-technical@openldap.org

33 participants
32 discussions

How to present the memberOf attribute in a syncrepl setup?
by Robert Minsk 12 May '18

12 May '18

/-----------------------------------\ | master1 <- mirror repl -> master2 | \-----------------------------------/ ^ ^ ^ | | | syncrepl syncrepl syncrepl | | | /-------\ /-------\ /-------\ |cache01| |cache02| ... |cache n| \-------/ \-------/ \-------/ The master servers are using mirror replication and are behind a load balancer setup for active/passive failover. All writes go to the active master where the "member" attribute is maintained for the groups. The cache servers get their data from the master servers using syncrepl replication. All the end clients connect to the cache servers. I need to be able to present the memberOf attribute on users on the cache servers. The man page for slapo-memberof states that it is not compatible with syncrepl. Because of this the cache servers are using slapo-dynlist to create the memberOf attribute. The problem is since I am using a dynamic list I can not search using the memberOf attribute only query its value. I need to be able to search by the memberOf attribute. What is the recommended way generate the memberOf atribute? Should I modify the schema for a user and somehow maintain the memberOf attribute on the masters? I am a bit worried about this since looking at the slapo-memberOf source the memberOf attribute it is flagged as a DSAOperation.

1 0

OpenLDAP, MySQL e MemberOf
by Arianna Milazzo 11 May '18

11 May '18

Hello! I installed openLDAP with MySQL. Now I don't know how can I do to use "memberOf" in my slapd.conf I added: overlay memberof > memberof-group-oc groupOfNames > memberof-member-ad member > memberof-memberof-ad memberOf > But in database? I tried to add member and memberon in ldap_attr_mappings... How can I do??? Thank you, Aria

1 0

SASL pass-through and changing passwords
by linux nuse 11 May '18

11 May '18

Hi, There was similar topic 5 years ago, but the problem wasn't completely solved. I've set `olcPasswordHash` to `{SASL}`, so ldappaswd is no longer smashing `userPassword` attribute. I get the same error which Tim Watts encountered 5 years ago. https://www.openldap.org/lists/openldap-technical/201302/msg00190.html namely, ldappaswd says: > Result: Other (e.g., implementation specific) error (80) > Additional info: scheme provided no hash function Tim wrote: > However, the kerberos principle does get updated - and userPassword is left alone. In my case I just get the error and the kerberos password is NOT updated. Also, 9 years ago it was asked (https://www.openldap.org/lists/openldap-software/200909/msg00010.html): > - salspasswd2 calls sasl_setpass(), and a look at OpenLDAP sources > shows that passwd_extop()/slap_sasl_setpass() does the same. That > suggests it is possible to have slapd doing the thing, but how does > it works? In passwd_extop(), slap_sasl_setpass() will only be > called if op-o_bd is NULL. In what situation does it happen? But the question is not answered. Does anyone remember how passwd_extop() works and how to get into the if-statement block with call to slap_sasl_setpass()?

1 0

Re: Optimal configuration for olcToolThreads and olcThreads
by Quanah Gibson-Mount 10 May '18

10 May '18

--On Thursday, May 10, 2018 1:10 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > Quanah, > > > Thank you, i am using MDB, so do you recommend me to change it from 1 to > 2? by setting it to 2 will improve any performance? also this property > doesnt have any impact on replication (syncrepl) ? Again, the tool threads setting only affects slapadd. So it will improve the performance of slapadd if you set it to "2" instead of "1". Since it only affects offline operations, it has no effect on syncrepl. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Optimal configuration for olcToolThreads and olcThreads
by Quanah Gibson-Mount 10 May '18

10 May '18

--On Thursday, May 10, 2018 12:58 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > To add more to the previous query, what are the operations used > by olcToolThreads and what are by olcThreads? what does syncrepl > uses olcToolThreads or olcThreads? olcToolThreads is used by slapadd. What value it should be depends on the backend being used. If it is LMDB, then you want it to be no higher than 2. If you set it to more than 2, it'll be set to 2 internally. For other backends, such as back-bdb/hdb, it can result in significant improvement when loading data via slapadd. olcThreads controls how many threads are available to the slapd process. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

pwdRESET not working
by Net Warrior 08 May '18

08 May '18

Hello there guys, when setting the pwsReset to TRUE I cannot login to the system anymore, just get the permission denied, then I found this. https://github.com/pwm-project/pwm/issues/155 Did I face that bug or maybe it's something else? My system CentOS Linux release 7.4.1708 (Core) 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux openldap-servers-2.4.44-5.el7.x86_64 openssl-libs-1.0.2k-8.el7.x86_64 openldap-clients-2.4.44-5.el7.x86_64 openldap-2.4.44-5.el7.x86_64 objectClass: pwdPolicy objectClass: person objectClass: top pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 5 pwdLockout: TRUE pwdMaxFailure: 5 pwdMinLength: 5 pwdSafeModify: FALSE sn: default structuralObjectClass: person pwdExpireWarning: 432000 pwdLockoutDuration: 1800 pwdMaxAge: 7776000 pwdMustChange: TRUE pwdMinAge: 0 Thanks Regards

2 1

Re: Missing structural object, ldapadd says it's there,
by Ole Nomann Thomsen 07 May '18

07 May '18

Oh. Answering my own question: The "missing" entry had turned into a glue entry, don't know how. I can modify it with "ldapmodify ... -M ..." (or maybe -MM), to turn it into a regular entry and make dotnet default auth work. Thanks for your time :-] - Ole. > Hi list, I am running @(#) $OpenLDAP: slapd 2.4.45 (Jan 23 2018 08:50:30) $ for > authentication. > > I can authenticate most of my clients, but some of them fail. It seems to be > the .net ones, not using fastbind: > One client tries to authenticate from .net, but can't bind. This is in the log: > > conn=12475338 fd=15 ACCEPT from IP=192.168.252.131:36473 > (IP=0.0.0.0:3890) > conn=12475338 op=0 BIND dn="uid=wscda,ou=Authentication,o=UNI- > C,c=DK" method=128 > conn=12475338 op=0 BIND dn="uid=wscda,ou=Authentication,o=UNI- > C,c=DK" mech=SIMPLE ssf=0 > conn=12475338 op=0 RESULT tag=97 err=0 text= > conn=12475338 op=1 srch base="ou=authentication,o=uni-c,c=dk" scope=0 > deref=0 filter="(objectclass=*)" > conn=12475338 op=1 srch attr=objectclass > conn=12475338 op=1 search result tag=101 err=0 nentries=0 text= > > Aha, "ou=authentication,o=uni-c,c=dk" (that default .net auth seems to > require) must be missing. Verify that: > > ldapsearch -x -H ldaps://host:3891/ -D "..." -w "..." -s base -b > ou=Authentication,o=UNI-C,c=DK objectClass=* + \* > > Gives me: > > # extended LDIF > # > # LDAPv3 > # base <ou=Authentication,o=UNI-C,c=DK> with scope baseObject > # filter: entryUUID=* > # requesting: + * > # > > # search result > search: 2 > result: 0 Success > > # numResponses: 1 > > With this log-entry: > > conn=10181 fd=14 ACCEPT from IP=10.54.43.87:54312 (IP=0.0.0.0:3891) > conn=10181 fd=14 TLS established tls_ssf=256 ssf=256 > conn=10181 op=0 BIND dn="cn=AuthAdmin,ou=Authentication,o=UNI- > C,c=DK" method=128 > conn=10181 op=0 BIND dn="cn=AuthAdmin,ou=Authentication,o=UNI- > C,c=DK" mech=SIMPLE ssf=0 > conn=10181 op=0 RESULT tag=97 err=0 text= > conn=10181 op=1 SRCH base="ou=Authentication,o=UNI-C,c=DK" scope=0 > deref=0 filter="( objectClass=*)" > conn=10181 op=1 SRCH attr=+ * > conn=10181 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= > conn=10181 op=2 UNBIND > > That is "nentries=0", yup it is missing. > > I decide to add the missing structural object: > > ldapadd -h localhost -p 3890 -f missing.ldif -D "..." -w "..." > > with missing.ldif: > > dn: ou=Authentication,o=UNI-C,c=DK > ou: Authentication > objectClass: organizationalUnit > > Result: > > adding new entry "ou=Authentication,o=UNI-C,c=DK" > ldap_add: Already exists (68) > > And this log-entry: > > conn=10182 op=1 ADD dn="ou=Authentication,o=UNI-C,c=DK" > slap_queue_csn: queueing 0x7f63c811e390 > 20180501061454.852525Z#000000#000#000000 > conn=10182 op=1 RESULT tag=105 err=68 text= > > There or not? I try to delete it: > > ldapdelete -h localhost -p 3890 -f missing-delete.ldif -D "..." -w "..." > > missing-delete.ldif: > > ou=Authentication,o=UNI-C,c=DK > > Result: > > ldap_delete: No such object (32) > matched DN: ou=Authentication,o=UNI-C,c=DK > > Log: > > conn=10184 op=1 DEL dn="ou=Authentication,o=UNI-C,c=DK" > conn=10184 op=1 RESULT tag=107 err=32 text= > > I can't add it, beacause it's already there, and I can't delete it, because it isn't > there... > I can't figure out what the problem is; maybe som subtle difference between > what is in the base and what I am searching for? > I've a feeling that there is a face-palm answer, if so please bear with me.

3 2

MDB questions
by William Brown 07 May '18

07 May '18

Hi there, I have a few questions about MDB, and I have some things I'd like to work on. In the docs there are a few references that reference binary searching. It's not 100% clear but I assume this is a binary search of the keys in a BTree node, not that MDB is a bst. How does MDB provide crash resilience on the free pages? According to man, free() should only be called on memory from malloc but I see that you use free on mmaped pages in mdb_dpage_free. There must be something I'm missing here about this. Anyway, I have two things I want to work on. The simple one is when pages are moved from the txn free list to the env free list (I hope that's correct), it would be good to call madvise(MADV_REMOVE) on the data section. The reason for this is that the madvise call will allow supported filesystems to hole punch the sparse file, allowing space reclamation - without MDB needing to worry about it! The much more invasive change I want to work on is page checksumming. Basically there are 4 cases I have in mind * No checksumming (today) * Metadata checksumming only * Metadata and data checksumming These could be used in these scenarios: * write checksums but don't verify them at run time * write checksums, and only verify metadata on read (possibly a good default option) * write checksums, and verify metadata and data on read (slowest, but has strong integrity properties for some applications) And in all cases I want to add an "mdb_verify" command that would assert all of these are also correct offline. There are a few reasons for this * Hardware is unreliable. Ram, disk, cables, even cpu cache memory can all exhibt bit flips and other data loss. Changing a bit in a pointer can cause damage to any datastructure, and flows on to crashes or silent corruption * Software is never perfect - checksumming allows detection of over- writes of data from overflow or other mistakes that we as humans all make. I'd opt to use something fast like crc32c (intel provides hardware to accelerate this with -march=native). The only issue I see is that this would require an ondisk structure change because the current structs don't have space for this -and the csums have to be *first*. http://www.lmdb.tech/doc/group__internal.html#structMDB__page The checksum would have to be the first value *or* the last value of the page header, (so that it can be updated without affecting the result of the checksum). The checksum for the data would have to be within the header so that this is asserted as correct. Is this something I should pursue? Would this require a ondisk format change? Is there something that could be done to avoid this? Thanks, William

2 1

Missing structural object, ldapadd says it's there, ldapdelete says it isn't
by Ole Nomann Thomsen 02 May '18

02 May '18

Hi list, I am running @(#) $OpenLDAP: slapd 2.4.45 (Jan 23 2018 08:50:30) $ for authentication. I can authenticate most of my clients, but some of them fail. It seems to be the .net ones, not using fastbind: One client tries to authenticate from .net, but can't bind. This is in the log: conn=12475338 fd=15 ACCEPT from IP=192.168.252.131:36473 (IP=0.0.0.0:3890) conn=12475338 op=0 BIND dn="uid=wscda,ou=Authentication,o=UNI-C,c=DK" method=128 conn=12475338 op=0 BIND dn="uid=wscda,ou=Authentication,o=UNI-C,c=DK" mech=SIMPLE ssf=0 conn=12475338 op=0 RESULT tag=97 err=0 text= conn=12475338 op=1 srch base="ou=authentication,o=uni-c,c=dk" scope=0 deref=0 filter="(objectclass=*)" conn=12475338 op=1 srch attr=objectclass conn=12475338 op=1 search result tag=101 err=0 nentries=0 text= Aha, "ou=authentication,o=uni-c,c=dk" (that default .net auth seems to require) must be missing. Verify that: ldapsearch -x -H ldaps://host:3891/ -D "..." -w "..." -s base -b ou=Authentication,o=UNI-C,c=DK objectClass=* + \* Gives me: # extended LDIF # # LDAPv3 # base <ou=Authentication,o=UNI-C,c=DK> with scope baseObject # filter: entryUUID=* # requesting: + * # # search result search: 2 result: 0 Success # numResponses: 1 With this log-entry: conn=10181 fd=14 ACCEPT from IP=10.54.43.87:54312 (IP=0.0.0.0:3891) conn=10181 fd=14 TLS established tls_ssf=256 ssf=256 conn=10181 op=0 BIND dn="cn=AuthAdmin,ou=Authentication,o=UNI-C,c=DK" method=128 conn=10181 op=0 BIND dn="cn=AuthAdmin,ou=Authentication,o=UNI-C,c=DK" mech=SIMPLE ssf=0 conn=10181 op=0 RESULT tag=97 err=0 text= conn=10181 op=1 SRCH base="ou=Authentication,o=UNI-C,c=DK" scope=0 deref=0 filter="( objectClass=*)" conn=10181 op=1 SRCH attr=+ * conn=10181 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= conn=10181 op=2 UNBIND That is "nentries=0", yup it is missing. I decide to add the missing structural object: ldapadd -h localhost -p 3890 -f missing.ldif -D "..." -w "..." with missing.ldif: dn: ou=Authentication,o=UNI-C,c=DK ou: Authentication objectClass: organizationalUnit Result: adding new entry "ou=Authentication,o=UNI-C,c=DK" ldap_add: Already exists (68) And this log-entry: conn=10182 op=1 ADD dn="ou=Authentication,o=UNI-C,c=DK" slap_queue_csn: queueing 0x7f63c811e390 20180501061454.852525Z#000000#000#000000 conn=10182 op=1 RESULT tag=105 err=68 text= There or not? I try to delete it: ldapdelete -h localhost -p 3890 -f missing-delete.ldif -D "..." -w "..." missing-delete.ldif: ou=Authentication,o=UNI-C,c=DK Result: ldap_delete: No such object (32) matched DN: ou=Authentication,o=UNI-C,c=DK Log: conn=10184 op=1 DEL dn="ou=Authentication,o=UNI-C,c=DK" conn=10184 op=1 RESULT tag=107 err=32 text= I can't add it, beacause it's already there, and I can't delete it, because it isn't there... I can't figure out what the problem is; maybe som subtle difference between what is in the base and what I am searching for? I've a feeling that there is a face-palm answer, if so please bear with me. Med venlig hilsen Ole Nomann Thomsen Seniorkonsulent [https://www.uvm.dk/-/media/Billeder/Mailsignatur/UVM_STIL_DK.png] Undervisningsministeriet Styrelsen for It og Læring Center for Digitale Overgange og it-styring Vester Voldgade 123 1552 København V Tlf.: 3587 8889 Direkte tlf.: +45 35 87 85 35 E-mail: ole.nomann(a)stil.dk

3 3

Separate trees openldap
by seguranca informacao 01 May '18

01 May '18

Hi guys, I'm trying to accomplish a configuration that I'm not aware of. I need to replicate several directories (AD, openldap, etc) to a unique repository (my openldap). The thing is I need to have completely separate trees for each domain (client). Any ideas in how to do that? bellow is an example what I'm thinking of: dc=example,dc=com cn=users cn=groups ------------------------------ complete separation dc=domain,dc=com cn=users cn=groups ------------------------------ complete separation dc=test,dc=ca cn=users cn=groups ------------------------------ complete separation thx, sergio

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2018