Re: Search memberOf
by Arianna Milazzo
Hello. Thank you for your reply.
I have many applications using a DB to manage access and profiles.
Now I also have to use other applications that support LDAP.
So I'm hoping to use the same DB, so I can manage only one datasource for all
applications (same users!!!).
But I need to use memberOf to manage access to these applications
(profiling).
(Excuse me for my English!)
Thanks,
Arianna
On Thu, 2 Aug 2018 at 19:54, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Thursday, August 02, 2018 5:25 PM +0200 Arianna Milazzo
> <arianna(a)ariannamicrochip.it> wrote:
>
> > Hello!
> > I use OpenLDAP with MySQL backend.
>
> The MySQL backend is experimental and generally unsupported. It should
> not be used as a general purpose backend for an LDAP server.
>
> > Can someone help me?
>
> Is there a particular reason you're trying to wedge memberof support into
> mysql, which is likely not designed to handle it?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
daemon: bind(11) failed errno=2 (No such file or directory)
by Alan Lukens
I encountered a problem with openldap-2.4.40 on Debian when a VM crashed. Upon restore I could not start the slapd service, but typing slapd on the command line would start slapd. I tried defining the URLs, and tried defining the configuration directory with the slapd command, however that only resulted in the same error.
After extensive searching I could only find one reference to the error "daemon: bind(11) failed errno=2 (No such file or directory)", and that was leading me in the direction of the directory /var/run/ldap not having the right permissions, but it was there and had openldap owner and group. I spent a number of hours double-checking directories, making sure everything was there and had the right permissions.
I finally found /var/run/slapd was missing! A file called ldapi is created there on startup.
What is /var/run/slapd/ldapi??
And what does it do?
For future reference, what is bind(11) referring to? Where can I find the reference to error codes?
Thanks for your help,
Alan Lukens
Identity Management Specialist
University of Massachusetts Amherst, IT NSS
voice: 413.545.1654
email: alan.lukens(a)umass.edu
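As an added example (not from the post or from OpenLDAP itself), a small decoder for the log line quoted above: slapd logs the listener's socket file descriptor inside bind(N) and the C errno value separately, so the script parses both, names the errno symbolically, and attaches the usual defender-side cause; the ldapi file it mentions is the Unix-domain socket of the ldapi:// listener. The sample lines are constructed, and the HINTS table is this example's own mapping, not an OpenLDAP reference.

```python
import errno
import os
import re

# Constructed sample lines in the shape slapd uses when bind(2) on a
# listener socket fails: "daemon: bind(<fd>) failed errno=<n> (<strerror>)".
SAMPLE_LOG = """\
daemon: bind(11) failed errno=2 (No such file or directory)
daemon: bind(9) failed errno=13 (Permission denied)
slapd starting
"""

BIND_RE = re.compile(r"daemon: bind\((\d+)\) failed errno=(\d+)")

# Example's own mapping from the symbolic errno to the usual slapd-side cause.
HINTS = {
    "ENOENT": "listener path missing: for ldapi:// the socket's parent "
              "directory (e.g. /var/run/slapd) must exist before startup",
    "EACCES": "slapd's uid may not create the socket or bind the port: "
              "check directory ownership/permissions",
    "EADDRINUSE": "another process (or a stale slapd) already holds the "
                  "address or socket path",
}


def parse_bind_failures(log_text):
    """Return one dict per 'daemon: bind(fd) failed errno=N' line.

    The number in bind(N) is the socket file descriptor of the listener that
    failed, not an error code; the error is the errno value, decoded here
    with Python's errno/os tables so it matches errno(3) on the host.
    """
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if not m:
            continue  # not a listener bind failure; ignore
        fd, err = int(m.group(1)), int(m.group(2))
        name = errno.errorcode.get(err, "errno %d" % err)
        results.append({
            "fd": fd,
            "errno": err,
            "name": name,
            "text": os.strerror(err),
            "hint": HINTS.get(name, "see errno(3) for this code"),
        })
    return results


if __name__ == "__main__":
    for failure in parse_bind_failures(SAMPLE_LOG):
        print("fd %(fd)d: %(name)s (%(text)s): %(hint)s" % failure)
```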
ldapi and StartTLS
by Norman Gray
Greetings.
I would have thought (possibly naively) that StartTLS was unnecessary
when connecting to slapd through a unix socket -- the client and the
server are on the same machine, and so don't need to be reassured about
each other's identity. However this seems not to be the case:
% ldapsearch -LLL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi '(uid=foo)'
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: stronger confidentiality required
(same result with ldapi:///).
What am I misunderstanding?
In the slapd.ldif I have:
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcSecurity: ssf=128
olcTLSCertificateFile: /usr/local/etc/openldap/certs/XXX.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/XXX.key
olcTLSCACertificateFile: /usr/local/etc/openldap/certs/FOO
olcLogLevel: 0
The machine is also listening on ldap://0.0.0.0 and requiring TLS. I
don't see anything in the documentation which seems to suggest I can
have different TLS rules on different interfaces or protocols (i.e., ldap:
vs ldapi:) -- am I just missing that?
The /usr/local/etc/ldap.conf doesn't mention TLS, so the TLS requirement
isn't coming in from there.
My practical problem is that I'm trying to get nslcd (on the same
machine) to talk to OpenLDAP locally. If there's a certificate problem
I can sort that out, but I can't help feeling that that ought to be
unnecessary -- that I'm missing something simple.
This is 2.4.45 on FreeBSD.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
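An added example, not from the thread or from OpenLDAP, that models the check behind the "Confidentiality required (13)" result above: slapd compares the session's SSF against the olcSecurity ssf requirement on every operation, and an ldapi:// session is assigned the olcLocalSSF value (default 71) rather than a TLS cipher strength, so a global ssf=128 cannot be met over the socket unless olcLocalSSF is raised. It assumes only the ssf keyword of olcSecurity and a constructed cn=config fragment mirroring the post; the TLS SSF values passed for ldap:// sessions are illustrative.

```python
LOCAL_SSF_DEFAULT = 71  # slapd's default olcLocalSSF for ldapi:// sessions

# Constructed fragment of the poster's cn=config: ssf=128 required, no olcLocalSSF.
CONFIG_FROM_POST = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcSecurity: ssf=128
olcTLSCertificateFile: /usr/local/etc/openldap/certs/XXX.crt
"""


def parse_global_config(ldif_text):
    """Return ({olcSecurity keyword: value}, olcLocalSSF) from a cn=config fragment."""
    required = {}
    local_ssf = LOCAL_SSF_DEFAULT
    for line in ldif_text.splitlines():
        if line.startswith("olcSecurity:"):
            for item in line.split(":", 1)[1].split():
                key, _, value = item.partition("=")
                required[key] = int(value)
        elif line.startswith("olcLocalSSF:"):
            local_ssf = int(line.split(":", 1)[1])
    return required, local_ssf


def session_ssf(listener, local_ssf, tls_ssf=0):
    """SSF slapd credits a session with: ldapi gets olcLocalSSF, ldap:// gets
    the negotiated TLS cipher's SSF (0 when the session is plaintext)."""
    return local_ssf if listener == "ldapi" else tls_ssf


def check_bind(listener, config_text, tls_ssf=0):
    """Simulate the olcSecurity ssf check; returns (ok, explanation)."""
    required, local_ssf = parse_global_config(config_text)
    have = session_ssf(listener, local_ssf, tls_ssf)
    need = required.get("ssf", 0)
    if have < need:
        return False, ("%s: session ssf=%d < required ssf=%d -> "
                       "Confidentiality required (13)" % (listener, have, need))
    return True, "%s: session ssf=%d satisfies ssf=%d" % (listener, have, need)


if __name__ == "__main__":
    print(check_bind("ldapi", CONFIG_FROM_POST)[1])                 # fails: 71 < 128
    print(check_bind("ldapi", CONFIG_FROM_POST + "olcLocalSSF: 128\n")[1])
    print(check_bind("ldap", CONFIG_FROM_POST, tls_ssf=256)[1])     # TLS session passes
```

Raising olcLocalSSF keeps the ssf=128 requirement in force for network listeners while letting local socket clients such as nslcd bind; it is the socket's filesystem permissions, not TLS, that protect that path.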
root server and subtree server replicate.
by Tian Zhiying
Dear all,
I'd like to have a subtree managed by a second LDAP server and its contents replicated to the "upper" root server.
server A (root server): suffix="dc=domain,dc=org"
server B (subtree server): suffix="ou=people,dc=domain,dc=org"
B's subtree should be replicated to A and should be searchable on A.
Are there any solutions that can handle this case?
Thanks.
<olcMirrorMode> database is not a shadow
by admin@genome.arizona.edu
Hello,
Was setting up replication for our LDAP server, and was following the
guide here,
https://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP#Se...
I had success with this guide but just a problem with authentication, I
could see in the ldap debug log for node1 entries like this:
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 fd=38 ACCEPT from IP=<node1's IP>:34606 (IP=0.0.0.0:389)
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" method=128
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 BIND dn="cn=Manager,dc=genome,dc=arizona,dc=edu" mech=SIMPLE ssf=0
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=0 RESULT tag=97 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 MOD dn="olcDatabase={1}bdb,cn=config"
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 MOD attr=olcSyncrepl
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=1 RESULT tag=103 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 MOD dn="olcDatabase={1}bdb,cn=config"
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 MOD attr=olcMirrorMode
Jul 20 16:21:22 node1 slapd[10218]: slap_client_connect: URI=ldap://node2.genome.arizona.edu DN="cn=ldapreader,dc=genome,dc=arizona,dc=edu" ldap_sasl_bind_s failed (49)
Jul 20 16:21:22 node1 slapd[10218]: do_syncrepl: rid=001 rc 49 retrying
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=2 RESULT tag=103 err=0 text=
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 op=3 UNBIND
Jul 20 16:21:22 node1 slapd[10218]: conn=3497 fd=38 closed
and in the debug log for node2 entries like this:
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 fd=17 ACCEPT from IP=<node1's IP>:56460 (IP=0.0.0.0:389)
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=0 BIND dn="cn=ldapreader,dc=genome,dc=arizona,dc=edu" method=128
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=0 RESULT tag=97 err=49 text=
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 op=1 UNBIND
Jul 20 16:21:22 node2 slapd[25327]: conn=14036 fd=17 closed
It turns out I had literally used credentials="secret" in the
add-replication-node1/node2.ldif files! So I went back and used
slappasswd to generate a new password, put it into the
ldapreader.ldif and used ldapmodify instead, this time with success on
both nodes:
[root@node1 openldap]# cat ldapreader.ldif
dn: cn=ldapreader,dc=genome,dc=arizona,dc=edu
changetype: modify
replace: userPassword
userPassword: <hash from slappasswd>
[root@node1 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f ldapreader.ldif
Enter LDAP Password:
modifying entry "cn=ldapreader,dc=genome,dc=arizona,dc=edu"
[root@node1 openldap]#
[root@node2 openldap]# cat ldapreader.ldif
dn: cn=ldapreader,dc=genome,dc=arizona,dc=edu
changetype: modify
replace: userPassword
userPassword: <hash from slappasswd>
[root@node2 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f ldapreader.conf
Enter LDAP Password:
modifying entry "cn=ldapreader,dc=genome,dc=arizona,dc=edu"
[root@node2 openldap]#
Then I updated the add-replication-node1/node2.ldif to modify the entry
with the actual password instead of "secret"... on node1 I got two
success messages:
[root@node1 openldap]# cat add-replication-node1.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl:
  rid=001
  provider=ldap://node2.genome.arizona.edu
  binddn="cn=ldapreader,dc=genome,dc=arizona,dc=edu"
  bindmethod=simple
  credentials="<actual password>"
  searchbase="dc=genome,dc=arizona,dc=edu"
  type=refreshAndPersist
  timeout=0
  network-timeout=0
  retry="60 +"

dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcMirrorMode
olcMirrorMode: TRUE
[root@node1 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f add-replication-node1.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}bdb,cn=config"
modifying entry "olcDatabase={1}bdb,cn=config"
[root@node1 openldap]#
However when I went to modify the entries on node2, I now got the error
<olcMirrorMode> database is not a shadow:
[root@node2 openldap]# cat add-replication-node2.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl:
  rid=002
  provider=ldap://node1.genome.arizona.edu
  binddn="cn=ldapreader,dc=genome,dc=arizona,dc=edu"
  bindmethod=simple
  credentials="<actual password>"
  searchbase="dc=genome,dc=arizona,dc=edu"
  type=refreshAndPersist
  timeout=0
  network-timeout=0
  retry="60 +"

dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcMirrorMode
olcMirrorMode: TRUE
[root@node2 openldap]# ldapmodify -x -W -D "cn=Manager,dc=genome,dc=arizona,dc=edu" -f add-replication-node2.ldif
Enter LDAP Password:
modifying entry "olcDatabase={1}bdb,cn=config"
modifying entry "olcDatabase={1}bdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: <olcMirrorMode> database is not a shadow
[root@node2 openldap]#
Now the replication has stopped and there are no connection entries in
the ldap debug logs. So what did I do wrong, and how do I get replication
going again?
Thanks,
--
Chandler / Systems Administrator
Arizona Genomics Institute
www.genome.arizona.edu
Search memberOf
by Arianna Milazzo
Hello!
I use OpenLDAP with MySQL backend.
I also added memberOf and it's all OK in the DB: I see the correct members
(on groups) and memberOf (on people).
But I have a problem: I can't search whether a user is a member of a group.
filter:
(&
(objectClass=inetOrgPerson)
(uid=username)
(memberOf=cn=test,ou=group,dc=organization,dc=it)
)
on the log I read:
*get_ava: illegal value for attributeType memberOf*
Can someone help me?
Thanks,
Arianna
Keeping a new n-master environment in sync with an old single master env during a migration
by Chris Cardone
Hello all, I have a question I'm sure some folks have already addressed, and I
hope there is a solution for my problem.
I am in the process of migrating from an old single master --> multiple
slave env, running on OpenBSD 4.9 with openldap-server-2.4.23p2
(configured with slapd.conf), over to 4 masters (regional) --> 4 slaves
(for now; more to come regionally), running Ubuntu 16.04 with
openldap 2.4.42 (configured with a cn=config database).
I am trying to keep the environments in sync as we migrate dozens of
different environments from the old slaves to the new slaves, which may
take as long as 4 months :(
I started out by using slapcat to export the contents of the old server,
then loading them into the new server. I would originally drop all the
data on the new servers and reload from the old.
This is now no longer an option: as we migrate to the new servers, I cannot
be dropping the entire database and replacing it with the new one; the
time it takes to execute such a task creates an outage for users as well as
applications that rely on the LDAP database.
So I'm looking for some guidance / options to keep my new LDAP environment
in sync with my old, without any service disruptions on either set of
systems.
Any help would be greatly appreciated!!
Christopher