openldap-technical July 2019

openldap-technical@openldap.org

29 participants
23 discussions

Re: Switch OpenLDAP backend database from HDB to MDB
by SHarbich＠t-online.de 10 Jul '19

10 Jul '19

Hello, I can not change my config.ldif file from the HDB backend to the MDB backend. I have changed the following: ... dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap -olcModuleLoad: {0}back_hdb +olcModuleLoad: {0}back_mdb olcModuleLoad: {1}dynlist.so olcModuleLoad: {2}ppolicy.la structuralObjectClass: olcModuleList entryUUID: 9495e2a6-da11-1033-97d9-c1ceaf236428 creatorsName: cn=admin,cn=config createTimestamp: 20140926214112Z entryCSN: 20170201184048.317884Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20170201184048Z -dn: olcBackend={0}hdb,cn=config +dn: olcBackend={0}mdb,cn=config objectClass: olcBackendConfig -olcBackend: {0}hdb +olcBackend: {0}mdb structuralObjectClass: olcBackendConfig entryUUID: 94960592-da11-1033-97da-c1ceaf236428 creatorsName: cn=admin,cn=config createTimestamp: 20140926214112Z entryCSN: 20140926214112.940239Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20140926214112Z -dn: olcDatabase={1}hdb,cn=config +dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig -objectClass: olcHdbConfig +objectClass: olcMdbConfig -olcDatabase: {1}hdb +olcDatabase: {1}mdb +olcDbMaxSize: 1073741824 olcDbDirectory: /var/lib/ldap olcSuffix: dc=harnet,dc=de olcLastMod: TRUE olcRootDN: cn=admin,dc=harnet,dc=de olcRootPW:: -olcDbCheckpoint: 512 30 -olcDbConfig: {0}set_cachesize 0 2097152 0 -olcDbConfig: {1}set_lk_max_objects 1500 -olcDbConfig: {2}set_lk_max_locks 1500 -olcDbConfig: {3}set_lk_max_lockers 1500 -structuralObjectClass: olcHdbConfig entryUUID: 94960be6-da11-1033-97db-c1ceaf236428 creatorsName: cn=admin,cn=config createTimestamp: 20140926214112Z olcAccess: {0}to dn.subtree="dc=harnet,dc=de" by dn="uid=lamdaemon,ou=users, dc=harnet,dc=de" write by * none break olcAccess: {1}to dn.base="" by * read olcAccess: {2}to attrs=userPassword by anonymous auth by * none olcAccess: {3}to dn.base="dc=harnet,dc=de" by * read olcAccess: {4}to dn.subtree="ou=users,dc=harnet,dc=de" by dn="cn=Harbich CA Server,ou=services,dc=harnet,dc=de" write by users read by * none olcAccess: {5}to dn.subtree="ou=services,dc=harnet,dc=de" by dn="cn=Harbich CA Server,ou=services,dc=harnet,dc=de" write by users read by * none olcAccess: {6}to * by dn="cn=admin,dc=harnet,dc=de" write by * read olcDbIndex: cn pres,eq,sub olcDbIndex: sn pres,eq,sub olcDbIndex: uid pres,eq olcDbIndex: mail pres,eq,sub olcDbIndex: dcMailAlias pres,eq olcDbIndex: givenName pres,eq,sub olcDbIndex: dcSubMailAddress pres,eq olcDbIndex: dcMailAlternateAddress pres,eq olcDbIndex: dcAccountStatus pres,eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: dhcpHWAddress eq olcDbIndex: uniqueMember eq olcDbIndex: memberUid eq olcDbIndex: objectClass eq olcDbIndex: loginShell eq olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub olcDbIndex: ou pres,eq,sub entryCSN: 20190304162152.376029Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20190304162152Z -dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config +dn: olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynamicList olcOverlay: {0}dynlist olcDlAttrSet: {0}dcPosixSubAccount dcPosixOwnerURL structuralObjectClass: olcDynamicList entryUUID: 6f6012cc-da16-1033-84a3-8399e4f67731 creatorsName: cn=admin,cn=config createTimestamp: 20140926221557Z entryCSN: 20140926221557.994629Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20140926221557Z ... When I play back the config and data ldif file after deleting the ldap directories, I get the following error message: "root@dsme01:/tmp# slapadd -F /etc/ldap/slapd.d -n 1 -l harnet.de.ldif Database number selected via -n is out of range Must be in the range 0 to 0 (the number of configured databases)" Did I change something wrong in my config file above? Thank you in advance for your support

3 2

Replication persistence
by Nebula WAN 08 Jul '19

08 Jul '19

Hello I have a replication problem between two OpenLDAP 2.44 servers configured as multimasters on CentOS 7.3 : The minimal configuration of both are correct (connection OK with admin credentials), I replicate the config and hdb databases as you can see in the configuration above, I use LDAPAdmin to connect to each of them and check if the replication works by creating a test OU: they replicate well. After a week or more, automatic replication no longer works: I have to restart the slapd service to see the data exchange between the two servers ... I have contextCSN for both but they are fixed at the installation date. Do you have an idea ? Thank you Here are the configuration (the olcServerID change in server2's configuration) : dn: olcDatabase={0}config,cn=config changeType: modify add: olcAccess olcAccess: to * by dn.exact="cn=ldapadm,dc=test,dc=factory" manage by * break dn: olcDatabase={2}hdb,cn=config changeType: modify add: olcAccess olcAccess: to * by dn.exact="cn=ldapadm,dc=test,dc=factory" manage by * break dn: cn=config changetype: modify add: olcServerID olcServerID: 1 dn: olcDatabase={1}monitor,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=ldapadm,dc=test,dc=factory" read by * none ### Updating ID ### dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 ldap://server1.test.factory olcServerID: 2 ldap://server2.test.factory ### Enabling CONFIG Replication ### dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ### Configuring CONFIG replication ### dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://server1.test.factory binddn="cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=ldap://server2.test.factory binddn="cn=config" bindmethod=simple credentials=password searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE ### Enabling HDB Replication ### dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ### Configuring HDB replication ### dn: olcDatabase={2}hdb,cn=config add: olcSyncRepl olcSyncRepl: rid=004 provider=ldap://server1.test.factory binddn="cn=ldapadm,dc=test,dc=factory" bindmethod=simple credentials=password searchbase="dc=test,dc=factory" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=005 provider=ldap://server2.test.factory binddn="cn=ldapadm,dc=test,dc=factory" bindmethod=simple credentials=password searchbase="dc=test,dc=factory" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 - add: olcDbIndex olcDbIndex: entryUUID eq - add: olcDbIndex olcDbIndex: entryCSN eq - add: olcMirrorMode olcMirrorMode: TRUE

2 1

How to configure OpenLDAP on Debian Stretch to support SSLv3.0
by Jeremy Davis 02 Jul '19

02 Jul '19

Hi all, I'm writing on behalf of a user ragrading how to go about configuring LDAPS support for SSLv3.0 certificate under OpenLDAP v2.4.44 - running on Debian 9/Stretch (default Debian 'slapd' package install). I know that SSLv3.0 is insecure and generally a bad option, but a user needs to connect to LDAPS with an old application that only supports SSLv3.0. I understand that a complicating factor may be that the Debian OpenLDAP (slapd) package is compiled against GnuTLS, rather than OpenSSL. Any insight that might head me in the right direction would be greatly appreciated. Also please note that I'm a bit of an OpenLDAP newb and my knowledge of SSL/TLS is more related to web servers/browsers and more about "best practices" rather than tweaking to be more permissive. Regards, Jeremy Davis TurnKey Linux

3 2

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2019