openldap-technical August 2019

openldap-technical@openldap.org

33 participants
47 discussions

openldap replication
by sami's strat 21 Aug '19

21 Aug '19

I'm trying to configure replication between two hosts using the following as a guideline: https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=5 Here are some notes I have based on the setup I've done: ##### REPLICATION ON Master ##### [root@ldap01 ~]# more mod_syncprov.ldif dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/lib64/openldap olcModuleLoad: syncprov.la [root@ldap01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f mod_syncprov.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=module,cn=config" [root@ldap01 ~]# more syncprov.ldif dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpSessionLog: 100 [root@ldap01 ~]# [root@ldap01 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "olcOverlay=syncprov,olcDatabase={2}hdb,cn=config" [root@ldap01 ~]# ##### REPLICATION ON Slave ##### [root@ldap02 ~]# more syncrepl.ldif dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://172.19.33.42:389/ bindmethod=simple binddn="cn=admin,dc=ZZZ,dc=ZZZ" credentials=password searchbase="dc=ZZZ,dc=ZZZ" scope=sub schemachecking=on type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00 [root@ldap02 ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f syncrepl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={2}hdb,cn=config" [root@ldap02 ~]# # Testing LDAP ldapsearch -x -b 'uid=testaccount,ou=People,dc=ZZZ,dc=ZZZ' Both LDAP hosts work in the sense that I can authenticate to them. But replication is not working. Please help. TIA

2 1

any working documentation?
by Dmitri Seletski 21 Aug '19

21 Aug '19

Hello. I am new to the list, so if you gonna beat me with your feet - please don't hit me in the face. I did not find help/user list. So post here. Where can I find working documentation for OpenLDAP? Most current i found: https://www.openldap.org/doc/admin24/quickstart.html It says nothing of TLS encryption. I fail to start service See output below: TLSMC: MozNSS compatibility interception begins. tlsmc_intercept_initialization: INFO: entry options follow: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap/certs' tlsmc_intercept_initialization: INFO: certfile = `OpenLDAP Server' tlsmc_intercept_initialization: INFO: keyfile = `/etc/openldap/certs/password' tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/openldap/certs'. tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/openldap` prefix `certs`. tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error -8015. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present. tlsmc_intercept_initialization: INFO: altered options follow: tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap' tlsmc_intercept_initialization: INFO: certfile = `OpenLDAP Server' tlsmc_intercept_initialization: INFO: keyfile = `/etc/openldap/certs/password' tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only. TLSMC: MozNSS compatibility interception ends. TLS: could not use certificate `OpenLDAP Server'. TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:402 TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:404 TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib ssl_rsa.c:468 5d5af51b main: TLS init def ctx failed: -1 5d5af51b slapd destroy: freeing system resources. 5d5af51b slapd stopped. 5d5af51b connections_destroy: nothing to destroy. Where can I submit errata to documentation maintainer?(as quick start clearly doesn't work in my default install of OpenLDAP on CentOS 7) And how can I start SLAPD without encryption? I can generate self signed private/public key and make ln -s of my CA cert folder to 'cacertdir = `/etc/openldap'', but this seems SOOO unnecessary. At least on 'try out' step. Thanks in advance Dmitri

5 6

BDB to LMDB migration and Linux kernel parameters
by openldap-technical＠kolttonen.fi 21 Aug '19

21 Aug '19

Hello! OpenLDAP Admin Guide says: [LMDB] supports indexing like the BDB backends, but it uses no caching and requires no tuning to deliver maximum search performance. We are planning migration from deprecated BerkeleyDB to recommended LMDB. Our OpenLDAP runs on RHEL7. Since the LMDB uses mmap() system calls, is it necessary to tweak any Linux kernel parameters to allow better caching etc.? Thanks for any information. Best regards, Jokke Hämäläinen

1 0

Re: OpenLDAP 2.3 to 2.4 Migration Question
by Razi Ahmad 20 Aug '19

20 Aug '19

Thanks, I'll do that. -- Razi Ahmad Director, IT Infrastructure Services NYU Stern School of Business 14 East 4th Street, Room 327, New York, NY 10012 Phone: 212-998-0172 | Email: razi(a)stern.nyu.edu Follow us on Twitter: @nyustern An Education in *Possible* On Tue, Aug 20, 2019 at 6:36 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Tuesday, August 20, 2019 7:32 PM -0400 Razi Ahmad <razi(a)stern.nyu.edu> > > wrote: > > > > > Thanks, Quanah. I did that and see that memberof was populated. However, > > I also noticed that the number of groups returned when I query for the > > memberOf attribute on one account doesn't match the number of groups > > returned when I search for all groups that this particular user is a > > member of. Do you have any ideas what could be the cause of this mismatch > > or where I should look when troubleshooting? I checked a few other > > accounts and the numbers match. > > Hi Razi, > > Not without more information. What version of OpenLDAP 2.4 did you > upgrade > to? Are all the groups of the same objectClass type? I assume the other > users are also in those same groups? You could try deleting and re-adding > the user as a member to see if that resolves it. > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

Re: OpenLDAP 2.3 to 2.4 Migration Question
by Razi Ahmad 20 Aug '19

20 Aug '19

Thanks, Quanah. I did that and see that memberof was populated. However, I also noticed that the number of groups returned when I query for the memberOf attribute on one account doesn't match the number of groups returned when I search for all groups that this particular user is a member of. Do you have any ideas what could be the cause of this mismatch or where I should look when troubleshooting? I checked a few other accounts and the numbers match. Thanks, Razi -- Razi Ahmad Director, IT Infrastructure Services NYU Stern School of Business 14 East 4th Street, Room 327, New York, NY 10012 Phone: 212-998-0172 | Email: razi(a)stern.nyu.edu Follow us on Twitter: @nyustern An Education in *Possible* On Tue, Aug 20, 2019 at 4:31 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Tuesday, August 20, 2019 5:17 PM -0400 Razi Ahmad <razi(a)stern.nyu.edu> > > wrote: > > > > > Hi, > > > > > > I'm working on migrating from OpenLDAP 2.3 to 2.4. I've got my 2.4 > > provider set up and customized and have a copy of production data to > > load. I'd like to know if there's any way to have the memberof attribute > > populated during the process of loading the data. I used slapadd but when > > I searched for a user, I didn't see the memberOf attribute. Prior to > > running the slapadd command, I replaced the groupOfUniqueNames > > objectClass with groupOfNames and the uniqueMember attribute with member > > inside my LDIF file. > > You'll have to use ldapadd if you want memberOf populated. > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

OpenLDAP 2.3 to 2.4 Migration Question
by Razi Ahmad 20 Aug '19

20 Aug '19

Hi, I'm working on migrating from OpenLDAP 2.3 to 2.4. I've got my 2.4 provider set up and customized and have a copy of production data to load. I'd like to know if there's any way to have the memberof attribute populated during the process of loading the data. I used slapadd but when I searched for a user, I didn't see the memberOf attribute. Prior to running the slapadd command, I replaced the groupOfUniqueNames objectClass with groupOfNames and the uniqueMember attribute with member inside my LDIF file. Thanks. -- Razi Ahmad Director, IT Infrastructure Services NYU Stern School of Business 14 East 4th Street, Room 327, New York, NY 10012 Phone: 212-998-0172 | Email: razi(a)stern.nyu.edu Follow us on Twitter: @nyustern An Education in *Possible*

2 1

mdb index reporting available?
by Marc Roos 19 Aug '19

19 Aug '19

I used to have some help with what and how I should add indexes, but it looks like the new mdb backend is not telling me anymore. Is this correct? Anyway to get a warning when some index needs to be set? bdb_equality_candidates: (xxxx) not indexed bdb_inequality_candidates: (createTimestamp) not indexed etc https://mishikal.wordpress.com/2013/05/16/openldap-a-comparison-of-back-mdb…

4 16

PPolicy: Multiple pwdGraceUseTime attributes
by Ulrich Windl 19 Aug '19

19 Aug '19

Hi! I noticed that one user has multiple pwdGraceUseTime attributes like this: pwdGraceUseTime: 20190409095627Z pwdGraceUseTime: 20190605063107Z pwdGraceUseTime: 20190614121258Z pwdGraceUseTime: 20190723062401Z I don't understand: Doesn't the pwdGraceUseTime record how long/often the user may login despite of an expired password? For the example given, I assume the user has changed the password a few time since the inital grace login. So aren't the older pwdGraceUseTime attributes removed after the password was changed? Or can this happen if some admin chnages the password using some plain replace operation? Regards, Ulrich

2 1

Re: Multi-master replication : read_config: no serverID / URL match found. Check slapd -h arguments.
by HG 19 Aug '19

19 Aug '19

Hi, It is not as easy as you state it. I have a 2nd set up olcServerID: 1 ldap://abc1prdp01.abcgroup.com:1600 olcServerID: 2 ldap://abc2prdp01.abcgroup.com:1600 and SLAPD_URLS="ldapi:/// ldap://:1600/" This works too. Op wo 14 aug. 2019 om 17:03 schreef Quanah Gibson-Mount <quanah(a)symas.com>: > > > --On Wednesday, August 14, 2019 11:23 AM +0200 HG > <hanspeter.sloot(a)gmail.com> wrote: > > > > > olcServerID: 1 ldap://linux1014.ts.aa-srv.com > > olcServerID: 2 ldap://linux1015.ts.aa-srv.com > > Neither of those has a trailing slash. You noted: > > SLAPD_URLS="ldapi:/// ldap://linux1014.ts.aa-srv.com/" > > doesn't start, but > > SLAPD_URLS="ldapi:/// ldap://linux1014.ts.aa-srv.com" > > starts. > > I would expect this. As I said before, it's a MATCH between what's > provided in the olcServerID field and the -h option to slapd (SLAPD_URLS > in > your case). I.e., the software is functioning as documented. If you want > it to match on the trailing slash, adjust your olcServerID values to > include a trailing slash. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

3 4

use-case for arg const char *dn of ldap_sasl_bind_s()
by Michael Ströder 18 Aug '19

18 Aug '19

HI! It seems I've never passed a DN to SASL bind functions. Could someone please elaborate on a valid use-case for argument dn of libldap function ldap_sasl_bind_s()? Thanks in advance. Ciao, Michael.

2 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2019