Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl
Hi!
After systemd tore down one of our LDAP servers, I noticed the following message when the server was restarted:
slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
The next line logged was:
slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
(the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice)
The server is one of three MM servers that all have the same configuration and the same version.
The schema knows in olcAttributeTypes (olcSchemaConfig):
( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
What I'd like to know: is there anything I could fix in the configuration to make the message go away, or is it a software issue in slapd?
Regards,
Ulrich
2 years, 10 months
pwdChangedTime not defined when creating new entry
by Manuela Mandache
Hello all,
We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires.
The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp.
The overlay is configured as follows:
dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements?
Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures.
Thank you and regards,
Manuela
2 years, 12 months
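An added example that is not part of Manuela's post or of OpenLDAP: a Python audit that reads an LDIF export (slapcat or ldapsearch output), lists the entries that carry a userPassword but no pwdChangedTime, which is exactly the state in which ppolicy never ages the password against pwdMaxAge, and then drafts the LDIF that would backfill pwdChangedTime from createTimestamp the way the 2.3 server set it. The sample export, the 90-day pwdMaxAge and the reference date are constructed. That the backfill can be applied as rootdn with the Relax Rules control (ldapmodify -e relax) is an assumption to confirm on a test server, since pwdChangedTime is NO-USER-MODIFICATION.

```python
"""Find ppolicy-managed accounts whose password can never expire.

Added example, not code from the post or from OpenLDAP.  An entry with
userPassword but no pwdChangedTime is never aged against pwdMaxAge, so this
reads an LDIF export, lists such entries and drafts a backfill LDIF.
"""
import base64
from datetime import datetime, timedelta, timezone


def parse_ldif(text):
    """Return a list of {attr_lowercase: [values]} from LDIF text.
    Unfolds continuation lines (leading space) and decodes base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20191201083000Z (UTC, no fraction)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_never_expiring(ldif_text, pwd_max_age_seconds, now=None):
    """Entries carrying userPassword but no pwdChangedTime.  For each one, report
    whether the password would already be past pwdMaxAge if pwdChangedTime were
    backfilled from createTimestamp."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for e in parse_ldif(ldif_text):
        if "userpassword" not in e or "pwdchangedtime" in e:
            continue
        created = e.get("createtimestamp", [None])[0]
        age = now - gtime(created) if created else None
        findings.append({
            "dn": e["dn"][0],
            "createTimestamp": created,
            "would_be_expired": age is not None
            and age > timedelta(seconds=pwd_max_age_seconds),
        })
    return findings


def backfill_ldif(findings):
    """Draft modify records that set pwdChangedTime = createTimestamp.
    Assumption: pwdChangedTime is NO-USER-MODIFICATION, so applying this needs
    the rootdn plus the Relax Rules control (ldapmodify -e relax); verify first."""
    records = []
    for f in findings:
        if f["createTimestamp"]:
            records.append(
                f"dn: {f['dn']}\nchangetype: modify\nadd: pwdChangedTime\n"
                f"pwdChangedTime: {f['createTimestamp']}\n-\n")
    return "\n".join(records)


# Constructed export: alice is fine, bob and dave lack pwdChangedTime, carol has
# no password at all.  The hashes are placeholders, not real credentials.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9YWJjZGVmZ2hpamtsbW5vcA==
createTimestamp: 20200301120000Z
pwdChangedTime: 20200301120000Z

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}constructedhashvalue
createTimestamp: 20191201083000Z

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
description: long description folded over two lines as LDIF wr
 ites it
createTimestamp: 20200420090000Z

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: dave
userPassword: {SSHA}anotherconstructedhash
createTimestamp: 20200415090000Z
"""


def audit_sample(pwd_max_age_seconds=90 * 86400):
    """Run the audit on the constructed export as of 2020-05-01 (constructed date)."""
    return find_never_expiring(SAMPLE_LDIF, pwd_max_age_seconds,
                               now=datetime(2020, 5, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
    print(backfill_ldif(audit_sample()))
```

Against a real directory, export the user database with slapcat -n 2 (the {2}mdb database in the post) and feed the file to find_never_expiring with the pwdMaxAge from your policy entry. The same condition can be asked of a live server with the filter (&(userPassword=*)(!(pwdChangedTime=*))), requesting operational attributes with "+" and binding with enough rights to read userPassword.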
MDB Backend database definition
by Beker
Hello
I'm getting an error while trying to use the MDB backend. The section that's
giving me trouble is the following one:
#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=test,dc=local
olcRootDN: cn=mdbadm,dc=test,dc=local
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /var/db/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
With this section added to the end of slapd.ldif I get the error
"5ea9641d <= str2entry: str2ad(olcDbMaxSize): attribute type undefined" while testing
the import using "slapadd -v -n0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif".
If I comment out the offending line "olcDbMaxSize: 1073741824", then I just get
an error with another line in the same section.
This is a fresh install, the slapd.d folder is empty, and I'm using the
example slapd.ldif.sample that comes with the software (it has mdb loaded
as a module by default):
#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
#olcModuleload: back_bdb.so
#olcModuleload: back_hdb.so
#olcModuleload: back_ldap.so
olcModuleload: back_mdb.so
#olcModuleload: back_passwd.so
#olcModuleload: back_shell.so
Thanks in advance for any hint or help you can provide.
Best regards
3 years
LDAP performance
by Technology Server
Dears,
How can I get a response time curve showing how fast queries are answered by
each LDAP instance?
How can we measure LDAP performance in all possible aspects?
Regards,
Tech Server.
3 years, 1 month
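An added example, not from the post: a small Python harness that times the same search repeatedly against each instance and turns the samples into percentiles and a latency histogram, which is the response-time curve asked about. The query is an injected callable so the arithmetic runs offline and can be unit-tested; make_ldap3_query shows one real binding and assumes the ldap3 package plus your own URI, base DN and filter. The clock is injectable for the same reason.

```python
"""Per-instance LDAP query latency distribution.

Added example, not from the post.  The query and the clock are injected so the
measurement code is testable offline; make_ldap3_query() is one real binding
and assumes the ldap3 package is installed (pip install ldap3).
"""
import time
from statistics import mean


def make_ldap3_query(uri, base, search_filter="(objectClass=*)"):
    """Return a zero-argument callable that runs one search over a persistent
    connection, so the timings cover the search and not connection setup."""
    import ldap3  # assumption: the ldap3 package is available
    conn = ldap3.Connection(ldap3.Server(uri), auto_bind=True)

    def query():
        conn.search(base, search_filter, attributes=["1.1"])  # no attributes, DNs only
        return conn.result["description"]
    return query


def measure(query, samples, clock=time.perf_counter):
    """Time `samples` calls of query(); return the latencies in call order."""
    latencies = []
    for _ in range(samples):
        t0 = clock()
        query()
        latencies.append(clock() - t0)
    return latencies


def percentile(sorted_vals, q):
    """Nearest-rank percentile on an already sorted list, q in 0..1."""
    if not sorted_vals:
        raise ValueError("no samples")
    idx = min(len(sorted_vals) - 1, max(0, round(q * (len(sorted_vals) - 1))))
    return sorted_vals[idx]


def summarize(latencies):
    """Headline numbers for one instance: tail percentiles matter more than the mean."""
    s = sorted(latencies)
    return {
        "n": len(s), "min": s[0], "mean": mean(s),
        "p50": percentile(s, 0.50), "p95": percentile(s, 0.95),
        "p99": percentile(s, 0.99), "max": s[-1],
    }


def histogram(latencies, edges):
    """Counts per bucket: latency < edges[0], < edges[1], ... plus an overflow
    bucket.  Plot this series per instance to get the response-time curve."""
    counts = [0] * (len(edges) + 1)
    for v in latencies:
        for i, upper in enumerate(edges):
            if v < upper:
                counts[i] += 1
                break
        else:
            counts[-1] += 1
    return counts


def compare_instances(queries, samples=200,
                      edges=(0.001, 0.005, 0.01, 0.05, 0.1),
                      clock=time.perf_counter):
    """Run the same workload against each named instance and report
    summary statistics and the histogram for each."""
    report = {}
    for name, query in queries.items():
        lat = measure(query, samples, clock)
        report[name] = {"summary": summarize(lat), "histogram": histogram(lat, edges)}
    return report


if __name__ == "__main__":
    # Offline demonstration with a constructed query that just sleeps.  For real
    # servers use e.g. make_ldap3_query("ldap://ldap1.example.com", "dc=example,dc=com")
    # per instance (hypothetical hostnames).
    def fake_query():
        time.sleep(0.002)
    for name, r in compare_instances({"ldap1": fake_query}, samples=20).items():
        print(name, r["summary"], r["histogram"])
```

Run the same filter and base against every instance from the same client host, and compare histograms rather than means: an instance with a cold cache or a missing index shows up in the p95/p99 and overflow bucket long before its average moves.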
2.4.50 and pw-argon2
by Michael Ströder
Hi!
Anything special with installing the man-page of pw-argon2?
It fails in openSUSE Build Service:
[ 112s] mkdir -p `grep -e "^prefix =" ../../../../Makefile | cut -d=
-f2`/share/man/man5
[ 112s] /usr/bin/install -m 644 slapd-pw-argon2.5 `grep -e "^prefix ="
../../../../Makefile | cut -d= -f2`/share/man/man5
[ 112s] /usr/bin/install: cannot create regular file
'/usr/share/man/man5/slapd-pw-argon2.5': Permission denied
[ 112s] make: *** [Makefile:70: install-man] Error 1
[ 112s] make: *** Waiting for unfinished jobs....
Ciao, Michael.
3 years, 1 month
-DLDAP_USE_NON_BLOCKING_TLS (was: OpenLDAP 2.4.50 available)
by Michael Ströder
On 4/28/20 7:16 PM, project(a)openldap.org wrote:
> OpenLDAP 2.4.50 is now available for download as detailed on our download page:
Building with -DLDAP_USE_NON_BLOCKING_TLS now fails. It worked with 2.4.49.
Ciao, Michael.
---------------------------------------------
cc -g -O0 -DNDEBUG -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES
-DSLAP_CONFIG_DELETE -DLDAP_USE_NON_BLOCKING_TLS -Wl,-R/usr/lib
-Wl,-R/usr/lib -Wl,-R/usr/lib -Wl,-R/usr/lib -o .libs/apitest apitest.o
-L/usr/lib ./.libs/libldap.so
/home/michael/src/openldap-git/re24/openldap/libraries/liblber/.libs/liblber.so
../../libraries/liblber/.libs/liblber.so
../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto -lcrypt
-lresolv -Wl,--rpath -Wl,/opt/openldap-re24/lib64
/usr/lib64/gcc/x86_64-suse-linux/9/../../../../x86_64-suse-linux/bin/ld:
./.libs/libldap.so: undefined reference to `Debug1'
/usr/lib64/gcc/x86_64-suse-linux/9/../../../../x86_64-suse-linux/bin/ld:
./.libs/libldap.so: undefined reference to `Debug3'
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:309: apitest] Error 1
make[2]: Leaving directory
'/home/michael/src/openldap-git/re24/openldap/libraries/libldap'
make[1]: *** [Makefile:296: all-common] Error 1
make[1]: Leaving directory
'/home/michael/src/openldap-git/re24/openldap/libraries'
make: *** [Makefile:312: all-common] Error 1
3 years, 1 month
Can't delete olcAccess entries
by Gao
Hello,
I am using OpenLDAP 2.4.40 on CentOS 7.6. I tried to remove 2 ACL
entries and failed. I must have missed something, so please help me.
I now have:
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=van,dc=company,dc=com
olcRootDN: cn=Manager,dc=van,dc=company,dc=com
olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjNVSUl2enZz0sm1akt4Nnd6OTk=
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
structuralObjectClass: olcHdbConfig
entryUUID: 3b7e5722-d26f-1035-8835-91213c5bb357
creatorsName: cn=config
createTimestamp: 20160629180122Z
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=van,dc=company,dc=com" write by * none
olcAccess: {1}to * by self write by dn="cn=Manager,dc=van,dc=company,dc=com" write by * read
entryCSN: 20200427230612.038641Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20200427230612Z
Then I created a LDIF file:
# cat delete_acl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
olcAccess: {1}
Now try to delete the ACL:
# ldapmodify -Y EXTERNAL -H ldapi:/// -f delete_acl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
#
When I check with "slapcat -n 0" I see the 2 olcAccess entries still
exist.
Please help. Thanks.
Gao
3 years, 1 month
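An added example, not from Gao's post or from OpenLDAP: instead of deleting ordered values by index, rewrite the whole olcAccess list with a replace, so the end state is exactly the renumbered rules you reviewed, whatever the server does with two index-only deletes in a single modify. The DN and the two rules are those in the post with the folded lines joined; the output is an LDIF file you can inspect before applying it with ldapmodify -Y EXTERNAL -H ldapi:///.

```python
"""Drop olcAccess rules by rewriting the whole ordered list.

Added example, not from the post or from OpenLDAP.  cn=config stores
olcAccess as ordered values with {n} prefixes; replacing the attribute with
the renumbered remaining rules yields one deterministic, reviewable result.
"""
import re

ORDERED = re.compile(r"^\{(\d+)\}(.*)$", re.S)


def split_ordered(values):
    """Return [(index, rule)] and insist the indices are exactly 0..n-1 in order,
    i.e. that `values` is a fresh copy of what the server currently holds."""
    parsed = []
    for v in values:
        m = ORDERED.match(v)
        if not m:
            raise ValueError(f"not an ordered value: {v!r}")
        parsed.append((int(m.group(1)), m.group(2)))
    if [i for i, _ in parsed] != list(range(len(parsed))):
        raise ValueError("indices not contiguous from 0; re-read the entry before editing")
    return parsed


def drop_rules(values, remove):
    """Remove the rules at the given original indices and renumber what is left."""
    remove = set(remove)
    parsed = split_ordered(values)
    unknown = remove - {i for i, _ in parsed}
    if unknown:
        raise ValueError(f"no such rule index: {sorted(unknown)}")
    kept = [rule for i, rule in parsed if i not in remove]
    return [f"{{{n}}}{rule}" for n, rule in enumerate(kept)]


def fold(line, width=76):
    """Fold one LDIF line the way slapcat does: continuation lines start with a
    single space (ldif(5))."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def replace_ldif(dn, new_values):
    """Modify record that replaces olcAccess with `new_values`.  An empty list
    removes every rule of the database, after which slapd falls back to the
    global olcAccess rules in the frontend (or the built-in default), so never
    apply an empty replace by accident."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: olcAccess"]
    lines += [fold(f"olcAccess: {v}") for v in new_values]
    return "\n".join(lines) + "\n-\n"


# The post's entry, with the wrapped lines joined.
DN = "olcDatabase={2}hdb,cn=config"
CURRENT_ACLS = [
    '{0}to attrs=userPassword by self write by anonymous auth '
    'by dn.base="cn=Manager,dc=van,dc=company,dc=com" write by * none',
    '{1}to * by self write by dn="cn=Manager,dc=van,dc=company,dc=com" write by * read',
]


def ldif_dropping(indices):
    """LDIF that removes the given rule indices from the post's ACL list."""
    return replace_ldif(DN, drop_rules(CURRENT_ACLS, indices))


if __name__ == "__main__":
    # Dropping {0} keeps the catch-all rule, renumbered to {0}.  Dropping both
    # ({0, 1}) leaves the database with no rules of its own, which is rarely intended.
    print(ldif_dropping({0}))
```

After applying the file, confirm the live configuration rather than the on-disk copy with ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}hdb,cn=config" olcAccess, and only then re-run slapcat -n 0 to check the two agree.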
dn with space in olcRefintNothing
by Sébastien Chaumat
Hello,
When configuring refint on slapd 2.4.49 the following is accepted :
dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {2}refint
olcRefintAttribute: seeAlso
olcRefintNothing: cn=admin,dc=test
but
olcRefintNothing: cn=admin space,dc=test
is rejected when I ldapadd the configuration with the message :
ldap_add: Constraint violation (19)
additional info: <olcRefintNothing> extra cruft after <string>
I tried various quoting :
cn="admin space",dc=test
cn=admin\20space
"cn=admin space"
Do I miss something ?
THX
Sébastien
3 years, 1 month
Re: Openldap Master-Slave setup
by Quanah Gibson-Mount
--On Thursday, April 23, 2020 9:41 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
> olcDatabase={2}bdb,cn=config:
BDB is deprecated. I'd advise using a non-deprecated backend.
> olcReadOnly: TRUE
> olcSyncrepl: {0}rid=001 provider=ldap://10.126.0.21:10389/
> binddn="cn=manager,dc=example,dc=com" bindmethod=simple
> credentials=TopSecret searchbase="dc=example,dc=com" attrs="*,+"
> type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1
> olcUpdateRef: ldap://10.126.0.21:10389
> olcMirrorMode: TRUE
Is it a consumer or a multimaster node? You have enabled multiprovider
(which is horribly misnamed as "mirrormode", and really just means you're
defining it as part of a multiprovider cluster).
> Chain overlay on frontendDB:
>
>
> dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcChainConfig
> olcOverlay: {0}chain
> olcChainReturnError: TRUE
>
> dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
> objectClass: olcLDAPConfig
> objectClass: olcChainDatabase
> olcDatabase: {0}ldap
> olcDbURI: ldap://10.126.0.21:10389/
> olcDbIDAssertBind: bindmethod=simple
> binddn="cn=manager,dc=example,dc=com" credentials=TopSecret mode=self
> olcDbRebindAsUser: TRUE
Why would chaining on the frontend database affect the ability of your
dc=example,dc=com database to forward updates? You've clearly
misconfigured your system.
> So with the above config, if I add an entry on the master it replicates to
> the slave, but when I try to add an entry on the slave it does not allow the
> write, as expected, but it is also not forwarding the request to the referral
> (because ldapadd doesn't follow referrals). Is that expected? How do I make
> sure updateref is working properly?
Configure your system correctly? You may also want to examine test032 in
the test suite which specifically configures this.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 1 month
Specific outgoing IP for syncrepl
by Dale Thompson - NOAA Federal
I've been using openldap's multi-master syncrepl based sync for years
and it works great. But, I would like to be able to specify which IP
on a multi-IP system syncrepl makes outgoing connections to other
members of the sync cluster.
On my multi-IP servers I am able to get slapd to only bind to a
specific IP with the appropriate -h option. That works fine. But,
outgoing syncrepl connections come from the primary IP on the server.
Can anyone suggest a way to specify which IP syncrepl will use to make
outgoing replication queries?
--
Dale James Thompson, NWS
Radar Operations Center
IT Specialist, Configuration Management Team
1313 Halley Circle
Norman, OK 73069
Voice (405) 573-3472
Fax (405) 573-3480
Dale.J.Thompson(a)noaa.gov
3 years, 1 month