January 2021 - openldap-technical

Best way two update a full OpenLDAP database from LDIF file

by Prunk Dump

Hello ! My network infrastructure uses some special database not compatible with LDAP. But I need an OpenLDAP server to administer my Web Services accounts on my DMZ. So I have written a script to export our "special" database to an LDIF file. This works pretty well. I've successfully loaded it on my OpenLDAP server. But now I don't know how to update my OpenLDAP database from the new generated LDIF files (when users are added, updated or removed) without disturbing the whole LDAP service (it's not a very good idea to delete the entire database and recreate it from the new LDIF file as it stop the service completely during the operation). Is there a way to update an OpenLDAP database to fit a new given LDIF file ? -> Updating/deleting the OUs -> Deleting the objects that are not present. -> Deleting the attributes removed. -> Updating the attributes that have changed without deleting the object. Doing this step by step to disturb as little as possible the OpenLDAP service. Thanks for the help. Regards, Baptiste.

5 months, 3 weeks

5
6
0 / 0

Unable to bind with LDAP DN having encoded chars

by radiatejava

I am using openldap client library 2.4.44 on Centos 7.3, LDAP v3 setting. I am having an issue with LDAP bind when the DN has encoded representation of special characters like é (e acute). Actual DN is CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net and when it is sent by the app (frontend) to our backend, it is coming as CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net. Basically, é comes encoded as \u00e9 which is as per the encoding mentioned here https://www.fileformat.info/info/unicode/char/e9/index.htm To further try out, I directly hardcoded the DN to CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=mytest,DC=net and that worked fine. I want to understand why it fails when the DN in the same format comes from the frontend app. Appreciate your help, thanks.

5 months, 4 weeks

3
4
0 / 0

Backup/Restore Overlays MemberOf

by Lars Päßler

Hello, I am running OpenLDAP 2.4.47 on Debian 10 for a while and now I enabled the overlay for memberOf. Is there any good option for backup and restore, because slapcat and slapadd aren't working. Thanks and kind regards Lars

5 months, 4 weeks

3
2
0 / 0

Re: How to set credential to ldap_gssapi_bind_s?

by Árpád Nagy

Hello, Thanks for the answer! What function should I use if I must supply username/password and I want to bind using GSSAPI? Is it possible somehow with Open LDAP? Regards, Arpad Quanah Gibson-Mount <quanah(a)symas.com> ezt írta (időpont: 2021. jan. 27., Sze, 18:10): > > > --On Wednesday, January 27, 2021 4:16 PM +0100 Árpád Nagy > <arpadnagy.bp(a)gmail.com> wrote: > > > > > According this it is executed only if 'dn' and 'creds' is NULL. > > My question is how can I set the user name and password which I want to > > authenticate on LDAP server? > > Using GSSAPI implies that the connecting client already has access to a > kerberos5 ticket, which is used for the authentication step and thus there > is no username or password to be supplied. > > If you must supply a username/password, then you're using the wrong > function. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

6 months

2
1
0 / 0

OpenLDAP proxy to AD with client certificates

by David Cunningham

Hello, I would like to configure slaps.conf to proxy requests to an AD server. 1.) I want SLAPD to always connect to this AD server as a specific user 2.) I want SLAPD to run all queries including searches against this AD server using the defined user. 3.) I want clients connecting to SLAPD to query AD to be authenticated by revokable client certificate only. If the connecting client has a valid certificate that matches a CA, then it’s LDAP query is allowed and proxied to Active Directory. 4.) The client should also be able to rebind as user after doing a user DN search (to verify username/password). Does that make sense?

6 months

2
2
0 / 0

How to set credential to ldap_gssapi_bind_s?

by Árpád Nagy

Hello, I try to bind to LDAP server using GSSAPI. I try to use ldap_gssapi_bind_s method (gssapi.c): int ldap_gssapi_bind_s( LDAP *ld, LDAP_CONST char *dn, LDAP_CONST char *creds ) { if ( dn != NULL ) { return LDAP_NOT_SUPPORTED; } if ( creds != NULL ) { return LDAP_NOT_SUPPORTED; } return ldap_int_gss_spnego_bind_s(ld); } According this it is executed only if 'dn' and 'creds' is NULL. My question is how can I set the user name and password which I want to authenticate on LDAP server? Regards, Arpad

6 months

2
1
0 / 0

Read-only access on all the directory to a certain user

by Harri T.

Hi, Could someone please give an example of .ldif for granting *read-only* access on all the directory to the user "cn=query,dc=example,dc=com"? Kind regards, Harri

6 months

2
4
0 / 0

Syncprov shows issue with entry

by Nick Milas

Hello, I would like to ask you for your guidance regarding the following. We have an openldap (v2.4.56) master server syncing with three other openldap slaves. The master seems being unable to complete successfully syncing a particular entry and it keeps trying for ever. Logs follow. I have realized this only now, but it seems that this is happening for long. (It is recorded in all the logs I have available.) What is the suggested way to resolve this situation? ======================================================================================================= ... Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: Entry cn=thermo,ou=Aliases,dc=noa,dc=gr CSN 20200910151806.461875Z#000000#000#000000 older or equal to ctx 20200910151806.461875Z#000000#000#000000 Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000 Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_sendinfo: refreshPresent cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000 Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: detaching op Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_op_search: got a persistent search with a cookie=rid=601,csn=20200910151806.461875Z#000000#000#000000 Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findbase: searching Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_op_search: registered persistent search Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findcsn: mode=FIND_CSN csn=20200910151806.461875Z#000000#000#000000 Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findcsn: csn==20200910151806.461875Z#000000#000#000000 found Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findcsn: mode=FIND_PRESENT csn= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie= Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: Entry cn=thermo,ou=Aliases,dc=noa,dc=gr CSN 20200910151806.461875Z#000000#000#000000 older or equal to ctx 20200910151806.461875Z#000000#000#000000 Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000 Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: refreshPresent cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000 Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: detaching op ========================================================================================================= Thank you in advance for your advice! Cheers, Nick

6 months

3
4
0 / 0

openldap performance problems

by Zetan Drableg

Every time my "updater" process writes an LDIF to LDAP, clients start seeing timeouts during authentication. Even with a small number of inserts or removals, this problem shows up. openldap 2.4.47, MBD, 16 core Linux server, 6 nodes in a n-way multimaster replication configuration. The on disk database is 1.5gigs. Can anyone suggest tunables for this problem? I've tried "threads 64" but that didn't improve things. [2021-01-24 00:01:45] connection_input: conn=2721465 deferring operation: binding [2021-01-24 00:01:45] connection_input: conn=2721505 deferring operation: binding [2021-01-24 00:01:45] connection_read(17): no connection! [2021-01-24 00:01:46] connection_input: conn=2721694 deferring operation: binding [2021-01-24 00:01:47] connection_input: conn=2721844 deferring operation: binding [2021-01-24 00:01:48] connection_input: conn=2722210 deferring operation: binding [2021-01-24 00:01:48] connection_input: conn=2722208 deferring operation: binding [2021-01-24 00:01:48] connection_input: conn=2722283 deferring operation: binding Thank you

6 months

2
1
0 / 0

openldap mdb tuning

by olivier.chirossel＠sfr.com

Hi guys, I have an architecture with : 2 masters ( refresh and persist ) a load balanceur in front of the masters (vip main/sorry), to avoid write in the same time on the masters (stability) few consumers use back-mdb openldap version 2.4.45 my huge branche 3181406 entries, data.mdb 7.7G on the main master, 9.1G on the consumers and the sorry master ( use du -h to get the size ) I have three questions : why the size is smaller on the main master ? Sometimes i have to scripts a lot of ldapmodify ( ~100000 ), should i have to set olcDbEnvFlags: writemap olcDbEnvFlags: nometasync for increase performance ? This sets is recommended for production ? stability issues with theses set ? i have no stability issue for now, but considering this two questions, is it recommended to upgrade ? thank's in advance regards Olivier

6 months, 1 week

3
4
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2021