openldap-technical May 2021

openldap-technical@openldap.org

23 participants
23 discussions

Using the openldap c api
by matt_hannay1＠yahoo.com.au 26 May '21

26 May '21

We are in the throw of migrating to openldap however we have a problem. we currently have the 2.4 release of the client libraries. I have a problem in the mean time. we have a ldap repository that does not support TLS but only supports the SSL v1.3 standard .....yes I know about the security risks that's why we are migrating. Currently the Old Mozilla C api is in use which I have to replace. From looking at the 2.4 API docs would I be correct in saying the API does not support SSL v1.3 ? Would the Deprecated API calls get me over the line in replacing the mozilla and establishing a SSL connection, Or should I look at going to an older openldap API version? Thanks Matt

1 0

Updating schema in cn=config
by Nick Milas 19 May '21

19 May '21

Hello, We are using PowerDNS with LDAP Backend. At some point the backend schema changed so in order to upgrade we need to change the schema loaded in OpenLDAP. Unfortunately, something seems to be going wrong in the process. What I did: First, I converted the new schema to ldif by creating a dummy conf file: # cat /root/work/dnsdomain2-new.conf include /root/work/core.schema include /root/work/cosine.schema include /root/work/dnsdomain2.schema include /root/work/pdns-domaininfo.schema and then running: # slaptest -f dnsdomain2-new.conf -F dnsdomain2-new.d # slapcat -F dnsdomain2-new.d -bcn=config > dd2new-schema.ldif Then, on the actual config I exported initial config: # slapcat -n0 -F /usr/local/openldap/etc/openldap/slapd.d/ -l /root/work/ldapconf-01.ldif and edited the output (ldapconf-01.ldif) by replacing the whole dnsdomain2 section with the new one (as is in dd2new-schema.ldif file). The initial dnsdomain2 section was {10} so I renumbered the copied schema section from {2} to {10}. In the end of schema definitions section I added pdns-domaininfo definition (copied from dd2new-schema.conf), to which I gave the last number +1, which was {16} (rather than {3}, as it was in the converted file). However, when I try to load this config to a new (empty) slapd.d directory, I get: ========================================================================================== # rm -rf slapd.d # mkdir slapd.d # chown ldap:ldap slapd.d # slapadd -n0 -F ./slapd.d -l /root/work/ldapconf-01.ldif 60a2e22a olcAttributeTypes: value #2 olcAttributeTypes: Unexpected token before SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) AttributeTypeDescription = "(" whsp numericoid whsp ; AttributeType identifier [ "NAME" qdescrs ] ; name used in AttributeType [ "DESC" qdstring ] ; description [ "OBSOLETE" whsp ] [ "SUP" woid ] ; derived from this other ; AttributeType [ "EQUALITY" woid ] ; Matching Rule name [ "ORDERING" woid ] ; Matching Rule name [ "SUBSTR" woid ] ; Matching Rule name [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3 [ "SINGLE-VALUE" whsp ] ; default multi-valued [ "COLLECTIVE" whsp ] ; default not collective [ "NO-USER-MODIFICATION" whsp ]; default user modifiable [ "USAGE" whsp AttributeUsage ]; default userApplications ; userApplications ; directoryOperation ; distributedOperation ; dSAOperation whsp ")" slapadd: could not add entry dn="cn={10}dnsdomain2,cn=schema,cn=config" (line=2256): _############### 76.98% eta none elapsed none spd 1001.2 k/s Closing DB... ========================================================================================== What am I doing wrong in updating the schemas in cn=config? I find the above message difficult to interpret. Note that there are numerous "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )" statements in the schema definition. I include the new dnsdomain2 section for your reference: ========================================================================================== dn: cn={10}dnsdomain2,cn=schema,cn=config objectClass: olcSchemaConfig cn: {10}dnsdomain2 olcAttributeTypes: {0}( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integ er denoting time to live' EQUALITY integerMatch ORDERING integerOrderingMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The cl ass of a resource record' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 66.115.121.1.26 ) olcAttributeTypes: {2}( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord' DESC 'a we ll known service description, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {3}( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'doma in name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5 SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {4}( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'ho st information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {5}( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'ma ilbox or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBST R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {6}( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text string, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrin gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {7}( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord' DESC 'for R esponsible Person, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreI A5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {8}( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' DESC 'fo r AFS Data Base location, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR case IgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {9}( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Sign ature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {10}( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key , RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {11}( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord' DESC 'Ge ographical Position, RFC 1712' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {12}( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IP v6 address, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {13}( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Loc ation, RFC 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {14}( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non -existant, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {15}( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'ser vice location, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {16}( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'N aming Authority Pointer, RFC 2915' EQUALITY caseIgnoreIA5Match SUBSTR caseI gnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {17}( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Exchange Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {18}( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'ce rtificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {19}( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 R ecord Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {20}( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'N on-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUB STR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {21}( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord' DESC 'Lis ts of Address Prefixes, RFC 3123' EQUALITY caseIgnoreIA5Match SUBSTR caseIg noreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {22}( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Dele gation Signer, RFC 3658' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {23}( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'S SH Key Fingerprint, RFC 4255' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnore IA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {24}( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord' DESC 'SSH Key Fingerprint, RFC 4025' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {25}( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'R RSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {26}( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NS EC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {27}( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord' DESC ' DNSKEY, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {28}( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord' DESC 'D HCID, RFC 4701' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {29}( 1.3.6.1.4.1.2428.20.1.50 NAME 'nSEC3Record' DESC 'N SEC record version 3, RFC 5155' EQUALITY caseIgnoreIA5Match SUBSTR caseIgno reIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {30}( 1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord' DE SC 'NSEC3 parameters, RFC 5155' EQUALITY caseIgnoreIA5Match SUBSTR caseIgno reIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {31}( 1.3.6.1.4.1.2428.20.1.52 NAME 'tLSARecord' DESC 'TL SA certificate association, RFC 6698' EQUALITY caseIgnoreIA5Match SUBSTR ca seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {32}( 1.3.6.1.4.1.2428.20.1.59 NAME 'cDSRecord' DESC 'Chi ld DS, RFC7344' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {33}( 1.3.6.1.4.1.2428.20.1.60 NAME 'cDNSKeyRecord' DESC 'DNSKEY(s) the Child wants reflected in DS, RFC7344' EQUALITY caseIgnoreIA5 Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 .26 ) olcAttributeTypes: {34}( 1.3.6.1.4.1.2428.20.1.61 NAME 'openPGPKeyRecord' DE SC 'OpenPGP Key, RFC7929' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {35}( 1.3.6.1.4.1.2428.20.1.64 NAME 'SVCBRecord' DESC 'Se rvice binding, draft-ietf-dnsop-svcb-https-01' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {36}( 1.3.6.1.4.1.2428.20.1.65 NAME 'HTTPSRecord' DESC 'H TTPS service binding, draft-ietf-dnsop-svcb-https-01' EQUALITY caseIgnoreIA 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.26 ) olcAttributeTypes: {37}( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord' DESC 'Sen der Policy Framework, RFC 4408' EQUALITY caseIgnoreIA5Match SUBSTR caseIgno reIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {38}( 1.3.6.1.4.1.2428.20.1.108 NAME 'EUI48Record' DESC ' EUI-48 address, RFC7043' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {39}( 1.3.6.1.4.1.2428.20.1.109 NAME 'EUI64Record' DESC ' EUI-64 address, RFC7043' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {40}( 1.3.6.1.4.1.2428.20.1.249 NAME 'tKeyRecord' DESC 'T ransaction Key, RFC2930' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {41}( 1.3.6.1.4.1.2428.20.1.256 NAME 'uRIRecord' DESC 'UR I, RFC7553' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {42}( 1.3.6.1.4.1.2428.20.1.257 NAME 'cAARecord' DESC 'Ce rtification Authority Restriction, RFC6844' EQUALITY caseIgnoreIA5Match SUB STR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {43}( 1.3.6.1.4.1.2428.20.1.32769 NAME 'dLVRecord' DESC ' DNSSEC Lookaside Validation, RFC4431' EQUALITY caseIgnoreIA5Match SUBSTR ca seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {44}( 1.3.6.1.4.1.2428.20.1.65226 NAME 'TYPE65226Record' DESC '' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {45}( 1.3.6.1.4.1.2428.20.1.65534 NAME 'TYPE65534Record' DESC '' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcObjectClasses: {0}( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2' SUP dNSDomain STRUCTURAL MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $ HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ APLRecord $ DSRecord $ S SHFPRecord $ IPSECKEYRecord $ RRSIGRecord $ NSECRecord $ DNSKEYRecord $ DHC IDRecord $ NSEC3Record $ NSEC3PARAMRecord $ TLSARecord $ CDSRecord $ CDNSKE YRecord $ OPENPGPKEYRecord $ SVCBRecord $ HTTPSRecord $ SPFRecord $ EUI48Re cord $ EUI64Record $ TKEYRecord $ URIRecord $ CAARecord $ DLVRecord $ TYPE6 5226Record $ TYPE65534Record ) ) structuralObjectClass: olcSchemaConfig entryUUID: 15113670-9f95-49b9-a483-b7d7bf2629ec creatorsName: cn=config createTimestamp: 20111017141815Z entryCSN: 20111017141815.387018Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20111017141815Z ========================================================================================== I even tried to keep the original entryUUID, createTimestamp, entryCSN, modifyTimestamp values (just in case), but it did not make a difference. I appreciate your help. (Note that export of the intial config was done on v2.4.56 and import of the modified config was done on a test server with 2.4.58.) If there is any additional info you may require, I will be glad to provide it. Thanks, Nick

4 12

MDB page growth
by Zetan Drableg 10 May '21

10 May '21

openldap 2.4.57 On 4/14 I ran mdb_copy -c to compact the DB and remove free pages. At that point I had 736k pages/2.9G file size. After compact the database is 41k pages and 140M. This solved my ldap request latency problem (seeing 30 second delays in simple queries when ldap updates are happening). 22 days later, we're at 244k pages and auth latency is up to 2 seconds during updates. The database is now 1G. What accounts for MDB free/unused page growth? We make lots of incremental inserts and removals (Add new user, add user to group, remove user from group, remove user). Removal actions seem to trigger the query latency. Why does a large amount of free pages impact single user removals from large groups? mdb_stat -e /opt/slapd/data Environment Info Map address: (nil) Map size: 17179869184 Page size: 4096 Max pages: 4194304 Number of pages used: 244657 Last transaction ID: 58158791 Max readers: 126 Number of readers used: 18 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 22

5 6

How to enable argon2 module
by Francesco Malvezzi 10 May '21

10 May '21

hi everybody, my problem with argon2 is just the casus belli pointing to something I actually didn't understand in the modules setup. My configure options are: /configure --prefix=/opt/openldap --localstatedir=/var/lib/ --enable-crypt --enable-ppolicy --with-cyrus-sasl --with-tls=openssl --enable-modules --enable-mdb=yes --enable-argon2=yes --with-systemd --enable-accesslog everything compiles and builds fine. test #83 passes: >>>>> Starting test083-argon2 for mdb... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to check that slapd is running... Adding basic structure... Testing ldapwhoami as cn=argon2,dc=example,dc=com... dn:cn=argon2,dc=example,dc=com >>>>> Test succeeded >>>>> test083-argon2 completed OK for mdb after 1 seconds. $ /opt/openldap/sbin/slappasswd -o module-load=/opt/src/openldap-2.5.4/servers/slapd/pwmods/argon2.la -h {ARGON2} -s test {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$n/QsZfaaYWA7pcQmAPrq8A$3FVBbO5zjMzUPRX+YW10yREA7xG4ben2gR08dGoPW1A Without the -o module-load switch slappasswd doesn't recognize the {ARGON2} scheme, but it looked fine to me: I believed I would need to load the module in cn=config with a content like: $ cat ~/ldif/load_argon2_module.ldif dn: cn=module{1} objectClass: olcModuleList cn: module{1} olcModulePath: /opt/openldap/libexec/openldap/ <- argon2.so is not here olcModuleLoad: {0}argon2 structuralObjectClass: olcModuleList but argon2.so is only in the src dir. Of course I didn't understand something very basic, thank you for your time, Francesco

2 1

Maximum length of a value
by Aaron Bennett 07 May '21

07 May '21

Hi, What is the maximum length of an value? Is it defined in the schema, per-value, or is there a global maximum in OpenLDAP? Thanks, Aaron --- Aaron Bennett Manager of Systems Administration Clark University ITS

2 1

Re: Migrating From DSEE7 to OpenLDAP; Base64 Values Fail To Import Using ldapadd
by Felix Schmitt 06 May '21

06 May '21

Hi, The issues might come from the fact that ODSEE has implemented RFC 2307bis - which aimed to improve on the old RFC 2307. As far as I know this never got a real standard - even though some companies adopted it. RFC 2307bis defines some things slightly different. from RFC2307. One of those cases is the gecos field which is a Directory String (SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) and can take UTF-8 character. Have a look here https://docs.ldap.com/specs/draft-howard-rfc2307bis-02.txt Regards Felix -- Felix Schmitt Ingenieur für IT/TK Systemberatung Blumenweg 24 phone: +49 8092 20796 D-85567 Grafing mobile: +49 172 842 99 12 Germany <mailto:Felix-Schmitt@t-online.de> mailto:Felix-Schmitt@t-online.de

4 5

Re: idletimeout setting is not working
by aRaviNd 06 May '21

06 May '21

Yes, It was not using slapd.conf and I was making changes on slapd.conf. It was my mistake. Thanks Quanah On Thu, May 6, 2021 at 8:42 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Thursday, May 6, 2021 1:46 PM +0530 aRaviNd <ambadiaravind(a)gmail.com> > > wrote: > > > > > Hi, > > > > > > Eventhough we have configured idletimeout as 0 in our slapd.conf , every > > 5 mins slapd is closing the connection. > > > > Why the idletimeout setting is not taking effect? > > Did you restart slapd after making the change? Does your system even use > slapd.conf, or is it actually using cn=config? etc. > > --Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

Migrating From DSEE7 to OpenLDAP; Base64 Values Fail To Import Using ldapadd
by harklib＠protonmail.com 06 May '21

06 May '21

Hi, I am in the process of migrating away from our ancient Oracle DSEE7 directory servers to OpenLDAP 2.4.44-23.el7_9.x86_64. One problem I'm experiencing when importing entries with attribute values encoded in base64 is: adding new entry "cn=LastName,ou=People,dc=cs,dc=university,dc=edu" ldap_add: Invalid syntax (21) additional info: gecos: value #0 invalid per syntax dn: cn=nis,cn=schema,cn=config objectClass: olcSchemaConfig cn: nis olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) In this example, the "gecos" attribute has the first name "Jérémie", e.g., "gecos:: SsOpcsOpbWll". When I decode it using `base64 -d` it decodes just fine. Why can I not import this base64 encoded value, and others, using ldapadd? I'm binding as olcRootDN which has the appropriate permission, manage, as far as I can tell but have also used SASL EXTERNAL--same results. Do I need to decode these values in my LDIF file first? I've scoured the internet and the archives here, so forgive me if I've missed a glaringly obvious thread. Another note, I've used `./dsconf export --no-repl [...]` to avoid the DSEE7 sync-repl operational cruft. I still had some cleaning up to do, but I still don't understand why the base64 values are a hard stop. Thanks in advance, Brian

3 2

idletimeout setting is not working
by aRaviNd 06 May '21

06 May '21

Hi, Eventhough we have configured idletimeout as 0 in our slapd.conf , every 5 mins slapd is closing the connection. May 06 06:54:07 example1 slapd[4919]: conn=10016 fd=731 closed (idletimeout) May 06 06:54:07 example1 slapd[4919]: conn=10017 fd=732 closed (idletimeout) May 06 06:54:07 example1 slapd[4919]: conn=10018 fd=734 closed (idletimeout) May 06 06:54:07 example1 slapd[4919]: conn=10019 fd=735 closed (idletimeout) Why the idletimeout setting is not taking effect? Operating system: Red Hat Enterprise Linux Server release 7.8 (Maipo) Openldap version: openldap-2.4.44-22.el7.x86_64 Regards, Aravind M D

2 1

SyncProv checkpointing
by thomaswilliampritchard＠gmail.com 06 May '21

06 May '21

Hi, Through testing we have discovered restoring from backup is most accurate when we have the syncprov checkpointing at "1 1". Or checkpoint after 1 operation or 1 minute (olcSpCheckpoint: 1 1). Are there any concerns with having this frequent of checkpointing? Thanks, Thomas

3 11

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2021