openldap-technical May 2022

openldap-technical@openldap.org

24 participants
27 discussions

changes in own schema in multi provider setup
by Stefan Kania 17 May '22

17 May '22

Good morning, we having a own schema with a lot of own attributes. We have a multi provider replication of cn=config. What is the right way to add a new attribute to our schema and get it into the configuration? Stefan

2 1

Can a Bind result in a Referral?
by Mike Stevens 16 May '22

16 May '22

Good day. I’m an LDAP novice and am attempting to modify an LDAP client to accommodate an LDAP server environment that makes use of referrals. I have installed openLDAP 2.4.44 on 2 RHEL 7.9 servers. The initial entries in the tree on serverA contains : # xxx.com dn: dc=xxx,dc=com description: xxx.com dc: xxx o: xxx.com objectClass: top objectClass: dcObject objectClass: organization # Users, xxx.com dn: ou=Users,dc=xxx,dc=com ou: Users description: xxx Users objectClass: organizationalUnit # search reference *ref: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub <http://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub>* # mike, Users, xxx.com dn: uid=mike,ou=Users,dc=xxx,dc=com cn: mike ou: Users uid: mike givenName: Mike mail: mike(a)uk.xxx.com objectClass: Person objectClass: organizationalPerson objectClass: inetOrgPerson I believe the "ref" entry is known as a subordinate referral; it was created by populating the tree from an LDIF file that contained the following: dn: dc=uk,dc=xxx,dc=com objectClass: referral objectClass: extensibleObject dc: uk ref: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com The intent is to redirect any requests received by serverA that refer to the subtree uk.xxx.com to serverB. The tree on serverB contains: # xxx.com dn: dc=xxx,dc=com description: xxx.com dc: xxx o: xxx.com objectClass: top objectClass: dcObject objectClass: organization # uk.xxx.com dn: dc=uk,dc=xxx,dc=com dc: uk o: uk.xxx.com description: xxx Users in the UK objectClass: dcObject objectClass: organization # mike, uk.xxx.com dn: uid=mike,dc=uk,dc=xxx,dc=com cn: mike uid: mike givenName: Mike mail: mike(a)uk.xxx.com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson Now, if I perform a search on serverA specifying a base of uk.xxx.com, I get an RC=10 Referral result as expected: [root@serverA ~]# ldapsearch -x '(uid=mike)' -b dc=uk,dc=xxx,dc=com -LL version: 1 Referral (10) Matched DN: dc=uk,dc=xxx,dc=com Referral: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub ... and I can chase that referral using the -C option to retrieve the entry from serverB: [root@Mike21 ~]# ldapsearch -x '(uid=mike)' -b dc=uk,dc=ibm,dc=com -LL -C version: 1 dn: uid=mike,dc=uk,dc=xxx,dc=com cn: mike uid: mike givenName: Mike mail: mike(a)uk.xxx.com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson But, if I attempt a bind to serverA using the user that exists in serverB, I get an authentication failure: [root@serverA ~]# ldapsearch -x -b 'dc=uk,dc=xxx,dc=com' -D uid=mike,dc=uk,dc=xxx,dc=com -w passw0rD ldap_bind: Invalid credentials (49) Now, I realise that the failure would be expected as the bind DN doesn't exist at serverA. But I read that every request apart from unbind and abandon can result in a referral. So why doesn't the bind follow the "ref" to serverB? Is that possible and have I not configured my server correctly? Ultimately, what I'd like to do in my client is something like: ld_user = ldap_init( "ldap://serverA:389/dc=uk,dc=xxx,dc=com" , 0 ); ... followed by : err = ldap_simple_bind_s( ld_user, "uid=mike,dc=uk,dc=xxx,dc=com" , password); ... and have LDAP authenticate the given user against serverB based on the referral in serverA. Is this sort of set up possible? Many thanks for your advice, Mike

2 4

issues with kqueue on OpenBSD
by Stuart Henderson 15 May '22

15 May '22

I'm working on updating the OpenBSD port of OpenLDAP to 2.6.2 (it's currently stuck at 2.4.59). In 2.5 kqueue support was added to slapd for BSDs, but it's not working correctly on OpenBSD. If slapd runs as a daemon, errors like these are seen: slap_client_connect: URI=ldaps://XXX Warning, ldap_start_tls failed (1) mdb_opinfo_get: err Invalid argument(22) However if slapd is run in the foreground with -d, things are ok. They are also OK if kqueue is disabled (by neutering the autoconf check) so this isn't blocking me updating the port but I thought I'd write up what I have in case someone has any ideas what might be up or anything they'd like me to try and report back on. Here are some log excerpts: 17:23:44.692: slapd starting 17:23:44.692: daemon: added 3r listener=0x0 17:23:44.692: daemon: added 6r listener=0x100263797200 17:23:44.692: daemon: added 7r listener=0x100263785400 17:23:44.692: daemon: kqueue: listen=6 active_threads=0 tvp=zero 17:23:44.692: daemon: kqueue: listen=7 active_threads=0 tvp=zero 17:23:44.692: daemon: activity on 1 descriptor 17:23:44.692: daemon: activity on: 17:23:44.692: 17:23:44.692: daemon: kqueue: listen=6 active_threads=0 tvp=zero 17:23:44.692: daemon: kqueue: listen=7 active_threads=0 tvp=zero 17:23:44.692: >>> dnNormalize: <cn=Consumer 101> 17:23:44.692: <<< dnNormalize: <cn=consumer 101> 17:23:44.692: =>do_syncrepl rid=101 17:23:44.763: slap_client_connect: URI=ldaps://XXXXXXXXXXXXXXX Warning, ldap_start_tls failed (1) 17:23:44.781: => mdb_entry_get: ndn: "dc=XXXXXXX,dc=XXX" 17:23:44.782: => mdb_entry_get: oc: "(null)", at: "contextCSN" 17:23:44.782: mdb_opinfo_get: err Invalid argument(22) 17:23:44.782: =>do_syncrep2 rid=101 17:23:44.782: daemon: added 9r listener=0x0 17:23:44.783: daemon: activity on 1 descriptor 17:23:44.783: daemon: activity on: 17:23:44.783: 17:23:44.783: daemon: kqueue: listen=6 active_threads=0 tvp=NULL 17:23:44.783: daemon: kqueue: listen=7 active_threads=0 tvp=NULL 17:23:44.800: daemon: activity on 1 descriptor 17:23:44.800: daemon: activity on: 17:23:44.800: 9r 17:23:44.800: 17:23:44.800: daemon: read active on 9 17:23:44.800: daemon: kqueue: listen=6 active_threads=0 tvp=NULL 17:23:44.800: daemon: kqueue: listen=7 active_threads=0 tvp=NULL 17:23:44.800: connection_get(9) 17:23:44.800: connection_get(9): got connid=0 17:23:44.801: =>do_syncrepl rid=101 17:23:44.801: =>do_syncrep2 rid=101 Not sure if it's any help but looking at kdump(1) output after a run under ktrace(1) I didn't spot the immediate problem resulting in "ldap_start_tls failed (1)" however the "mdb_opinfo_get: err Invalid argument(22)" occurs after attempting to call fcntl with F_SETLK on the fd 5 which is the kqueue fd: 65304 slapd RET write 97/0x61 65304 slapd CALL poll(0x89d39cb9004,1,INFTIM) 65304 slapd STRU struct kevent [2] { ident=9, filter=EVFILT_READ, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0<>, data=0, udata=0x231a1bea } { ident=9, filter=EVFILT_EXCEPT, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0x4<>, data=0, udata=0x231a1bea } 65304 slapd STRU struct kevent { ident=9, filter=EVFILT_READ, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0<>, data=36, udata=0x231a1bea } 65304 slapd STRU struct pollfd { fd=9, events=0x3<POLLIN|POLLPRI>, revents=0x1<POLLIN> } 65304 slapd RET poll 1 65304 slapd CALL read(9,0x89ccfb103e0,0x5) 65304 slapd GIO fd 9 read 5 bytes "\^W\^C\^C\0\^_" 65304 slapd RET read 5 65304 slapd CALL read(9,0x89ccfb349c5,0x1f) 65304 slapd GIO fd 9 read 31 bytes "\M^W\M-r\M-f\M^C\M-2\M^V\M-E\^O\M-hdgq\M-"\M-o\M-&\M^[*\M-9\M^E\M-Sd\M^A2\M-QE\M-cb |\M^VI" 65304 slapd RET read 31/0x1f 65304 slapd CALL mmap(0,0x2000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0) 65304 slapd RET mmap 9468564512768/0x89c926ca000 65304 slapd CALL fcntl(5,F_SETLK,0x8ef465d0) 65304 slapd RET fcntl -1 errno 22 Invalid argument 65304 slapd CALL getpid() 65304 slapd RET getpid 65304/0xff18 65304 slapd CALL sendsyslog(0x89c8ef44040,59,0<>) 65304 slapd GIO fd -1 wrote 59 bytes "<167>slapd[65304]: mdb_opinfo_get: err Invalid argument(22)" Any suggestions would be welcome. Thanks!

2 2

set LDAPI_SOCK
by Michael Ströder 15 May '22

15 May '22

HI! I'm trying to get rid of this old patch by Ralf Haferkamp: https://build.opensuse.org/package/view_file/network:ldap/openldap2/0003-LD… Background: Today Linux distros prefer that you place temporary run-time files in a directory like /run/<service-name> with appropriate ownership and permissions. And also systemd can create a temporary run-time directory on-the-fly and removes it after service stopped. But if I e.g. use configure --runstatedir=/run/slapd the default pathname of the LDAPI socket is /run/slapd/run/ldapi Any way to set LDAPI_SOCK directly during build? Ciao, Michael.

1 0

(Updated) License issue about sleepycat license.
by s1k2c3＠naver.com 13 May '22

13 May '22

[박주현 / Ju Hyun Park] 2022-05-13 18:27 I am sorry I change my question like below... I just wonder license issue about sleepycat license. In sleepycat License, "Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software." I do not know " any accompanying software that uses the DB software" When commercial SW uses OpenLDAP and OpenLDAP uses BDB, commercial SW should be disclosed? What was user's obligation? I want to know about it exactly about sleepycat License. This SW does not link with OpenLDAP directy.. For example, SW using GPL Licese does not need to disclose source code of SW, because it executes on seperate process. How about OpenLDAP? When SW connect to OpenLDAP on seperate process, source code of SW should be disclosed? please do not care about deprecated version.. I just want to know about Sleepycat License.. Thank you.

3 3

question on replica IDs
by A. Schulze 13 May '22

13 May '22

Hello, I'm running a Cluster of 4 Servers of openldap-2.6.1 ServerID 1 ldaps://member1.example/ ServerID 2 ldaps://member2.example/ ServerID 3 ldaps://member3.example/ ServerID 4 ldaps://member4.example/ syncrepl rid=1 provider=ldaps://member1.example/ syncrepl rid=2 provider=ldaps://member2.example/ syncrepl rid=3 provider=ldaps://member3.example/ syncrepl rid=4 provider=ldaps://member4.example/ multiprovider on the servers 1 and 2 are offline since a week or so. Now I like to remove servers 1 and 2 finally to fall back to a cluster of two members. The new config will look this way: ServerID 1 ldaps://member3.example/ ServerID 1 ldaps://member4.example/ syncrepl rid=1 provider=ldaps://member3.example/ syncrepl rid=2 provider=ldaps://member4.example/ multiprovider on Is this change of ID numbers a potential source of trouble? Andreas

2 3

BDB and License
by s1k2c3＠naver.com 12 May '22

12 May '22

Hi I want to use OpenLDAP.(GitHub - openldap/openldap: Mirror of OpenLDAP repository, The OpenLDAP Public License Version 2.8) OpenLDAP uses berkeley DB 5.3.21. In addition,, openLDAP version is 2.4.49. 1. Berkeley DB(BDB) 5.3.21 is sleepycat license, right? 2. When I use OpenLDAP, should I disclose source code of commercial SW? or Can I use OpenLDAP without disclosing source code of commercial SW? 3. When I do not link with OpenLDAP directly. I connect to another open source without link such as http, jmx etc and it connects to OpenLDAP, should I disclose source code of commercial SW? 4. When I distribute commercial SW using OpenLDAP, should I use sleepycat license for berkeley DB or should I purchase BDB? Thank you.

2 1

upgrade from Debian 2.4.x
by Udo Rader 09 May '22

09 May '22

Hi, we've been long using OpenLDAP as a backbone for almost everything (users, groups, DNS, DHCP, ...) and we've finally reached the point where we want or better NEED to migrate away from the vanilla debian packages. This is mostly due to the fact that our sync-repl based replication loses data every now and then, which is a real pain to detect and then to fix. So, as far as I understand, our best bet is to migrate to the latest packages from Symas :) However, I think to remember a discussion about the membersOf overlay not working reliably with sync-repl even with the Symas packages. Is this correct and if so, what would be the best way to have membersOf functionality? And, what would be the best way to upgrade? Are the symas packages just a drop in replacement from the debian packages or is better to start from scratch and import the LDAP tree? Thanks Udo -- Udo Rader, MBA, CTO BestSolution.at EDV Systemhaus GmbH Salurner Straße 15, A-6020 Innsbruck http://www.bestsolution.at/ Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck

2 1

RE Symas OpenLDAP Handbook: Operator and Administrator Guide with Training Labs
by Dr. Ogg 06 May '22

06 May '22

Any idea when the Symas OpenLDAP Handbook: Operator and Administrator Guide with Training Labs book will be available on kindle?

1 0

LDAP Proxy
by guillaume.briere＠bell.ca 05 May '22

05 May '22

Hello, Sorry if it has already been asked in the past. We have a use-case and I'm having difficulties to find if openldap could be a good fit for us. Let's say that we have 2 vlan. LDAP and active directory is inside the first vlan. The servers is inside the other vlan. We want to have a "ldap proxy" server inside the server vlan where only this server could communicate with the LDAP and active directory server. This ldap proxy server needs to listen on 3 ports (or could be 3 different instances), example:636,637 and 638 If we hit the port 636: The user password needs to be validate against the active directory and the user's membership needs to be validate against the LDAP server If we hit the port 637: The user password and user's group membership needs to be validate against LDAP If we hit the port 638: The user password and user's membership needs to be validate against Active Directory The LDAP server and ldap proxy would be openldap. Thanks in advance

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2022