openldap-technical

openldap-technical@openldap.org

14 participants
9795 discussions

[LMDB] New product using LMDB
by Christian Sell 21 May '16

21 May '16

Hello all, I would like to introduce another product/tool that is based on LMDB and might be useful to some. Enter "LightningObjects", the High Performance embedded C++ Object Storage solution. LO is a template based mapping layer that turns LMDB (or any other key/value store that can be adapted to the internal abstract storage API) into a transactional C++ object store. Code is available at https://github.com/gsvitec/lightning-objects. Currently in alpha state, but used in a large commercial project already. I look forward to anyone's comments. regards, Christian Sell

2 1

pw-sha2, olcPasswordHash, SSHA512 & with cn=config
by Patrick Ohearn 17 May '16

17 May '16

Hi, I am running into an issue with changing olcPasswordHash to SSHA512, in cn=config . OpenLDAP appears not to load the pw-sha2 module from contrib, until after it reads cn=config, causing slaptest to fail. This looks to have already been reported in ITS 7802, however the ticket is closed and I don't see any obvious resolution to the issue. -- Email: pat(a)ge3k.net IM: pat(a)ge3k.net Site: http://ge3k.net

2 1

SLAPD WON'T START ON ONE OF THE MULTIMASTERS
by Borresen, John - 0444 - MITLL 16 May '16

16 May '16

We have a 3-way multimaster configuration running on CentOS 5.11, OpenLDAP 2.4.40. All three have been up for years, until the other day: Slapd is running on two of the three (server names: ldapserver1, ldapserver2, and ldapserver3). Slapd stopped and won't restart on ldapserver2. >From Logs on ldapserver2: May 10 04:02:13 gp42-admin4 slapd[4541]: slapd shutdown: waiting for 0 operations/tasks to finish May 10 04:02:19 gp42-admin4 slapd[15633]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 10 04:02:19 gp42-admin4 slapd[15633]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 10 04:02:19 gp42-admin4 slapd[15633]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 10 04:02:21 gp42-admin4 slapd[15634]: bdb_db_open: database "cn=accesslog": database already in use. May 10 04:02:21 gp42-admin4 slapd[15634]: backend_startup_one (type=bdb, suffix="cn=accesslog"): bi_db_open failed! (-1) May 10 04:02:21 gp42-admin4 slapd[15634]: slapd stopped. May 10 04:02:22 gp42-admin4 slapd[4541]: slapd stopped. When attempting to restart slapd on server2: May 13 10:13:54 gp42-admin4 slapd[12085]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:13:54 gp42-admin4 slapd[12085]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:13:54 gp42-admin4 slapd[12085]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:13:56 gp42-admin4 slapd[12086]: slapd starting May 13 10:13:56 gp42-admin4 slapd[12086]: do_syncrep2: rid=002 (4096) Content Sync Refresh Required May 13 10:13:56 gp42-admin4 slapd[12086]: do_syncrep2: rid=001 (4096) Content Sync Refresh Required May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_dn2id_add 0xfc6: parent (cn=accesslog) insert failed: -30995 May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_dn2id_delete 0xf50: parent (cn=accesslog) delete failed: -30995 May 13 10:15:55 gp42-admin4 slapd[12106]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:15:55 gp42-admin4 slapd[12106]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:15:55 gp42-admin4 slapd[12106]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:15:55 gp42-admin4 slapd[12106]: bdb_db_open: database "dc=example,dc=ldap": unclean shutdown detected; attempting recovery. May 13 10:15:57 gp42-admin4 slapd[12106]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:15:58 gp42-admin4 slapd[12106]: slapd starting May 13 10:28:49 gp42-admin4 slapd[12255]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:28:49 gp42-admin4 slapd[12255]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:28:49 gp42-admin4 slapd[12255]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:28:50 gp42-admin4 slapd[12255]: bdb_db_open: database "dc=example,dc=com": unclean shutdown detected; attempting recovery. May 13 10:28:50 gp42-admin4 slapd[12255]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:28:52 gp42-admin4 slapd[12255]: slapd starting May 13 10:29:24 gp42-admin4 slapd[12264]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:29:24 gp42-admin4 slapd[12264]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:29:24 gp42-admin4 slapd[12264]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:29:24 gp42-admin4 slapd[12264]: bdb_db_open: database "dc=example,dc=ldap": unclean shutdown detected; attempting recovery. May 13 10:29:24 gp42-admin4 slapd[12264]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:29:24 gp42-admin4 slapd[12264]: slapd starting May 13 10:29:53 gp42-admin4 slapd[12280]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:29:53 gp42-admin4 slapd[12280]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:29:53 gp42-admin4 slapd[12280]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:29:53 gp42-admin4 slapd[12280]: bdb_db_open: database "dc=example,dc=ldap": unclean shutdown detected; attempting recovery. May 13 10:29:53 gp42-admin4 slapd[12280]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:29:53 gp42-admin4 slapd[12280]: slapd starting May 13 10:32:35 gp42-admin4 slapd[12345]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd Attempting to restart slapd from the command-line: 5735ed50 slapd starting 5735ed50 => bdb_entry_get: ndn: "cn=accesslog" 5735ed50 => bdb_entry_get: oc: "(null)", at: "(null)" 5735ed50 bdb_idl_fetch_key: %cn=accesslog 5735ed50 bdb_idl_fetch_key: [b49d1940] 5735ed50 bdb_idl_fetch_key: 5735ed50 send_ldap_result: err=0 matched="" text="" 5735ed50 => bdb_entry_get: ndn: "dc=example,dc=com" 5735ed50 => bdb_entry_get: oc: "(null)", at: "contextCSN" ldap_build_search_req ATTRS: reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN ldap_build_search_req ATTRS: reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN => ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com,0) <= ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com,0) <= ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com,0) <= ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 5735ed50 => bdb_entry_get: ndn: "uid=jdoe,ou=Users,dc=example,dc=com" 5735ed50 => bdb_entry_get: oc: "(null)", at: "(null)" slapd: search.c:1125: oc_filter: Assertion `f != ((void *)0)' failed. Aborted I have run db_recover on the dbase(s) on ldapserver2 but to no avail. Does anyone have any suggestions? Thank you in advance for any assistance. John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Humanitarian Assistance and Disaster Relief (HADR) Systems 244 Wood St Lexington, MA 02420 Email: <mailto:john.borresen@ll.mit.edu> john.borresen(a)ll.mit.edu

2 7

SLAPD won't start
by Borresen, John - 0444 - MITLL 13 May '16

13 May '16

This is a resend as the original did not go out for some reason. We have a 3-way multimaster configuration running on CentOS 5.11, OpenLDAP 2.4.40. All three have been up for years, until the other day: Slapd is running on two of the three (server names: ldapserver1, ldapserver2, and ldapserver3). Slapd stopped and won't restart on ldapserver2. >From Logs on ldapserver2: May 10 04:02:13 gp42-admin4 slapd[4541]: slapd shutdown: waiting for 0 operations/tasks to finish May 10 04:02:19 gp42-admin4 slapd[15633]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 10 04:02:19 gp42-admin4 slapd[15633]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 10 04:02:19 gp42-admin4 slapd[15633]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 10 04:02:21 gp42-admin4 slapd[15634]: bdb_db_open: database "cn=accesslog": database already in use. May 10 04:02:21 gp42-admin4 slapd[15634]: backend_startup_one (type=bdb, suffix="cn=accesslog"): bi_db_open failed! (-1) May 10 04:02:21 gp42-admin4 slapd[15634]: slapd stopped. May 10 04:02:22 gp42-admin4 slapd[4541]: slapd stopped. When attempting to restart slapd on server2: May 13 10:13:54 gp42-admin4 slapd[12085]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:13:54 gp42-admin4 slapd[12085]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:13:54 gp42-admin4 slapd[12085]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:13:56 gp42-admin4 slapd[12086]: slapd starting May 13 10:13:56 gp42-admin4 slapd[12086]: do_syncrep2: rid=002 (4096) Content Sync Refresh Required May 13 10:13:56 gp42-admin4 slapd[12086]: do_syncrep2: rid=001 (4096) Content Sync Refresh Required May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_idl_insert_key: c_put id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_dn2id_add 0xfc6: parent (cn=accesslog) insert failed: -30995 May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) May 13 10:13:57 gp42-admin4 slapd[12086]: => bdb_dn2id_delete 0xf50: parent (cn=accesslog) delete failed: -30995 May 13 10:15:55 gp42-admin4 slapd[12106]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:15:55 gp42-admin4 slapd[12106]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:15:55 gp42-admin4 slapd[12106]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:15:55 gp42-admin4 slapd[12106]: bdb_db_open: database "dc=example,dc=ldap": unclean shutdown detected; attempting recovery. May 13 10:15:57 gp42-admin4 slapd[12106]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:15:58 gp42-admin4 slapd[12106]: slapd starting May 13 10:28:49 gp42-admin4 slapd[12255]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:28:49 gp42-admin4 slapd[12255]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:28:49 gp42-admin4 slapd[12255]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:28:50 gp42-admin4 slapd[12255]: bdb_db_open: database "dc=example,dc=com": unclean shutdown detected; attempting recovery. May 13 10:28:50 gp42-admin4 slapd[12255]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:28:52 gp42-admin4 slapd[12255]: slapd starting May 13 10:29:24 gp42-admin4 slapd[12264]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:29:24 gp42-admin4 slapd[12264]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:29:24 gp42-admin4 slapd[12264]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:29:24 gp42-admin4 slapd[12264]: bdb_db_open: database "dc=example,dc=ldap": unclean shutdown detected; attempting recovery. May 13 10:29:24 gp42-admin4 slapd[12264]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:29:24 gp42-admin4 slapd[12264]: slapd starting May 13 10:29:53 gp42-admin4 slapd[12280]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd May 13 10:29:53 gp42-admin4 slapd[12280]: nss-ldap: do_open: do_start_tls failed:stat=-1 May 13 10:29:53 gp42-admin4 slapd[12280]: nss_ldap: reconnected to LDAP server ldap://ldapserver1.example.com May 13 10:29:53 gp42-admin4 slapd[12280]: bdb_db_open: database "dc=example,dc=ldap": unclean shutdown detected; attempting recovery. May 13 10:29:53 gp42-admin4 slapd[12280]: bdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. May 13 10:29:53 gp42-admin4 slapd[12280]: slapd starting May 13 10:32:35 gp42-admin4 slapd[12345]: @(#) $OpenLDAP: slapd 2.4.40 (Sep 30 2014 16:49:45) $#012#011clement@localhost.localdomain:/home/clement/build/BUILD/openldap-2. 4.40/servers/slapd Attempting to restart slapd from the command-line: 5735ed50 slapd starting 5735ed50 => bdb_entry_get: ndn: "cn=accesslog" 5735ed50 => bdb_entry_get: oc: "(null)", at: "(null)" 5735ed50 bdb_idl_fetch_key: %cn=accesslog 5735ed50 bdb_idl_fetch_key: [b49d1940] 5735ed50 bdb_idl_fetch_key: 5735ed50 send_ldap_result: err=0 matched="" text="" 5735ed50 => bdb_entry_get: ndn: "dc=example,dc=com" 5735ed50 => bdb_entry_get: oc: "(null)", at: "contextCSN" ldap_build_search_req ATTRS: reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN ldap_build_search_req ATTRS: reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN => ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com,0) <= ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com,0) <= ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com,0) <= ldap_bv2dn(uid=jdoe,ou=Users,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=jdoe,ou=Users,dc=example,dc=com)=0 5735ed50 => bdb_entry_get: ndn: "uid=jdoe,ou=Users,dc=example,dc=com" 5735ed50 => bdb_entry_get: oc: "(null)", at: "(null)" slapd: search.c:1125: oc_filter: Assertion `f != ((void *)0)' failed. Aborted I have run db_recover on the dbase(s) on ldapserver2 but to no avail. Does anyone have any suggestions? Thank you in advance for any assistance. John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Humanitarian Assistance and Disaster Relief (HADR) Systems 244 Wood St Lexington, MA 02420 Email: john.borresen(a)ll.mit.edu John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Humanitarian Assistance and Disaster Relief (HADR) Systems 244 Wood St Lexington, MA 02420 Ph: (781) 981-1609 Cell: (781) 382-5195 Email: <mailto:john.borresen@ll.mit.edu> john.borresen(a)ll.mit.edu

1 0

OpenLDAP logging and rsyslog
by jeevan kc 12 May '16

12 May '16

Hello everyone,We're migrating our LDAP servers to new RHEL 7. Previously we had RHEL 5.2 and Openldap logging was working just fine with the following config using syslog.· Set up OpenLDAP logging: o (as root user) mkdir /var/log/openldap o (as root user) chmod 755 /var/log/openldap o (as root user) touch /var/log/openldap/openldap.log o (as root user) vi /etc/syslog.conf § Add the line “Local6.* /var/log/openldap/openldap.log” o (as root user) kill –HUP <process ID of syslogd> The new servers have rsyslog instead of syslog and I did the same procedures in rsyslog.conf file, set olcloglevel as sync stats same as in the old server and restarted rsyslog with systemctl restart rsyslog.service .The openldap.log file is empty. I have tried local4 too and same result. My rsyslog.conf file looks like this . Can someone please help me with this? Any help is appreciated. # rsyslog v5 configuration file # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html #### MODULES #### $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)$ModLoad imklog # provides kernel logging support (previously done by rklogd)$ModLoad immark # provides --MARK-- message capability # Provides UDP syslog reception$ModLoad imudp$UDPServerRun 514 # Provides TCP syslog reception$ModLoad imtcp$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Use default timestamp format$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required,# not useful and an extreme performance hit#$ActionFileEnableSync on # Include all config files in /etc/rsyslog.d/$IncludeConfig /etc/rsyslog.d/*.conf #### RULES #### # Log all kernel messages to the console.# Logging much else clutters up the screen.#kern.* /dev/console # Log anything (except mail) of level info or higher.# Don't log private authentication messages!*.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access.authpriv.* /var/log/secure # Log all the mail messages in one place.mail.* -/var/log/maillogdaemon.* /var/log/daemon.logkern.* /var/log/kern.logsyslog.* /var/log/syslog # Log cron stuffcron.* /var/log/cron # Everybody gets emergency messages*.emerg * # Save news errors of level crit and higher in a special file.uucp,news.crit /var/log/spooler # Save boot messages also to boot.loglocal7.* /var/log/boot.log #OpenLDAP logginglocal6.* /var/log/openldap/openldap.log # ### begin forwarding rule #### The statement between the begin ... end define a SINGLE forwarding# rule. They belong together, do NOT split them. If you create multiple# forwarding rules, duplicate the whole block!# Remote Logging (we use TCP for reliable delivery)## An on-disk queue is created for this action. If the remote host is# down, messages are spooled to disk and sent when it is up again.#$WorkDirectory /var/lib/rsyslog # where to place spool files#$ActionQueueFileName fwdRule1 # unique name prefix for spool files#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown#$ActionQueueType LinkedList # run asynchronously#$ActionResumeRetryCount -1 # infinite retries if host is down# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional#*.* @@remote-host:514# ### end of the forwarding rule ### ## Nessus/CIS compliance items## Send everything to Unix syslog host## Following setting is per Chris Humphrey 6/19/2013*.err;kern.notice;auth.notice;auth.crit;daemon.notice @siem-unix.abc.com## Send httpd logs to Apache syslog host - requires additional apache configdaemon.notice @@SIEM-apache.abc.comauth,user.* /var/log/messages # A template to for higher precision timestamps + severity logging$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" Jeevan

2 2

debugging schema error
by Olivier 12 May '16

12 May '16

Hi, I have to modify the schema used by Mac OS X to access LDAP. What I am trying to do get slapd to fail starting, but I do not get a single error message: in /var/log/debug: May 12 13:08:33 ldap slapd[42028]: @(#) $OpenLDAP: slapd 2.4.41 (Aug 27 2015 15:14:47) $ root@ldap.cs.ait.ac.th:/usr/ports/net/openldap24-server/work/openldap-2.4.41/servers/slapd May 12 13:08:33 ldap slapd[42028]: DIGEST-MD5 common mech free May 12 13:08:33 ldap slapd[42028]: slapd stopped. May 12 13:08:33 ldap slapd[42028]: connections_destroy: nothing to destroy. in /var/log/messages May 12 13:08:33 ldap on: /usr/local/etc/rc.d/slapd: WARNING: failed to start slapd I cannot diagnose much out of that; what can I do to get some proper debug/error information? Best regards, Olivier --

1 0

Re: Cannot re-enable synchronization
by Olivier Nicole 11 May '16

11 May '16

Hi, On Monday I had a major issue, my root CA (for all my encryption) expired, so my LDAP server number 1 became inaccessible. I have a server number 2, running from another root certificate, that did not expire and that was properly replicating from the server number 1, using: syncrepl rid=0 provider=ldaps://ldap server 1/ type=refreshAndPersist bindmethod=simple binddn=cn=Manager,dc=xxx credentials="XXX" searchbase=dc=xxx tls_reqcert=try starttls=yes retry="60 10 300 +" But since I updated the root certificate on server 1, I cannot get the replication. I can still ldapsearch from server 2 to server 1. In the log of server 1 I see a proper connection, but I don't know how to further debug the replication. Best regards, Olivier

1 0

require authc and SASL GSSAPI
by Christian 09 May '16

09 May '16

Dear list, I use Kerberos/GSSAPI for authentication, and I recently locked down my ldap servers with "require authc". With Kerberos tickets, I used to be able to just enter ldapsearch on the command line. Now I have to do ldapsearch -Y GSSAPI I assume this is because ldapsearch has to do a nonauthenticated bind to find out about the SASL auth mechanisms (by looking for supportedSASLMechanisms), and that fails now. So it would be great if I had a way of setting the default SASL auth mechanism on a machine for all users. However, man ldap.conf tells me that the setting for SASL_MECH is a per user setting only. Is there any other way to achieve this, or am I doing the wrong thing by requiring authc? Thanks, Christian

3 5

Access auth granularity?
by Dora Paula 09 May '16

09 May '16

Dear List, I've two subtrees that contain user-accounts: ou=usersA,dc=example,dc=com and ou=usersB,dc=example,dc=com. Goal: Users below ou=userA,... should only be allowed to bind using sasl_bind, but not with simple_bind. Whereas users below ou=usersB,... should be allowed to bind using both (or any kind of bind). I searched the documentation but without success. All I found was disallow simplebind and sasl_ssf, but both seem to make no sense in this case: While the first disallows simple_binds globally, the combination of sasl_ssf and access auth is or at least seems contradicting to me. Question: Is it possible to achieve this goal using current openldap release? Thank you very much Dora

3 9

Any naming conventions to be followed wile creating groups/organizations
by Chaitanya Kumar Ch 09 May '16

09 May '16

Hi All, I would like to request you to provide naming conventions document if available. I am looking for better approach to name groups/organizations names with multiple words. For example: Computer Science group can be named as cs, Computer Science, ComputerScience, computer science, computer-science. what is the better way? -- Thank You, Chaitanya Kumar Ch, +91 9550837582

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical