openldap-technical

openldap-technical@openldap.org

9 participants
9902 discussions

Complex multi-master topology
by Patrick 04 Oct '15

04 Oct '15

I've been trying to create a complex multi-master replication of cn=config for a week now... I'm using the core debian package: slapd 2.4.40+dfsg-1+deb8u1 I've seen someone claiming it could work but cannot find configs related to this kind of topology. http://www.slideshare.net/ghenry/openldap-replication-strategies (slide #24) When building a simple multimaster (two or three nodes) everything works as planned. But in the case some nodes cannot talk to others, i cannot find a way to make it works. Let's take this example +-------+ +-------+ +-------+ | ldap1 | <---> | ldap2 | <---> | ldap3 | +-------+ +-------+ +-------+ and say: olcSyncRepl: rid=001 searchbase="cn=config" type=refreshAndPersist provider=ldap://ldap1 olcSyncRepl: rid=002 searchbase="cn=config" type=refreshAndPersist provider=ldap://ldap2 olcSyncRepl: rid=003 searchbase="cn=config" type=refreshAndPersist provider=ldap://ldap3 Where initialy: ldap1 have rid=002 ldap2 have rid=001 and rid=003 ldap3 have rid=002 Soon everyone get rid=001 rid=002 rid=003 and ldap3 cannot talk to ldap1 and it does not work... And even if i don't care about the connexion between ldap1 and ldap3 failing, the replication does not work either... if ldap1 change something, it gets replicated to ldap2 but not ldap3. Also, i've been trying to use exattrs=Syncrepl but if someone change his Syncrepl, it get deleted on the other node... Someone seems to have seen this with memberof overlay ? http://www.openldap.org/lists/openldap-technical/201505/msg00124.html Anyone have references to help me get to my goal? -- Patrick Brideau Administrateur Système Kronos Technologies - http://www.kronos-web.com tel: 418 877-5400 p.216

5 10

BP build OpenLDAP and lmdb packages
by Michael Ströder 02 Oct '15

02 Oct '15

HI! I wonder what's considered best practice for building OpenLDAP and lmdb packages e.g. for a Linux distribution. Fortunately lmdb seems to be leveraged by more and more other software. So Linux distributions start to ship lmdb libs and tools as separate packages. 1. Do I have a chance to build OpenLDAP against those packages? Which releases have to be aligned? 2. Or should I link back-mdb statically into slapd when producing OpenLDAP packages? This would probably also require to build separate version of the mdb tools. Of course personally I'd prefer 1. Ciao, Michael.

5 8

[LMDB] What pointer is returned with combination of MDB_WRITEMAP and MDB_RESERVE?
by Victor Baybekov 02 Oct '15

02 Oct '15

Hi, Docs for MDB_RESERVE say that a returned pointer to the reserved space is valid "before the next update operation or the transaction ends." Docs for MDB_WRITEMAP say that it "writes directly to the mmap instead of using malloc for pages." Does combining the two options return a pointer directly to a place in a mmap so that this pointer could be used after a transaction ends or after the next update? I have a use case where I want to somewhat abuse LMDB safety for convenience. If I could get a pointer to a place inside a mmap I could work with LMDB value as opaque blob or as a region inside the single big mmap. This could be more convenient than creating and opening hundreds of temporary memory mapped files and keeping open handles to them. For example, Aeron terms could be stored like this: a stream id per an LMDB db and a term id for a key in the db. Thanks! Victor

2 3

parent DN and deref control
by Michael Ströder 02 Oct '15

02 Oct '15

Hmm... I have a use-case where it would be handy to use the deref control to request attributes from an entry's parent entry. But this would require kind of a pseudo-attribute 'parentDN' (similar to 'entryDN'). Anybody aware whether such a thing is already available? [1] https://tools.ietf.org/html/draft-masarati-ldap-deref-00 Nope, I don't want to use collective attributes. Ciao, Michael.

3 5

cannot delete pwdFailureTime attribute
by David Magda 01 Oct '15

01 Oct '15

Hello, How do I delete the pwdFailureTime attribute on a slave? I have a DN where pwdFailureTime entries are growing and its slowly filling up /var/lib/ldap/. Ive tried the following LDIF: dn: uid=foo,ou=People,dc=example,dc=com changetype: modify delete: pwdFailureTime But since the system is slave, its giving ldapmodify(1) a redirect to the master. I've also tried the script in ITS#8185: http://www.openldap.org/lists/openldap-bugs/201507/msg00012.html that connects to ldapi:///, and that also referral/redirects (since we have olcUpdateRef configured). We are not using the slapo-chain(5) funcionality. Is there any way to manipulate pwdFailureTime on the slaves without going into the raw databases files? Or do we have to enable slapo-chain(5) when using slapo-ppolicy(5) and then do things on the master? Thanks for any info. Regards, David

2 2

How to build contrib pw-radius?
by dev 01 Oct '15

01 Oct '15

Hi, I'm trying to build the pw-radius module in the contrib directory but can't seem to find the right library to add to the incantation. I've tried installing the freeradius-dev package as well as the libradiusclient-ng-dev but still no radlib.h. A google on the error message[1] returns *exactly* two results so I'm kind of at a loss. Can someone point me in the direction of the correct radius package to install to get this built? [1] test# gcc -shared -I../../../include -Wall -g -o pw-radius.so radius.c -lradius radius.c:27:20: fatal error: radlib.h: No such file or directory compilation terminated.

3 3

Is it possible to create something like an alias or mapping
by Christian Balz 01 Oct '15

01 Oct '15

Hi for all, We have an application that search an attribute named 'manager', however in our OpenLDAP this attribute is called 'DomainGestor'. Is it possible to create something like an alias or mapping. So, when the application is called the attribute 'manager' the ldap return the value of 'DomainGestor' DomainGestor uid=userX,cn=u,cn=users,dc=mydomain,dc=com Regards Christian

3 3

SSHA hash are stores as '{ssha}......' and '{SSHA}......'
by Matthias Apitz 30 Sep '15

30 Sep '15

Hello, We are authenticating from some Java written software against an OpenLDAP system by reading the users 'userPassword' LDAP attribute, calculating the clear text password against the SSHA hash string. It turned out that some (a few number) of these hash are stored in the form: userPassword:: e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ== which decodes to: $ echo 'e3NzaGF9R2tSOU91SGhOakFoZzBWeVNtY0JHRUE5b2NMVU5GZWZnY0VaMXc9PQ==' | openssl base64 -d {ssha}GkR9OuHhNjAhg0VySmcBGEA9ocLUNFefgcEZ1w== i.e. with SSHA in small letters. It's only 1 of thousand users having the tag as '{ssha}'. Why is this? Thanks matthias -- Matthias Apitz, ✉ guru(a)unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045 No! Nein! ¡No! Όχι! -- Ευχαριστούμε!

4 4

ACL issue
by Varadi, Louis - 0442 - MITLL 30 Sep '15

30 Sep '15

Hello, I could please use your help regarding issues I am seeing with user access authenticating to my new LDAP server. I am new to LDAP, and am building my first server. I have created a new user (lou) and client (ldapServer) and am trying to authenticate the user through the client. I have configured the LDAP server to also be the LDAP test client. I am seeing the following errors in the /var/log/sssd/sssd_default.log when I run: getent passwd lou or su - lou (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP' (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_get_rootdse_done] (0x0040): RootDSE could not be retrieved. Please check that anonymous access to RootDSE is allowed (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'IP_Address' as 'working' (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'IP_Address' as 'working' (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Insufficient access(50), no errmsg set (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error (Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users According to the doc for common-errors doc. http://www.openldap.org/doc/admin24/appendix-common-errors.html I believe I am having an issue with the Default ACLs. I have been doing much reading and am coming up short. My questions are: First: how to delete the current default ACLs using a command line entry, or using a ldapmodify on a .ldif file Second: how to add a new ACL allowing all users access using a command line entry or .ldif file. Once I get the user lou (and other test users) to connect, I will change the ACL access rules for restriction. I need to get it working first. Also, is there a step by step beginners guide for the ACL process? Any help is greatly appreciated. Thank you - Lou

2 1

Issues with Openldap upgrade 2.4.21 to 2.4.31
by Laurent Dumont 30 Sep '15

30 Sep '15

Hi gents, I'm currently trying to upgrade my "aging" Ubuntu 10.04 physical server with OpenLdap 2.4.21 to a brand new VM running 2.4.31 (which seems to be provided by default with the standard repository while being somewhat old?). That said, I'm running into a few issues. Am I correct in assuming that a standard migration would go something like this : #On the original LDAP server sudo slapcat -l /root/ldapdump #Copy that file over to the new LDAP server sudo slapadd -v -d 1 -l ldapdump Unfortunately, that's where it fails. I see : 560ade84 str2entry: invalid value for attributeType objectClass #2 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=1) It seems that I'm missing something pretty obvious here. Anyone has any pointers? Thanks

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical