openldap-technical

openldap-technical@openldap.org

9951 discussions

Alias dereferencing and performance
by Karol Chrapek 03 Sep '15

03 Sep '15

Hi, I have a question about the alias dereferencing and mdb performance. I installed from source ldap 2.4.42 with mdb support. In our current directory we have 367 007 objects and 42262 aliases. During the test I observed that the MDB is slower than the HDB during search with aliases dereferencing. I performed test search in small scope (11115 objects where 6991 is aliases to other part of structure) with filter objectClass=User and dereferencing aliases set to always. I see that query to HDB take about 20s and query to MDB about 29s. On both server the load are low. Are in ldap configuration any option than can tune the alias dereferencing or we should redesign the structure to reduce number of aliases? *Karol*

2 2

Permission management with LDAP
by Fischer, Johannes 02 Sep '15

02 Sep '15

Hi again, I didn’t want to do a thread high jacking so here a second mail with a complete other question If I’have a structure like: User - Role Role - User - Permission Permission - Role Now I want to get the authorization for some permission, So I have the information which user and which Permission. Now I need to match the list. The way it already work: Get all Roles for a Permission Search in the user for the Role If found Authorization Else no Therefore I need at least two requests to the LDAP server My Question: Is it possible to send only the DN of a Permissions and tell the Server, that he/she need to extract the Role attributes and check in the DN of a user for those Roles? Can I Implement an overlay on the Server to manage this task or is it senseless to think about such a task for the server? Greetings John -- Johannes Fischer Wissenschaftlicher Angestellter Fraunhofer-Institut für Produktionstechnik und Automatisierung IPA Kompetenzzentrum Digitale Werkzeuge in der Produktion Nobelstraße 12 │ 70569 Stuttgart Telefon +49 711 970-1217 johannes.fischer(a)ipa.fraunhofer.de<mailto:johannes.fischer@ipa.fraunhofer.de> www.ipa.fraunhofer.de<http://www.ipa.fraunhofer.de/> [cid:image002.png@01D0E168.63E7FA20]

4 10

AW: Send Success with first found entry
by Fischer, Johannes 02 Sep '15

02 Sep '15

Hi Dieter, just thank you for your help. Now I'm able to learn the syntax of the logfile, step by step. Again, Thank you Greetings John -----Ursprüngliche Nachricht----- Von: Dieter Klünter [mailto:dieter@dkluenter.de] Gesendet: Mittwoch, 2. September 2015 21:55 An: Fischer, Johannes Betreff: Re: Send Success with first found entry Am Wed, 2 Sep 2015 13:49:13 +0000 schrieb "Fischer, Johannes" <johannes.fischer(a)ipa.fraunhofer.de>: > Hi again, > > > > Here the logfile from a search process. There are a few lines in the log that gives some hints. > > The Server find the right entry, but then search till all entries are > touched…. > > Any ideas? If you read the logs you will find some lines with ---- 55e6fd47 => bdb_equality_candidates (objectClass) 55e6fd47 => key_read 55e6fd47 bdb_idl_fetch_key: [b49d1940] 55e6fd47 <= bdb_index_read: failed (-30988) ---- this leads to the assumption that the objectClass index is corrupted, try to reindex (slapindex) this index database. ---- 55e6fd47 => bdb_equality_candidates (o) 55e6fd47 <= bdb_equality_candidates: (o) not indexed ---- this is an indication that some filter attributes are not indexed. ---- 55e6fd47 <= bdb_filter_candidates: id=-1 first=1 last=130485 55e6fd47 => bdb_filter_candidates 55e6fd47 EQUALITY ---- I presume thast most of this filter candidates are not indexed. [...] My advise, index all relevant filter attributes. There is no need to index any attribute but only filter attributes. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E

1 0

Problem with binary data inserted in octetstring attribute.
by Armando Martins 02 Sep '15

02 Sep '15

Hi, I'm trying to sync a active directory with a openldap and for update the entries i use the objectsid binary attribute of the active directory as the link attribute between the two directories. I'm having an issue with the binary data inserted in a octetstring attribute. There is no problem to insert the data in the attribute. but when i request the attribute there is no entries returned. Howerver, when i do the same request in active directory it returns me the right answer. Here is my attribute specification in openldap : attributetype ( 1.3.6.1.4.1.31631.1.1.2.1.1 NAME 'binarysid' DESC 'binary object' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) and here is the data inserted in this attribute : binarysid:: AQUAAAAAAAUVAAAA77+9OzJ577+9Ve+/vVEdA2pm77+977+9AAA= if i request my openldap with this filter : filter="(&(objectClass=inetOrgPerson)(binarysid=\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00))" No answer is returned, but when i request the active directory with this filter : filter="(&(objectClass=user)(objectsid=\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00))" He returns me the right answer... Do i have a problem with my attribute in openldap? if someone could help me, I will really appreciate. Thanks -- Armando Martins

2 2

Re: RHEL7 OpenLDAP server is not enforcing password expirations
by Real, Elizabeth (392K) 02 Sep '15

02 Sep '15

Dan, I have RHEL5 ldap clients using pam_unix.so and pam_ldap.so directives and these do honor the ldap user password expiration, no issues at all. The /var/log/secure file shows: error: PAM: User account has expired However, the two RHEL7 ldap clients using the pam_unix.so and pam_sss.so directives do not even see/know that the user ldap password has expired. When I change the directive from pam_sss.so to pam_ldap.so, the client cannot communicate with the ldap server. RHEL5 /ETC/PAM.D/system-auth file: auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type=LINUX minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok md5 shadow remember=24 password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so RHEL7 CLIENTS /ETC/PAM.D/: password-auth file: auth sufficient pam_sss.so use_first_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so system-auth file: auth sufficient pam_sss.so use_first_pass account [default=bad success=ok user_unknown=ignore] pam_sss.so password sufficient pam_sss.so use_authtok session optional pam_sss.so Thank you, Liz From: Dan White <dwhite(a)olp.net<mailto:dwhite@olp.net>> Date: Friday, August 28, 2015 at 7:13 AM To: Elizabeth Real Chavez <Elizabeth.Real(a)jpl.nasa.gov<mailto:Elizabeth.Real@jpl.nasa.gov>> Cc: "openldap-technical(a)openldap.org<mailto:openldap-technical@openldap.org>" <openldap-technical(a)openldap.org<mailto:openldap-technical@openldap.org>> Subject: Re: RHEL7 OpenLDAP server is not enforcing password expirations On 08/27/15 22:56 +0000, Real, Elizabeth (392K) wrote: I’ve done a lot or research and re-read the OpenLDAP configuration guides but I cannot get my OpenLDAP 2.39 server to not allow users with expired passwords to login to ldap enabled clients. What directive in the /etc/pam.d/ files controls the users password expiration attribute? pam_unix or pam_ldap? That depends on your configuration. Consult the pam project's to determine that: http://www.linux-pam.org/ pam_ldap is a 3rd party product, so you'll need to consult it's documentation to see how expiration is handled, if at all. nssov, which is distributed with OpenLDAP, explicitly supports it. In the case you are using, or wish to use, pam_unix with an ldap nss module, expiration might be represented as an attribute underneath the user's DN. See its documentation for details. Setup: Server: RHEL7 OS Software: OpenLdap 2.4.39 server using slapd service Client: RHEL7 OS Software: enabled Ldap via authconfig, using sssd service -- Dan White

1 2

Unique Overlay: attribute mail
by Simone Taliercio 02 Sep '15

02 Sep '15

Hi All! I'm trying to enforce the fact that the mail attribute has to be unique. In order to do it I tried to enable the unique overlay. Unfortunately, OpenLDAP still allow to insert an object with the same mail value. I cannot understand where the wrong configuration occurs. My config is still based con slapd.conf . I've recompiled OpenLDAP with the following steps: a) ./configure --enable-modules=yes --enable-rlookups=yes --with-tls --with-cyrus-sasl --enable-mdb=yes --enable-bdb=yes --enable-monitor=yes --enable-unique b) make depend c) make d) make install Then, I added those lines to my slapd.conf overlay unique unique_uri ldap:///?mail?sub So, my develop slapd.conf looks like the one below now. Thanks a lot for any hints you can give me! Simone === slapd.conf ==== include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args database config rootdn "cn=admin,cn=config" # Security - TLS section TLSCACertificateFile /certs/CA.pem TLSCertificateFile /certs/certificate.cer TLSCertificateKeyFile /certs/company.key TLSCipherSuite TLSv1+RSA:!NULL TLSVerifyClient never # Use LMDB database. database mdb overlay unique suffix "dc=com" rootdn "cn=Manager,dc=com" maxsize 16058941440 rootpw secret directory /usr/local/var/openldap-data/databases/com index mail eq index cn eq index objectClass eq # mail is a unique attribute unique_uri ldap:///?mail?sub? access to dn.subtree="ou=user,dc=company1,dc=com" attrs=cn,sn,givenName,mail,userPassword by dn.exact="cn=specificuser,ou=user,dc=company1,dc=com" search by anonymous auth access to dn.subtree="ou=user,dc=company2,dc=com" attrs=cn,sn,givenName,mail,userPassword by dn.exact="cn=specificuser,ou=user,dc=company2,dc=com" write by anonymous auth access to dn.subtree="dc=com" by users read by anonymous auth

3 10

load balancer
by Eileen(=^ω^=) 02 Sep '15

02 Sep '15

Hi team, I have two LDAP servers using mirrormode. I want to run a FREE service to achieve load balancer for these servers. Due to i can't find any load balancer information in OpenLDAP-Admin-Guide, so my question is which kind of service do you advice for load balancer, or which kind service openldap supported? THANKS & REGRADS

7 6

"olcSizeLimit: size.prtotal=disabled" ignored?
by Igor Shmukler 02 Sep '15

02 Sep '15

Hello, I am running OpenLDAP 2.4.31. Tried to disable simple paged results - rfc 2696 with: dn: cn=config changetype: modify replace: olcSizeLimit olcSizeLimit: size.prtotal=disabled The ldapmodify(1) does not complain, yet the change does not affect my server. My goal is to have clients receive something like "Unavailable Critical Extension" as a response. Is what I am attempting to do expected to disable simple paged results for all clients [and DITs]? Is it even possible? Am I going right about disabling paging control? Thank you, Igor Shmukler

2 12

Send Success with first found entry
by Fischer, Johannes 02 Sep '15

02 Sep '15

Hi again, more and more I get a feeling how all this work together. But often you don't know what you actually need to look up... I've looked on the LDAP server of the Institute to get a feeling how the real IT-guys managed their server... (It was a disaster from a data protection perspective...) Some things were quit nice, for example that the server send a "success" with the first found entry in a subtree. On my openLDAP instance I receive a entry of a subtree after 20-30ms but the success packet need 200ms. For me this behavior is not clear due to the fact, that the entries in the directory need to be unique. The Example: I'm using the Spring security framework and trigger with "ldapTemplate.lookup("cn=" + _name + ",dc=users");" a lookup. On wireshark I see a search request with the scope "baseObject" and The Filter "objectClass=*". After 33ms I receive a searchResEntry packet, so the Server found something and could also stop. But I think in the background all the other entries in the Subtree "dc=users", are looked through also. After 230ms the success packet arrive at my computer. (see also Attachment) My Question, is there a possibility to emit a success together with the first found entry? Greetings and thanks John -- Johannes Fischer Research Fellow Fraunhofer Institute for Manufacturing Engineering and Automation IPA Competence Centre Digital Tools for Manufactoring Nobelstrasse 12 │ 70569 Stuttgart | Germany Phone +49 711 970-1217 Johannes.Fischer(a)ipa.fraunhofer.de<mailto:Johannes.Fischer@ipa.fraunhofer.de> www.ipa.fraunhofer.de<http://www.ipa.fraunhofer.de/> [cid:image003.png@01D0E165.1BE01080]

2 4

SASL/EXTERNAL not available
by Frank Crow 02 Sep '15

02 Sep '15

Hi, I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use client-side certificates via the SASL/EXTERNAL mechanism. I have successfully configured server-side certs with TLS and was wanting to expand my configuration on the client-side. If set the TLSClientVerify to "allow" or "try" and attempt to use "-Y EXTERNAL", I get the following message: SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL (-4): no mechaism available: If I do a search on the DSE, I get the following available methods: dn: supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: LOGIN supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: PLAIN I know that other people are using this but nobody (here at work) knows why my particular configuration is getting this error. Can anyone help me figure this out? Thanks, -- Frank Crow

4 5

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical