openldap-technical

openldap-technical@openldap.org

9 participants
9902 discussions

OpenLDAP storing password in SSHA
by parakrama55 . 11 Jun '15

11 Jun '15

Hi Guys Im adding users data to the ldap from external program or client , There im sending UserPasswrd in clear text . So Is there any configuration directive in opendap where we can force openldap to store receiving clear text password in SSHA format . Please advice Thank You Dhanushka

3 2

Error: ldap_back_is_proxy_authz returned 0
by Dominique Voest 11 Jun '15

11 Jun '15

Hi everyone, I have been testing and debugging a lot lately and cannot come to a solution, maybe you can help. I recently installed a new OpenLDAP Server (Debian Jessy) (OpenLDAP Version 2.4.40) which is used to proxy parts of the Active Directory. However, from time to time it is not able to get Entries (does not answer to querys but returns success) from the Active Directory. What I see in the logs is the following: Jun 10 11:37:38 openldap-proxy slapd[41657]: conn=1166 op=1 ldap_back_retry: retrying URI="ldaps://dc.ourdomain.com" DN="cn=ldap-binder,ou=serviceaccounts,dc= ourdomain,dc=com" Jun 10 11:37:38 openldap-proxy slapd[41657]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI? First of all, the URI is correct and the System works well during most of the time(except for this error), those "errors" only happen from time to time. The Strange thing is, that this new LDAP Server is running via the exactly same configuration as another OpenLDAP-Server which has been running over 2 Years now and the old OpenLDAP Server (Debian Wheezy) (OpenLDAP Version 2.4.31) does also show the first Log Entry from time to time (the ldap_back_retry one), But does not show the ldap_back_is_proxy_authz error afterwards. Furthermore it does also always return the right answer. For Debugging reasons I tried Wiresharking the Domain Controller, TCP-Dumping the LDAP-Server and the Client. The Traffic looks okay, in case of that error the OpenLDAP Server simply is asking the Domain Controller which returns Success but no results. Might it be Possible that the LDAP-Bind from the OpenLDAP System to the Active Directory expired and the OpenLDAP is not able to re-establish a new bind via the current Query? Since once this error occurs, the query right after the error works and then it takes some time until that error occurs again and due to the fact that in the older OpenLDAP Version it is working, could it be a Bug in the new OpenLDAP Version? I also looked in the Logs of the Domain Controller, everything is fine there. Furthermore I installed test OpenLDAP Systems (Centos[yum], OpenBSD[pkg] and one via compilation from sources via minimal module configuration) (2.4.40) and tried the same configuration there, same Problem. While googling and searching for a solution I stumbled across a guy having the same problem, reporting this 2013 to this mailing list. Someone suggested to add the Active Directory Schema to the OpenLDAP, which I did and which did not solve this issue. I tried adding the full schema as well as adding only Attributes and Object classes that are used. Problem still persists. Anyone of you has any suggestions? Does anyone have similar problems? Thank you for your time. Best Regards, Dominique Voest

1 0

Syncrepl issue with one node
by espeake＠oreillyauto.com 10 Jun '15

10 Jun '15

We are running openLDAP 2.4.39 in an MMR replication on Ubuntu 14.04. I have one node that is not wanting to sync with other nodes giving the following error: Jun 9 06:51:35 tn-ldap-a-1 slapd[3138]: do_syncrep2: rid=005 CSN too old, ignoring 20150609115135.153480Z#000000#003#000000 As you can see the CSN shows the exact same time the time that is being logged. We are in the U.S. Central timezone. I have checked our ntp service on my three nodes. All three are pointed to the same ntp and are in sync. Would be possible that one node might still be just a few miliseconds too fast and the csn timestamp would appear wrong? Is there a logging level I can set for that specific issue? I am currently logging the sync records. I can go to debug in needed. Thank you, Eric Speake Senior Systems Administrator Information Systems O'Reilly Auto Parts (417) 862-2674 Ext. 1975 This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

1 1

Get the decoded ldap password for openldap2.4.40
by PRATIK SINGAL 10 Jun '15

10 Jun '15

Hello Can any one help me to get the plain text password for ldap. While configuring ldap i have used the slappasswd to get teh encrypted value and stored in slapd.conf Is there any way to get the palin password based the encrypted one.I am using openldap 2.4.40 Regards, Pratik

3 2

Ldap-Back-SQL custom mysql
by Roger Ham 09 Jun '15

09 Jun '15

Hello all, this is my fisrt time. I hope you excume for my bad English. so, now my question I have a dhcp server who make queries to ldap, and ask for 2 fields: "sn" and "businessCategory" so I try to build a simple ldap schema on my poor experience i make a file.ldif like this: #################### dn: cn=00:03:13:bc:ba:10,ou=Customers,dc=atomsapp,dc=com sn: 1,6,00:03:13:bc:ba:10 businessCategory: 512kbps objectClass: inetOrgPerson #################### What I need to do or at least to get answer if is possible is know if I can make a unique mysql table to storage many data from customer, but 2 fiedls from the table are link to ldap "sn" and "businessCategory" I hope my explication was enoght about what I need. Thank you. -- Saludos! Atte. Roger Ham

1 0

Memory leak happening while using open ldap with free-radius and samba
by Adarsha S 07 Jun '15

07 Jun '15

Hi, I've integrated openldap-2.4.25 with free-radius 2.23 and samba 3.5.1 I've a setup where I used windows 2003 server for LDAP and debian Linux machine as radius server. when ever chase-referral is enabled, on restarting of windbind process, there is a memory jump happening in radiusd process. On disabling chase-refferal, the radiusd process works fine with no memory jump. radiusd process is using openlad 2.4.25 function calls for binding to LDAP server and search Please guide me how to identify this memory leak? Thanks, Adarsha

4 7

deleting pwdFailureTime attribute on slave
by David Magda 07 Jun '15

07 Jun '15

Hello, How do I delete the “pwdFailureTime” attribute on a slave? I have a DN where there are a bazillion pwdFailureTime entries and it’s filling up /var/lib/ldap/. I’ve tried the following LDIF: dn: uid=foo,ou=People,dc=example,dc=com changetype: modify delete: pwdFailureTime But since the system is slave, it’s giving ldapmodify(1) a redirect to the master. I’ve tried both the “-M” and “-e manageDSAit” options, and the redirects still occur. This is with 2.4.23 on Debian 6. Thanks for any info. Regards, David

1 0

slapo-accesslog and extended operations
by Michael Ströder 07 Jun '15

07 Jun '15

HI! First of all: For me slapo-accesslog is one of OpenLDAP's killer features. I'm currently wondering about logging of extended operations in particular Password Modify ext. op. I see the resulting auditModify entries but I'd also like to see eventually refused auditExtended entries (e.g. to see the Session Tracking Control sent by the client). Reading access.c it seems that this is currently not supported. Is that right? With a config directive logops writes extended(1.3.6.1.4.1.4203.1.11.1) like described in slapo-accesslog(5) slapd does not even start. Ciao, Michael.

1 0

DIT and ALC: design phase.
by Simone Taliercio 07 Jun '15

07 Jun '15

Hi all, I'm still a newbie about openLDAP, but I need already to get the right choice in this design phase in order to avoid terrible troubles in the next future :) *How would you map the following scenario as for DIT and ACL (olc) ?* We have two companies: *wiki.com <http://wiki.com>* and *grape.jp <http://grape.jp>*. # Data set a) *wiki.com <http://wiki.com>* is the one hosting openLDAP and has several user accounts registered into. b) *grape.jp <http://grape.jp>* can create user accounts in the same openLDAP hosted by *wiki.com <http://wiki.com>* # Authorization c) *wiki.com <http://wiki.com> *can see and manage all the user accounts. d) *grape.jp <http://grape.jp>* can manage only user accounts created by itself. I'm thinking at the following configuration: one database called "dn=wiki,dn=com" which requires objects with following schema dn: mail=user1(a)wiki.com <http://wikitude.com/>,dc=wiki,dc=com objectclass: inetOrgPerson cn: <user1 nickname> givenname: <user1 first name> mail: user1(a)wiki.com <test.fromcmdline(a)wikitude.com> sn: <user1 surname> userPassword: aNiceEncryptedPassword o:<either wiki.com or grape.jp depending on who has created the user> and then setting a proper ACL (olc) on the attribute '*o*' in order to defined who can access what (but on this side I need still to understand A LOT). My configuration is driven from the fact I need also to integrate Liferay 6.1 which needs to see all the user accounts :-( Let me thank you for having read till here! Any suggestion and/or reference would be highly appreciated. Best Regards, Simone P.s. I was looking also for a good guide/book on Amazon, but everything looks quite outdated...

1 0

how do I add olcDbCachesize to my ldap
by Greg Jetter 04 Jun '15

04 Jun '15

Greetings: I'm running openldap 2.4.31 on ubuntu 12.04 , I want to set the cache size for entries to 200,000 I created a ldif : -- leading blank line -- dn: olcDatabase={1},cn=config changetype: modify add: olcDbCachesize olcDbCacheSize: 200000 I get the following : greg@Catbert:~/LDAP3$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f AddCatchSize.ldif modifying entry "olcDatabase={1},cn=config" ldap_modify: No such object (32) matched DN: cn=config I tried a ldap modify as well : greg@Catbert:~/LDAP3$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f AddCatchSize.ldif [sudo] password for greg: modifying entry "olcDatabase={1},cn=config" ldap_modify: No such object (32) matched DN: cn=config The back end is "hdb" , with 140,000 entries ... my olcDatabase ldif is : # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 05be5fce dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=acsalaska,dc=net olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=acsalaska,dc=net" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by self write by dn="cn=admin,dc=acsalaska,dc=net" write by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=acsalaska,dc=net olcRootPW:: ***** removed ********* olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: cdmadauserstatus eq,pres,sub olcDbIndex: cdmadamdn eq,pres,sub olcDbIndex: cdmadamin eq,pres,sub olcDbIndex: cdmaesn eq,pres,sub olcDbIndex: cdmamin eq,pres,sub olcDbIndex: cdmadaTetherAccess eq,pres olcDbIndex: username eq,pres,sub olcDbIndex: cdmameid eq,pres,sub olcDbIndex: cdmadaroamstatus eq,pres,sub olcDbIndex: uid eq,pres,sub structuralObjectClass: olcHdbConfig entryUUID: 1da37b42-815d-1034-96f3-b93aabbbf11e creatorsName: cn=config createTimestamp: 20150427191239Z entryCSN: 20150428201620.191818Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20150428201620Z What am I doing wrong ? all the documentation I have read says olcDbCachesize object should exist ... any thoughts would be greatly appreciated Than you Greg Jetter.

3 6

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical