openldap-technical

openldap-technical@openldap.org

9951 discussions

Meaning of "ppolicy_bind: Setting warning for password expiry for ... = 0 seconds"?
by Ulrich Windl 06 Nov '14

06 Nov '14

Hi! Can someone explain what this message is actually saying: slapd[3990]: ppolicy_bind: Setting warning for password expiry for uid=testuser,ou=domain,dc=org = 0 seconds Does this mean a user who mistyped his password before logged in successfully now? I saw no change to the LDAP database after this message, so what is changed, and where is it cahnged? Also those "0 seconds" don't match my password policy, which looks like this (still testing): -- objectClass: namedObject objectClass: pwdPolicy cn: PP-Default pwdAttribute: userPassword pwdMinAge: 30 pwdMaxAge: 86400000 pwdInHistory: 3 pwdCheckQuality: 1 pwdMinLength: 8 pwdExpireWarning: 604800 pwdGraceAuthNLimit: 5 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxFailure: 10 pwdFailureCountInterval: 1209600 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdSafeModify: FALSE -- I'm running SLES11 SP3... Regards, Ulrich

2 3

is there hardware inventory schema?
by Zeus Panchenko 05 Nov '14

05 Nov '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 greetings, please advise, is there schema or what will it be correct to use, for hardware inventory data to be stored in LDAP (except custom schema)? perhaps I'm not the first who asks that ... - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRXWVUACgkQr3jpPg/3oyo4uwCgxUA5AwR6x2r2idQsAYXZSYgM UHYAoK6uQ87UL2K/k6NlW/1Ns6h1a+Hh =GvDb -----END PGP SIGNATURE-----

3 4

Migrating from BDB to LMDB
by Michael 04 Nov '14

04 Nov '14

Good evening - I would like to upgrade my OpenLDAP servers and migrate from BDB to LMDB. What is the recommended path for doing this? Can I simply take a dump with slapcat while using BDB and then run a slapadd on the resulting LDIF after changing the configuration to MDB? -Mike

2 2

Trying to switch from bdb to mdb
by Jerry 04 Nov '14

04 Nov '14

I am running OpenLDAP on a FreeBSD-10 amd 64 machine. It is installed via the FreeBSD ports system and I compile it on my machine. I recently wanted to switch from BDB since versions greater than 6 are not acceptable to OpenLDAP. I wanted to use "mdb", but I just cannot seem to get it configured correctly. I changed the "database bdb" to "database mdb" but when I try to start openLDAP, I get this error: Starting slapd Unrecognized database type (mdb) Warning: failed to start slapd I removed the existing database, so it should be starting up with a clean environment, but the problem continues. This is probably a problem specific to FreeBSD. If any user of FreeBSD has this working, I would love to see how they configured it. Feel free to contact me off list if it is more convenient. Thanks! -- Jerry

7 21

Kernel segfault slapd
by Scot Hollingsworth 04 Nov '14

04 Nov '14

Issue: slapd keeps crashing about twice a day on multiple servers. I updated the kernel and openldap but still see the problem. Anyone point me in the right direction? Log: kernel: slapd[4435]: segfault at 4 ip 00d1984f sp acc3d270 error 4 in slapd[bcc000+215000] System: openldap-2.4.39-8.el6.i686 openldap-clients-2.4.39-8.el6.i686 openldap-servers-2.4.39-8.el6.i686 Kernel: 2.6.32-504.el6.i686 -- Thanks. Scot H -- The mission of the Rankin County School District is to prepare every student with the cognitive and social skills necessary to be productive members of an ever-changing global society. -- This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error.

4 4

journal of changes
by Zeus Panchenko 03 Nov '14

03 Nov '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, is there way to have something like, I'd call, "journal of changes" where it could be saved all changes (modifications and deletions in particular) for each object what I'm talking about is *whole* history of the actions the object has undergone after creation - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRHeGUACgkQr3jpPg/3oyrwuQCgygBCJzX239kZSvAWUj+eDarN adwAni+d1KSGElOeeHBw10zXb400pSzG =QEn7 -----END PGP SIGNATURE-----

2 2

Windows Server 2012 R2 - TLS 1.2 connection errors
by Jeff Lebo 02 Nov '14

02 Nov '14

Have had a public facing OpenLDAP server setup pointing to Windows Server 2008 on the back end for auth. AD servers are being migrated to Server 2012 R2, and I see this error on the Windows side when OpenLDAP tries to authenticate to them: "An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed." "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205." I've spent the last few days trying different configs, and reading Microsoft forums, and haven't been able to figure it out. Apparently MS changed the TLS configs with 2012R2 and it doesn't support a key length I am using. I've tried to disable TLS 1.2 on the OpenLDAP side using TLSCiperSuite in slapd.conf, but OpenLDAP fails to start with "main: TLS init def ctx failed: -1".

2 3

Re: Need information on alock file in data directory of OpenLDAP 2.4.39
by pramod kulkarni 01 Nov '14

01 Nov '14

I am runing slapcat command like this, slapcat -f slapd.conf -l backup.ldif is it wrong ? On Thu, Oct 30, 2014 at 10:20 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, October 30, 2014 11:16 PM +0100 pramod kulkarni < > pammu.kulkarni(a)gmail.com> wrote: > > > 5452a973 The first database does not allow slapcat; using the first >> available on e (2) >> > > You're running slapcat incorrectly if you get this message. > > In any case, as already noted, the correct solution is to move to using > back-mdb, and stop using the deprecated BDB based backend. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

6 8

Re: Kernel segfault slapd
by Dominik George 31 Oct '14

31 Oct '14

Hi Scott, > Thanks for responding Nik. I have rsyslog 5.8.10-9 running but I do see > the following.... > > rsyslogd-2177: imuxsock lost 426 messages from pid 17944 due to > rate-limiting > > > This is repeated multiple times. I guess that 17944 is the PID of your running slapd. In this case, you are having the same issue as I once had - slapd will segfault sometimes when syslog drops its messages. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689025 Updatign to Debian wheeze fixes the issue. -nik

3 3

Re: Replication restores deleted user
by Quanah Gibson-Mount 31 Oct '14

31 Oct '14

--On Friday, October 31, 2014 4:13 PM -0400 kevin sullivan <kevin4sullivan(a)gmail.com> wrote: > > > > > > Quanah, > > Thank you for the suggestion to move to delta-syncrepl MMR. > Unfortunately, I am having problems setting this up properly. After > reading through some documentation, I thought it would be simple but when > I bring up slapd on my two servers, they both start using around 100% CPU > and in the debug output the two servers are constantly looping through > all of the objects in my DIT and saying that the objects have not changed: > > 5453d6b5 @(#) $OpenLDAP: slapd 2.4.39 (Jun 18 2014 05:19:18) $ > > mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap > -2.4.39/openldap-2.4.39/build-servers/servers/slapd > 5453d6b5 hdb_monitor_db_open: monitoring disabled; configure monitor > database to enable > 5453d6b5 slapd starting > ... > 5453d6b5 syncrepl_message_to_entry: rid=001 DN: dc=example,dc=com, UUID: > 1cfcd560-f564-1033-9f47-b521eabdb6ad > 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) > 5453d6b5 syncrepl_entry: rid=001 inserted UUID > 1cfcd560-f564-1033-9f47-b521eabdb6ad > 5453d6b5 dn_callback : entries have identical CSN dc=example,dc=com > 20141031161001.910968Z#000000#000#000000 > 5453d6b5 syncrepl_entry: rid=001 be_search (0) > 5453d6b5 syncrepl_entry: rid=001 dc=example,dc=com > 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored > (dc=example,dc=com) > 5453d6b5 syncrepl_message_to_entry: rid=001 DN: > ou=users,dc=example,dc=com, UUID: 1cfe8cf2-f564-1033-9f48-b521eabdb6ad > 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) > 5453d6b5 syncrepl_entry: rid=001 inserted UUID > 1cfe8cf2-f564-1033-9f48-b521eabdb6ad > 5453d6b5 dn_callback : entries have identical CSN > ou=users,dc=example,dc=com 20141031161001.922234Z#000000#000#000000 > 5453d6b5 syncrepl_entry: rid=001 be_search (0) > 5453d6b5 syncrepl_entry: rid=001 ou=users,dc=example,dc=com > 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored > (ou=users,dc=example,dc=com) > ..... > 5453d6b5 do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT > 5453d6b5 do_syncrep2: rid=001 cookie= > ... Repeated forever ... > > Am I configuring something incorrectly? > > To refresh your memory, I am running 2.4.39-8. I have two servers > (server1 and server2) that I want to setup in delta-syncrepl MMR > MirrorMode. Hi Kevin, I stopped using the deprecated slapd.conf format years ago, as it's prone to misuse and incorrect setup. Your supplied config is an example of why it's a bad idea to use slapd.conf (For example, you have serverID under the database section, when it's a global option, etc). I'd strongly advise you to switch to using cn=config so that you can have an actual validated configuration. It also makes troubleshooting a lot easier to do. Aside from that, your log simply shows the server comparing each entry between the two servers... Sounds like they didn't start out believing they were in sync and are trying to get there. Here's an example of my config, using cn=config (slapcat export) minus the schema: <http://pastebin.com/nv1WNX2y> --Quanah -- Quanah Gibson-Mount Server Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical