openldap-technical

openldap-technical@openldap.org

9 participants
9902 discussions

authentication for users in referral branch
by Wu, James C. 03 Jan '13

03 Jan '13

Hi, I have sent out a relevant email about this issue before but the context was a little bit complicated. So I simplified the settings and post this issue again, hoping to get more attentions from this mailing list. I am trying to set up a testing environment in which there are two openldap servers and have one server (externalldap) refer to the second server (internalldap) for some users in a subtree (sub.example.com). Both servers contains some POSIX users. However, I could not get the authentication for the users in the referral branch to work. For example, this command fails. ldapwhoami -d -1 -x -H ldap://externalldap -D "uid=mark,ou=People,dc=sub,dc=example,dc=com" -w password The log of the externalldap shows as follows: 50e6279d bdb_dn2entry("uid=mark,ou=people,dc=sub,dc=example,dc=com") 50e6279d => bdb_dn2id("dc=example,dc=com") 50e6279d <= bdb_dn2id: got id=0x1 50e6279d => bdb_dn2id("dc=sub,dc=example,dc=com") 50e6279d <= bdb_dn2id: got id=0x6 50e6279d => bdb_dn2id("ou=people,dc=sub,dc=example,dc=com") 50e6279d <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988) I am wondering why the externalldap did not just send the client the uri of the referral ldap box and have the client connect directly to the internalldap instead. Similarly error also happened when I use ldapsearch command ldapsearch -d -1 -x -H ldap:// externalldap -D "uid=mark,ou=People,dc=sub,dc=example,dc=com" -w password -CC The referral record is defined as follows and added into the external ldap using ldapadd command. dn: dc=sub,dc=example,dc=com objectClass: referral objectClass: extensibleObject dc: sub ref: ldap://10.42.13.212/dc=sub,dc=example,dc=com The slapd.conf of both the external and the internal ldap are defined as follows: #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=example;dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw password directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq TLSCACertificateFile /etc/pki/tls/certs/example_cert.pem TLSCertificateFile /etc/pki/tls/certs/example_cert.pem TLSCertificateKeyFile /etc/pki/tls/certs/example_key.pem # configure the SASL parameters sasl-host localhost sasl-secprops none For the client, I am just using the default settings. I believe referral chasing is enabled by default in the ldap client library. I have spent more than two weeks on this problem and the project is delayed quite a lot. Referral in LDAP has been in RFC for more than five years. I can not believe that OpenLDAP's implementation of referral can't handle authentication. Can anyone kindly let me know what is missing from my setup? Regards, James

1 0

referral authentication
by Wu, James C. 03 Jan '13

03 Jan '13

Hi Kurt, I saw you once replied a question by Ming Hou about referral authentication. Could you let me know how to do it? I read through the man pages slap and slapd-ldap and still could not have it work. http://linux.die.net/man/5/slapd-ldap http://linux.die.net/man/8/slapd the rebind-as-user option does not seem to be supported by openldap. Regards, James

1 0

Re: Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing
by fal patel 03 Jan '13

03 Jan '13

Hey Quanah, Oh no, my question was whether an arbitrary external variable (eg. URI1) could be set (eg. to ldap://host1.hq.mycompany.com:389/) inside an LDIF file and used in subsequent places in the file. (to avoid having to type in the value in multiple places). I suppose not? Assuming not, I typed in each value into all its relevant places in my LDIF file and re-ran slapadd. Now it gives me the following error (on latest redhat 64bit): loaded module syncprov.la *module syncprov.la: null module registered* Surely the above message signifies an error? Anyway, processing continues until it gives the following final error: >>> dnPrettyNormal: <cn=config> <<< dnPrettyNormal: <cn=config>, <cn=config> *<= str2entry: str2ad(changetype): attribute type undefined* slapadd: could not parse entry (line=48) Could you please advise? I have no clue as to what is going wrong. I have attached the LDIF file "nwaymmr2s.ldif" and the debug output from running the command slapadd -d -1 -v -F /etc/openldap/slapd.d -n 0 -l /etc/openldap/nwaymmr2s.ldif >& output.txt. Also, do I need to run slappasswd and copy the hash value from it into my LDIF' file's olcRootPW field value? Or can I just keep the original value, "secret"? And a final question, please: Why does the data replication (unlike the config replication, which does operate in refreshAndPersist mode) have to operate in refreshOnly mode? Why can't it operate in refreshAndPersist mode? Thank you very much. Fal On Mon, Dec 31, 2012 at 12:49 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Monday, December 31, 2012 9:49 AM -0800 fal patel < > fal0patel(a)gmail.com> wrote: > > Hey Quanah, >> >> Thank you very much for the debugging tip! -- Using it I got further in. >> Now I get an error "<= str2entry: str2ad(UR1): attribute type undefined". >> I must be setting my external variables (such as UR1) incorrectly in my >> LDIF file. >> What is the correct syntax for setting them, please? >> I tried each of the following sentences, none of which worked: >> URI1: ldap://host1.hq.mycompany.com:**389/<http://host1.hq.mycompany.com:389/> >> URI1: ldap://host1.hq.mycompany.com:**389<http://host1.hq.mycompany.com:389> >> URI1: "ldap://host1.hq.mycompany.**com:389/<http://host1.hq.mycompany.com:389/> >> " >> URI1="ldap://host1.hq.**mycompany.com:389/<http://host1.hq.mycompany.com:389/> >> " >> URI1="ldap://host1.hq.**mycompany.com:389<http://host1.hq.mycompany.com:389> >> " >> URI1 ldap://host1.hq.mycompany.com:**389/<http://host1.hq.mycompany.com:389/> >> > > There is no URI bit in the admin guide. I highly advise you go re-read > it. What you posted is clearly invalid. > > From the admin guide: >> > > ------------------------------**----------------------- > > Now we setup the first Master Node (replace $URI1, $URI2 and $URI3 etc. > with your actual ldap urls): > > > dn: cn=config > changetype: modify > replace: olcServerID > olcServerID: 1 $URI1 > olcServerID: 2 $URI2 > olcServerID: 3 $URI3 > > ------------------------------**----------------------- > > I.e. the attribute name is "olcServerID". > > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

5 7

sasl Kerberos authentication with subordinate
by Wu, James C. 02 Jan '13

02 Jan '13

Hi, I am trying to set up an OpenLDAP and Kerberos authentication for testing purpose. The setup contains a pair of internal ldap server and Kerberos server and the pair of external ldap server and Kerberos server. I made the tree of the internal ldap server to be a subordinate of the external server and enabled the saslauthd for authentication on both the internal and the external ldap server to the respective Kerberos server. I have tested that the LDAP authentication through saslauthd using Kerberos works well on both the internal ldap and Kerberos pair and the external ldap Kerberos pair. However, when I point the client machine to the external ldap server and the add the subordinate relationship, I could not get the authentication for the uses in the internal ldap directory to work. For example, when I used "su - peter" where peter is a user in the external ldap server and the password is {SASL}peter(a)EXAMPLE.COM<mailto:%7bSASL%7dpeter@EXAMPLE.COM>. The authentication works. However, when I use "su - James" where james is a user defined in the internal ldap server with password {SASL}james(a)SUB.EXAMPLE.COM<mailto:%7bSASL%7djames@SUB.EXAMPLE.COM>, then the authentication failed. I check the log file, the internal server did get the search request forwarded from the external ldap server and returned the correct information back. However, I did not see the saslauthd process on either the external or the internal ldap server get any inquiry for the authentication. I tried to modify the /etc/krb5.conf and added the realms for both EXAMPLE.COM and SUB.EXAMPLE.COM. Still, the authentication does not work for users defined in the internal ldap server. Could anyone give me some hints for this issue? james

2 12

MDB Newbie
by Kyle Smith 02 Jan '13

02 Jan '13

Greetings and Salutations. December 20, I converted from bdb to mdb. Now my memory usage looks like this: http://faculty.ycp.edu/~ksmith8/openldap_stats.png I am concerned with the graph for "superman". How can I start tracking down the usage and why almost 50% of my memory is being consumed. These 4 are in MMR and are 2.4.33 and are nearly exact in server specification. Thanks in advance! Kyle Smith

2 1

Ldap db is corupt
by Jorge Armijo 02 Jan '13

02 Jan '13

Hi my friends i have the next problem when mi server is down for electrical fails my ldap db is corrupt I need some procedure to restore de db because until this moment I restore but from a backup but i thing that is not the better strategy I realy need your help!!!!!!! Atento a sus comentarios Jorge Armijo Ingeniero de Soporte Soporte Libre Cia. Ltda. D: Hernandez de Giron Oe4-175 y Vasco de Contreras T: +593 (2) 331-9027 F: +593 (2) 243-1103 @: jorge.armijo(a)soportelibre.com www.soportelibre.com

2 1

GDM + pwdPolicy problem
by cbulist 02 Jan '13

02 Jan '13

Hi, We have a problem using Red Hat 5.7, gdm 2.16.0-59 y pwdPolicy. When an account gets pwdMaxAge limit and the user try to login using GUI the user doesn't receive any warning about expiration account, it just requests the user and password like a normal login and it fail. The warning works if the user try login by SSH. If we use pwdReset the user get the warning message and it is able to change the password. We comment pwdPolicy rules and using shadow attributes gdm works fine. We tried the same configuration with a Red Hat 6 server and everything works fine but we are not able to change our Red Hat version now. Our requirements are keep the password history and we tried pam_unix remember=3 option in /etc/pam.d/system-auth with /etc/security/opasswd but It did not work. We can go with shadow attributes as long as we keep the password history. Any idea? Thanks in advance!

2 1

olcToolthreads and slapadd -n0
by Василий Молостов 01 Jan '13

01 Jan '13

i have migrated server side config for my db and I have found some strange behavior of slapadd: I've got started migration from converting slapd.conf containing my db config and a 'tool-threads' parameter (with value above 1) into common ldif file, in which an 'olcToolThreads' was defined appropriately (i.e above 1). It was the simplest and clear step. The next step was to 'slapadd -n 0' this ldif file into an empty server config (having slapd stopped), but just at adding 'cn=config' object (which contains olcToolThreads with value > 1) 'slapadd' stuck indefinitely at shed_yelds() call (I have observed this via strace tool from ubuntu). So as a result slapadd had been in processing its operation indefinitely without any output but was capable to stop working by Ctrl-C handler. Setting olcToolThreads to 0 or 1 has solved this problem. I dont know is this a bug or my misconfiguration?

3 2

missing structuralObjectClass
by Dusty Doris 01 Jan '13

01 Jan '13

I recently migrated a client's ldap directories to new servers. I setup replication from the new servers to the old servers to do the initial build of the directory and to keep up to date with changes before the cutover. In the process we also moved from 2.4.12 to 2.4.33. I've run into an issue since then with an object that was missing a structuralObjectClass. When we try to commit modifications to that object, we received an error that says: ldap_modify: Other (e.g., implementation specific) error (80) additional info: no structuralObjectClass operational attribute Doing a search on that object with +, shows that it is in fact missing a structuralObjectClass. Other users that we can modify, show that they do have that attribute. I was able to solve this problem by doing an ldapsearch on the user and saving to an ldif, ldapdelete the user, then ldapadd the user back from the ldif file. When re-adding that user, the structuralObjectClass was created. It looks like about 50% of our objects are missing that attribute. To get those numbers, I am searching with: '(&(objectClass=*)(!(structuralObjectClass=*)))' + VS '(&(objectClass=*)(structuralObjectClass=*))' + What would be the best way for me to fix these issues on every object that is missing the structuralObjectClass? Also, in the future, would you recommend I do a slapcat/slapadd or something like that to populate a new database instead of letting syncrepl load it for me? Would that have fixed this problem from the start? Thanks for any suggestions. - Dusty Doris

2 3

Re: Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing
by fal patel 31 Dec '12

31 Dec '12

Hey Quanah, Thank you very much for the debugging tip! -- Using it I got further in. Now I get an error "<= str2entry: str2ad(UR1): attribute type undefined". I must be setting my external variables (such as UR1) incorrectly in my LDIF file. What is the correct syntax for setting them, please? I tried each of the following sentences, none of which worked: URI1: ldap://host1.hq.mycompany.com:389/ URI1: ldap://host1.hq.mycompany.com:389 URI1: "ldap://host1.hq.mycompany.com:389/" URI1="ldap://host1.hq.mycompany.com:389/" URI1="ldap://host1.hq.mycompany.com:389" URI1 ldap://host1.hq.mycompany.com:389/ This is the command I execute (after removing all contents from slapd.d): slapadd -d -1 -v -F /etc/openldap/slapd.d -n 0 -l /etc/openldap/nwaymmr.ldif >& output.txt For completeness I've attached my LDIF file "nwaymmr.ldif" and the output "output.txt" utilizing the first line above. Thank you very much, in advance. Fal On Sat, Dec 29, 2012 at 9:02 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Saturday, December 29, 2012 9:01 AM -0800 fal patel < > fal0patel(a)gmail.com> wrote: > > (3) Where It's Failing: >> ================= >> I first executed the following: >> >> slapadd -v -F /usr/local/etc/openldap/slapd.**d -b bdb -l mmr.ldif >> > > This is nonsensical. You are adding a cn=config DB. Thus you cannot use > a base of "bdb". Remember that -b is the suffix you are adding (in this > case, cn=config). Not the database type. > > > So I suppose I must create the database beforehand? >> > > No. But the directory (/usr/local/etc/openldap/**slapd.d) must exist > before slapadd will work. > > I would suggest you run: > > slapadd -d -1 -v -F /usr/local/etc/openldap/slapd.**d -n 0 -l mmr.ldif > > So you can see exactly why it is failing. My guess is you didn't create > the directory. > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical