openldap-technical

openldap-technical@openldap.org

3 participants
9937 discussions

slawpo-rwm attributes concatenation
by Benin Technologies 10 Dec '12

10 Dec '12

Hi, What would be the best way to concatenate several attributes into one (maybe with slapo-rwm and back-relay ?). I know LDAP is a data container, and not a fancy string generator, but I see no other way around this. An example : my directory contain an inetOrgPerson (say John Doe) with 3 telephoneNumber attributes, say 101010, 202020 and 303030. I access this directory with 2 clients : the first client displays the data in the right fashion: cn: John Doe telephoneNumber:101010 telephoneNumber:202020 telephoneNumber:303030 But the second client only displays only one telephoneNumber attribute, so it displays: cn: John Doe telephoneNumber:101010 Given the fact that I have no way to modify the client's source code, how could I do to display all 3 phone numbers ? An idea would be to use rwm with back-relay and do some server side string generation, in order for the second client to retrieve : cn: John Doe telephoneNumber:101010/202020/303030 is there a way to do this ? BT

3 4

LDAP database timeout settings
by Bryce Powell 10 Dec '12

10 Dec '12

Hi, I have configured two LDAP backend databases, each pointing to a difference Active Directory domain (multiple domain controllers specified per domain). After a period of time after slapd starts, the ldap log file shows multiple entries like this for the various connections (conns=nnnn): Dec 10 13:18:03 vmxxxldap01 slapd[7826]: conn=1004 op=27 SEARCH RESULT tag=101 err=1 nentries=0 text=000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 Without going into too much detail regarding the configuration, I'm wondering if I need to specify LDAP database configuration settings for: idle-timeout network-timeout man slapd-ldap: idle-timeout <time> This directive causes a cached connection to be dropped an recreated after it has been idle for the specified time. network-timeout <time> Sets the network timeout value after which poll(2)/select(2) following a connect(2) returns in case of no activity. The value is in seconds, and it can be specified as for idle-timeout. I don't understand the explanation for network-timeout though, and am hoping someone can kindly explain it in more detail, and suggest a scenario for its appropriate usage. Also, when is it appropriate to use the ldap.conf NETWORK_TIMEOUT setting? man ldap.conf: NETWORK_TIMEOUT <integer> Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity. Could someone please suggest the best approach for my use case? Of course, I might also be completely off the mark here ... Thanks Bryce Powell

1 0

LDAP DIT Design
by Valentin Bud 10 Dec '12

10 Dec '12

Hello World, I am using OpenLDAP for quite some time now, a few months. I have set up a simple directory following DNS, RFC2247, directory structure, `dc=company,dc=com`. I use the directory to store POSIX accounts. Now I want to extend the directory to store application configuration, starting with Postfix virtual domains and maps. I would also like to store Kerberos principals in the future. For now I have three companies I want to use OpenLDAP for. Each of this companies have part of the above services in their premises and in some datacenters. I would like to configure replication between the datacenter and the premise. Maybe more companies will be added to the mix in the future. Do you think it would be safe to use an empty suffix "" and go with RFC2247 structure downwards? " " | | + - - - - - - - - + - - - - - - - - + | | dc=net dc=com | | dc=compX + - - - - - - + - - - - - - + | | dc=compA dc=compB I think this way it would be easy to replicate `dc=compA,dc=com` from the datacenter servers to the on-premise ones. Also this would keep things simple (?). Each company would get an `ou` for people and one for groups. I would also want to add the fact that some directories will also be used to store Samba ID maps but I guess this makes no difference on how the directory in structured. What do you people think about this approach? If some of you have some information on the topic of DIT Design please share so I can learn more. Thank you. Cheers and Goodwill, v

2 1

OpenLDAP Sandbox on AWS/Eucalyptus
by Harold Spencer Jr. 09 Dec '12

09 Dec '12

Hey guys, I wanted to share a blog I recently published. It shows how to build an OpenLDAP server (from git) on Ubuntu 12.04 LTS in Amazon Web Services and Eucalyptus using cloud-init. Hope you enjoy. Any feedback would be greatly appreciated. http://blogs.mindspew-age.com/2012/12/08/openldap-sandbox-in-the-clouds/ _________________________ Harold Spencer, Jr. - Technical Support Engineer Eucalyptus Systems www.eucalyptus.com +1 805 845-8400 IRC: #eucalyptus #eucalyptus-devel Follow us on Twitter Like our Facebook Page Keep up-to-date with us _________________________

2 1

Openldap schema for services like Skype, Jabber, AIM, ….
by Bas van der Vlies 08 Dec '12

08 Dec '12

Hello, I needed to store information how to reach people, e.g.: * Skype * Jabber * AIM * Facetime * … I wanted to know if there is a schema for it or people write there own schema? I have read that there is an URI schema for this kind of services: * http://en.wikipedia.org/wiki/URI_scheme regards -- Bas van der Vlies mail: basv(a)sara.nl<mailto:basv@sara.nl> SARA - Academic Computing Services , Amsterdam, The Netherlands

2 1

rwm searchAttrDN rewrite skipping some rewrites
by Scott Koranda 08 Dec '12

08 Dec '12

Hi, I am using OpenLDAP 2.4.33 and the rwm overlay. I am attempting to remove ("hide") certain DN entries from returned queries. The rwm configuration looks like overlay rwm rwm-rewriteEngine on rwm-rewriteContext searchAttrDN rwm-rewriteRule "^employeeNumber=.*$" "$0" ":@" rwm-rewriteRule "cn=.*" "" "#" Without the rwm overlay the query with filter '(&(objectClass=groupOfNames)(cn=LVCGroupMembers))' member returns dn: cn=LVCGroupMembers,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=1377,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: cn=UWashingtonGroupMembers,ou=UWashington,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=19,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=1331,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=935,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=459,ou=people,o=internal,dc=wiki,dc=myorg,dc=org member: employeeNumber=876,ou=people,o=internal,dc=wiki,dc=myorg,dc=org <snip> I want to "hide" the members with DNs of the form "cn=*" (I want to squash the nested groups). With the rwm configuration above the hiding almost works--93 of member DNs are "hidden", but 3 are not: $ ldapsearch -D "<some bind dn>" -w password -x -LLL -b 'dc=wiki,dc=myorg,dc=org' -H ldaps://server.somewhere '(&(objectClass=groupOfNames)(cn=LVCGroupMembers))' member | grep cn dn: cn=LVCGroupMembers,ou=LVC,ou=Communities,ou=grouper,o=internal,dc=wiki,dc= member: cn=AGWGGroupMembers,ou=AGWG,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=gro member: cn=GWUGroupMembers,ou=GWU,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=group member: cn=ULBGroupMembers,ou=ULB,ou=MOU,ou=LSC,ou=LVC,ou=Communities,ou=group I checked and the 3 DNs that survive are not different in any substantial way then the 97 DNs that are effectively hidden. Any ideas why the 3 DNs survive the rewriting? Thanks, Scott

2 2

slapd-meta configuration details
by Scott Koranda 07 Dec '12

07 Dec '12

Hello, As part of an evaluation and testing phase, on a Debian Squeeze system using version 2.4.23 of OpenLDAP I successfully configured and used the slapd-meta backend. The configuration looked like this: database meta suffix "dc=test,dc=myorg,dc=org" uri "ldapi:///o=external,dc=test,dc=myorg,dc=org" acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org acl-passwd passwd idassert-bind bindmethod=simple binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org" credentials="passwd" mode=self uri "ldapi:///o=internal,dc=test,dc=myorg,dc=org" acl-authcDN uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org acl-passwd passwd idassert-bind bindmethod=simple binddn="uid=foswiki,ou=system,o=external,dc=test,dc=myorg,dc=org" credentials="passwd" mode=self To prepare for a production deployment I then compiled OpenLDAP 2.4.33 using this set of configure options: ./configure --prefix=/opt/openldap-2.4.33 --enable-slapd --enable-cleartext --enable-rewrite --enable-bdb --enable-hdb --enable-ldap --enable-meta --enable-rwm I attempted to use the same configuration for the slapd-meta backend. My queries to slapd no longer returned anything and I saw this in the debug ouput: 50c15573 conn=1000 op=1 meta_search_dobind_init[0] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously 50c15573 conn=1000 op=1 meta_search_dobind_init[1] mc=0x22c2da0: non-empty dn with empty cred; binding anonymously I interpret this to mean that the slapd-meta backend is deciding it does not have a credential to use and is binding anonymously to the proxied services. How should I change my configuration above so that the most recent version of OpenLDAP will be able to bind to the proxied services in the way that happened with version 2.4.23? Note that I installed versions between 2.4.23 and 2.4.33 (bisection) and found that the change from 2.4.25 to 2.4.26 causes the configuration above to go from "working" to "not working". Versions 2.4.26 and above that I tested result in the "non-empty dn with empty cred" in the debug output. Thanks, Scott

3 5

DB_LOCK_DEADLOCK
by Pawan Kamboj 07 Dec '12

07 Dec '12

Hi, We are getting "bdb_idl_fetch_key: get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995)" error in Openldap debug log. We are using Openldap.2.3.31 and db.4.5 version and have configured master-slave. Any help on this? Is it something need to worry or we can ignore this. This error coming frequently when we do lots of write opration on ldap. Regards Pawan

3 5

how to speed up filtering of dn's
by Hanspeter Kunz 06 Dec '12

06 Dec '12

Hi all, I want to find all entries in my ldap directory that contain certain ou's, e.g. ldapsearch -x "(ou:dn:=Administration)" which returns (in my case) all entries that correspond to administrative staff. The query works but it is slow and puts a high load on the ldap server. I wonder if I can create an index which would speed things up, but I could not figure out what I should index. Note that I cannot do this using a specific basedn, because we have administrative staff in several subtrees of our ldap hierarchy. Best

2 4

dnMatch flooding logs and access blocked
by Al Dispennette 05 Dec '12

05 Dec '12

Hello, I am seeing the following get repeated in my slapd logs for hundreds of line. I know it is due to the logging level. However, when this starts happening no one can access the server because what ever is logging this is blocking. Can anyone tell me what is causing this log entry? slapd[20616]: dnMatch -1#012#011"uid=item1,ou=users,dc=example,dc=com"#012#011"uid=user,ou=users,dc=example,dc=com" slapd[20616]: dnMatch 2#012#011"uid=item2,ou=users,dc=example,dc=com"#012#011"uid=user,ou=users,dc=example,dc=com" slapd[20616]: dnMatch 2#012#011"uid=item3,ou=users,dc=example,dc=com"#012#011"uid=user,ou=users,dc=example,dc=com" slapd[20616]: dnMatch -2#012#011"uid=item4,ou=users,dc=example,dc=com"#012#011"uid=user,ou=users,dc=example,dc=com" slapd[20616]: dnMatch -1#012#011"uid=item5,ou=users,dc=example,dc=com"#012#011"uid=user,ou=users,dc=example,dc=com" slapd[20616]: dnMatch -2#012#011"uid=item6,ou=users,dc=example,dc=com"#012#011"uid=user,ou=users,dc=example,dc=com" Al Dispennette Sr. Software Engineer t: 415 526 7206 m: 309 868 1401 al.dispennette(a)monitise.com<mailto:al.dispennette@monitise.com> [Description: Description: Description: http://mailmedia.monitisegroup.com/MonitiseUpdate/Images/Email_logo.gif] www.monitisegroup.com<http://www.monitisegroup.com/> [Description: Description: Description: http://mailmedia.monitisegroup.com/MonitiseUpdate/Images/linked_in_sig.gif]<http://www.linkedin.com/company/monitise>[Description: Description: Description: http://mailmedia.monitisegroup.com/MonitiseUpdate/Images/twitter_sig.gif]<http://twitter.com/#!/MonitiseGroup>

3 4

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical