openldap-technical

openldap-technical@openldap.org

9897 discussions

Move from memberof to dynlist
by Magnus Morén 01 Dec '21

01 Dec '21

I am trying to move from memberof(overlay) to dynlist but can't get it to work. I have static groups with uniqueMembers cn=somegroup,ou=group,dc=domain,dc=net uniqueMember: uid=user1,ou=people,dc=domain,dc=net uniqueMember: uid=user2,ou=people,dc=domain,dc=net ... I want to have: memberOf: cn=somegroup,ou=group,dc=domain,dc=net on all users who is member of any group. In my test i use cn=config style and OpenLDAP 2.6.0 from Symas In my old ldap server (slapd.conf based) i have overlay memberof memberof-group-oc groupOfUniqueNames memberof-member-ad uniqueMember memberof-refint true I have tried this from man slapo-dynlist but I must have done something wrong or not understand how it is supposed to work. This example extends the dynamic memberOf feature to add the memberOf attribute to all the members of both static and dynamic groups: include /path/to/dyngroup.schema # ... database <database> # ... overlay dynlist dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames This dynamic memberOf feature can fully replace the functionality of the slapo-memberof(5) overlay.

3 6

Re: 2.6 rhel8 rpm pkg - lastbind module issue
by Dave Macias 01 Dec '21

01 Dec '21

> > Im looking at > > this: https://git.openldap.org/openldap/openldap/-/blob/6327f45d7de73f66 > > 9fa438d4f5823e139cf4e6b4/contrib/slapd-modules/lastbind/slapo-lastbind.5 > > > > slapadd -n 1 -F /opt/symas/etc/openldap/slapd.d -l data.ldif > > <= str2entry: str2ad(authTimestamp): attribute type undefined > > slapadd: could not parse entry (line=24) > > Closing DB... > > You need the fix for ITS#9725 to make use of authTimestamp. > I see. Thank you for the input! So then i guess i have to wait until the fix is applied to the OS pkgs. Best, Dave

2 1

ppolicy-question
by A. Schulze 01 Dec '21

01 Dec '21

Hello, using slapo-ppolicy I could configure slapd to hash a password if it's sent unhashed. moduleload ppolicy.la moduleload argon2.la password-hash {ARGON2} database mdb suffix dc=test ... overlay ppolicy ppolicy_default "cn=default,ou=ppolicies,dc=test" ppolicy_hash_cleartext That work and I could hash them using ARGON2. But clients could still hash a password them self and write '{MD5}...' as userPassword for example. Is it possible to reject any userPasswords prefixed with hash schema? Andreas

4 6

Multi-Master not syncing
by Enrico Weigelt, metux IT consult 30 Nov '21

30 Nov '21

Hello friends, I'm in huge trouble: my MMR setup (Zimbra) isn't syncing completely. * host A is the old master, host B a new one. * host B used to be a slave of A, but later was promoted to master (each has a syncrepl pointer to the other and mirrormode is TRUE) * sync from A to B seems to be fine, but the route back doesn't work * new objects (eg. new users) are synced up from B to A, but later changes don't get throught (eg. additional entries like mail aliases) On host B i get lots of repeated log messages like this: Nov 30 09:56:04 hz1-rz-mail-ldap-01 slapd[3999428]: conn=6002 op=1 syncprov_search_response: Entry uid=u37701,ou=people,dc=hs-harz,dc=de CSN 20211129215211.258933Z#000000#001#000000 older or equal to ctx 20211130085608.894386Z#000000#001#000000 On Host A I'm getting lots of log messages like this: Nov 30 10:12:38 inkataube slapd[17590]: dn_callback : new entry is older than ours uid=g50425,ou=people,dc=hs-harz,dc=de ours 20211130032044.897539Z#000000#001#000000, new 20211130032015.857165Z#000000#002#000000 It looks like both nodes can't agree on what's the most recent entries. Is there any way to force them taking either side's version ? thanks --mtx --- Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren GPG/PGP-Schlüssel zu. --- Enrico Weigelt, metux IT consult Free software and Linux embedded engineering info(a)metux.net -- +49-151-27565287

2 1

symas gpg-key
by Stefan Kania 30 Nov '21

30 Nov '21

I installed the symas OpenLDAP 2.6. The first step was getting the gpg-key but the command on your web-page is : ---------------- root@ldap:~# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys DA26A148887DCBEB Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). ---------------- is deprecated on debian 11. Do you provide a the key in .asc format so the key can be installed via: ---------------- wget -O- https://some-server.com/symas.gpg-key.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/symas.gpg > /dev/null ---------------- If you do, where can I find it? If not, could you provide it? :-) Stefan

2 2

delta-sync how to make sure
by frederic.goudal＠bordeaux-inp.fr 30 Nov '21

30 Nov '21

Hello, I have setup delta-sync replication on my servers, but how can I be sure it is used instead of just syncrepl ? What do I have to look at into the logs ? Thanks in advance -- Frédéric Goudal Administrateur Systèmes et Réseaux Bordeaux-INP

1 0

how to build dynacl now.c?
by Michael Ströder 29 Nov '21

29 Nov '21

HI! Hmm, I cannot see what I'm doing wrong here. Compiling other contrib modules works just fine. $ make -B -C contrib/slapd-modules/acl now make: Entering directory '/home/michael/src/openldap-git/re26/openldap/contrib/slapd-modules/acl' gcc now.c -o now now.c:28:10: fatal error: portable.h: No such file or directory 28 | #include <portable.h> | ^~~~~~~~~~~~ compilation terminated. make: *** [<builtin>: now] Error 1 make: Leaving directory '/home/michael/src/openldap-git/re26/openldap/contrib/slapd-modules/acl' Ciao, Michael.

2 2

Problem with attribute hasSubordinate
by frederic.goudal＠bordeaux-inp.fr 24 Nov '21

24 Nov '21

Hello, I'm upgrading an old ldap set of servers to a new one, going from 2.4.x to 2.6.0 What I'm currently doing is the following : old.2.4 <- multi-master syncrepl -> newMaster -> push-setup + delta-sync -> newSlave What I call push-setup is a hidden sufix on newMaster with newSlsave as ldap backend. The synchronisations occurs, but stop for now on the following error : Nov 23 14:47:47 ldap2021 slapd[57592]: conn=1000 op=662328 SRCH base="dc=ipb,dc=fr" scope=2 deref=0 filter="(entryUUID=d62c8932-e9aa-1034-9374-673a87a89e29)" Nov 23 14:47:47 ldap2021 slapd[57592]: conn=1000 op=662328 SRCH attr=* + Nov 23 14:47:47 ldap2021 slapd[57592]: conn=1000 op=662328 SEARCH RESULT tag=101 err=0 qtime=0.000046 etime=0.000808 nentries=1 text= Nov 23 14:47:47 ldap2021 slapd[57592]: conn=1000 op=662329 MOD dn="uid=xxxx,ou=people,dc=ipb,dc=fr" Nov 23 14:47:47 ldap2021 slapd[57592]: conn=1000 op=662329 MOD attr=entryCSN modifiersName modifyTimestamp hasSubordinates Nov 23 14:47:47 ldap2021 slapd[57592]: slap_queue_csn: queueing 0x7efedc155f70 20211123133002.586780Z#000000#00a#000000 Nov 23 14:47:47 ldap2021 slapd[57592]: conn=1000 op=662329 RESULT tag=103 err=16 qtime=0.000029 etime=0.000405 text=modify/delete: hasSubordinates: no such attribute Nov 23 14:47:47 ldap2021 slapd[57592]: slap_graduate_commit_csn: removing 0x7efedc155f70 20211123133002.586780Z#000000#00a#000000 I have donne slapcat on the old server, and on the the newMaster and there is no attribute hasSubordinates. I have dumped the schema ( ldapsearch -x -LLL -b cn=Subschema -s base '(objectClass=subschema)' +) and the attribute hasSubordinatess is defined both on newMaster and newSlave. I don't know what to do to fix this problem... Thanks in advance. -- Frédéric Goudal Administrateur Systèmes et Réseaux Bordeaux-INP

2 2

Failed LDAP Synchronization (openldap-servers-2.4.44)
by nabeel.tariq＠rapidcompute.com 23 Nov '21

23 Nov '21

Hi, I have configured LDAP successfully on Centos 7. I have integrated it with my Axigen email server. I can authenticate successfully with LDAP. I can search all the records using ldapsearch command. ldapsearch -H ldaps://cyberldap.cyber.net.pk:636 -b "o=intranet,dc=cyber,dc=net,dc=pk" -D "cn=manager,dc=cyber,dc=net,dc=pk" -W -x However, while synchronizing LDAP with my Axigen, I have faced below mentioned error. 2021-11-24 11:17:50 +0500 02 test USERDB:00000001: Failed OpenLdap search basedn(o=intranet,dc=cyber,dc=net,dc=pk), filter((&(objectClass=inetOrgPerson))), error(Other (e.g., implementation specific) error) on domain cyber.net.pk

1 0

Synchronisation ODSEE --> Openldap 2.5
by laurent.revillion＠ambre-systems.com 23 Nov '21

23 Nov '21

Hello, I want to synchronize the data in my ODSEE directory with the new Openldap directory. I have ODSEE [slapd 64-bit] Oracle Corporation. Sun-Directory-Server/11.1.1.7.3 B2015.0429.2115 64-bit ns-slapd : 11.1.1.7.3 B2015.0429.2115 ZIP Slapd Library : 11.1.1.7.3 B2015.0429.2115 Front-End Library : 11.1.1.7.3 B2015.0429.2115 end Openldap 2.5.X I did exactly what is indicated in the tests: openldap / tests / scripts / test072-dsee-sync openldap / tests / scripts / test075-dsee-persist The ODSEE directory starts correctly. When I start the Openldap instance with the indicated replication data / slapd-dsee-consumer1.conf data / slapd-dsee-consumer2.conf IN Openldap start i have (with -d -1 option) 61926439.1a909db2 0x7f7e26799880 slapd starting 61926439.1b711895 0x7f7e1e406700 daemon: added 4r listener=(nil) 61926439.1b718582 0x7f7e1e406700 daemon: added 7r listener=0x563d9bd87c10 61926439.1b71aee4 0x7f7e1e406700 daemon: added 8r listener=0x563d9bd87d00 61926439.1b728f00 0x7f7e1e406700 daemon: epoll: listen=7 active_threads=0 tvp=zero 61926439.1b729cbf 0x7f7e1e406700 daemon: epoll: listen=8 active_threads=0 tvp=zero 61926439.1b72aaf3 0x7f7e1e406700 daemon: activity on 1 descriptor 61926439.1b72b304 0x7f7e1e406700 daemon: activity on:61926439.1b72bbba 0x7f7e1e406700 61926439.1b72cd95 0x7f7e1e406700 daemon: epoll: listen=7 active_threads=0 tvp=zero 61926439.1b72d667 0x7f7e1e406700 daemon: epoll: listen=8 active_threads=0 tvp=zero 61926439.1c6896b8 0x7f7e1dc05700 >>> dnNormalize: <cn=Consumer 002> 61926439.1c691535 0x7f7e1dc05700 <<< dnNormalize: <cn=consumer 002> 61926439.1c69b3df 0x7f7e1dc05700 =>do_syncrepl rid=002 61926439.1c69eaae 0x7f7e1dc05700 ldap_create 61926439.1c6a1e25 0x7f7e1dc05700 ldap_url_parse_ext(ldap://127.0.0.1:3389) 61926439.1c6a3c1d 0x7f7e1dc05700 ldap_sasl_bind_s 61926439.1c6a4b7a 0x7f7e1dc05700 ldap_sasl_bind 61926439.1c6a8303 0x7f7e1dc05700 ldap_send_initial_request 61926439.1c6a9831 0x7f7e1dc05700 ldap_new_connection 1 1 0 61926439.1c6aa2a5 0x7f7e1dc05700 ldap_int_open_connection 61926439.1c6ab2ef 0x7f7e1dc05700 ldap_connect_to_host: TCP 127.0.0.1:3389 61926439.1c6aea76 0x7f7e1dc05700 ldap_new_socket: 12 61926439.1c6afeb6 0x7f7e1dc05700 ldap_prepare_socket: 12 61926439.1c6b1f47 0x7f7e1dc05700 ldap_connect_to_host: Trying 127.0.0.1:3389 61926439.1c6b2888 0x7f7e1dc05700 ldap_pvt_connect: fd: 12 tm: -1 async: 0 61926439.1c6b2fd3 0x7f7e1dc05700 attempting to connect: 61926439.1c6dd2fe 0x7f7e1dc05700 connect success 61926439.1c6e01eb 0x7f7e1dc05700 ldap_open_defconn: successful 61926439.1c6e0de0 0x7f7e1dc05700 ldap_send_server_request 61926439.1c6e1c57 0x7f7e1dc05700 ber_scanf fmt ({it) ber: 61926439.1c6e2774 0x7f7e1dc05700 ber_dump: buf=0x7f7e10001bb0 ptr=0x7f7e10001bb0 end=0x7f7e10001bda len=42 61926439.1c6e3112 0x7f7e1dc05700 0000: 30 28 02 01 01 60 23 02 01 03 04 14 63 6e 3d 64 0(...`#.....cn=d 61926439.1c6e3916 0x7f7e1dc05700 0010: 69 72 65 63 74 6f 72 79 20 6d 61 6e 61 67 65 72 irectory manager 61926439.1c6e40a5 0x7f7e1dc05700 0020: 80 08 70 61 73 73 77 6f 72 64 ..password 61926439.1c6e4fb6 0x7f7e1dc05700 ber_scanf fmt ({i) ber: 61926439.1c6e5814 0x7f7e1dc05700 ber_dump: buf=0x7f7e10001bb0 ptr=0x7f7e10001bb5 end=0x7f7e10001bda len=37 61926439.1c6e5fe9 0x7f7e1dc05700 0000: 60 23 02 01 03 04 14 63 6e 3d 64 69 72 65 63 74 `#.....cn=direct 61926439.1c6e6776 0x7f7e1dc05700 0010: 6f 72 79 20 6d 61 6e 61 67 65 72 80 08 70 61 73 ory manager..pas 61926439.1c6e6f8f 0x7f7e1dc05700 0020: 73 77 6f 72 64 sword 61926439.1c6e8145 0x7f7e1dc05700 ber_flush2: 42 bytes to sd 12 61926439.1c6e8afb 0x7f7e1dc05700 0000: 30 28 02 01 01 60 23 02 01 03 04 14 63 6e 3d 64 0(...`#.....cn=d 61926439.1c6e9274 0x7f7e1dc05700 0010: 69 72 65 63 74 6f 72 79 20 6d 61 6e 61 67 65 72 irectory manager 61926439.1c6e99ea 0x7f7e1dc05700 0020: 80 08 70 61 73 73 77 6f 72 64 ..password 61926439.1c6eec1c 0x7f7e1dc05700 ldap_write: want=42, written=42 61926439.1c6ef60f 0x7f7e1dc05700 0000: 30 28 02 01 01 60 23 02 01 03 04 14 63 6e 3d 64 0(...`#.....cn=d 61926439.1c6efd8d 0x7f7e1dc05700 0010: 69 72 65 63 74 6f 72 79 20 6d 61 6e 61 67 65 72 irectory manager 61926439.1c6f05c4 0x7f7e1dc05700 0020: 80 08 70 61 73 73 77 6f 72 64 ..password 61926439.1c6f2277 0x7f7e1dc05700 ldap_result ld 0x7f7e10000920 msgid 1 61926439.1c6f2c34 0x7f7e1dc05700 wait4msg ld 0x7f7e10000920 msgid 1 (infinite timeout) 61926439.1c6f34b0 0x7f7e1dc05700 wait4msg continue ld 0x7f7e10000920 msgid 1 all 1 61926439.1c6f3e6c 0x7f7e1dc05700 ** ld 0x7f7e10000920 Connections: 61926439.1c6f52a0 0x7f7e1dc05700 * host: 127.0.0.1 port: 3389 (default) 61926439.1c6f6877 0x7f7e1dc05700 * from: IP=127.0.0.1:56180 61926439.1c6f70a2 0x7f7e1dc05700 refcnt: 2 status: Connected 61926439.1c6f8693 0x7f7e1dc05700 last used: Mon Nov 15 14:44:25 2021 61926439.1c6f8f52 0x7f7e1dc05700 61926439.1c6f98a4 0x7f7e1dc05700 ** ld 0x7f7e10000920 Outstanding Requests: 61926439.1c6fa2a6 0x7f7e1dc05700 * msgid 1, origid 1, status InProgress 61926439.1c6fab71 0x7f7e1dc05700 outstanding referrals 0, parent count 0 61926439.1c6fb4ca 0x7f7e1dc05700 ld 0x7f7e10000920 request count 1 (abandoned 0) 61926439.1c6fbc72 0x7f7e1dc05700 ** ld 0x7f7e10000920 Response Queue: 61926439.1c6fc3fa 0x7f7e1dc05700 Empty 61926439.1c6fcb6c 0x7f7e1dc05700 ld 0x7f7e10000920 response count 0 61926439.1c6fd389 0x7f7e1dc05700 ldap_chkResponseList ld 0x7f7e10000920 msgid 1 all 1 61926439.1c6fdb88 0x7f7e1dc05700 ldap_chkResponseList returns ld 0x7f7e10000920 NULL 61926439.1c6fe4a8 0x7f7e1dc05700 ldap_int_select 61926439.1c728a2b 0x7f7e1dc05700 read1msg: ld 0x7f7e10000920 msgid 1 all 1 61926439.1c72a729 0x7f7e1dc05700 ber_get_next 61926439.1c72bcf8 0x7f7e1dc05700 ldap_read: want=8, got=8 61926439.1c72c592 0x7f7e1dc05700 0000: 30 0c 02 01 01 61 07 0a 0....a.. 61926439.1c72ddfd 0x7f7e1dc05700 ldap_read: want=6, got=6 61926439.1c72e594 0x7f7e1dc05700 0000: 01 00 04 00 04 00 ...... 61926439.1c72ef09 0x7f7e1dc05700 ber_get_next: tag 0x30 len 12 contents: 61926439.1c72f810 0x7f7e1dc05700 ber_dump: buf=0x7f7e100011c0 ptr=0x7f7e100011c0 end=0x7f7e100011cc len=12 61926439.1c73000c 0x7f7e1dc05700 0000: 02 01 01 61 07 0a 01 00 04 00 04 00 ...a........ 61926439.1c73242e 0x7f7e1dc05700 ldap_find_request_by_msgid: msgid 1, lr 0x7f7e100010a0 lr->lr_refcnt = 1 61926439.1c7331b9 0x7f7e1dc05700 read1msg: ld 0x7f7e10000920 msgid 1 message type bind 61926439.1c733b07 0x7f7e1dc05700 ber_scanf fmt ({eAA) ber: 61926439.1c73431c 0x7f7e1dc05700 ber_dump: buf=0x7f7e100011c0 ptr=0x7f7e100011c3 end=0x7f7e100011cc len=9 61926439.1c734ad7 0x7f7e1dc05700 0000: 61 07 0a 01 00 04 00 04 00 a........ 61926439.1c7357b8 0x7f7e1dc05700 read1msg: ld 0x7f7e10000920 0 new referrals 61926439.1c736002 0x7f7e1dc05700 read1msg: mark request completed, ld 0x7f7e10000920 msgid 1 61926439.1c736829 0x7f7e1dc05700 request done: ld 0x7f7e10000920 msgid 1 61926439.1c73709e 0x7f7e1dc05700 res_errno: 0, res_error: <>, res_matched: <> 61926439.1c737a4d 0x7f7e1dc05700 ldap_return_request: lrx 0x7f7e100010a0, lr 0x7f7e100010a0 61926439.1c738307 0x7f7e1dc05700 ldap_return_request: lrx->lr_msgid 1, lrx->lr_refcnt is now 0, lr is still present 61926439.1c738cab 0x7f7e1dc05700 ldap_free_request (origid 1, msgid 1) 61926439.1c739a8c 0x7f7e1dc05700 ldap_free_request_int: lr 0x7f7e100010a0 msgid 1 removed 61926439.1c73a4cd 0x7f7e1dc05700 ldap_do_free_request: asked to free lr 0x7f7e100010a0 msgid 1 refcnt 0 61926439.1c73bb4b 0x7f7e1dc05700 ldap_parse_result 61926439.1c73c76f 0x7f7e1dc05700 ber_scanf fmt ({iAA) ber: 61926439.1c73cf85 0x7f7e1dc05700 ber_dump: buf=0x7f7e100011c0 ptr=0x7f7e100011c3 end=0x7f7e100011cc len=9 61926439.1c73d701 0x7f7e1dc05700 0000: 61 07 0a 01 00 04 00 04 00 a........ 61926439.1c73e2d4 0x7f7e1dc05700 ber_scanf fmt (}) ber: 61926439.1c73eac1 0x7f7e1dc05700 ber_dump: buf=0x7f7e100011c0 ptr=0x7f7e100011cc end=0x7f7e100011cc len=0 61926439.1c73f201 0x7f7e1dc05700 61926439.1c73fad8 0x7f7e1dc05700 ldap_msgfree 61926439.1c746e58 0x7f7e1dc05700 => mdb_entry_get: ndn: "dc=ici,dc=fr" 61926439.1c74789d 0x7f7e1dc05700 => mdb_entry_get: oc: "(null)", at: "lastChangeNumber" 61926439.1c74ce52 0x7f7e1dc05700 mdb_dn2entry("dc=ici,dc=fr") 61926439.1c76894c 0x7f7e1dc05700 => mdb_dn2id("dc=ici,dc=fr") 61926439.1c76a201 0x7f7e1dc05700 <= mdb_dn2id: got id=0x1 61926439.1c76c985 0x7f7e1dc05700 => mdb_entry_decode: 61926439.1c76e088 0x7f7e1dc05700 <= mdb_entry_decode 61926439.1c76ec57 0x7f7e1dc05700 => mdb_entry_get: found entry: "dc=ici,dc=fr" 61926439.1c76f8d5 0x7f7e1dc05700 <= mdb_entry_get: failed to find attribute lastChangeNumber 61926439.1c770d36 0x7f7e1dc05700 mdb_entry_get: rc=16 61926439.1c7717f9 0x7f7e1dc05700 do_syncrep1: rid=002 starting refresh (sending cookie=(null)) slapd: memory.c:705: ber_bvreplace_x: Assertion `!((src)->bv_val == ((void *)0))' failed. ./start-consumer1.sh : ligne 4 : 15293 Abandon /opt/symas/lib/slapd -d -1 -u ldap -g ldap -h "ldap://:5389/" -f /opt/symas/config/static-test/slapd-dsee-consumer1.conf IN access log ODSEE i have : [15/Nov/2021:14:44:25 +0100] conn=18 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3 [15/Nov/2021:14:44:25 +0100] conn=18 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [15/Nov/2021:14:44:25 +0100] conn=18 op=1 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0 [15/Nov/2021:14:44:25 +0100] conn=18 op=-1 msgId=-1 - closing from 127.0.0.1:56180 - A1 - Client aborted connection - [15/Nov/2021:14:44:25 +0100] conn=18 op=-1 msgId=-1 - closed. I do not understand why ODSEE systematically gives an error 80 following the BIND of the consumer Openldap. Can you help me ? Thanks

2 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical