openldap-technical

openldap-technical@openldap.org

14 participants
9796 discussions

LDAP C API
by Покотиленко Костик 07 Jun '10

07 Jun '10

Did this message hit the list? Hi there, I'm writing GTK application for managing LDAP directory, a kind of GTK variant of phpldapadmin. As for now I'm able to browse directory, objects' probepries and their values. What is not clear is how to figure out the RDN and Required property, and Structural value. How it is done? -- Покотиленко Костик <casper(a)meteor.dp.ua>

2 4

Pam password authentication
by Indexer 07 Jun '10

07 Jun '10

Recently, i have hit a rather unique, and annoying, error with ldap. it seems that using pam with ldap, allows *any* password as valid. Im not really sure what i have done here, and any help would be apprecitaed. find my /etc/ldap.conf attached, as well as pam.d/ssh etc/ldap.conf base dc=chocolate,dc=lan suffix dc=chocolate,dc=lan uri ldap://ldap.chocolate.lan ldap_version 3 scope sub timelimit 3 bind_timelimit 3 bind_policy soft pam_filter objectclass=posixAccount pam_login_attribute uid pam_groupdn cn=login,ou=Nemo,ou=Group,dc=chocolate,dc=lan pam_member_attribute memberUid pam_password clear pam_password exop nss_base_passwd ou=Users,dc=chocolate,dc=lan?sub nss_base_shadow ou=Users,dc=chocolate,dc=lan?sub nss_base_group ou=Nemo,ou=Group,dc=chocolate,dc=lan?sub ssl on ssl start_tls tls_cacert /usr/local/etc/openldap/keys/cacert.crt tls_checkpeer no pam.d/sshd auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass auth sufficient pam_unix.so no_warn try_first_pass account required pam_nologin.so account required pam_login_access.so account optional pam_unix.so account optional /usr/local/lib/pam_ldap.so session required pam_permit.so session optional /usr/local/lib/pam_ldap.so password sufficient /usr/local/lib/pam_ldap.so no_warn use_athtok use_first_pass password sufficient pam_unix.so no_warn try_first_pass

5 6

ldap with squid auth helper
by Gerardo Herzig 07 Jun '10

07 Jun '10

Hi all. Im triyng to use squid with the squid_ldap_group auth helper. The schema looks like o=Company | -Groups |-ProxyUsers |-Managers |-Sales Managers and Sales are OrganizationalUnit, ProxyUsers is GroupofUniqueNames Each entry of Managers and Sales inherits from PosixAccount and InetOrgPerson ProxyUsers entry for the user foo is: UniqueMember: uid=foo,ou=Managers,o=Company UniqueMember: uid=anotherfoo,ou=Sales,o=Company Inside the ProxyUsers can be people from Managers, Sales, and so. Im faliling to test squid_ldap_group from command line (i think the filters part) 1) Is there a way to test if the user foo is part of the ProxyUsers group? 2) It is possible to tell squid_ldap_group to look for uid=foo in Manager AND Sales, and if there is one try to use it? Like if the filter could be "(uid=foo) _AND_ (ou=Managers _OR_ ou=Sales)"? I hope to be clear with the question. Thanks! Gerardo

2 1

Scaling bottom-up - best practices?
by Jan Lühr 07 Jun '10

07 Jun '10

Hello, for some time now, we're using openldap 2.4.11 on debian lenny and everything is fine - but: We've to scale. Up to now our root-dn is dc=abc - our new root-dn ought to be: dc=xyz, having a subtree dc=abc,dc=xyz The root-dn is set in some application's configs as base dn, furthermore, it's referenced in ldap-entries (dynamic overlay-groups). Basically I can think of two strategies. a) Change the root-dn within the directory and in all applications depending on it (con: error prone - pro: clean result) b) Install a new server, proxy all requests to the old instance, removing dc=xyz on queries, add dc=xyz on responses. (con: complexity, pro: no changes in apps / Information depending on dc=abc) Have you had similar problems? What did you do to solve 'em? What strategy do you recommend? Thanks, Keep smiling yanosz

3 2

how to get DIT structure info
by owen nirvana 07 Jun '10

07 Jun '10

hi, I have a question. I want to manage some data by OpenLDAP, and I hope show them by tree structure when I list. So I want to get the DIT structure info and create the corresponding nodes in my treeview. so , how to do? gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

3 2

Bidirectional sync using openldap and active directory
by Benjamin MONTHOUEL 07 Jun '10

07 Jun '10

Hi, I'd like to know which method is recommended by openldap.org to perform a bidirectional sync with Microsoft Active Directory. This method has to notice that users changed their password by themselves. Kerberos token ??? Thanks for any information. -- Benjamin MONTHOUËL Systems Administrator Assistant NETASQ France - We Secure IT Villeneuve d'Ascq

2 2

Help with a referral
by Jason Voorhees 07 Jun '10

07 Jun '10

Hi: I'm trying to migrate an old LDAP server (that holds an ldap tree for Open-Xchange) to a new installation of OpenLDAP 2.3.43. A lot of users had configured their Outlook in a way that they make a base search for ou=Users,ou=OxObjects,dc=domain,dc=com in their LDAP address book. But my new LDAP tree won't have ou=OxObjects,dc=domain,dc=com entry, i'm creating a new ldap structure to be used with GOSA. So I decide to create a referral like this: dn: ou=Users,ou=OxObjects,dc=domain,dc=com ou: Users objectclass: referral objectclass: extensibleObject ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com This works fine, now Outlook users can find their contacts using the same base search (ou=Users,ou=OxObjects,dc=domain,dc=com) but now GOSA got in problems because it finds two administrator users (cn=System administrator,ou=people,dc=domain,dc=com) because of the referral. I just would like to GOSA doesn't follow referrals or just searches for users under ou=people,dc=domain,dc=com instead of the root dc=domain,dc=com, but it seem that GOSA isn't good enough to customize this yet. So I think I could modify my referral to return not all attributes, just some of them (the attributes commonly used by an address book search) like this: dn: ou=Users,ou=OxObjects,dc=domain,dc=com ou: Users objectclass: referral objectclass: extensibleObject ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com?cn,sn,givenName,telephoneNumber,mail After updating my referral and I make an ldapsearch: # ldapsearch -xLLL "(uid=admin)" I still get two entries (two administrators) and both of them returns all its attributes. Then I tried to modify my referral like this: dn: ou=Users,ou=OxObjects,dc=domain,dc=com ou: Users objectclass: referral objectclass: extensibleObject ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com??sub?(!(uid=admin)) And still get two entries (two administrators). So I suspect that my referral URI isn't working. Am using a wrong referral? Or maybe OpenLDAP always returns all entries ignoring attributes and filters in a URI referral (ldap://HOSTNAME/ou=people,dc=domain,dc=com?cn,sn,givenName,telephoneNumber,mail)? I hope some one can help me because i'm stuck with this since two days ago. I just want to limit the entries returned by my referral. Thanks

4 8

ldap_sync* how to
by egemenozden＠gmail.com 06 Jun '10

06 Jun '10

hi, I needed to write a daemon which can react to changes on openldap server. It has to be an event driven application hence polling is ruled out. After some research, the most proper way seems to be through ldap sync however I could not find any documentation other than the man page of ldap_sync* which does not provide any example. Does any body know of an introductory document or another way to achieve my purpose? In the worst case I will dive into slapd's implementation to have a feeling or simply use the logs as an event channel. Thanks

3 2

input error=-2
by Joe Friedeggs 04 Jun '10

04 Jun '10

I just recently noticed 'input error=-2' when running in debug mode, and in my logs (loglevel sync shell stats ber conns). It seems to occur (always) when the connection it closed. Anyone know what might cause this? Is it anything I should be concerned with? I am not sure when this started. I have made numerous changes over the past few weeks; too many to back out. Thanks, Joe >From DEBUG:: ber_get_next on fd 25 failed errno=0 (Success) connection_read(25): input error=-2 id=20, closing. connection_closing: readying conn=20 sd=25 for close connection_close: conn=20 sd=25 =>ldap_back_conn_destroy: fetching conn 20 daemon: removing 25 Similarly in log: Jun 4 15:39:31 ldapserver slapd[7683]: daemon: read active on 16 Jun 4 15:39:31 ldapserver slapd[7683]: conn=150 op=2 UNBIND Jun 4 15:39:31 ldapserver slapd[7683]: connection_read(16): input error=-2 id=150, closing. Jun 4 15:39:31 ldapserver slapd[7683]: daemon: removing 16 Jun 4 15:39:31 ldapserver slapd[7683]: conn=150 fd=16 closed Jun 4 15:39:31 ldapserver slapd[7683]: daemon: epoll: listen=7 active_threads=0 tvp=zero Jun 4 15:39:31 ldapserver slapd[7683]: daemon: epoll: listen=8 active_threads=0 tvp=zero Jun 4 15:39:31 ldapserver slapd[7683]: daemon: activity on 1 descriptor Jun 4 15:39:31 ldapserver slapd[7683]: daemon: activity on: _________________________________________________________________ Hotmail has tools for the New Busy. Search, chat and e-mail from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:…

1 0

ldap search bug
by Jeremiah Martell 03 Jun '10

03 Jun '10

Just pinging the mailing list again. I'm hoping someone has some advice or guidance on this. Thanks, - Jeremiah ---------- Forwarded message ---------- From: Jeremiah Martell <inlovewithgod(a)gmail.com> Date: Thu, May 27, 2010 at 3:42 PM Subject: ldap search hangs forever To: openldap-technical(a)openldap.org I'm using openldap-2.4.18 as a client to bind and asynchronously search an active directory server. I have a domain, example.com, that has two domain controllers: one.example.com, and two.example.com. The ip of one.example.com is 12.34.56.1 The ip of two.example.com is 12.34.56.2 The reverse mapping of 12.34.56.1 is one.example.com The reverse mapping of 12.34.56.2 doesn't exist ----- / nslookup one.example.com Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com Name: one.example.com Address 1: 12.34.56.1 one.example.com / nslookup two.example.com Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com Name: two.example.com Address 1: 12.34.56.2 / nslookup example.com Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com Name: example.com Address 1: 12.34.56.2 Address 2: 12.34.56.1 one.example.com / nslookup 12.34.56.2 Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com Name: 12.34.56.2 Address 1: 12.34.56.2 / nslookup 12.34.56.1 Server: 12.34.56.99 Address 1: 12.34.56.99 dns1.example.com Name: 12.34.56.1 Address 1: 12.34.56.1 one.example.com / ----- I have given openldap a "rebind proc" to use when chasing the referrals. I do a sasl gssapi bind to one.example.com, which succeeds. I do a search, which returns three referrals: DomainDnsZones.example.com ForestDnsZones.example.com example.com openldap looks up these three names and gets 12.34.56.2, which doesn't reverse map to anything. Then I get error messages for each referral: May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/23.56.2(a)EXAMPLE.COM) unknown) May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/23.56.2(a)EXAMPLE.COM) unknown) May 27 16:26:18 xyz: GSSAPI Error: Miscellaneous failure (see text) (Server (krbtgt/23.56.2(a)EXAMPLE.COM) unknown) Then openldap hangs forever; I never get a LDAP_RES_SEARCH_RESULT. ----- If I modify my DNS server to return 12.34.56.1 first instead of 12.34.56.2, then everything works perfectly. If I don't chase referrals, then everything works perfectly minus chasing referrals of course. If I use "normal" binding instead of sasl gssapi, then everything works perfectly. If I use openldap's syncronous search instead of asyncronously polling with ldap_result, then the call times out and returns. I half-expected openldap to not be able to bind to the referrals, but still fail quickly and return. I don't understand why the ldap search never finishes. (I never get a LDAP_RES_SEARCH_RESULT) I did get a LDAP_RES_SEARCH_REFERENCE and a LDAP_NO_RESULTS_RETURNED, but those dont signify the search has finished, right? I've attached the ldap debugging. You'll see at the end the repeated calls to ldap_result with timeouts of 10 seconds. I don't know how to read them exactly, but the status seems to be "RequestCompleted" ? ----- 17:20:50.530 ldap_result ld 0x10097060 msgid 5 17:20:50.530 wait4msg ld 0x10097060 msgid 5 (timeout 10000000 usec) 17:20:50.530 wait4msg continue ld 0x10097060 msgid 5 all 2 17:20:50.530 ** ld 0x10097060 Connections: 17:20:50.530 * host: one.example.com port: 389 (default) 17:20:50.530 refcnt: 1 status: Connected 17:20:50.530 last used: Wed May 26 17:19:59 2010 17:20:50.530 17:20:50.530 ** ld 0x10097060 Outstanding Requests: 17:20:50.530 * msgid 5, origid 5, status RequestCompleted 17:20:50.530 outstanding referrals 0, parent count 0 17:20:50.530 ld 0x10097060 request count 1 (abandoned 0) 17:20:50.530 ** ld 0x10097060 Response Queue: 17:20:50.530 Empty 17:20:50.530 ld 0x10097060 response count 0 17:20:50.530 ldap_chkResponseList ld 0x10097060 msgid 5 all 2 17:20:50.530 ldap_chkResponseList returns ld 0x10097060 NULL 17:20:50.530 ldap_int_select ----- I got the latest 2.4.22 release and grabbed the majority of the changes, but the hang remains. You can see the full debugging information in the attached txt file. I'm asking if the forever hang could be a bug in openldap, or perhaps I'm doing something wrong? Thanks, - Jeremiah

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical