openldap-technical

openldap-technical@openldap.org

14 participants
9796 discussions

Re: Re : OpenLDAP 2.4 - Problem with rewrite overlay
by Quanah Gibson-Mount 18 Dec '09

18 Dec '09

Please keep replies on the list. --Quanah --On Friday, December 18, 2009 2:36 AM -0800 KISTER RAPHAEL <kraph(a)yahoo.com> wrote: > Hello, > > My command to test the configuration is :su - openldap -c > "/opt/openldap/sbin/slaptest -v -u -F /opt/donnees/etc/openldap/slapd.d/" > If i use this commande line, i don't get any error or warning :su - > openldap -c "/opt/openldap/sbin/slaptest -v -u -f > /opt/donnees/etc/openldap/slapd.conf -F > /opt/donnees/etc/openldap/slapd.d/" > > But, when i want to start my openldap server, i get the same error. I > join you the result of the start command. > > > modulepath is commented out because all my module are includes in > openldap. I try to use modulepath and moduleload, but i still have the > error. > > Best resgards, > Raphael KISTER > > > > > ----- Message d'origine ---- > De : Quanah Gibson-Mount <quanah(a)zimbra.com> > À : KISTER RAPHAEL <kraph(a)yahoo.com>; openldap-technical(a)openldap.org > Envoyé le : Mer 16 Décembre 2009, 20 h 14 min 13 s > Objet : Re: OpenLDAP 2.4 - Problem with rewrite overlay > > --On Wednesday, December 16, 2009 8:07 AM -0800 KISTER RAPHAEL > <kraph(a)yahoo.com> wrote: > >> Hello, >> >> I have to configure an OpenLDAP directory that store some >> informations about users and groups and that is a proxy with Active >> Directory. To do this, i configure two suffix on my openldap server : the >> first one is to store informations about users and groups and the second >> is for the Active Directory proxy (second suffix is embedded in the first >> one. >> >> To configure the Active Directory proxy, i use an ldap backend with rwm >> overlay to rewrite some attributes and objectclass. >> >> When i test my configuration with slaptest binary, i get this error : >> config error processing olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config: >> <olcRwmMap> handler exited with 1 slaptest: bad configuration directory! > > What is your exact slaptest command? Why is modulepath commented out in > your slapd.conf? > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > > > -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: Re : OpenLDAP 2.4 - Problem with rewrite overlay
by Pierangelo Masarati 18 Dec '09

18 Dec '09

KISTER RAPHAEL wrote: > Hello, > > Thank you for your response.I try to test the config file without the microsoft.schema, but i still have the problem. If i delete all the rwm-map lines, OpenLDAP have a good configuration file and start fine. > > The microsoft.schema is the file a find in OpenLDAP source (i just put in this file user objectclass, sAMAccountName attribut and all the user class attributes). > > When i try to start OpenLDAP, i get the same error. I join you the result in the openldap_start.txt file. Please keep replies in CC to the list. I see your problem, it's when you restart the server using the in-directory configuration. I couldn't investigate things further right now; please file an ITS <http://www.openldap.org/its/> p.

1 0

Half-created objects, objectClass: glue
by Peter Mogensen 18 Dec '09

18 Dec '09

Hi, I have a group of objects in my DIT which seems to haven been added at a time where the server was under heavy write load. They exist in a slapcat, but are not visible in a search. They are not fully created but have: objectClass: top objectClass: glue structuralObjectClass: glue Should this happen? slapd. 2.4.20. BDB 4.8, using a back_hdb database. /Peter

1 0

Two index questions
by Jaap Winius 17 Dec '09

17 Dec '09

Hi all, Today I have two questions involving indexing. First, my understanding is that if a new index has been added to slapd.conf, it won't be used until slapd is stopped, slapindex is run and slapd is started again. However, if there aren't any entries yet in the database that carry a new attribute to be indexed, then there's actually nothing to index. Also, the man page for it states that "Slapindex is used to regenerate slapd(8) indices based upon the current contents of a database." Could this also be a hint that slapindex does need relevant data to process before it can produce any indices? I expect to be wrong about this, but I'd rather be sure. Second, regarding consumers, if a new index is added to a provider, does the same index also have to be added and (re)generated with slapindex on its consumers before it will be available there as well? I would expect so, but again, I'm not completely certain. Thanks, Jaap

3 2

OpenLDAP 2.4 - Problem with rewrite overlay
by KISTER RAPHAEL 16 Dec '09

16 Dec '09

Hello, I have to configure an OpenLDAP directory that store some informations about users and groups and that is a proxy with Active Directory. To do this, i configure two suffix on my openldap server : the first one is to store informations about users and groups and the second is for the Active Directory proxy (second suffix is embedded in the first one. To configure the Active Directory proxy, i use an ldap backend with rwm overlay to rewrite some attributes and objectclass. When i test my configuration with slaptest binary, i get this error : config error processing olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config: <olcRwmMap> handler exited with 1 slaptest: bad configuration directory! I am on a CentOS 5.4 server with OpenLDAP 2.4.20 (compile from sources) and Berkeley DB 4.6.21. I'll give you my slapd.conf file : # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # serverid 001 # Inclusion des schemas include /opt/openldap/etc/openldap/schema/core.schema include /opt/openldap/etc/openldap/schema/cosine.schema include /opt/openldap/etc/openldap/schema/inetorgperson.schema include /opt/openldap/etc/openldap/schema/nis.schema include /opt/donnees/etc/openldap/schema/microsoft.schema # Log level loglevel -1 # The maximum number of entries that is returned for a search operation sizelimit unlimited # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 # PID File pidfile /opt/donnees/var/run/slapd.pid argsfile /opt/donnees/var/run/slapd.args # Load dynamic backend modules: #modulepath /opt/openldap/lib #moduleload back_hdb #moduleload back_monitor moduleload rwm # Access control policy: access to attrs=userPassword by self write by anonymous auth by * none access to dn.base="" by * read access to dn.subtree="cn=Monitor" by dn.exact="cn=admin,cn=config" write by users read by * none access to * by self write by dn="cn=admin,cn=config" write by * none # Configuration du backend backend hdb ####################################################################### # BDB database definitions ####################################################################### database monitor # Dynamic Config database config rootdn "cn=admin,cn=config" rootpw secret ####################################################################### # Configuration Proxy Active Directory database ldap suffix ou=proxy,dc=my-company,dc=meta rootdn "cn=admin,cn=config" subordinate uri ldap://192.168.44.88:389 lastmod off acl-authcDN cn=admin,cn=config acl-passwd secret idassert-bind bindmethod="simple" binddn="CN=srv_ldap,OU=Services-account,OU=Administration,dc=my-company,dc=local" credentials="Azerty00" mode="legacy" overlay rwm rwm-suffixmassage dc=my-company,dc=local rwm-map attribute uid sAMAccountName rwm-map attribute cn cn rwm-map attribute displayName displayName rwm-map attribute givenName givenName rwm-map attribute sn sn rwm-map attribute mail mail rwm-map attribute userPassword userPassword rwm-map attribute * rwm-map objectclass inetOrgPerson user ####################################################################### # Configuration Annuaire technique (habilitations, partenaires, internautes) database hdb suffix "dc=my-company,dc=meta" rootdn "cn=admin,cn=config" directory "/opt/donnees/var/openldap-data" checkpoint 512 30 dbconfig set_cachesize 0 128000000 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass,entryCSN,entryUUID eq index uid pres,eq,sub index sn pres,eq,sub index mail pres,eq,sub index cn pres,eq,sub lastmod on When i install OpenLDAP on my server, i execute this commands : CPPFLAGS="-I/usr/local/BerkeleyDB.4.6/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.6/lib" ./configure --prefix=/opt/openldap --enable-shared --enable-crypt=yes --enable-rewrite=yes --enable-bdb=yes --enable-hdb=yes --enable-ldap=mod --enable-meta=mod --enable-monitor=yes --enable-relay=mod --enable-overlays=yes --with-cyrus-sasl --with-threads=posix --with-tls=openssl make depend make make test make install What's wrong with my installation or my config file ? Is this error is an OpenLDAP bug ? Thank you for your help, Raphaël KISTER

3 2

changing userPassword from custom application
by Zdenek Styblik 15 Dec '09

15 Dec '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, let's open up old wounds. Ok, it sounds jerky, but I don't mean it. Anyway. As the subject suggests, my question is how to code application which allows user to change his password. Or better to ask, if there is some [to me] unknown LDAP function which figures out what password encryption [hash] is used and generates new hash of password, if application should have idea at all what kind of password encryption is used. I think this is just impossible. Login is one thing, changing password is another. Please, don't suggest using % slappasswd; for generating hash. This is really no good way to do it and also, % slappaswd; is not all knowing, or is it? Yeah, it could save up the need to code up for whatever hash is used, yet calling external application, which doesn't even have to be present at system since LDAP can be used over network, it's just no funky enough. Please, don't mind the tone if it doesn't look normal or neutral. There is no intention to be offensive or flame, but to get the answer and solution. So far, I've implemented functions for CRYPT and later for SSHA. Users can't choose what hash will be used - and of course, there is no such intention. The point is, I haven't figured out other way. And it's not just an application, but ldap-tools too. Add new user? Use % slappasswd; Changing password from cmd-line? Use % slappaswd; Regards, Zdenek PS: This question backtracks couple months back. I've tried to ask and clarify this, but ... let's say it got lost in the static :) - -- Zdenek Styblik Net/Linux admin OS TurnovFree.net email: stybla(a)turnovfree.net jabber: stybla(a)jabber.turnovfree.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksmz6wACgkQ8MreUbSH7imZRACeNDO2aY29mWShGTh2PGoZhkcR MFUAn39UYxN2e5oOfLO09YHspCswOtNf =Ww+H -----END PGP SIGNATURE-----

4 8

stuck transactions?
by Peter Mogensen 15 Dec '09

15 Dec '09

Hi, I notice that when I run db4.8tat -t the Active Transaction list does not change very often. I would have expected it to not be the same twice. So I guess I have a lot of stuck transactions? I use back_hdb and slapd is under some load. Could this be related to the messages in the log: Dec 15 15:09:19 server1 slapd[32060]: => bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994) Dec 15 15:09:19 server1 slapd[32060]: conn=40803 op=18: attribute "entryCSN" index delete failure /Peter Active transactions: 80000003: running; pid/thread 32060/47089260848688; begin LSN: file/offset 0/0 80000004: running; pid/thread 32060/47089260848688; begin LSN: file/offset 0/0 80000006: running; pid/thread 32060/1127287120; begin LSN: file/offset 0/0 80000007: running; pid/thread 32060/1110501712; begin LSN: file/offset 0/0 80000008: running; pid/thread 32060/1118894416; begin LSN: file/offset 0/0 8000006b: running; pid/thread 32060/1135679824; begin LSN: file/offset 0/0 8000006d: running; pid/thread 32060/1088940368; begin LSN: file/offset 0/0 80000076: running; pid/thread 32060/1144072528; begin LSN: file/offset 0/0 80000077: running; pid/thread 32060/1152465232; begin LSN: file/offset 0/0 8000007c: running; pid/thread 32060/1160857936; begin LSN: file/offset 0/0 80000081: running; pid/thread 32060/1169250640; begin LSN: file/offset 0/0 80000082: running; pid/thread 32060/1177643344; begin LSN: file/offset 0/0 800000b7: running; pid/thread 32060/1186036048; begin LSN: file/offset 0/0 ....

2 2

Useless ldapwhoami behavior?
by Jaap Winius 15 Dec '09

15 Dec '09

Hi all, The utility of the "ldapwhoami" tool is a mystery to me. As opposed to the usual Unix "whoami" command, which prints the effective userid, "ldapwhoami" doesn't seem to print the matching LDAP DN... at least not for me. My test setup includes an OpenLDAP server and a separate client. The server's slapd.conf includes these ACLs: access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=umrk,dc=nl" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=umrk,dc=nl" write by * read My LDAP DIT includes an account for a normal user with a password. Without any problem I can use this to login to the client host, but when I want to test, or verify, the account's LDAP DN, all I get is this: ~$ ldapwhoami -x anonymous ~$ _ Even stranger, if I supply the account's DN and password (although this would seem a useless thing to do, since it's the very same info I'm asking for), I get this error: ~$ ldapwhoami -x -D "cn=testuser,dc=umrk,dc=nl" -w testpass ldap_bind: Invalid credentials (49) ~$ _ On the other hand, this does work if I supply the admin DN and password: ~$ ldapwhoami -x -D "cn=admin,dc=umrk,dc=nl" -w adminpass dn:cn=admin,dc=umrk,dc=nl ~$ _ The "ldapsearch" command is the same: I can get a response when binding anonymously ("-x"), as well as when binding as the admin user, but not when I use a normal user account, which results in the same error 49 as above. This behavior seems rather useless to me. Surely I've made a mistake somewhere. Can anyone say what it might be? Thanks, Jaap

6 6

Valid configure options for 2.4.20
by J. Landamore 14 Dec '09

14 Dec '09

I'm trying to build 2.4.20 so that it stores the userPassword attribute crypt'ed rather than in clear text - yes I know it violates the RFC. I tried ./configure --enable-crypt --disable-cleartext This compiled fine but failed test002-populate for bdb Is this a valid configuration and will it achieve what I want? Is it possible to store the userPassword attribute crypt'ed? Thanks John -- John Landamore Department of Computer Science University of Leicester University Road, LEICESTER, LE1 7RH J.Landamore(a)mcs.le.ac.uk Phone: +44 (0)116 2523410 Fax: +44 (0)116 2523604

3 2

ApacheDS + openLDAP
by bren norris 14 Dec '09

14 Dec '09

Anyone using Eclipse based ApacheDS for works with openLDAP? I get a socket closed everytime I try and add a custom objectclass to the DIT... but it works fine with Softerra LDAP administrator. Server is a aptitude installed Ubuntu Karmic release and I thought I'd tap your heads just incase I'm missing the "bleedingly obvious". Happy DAPin'

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical