openldap-technical

openldap-technical@openldap.org

5 participants
9955 discussions

LDAP_MOD_BVALUES / "Binary option"
by Peter Mogensen 09 Mar '10

09 Mar '10

Hi, I'm trying to make sense of the use of "binary" in misc client API's. Some API's (like perl Net::LDAPapi) seem to offer a "b" option do add/modify operations which controls whether the ";binary" AttributeOption is set on an attribute. For Net::LDAPapi this translates (from what I see in the libldap source) to LDAP_MOD_BVALUES But when reading the sources and RFC it seems to me that LDAP_MOD_BVALUES and ";binary" is two completely different things. (Also ";binary" has been removd from RFC4511). Am I right in concluding that LDAP_MOD_BVALUES (and thus "b" in Net::LDAPapi) only controls which BER type is used and as such is completely orthogonal to whether one chooses to set the ";binary" attributedescription options? ";binary" use often used with jpegPhoto, but does it have any influence on which BER type the server uses to send data to the client? I would assume that it would be completely safe to ignore ";binary" and the only reason to set LDAP_MOD_BVALUES would be if the attribute value data contained "\0" bytes. (which would prevent using a string) Is this correct? /Peter

2 3

getting ca/ca subordinate cert to work with openldap
by Chris Jacobs 09 Mar '10

09 Mar '10

Hello, I'm having a heck of a time getting certs to function correctly. This server is being setup with another server in mirrormode - and currently they cannot talk to each other (or themselves when using ldapsearch). We have a root CA, with a subordinate CA used to sign the cert our ldap server is using. I have both appended to the /etc/pki/tls/certs/ca-bundle.crt file (CentOS5) - root first, sub second. I have both (also in the same order) in the cacert.pem used by slapd.conf. TLS directives: TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/ldapcrt.pem TLSCertificateKeyFile /etc/openldap/cacerts/ldapkey.pem When I test the cacert.pem file or the ldapcrt.pem file using "openssl verify [cert]", everything comes back with OK (I tested removing those from the ca-bundle.crt file and they fail - those are below too). I have those certs available separately and tested them too. ------ Test with CA and Sub-CA in ca-bundle.crt ------ # openssl verify cacert.pem cacert.pem: OK # openssl verify ldapcrt.pem ldapcrt.pem: OK # openssl verify carootcrt.pem carootcrt.pem: OK # openssl verify casubcrt.pem casubcrt.pem: OK ------ Test without CA and Sub-CA in ca-bundle.crt ------ # openssl verify cacert.pem cacert.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA error 18 at 0 depth lookup:self signed certificate OK # openssl verify ldapcrt.pem corp-ldapcrt.pem: [verify specific cert subject snipped] error 20 at 0 depth lookup:unable to get local issuer certificate # openssl verify carootcrt.pem carootcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA error 18 at 0 depth lookup:self signed certificate OK # openssl verify casubcrt.pem casubcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Subordinate CA error 20 at 0 depth lookup:unable to get local issuer certificate I'm using OpenLDAP build: 2.4.21 built with the following options: ./configure --with-tls=openssl \ --enable-crypt \ --enable-dynamic \ --enable-ldap \ --enable-lmpasswd \ --enable-modules \ --enable-overlays \ --enable-spasswd \ --sysconfdir=/etc After loading ldif data from our older 2.2 openldap servers, I verified the data was there using Apache Directory Studio (even got some work done on removing/re-adding/comparing ldifs). Ldapsearch though is another beast all together though. # ldapsearch -H ldaps://localhost/ ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain) If you're interested in more details: # ldapsearch -H ldaps://localhost/ -d5 ldap_url_parse_ext(ldaps://localhost/) ldap_create ldap_url_parse_ext(ldaps://localhost:636/??base) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 2, err: 19, subject: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA, issuer: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain). ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain) Help? - chris This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 1

DNS discovery for OpenLDAP?
by Jaap Winius 08 Mar '10

08 Mar '10

Hi all, In the course of my research into a solution involving Kerberos, OpenLDAP and OpenAFS (a.k.a. the Magic Trio), I've discovered that both Kerberos and OpenAFS support methods of DNS discovery, but that OpenLDAP apparently does not. Is this correct? If so, might there be a reason for this, other than that it has occurred to the developers, but that they just haven't had time yet to create it? It seems to me that it would be great to have. Thanks, Jaap

4 5

Many entries, deletes getting painfully slow
by Peter Mogensen 06 Mar '10

06 Mar '10

Hi, I have a database with close to 11 million entries and lately deletes have started to get painfully slow. I've set up a new server with a lot of improvements, but if anyone have an idea about what the deciding factor for the performance difference is, then I would be grateful. On the old server: -16 cores. 42Gb RAM, entire database in memory -XFS file system on (hw)RAID-1 -Database and BerkeleDB log on same filesystem -some, but not much load (~35 read waiters) -time to delete 157 entries: 9 minutes. New server: -16 cores, 48Gb RAM, entire database in memory -ext3 filesystem on (hw)RAID-10 -Database and log on difference disk -no load. -time to delete the same 157 entries: 6.2 seconds I'm aware that the new server has all the benefits, but even under low load conditions, the old server is only able to delete an entry every 3 seconds and there's orders of magnitude difference between 6 and 540 seconds. My suspicion is that there's one of the above factors (XFS?, db/log on same fs?) which get very pronounced when the database gets above a certain size, since this slowdown for deletes seem to have accelerated with the growth of the database the last few months. /Peter

2 1

rwm-map like functionality that copies attributes
by Alexander 'Leo' Bergolth 05 Mar '10

05 Mar '10

Hi! I'd like to implement some kind of attribute-mapping so that the attributes cn and displayName contain the same values. I am thinking about something similar to rwm-map attribute displayName cn However, I don't want to map the attribute names but I want to copy the attribute values, so I guess rwm-map won't be the right way to do it. I found an old mail in the archives that suggests to write an own overlay for that job... http://www.mail-archive.com/openldap-software@openldap.org/msg12720.html I wonder if such kind of functionality has already been developed since that time? Thanks, --leo -- e-mail ::: Leo.Bergolth (at) wu.ac.at fax ::: +43-1-31336-906050 location ::: IT-Services | Vienna University of Economics | Austria

1 0

OpenLDAP authentication problem, need help
by Veikko "Wexi" Skurnik 05 Mar '10

05 Mar '10

Hi all, my OpenLDAP server was working fine, user authentication for workstations and the postfix/dovecot mail server worked as they should, I was about to configure gnarwl and now for some reason users cannot authenticate using the LDAP server. Dovecot also say that it cannot connect to the server (the mail server and OpenLDAP are running on the same machine). I can login to the LDAP server using phpLDAPadmin but i cannot find anything that would be the cause of the problem. The starnge thing is that I did not do any modifications to the OpenLDAP config files that could cause the problem (or at least i think so =)). I've been looking through the config files and made sure that OpenLDAP is running and now I'm running out of ideas. Any help would be greatly appreciated and I'll be more than happy to provide more info needed to solve this problem. Thanks in advance Veikko "Wexi" Skurnik -- * Veikko "Wexi" Skurnik: +358(44)5288338 * * wexi(a)wexin.net Wexi@IRCNet * * Näyttämönkatu 4 B 12 33720 Tampere * * "Kosminen balanssi ei saa järkkyä" *

1 0

SASL Auth with -d ok, otherwise internal error 80
by lists＠supported.de 05 Mar '10

05 Mar '10

Hello list, this is my first time trying to set up SASL, I'm probably doing something wrong. Anyhow: - I'm on OpenSolaris snv_127 - using SUNWopenldap from IPS (which links with bdb 4.7.25) I got strange slapd (and slapcat) hangs (probably in bdb). This forced me to set it all up from source. - I've compiled latest bdb 4.8 from source - I've compiled latest OpenLDAP 2.4.21 from source with this configure args: $ cat myconfigure export CFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \ CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \ LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib \ -R/usr/local/BerkeleyDB.4.8/lib" ./configure -C \ --prefix=/usr/local/openldap \ --enable-spasswd \ --with-cyrus-sasl \ --enable-syslog - I've got my slapd.conf [1] in place and initialized my directory - simple bind always works - I want SASL with DIGEST-MD5 auth. - when starting slapd with -d XXX (-d 256) SASL auth. works !! $ ldapsearch -v -h localhost -p 10389 -LLL -U ldapadmin -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" '*' ldap_initialize( ldap://localhost:10389 ) SASL/DIGEST-MD5 authentication started Please enter your password: SASL username: ldapadmin SASL SSF: 128 SASL installing layers filter: cn=ldapadmin requesting: * dn: cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de cn: ldapadmin gidNumber: 5000 objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: posixAccount objectClass: person objectClass: top sn: Admin uid: ldapadmin uidNumber: 5000 homeDirectory: /tmp userPassword:: ******** - when starting slapd without -d I get: $ ldapsearch -v -h localhost -LLL -U ldapadmin -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" ldap_initialize( ldap://localhost:10389 ) SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-1): generic failure: There's an additional problem in that slapd is not logging to syslogd. Cf. below I configured "loglevel 8191", my syslog.conf contains: local4.debug /var/log/openldap.log Upon slapd startup I get two entries in the log, but nothing else, no debugging: Mar 4 12:48:10 os slapd[8083]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.4.21 (Mar 4 2010 12:12:43) $ Mar 4 12:48:10 os ralph@os:/export/home/ralph/openldap-2.4.21/servers/slapd Can anybody point me in the right direction? Thanks! Cheers, Ralph [1] slapd.conf: include /usr/local/openldap/etc/openldap/schema/core.schema include /usr/local/openldap/etc/openldap/schema/cosine.schema include /usr/local/openldap/etc/openldap/schema/nis.schema include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema pidfile /var/run/slapd.pid argsfile /var/run/slapd.args loglevel 8191 moduleload back_hdb.la ############## # I've added these in sick attempts security ssf=0 sasl=0 sasl-secprops none ############ authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth cn=$1,ou=Users,dc=hh,dc=supported,dc=de access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,shadowLastChange by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write by anonymous auth by self write by * none access to * by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write by self write by users read by anonymous auth rootdn "cn=root,ou=Users,dc=hh,dc=supported,dc=de" rootpw ****** database hdb suffix "dc=hh,dc=supported,dc=de" directory /var/openldap index objectClass eq

2 2

OpenLdap mirrormode cluster with 2 slaves.
by Jan Hugo Prins 04 Mar '10

04 Mar '10

Hello, I have the following setup that gives me some issues at the moment. I have 2 servers running Fedora 10 with OpenLDAP 2.4.19 that are running in Mirrormode. The sync between those 2 servers works just fine. Besides that we have 2 frontend servers that rely heavily on ldap for mail delivery and mail transfers. To make this workable we thought about creating a readonly replica on these servers and tell the sendmail to use the local ldap as primary. When we had an old version on these servers (I think 2.4.12) everything worked fine. We now upgraded all servers to 2.4.19 and the configuration moved to slapd.d format, and now it looks like those 2 servers don't see the updates on the mirrormode backend anymore. I have to following config's, this was from before the migration to slapd.d: ================== master 1 ================== overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 3 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://server2:389 type=refreshAndPersist retry="60 10 300 +" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password mirrormode on ================== master 2 ================== overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 serverID 4 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://server1:389 type=refreshAndPersist retry="60 10 300 +" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password mirrormode on =================== slaves =================== overlay syncprov syncprov-checkpoint 100 10 # # Configure a replication consumer # syncrepl rid=1 provider=ldap://ldap:389 type=refreshOnly retry="60 1 120 1" interval=00:00:05:00 searchbase="dc=domain,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=syncrepl,dc=domain,dc=com" credentials=password updateref ldap://ldap.svc.be.nl:389 updateref ldap://ldap.lan.domain.com:389 ============================================ When I empty the DIT on a slave and start it again it gets the full DIT just fine and I checked this. But after that it is not updated anymore. Does anyone see here some obvious things I'm missing in these slave or master configs? Thanks a lot, Jan Hugo Prins

1 2

combine/link entries in different ou' s
by Marc Mertes 03 Mar '10

03 Mar '10

Hi everybody, I'm not a real pro in ldap yet, so I have a question about ou' s. I have here the main ou=people, where all users are in. Now I want to create a 2nd ou=radar. The goal is that I have a 2nd ou with just a few users, for authentication on some special servers. I want to have that seperated. My question is, if I can link or combine some users from ou=people to ou=radar, that I don't have to create the user a 2nd time? regards marc

2 1

Adding ipHost for Hout based authentication
by Tech Only 03 Mar '10

03 Mar '10

Hello, I am trying to add hosts to the LDAP server for more control on logins. I have nis.schema in the slapd.conf file. Below is host.ldif file dn: cn=mldap,ou=hosts,dc=aaa objectClass: ipHost ipHostNumber: 10.10.5.115 cn: mldap When I try to add it I get following error. ldap_add: Object class violation (65) additional info: no structural object class provided My aim is to add all the network servers under ou=hosts, and then assign access to users depending on the need. Please help!!!!!!

3 3

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical