openldap-technical

openldap-technical@openldap.org

9 participants
9868 discussions

help needed
by Piyush Joshi 28 Jan '10

28 Jan '10

Dear All, Is there any option to dump the ldap data in ldif format without base64 encoded value mainly for password field .... -- Regards ****************************** Piyush Joshi System administrator 9415414376 ****************************** "Ability is what you're capable of doing. Motivation determines what you do. Attitude determines how well you do it"

2 1

olcSyncrepl invalid URL - OpenLDAP 2.4.21
by Hung Luu 27 Jan '10

27 Jan '10

Hello everyone, Has anyone experienced the "<olcSyncrepl> invalid URL" error from starting up a consumer slapd? I've tried configuring the provider setting for the syncrepl directive as a domain name and IP address but neither works. Thanks in advance for your help. Here's the error from slapd: *olcSyncrepl: value #0: <olcSyncrepl> invalid URL config error processing olcDatabase={1}hdb,cn=config: <olcSyncrepl> invalid URL* Here's my consumer slapd.conf: include /opt/openldap-2.4.21/etc/openldap/schema/core.schema include /opt/openldap-2.4.21/etc/openldap/schema/cosine.schema include /opt/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema pidfile /opt/openldap-2.4.21/var/run/slapd.pid argsfile /opt/openldap-2.4.21/var/run/slapd.args modulepath /opt/openldap-2.4.21/libexec/openldap moduleload back_hdb.la # Overlay for reverse group membership moduleload memberof.la loglevel 16383 # Global database directives overlay memberof memberof-group-oc groupOfNames memberof-member-ad member memberof-memberof-ad memberOf memberof-dangling error memberof-refint TRUE # Enable cn=config changes from LDAP browser database config rootdn "cn=admin,cn=config" rootpw secret database hdb suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw secret directory /opt/openldap-2.4.21/var/openldap-data/example-com # Indices to maintain index default eq index cn,uid,member index entryCSN,entryUUID eq index objectClass eq # Other BDB/HDB directives cachesize 10000 checkpoint 1024 10 # Replication syncrepl rid=000 provider=*ldap://192.168.56.3:389* type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=secret

1 3

performance on Solaris
by Stefano Zanmarchi 27 Jan '10

27 Jan '10

Hi, I need to set up a LDAP production server with 800.000 entries. Performance and stability are my main concern, I expect around 250 binds and 50 ldapupdate/insert per minute. The machine is a SunFire6900 with 8 sparc US-IV+ CPUs and I'd like to dedicate around 500MB of ram to OpenLdap (more, if necessary). The OS is SunSolaris 10. I'd like to know if OpenLdap is sincerely a good choice with these numbers, and if anyone can share his on-the-field experience with so many users. Thank you very much, Stefano

2 1

Re: (ITS#6453) OpenLDAP memory leak on LDAP_TIMEOUT
by alin vasile 27 Jan '10

27 Jan '10

We found out that this call : ldap_msgfree(res); does not get executed because the LDAPMessage is NULL (res is null) in case the timeout is on the client side. There is any other way to clean it?

1 0

Load difference from 2.4.20 to 2.4.21
by Peter Mogensen 27 Jan '10

27 Jan '10

Hi, I've recently upgrade slapd from 2.4.20 to 2.4.21 and I'm a little surprised to see how huge a difference in load this made. With 2.4.20 idle-time for the machine was around 80%, now it's around 60%. I/O-wait time has also increased, but seems to fluctuate less now. Are there any know reason for large load differences from 2.4.20 to 2.4.21 ? /Peter

1 0

cn=config config problem
by Alex Samad 27 Jan '10

27 Jan '10

Hi I have setup a multimaster setup and some slave nodes, using cn=config. I am looking at trying to create a user in the cn=config space i have test.ldif that looks like dn: cn=test,cn=config objectClass: simpleSecurityObject objectClass: organizationalRole cn: test userPassword: test description: test structuralObjectClass: organizationalRole and I use ldapadd -D "cn=config" -w T25src1Rbe65RR6vwd53VTrB1x6EszFGMjhh7m8OOPjNyJ9h7nJO97p00lHMn08m -f test.ldif I get adding new entry "cn=test,cn=config" ldap_add: Server is unwilling to perform (53) additional info: shadow context; no update referral Which from my investigation tells me my ldap server doesn't know where to send the update, which is strange because I can make other changes to cn=config - add a olcsyncrepl and make changes to loglevel Alex

3 3

meta database - password problems with one target
by Matthew Harrell 27 Jan '10

27 Jan '10

Before I forget the link here is the config file I'm using http://alecto.bittwiddlers.com/files/slapd.conf I have two separate databases of user information and a meta database at the bottom of the file that joins them together so both can log in. The meta database is what's used for the system pam and nss settings. All of that seems to work fine - no problems with the logging in, groups, or any of that. Users that belong to the second database, zone2, can change their passwords using any of the standard commands including passwd. Users in the first database, zone1, are unable to change their passwords {153}: passwd New password: Re-enter new password: LDAP password information update failed: Strong(er) authentication required modifications require authentication passwd: Permission denied passwd: password unchanged I've looked at the ACL and stats logs for both the accounts that work and those that don't but there's a lot of information there and I can't tell what the problem is. I'm rather new to LDAP in general. Can someone give me some pointers or ideas for what I can look for? Thanks for any help

1 0

Bind accepts any password where the real password is a prefix?
by Christopher Kenna 27 Jan '10

27 Jan '10

Greetings, We are running OpenLDAP at our organization to do authentication for Linux machines. One strange thing I noticed is that I can bind to the server using my password, or *any* password that contains my actual password as a prefix. Let me explain with an example. Suppose my password is "banana" (it's not). Then these passwords work to bind to the database: - banana - banana2 - bananafjksdfs But these won't work: - mbanana - banan I'm testing this with this command: ldapsearch -x -W -ZZ -H ldap://<server_address>.com \ -b dc=mydomain,dc=com \ -D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \ '(uid=<my_uid>)' Any ideas about why this happens? Thanks. -- Chris

2 1

LDAP logging
by Ivan Ordonez 26 Jan '10

26 Jan '10

Hi, I want to create logging for LDAP (version 2.4.19-r1) using syslog-ng on Gentoo box. Hope someone here can point me in the right direction. I'm lost here. Here is my syslog-ng conf file: @version: 3.0 # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $ # # Syslog-ng default configuration file for Gentoo Linux options { chain_hostnames(no); # The default action of syslog-ng is to log a STATS line # to the file every 10 minutes. That's pretty ugly after a while. # Change it to every 12 hours so you get a nice daily update of # how many messages syslog-ng missed (0). stats_freq(43200); }; source src { unix-stream("/dev/log" max-connections(256)); internal(); file("/proc/kmsg"); }; #options { sync(n); }; destination messages { file("/var/log/messages"); }; destination authlog { file("/var/log/auth.log"); }; #destination syslog { file("/var/log/syslog"); }; destination ldap { file("/var/log/ldap.log"); }; destination cron { file("/var/log/cron.log"); }; # Create Filters filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }; filter f_authpriv { facility(auth, authpriv); }; #filter f_syslog { not facility(auth, authpriv) and not match(slapd); }; filter f_ldap { match("regexp" value ("slapd")); }; filter f_cron { facility(cron); }; # By default messages are logged to tty12... destination console_all { file("/dev/tty12"); }; # ...if you intend to use /dev/console for programs like xconsole # you can comment out the destination line above that references /dev/tty12 # and uncomment the line below. #destination console_all { file("/dev/console"); }; # Connect Filters and Destinations #log { source(src); destination(messages); }; log { source(src); filter(f_messages); destination(messages); }; log { source(src); filter(f_authpriv); destination(authlog); }; #log { source(src); filter(f_syslog); destination(syslog); }; log { source(src); filter(f_ldap); destination(ldap); }; log { source(src); filter(f_cron); destination(cron); }; # Default Log log { source(src); destination(console_all); }; Thanks in advance. -Ivan

5 9

Ppolicy, password lockout status
by Radosław Antoniuk 26 Jan '10

26 Jan '10

Hi, Quick question. How is it possible to check the account lock status? I've configured the ppolicy according to the guide, the lock is working, the account is locked. And now how can I find out which accounts are currently locked out? -- Best regards, Radek Antoniuk w: www.radek.org.pl

3 4

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical