openldap-technical

openldap-technical@openldap.org

18 participants
9897 discussions

Howto setup OpenLDAP as ACL for Servers?
by openbsd shen 23 Jun '09

23 Jun '09

I have many Windows 2003/Linux Server, and a OpenLDAP server as auth server, I want setup ACL in OpenLDAP server, maybe user A allowed to login in windows-1 server and Linux-1 server, and user B allowed to login in windows-2 server and Linux-2 server. How to setup it in OpenLDAP server?

3 2

Database error 22
by Olivier Nicole 23 Jun '09

23 Jun '09

Hi, After a reboot this morning I had the error: Jun 23 06:47:47 ldap slapd[512]: @(#) $OpenLDAP: slapd 2.3.40 (Jan 29 2008 12:27:46) $ root@fbsd35.cs.ait.ac.th:/usr/ports/net/openldap23-server/work/openldap-2.3.40/servers/slapd Jun 23 06:47:49 ldap slapd[522]: bdb_db_open: Database cannot be opened, err 22. Restore from backup! Jun 23 06:47:49 ldap slapd[522]: bdb(dc=cs,dc=ait,dc=ac,dc=th): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem Jun 23 06:47:49 ldap slapd[522]: bdb(dc=cs,dc=ait,dc=ac,dc=th): txn_checkpoint interface requires an environment configured for the transaction subsystem Jun 23 06:47:49 ldap slapd[522]: bdb_db_close: txn_checkpoint failed: Invalid argument (22) Jun 23 06:47:49 ldap slapd[522]: backend_startup_one: bi_db_open failed! (22) Jun 23 06:47:49 ldap slapd[522]: bdb_db_close: alock_close failed Jun 23 06:47:49 ldap slapd[522]: slapd stopped. Jun 23 06:47:49 ldap slapd[522]: connections_destroy: nothing to destroy. Yesterday I think I cleanly halted the LDAP server before the UPS ran out of battery (major power failure). This morning when I restarted the machine I find the above error. 1) What could cause this error? 2) How to do clean and regular backups? Best regards, Olivier

2 1

(no subject)
by Sai 22 Jun '09

22 Jun '09

Hi all, You can consider I am fairly new to LDAP Server, let alone OPENLDAP. But I went through most of the documentation and configured openldap for our Web Site almost year and half to 2 ago. Now I am required to configure passive fail over for this. I am trying to understand and weigh my options. 1) What I want to configure? Two LDAP servers, with their content being in sync at all times. 2) What should I use? Slurpd or syncrepl or some other configuration. 3) What version we are running on? 2.2.13. Sadly but truly, the project does not have the time and resources to update to the latest one. 4) How are we going to use this replication configuration? a. Currently the Web App points to server A. b. In case of a catastrophic failure of server A (Machine down, power plug pulled, disk failure, etc), they will point the Web App to server B. c. Fix server A. d. Point Web App back to server A (I know there is no harm in leaving it pointed to B but that is the way they want. "Return every thing back to how it was"). I think in order to satisfy 4.b (any updates while pointed to server B while server A is down), both the servers should be Master-Master (N-Way master). What I am trying to understand is question 2. I am currently going through chapter 14 and 15 of openldap documentation. I noticed there are some slight differences and I want to get your expert opinion so that I am on the right track and not doing my own little weird configuration. Any help in helping me understand this and decide what to use is much appreciated. Thanks, -Sai

2 3

control rules
by olivier morel 19 Jun '09

19 Jun '09

hy when I try to find a contact with outlook I see all computeur of my area of the ou=machines i would like to ban the route of the ou=machines for just to see the people how can i do . thank you very mutch for your help ------------------------- Olivier Morel - Service Informatique 4 allée de Seine - 93285 Saint Denis Cedex E-mail : olivier.morel(a)panoranet.com

3 2

Mirror Mode question
by Ivan Ordonez 19 Jun '09

19 Jun '09

Hi, I am trying to setup mirror mode on two identical machines. Previously, these two machine were setup as PDC and BDC, using syncrepl provider and comsumer method. All changes are done through the PDC, and will sync to BDC. We decided to use mirror mode for high availability but having issue getting it to work. When I try to create an account, I will get an error message regarding smbldap-tools. See below. Error: shadow context; no update referral at /usr/sbin//smbldap_tools.pm line 1083, <DATA> line 466. Is there anything on smbldap.conf that I need to change? I made sure that the master were pointing to each other. Below is my mirror mode configuration. Machine 1 - IP Address 192.0.0.201 ServerID 1 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.0.0.202:389 type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" searchbase="dc=my,dc=domain,dc=com" scope=sub schemachecking=on bindmethod=simple binddn="cn=Manager,dc=my,dc=domain,dc=com" credentials=mypassword mirrormode on Machine 2 - IP Address 192.0.0.202 ServerID 2 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.0.0.201:389 type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" searchbase="dc=my,dc=domain,dc=com" scope=sub schemachecking=on bindmethod=simple binddn="cn=Manager,dc=my,dc=domain,dc=com" credentials=mypassword mirrormode on Thanks in advance.

4 11

Update schema
by Olivier Nicole 19 Jun '09

19 Jun '09

Hi, I have an openldap server running and being used day to day for authentication. I developped a small schema, and all is working fine. Only I just noticed that in the definition of the object class, I ussed the OID 9999 instead of my own enterprise number: objectclass ( 1.3.6.1.4.1.9999.2.1.1 Should be objectclass ( 1.3.6.1.4.1.26754.4.1.1 I beleive I cannot just stop slapd, correct the schema and restart slapd. What would be the clean way to proceed to a schema upgrade? As this is a production server, I cannot afford to break it. Bestregards, Olivier

2 3

puzzling Open LDAP dn errors
by Frizzell, Ryan 18 Jun '09

18 Jun '09

Hi all, I'm trying to setup and ldap proxy and I'm running into a bunch of bad dn errors in my endeavors. Currently, my slapd.conf file looks like: Database ldap Suffix "" Uri "ldap://myLdapIP:389" Idassert-bind bindmethod=simple Binddn="cn=privilagedAcct" Credentials="privPass" Trying to keep it simple as this is only a sandbox setup. The issues I'm running into are when I try to change the suffix dn to something useful like Suffix "dc=mydomain,dc=net" Changing suffix to that will produce slaptest errors of "<suffix> invalid DN 21 (invalid syntax)" I can connect to my ldap server and perform searchs with: Ldapsearch -LLL "uid=mytestuser" -x -H "ldap://myLdapIP:389" -D "cn=privilagedAcct,OU=test,dc=mydomain,dc=net" -b "dc=mydomain,dc=net" -W I've also tired to change the binddn to cn=privilagedAcct,OU=test,dc=mydomain,dc=net slaptest will then produce Invalid bind config value binddn=cn=privilagedAcct,OU=test,dc=mydomain,dc=net I've worked quite a bit with DNs in the past and I can't seem to see anything wrong with the DNs especially since the ldapsearch commands will complete on the running ldap server. I'm guessing I'm overlooking something very simple. Any ideas? Thanks, Ryan

2 2

Re: ldap not finding internal CA?
by gruntler-ldap＠yahoo.com 18 Jun '09

18 Jun '09

--- On Wed, 6/17/09, Howard Chu <hyc(a)symas.com> wrote: > From: Howard Chu <hyc(a)symas.com> > Subject: Re: ldap not finding internal CA? > To: "Kurt Yoder" <ktyopenldap(a)yoderhome.com> > Cc: openldap-technical(a)openldap.org > Date: Wednesday, June 17, 2009, 8:55 PM > Kurt Yoder wrote: [... skip ...] > > My openldap is version 2.4.15 on Ubuntu Jaunty. [... skip ...] > The GnuTLS issues with X.509v1 certs were fixed in 2.4.16, > so you need to upgrade. Sorry about any confusion but Jaunty doesn't actually have 2.4.15 but a custom version ("2.4.15-1ubuntu3") from Ubuntu: https://launchpad.net/ubuntu/jaunty/amd64/slapd The diff for ITS#5992 is in Jaunty $ cat gnutls-enable-v1-ca-certs ## Mathias Gug <mathiaz-at-ubuntu.com> ## Enable V1 CA certs to be trusted. ## ITS: 5992 - http://www.openldap.org/its/index.cgi?findid=5992 ## LP: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/305264 ## Fixed in > 2.4.15 ## Patch: http://bazaar.launchpad.net/%7Evcs-imports/openldap/main-src/diff/17238 --- openldap.orig/libraries/libldap/tls_g.c 2009-03-02 02:01:41 +0000 +++ openldap/libraries/libldap/tls_g.c 2009-03-05 03:35:49 +0000 @@ -1,5 +1,5 @@ /* tls_g.c - Handle tls/ssl using GNUTLS. */ -/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.6.2.2 2009/02/10 16:41:01 quanah Exp $ */ +/* $OpenLDAP: pkg/ldap/libraries/libldap/tls_g.c,v 1.9 2009/03/05 03:35:49 hyc Exp $ */ /* This work is part of OpenLDAP Software <http://www.openldap.org/>. * * Copyright 2008-2009 The OpenLDAP Foundation. @@ -349,6 +349,13 @@ if ( rc < 0 ) return -1; rc = 0; } + + /* FIXME: ITS#5992 - this should go be configurable, + * and V1 CA certs should be phased out ASAP. + */ + gnutls_certificate_set_verify_flags( ctx->cred, + GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); + if ( is_server ) { gnutls_dh_params_init(&ctx->dh_params); gnutls_dh_params_generate2(ctx->dh_params, DH_BITS); However: Jaunty does not appear to contain the diff for ITS#5991. Both ITS#5991 and ITS#5992 are squashed into the same CVS delta for: openldap-*/libraries/libldap/tls_g.c diffs between version 1.6.2.3 and 1.6.2.4 of tls_g.c http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_g.c.diff?r1=… Mathias Gug writes in ITS#5991: << Thanks for the workaround. It works as expected. I haven't tested the patch applied to CVS and thus haven't included it in Ubuntu yet. >> Link to ITS#5991 - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5991;selectid=5991… On a related note, Jaunty vs. pre-Jaunty does this: $ gnutls-cli -p 636 XXXX.XXX.XXX -d 4711 --x509cafile /etc/ldap/cacerts/my-ca.cert.pem --print-cert On Jaunty the output contains: - Peer's certificate is NOT trusted On previous Ubuntu releases (Intrepid, Hardy): - Peer's certificate is trusted Same certificate, same command line arguments, same /etc/ldap/ldap.conf file. Thanks, Ken

1 0

LDAP Sync Replication with Active Directory
by mailings＠atlantismedia.de 18 Jun '09

18 Jun '09

Hi, I have a Win 2k3 SBS and I want to replicate the users into my OpenLDAP 2.4.11. When I start slapd, I can see that one entry of a user is being sent, but after that I get the message "got search entry without Sync State control". I had hoped that replication not only works with OpenLDAP as a master, but also with Active Directory. Is it possible to get this to work? Lars

4 5

Cosine schema - RFC 4524
by Zdenek Styblik 18 Jun '09

18 Jun '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, my question is regarding updated Cosine schema [RFC 4524] which has been accepted in March 1991 by IANA. This obsoletes previous Cosine schema [RFC 1274]. OpenLDAP has support for RFC 4524, yet it comes with pre-defined older RFC 1274. So, I'm wondering, is there reason for keep using RFC 1274, or is it safe to define/create new Cosine schema by RFC 4524? Note: I've found ldif file which corresponds with RFC 4524, but no schema file. But I think [believe] it won't be that hard to define schema by published RFC. But, if somebody knows where I can get those files for OpenLDAP, I would be really happy. Thank you for your reply. Regards, Zdenek Styblik - -- Zdenek Styblik Net/Linux admin OS TurnovFree.net email: stybla(a)turnovfree.net jabber: stybla(a)jabber.turnovfree.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoeUiMACgkQ8MreUbSH7ilMtACgwoLkn1KtS/D84yxCRrRfZHHv F9IAnjl8PNOaJ3P6Wm783u9c/J3reit4 =EtIk -----END PGP SIGNATURE-----

2 4

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical