openldap-technical

openldap-technical@openldap.org

20 participants
9787 discussions

Single master/multislave and passwords
by Bryan Payne 23 Jul '08

23 Jul '08

Our master is in dallas. One slave is in ohio. Our ohio users bind to their local server for speed's sake. This is obviously a problem if they change their password. Is there a way to bind locally but when it comes to updating passwords, it inform the master instead?

2 1

Re: N-way multimaster
by Miguel Jinez 23 Jul '08

23 Jul '08

Hello, yes "dies" means shutdown I have made some changes in my config file, but the problem is the same, now I'm with openladap-2.4.11. Here my config file: Master A slapd.conf # Global Directives: # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 sizelimit 500 tool-threads 1 backend bdb database bdb suffix "dc=ar" overlay syncprov syncprov-sessionlog 100 syncprov-nopresent TRUE syncprov-reloadhint TRUE syncprov-checkpoint 1 1 rootdn "cn=admin,dc=dominio" rootpw secret directory "/usr/local/var/openldap-data" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index cn,sn,uid pres,sub,eq index uidNumber,gidNumber eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index objectClass pres,eq lastmod on access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=ar" write by anonymous auth by self write by * none access to * by dn="cn=admin,dc=ar" write by * read access to * by dn.base="cn=admin,dc=ar" read by * break serverID 3 syncrepl rid=001 provider=ldap://10.100.130.164 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=ar" attrs="*" bindmethod=simple binddn="cn=admin,dc=ar" credentials=osde syncrepl rid=002 provider=ldap://10.100.130.181 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=ar" attrs="*" bindmethod=simple binddn="cn=admin,dc=dominio" credentials=secret mirrormode TRUE ##Accesslog overlay overlay accesslog logdb "cn=accesslog" logops writes logold (objectclass=auditModify) logoldattr reqOld logold (objectclass=auditDelete) logoldattr reqOld logsuccess TRUE logpurge 2+00:00 06:00 ##AccessLog DB database bdb suffix cn=accesslog rootdn "cn=accesslog" directory "/usr/local/var/access" index reqStart eq index default eq index entryUUID eq index entryCSN eq index objectClass,reqEnd,reqResult,reqDN,reqType access to * by dn="cn=admin,dc=dominio" read database monitor #******* 2008/7/23 Gavin Henry <ghenry(a)openldap.org>: > Miguel Jinez wrote: > >> Hello, I have upgrated openLDAP to 2.4.10, and I can t fix that situation >> Someone know what is the problem? or really is a bug? >> >> > Hi, > > I'm replying to this thread instead of: > > (ITS#5617) N-way multimaster replication problem > > Can we see your complete config? Also, "dies", do you mean shutdown? > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ >

1 0

openLDAP, DCHP and DNS
by openLDAP 23 Jul '08

23 Jul '08

I would like to configure my openLDAP network using DHCP for my client machines. Is it necessary to have DNS names for all my clients, e.g. something.domain.com, for OpenLDAP to work properly or will it work as long as my openldap servers have fully qualified domain names?

2 1

Re: Client connect issues with OpenLDAP 2.3 on RHEL 4
by Gustavo Mendes de Carvalho 22 Jul '08

22 Jul '08

Hi Martin, Upgrade your RHEL from 4 to 5 that will work. I faced exactly same situation earlier. --- Gustavo Mendes de Carvalho email: gmcarvalho(a)gmail.com > Date: Mon, 21 Jul 2008 18:33:42 +0100 > From: "Martin Benson" <martin_benson1972(a)hotmail.com> > Subject: Client connect issues with OpenLDAP 2.3 on RHEL 4 > To: <openldap-technical(a)openldap.org> > Message-ID: <BLU120-DAV199BFEDE2D0B7E6F309718B8A0(a)phx.gbl> > Content-Type: text/plain; charset="us-ascii" > > I have a Red Hat Enterprise Linux v4.4 installation that runs OpenLDAP 2.2 > using the provided Red Hat rpm's. I want to upgrade this to OpenLDAP 2.3 and > have created an LDAP server using the packages from > > > Thanks Martin

1 0

password changing problems
by Ron Echeverri 22 Jul '08

22 Jul '08

I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user management. The machines in our QA environment are set up to allow LDAP users to log in, and they are also able to change their password via the passwd command. However, they are only able to do this once; if they attempt it again, it bounces back with "LDAP Password incorrect: try again". They are able to log out and in regardless, but passwd will not accept their password in order to change it. If the user's password is reset in phpldapadmin, again they are able to change the password once, and no more. There is no password policy configured in slapd; should there be? I have loglevel set to 296, but i'm not sure what to look for. thanks rone

5 8

Automatically create home directory uppon Email login
by Stelios A. 22 Jul '08

22 Jul '08

Hello all, I've migrate an old Sun Directory Server to OpenLDAP (version 2.4.9 on Ubuntu 8.04 server) and setup a master/slave with syncrepl for data replication betwwen 2 servers. 1st server hold the master ldap and second the slave along with the email server (Sendmail + Dovecot). Email server requires ofcourse a home directory with a mbox file etc. Is there a way to avoid creating each users home directory and setup then his/her permissions? There are 980 users in the base dc and trying to figure out a way to avoid creating all this directories along with chmod manually. I've already setup pam to auto create home directory uppon user login but problem is that only 5 users will have access via ssh. Any ideas? Thanks a lot

3 4

Client connect issues with OpenLDAP 2.3 on RHEL 4
by Martin Benson 21 Jul '08

21 Jul '08

I have a Red Hat Enterprise Linux v4.4 installation that runs OpenLDAP 2.2 using the provided Red Hat rpm's. I want to upgrade this to OpenLDAP 2.3 and have created an LDAP server using the packages from http://staff.telkomsa.net/packages/rhel4/openldap/i386 . The problem I have is that I cannot get a client to attach or query the server. I have installed the openldap2.3-clients and openldap2.3 packages and the server with logging enabled does not even show a connection. I suspect it is a problem with the nss_ldap package that comes bundled with RHEL 4.4. I cannot compile the software on my system as it is a partial install for clients of ours and does not get delivered with compiler software. Does anyone know of an updated rpm for nss_ldap to be compatible with openldap2.3 and RHEL 4? Has anyone done the install and written an install guide? Thanks Martin

2 1

Reg:Design of openldap
by Chakri 21 Jul '08

21 Jul '08

Hi, i'm a newbie to this ldap world.But i have been spending so much time to understand the design of openldap-2.3.39. I wanted to understand the process flow during the functioning of slapd. can some one tell me where can i get the design documents of openldap....plz help...

1 0

memberOf search ACLs
by Andrew Bartlett 21 Jul '08

21 Jul '08

I've recently been trying to lock down Samba4's default ACLs, in it's generated LDAP backend configuration. I have memberOf configured to 'error' on dangling links, which I need for Samba. But I seem to be having some trouble with ACLs. I've attached my full config file, but the key part is: access to dn.base="" by dn=cn=samba-admin,cn=samba manage by anonymous read by * read access to dn.subtree="cn=samba" by anonymous auth access to dn.subtree="${DOMAINDN}" by dn=cn=samba-admin,cn=samba manage by * none If I change the last line to 'by * read', then the error is returned, but otherwise (due apparently to "" being unable to read the entry to validate it's existence). Shouldn't the search operations happen as the rootdn or memberof-dn, or am I missing some other configuration element here? In trying to fix this, I looked at what seemed to by typos in memberof.c, the patch of which I attach, but this didn't help. Any thoughts? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

2 5

Re: BDB selection, et al.
by William Jojo 20 Jul '08

20 Jul '08

---- Original message ---- >Date: Sat, 19 Jul 2008 04:33:46 -0700 >From: Howard Chu <hyc(a)symas.com> >Subject: Re: BDB selection, et al. >To: Quanah Gibson-Mount <quanah(a)zimbra.com> >Cc: William Jojo <jojowil(a)hvcc.edu>,openldap-technical(a)openldap.org > >Quanah Gibson-Mount wrote: >> --On Friday, July 18, 2008 9:11 PM -0400 William Jojo<jojowil(a)hvcc.edu> >> wrote: > >>> I have noticed that the Symas packages user BDB 4.2 (with 2.3.42) as does >>> Ubuntu with 2.4.9+. I was wondering what the preference is over 4.4 >>> (which I use) and 4.[67]. >> >> 4.2.52 + patches has the longest history of being solid. >> >> 4.3 was a disaster >> >> 4.4 was likely okay >> >> 4.5 was likely okay >> >> 4.6 also seems okay, and has some useful improvements >> >> 4.7 is not yet supported, but will be in a future release, and has >> additional useful improvements over 4.6. > >4.7 can be made to work, if you're willing to tweak things a bit. The memory >manager in 4.6 is much improved over earlier versions; the memory manager in >4.7 is slightly better still. The lock manager in 4.7 is more efficient in >multi-core systems than in previous versions. > Do you, Howard, consider BDB 4.4 stable? I originally worked on 4.2 for initial rollout some years ago. Admittedly, I have no problems at present with 4.4, and I could be convinced to step backward if there is a compelling reason to do so. >>> I ask because I build OpenLDAP (among other things) for AIX 5.2/5.3/6.1 >>> at (shameless plug) http://pware.hvcc.edu/ and I was considering moving >>> to 2.4.10 with BDB 4.6, but now I am not certain where to go for a few of >>> reasons: >>> >>> * Why the choice to stay with BDB 4.2? >> >> Proven track record over later releases (4.4, 4.5) for stability and >> performance. >> >>> * And OpenSSL 0.9.7l (over the 0.9.8 series)? >> >> I use OpenSSL 0.9.8 in my builds and have for ages. > >The Symas OpenLDAP 2.4 packages also use OpenSSL 0.9.8. However, the OpenSSL >build system changed, making it more difficult to complete the Windows build. >That's one of the reasons we stayed with 0.9.7 for so long in our OpenLDAP 2.3 >packages. >> >>> * 2.3.39 has been *stable* since 11/2007 and I have not moved from that >>> point within the software suite offered. Is a later version of 2.3 going >>> to be marked stable (like 2.3.42.1 is in the Symas prodcut). >> >> Not likely. > >True, no further 2.3.x release will be marked Stable. > >> Stable is really a fairly meaningless term. > >False. At the time that a release was marked stable, it was considered the >most stable release. I.e., after sufficient amount of time in release, no >major issues were discovered. > >> Assigning meaning >> to it as a guideline as to what version to build is a very bad idea. >> There's a major DoS vulnerability in 2.3.39, for example, that was fixed in >> 2.3.43 and 2.4.11. > >It's important to note that the Stable marker only changes if there's a new >release that we consider stable. The subsequent discovery of bugs in a Stable >release won't trigger the removal of that marker. So 2.3.39 is still marked >Stable, even though important bug fixes are in 2.3.43, because those bugs were >discovered long after 2.3.39 was released. > So, I guess I will stay where I am in production and prepare for a 2.4 upgrade at some soon time after I finish my testing in 2.4 and when a stable release is announced. >In the meantime, when moving the Stable marker, the Project's practice has >been that it can only be moved to the Current release stream, which is 2.4. >But we haven't yet seen a 2.4 release remain long enough in public use without >new issues quickly being discovered. So there is not yet a new Stable release. > >>> * 2.4.x seems stable enough to me and certainly to Ubuntu x86[_64], but I >>> would like some other indication that I should make the leap before I >>> begin to change dependencies to several of the products I produce. Is >>> 2.4.x going to be marked stable in the near future? > >> Hopefully. Note that stable does not remotely mean bug free (or relatively >> low in bug count). It simply means stable as far as core (i.e., not new) >> functionality is concerned. > >No. It means low bug count as of a particular point in time, e.g., within a >couple weeks after the release. > >And as I recall, we need to get to a feature freeze in the core code first. I >think 2.4 is just about at this point now. > Superb. Thank you very much, Quanah and Howard. It has been a very enlightening discussion. Cheers, Bill >-- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical