What was created with OpenLDAP is incredible. Truly.
Experienced with open source, but I have never before seen a system that is so archaic. Amazing. The way that configuration works is something that has to be seen and experienced to be believed.
There must be strong commercial interest served here to create a system that works in this manner. It allows for configuration changes that corrupt the installation but will not allow manual correction of the configuration.
Chicken and egg. To correct the configuration you have to start OpenLDAP and ldapmodify the config files. But.... OpenLDAP will not start because the configuration is not correct. Really funny. And if you try to manually undo your changes, OpenLDAP will completely refuse to put itself into something that resembles a working configuration.
It is fairly easy to make configuration changes that corrupt the database. Documentation is often incorrect or non-existent. For example, try to add sha2 support. Accidentally adding a non-existent hash method will create a corrupt configuration. If you restart slapd it will fail to start. To correct the configuration you need to start slapd. To start slapd you need a correct configuration. It is the end of your efforts.
I'm not doing this on a production system of course; I am trying to create a production system where OpenLDAP is one of the many components. So far most of the effort is OpenLDAP effort. It is consuming most of the project budget. A project of a couple of days turns into a project of a couple of weeks.
We just need an LDAP user directory. OpenLDAP is not it.
If you do not appreciate OpenLDAP, nobody forces you to use it :-) You can choose non-open-source software or develop your own :-)
Personally I have 6 OpenLDAP servers in a redundant architecture and they have been running for 3 years and I never had a problem! Never rebooted the service, server, etc. If I want to modify something in the configuration, I make it on a test server, and if it works, I make the same modification on the prod server (just on that one, and the configuration is automatically updated on the 5 other servers…). With the configuration stored in cn=config, you can modify the server configuration without restarting the service and you can synchronise server configuration :-)
I think you have not learned much about how to CORRECTLY use OpenLDAP. If you want a good introduction, consult these links.
- Basic installation: http://www.cyrill-gremaud.ch/linux/howto-install-openldap-2-4-server/
- Setup multi-master replication: http://www.cyrill-gremaud.ch/linux/howto-setup-n-way-multi-master-replicatio...
- Add new custom schema: http://www.cyrill-gremaud.ch/linux/how-to-add-new-schema-to-openldap-2-4/
- Remove custom schema: http://www.cyrill-gremaud.ch/linux/deleting-custom-schema-in-openldap-2-4/
Best regards,
cyrill gremaud
On 26 Nov 2014, at 06:43, Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
There are alternative open source enterprise solutions to OpenLDAP… no need to start developing your own!
Regards,
Ludo
--
Ludovic Poitou
Product Manager for OpenDJ, open source LDAP directory services...
On 26 Nov 2014 at 07:29:18, Gremaud Cyrill (cyrill.gremaud@hefr.ch) wrote:
If you do not appreciate OpenLDAP, nobody forces you to use it :-) You can choose non-open-source software or develop your own :-)
Yes I know, that was a joke...
________________________________
From: Ludovic Poitou [ludovic.poitou@gmail.com]
Sent: Wednesday, 26 November 2014 07:53
To: Onno van der Straaten; Gremaud Cyrill
Cc: openldap-technical@openldap.org
Subject: Re: OpenLDAP incroyable!
So do I ;-)
-- Ludovic Poitou http://ludopoitou.wordpress.com
On 26 Nov 2014 at 07:57:27, Gremaud Cyrill (cyrill.gremaud@hefr.ch) wrote:
--On Wednesday, November 26, 2014 6:43 AM +0100 Onno van der Straaten onno.van.der.straaten@gmail.com wrote:
If you restart slapd it will fail to start. To correct the configuration you need to start slapd. To start slapd you need a correct configuration. It is the end of your efforts.
I would advise you to use the proper tools if you get into such a situation, like slapcat and slapadd (for offline export/import). OpenLDAP 2.5 will also have offline modify (slapmodify).
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Second corruption in one day. Trying to add a module using LDIF:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: slapd-sha2.so
As it was not working correctly I tried to remove this module. This is not implemented!!! You cannot delete a module once it is added.
I created a backup file of this config file. When the manual edit failed, I moved the backup file back in. This is the result:
[user@server cn=config]# service slapd configtest
Checking configuration files for slapd: [FAILED]
54758693 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=module{0}.ldif"
slaptest: bad configuration file!
This happened after I had already done a complete remove and install of OpenLDAP.
So OpenLDAP does perform world-class checking of manual edits, rendering instances useless when config files are changed. It is a lot more permissive in accepting config changes through the official interface, even accepting changes that corrupt the instance.
I know I can use other directory servers. But I also think that the OpenLDAP community should not claim to offer good encryption of passwords when out-of-the-box you get NO encryption and you have to first become an OpenLDAP core developer to get this good encryption.
On Wed, Nov 26, 2014 at 6:43 AM, Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote on 26.11.2014 at 09:10 in message CADKMi6JGxGB1i_XakcnxvxzN+q=2JgyDpj71fyEnyGwwhhU8WA@mail.gmail.com:
[...]
I created a backup file of this config file. When the manual edit failed, I moved the backup file back in. This is the result:
[user@server cn=config]# service slapd configtest
Checking configuration files for slapd: [FAILED]
54758693 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=module{0}.ldif"
slaptest: bad configuration file!
The best check program cannot check a file when it has no permission to open or read it!
[...]
Onno van der Straaten wrote:
Second corruption in one day. Trying to add a module using LDIF:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: slapd-sha2.so
As it was not working correctly I tried to remove this module. This is not implemented!!! You cannot delete a module once it is added.
I created a backup file of this config file. When the manual edit failed, I moved the backup file back in. This is the result:
[user@server cn=config]# service slapd configtest
Checking configuration files for slapd: [FAILED]
54758693 ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=module{0}.ldif"
slaptest: bad configuration file!
Most likely you're working as root and slapd is running as a non-root user. If you manually modified back-config's files you should check ownership/permissions.
I know I can use other directory servers. But I also think that the OpenLDAP community should not claim to offer good encryption of passwords when out-of-the-box you get NO encryption and you have to first become an OpenLDAP core developer to get this good encryption.
Personally I currently would not use slapd-sha2.so because SHA-2 hashes are optimized for performance.
You could use a stronger {CRYPT} scheme (not the default!).
E.g. I have in slapd.conf (static config):
password-hash {CRYPT}
password-crypt-salt-format "$6$%.12s"
Make sure you understand the crypt hash schemes in the man page crypt(3). The caveat is that {CRYPT} is not really platform-independent.
Ciao, Michael.
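An added audit script, not from the thread and not OpenLDAP's own code, tying together Onno's complaint that out-of-the-box userPassword values get no hashing and Michael's {CRYPT} advice: it reads a slapcat-style LDIF export, names the hash scheme behind each userPassword by its {SCHEME} prefix, flags cleartext, unsalted and DES/MD5-crypt values as weak, and verifies an {SSHA} value the way slapd computes it. The LDIF is constructed inline, and the $6$ hash body is a placeholder rather than real SHA-512-crypt output.

```python
import base64
import hashlib
import hmac
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
WEAK = {"cleartext", "unsalted-digest", "crypt-des", "crypt-md5"}

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated entries, leading-space line folding, 'attr:: base64'.
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        else:
            entry = {}
            for attr, _, val in (line.partition(":") for line in lines):
                if val.startswith(":"):  # double colon marks a base64-encoded value
                    val = base64.b64decode(val[1:]).decode("utf-8", "replace")
                else:
                    val = val.strip()
                entry.setdefault(attr, []).append(val)
            if entry:
                entries.append(entry)
            lines = []
    return entries

def ssha_hash(password, salt):
    # {SSHA} as slapd stores it: base64(sha1(password + salt) + salt)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_verify(stored, candidate):
    raw = base64.b64decode(stored[len("{SSHA}"):])  # 20-byte SHA-1 digest, then the salt
    return hmac.compare_digest(raw[:20], hashlib.sha1(candidate.encode() + raw[20:]).digest())

def classify(value):
    # Name the hash scheme of one userPassword value from its {SCHEME} prefix.
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"  # no prefix: slapd stored the password exactly as the client sent it
    scheme, rest = m.group(1).upper(), value[m.end():]
    if scheme == "CRYPT":  # crypt(3) ids: $6$/$5$ SHA-2, $2?$ bcrypt, $1$ MD5, no id means DES
        crypt_ids = {"$6$": "crypt-sha2", "$5$": "crypt-sha2", "$2": "crypt-bcrypt", "$1$": "crypt-md5"}
        return next((name for pfx, name in crypt_ids.items() if rest.startswith(pfx)), "crypt-des")
    names = {"SHA": "unsalted-digest", "MD5": "unsalted-digest", "SSHA": "salted-digest",
             "SMD5": "salted-digest", "CLEARTEXT": "cleartext"}
    return names.get(scheme, "other-" + scheme)

def audit(ldif_text):
    # Map each dn to (scheme, 'weak' or 'ok') judged from its first userPassword value.
    schemes = {e["dn"][0]: classify(e["userPassword"][0]) for e in parse_ldif(ldif_text) if "userPassword" in e}
    return {dn: (s, "weak" if s in WEAK else "ok") for dn, s in schemes.items()}

# Constructed sample in the shape of 'slapcat -n 1' output; the $6$ body is only a placeholder.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "userPassword:: " + base64.b64encode(ssha_hash("correct horse", b"\x01\x02\x03\x04").encode()).decode(),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=org",
    "userPassword: {CRYPT}$6$abcdefghijkl$placeholder.body.not.a.real.hash",
    "",
    "dn: uid=carol,ou=people,dc=example,dc=org",
    "userPassword: secret",  # stored as typed: no password hashing applied on the server
])
```

Run `audit(SAMPLE_LDIF)` on a real `slapcat -n 1` export to see which scheme each account actually carries; a {SSHA} or {CRYPT}$6$ setting in the config only affects passwords changed after it was applied.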
Michael Ströder wrote:
Onno van der Straaten wrote:
Second corruption in one day. Trying to add module using ldif
Based on personal experience [1] I can say this about various LDAP server implementations: you will always have to learn something about the product-specific pros and cons. ;-]
Personally I still prefer OpenLDAP's static configuration, especially for quick initial tests. But you have to take care of the slapd.conf structure in this case.
Ciao, Michael.
And....another one. Amazing. So hard to understand the OpenLDAP interface. Might just as well have been in Chinese.
$ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f olc_password_hash.ldif -W
ldap_initialize( ldap://zimbra.onknows.com:389 )
Enter LDAP Password:
replace olcPasswordHash: {SSHA}
modifying entry "olcDatabase={-1}frontend,cn=config"
modify complete
So the "modify complete" is sort of suggestive of some kind of successful completion or change applied. One would think. No.
The olcPasswordHash was "modified complete" to have the exact same value as before. I sort of expected OpenLDAP to be "unwilling to perform", which it often is. Not now. It just is "willing to ignore". Almost human.
On Wed, Nov 26, 2014 at 9:10 AM, Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
And....another one. Amazing. So hard to understand the OpenLDAP interface. Might just as well have been in Chinese.
$ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f olc_password_hash.ldif -W
ldap_initialize( ldap://zimbra.onknows.com:389 )
Enter LDAP Password:
replace olcPasswordHash: {SSHA}
modifying entry "olcDatabase={-1}frontend,cn=config"
modify complete
So the "modify complete" is sort of suggestive of some kind of successful completion or change applied. One would think. No.
The olcPasswordHash was "modified complete" to have the exact same value as before. I sort of expected OpenLDAP to be "unwilling to perform", which it often is. Not now. It just is "willing to ignore". Almost human.
Without knowing olc_password_hash.ldif nobody can comment on this.
Ciao, Michael.
Onno,
Onno van der Straaten wrote (26.11.2014 12:13):
And....another one. Amazing. So hard to understand the OpenLDAP interface. Might just as well have been in Chinese.
$ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f olc_password_hash.ldif -W
On Wed, Nov 26, 2014 at 9:10 AM, Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
Second corruption in one day. Trying to add module using ldif
On Wed, Nov 26, 2014 at 6:43 AM, Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
We just need an LDAP user directory. OpenLDAP is not it.
And still you try. :)
There have been two hints what you can do if you cannot get along with ldapmodifying the online config.
- change the config offline with slapcat/slapadd (if you fear crashing the server by modifying the online config, you should have a slapcat backup anyway ...)
- change to static config. (If it is a simple "LDAP user directory", it should be easy to transfer to static.)
Marc
On Wed, Nov 26, 2014 at 11:24 AM, Marc Patermann <hans.moser@ofd-z.niedersachsen.de> wrote:
Onno,
Onno van der Straaten wrote (26.11.2014 12:13):
And....another one. Amazing. So hard to understand the OpenLDAP interface. Might just as well have been in Chinese.
$ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f olc_password_hash.ldif -W
On Wed, Nov 26, 2014 at 9:10 AM, Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
Second corruption in one day. Trying to add module using ldif
On Wed, Nov 26, 2014 at 6:43 AM, Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote:
We just need an LDAP user directory. OpenLDAP is not it.
And still you try. :)
There have been two hints what you can do if you cannot get along with ldapmodifying the online config.
There is also a tool called ldapvi that has been useful to me before.
- change the config offline with slapcat/slapadd (if you fear crashing the server by modifying the online config, you should have a slapcat backup anyway ...)
(Nightly) backups are always a good idea ;) And a few more if you are doing major changes.
- change to static config. (If it is a simple "LDAP user directory", it should be easy to transfer to static.)
Onno: if openldap is not your cup of tea, have you considered freeipa instead? It comes with a web interface.
Marc
Onno van der Straaten <onno.van.der.straaten@gmail.com> wrote on 26.11.2014 at 06:43 in message CADKMi6L08GjUcW3LiKmHjzP0W0CVdW44RqpJq+kWek-ENxJ_bw@mail.gmail.com:
What was created with OpenLDAP is incredible. Truly.
Experienced with open source, but I have never before seen a system that is so archaic. Amazing. The way that configuration works is something that has to be seen and experienced to be believed.
There must be strong commercial interest served here to create a system that works in this manner. It allows for configuration changes that corrupt the installation but will not allow manual correction of the configuration.
That isn't quite different from MS-Windows ;-)
Chicken and egg. To correct the configuration you have to start OpenLDAP and ldapmodify the config files. But.... OpenLDAP will not start because the configuration is not correct. Really funny. And if you try to manually undo
You are wrong: slapadd can modify the config while slapd is down.
your changes, OpenLDAP will completely refuse to put itself into something that resembles a working configuration.
You can always have backups of your files and restore them!
It is fairly easy to make configuration changes that corrupt the database.
That's why to 1) be careful with changes, and 2) make backups
Documentation is often incorrect or non-existent. For example, try to add sha2 support. Accidentally adding a non-existent hash method will create a
What would you have done about 6 weeks ago if you wanted to add SHA-2 to Windows 7?
corrupt configuration. If you restart slapd it will fail to start. To
You can do that with Windows also. See about backup.
correct the configuration you need to start slapd. To start slapd you need a correct configuration. It is the end of your efforts.
No, see above. You are wrong.
I'm not doing this on a production system of course; I am trying to create a production system where OpenLDAP is one of the many components. So far most of the effort is OpenLDAP effort. It is consuming most of the project budget. A project of a couple of days turns into a project of a couple of weeks.
We just need an LDAP user directory. OpenLDAP is not it.
I agree that slapd can be improved in many ways, and you can easily shoot yourself in the foot with it, but once you have got some experience, you can keep it up and running. Even if it's not the latest version.
Regards, Ulrich