Hi list, We have an LDAP service, version 2.4.11-1, on Debian lenny, but it has been going down from time to time and there is not even a message in the log about the crash. We use it for the e-mail service, jabber, ftp, and website. In the logs I have the following message:
Aug 8 09:34:41 ldap slapd[15338]: connection_input: conn=1332300 deferring operation: binding
Aug 8 09:34:42 ldap slapd[15338]: connection_input: conn=1332301 deferring operation: binding
Aug 8 09:47:46 ldap slapd[15338]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
My configuration
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/RADIUS-LDAPv3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 1024
modulepath /usr/lib/ldap
moduleload back_hdb
TLSVerifyClient demand
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
tool-threads 16
threads 32
backend hdb
database hdb
suffix "dc=auroraalimentos,dc=com,dc=br"
rootdn "cn=suporte,dc=auroraalimentos,dc=com,dc=br"
rootpw secret
directory "/var/lib/ldap"
idletimeout 30
timelimit 320
schemacheck on
checkpoint 1024 5
cachesize 100000
dbconfig set_cachesize 0 2097152 0
lastmod on
sizelimit unlimited
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uniqueMember eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index mailAlternateAddress eq
index MailForwardingAddress eq
index mail pres,eq
index default sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index sambaSIDList,sambaGroupType eq
index givenName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * read
When the service goes down we have a big problem, mainly because the e-mail service is affected. Thanks.
Márcio Luciano Donada wrote:
Hi list, We have an LDAP service, version 2.4.11-1, on Debian lenny, but it has been going down from time to time and there is not even a message in the log about the crash. We use it for the e-mail service, jabber, ftp, and website. In the logs I have the following message:
Aug 8 09:34:41 ldap slapd[15338]: connection_input: conn=1332300 deferring operation: binding
Aug 8 09:34:42 ldap slapd[15338]: connection_input: conn=1332301 deferring operation: binding
Aug 8 09:47:46 ldap slapd[15338]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Your LDAP client seems to send the "Password Policy Control" along with the bind request (see draft-behera-ldap-password-policy). So you should either turn that off in your client's configuration if you don't need it or enable slapo-ppolicy in your slapd.conf file.
Ciao, Michael.
Michael Ströder wrote:
Márcio Luciano Donada wrote:
Hi list, We have an LDAP service, version 2.4.11-1, on Debian lenny, but it has been going down from time to time and there is not even a message in the log about the crash. We use it for the e-mail service, jabber, ftp, and website. In the logs I have the following message:
Aug 8 09:34:41 ldap slapd[15338]: connection_input: conn=1332300 deferring operation: binding
Aug 8 09:34:42 ldap slapd[15338]: connection_input: conn=1332301 deferring operation: binding
Aug 8 09:47:46 ldap slapd[15338]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Your LDAP client seems to send the "Password Policy Control" along with the bind request (see draft-behera-ldap-password-policy). So you should either turn that off in your client's configuration if you don't need it or enable slapo-ppolicy in your slapd.conf file.
Hi Michael, Excuse my ignorance, but can you give me an example of how this would be set in slapd.conf?
Márcio Luciano Donada wrote:
Michael Ströder wrote:
Márcio Luciano Donada wrote:
Hi list, We have an LDAP service, version 2.4.11-1, on Debian lenny, but it has been going down from time to time and there is not even a message in the log about the crash. We use it for the e-mail service, jabber, ftp, and website. In the logs I have the following message:
Aug 8 09:34:41 ldap slapd[15338]: connection_input: conn=1332300 deferring operation: binding
Aug 8 09:34:42 ldap slapd[15338]: connection_input: conn=1332301 deferring operation: binding
Aug 8 09:47:46 ldap slapd[15338]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Your LDAP client seems to send the "Password Policy Control" along with the bind request (see draft-behera-ldap-password-policy). So you should either turn that off in your client's configuration if you don't need it or enable slapo-ppolicy in your slapd.conf file.
Excuse my ignorance, but can you give me an example of how this would be set in slapd.conf?
The first question is whether you need password policy enabled. If yes, then see man page slapo-ppolicy(5). If no, then turn it off in the LDAP client in question (which one?). If that's pam_ldap then check the configuration in the accompanying ldap.conf file.
Ciao, Michael.
Michael Ströder wrote:
The first question is whether you need password policy enabled. If yes, then see man page slapo-ppolicy(5). If no, then turn it off in the LDAP client in question (which one?). If that's pam_ldap then check the configuration in the accompanying ldap.conf file.
Error on adding the default policy to the LDAP database:
# ldap:/etc/ldap# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
# ldap:/etc/ldap# slapadd -l /tmp/polici.txt
The first database does not allow slapadd; using the first available one (2)
str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=1)
ldap:/etc/ldap# cat /tmp/polici.txt
dn: cn=default,ou=Policies,dc=xxxx,dc=com,dc=br
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
Any ideas?
Márcio Luciano Donada wrote:
Michael Ströder wrote:
The first question is whether you need password policy enabled. If yes, then see man page slapo-ppolicy(5). If no, then turn it off in the LDAP client in question (which one?). If that's pam_ldap then check the configuration in the accompanying ldap.conf file.
Error on adding the default policy to the LDAP database:
Did you actually read the man page I mentioned above?
# ldap:/etc/ldap# slapadd -l /tmp/polici.txt
The first database does not allow slapadd; using the first available one (2)
Well, you should rather use ldapadd for adding single entries into an existing tree.
str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=1)
ldap:/etc/ldap# cat /tmp/polici.txt
dn: cn=default,ou=Policies,dc=xxxx,dc=com,dc=br
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
I guess you did not enable slapo-ppolicy in your slapd configuration. Please read the man page I referenced carefully.
Ciao, Michael.
Michael Ströder wrote:
I guess you did not enable slapo-ppolicy in your slapd configuration. Please read the man page I referenced carefully.
I read the admin configuration on OpenLDAP.org [1], subsection slapo-ppolicy.
I initially added the following lines to my LDAP base:
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies
Then I'm trying to add the default (standard) policy to the base, but I'm in trouble:
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
# ldapadd -x -D "cn=suporte,dc=xxxxxxxxxx,dc=com,dc=br" -w secret -f /tmp/polici.txt
adding new entry "cn=default,ou=Policies,dc=auroraalimentos,dc=com,dc=br"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
I followed the documentation but I could not succeed with it. Please can you help me.
[1] http://www.openldap.org/doc/admin24/overlays.html#Password Policies
Márcio Luciano Donada wrote:
Michael Ströder wrote:
I guess you did not enable slapo-ppolicy in your slapd configuration. Please read the man page I referenced carefully.
I read the admin configuration on OpenLDAP.org [1], subsection slapo-ppolicy.
And did you actually add these lines to your slapd.conf as described therein (tweaked to match your suffix)?
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
objectClass: pwdPolicy
objectClass: person
objectClass: top
[..]
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
Again: This strongly indicates that the object class 'pwdPolicy' is not defined in the subschema. This particular object class is hard-coded within slapo-ppolicy. So I suspect you did not enable this overlay in your slapd.conf.
I followed the documentation
Sorry, I suspect you didn't.
Ciao, Michael.
Michael Ströder wrote:
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
objectClass: pwdPolicy
objectClass: person
objectClass: top
[..]
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
In slapd.conf:
moduleload ppolicy
suffix "dc=xxxxxxx,dc=com,dc=br"
rootdn "cn=suporte,dc=xxxxxxxxx,dc=com,dc=br"
rootpw secret
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=xxxxxxxx,dc=com,dc=br"
But on restarting the slapd process I get the error message:
# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed:
User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
Obviously cn=default does not exist in the database; that is what I could not understand, which should come first in slapd.conf.
Unless the problem is in my schemas:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/RADIUS-LDAPv3.schema
Thanks.
Márcio Luciano Donada wrote:
Michael Ströder wrote:
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
objectClass: pwdPolicy
objectClass: person
objectClass: top
[..]
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
In slapd.conf:
moduleload ppolicy
suffix "dc=xxxxxxx,dc=com,dc=br"
rootdn "cn=suporte,dc=xxxxxxxxx,dc=com,dc=br"
rootpw secret
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=xxxxxxxx,dc=com,dc=br"
But on restarting the slapd process I get the error message:
# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed:
User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
Sorry, I was wrong. slapo-ppolicy does not define the subschema stuff. You have to include schema file /etc/ldap/schema/ppolicy.schema.
Ciao, Michael.
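The thread ends up establishing three prerequisites for slapo-ppolicy in slapd.conf: ppolicy.schema must be included in the global section (otherwise slapd fails with "attribute type undefined" for pwdAttribute and pwdPolicy entries cannot be added), "overlay ppolicy" plus "ppolicy_default" must sit inside the database block, and the default policy DN must live under that database's suffix. The following Python lint is an added example, not code from the thread participants or the OpenLDAP project. It parses slapd.conf text with the same continuation-line rule slapd uses and reports which prerequisite is missing. The two sample configs are constructed to mirror the poster's failing configuration and its fix; the paths (/etc/ldap/schema, /usr/lib/ldap) follow the Debian layout and "moduleload ppolicy" is assumed, as in the poster's config, with an example.com suffix standing in for the real one.

```python
import re

# OID of the Password Policy request control (draft-behera-ldap-password-policy);
# this is the control slapd logged as "unrecognized" in the thread.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"


def _unquote(arg):
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == arg[-1] == '"':
        return arg[1:-1]
    return arg


def _norm_dn(dn):
    """Case-fold a DN and strip whitespace around ',' and '=' (enough for a lint)."""
    return re.sub(r"\s*([,=])\s*", r"\1", _unquote(dn)).lower()


def _dn_under(dn, suffix):
    dn, suffix = _norm_dn(dn), _norm_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def parse_slapd_conf(text):
    """Return [(section, directive, args)] for a slapd.conf text.

    section is 'global' until the first 'database' directive, then 1, 2, ...
    for each database block. Comment and blank lines are dropped, and lines
    beginning with whitespace are joined to the previous directive, as slapd does.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())

    entries, section, db_index = [], "global", 0
    for line in logical:
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if directive == "database":
            db_index += 1
            section = db_index
        entries.append((section, directive, args))
    return entries


def lint_ppolicy(text):
    """Return a list of findings; an empty list means slapo-ppolicy is wired up."""
    entries = parse_slapd_conf(text)
    findings = []

    overlays = [(sec, i) for i, (sec, d, a) in enumerate(entries)
                if d == "overlay" and a == "ppolicy"]
    if not overlays:
        return ["overlay ppolicy is not enabled in any database: a bind carrying "
                "control %s is logged as 'unrecognized control' and no policy "
                "is applied" % PPOLICY_CONTROL_OID]

    if not any(sec == "global" and d == "include" and a.endswith("ppolicy.schema")
               for sec, d, a in entries):
        findings.append("ppolicy.schema is not included in the global section: slapd "
                        "refuses to start with 'attribute type undefined' for "
                        "pwdAttribute, and pwdPolicy entries cannot be added")

    for sec, idx in overlays:
        if sec == "global":
            findings.append("overlay ppolicy appears before any 'database' line; it "
                            "belongs inside the database block it should protect")
            continue
        suffix = next((a for s, d, a in entries if s == sec and d == "suffix"), None)
        default = next((a for s, d, a in entries[idx + 1:]
                        if s == sec and d == "ppolicy_default"), None)
        if default is None:
            findings.append("database %d: no ppolicy_default after 'overlay ppolicy', "
                            "so only users with an explicit pwdPolicySubentry get a "
                            "policy" % sec)
        elif suffix is not None and not _dn_under(default, suffix):
            findings.append("database %d: ppolicy_default %s is not under suffix %s"
                            % (sec, default, suffix))
    return findings


# Constructed sample mirroring the thread's failing config: module and overlay
# are configured, but ppolicy.schema is never included.
BROKEN_CONF = """\
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload ppolicy
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
"""

# The same config with the fix from the thread: include ppolicy.schema globally.
FIXED_CONF = BROKEN_CONF.replace(
    "include /etc/ldap/schema/inetorgperson.schema\n",
    "include /etc/ldap/schema/inetorgperson.schema\n"
    "include /etc/ldap/schema/ppolicy.schema\n")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_ppolicy(conf) or ["ok"])
```

The lint deliberately stops at the first problem when the overlay is absent, because that is the case the thread opened with: without the overlay, the "unrecognized control" log line is the only symptom and none of the later checks apply. Run it against the real slapd.conf before the restart so the schema ordering error is caught before slapd refuses to start.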
Michael Ströder wrote:
Sorry, I was wrong. slapo-ppolicy does not define the subschema stuff. You have to include schema file /etc/ldap/schema/ppolicy.schema.
Thanks, I really went blank, sorry for the inconvenience.
openldap-technical@openldap.org