Hello guys, I got a problem while pulling information with the native ldap client on my various solaris 10 machines from an openldap2-2.4.23-116.1. Maybe someone has any ideas, because I am at the end of mine. I don't know what to do in the further steps to solve the problem. The important information is below.
thanks for your help.
kind regards, benjamin.
=============================================================
on the solaris box:
solaris profile pulled from DIT, runs absolutely fine, but is maybe not perfect for openldap
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
NS_LDAP_BINDPASSWD= secret
NS_LDAP_SERVERS= ldap01 ldap02
NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 60
NS_LDAP_PROFILE= solaris_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=people,dc=example,dc=de?sub
NS_LDAP_BIND_TIME= 10
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixGroup
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= sudoers:sudoRole=sudoRole
# ldaplist passwd
ldaplist: Object not found (LDAP ERROR (18): Inappropriate matching.)
getent passwd/group don't show anything, but strangely, a single "id <username>" shows the user information I was expecting.
on sles11sp1/openldap2-2.4.23-116.1 (http://download.opensuse.org/repositories/network:/ldap:/OpenLDAP:/RE24/SLE_...)
That's what I see in the logs on the openldap-server, right after typing "ldaplist passwd" on the solaris box:
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 ACCEPT from IP=10.0.0.1:45604 (IP=0.0.0.0:389)
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" method=128
Oct 15 14:37:33 examplehost slapd[8339]: => bdb_entry_get: found entry: "cn=proxyuser,ou=system,ou=people,dc=example,dc=de"
Oct 15 14:37:33 examplehost slapd[8339]: => bdb_entry_get: found entry: "cn=default,ou=pwdpolicy,dc=example,dc=de"
Oct 15 14:37:33 examplehost slapd[8339]: => access_allowed: result not in cache (userPassword)
Oct 15 14:37:33 examplehost slapd[8339]: => access_allowed: auth access to "cn=proxyuser,ou=system,ou=people,dc=example,dc=de" "userPassword" requested
Oct 15 14:37:33 examplehost slapd[8339]: => acl_get: [1] attr userPassword
Oct 15 14:37:33 examplehost slapd[8339]: => acl_mask: access to entry "cn=proxyuser,ou=system,ou=people,dc=example,dc=de", attr "userPassword" requested
Oct 15 14:37:33 examplehost slapd[8339]: => acl_mask: to value by "", (=0)
Oct 15 14:37:33 examplehost slapd[8339]: <= check a_dn_pat: cn=ldapadm,dc=example,dc=de
Oct 15 14:37:33 examplehost slapd[8339]: <= check a_dn_pat: cn=proxyuser,ou=system,ou=people,dc=example,dc=de ## just for testing purpose
Oct 15 14:37:33 examplehost slapd[8339]: <= check a_dn_pat: anonymous
Oct 15 14:37:33 examplehost slapd[8339]: <= acl_mask: [3] applying auth(=xd) (stop)
Oct 15 14:37:33 examplehost slapd[8339]: <= acl_mask: [3] mask: auth(=xd)
Oct 15 14:37:33 examplehost slapd[8339]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 15 14:37:33 examplehost slapd[8339]: => access_allowed: auth access granted by auth(=xd)
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" mech=SIMPLE ssf=0
Oct 15 14:37:33 examplehost slapd[8339]: => bdb_entry_get: found entry: "cn=proxyuser,ou=system,ou=people,dc=example,dc=de"
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 RESULT tag=97 err=0 text=
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 SEARCH RESULT tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 do_search: get_ctrls failed
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=2 UNBIND
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 closed
That seems to be a problem with a supportedControl of the ldap-server which the solaris ldap client is unable to handle, because the local openldap-client in the sles-server has absolutely no problem binding and getting infos. Is this kind of offtopic for this list?
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com....
says: 18 LDAP_INAPPROPRIATE_MATCHING Inappropriate matching. Filter type not supported for the specified attribute.
But I don't know what to do. This seems kind of related to this problem, maybe it's the same: http://markmail.org/message/dgtk3rpihvkqndqx#query:serverSort%20control%3A%2...
-- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
Hi Benjamin,
It looks like your LDAP client is asking the server to return ordered results from looking at this line:
tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
You may want to take a look at the server-side sorting overlay (slapo-sssvlv) and/or the value sorting overlay (slapo-valsort) and see if activating them on the server will fix your problems.
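The diagnosis above comes from tying one SEARCH RESULT line back to the connection it belongs to. As an added example (not part of any post in this thread), the Python below does that correlation over slapd log text: it tracks client IP and bind identity per conn= and reports every non-zero result. The sample log is constructed in the format quoted above, and the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the slapd syslog format quoted in the thread.
# conn=1160 follows the thread's trace; conn=1161 is invented for contrast.
SAMPLE_LOG = """\
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 ACCEPT from IP=10.0.0.1:45604 (IP=0.0.0.0:389)
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" method=128
Oct 15 14:37:33 examplehost slapd[8339]: => access_allowed: auth access granted by auth(=xd)
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" mech=SIMPLE ssf=0
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 RESULT tag=97 err=0 text=
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 SEARCH RESULT tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 do_search: get_ctrls failed
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=2 UNBIND
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 closed
Oct 15 14:37:40 examplehost slapd[8339]: conn=1161 fd=23 ACCEPT from IP=10.0.0.2:51000 (IP=0.0.0.0:389)
Oct 15 14:37:40 examplehost slapd[8339]: conn=1161 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" mech=SIMPLE ssf=0
Oct 15 14:37:40 examplehost slapd[8339]: conn=1161 op=1 SRCH base="ou=people,dc=example,dc=de" scope=2 deref=0 filter="(objectClass=posixAccount)"
Oct 15 14:37:40 examplehost slapd[8339]: conn=1161 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
Oct 15 14:37:40 examplehost slapd[8339]: conn=1161 fd=23 closed
"""

# "conn=N op=M <rest>" or "conn=N fd=K <rest>"; ACL trace lines carry no conn id.
LINE_RE = re.compile(r"conn=(?P<conn>\d+) (?:op=(?P<op>\d+)|fd=\d+) (?P<rest>.*)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>\[[^\]]+\]|[^:\s]+):\d+")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
RESULT_RE = re.compile(
    r"(?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)(?: \w+=\S+)*? text=(?P<text>.*)"
)


def failed_operations(log_text):
    """Return one record per non-zero RESULT, enriched with connection state."""
    conns = defaultdict(lambda: {"ip": None, "dn": None, "mech": None, "ssf": None})
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # debug trace output, not tied to a connection
        conn, op, rest = int(m["conn"]), m["op"], m["rest"]
        state = conns[conn]  # stays empty if the log starts mid-connection
        if (a := ACCEPT_RE.match(rest)):
            state["ip"] = a["ip"]
        elif (b := BIND_RE.match(rest)):
            state.update(dn=b["dn"], mech=b["mech"], ssf=int(b["ssf"]))
        elif (r := RESULT_RE.match(rest)) and r["err"] != "0":
            findings.append({
                "conn": conn,
                "op": int(op) if op else None,
                "err": int(r["err"]),
                "text": r["text"],
                **state,
            })
        elif rest == "closed":
            conns.pop(conn, None)  # forget state once the connection ends
    return findings


def sort_control_clients(findings):
    """Client IPs whose searches were rejected with err=18 by the sort control."""
    return sorted({
        f["ip"] for f in findings
        if f["err"] == 18 and f["text"].startswith("serverSort control") and f["ip"]
    })


if __name__ == "__main__":
    for f in failed_operations(SAMPLE_LOG):
        print(f)
```
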
Hi diego,
thanks for your advice. I created two new Overlays as you said and tried to set the attribute-set that I googled from some other guys. These are probably wrong. Finally, that solved the messages that appeared in the slapd log, but didn't solve the problem on the solaris hosts. Too bad. :/
While reading through the log file once again, I find it quite strange that the client is asking for specific objectClasses and Attributes that don't exist in my DIT. I've imported the solaris.schema while preparing the DIT and set up the "nisDomainObject" in the root Object, because the Client asked for that in the autoconfig-process. But the rest is from duaconfig.schema. By looking through the solaris.schema, the requested obj and attr below are in there. But this is all in all just guesswork.
for example:
Oct 16 19:15:00 examplehost slapd[24946]: conn=1026 op=102 SRCH base="ou=people,dc=example,dc=de" scope=2 deref=3 filter="(&(objectClass=NisKeyObject)(uidNumber=3))"
Oct 16 19:15:00 examplehost slapd[24946]: conn=1026 op=102 SRCH attr=nisPublickey nisSecretkey
Oct 16 19:15:00 examplehost slapd[24946]: conn=1026 op=103 SRCH base="ou=people,dc=example,dc=de" scope=2 deref=3 filter="(&(?objectClass=SolarisUserAttr)(uid=sys))"
Oct 16 19:15:00 examplehost slapd[24946]: conn=1026 op=103 SRCH attr=uid SolarisUserQualifier SolarisAttrReserved1 SolarisAttrReserved2 SolarisAttrKeyValue
Oct 16 19:15:00 examplehost slapd[24946]: conn=1026 op=104 SRCH base="ou=projects,dc=example,dc=de" scope=2 deref=3 filter="(&(?objectClass=SolarisProject)(?=undefined))"
Oct 16 19:15:00 examplehost slapd[24946]: conn=1026 op=104 SRCH attr=SolarisProjectName SolarisProjectID description memberUid memberGid SolarisProjectAttr
LDIFs of the overlays:
version: 1
dn: olcOverlay={4}sssvlv,olcDatabase={1}hdb,cn=config
objectClass: olcSssVlvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {4}sssvlv
=========================================
version: 1
dn: olcOverlay={5}valsort,olcDatabase={1}hdb,cn=config
objectClass: olcValSortConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {5}valsort
olcValSortAttr: memberuid ou=groups,dc=example,dc=de alpha-ascend
olcValSortAttr: uid ou=people,dc=example,dc=de alpha-ascend
Actually this seems to be a question for the Solaris LDAP mailing list, am I right? But if you have any further hints, these are much appreciated.
Thanks and kind regards, Benjamin.
Update: the serverSort thing was a false-positive this morning, I guess the client was still caching.
...
Oct 18 15:52:23 examplehost slapd[24946]: conn=9373 op=168 SEARCH RESULT tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
Oct 18 15:52:23 examplehost slapd[24946]: conn=9373 op=168 do_search: get_ctrls failed
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 fd=28 ACCEPT from IP=10.0.0.1:35464 (IP=0.0.0.0:389)
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" method=128
Oct 18 15:52:52 examplehost slapd[24946]: => bdb_entry_get: found entry: "cn=proxyuser,ou=system,ou=people,dc=example,dc=de"
Oct 18 15:52:52 examplehost slapd[24946]: => bdb_entry_get: found entry: "cn=default,ou=pwdpolicy,dc=example,dc=de"
Oct 18 15:52:52 examplehost slapd[24946]: => access_allowed: result not in cache (userPassword)
Oct 18 15:52:52 examplehost slapd[24946]: => access_allowed: auth access to "cn=proxyuser,ou=system,ou=people,dc=example,dc=de" "userPassword" requested
Oct 18 15:52:52 examplehost slapd[24946]: => acl_get: [1] attr userPassword
Oct 18 15:52:52 examplehost slapd[24946]: => acl_mask: access to entry "cn=proxyuser,ou=system,ou=people,dc=example,dc=de", attr "userPassword" requested
Oct 18 15:52:52 examplehost slapd[24946]: => acl_mask: to value by "", (=0)
Oct 18 15:52:52 examplehost slapd[24946]: <= check a_dn_pat: cn=ldapadm,dc=example,dc=de
Oct 18 15:52:52 examplehost slapd[24946]: <= check a_dn_pat: cn=proxyuser,ou=system,ou=people,dc=example,dc=de
Oct 18 15:52:52 examplehost slapd[24946]: <= check a_dn_pat: anonymous
Oct 18 15:52:52 examplehost slapd[24946]: <= acl_mask: [3] applying auth(=xd) (stop)
Oct 18 15:52:52 examplehost slapd[24946]: <= acl_mask: [3] mask: auth(=xd)
Oct 18 15:52:52 examplehost slapd[24946]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 18 15:52:52 examplehost slapd[24946]: => access_allowed: auth access granted by auth(=xd)
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" mech=SIMPLE ssf=0
Oct 18 15:52:52 examplehost slapd[24946]: => bdb_entry_get: found entry: "cn=proxyuser,ou=system,ou=people,dc=example,dc=de"
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 op=0 RESULT tag=97 err=0 text=
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 op=1 SEARCH RESULT tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 op=1 do_search: get_ctrls failed
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 op=2 UNBIND
Oct 18 15:52:52 examplehost slapd[24946]: conn=10575 fd=28 closed
...
Is someone able to tell me what specific attributes I have to set for simple passwd/group/sudoers listing/sorting?
Thank you.
Hello there,
a short update on my problem for the ppl who care. :)
A colleague of mine could reproduce the situation with the same version of OpenLDAP 2.4.23 (from the OpenSUSE repo) and Solaris 10, but there was no problem with an older version of OpenLDAP 2.4.12 (default in sles11 w/o sp1) and said he had no problems getting listings of users and groups with ldaplist on Solaris 10. That's the only problem I have currently on my version of OpenLDAP 2.4.20 (downgraded due to fiddling around to a "supported" version from the sles11sp1 repo). Everything else like logging in, using sudoers, having pwdPolicy and so on was and is working fine with 2.4.20/2.4.23.
I now think there may be a regression somewhere between 2.4.12 and 2.4.20 regarding sssvlv or valsort?! While I'm writing this I'm installing sles11 with the lower version of OpenLDAP 2.4.12 on a virtual machine to reproduce at least the difference of these versions. Because this is going to be a production server, my boss is heading for a support contract with Novell, so I have to use the versions from the repository. :(
I was not able to find a suitable ticket in the ITS from the past that could have been related to the problem (too stupid to use this thing? :)).
Bye, Benjamin.
PS: Here are some examples what's working and what's not, no matter if overlays sssvlv or valsort are configured or not:
root@exampleclient # ldaplist -lv passwd testuser1
+++ database=passwd
+++ filter=(&(objectclass=posixaccount)(uid=testuser1))
+++ template for merging SSD filter=(&(%s)(uid=testuser1))
dn: uid=testuser1,ou=people,dc=example,dc=de
loginShell: /bin/bash
sn: testuser1
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
gidNumber: 1000
mail: somewhere@somehow
telephoneNumber:
uidNumber: 1001
gecos: name name desc
cn: testuser1
description: Systemadministrator Unix
homeDirectory: /export/home/testuser1
uid: testuser1
root@exampleclient # ldaplist -lv passwd
+++ database=passwd
+++ filter=objectclass=posixaccount
+++ template for merging SSD filter=%s
ldaplist: Object not found (LDAP ERROR (18): Inappropriate matching.)
root@exampleclient # ldaplist -lv group admin
+++ database=group
+++ filter=(&(objectclass=posixgroup)(cn=admin))
+++ template for merging SSD filter=(&(%s)(cn=admin))
dn: cn=admin,ou=groups,dc=example,dc=de
gidNumber: 1000
objectClass: posixGroup
objectClass: top
objectClass: labeledURIObject
objectClass: groupOfURLs
cn: admin
labeledURI: ldap:///ou=people,dc=example,dc=de?uid?sub?(objectClass=posixAccount)
memberUid: testuser1
memberUid: testuser2
...
root@exampleclient # ldaplist -lv group
+++ database=group
+++ filter=objectclass=posixgroup
+++ template for merging SSD filter=%s
ldaplist: Object not found (LDAP ERROR (18): Inappropriate matching.)
Just for completion, this was the first reply to my problem, which pointed me in the direction of sssvlv and valsort.
---------- Forwarded message ----------
From: Diego Lima lists@diegolima.org
Date: Fri, Oct 15, 2010 at 18:41
Subject: Re: Error 18: Solaris 10 Native LDAP-Client
To: Benjamin Griese der.darude@gmail.com
Cc: openldap-technical@openldap.org
Hi Benjamin,
It looks like your LDAP client is asking the server to return ordered results from looking at this line:
tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
You may want to take a look at the server-side sorting overlay (slapo-sssvlv) and/or the value sorting overlay (slapo-valsort) and see if activating them on the server will fix your problems.
-- Diego Lima http://www.diegolima.org
Benjamin Griese der.darude@gmail.com writes:
> Just for completion, this was the first reply to my problem, which pointed me in the direction of sssvlv and valsort.
May I point you to my answer about a week ago, where I mentioned that the client initiates a server side sorting extended operation control?
-Dieter
Hello there,
I feel like spamming the list, but I now think it's a more and more OpenLDAP Server-related "problem" (for me it's not a feature ;) ).
http://bacedifo.blogspot.com/2009/09/server-side-sort-with-openldap2418.html
I could reproduce the problem on 2.4.20, but haven't been able to set up an older version to test that, yet.
Some ideas related to that? :/
Bye.
Benjamin Griese der.darude@gmail.com writes:
> Hello there,
> I feel like spamming the list, but I now think it's a more and more OpenLDAP Server-related "problem" (for me it's not a feature ;) ).
> http://bacedifo.blogspot.com/2009/09/server-side-sort-with-openldap2418.html
> I could reproduce the problem on 2.4.20, but haven't been able to set up an older version to test that, yet.
> Some ideas related to that? :/
I didn't follow this thread, so in fact I don't know what it is all about. All I can say is that the search string mentioned in the above link is wrong because of lacking an ordering rule. The parameter of the extended operation should be something like -E'!sss=sn:2.5.13.3'
-Dieter
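The reply above turns on whether a sort key names an ordering rule. As an added example (not from the thread), the Python below builds and decodes the RFC 2891 SortKeyList that forms the value of the server-side sort request control, so a control value can be checked for keys that carry no orderingRule. The spec string follows ldapsearch's sss=[-]attr[:OID] syntax; all function names are this example's own.

```python
SSS_REQUEST_OID = "1.2.840.113556.1.4.473"  # RFC 2891 sort request control

# SortKeyList ::= SEQUENCE OF SEQUENCE {
#     attributeType  AttributeDescription,          -- OCTET STRING, tag 0x04
#     orderingRule   [0] MatchingRuleId OPTIONAL,   -- implicit tag 0x80
#     reverseOrder   [1] BOOLEAN DEFAULT FALSE }    -- implicit tag 0x81
SEQUENCE, OCTET_STRING, ORDERING_RULE, REVERSE_ORDER = 0x30, 0x04, 0x80, 0x81


def _tlv(tag, payload):
    """Encode one BER tag-length-value, using long-form length when needed."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_sss_spec(spec):
    """'sn:2.5.13.3/-uid' -> [('sn', '2.5.13.3', False), ('uid', None, True)]"""
    keys = []
    for part in spec.split("/"):
        reverse = part.startswith("-")
        attr, _, rule = part[1:].partition(":") if reverse else part.partition(":")
        if not attr:
            raise ValueError(f"empty attribute in sort key {part!r}")
        keys.append((attr, rule or None, reverse))
    return keys


def encode_sort_keys(keys):
    """Encode (attr, rule, reverse) tuples as the control value."""
    items = b""
    for attr, rule, reverse in keys:
        body = _tlv(OCTET_STRING, attr.encode("ascii"))
        if rule:
            body += _tlv(ORDERING_RULE, rule.encode("ascii"))
        if reverse:  # DEFAULT FALSE is omitted on the wire
            body += _tlv(REVERSE_ORDER, b"\xff")
        items += _tlv(SEQUENCE, body)
    return _tlv(SEQUENCE, items)


def decode_sort_keys(value):
    """Decode a control value back into (attr, rule, reverse) tuples."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != SEQUENCE or end != len(value):
        raise ValueError("not a SortKeyList")
    keys, pos = [], 0
    while pos < len(seq):
        tag, item, pos = _read_tlv(seq, pos)
        if tag != SEQUENCE:
            raise ValueError("sort key is not a SEQUENCE")
        attr, rule, reverse, ipos = None, None, False, 0
        while ipos < len(item):
            t, v, ipos = _read_tlv(item, ipos)
            if t == OCTET_STRING:
                attr = v.decode("ascii")
            elif t == ORDERING_RULE:
                rule = v.decode("ascii")
            elif t == REVERSE_ORDER:
                reverse = v != b"\x00"
            else:
                raise ValueError(f"unexpected tag 0x{t:02x} in sort key")
        keys.append((attr, rule, reverse))
    return keys


def keys_without_rule(value):
    """Attributes in the control value that name no ordering rule."""
    return [attr for attr, rule, _ in decode_sort_keys(value) if rule is None]


if __name__ == "__main__":
    for spec in ("sn", "sn:2.5.13.3"):  # 2.5.13.3 is caseIgnoreOrderingMatch
        value = encode_sort_keys(parse_sss_spec(spec))
        print(spec, value.hex(), "missing rule:", keys_without_rule(value))
```
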
openldap-technical@openldap.org