Hi folks,
My new Debian stretch slapd consumer configuration is suffering from a
Kerberos authentication problem that looks like a bug. It is
apparently unable to read the Kerberos keytab file and instead
authenticates to its provider as (for my realm)
ldap/localh...@example.com. The
,
the name included with the source email address is just Jaap when I
would like it to be Jaap Winius. I suspect libnss_ldap is responsible.
Is there an easy way to change how these names are mapped, so that
user names would be composed of cn + space + sn?
Thanks,
Jaap
Hi folks,
Compiling the Debian sources for the OpenLDAP packages can take over
an hour on my relatively fast workstation. Much of that time seems to
be spent running a slapd server with all kinds of test routines. Is
that what's actually going on? Whatever, perhaps someone could explain.
Quoting masar...@aero.polimi.it:
Perhaps someone at Debian could. You need to explicitly request make
test to run the test suite using OpenLDAP's make. That's all that ships
with OpenLDAP. The rest isn't ours.
I think I found the cause. It's the last three lines in Makefile.in
(Apr 13
Quoting E.S. Rosenberg esr+openl...@g.jct.ac.il:
How do I get to see the contents of cn=config?
There are two main methods that I know of and for both you have to be
logged in as root. First:
~# slapcat -b cn=config
Slapd does not even have to be running. This command will dump the
Quoting Quanah Gibson-Mount qua...@zimbra.com:
... He is probably missing having it configured as a backend entirely.
That wasn't literally his question, but I would not be surprised if
Dan was right. I've been running Debian squeeze since June and started
with a slapd.conf configuration.
Quoting masar...@aero.polimi.it:
To determine why the referral was chased anonymously we need to know the
configuration of your slapo-chain(5). I assume the configuration you
posted in an earlier message
http://www.openldap.org/lists/openldap-technical/201012/msg00209.html is
still valid
Quoting masar...@aero.polimi.it:
ldap_url_parse_ext(ldap://ldapks.example.com:389)
=ldap_back_getconn: conn=1001 op=3: lc=0x960e6f8 inserted refcnt=1 rc=0
ldap_sasl_bind
^^^ this call shouldn't be here; on the contrary, this should result in
calling ldap_sasl_interactive_bind_s() from within
Hi folks,
When clients bind with a provider and the provider's loglevel is set
to stats, bind events show up frequently in the log. Often, some
logged bind events have only a blank dn along with a method code.
Here are two separate examples:
slapd[903]: conn=1021 op=0 BIND dn=
Quoting Jaap Winius jwin...@umrk.nl:
... The last time I followed these instructions to the letter, proxy
authorization worked. Now I've booted up the same machines again a
few days later and it no longer works: the consumer still uses SASL
to bind with the provider for replication
Quoting Jaap Winius jwin...@umrk.nl:
... and I've been able to get it to work on Debian squeeze using
2.4.23 (with Pierangelo's 2010-04-29 patch) and clear-text
passwords, ...
Sorry, that's apparently not the case. Now I'm getting the same error
with the simple bind configuration
Quoting Jaap Winius jwin...@umrk.nl:
adding new entry cn=ccolumbus,ou=groups,dc=example,dc=com
ldap_add: Strong(er) authentication required (8)
There must be something else going on...
Following my own instructions for the simple bind configuration, I
reinstalled both the provider
Hi folks,
Although I've been able to get proxy authorization to work on Debian
lenny systems using OpenLDAP 2.4.11 and Kerberos authentication with
SASL-GSSAPI, and I've been able to get it to work on Debian squeeze
using 2.4.23 (with Pierangelo's 2010-04-29 patch) and clear-text
Quoting Howard Chu h...@symas.com:
The chain overlay needs to be configured on the frontendDB in order
to catch these update referrals.
Excellent. Thanks to your advice together with Pierangelo's patch of
29 April 2010 (which I hope will soon be committed), my test
configuration is now
Quoting Jaap Winius jwin...@umrk.nl:
Quoting Pierangelo Masarati masar...@aero.polimi.it:
That patch was never committed because the reporter of ITS#6540
said his initial report was not actually relevant for the real
issue he was suffering from. Please try that patch and report
about
Hi folks,
While testing the current Debian squeeze version of OpenLDAP,
v2.4.23-6, in a provider/consumer syncprov/syncrepl
(refreshAndPersist) configuration, using a patch(1) written by
Pierangelo, I have not been able to get chaining to work.
The consumer, ldaps2, was configured with a
Quoting Pierangelo Masarati masar...@aero.polimi.it:
That patch was never committed because the reporter of ITS#6540 said
his initial report was not actually relevant for the real issue he
was suffering from. Please try that patch and report about its
effect; I'll be glad to commit it if
Quoting Tim Dunphy bluethu...@gmail.com:
I was just wondering if anyone happened to know of a good guide to
use for configuring centos clients to authenticate pam modules (such
as su, sudoers, ssh, system authentication and the like) against
openLDAP? I am running a FreeBSD openLDAP server,
Hi folks,
After applying some changes to a consumer server used for testing
purposes, my attempts to run slapcat result in the following error:
slapd-chain: first underlying database
olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}hdb,cn=config
Quoting Jaap Winius jwin...@umrk.nl:
Attempting to answer my own question, my current configuration doesn't
seem to want to work just yet, but the chain setup now looks like this:
#
dn: cn=module{0},cn=config
changetype: modify
add
Quoting Howard Chu h...@symas.com:
You're welcome to submit a patch for the docs.
I may very well do that... once I develop a better understanding of it all.
As lead developer on the Project I focus on working on the things
that would be difficult for anyone else to do. For stuff like this
Hi folks,
My old chain configuration in slapd.conf works fine and looks like this:
#
moduleload back_ldap
overlay chain
chain-uri ldap://ldaps.example.com:389/
chain-rebind-as-user TRUE
Quoting Quanah Gibson-Mount qua...@zimbra.com:
I do it via ldapmodify:
dn: olcOverlay=syncprov,olcDatabase={3}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 20 10
olcSpSessionlog: 500
Thanks, Quanah. Just a bit
Quoting Howard Chu h...@symas.com:
Jaap Winius wrote:
... but these configuration attributes are not well documented
yet, at least not for cn=config. They're not yet included in the
slapo-syncprov man page and (correct me if I'm wrong) the online
documentation doesn't seem to mention them
Hi folks,
When configuring a sync provider with cn=config, it was not too
difficult to figure out how to load the syncprov module and create the
entry for its overlay, but it is unclear how to configure two
associated statements that appear as follows when using slapd.conf:
Quoting Jaap Winius jwin...@umrk.nl:
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Can anyone say how this might be accomplished?
Never mind. FYI:
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
changetype: modify
add: olcSpCheckpoint
olcSpCheckpoint: 100 10
-
add
Quoting Buchan Milne bgmi...@staff.telkomsa.net:
IIRC nss_ldap by supports DNS discovery, if you omit the URI. ...
Did you mean to say that nss_ldap uses DNS discovery by default?
Indeed, that is the way it seems to behave; I just ran some more
tests, and apparently the nss_srv_domain
Hi all,
After more research, I discovered that the actual cause of the problem
is indeed a file descriptor leak: not in slapd, but in krb524d -- the
Kerberos V to IV ticket conversion service -- which is part of the
krb5-kdc package in Debian. It occurs when Kerberos is configured to
use
Quoting Dieter Kluenter die...@dkluenter.de:
What is the output of ulimit -Sn and ulimit -Hn?
If the output differs increase the value of -Sn to max. -Hn
~# ulimit -Sn
1024
~# ulimit -Hn
1024
~# _
Would you suggest that e.g. ulimit -n unlimited be added to /etc/profile?
Thanks,
Jaap
Hi all,
My latest test system includes a Kerberos server that uses OpenLDAP
via IPC as its back-end database. It usually works, but not always.
For example, recently, after failing to get kadmin to add a new
principal to the Kerberos database, I found this error in the
provider's syslog:
Hi all,
Now that I'm satisfied with my OpenLDAP/Kerberos server configuration,
I'm attempting to devise a suitable (Debian lenny) client setup for it.
Although I hear that it may not be the best approach, I'm currently
pursuing a client configuration that includes kstart, libnss-ldap,
Quoting sgm...@mail.bloomfield.k12.mo.us:
Everything has been running fine for months. ...
Sounds familiar.
... it seems after the LDAP daemon was stopped, it could not restart.
Have you tried to figure out why this is?
Jan 20 11:27:56 school1 rpc.statd[1522] nss_ldap: failed to bind to
Quoting Jaap Winius jwin...@umrk.nl:
authz-regexp
uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
ldap:///dc=example,dc=com??sub?
((|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)
(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))
(uid=$1
Quoting Michael Ströder mich...@stroeder.com:
uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?
That would only help to avoid matching an empty uid. Anyway, we've
already established that the problem is not the search pattern, but
the authz-regexp replacement pattern.
Hi all,
My OpenLDAP 2.4 test system uses Kerberos, SASL and GSSAPI. I've got
person objects located in two different org. units and want to search
both of them for a potential match, so I included these two statements
in slapd.conf:
authz-regexp
Quoting Jaap Winius jwin...@umrk.nl:
Although I know how to configure syncrepl with the simple bindmethod,
using a clear-text password exchange and clear-text database
replication, and I know how to set up a provider server with MIT
Kerberos V encryption support, can anyone explain how
Quoting Quanah Gibson-Mount qua...@zimbra.com:
Before I begin, let me say that, in this case, Kerberos only offers
encrypted authentication and not data encryption for the OpenLDAP
replication phase; for that it is necessary to set up a Certificate
Authority and use TLS (LDAP over SSL, slapd on
Quoting Andrew Debenham adeben...@sotech1.com:
Checking configuration files for slapd:[FAILED]
overlay syncprov not found
slaptest: bad configuration file!
As you probably already know, the syncprov module needs to be loaded
*before* the syncprov overlay is invoked. From
Hi all,
On my test system, which uses OpenLDAP simple authentication, I'm
unable to get clients to authenticate to a consumer server, although
they can authenticate to its provider server without a problem. Here's
a snippet of the consumer's syslog, for which I've set the slapd.conf
Hi all,
This question has to do with syncrepl and the use of the rootdn option
in slapd.conf.
My understanding is that on a provider server (where writes are
possible), it is not necessary to use the rootdn option in slapd.conf.
Instead it is enough to have an account that only exists in
Hi all,
Today I have two questions involving indexing. First, my understanding
is that if a new index has been added to slapd.conf, it won't be used
until slapd is stopped, slapindex is run and slapd is started again.
However, if there aren't any entries yet in the database that carry a
Quoting Jaap Winius jwin...@umrk.nl:
Even stranger, if I supply the account's DN and password (although this
would seem a useless thing to do, since it's the very same info I'm
asking for), I get this error:
~$ ldapwhoami -x -D cn=testuser,dc=umrk,dc=nl -w testpass
ldap_bind: Invalid
Hi all,
The utility of the ldapwhoami tool is a mystery to me. As opposed to
the usual Unix whoami command, which prints the effective userid,
ldapwhoami doesn't seem to print the matching LDAP DN... at least
not for me.
My test setup includes an OpenLDAP server and a separate client.