dynlist: unable to fetch objectClass groupOfURLs
Playing on my test server with dynlist, trying to set it up via cn=config. I issue:

    awill...@linux-m3mt:~> ldapadd -x -h 172.16.55.129 -D 'cn=Adam Williams,ou=People,ou=Entities,ou=SAM,o=Morrison Industries,c=US' -W -f dynlist.ldif
    Enter LDAP Password:

where dynlist.ldif is:

    dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcDynamicList
    olcOverlay: dynlist

and it fails with error:

    adding new entry olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
    ldap_add: Other (e.g., implementation specific) error (80)
            additional info: unable to fetch objectClass groupOfURLs

and slapd crashes at the next operation. Anyone recognize that one or know how to work around it? Am I somehow missing the groupOfURLs schema? If I dump my cn=SubSchema I don't see a reference to groupOfURLs.

Version: Telkomsa openldap2.4-2.4.20-1.el5
Re: Schema repository?
On Thu, 2008-08-07 at 14:08 +0200, Buchan Milne wrote:

On Wednesday 06 August 2008 15:08:07 Jeff Blaine wrote:

I spent a good half hour last night massaging RFC3712.txt into a schema to load into OpenLDAP. The entire time I thought, "Surely I am missing something in my Google searches".

2nd hit for me is: http://www.whitemiceconsulting.com/system/files?file=ldap-printer.schema.gz

Please point to the root page http://www.whitemiceconsulting.com/node/42 which contains a disclaimer:

quote
I don't endorse the suitability of any of these files for any purpose. If you are going to install schema in your DSA then you need to understand what you are doing. Last I knew all these files could coexist within a version 2.2 or later OpenLDAP DSA. If you have any problems relating to compatibility with any of these schema please let me know.
/quote
Re: Troubles with Country (c) attribute limited to two characters
OK, I understand that this is happening because of a schema violation, but nevertheless I still need some advice or tips on how to avoid getting into trouble when upgrading the servers. Is there an easy way to get rid of the problem but still use this type of suffix with a country value longer than 2 characters?

Slapcat and fix the values; the 2-character abbreviations are an ISO standard you can download. Modify your application to only accept legitimate country codes.
http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm
Re: smbk5pwd and ppolicy working together
Let me ask two theoretical questions before I submit my comments below. Windows XP/2000/et al. send their passwords via SMB hashed. So, without configuring those workstations to send the passwords plaintext over the wire, is there any way for ppolicy to act on the ldapmodify initiated by Samba from Windows clients attempting to change their passwords?

You do *NOT* need to configure the clients to use cleartext passwords - which BTW would break domain functionality anyway. Samba has a cleartext equivalent of the password when you do a password change, else how would password chat scripts work?

Furthermore, if the above change is made so that ppolicy can evaluate the plaintext password, what exactly will the interaction between LDAP and the clients be if it fails to clear ppolicy constraints?
Re: smbk5pwd and ppolicy working together
Ok - I'll create an LDAP user specifically for changing passwords, and set that as my ldap admin dn in the smb.conf, so the change won't be done by the rootdn, as recommended by Adam and yourself. I'll then create an entry in the slapd.conf like the one below and give that a shot.

Excellent, I'm very interested to see what happens at that point.

    # ACL's
    access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth
    access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange,pwdChangedTime,pwdHistory
        by dn="cn=pwchanger,dc=example,dc=com" write
    access to *
        by * read

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: smbk5pwd and ppolicy working together
I'm not even sure this is the path I ought to be going down. If smbk5pwd has no knowledge of ppolicy, and password changes from Windows clients won't adhere to those restrictions with any combination of configuration options in any currently known universe, perhaps what I really need is an alternate strategy. I'm open to suggestion; my only requirements are that password changes from a Windows workstation be subjected to the ppolicy constraints, and that the LDAP and Samba passwords all be in sync.

    rootdn "cn=admin,dc=example,dc=com"
    rootpw {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj

Are you still using the rootdn as the Samba bind DN? If so, don't.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: smbk5pwd and ppolicy working together
The ppolicy overlay is adding extra functionality to the password extended operation. ldappasswd uses this. The restriction is not present if you update the password hash via the ldapmodify command. The key is in the extended operation. As an added tidbit, only userPassword is monitored, not any other attribute.

That's not entirely true. The ppolicy overlay also intercepts regular Modify requests. But the sticking point is that if the incoming password is already hashed, then most of the policy checks cannot be performed. Typically, clients that use ldapmodify on the userPassword hash the value before sending it to the server, and so the overlay can't do anything.

Well, if the 'passwd program' defined in the smb.conf is ldappasswd, then the ldapmodify doesn't come into play, correct? The two things I'm confused about are:

The passwd program doesn't matter when using an LDAP SAM. Hopefully it is just ignored. The safe move would be to remove it altogether.

1. why there is a sambaPasswordHistory attribute if it's using ldappasswd (ldappasswd should modify the pwdHistory attribute, no?), and ?

sambaPasswordHistory is part of the Samba schema and assumes that Samba is managing password integrity, repeated use, etc... But if you are using ppolicy I'd suspect you just don't care about sambaPasswordHistory.

I'd really like ppolicy and smbk5pwd to play nicely together, and theoretically they should, but I suspect you will run into one very interesting problem - what happens when Samba tries to change the password and ppolicy says no? What kind of meaningless error message will the end-user see?

Samba does password changes via an ldapmodify rather than an ldappasswd (unless you have "ldap passwd sync = Only", which I have never personally used, so I have no tests to back this up). This would explain why LDAP has the policy enforcing and Samba does not.

Is your Samba server binding as your manager/admin DN? Don't do that, ever. Create a bind context for Samba and use ACLs to give that context the access it requires. I don't know if it will fix Samba+ppolicy but it is the correct thing to do either way.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: OpenLDAP migration to new server
I have a Fedora Core 2 server running openldap-servers-2.1.29-1. I have an address book with names stored there which I am using with Outlook. Can someone please tell me how I migrate this address book to a newer server running CentOS 5 with openldap-servers-2.3.27-8? What commands do I run to export and import the data?

slapcat / slapadd

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: slapadd going for a very long time
I'm running RHEL4 and am bound by policy to only use RHEL4 packages, so this is why I am only using v2.2.13.

I'm sorry for you. Anyway...

I need to add a new slave to the pool of LDAP servers. I ran "slapcat -l /tmp/myfile.ldif" on the master. Then copied the resultant ldif to the new slave. Then ran "slapadd -v -l myfile.ldif". myfile.ldif is ~250MB and the source LDAP directory contains "# numEntries: 427839". I started the slapadd 20 hours ago and it is still running. Is this normal, given the number of entries?

Did you create a DB_CONFIG file?

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: Writing an ACL for Anonymous Searches
I am new to ldap and ACLs but I need to write an ACL that will prevent anonymous (cn=everyone?) users from viewing (read?) members of a certain group (e.g. cn=restricted_group,ou=groups,o=xxx) in their search/dump results. Any help or pointer to documentation is much appreciated. Thanks.

Grant write and/or read access to authenticated users, and anonymous users are implicitly denied access. This is explained in the slapd.access man page. Be sure to use a man page appropriate to your version of OpenLDAP.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
RE: regarding custom schema
1) The second choice of making the new objectClass STRUCTURAL is fine for me, but will there be any restrictions for new STRUCTURAL object classes to be created from any parent (for instance, organizationalUnit)?

Only that they be STRUCTURAL.

And from this new STRUCTURAL class, if I derive one more hierarchy down, will there be any restrictions for that grandchild object class?

None beyond what apply to all object classes. Proprietary/custom schema is treated no differently than standard schema.

2) Can I know why there is that restriction that AUXILIARY cannot be derived from STRUCTURAL?

Because it makes no sense. Look up the meanings of AUXILIARY and STRUCTURAL.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: cn=config example
On Friday 21 September 2007 06:07:47 Howard Chu wrote:

Use slaptest instead.

except that slaptest doesn't have a "run as another user" flag, and -u is already taken :-(.

I was just working with converting a conf file to a config backend and swear I saw a specific note somewhere to use slaptest (and I knew to use slaptest). Now poking around a bit I can't find it.

Nor do the tools need such an option; you can just use su. The reason slapd can't be started with just "su ldap" is because it may need root privs to open the listener sockets. That's the only reason it has -u/-g options.

Sure, and I use su in our init script when testing the configuration. But some other distros don't, and don't use -u, and end up creating transaction log files as root, preventing startup later.

I don't perceive this as an OpenLDAP problem; it is more of a "bad distribution! bad!" kind of issue.

I am not aware of any recommendation of using su for slaptest (though it is quite obvious to many, it may be worth mentioning explicitly). And it should certainly be mentioned in any documentation covering converting to back-config.

Nah, it is simply obvious/standard practice. Configuring services as a user or root and then setting permissions as the last step is just how things are done.

At present, it seems that if you want to do the conversion while slapd is running, and for a slapd that runs as non-root, something like this is the best option:

    # slapd -u ldap -g ldap -d none -h ldap://localhost:391/ -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

As then:
- The configuration will be converted
- slapd won't start up

What makes you say that? It will fail to open the database already opened by the running slapd. I'm confused by all of this; who is going to be converting their configuration (which one assumes would also include testing the resulting configuration) while slapd is hot?

- you will see any relevant errors
- all the files will be owned by the ldap user/group
- if it succeeds, a restart of slapd is all that is necessary to continue

That seems like far more trouble than just using su... It's about the same amount of typing:

    slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    chown -R ldap.ldap /etc/openldap/slapd.d

--
Consonance: an Open Source .NET OpenGroupware client.
http://code.google.com/p/consonance/
- Searching for a bored Cairo# hacker. Contact:[EMAIL PROTECTED]
http://www.opengroupware.org
Re: cn=config example
can correct mistakes (which we can't do for all the broken howtos).

What I don't understand is that (a) there is an official place for Samba documentation, (b) there is an official place for PAM documentation, (c) there is an official place for NSS documentation, (d) there is an official place for ISC Bind documentation, (e) there is an official place for ISC DHCPd documentation, (f) there is an official place for Cyrus IMAPd documentation... so what is the problem? Either (1) the user chose not to look in the official place or (2) the project chose not to provide documentation related to LDAP. #1 is the user's problem and for #2 the user should contact that project, not complain to their DSA vendor. If the user chose to look in random places they must expect documentation of random quality.

It's all very good having in-depth guides, but sometimes it's better to get something running and come back to the main docs.

Disagree; that is just a sloppy approach to system administration.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: printer and schema trouble
I'm using OpenLDAP 2.3.34 on CentOS 4.4. I'm trying to get some printer information stored in OpenLDAP and I'm having trouble getting the schema to work. I've obtained the ldap-printer.schema and ldap-slp.schema from http://www.kalamazoolinux.org/projects/awilliam/ldap.html. The problem seems to be with ldap-slp.schema. The error that I get is as follows:

    [:[EMAIL PROTECTED]:] /etc/init.d/ldap restart
    Checking config file /etc/openldap/slapd.conf: [FAILED]
    /usr/share/openldap/schema/ldap-slp.schema: line 38: Syntax not found: 1.3.6.1.4.1.6252.2.27.6.2.2
    slaptest: bad configuration file!

The part of the schema where the error occurs has the following entry:

...and the "syntax not found" error appears to reference an entry at the very top of the schema file:

    ( 1.3.6.1.4.1.6252.2.27.6.2.2 DESC 'SLP Service Type' )

The odd thing about this entry (to me) is that they don't have an attributetype or objectclass in the description. Does anybody have a working printer schema configuration that they would be willing to share, or know why mine is not working?

You'd have to ask the author of the schema, most probably Adam Tauno Williams.

Nope, as specifically stated on the page from which he retrieved the schema, they are provided AS IS: "I don't endorse the suitability of any of these files for any purpose. If you are going to install schema in your DSA then you need to **understand** what you are doing." I am not the author of most of the schemas on that page; they are simply collected. If the schema file is wrong it may contain an author in the comments, or it misrepresents the RFC, or the RFC is not viable; not impossible for something used as rarely as LDAP+SLP.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: could not parse entry
On Tue, 2007-06-26 at 13:07 +0200, Daniel Guerrero wrote:

Dear list participants, I'm using OpenLDAP Software version 2.2.26. When I attempt to load an entry, slapadd errors with the message "slapadd: could not parse entry (line=11)". The input file is only 10 lines long. What does this message indicate? How do I obtain more detailed error information from slapadd(8)?

Try putting a blank line at the end of the file.
Re: multi-value attribute search result
However, when I search with cn=foo*, and an entry has multiple cn values, like cn=foo, cn=joe, cn=foobar, cn=foobarX, cn=bob, cn=nofoobar - is it possible to have cn returned, but only those values which actually matched the filter?

Yes. Use the RFC 3876 control. E.g.

    $ ldapsearch -E 'mv=(cn=foo*)'

Very cool.
Re: dynamic schema for database sql
Can I add a new schema with database sql? I can see the cn=schema,cn=config entries when I do an ldapsearch. But when slapd starts, the warning states "No dynamic config support for sql" (does that mean I can't add new schemas?). If that's the case, what is the cn=schema,cn=config I see when I do an ldapsearch?

I think these are two separate issues. 1.) back-sql doesn't support dynamic config. 2.) Schema is global and has nothing to do with the backend you are using (more or less).

Please explain this to me. Is this because the oc/attr mapping is not in the database?

With back-sql the oc/attr mapping IS in the database. You can map any field to any attribute - whether or not that attribute is defined in schema [which is obviously required] is strictly a slapd configuration issue.
Re: regarding backsql performance
Why, when we use back-sql, does the search performance reduce?

Compared to back-bdb/back-hdb? Because SQL databases can't hold a candle to the performance you get via these backends. They are just faster.

Is it because all operations to the database go through the ODBC manager?

No. And the ODBC manager has little to no effect on performance. Your specific ODBC driver does, so it depends on the quality and version of your ODBC driver. And you should check that the queries back-sql is generating aren't just slow. Capture them and use EXPLAIN (or your database's equivalent) to analyze performance [as with any database application that seems too slow].

Can I get some more details regarding the above?
Re: Mapping multiple object classes to one SQL table
I'm trying to create SQL data and metadata that manages employees that have inetOrgPerson, shadowAccount, posixAccount and sambaSamAccount. I have an LDAP_PERSON table with the columns for the attributes on those object classes. How do I populate the ldap_oc_mapping table?

This is entirely dependent on your data and database-of-choice. Views tend to be very useful for this; check out http://docs.opengroupware.org/Members/whitemice/OGo-Back-SQL/ogo-back-sql-create.sql for an example of how to use fancy SQL to automatically map a complex schema.

--
Adam Tauno Williams, Network Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
Re: server startup overhead
I continue to have trouble with getting a freshly started server to be responsive. One problem in particular is one that I thought had been resolved some time ago but is apparently biting me right now... With the hdb backend (at least in OL 2.3.34 and OL 2.3.35) if you perform a search with a search base deeper than the root suffix, the search takes a very long time to complete if the cache hasn't been established. In my case the difference is less than a second versus several hours. I'm not sure yet which bit of cache needs to be primed. I can switch back and forth searching with the same filter in the root and then a child search base with the same results.

Have you set DB_CONFIG to reflect reasonable settings given the size of your database?

Is this a bug recursion or something that I just hadn't been noticing? What would be the best search to perform to prepare whatever cache is getting hit to make searches outside of the root DN faster?
Re: Ldap 2 ldap
How can I configure an LDAP server to ask another LDAP server for information?

back-ldap, back-meta, glue:

    man slapd-ldap
    man slapd-meta
Re: LDAP authenticaton against PAM how-to
But we know there are problems with this approach. First, using the Google hunt-and-peck method does very little to give one a coherent picture of the workings of OpenLDAP. Second, we all know that there is an abundance of BAD information about OpenLDAP out there (owing, in part, to the fact that the vast majority of OpenLDAP installations are still on version 2.2, thanks to the reluctance of several mainstream Linux distributions). Emmanuel's point is worth noting: it is very difficult to learn the OpenLDAP jargon, and the official documentation (the admin guide plus the FAQ, plus the man pages) quite simply doesn't cut it. They are steeped through and through with LDAP technical jargon (often used inconsistently, like slave, shadow, replica, and subordinate all referring to the server receiving replication by SLURPD or SyncRepl).

Sorry, but this is rubbish. Is the Samba documentation expected to explain how Windows works or serve as an introduction to SMB/CIFS networking? Half the terms above are generic LDAP terms; if someone wants to use LDAP then start with reading up on *LDAP*. Seems reasonable to become familiar with a technology before moving on to a specific implementation. If you think this applies only to OpenLDAP, pop over to the Samba, Sendmail, Cyrus, etc... lists for people asking questions that are really about CIFS, SMTP, IMAP, etc...

My opinion may be in the minority here, but I don't think that a prerequisite to running OpenLDAP ought to be the thorough and careful reading of the whole bundle of LDAP RFCs.

It isn't. There is *LOTS* and *LOTS* and *LOTS* of well cooked LDAP documentation - see Amazon. http://www.amazon.com/gp/reader/0672323168/ref=sib_dp_pt/105-2231389-9349228#reader-link Asking the OpenLDAP project to re-document LDAP is unreasonable. Or SASL for that matter. Now, I'll agree 100% that SASL documentation is seriously wanting, but that doesn't have much to do with OpenLDAP. I've been using OpenLDAP + SASL and SASL with other services for years and I still find SASL frustrating.

Besides, Emmanuel did his best in attempting to actually remedy the situation by providing some information in an organized form. He didn't get it all right, but instead of getting helpful feedback, he is getting flamed! Most of his questions go unanswered, though he's getting RTFM comments and the like. Starting with the first response, little positive information was given (aside from "that's deprecated").

"deprecated" seems pretty clear to me - don't use it.
Re: using jpegPhoto
I came across the "Database Creation and Maintenance Tools" page at http://www.openldap.org/doc/admin23/dbtools.html which outlined 2 methods of storing jpegPhoto (towards the end of the documentation). One using base64 encoding:

    jpegPhoto:: /9j/4AAQSkZJRgABAQABAAD/2wBDABALD
     A4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQ
     ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG

and the other using a location indicated by URL:

    jpegPhoto:< file:///path/to/file.jpeg

Which is the recommended method? Please advise.

I don't understand, they are exactly equivalent; watch it with ethereal. Use whichever is more convenient for your application.
Re: LOG files
Hi! The log files in $LDAPDIRECTORY/var/openldap-data/log.*, such as log.000146, are very files. My directory openldap-data is 10 GB in size because every log.* file is 11M and there are 780 files.

http://www.openldap.org/faq/index.cgi?_highlightWords=logfile=738
http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/archival.html
http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/logfile.html

Note that most of the Berkeley-related links in the FAQ-O-Matic are broken since Oracle redesigned the database. The Berkeley DB reference guide is now rooted at http://www.oracle.com/technology/documentation/berkeley-db/db/ref/toc.html
Re: new user authentication
logged in as for the user to authenticate to ldap with (which isn't right since I'm specifying the same user mentioned above along with the password) and doing that I get an error 80 "user not found: no secret in database". The command line I use for that is:

    ldapsearch -b dc=mydomain,dc=com -D 'cn=user3,dc=mydomain,dc=com' -w abcdef 'objectclass=*' 1.1

If you are not using a SASL bind (the default), you must specify -x. From man ldapsearch: "-x Use simple authentication instead of SASL."

Do I need to do anything with slapd.conf? I'm not sure what else to try. Any pointers?
Re: the last version of Berkeley DB
Does the latest version of Berkeley DB work fine with OpenLDAP? Is it better to change to the latest version or continue to use the 4.2 version?

http://www.openldap.org/faq/data/cache/44.html

Are the parameter settings the same?
Re: concurrency problem
Hi, I'm using openldap-2.0.27 in a Redhat 9 box.

Dude! Using 2.0.27 in production is pure madness. Upgrade. This is like running Samba 1.9 or a 2.0 kernel and complaining that performance is bad.

I have installed qmail-ldap, and in the hours of high traffic it can't get a connection to the ldap server. I wrote to the qmail-ldap list, and they told me that it was a concurrency problem, so I raised the concurrency and the threads to 500, but I still have the same error.

You are never going to get 500 concurrent threads; setting it that high won't accomplish anything.

    # rootdn can always write!
    disallow bind_anon
    #concurrency
    concurrency 500
    threads 500

These values are not realistic. Just making them higher will not help performance.

    database ldbm

Performance with ldbm is terrible; upgrade and use BDB or HDB. Seriously, 2.0.x is very very very old. Performance of late versions of 2.2.x is ORDERS OF MAGNITUDE higher. When we upgraded we didn't even need the benchmark to tell it was a heckuva-lot faster.

    # Replicas to which we should propagate changes
    #replica host=ldap-1.example.com:389 tls=yes
    # bindmethod=sasl saslmech=GSSAPI
    # authcId=host/[EMAIL PROTECTED]

And you're sure that DNS performance and related factors are good and stable?
Re: problems on ldap:add: Invalid syntax (21)
I'm trying to add user.ldif and I keep getting this error:

    adding new entry uid=jrojas,ou=argentina,dc=example,dc=com
    ldap_add: Invalid syntax (21)
            additional info: objectclass: value #2 invalid per syntax

I don't think your DSA knows what posixAccount is. Make sure the schema file is included.

This is the user.ldif content:

    dn: uid=jrojas,ou=argentina,dc=example,dc=com
    uid: jrojas
    cn: Javier

CN is generally used as the full name (first + last); use givenName for just the first name.

    sn: Rojas
    objectclass: top
    objectclass: person
    objectclass: posixaccount
    loginshell: /bin/bash
    uidnumber: 99
    gidnumber: 99
    homedirectory: /home/jrojas
    userpassword: argentina
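The three diagnostics discussed in the posts above ("could not parse entry" on a file with no trailing newline, "objectclass: value #2 invalid per syntax" when the posixAccount schema is not loaded, and a country (c) value longer than two characters) can be reproduced offline with a small LDIF reader and schema check. This is an added example, not OpenLDAP code and not code from any poster; the object-class table is a hand-picked subset of the standard schema, and the sample LDIF is constructed from the user.ldif above.

```python
# Added example (not OpenLDAP code, not code from any poster): a small LDIF reader
# plus a schema check that reproduces the diagnostics discussed in the posts above.
import base64
import re

# Hand-picked schema subset (RFC 4519 / RFC 2307), object class -> required
# attributes. Assumed for the example; slapd gets this from its included schema.
OBJECT_CLASS_MUST = {
    "top": {"objectclass"},
    "person": {"sn", "cn"},
    "country": {"c"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
}


def parse_ldif(text):
    """Return [(dn, {lower-case attr: [values]})] for every record in the text.

    Handles comments, continuation lines (leading space), base64 values
    ("attr:: ...") and a last record with no trailing blank line or newline."""
    unfolded = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # fold onto the previous line
        else:
            unfolded.append(line)
    unfolded.append("")                     # sentinel: flushes the last record
    entries, dn, attrs = [], None, {}
    for lineno, line in enumerate(unfolded, 1):
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("line %d: expected 'attr: value', got %r" % (lineno, line))
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()         # attribute names are case-insensitive
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def check_entry(dn, attrs, schema=OBJECT_CLASS_MUST):
    """Return slapd-style problem strings for one parsed entry (empty if OK)."""
    problems = []
    classes = attrs.get("objectclass", [])
    if not classes:
        problems.append("%s: no objectClass attribute" % dn)
    required = set()
    for index, oc in enumerate(classes):
        if oc.lower() not in schema:
            # Same shape as slapd's message: #2 means the third objectClass line.
            problems.append("objectclass: value #%d invalid per syntax (%s not in "
                            "loaded schema)" % (index, oc))
        required |= schema.get(oc.lower(), set())
    for name in sorted(required - set(attrs)):
        problems.append("object class violation: missing required attribute " + name)
    for value in attrs.get("c", []):
        # countryString syntax: exactly two letters (ISO 3166 alpha-2).
        if not re.fullmatch(r"[A-Z]{2}", value):
            problems.append("c: value %r invalid per syntax (not a 2-letter code)" % value)
    return problems


# Constructed sample: a country entry with a 3-letter value, then the user.ldif
# from the post above, deliberately with no newline after its last line.
SAMPLE_LDIF = (
    "dn: c=ARG,dc=example,dc=com\nobjectclass: top\nobjectclass: country\nc: ARG\n\n"
    "dn: uid=jrojas,ou=argentina,dc=example,dc=com\n"
    "uid: jrojas\ncn: Javier\nsn: Rojas\n"
    "objectclass: top\nobjectclass: person\nobjectclass: posixaccount\n"
    "loginshell: /bin/bash\nuidnumber: 99\ngidnumber: 99\n"
    "homedirectory: /home/jrojas\nuserpassword: argentina"
)
```

Passing `check_entry` a schema table without the posixaccount entry reproduces the "value #2" message, since that is the index of the third objectclass line; with the full table the user entry is clean and only the country entry is rejected.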
Re: Server 2.3.4 back-sql (+ back.c dif) cannot modify database
No - insentry_stmt and similar are to customize __entry__ bookkeeping, not for data modification. What you need is the add_proc in ldap_attr_mappings for the inetOrgPerson objectClass. What RDBMS are you using, and where did you get the sample data from? Data for PostgreSQL is the most complete and actually passes all sql-test* in the test suite. Did you succeed with that?

No, I haven't tried using PostgreSQL. I'm bound to an existing MySQL server, so that's the sql-test* test suite I loaded, from the mysql dir. I will try the add_proc per your suggestion.

You have to have a very recent version of MySQL (>= 5.0) in order to have SPL support.

Incidentally, one could imagine all hierarchical data being stored in as little as one RDBMS table (or two/three for storing schema and OID mappings), since there is already a field for the member's parent. This also seems like a more simplified approach (vs the object-to-table model that the sample data seemed to create). Is there a way to achieve this currently?

Actually, it is much more complicated than that. http://www.openldap.org/faq/data/cache/378.html