Re: OpenLDAP keeps on dying sporadically
I'll deliver the gdb(1) results as soon as I'm able to compile with the relevant options. Meanwhile, here are some more debugging results about the breakdown of 'slapd -d -1 [...]'
# # [...]
553dfcc9 filter: ((associatedDomain= somedom.tld)(!(destinationIndicator=*)))
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x94b40f020 ptr=0x94b40f09a end=0x94b40f0ae len=20
: 00 12 04 10 61 73 73 6f 63 69 61 74 65 64 44 6f associatedDo
0010: 6d 61 69 6e main
553dfcc9 attrs:553dfcc9 associatedDomain553dfcc9
553dfcc9 conn=1007 op=331 SRCH base=ou=domains,ou=mail,dc=MyDomain,dc=Local scope=2 deref=0 filter=((associatedDomain=somedom.tld)(!(destinationIndicator=*)))
ber_get_next: tag 0x30 len 105 contents:
ber_dump: buf=0x943d502b0 ptr=0x943d502b0 end=0x943d50319 len=105
: 02 01 0c 63 64 04 28 6f 75 3d 61 63 63 6f 75 6e ...cd.(ou=accoun
0010: 74 73 2c 6f 75 3d 6d 61 69 6c 2c 64 63 3d 4e 65 ts,ou=mail,dc=Ne
0020: 74 4f 63 65 61 6e 2c 64 63 3d 4c 6f 63 61 6c 0a tOcean,dc=Local.
0030: 01 02 0a 01 00 02 01 00 02 01 0a 01 01 00 a3 1c
0040: 04 0b 6d 61 69 6c 41 64 64 72 65 73 73 04 0d 40 ..mailAddress..@
0050: 6e 65 74 6f 63 65 61 6e 2e 64 65 20 30 0b 04 09 somedom.tld 0...
0060: 6d 61 69 6c 41 6c 69 61 73 mailAlias
553dfcc9 conn=1007 op=331 SRCH attr=associatedDomain
553dfcc9 op tag 0x63, time 1430125769
ber_get_next
553dfcc9 == limits_get: conn=1007 op=331 self=[anonymous] this=ou=domains,ou=mail,dc=mydomain,dc=local
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
Segmentation fault
# # [...]
553dfd7c daemon: select: listen=6 active_threads=0 tvp=NULL
553dfd7c conn=1008 op=2 SRCH attr=associatedDomain
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
tls_read: want=5, got=5
553dfd7c == limits_get: conn=1008 op=2 self=[anonymous] this=ou=domains,ou=mail,dc=mydomain,dc=local
553dfd7c daemon: select: listen=7 active_threads=0 tvp=NULL
553dfd7c daemon: select: listen=8 active_threads=0 tvp=NULL
553dfd7c daemon: select: listen=9 active_threads=0 tvp=NULL
553dfd7c = mdb_equality_candidates (associatedDomain)
Segmentation fault
# # [...]
553dfdf3 = mdb_list_candidates 0xa1
553dfdf3 = mdb_filter_candidates
553dfdf3EQUALITY
553dfdf3 = mdb_equality_candidates (objectClass)
553dfdf3 = key_read
553dfdf3 mdb_idl_fetch_key: [b49d1940]
553dfdf3 = mdb_index_read: failed (-30798)
553dfdf3 = mdb_equality_candidates: id=0, first=0, last=0
553dfdf3 = mdb_filter_candidates: id=0 first=0 last=0
553dfdf3 = mdb_filter_candidates
553dfdf3EQUALITY
553dfdf3 conn=1002 op=1131 SRCH attr=associatedDomain
553dfdf3 = mdb_equality_candidates (mailAddress)
553dfdf3 = key_read
553dfdf3 mdb_idl_fetch_key: [a4af5673]
553dfdf3 == limits_get: conn=1002 op=1131 self=[anonymous] this=ou=domains,ou=mail,dc=mydomain,dc=local
553dfdf3 = mdb_index_read: failed (-30798)
553dfdf3 = mdb_equality_candidates: id=0, first=0, last=0
553dfdf3 = mdb_filter_candidates: id=0 first=0 last=0
553dfdf3 = mdb_list_candidates: id=0 first=0 last=0
553dfdf3 = mdb_filter_candidates: id=0 first=0 last=0
Segmentation fault

On 27.04.15 at 11:02, Leander Schäfer wrote:
> Hi Michael, Hi Ulrich,
> Thanks for your reply. I'm running version 2.4.40. As I said, I do not run the binary version. I always compile OpenLDAP from sources / latest ports tree. The maximum core file size ulimit -c was already set to unlimited.
> I'm using bash-4.3.30
> root@FreeBASD # ulimit -a
> socket buffer size (bytes, -b) unlimited
> core file size (blocks, -c) unlimited
> data seg size (kbytes, -d) 33554432
> file size (blocks, -f) unlimited
> max locked memory (kbytes, -l) 131072
> max memory size (kbytes, -m) 3012064
> open files (-n) 87651
> pipe size (512 bytes, -p) 1
> stack size (kbytes, -s) 8192
> cpu time (seconds, -t) unlimited
> max user processes (-u) 7592
> virtual memory (kbytes, -v) unlimited
> swap size (kbytes, -w) unlimited
> root@FreeBSD # /usr/local/libexec/slapd -d -1 -f /usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///
> # === #
> [...] I have removed the previous lines for this demo [...]
> 553ded5a mailUidNumber
> 0040: 2e e8 e7 5a 9a fe a0 8c 02 96 e9 58 48 e0 49 10 ...Z...XH.I.
> 0050: cd 10 08 6c 20 1f 9d bc ae dd 9a 4a 79 7e f2 3c ...l ..Jy~.
> 0060: 25 a2 72 fe ac cc d0 09 eb 62 d2 bd 95 c8 50 7f %.r..bP.
> 0020: b0 86 e3 1d 11 32 2d 8b fd 57 a6 a4 ce a2 ee 2f
Re: modifying cn=config with ldapmodify
Hi,
On 25/04/2015 15:10, Robert Munn wrote:
> I have been trying to replace the SSL cert settings on my OpenLDAP instance running on Ubuntu using ldapmodify. I followed directions on the Ubuntu wiki: https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls using a modified ldif file for the replace:
> dn: cn=config
> changetype: modify
> replace: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
> -
> replace: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
> -
> replace: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
All right.
> When it didn't work on my existing instance I built a new instance in a new Ubuntu VM (14.04) and tried the original directions from Ubuntu. That did not work either.
Maybe you've missed some settings at build time like --with-tls.
> The ldapmodify command executes correctly but it seems that the change is not registered by the server. This is the case in both the new instance and the old instance of OpenLDAP.
No error message like Insufficient access (50)? And you should check the write (manage) rights to the cn=config database.
> I ended up replacing the values (or adding them in the new instance) in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the changes manually and restarting slapd works, but my understanding was that changes to cn=config should be made through ldapmodify.
Bad practice, it's best to avoid.
> I also found a tech note at CentOS: https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Accessing_and_Modifying_Server_Configuration.html in section 2.2.2.2 that indicates changes to cn=config will be ignored: "If an attribute is added to cn=config, the server ignores it." So am I mistaken? Do I need to do something different? I would prefer to manage the config with ldapmodify, but since I don't change cn=config that often, I can change it manually.
> Robert
Cheers,
--
Abdelhamid MEDDEB
http://www.meddeb.net
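The same change done and checked from a script, as an added example that is neither Robert's nor Abdelhamid's code and not part of the Ubuntu guide. It builds the modify LDIF, shows the invocation that works on a stock Ubuntu cn=config (SASL EXTERNAL over the ldapi socket, where the default olcAccess rule grants the root user manage rights), and verifies the result by parsing an ldapsearch response with proper LDIF unfolding and base64 handling rather than a grep for the path. The socket URI and certificate paths are the guide's and are assumptions here. The CentOS document quoted in the question describes CentOS/Red Hat Directory Server, whose cn=config is a different mechanism from OpenLDAP's slapd-config(5), so it does not apply to slapd.

```python
import base64
import subprocess

# Assumed: ldapi socket URI as on Ubuntu and the cert paths from the guide.
LDAPI_URI = "ldapi:///"
TLS_ATTRS = {
    "olcTLSCACertificateFile": "/etc/ssl/certs/cacert.pem",
    "olcTLSCertificateFile": "/etc/ssl/certs/ldap01_slapd_cert.pem",
    "olcTLSCertificateKeyFile": "/etc/ssl/private/ldap01_slapd_key.pem",
}
# root over ldapi authenticates with SASL EXTERNAL; Ubuntu's default olcAccess
# on cn=config maps that to manage rights, so no config password is involved.
AUTH = ["-Y", "EXTERNAL", "-H", LDAPI_URI, "-Q"]


def tls_modify_ldif(attrs):
    """One modify operation replacing all TLS attributes at once. Keeping cert
    and key in the same operation matters: slapd reloads its TLS context with
    the new values when the operation completes, and a cert that does not match
    the still-configured key would be rejected if the two were sent separately."""
    body = "\n-\n".join(f"replace: {a}\n{a}: {v}" for a, v in attrs.items())
    return f"dn: cn=config\nchangetype: modify\n{body}\n"


def parse_ldif_entry(text):
    """Parse one LDIF entry as ldapsearch prints it: unfold continuation lines
    (leading space), decode '::' base64 values, skip comments.
    Returns {attribute: [values]}."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def tls_settings_match(ldif_text, expected):
    """Names of expected attributes that are missing or differ in the response."""
    entry = parse_ldif_entry(ldif_text)
    return [a for a, v in expected.items() if entry.get(a) != [v]]


def apply_and_verify(attrs=TLS_ATTRS):
    """Run ldapmodify, read cn=config back, return the list of mismatches
    (empty means the change took). Needs root on the slapd host."""
    subprocess.run(["ldapmodify"] + AUTH, input=tls_modify_ldif(attrs),
                   text=True, check=True)
    out = subprocess.run(
        ["ldapsearch"] + AUTH + ["-LLL", "-b", "cn=config", "-s", "base"] + list(attrs),
        capture_output=True, text=True, check=True).stdout
    return tls_settings_match(out, attrs)


# Constructed response, not captured from a server: it deliberately uses both
# LDIF encodings (a base64 value and a folded line) that a literal grep misses;
# a real ldapsearch folds only lines longer than 76 columns.
SAMPLE_RESPONSE = (
    "dn: cn=config\n"
    "olcTLSCACertificateFile:: "
    + base64.b64encode(b"/etc/ssl/certs/cacert.pem").decode() + "\n"
    "olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem\n"
    "olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_ke\n"
    " y.pem\n"
)

if __name__ == "__main__":
    print(tls_modify_ldif(TLS_ATTRS))
    print("mismatched:", tls_settings_match(SAMPLE_RESPONSE, TLS_ATTRS))
```

If ldapmodify returns "Insufficient access (50)" the olcAccess on the config database does not grant the bound identity write rights; if it returns "Other (80)" with a TLS text, the files are unreadable by the slapd user or the cert and key do not match.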
Antw: Re: OpenLDAP keeps on dying sporadically
Leander Schäfer i...@netocean.de wrote on 27.04.2015 at 11:02 in message 553dfb24.5050...@netocean.de:
[...]
> I'm currently trying to figure out a way to add -O0 -g gdb(1) support for the slapd(8C) command, since I'm compiling OpenLDAP sources from the ports tree. I'll post it as soon as I've got it. But maybe you can already assume some pre-diagnosis from the above output?
No, but you should have a core file after a segmentation fault. What about something like gdb /your_slapd /your/core and bt and info threads? Probably not very useful unless you have debugging symbols in the binary.
Regards,
Ulrich
Re: OpenLDAP keeps on dying sporadically
Here is another (3rd) output of 'slapd -d -1 [...]' debugging. It looks a little different from the previous two.
# # [...]
553dfbce = acl_get: [1] attr entry
ldap_write: want=14, written=14
553dfbce = acl_mask: access to entry ou=domains,ou=mail,dc=mydomain,dc=local, attr entry requested
553dfbce daemon: activity on 2 descriptors
553dfbce daemon: waked
553dfbce connection_get(25): got connid=1011
0040: 3f 8e 7f 94 2d 99 3e 60 41 93 73 b3 0e de d3 96 ?...-.`A.s.
0050: 3f 93 74 5c 06 a4 c3 18 21 ec dd bd 87 5e 84 ed ?.t\!^..
0560: 4c 6f 63 61 6c 87 04 c0 a8 32 65 87 04 7f 00 00 Local2e.
0060: a3 a1 03 5a cb 52 1c 75 db e9 bb ab 0d 5e 2d 97 ...Z.R.u.^-.
0070: 93 0e 73 71 62 20 93 ef 76 f0 b8 6e 44 73 1d f4 ..sqb ..v..nDs..
553dfbce == limits_get: conn=1006 op=2 self=[anonymous] this=ou=accounts,ou=mail,dc=mydomain,dc=local
0080: c3 49 7f 6e 49 bd e4 e0 7d 70 8b 12 46 39 f1 2b .I.nI...}p..F9.+
: 30 0c 02 01 03 65 07 0a 01 00 04 00 04 00 0e
ber_dump: buf=0x945c75180 ptr=0x945c75183 end=0x945c751f6 len=115
Segmentation fault
# #
Re: Ldap challenge
Andrew Findlay wrote:
> On Mon, Apr 27, 2015 at 06:27:39PM +, Ross, Daniel B. wrote:
>> ismemberof does not exist; we have to use memberof
> Memberof is fairly common. I don't think I have ever found a system that used 'ismemberof'.
'isMemberOf' is used on Sun/Oracle DSEE, Netscape/Fedora/389-DS and OpenDS/OpenDJ. 'memberOf' was originally defined in MS Active Directory and is used as the default in slapo-memberof. It's configurable though.
Ciao, Michael.
Re: OpenLDAP keeps on dying sporadically
Ok, here is the first result running the debugging mode with gdb(1)
Procedure overview:
(gdb) run
(gdb) bt full
(gdb) thread apply all bt
(gdb) generate-core-file
This came up:
candidates = Error accessing memory address 0x7eafb6f0: Bad address.
# == #
root@FreeBSD [~]$ gdb --args /usr/local/libexec/slapd -d -1 -f /usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions. There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd...
(gdb) run
Starting program: /usr/local/libexec/slapd -d -1 -f /usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/\ ldap:///\ ldaps:///
[New LWP 101138]
[New Thread 802806400 (LWP 101138/slapd)]
[...]
553e8a87 conn=1006 op=2 SRCH attr=mailAlias
553e8a87 send_ldap_result: err=0 matched= text=
0010: 51 bd aa 7d 3f 1c 50 fb 25 f8 59 9e 9d 9a ba 0f Q..}?.P.%.Y.
0020: d0 07 aa 95 ac 1c e7 3e 81 f6 e6 0b 6d 09 94 9b ...m...
0730: 1b 51 e3 08 4b 38 ec f1 ee 8c 0f 35 cd 55 eb 80 .Q..K8.5.U..
553e8a87 == limits_get: conn=1006 op=2 self=[anonymous] this=ou=accounts,ou=mail,dc=mydomain,dc=local
0740: 83 e2 3b b5 13 fd 08 51 13 25 d9 7d 57 9f 6b e9 ..;Q.%.}W.k.
[New Thread 943c11800 (LWP 100198/slapd)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 943c11800 (LWP 100198/slapd)]
mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
404 search.c: No such file or directory.
in search.c
Current language: auto; currently minimal
(gdb) bt full
#0 mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
mdb = (struct mdb_info *) 0x80290a000
id = 0
cursor = 0
nsubs = 128
ncand = 0
cscope = 0
lastid = 18446744073709551615
candidates = Error accessing memory address 0x7eafb6f0: Bad address.
(gdb) thread apply all bt
[New Thread 943c15000 (LWP 101255/slapd)]
[New Thread 943c14c00 (LWP 101213/slapd)]
[New Thread 943c14800 (LWP 101202/slapd)]
[New Thread 943c14400 (LWP 100898/slapd)]
[New Thread 943c14000 (LWP 100884/slapd)]
[New Thread 943c13c00 (LWP 100647/slapd)]
[New Thread 943c13800 (LWP 100619/slapd)]
[New Thread 943c13400 (LWP 100577/slapd)]
[New Thread 943c13000 (LWP 100531/slapd)]
[New Thread 943c12c00 (LWP 100515/slapd)]
[New Thread 943c12800 (LWP 100347/slapd)]
[New Thread 943c12400 (LWP 100311/slapd)]
[New Thread 943c12000 (LWP 100296/slapd)]
[New Thread 943c11c00 (LWP 100268/slapd)]
[New Thread 943c11400 (LWP 100165/slapd)]
[New Thread 802807800 (LWP 100103/slapd)]
Thread 19 (Thread 802807800 (LWP 100103/slapd)):
#0 0x000801aa78cc in __error () from /lib/libthr.so.3
#1 0x000801aa27f4 in pthread_mutex_destroy () from /lib/libthr.so.3
#2 0x000801dfc237 in flockfile () from /lib/libc.so.7
#3 0x000801dd7e64 in fputs () from /lib/libc.so.7
#4 0x000800bfd48f in lutil_debug () from /usr/local/lib/liblber-2.4.so.2
#5 0x0043b96f in slapd_daemon_task (ptr=0x8028afb08) at daemon.c:2530
#6 0x000801a9c4f5 in pthread_create () from /lib/libthr.so.3
#7 0x in ?? ()
Thread 18 (Thread 943c11400 (LWP 100165/slapd)):
#0 0x000801aa78cc in __error () from /lib/libthr.so.3
#1 0x000801aa27f4 in pthread_mutex_destroy () from /lib/libthr.so.3
#2 0x000801dfc237 in flockfile () from /lib/libc.so.7
#3 0x000801dd7e64 in fputs () from /lib/libc.so.7
#4 0x000800bfcc66 in ber_error_print () from /usr/local/lib/liblber-2.4.so.2
#5 0x000800bfd002 in ber_bprint () from /usr/local/lib/liblber-2.4.so.2
#6 0x000800bfcf4a in ber_log_bprint () from /usr/local/lib/liblber-2.4.so.2
#7 0x000800c0017e in ber_int_sb_write () from /usr/local/lib/liblber-2.4.so.2
#8 0x0008009e1905 in ldap_start_tls_s () from /usr/local/lib/libldap_r-2.4.so.2
#9 0x000801807e84 in BIO_read () from /lib/libcrypto.so.7
#10 0x00080146ce97 in ssl3_read_n () from /usr/lib/libssl.so.7
#11 0x00080146db61 in ssl3_read_bytes () from /usr/lib/libssl.so.7
#12 0x000801470aa0 in ssl3_read () from /usr/lib/libssl.so.7
#13 0x0008009e16b8 in ldap_start_tls_s () from /usr/local/lib/libldap_r-2.4.so.2
#14 0x000800c00126 in ber_int_sb_write () from /usr/local/lib/liblber-2.4.so.2
#15 0x000800bff0f2 in ber_int_sb_read () from /usr/local/lib/liblber-2.4.so.2
#16 0x000800bfc720 in ber_get_next () from /usr/local/lib/liblber-2.4.so.2
#17 0x00444cf5 in connection_input (conn=0x8034099c0, cri=0x7f3fcc18) at connection.c:1572
#18 0x00444ac5 in connection_read
Re: OpenLDAP keeps on dying sporadically
Hi Michael, Hi Ulrich,
Thanks for your reply. I'm running version 2.4.40. As I said, I do not run the binary version. I always compile OpenLDAP from sources / latest ports tree. The maximum core file size ulimit -c was already set to unlimited.
I'm using bash-4.3.30
root@FreeBASD # ulimit -a
socket buffer size (bytes, -b) unlimited
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) 33554432
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) 131072
max memory size (kbytes, -m) 3012064
open files (-n) 87651
pipe size (512 bytes, -p) 1
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 7592
virtual memory (kbytes, -v) unlimited
swap size (kbytes, -w) unlimited
root@FreeBSD # /usr/local/libexec/slapd -d -1 -f /usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///
# === #
[...] I have removed the previous lines for this demo [...]
553ded5a mailUidNumber
0040: 2e e8 e7 5a 9a fe a0 8c 02 96 e9 58 48 e0 49 10 ...Z...XH.I.
0050: cd 10 08 6c 20 1f 9d bc ae dd 9a 4a 79 7e f2 3c ...l ..Jy~.
0060: 25 a2 72 fe ac cc d0 09 eb 62 d2 bd 95 c8 50 7f %.r..bP.
0020: b0 86 e3 1d 11 32 2d 8b fd 57 a6 a4 ce a2 ee 2f .2-..W./
0030: 52 59 da 4d 7b d1 5c 0c 22 34 29 86 c2 9c 80 72 RY.M{.\.4)r
0040: ca 94 4d 69 2e ..Mi.
0010: 73 2c 6f 75 3d 6d 61 69 6c 2c 64 63 3d 4e 65 74 s,ou=mail,dc=MyD
0020: 4f 63 65 61 6e 2c 64 63 3d 4c 6f 63 61 6c 0a 01 omain,dc=Local..
0090: 8e 5f 68 e0 0a 31 26 07 da 21 c6 cd 27 0e 17 2b ._h..1..!..'..+
00a0: fb 53 5e 0a 84 74 50 b8 74 13 a5 fa e2 02 9a ee .S^..tP.t...
00b0: 5e ee 8e 6c b2 d3 b6 6e 82 6d 01 ab eb 81 25 bd ^..l...n.m%.
00c0: f1 05 16 5b 7f 9e bb 76 7c ae ba a2 24 73 89 78 ...[...v|...$s.x
0070: ca 00 ec a3 7b 97 78 19 fe aa 56 fc a1 a5 9a 1e {.x...V.
0080: 65 f0 04 b7 04 08 af 7a 82 ef 77 e..z..w
553ded5a mailGidNumber
ldap_read: want=8, got=8
553ded5a mailQuotaStorage
: 30 71 02 01 0b 63 6c 040q...cl.
ldap_read: want=107, got=107
00d0: 6c ae 39 eb 15 85 4a f9 c1 6f 65 ca 4f c6 db 14 l.9...J..oe.O...
ldap_write: want=14, written=14
00e0: c1 f4 fe b8 b5 a4 a3 75 96 b1 9b 9b 8f d5 d6 e5 ...u
00f0: 8d 3c 75 4c 50 cc 9d 85 cf bb a1 d8 50 21 93 fa .uLP...P!..
0100: 38 ee 89 46 45 4e 06 17 7a 8c 4b 83 51 95 a9 ca 8..FEN..z.K.Q...
0110: 71 8c d0 b9 59 1a 14 f4 10 8d b9 bc 80 d5 cb e9 q...Y...
0120: 46 03 a2 ce 59 49 0b db fc ea a3 3b fa cd a1 99 F...YI.;
0030: 02 0a 01 00 02 01 00 02 01 78 01 01 00 a0 5a a3 .xZ.
0040: 1a 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 0b ...objectClass..
0130: 14 90 d6 0a 55 da 84 b1 42 fe af 8d 14 92 ce 27 U...B..'
0050: 6d 61 69 6c 41 63 63 6f 75 6e 74 a3 1b 04 11 6d mailAccountm
0060: 61 69 6c 41 63 63 6f 75 6e 74 53 74 61 74 75 73 ailAccountStatus
: 30 0c 02 01 06 65 07 0a 01 00 04 00 04 00 0e
0070: 04 06 61 63 74 69 76 65 a3 1f 04 0b 6d 61 69 6c ..activemail
0080: 41 64 64 72 65 73 73 04 10 69 6e 66 6f 40 6e 65 Address..info@So
0090: 74 6f 63 65 61 6e 2e 64 65 30 6f 04 14 6d 61 69 meDom.tld0o..mai
00a0: 6c 53 74 6f 72 61 67 65 44 69 72 65 63 74 6f 72 lStorageDirector
553ded5a mailQuotaMessages553ded5a
00b0: 79 04 14 6d 61 69 6c 53 74 6f 72 61 67 65 44 69 y..mailStorageDi
553ded5a conn=1008 op=5 SRCH base=ou=accounts,ou=mail,dc=MyDomain,dc=Local scope=2 deref=0 filter=((objectClass=mailAccount)(mailAccountStatus=active)(mailAddress=i...@somedom.tld))
00c0: 72 65 63 74 6f 72 79 04 0d 6d 61 69 6c 55 69 64 rectory..mailUid
: 28 6f 75 3d 61 63 63 6f 75 6e 74 73 2c 6f 75 3d (ou=accounts,ou=
553ded5a conn=1008 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
00d0: 4e 75 6d 62 65 72 04 0d 6d 61 69 6c 47 69 64 4e Number..mailGidN
553ded5a conn=1008 op=5 SRCH attr=mailStorageDirectory mailStorageDirectory mailUidNumber mailGidNumber mailQuotaStorage mailQuotaMessages
ldap_read: want=8, got=8
: 30 82 01 0d 02 01 09 63 0..c
ldap_read: want=265, got=265
: 82 01 06 04 28 6f 75 3d 61 63 63 6f 75 6e 74 73 (ou=accounts
0010: 2c 6f 75 3d 6d 61 69 6c 2c 64 63 3d 4e 65 74 4f ,ou=mail,dc=MyDo
553ded5a == limits_get: conn=1008 op=5 self=uid=dovecot,ou=systemuser,ou=mail,dc=mydomain,dc=local this=ou=accounts,ou=mail,dc=mydomain,dc=local
00e0: 75 6d 62 65 72 04 10 6d 61 69 6c 51 75 6f 74 61 umber..mailQuota
Segmentation fault
# === #
... and a second time the same debugging (-d -1)
#
Re: Ldap challenge
Will any of this work with the secure 636 connection with TLS? That's what I have to connect using. It's not a port 389 connection. I saw this documentation before but couldn't find anything that said it works over 636.
For further consideration, I also don't have Kerberos, nor do I have the availability to install anything on a Windows system that is bound to the domain, as that is forbidden. They would have to control the system and would then not allow anything to be installed on it.
Daniel
Operating Systems Analyst/Development, Lead
Rollins School of Public Health at Emory University
404-727-9931
daniel.r...@emory.edu

From: Clément OUDOT clem.ou...@gmail.com
Sent: Friday, April 24, 2015 2:59 PM
To: Dan White
Cc: Ross, Daniel B.; openldap-technical@openldap.org
Subject: Re: Ldap challenge

2015-04-24 19:02 GMT+02:00 Dan White dwh...@cafedemocracy.org:
> On 04/22/15 20:08 +, Ross, Daniel B. wrote:
>> Ok, I have looked at a couple of options but I really don't know how to accomplish what I need to do. Here is what I am trying to do. I have a greater organization that is stuck on using Microsoft products, namely Microsoft LDS. To make matters worse, they present the data to my Linux servers in a completely non-standard way. It's driving my Solaris and Linux boxes nuts and they simply don't want to work with it. What I need to do is continue to use the campus usernames and passwords but present the data in a format that my Linux/Unix hosts can use. Is this possible? i.e. the userid would still be samwise but instead of a bizarre OU=monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=com. I looked at referral and aliasing but it does not seem to be doing what I am trying to do. Passthrough authentication looks close but I can't find sufficient documentation to actually configure a system to use it.
> See slapo-rwm(5).
> Pass-through is documented in section 14.5 of the Administrator's Guide: http://www.openldap.org/doc/admin24/
> Supporting Cyrus SASL documentation: http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/ and /saslauthd/LDAP_SASLAUTHD within the Cyrus SASL source.
> You'll find workable pass-through examples for authenticating to Exchange in this list's archives as well as the Cyrus SASL list archives. The 'ldap' and 'kerberos5' saslauthd backends should both be workable solutions.
Hi,
you can also find documentation on SASL delegation here: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Clément.
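A concrete shape for the slapo-rwm(5) route Dan White points at, as an added example that is not from any poster and not from the OpenLDAP documentation: a slapd.conf fragment in which slapd proxies the LDS server over ldaps:// on 636 (back-ldap accepts ldaps:// URIs directly; StartTLS is the separate "tls start" case and is not used here), forwards simple binds unchanged so users keep their campus passwords and the proxy stores none, and rewrites the DIT so OU=monkeypeople appears as ou=people. The hostname, suffixes and the attribute-name mapping are assumptions; the peer certificate check for the ldaps:// connection is assumed to come from the client-side TLS_CACERT/TLS_REQCERT settings in ldap.conf on the proxy host, which should be set to demand before this goes live.

```conf
# Added example, not from the thread: proxy database presenting an AD LDS
# tree under a clean suffix. All names below are assumptions.
database        ldap
suffix          "dc=example,dc=com"
# ldaps:// on 636; peer verification uses ldap.conf's TLS_CACERT/TLS_REQCERT
uri             "ldaps://lds.campus.example.edu:636/"
# do not follow referrals LDS may hand out for other partitions
chase-referrals no

# rewrite the virtual naming context (what the Linux hosts see) to the real
# one (what LDS stores); binds and searches are massaged in both directions
overlay         rwm
rwm-rewriteEngine on
rwm-suffixmassage "ou=people,dc=example,dc=com" "OU=monkeypeople,DC=example,DC=com"
# optional: present the LDS attribute under the name the clients expect
# (local name first, foreign name second); comment out if not needed
rwm-map attribute isMemberOf memberOf
```

A client then binds as uid=samwise,ou=people,dc=example,dc=com against the proxy; slapd rewrites the DN and performs the bind against LDS over the ldaps:// link, so a wrong password fails exactly as it would upstream.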
Re: OpenLDAP keeps on dying sporadically
Howard Chu wrote:
> Howard Chu wrote:
>> Assuming you compiled the latest snapshot, the SEGV at back-mdb/search.c:404 makes not much sense, it's a return statement. Also, as back-mdb didn't exist 5 years ago, this cannot be the same issue you've been running into all the time.
>> Perhaps you've hit a stack overrun. Generally slapd uses 8MB stacks on 64bit machines. It seems from your ulimit output that 8MB should be fine, so that also seems unlikely.
> Ah, yes, this is a known issue with FreeBSD.
> http://www.openldap.org/lists/openldap-bugs/200506/msg00174.html
Furthermore, in the intervening 10 years, the FreeBSD developers have not yet fixed this issue.
http://lists.freebsd.org/pipermail/freebsd-current/2014-August/051646.html
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: OpenLDAP keeps on dying sporadically
Leander Schäfer wrote:
> Ok, here is the first result running the debugging mode with gdb(1)
> Procedure overview:
> (gdb) run
> (gdb) bt full
> (gdb) thread apply all bt
> (gdb) generate-core-file
No need for a core file if you're just running slapd inside gdb.
> This came up:
> candidates = Error accessing memory address 0x7eafb6f0: Bad address.
> # == #
> root@FreeBSD [~]$ gdb --args /usr/local/libexec/slapd -d -1 -f /usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions. There is absolutely no warranty for GDB. Type show warranty for details.
> This GDB was configured as amd64-marcel-freebsd...
> (gdb) run
> Starting program: /usr/local/libexec/slapd -d -1 -f /usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h ldapi://%2fvar%2frun%2fopenldap%2fldapi/\ ldap:///\ ldaps:///
> [New LWP 101138]
> [New Thread 802806400 (LWP 101138/slapd)]
> [...]
> 553e8a87 conn=1006 op=2 SRCH attr=mailAlias
> 553e8a87 send_ldap_result: err=0 matched= text=
> 0010: 51 bd aa 7d 3f 1c 50 fb 25 f8 59 9e 9d 9a ba 0f Q..}?.P.%.Y.
> 0020: d0 07 aa 95 ac 1c e7 3e 81 f6 e6 0b 6d 09 94 9b ...m...
> 0730: 1b 51 e3 08 4b 38 ec f1 ee 8c 0f 35 cd 55 eb 80 .Q..K8.5.U..
> 553e8a87 == limits_get: conn=1006 op=2 self=[anonymous] this=ou=accounts,ou=mail,dc=mydomain,dc=local
> 0740: 83 e2 3b b5 13 fd 08 51 13 25 d9 7d 57 9f 6b e9 ..;Q.%.}W.k.
> [New Thread 943c11800 (LWP 100198/slapd)]
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 943c11800 (LWP 100198/slapd)]
> mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
> 404 search.c: No such file or directory.
> in search.c
> Current language: auto; currently minimal
> (gdb) bt full
> #0 mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
> mdb = (struct mdb_info *) 0x80290a000
> id = 0
> cursor = 0
> nsubs = 128
> ncand = 0
> cscope = 0
> lastid = 18446744073709551615
> candidates = Error accessing memory address 0x7eafb6f0: Bad address.
> (gdb) thread apply all bt
> [New Thread 943c15000 (LWP 101255/slapd)]
> [New Thread 943c14c00 (LWP 101213/slapd)]
> [New Thread 943c14800 (LWP 101202/slapd)]
> [New Thread 943c14400 (LWP 100898/slapd)]
> [New Thread 943c14000 (LWP 100884/slapd)]
> [New Thread 943c13c00 (LWP 100647/slapd)]
> [New Thread 943c13800 (LWP 100619/slapd)]
> [New Thread 943c13400 (LWP 100577/slapd)]
> [New Thread 943c13000 (LWP 100531/slapd)]
> [New Thread 943c12c00 (LWP 100515/slapd)]
> [New Thread 943c12800 (LWP 100347/slapd)]
> [New Thread 943c12400 (LWP 100311/slapd)]
> [New Thread 943c12000 (LWP 100296/slapd)]
> [New Thread 943c11c00 (LWP 100268/slapd)]
> [New Thread 943c11400 (LWP 100165/slapd)]
> [New Thread 802807800 (LWP 100103/slapd)]
> Thread 19 (Thread 802807800 (LWP 100103/slapd)):
> #0 0x000801aa78cc in __error () from /lib/libthr.so.3
> #1 0x000801aa27f4 in pthread_mutex_destroy () from /lib/libthr.so.3
> #2 0x000801dfc237 in flockfile () from /lib/libc.so.7
> #3 0x000801dd7e64 in fputs () from /lib/libc.so.7
> #4 0x000800bfd48f in lutil_debug () from /usr/local/lib/liblber-2.4.so.2
> #5 0x0043b96f in slapd_daemon_task (ptr=0x8028afb08) at daemon.c:2530
> #6 0x000801a9c4f5 in pthread_create () from /lib/libthr.so.3
> Seems like something went wrong here. Am I using gdb wrong?
Looks like your liblber was installed without debug symbols. Most of these stack traces look invalid.
> On 27.04.15 at 19:04, Michael Ströder wrote:
>> Leander Schäfer wrote:
>>> Can you please provide me a link, cause I wasn't able to find current RE24 on the official website nor on the FTP mirror.
>> Use git or this link to check out a snapshot of the RE24 branch:
>> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz
Assuming you compiled the latest snapshot, the SEGV at back-mdb/search.c:404 makes not much sense, it's a return statement. Also, as back-mdb didn't exist 5 years ago, this cannot be the same issue you've been running into all the time.
Perhaps you've hit a stack overrun. Generally slapd uses 8MB stacks on 64bit machines. It seems from your ulimit output that 8MB should be fine, so that also seems unlikely.
What was the full LDAP search request that was running at the moment of the crash? Mainly interested in seeing the search filter, and how complex it was, as well as the depth of the DIT.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: OpenLDAP keeps on dying sporadically
Howard Chu wrote:
> Assuming you compiled the latest snap-shot, the SEGV at back-mdb/search.c:404 makes not much sense, it's a return statement. Also, as back-mdb didn't exist 5 years ago, this cannot be the same issue you've been running into all the time.
> Perhaps you've hit a stack overrun. Generally slapd uses 8MB stacks on 64bit machines. It seems from your ulimit output that 8MB should be fine, so that also seems unlikely.
Ah, yes, this is a known issue with FreeBSD.
http://www.openldap.org/lists/openldap-bugs/200506/msg00174.html
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
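The stack-overrun hypothesis can be checked on any box without reading slapd source. The "stack size (kbytes, -s) 8192" line from ulimit -a governs only the main thread; a worker thread's usable stack is whatever pthread_attr_setstacksize (or the threading library's default, which differs between glibc and FreeBSD's libthr) gave it, and the "candidates" array gdb could not read above is an automatic variable in mdb_search(), i.e. it lives in that thread's stack frame. The program below is an added example, not OpenLDAP code and not from any poster: it prints both numbers and runs a worker that touches every page of a large automatic array on a thread created with an explicit 8 MiB stack. The 1 MiB frame size is a constructed stand-in for back-mdb's on-stack ID lists.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Constructed size for the worker's automatic array; stands in for the large
   on-stack ID lists in mdb_search(). Not slapd's real figure. */
#define FRAME_BYTES (1u << 20)
#define PAGE 4096

/* Thread body: put FRAME_BYTES on its own stack and touch every page of it.
   If the thread's stack is smaller than that, this dies with SIGSEGV, the
   same failure the traces in this thread show, rather than returning. */
static void *worker(void *arg)
{
    volatile unsigned char frame[FRAME_BYTES];
    size_t pages = 0;
    for (size_t i = 0; i < sizeof frame; i += PAGE) {
        frame[i] = 0xA5;
        pages++;
    }
    *(size_t *)arg = pages;
    return NULL;
}

/* Stack size a new thread gets when its creator sets none (library default). */
size_t default_thread_stack_size(void)
{
    pthread_attr_t attr;
    size_t sz = 0;
    pthread_attr_init(&attr);
    pthread_attr_getstacksize(&attr, &sz);
    pthread_attr_destroy(&attr);
    return sz;
}

/* RLIMIT_STACK, the number 'ulimit -s' reports: it sizes only the main thread. */
unsigned long long main_thread_stack_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return 0;
    return (unsigned long long)rl.rlim_cur;
}

/* Run worker() on a thread with an explicit stack of stack_bytes (0 = default).
   Returns 0 when every page of the frame was touched, -1 on a pthread error. */
int run_with_stack(size_t stack_bytes)
{
    pthread_attr_t attr;
    pthread_t tid;
    size_t pages = 0;
    int rc = -1;

    pthread_attr_init(&attr);
    if (stack_bytes == 0 || pthread_attr_setstacksize(&attr, stack_bytes) == 0) {
        if (pthread_create(&tid, &attr, worker, &pages) == 0) {
            pthread_join(tid, NULL);
            rc = (pages == FRAME_BYTES / PAGE) ? 0 : -1;
        }
    }
    pthread_attr_destroy(&attr);
    return rc;
}

int main(void)
{
    printf("ulimit -s (main thread only): %llu bytes\n", main_thread_stack_limit());
    printf("default stack for a new thread: %zu bytes\n", default_thread_stack_size());
    /* 8 MiB is the figure Howard quotes for slapd's workers on 64-bit. Do not
       try a size below FRAME_BYTES here: it crashes instead of reporting. */
    printf("1 MiB frame on an 8 MiB thread stack: %s\n",
           run_with_stack(8u << 20) == 0 ? "ok" : "failed");
    return 0;
}
```

If the second line printed is well below what the worker's frames need, that is the condition to look for in the FreeBSD reports Howard links; a crash in a "return" line with an unreadable local is what an exhausted thread stack looks like in gdb.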
Re: All entries belong to the top object class?
On 04/21/15 15:36, Andrew Findlay wrote:
> On Mon, Apr 20, 2015 at 11:06:07AM +0530, dE wrote:
>> I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry?
> No. 'top' is defined in RFC4512:
> ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
> so every entry MUST contain an objectclass attribute. It does not say anything about any other attributes.
Yeah, so that's the question, can any attribute which is in the MAY of the top object class be added to any entry in the DIT regardless of what object class it belongs to?
Re: All entries belong to the top object class?
On 04/27/15 02:07, Dieter Klünter wrote:
> On Sun, 26 Apr 2015 21:05:44 +0530, dE de.tec...@gmail.com wrote:
>> On 04/26/15 17:13, Michael Ströder wrote:
>>> dE wrote:
>>>> Super this is the superclass chain -- A-B A is defined by MUST ObjectClass MAY ( cn abc xyz cxy ) B is defined by MUST ObjectClass MAY ( cn cxy ) Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.
>>> No! B would have MAY ( cn abc xyz cxy ).
>>> Example for A:
>>> objectclass ( some-oid-for-A NAME 'A' MAY ( cn $ abc $ xyz $ cxy ) )
>>> These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):
>>> objectclass ( some-oid-for-B NAME 'B' SUP A MAY ( cn $ cxy ) )
>>> objectclass ( some-oid-for-B NAME 'B' SUP A MAY ( cn $ abc $ xyz $ cxy ) )
>>> objectclass ( some-oid-for-B NAME 'B' SUP A )
>>> Ciao, Michael.
>> Ok. So the significance of subordinate classes is to add MUST attributes only. The possible attributes that any object can have is defined in the TOP object class; regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
> NO! The abstract objectClass 'top' only provides the attribute 'objectClass'. From schema_prep.c:
> ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass ),
> -Dieter
That's the MUST, I'm talking about the MAY.
LMDB:Transaction across multiple enviroments
Hi,
I am trying to use LMDB and I would like to know if there is a way to define a transaction across multiple environments?
Thanks,
Sabu Daniel
Re: All entries belong to the top object class?
On 04/26/15 23:37, Michael Ströder wrote:
> dE wrote:
>> On 04/26/15 17:13, Michael Ströder wrote:
>>> dE wrote:
>>>> Super this is the superclass chain -- A-B A is defined by MUST ObjectClass MAY ( cn abc xyz cxy ) B is defined by MUST ObjectClass MAY ( cn cxy ) Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot have attributes abc and xyz.
>>> No! B would have MAY ( cn abc xyz cxy ).
>>> Example for A:
>>> objectclass ( some-oid-for-A NAME 'A' MAY ( cn $ abc $ xyz $ cxy ) )
>>> These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):
>>> objectclass ( some-oid-for-B NAME 'B' SUP A MAY ( cn $ cxy ) )
>>> objectclass ( some-oid-for-B NAME 'B' SUP A MAY ( cn $ abc $ xyz $ cxy ) )
>>> objectclass ( some-oid-for-B NAME 'B' SUP A )
>> Ok. So the significance of subordinate classes is to add MUST attributes only.
> No! Which text in RFC 4512 says that?
It's implied from "When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added".
> Also I don't understand what the term "significance of subordinate classes" means to you in this context.
I mean object classes subordinate to the TOP object class.
>> The possible attributes that any object can have is defined in the TOP object class;
> No!
But that's what you said.
> These three variants have the same MAY attribute set ( cn $ abc $ xyz $ cxy ):
> objectclass ( some-oid-for-B NAME 'B' SUP A MAY ( cn $ cxy ) )
> objectclass ( some-oid-for-B NAME 'B' SUP A MAY ( cn $ abc $ xyz $ cxy ) )
> objectclass ( some-oid-for-B NAME 'B' SUP A )
So entries belonging to object class B can have all attributes of object class A; in a similar way the possible attributes that any object can have is defined by the TOP object class.
>> regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
> You should really read RFC 4512 more carefully and look at existing subschema. I give up now to explain.
That's the source of all confusion. There is no IETF mailing list to discuss these issues.
Re: All entries belong to the top object class?
On 04/27/15 01:13, Mattes wrote:
> On Sunday, 26 April 2015 20:07 CEST, Michael Ströder mich...@stroeder.com wrote:
>> Also I don't understand what the term "significance of subordinate classes" means to you in this context.
> Yes. Might it be possible that dE (mis)reads 'SUB' as 'subordinate' when it actually means 'subclass'? When talking about LDAP the term 'subordinate' does have a well defined meaning (that is irrelevant to this discussion).
Actually I meant subclass.
>>> The possible attributes that any object can have is defined in the TOP object class;
>> No!
>>> regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
> Hmm - but while this might be true it's a tautology. Given:
> objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
> What attributes of 'TOP' are you talking about? ;-)
All MAY attributes. Of course the MUST must be there, but from what I understand all MAY attributes in top can also be added regardless of what subclass the entry belongs to.
>> You should really read RFC 4512 more carefully and look at existing subschema. I give up now to explain.
> May I humbly suggest reading http://www.zytrax.com/books/ldap/ch3/
> Cheers, RalfD
What that book says is different from what the RFC says. Besides, I'm interested in reading the latest RFC.
Re: All entries belong to the top object class?
On 04/27/15 06:10, Quanah Gibson-Mount wrote:
> On Apr 26, 2015, at 12:45 PM, Mattes <r...@mh-freiburg.de> wrote:
>> On Sunday, 26 April 2015 20:07 CEST, Michael Ströder <mich...@stroeder.com> wrote:
>>> Also I don't understand what the term "significance of subordinate classes" means to you in this context.
>> Yes. Might it be possible that dE (mis)reads 'SUB' as 'subordinate' when it actually means 'subclass'? When talking about LDAP the term 'subordinate' does have a well defined meaning (that is irrelevant to this discussion).
>>>> The possible attributes that any object can have is defined in the TOP object class;
>>> No!
>>>> regardless of what object class the entry belongs to, any attribute listed in the TOP object class can be added to it.
>> Hmm - but while this might be true it's a tautology. Given:
>> objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
>> What attributes of 'TOP' are you talking about? ;-)
> objectClass, clearly.

No. Everything else.

>>> You should really read RFC 4512 more carefully and look at existing subschema.
>>> I give up now to explain.
>> May I humbly suggest reading http://www.zytrax.com/books/ldap/ch3/
> Zytrax should be avoided. Besides engaging in blatant illegal plagiarism, they often have completely erroneous information.
>
> --Quanah
Re: All entries belong to the top object class?
On 04/19/15 11:42, dE wrote:
> As per https://tools.ietf.org/html/rfc4512#section-3.3
> "When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as well if not already present."
> That means the top object class will always be there. Or is it that only the most subordinate object class in the multivalued attribute is considered by the client and server?

Ok. It appears that I've some other confusion. Starting a new discussion about that.
Re: separate loglevels for different databases?
Hello,

2015-04-17 17:18 GMT+02:00 Meike Stone <meike.st...@googlemail.com>:
> Dear list,
>
> I've configured two different databases (one ldap, one bdb) in openLDAP.
> Is it possible, to configure separate loglevels for each database?
> maybe at least different logfiles?

No one who can help ?

Thanks Meike
Re: Ldap challenge
On Wed, Apr 22, 2015 at 08:08:11PM +, Ross, Daniel B. wrote:
> What i need to do is continue to use the campus usernames and passwords but present the Data in a format that my linux/unix hosts can use. Is this possible?

Probably, but I don't think you have given us enough information so far.

> i.e. userid would still be samwise but instead of a bizarre OU=monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=com.

I assume the latter DN should be O=people,dc=example,dc=com

If this is your main problem then it may not need solving on the server side. There is no fixed rule about the structure of a base DN used for Linux and Unix LDAP authentication. You should be able to work with any DN structure, provided that you know where to base your searches and provided you can do one-level or subtree searches on the AD service to find what you need.

> I looked at referral and aliasing but it does not seem to be doing what I am trying to do. Passthrough authentication looks close but I can't find sufficient documentation to actually configure a system to use it.

Does the campus AD service contain everything that Linux/Unix would need? e.g. does it have:

Username (almost certain - called samAccountName in AD)
Unix numeric UID
Unix numeric GID
Unix homedir
Unix shell
Something to use for GECOS (optional)

It does not matter what those attributes are called in AD as you can set the clients to work with whatever you have, but they *do* have to be present. It used to be necessary to load a Microsoft package called SFU (Services For Unix) to support this, but I think more recent versions of AD already have schema for it by default.

If you don't have at least that set of attributes with sensible values to work with then you will have to maintain a parallel or overlay directory service. There are several ways to do that, so let's start by establishing what you have!

Andrew
--
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
---
Re: All entries belong to the top object class?
On Sat, Apr 25, 2015 at 05:58:43PM +0530, dE wrote:
> Does adding of the top object class (implicitly) make it possible to add all attributes in the DIT to the entry? I'm talking about attributes which are out of the 'MAY' in the most subordinate object class the entry belong to.

If you really want to permit *any* attribute to be added to an entry, then you can add the ExtensibleObject objectclass. In general this is a *bad* thing to do. See RFC4512 section 4.3 for the definition.

Andrew
--
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
---
Re: OpenLDAP keeps on dying sporadically
Leander Schäfer wrote:
> Can you please provide me a link, cause I wasn't able to find current RE24 on the official website nor on the FTP mirror.

Use git or this link to checkout snapshot of the RE24 branch:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz

Ciao, Michael.
Re: separate loglevels for different databases?
Meike Stone wrote:
> Hello,
>
> 2015-04-17 17:18 GMT+02:00 Meike Stone <meike.st...@googlemail.com>:
>> Dear list,
>>
>> I've configured two different databases (one ldap, one bdb) in openLDAP.
>> Is it possible, to configure separate loglevels for each database?
>> maybe at least different logfiles?
>
> No one who can help ?

Everything in slapd uses a single syslog facility, so no, there is no way to configure separate loglevels or route messages to separate logfiles.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: OpenLDAP keeps on dying sporadically
To be frank, I highly doubt it. Those problems have been there since I first used OpenLDAP five years ago. Neither do I use sync - so none except the collect fixes looks like it would apply in the first place. But I'll give it a quick shot. Can you please provide me a link, cause I wasn't able to find current RE24 on the official website nor on the FTP mirror.

Thanks

On 27.04.15 at 18:32, Quanah Gibson-Mount wrote:
> --On Monday, April 27, 2015 12:02 PM +0200 Leander Schäfer <i...@netocean.de> wrote:
>> Hi Michael, Hi Ulrich,
>>
>> Thanks for your reply. I'm running Version 2.4.40. As I said, I do not run binary version. I always compile OpenLDAP from sources / latest ports tree.
>
> Please compile and run current RE24 and see if you can reproduce. There are multiple segfault fixes present.
>
> OpenLDAP 2.4.41 Engineering
> Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
> Fixed slapd segfault when using matched values control (ITS#8046)
> Fixed slapo-collect segfault (ITS#7797)
> Fixed slapo-syncprov segfault on disconnect/abandon (ITS#5452,ITS#8012)
> Fixed slapo-syncprov segfault on disconnect/abandon (ITS#8043)
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> Zimbra :: the leader in open source messaging and collaboration
Re: separate loglevels for different databases?
On Mon, Apr 27, 2015 at 05:19:54PM +0200, Meike Stone wrote:
>> I've configured two different databases (one ldap, one bdb) in openLDAP.
>> Is it possible, to configure separate loglevels for each database?
>> maybe at least different logfiles?

loglevel / olcLogLevel is a global option, so no I'm afraid you cannot do this. If you really want different logging you will have to put each backend in a separate server instance and join them together with a third using back-ldap or back-meta.

Andrew
--
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
---
Re: OpenLDAP keeps on dying sporadically
--On Monday, April 27, 2015 12:02 PM +0200 Leander Schäfer <i...@netocean.de> wrote:
> Hi Michael, Hi Ulrich,
>
> Thanks for your reply. I'm running Version 2.4.40. As I said, I do not run binary version. I always compile OpenLDAP from sources / latest ports tree.

Please compile and run current RE24 and see if you can reproduce. There are multiple segfault fixes present.

OpenLDAP 2.4.41 Engineering
Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
Fixed slapd segfault when using matched values control (ITS#8046)
Fixed slapo-collect segfault (ITS#7797)
Fixed slapo-syncprov segfault on disconnect/abandon (ITS#5452,ITS#8012)
Fixed slapo-syncprov segfault on disconnect/abandon (ITS#8043)

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Antw: Re: All entries belong to the top object class?
--On Tuesday, April 28, 2015 10:58 AM +0530 dE <de.tec...@gmail.com> wrote:
> Yes, so subclasses do not define MAY; it's defined by the MAY of the top object class.

The top objectClass does not contain *any* MAY attributes. I wonder if you are confused in thinking of top as a generic term. It is not. top is a very specific objectClass that is explicitly defined as noted previously. It contains a single MUST attribute.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
top object class contains all possible attributes?
From https://tools.ietf.org/html/rfc4512 it can be said that

"an object class inherits the sets of *allowed* and required attributes from its superclasses"

Therefore the top object class contains all possible attributes?

OR

A subclass cannot contain any attribute which is not included in its superclass?

I'm running Apache directory studio, and I don't see that happening.
Re: Ldap challenge
I think you are getting to the root of the problem. So to give you some of the problems.

ismemberof does not exist we have to use memberof
nsUniqueId we have to use objectGUID
no uniqueMember again can only use memberof.
while there is a guarantee of person there is not the same for Posixaccount or shadowaccount.

While I have been able to get linux with SSSD to work, to some extent, with this it's rather hit and miss and the Solaris systems just won't work at all. This is why I was hoping to be able to use the campus for the username and password, and then provide the rest from a local ldap server. It doesn't sound like this is really possible.

saslauthd did not work at all with the MS LDS.

What is a parallel or overlay directory service?

Daniel

From: Andrew Findlay <andrew.find...@skills-1st.co.uk>
Sent: Monday, April 27, 2015 12:07 PM
To: Ross, Daniel B.
Cc: openldap-technical@openldap.org
Subject: Re: Ldap challenge

On Wed, Apr 22, 2015 at 08:08:11PM +, Ross, Daniel B. wrote:
> What i need to do is continue to use the campus usernames and passwords but present the Data in a format that my linux/unix hosts can use. Is this possible?

Probably, but I don't think you have given us enough information so far.

> i.e. userid would still be samwise but instead of a bizarre OU=monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=com.

I assume the latter DN should be O=people,dc=example,dc=com

If this is your main problem then it may not need solving on the server side. There is no fixed rule about the structure of a base DN used for Linux and Unix LDAP authentication. You should be able to work with any DN structure, provided that you know where to base your searches and provided you can do one-level or subtree searches on the AD service to find what you need.

> I looked at referral and aliasing but it does not seem to be doing what I am trying to do. Passthrough authentication looks close but I can't find sufficient documentation to actually configure a system to use it.

Does the campus AD service contain everything that Linux/Unix would need? e.g. does it have:

Username (almost certain - called samAccountName in AD)
Unix numeric UID
Unix numeric GID
Unix homedir
Unix shell
Something to use for GECOS (optional)

It does not matter what those attributes are called in AD as you can set the clients to work with whatever you have, but they *do* have to be present. It used to be necessary to load a Microsoft package called SFU (Services For Unix) to support this, but I think more recent versions of AD already have schema for it by default.

If you don't have at least that set of attributes with sensible values to work with then you will have to maintain a parallel or overlay directory service. There are several ways to do that, so let's start by establishing what you have!

Andrew
--
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
---
Re: All entries belong to the top object class?
--On Tuesday, April 28, 2015 10:56 AM +0530 dE <de.tec...@gmail.com> wrote:
>>> objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
>>> What attributes of 'TOP' are you talking about? ;-)
>> objectClass, clearly.
> No. Everything else.

You are clearly confused. There *is* no "everything else" for the top objectclass. It defines one and only one attribute that MUST be present.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: top object class contains all possible attributes?
On Tue, Apr 28, 2015, at 07:21 AM, dE wrote:
> From https://tools.ietf.org/html/rfc4512 it can be said that
> "an object class inherits the sets of *allowed* and required attributes from its superclasses"
> Therefore the top object class contains all possible attributes?
> OR

no

> A subclass cannot contain any attribute which is not included in its superclass?

no

A subclass contains definitions for all the MAY attributes that the superclass contains as MAY attributes, and all the MUST attributes that the superclass contains as MUST attributes.

therefore, an entry including our inheriting subclass:
MUST contain all the MUST attributes included in the superclass(es)
MUST contain all the MUST attributes included in our subclass
MAY contain all the MAY attributes included in the superclass(es)
MAY contain all the MAY attributes included in our subclass

as an example: given this objectClasses 'tree':

objectClasses: ( 0.0.0.0 NAME 'myparent' MUST cn MAY uid )
objectClasses: ( 0.0.0.1 NAME 'mysub' SUP myparent MUST mail MAY mobile )

an entry containing the sub objectClass mysub
MUST contain: cn (inherited from myparent), mail
MAY contain: uid (inherited from myparent), mobile

hope this helps

bye,
dario
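The inheritance rule dario spells out above, and Michael's A/B example earlier in the thread, can be checked mechanically. The following is an added example (not code from the thread or from OpenLDAP): a small parser for the subset of the RFC 4512 objectClass description syntax used in these messages (OID, NAME, SUP, kind, MUST, MAY), and a checker that applies section 3.3 (superclasses are implicitly added) to an entry. The subschema embedded in it is constructed from the thread's own definitions; the placeholder OIDs are the posters' own. One assumption is labelled in the code: a class that names no SUP (other than top itself) is treated as a direct subclass of top.

```python
"""Resolve an entry's effective MUST/MAY attribute sets through the SUP chain."""
import re

# Constructed subschema: 'top' as defined in RFC 4512, Michael's A/B pair
# (first of his three B variants) and dario's myparent/mysub pair.
SCHEMA_TEXT = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( some-oid-for-A NAME 'A' MAY ( cn $ abc $ xyz $ cxy ) )",
    "( some-oid-for-B NAME 'B' SUP A MAY ( cn $ cxy ) )",
    "( 0.0.0.0 NAME 'myparent' MUST cn MAY uid )",
    "( 0.0.0.1 NAME 'mysub' SUP myparent MUST mail MAY mobile )",
]

KEYWORDS = ("NAME", "DESC", "OBSOLETE", "SUP", "ABSTRACT", "STRUCTURAL",
            "AUXILIARY", "MUST", "MAY")
_NEXT_KEYWORD = r"(?=\s*\b(?:%s)\b|\s*$)" % "|".join(KEYWORDS)


def _field(inner, key):
    """Raw text after KEY up to the next keyword, or None if KEY is absent.
    Simplification: a DESC string containing a keyword word is not handled."""
    m = re.search(r"\b%s\b\s*(.*?)%s" % (key, _NEXT_KEYWORD), inner, re.S)
    return m.group(1) if m else None


def _kind(inner):
    for k in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
        if re.search(r"\b%s\b" % k, inner):
            return k
    return "STRUCTURAL"  # RFC 4512 4.1.1: kind defaults to STRUCTURAL


def _oidlist(raw):
    """'x' or '( x $ y )' -> ['x', 'y']; None -> []."""
    if not raw:
        return []
    return [t.strip() for t in raw.strip("() \t").split("$") if t.strip()]


def parse_objectclass(desc):
    """Parse one objectClass description '( oid NAME ... )' into a dict."""
    inner = desc.strip()[1:-1].strip()  # drop the outer parentheses
    return {
        "oid": inner.split(None, 1)[0],
        "names": re.findall(r"'([^']*)'", _field(inner, "NAME") or ""),
        "kind": _kind(inner),
        "sup": _oidlist(_field(inner, "SUP")),
        "must": _oidlist(_field(inner, "MUST")),
        "may": _oidlist(_field(inner, "MAY")),
    }


class Schema:
    def __init__(self, descriptions):
        self.classes = {}
        for desc in descriptions:
            oc = parse_objectclass(desc)
            for name in oc["names"]:
                self.classes[name.lower()] = oc

    def superclasses(self, name):
        """Direct and indirect superclasses of `name`, nearest first.
        Assumption: a class with no SUP, other than 'top', is treated as a
        direct subclass of 'top' (RFC 4512 2.4.1 derives all structural
        classes from 'top')."""
        order, stack = [], [name.lower()]
        while stack:
            cur = stack.pop()
            sups = self.classes[cur]["sup"] or ([] if cur == "top" else ["top"])
            for sup in sups:
                sup = sup.lower()
                if sup not in order:
                    order.append(sup)
                    stack.append(sup)
        return order

    def effective(self, objectclass_values):
        """Closure of the objectClass values with superclasses implicitly
        added (RFC 4512 3.3), and the resulting MUST and MAY sets."""
        closure = []
        for value in objectclass_values:
            for cls in [value.lower()] + self.superclasses(value):
                if cls not in closure:
                    closure.append(cls)
        must, may = set(), set()
        for cls in closure:
            must.update(a.lower() for a in self.classes[cls]["must"])
            may.update(a.lower() for a in self.classes[cls]["may"])
        return closure, must, may - must

    def check_entry(self, entry):
        """Return (missing MUST attributes, attributes no class permits)."""
        _, must, may = self.effective(entry.get("objectClass", []))
        present = {a.lower() for a in entry}
        return sorted(must - present), sorted(present - must - may)


if __name__ == "__main__":
    schema = Schema(SCHEMA_TEXT)
    print(schema.effective(["B"]))       # B inherits abc and xyz from A
    print(schema.check_entry({"objectClass": ["mysub"], "cn": ["x"]}))
```

Running it shows the two points the thread keeps circling: B's effective MAY set is ( cn abc xyz cxy ) even though its own definition lists only ( cn cxy ), and an entry of class mysub that lacks mail fails the MUST check while uid and mobile are the only optional attributes it may carry; top contributes nothing beyond MUST objectClass.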
Re: Ldap challenge
On Mon, Apr 27, 2015 at 06:27:39PM +, Ross, Daniel B. wrote:
> ismemberof does not exist we have to use memberof

Memberof is fairly common. I don't think I have ever found a system that used 'ismemberof'. Note that maintaining memberof takes some work so it is not enabled on all LDAP servers by default.

> nsUniqueId we have to use objectGUID

What do you use nsUniqueId for? Probably not a problem anyway as you may be able to use other similar attributes as you mention above.

> no uniqueMember again can only use memberof.

uniqueMember and memberOf have completely different use-cases: uniqueMember is used just like 'member' in most cases, to indicate which entries are members of the group that it appears in. memberOf indicates which groups the entry that it appears in is a member of (i.e. it is the inverse mapping).

> while there is a guarantee of person there is not the same for Posixaccount or shadowaccount.

Ah - if you lack those attributes then AD is certainly not going to do the job on its own.

> While I have been able to get linux with SSSD to work, to some extent, with this it's rather hit and miss and the Solaris systems just won't work at all. This is why I was hoping to be able to use the campus for the username and password, and then provide the rest from a local ldap server. It doesn't sound like this is really possible.

Yes - it should be possible but it will take a bit more work.

> saslauthd did not work at all with the MS LDS.

Did you try following the instructions here?:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Note that you will need the DN and password of an existing AD user to allow saslauthd to do LDAP searches on AD. You can try the ldapsearch commands from section 14.5.3 without any other setup to test that you have a good user account.

In principle it may be better to do Kerberos authentication against AD rather than LDAP, but I didn't have a Kerberos server handy when I wrote that bit.

> What is a parallel or overlay directory service?

Parallel would be where you replicate some subset of data from AD into a local LDAP server, which then operates as a self-contained system. You could have the replication process create or look up Unix-specific attributes like UID and GID for new accounts.

Overlay would be where you use what you can get from AD, and put a translucent overlay on top containing Unix-specific data that you administer locally.

In either case you need to decide how to handle password checking and account locking.

All of my customers so far have chosen the parallel approach, as that allows the Unix LDAP to continue working if it loses access to AD. Ideally this includes installing a module on the AD Domain Controllers that detects password changes and forwards them immediately to the Unix LDAP. I have generally used Microsoft's SFU password-capture module for this as AD admins seem happier to install Microsoft code than things from other sources. It does have its problems though, and the code quality of the Unix end that they provide leaves a lot to be desired. I believe newer AD versions come with an updated version of this built in, but I have not tested it.

Andrew
--
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
---
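Andrew's point that memberOf is the inverse mapping of member/uniqueMember is easy to see in code. The following is an added example, not from the thread and not OpenLDAP's own implementation: it builds the member-to-groups index from a forward group listing, handling both the plain DN values of member and the 'Name and Optional UID' values that uniqueMember may carry (RFC 4519). The sample groups are constructed, and the DN normalisation is a deliberate simplification (no escaped commas or multi-valued RDNs), as noted in the code.

```python
"""Derive memberOf (member -> groups) from group member/uniqueMember values."""
from collections import defaultdict

# Constructed sample groups: one listing members with 'member', one with
# 'uniqueMember'. Not taken from any real directory.
GROUPS = [
    {"dn": "cn=hobbits,ou=groups,dc=example,dc=com",
     "member": ["uid=samwise,ou=people,dc=example,dc=com",
                "uid=frodo, ou=people, dc=example, dc=com"]},
    {"dn": "cn=fellowship,ou=groups,dc=example,dc=com",
     "uniqueMember": ["UID=samwise,OU=people,DC=example,DC=com#'0101'B",
                      "uid=gandalf,ou=people,dc=example,dc=com"]},
]


def normalize_dn(dn):
    """Cheap DN normalisation for comparison: trim spaces around the RDN
    separators and lower-case. Assumption: no escaped commas and no
    multi-valued RDNs, so this is not a full RFC 4514 distinguishedNameMatch."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def member_dn(value, attr):
    """Extract the DN from a membership value. A uniqueMember value uses the
    'Name and Optional UID' syntax (RFC 4519), so it may end in '#<bitstring>';
    a member value is a bare DN."""
    if attr == "uniqueMember" and "#" in value:
        value = value.rsplit("#", 1)[0]
    return normalize_dn(value)


def members(groups, group_dn):
    """Forward direction: the entries a given group lists as its members."""
    target = normalize_dn(group_dn)
    for group in groups:
        if normalize_dn(group["dn"]) == target:
            return [member_dn(v, a)
                    for a in ("member", "uniqueMember")
                    for v in group.get(a, [])]
    return []


def build_memberof(groups):
    """Invert the forward mapping into member DN -> [group DNs]. This is the
    work a server has to redo (or incrementally maintain) every time a
    group's member or uniqueMember values change."""
    inverse = defaultdict(list)
    for group in groups:
        gdn = normalize_dn(group["dn"])
        for attr in ("member", "uniqueMember"):
            for value in group.get(attr, []):
                mdn = member_dn(value, attr)
                if gdn not in inverse[mdn]:
                    inverse[mdn].append(gdn)
    return dict(inverse)


def member_of(index, dn):
    """Inverse direction: the groups an entry belongs to, i.e. the values a
    memberOf attribute on that entry would hold."""
    return index.get(normalize_dn(dn), [])


if __name__ == "__main__":
    index = build_memberof(GROUPS)
    print(members(GROUPS, "cn=fellowship,ou=groups,dc=example,dc=com"))
    print(member_of(index, "uid=samwise,ou=people,dc=example,dc=com"))
```

The forward lookup answers "who is in this group" from the group entry alone; the inverse answers "which groups is this user in" and needs the index over every group, which is why Andrew notes that maintaining memberOf takes work and is not on by default (OpenLDAP does it with the memberof overlay when enabled). Clients that key on memberOf, as Daniel's do, therefore depend on the server keeping that index current.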