Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Leander Schäfer
I'll deliver the gdb(1) results as soon as I'm able to compile with 
relevant options. Meanwhile, here are some more debugging results about 
the breakdown of 'slapd -d -1 [...]'


#  #

[...]

553dfcc9 filter: ((associatedDomain= 
somedom.tld)(!(destinationIndicator=*)))

ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x94b40f020 ptr=0x94b40f09a end=0x94b40f0ae len=20
  :  00 12 04 10 61 73 73 6f  63 69 61 74 65 64 44 6f associatedDo
  0010:  6d 61 69 6e main
553dfcc9 attrs:553dfcc9  associatedDomain553dfcc9
553dfcc9 conn=1007 op=331 SRCH 
base=ou=domains,ou=mail,dc=MyDomain,dc=Local scope=2 deref=0 
filter=((associatedDomain=somedom.tld)(!(destinationIndicator=*)))

ber_get_next: tag 0x30 len 105 contents:
ber_dump: buf=0x943d502b0 ptr=0x943d502b0 end=0x943d50319 len=105
  :  02 01 0c 63 64 04 28 6f  75 3d 61 63 63 6f 75 6e ...cd.(ou=accoun
  0010:  74 73 2c 6f 75 3d 6d 61  69 6c 2c 64 63 3d 4e 65 ts,ou=mail,dc=Ne
  0020:  74 4f 63 65 61 6e 2c 64  63 3d 4c 6f 63 61 6c 0a tOcean,dc=Local.
  0030:  01 02 0a 01 00 02 01 00  02 01 0a 01 01 00 a3 1c 
  0040:  04 0b 6d 61 69 6c 41 64  64 72 65 73 73 04 0d 40 ..mailAddress..@
  0050:  6e 65 74 6f 63 65 61 6e  2e 64 65 20 30 0b 04 09 somedom.tld 0...
  0060:  6d 61 69 6c 41 6c 69 61  73 mailAlias
553dfcc9 conn=1007 op=331 SRCH attr=associatedDomain
553dfcc9 op tag 0x63, time 1430125769
ber_get_next
553dfcc9 == limits_get: conn=1007 op=331 self=[anonymous] 
this=ou=domains,ou=mail,dc=mydomain,dc=local

tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
Segmentation fault

#  #


[...]

553dfd7c daemon: select: listen=6 active_threads=0 tvp=NULL
553dfd7c conn=1008 op=2 SRCH attr=associatedDomain
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
tls_read: want=5, got=5
553dfd7c == limits_get: conn=1008 op=2 self=[anonymous] 
this=ou=domains,ou=mail,dc=mydomain,dc=local

553dfd7c daemon: select: listen=7 active_threads=0 tvp=NULL
553dfd7c daemon: select: listen=8 active_threads=0 tvp=NULL
553dfd7c daemon: select: listen=9 active_threads=0 tvp=NULL
553dfd7c = mdb_equality_candidates (associatedDomain)
Segmentation fault



#  #


[...]


553dfdf3 = mdb_list_candidates 0xa1
553dfdf3 = mdb_filter_candidates
553dfdf3EQUALITY
553dfdf3 = mdb_equality_candidates (objectClass)
553dfdf3 = key_read
553dfdf3 mdb_idl_fetch_key: [b49d1940]
553dfdf3 = mdb_index_read: failed (-30798)
553dfdf3 = mdb_equality_candidates: id=0, first=0, last=0
553dfdf3 = mdb_filter_candidates: id=0 first=0 last=0
553dfdf3 = mdb_filter_candidates
553dfdf3EQUALITY
553dfdf3 conn=1002 op=1131 SRCH attr=associatedDomain
553dfdf3 = mdb_equality_candidates (mailAddress)
553dfdf3 = key_read
553dfdf3 mdb_idl_fetch_key: [a4af5673]
553dfdf3 == limits_get: conn=1002 op=1131 self=[anonymous] 
this=ou=domains,ou=mail,dc=mydomain,dc=local

553dfdf3 = mdb_index_read: failed (-30798)
553dfdf3 = mdb_equality_candidates: id=0, first=0, last=0
553dfdf3 = mdb_filter_candidates: id=0 first=0 last=0
553dfdf3 = mdb_list_candidates: id=0 first=0 last=0
553dfdf3 = mdb_filter_candidates: id=0 first=0 last=0
Segmentation fault






On 27.04.15 at 11:02, Leander Schäfer wrote:

Hi Michael,
Hi Ulrich,

Thanks for your reply. I'm running Version 2.4.40. As I said, I do not 
run binary version. I always compile OpenLDAP from sources / latest 
ports tree.


The maximum core file size ulimit -c was already set to unlimited. 
I'm using bash-4.3.30


root@FreeBASD # ulimit -a
socket buffer size   (bytes, -b) unlimited
core file size  (blocks, -c) unlimited
data seg size   (kbytes, -d) 33554432
file size   (blocks, -f) unlimited
max locked memory   (kbytes, -l) 131072
max memory size (kbytes, -m) 3012064
open files  (-n) 87651
pipe size(512 bytes, -p) 1
stack size  (kbytes, -s) 8192
cpu time   (seconds, -t) unlimited
max user processes  (-u) 7592
virtual memory  (kbytes, -v) unlimited
swap size   (kbytes, -w) unlimited





root@FreeBSD # /usr/local/libexec/slapd -d -1 -f 
/usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h 
ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///


# === #

[...]
I have removed the previous lines for this demo
[...]

553ded5a  mailUidNumber  0040:  2e e8 e7 5a 9a fe a0 8c  02 96 e9 58 
48 e0 49 10   ...Z...XH.I.
  0050:  cd 10 08 6c 20 1f 9d bc  ae dd 9a 4a 79 7e f2 3c   ...l 
..Jy~.
  0060:  25 a2 72 fe ac cc d0 09  eb 62 d2 bd 95 c8 50 7f 
%.r..bP.
  0020:  b0 86 e3 1d 11 32 2d 8b  fd 57 a6 a4 ce a2 ee 2f 

Re: modifying cn=config with ldapmodify

2015-04-27 Thread Abdelhamid MEDDEB

Hi,


On 25/04/2015 15:10, Robert Munn wrote:
I have been trying to replace the SSL cert settings on my OpenLDAP 
instance running on Ubuntu using ldapmodify.



I followed directions on the Ubuntu wiki:

https://help.ubuntu.com/lts/serverguide/openldap-server.html#openldap-tls

using a modified ldif file for the replace:

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

All right
When it didn’t work on my existing instance I built a new instance in 
a new Ubuntu VM (14.04) and tried the original directions from Ubuntu. 
That did not work either.

Maybe you've missed some settings at build time, like --with-tls


The ldapmodify command executes correctly but it seems that the change 
is not registered by the server. This is the case in both the new 
instance and the old instance of OpenLDAP.
No error message like Insufficient access (50)? And you should check 
the write (manage) rights to the cn=config database.


I ended up replacing the values (or adding them in the new instance) 
in the /etc/ldap/slapd.d/cn=config.ldif file manually. Making the 
changes manually and restarting slapd works, but my understanding was 
that changes to cn=config should be made through ldapmodify.

Bad practice; it's best to avoid it.


I also found a tech note at CentOS:

https://www.centos.org/docs/5/html/CDS/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Accessing_and_Modifying_Server_Configuration.html
in section 2.2.2.2 that indicates changes to cn=config will be ignored:

If an attribute is added to cn=config, the server ignores it.


So am I mistaken? Do I need to do something different? I would prefer 
to manage the config with ldapmodify, but since I don’t change 
cn=config that often, I can change it manually.




Robert




Cheers,

--
*Abdelhamid MEDDEB*
http://www.meddeb.net
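The LDIF record Robert posted is a plain `changetype: modify` record with three `replace` blocks separated by `-`. The following is an added example, not code from the thread or from the OpenLDAP project: a small parser for exactly that record shape, plus the check a practitioner would run before `ldapmodify`, namely that every `*File` value names a file that actually exists on the host. The sample records and the certificate paths are constructed for this example; the `missing_files` check only looks at existence, not at whether the user slapd runs as can read the file.

```python
import os

# Constructed sample: the same shape as the LDIF posted in the thread;
# the certificate paths are placeholders for this example.
MODIFY_LDIF = """\
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
"""

# Constructed malformed record: the '-' between the two replace blocks is missing.
BAD_LDIF = """\
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
"""


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_modify_ldif(text):
    """Parse one 'changetype: modify' record into (dn, [(op, attr, values), ...]).
    Raises ValueError when the record is structurally wrong, which ldapmodify
    would also reject. Base64 values ('attr:: ...') are not decoded here."""
    lines = [l for l in unfold(text) if l.strip() and not l.startswith("#")]
    if not lines or not lines[0].startswith("dn:"):
        raise ValueError("record must start with 'dn:'")
    dn = lines[0][3:].strip()
    if len(lines) < 2 or lines[1].strip().lower() != "changetype: modify":
        raise ValueError("expected 'changetype: modify' after the dn")
    changes, current = [], None
    for line in lines[2:]:
        if line.strip() == "-":
            if current is None:
                raise ValueError("'-' separator without a preceding add/replace/delete")
            changes.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() in ("add", "replace", "delete"):
            if current is not None:
                raise ValueError(f"missing '-' before '{key}: {value}'")
            current = (key.lower(), value, [])
        elif current is not None and key.lower() == current[1].lower():
            current[2].append(value)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if current is not None:          # the final block may omit its trailing '-'
        changes.append(current)
    return dn, changes


def is_wellformed(text):
    """True when parse_modify_ldif accepts the record."""
    try:
        parse_modify_ldif(text)
        return True
    except ValueError:
        return False


def missing_files(changes):
    """(attr, path) pairs for *File attributes whose value does not exist on this host.
    slapd has to open these paths for the TLS settings to take effect, so a
    missing file is worth catching before running ldapmodify."""
    return [(attr, v) for _op, attr, values in changes
            if attr.lower().endswith("file")
            for v in values if not os.path.exists(v)]


if __name__ == "__main__":
    dn, changes = parse_modify_ldif(MODIFY_LDIF)
    print(dn, changes)
    print("missing:", missing_files(changes))
```

Run it against the real LDIF file before `ldapmodify -Y EXTERNAL -H ldapi:///`; a structural error or a missing file shows up here rather than as a silently ineffective change on the server.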





Antw: Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Ulrich Windl
Leander Schäfer i...@netocean.de wrote on 27.04.2015 at 11:02 in
message
553dfb24.5050...@netocean.de:

[...]
 I'm currently trying to figure out a way to add -O0 -g gdb(1) support 
 for the slapd(8C) command, since I'm compiling OpenLDAP sources from 
 the ports tree. I'll post it as soon as I have it. But maybe you can already 
 assume some pre-diagnosis from the above output?

No, but you should have a core file after segmentation fault. What about
something like gdb /your_slapd /your/core and bt and info threads?
Probably not very useful unless you have debugging symbols in the binary.

Regards,
Ulrich




Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Leander Schäfer
Here is another (3rd) output of 'slapd -d -1 [...]' debugging. It looks 
a little different from the previous two.


#  #

[...]

553dfbce = acl_get: [1] attr entry
ldap_write: want=14, written=14
553dfbce = acl_mask: access to entry 
ou=domains,ou=mail,dc=mydomain,dc=local, attr entry requested

553dfbce daemon: activity on 2 descriptors
553dfbce daemon: waked
553dfbce connection_get(25): got connid=1011
  0040:  3f 8e 7f 94 2d 99 3e 60  41 93 73 b3 0e de d3 96 ?...-.`A.s.
  0050:  3f 93 74 5c 06 a4 c3 18  21 ec dd bd 87 5e 84 ed ?.t\!^..
  0560:  4c 6f 63 61 6c 87 04 c0  a8 32 65 87 04 7f 00 00 Local2e.
  0060:  a3 a1 03 5a cb 52 1c 75  db e9 bb ab 0d 5e 2d 97 ...Z.R.u.^-.
  0070:  93 0e 73 71 62 20 93 ef  76 f0 b8 6e 44 73 1d f4   ..sqb 
..v..nDs..
553dfbce == limits_get: conn=1006 op=2 self=[anonymous] 
this=ou=accounts,ou=mail,dc=mydomain,dc=local

  0080:  c3 49 7f 6e 49 bd e4 e0  7d 70 8b 12 46 39 f1 2b .I.nI...}p..F9.+
  :  30 0c 02 01 03 65 07 0a  01 00 04 00 04 00 0e
ber_dump: buf=0x945c75180 ptr=0x945c75183 end=0x945c751f6 len=115
Segmentation fault

#  #






Re: Ldap challenge

2015-04-27 Thread Michael Ströder

Andrew Findlay wrote:

On Mon, Apr 27, 2015 at 06:27:39PM +, Ross, Daniel B. wrote:


ismemberof  does not exist  we have to use memberof


Memberof is fairly common. I don't think I have ever found a system
that used 'ismemberof'.


'isMemberOf' is used on Sun/Oracle DSSE, Netscape/Fedora/389-DS and 
OpenDS/OpenDJ.

'memberOf' was originally defined in MS Active Directory and is used as 
default in slapo-memberof. It's configurable though.


Ciao, Michael.





Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Leander Schäfer

Ok, here is the first result running the debugging mode with gdb(1)

 Procedure overview:
(gdb) run
(gdb) bt full
(gdb) thread apply all bt
(gdb) generate-core-file


 This came up:
candidates = Error accessing memory address 0x7eafb6f0: Bad address.

# == #

root@FreeBSD [~]$ gdb --args /usr/local/libexec/slapd -d -1 -f 
/usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h 
ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd...
(gdb) run
Starting program: /usr/local/libexec/slapd -d -1 -f 
/usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h 
ldapi://%2fvar%2frun%2fopenldap%2fldapi/\ ldap:///\ ldaps:///

[New LWP 101138]
[New Thread 802806400 (LWP 101138/slapd)]

[...]

553e8a87 conn=1006 op=2 SRCH attr=mailAlias
553e8a87 send_ldap_result: err=0 matched= text=
  0010:  51 bd aa 7d 3f 1c 50 fb  25 f8 59 9e 9d 9a ba 0f Q..}?.P.%.Y.
  0020:  d0 07 aa 95 ac 1c e7 3e  81 f6 e6 0b 6d 09 94 9b ...m...
  0730:  1b 51 e3 08 4b 38 ec f1  ee 8c 0f 35 cd 55 eb 80 .Q..K8.5.U..
553e8a87 == limits_get: conn=1006 op=2 self=[anonymous] 
this=ou=accounts,ou=mail,dc=mydomain,dc=local

  0740:  83 e2 3b b5 13 fd 08 51  13 25 d9 7d 57 9f 6b e9 ..;Q.%.}W.k.
[New Thread 943c11800 (LWP 100198/slapd)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 943c11800 (LWP 100198/slapd)]
mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
404 search.c: No such file or directory.
in search.c
Current language:  auto; currently minimal
(gdb) bt full
#0  mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
mdb = (struct mdb_info *) 0x80290a000
id = 0
cursor = 0
nsubs = 128
ncand = 0
cscope = 0
lastid = 18446744073709551615
candidates = Error accessing memory address 0x7eafb6f0: Bad 
address.

(gdb) thread apply all bt
[New Thread 943c15000 (LWP 101255/slapd)]
[New Thread 943c14c00 (LWP 101213/slapd)]
[New Thread 943c14800 (LWP 101202/slapd)]
[New Thread 943c14400 (LWP 100898/slapd)]
[New Thread 943c14000 (LWP 100884/slapd)]
[New Thread 943c13c00 (LWP 100647/slapd)]
[New Thread 943c13800 (LWP 100619/slapd)]
[New Thread 943c13400 (LWP 100577/slapd)]
[New Thread 943c13000 (LWP 100531/slapd)]
[New Thread 943c12c00 (LWP 100515/slapd)]
[New Thread 943c12800 (LWP 100347/slapd)]
[New Thread 943c12400 (LWP 100311/slapd)]
[New Thread 943c12000 (LWP 100296/slapd)]
[New Thread 943c11c00 (LWP 100268/slapd)]
[New Thread 943c11400 (LWP 100165/slapd)]
[New Thread 802807800 (LWP 100103/slapd)]

Thread 19 (Thread 802807800 (LWP 100103/slapd)):
#0  0x000801aa78cc in __error () from /lib/libthr.so.3
#1  0x000801aa27f4 in pthread_mutex_destroy () from /lib/libthr.so.3
#2  0x000801dfc237 in flockfile () from /lib/libc.so.7
#3  0x000801dd7e64 in fputs () from /lib/libc.so.7
#4  0x000800bfd48f in lutil_debug () from 
/usr/local/lib/liblber-2.4.so.2
#5  0x0043b96f in slapd_daemon_task (ptr=0x8028afb08) at 
daemon.c:2530

#6  0x000801a9c4f5 in pthread_create () from /lib/libthr.so.3
#7  0x in ?? ()

Thread 18 (Thread 943c11400 (LWP 100165/slapd)):
#0  0x000801aa78cc in __error () from /lib/libthr.so.3
#1  0x000801aa27f4 in pthread_mutex_destroy () from /lib/libthr.so.3
#2  0x000801dfc237 in flockfile () from /lib/libc.so.7
#3  0x000801dd7e64 in fputs () from /lib/libc.so.7
#4  0x000800bfcc66 in ber_error_print () from 
/usr/local/lib/liblber-2.4.so.2

#5  0x000800bfd002 in ber_bprint () from /usr/local/lib/liblber-2.4.so.2
#6  0x000800bfcf4a in ber_log_bprint () from 
/usr/local/lib/liblber-2.4.so.2
#7  0x000800c0017e in ber_int_sb_write () from 
/usr/local/lib/liblber-2.4.so.2
#8  0x0008009e1905 in ldap_start_tls_s () from 
/usr/local/lib/libldap_r-2.4.so.2

#9  0x000801807e84 in BIO_read () from /lib/libcrypto.so.7
#10 0x00080146ce97 in ssl3_read_n () from /usr/lib/libssl.so.7
#11 0x00080146db61 in ssl3_read_bytes () from /usr/lib/libssl.so.7
#12 0x000801470aa0 in ssl3_read () from /usr/lib/libssl.so.7
#13 0x0008009e16b8 in ldap_start_tls_s () from 
/usr/local/lib/libldap_r-2.4.so.2
#14 0x000800c00126 in ber_int_sb_write () from 
/usr/local/lib/liblber-2.4.so.2
#15 0x000800bff0f2 in ber_int_sb_read () from 
/usr/local/lib/liblber-2.4.so.2
#16 0x000800bfc720 in ber_get_next () from 
/usr/local/lib/liblber-2.4.so.2
#17 0x00444cf5 in connection_input (conn=0x8034099c0, 
cri=0x7f3fcc18) at connection.c:1572
#18 0x00444ac5 in connection_read 

Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Leander Schäfer

Hi Michael,
Hi Ulrich,

Thanks for your reply. I'm running Version 2.4.40. As I said, I do not 
run binary version. I always compile OpenLDAP from sources / latest 
ports tree.


The maximum core file size ulimit -c was already set to unlimited. I'm 
using bash-4.3.30


root@FreeBASD # ulimit -a
socket buffer size   (bytes, -b) unlimited
core file size  (blocks, -c) unlimited
data seg size   (kbytes, -d) 33554432
file size   (blocks, -f) unlimited
max locked memory   (kbytes, -l) 131072
max memory size (kbytes, -m) 3012064
open files  (-n) 87651
pipe size(512 bytes, -p) 1
stack size  (kbytes, -s) 8192
cpu time   (seconds, -t) unlimited
max user processes  (-u) 7592
virtual memory  (kbytes, -v) unlimited
swap size   (kbytes, -w) unlimited





root@FreeBSD # /usr/local/libexec/slapd -d -1 -f 
/usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h 
ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///


# === #

[...]
I have removed the previous lines for this demo
[...]

553ded5a  mailUidNumber  0040:  2e e8 e7 5a 9a fe a0 8c  02 96 e9 58 48 
e0 49 10   ...Z...XH.I.
  0050:  cd 10 08 6c 20 1f 9d bc  ae dd 9a 4a 79 7e f2 3c   ...l 
..Jy~.

  0060:  25 a2 72 fe ac cc d0 09  eb 62 d2 bd 95 c8 50 7f %.r..bP.
  0020:  b0 86 e3 1d 11 32 2d 8b  fd 57 a6 a4 ce a2 ee 2f .2-..W./
  0030:  52 59 da 4d 7b d1 5c 0c  22 34 29 86 c2 9c 80 72 RY.M{.\.4)r
  0040:  ca 94 4d 69 2e ..Mi.
  0010:  73 2c 6f 75 3d 6d 61 69  6c 2c 64 63 3d 4e 65 74 s,ou=mail,dc=MyD
  0020:  4f 63 65 61 6e 2c 64 63  3d 4c 6f 63 61 6c 0a 01 omain,dc=Local..
  0090:  8e 5f 68 e0 0a 31 26 07  da 21 c6 cd 27 0e 17 2b ._h..1..!..'..+
  00a0:  fb 53 5e 0a 84 74 50 b8  74 13 a5 fa e2 02 9a ee .S^..tP.t...
  00b0:  5e ee 8e 6c b2 d3 b6 6e  82 6d 01 ab eb 81 25 bd ^..l...n.m%.
  00c0:  f1 05 16 5b 7f 9e bb 76  7c ae ba a2 24 73 89 78 ...[...v|...$s.x
  0070:  ca 00 ec a3 7b 97 78 19  fe aa 56 fc a1 a5 9a 1e {.x...V.
  0080:  65 f0 04 b7 04 08 af 7a  82 ef 77 e..z..w
553ded5a  mailGidNumberldap_read: want=8, got=8
553ded5a  mailQuotaStorage  :  30 71 02 01 0b 63 6c 
040q...cl.

ldap_read: want=107, got=107
  00d0:  6c ae 39 eb 15 85 4a f9  c1 6f 65 ca 4f c6 db 14 l.9...J..oe.O...
ldap_write: want=14, written=14
  00e0:  c1 f4 fe b8 b5 a4 a3 75  96 b1 9b 9b 8f d5 d6 e5 ...u
  00f0:  8d 3c 75 4c 50 cc 9d 85  cf bb a1 d8 50 21 93 fa .uLP...P!..
  0100:  38 ee 89 46 45 4e 06 17  7a 8c 4b 83 51 95 a9 ca 8..FEN..z.K.Q...
  0110:  71 8c d0 b9 59 1a 14 f4  10 8d b9 bc 80 d5 cb e9 q...Y...
  0120:  46 03 a2 ce 59 49 0b db  fc ea a3 3b fa cd a1 99 F...YI.;
  0030:  02 0a 01 00 02 01 00 02  01 78 01 01 00 a0 5a a3 .xZ.
  0040:  1a 04 0b 6f 62 6a 65 63  74 43 6c 61 73 73 04 0b ...objectClass..
  0130:  14 90 d6 0a 55 da 84 b1  42 fe af 8d 14 92 ce 27 U...B..'
  0050:  6d 61 69 6c 41 63 63 6f  75 6e 74 a3 1b 04 11 6d mailAccountm
  0060:  61 69 6c 41 63 63 6f 75  6e 74 53 74 61 74 75 73 ailAccountStatus
  :  30 0c 02 01 06 65 07 0a  01 00 04 00 04 00 0e
  0070:  04 06 61 63 74 69 76 65  a3 1f 04 0b 6d 61 69 6c ..activemail
  0080:  41 64 64 72 65 73 73 04  10 69 6e 66 6f 40 6e 65 Address..info@So
  0090:  74 6f 63 65 61 6e 2e 64  65 30 6f 04 14 6d 61 69 meDom.tld0o..mai
  00a0:  6c 53 74 6f 72 61 67 65  44 69 72 65 63 74 6f 72 lStorageDirector
553ded5a  mailQuotaMessages553ded5a
  00b0:  79 04 14 6d 61 69 6c 53  74 6f 72 61 67 65 44 69 y..mailStorageDi
553ded5a conn=1008 op=5 SRCH 
base=ou=accounts,ou=mail,dc=MyDomain,dc=Local scope=2 deref=0 
filter=((objectClass=mailAccount)(mailAccountStatus=active)(mailAddress=i...@somedom.tld))

  00c0:  72 65 63 74 6f 72 79 04  0d 6d 61 69 6c 55 69 64 rectory..mailUid
  :  28 6f 75 3d 61 63 63 6f  75 6e 74 73 2c 6f 75 3d (ou=accounts,ou=
553ded5a conn=1008 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
  00d0:  4e 75 6d 62 65 72 04 0d  6d 61 69 6c 47 69 64 4e Number..mailGidN
553ded5a conn=1008 op=5 SRCH attr=mailStorageDirectory 
mailStorageDirectory mailUidNumber mailGidNumber mailQuotaStorage 
mailQuotaMessages

ldap_read: want=8, got=8
  :  30 82 01 0d 02 01 09 63 0..c
ldap_read: want=265, got=265
  :  82 01 06 04 28 6f 75 3d  61 63 63 6f 75 6e 74 73 (ou=accounts
  0010:  2c 6f 75 3d 6d 61 69 6c  2c 64 63 3d 4e 65 74 4f ,ou=mail,dc=MyDo
553ded5a == limits_get: conn=1008 op=5 
self=uid=dovecot,ou=systemuser,ou=mail,dc=mydomain,dc=local 
this=ou=accounts,ou=mail,dc=mydomain,dc=local

  00e0:  75 6d 62 65 72 04 10 6d  61 69 6c 51 75 6f 74 61 umber..mailQuota
Segmentation fault

# === #


... and a second time the same debugging (-d -1)
# 

Re: Ldap challenge

2015-04-27 Thread Ross, Daniel B.
Will any of this work with the secure 636 connection with TLS? That's what I 
have to connect using. It's not a port 389 connection. I saw this 
documentation before but couldn't find anything that said it worked over 636. 
For further consideration, I also don't have Kerberos, nor do I have the 
availability to install anything on a Windows system that is bound to the 
domain, as that is forbidden. They would have to control the system and would 
then not allow anything to be installed on it.
Daniel

Operating Systems Analyst/Development, Lead
Rollins School of Public Health at Emory University
404-727-9931
daniel.r...@emory.edu


From: Clément OUDOT clem.ou...@gmail.com
Sent: Friday, April 24, 2015 2:59 PM
To: Dan White
Cc: Ross, Daniel B.; openldap-technical@openldap.org
Subject: Re: Ldap challenge

2015-04-24 19:02 GMT+02:00 Dan White dwh...@cafedemocracy.org:
 On 04/22/15 20:08 +, Ross, Daniel B. wrote:

 Ok I have looked at a couple of options but I really don't know how to accomplish
 what I need to do.

 Here is what I am trying to do.


 I have a greater organization that is stuck on using Microsoft products,
 namely Microsoft LDS. To make matters worse they present the data to my
 Linux servers in a completely non-standard way. It's driving my Solaris
 and Linux boxes nuts and they simply don't want to work with it.

 What i need to do is continue to use the campus usernames and passwords
 but present the Data in a format that my linux/unix hosts can use.  Is
 this possible?

 i.e. userid would still be samwise but instead of a bizarre
 OU=monkeypeople,dc=example,dc=com I want it to present as
 people,dc=example,dc=com.

 I looked at referral and aliasing but it does not seem to be doing what I
 am trying to do. Passthrough authentication looks close but I can't find
 sufficient documentation to actually configure a system to use it.


 See slapo-rwm(5).

 Pass-through is documented in section 14.5 of the Administrator's Guide:

 http://www.openldap.org/doc/admin24/

 Supporting Cyrus SASL documentation:

 http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/
 And /saslauthd/LDAP_SASLAUTHD within the Cyrus SASL source.

 You'll find workable pass-through examples for authenticating to Exchange
 in this list's archives as well as the Cyrus SASL list archives. The 'ldap'
 and 'kerberos5' saslauthd backends should both be workable solutions.


Hi,

you can also find documentation on SASL delegation here:
http://ltb-project.org/wiki/documentation/general/sasl_delegation


Clément.



Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Howard Chu

Howard Chu wrote:

Howard Chu wrote:

Assuming you compiled the latest snapshot, the SEGV at
back-mdb/search.c:404 doesn't make much sense, it's a return statement.

Also, as back-mdb didn't exist 5 years ago, this cannot be the same
issue you've been running into all the time.

Perhaps you've hit a stack overrun. Generally slapd uses 8MB stacks on
64bit machines. It seems from your ulimit output that 8MB should be
fine, so that also seems unlikely.


Ah, yes, this is a known issue with FreeBSD.

http://www.openldap.org/lists/openldap-bugs/200506/msg00174.html


Furthermore, in the intervening 10 years, the FreeBSD developers have 
not yet fixed this issue.


http://lists.freebsd.org/pipermail/freebsd-current/2014-August/051646.html

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Howard Chu

Leander Schäfer wrote:

Ok, here is the first result running the debugging mode with gdb(1)

  Procedure overview:
(gdb) run
(gdb) bt full
(gdb) thread apply all bt
(gdb) generate-core-file


No need for a core file if you're just running slapd inside gdb.



  This came up:
candidates = Error accessing memory address 0x7eafb6f0: Bad address.

# == #

root@FreeBSD [~]$ gdb --args /usr/local/libexec/slapd -d -1 -f
/usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h
ldapi://%2fvar%2frun%2fopenldap%2fldapi/ ldap:/// ldaps:///
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as amd64-marcel-freebsd...
(gdb) run
Starting program: /usr/local/libexec/slapd -d -1 -f
/usr/local/etc/openldap/slapd.conf -u ldap -g ldap -h
ldapi://%2fvar%2frun%2fopenldap%2fldapi/\ ldap:///\ ldaps:///
[New LWP 101138]
[New Thread 802806400 (LWP 101138/slapd)]

[...]

553e8a87 conn=1006 op=2 SRCH attr=mailAlias
553e8a87 send_ldap_result: err=0 matched= text=
   0010:  51 bd aa 7d 3f 1c 50 fb  25 f8 59 9e 9d 9a ba 0f Q..}?.P.%.Y.
   0020:  d0 07 aa 95 ac 1c e7 3e  81 f6 e6 0b 6d 09 94 9b ...m...
   0730:  1b 51 e3 08 4b 38 ec f1  ee 8c 0f 35 cd 55 eb 80 .Q..K8.5.U..
553e8a87 == limits_get: conn=1006 op=2 self=[anonymous]
this=ou=accounts,ou=mail,dc=mydomain,dc=local
   0740:  83 e2 3b b5 13 fd 08 51  13 25 d9 7d 57 9f 6b e9 ..;Q.%.}W.k.
[New Thread 943c11800 (LWP 100198/slapd)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 943c11800 (LWP 100198/slapd)]
mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
404 search.c: No such file or directory.
 in search.c
Current language:  auto; currently minimal
(gdb) bt full
#0  mdb_search (op=0x94581c400, rs=0x7ebfbb60) at search.c:404
 mdb = (struct mdb_info *) 0x80290a000
 id = 0
 cursor = 0
 nsubs = 128
 ncand = 0
 cscope = 0
 lastid = 18446744073709551615
 candidates = Error accessing memory address 0x7eafb6f0: Bad
address.
(gdb) thread apply all bt
[New Thread 943c15000 (LWP 101255/slapd)]
[New Thread 943c14c00 (LWP 101213/slapd)]
[New Thread 943c14800 (LWP 101202/slapd)]
[New Thread 943c14400 (LWP 100898/slapd)]
[New Thread 943c14000 (LWP 100884/slapd)]
[New Thread 943c13c00 (LWP 100647/slapd)]
[New Thread 943c13800 (LWP 100619/slapd)]
[New Thread 943c13400 (LWP 100577/slapd)]
[New Thread 943c13000 (LWP 100531/slapd)]
[New Thread 943c12c00 (LWP 100515/slapd)]
[New Thread 943c12800 (LWP 100347/slapd)]
[New Thread 943c12400 (LWP 100311/slapd)]
[New Thread 943c12000 (LWP 100296/slapd)]
[New Thread 943c11c00 (LWP 100268/slapd)]
[New Thread 943c11400 (LWP 100165/slapd)]
[New Thread 802807800 (LWP 100103/slapd)]

Thread 19 (Thread 802807800 (LWP 100103/slapd)):
#0  0x000801aa78cc in __error () from /lib/libthr.so.3
#1  0x000801aa27f4 in pthread_mutex_destroy () from /lib/libthr.so.3
#2  0x000801dfc237 in flockfile () from /lib/libc.so.7
#3  0x000801dd7e64 in fputs () from /lib/libc.so.7
#4  0x000800bfd48f in lutil_debug () from
/usr/local/lib/liblber-2.4.so.2
#5  0x0043b96f in slapd_daemon_task (ptr=0x8028afb08) at
daemon.c:2530
#6  0x000801a9c4f5 in pthread_create () from /lib/libthr.so.3



Seems like something went wrong here. Am I using gdb wrong?


Looks like your liblber was installed without debug symbols. Most of 
these stack traces look invalid.



On 27.04.15 at 19:04, Michael Ströder wrote:

Leander Schäfer wrote:

Can you please provide me a link, cause I wasn't able to find
current RE24 on the official website nor on the FTP mirror.


Use git or this link to checkout snapshot of the RE24 branch:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz


Assuming you compiled the latest snapshot, the SEGV at 
back-mdb/search.c:404 doesn't make much sense, it's a return statement.


Also, as back-mdb didn't exist 5 years ago, this cannot be the same 
issue you've been running into all the time.


Perhaps you've hit a stack overrun. Generally slapd uses 8MB stacks on 
64bit machines. It seems from your ulimit output that 8MB should be 
fine, so that also seems unlikely.


What was the full LDAP search request that was running at the moment of 
the crash? Mainly interested in seeing the search filter, and how 
complex it was, as well as the depth of the DIT.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
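Howard's diagnosis above is that most frames in the posted `thread apply all bt` output come from shared objects without debug symbols, which is why the traces look invalid. The following is an added example, not code from the thread or from the OpenLDAP project: a parser for gdb's frame lines that groups frames per thread, separates frames that carry `file:line` source information from those that only say `from <library>`, and lists the libraries that never contribute source information. The sample backtrace is constructed from the one Leander posted (abridged to one thread), and the regular expression assumes gdb's usual `#N  0xADDR in func (args) at file:line` / `from lib` frame layout.

```python
import re

# Constructed sample: one thread from the 'thread apply all bt' output in the thread.
SAMPLE_BT = """\
Thread 19 (Thread 802807800 (LWP 100103/slapd)):
#0  0x000801aa78cc in __error () from /lib/libthr.so.3
#1  0x000801aa27f4 in pthread_mutex_destroy () from /lib/libthr.so.3
#2  0x000801dfc237 in flockfile () from /lib/libc.so.7
#3  0x000801dd7e64 in fputs () from /lib/libc.so.7
#4  0x000800bfd48f in lutil_debug () from /usr/local/lib/liblber-2.4.so.2
#5  0x0043b96f in slapd_daemon_task (ptr=0x8028afb08) at daemon.c:2530
#6  0x000801a9c4f5 in pthread_create () from /lib/libthr.so.3
#7  0x in ?? ()
"""

# gdb frame: '#N  [0xADDR in ]func (args)[ at file:line | from lib]'
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]*\s+in\s+)?(?P<func>\S+)\s*\((?P<args>[^)]*)\)"
    r"\s*(?:at\s+(?P<file>\S+):(?P<line>\d+)|from\s+(?P<lib>\S+))?"
)


def parse_backtrace(text):
    """Map each 'Thread N (...)' header to its list of frame dicts.
    Frames seen before any header (plain 'bt' output) go under 'main'."""
    threads = {}
    current = "main"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Thread ") and line.endswith(":"):
            current = line[:-1]
            threads.setdefault(current, [])
            continue
        m = FRAME_RE.match(line)
        if not m:
            continue                      # '[New Thread ...]', blank lines, etc.
        threads.setdefault(current, []).append({
            "num": int(m.group("num")),
            "func": m.group("func"),
            "args": m.group("args"),
            # file:line is only present when the object was built with -g
            "source": f"{m.group('file')}:{m.group('line')}" if m.group("file") else None,
            "lib": m.group("lib"),
        })
    return threads


def frames_with_source(threads):
    """Frames that gdb could resolve to a source location; only these are trustworthy."""
    return [f for frames in threads.values() for f in frames if f["source"]]


def libs_without_debug_info(threads):
    """Shared objects whose frames never carry file:line, i.e. candidates for a rebuild
    with debug symbols (or for installing the matching debug package)."""
    libs = {f["lib"] for frames in threads.values() for f in frames
            if f["lib"] and not f["source"]}
    return sorted(libs)


def report(text):
    """Human-readable summary for a pasted backtrace."""
    threads = parse_backtrace(text)
    lines = [f"{len(threads)} thread(s), "
             f"{sum(len(v) for v in threads.values())} frame(s), "
             f"{len(frames_with_source(threads))} with source info"]
    for lib in libs_without_debug_info(threads):
        lines.append(f"no debug symbols: {lib}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_BT))
```

On the posted trace this reports a single frame with source information (`slapd_daemon_task` at `daemon.c:2530`) and flags `liblber`, `libthr` and `libc` as symbol-less, which is the situation Howard describes: the frames inside those libraries cannot be relied on until they are rebuilt with debug symbols.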



Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Howard Chu

Howard Chu wrote:

Assuming you compiled the latest snapshot, the SEGV at
back-mdb/search.c:404 doesn't make much sense, it's a return statement.

Also, as back-mdb didn't exist 5 years ago, this cannot be the same
issue you've been running into all the time.

Perhaps you've hit a stack overrun. Generally slapd uses 8MB stacks on
64bit machines. It seems from your ulimit output that 8MB should be
fine, so that also seems unlikely.


Ah, yes, this is a known issue with FreeBSD.

http://www.openldap.org/lists/openldap-bugs/200506/msg00174.html

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: All entries belong to the top object class?

2015-04-27 Thread dE

On 04/21/15 15:36, Andrew Findlay wrote:

On Mon, Apr 20, 2015 at 11:06:07AM +0530, dE wrote:


I'm concerned about the attributes. Does adding of the top object
class (or person) add all attributes to the entry?

No. 'top' is defined in RFC4512:

( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

so every entry MUST contain an objectclass attribute.
It does not say anything about any other attributes.


Yeah, so that's the question: can any attribute which is in the MAY of 
the top object class be added to any entry in the DIT, regardless of what 
object class it belongs to?




Re: All entries belong to the top object class?

2015-04-27 Thread dE

On 04/27/15 02:07, Dieter Klünter wrote:

On Sun, 26 Apr 2015 21:05:44 +0530,
dE de.tec...@gmail.com wrote:


On 04/26/15 17:13, Michael Ströder wrote:

dE wrote:

Super this is the superclass chain --

A-B

A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
B is defined by MUST ObjectClass MAY ( cn cxy )

Then an entry belonging to B (explicit) and A (implicit,
automatically added)
cannot have attributes abc and xyz.

No!

B would have MAY ( cn abc xyz cxy ).

Example for A:

objectclass ( some-oid-for-A
   NAME 'A'
   MAY ( cn $ abc $ xyz $ cxy ) )

These three variants have the same MAY attribute set ( cn $ abc $
xyz $ cxy ):

objectclass ( some-oid-for-B
   NAME 'B'
   SUP A
   MAY ( cn $ cxy ) )

objectclass ( some-oid-for-B
   NAME 'B'
   SUP A
   MAY ( cn $ abc $ xyz $ cxy ) )

objectclass ( some-oid-for-B
   NAME 'B'
   SUP A )

Ciao, Michael.



Ok.

So the significance of subordinate classes is to add MUST
attributes only. The possible attributes that any object can have are
defined in the TOP object class; regardless of what object class the
entry belongs to, any attribute listed in the TOP object class can be
added to it.

NO! The abstract objectClass 'top' only provides the attribute
'objectClass'. From schema_prep.c

( 2.5.6.0 NAME 'top' 
 DESC 'top of the superclass chain' 
 ABSTRACT MUST objectClass ),

-Dieter



That's the MUST, I'm talking about the MAY.



LMDB:Transaction across multiple enviroments

2015-04-27 Thread Daniel, Sabu
Hi,

I am trying to use LMDB and I would like to know if there is a way to define a 
transaction across multiple environments?

Thanks,
Sabu Daniel


Re: All entries belong to the top object class?

2015-04-27 Thread dE

On 04/26/15 23:37, Michael Ströder wrote:

dE wrote:

On 04/26/15 17:13, Michael Ströder wrote:

dE wrote:

Super this is the superclass chain --

A-B

A is defined by MUST ObjectClass MAY ( cn abc xyz cxy )
B is defined by MUST ObjectClass MAY ( cn cxy )

Then an entry belonging to B (explicit) and A (implicit, 
automatically added)

cannot have attributes abc and xyz.


No!

B would have MAY ( cn abc xyz cxy ).

Example for A:

objectclass ( some-oid-for-A
  NAME 'A'
  MAY ( cn $ abc $ xyz $ cxy ) )

These three variants have the same MAY attribute set ( cn $ abc $ 
xyz $ cxy ):


objectclass ( some-oid-for-B
  NAME 'B'
  SUP A
  MAY ( cn $ cxy ) )

objectclass ( some-oid-for-B
  NAME 'B'
  SUP A
  MAY ( cn $ abc $ xyz $ cxy ) )

objectclass ( some-oid-for-B
  NAME 'B'
  SUP A )


Ok.

So the significance of subordinate classes is to add MUST 
attributes only.


No! Which text in RFC 4512 says that?



It's implied from

When creating an entry or adding an 'objectClass' value to an entry,
   all superclasses of the named classes SHALL be implicitly added

Also I don't understand what the term significance of subordinate 
classes means to you in this context.




I mean object classes subordinate to the TOP object class.

The possible attributes that any object can have are defined in the 
TOP object class;


No!



But that's what you said.

   These three variants have the same MAY attribute set ( cn $ abc $
   xyz $ cxy ):

   objectclass ( some-oid-for-B
  NAME 'B'
  SUP A
  MAY ( cn $ cxy ) )

   objectclass ( some-oid-for-B
  NAME 'B'
  SUP A
  MAY ( cn $ abc $ xyz $ cxy ) )

   objectclass ( some-oid-for-B
  NAME 'B'
  SUP A )


So entries belonging to object class B can have all attributes of object 
class A; in a similar way, the possible attributes that any object can 
have are defined by the TOP object class.


regardless of what object class the entry belongs to, any attribute
listed in the TOP object class can be added to it.


You should really read RFC 4512 more carefully and look at existing 
subschema. I give up now to explain.


That's the source of all confusion.

There is no IETF mailing list to discuss these issues.


Re: All entries belong to the top object class?

2015-04-27 Thread dE

On 04/27/15 01:13, Mattes wrote:
  
Am Sonntag, 26. April 2015 20:07 CEST, Michael Ströder mich...@stroeder.com schrieb:
  


Also I don't understand what the term significance of subordinate classes
means to you in this context.

Yes. Might it be possible that dE (mis)reads 'SUB' as 'subordinate' when it actually
means 'subclass'?  When talking about LDAP the term 'subordinate' does have a well
defined meaning (that is irrelevant to this discussion).


Actually I meant subclass.


The possible attributes that any object can have is defined in the TOP object
class;

No!


regardless of what object class the entry belongs to, any attribute
listed in the TOP object class can be added to it.

Hmm - but while this might be true it's a tautology. Given:

  objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
MUST objectClass )

What attributes of 'TOP' are you talking about?  ;-)


All MAY attributes. Of course the MUST must be there, but from what I 
understand all MAY attributes in top can also be added regardless of 
what subclass the entry belongs to.



You should really read RFC 4512 more carefully and look at existing subschema.
I give up now to explain.

May I humbly suggest reading http://www.zytrax.com/books/ldap/ch3/

Cheers, RalfD


What that book says is different from what the RFC says. Besides, I'm
interested in reading the latest RFC.




Re: All entries belong to the top object class?

2015-04-27 Thread dE

On 04/27/15 06:10, Quanah Gibson-Mount wrote:




On Apr 26, 2015, at 12:45 PM, Mattes r...@mh-freiburg.de wrote:


Am Sonntag, 26. April 2015 20:07 CEST, Michael Ströder mich...@stroeder.com 
schrieb:



Also I don't understand what the term significance of subordinate classes
means to you in this context.

Yes. Might it be possible that dE (mis)reads 'SUB' as 'subordinate' when it actually
means 'subclass'?  When talking about LDAP the term 'subordinate' does have a well
defined meaning (that is irrelevant to this discussion).


The possible attributes that any object can have is defined in the TOP object
class;

No!


regardless of what object class the entry belongs to, any attribute
listed in the TOP object class can be added to it.

Hmm - but while this might be true it's a tautology. Given:

objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
MUST objectClass )

What attributes of 'TOP' are you talking about?  ;-)

objectClass, clearly.


No. Everything else.


You should really read RFC 4512 more carefully and look at existing subschema.
I give up now to explain.

May I humbly suggest reading http://www.zytrax.com/books/ldap/ch3/

Zytrax should be avoided. Besides engaging in blatant illegal plagiarism, they 
often have completely erroneous information.

--Quanah

Re: All entries belong to the top object class?

2015-04-27 Thread dE

On 04/19/15 11:42, dE wrote:

As per https://tools.ietf.org/html/rfc4512#section-3.3

When creating an entry or adding an 'objectClass' value to an entry,
   all superclasses of the named classes SHALL be implicitly added as
   well if not already present.

That means the top object class will always be there.

Or is it that only the most subordinate object class in the 
multivalued attribute is considered by the client and server?


Ok.

It appears that I've some other confusion.

Starting a new discussion about that.



Re: separate loglevels for different databases?

2015-04-27 Thread Meike Stone
Hello,

2015-04-17 17:18 GMT+02:00 Meike Stone meike.st...@googlemail.com:
 Dear list,

 I've configured two different databases (one ldap, one bdb) in openLDAP.
 Is it possible, to configure separate loglevels for each database?

 maybe at least different logfiles?


No one who can help?


 Thanks Meike



Re: Ldap challenge

2015-04-27 Thread Andrew Findlay
On Wed, Apr 22, 2015 at 08:08:11PM +, Ross, Daniel B. wrote:

 What i need to do is continue to use the campus usernames and passwords but
 present the Data in a format that my linux/unix hosts can use.  Is this
 possible?

Probably, but I don't think you have given us enough information so far.

 i.e.  userid would still be samwise but instead of a bizarre OU=
 monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=
 com.

I assume the latter DN should be O=people,dc=example,dc=com

If this is your main problem then it may not need solving on the server side.
There is no fixed rule about the structure of a base DN used for Linux and Unix
LDAP authentication. You should be able to work with any DN structure, provided
that you know where to base your searches and provided you can do one-level or
subtree searches on the AD service to find what you need.

 I looked at referral and aliasing but it does not seem to be doing what I am
 trying to do.  Passthrough authentication looks close but I can't find
 sufficient documentation to actually configure a system to use it.

Does the campus AD service contain everything that Linux/Unix would need?
e.g. does it have:

Username (almost certain - called samAccountName in AD)
Unix numeric UID
Unix numeric GID
Unix homedir
Unix shell
Something to use for GECOS (optional)

It does not matter what those attributes are called in AD as you can set the
clients to work with whatever you have, but they *do* have to be present.
It used to be necessary to load a Microsoft package called SFU (Services For Unix)
to support this, but I think more recent versions of AD already have schema for it
by default.

If you don't have at least that set of attributes with sensible values to work with
then you will have to maintain a parallel or overlay directory service. There are
several ways to do that, so let's start by establishing what you have!

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/   +44 1628 782565 |
---



Re: All entries belong to the top object class?

2015-04-27 Thread Andrew Findlay
On Sat, Apr 25, 2015 at 05:58:43PM +0530, dE wrote:

 Does adding of the top object class (implicitly) make it possible to
 add all attributes in the DIT to the entry? I'm talking about
 attributes which are out of the 'MAY' in the most subordinate object
 class the entry belong to.

If you really want to permit *any* attribute to be added to an entry,
then you can add the ExtensibleObject objectclass. In general this is a *bad* thing
to do. See RFC4512 section 4.3 for the definition.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/   +44 1628 782565 |
---



Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Michael Ströder

Leander Schäfer wrote:

Can you please provide me a link, cause I wasn't able to find
current RE24 on the official website nor on the FTP mirror.


Use git or this link to checkout snapshot of the RE24 branch:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz

Ciao, Michael.





Re: separate loglevels for different databases?

2015-04-27 Thread Howard Chu

Meike Stone wrote:

Hello,

2015-04-17 17:18 GMT+02:00 Meike Stone meike.st...@googlemail.com:

Dear list,


I've configured two different databases (one ldap, one bdb) in openLDAP.
Is it possible, to configure separate loglevels for each database?


maybe at least different logfiles?



No one who can help?


Everything in slapd uses a single syslog facility, so no, there is no 
way to configure separate loglevels or route messages to separate logfiles.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Leander Schäfer
To be frank, I highly doubt it. Those problems have been there since I 
first used OpenLDAP five years ago. Neither do I use sync - so none 
except the collect fixes looks like it would apply in the first place. 
But I'll give it a quick shot. Can you please provide me a link, cause I 
wasn't able to find current RE24 on the official website nor on the 
FTP mirror.


Thanks


Am 27.04.15 um 18:32 schrieb Quanah Gibson-Mount:
--On Monday, April 27, 2015 12:02 PM +0200 Leander Schäfer 
i...@netocean.de wrote:



Hi Michael,
Hi Ulrich,

Thanks for your reply. I'm running Version 2.4.40. As I said, I do not
run binary version. I always compile OpenLDAP from sources / latest 
ports

tree.


Please compile and run current RE24 and see if you can reproduce. 
There are multiple segfault fixes present.


OpenLDAP 2.4.41 Engineering
   Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
   Fixed slapd segfault when using matched values control (ITS#8046)
   Fixed slapo-collect segfault (ITS#7797)
   Fixed slapo-syncprov segfault on disconnect/abandon (ITS#5452,ITS#8012)
   Fixed slapo-syncprov segfault on disconnect/abandon (ITS#8043)


--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration





Re: separate loglevels for different databases?

2015-04-27 Thread Andrew Findlay
On Mon, Apr 27, 2015 at 05:19:54PM +0200, Meike Stone wrote:

  I've configured two different databases (one ldap, one bdb) in openLDAP.
  Is it possible, to configure separate loglevels for each database?
 
  maybe at least different logfiles?

loglevel / olcLogLevel is a global option, so no I'm afraid you cannot do this.

If you really want different logging you will have to put each backend in a
separate server instance and join them together with a third using back-ldap or
back-meta.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/   +44 1628 782565 |
---



Re: OpenLDAP keeps on dying sporadically

2015-04-27 Thread Quanah Gibson-Mount
--On Monday, April 27, 2015 12:02 PM +0200 Leander Schäfer 
i...@netocean.de wrote:



Hi Michael,
Hi Ulrich,

Thanks for your reply. I'm running Version 2.4.40. As I said, I do not
run binary version. I always compile OpenLDAP from sources / latest ports
tree.


Please compile and run current RE24 and see if you can reproduce.  There 
are multiple segfault fixes present.


OpenLDAP 2.4.41 Engineering
   Fixed libldap segfault in ldap_sync_initialize (ITS#8001)
   Fixed slapd segfault when using matched values control (ITS#8046)
   Fixed slapo-collect segfault (ITS#7797)
   Fixed slapo-syncprov segfault on disconnect/abandon (ITS#5452,ITS#8012)
   Fixed slapo-syncprov segfault on disconnect/abandon (ITS#8043)


--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration



Re: Antw: Re: All entries belong to the top object class?

2015-04-27 Thread Quanah Gibson-Mount

--On Tuesday, April 28, 2015 10:58 AM +0530 dE de.tec...@gmail.com wrote:


Yes, so subclasses do not define MAY; it's defined by the MAY of the top
object class.


The top objectClass does not contain *any* MAY attributes.  I wonder if 
you are confused in thinking of top as a generic term.  It is not.  top 
is a very specific objectClass that is explicitly defined as noted 
previously.  It contains a single MUST attribute.


--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration



top object class contains all possible attributes?

2015-04-27 Thread dE

From https://tools.ietf.org/html/rfc4512

   it
   can be said that an object class inherits the sets of *allowed* and
   required attributes from its superclasses

Therefore the top object class contains all possible attributes? OR

A subclass cannot contain any attribute which is not included in its
superclass?


I'm running Apache directory studio, and I don't see that happening.


Re: Ldap challenge

2015-04-27 Thread Ross, Daniel B.
I think you are getting to the root of the problem.
So to give you some of the problems.
ismemberof does not exist, we have to use memberof

nsUniqueId we have to use objectGUID

no uniqueMember again can only use memberof.

while there is a guarantee of person there is not the same for Posixaccount or 
shadowaccount.


While I have been able to get linux with SSSD to work, to some extent, with
this it's rather hit and miss and the Solaris systems just won't work at all.
This is why I was hoping to be able to use the campus for the username and
password, and then provide the rest from a local ldap server.   It doesn't sound
like this is really possible.

saslauthd did not work at all with the MS LDS.
What is a parallel or overlay directory service?

Daniel


From: Andrew Findlay andrew.find...@skills-1st.co.uk
Sent: Monday, April 27, 2015 12:07 PM
To: Ross, Daniel B.
Cc: openldap-technical@openldap.org
Subject: Re: Ldap challenge

On Wed, Apr 22, 2015 at 08:08:11PM +, Ross, Daniel B. wrote:

 What i need to do is continue to use the campus usernames and passwords but
 present the Data in a format that my linux/unix hosts can use.  Is this
 possible?

Probably, but I don't think you have given us enough information so far.

 i.e.  userid would still be samwise but instead of a bizarre OU=
 monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=
 com.

I assume the latter DN should be O=people,dc=example,dc=com

If this is your main problem then it may not need solving on the server side.
There is no fixed rule about the structure of a base DN used for Linux and Unix
LDAP authentication. You should be able to work with any DN structure, provided
that you know where to base your searches and provided you can do one-level or
subtree searches on the AD service to find what you need.

 I looked at referral and aliasing but it does not seem to be doing what I am
 trying to do.  Passthrough authentication looks close but I can't find
 sufficient documentation to actually configure a system to use it.

Does the campus AD service contain everything that Linux/Unix would need?
e.g. does it have:

Username (almost certain - called samAccountName in AD)
Unix numeric UID
Unix numeric GID
Unix homedir
Unix shell
Something to use for GECOS (optional)

It does not matter what those attributes are called in AD as you can set the
clients to work with whatever you have, but they *do* have to be present.
It used to be necessary to load a Microsoft package called SFU (Services For Unix)
to support this, but I think more recent versions of AD already have schema for it
by default.

If you don't have at least that set of attributes with sensible values to work with
then you will have to maintain a parallel or overlay directory service. There are
several ways to do that, so let's start by establishing what you have!

Andrew
--
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/   +44 1628 782565 |
---



Re: All entries belong to the top object class?

2015-04-27 Thread Quanah Gibson-Mount

--On Tuesday, April 28, 2015 10:56 AM +0530 dE de.tec...@gmail.com wrote:


objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
MUST objectClass )

What attributes of 'TOP' are you talking about?  ;-)

objectClass, clearly.


No. Everything else.


You are clearly confused.  There *is* no everything else for the top 
objectclass.  It defines one and only one attribute that MUST be present.


--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration



Re: top object class contains all possible attributes?

2015-04-27 Thread Dario Zanzico
On Tue, Apr 28, 2015, at 07:21 AM, dE wrote:
  From https://tools.ietf.org/html/rfc4512
 
 it
 can be said that an object class inherits the sets of *allowed*
 and
 required attributes from its superclasses
 
 Therefore the top object class contains all possible attributes? OR

no

 A subclass cannot contain any attribute which is not included in its 
 superclass?

no

A subclass contains definitions for
all the MAY attributes that the superclass contains as MAY attributes, and
all the MUST attributes that the superclass contains as MUST attributes.

therefore, an entry including our inheriting subclass:
MUST contain all the MUST attributes included in the superclass(es)
MUST contain all the MUST attributes included in our subclass
MAY contain all the MAY attributes included in the superclass(es)
MAY contain all the MAY attributes included in our subclass

as an example:

given this objectClasses 'tree':
objectClasses: ( 0.0.0.0 NAME 'myparent' MUST cn MAY uid )
objectClasses: ( 0.0.0.1 NAME 'mysub' SUP myparent MUST mail MAY mobile )

an entry containing the sub objectClass mysub
MUST contain: cn (inherited from myparent), mail
MAY contain: uid (inherited from myparent), mobile

hope this helps

bye,
dario
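
As an added example (not from this thread and not OpenLDAP code), the inheritance rule Dario states above and Michael Ströder's A/B example earlier in this digest, worked through in Python: a minimal parser for RFC 4512 objectclass definitions, the implicit superclass closure, the effective MUST/MAY sets an entry is subject to (showing that 'top' contributes only MUST objectClass), and an entry check that also honours extensibleObject as Andrew Findlay mentioned. The 0.0.0.x OIDs and the sample entries are constructed; 'top' and 'extensibleObject' are the RFC 4512 definitions.

```python
import re

# Constructed schema in RFC 4512 objectclass syntax: the real 'top' and
# 'extensibleObject' plus the thread's A/B and myparent/mysub classes.
SCHEMA = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' SUP top AUXILIARY )
( 0.0.0.2 NAME 'A' SUP top MAY ( cn $ abc $ xyz $ cxy ) )
( 0.0.0.3 NAME 'B' SUP A MAY ( cn $ cxy ) )
( 0.0.0.0 NAME 'myparent' SUP top MUST cn MAY uid )
( 0.0.0.1 NAME 'mysub' SUP myparent MUST mail MAY mobile )
"""
# Minimal parser: NAME, optional SUP, kind, MUST and MAY (no DESC etc.).
_DEF = re.compile(
    r"\(\s*\S+\s+NAME\s+'(?P<name>[^']+)'"
    r"(?:\s+SUP\s+(?P<sup>\([^)]*\)|\S+))?"
    r"(?:\s+(?:ABSTRACT|STRUCTURAL|AUXILIARY))?"
    r"(?:\s+MUST\s+(?P<must>\([^)]*\)|\S+))?"
    r"(?:\s+MAY\s+(?P<may>\([^)]*\)|\S+))?"
    r"\s*\)")

def _oidlist(text):
    # 'cn' or '( cn $ abc )' -> ['cn', 'abc']; an absent group -> []
    return text.strip("() ").replace("$", " ").split() if text else []

def parse_schema(text):
    # name -> {"sup": [...], "must": {...}, "may": {...}}
    classes = {}
    for line in text.strip().splitlines():
        m = _DEF.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsable objectclass: {line}")
        classes[m["name"]] = {"sup": _oidlist(m["sup"]),
                              "must": set(_oidlist(m["must"])),
                              "may": set(_oidlist(m["may"]))}
    return classes

def superclass_closure(classes, names):
    # The named classes plus every superclass, transitively: what RFC 4512
    # section 3.3 says is implicitly added to an entry.
    result, todo = set(), list(names)
    while todo:
        n = todo.pop()
        if n not in result:
            result.add(n)
            todo.extend(classes[n]["sup"])  # KeyError for an unknown class
    return result

def effective_attributes(classes, names):
    # (MUST, MAY) for an entry carrying these objectClass values; inheritance
    # flows down the chain, and 'top' contributes only MUST objectClass.
    closure = superclass_closure(classes, names)
    must = set().union(*(classes[n]["must"] for n in closure))
    may = set().union(*(classes[n]["may"] for n in closure))
    return must, may - must

def check_entry(classes, entry):
    # Violations for an entry given as {attribute: [values]}: missing MUST
    # attributes, and attributes no objectClass allows unless extensibleObject
    # is present (RFC 4512 section 4.3). Names compared case-sensitively here.
    if "objectClass" not in entry:
        return ["missing MUST attribute objectClass"]
    present = superclass_closure(classes, entry["objectClass"])
    must, may = effective_attributes(classes, present)
    problems = [f"missing MUST attribute {a}" for a in sorted(must - set(entry))]
    if "extensibleObject" not in present:
        problems += [f"attribute {a} allowed by no objectClass"
                     for a in sorted(set(entry) - must - may)]
    return problems
```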



Re: Ldap challenge

2015-04-27 Thread Andrew Findlay
On Mon, Apr 27, 2015 at 06:27:39PM +, Ross, Daniel B. wrote:

 ismemberof  does not exist  we have to use memberof

Memberof is fairly common. I don't think I have ever found a system
that used 'ismemberof'.

Note that maintaining memberof takes some work so it
is not enabled on all LDAP servers by default.

 nsUniqueId we have to use objectGUID

What do you use nsUniqueId for? Probably not a problem anyway as you
may be able to use other similar attributes as you mention above.

 no uniqueMember again can only use memberof.

uniqueMember and memberOf have completely different use-cases:
uniqueMember is used just like 'member' in most cases, to indicate
which entries are members of the group that it appears in.
memberOf indicates which groups the entry that it appears in is a
member of (i.e. it is the inverse mapping).

 while there is a guarantee of person there is not the same for Posixaccount 
 or shadowaccount.

Ah - if you lack those attributes then AD is certainly not going to do
the job on its own.

 While I have been able to get linux with SSSD to work, to some extent, with 
 this it's rather hit and miss and the Solaris systems just won't work at all.  
 This is why I was hoping to be able to use the campus for the username and 
 password, and then provide the rest from a local ldap server.   It doesn't 
 sound like this is really possible.

Yes - it should be possible but it will take a bit more work.

 saslauthd did not work at all with the MS LDS.

Did you try following the instructions here?:


http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Note that you will need the DN and password of an existing AD user
to allow saslauthd to do LDAP searches on AD. You can try the
ldapsearch commands from section 14.5.3 without any other setup to
test that you have a good user account.

In principle it may be better to do Kerberos authentication against AD
rather than LDAP, but I didn't have a Kerberos server handy when I
wrote that bit.

 What is a parallel or overlay directory service?

Parallel would be where you replicate some subset of data from AD into
a local LDAP server, which then operates as a self-contained system.
You could have the replication process create or look up Unix-specific
attributes like UID and GID for new accounts.

Overlay would be where you use what you can get from AD, and put a
translucent overlay on top containing Unix-specific data that you
administer locally.

In either case you need to decide how to handle password checking and
account locking.

All of my customers so far have chosen the parallel approach, as that
allows the Unix LDAP to continue working if it loses access to AD.
Ideally this includes installing a module on the AD Domain Controllers
that detects password changes and forwards them immediately to the Unix
LDAP. I have generally used Microsoft's SFU password-capture module for
this as AD admins seem happier to install Microsoft code than things from
other sources. It does have its problems though, and the code quality
of the Unix end that they provide leaves a lot to be desired. I believe
newer AD versions come with an updated version of this built in, but I
have not tested it.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/   +44 1628 782565 |
---