johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Thu Sep 28, 2006 3:17 pm. Post subject: Open LDAP configuration error....
I'm following this LDAP howto, but when I get to "Import the LDIF files into the database" I get the following error...
Code: |
localhost migrationtools # ldapadd -x -D "cn=Manager,dc=example,dc=com" \
> -W -f /etc/openldap/example.com.ldif
Enter LDAP Password:
ldapadd: attributeDescription "dn": (possible missing newline after line 6 of entry "dc=example,dc=com"?)
adding new entry "dc=example,dc=com"
ldap_add: Type or value exists (20)
additional info: objectClass: value #1 provided more than once
|
Here is my example.com.ldif file:
Code: |
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
|
Anybody know where I did something wrong?
Thanks |

vad3r (Guru, joined 02 May 2004, 461 posts, Munich, Germany)
Posted: Thu Sep 28, 2006 3:46 pm
I think your ldif should look like this:
Code: | dn: dc=example,dc=com
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organization
o: rootobject
dc: example

dn: ou=People, dc=example,dc=com
description: All people in organisation
objectClass: organizationalUnit
ou: People |
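The error in the first post is the one ldapadd hints at with "possible missing newline": LDIF separates entries with a blank line, and the posted file runs the two entries together, so the second dn: is read as an attribute of the first entry and the second objectClass: organizationalUnit becomes a duplicate value, which slapd rejects with "Type or value exists (20)". The following is an added example, not code from the thread or from OpenLDAP: a stdlib-only Python checker that splits an LDIF file the way the LDIF rules do and reports a second dn: inside an entry, an attribute value given twice, and an objectClass whose required attributes are missing. The schema table is a hand-written subset covering only the classes used in this thread, and the two embedded LDIF strings are constructed copies of the posted file and of a corrected version.

```python
"""Static checks for an LDIF file before feeding it to ldapadd (added example)."""
from collections import defaultdict

# Hand-written subset of the OpenLDAP core schema: objectClass -> attributes it
# requires (MUST). Assumption: only the classes that appear in this thread.
MUST = {
    "top": set(),
    "dcObject": {"dc"},
    "organization": {"o"},
    "organizationalUnit": {"ou"},
    "country": {"c"},
}


def parse_ldif(text):
    """Split LDIF text into entries the way RFC 2849 does: entries are separated
    by blank lines, '#' starts a comment, a leading space continues the previous
    attribute value, and an initial 'version:' line is ignored."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#") or (raw.lower().startswith("version:") and not current):
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]  # folded continuation line
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def check_entry(lines):
    """Return the problems found in one entry; an empty list means it is clean."""
    problems = []
    if not lines[0].lower().startswith("dn:"):
        problems.append("entry does not start with 'dn:'")
    attrs = defaultdict(list)
    for n, line in enumerate(lines[1:], start=2):
        name, sep, value = line.partition(":")
        if not sep:
            problems.append(f"line {n}: not of the form 'attribute: value'")
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            # A new entry began without a blank line before it: this is the case
            # behind ldapadd's "possible missing newline" hint.
            problems.append(f"line {n}: second 'dn:' inside the entry (missing blank line before it)")
            continue
        if value in attrs[name]:
            # slapd rejects this with "Type or value exists (20)".
            problems.append(f"line {n}: {name}: value {value!r} provided more than once")
        attrs[name].append(value)
    for oc in attrs.get("objectclass", []):
        for required in MUST.get(oc, set()):
            if required not in attrs:
                problems.append(f"objectClass {oc} requires attribute '{required}'")
    return problems


def check_ldif(text):
    """Map the dn: line of every entry to its list of problems."""
    return {entry[0]: check_entry(entry) for entry in parse_ldif(text)}


# Constructed copy of the file from the first post: the two entries run together.
BROKEN = """dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
"""

# Same data with the blank separator and the dcObject + organization pairing
# that the replies in the thread use (constructed).
FIXED = """dn: dc=example,dc=com
dc: example
o: example.com
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organization

dn: ou=People,dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
"""

if __name__ == "__main__":
    for label, text in (("as posted", BROKEN), ("fixed", FIXED)):
        for dn, problems in check_ldif(text).items():
            print(f"{label}: {dn}: {problems or 'ok'}")
```

Run it against the posted file and it reports the second dn: on line 7 and the duplicated organizationalUnit on line 10; the corrected file comes back clean for both entries. ldapadd itself would only show the first of these, so a pass like this over a migration-tools export saves a round trip per entry.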

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Thu Sep 28, 2006 4:24 pm
Thanks for the reply, but it didn't work out...
Code: |
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
|

vad3r (Guru, joined 02 May 2004, 461 posts, Munich, Germany)
Posted: Thu Sep 28, 2006 4:29 pm
Have you realized that I made changes to your LDIF apart from sorting it differently? Please try using exactly the LDIF I posted here. |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Thu Sep 28, 2006 4:38 pm
Sorry, but I thought you had forgotten something in your LDIF file: the cn and the ou fields, instead of n: and o:.
I did that, but...:
Code: |
localhost migrationtools # ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/example.com.ldif
Enter LDAP Password:
adding new entry "ou=People, dc=example,dc=com"
ldap_add: No such object (32)
|
My LDIF file is like you said:
Code: |
n: dc=example,dc=com
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organization
o: rootobject
dc: example
dn: ou=People, dc=example,dc=com
description: All people in organisation
objectClass: organizationalUnit
ou: People
|

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Thu Sep 28, 2006 5:57 pm
Sorry, but I think I already did s***....
/etc/openldap/example.com.ldif
Code: |
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
dn: ou=People, dc=example,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
|
Here is my /etc/openldap/slapd.conf:
Code: |
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}PvJXWnFJdA2MxnOLtJOLsRqxA+orrmYQ
directory /var/lib/openldap-data/example.com
|
And now when I try ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /etc/openldap/example.com.ldif I get the error:
Code: |
Enter LDAP Password:
ldapadd: attributeDescription "dn": (possible missing newline after line 6 of entry "dc=example,dc=com"?)
adding new entry "dc=example,dc=com"
ldap_add: Type or value exists (20)
additional info: objectClass: value #1 provided more than once
|
What am I doing wrong? Where did I put something wrong?
Thanks |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Tue Oct 03, 2006 9:03 am
Can anyone give me some help on this? |

marens (Apprentice, joined 05 Aug 2004, 173 posts)
Posted: Fri Oct 06, 2006 1:31 pm. Post subject: Just some ideas
1. Set
and add
Code: |
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
|
(don't really know if the additional schemata are needed ... just try it)
in your /etc/openldap/slapd.conf and restart your LDAP server.
2. View the output of (as user root)
Code: |
slapcat
|
and clean out the DB of the LDAP if anything is already stored in it.
3. View the output of
Code: |
tail -f /var/log/messages
|
when you try to import the LDIF data, so you get more details of what is happening.
Use this LDIF data, like vad3r already said!
Code: |
dn: dc=example,dc=com
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organization
o: rootobject
dc: example

dn: ou=People, dc=example,dc=com
description: All people in organisation
objectClass: organizationalUnit
ou: People
|
4. net-nds/phpldapadmin can be a help, too _________________ If English was good enough for Jesus, then it's good enough for you! |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Mon Oct 09, 2006 1:49 pm
Quote: |
2. View the output of (as user root)
slapcat
and clean out the DB of the LDAP if anything is already stored in it
| How can I clean the DB? When I try slapcat it gives a lot of things; I think it's the DB data |

vad3r (Guru, joined 02 May 2004, 461 posts, Munich, Germany)
Posted: Mon Oct 09, 2006 3:31 pm
Throw away the contents of your LDAP data directory. After that the DB will be clear. |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Mon Oct 09, 2006 3:34 pm
I don't know if you have already seen the OpenLDAP gentoo-wiki howto. I already unmerged everything that I had from OpenLDAP and I'm trying to restart with a new server configuration, but I don't know if that howto is worth it. Can you tell me if it's a good howto, since you have more experience in LDAP?
Thanks, Regards |

vad3r (Guru, joined 02 May 2004, 461 posts, Munich, Germany)
Posted: Mon Oct 09, 2006 3:43 pm
All I can say to you is the following:
- Emerge openldap
- Keep everything as it is and start with a small setup
- Create an LDIF with just the root object and maybe a small o or ou
Here's my root object from my LDAP. Please test it out:
Code: | dn: dc=mycomp,dc=com
# dc must be in the entry: dcObject requires it and the RDN attribute has to be present
dc: mycomp
o: My Company
objectClass: dcObject
objectClass: organization

dn: c=de,dc=mycomp,dc=com
c: de
description: Germany
objectClass: country

dn: c=ch,dc=mycomp,dc=com
c: ch
objectClass: country |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Mon Oct 09, 2006 4:11 pm
OK, but I'm going very slowly, step by step.
I've noticed that using TLS I need to have 2 certs, one for the CA and one certificate signed by the CA. The howto that I'm following uses a self-signed certificate, and I wanted a certificate signed by the CA. I know how to create the CA and sign a cert with that CA, but if I change the TLS directories in slapd.conf, when I try to restart the LDAP server it gives me an error, and I don't understand why. So does it only allow self-signed certs? Or can I do it like I want to?
Thanks, Regards |

vad3r (Guru, joined 02 May 2004, 461 posts, Munich, Germany)
Posted: Mon Oct 09, 2006 4:21 pm
You will need 3 things to use TLS:
1. The CA Certificate (or the Chain if you use more than one CA)
2. The Certificate for the Server
3. The Key for the Server
Please post your slapd.conf and a "ls" inside your certificate directory. |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Mon Oct 09, 2006 4:28 pm
My slapd.conf:
Code: |
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Use sha1 to hash the passwords
password-hash {md5}
# Define SSL and TLS properties (optional)
#TLSCertificateFile /etc/ssl/ldap.pem
#TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
#TLSCACertificateFile /etc/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
TLSCertificateFile /etc/openldap/ssl/newcert.pem
TLSCertificateKeyFile /etc/ssl/privkey.pem
loglevel 255
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database ldbm
suffix "dc=mydomain,dc=org"
directory /var/lib/openldap-data/
index objectClass eq
rootdn "cn=root,dc=mydomain,dc=org"
rootpw {MD5}0PWbqtrdM0nkqbJnS8zq6A==
|
My ls -l of the dirs where the certs are.
CA dir:
Code: |
localhost johnny # ls -l /etc/ssl/demoCA/
total 52
-rw-r--r-- 1 root root 3181 Oct 3 18:15 cacert.pem
-rw-r--r-- 1 root root 704 Oct 3 18:15 careq.pem
drwxr-xr-x 2 root root 4096 Oct 3 18:13 certs
drwxr-xr-x 2 root root 4096 Oct 3 18:13 crl
-rw-r--r-- 1 root root 3 Oct 3 18:13 crlnumber
-rw-r--r-- 1 root root 185 Oct 3 18:17 index.txt
-rw-r--r-- 1 root root 20 Oct 3 18:17 index.txt.attr
-rw-r--r-- 1 root root 21 Oct 3 18:15 index.txt.attr.old
-rw-r--r-- 1 root root 88 Oct 3 18:15 index.txt.old
drwxr-xr-x 2 root root 4096 Oct 3 18:17 newcerts
drwxr-xr-x 2 root root 4096 Oct 3 18:13 private
-rw-r--r-- 1 root root 17 Oct 3 18:17 serial
-rw-r--r-- 1 root root 17 Oct 3 18:15 serial.old
|
/etc/openldap/ssl
Code: |
localhost johnny # ls -l /etc/openldap/ssl/
total 12
-rwxr-xr-x 1 root root 3505 Oct 9 17:22 gencert.sh
-rw-r----- 1 ldap ldap 887 Oct 3 18:47 ldap.pem
-rw-r----- 1 ldap ldap 887 Oct 3 19:05 privkey.pem
|
/etc/ssl/
Code: |
localhost johnny # ls -l /etc/ssl/
total 88
lrwxrwxrwx 1 root root 10 Oct 3 18:59 86887720.0 -> cacert.pem
-rwxr-xr-x 1 root root 3583 Sep 5 17:53 CA.sh
-rw-r--r-- 1 root root 3181 Oct 3 18:19 cacert.pem
drwxr-xr-x 2 root root 8192 Sep 19 17:27 certs
lrwxrwxrwx 1 root root 13 Sep 5 18:01 client.pem -> localhost.pem
drwxr-xr-x 6 root root 4096 Oct 3 18:17 demoCA
-rw-r--r-- 1 root root 245 Sep 5 18:02 dh1024.pem
-rw-r--r-- 1 root root 1127 Oct 3 18:47 ldap.pem
-rw-r--r-- 1 root root 4968 Sep 5 18:01 localhost.pem
drwxr-xr-x 2 root root 4096 Sep 11 18:29 misc
drwxr-xr-x 3 root root 4096 Sep 5 18:00 newca
-rw-r--r-- 1 ldap ldap 3095 Oct 3 18:17 newcert.pem
-rw-r--r-- 1 root root 704 Oct 3 18:17 newreq.pem
-rw-r--r-- 1 root root 9374 Sep 25 13:28 openssl.cnf
-rw-r--r-- 1 root root 9374 Sep 11 18:33 openssl.cnf~
drwx------ 2 root root 4096 Sep 11 18:28 private
-rw-r--r-- 1 ldap ldap 887 Oct 3 18:17 privkey.pem
-rw-r--r-- 1 root root 1090 Sep 5 17:54 root.pem
lrwxrwxrwx 1 root root 13 Sep 5 18:01 server.pem -> localhost.pem
|
Hope it helps, thanks.
Regards |

vad3r (Guru, joined 02 May 2004, 461 posts, Munich, Germany)
Posted: Mon Oct 09, 2006 4:45 pm
Could you please post the error you get:
- messages
- Return from start
- lines in slapd.log |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Mon Oct 09, 2006 4:54 pm
I only have the messages log; I don't know why I don't have a slapd.log. Hope it helps. I already tried to get something from this, but...
Code: |
Oct 9 18:51:31 localhost slapd[7729]: @(#) $OpenLDAP: slapd 2.3.24 (Oct 9 2006 17:19:58) $ johnny@localhost:/var/tmp/portage/openldap-2.3.24-r1/work/openldap-2.3.24/servers/slapd
Oct 9 18:51:31 localhost slapd[7729]: line 32 (pidfile /var/run/openldap/slapd.pid)
Oct 9 18:51:31 localhost slapd[7729]: line 33 (argsfile /var/run/openldap/slapd.args)
Oct 9 18:51:31 localhost slapd[7729]: line 83 (database ldbm)
Oct 9 18:51:31 localhost slapd[7729]: line 84 (suffix "dc=mydomain,dc=org")
Oct 9 18:51:31 localhost slapd[7729]: >>> dnPrettyNormal: <dc=mydomain,dc=org>
Oct 9 18:51:31 localhost slapd[7729]: <<< dnPrettyNormal: <dc=mydomain,dc=org>, <dc=mydomain,dc=org>
Oct 9 18:51:31 localhost slapd[7729]: line 85 (directory /var/lib/openldap-data/)
Oct 9 18:51:31 localhost slapd[7729]: line 86 (index objectClass eq)
Oct 9 18:51:31 localhost slapd[7729]: index objectClass 0x0004
Oct 9 18:51:31 localhost slapd[7729]: line 87 (rootdn "cn=root,dc=mydomain,dc=org")
Oct 9 18:51:31 localhost slapd[7729]: >>> dnPrettyNormal: <cn=root,dc=mydomain,dc=org>
Oct 9 18:51:31 localhost slapd[7729]: <<< dnPrettyNormal: <cn=root,dc=mydomain,dc=org>, <cn=root,dc=mydomain,dc=org>
Oct 9 18:51:31 localhost slapd[7729]: line 88 (rootpw ***)
Oct 9 18:51:31 localhost slapd[7729]: >>> dnNormalize: <cn=Subschema>
Oct 9 18:51:31 localhost slapd[7729]: <<< dnNormalize: <cn=subschema>
Oct 9 18:51:31 localhost slapd[7729]: matching_rule_use_init
Oct 9 18:51:31 localhost slapd[7729]: 1.2.840.113556.1.4.804 (integerBitOrMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
Oct 9 18:51:31 localhost slapd[7729]: 1.2.840.113556.1.4.803 (integerBitAndMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
Oct 9 18:51:31 localhost slapd[7729]: 1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) )
Oct 9 18:51:31 localhost slapd[7729]: 1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox $ gecos $ homeDirectory $ loginShell $ memberUid $ memberNisNetgroup $ ipHostNumber $ ipNetworkNumber $ ipNetmaskNumber $ macAddress $ bootFile $ nisMapEntry ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.35 (certificateMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.35 NAME 'certificateMatch' APPLIES ( userCertificate $ cACertificate ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.34 (certificateExactMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.30 (objectIdentifierFirstComponentMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.29 (integerFirstComponentMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.27 (generalizedTimeMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.24 (protocolInformationMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.23 (uniqueMemberMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.22 (presentationAddressMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.20 (telephoneNumberMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.17 (octetStringMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ queryid ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.16 (bitStringMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.14 (integerMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbIDLcacheSize $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbProtocolVersion $ olcProxyCacheQueries $ olcSpSessionlog $ mailPreferenceOption $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ ipServicePort $ ipProtocolNumber $ oncRpcNumber ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.13 (booleanMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcGentleHUP $ olcLastMod $ olcReadOnly $ olcReverseLookup $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ olcCacheURI $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbProxyWhoAmI $ olcSpNoPresent $ olcSpReloadHint ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.11 (caseIgnoreListMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.8 (numericStringMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.7 (caseExactSubstringsMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.6 (caseExactOrderingMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.5 (caseExactMatch):
Oct 9 18:51:31 localhost syslog-ng[3817]: Message length overflow, line is split, log_msg_size=2048
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcProxyCache $ olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ olcSpCheckpoint $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ 
uniqueIdentifier $ organizationalStatus $ buildingName $
Oct 9 18:51:31 localhost documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.4 (caseIgnoreSubstringsMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.3 (caseIgnoreOrderingMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.2 (caseIgnoreMatch):
Oct 9 18:51:31 localhost syslog-ng[3817]: Message length overflow, line is split, log_msg_size=2048
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSrvtab $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbConfig $ olcDbIndex $ olcDbLockDetect $ olcDbURI $ olcDbStartTLS $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbTFSupport $ olcDbTimeout $ olcDbIdleTimeout $ olcDbConnTtl $ olcDbNetworkTimeout $ olcProxyCache $ olcProxyAttrset $ olcProxyTemplate $ olcProxyResponseCB $ olcSpCheckpoint $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ 
uniqueIdentifier $ organizationalStatus $ buildingName
Oct 9 18:51:31 localhost $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage $ ipServiceProtocol $ nisMapName ) )
Oct 9 18:51:31 localhost slapd[7729]: 1.2.36.79672281.1.13.3 (rdnMatch):
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.1 (distinguishedNameMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ namingContexts $ aliasedObjectName $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcDbACLAuthcDn $ olcDbIDAssertAuthcDn $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
Oct 9 18:51:31 localhost slapd[7729]: 2.5.13.0 (objectIdentifierMatch):
Oct 9 18:51:31 localhost slapd[7729]: matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
Oct 9 18:51:31 localhost slapd[7729]: main: TLS init def ctx failed: -1
Oct 9 18:51:31 localhost slapd[7729]: slapd destroy: freeing system resources.
Oct 9 18:51:31 localhost slapd[7729]: slapd stopped.
|
Is there any way to configure OpenLDAP to have its own log file?
Thanks |

marens (Apprentice, joined 05 Aug 2004, 173 posts)
Posted: Mon Oct 09, 2006 5:12 pm
From your slapd.conf
Code: |
TLSCertificateFile /etc/openldap/ssl/newcert.pem
|
but it's missing from your /etc/openldap/ssl folder,
according to
Quote: |
localhost johnny # ls -l /etc/openldap/ssl/
total 12
-rwxr-xr-x 1 root root 3505 Oct 9 17:22 gencert.sh
-rw-r----- 1 ldap ldap 887 Oct 3 18:47 ldap.pem
-rw-r----- 1 ldap ldap 887 Oct 3 19:05 privkey.pem
|
That causes the error
Quote: |
Oct 9 18:51:31 localhost slapd[7729]: main: TLS init def ctx failed: -1
|
_________________ If English was good enough for Jesus, then it's good enough for you! |
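slapd only logs the return code of the TLS setup, so "TLS init def ctx failed: -1" has to be traced back by hand to the three files vad3r listed (CA certificate, server certificate, server key). Here the directive pointed at /etc/openldap/ssl/newcert.pem while the signed certificate was in /etc/ssl/newcert.pem, and the listing also shows /etc/ssl/privkey.pem as mode 644, i.e. a private key readable by every local user, although only the account slapd runs as needs it. The script below is an added example, not from the thread or from OpenLDAP: a stdlib-only Python check that reads the TLS* directives out of a slapd.conf, verifies that each file exists and carries the PEM label the directive expects (a CERTIFICATE block for the two certificate files, a PRIVATE KEY block for the key, so a CSR such as newreq.pem is caught), and flags a world-readable key. It runs against a constructed temporary directory that mirrors the thread's layout with dummy PEM bodies; the paths and file contents are assumptions for the demo.

```python
"""Check the TLS file directives of a slapd.conf before restarting slapd (added example)."""
import os
import re
import stat
import tempfile

# Directive -> PEM label expected in the file it points to.
TLS_DIRECTIVES = {
    "TLSCACertificateFile": "CERTIFICATE",
    "TLSCertificateFile": "CERTIFICATE",
    "TLSCertificateKeyFile": "PRIVATE KEY",
}


def read_tls_directives(conf_text):
    """Return {directive: path} for the uncommented TLS* lines of a slapd.conf."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in TLS_DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def check_tls_files(conf_text):
    """Return a list of problem strings; an empty list means slapd has what it needs."""
    problems = []
    directives = read_tls_directives(conf_text)
    for directive, label in TLS_DIRECTIVES.items():
        path = directives.get(directive)
        if path is None:
            problems.append(f"{directive} is not set")
            continue
        if not os.path.isfile(path):
            problems.append(f"{directive}: {path} does not exist")
            continue
        try:
            with open(path, "r", encoding="ascii", errors="replace") as fh:
                content = fh.read()
        except OSError as exc:
            problems.append(f"{directive}: {path} is not readable ({exc.strerror})")
            continue
        # Accepts "BEGIN CERTIFICATE", "BEGIN RSA PRIVATE KEY", "BEGIN PRIVATE KEY", ...
        if not re.search(rf"-----BEGIN [A-Z ]*{label}-----", content):
            problems.append(f"{directive}: {path} does not contain a '{label}' PEM block")
        if directive == "TLSCertificateKeyFile":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IROTH:
                problems.append(f"{directive}: {path} is world-readable (mode {mode:o})")
    return problems


def build_fixture(root):
    """Recreate the layout from the thread under a temp dir (constructed dummy files):
    the signed cert is in ssl/newcert.pem, but slapd.conf points at openldap/ssl/."""
    os.makedirs(os.path.join(root, "ssl", "demoCA"))
    os.makedirs(os.path.join(root, "openldap", "ssl"))

    def write(rel, body, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)

    # Only the PEM labels matter for this check; the bodies are placeholders.
    write("ssl/demoCA/cacert.pem", "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n", 0o644)
    write("ssl/newcert.pem", "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n", 0o644)
    write("ssl/privkey.pem", "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n", 0o644)
    broken = f"""include {root}/openldap/schema/core.schema
TLSCACertificateFile {root}/ssl/demoCA/cacert.pem
TLSCertificateFile {root}/openldap/ssl/newcert.pem
TLSCertificateKeyFile {root}/ssl/privkey.pem
"""
    fixed = f"""TLSCACertificateFile {root}/ssl/demoCA/cacert.pem
TLSCertificateFile {root}/ssl/newcert.pem
TLSCertificateKeyFile {root}/ssl/privkey.pem
"""
    return broken, fixed


def demo():
    """Run the check on the constructed layout; returns (problems as posted, problems after fixing)."""
    with tempfile.TemporaryDirectory() as root:
        broken, fixed = build_fixture(root)
        broken_problems = check_tls_files(broken)
        os.chmod(os.path.join(root, "ssl", "privkey.pem"), 0o640)  # owner ldap, group ldap
        fixed_problems = check_tls_files(fixed)
    return broken_problems, fixed_problems


if __name__ == "__main__":
    for label, probs in zip(("as posted", "after fixing"), demo()):
        print(f"{label}: {probs or 'no problems'}")
```

On the posted layout the check reports the missing TLSCertificateFile and the world-readable key; after pointing the directive at the real certificate and tightening the key to mode 640 it reports nothing. What this cannot tell you is whether the certificate and the key belong together: compare the output of `openssl x509 -noout -modulus -in newcert.pem` with `openssl rsa -noout -modulus -in privkey.pem` for that, and once slapd starts, `ldapsearch -x -ZZ -H ldap://localhost -b '' -s base` (with TLS_CACERT in ldap.conf pointing at cacert.pem) answers the later question of whether the certificates are actually accepted, since `-ZZ` makes the search fail unless STARTTLS succeeds.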

marens (Apprentice, joined 05 Aug 2004, 173 posts)
Posted: Mon Oct 09, 2006 5:27 pm
I think it's much more convenient to store cacert, clientcert and clientkey in one place
Code: |
[19:26:10] marenz /etc/openldap/ssl $ ll
total 20
-rw-r--r-- 1 ldap ldap 1212 2005-12-19 01:34 cacert.pem
-rwxr-xr-x 1 root root 3505 2006-10-06 00:42 gencert.sh
-rw-r----- 1 root ldap 1709 2006-05-24 14:12 ldap.pem
-rw-r--r-- 1 ldap ldap 3559 2005-12-19 01:31 servercrt.pem
-rw-r--r-- 1 ldap ldap 1591 2005-12-19 01:29 serverkey.pem
[19:26:25] marenz /etc/openldap/ssl $
|
_________________ If English was good enough for Jesus, then it's good enough for you! |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Mon Oct 09, 2006 5:42 pm
OK, the certs phase was passed. I think it looks fine, at least it doesn't give me any error. How can I test if the certs are OK?
Another thing is that the howto that I'm following says to check my config,
Code: |
Code: check config
slaptest
| and this is the result,
Code: |
WARNING: No dynamic config support for database ldbm.
config file testing succeeded
| I think it's all right, but when I try
ldapsearch -x -D "cn=root,dc=mydomain,dc=org" -W it shows me no results, and it says in the howto page that he has 77 entries!?!? I think it's because my DB is empty, but I don't know how to import to the DB...
Thanks
Regards |

marens (Apprentice, joined 05 Aug 2004, 173 posts)
Posted: Mon Oct 09, 2006 6:22 pm
johnny_martins00 wrote: | OK, the certs phase was passed. I think it looks fine, at least it doesn't give me any error. How can I test if the certs are OK?
|
Why do I paste useful links regarding exactly this point if you don't follow/read them at all?
Again: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
Quote: |
Another thing is that the howto that I'm following says to check my config,
Code: |
Code: check config
slaptest
| and this is the result,
Code: |
WARNING: No dynamic config support for database ldbm.
config file testing succeeded
|
|
And Mr. www.google.com told me: "It's harmless, as long as you do not intend to modify the configuration of slapd at run time."
Perhaps you should consider using a Berkeley DB as backend (bdb instead of ldbm) anyway.
Quote: |
I think it's all right, but when I try
ldapsearch -x -D "cn=root,dc=mydomain,dc=org" -W it shows me no results, and it says in the howto page that he has 77 entries!?!? I think it's because my DB is empty,
but I don't know how to import to the DB...
|
Have a look at man ldapsearch ... or use slapcat for the first steps; that's way easier.
If you don't know how to import something into the DB, the DB must still be empty. slapcat (as root) would show the content of the LDAP server / underlying DB.
We told you several times how to build a minimal LDAP server with the command line ...
But again: have a look at http://www.openldap.org/doc/admin23/quickstart.html
And there are many graphical tools that make it even easier for you:
Code: |
* net-nds/directoryadministrator
Available versions: 1.4 1.5.1 1.7.1
Installed: none
Homepage: http://diradmin.open-it.org
Description: GUI to manage users and groups in a LDAP directory
* net-nds/jxplorer
Available versions: 3.1_rc4 3.1
Installed: none
Homepage: http://jxplorer.org/
Description: A fully functional ldap browser written in java.
* net-nds/ldapvi
Available versions: 1.5
Installed: none
Homepage: http://www.lichteblau.com/src.html
Description: Manage LDAP entries with a text editor
* net-nds/led
Available versions: ~1.79.4
Installed: none
Homepage: http://led.sourceforge.net/
Description: led is a general purpose LDAP editor
* net-nds/luma
Available versions: 2.1.3 ~2.2.1 ~2.3
Installed: none
Homepage: http://luma.sourceforge.net/
Description: Luma is a graphical utility for accessing and managing data stored on LDAP servers.
* net-nds/phpldapadmin
Available versions: 0.9.8.2:0.9.8.2 0.9.8.3:0.9.8.3 1.0.1:1.0.1
Installed: 1.0.1
Homepage: http://phpldapadmin.sourceforge.net
Description: phpLDAPadmin is a web-based tool for managing all aspects of your LDAP server.
|
_________________ If English was good enough for Jesus, then it's good enough for you! |

johnny_martins00 (Apprentice, joined 01 Jun 2006, 293 posts)
Posted: Mon Oct 09, 2006 9:05 pm
Sorry man, but I'm no expert in Linux, and English is not the best language that I speak. I think I already migrated to the DB; I followed the official Gentoo OpenLDAP howto. It worked, no errors were found, but can you tell me what the best software to use is? The ones that you mentioned?
Thanks |