Access Control Lists (ACLs) This article covers the basic and most commonly used features of ACLs. ACLs (Access Control Lists) control access to entries and attributes in an LDAP database. ACLs are settings stored in the slapd configuration file (slapd.conf) or configuration database (cn=config). ACLs can be defined globally when configured in the fro
Date: 11-04-2022 slapd Logging By default, slapd uses rsyslog to handle log messages. If left unconfigured, log messages will be written to /var/log/messages. Because the slapd log messages will be mixed with various system log messages, it is recommended that OpenLDAP log messages are written to their own file. These steps are recommended for a RHE
Aug 23, 2022 Configure Password Policy in slapd.conf In the global section add the following to the included schemas: sudo vi /opt/symas/etc/openldap/slapd.conf Add the following to the modules list: moduleload ppolicy.la Add the policy overlay within the main database section, preferably below the syncprov and accesslog overlay(s): overlay ppolicy
Date: 11-04-2022 The group of offline LDAP/slapd command line utilities share a common set of parameters. Parameter Description -f config-file Path to a slapd configuration file. -F config-directory Path to a slapd configuration directory. -b basedn The base dn of the directory to work with. -n database-number The number of the backend database to w
Date: 01-13-2022 The accesslog is a database internal to OpenLDAP primarily used to support "delta-syncrepl", which only replicates the changed parts of entries. It can also be used to provide a more detailed history of database activity than the standard slapd logs provide. These examples set the accesslog database content to be retained for 3 days
General Upgrade Procedures Generally, you can add a node to an LDAP cluster without taking down the LDAP environment. A server with SOLD 2.4 will replicate with a SOLD 2.6 server, but this should only be temporary. The following scenario is for updating/upgrading during a maintenance window. Change dc=example,dc=com to the root suffix of your envi
Date: 5/16/2022 Symas makes two tools available for OpenLDAP log analysis and reduction: lr2 - the log analysis and reduction tool and ll2 - a log load analysis tool These programs are written in Python3 and have no special dependencies. The programs are available from Symas's git repository. README File Contents # Symas Logging Utilities > This
Date: 01-17-2022 We all know that databases were created to deal with data and its storage. We are all confused about which database to use as we have lots of options to pick from! Generally, we choose the database producer or the owner. We can select the right database for our needs by analyzing the different types such as hierarchical and relation
Date: 01-17-2022 This document describes how Apache Fortress and OpenLDAP can be placed into a highly-available configuration. Apache Fortress provides Identity and Access Management APIs over HTTP using either JSON or REST formats. OpenLDAP is where the data is stored and maintained. There are two identically configured machines, each with an insta
Date: 08-15-2024 Overview Since LDAP databases can store just about any type of sensitive information (birthdates, Social Security numbers, etc.) it is critical to protect the data from interception when it is being transmitted across a network between server and client. With OpenLDAP, this protection is achieved through encryption using Transport L
This article describes the autogroup, memberOf, nestgroup, and alias overlays, and which would be most appropriate based on the needs of the OpenLDAP installation. Most sites will not need all four. In particular, the alias overlay is likely not needed. We've included it because it's instructional and useful when more than one reverse lookup attribu
Date: 11-11-2015 CENTOS 6 OR OLDER Edit inittab sudo vi /etc/inittab Add/Change "5" to "3" in the following line at end: id:5:initdefault: becomes: id:3:initdefault: Reboot Log in with text mode NOTE: The system will just operate purely in CLI mode. If you should ever want to temporarily use a GUI you can invoke one with a startx command. NOTE: 5 = R
Introduction There are two supported methods of backing up an OpenLDAP database: via the slapcat utility which produces a complete human-readable LDIF copy of the database, or via the mdb_copy utility that produces a binary copy of the LMDB database. With slapcat: The backup is a full snapshot of the database that includes critical operational att
Date: 11-04-2022 Introduction LMDB (the Lightning Memory-mapped Data Base) is an “in-memory database.” In OpenLDAP, LMDB is the database engine under the “mdb” database type. This is the only currently supported database type used in OpenLDAP. All of the contents of the database are loaded into Virtual Memory. As much of the contents are kept in th
Date: 17-01-2022 Note: A serverID of 000 (which is the default) is indicative of a single Producer. Note: The serverID is used to populate the "replica ID" field of all CSNs generated by the specified server. Stop Solserver/Slapd: sudo /opt/symas/etc/solserver stop Or sudo service solserver stop Or sudo systemctl stop solserver.service Export the c
Date: 10-11-2024 Using slapadd Overview The slapadd utility is part of OpenLDAP’s suite of tools for managing directory data. It allows administrators to add large amounts of data directly to an OpenLDAP database by bypassing the LDAP protocol itself. This makes it ideal for bulk imports or initial population of a database. However, because slapadd
Date: 11-11-2015 EPEL = Extra Packages for Enterprise Linux Option 1 Open a shell prompt. Install epel using the following command: sudo yum -y install epel-release Refresh repo by typing the following command: yum repolist Option 2 cd /tmp wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm sudo yum install epel-release-7.no
Date: 11-04-2022 To use the OpenLDAP command line utilities and man pages, several shell environment variables must be modified or added. This guide assumes that the Symas OpenLDAP Server and/or client utilities are installed in the default location, "/opt/symas" Root/Administrator privileges may be required for some changes. Setting LDAP Executable
Date: 11-04-2022 Most operations must be run with administrative privileges. Daemon/Service Operations Unix/Linux All Symas OpenLDAP daemon/service operations share the same control commands: status = Get daemon status start = Start the OpenLDAP daemon stop = Stop the OpenLDAP daemon restart = Stop and start the OpenLDAP daemon Using Traditional ini
Date: 08-15-2024 Chaining versus Referrals Chaining instructs the server to redirect writes aimed at a replica / slave / consumer to the appropriate master(s)/producer(s), while Referrals instruct the client to direct writes to any specified server. This can be accomplished by adding the chaining overlay and referral to the slapd.conf on the replica
Date: 11-04-2022 Some Linux distributions use an internal firewall service called iptables. Often the default rules of iptables are very restrictive and will block LDAP/LDAPS traffic on the default ports of 389 and 636. The following is an example of how to update iptables to allow LDAP/LDAPS traffic: Note for RedHat Users: The IPTables config
Configure Password Policy in slapd.conf In the global section add the following to the included schemas: sudo vi /opt/symas/etc/openldap/slapd.conf include `/opt/symas/etc/openldap/schema/ppolicy.schema`. Add the following to the modules list: moduleload ppolicy.la Add the following to the MDB section below the maxsize setting: overlay ppolicy ppoli
If the server you are installing on does not have access to the internet then this is how to install Symas OpenLDAP locally for RedHat 7 or RedHat 8. Step 1: Downloading the Packages Download the packages needed onto a different machine for the OS on which you are going to install. NOTE: Packages can be found here, choose your release (2.5 or 2.6),
Date: May 23, 2024 Introduction OpenLDAP's server process, slapd, is a multi-threaded daemon that handles multiple incoming LDAP requests in parallel. The degree of parallelism is determined by the number of CPUs or the total number of CPU cores in the server and by the value of the threads setting in slapd's configuration. The default value of 16 i
Passwords, everyone loves to hate them and still, in the era of digital certificates, fingerprints, and voice recognition, we use them on a daily basis and want users to memorize tens of different complex passwords. So they cheat and passwords get reused, written down on a piece of paper, you name it. Not that producers always get this right either.
Date: 08-15-2024 PAM-Based Authentication for Linux Linux clients can use the Pluggable Authentication Modules (PAM) to authenticate against LDAP Servers. The client must be configured to utilize PAM and connect with the LDAP Server. Below are the instructions necessary to accomplish both tasks. Note: RedHat recommends SSSD, but can be configured to
Date: 4/11/2022 Overview Adobe Apache Directory Studio is a program used to allow the user to better visualize, edit and configure their existing database. This guide will discuss any steps needed before installation and the installation of the program on to your respective machine. Java Installation It is important to make sure you have Java up-to-
Date: 11-04-2022 This database contains all of the monitoring/managing objects. The information is held in operational attributes, which must be explicitly requested. The operational attribute monitorCounter contains the counter value for counter entries. Backend Subtree cn=Backends,cn=Monitor This subtree contains information about available backen
Setting Options olcLogFile: <filename> Specify a file for recording slapd debug messages. These messages are unrelated to messages exposed by the olcLogLevel configuration parameter. This setting only affects the slapd daemon and has no effect on the command line tools. By default these messages only go to stderr and are not recorded anywhere
Date: 08-02-2024 This is a fast way to set up an OpenLDAP database with a sample database. The sample database is a good learning tool. Installation Steps Your "Server" The Quick Start is written for an Ubuntu 22.04 server (real or VM). There are instructions on the OpenLDAP Repository Website for all of the other platforms we support. The differenc
Date: 13-01-2022 Attribute sharing It is not completely rare that, when managing a complex directory, some values need to be shared between entries. As LDAP is not a protocol that has a relational data model (e.g. being able to answer queries like "list entries having an attribute "a" with value "x" and whose parent doesn't have attribute "b" presen
This article provides information on the creation of basic certificate authority and security certificate with built-in Symas-provided OpenSSL CA tools. This article is oriented towards creating security certificates with a private certificate authority for use in test environments only. In production environments or where test data may still be con
Date: 09-16-2024 Overview Replication is an essential tool to allow multiple servers to maintain up-to-date information between many changing systems. From simply one primary machine updating a secondary machine, multiple primary machines updating each other, or multiple primary machines updating numerous secondary machines; replicated d
Date: 05-20-2022 Multi-Master Replication (MMR) MMR is a critical component in deploying highly available OpenLDAP services. MMR works for clusters containing many servers acting as "masters", taking updates from client applications. Symas tests 4-way and 6-way MMR clusters routinely. That doesn't make use of that many masters for production a good
Date: 12-14-2015 The short answer is yes, Referrals OpenLDAP can take requests from applications that result in instructions to the application to look elsewhere; a referral. The application has to be prepared to accept referrals or a data response and needs appropriate credentials to access any directory server for which a referral might be returne
Date: 11-04-2022 ldapsearch ldapsearch Man Page Syntax: ldapsearch <opts> [search filter] [return attributes] The ldapsearch command allows a user to query an LDAP directory. Entries matching the search are returned in LDIF format. In addition to the common options, ldapsearch requires (in bold) or uses the following: Option Description -b
Backend Choice Choosing the appropriate backend for OpenLDAP is critical for optimal performance and reliability. Below are best practices and considerations for each of the existing backends. MDB The MDB backend uses a single file to store all elements injected into the part of the Directory Information Tree (DIT) using this backend. This file has
Date: 11-04-2022 The group of online LDAP command line utilities share a set of common parameters. Parameter Description -H ldapuri BIND to the given ldapuri (server) -Z[Z] Use StartTLS to encrypt connection. -ZZ requires successful TLS validation for connection. -D binddn BIND using the given binddn. Ignored when using SASL -x Use simple (username/
Date: 11-04-2022 By default, the slapd process will run as the root user and listen on ldap:/// and ldapi:///. To change these settings requires making a systemd override file. Use a text editor to create the symas-openldap override file /etc/default/symas-openldap. Options that can be overridden: SLAPD_URLS - URLS to listen on SLAPD_OPTIONS - Addit
Date: 11-24-2015 Updated 5/15/2024 E. Resendiz Modifying the Solserver Script for Your Environment 1. If slapd is not in /opt/symas/etc/openldap configure /opt/symas/etc/openldap/symas-openldap.conf to point to slapd.conf. 2. Comment out the default EXTRA_SLAPD_ARGS line. 3. Add the following: EXTRA_SLAPD_ARGS=" -f /<path to>/slapd.conf" 4. Co
Date: 01-09-2022 Enabling Core Dumps on Red Hat Linux Systems Core dumps are an essential part of analyzing slapd crashes. Unfortunately, Red Hat systems do not save the Symas OpenLDAP core dumps by default. Some Red Hat installations have the abrt (abort) service installed. This service manages core dump saving and processing. The gdb debugging pro
Date: 10-08-2024 Introduction Replication is all about propagating updates from one server to other servers in a timely manner. There are many possible architectures for replication, mainly: Provider-Consumer Multi-Provider Combination of both Replication can also follow one of two possible algorithms: Full replication (send the entire ent
Directories are one of the most common database structures. They are lists of things with their various attributes. The things are objects, real or imaginary. Either way, they are treated the same. Examples of real world directories are old-school telephone directories (name, address, phone number), customer lists, library catalogs, password files,
Date: 11-04-2022, Updated 3/6/2024 Ryan Conover Do not modify standard schemas The standard schema files in /opt/symas/etc/openldap/schema are overwritten during upgrades of OpenLDAP and any changes made will be lost. Instead, all changes should be made in custom .schema files. Separate custom schemas from standard schemas Custom schemas should be s
Date: 17-01-2022 SystemD-Based Operating Systems Warning: RedHat/CentOS 7+, Ubuntu 16+, Debian 8+, SLES 12+ all use systemd which ignores /etc/security/limits.conf and /etc/security/limits.d/* settings. To permit core files without size limits on systemd-based systems use the following process instead. NOTE: these steps must be done as root Set Syst
14 Nov 2024 With systemd, there are two separate types of configuration changes. Overriding system limitations such as the number of open files Overriding defaults for the slapd startup process Overriding System Limitations Sometimes it is necessary to provide more resources to the slapd process. Most commonly this is the number of file descriptors
Date: 01-13-2022 Producer/Consumer Replication (PCR) Using slapd.conf Configure the Producer Server Adjusting credentials, URIs and directory paths as necessary. vi slapd.conf 1. In the global section include the following: SyncProv and Accesslog Modules moduleload syncprov.la moduleload accesslog.la 2. In the mdb database section include the foll
Overview The slapacl utility in OpenLDAP is used to test access control list (ACL) permissions for entries and/or attributes. It allows administrators to verify whether a specific user has the required access rights (read, write, etc.) to particular entries or attributes within the LDAP directory. This article provides an overview of the slapacl too
Set the keepalive setting if the connection to the remote server has timeout issues, e.g. it connects through a firewall that drops idle connections without sending proper close messages to both endpoints, which is common for a lot of firewalls. This feature was added back in version 2.4.34 on 03-01-2013. Modify the slapd.conf file to look like this: o
Here's how to set up LetsEncrypt certificates on Ubuntu 22.04 for use in OpenLDAP. Requirements OpenLDAP/slapd installed without ssl certs in place (see Installing OpenLDAP (2.5 and later)). LetsEncrypt installed (certs in /etc/letsencrypt structure). To get started with LetsEncrypt, go here. Set the correct access permissions for the LetsEncrypt d
Date: 11-04-2022 Linux Core Dumps Sometimes OpenLDAP crashes and baffles the experts. When there is a crash or a slapd behavior we can't diagnose from logs, the data, or your configuration then a deeper look is needed. In those situations, troubleshooting requires the analysis of a core dump. Default operating system settings often interfere with co
Glossary This is an auto-generated article of all your definitions within the glossary. ACL OpenLDAP Access Control Lists (ACLs) are settings that control who can access information stored in an OpenLDAP directory. What they do: ACLs define the privi
Date: 12-10-2015 Backing up the LDAP environment using slapd.conf or a static configuration. 1. Stop the slapd service. 2. Get the full path to the directory that contains all of the database files. For a single DB /opt/symas/sbin/slapcat -f /opt/symas/etc/openldap/slapd.conf -l /tmp/mydb_export.ldif For multiple DBs /opt/symas/sbin/slapcat -f
Date: 04-11-2022 Symas OpenLDAP provides OpenLDAP 2.5 and OpenLDAP 2.6 packaged binaries which can be installed for multiple Linux distributions. Below are the links to the location of the binaries and the instructions for installation and upgrade. Packages Packages can be found here (repo.symas.com). Once you have selected the long term support re
Date: 11-04-2022 Updated 5/7/2024 R. Conover Problem Determination More often than not, an OpenLDAP error is caused by a (mis)configuration issue or a misunderstanding of what you are trying to implement and/or achieve. Checklist The following checklist/questions can help track down your OpenLDAP issue. Please try to use it before posting to the lis
Date: 11-04-2022 (0 | 0x00) success Indicates the successful completion of an operation. Note: this code is not used with the Compare operation. See compareFalse (5) and compareTrue (6). (1 | 0x01) operationsError Indicates that the operation is not properly sequenced with relation to other operations (of same or different type). For example, this c
Date: 01-17-2022 Error Codes Errors for LDAP requests are shown in "STATS" log entries as err=## Non-Error Results Codes Several error codes do not indicate an error condition: success (0) compareFalse (5) compareTrue (6) referral (10) saslBindInProgress (14) The success, compareTrue, and compareFalse result codes indicate successful completion (and
Date: 11-04-2022 When to back up Configuration backups should be taken: As a part of your daily or weekly system backup routine Prior to any server maintenance Prior to any upgrade of the OpenLDAP software Prior to any changes to the OpenLDAP configuration Prior to any changes to your OpenLDAP schemas What to back up By default, the entire Symas Ope
Date: 11-04-2022 Created by Marty Heyman, last modified by Greg Noe on Jul 16, 2015 Problem The POODLE SSL 3.0 Vulnerability is a relatively recently reported SSL (OpenSSL) vulnerability. For several reasons, the OpenLDAP Project and Symas are convinced that Symas OpenLDAP is not vulnerable to such an attack via any existing LDAP Client software. It
Date: 07-31-2024 When a program crashes, the first step in finding the cause is to get a stack trace, which shows what a program was executing at the function level at the time of the crash. Stack traces can be obtained using the common gdb debugging utility. If a system is configured to save a core dump (a snapshot of the memory used by the crashin
Date: 07-03-2023 Why is Password Complexity Important? Password management is an important security measure for any Linux system. Without a secure password, unauthorized people can access the system, leaving it vulnerable to malicious attacks. It’s therefore essential to define password policies that force the user to consider a complex password tha
Date: 11-04-2022 ldapmodify ldapmodify Man Page Syntax: ldapmodify <opts> -f <file.ldif> The ldapmodify command may be used to add, modify and delete entries. This section will focus on entry modifications Modification LDIFs ldapmodify uses "changetype" LDIF input. All entry modifications will have a changetype of "modify" and action spe
Date: 01-26-2016, updated 7/29/2024 If slapd ever crashes, it's useful to have the server save a core dump file that can be used later to analyze the cause of the crash. Core dump files contain a snapshot of all the in-memory data of slapd at the time of the crash. By default, most Linux systems don't create core dump files for slapd, but it's relat
Date: 01-17-2022 Slapo-dynlist - Dynamic List overlay to slapd The dynlist overlay to slapd(8) allows expansion of dynamic groups and more. Any time an entry with a specific objectClass (defined in the overlay configuration, e.g. groupOfURLs) is being returned, the LDAP URI-valued occurrences of a specific attribute (also defined in the overlay conf
Date: 11-04-2022 Introduction Symas OpenLDAP configured with LMDB has been extensively tested and its performance characteristics are well understood. Both OpenLDAP and LMDB's scaling characteristics are known to be linear within a wide range, allowing planners to determine hardware requirements through extrapolation from configurations with known p
Date: 01-13-2022 Database size issues Some databases can grow so much that it is very hard to store them on fast storage, let alone fit in RAM. This is where OpenLDAP's back-mdb comes in handy, showing that it is possible to reduce the DB footprint compared to other backends, often close to a factor of two when compared to `back-hdb/bdb`. But even tha
The basic LDAP "ldap:///" network protocol performs all communication unencrypted between a client and server. This means sensitive information like passwords and personal data can easily be intercepted and used by unauthorized third parties. To overcome this, OpenLDAP supports communications utilizing TLS (Transport Layer Security). TLS uses X.5
Date: 10-05-2022 How to Direct Write/Update Traffic It is technically acceptable to direct write traffic to any master in a multi-master replication (MMR) environment. To do so causes increased replication processing and network traffic. It is better to direct writes to only one master at a time and keep the others as standbys for failover or roll-o
Date: 11-04-2022 Overview Sometimes you only want part of the full directory available on a consumer. Fractional Replication (FR) makes that possible. Steps Design a query that isolates the subset of entries you want in the fraction, Use the same basic configuration as a full replica, Use your fractioning query for the search for replication, and Cha
Date: 01-13-2022 The remoteauth overlay to slapd provides pass-through authentication to remote directory servers, e.g. Active Directory, for LDAP simple bind operations. That means a user can login to a service or application using their Windows password even though the authentication request is going to an OpenLDAP server. The local LDAP entry r