Full_Name: Andreas Schoe
Version: 2.4.39
OS: linux/gentoo
URL:
Submission from: (NULL) (139.17.31.83)

First I want to use a proxy to authenticate against another password attribute, but with a proxy I can not "map" the userPassword attribute for bind operation. For search operations it worked. I recognized that write operations can rewrite the userpassword attribute. I set up two ldap servers, one Master and one Slave. On the Slave I use first refreshOnly and then refreshAndPersist. The issue is still the same for Syncrepl as refreshOnly and refreshAndPersist. On the Slave I also use the RWM Overlay to override the userPassword attribute.

example for syncrepl:
{0}rid=001 provider=ldaps://ldap.example.de/ tls_reqcert=never binddn=""
bindmethod=simple credentials= searchbase="dc=example,dc=de"
filter="(|(ou=People)(uid=andi))" attrs="sn,cn,mail,uid,nisPassword,+"
schemachecking=off type=refreshOnly interval=00:00:01:00 retry="1 1 100 +"
timeout=1

rwm config:
{0}attribute nisPassword userPassword

That works fine, I can bind against the Slave with the nisPassword from the Master, but when I try a ldapsearch with requesting all attributes the server crashes. Same with "ldapsearch (uid=andi) userpassword nispassword".
"ldapsearch (uid=andi) cn sn" worked.

After crashing, the server restarts when nisPassword on Master isn't changed. After changing nisPassword on the Master the Server won't start.

The Error is:
slapd: rwm.c:1286: rwm_attrs: Assertion `(*ap)->a_nvals == (*ap)->a_vals' failed.

tried with hdb and bdb backend and schemachecking=on, every time the same Error

try the same with other attributes
syncrepl: attrs="sn,mail,uid,nisPassword,+"
rwm config
{0}attribute sn cn

"ldapsearch (uid=andi) sn" worked

Hello,

you could reproduce it on a Single instance with the following ldif file:

ldapadd -h localhost -D "cn=ldapadmin,ou=conf,dc=example,dc=de" -w 'test' -f ldif.ldif

<ldif.ldif>
dn: dc=example,dc=de
dc: example
objectClass: top
objectClass: organization
objectClass: dcObject
o: EXAMPLE

dn: ou=People,dc=example,dc=de
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=andi,ou=People,dc=example,dc=de
uid: andi
uidNumber: 12
gidNumber: 20
homeDirectory: /home/andi
loginShell: /bin/tcsh
objectClass: exPassword
objectClass: top
objectClass: posixAccount
objectClass: person
sn: Schoe
cn: Andreas Schoe
gfzNisPassword: {CRYPT}i.hBxh9rngIPE
<ldif>

schema for Attribute:
{0}( 1.3.6.1.4.1.25398.511 NAME 'nisPassword' DESC 'Password for NIS' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )
{0}( 1.3.6.1.4.1.25398.500 NAME 'exPassword' DESC 'additional attributes for accounts' SUP top AUXILIARY MAY ( nisPassword ) X-ORIGIN 'user defined' )

rwm config:
olcRwmMap: {0}attribute gfzNisPassword userPassword

ldapsearch -h rzc37 -D "uid=andi,ou=People,dc=example,dc=de" -w 'te' -b "dc=example,dc=de" -x -LLL '(uid=andi)'

Still the same Error: slapd: rwm.c:1286: rwm_attrs: Assertion `(*ap)->a_nvals == (*ap)->a_vals' failed.

that worked:
ldapsearch -h localhost -D "uid=andi,ou=People,dc=example,dc=de" -w 'te' -b "dc=example,dc=de" -x -LLL '(uid=andi)' cn

best regards
andreas

andreas.schoe@gfz-potsdam.de wrote:
> Hello,
>
> you could reproduce it on a Single instance with the following ldif file:
>
> ldapadd -h localhost -D "cn=ldapadmin,ou=conf,dc=example,dc=de" -w 'test' -f ldif.ldif
> <ldif.ldif>
> dn: dc=example,dc=de
> dc: example
> objectClass: top
> objectClass: organization
> objectClass: dcObject
> o: EXAMPLE
>
> dn: ou=People,dc=example,dc=de
> objectClass: top
> objectClass: organizationalUnit
> ou: People
>
> dn: uid=andi,ou=People,dc=example,dc=de
> uid: andi
> uidNumber: 12
> gidNumber: 20
> homeDirectory: /home/andi
> loginShell: /bin/tcsh
> objectClass: exPassword
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> sn: Schoe
> cn: Andreas Schoe
> gfzNisPassword: {CRYPT}i.hBxh9rngIPE
> <ldif>
>
> schema for Attribute:
> {0}( 1.3.6.1.4.1.25398.511 NAME 'nisPassword' DESC 'Password for NIS' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'user defined' )

The schema of your nisPassword attribute is incompatible with userPassword. Your configuration is invalid. Closing this ITS.

> {0}( 1.3.6.1.4.1.25398.500 NAME 'exPassword' DESC 'additional attributes for accounts' SUP top AUXILIARY MAY ( nisPassword ) X-ORIGIN 'user defined' )
>
> rwm config:
> olcRwmMap: {0}attribute gfzNisPassword userPassword
>
> ldapsearch -h rzc37 -D "uid=andi,ou=People,dc=example,dc=de" -w 'te' -b "dc=example,dc=de" -x -LLL '(uid=andi)'
> Still the same Error: slapd: rwm.c:1286: rwm_attrs: Assertion `(*ap)->a_nvals == (*ap)->a_vals' failed.
>
> that worked:
> ldapsearch -h localhost -D "uid=andi,ou=People,dc=example,dc=de" -w 'te' -b "dc=example,dc=de" -x -LLL '(uid=andi)' cn
>
> best regards
> andreas

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

changed state Open to Closed
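
Added example, not part of the thread and not OpenLDAP code: a pre-deployment check that compares the effective SYNTAX and EQUALITY of each attribute pair in an rwm attribute map, following SUP inheritance, so a mismatch is caught before slapd is started. The nisPassword definition and the two mappings come from the report, the other definitions are from RFC 4519, the function names are hypothetical, and reading "incompatible" as a differing SYNTAX or EQUALITY is an assumption of this example.

```python
import re

# nisPassword: definition posted in the report. Others: RFC 4519 definitions.
SCHEMA = [
    "{0}( 1.3.6.1.4.1.25398.511 NAME 'nisPassword' DESC 'Password for NIS' "
    "EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 "
    "X-ORIGIN 'user defined' )",
    "( 2.5.4.35 NAME 'userPassword' EQUALITY octetStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.4 NAME 'sn' SUP name )",
    "( 2.5.4.3 NAME 'cn' SUP name )",
]
MAPS = ["{0}attribute nisPassword userPassword", "{0}attribute sn cn"]  # from the report

def parse_attrtype(defn):
    """Pull NAME(s), SUP, EQUALITY and SYNTAX out of an attribute type description."""
    m = re.search(r"\bNAME\s+('[^']+'|\([^)]*\))", defn)
    names = re.findall(r"'([^']+)'", m.group(0)) if m else []
    body = re.sub(r"'[^']*'", "", defn)  # drop quoted strings so DESC text cannot match
    at = {"names": names}
    for key in ("SUP", "EQUALITY", "SYNTAX"):
        f = re.search(r"\b%s\s+([\w.-]+)" % key, body)  # stops before a {len} suffix
        at[key] = f.group(1) if f else None
    return at

def build_index(defs):
    return {n.lower(): at for at in map(parse_attrtype, defs) for n in at["names"]}

def effective(index, name, key):
    """Value of `key` for `name`, inherited through SUP when not set locally."""
    at = index[name.lower()]  # KeyError: attribute type missing from the schema
    return at[key] if at[key] or not at["SUP"] else effective(index, at["SUP"], key)

def check_rwm_maps(map_lines, index):
    """Return (local, foreign, differing_fields) for each mapped pair that differs."""
    findings = []
    for line in map_lines:
        parts = re.sub(r"^(olcRwmMap:\s*)?(\{\d+\})?", "", line.strip()).split()
        if len(parts) != 3 or parts[0].lower() != "attribute" or "*" in parts:
            continue  # not a one-to-one attribute mapping
        diffs = [k for k in ("SYNTAX", "EQUALITY")
                 if effective(index, parts[1], k) != effective(index, parts[2], k)]
        findings += [(parts[1], parts[2], diffs)] if diffs else []
    return findings

if __name__ == "__main__":
    print(check_rwm_maps(MAPS, build_index(SCHEMA)))
```

The sn/cn mapping passes because both inherit their syntax and matching rule from `name`, while the nisPassword/userPassword mapping is reported for both fields.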