From 85784fee95c57b14a10003b24199c3f9b4dd31e2 Mon Sep 17 00:00:00 2001 From: Gavin Henry Date: Fri, 5 Oct 2007 21:49:17 +0000 Subject: [PATCH] Fix sections, 'make' and spell check. Still to tidy and filter out N/A stuff for 2.4. --- doc/guide/admin/appendix-common-errors.sdf | 209 ++++++++++++--------- doc/guide/admin/aspell.en.pws | 149 ++++++++------- 2 files changed, 209 insertions(+), 149 deletions(-) diff --git a/doc/guide/admin/appendix-common-errors.sdf b/doc/guide/admin/appendix-common-errors.sdf index 72a4db99f1..40177055de 100644 --- a/doc/guide/admin/appendix-common-errors.sdf +++ b/doc/guide/admin/appendix-common-errors.sdf @@ -31,7 +31,7 @@ operation cannot be located. This section details reasons common to all operations. You should also look for answers specific to the operation (as indicated in the error message). -The most common reason for this error is non-existance of the named object. First, +The most common reason for this error is non-existence of the named object. First, check for typos. Also note that, by default, a new directory server holds no objects @@ -60,46 +60,54 @@ One known common error in database creation is putting a blank line before the f It is generally recommended that ldapadd(1) be used instead of slapadd(8) when adding new entries your directory. slapadd(8) should be used to bulk load entries known to be valid. Another cause of this message is a referral entry to an unpopulated directory. Either remove the referral, or add a single record with the referral base DN to the empty directory. -This error may also occur when slapd is unable to access the contents of its database because of file permission problems. For instance, on a RedHat Linux system, slapd runs as user 'ldap'. When slapadd is run as root to create a database from scratch, the contents of /var/lib/ldap are created with user and group root and with permission 600, making the contents unaccessable to the slapd server. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: Can't chase referral +This error may also occur when slapd is unable to access the contents of its database because of file permission problems. For instance, on a Red Hat Linux system, slapd runs as user 'ldap'. When slapadd is run as root to create a database from scratch, the contents of /var/lib/ldap are created with user and group root and with permission 600, making the contents inaccessible to the slapd server. + +H3: ldap_*: Can't chase referral + This is caused by the line referral ldap://root.openldap.org in slapd.conf, It was provided as an example for how to use referrals in the original file. however if your machine is not permanently connected to the Internet, it will fail to find the server, and hence produce an error message. -To resolve, just place a # infront of line and restart slapd or point it to an available ldap server. +To resolve, just place a # in front of line and restart slapd or point it to an available ldap server. See also: ldapadd(1) ldapmodify(1) slapd.conf(5) -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: server is unwilling to perform + +H3: ldap_*: server is unwilling to perform + The OpenLDAP server will return an unwilling to perform error if the backend holding the target entry does not support the given operation. The password backend is only willing to perform searches. It will return an unwilling to perform error for all other operations. The shell backend is configurable and may support a limited subset of operations. Check for other errors indicating a shortage of resources required by the directory server. i.e. you may have a full disk etc -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: Insufficient access -This error occurs when server denies the operation due to insufficent access. This is usually caused by binding to a DN with insufficient priviledges (or binding anonymously) to perform the operation. You can bind as the rootdn/rootpw specified in slapd.conf(5) to gain full access. Otherwise, you must bind to an entry which has been granted the appropriate rights through access controls. + +H3: ldap_*: Insufficient access + +This error occurs when server denies the operation due to insufficient access. This is usually caused by binding to a DN with insufficient privileges (or binding anonymously) to perform the operation. You can bind as the rootdn/rootpw specified in slapd.conf(5) to gain full access. Otherwise, you must bind to an entry which has been granted the appropriate rights through access controls. See also: ldapadd(1) ldapdelete(1) ldapmodify(1) ldapmodrdn(1) ldapsearch(1) slapd.conf(5) (Xref) ldap_bind: Insufficient access (Xref) Access Control -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: Invalid DN syntax + +H3: ldap_*: Invalid DN syntax + The target (or other) DN of the operation is invalid. This implies that either the string representation of the DN is not in the required form, one of the types in the attribute value assertions is not defined, or one of the values in the attribute value assertions does not conform to the appropriate syntax. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: Referral hop limit exceeded + +H3: ldap_*: Referral hop limit exceeded + This error generally occurs when the client chases a referral which refers itself back to a server it already contacted. The server responds as it did before and the client loops. This loop is detected when the hop limit is exceeded. This is most often caused through misconfiguration of the server's default referral. The default referral should not be itself: That is, on ldap://myldap/ the default referral should not be ldap://myldap/ (or any hostname/ip which is equivalent to myldap). -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: operations error + +H3: ldap_*: operations error + In some versions of slapd(8), operationsError was returned instead of other. See also: (Xref) ldap_*: other error. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: other error + +H3: ldap_*: other error + The other result code indicates an internal error has occurred. While the additional information provided with the result code might provide some hint as to the problem, often one will need to consult the server's log files. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_add/modify: Invalid syntax + +H3: ldap_add/modify: Invalid syntax + This error is reported when a value of an attribute does not conform to syntax restrictions. Additional information is commonly provided stating which value of which attribute was found to be invalid. Double check this value and other values (the server will only report the first error it finds). Common causes include: @@ -109,9 +117,10 @@ Common causes include: empty values (few syntaxes allow empty values) -For certain syntax, like OBJECT IDENTIFER (OID), this error can indicate that the OID descriptor (a "short name") provided is unrecongized. For instance, this error is returned if the objectClass value provided is unrecongized. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_add/modify: Object class violation +For certain syntax, like OBJECT IDENTIFIER (OID), this error can indicate that the OID descriptor (a "short name") provided is unrecognized. For instance, this error is returned if the objectClass value provided is unrecognized. + +H3: ldap_add/modify: Object class violation + This error is returned with the entry to be added or the entry as modified violates the object class schema rules. Normally additional information is returned the error detailing the violation. Some of these are detailed below. Violations related to the entry's attributes: @@ -142,8 +151,9 @@ Violations related to the entry's class(es): Note that the above error messages as well as the above answer assumes basic knowledge of LDAP/X.500 schema. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_add: No such object + +H3: ldap_add: No such object + The "ldap_add: No such object" error is commonly returned if parent of the entry being added does not exist. Add the parent entry first... For example, if you are adding "cn=bob,dc=domain,dc=com" and you get: @@ -156,22 +166,24 @@ The entry "dc=domain,dc=com" likely doesn't exist. You can use ldapsearch to see If it doesn't, add it. See the Quick Start Guide (http://www.openldap.org/doc/admin/quickstart.html) for assistance. -Note: if the entry being added is the same as database suffix, it's parent isn't required. Ie: if your suffix is "dc=domain,dc=com", "dc=com" doesn't need to exist to add "dc=domain,dc=com". +Note: if the entry being added is the same as database suffix, it's parent isn't required. i.e.: if your suffix is "dc=domain,dc=com", "dc=com" doesn't need to exist to add "dc=domain,dc=com". This error will also occur if you try to add any entry that the server is not configured to hold. For example, if your database suffix is "dc=domain,dc=com" and you attempt to add "dc=domain2,dc=com", "dc=com", "dc=domain,dc=org", "o=domain,c=us", or an other DN in the "dc=domain,dc=com" subtree, the server will return a "No such object" (or referral) error. slapd(8) will generally return "no global superior knowledge" as additional information indicating its return noSuchObject instead of a referral as the server is not configured with knowledge of a global superior server. See also: ldapadd(1) ldapmodify(1) (Xref) ldap_add/delete/modify/rename: no global superior knowledge -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap add: invalid structural object class chain -This particular error refers to the rule about STRUCTURAL objectclasses, which states that an object is of one STRUCTURAL class, the structural class of the object. The object is said to belong to this class, zero or more auxiliaries classes, and their superclasses. While all of these classes are commonly listed in the objectClass attribute of the entry, one of these classes is the structural object class of the entry. Thus, it is OK for an objectClass attribute to contain inetOrgPerson, organizationalPerson, and person because they inherit one from another to form a single superclass chain. That is, inetOrgPerson SUPs organizationPerson SUPs person. On the other hand, it is invalid for both inetOrgPerson and account to be listed in objectClass as inetOrgPerson and account are not part of the same superclass chain (unless some other class is also listed with is a subclass of both). -To resolve this problem, one must determine which class will better serve structural object class for the entry, adding this class to the objectClass attribute (if not already present), and remove any other structural class from the entry's objectClass attribute which is not a superclass of the structural object class. +H3: ldap add: invalid structural object class chain + +This particular error refers to the rule about STRUCTURAL objectclasses, which states that an object is of one STRUCTURAL class, the structural class of the object. The object is said to belong to this class, zero or more auxiliaries classes, and their super classes. While all of these classes are commonly listed in the objectClass attribute of the entry, one of these classes is the structural object class of the entry. Thus, it is OK for an objectClass attribute to contain inetOrgPerson, organizationalPerson, and person because they inherit one from another to form a single super class chain. That is, inetOrgPerson SUPs organizationPerson SUPs person. On the other hand, it is invalid for both inetOrgPerson and account to be listed in objectClass as inetOrgPerson and account are not part of the same super class chain (unless some other class is also listed with is a subclass of both). + +To resolve this problem, one must determine which class will better serve structural object class for the entry, adding this class to the objectClass attribute (if not already present), and remove any other structural class from the entry's objectClass attribute which is not a super class of the structural object class. Which object class is better depends on the particulars of the situation. One generally should consult the documentation for the applications one is using for help in making the determination. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_add: no structuralObjectClass operational attribute + +H3: ldap_add: no structuralObjectClass operational attribute + ldapadd(1) may error: adding new entry "uid=XXX,ou=People,o=campus,c=ru" @@ -184,8 +196,9 @@ While this normally should produce an object class violation error, some version Kurt@OpenLDAP.org See also: (Xref) ldap add: invalid structural object class chain Kurt@OpenLDAP.org -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_add/modify/rename: Naming violation + +H3: ldap_add/modify/rename: Naming violation + OpenLDAP's slapd checks for naming attributes and distinguished values consistency, according to RFC 4512. Naming attributes are those attributeTypes that appear in an entry's RDN; distinguished values are the values of the naming attributes that appear in an entry's RDN, e.g, in @@ -229,15 +242,17 @@ Possible causes of error are: In any case, make sure that the attributeType definition for the naming attributes contains an appropriate EQUALITY field; or that of the superior, if they are defined based on a superior attributeType (look at the SUP field). See RFC 4512 for details. ando@sys-net.it, Kurt@OpenLDAP.org -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_add/delete/modify/rename: no global superior knowledge + +H3: ldap_add/delete/modify/rename: no global superior knowledge + If the target entry name places is not within any of the databases the server is configured to hold and the server has no knowledge of a global superior, the server will indicate it is unwilling to perform the operation and provide the text "no global superior knowledge" as additional text. Likely the entry name is incorrect, or the server is not properly configured to hold the named entry, or, in distributed directory environments, a default referral was not configured. Kurt@OpenLDAP.org -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_bind: Insufficient access -Current versions of slapd(8) requires that clients have authentication permission to attribute types used for authentication purposes before accessing them to perform the bind operation. As all bind operations are done anonymously (regardless of previous bind succuss), the auth access must be granted to anonymous. + +H3: ldap_bind: Insufficient access + +Current versions of slapd(8) requires that clients have authentication permission to attribute types used for authentication purposes before accessing them to perform the bind operation. As all bind operations are done anonymously (regardless of previous bind success), the auth access must be granted to anonymous. In the example ACL below grants the following access: @@ -249,7 +264,7 @@ In the example ACL below grants the following access: All other access is denied. - access to attr=userpassword + access to attr=userPassword by self =w by anonymous auth @@ -260,8 +275,9 @@ All other access is denied. Note that latest versions of slapd(8) will report invalid credentials in cases where the client has insufficient access to complete the operation. This is avoid inappropriate disclosure of the validity of the user's name. See also: ldapadd(1) ldapdelete(1) ldapmodify(1) ldapmodrdn(1) ldapsearch(1) slapd.conf(5) (Xref) Access Control -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_bind: Invalid credentials + +H3: ldap_bind: Invalid credentials + The error usually occurs when the credentials (password) provided does not match the userPassword held in entry you are binding to. The error can also occur when the bind DN specified is not known to the server. @@ -271,14 +287,16 @@ In addition to the cases mentioned above you should check if the server denied a To debug access rules defined in slapd.conf, add "ACL" to log level. See also: ldapadd(1) ldapdelete(1) ldapmodify(1) ldapmodrdn(1) ldapsearch(1) slapd.conf(5) (Xref) ldap_bind: No such object -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_bind: No such object -This answer is specific to OpenLDAP 1.2 and earlier releases. In later relases, ldap_bind returns (Xref) ldap_bind: Invalid credentials instead. + +H3: ldap_bind: No such object + +This answer is specific to OpenLDAP 1.2 and earlier releases. In later releases, ldap_bind returns (Xref) ldap_bind: Invalid credentials instead. 'No such object' is only returned by ldap_bind operation in a few special cases. Normally, the server returns (Xref) ldap_bind: Invalid credentials when the entry associated with the bind DN cannot be located. This error occurs when binding using the rootdn and the asserted value doesn't match configured password value. Rootpw values must be conform to RFC 2307 format defined for userPassword. See also: ldapadd(1) ldapdelete(1) ldapmodify(1) ldapmodrdn(1) ldapsearch(1) slapd.conf(5) (Xref) ldap_bind: Invalid credentials -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_bind: Protocol error + +H3: ldap_bind: Protocol error + There error is generally occurs when the LDAP version requested by the client is not supported by the server. The OpenLDAP Software 1.x server only accepts version 2 LDAP Bind requests. Note that 1.x server expects U-Mich LDAP, an LDAPv2 variant, to be used. This variant is sometimes referred to as LDAPv2+. @@ -287,60 +305,74 @@ The OpenLDAP Software 2.x server, by default, only accepts version 3 LDAP Bind r Use of LDAPv3! See also: (Xref) How to configure slapd(8) with LDAPv2 support (for legacy clients)?. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_modify: cannot modify object class + +H3: ldap_modify: cannot modify object class + This message is commonly returned when attempting to modify the objectClass attribute in a manner inconsistent with the LDAP/X.500 information model. In particular, it commonly occurs when one tries to change the structure of the object from one class to another, for instance, trying to change an 'apple' into a 'pear' or a 'fruit' into a 'pear'. Such changes are disallowed by the slapd(8) in accordance with LDAP and X.500 restrictions. To overcome this restriction in 2.3 (and prior releases), one must re-create the object with the desired new structural object class (e.g., delete old object then add new object). In 2.4, support for a new control will (hopefully) be introduced to allow the (authorized) user to request this (and various other model restrictions) be temporarily relaxed. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_sasl_interactive_bind_s: ... + +H3: ldap_sasl_interactive_bind_s: ... + If you intended to bind using a DN and password and get an error from ldap_sasl_interactive_bind_s, you likely forgot to provide a '-x' option to the command. By default, SASL authentication is used. '-x' is necessary to select "simple" authentication. Kurt@OpenLDAP.org -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_sasl_interactive_bind_s: No such Object + +H3: ldap_sasl_interactive_bind_s: No such Object + This indicates that LDAP SASL authentication function could not read the Root DSE. The error will occur when the server doesn't provide a root DSE. This may be due to access controls. Note, also, that LDAPv2 servers, such as those OpenLDAP 1.x's slapd(8), do not provide a root DSE. Use -P 2 when LDAPv2 is desired. LDAPv2 servers also do not support SASL binds, so you will need to use a "simple" bind instead. Note: SASL bind is the default for all OpenLDAP tools. To force use of "simple" bind, use the "-x" option. Use of "simple" bind is not recommended unless one has adequate confidentiality protection in place (e.g. TLS/SSL, IPSEC). -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_sasl_interactive_bind_s: No such attribute + +H3: ldap_sasl_interactive_bind_s: No such attribute + This indicates that LDAP SASL authentication function could read the Root DSE but it contained no supportedSASLMechanism attribute. The supportedSASLmechanism attribute lists mechanisms currently available. The list may be empty because none of the supported mechanisms are currently available. For example, EXTERNAL is listed only if the client has established its identity by authenticating at a lower level (e.g. TLS). Note: the attribute may not be visible due to access controls Note: SASL bind is the default for all OpenLDAP tools, e.g. ldapsearch(1), ldapmodify(1). To force use of "simple" bind, use the "-x" option. Use of "simple" bind is not recommended unless one has adequate confidentiality protection in place (e.g. TLS/SSL, IPSEC). -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_sasl_interactive_bind_s: Unknown authentication method + +H3: ldap_sasl_interactive_bind_s: Unknown authentication method + This indicates that none of the SASL authentication supported by the server are supported by the client, or that they are too weak or otherwise inappropriate for use by the client. Note that the default security options disallows the use of certain mechanisms such as ANONYMOUS and PLAIN (without TLS). Note: SASL bind is the default for all OpenLDAP tools. To force use of "simple" bind, use the "-x" option. Use of "simple" bind is not recommended unless one has adequate confidentiality protection in place (e.g. TLS/SSL, IPSEC). -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_sasl_interactive_bind_s: Local error (82) + +H3: ldap_sasl_interactive_bind_s: Local error (82) + Apparently not having forward and reverse DNS entries for the LDAP server can result in this error. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_search: Partial results and referral received -This error is returned with the server responses to an LDAPv2 search query with both results (zero or more matched entried) and references (referrals to other servers). + +H3: ldap_search: Partial results and referral received + +This error is returned with the server responses to an LDAPv2 search query with both results (zero or more matched entries) and references (referrals to other servers). See also: ldapsearch(1). -If the updatedn on the replica does not exist, a referral will be returned. It may do this as well if the ACL needs tweeking. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_start_tls: Operations error +If the updatedn on the replica does not exist, a referral will be returned. It may do this as well if the ACL needs tweaking. + +H3: ldap_start_tls: Operations error + ldapsearch(1) and other tools will return ldap_start_tls: Operations error (1) additional info: TLS already started when the user (though command line options and/or ldap.conf(5)) has requested TLS (SSL) be started twice. For instance, when specifying both "-H ldaps://server.do.main" and "-ZZ". -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ber_get_next on fd X failed errno=34 (Numerical result out of range) + +H2: Other Errors + +H3: ber_get_next on fd X failed errno=34 (Numerical result out of range) + This slapd error generally indicates that the client sent a message that exceeded an administrative limit. See sockbuf_max_incoming and sockbuf_max_incoming_auth configuration directives in slapd.conf(5). -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ber_get_next on fd X failed errno=11 (Resource temporarily unavailable) + +H3: ber_get_next on fd X failed errno=11 (Resource temporarily unavailable) + This message is not indicative of abnormal behavior or error. It simply means that expected data is not yet available from the resource, in this context, a network socket. slapd(8) will process the data once it does becomes available. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) daemon: socket() failed errno=97 (Address family not supported) + +H3: daemon: socket() failed errno=97 (Address family not supported) + This message indicates that the operating system does not support one of the (protocol) address families which slapd(8) was configured to support. Most commonly, this occurs when slapd(8) was configured to support IPv6 yet the operating system kernel wasn't. In such cases, the message can be ignored. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied; + +H3: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied; + This message means that slapd is not running as root and, thus, it cannot get its Kerberos 5 key from the keytab, usually file /etc/krb5.keytab. A keytab file is used to store keys that are to be used by services or daemons that are started at boot time. It is very important that these secrets are kept beyond reach of intruders. @@ -361,7 +393,7 @@ Now you have to tell slapd (well, actually tell the gssapi library in Kerberos 5 export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" -Set that environment variable on the slapd start script (RedHat users might find /etc/sysconfig/ldap a perfect place). +Set that environment variable on the slapd start script (Red Hat users might find /etc/sysconfig/ldap a perfect place). jsanchez@openldap.org, hyc@openldap.org This only works if you are using MIT kerberos. It doesn't work with Heimdal, for instance. andreas@conectiva.com.br @@ -371,16 +403,19 @@ In Heimdal there is a function gsskrb5_register_acceptor_identity() that sets th to your application's SASL config file to use this feature. This only works with Heimdal. hyc@openldap.org -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) access from unknown denied + +H3: access from unknown denied + This related to TCP wrappers. See hosts_access(5) for more information. in the log file: "access from unknown denied" This related to TCP wrappers. See hosts_access(5) for more information. for example: add the line "slapd: .hosts.you.want.to.allow" in /etc/hosts.allow to get rid of the error. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_read: want=# error=Resource temporarily unavailable + +H3: ldap_read: want=# error=Resource temporarily unavailable + This message occurs normally. It means that pending data is not yet available from the resource, a network socket. slapd(8) will process the data once it becomes available. -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) `make test' fails + +H3: `make test' fails + Some times, `make test' fails at the very first test with an obscure message like make test @@ -425,20 +460,22 @@ There might well be other reasons; the contents of the log file should help clar Tests that fire up multiple instances of slapd typically log to tests/testrun/slapd..log, with a distinct for each instance of slapd; list tests/testrun/ for possible values of . ando@sys-net.it -[Append to This Answer] -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed + +H3: ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed + This seems to be related with wrong ownership of the BDB's dir (/var/lib/ldap) and files. chmod -r openldap:openldap /var/lib/ldap fixes it in Debian Etch. I don't really know how the wrong permission went into place, but I suspect it has something to do with slapd's starting, no database existing (I had deleted it to get a new, fresh one), and slapd creating one before chroot. -After a bug report, some insightfull feedback, and some amount of testing, i found out that the 'wrong ownership of new files' problem is not with slapd but with slapadd. This happens when one initially populates the Directory. +After a bug report, some insightful feedback, and some amount of testing, i found out that the 'wrong ownership of new files' problem is not with slapd but with slapadd. This happens when one initially populates the Directory. Oh, and the right switch of chown is '-R', not '-r'. My God! What a mess! The right command to correct this problem is: chown -R /var/lib/ldap -[Append to This Answer] + pedrorandrade@gmail.com -(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Common Errors : (Answer) ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) +H3: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) + Using SASL, when a client contacts LDAP server, the slapd service dies immediately and client gets an error : SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) -Then check the slapd service, it stoped. +Then check the slapd service, it stopped. This may come from incompatible of using different versions of BerkeleyDB for installing of SASL and installing of OpenLDAP. The problem arises in case of using multiple version of BerkeleyDB. Solution: - Check which version of BerkeleyDB when install Cyrus SASL. - Reinstall OpenLDAP with the version of BerkeleyDB above. It was my case and that was the solution I did and it worked :) Hope this gives you some information. -- Le Trung Kien diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws index 40ac78d622..0b98a5f5c4 100644 --- a/doc/guide/admin/aspell.en.pws +++ b/doc/guide/admin/aspell.en.pws @@ -1,4 +1,4 @@ -personal_ws-1.1 en 1425 +personal_ws-1.1 en 1448 nattrsets inappropriateAuthentication api @@ -8,8 +8,8 @@ reqEnd olcOverlayConfig shoesize olcTLSCACertificateFile -cdx CGI +cdx DCE DAP attributename @@ -20,8 +20,8 @@ kurt authzID authzid authzId -ddd DAs +ddd userApplications BNF attrs @@ -32,8 +32,8 @@ ldapport hallvard ASN acknowledgements -ava Chu +ava monitorCounter del DDR @@ -84,13 +84,13 @@ olcModulePath maxentries authc seeAlso -searchBase searchbase +searchBase realnamingcontext -dns -DN's -DNs dn's +DNs +DN's +dns dereference sortKey authzTo @@ -155,8 +155,8 @@ INADDR compareDN sizelimit unixODBC -blen APIs +blen attrsOnly attrsonly slappasswd @@ -192,8 +192,8 @@ basedn argv gss schemachecking -WhoAmI whoami +WhoAmI syslogd dataflow subentries @@ -232,10 +232,11 @@ ldb srcdir pwdExpireWarning localstatedir +ldd sockbuf PENs -IPv ipv +IPv ghenry hyc multimaster @@ -250,6 +251,7 @@ whitespaces ISP ldp monitorInfo +PDUs bjensen newPasswd irresponsive @@ -268,8 +270,8 @@ intermediateResponse myOID structuralObjectClass integerMatch -OpenLDAP openldap +OpenLDAP moddn rewriteEngine AVAs @@ -288,8 +290,8 @@ bool logins jts memberAttr -newPasswdFile newpasswdfile +newPasswdFile ucdata LLL confdir @@ -306,18 +308,21 @@ desc LTCOMPILE bindmethod olcDbCheckpoint +addprinc modme refreshOnly PIII pwdPolicySubentry +supportedSASLmechanism +supportedSASLMechanism FIXME realanonymous caseExactMatch olcSizeLimit Bourne attr -objectIdentifier objectidentifier +objectIdentifier refint msgtype OBJEXT @@ -346,6 +351,7 @@ strdup gsMatch adamson UniqueName +LVL ppErrStr DESTDIR oid @@ -367,8 +373,8 @@ Autoconf alloc PDU OLF -inetOrgPerson inetorgperson +inetOrgPerson deleteoldrdn monitorCounterObject pid @@ -427,9 +433,9 @@ OTP entrylimit attrdescN logold -PRD -sbi pos +sbi +PRD reqEntries pre bvals @@ -455,8 +461,8 @@ telephonenumber telephoneNumber DLDAP peernamestyle -SHA Sep +SHA filename rpath argsfile @@ -476,6 +482,7 @@ subdir searchAttrDN cctrls tcp +kadmin strlen spellcheck ludpp @@ -483,8 +490,8 @@ typedef olcDbIDLcacheSize ostring mwrscdx -UCD SMD +UCD cancelled crit organizationalUnit @@ -496,8 +503,8 @@ TGT modulepath quickstart mySNMP -UDP tgz +UDP RDBMs rdbms Matic @@ -516,9 +523,9 @@ olcDbConfig refreshDone ssf replogfile -vec -TOC rwm +TOC +vec LDAPDN compareAttrDN endmacro @@ -526,15 +533,15 @@ tls repl monitoringslapd referralsp -SRP tmp +SRP olcDbNosync conns SSL PDkzODdASFxOQ SRV -sss rwx +sss deallocators Contribware URLlist @@ -649,11 +656,11 @@ groupstyle ldapsearch cp displayName -bv eg +bv olcBackendConfig -fd dn +fd LDAPSync olcReplicationInterval fG @@ -737,8 +744,8 @@ sn ru UG ss -TP su +TP reqMethod XLIBS PhotoObject @@ -755,14 +762,16 @@ xf param MChAODQ caseExactIA -Za Vu +Za idlecachesize ws errSleepTime INSTALLFLAGS pthread pwdHistory +x's +Debian slen errUnsolicitedOID dyngroup @@ -778,8 +787,8 @@ ZZ entryCSNs dlopen continuated -newSuperior newsuperior +newSuperior Preprocessor XXLIBS deallocate @@ -790,6 +799,7 @@ sbindir apache's noidlen monitorContext +testrun resync fqdn authPassword @@ -830,6 +840,7 @@ pwdSafeModify contrib FQDNs bjorn +myldap myLDAP peercred SNMP @@ -850,10 +861,11 @@ ldapmodrdn ldapbis attributeoptions serverID -memberof memberOf +memberof pseudorootpw CFLAGS +operationsError substr pwdAllowUserChange rewriteRule @@ -868,8 +880,8 @@ modifyAttrDN dcedn olcOverlay exop -BerElement berelement +BerElement olcRootDN octetString SampleLDAP @@ -878,8 +890,8 @@ PostgreSQL bvstr filesystem pathtest -objectclass objectClass +objectclass submatches newrdn armijo @@ -890,11 +902,12 @@ SSHA func filterlist modifyDN +jane syncuser Masarati LDAPSyntax -oldPasswdFile oldpasswdfile +oldPasswdFile reqDN SSFs ietf @@ -912,13 +925,14 @@ multiclassing monitoredInfo LTLINK addrdnvalues +KTNAME ETCDIR reqId setspec scanf TLSv -distinguishedName distinguishedname +distinguishedName BerVarray caseIgnoreSubstrin ldapwhoami @@ -946,8 +960,8 @@ slaptest zeilenga WebUpdate numericoid -ChangeLog changelog +ChangeLog creatorsName ascii wahl @@ -967,6 +981,7 @@ simplebinddn authcDN TLSCipherSuite supportedSASLMechanisms +rootdse rootDSE dsaparam cachefree @@ -976,10 +991,10 @@ schemadir attribute's extern varchar -olcDbCachesize olcDbCacheSize -authcID +olcDbCachesize authcid +authcID POSIX hnPk ldapext @@ -994,12 +1009,14 @@ Supr olcDatabaseConfig rwxrwxrwx aeeiib +SUPs reqStart sasldb somevalue LIBRELEASE -StartTLS +randkey starttls +StartTLS LDAPSchemaExtensionItem reqReferral shtool @@ -1009,9 +1026,10 @@ backend portnumber subjectAltName errObject +gsskrb valsort -berval's bervals +berval's derefFindingBaseObj checkpointed keytab @@ -1022,6 +1040,7 @@ dbnum olcLdapConfig sessionlog attrset +organizationPerson entryCSN strcast kbyte @@ -1032,8 +1051,8 @@ README memcalloc inet saslargs -givenName givenname +givenName olcDbMode pidfile olcLimits @@ -1041,8 +1060,9 @@ memvfree tuple superset directoryString -proxytemplate +ktadd proxyTemplate +proxytemplate wildcards monitoredObject TTLs @@ -1055,8 +1075,8 @@ bvalues reqResult impl outvalue -returncode returnCode +returncode attributeDescription attrval dnssrv @@ -1079,20 +1099,20 @@ uncached ldapapiinfo groupOfUniqueNames dhparam -slapds slapd's +slapds inputfile RDBMSes wildcard Locator -errABsObject errAbsObject +errABsObject SASL's html searchResultDone olcBdbConfig -LDAPMod ldapmod +LDAPMod olcHidden userPassword TLSRandFile @@ -1120,10 +1140,10 @@ cacertdir queryid Warper XDEFS -URL's urls -postaladdress +URL's postalAddress +postaladdress passwd plugins george @@ -1136,17 +1156,18 @@ ldbm ursula LDAPModifying slapdconfig +sysconfig dnSubtreeMatch -olcSaslSecprops olcSaslSecProps +olcSaslSecprops auditModify groupOfNames jensen reloadHint prepending olcGlobal -matchingrule matchingRule +matchingrule SmVuc MSSQL hostnames @@ -1160,9 +1181,9 @@ whsp realusers dnstyle suffixalias -proxyattrset -proxyAttrSet proxyAttrset +proxyAttrSet +proxyattrset pwdMustChange ldif bvfree @@ -1170,11 +1191,12 @@ sleeptime pwdCheckQuality msgidp pwdAttribute +chown PRNGD LDAPRDN entryUUIDs -proxyCache proxycache +proxyCache SERATGCgaGBYWGDEjJR noanonymous accessee @@ -1227,8 +1249,8 @@ passwdfile errMatchedDN everytime mkdep -olcDbIndex olcDbindex +olcDbIndex syntaxOID reqData databasetype @@ -1276,8 +1298,8 @@ bitstring ACLs berptr olcModuleLoad -attributeType attributetype +attributeType auditModRDN cacert freebuf @@ -1328,29 +1350,30 @@ preallocated syntaxes memberURL monitorRuntimeConfig -binddn -bindDN bindDn +bindDN +binddn methodp timelimitExceeded pwdInHistory LTSTATIC -requestor's requestors +requestor's LDAPCONF saslauthd MKDEPFLAG gecos entryUUID -GnuTLS -GNUtls gnutls +GNUtls +GnuTLS postread timeval DHAVE caseIgnoreSubstringsMatch monitorIsShadow syncdata +BDB's olcPidFile hostport backload @@ -1365,8 +1388,8 @@ entryTtl LDAPControl pwdMinLength ldapcompare -readOnly readonly +readOnly RANDFILE attrlist aci @@ -1390,8 +1413,8 @@ userid Kumar AES bdb -ManageDsaIT manageDSAit +ManageDsaIT bindpw monitorContainer pEntry @@ -1403,8 +1426,8 @@ Blowfish mkln numericStringSubstringsMatch testgroup -OpenSSL openssl +OpenSSL ModName cacheable freeit @@ -1413,8 +1436,8 @@ ber ali mandir changetype -CA's CAs +CA's typeA bvecfree ODBC -- 2.39.5