Database Administrators
Latest Questions
0 votes, 1 answer, 506 views
Is there any special meaning for numbers in braces like {0} or {1} in LDIF files of OpenLDAP?
I'm playing a bit with OpenLDAP.
In the configuration LDIF files there are often numbers in braces like {0} or {1}, e.g.:
dn: olcDatabase={0}config,cn=config
or
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field;
  the common name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absol
 ute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
 .1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to
  the login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
 .1.26 SINGLE-VALUE )
Do the {0}, {1} and so on have any special meaning (like parameters) or are they just strings?
Mahe (109 rep), Mar 25, 2019, 02:57 PM; last activity Apr 3, 2023, 08:03 PM
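The `{n}` prefixes are what the question is about, so here is an added worked example (mine, not from the post or from OpenLDAP) that parses such an entry. Background the example relies on: in cn=config, attributes declared X-ORDERED 'VALUES' (olcAccess, olcAttributeTypes and others) carry a `{n}` prefix that records the value's position, and the olcDatabase RDN carries one because databases are X-ORDERED 'SIBLINGS'; slapd adds and renumbers the prefixes itself. The number is positional metadata, not part of the value, but it matters: olcAccess rules are evaluated in `{n}` order and the first matching rule wins, and an ldapmodify that deletes or replaces one value has to quote the prefix. The sample LDIF is constructed; it lists the two olcAccess values out of order and folds one of them so the parser has to join continuation lines.

```python
import re
from typing import Dict, List, Optional, Tuple

ORDER_RE = re.compile(r"^\{(\d+)\}(.*)$", re.S)

# Constructed sample modelled on the cn=config LDIF in the question. A line
# that starts with one space continues the previous line (LDIF folding). The
# two olcAccess values are deliberately listed out of {n} order.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcAccess: {1}to * by dn.exact="cn=admin,dc=example,dc=com" write by
  * read
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
"""

Entry = Dict[str, List[Tuple[Optional[int], str]]]


def unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) back onto their line."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def split_order(value: str) -> Tuple[Optional[int], str]:
    """'{2}foo' -> (2, 'foo'); a value without an X-ORDERED prefix -> (None, value)."""
    m = ORDER_RE.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)


def parse_entry(ldif: str) -> Entry:
    """Parse one LDIF entry into attr -> [(index or None, value), ...] in file order."""
    entry: Entry = {}
    for line in unfold(ldif):
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):
            raise ValueError(f"base64 ('::') values are not handled: {attr}")
        entry.setdefault(attr.strip(), []).append(split_order(value.strip()))
    return entry


def ordered_values(entry: Entry, attr: str) -> List[str]:
    """Values of an X-ORDERED attribute sorted by their {n} index, prefixes removed."""
    pairs = entry.get(attr, [])
    if any(idx is None for idx, _ in pairs):
        raise ValueError(f"{attr} has values without an X-ORDERED prefix")
    return [val for _, val in sorted(pairs, key=lambda p: p[0])]


def rdn_order(entry: Entry) -> Tuple[Optional[int], str]:
    """Sibling index of the entry: 'olcDatabase={1}mdb,cn=config' -> (1, 'olcDatabase=mdb')."""
    (_, dn), = entry["dn"]
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    idx, bare = split_order(rdn_value)
    return idx, f"{rdn_attr}={bare}"
```

Running `ordered_values(parse_entry(SAMPLE_LDIF), "olcAccess")` returns the userPassword rule first even though it appears second in the file, which is the order slapd will apply the rules in; an audit script that reads the ACLs in file order would get the precedence wrong.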
1 vote, 1 answer, 330 views
OpenLDAP replication doesn't run after configuring
I'm practicing OpenLDAP replication with 2 CentOS 6.9 64-bit virtual machines.
The setup process was fine, but after I insert data into the master server, nothing happens on the slave.
**MASTER SETTING**
*slapd.conf*
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
updatedn "cn=Manager,dc=example,dc=com"
updateref ldap://192.168.1.11:389
**SLAVE SETTING**
*slapd.conf*
syncrepl rid=2
    provider=ldap://192.168.1.10
    type=refreshOnly
    interval=00:00:00:01
    searchbase="dc=example,dc=com"
    filter="(objectClass=*)"
    attrs="*"
    scope=sub
    schemachecking=off
    updatedn="cn=manager,dc=example,dc=com"
    bindmethod=simple
    binddn="cn=manager,dc=example,dc=com"
    credentials=secret
updateref ldap://192.168.1.10
I'm using OpenLDAP 2.4.21 and BerkeleyDB 4.8.
Thế Hải Nguyễn (111 rep), Oct 5, 2018, 03:00 AM; last activity Aug 16, 2022, 12:01 AM
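The first thing to check when a consumer "does nothing" is whether its contextCSN ever moves towards the provider's. Both sides expose it on the suffix entry (`ldapsearch -x -H ldap://<host> -b dc=example,dc=com -s base contextCSN`). The script below is an added example, not from the post or from OpenLDAP: it parses two such dumps, embedded here as constructed LDIF, and reports how far behind the consumer is per serverID; None means the consumer never received anything from that server, which is what a refused replication bind or an ACL that hides the tree from the replication DN looks like from the outside. Two things in the posted consumer block worth confirming while at it: the replication DN needs read access to the whole searchbase including operational attributes (consumers are usually configured with attrs="*,+"), and a simple bind with credentials=secret over plain ldap:// puts that password on the wire in the clear.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# OpenLDAP CSN layout: <UTC time>.<microseconds>Z#<count>#<serverID>#<modifier>
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

# Constructed LDIF as returned by
#   ldapsearch -x -H ldap://<host> -b dc=example,dc=com -s base contextCSN
# on each server; the consumer here is one minute behind the provider.
PROVIDER_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20181005030000.123456Z#000000#000#000000
"""
CONSUMER_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20181005025900.000000Z#000000#000#000000
"""


def csn_time(csn: str) -> datetime:
    """Timestamp part of a CSN as an aware UTC datetime."""
    m = CSN_RE.match(csn)
    if m is None:
        raise ValueError(f"malformed CSN: {csn!r}")
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return stamp.replace(microsecond=int(m.group(2)), tzinfo=timezone.utc)


def context_csns(ldif: str) -> Dict[str, str]:
    """serverID -> contextCSN from an ldapsearch dump (one value per replica that has written)."""
    csns: Dict[str, str] = {}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "contextcsn":
            continue
        csn = value.strip()
        m = CSN_RE.match(csn)
        if m is None:
            raise ValueError(f"malformed CSN: {csn!r}")
        csns[m.group(4)] = csn
    return csns


def replication_lag(provider_ldif: str, consumer_ldif: str) -> Dict[str, Optional[float]]:
    """Per serverID: seconds the consumer is behind, 0.0 if caught up, None if it never synced that sid."""
    provider = context_csns(provider_ldif)
    consumer = context_csns(consumer_ldif)
    lag: Dict[str, Optional[float]] = {}
    for sid, pcsn in provider.items():
        ccsn = consumer.get(sid)
        if ccsn is None:
            lag[sid] = None            # nothing ever arrived from this provider
        elif ccsn >= pcsn:             # fixed-width fields, so string order is CSN order
            lag[sid] = 0.0
        else:
            lag[sid] = (csn_time(pcsn) - csn_time(ccsn)).total_seconds()
    return lag


def in_sync(provider_ldif: str, consumer_ldif: str, tolerance: float = 5.0) -> bool:
    """True only if every provider CSN is present on the consumer and within tolerance seconds."""
    lags = replication_lag(provider_ldif, consumer_ldif).values()
    return all(lag is not None and lag <= tolerance for lag in lags)
```

Run the two ldapsearch commands a few seconds apart after writing to the master: a lag that stays constant or a None entry means the consumer is not pulling at all, and the consumer's slapd log (loglevel sync) will say why.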
0 votes, 1 answer, 930 views
Db2 LDAP security plugin error
I'm playing around with the LDAP security plugin. I noticed that after a certain number of grants I get an error that the LDAP server can't be reached:
SQL30082N Security processing failed with reason "26" ("UNEXPECTED SERVER
ERROR"). SQLSTATE=08001
Related entries from db2diag.log:
2018-08-16-08.06.30.095156+120 E650341472E720 LEVEL: Severe
PID : 87873 TID : 140137426052864 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : WT000N11
APPHDL : 0-1814 APPID: *LOCAL.db2inst1.180816060533
AUTHID : DB2INST1 HOSTNAME: nya-50
EDUID : 581 EDUNAME: db2agent (NYA) 0
FUNCTION: DB2 UDB, bsu security, sqlex_get_authid_type, probe:300
MESSAGE : ADM13001E Plug-in "IBMLDAPgroups" received error code "-16" from the
DB2 security plug-in API "db2secDoesGroupExist" with the error
message "InitLDAP: bind failed rc=81 (Can't contact LDAP server)
SearchDN='cn=admin,dc=its,dc=se'".
2018-08-16-08.06.30.095818+120 I650342193E845 LEVEL: Info
PID : 87873 TID : 140137426052864 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : WT000N11
APPHDL : 0-1814 APPID: *LOCAL.db2inst1.180816060533
AUTHID : DB2INST1 HOSTNAME: nya-50
EDUID : 581 EDUNAME: db2agent (NYA) 0
FUNCTION: DB2 UDB, SW- common services, sqlnn_cmpl, probe:670
MESSAGE : ZRC=0x805C0177=-2141453961=SQLEX_PLGN_SRV_CON_UNEXPECTED_ERROR
"The server security plugin encountered an unexpected error"
DATA #1 : String, 51 bytes
An error was detected during statement compilation.
DATA #2 : String, 156 bytes
Compiler error stack for rc = -2141453961:
sqlnn_cmpl
sqlnp_main
sqlnp_parser
sqlnp_smactn
sqlnq_auth_stmt
sqlnq_auth_stmt_end
A simple sh script to reproduce the problem:
#!/bin/sh
# Grant SELECT on every user table to the same n LDAP groups; stop at the first failure.
n=0
db2 connect to db
# Build the group list "A1, A2, ..., A300" with a recursive CTE
e=$(db2 -x "with t(n) as ( values 1 union all select n+1 from t where n<300 ) select listagg('A' || n,', ') from t")
for t in $(db2 -x "select rtrim(tabschema)||'.'||rtrim(tabname) from syscat.tables where tabschema not like 'SYS%'"); do
    db2 -v "grant select on table $t to group $e"
    if [ $? -ne 0 ]; then
        echo "failed after $n successful grants" >&2
        exit 1
    fi
    n=$(expr $n + 1)
done
exit 0
There's a strong correlation between the number of groups in the grant and the number of iterations before the crash (the numbers are exactly the same every time I run it), so I suspect that some resource gets exhausted.
grant select on table Ti to group A1, A2, ...,An
+----------------------+-----------------------------+
| Number of groups (n) | Iterations before crash (i) |
+----------------------+-----------------------------+
| 100                  | 141                         |
| 200                  |  69                         |
| 300                  |  46                         |
| 600                  |  22                         |
+----------------------+-----------------------------+
I can't find any errors on the LDAP side.
I can repeatably run the test without restarting anything in between, and the crash appears at the same iteration every time.
If I configure Db2 to use two LDAP servers:
LDAP_HOST = host1 host2
it switches between them when the crash appears, and the test script continues.
*** Edit: Additional observations ***
Adding a sleep between each grant increases the number of iterations. For 600 groups:
+---------------+-------------------------+
| Sleep seconds | Iterations before crash |
+---------------+-------------------------+
| 0             | 22                      |
| 1             | 28                      |
| 2             | 31                      |
| 3             | 1166 (all tables)       |
+---------------+-------------------------+
For the 3-second sleep, it ran all 1166 tables successfully. Unfortunately, such a sleep won't be a very practical solution.
Any clues anyone?
*** Edit: Additional observations 2 ***
Running several test scripts in parallel causes the situation to appear really fast. I now suspect that it is a problem with LDAP rather than with Db2. I do notice that Db2 keeps a connection open for some time, so it may help to increase some limit in LDAP. Will check tomorrow.
Lennart - Slava Ukraini (23862 rep), Aug 16, 2018, 07:11 AM; last activity Sep 10, 2018, 01:55 PM
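An added example (mine, not from the post or from IBM) that turns the two db2diag.log records quoted above into structured records and pulls out the security plug-in failure; it is the shape of check you would run over the whole log to see when the rc=81 binds start and how many precede each switch to the second LDAP host (81 is LDAP_SERVER_DOWN, 0x51, in the LDAP C API). It also computes n*i from the posted table: the product sits near 14,000 for every row, which is what you would expect if the budget being exhausted is per group lookup (one db2secDoesGroupExist call per group named in the GRANT) rather than per statement. That reading is mine, not the poster's. The sample log is the two records from the question embedded inline, the Info record trimmed to the fields used.

```python
import re
from typing import Dict, List, Optional

# The two db2diag.log records quoted in the question, embedded so the parser
# runs offline (the Info record is trimmed to the fields used here).
SAMPLE_DB2DIAG = """\
2018-08-16-08.06.30.095156+120 E650341472E720 LEVEL: Severe
PID : 87873 TID : 140137426052864 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB : WT000N11
APPHDL : 0-1814 APPID: *LOCAL.db2inst1.180816060533
AUTHID : DB2INST1 HOSTNAME: nya-50
EDUID : 581 EDUNAME: db2agent (NYA) 0
FUNCTION: DB2 UDB, bsu security, sqlex_get_authid_type, probe:300
MESSAGE : ADM13001E Plug-in "IBMLDAPgroups" received error code "-16" from the
DB2 security plug-in API "db2secDoesGroupExist" with the error
message "InitLDAP: bind failed rc=81 (Can't contact LDAP server)
SearchDN='cn=admin,dc=its,dc=se'".
2018-08-16-08.06.30.095818+120 I650342193E845 LEVEL: Info
PID : 87873 TID : 140137426052864 PROC : db2sysc 0
FUNCTION: DB2 UDB, SW- common services, sqlnn_cmpl, probe:670
MESSAGE : ZRC=0x805C0177=-2141453961=SQLEX_PLGN_SRV_CON_UNEXPECTED_ERROR
"The server security plugin encountered an unexpected error"
DATA #1 : String, 51 bytes
An error was detected during statement compilation.
"""

# A record starts with "<timestamp> <record id> LEVEL: <level>".
HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d{6}[+-]\d{3,4}) (\S+) LEVEL: (\w+)$")
# Field lines carry an upper-case key; wrapped MESSAGE text never does (heuristic).
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9 #]*?)\s*:\s*(.*)$")
PLUGIN_RE = re.compile(r'Plug-in "([^"]+)" received error code "(-?\d+)" from the\s+DB2 security plug-in API "([^"]+)"')
LDAP_RC_RE = re.compile(r"bind failed rc=(\d+) \(([^)]*)\)")


def parse_db2diag(text: str) -> List[Dict]:
    """Split db2diag.log text into records: {timestamp, level, fields{KEY: value}}."""
    records: List[Dict] = []
    current: Optional[Dict] = None
    last_key: Optional[str] = None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            current = {"timestamp": head.group(1), "level": head.group(3), "fields": {}}
            records.append(current)
            last_key = None
            continue
        if current is None:
            continue                       # text before the first record header
        field = FIELD_RE.match(line)
        if field:
            last_key = field.group(1).strip()
            current["fields"][last_key] = field.group(2)
        elif last_key is not None:
            current["fields"][last_key] += " " + line.strip()   # wrapped continuation
    return records


def plugin_failures(records: List[Dict]) -> List[Dict]:
    """ADM13001E security plug-in errors, with the LDAP result code if the message carries one."""
    found = []
    for rec in records:
        msg = rec["fields"].get("MESSAGE", "")
        plug = PLUGIN_RE.search(msg)
        if not plug:
            continue
        rc = LDAP_RC_RE.search(msg)
        found.append({
            "timestamp": rec["timestamp"],
            "level": rec["level"],
            "plugin": plug.group(1),
            "plugin_rc": int(plug.group(2)),
            "api": plug.group(3),
            "ldap_rc": int(rc.group(1)) if rc else None,      # 81 == LDAP_SERVER_DOWN (0x51)
            "ldap_error": rc.group(2) if rc else None,
        })
    return found


def group_lookups_before_crash(table: List[tuple]) -> List[int]:
    """n * i for each (groups, iterations) row: group checks issued before the failure."""
    return [groups * iterations for groups, iterations in table]
```

Fed the real log, `plugin_failures` gives one row per failed bind with a timestamp, so the failures can be lined up against the LDAP server's own connection log and against netstat output (TIME_WAIT counts, open descriptors) on both hosts to find which side runs out of what.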
0 votes, 0 answers, 140 views
external authentication of database users in Db2
For a future project, I am looking into authenticating Db2 database users via LDAP and PAM. However, it seems that the LDAP server is deprecated in Red Hat:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/chap-red_hat_enterprise_linux-7.4_release_notes-deprecated_functionality
and it is suggested to migrate to Red Hat Identity Management or Red Hat Directory Server. Before setting that up myself, I'm curious whether anybody knows if authentication for Db2 via any of these replacements works, and what steps are required in Db2 to switch from LDAP to Identity Management or Red Hat Directory Server?
Lennart - Slava Ukraini (23862 rep), Jun 20, 2018, 08:55 AM
1 vote, 1 answer, 3898 views
How to use OpenLDAP for Oracle database user authentication
In our enterprise, we have a large number of Oracle databases and (obviously) a large number of users with access to different databases. We would like to ease the procedure to create/drop/modify users at an enterprise level. An LDAP solution comes to mind, but the solutions from Oracle Corp are too expensive. Needless to say, my management asked me to research and come up with an alternative. I read about OpenLDAP. My questions:
1. How do I set up OpenLDAP for Oracle user security authentication?
2. Can I use OpenLDAP standalone, or does it have to be integrated with an Oracle product like OID, OVD, ODSEE etc.?
3. Are there any certified install procedures for setting up OpenLDAP with an Oracle database?
I didn't find anything on the internet about setting up OpenLDAP for this. Any help/pointer would be appreciated. The goal is to avoid any products from Oracle Corp, purely for cost reasons.
Thanks
Anand Doraiswamy (11 rep), Apr 14, 2017, 09:36 PM; last activity Apr 15, 2017, 04:03 PM
1 vote, 0 answers, 548 views
SASL won't auth against LDAP
So I am running into a whirlwind of issues with my Cyrus install. I am setting up a multi-domain Kolab groupware solution. I am on CentOS 6.7.
I am getting this flooding my error logs when I try to create a new user on a fresh multi-domain setup:
Aug 24 19:01:19 gmx1 imaps: badlogin: localhost [::1] PLAIN [SASL(-13): authentication failure: bad userid authenticated]
Aug 24 19:01:23 gmx1 imaps: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Aug 24 19:01:23 gmx1 imaps: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 19:01:23 gmx1 imaps: SASL unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 19:01:23 gmx1 imaps: ptload(): bad response from ptloader server: ptsmodule_canonifyid() failed
Aug 24 19:01:23 gmx1 imaps: ptload completely failed: unable to canonify identifier: 'john'[0:1]doe@domain.com
Aug 24 19:01:23 gmx1 imaps: SASL bad userid authenticated
The users do NOT show up in Kolab webadmin... It keeps trying to add a test user I made and won't stop trying. If I reboot the server, it goes away.
I tried playing with:
/etc/imapd.conf
ldap_domain_base_dn: cn=kolab,cn=config
ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
ldap_domain_name_attribute: associatedDomain
ldap_domain_scope: sub
ldap_domain_result_attribute: inetdomainbasedn
(Should this be defined?)
ldap_domain_base_dn: cn=kolab,cn=config
I also noticed these at the top. Should this be "PLAIN"? See below.
sasl_pwcheck_method: auxprop saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
My imapd config:
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus-admin
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
sasl_pwcheck_method: auxprop saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
tls_server_cert: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_server_key: /etc/pki/cyrus-imapd/cyrus-imapd.pem
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13
auth_mech: pts
pts_module: ldap
ldap_servers: ldap://localhost:389
ldap_sasl: 0
ldap_base: dc=domain,dc=com
ldap_bind_dn: uid=kolab-service,ou=Special Users,dc=domain,dc=com
ldap_password: WIY0DNbAYPc8uY5
ldap_filter: (|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))
ldap_user_attribute: mail
ldap_group_base: dc=domain,dc=com
ldap_group_filter: (&(cn=%u)(objectclass=ldapsubentry)(objectclass=nsroledefinition))
ldap_group_scope: one
ldap_member_base: ou=People,dc=domain,dc=com
ldap_member_method: attribute
ldap_member_attribute: nsrole
ldap_restart: 1
ldap_timeout: 10
ldap_time_limit: 10
unixhierarchysep: 1
virtdomains: userid
annotation_definitions: /etc/imapd.annotations.conf
sieve_extensions: fileinto reject envelope body vacation imapflags notify include regex subaddress relational copy date index
allowallsubscribe: 0
allowusermoves: 1
altnamespace: 1
hashimapspool: 1
anysievefolder: 1
fulldirhash: 0
sieveusehomedir: 0
sieve_allowreferrals: 0
lmtp_downcase_rcpt: 1
lmtp_fuzzy_mailbox_match: 1
username_tolower: 1
deletedprefix: DELETED
delete_mode: delayed
expunge_mode: delayed
postuser: shared
ldap_domain_base_dn: cn=kolab,cn=config
ldap_domain_filter: (&(objectclass=domainrelatedobject)(associateddomain=%s))
ldap_domain_name_attribute: associatedDomain
ldap_domain_scope: sub
ldap_domain_result_attribute: inetdomainbasedn
Cyrus version:
name : Cyrus IMAPD
version : git2.5+0-Kolab-2.5-108.1.el6.kolab_3.4
vendor : Project Cyrus
support-url: http://www.cyrusimap.org
os : Linux
os-version : 2.6.32-042stab108.7
environment: Built w/Cyrus SASL 2.1.23
Running w/Cyrus SASL 2.1.23
Built w/OpenSSL 1.0.1e-fips 11 Feb 2013
Running w/OpenSSL 1.0.1e-fips 11 Feb 2013
Built w/zlib 1.2.3
Running w/zlib 1.2.3
CMU Sieve 2.4
TCP Wrappers
NET-SNMP
mmap = shared
lock = fcntl
nonblock = fcntl
idle = idled
Kolab web-admin is in turn unable to write the entry to Cyrus, as the user doesn't show up in the Roundcube DB.
I think my main problem is that this "ptloader" cannot canonify the user. Should I turn on canonicalization?
This article says to use it:
https://docs.kolab.org/howtos/multi-domain.html#cyrus-imap-changes
This one does not:
http://bmts.us/wiki/doku.php?id=article:kolab:multidomain
Running:
testsaslauthd -u cyrus-admin -p mypassword
works fine as well:
0: OK "Success."
Gordon Snappleweed (11 rep), Aug 25, 2015, 02:52 AM
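The ldap_filter in the posted imapd.conf is a template into which the login name is substituted before the search runs, which makes it the classic spot for LDAP filter injection: whatever a client types at the IMAP LOGIN prompt ends up inside the filter. The example below is added here and is not Cyrus code: it expands the posted template with and without RFC 4515 escaping, so you can see a crafted userid rewrite the filter's structure in the unescaped case. The token meanings (%U the user part of the login, %d its domain part, %r the realm) are read off the posted filter and are assumptions about ptloader, not a claim about its implementation; whether Cyrus itself escapes these values is not something this page shows, so check it in your version before relying on it.

```python
from typing import Dict

# ldap_filter exactly as in the posted imapd.conf.
FILTER_TEMPLATE = (
    "(|(&(|(uid=cyrus-admin)(uid=cyrus-murder))(uid=%U))"
    "(&(|(uid=%U)(mail=%U@%d)(mail=%U@%r))(objectclass=kolabinetorgperson)))"
)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: characters with meaning inside a filter become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _expand(template: str, tokens: Dict[str, str]) -> str:
    """Replace %X tokens in the template; %% is a literal percent sign."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling % at end of template")
        key = template[i + 1]
        if key == "%":
            out.append("%")
        elif key in tokens:
            out.append(tokens[key])
        else:
            raise ValueError(f"unknown token %{key}")
        i += 2
    return "".join(out)


def _tokens(userid: str, realm: str) -> Dict[str, str]:
    # Assumed token meanings, read off the posted filter: %U user part, %d domain part, %r realm.
    user, _, domain = userid.partition("@")
    return {"U": user, "d": domain, "r": realm}


def expand_filter_unsafe(template: str, userid: str, realm: str) -> str:
    """Vulnerable: raw substitution lets the login name add or close filter components."""
    return _expand(template, _tokens(userid, realm))


def expand_filter(template: str, userid: str, realm: str) -> str:
    """Hardened: every substituted value is escaped, so it can only ever match as a literal."""
    return _expand(template, {k: escape_filter_value(v) for k, v in _tokens(userid, realm).items()})
```

With the login name `john)(uid=cyrus-admin` the unsafe expansion turns `(uid=%U)` into `(uid=john)(uid=cyrus-admin)`, adding an admin match to the OR branch; the escaped expansion leaves one `(uid=john\29\28uid=cyrus-admin)` component that matches nothing.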
3 votes, 1 answer, 864 views
acl to allow nested groups in owner attribute
I'm trying to create an ACL entry to allow users specified in the owner attribute of a group to manage the group, and also to allow groups, including nested groups, to be specified as owners.
I've got this rule, which allows admin access to nested members of a specific group:
{0}to * by ssf=128 set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member*" manage by * break
And I've got this rule which works for granting management permissions to users that are directly specified as owners:
{2}to dn.children="dc=Groups,dc=example,dc=com" by ssf=128 set="user & this/owner" manage
but so far I haven't been able to figure out how to combine the two concepts to allow specifying groups as owners. Has anyone gotten something like this working?
Brad Mace (329 rep), Mar 8, 2011, 06:06 PM; last activity Mar 8, 2011, 06:20 PM
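An added example (mine, not slapd code) that models the two posted set rules over a small constructed directory, plus the combination the question is after: the owners of the target entry followed by a member closure, i.e. `this/owner/member*`. It assumes the slapd.access(5) reading that `attr*` means zero or more dereferences (so the owners themselves stay in the set); verify that against your slapd before relying on it. Nested groups also mean cycles (a group that lists a group that lists it back), so the closure tracks what it has already visited. Note that both posted rules guard the grant with ssf=128, which keeps a `manage` privilege off unencrypted sessions; the combined rule should keep that guard.

```python
from typing import Dict, List, Set

# Constructed mini-directory: DN -> attribute -> values. cn=ops contains
# cn=dev, and cn=dev lists cn=ops back, so the membership graph has a cycle.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com": {
        "member": ["uid=alice,ou=People,dc=example,dc=com"],
    },
    "cn=ops,ou=Groups,dc=example,dc=com": {
        "member": ["uid=bob,ou=People,dc=example,dc=com",
                   "cn=dev,ou=Groups,dc=example,dc=com"],
    },
    "cn=dev,ou=Groups,dc=example,dc=com": {
        "member": ["uid=dave,ou=People,dc=example,dc=com",
                   "cn=ops,ou=Groups,dc=example,dc=com"],
    },
    "cn=project,ou=Groups,dc=example,dc=com": {
        "owner": ["uid=carol,ou=People,dc=example,dc=com",
                  "cn=ops,ou=Groups,dc=example,dc=com"],
        "member": ["uid=eve,ou=People,dc=example,dc=com"],
    },
}

ADMINS = "cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com"


def deref(dns: Set[str], attr: str, directory=DIRECTORY) -> Set[str]:
    """One hop ('set/attr'): the union of attr values over every DN in the set."""
    out: Set[str] = set()
    for dn in dns:
        out.update(directory.get(dn, {}).get(attr, []))
    return out


def closure(dns: Set[str], attr: str, directory=DIRECTORY) -> Set[str]:
    """Zero or more hops ('set/attr*'): the start set plus everything reachable through attr.
    Assumes the slapd.access(5) reading that '*' includes the zero-hop case; cycle-safe."""
    seen = set(dns)
    frontier = set(dns)
    while frontier:
        frontier = deref(frontier, attr, directory) - seen
        seen |= frontier
    return seen


def admins_rule(user: str) -> bool:
    """Posted rule {0}: user & [cn=Administrators,...]/member*"""
    return user in closure({ADMINS}, "member")


def owner_rule(user: str, target: str) -> bool:
    """Posted rule {2}: user & this/owner (users named directly as owners)."""
    return user in deref({target}, "owner")


def nested_owner_rule(user: str, target: str) -> bool:
    """The combination the question asks for: user & this/owner/member*
    (direct owners, plus members, at any depth, of any group named as owner)."""
    return user in closure(deref({target}, "owner"), "member")
```

For cn=project the combined rule admits carol (direct owner), bob (member of the owner group cn=ops) and dave (member of cn=dev, which cn=ops contains), and refuses eve, who is only a member of the project group itself; the ops/dev cycle terminates because already-seen DNs are never expanded twice.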
2 votes, 1 answer, 201 views
Dates in openldap acl rules
Is it possible to use dates in OpenLDAP's ACL entries? I'm looking to do something like
to * by this/termDate < NOW none by * break
Brad Mace (329 rep), Mar 7, 2011, 06:34 PM; last activity Mar 8, 2011, 05:23 PM