Enable debug output
Enable trace files with libopensync and libopensync-plugin-ldap
mkdir /tmp/trace
export OSYNC_TRACE=/tmp/trace
osynctool --listplugins
(...)
Enable trace files with libsyncml
mkdir /tmp/trace
export SYNCML_TRACE=/tmp/trace
(...)
Enable debug output with the LDAP server slapd on fedora 10
vim /etc/rsyslog.conf
  *.* /var/log/debug
service syslog restart
vim /etc/sysconfig/ldap
  OPTIONS="-d 32767"
vim /etc/openldap/slapd.conf
  logfile /tmp/slapd.log
  loglevel any
service ldap configtest
service ldap restart
tail -f /tmp/slapd.log
How to debug the format conversions with the ldap-sync plugin
The transformation from the format understood by the libldap API to any format understood by libopensync is performed in several steps and can be observed by defining certain DEBUG_* constants:
LDAP <---> ldap plugin <---> libopensync <---> syncml plugin <---> phone
The conversation with the LDAP server API for getting data out of the directory information tree (DIT) can be watched by defining in ldap_plugin.h:
DEBUG_ldapdata_from_server
The step from the LDAP server API to the xml format internally used by the ldap-sync plugin can be observed by this constant:
DEBUG_convert_ldap2xmldoc
The step from this plugin-internal xml format to xmlformat-contact, for instance, or the other way round:
DEBUG_do_apply_stylesheet
The step from xmlformat-contact to the xml format used by the ldap plugin internally:
DEBUG_convert_xmldoc2ldap
And the way the ldap plugin talks to the LDAP server API in order to write data into the directory information tree:
DEBUG_ldapdata_to_server
CMakeError: MACRO_ENSURE_OUT_OF_SOURCE_BUILD
Problem
CMake Error at cmake/modules/MacroEnsureOutOfSourceBuild.cmake:13 (MESSAGE):
  libopensync-plugin-ldap doesn't allow to build within the source directory.
  Please, create a seperate build directory and run
  'cmake /home/user1/dev/plugins/ldap-sync [options]'!
Call Stack (most recent call first):
  /usr/local/share/libopensync1/cmake/modules/OpenSyncInternal.cmake:9 (MACRO_ENSURE_OUT_OF_SOURCE_BUILD)
  CMakeLists.txt:50 (INCLUDE)
Solution
tar -xvjf libopensync-plugin-ldap-0.39
cd libopensync-plugin-ldap-0.39
mkdir build
cd build
cmake ...
make ...
Problem: But I did make a separate build directory! Why does cmake not realize this?
Solution
Delete all the cache files “CMakeCache.txt” that you can find inside the libopensync-plugin-ldap-0.xx source directory.
Debugging hints for SASL
Which SASL mechanisms are supported by the LDAP library
With unencrypted sessions
ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
With encrypted sessions
ldapsearch -x -b "" -s base -LLL -Z supportedSASLMechanisms
Test SASL authentication with regard to read access, only
ldapwhoami -U "ldap_user" -w "secret" -Y DIGEST-MD5
ldapwhoami -U "ldap_user" -w "secret" -Y CRAM-MD5
ldapwhoami -U "ldap_user" -w "secret" -Z -Y LOGIN
ldapwhoami -U "ldap_user" -w "secret" -Z -Y PLAIN
ldapwhoami -Z -Y EXTERNAL
kinit -V ldap_user
(...)
ldapwhoami -Y GSSAPI
In case of any problems, one could add “-V -d1” to the ldapwhoami command line.
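The mechanism list that the two ldapsearch queries above return is only useful if you also decide which of the offered mechanisms are acceptable without TLS. The following script is an added example, not code from the ldap-sync plugin or from OpenLDAP: it parses the LDIF that ldapsearch -LLL prints for the root DSE and classifies each mechanism the same way the ldapwhoami tests above do (LOGIN and PLAIN only together with -Z). It assumes Python 3; the sample LDIF is constructed, and the mechanism groupings are my own.

```python
"""Parse the LDIF from
    ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
and flag the SASL mechanisms that need TLS underneath.
Added example; SAMPLE_LDIF is constructed, not captured from a real server."""
import re
import sys

# Constructed sample of what ldapsearch -LLL prints for the root DSE.
SAMPLE_LDIF = """\
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN

"""

# PLAIN and LOGIN send the password as-is: refuse them without TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# MD5 challenge/response: the password is not sent, but a captured exchange
# can be attacked offline, so TLS underneath is still recommended.
WEAK_CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5"}


def parse_ldif_attr(ldif, attr):
    """Return every value of `attr` in a single-entry LDIF text.
    Folded lines (continuation lines that start with one space) are
    unfolded first, as RFC 2849 requires."""
    unfolded = re.sub(r"\n ", "", ldif)
    values = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            values.append(value.strip())
    return values


def classify_mechs(mechs, tls_active):
    """Map each offered mechanism to 'ok', 'tls-required' or
    'tls-recommended', depending on whether TLS already protects the session."""
    verdict = {}
    for mech in mechs:
        if mech in CLEARTEXT_MECHS:
            verdict[mech] = "ok" if tls_active else "tls-required"
        elif mech in WEAK_CHALLENGE_MECHS:
            verdict[mech] = "ok" if tls_active else "tls-recommended"
        else:
            # GSSAPI and EXTERNAL bring their own protection
            # (Kerberos session keys, TLS client certificate).
            verdict[mech] = "ok"
    return verdict


if __name__ == "__main__":
    # Real usage:  ldapsearch ... supportedSASLMechanisms | python3 sasl_check.py - [--tls]
    ldif = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_LDIF
    tls = "--tls" in sys.argv[1:]
    mechs = parse_ldif_attr(ldif, "supportedSASLMechanisms")
    for mech, verdict in classify_mechs(mechs, tls).items():
        print(f"{mech:12s} {verdict}")
```

Run it once without and once with --tls (i.e. after the -Z variant of the ldapsearch query) to see which mechanisms only become acceptable once the session is encrypted.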
Display the TLS certificates
of the LDAP server only
openssl s_client -connect localhost:636 -showcerts
both of the server and the client
openssl s_client -connect localhost:636 -cert /etc/openldap/cacerts/client.crt -key /etc/openldap/cacerts/client.key -showcerts
Make the debug output of slapd visible
vim /etc/rsyslog.conf
  *.* /var/log/debug
service syslog restart
vim /etc/sysconfig/ldap
  OPTIONS="-d 32767"
Example of a debug session
Problem
ldapwhoami -V -d 1 -Z -Y EXTERNAL
(...)
ldap_sasl_interactive_bind_s: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_int_sasl_open: host=host.example.com
SASL/EXTERNAL authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

tail -f /var/log/debug
Feb 20 13:30:49 host slapd[6298]: connection_get(21): got connid=1
Feb 20 13:30:49 host slapd[6298]: connection_read(21): checking for input on id=1
Feb 20 13:30:50 host slapd[6298]: connection_read(21): unable to get TLS client DN, error=49 id=1
Feb 20 13:30:50 host slapd[6298]: conn=1 fd=21 TLS established tls_ssf=256 ssf=256
Solution
The variables TLS_CACERTDIR, TLS_CERT, TLS_KEY, TLSCipherSuite and TLS_REQCERT MUST NOT be configured in /etc/openldap/ldap.conf. They MUST be configured in ~/.ldaprc, instead.
Debugging the style sheets
How to observe the mapping step from xmlformat_contact to ldap_inetorgperson
Comment out #undef DEBUG_do_apply_stylesheet so that DEBUG_do_apply_stylesheet becomes defined:
vim ldap_plugin.h
  // #undef DEBUG_do_apply_stylesheet
Example file contact4.xml
<?xml version="1.0"?>
<contact>
  <Address Location="Home">
    <PostOfficeBox>12345</PostOfficeBox>
    <ExtendedAddress>userstreet5 10000 Any City user1 Berlin Berlin 10000 Germany </ExtendedAddress>
    <Street>Mr. user1</Street>
    <Locality>Any City</Locality>
    <Region>Any State</Region>
    <PostalCode>10000</PostalCode>
    <Country>Any Country</Country>
  </Address>
  <AddressLabel Location="Home">
    <Content>Mr. user1 userstreet5 10000 Any City user1 Berlin Berlin 10000 Germany Any City, Any State 10000 12345 Any Country</Content>
  </AddressLabel>
  <AddressLabel>
    <Content>user1 userstreet 5 Berlin, Berlin 10000 10000 Berlin Germany</Content>
  </AddressLabel>
  <Anniversary>
    <Content>20090302</Content>
  </Anniversary>
  <Assistant>
    <Content>workaholic</Content>
  </Assistant>
  <Birthday>
    <Content>20090301</Content>
  </Birthday>
  <BlogUrl>
    <Content>http://blog.example.com/</Content>
  </BlogUrl>
  <CalendarUrl>
    <Content>http://calendar.example.com/</Content>
  </CalendarUrl>
  <Categories>
    <Category>Hot Contacts</Category>
  </Categories>
  <EMail Location="Other" UI-Slot="1">
    <Content>user1@home</Content>
  </EMail>
  <FileAs>
    <Content>user1</Content>
  </FileAs>
  <FormattedName>
    <Content>user1</Content>
  </FormattedName>
  <FreeBusyUrl>
    <Content>http://busy.example.com/</Content>
  </FreeBusyUrl>
  <IM-AIM Location="Home" UI-Slot="1">
    <Content>aim_account</Content>
  </IM-AIM>
  <IM-ICQ Location="Home" UI-Slot="4">
    <Content>icq_account</Content>
  </IM-ICQ>
  <IM-MSN Location="Home" UI-Slot="3">
    <Content>msn_account</Content>
  </IM-MSN>
  <IM-Yahoo Location="Home" UI-Slot="2">
    <Content>yahoo_account</Content>
  </IM-Yahoo>
  <Manager>
    <Content>dude1</Content>
  </Manager>
  <Name>
    <FirstName>user1</FirstName>
  </Name>
  <Nickname>
    <Content>one</Content>
  </Nickname>
  <Note>
    <Content>Here we could any notes.</Content>
  </Note>
  <Organization>
    <Name>creative.com</Name>
    <Unit>supervisory</Unit>
    <Unit>Second floor</Unit>
  </Organization>
  <Profession>
    <Content>creator</Content>
  </Profession>
  <Revision>
    <Content>20090315T124347Z</Content>
  </Revision>
  <Spouse>
    <Content>Betty</Content>
  </Spouse>
  <Telephone Location="Work" UI-Slot="1">
    <Content>0000000000004</Content>
  </Telephone>
  <Title>
    <Content>Emperor</Content>
  </Title>
  <Uid>
    <Content>pas-id-49BCF74000000000</Content>
  </Uid>
  <Url>
    <Content>http://www.example.com/</Content>
  </Url>
  <VideoUrl>
    <Content>http://video.example.com/</Content>
  </VideoUrl>
  <WantsHtml>
    <Content>TRUE</Content>
  </WantsHtml>
</contact>
Check the mapping step from xmlformat_contact to ldap_inetorgperson
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xmllint --noout -
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xsltproc ldap_inetorgperson2xmlformat_contact.xsl -
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xsltproc ldap_inetorgperson2xmlformat_contact.xsl - | xmllint --noout -
xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml | xsltproc ldap_inetorgperson2xmlformat_contact.xsl - | xmllint --noout --schema /usr/local/share/libopensync1/schemas/xmlformat-contact.xsd -
Alternative parsers
java -jar /usr/share/java/xalan-j2.jar -IN contact4.xml -XSL xmlformat_contact2ldap_inetorgperson.xsl
java -jar /usr/share/java/saxon.jar contact4.xml xmlformat_contact2ldap_inetorgperson.xsl
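The xsltproc and xmllint pipelines above only tell you that the round trip produces well-formed, schema-valid XML; they do not tell you which contact fields the ldap_inetorgperson mapping silently dropped or rewrote. The script below is an added example, not part of the plugin or the page: it compares the leaf elements of the original contact document with those of the round-tripped one and lists lost, changed and added paths. It assumes Python 3 and only the standard library; the two embedded documents are constructed cut-down contacts (the Spouse loss and the telephone rewrite are invented to show what a report looks like), and the file name roundtrip_diff.py is my own.

```python
"""Report which leaf elements survive the round trip
xmlformat_contact -> ldap_inetorgperson -> xmlformat_contact.
Added example; the embedded documents are constructed. Real usage:
    xsltproc xmlformat_contact2ldap_inetorgperson.xsl contact4.xml \
      | xsltproc ldap_inetorgperson2xmlformat_contact.xsl - > roundtrip.xml
    python3 roundtrip_diff.py contact4.xml roundtrip.xml"""
import sys
import xml.etree.ElementTree as ET

# Constructed original (a subset of contact4.xml above).
ORIGINAL = """<?xml version="1.0"?>
<contact>
  <Name><FirstName>user1</FirstName></Name>
  <Nickname><Content>one</Content></Nickname>
  <EMail Location="Other" UI-Slot="1"><Content>user1@home</Content></EMail>
  <Spouse><Content>Betty</Content></Spouse>
  <Telephone Location="Work" UI-Slot="1"><Content>0000000000004</Content></Telephone>
</contact>"""

# Constructed round-trip result: Spouse is gone and the phone number was reformatted.
ROUNDTRIP = """<?xml version="1.0"?>
<contact>
  <Name><FirstName>user1</FirstName></Name>
  <Nickname><Content>one</Content></Nickname>
  <EMail Location="Other" UI-Slot="1"><Content>user1@home</Content></EMail>
  <Telephone Location="Work" UI-Slot="1"><Content>+49 0000000000004</Content></Telephone>
</contact>"""


def leaf_values(xml_text):
    """Map each leaf element to its text values, keyed by a path that includes
    the element's attributes so that Telephone Location="Work" and
    Location="Home" stay distinct. Repeated leaves collect into a list."""
    root = ET.fromstring(xml_text)
    out = {}

    def walk(elem, prefix):
        attrs = "".join(f"[@{k}={v}]" for k, v in sorted(elem.attrib.items()))
        path = f"{prefix}/{elem.tag}{attrs}"
        children = list(elem)
        if not children:
            out.setdefault(path, []).append((elem.text or "").strip())
        for child in children:
            walk(child, path)

    walk(root, "")
    return out


def roundtrip_diff(original_xml, roundtrip_xml):
    """Return the leaf paths that were lost, changed, or newly added."""
    before = leaf_values(original_xml)
    after = leaf_values(roundtrip_xml)
    return {
        "lost": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(p for p in after if p not in before),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            original = f.read()
        with open(sys.argv[2], encoding="utf-8") as f:
            roundtrip = f.read()
    else:
        original, roundtrip = ORIGINAL, ROUNDTRIP
    for kind, paths in roundtrip_diff(original, roundtrip).items():
        for path in paths:
            print(f"{kind}: {path}")
```

A "lost" entry is expected for every xmlformat-contact element that inetOrgPerson has no attribute for; a "changed" entry points at a stylesheet that normalises values, which is worth knowing before two peers start overwriting each other on every sync.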
ERROR: (mod->mod_vals.modv_strvals) is NULL
This error message:
ERROR: (mod->mod_vals.modv_strvals) is NULL.
means that a particular libldap call has not been told to use binary values rather than strings. The ldap plugin does NOT use “modv_strvals”. Throughout the whole plugin “mod->mod_vals.modv_bvals”, or shorter, “mod->mod_bvalues”, is used. So there must always be a prior line “mod->mod_op = LDAP_MOD_BVALUES” or “mod->mod_op = LDAP_MOD_BVALUES | ANY_OTHER_OPTION | ...”. Apparently, such a line is missing in this case.
LDAP ERROR: No such object (32)
This error message may have different reasons, the most common one being that you simply have a typo in your search:
ldapsearch -Y GSSAPI -LLL -b "ou=addresssbook,dc=example,dc=com" -s sub dn
SASL/GSSAPI authentication started
SASL username: ldap_user@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Matched DN: dc=example,dc=com
In this example, addressbook has been written with three s rather than only two, so this particular object does indeed not exist. But the very same error message may also be triggered in cases where the object in question does exist, but “ldap_user” does not have enough access rights to see it. Pretty misleading, I must say. In such a case slapd most probably has to be reconfigured. Even if ldap_user can authenticate with the LDAP server, this says nothing about the degree of rights he has for reading, writing and so on on the server. He also needs to have sufficient access rights.
Finally, a third reason for “No such object” has absolutely nothing to do with the DIT or with any object at all: if the filesystem where the LDAP server stores its database is running out of space, the LDAP server is no longer able to perform regular database actions. In this case it seems that the LDAP server reports “No such object”. This is not just a misleading message. It is simply wrong. “No space available” or something similar would have been the correct error message.
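For the typo case, the “Matched DN” line in the ldapsearch output above already tells you how far the server got: it is the longest suffix of the requested base that does exist, so everything to the left of it is what could not be resolved. The helper below is an added example, not part of the plugin or of OpenLDAP; it splits both DNs into RDNs and returns the unresolved components. It assumes Python 3, handles backslash-escaped commas but not quoted RDN values, and the function names are my own.

```python
"""Given the base DN of a failed search and the Matched DN slapd returned with
'No such object (32)', return the RDN components the server could not resolve.
Added example; the sample DNs are the ones from the ldapsearch output above."""


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas. Backslash escaping
    per RFC 4514 is honoured; quoted RDN values are not handled."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def unresolved_rdns(base_dn, matched_dn):
    """Return the leading RDNs of base_dn that lie below matched_dn.
    DNs are written leaf-first, so matched_dn must be a suffix of base_dn;
    an empty matched_dn means not even the top-level component exists."""
    base = split_dn(base_dn)
    matched = split_dn(matched_dn)
    if matched:
        tail = [r.lower() for r in base[-len(matched):]]
        if tail != [r.lower() for r in matched] or len(matched) > len(base):
            raise ValueError("matched DN is not a suffix of the base DN")
    return base[: len(base) - len(matched)]


if __name__ == "__main__":
    # The DNs from the ldapsearch session above.
    base = "ou=addresssbook,dc=example,dc=com"
    matched = "dc=example,dc=com"
    for rdn in unresolved_rdns(base, matched):
        print(f"could not resolve: {rdn}")
```

If the unresolved part is a single RDN that you are sure exists, you are in the second situation the text describes (insufficient access rights rather than a missing entry), and the slapd ACLs are the place to look next.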
LDAP ERROR: Invalid credentials (49)
The error messages by slapd and libldap are often misleading, and so they are in this case. You MAY have used a wrong user name and/or password. But it is ALSO possible that the LDAP server is simply wrongly configured: all users, not just the authenticated ones, need read access to "ou=people,dc=example,dc=com" if they are to be allowed to use the simple authentication method (which could very well be forbidden by the administrator). Otherwise slapd cannot check user name and password.
Problems like this one can be debugged by OPTIONS="-d ACL" in /etc/sysconfig/ldap on a fedora system.
LDAP ERROR: "Cannot modify object class". structural object class modification from 'inetOrgPerson' to 'evolutionPerson' not allowed
What has happened?
The database contains an entry for object type "contact" that has originally been stored as LDAP object class "inetOrgPerson". This very entry is now to be modified according to one of the peers, say the file-sync plugin. However, the LDAP plugin is currently configured to use the format "ldap-evolutionperson" for object type "contact". So it tries to perform the modification requested by the peer with the "ldap-evolutionperson" format in mind.
Solution:
Simply change the configuration of the LDAP plugin. Change the format from "ldap-evolutionperson" to "ldap-inetorgperson":
From:
(...)
<Resource>
<Enabled>1</Enabled>
<Formats>
<Format>
<Name>ldap-evolutionperson</Name>
</Format>
</Formats>
<ObjType>contact</ObjType>
</Resource>
(...)
To:
(...)
<Resource>
<Enabled>1</Enabled>
<Formats>
<Format>
<Name>ldap-inetorgperson</Name>
</Format>
</Formats>
<ObjType>contact</ObjType>
</Resource>
(...)
