I want to get last modified timestamps, etc, on individual entries in
OpenLDAP just as I get them in my about to be retired Netscape server.
But I noticed that that lastmod overlay is not built by default when you
compile from source (one needs to include the "--enable-lastmod" when
running configure). And so, of course, my current binary doesn't
support that function. Is there a downside to using the lastmod
overlay? Can I just recompile and reinstall and not have to actually
rebuild the database, or do I have to dump the database and reload it again?
UNIX Services Manager
Linfield College, McMinnville OR
I have a bash script that does this:
hostDN=( $(ldapsearch .... | grep '^dn' | cut -d ' ' -f 2) )
The problem is that if the 'dn' line is too long, ldapsearch splits it
to several lines according to LDIF rules.
Is there any way to tell ldapsearch not to split lines (or does it
depend on server side?)
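Added example, not part of the original post: one way to handle the folding on the client side is to unfold the LDIF before extracting the `dn` values. The helper names (`unfold_ldif`, `extract_dns`, `naive_dns`, `sample_ldif`) and the sample LDIF are constructed for illustration, and a `base64` tool that accepts `-d` is assumed.

```shell
#!/bin/sh
# Added example: helper names and the sample LDIF below are constructed.

# Join LDIF continuation lines: per RFC 2849, a line beginning with a single
# space continues the previous line, and that one space is dropped.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (NR > 1) print buf; buf = $0 }
        END  { if (NR > 0) print buf }
    '
}

# Print one DN per line. "dn:: " marks a base64-encoded value, which must be
# decoded only after unfolding. Assumes a base64 tool that accepts -d.
extract_dns() {
    unfold_ldif | while IFS= read -r line; do
        case $line in
            'dn:: '*) printf '%s' "${line#dn:: }" | base64 -d; echo ;;
            'dn: '*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

# Constructed sample: one folded DN containing spaces, one folded base64 DN.
sample_ldif() {
    cat <<'EOF'
dn: cn=build-host-01,ou=Build Servers,ou=Infrastructure and Operations,dc=ex
 ample,dc=org
cn: build-host-01

dn:: Y249d2ViMDEsZGM9ZXhh
 bXBsZSxkYz1vcmc=
cn: web01
EOF
}

# The pipeline from the post: keeps only the first physical line of a folded
# DN and cuts at the first space inside the value.
naive_dns() { grep '^dn' | cut -d ' ' -f 2; }

sample_ldif | naive_dns      # truncated or still-encoded values
sample_ldif | extract_dns    # complete DNs, one per line
```

In bash, `mapfile -t hostDN < <(ldapsearch .... | extract_dns)` loads the result into an array without splitting DNs that contain spaces. Newer OpenLDAP client tools also accept `-o ldif-wrap=no`, which disables the folding at the source.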
I am trying to set up a replication server using Openldap-2.3.27. I have set it
up (detailed below) and I get on the slave
TLS: can't accept.
TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580
What is really strange is that I can log on and make manual modifications to
the slave from the master as the replication user with the password specified
in slapd.conf (yes, over tls!).
I was thinking it might be because of differing ssl versions, but I tried
switching to SSLv3 in the config file and it had no effect.
Does anyone have some tips that would help me additionally debug this problem
or get an idea of where the failure is?
// Relevant config file lines on master
// Relevant config lines on slave
----- Original Message ----
From: Howard Chu <hyc(a)symas.com>
> This combination of switches makes no sense. See configure --help.
> There is no "--enable-openssl" option.
> When you use "--disable-slapd" all backends and overlays are disabled.
Hello OpenLDAP-software :)!
I have a working syncrepl replication and even managed to do fractional replication
(only a subset of attributes are replicated). The list of attributes that should be
replicated is defined via ACL on the provider, like this:
access to dn.subtree="ou=users,dc=org,dc=test,dc=si"
by dn="cn=rep1,ou=replicators,dc=org,dc=test,dc=si" read
by anonymous auth
Consumer configuration looks like this:
Everything is working fine, however the problem is that provider is
using some additional schema with attributes, which are of no interest
to the consumer. The unwanted attributes are filtered out via provider
ACL, however the data from the provider contains an additional objectClass
with a custom schema name. Because the consumer doesn't have this schema
it denies replication with an error message:
... slapd: syncrepl_message_to_entry: mods check (objectClass: value #0 invalid per syntax)
Which is logical... the entry has an unknown objectClass.
Is it possible to somehow also filter out the unwanted "objectClass: unknownLocalStuff" ?
I tried googling for the fractional replication but it seems to be an obscure topic.
The OpenLDAP admin manual doesn't mention it so any help is welcome :).
Dave Horsfall wrote:
> Can someone please provide a succinct response that I can relay in turn?
> They refuse to listen to reason.
Two things: slapd is known to crash in various ways when using BDB 4.3
under heavy load. Also, there was no database format change between BDB
4.3 and 4.4. There was a logfile format change though, so you'll want to
have a full checkpoint and remove all the obsolete log files.
> ---------- Forwarded message ----------
> Date: Wed, 15 Nov 2006 23:42:07 GMT
> From: Xin LI <delphij(a)FreeBSD.org>
> To: daveh(a)ci.com.au, delphij(a)FreeBSD.org, delphij(a)FreeBSD.org
> Subject: Re: ports/105585: OpenLDAP should not be linked with BDB 4.3
> Synopsis: OpenLDAP should not be linked with BDB 4.3
> State-Changed-From-To: open->feedback
> State-Changed-By: delphij
> State-Changed-When: Wed Nov 15 23:41:22 UTC 2006
> Have you ever hit a bug with the current linkage? The
> change would require a user to dump and re-import their
> database, so I need some evidence that BDB 4.3 is causing
> problem before I can make a change.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
I got a problem with the proxycache. I am trying to use it together with
back-shell. This is my configuration, partly taken from the manual.
search /usr/bin/php /opt/scripts/shell.php
proxycache shell 100000 1 1000 100
proxyAttrset 0 objectClass cn sn mail postaladdress telephonenumber
proxyTemplate (sn=) 0 3600
proxyTemplate (&(sn=)(givenName=)) 0 3600
proxyTemplate (&(departmentNumber=)(secretary=*)) 0 3600
index cn,sn,uid pres,eq,approx,sub
index objectclass pres,eq
If I try to search for (sn=sth.) with the cn attribute as the result
attribute I get the result the first time from the script. The second
time the proxy gets in and this is the result:
result: 53 Server is unwilling to perform
text: search not implemented
Now I have to say that the script always returns all attributes, no
matter what you put in the request. But the frontend filters it. Might
that be a problem?
This may be OT, but after 3 days of trying to get my question answered on FreeBSD lists, I figured I'd come back here where I know you guys have the answer ;) I would like to run the following env/options in building OpenLDAP:
CPPFLAGS=-I/usr/local/include/db42 LDFLAGS=-L/usr/local/lib/db42 CC=gcc \
*However*, one has to perform some mystical incantation when doing this with the FreeBSD port system. I need someone to initiate me into this mystery. That is, can someone just give me the command I need to issue to build OpenLDAP the way I want to? Rewrite the above with whatever necessary wrappers to get FreeBSD to swallow it?
At 04:15 AM 11/15/2006, Giulio Federici wrote:
>test:~# ldapsearch -x -D "cn=admin,dc=burp" -w <xxx> -s sub -b "dc=burp" "(objectClass=*o*)"
Substring assertions are only sensible where the attribute type's
values are strings (as opposed to represented as strings) and has
been defined with an appropriate substrings matching rule. Values
of objectClass attribute are OIDs and sensibly the objectClass
is defined with no substrings matching rule. Hence, slapd(8)
properly regards the assertion as Undefined and the filter
evaluates to False.