Is back-sql production ready ?
by Mike Bloom
Hi,
I've been using ldap for a few years now, but I've come to the
realization that I have a lot of mysql databases lying around that
should be integrated and unified. Its time to move to something more robust.
I'm using openldap-24 and am thrilled with the responsiveness and
extensibility of the software, but I'm curious about using mysql as a
back end instead of bdb.
I've been able get unixODBC up and running without any problems, but I'm
stumbling a bit over the 10,000 foot view on metadata and how to
generate metadata to insert a samba 3 object.
After skimming for a few days, I found this lovely overview
(http://www.openldap.org/faq/data/cache/978.html) which didn't inspire a
lot of confidence in how easy it would be to support abstract schemas
that we might want to host on this system.
From this discussion and subsequent threads
(http://www.openldap.org/lists/openldap-software/200511/msg00504.html) ,
I'm concerns about the practicality and that I might have unrealistic
expectations for being able to deploy 250k records on my mysql cluster
to service a series of ldap servers over back-sql.
Does anyone run back-sql in production, and what kind of records on what
scale of system are you using ?
I have high confidence that I want to use ldap, but I'd rather right
provisioning software that talks to a mysql database than to talk to the
ldap database. To make things more complicated, I suspect we will be
moving to oracle in the next few years.
Does anyone have any suggestions on a 10000 foot view of metadata ?
Thanks.
15 years, 6 months
posixgroup & structuralobject errors
by jef peeraer
i am using openldap for many years now ( arround 300 users ) but
recently i encountered some problems. i installed a new server (
opensuse 10.1) and tried to import an ldap database which comes from a
suse 9.3
There seems to be a difference in schemas anyway. (opensuse 10.1 has
openldap version 2.3.19 , 9.3 -> 2.2.23)
I've get these errors during import ->
structuralObjectClass 'posixGroup' is not STRUCTURAL
The entry on which i've got the complaints ->
dn: cn=root,ou=Group,dc=deterp,dc=be
objectClass: posixGroup
objectClass: top
cn: root
userPassword:: xxxxxxx
gidNumber: 0
structuralObjectClass: posixGroup
I did a search in the faq and on google, but didn't find very much about it.
jef peeraer
15 years, 6 months
Hi people, about backend.
by Brivaldo Junior
What's the best backend for OpenLDAP...
Fastest, stable, the best.. or a explain about each one... if possible.
Thank's a lot.
--
Brivaldo Alves da Silva Jr
ITS/Shared Application Services
Federal University of Mato Grosso do Sul - Brazil
15 years, 6 months
ldapadd fails with "ldap_add: No such object (32)"
by Reed Kempf
Hello,
I am new to openldap and am having trouble with ldapadd. This is the error
I am getting when running the command.
[root@centutl1 openldap]# ldapadd -x -D "cn=ldapadmin,dc=cent,dc=lan" -w
"foo" -f /etc/openldap/passwd.LDIF
adding new entry "uid=root,ou=People,dc=cent,dc=lan"
ldap_add: No such object (32)
Here is my slapd.conf and the commands I used to get to this point.
database bdb
suffix "dc=cent,dc=lan"
rootdn "cn=ldapadmin,dc=cent,dc=lan"
rootpw {SSHA}M3xAuwK9FK6Oj28DiTpR0Pb/DBaVHUcU
issued service ldap start
[root@centutl1 openldap]# service ldap start
Checking configuration files for : config file testing succeeded
Starting slapd: [ OK ]
1. migrate_common.ph (changed to $DEFAULT_BASE = "dc=cent,dc=lan";)
2. migrate_passwd.pl /etc/password passwd.LDIF
3. migrate_group.pl /etc/group group.LDIF
4. Attempted to import the files with these commands.
Thanks in advance.
ReedK
15 years, 6 months
ppolicy implementation questions
by Lee Sheridan
I'm a little confused about a couple of things with ppolicy, I would
appreciate somone helping me to sort it out.
Here's my problem. I have a pwdMinAge set to some number X. The reason
is that the password policy I'm implementing says that passwords must
not be reused until some N days and Y number of changes have elapsed.
Thus, pwdMinAge is approximately N / Y, which means that even if a user
changes their password every X days, they won't go through all Y
passwords until all N days have passed. Clearly not the best option.
So my first question is this: I see that the pwdHistory attribute
stores time the password was used within it. Is there some way for
ppolicy to check if a password that is being reused has been reused in <
X days?
Failing in that (which would allow me to get rid of using pwdMinAge)...
When I set a user password with the rootdn or similar, the user can not
reset their password because it is too young. I can see no way to
modify pwdChangedTime. How exactly is this handled?
Third, apparently only the rootdn can set a password when the password
is < pwdMinAge. Users with an ACL that allows write access to
userPassword also go through the ppolicy policies (which makes sense).
Is there a way to exclude them also from ppolicy constraints when
setting another user's password?
TIA,
--
Lee Sheridan 301.286.5898 voice
NASA / Goddard Space Flight Center lsherida(a)nccs.nasa.gov
Computer Sciences Corporation Building 28, Room S230
Code 606.2
15 years, 6 months
2.3 admin guide
by Gerard Ranke
Hi all,
I wanted to read up on indexing, and I noticed that, in the admin guide,
the index directive is under par. 6.2.5.6. So it seems as if this is
specific to the ldbm backend ( par. 6.2.5 ). I was under the impression
that index directives were valid for bdb backends too. So, can I use
index directives for bdb? And is the syntax in 6.2.5.6 still valid?
Thanks for your answers.
Best regards,
Gerard Ranke
15 years, 6 months
ldapsearch hang
by Phillip
Hi all,
I do the following testing, use a running "ftp" to instead of existed
LDAP, and with its corresponding port,
# ldapsearch -x -H ldap://192.168.123.1:22
Here, 192.168.123.1 is a ftp server with port 22 open.
When I execute the command, it seems to be hung without any error
messages.
I think, if the ldap server or port is not available, it would return
with error message immediately.
How do you think of this interesting testing?
Regards,
Phillip
15 years, 6 months
slapo accesslog purge in 2.3.19 [auf Viren überprüft]
by Hans Moser
Hi!
I activated overlay accesslog in a 2.3.19 server. Everthing works fine
(changes are logged) as long as I do not activate logpurge:
line 69 (overlay accesslog)
line 70 (logdb "ou=log,ou=foo,o=bar,c=de")
>>> dnPrettyNormal: <ou=log,ou=foo,o=bar,c=de>
<<< dnPrettyNormal: <ou=log,ou=foo,o=bar,c=de>, <ou=log,ou=foo,o=bar,c=de>
line 71 (logops writes)
line 72 (logpurge 10+00:00 1+00:00)
/opt/mail//etc/openldap/slapd.conf: line 72: <logpurge> handler exited
with 1!
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
# in slapd.conf
overlay accesslog
logdb "ou=log,ou=foo,o=bar,c=de"
logops writes
logpurge 10+00:00 1+00:00
This seems not to be related to ITS#4505 or #4595, which occour in
CHANGES for "accesslog purge" for version >2.3.19.
Hans
15 years, 6 months