I've been using ldap for a few years now, but I've come to the
realization that I have a lot of mysql databases lying around that
should be integrated and unified. Its time to move to something more robust.
I'm using openldap-24 and am thrilled with the responsiveness and
extensibility of the software, but I'm curious about using mysql as a
back end instead of bdb.
I've been able get unixODBC up and running without any problems, but I'm
stumbling a bit over the 10,000 foot view on metadata and how to
generate metadata to insert a samba 3 object.
After skimming for a few days, I found this lovely overview
(http://www.openldap.org/faq/data/cache/978.html) which didn't inspire a
lot of confidence in how easy it would be to support abstract schemas
that we might want to host on this system.
From this discussion and subsequent threads
I'm concerns about the practicality and that I might have unrealistic
expectations for being able to deploy 250k records on my mysql cluster
to service a series of ldap servers over back-sql.
Does anyone run back-sql in production, and what kind of records on what
scale of system are you using ?
I have high confidence that I want to use ldap, but I'd rather right
provisioning software that talks to a mysql database than to talk to the
ldap database. To make things more complicated, I suspect we will be
moving to oracle in the next few years.
Does anyone have any suggestions on a 10000 foot view of metadata ?
i am using openldap for many years now ( arround 300 users ) but
recently i encountered some problems. i installed a new server (
opensuse 10.1) and tried to import an ldap database which comes from a
There seems to be a difference in schemas anyway. (opensuse 10.1 has
openldap version 2.3.19 , 9.3 -> 2.2.23)
I've get these errors during import ->
structuralObjectClass 'posixGroup' is not STRUCTURAL
The entry on which i've got the complaints ->
I did a search in the faq and on google, but didn't find very much about it.
What's the best backend for OpenLDAP...
Fastest, stable, the best.. or a explain about each one... if possible.
Thank's a lot.
Brivaldo Alves da Silva Jr
ITS/Shared Application Services
Federal University of Mato Grosso do Sul - Brazil
At 10:05 AM 11/3/2006, Brivaldo Junior wrote:
> or a explain about each one...
>Thank's a lot.
>Brivaldo Alves da Silva Jr
>ITS/Shared Application Services
>Federal University of Mato Grosso do Sul - Brazil
I am new to openldap and am having trouble with ldapadd. This is the error
I am getting when running the command.
[root@centutl1 openldap]# ldapadd -x -D "cn=ldapadmin,dc=cent,dc=lan" -w
"foo" -f /etc/openldap/passwd.LDIF
adding new entry "uid=root,ou=People,dc=cent,dc=lan"
ldap_add: No such object (32)
Here is my slapd.conf and the commands I used to get to this point.
issued service ldap start
[root@centutl1 openldap]# service ldap start
Checking configuration files for : config file testing succeeded
Starting slapd: [ OK ]
1. migrate_common.ph (changed to $DEFAULT_BASE = "dc=cent,dc=lan";)
2. migrate_passwd.pl /etc/password passwd.LDIF
3. migrate_group.pl /etc/group group.LDIF
4. Attempted to import the files with these commands.
Thanks in advance.
I'm a little confused about a couple of things with ppolicy, I would
appreciate somone helping me to sort it out.
Here's my problem. I have a pwdMinAge set to some number X. The reason
is that the password policy I'm implementing says that passwords must
not be reused until some N days and Y number of changes have elapsed.
Thus, pwdMinAge is approximately N / Y, which means that even if a user
changes their password every X days, they won't go through all Y
passwords until all N days have passed. Clearly not the best option.
So my first question is this: I see that the pwdHistory attribute
stores time the password was used within it. Is there some way for
ppolicy to check if a password that is being reused has been reused in <
Failing in that (which would allow me to get rid of using pwdMinAge)...
When I set a user password with the rootdn or similar, the user can not
reset their password because it is too young. I can see no way to
modify pwdChangedTime. How exactly is this handled?
Third, apparently only the rootdn can set a password when the password
is < pwdMinAge. Users with an ACL that allows write access to
userPassword also go through the ppolicy policies (which makes sense).
Is there a way to exclude them also from ppolicy constraints when
setting another user's password?
Lee Sheridan 301.286.5898 voice
NASA / Goddard Space Flight Center lsherida(a)nccs.nasa.gov
Computer Sciences Corporation Building 28, Room S230
I wanted to read up on indexing, and I noticed that, in the admin guide,
the index directive is under par. 184.108.40.206. So it seems as if this is
specific to the ldbm backend ( par. 6.2.5 ). I was under the impression
that index directives were valid for bdb backends too. So, can I use
index directives for bdb? And is the syntax in 220.127.116.11 still valid?
Thanks for your answers.
I do the following testing, use a running "ftp" to instead of existed
LDAP, and with its corresponding port,
# ldapsearch -x -H ldap://192.168.123.1:22
Here, 192.168.123.1 is a ftp server with port 22 open.
When I execute the command, it seems to be hung without any error
I think, if the ldap server or port is not available, it would return
with error message immediately.
How do you think of this interesting testing?
I activated overlay accesslog in a 2.3.19 server. Everthing works fine
(changes are logged) as long as I do not activate logpurge:
line 69 (overlay accesslog)
line 70 (logdb "ou=log,ou=foo,o=bar,c=de")
>>> dnPrettyNormal: <ou=log,ou=foo,o=bar,c=de>
<<< dnPrettyNormal: <ou=log,ou=foo,o=bar,c=de>, <ou=log,ou=foo,o=bar,c=de>
line 71 (logops writes)
line 72 (logpurge 10+00:00 1+00:00)
/opt/mail//etc/openldap/slapd.conf: line 72: <logpurge> handler exited
slapd destroy: freeing system resources.
connections_destroy: nothing to destroy.
# in slapd.conf
logpurge 10+00:00 1+00:00
This seems not to be related to ITS#4505 or #4595, which occour in
CHANGES for "accesslog purge" for version >2.3.19.