Is back-sql production ready ?
by Mike Bloom
Hi,
I've been using ldap for a few years now, but I've come to the
realization that I have a lot of mysql databases lying around that
should be integrated and unified. Its time to move to something more robust.
I'm using openldap-24 and am thrilled with the responsiveness and
extensibility of the software, but I'm curious about using mysql as a
back end instead of bdb.
I've been able get unixODBC up and running without any problems, but I'm
stumbling a bit over the 10,000 foot view on metadata and how to
generate metadata to insert a samba 3 object.
After skimming for a few days, I found this lovely overview
(http://www.openldap.org/faq/data/cache/978.html) which didn't inspire a
lot of confidence in how easy it would be to support abstract schemas
that we might want to host on this system.
From this discussion and subsequent threads
(http://www.openldap.org/lists/openldap-software/200511/msg00504.html) ,
I'm concerns about the practicality and that I might have unrealistic
expectations for being able to deploy 250k records on my mysql cluster
to service a series of ldap servers over back-sql.
Does anyone run back-sql in production, and what kind of records on what
scale of system are you using ?
I have high confidence that I want to use ldap, but I'd rather right
provisioning software that talks to a mysql database than to talk to the
ldap database. To make things more complicated, I suspect we will be
moving to oracle in the next few years.
Does anyone have any suggestions on a 10000 foot view of metadata ?
Thanks.
14 years, 11 months
posixgroup & structuralobject errors
by jef peeraer
i am using openldap for many years now ( arround 300 users ) but
recently i encountered some problems. i installed a new server (
opensuse 10.1) and tried to import an ldap database which comes from a
suse 9.3
There seems to be a difference in schemas anyway. (opensuse 10.1 has
openldap version 2.3.19 , 9.3 -> 2.2.23)
I've get these errors during import ->
structuralObjectClass 'posixGroup' is not STRUCTURAL
The entry on which i've got the complaints ->
dn: cn=root,ou=Group,dc=deterp,dc=be
objectClass: posixGroup
objectClass: top
cn: root
userPassword:: xxxxxxx
gidNumber: 0
structuralObjectClass: posixGroup
I did a search in the faq and on google, but didn't find very much about it.
jef peeraer
14 years, 11 months
Hi people, about backend.
by Brivaldo Junior
What's the best backend for OpenLDAP...
Fastest, stable, the best.. or a explain about each one... if possible.
Thank's a lot.
--
Brivaldo Alves da Silva Jr
ITS/Shared Application Services
Federal University of Mato Grosso do Sul - Brazil
14 years, 11 months
ldapadd fails with "ldap_add: No such object (32)"
by Reed Kempf
Hello,
I am new to openldap and am having trouble with ldapadd. This is the error
I am getting when running the command.
[root@centutl1 openldap]# ldapadd -x -D "cn=ldapadmin,dc=cent,dc=lan" -w
"foo" -f /etc/openldap/passwd.LDIF
adding new entry "uid=root,ou=People,dc=cent,dc=lan"
ldap_add: No such object (32)
Here is my slapd.conf and the commands I used to get to this point.
database bdb
suffix "dc=cent,dc=lan"
rootdn "cn=ldapadmin,dc=cent,dc=lan"
rootpw {SSHA}M3xAuwK9FK6Oj28DiTpR0Pb/DBaVHUcU
issued service ldap start
[root@centutl1 openldap]# service ldap start
Checking configuration files for : config file testing succeeded
Starting slapd: [ OK ]
1. migrate_common.ph (changed to $DEFAULT_BASE = "dc=cent,dc=lan";)
2. migrate_passwd.pl /etc/password passwd.LDIF
3. migrate_group.pl /etc/group group.LDIF
4. Attempted to import the files with these commands.
Thanks in advance.
ReedK
14 years, 11 months
ppolicy implementation questions
by Lee Sheridan
I'm a little confused about a couple of things with ppolicy, I would
appreciate somone helping me to sort it out.
Here's my problem. I have a pwdMinAge set to some number X. The reason
is that the password policy I'm implementing says that passwords must
not be reused until some N days and Y number of changes have elapsed.
Thus, pwdMinAge is approximately N / Y, which means that even if a user
changes their password every X days, they won't go through all Y
passwords until all N days have passed. Clearly not the best option.
So my first question is this: I see that the pwdHistory attribute
stores time the password was used within it. Is there some way for
ppolicy to check if a password that is being reused has been reused in <
X days?
Failing in that (which would allow me to get rid of using pwdMinAge)...
When I set a user password with the rootdn or similar, the user can not
reset their password because it is too young. I can see no way to
modify pwdChangedTime. How exactly is this handled?
Third, apparently only the rootdn can set a password when the password
is < pwdMinAge. Users with an ACL that allows write access to
userPassword also go through the ppolicy policies (which makes sense).
Is there a way to exclude them also from ppolicy constraints when
setting another user's password?
TIA,
--
Lee Sheridan 301.286.5898 voice
NASA / Goddard Space Flight Center lsherida(a)nccs.nasa.gov
Computer Sciences Corporation Building 28, Room S230
Code 606.2
14 years, 11 months
2.3 admin guide
by Gerard Ranke
Hi all,
I wanted to read up on indexing, and I noticed that, in the admin guide,
the index directive is under par. 6.2.5.6. So it seems as if this is
specific to the ldbm backend ( par. 6.2.5 ). I was under the impression
that index directives were valid for bdb backends too. So, can I use
index directives for bdb? And is the syntax in 6.2.5.6 still valid?
Thanks for your answers.
Best regards,
Gerard Ranke
14 years, 11 months
ldapsearch hang
by Phillip
Hi all,
I do the following testing, use a running "ftp" to instead of existed
LDAP, and with its corresponding port,
# ldapsearch -x -H ldap://192.168.123.1:22
Here, 192.168.123.1 is a ftp server with port 22 open.
When I execute the command, it seems to be hung without any error
messages.
I think, if the ldap server or port is not available, it would return
with error message immediately.
How do you think of this interesting testing?
Regards,
Phillip
14 years, 11 months
slapo accesslog purge in 2.3.19 [auf Viren überprüft]
by Hans Moser
Hi!
I activated overlay accesslog in a 2.3.19 server. Everthing works fine
(changes are logged) as long as I do not activate logpurge:
line 69 (overlay accesslog)
line 70 (logdb "ou=log,ou=foo,o=bar,c=de")
>>> dnPrettyNormal: <ou=log,ou=foo,o=bar,c=de>
<<< dnPrettyNormal: <ou=log,ou=foo,o=bar,c=de>, <ou=log,ou=foo,o=bar,c=de>
line 71 (logops writes)
line 72 (logpurge 10+00:00 1+00:00)
/opt/mail//etc/openldap/slapd.conf: line 72: <logpurge> handler exited
with 1!
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
# in slapd.conf
overlay accesslog
logdb "ou=log,ou=foo,o=bar,c=de"
logops writes
logpurge 10+00:00 1+00:00
This seems not to be related to ITS#4505 or #4595, which occour in
CHANGES for "accesslog purge" for version >2.3.19.
Hans
14 years, 11 months
