Hello openldap community,
I have openldap 2.4.6 running on 2 machines.
One master server with a BDB database acting as the syncrepl provider (the syncrepl overlay has been added to the database configuration directive).
I now have set up a second machine also running openldap 2.4.6 and I've been playing around with it trying to get it to act as a syncrepl consumer.
I remember reading somewhere in the openldap documentation that it should be fairly straightforward with a simple 10-12 line LDIF file to get the syncrepl consumer synced up with the provider.
Can someone please post an example of such a simple kickstart file?
I am implementing an OpenLDAP installation that utilizes inetOrgPerson
as the main user structure with roughly forty attributes that may be
used with each user. Of the forty attributes, I have added a custom
schema which includes 15 custom attributes. I am using MySQL 5 as the
backend via backsql.
The problem I am seeing is that for a given user, if I write values to
all 40 attributes and then read them back using an LDAP browser, three
of the attributes do not return their values. The three attributes
are: cn, userPassword, and employeeType.
I have run slapd with the debug level of -1 (all) to capture a trace
of what happens when I read an attribute that correctly returns its
value and also a trace of reading an attribute that does not return
its value (cn, userPassword, or employeeType). Comparing the two
traces, the only appreciable difference between the two is as follows,
which is in the failing trace:
backsql_id2entry(): custom attribute list
==>backsql_get_attr_vals(): oc="inetOrgPerson" attr="employeeType" keyval=8
backsql_get_attr_vals(): error executing attribute count query 'SELECT
COUNT(*) FROM users WHERE users.id=? AND '
Return code: -1
nativeErrCode=1064 SQLengineState=37000 msg="[MySQL][ODBC 3.51
Driver][mysqld-5.0.45-community-log]You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near '' at line 1"
==>backsql_get_attr_vals(): oc="inetOrgPerson" attr="objectClass" keyval=8
I also set up a MySQL error trace and ran the two attribute reads and
came up with the only appreciable difference being the SQL statement,
43 Query SELECT COUNT(*) FROM users WHERE users.id=8 AND
It appears to me that the SQL statement is not being completed for some reason, since in the slapd trace where the attribute read is successful, backsql_get_attr_vals() just prints out "number of values in query: 1", followed by "number of values in query: 0", followed by the actual data packets containing the value of the
I can provide additional information if needed. I was unable to find
information about this problem on the OpenLDAP site.
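The truncated statement in the trace is exactly what a count query looks like when an empty join_where fragment is appended after AND. The following added Python model (not OpenLDAP code; the assembly rule and the sample rows are assumptions based on the trace and the ldap_attr_mappings columns) reproduces that statement and flags mapping rows whose SQL fragments are empty strings rather than NULL.

```python
# Model of how back-sql assembles a per-attribute COUNT query. Added
# example (not OpenLDAP code): the assembly rule below is assumed from
# the trace; column names follow the ldap_attr_mappings table.
from typing import Optional


def build_count_query(from_tbls: str, keytbl: str, keycol: str,
                      join_where: Optional[str]) -> str:
    """Assumed assembly rule: NULL join_where adds nothing, any non-NULL
    fragment (including an empty one) is appended after ' AND '."""
    query = f"SELECT COUNT(*) FROM {from_tbls} WHERE {keytbl}.{keycol}=?"
    if join_where is not None:
        query += f" AND {join_where}"
    return query


def check_attr_mapping(row: dict) -> list:
    """Return defects in one mapping row: empty SQL fragments yield
    dangling FROM / AND clauses that the database rejects (error 1064)."""
    problems = []
    for col in ("sel_expr", "from_tbls"):
        if not (row.get(col) or "").strip():
            problems.append(f"{col} is empty")
    join_where = row.get("join_where")
    if join_where is not None and not join_where.strip():
        problems.append("join_where is '' (use NULL when there is no join)")
    return problems


# Constructed rows mirroring the post: key column users.id, employeeType
# mapped with join_where='' and givenName mapped correctly with NULL.
SAMPLE_ROWS = [
    {"name": "employeeType", "sel_expr": "users.employee_type",
     "from_tbls": "users", "join_where": ""},
    {"name": "givenName", "sel_expr": "users.given_name",
     "from_tbls": "users", "join_where": None},
]


def audit(rows=SAMPLE_ROWS) -> dict:
    """Map each attribute name to the list of problems found in its row."""
    return {row["name"]: check_attr_mapping(row) for row in rows}


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["name"], "->", build_count_query(
            row["from_tbls"], "users", "id", row["join_where"]))
    print(audit())
```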
The fourth issue is out:
- More uptake on OpenLDAP 2.4
- Is OpenLDAP really that compliant?
- Update on Build Farm progress
- OpenLDAP Documentation updates
- How fast can it go!
- OpenLDAP Development
- Selected user issues and solutions discussed
OpenLDAP Engineering Team.
Community developed LDAP software.
I have a problem getting ppolicy working.
I use version 2.3.38 (bichan rpms), and this is a part of my slapd.conf:
security ssf=1 update_ssf=112 simple_bind=64
syncprov-checkpoint 100 10
This is the LDIF file that I used to add the default policy:
I didn't see any errors in the slapd log file, nor when I added this entry!
But when I change a new user's password (after the ppolicy installation, and as
the user, not rootdn), there is no password policy applied:
I changed pwdCheckQuality from 1 to 2, but the result is the same!!
Any help will be appreciated.
Ok... after a bit of a struggle, I have gotten OpenLDAP 2.4.6 going with
MIT Kerberos 1.6.3, with some small caveats...
1: (and you know this already) the documentation for the slapd.d
format is.. uhm.. bad. For example, the "slapd.ldif" in the source isn't
even valid; the "module" section (commented out, but there) is missing the
2: The documentation throughout, for specifying entries like the RootDN,
tells you (via example) to double-quote it.. this generates errors.
3: There is something awry with the Kerberos 5/GSSAPI setup for using a
krb5 credential as a RootDN; according to your documentation it should be
of the form:
This isn't working for me. After enabling auth logging I found that it
authenticated me as:
(note the lack of realm...) Why? Have I botched something (which I may
have), or is there an error in the documentation?
David E. Cross
I am using:
on RHEL 4
Quick question. In the ldap_attr_mappings table there is a column
called param_order. I have discovered that if I set it to the default
of 3, the information is passed to my stored procedures as
attribute value, keyval (id). What are the other possible settings for
this column, and which setting will give me keyval (id), attribute
Thanks for creating a great product!
I just upgraded to 2.4.6 and also to Berkeley DB 4.6.
I'm using the same slapd.conf that was used with 2.3.38.
I have a problem with the sql backend.
Slapd cannot start if slapd.conf has more than 1 sql backend at the same time.
If I have 2 sql backends, with -d -1 it will complain about the 2nd backend,
as I snipped.
>Return code: -2
>backsql_db_open(): schema mapping failed, exiting
>backend_startup_one: bi_db_open failed! (1)
At first I thought it was about my mappings, but
if I comment the first sql backend out,
with the same second database that slapd used to complain about,
slapd can start and run fine (so the mappings are correct).
It seems like 2 sql backends cannot stay in one slapd.conf.
Anyway, bdb databases can still have 2 or more at the same time;
slapd can start.
---------------- slapd.conf --------------------
## The following is for the sample database
subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
# SQL database definitions
## The following is for the sample database
#subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
#insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
------------------------ END slapd.conf -------------------------------
<quote who="Gavin Henry">
> Dieter Kluenter wrote:
>> as in the past few years OpenLDAP will be present at the Systems,
>> Munich, http://www.systems-world.de/
>> as part of Open Source Community booth. We (Peter Gietz and me) are in
>> need of *volunteers* to man the booth. Whoever is willing to join the
>> team may contact either Peter Gietz or me asap.
> Is this you Dieter?
It's dated Jun 3rd. What event was this? What are their names? ;-)
> Kind Regards,
> Gavin Henry.
> OpenLDAP Engineering Team.
> E ghenry(a)OpenLDAP.org
> Community developed LDAP software.
as in the past few years OpenLDAP will be present at the Systems,
as part of Open Source Community booth. We (Peter Gietz and me) are in
need of *volunteers* to man the booth. Whoever is willing to join the
team may contact either Peter Gietz or me asap.
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6
<quote who="Patai Sangbutsarakum">
> Hope this make sense
> Please Please suggest
I suggest you try to explain the problem you are trying to solve here. Why
do you need the sql backend to start with? It's usually the very last
option to choose, where you are forced due to legacy applications and many