Buchan Milne [mailto:email@example.com]
> > Well, I just ran db_archive and caused widespread chaos because most (all?)
> > of the replicas stopped responding to queries. (I have yet to perform a
> > post-mortem)
> You ran db_archive for the first time, on *all* replicas at the same time????
Yes. We administer 80+ servers that are more or less identically configured,
and typically perform small admin tasks in a "for" loop, which is what I did
in this case.
> > I know that there's a bug in bdb 4.2 that causes logs to be held open even
> > though they're no longer required. Upgrading bdb is not on the cards right
> > now so I need to work around that problem by stopping and starting
> > openldap.
> This may or may not be the cause of your problems. Additionally, this is
> affected by your database configuration and checkpointing settings.
> > So the question I have just at the moment is, when I run db_archive, should
> > openldap be running or not running?
> It should be safe, depending on your configuration, to run
> However, due to the tasks it does (just deleting all the unused log files
> would have a similar effect), it can be quite IO intensive, and you may incur
> IO starvation when doing it, impacting performance of any other application
> using files on the same block devices (e.g. slapd).
As an additional piece of background, we are currently running all the
replication out of an intermediate server (it's a transitional setup). As
far as I can tell, it all hit the fan when the db_archive ran on that
intermediate server. Obviously I should have left that one out of the list
but I didn't think of it at the time.
These are all the non-comment entries in DB_CONFIG:
set_cachesize 0 268435456 1
Database definition entries in slapd.conf:
Replication entries on most servers:
And replication entries on the intermediate host:
syncprov-checkpoint 10 5
Linux Systems Administrator
Opus International Consultants Ltd
Tel +64 4 471 7002, Fax +64 4 473 3017
Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343
Wellington, New Zealand
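An added example, not code from the thread above: a rolling-maintenance runner that encodes the lesson of the db_archive incident. An I/O-heavy task runs on one replica at a time, replication hubs (the "intermediate" server) are left out of the bulk loop, and the rollout stops at the first failed health check so the remaining replicas keep answering queries. Host names, the task and the health check are constructed for the example; in real use `task` would run something like `db_archive -d -h /var/lib/ldap` on the host and `healthy` a base-scope ldapsearch against it.

```python
"""Rolling maintenance runner (added example, not from the original thread).
Run `task` on one host at a time, skip replication hubs, and stop as soon as a
host fails its health check. Hosts, task and health check are constructed."""

from typing import Callable, Dict, Iterable, List, Optional, Set


def rolling_maintenance(
    hosts: Iterable[str],
    hubs: Set[str],
    task: Callable[[str], None],
    healthy: Callable[[str], bool],
) -> Dict[str, object]:
    """Run `task` on each host in turn, skipping `hubs`, and confirm with
    `healthy` before and after each run. Stops at the first failure so the
    replicas not yet touched keep serving queries."""
    done: List[str] = []
    skipped: List[str] = []
    for host in hosts:
        if host in hubs:
            skipped.append(host)            # hubs are handled separately, by hand
            continue
        if not healthy(host):
            return _summary(done, skipped, host, "unhealthy before task")
        task(host)
        if not healthy(host):
            return _summary(done, skipped, host, "unhealthy after task")
        done.append(host)
    return _summary(done, skipped, None, None)


def _summary(done: List[str], skipped: List[str],
             failed: Optional[str], reason: Optional[str]) -> Dict[str, object]:
    return {"done": list(done), "skipped": list(skipped),
            "failed": failed, "reason": reason}


def demo() -> Dict[str, object]:
    """Constructed run: five hosts, one of them the replication hub, and a
    fake task that leaves 'ldap3' unhealthy after it has run there."""
    calls: List[str] = []

    def fake_task(host: str) -> None:
        calls.append(host)                  # stands in for db_archive -d -h ...

    def fake_health(host: str) -> bool:
        # ldap3 'breaks' once the task has run on it; everything else is fine.
        return not (host == "ldap3" and host in calls)

    result = rolling_maintenance(
        ["ldap1", "ldap-hub", "ldap2", "ldap3", "ldap4"],
        hubs={"ldap-hub"}, task=fake_task, healthy=fake_health)
    result["task_ran_on"] = calls
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the before-and-after health check is that a replica that is already struggling (for instance under IO starvation from another job) is never pushed further, and a replica that stops answering after the task halts the loop before the next one is touched.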
So I have an interesting issue, and I'm wondering if there's an easy
solution (although I'm guessing it would take slapo-rwm reworking).
Basically, email IDs can come in the form of
(basically, any combination of periods and hyphens). My own data is:
lsearch uid=quanah suseassunetid
which means that any form of quanah(a)stanford.edu,
qgibsonmount(a)stanford.edu, and quanahgibsonmount(a)stanford.edu are
In our directory, we store what we consider the normalized form (all
periods and hyphens stripped out). What I'd like is a way to make sure
that any incoming filter request for the attribute (suseassunetid) strips
the value(s) of periods and hyphens before the query is evaluated.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
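An added example, not code from the post above and not slapo-rwm itself: a Python model of the filter rewrite being asked for. Assertion values of one attribute are stripped of periods and hyphens before the filter is evaluated, so that any spelling of the ID matches an entry whose stored value is the normalized form; other attributes are left alone and substring wildcards survive. The attribute name is the one from the post; the filters are constructed.

```python
"""Normalize the assertion values of one attribute inside an LDAP search filter
(added example; a model of the rewrite, not slapo-rwm). Assumes the stored
value was normalized with the same function when the entry was written."""

import re

NORMALIZED_ATTR = "suseassunetid"   # attribute from the post
STRIP_CHARS = ".-"                  # characters the directory stores without

# One assertion inside a filter: (attr<op>value). A value cannot contain an
# unescaped parenthesis (RFC 4515 escapes them as \28 / \29), so [^()]* is safe.
_ASSERTION = re.compile(
    r"\((?P<attr>[A-Za-z][A-Za-z0-9-]*)(?P<op>:=|>=|<=|~=|=)(?P<value>[^()]*)\)"
)


def normalize_value(value: str) -> str:
    """Strip periods and hyphens; '*' (substring wildcards) are kept."""
    return "".join(ch for ch in value if ch not in STRIP_CHARS)


def normalize_filter(flt: str, attr: str = NORMALIZED_ATTR) -> str:
    """Rewrite every assertion on `attr` (case-insensitive) in `flt`."""
    def fix(m: "re.Match[str]") -> str:
        if m.group("attr").lower() != attr.lower():
            return m.group(0)               # leave other attributes untouched
        value = normalize_value(m.group("value"))
        return f"({m.group('attr')}{m.group('op')}{value})"
    return _ASSERTION.sub(fix, flt)


if __name__ == "__main__":
    print(normalize_filter("(&(suseassunetid=quanah.gibson-mount)(uid=a.b))"))
```

Whatever does the rewrite in production (slapo-rwm or a client-side wrapper), the same `normalize_value` must be applied on the write path, otherwise a stored `quanah.gibson-mount` would never be found by a rewritten filter.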
As it goes...to import my data into OpenLdap server, I need to create a
schema file of my own, add the required attributes and ObjectClasses into
it... include the schema file into the "slapd.conf" and then create my ldif
file and run it.
...as I have seen in other schema files of OpenLdap, every Attribute and
ObjectClass has OIDs.
We, in our schema file for our previous Directory Server, have just created
the OIDs as "attributename-oid" or "ObjectClassname-oid" and I am using the
same here. Hence as a result of which, my schema file, though included in
"slapd.conf", isn't being referred to by the server (that's what I think, correct
me if I am wrong!!).
So can I conclude that all this chaos is caused due to the lack of OIDs??
And as a final step I have put a request to "IANA" for a private OID, after
getting which I would create a new schema file and proceed.
LET ME KNOW IF WHAT I HAVE ASSUMED AND DONE IS RIGHT......if not......Kindly
help me out for doing the same!!!!!!!!!!
The actual error message I am getting is "objectclass invalid syntax".
The reason I thought my schema file isn't being referred to is, the server is not
recognizing the objectclasses that I have in that schema file (that shows the
server hasn't seen my schema file).
So for that what exactly I have done is, I have selected a few of the object
classes from my schema file and tried inserting them in openldap's schema
When I did that...one of the object classes got recognized. Hence I went on
trying to insert a few more of my object classes in that schema file but the
same thing didn't happen. That is, when I try to start the service it doesn't
Just to sum up.....
When I simply include my schema file in the slapd.conf, and try to run my
ldif files..technically speaking it should work right....or anything more
should be done??
Just let me know......
On 2/28/07, Buchan Milne <bgmilne(a)obsidian.co.za> wrote:
> On Tuesday 27 February 2007, shilpa muramkar wrote:
> > I have installed openldap on my machine. In the slapd.conf file I have
> > included all the schema files. I need to import our directory server
> > into OpenLdap now. Hence I have done the below things....
> > 1) Created a schema file containing our data and included it in the
> > slapd.conf.
> > 2) Created an ldif file, and tried importing our data using "ldapmodify"
> > command.
> > I am facing a few problems.
> > Looks like my schema file isn't being referred to by openldap as....even
> > when I comment my schema file and run, the service is starting.
> Removing a schema file, and having the service start is no indication that
> schema file was not in use before.
> Rather, do a search on the schema available on your LDAP server, to see
> schemas it *has* loaded when you have configured it to load this schema.
> Alternatively, use a schema-aware GUI tool (such as luma).
> > That shows my
> > schema file isn't creating any impact there.
> What impact were you expecting? How did you check for this impact?
> (and no, failure to start is not a reasonable impact for removing an
> schema file from the configuration file)
> > What I did is,,,,,I took some of our required ObjectClasses and included
> > them in the "misc.schema" file of OpenLdap just for a trial. A few of them
> > worked properly and my data from ldif got added into the server.
> > I still have a few attributes and ObjectClasses which I am neither able to
> > add into any of OpenLdap's schema files nor create a new schema file and
> > add (as OpenLdap isn't referring to it).
> Please, post some real error messages, as your interpretation of the
> doesn't seem to add up.
> > Can someone guide me as to how to easily get my schema and data added to
> > the server.
> The OpenLDAP Admin guide covers this in sufficient detail IMHO. If you
> succeed, you should provide sufficient details of what you have done, and
> error messages and relevant log file extracts which detail the errors you
> > If I have to create a schema file of my own.....in that case..how do I
> > the server refer to that as well...........
> You just add an include statement for your schema file in slapd.conf, as
> covered in the documentation ...
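An added example for the exchange above, not code from either poster: the check the reply recommends, done offline. Instead of commenting the include out and watching whether slapd starts, fetch the subschema entry and see which object classes the server has actually loaded. The entry is retrieved with a command such as `ldapsearch -x -H ldap://ldap.example.com -b cn=Subschema -s base '(objectClass=subschema)' objectClasses`; the function below parses that LDIF, including folded continuation lines, which a naive grep gets wrong. The LDIF is constructed for the example (the `1.3.6.1.4.1.99999` arc is a placeholder, not an assigned enterprise number); `person` is the standard core.schema definition.

```python
"""Read the object classes a slapd reports in cn=Subschema (added example).
Input is the LDIF that `ldapsearch -b cn=Subschema -s base objectClasses`
prints; the sample below is constructed, with a placeholder OID arc."""

import re
from typing import Dict, List, Set

SAMPLE_LDIF = """\
dn: cn=Subschema
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUC
 TURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ descr
 iption ) )
objectClasses: ( 1.3.6.1.4.1.99999.1.2.1 NAME ( 'myCustomClass' 'myAlias' ) SUP
  top AUXILIARY MAY ( myAttr ) )
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (one leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


# NAME 'single' or NAME ( 'one' 'two' ) inside an RFC 4512 definition
_NAMES = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def loaded_objectclasses(ldif_text: str) -> Dict[str, str]:
    """Map each object class NAME (lower-cased) to the OID it is defined under."""
    found: Dict[str, str] = {}
    for line in unfold_ldif(ldif_text):
        if not line.lower().startswith("objectclasses:"):
            continue
        definition = line.split(":", 1)[1].strip()
        oid = definition.lstrip("( ").split()[0]        # first token after '('
        m = _NAMES.search(definition)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']*)'", m.group(2))
        for name in names:
            found[name.lower()] = oid
    return found


def check_schema_loaded(ldif_text: str, wanted: List[str]) -> Set[str]:
    """Return the names from `wanted` that the server did NOT load."""
    have = loaded_objectclasses(ldif_text)
    return {w for w in wanted if w.lower() not in have}


if __name__ == "__main__":
    print(loaded_objectclasses(SAMPLE_LDIF))
    print("missing:", check_schema_loaded(SAMPLE_LDIF, ["person", "myCustomClass"]))
```

If a class from your own schema file is missing here while the include line is present, slapd rejected the definition at startup, and its log (loglevel config, or the startup output with `slapd -d`) carries the actual reason; that is the error message the reply asks for.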
On Wed, Feb 28, 2007 at 11:18:26AM +0200, Buchan Milne wrote:
> Well, a lot of the aspects of setting this up are not unique to slurpd, but
> are covered in documentation relating to user authentication with
> certificates. The errors you posted don't seem to have anything to do with
> the certificate authentication itself, but seem to be the generic issue of
> your slurpd not authenticating to the slave as the updatedn.
Here is what I understood: my slurpd's certificate DN contains non ASCII
characters, and for that reason, I have been unable to get the slave slapd
matching the updatedn. The solution I finally found was to use authz-regex
to rewrite slurpd's DN into something that will match.
> (...) waste time on a "HOWTO".
Well, as an OpenLDAP user, I know that once you've read the manual and the
FAQ and it's still not working, return of experience from other users
gathered with google is valuable. That's why I tend to post how I managed
to get the thing working. It will help people looking for the same problem I
had, and comments from contributors may help transform that into some
I try to use replication with slurpd, using TLS to secure access to the
1) On the master, slapd.conf contains this:
replica uri=ldaps://ldap1.example.net bindmethod=sasl saslmech=EXTERNAL
I have a slurpd pseudo-user, with a .ldaprc file:
2) On the slave, slapd.conf contains:
access to *
by * none
updatedn is the information I have in slurpd's certificate.
When I update the master, slurpd sees the modification and attempts to
propagate it to the slave, but it fails:
Error: ldap_modify_s failed modifying DN "cn=foo,dc=example,dc=net": shadow context; no update referral
On the slave, the error is:
conn=19 op=7 RESULT tag=103 err=10 text=
I found in <ldap.h> that this err=10 is
#define LDAP_REFERRAL 0x0a /* LDAPv3 */
But it does not help me fix the problem.
What is wrong?
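An added example, not code from the thread and not slapd's own implementation: a small model of what an `authz-regexp` directive does for the situation described above. With `bindmethod=sasl saslmech=EXTERNAL` the identity slapd sees is derived from slurpd's certificate subject DN; when that DN contains non-ASCII characters it will not string-compare equal to a hand-typed `updatedn`, but a regexp that captures only the ASCII component can map it onto the DN the slave expects. The DNs and rules are constructed, and slapd's exact normalization of the certificate subject is not reproduced here.

```python
"""Model of slapd's authz-regexp identity mapping (added example, not slapd
code). A SASL EXTERNAL identity is matched against ordered (regex, template)
rules; the first match yields the DN that is then compared with updatedn."""

import re
from typing import List, Optional, Tuple

# One rule per slapd.conf line:  authz-regexp "<match regex>" "<replacement>"
Rule = Tuple[str, str]


def authz_map(identity: str, rules: List[Rule]) -> Optional[str]:
    """Return the DN the first matching rule produces, or None if none matches.
    Matching is case-insensitive, as DN string comparison is in slapd."""
    for pattern, template in rules:
        m = re.match(pattern, identity, flags=re.IGNORECASE)
        if m:
            # slapd writes capture groups as $1, $2 ...; re.expand wants \1, \2 ...
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", template))
    return None


# Constructed slave-side configuration: updatedn uses the page's example suffix.
UPDATEDN = "cn=slurpd,ou=replicators,dc=example,dc=net"
RULES: List[Rule] = [
    # Any certificate whose subject starts with cn=slurpd maps onto updatedn,
    # whatever (non-ASCII) organisation components follow.
    (r"^cn=slurpd,.*$", UPDATEDN),
]
# Constructed certificate subject with accented characters, as in the report.
CERT_SUBJECT = "cn=slurpd,ou=réplication,o=Société Exemple,c=FR"


def slave_accepts_update(identity: str) -> bool:
    """The slave grants replication writes only when the mapped DN is updatedn."""
    mapped = authz_map(identity, RULES)
    return mapped is not None and mapped.lower() == UPDATEDN.lower()


if __name__ == "__main__":
    print("raw subject == updatedn:", CERT_SUBJECT.lower() == UPDATEDN.lower())
    print("mapped:", authz_map(CERT_SUBJECT, RULES))
    print("accepted:", slave_accepts_update(CERT_SUBJECT))
```

The pattern anchors on the CN and matches the rest loosely, so the accented RDNs never need to be typed into slapd.conf; a rule with `$1` can equally carry a captured component into the mapped DN, as the second assertion in the test shows. Keep such a rule as narrow as the certificate issuance policy allows, since every certificate the CA issues with that CN would map to updatedn.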
Apologies if this has been posted before - I had a search through the
archives but couldn't find anything.
We have a master slapd and slurpd feeding to a slave LDAP server - all
user info, including auth, comes from LDAP. The LDAP master machine
has /home and the slave runs the mail server. I had thought that I saw
something in the OpenLDAP manual that you could force any attempted
changes on the slave server to be redirected to the master (and then
obviously, the changes would get to the slave via a push from slurpd).
But after numerous searches, I can't find it. Was I imagining things
or is there such a directive?
Now this may sound stupid, but if you put the slave slapd into
read-only mode, can it accept updates from slurpd on the master? It
would reduce the chances of writes being made to the slapd on the
slave and causing synchronisation headaches.
I see that with the 2.3.34 release that the auditlog overlay now has
dynamic config support added. The one overlay left that I use which
prevents me from using cn=config is the unique overlay.
Is anyone working on adding dynamic config support to the unique
overlay? If not, are there directions someplace on what is required to
add dynamic config support to an overlay? (I did search the developers
list archives and came up empty)
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
There are two directories: 1. o=inside 2. o=outside
Inside are the local entries, i.e. for persons.
Outside is the CA's directory. The user's certificate is there under a
DN with the mail address in it.
Now CA's usercertificate must appear in the user's entry:
But: Outside directories can only be reached by an ldap proxy.
So there is a third server working as a proxy with ldap-meta backend.
By now I can manually search for certificates, which are
'suffixmassage'd into ou=ca,o=outside.
As far as I understand, slapo-translucent could add the usercertificate
attribute to user's entry.
But how to tell slapo-translucent to search by attribute mail to find
the corresponding entry in (ou=ca,o=inside or) o=outside?
Can / must this be done with slapo-rwm?
I can guess the outside DN from the user's mail attribute. (But not vice
versa; I can only search for the inside entry by attribute mail.) So I
know what entry I want / what to search for. But does this help me? [uri
search for certificate of employee #1
mail: user@inside --search--> mail: user@inside
... <--return-- usercertificate::
--return--> dn: employeenumber=1,ou=people,o=inside