openldap-software April 2007

openldap-software@openldap.org

90 participants
96 discussions

Promoting consumer to provider (hot standby)
by Sam Tran 24 Apr '07

24 Apr '07

Hi All, I have an OL 2.3.x provider where all updates are performed, and several OL 2.3.x consumers that are read-only. I'd like to introduce another OL server as a "hot standby" (as mirror mode is officially available only in OL 2.4.x). That new server would be initially configured as a consumer. Should the initial provider fail (hardware), the configuration of the "hot standby" would be changed so that it becomes the new provider. No change would be needed on the consumer side since the new provider would grab the virtual IP address that the initial provider was holding (Heartbeat), and the consumers would keep on connecting to that virtual IP. My question is the following: Will the consumers see the content of the new provider as exactly the same as the content of the initial provider right before the failure, and then only perform timely updates upon content changes? Thanks in advance. Sam

1 0

Search filter ? wildcard
by Alina Dubrovska 24 Apr '07

24 Apr '07

Hello! Is it possible to create a filter for OpenLDAP search containing a wildcard: ? (matches zero or one character). I received an answer that it is not possible with the standard matching rules. Maybe OpenLDAP support an extension which supports it, e.g. a matching rule which takes regular expressions? Or some another trick to achive this? Thanks in advance, Alina. ---------- Forwarded message ---------- From: Hallvard B Furuseth <h.b.furuseth(a)usit.uio.no> Date: Apr 24, 2007 2:06 PM Subject: Re: [ldap] Search filter ? wildcard To: Alina Dubrovska <alina.second(a)gmail.com> Cc: ldap(a)listserver.itd.umich.edu Alina Dubrovska writes: > Is it possible to create a filter for LDAP search containing a wildcard: > ? (matches zero or one character) No, not with the standard matching rules. Your LDAP server implementation might support an extension which supports it, e.g. a matching rule which takes regular expressions. -- Regards, Hallvard

1 0

Syncrepl, and some objectClass errors
by Lesley Walker 24 Apr '07

24 Apr '07

Lesley Walker wrote: > I have spent today dissecting the logs from two incidents this week in > which entries were erroneously deleted. Although the circumstances of > the two incidents are quite different, from examining the logs I > believe it is the same thing happening in each case. I'm still unable to pinpoint the trigger condition, but I have a better idea of what happens. I believe it *may* be covered by ITS#4626 and ITS#4813, so I have built 2.3.35 to run on a test server. On starting this new version for the first time and letting it build the database by replication from its provider, I get these messages in the log: is_entry_objectclass("", "2.5.17.0") no objectClass attribute is_entry_objectclass("", "2.5.6.1") no objectClass attribute is_entry_objectclass("", "2.16.840.1.113730.3.2.6") no objectClass attribute I freely admit that I am not clued-up on schema design, but I have tried grepping for those numbers in the schema files and in an ldif of the database and I don't find them. I note that these same messages were reported in ITS#4626, and wonder whether there's a connection, or is it a mere coincidence? I also note that these exact same messages were discussed in December: http://www.openldap.org/lists/openldap-software/200612/msg00046.html but this discussion went over my head, so I would welcome any words-of-one-syllable explanations. The main problem I'm trying to troubleshoot is this: In every case, there's a log entry: do_syncrep2: rid 123 LDAP_RES_INTERMEDIATE - SYNC_ID_SET followed by some number of these: syncrepl_entry: rid 123 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) ("some number" is MUCH less than the number of records) then: do_syncrep2: rid 123 LDAP_RES_INTERMEDIATE - REFRESH_PRESENT followed by some (other) number of these: syncrepl_del_nonpresent: rid 123 be_delete uid=whatever,ou=Accounts,dc=example,dc=co,dc=nz (0) *INCLUDING* be_deletes for nearly ALL the top-level entries: be_delete cn=root,dc=example,dc=co,dc=nz (0) be_delete ou=Accounts,dc=example,dc=co,dc=nz (66) be_delete ou=Mailbox,dc=example,dc=co,dc=nz (66) be_delete ou=Services,dc=example,dc=co,dc=nz (66) be_delete ou=Offices,dc=example,dc=co,dc=nz (66) be_delete ou=Networks,dc=example,dc=co,dc=nz (66) be_delete ou=Rooms,dc=example,dc=co,dc=nz (66) be_delete ou=Group,dc=example,dc=co,dc=nz (66) be_delete ou=EmailLists,dc=example,dc=co,dc=nz (66) be_delete ou=People,dc=example,dc=co,dc=nz (66) be_delete ou=Computers,dc=example,dc=co,dc=nz (66) This would seem to leave the database completely empty, and in a state where nothing and nobody can authenticate to it. No amount of stopping/restarting has any effect (because it thinks it is in sync) until we repair it by starting with the empty sync cookie. There have been at least 10 instances of this fault on different servers in the last 1-2 weeks. Because I can't reproduce the problem on demand, I won't know for sure whether or not the new version fixes it, but I have built the new version and am now running it on a test server. > Here's the environment: > OpenLDAP 2.3.32 running on Debian 3.1 (Sarge) > compiled with sync logging patch discussed about 4 months ago > loglevel config sync on all servers > BDB 4.2 backend > Syncrepl replication all round > A "master" server (com) > - holds the master copy of the database > A number of servers that replicate directly from com > An "intermediate" server (wwsv04) that > - is on the same LAN and subnet as com > - replicates from com > - acts as provider for all other servers > 88 servers/replicas in total > Approx 9000 records > All replicas are supposed to be complete copies > Nothing particularly fancy or clever going on -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

2 4

back-ldap: how to bind to remote server?
by Székelyi Szabolcs 23 Apr '07

23 Apr '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm trying to use OpenLDAP as a proxy. I want it to bind to the remote LDAP server with a fixed dn, and use that dn for searches. This way, any dn binding to the proxy (even anonymously) could see objects and attributes that the dn used to bind to the real LDAP server can see. My problem is that it seems that the proxy does not bind to the remote server (in other words, it binds anonymously), just forwards searches, which fail this way, because the remote server requires authentication. The binddn and bindpw configuration options are correct, I can use ldapsearch to retrieve objects directly from the remote server. Looking at the network traffic, I can't see the proxy attempting to bind using the dn given in the binddn option. Here is the relevant part of my slapd.conf: == database ldap suffix dc=company,dc=local chase-referrals no lastmod off uri ldap://remotehost binddn <binddn> bindpw <bindpw> == Is it possible to configure back-ldap this way? Thanks, - -- cc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGLR/EGJRwVVqzMkMRAtG6AJ4kcCsQ3P+AdvwypvSAOx636WrlWgCfaPcO y05t2kWjfb4CUZh5kpMzVY4= =Puce -----END PGP SIGNATURE-----

2 1

Syncrepl logging question
by Lesley Walker 23 Apr '07

23 Apr '07

Hi all, Can somebody please confirm for me, when a log entry on a consumer says: do_syncrep2: rid 123 Can't contact LDAP server I've been assuming it means the provider server, is that correct? It's just occurred to me it could possibly be referring to the local server since I believe there are multiple threads involved in a single slapd process. -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

2 4

OpenLDAP 2.3.x on RHEL 5 or Centos 5?
by Sam Tran 20 Apr '07

20 Apr '07

Hi All, Has anyone built RPM packages for RHEL 5 or Centos 5 on i386 or x86_64? Thanks, Sam

3 4

used timezone
by Frank Lohfeld 20 Apr '07

20 Apr '07

hello, how can i changed that openldap used the systemtime from my server to store it as modifytimestamp? in this time, openldap used the gmt time but in germany we have gmt+1+summertime (gmt+2). and my system get me not the gmt time, the system get me the actual local time and i want that openldap stored the local time. when he stored the gmt time (current status), we have problems with applications by search for entrys that changed in the last hour. (sorry for my bad english) thank you very mutch Frank

5 6

Build error 2.3.35 on Debian
by Lesley Walker 20 Apr '07

20 Apr '07

I'm getting this error when I run "make depend": cd slapi; make -w depend make[3]: Entering directory `/vol01/developer/openldap/openldap-2.3.35/servers/slapd/slapi' ../../../build/mkdep -l -d "." -c "cc" -m "-M" -I../../../include -I.. -I. -I../../../include -I./.. -I. plugin.c slapi_pblock.c slapi_utils.c printmsg.c slapi_ops.c slapi_dn.c slapi_ext.c slapi_overlay.c plugin.c:32:18: ltdl.h: No such file or directory make[3]: Leaving directory `/vol01/developer/openldap/openldap-2.3.35/servers/slapd/slapi' Given the configure switches I'm using, I don't think it should even be attempting to build slapi: ./configure \ --prefix=/opt/$OPENLDAP_VERSION \ --localstatedir=/var/local/$OPENLDAP_VERSION \ --sharedstatedir=/var/local/$OPENLDAP_VERSION/com \ --enable-cleartext \ --enable-crypt \ --enable-lmpasswd \ --enable-ldbm \ --enable-syncprov \ --enable-slurpd \ --without-cyrus-sasl \ --disable-slapi This error has also occurred with previous versions (at least 2.3.27, 2.3.31, 2.3.32) but it doesn't seem to cause any functional errors as far as I can tell. (unless it's somehow related to the syncrepl problems, but that seems unlikely) -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

3 3

syncrepl failure monitoring
by Donn Cave 20 Apr '07

20 Apr '07

We use slurpd, and I have gone to some pains to make our home-grown service monitor software check the replication files, on the master hosts, so we have timely notification when replication has stalled. How do sites that use syncrepl do this? For example, my new replica is failing right away. I can see it in the master syslog: a bind, a search for * +, then a search result with err=3. On the replica side, however - not a peep. After a little tinkering, I can get "do_syncrep2 result: rid=101 Timed out", but that requires changes to the code. This exercise convinced me that the syncrepl engine isn't supposed to syslog success or failure of its queries, presumably for some good reason and there must be a better way to diagnose problems. The monitoring objective is to verify that the server is either synched, or is making satisfactory progress in that direction. Is there a good way to monitor the state of that syncrepl thread? Thanks, Donn Cave, donn(a)u.washington.edu

2 1

Server Certificate Chain
by Krasimir Ganchev 20 Apr '07

20 Apr '07

Hello guys, I am using a globally recognized certificate with my openldap server which is issued by a Child CA trusted by the Root CA of my certificate provider. Is there any possible way to include the Child CA certificate within the server certificate chain? The thing is that I have couple of windows based clients using my openldap server and I can't make them verify the server certificate. The Root CA is included in the trusted Root CAs Windows store, but since the Child CA ain't there and doesn't appear in the certificate chain the clients could not verify the server certificate and give up with an error unless they are being configured to ignore errors. That's the reason why I would like to include the Child CA /Signing CA/ certificate within the server certificate chain which will allow those clients to confirm server's certificate and its signing CA certificate against the trusted root CA. Is there any possible way to achieve that and is it up to configuration? Any help is appreciated! All my best, Krasimir Ganchev

5 6

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2007