Promoting consumer to provider (hot standby)
by Sam Tran
Hi All,
I have an OL 2.3.x provider where all updates are performed, and
several OL 2.3.x consumers that are read-only. I'd like to introduce
another OL server as a "hot standby" (as mirror mode is officially
available only in OL 2.4.x). That new server would be initially
configured as a consumer. Should the initial provider fail (hardware),
the configuration of the "hot standby" would be changed so that it
becomes the new provider. No change would be needed on the consumer
side since the new provider would grab the virtual IP address that the
initial provider was holding (Heartbeat), and the consumers would keep
on connecting to that virtual IP.
My question is the following:
Will the consumers see the content of the new provider as exactly the
same as the content of the initial provider right before the failure,
and then only perform timely updates upon content changes?
Thanks in advance.
Sam
Search filter ? wildcard
by Alina Dubrovska
Hello!
Is it possible to create a filter for OpenLDAP search containing a wildcard:
? (matches zero or one character).
I received an answer that it is not possible with the standard matching
rules.
Maybe OpenLDAP supports an extension which supports it, e.g. a matching rule
which takes regular expressions?
Or some other trick to achieve this?
Thanks in advance,
Alina.
---------- Forwarded message ----------
From: Hallvard B Furuseth <h.b.furuseth(a)usit.uio.no>
Date: Apr 24, 2007 2:06 PM
Subject: Re: [ldap] Search filter ? wildcard
To: Alina Dubrovska <alina.second(a)gmail.com>
Cc: ldap(a)listserver.itd.umich.edu
Alina Dubrovska writes:
> Is it possible to create a filter for LDAP search containing a wildcard:
> ? (matches zero or one character)
No, not with the standard matching rules.
Your LDAP server implementation might support an extension which
supports it, e.g. a matching rule which takes regular expressions.
--
Regards,
Hallvard
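An added example, not from this thread or from OpenLDAP, of the usual workaround for a `?` wildcard: widen each `?` to `*` in the server-side filter, escape every other character as RFC 4515 requires, and then apply the exact "zero or one character" rule on the client with a regular expression. The entries and DNs are constructed stand-ins for what ldapsearch would return, and the names `glob_to_filter`, `glob_to_regex` and `search` are the example's own.

```python
import re


def ldap_escape(value):
    """Escape an assertion value per RFC 4515 so user-supplied text cannot
    inject filter syntax: '*', '(', ')', '\\' and NUL become \\xx hex escapes."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def glob_to_filter(attr, pattern):
    """Build the server-side filter. '?' has no LDAP equivalent, so it widens
    to '*' (a superset of the wanted matches); '*' stays a wildcard; every
    other character is escaped."""
    body = ''.join('*' if ch in '*?' else ldap_escape(ch) for ch in pattern)
    body = re.sub(r'\*{2,}', '*', body)          # adjacent wildcards collapse
    return '(%s=%s)' % (attr, body)


def glob_to_regex(pattern):
    """Exact client-side semantics: '?' = zero or one character, '*' = any run.
    IGNORECASE approximates caseIgnoreSubstringsMatch; drop it for case-exact
    attributes."""
    parts = ['.?' if ch == '?' else '.*' if ch == '*' else re.escape(ch)
             for ch in pattern]
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE | re.DOTALL)


# Constructed sample entries standing in for ldapsearch output: (dn, attributes).
SAMPLE_ENTRIES = [
    ('uid=jon,ou=People,dc=example,dc=com',   {'uid': ['jon']}),
    ('uid=john,ou=People,dc=example,dc=com',  {'uid': ['john']}),
    ('uid=johnn,ou=People,dc=example,dc=com', {'uid': ['johnn']}),
    ('uid=joan,ou=People,dc=example,dc=com',  {'uid': ['joan']}),
    ('uid=jones,ou=People,dc=example,dc=com', {'uid': ['jones']}),
]


def search(attr, pattern, entries=SAMPLE_ENTRIES):
    """Two-stage search: the widened filter goes to the server (simulated here
    by applying the same '*'-only semantics to the sample entries), then the
    exact '?' rule prunes the superset locally. Returns (filter, matching DNs)."""
    widened = glob_to_filter(attr, pattern)
    exact = glob_to_regex(pattern)
    loose = glob_to_regex(pattern.replace('?', '*'))   # what the server would apply
    candidates = [(dn, attrs) for dn, attrs in entries
                  if any(loose.match(v) for v in attrs.get(attr, ()))]
    matched = [dn for dn, attrs in candidates
               if any(exact.match(v) for v in attrs.get(attr, ()))]
    return widened, matched


if __name__ == '__main__':
    flt, dns = search('uid', 'jo?n')
    print(flt)
    for dn in dns:
        print('  ', dn)
```

The escaping step is not optional: a pattern such as `*)(objectClass=*` that reaches the filter unescaped would rewrite the query, which is the classic LDAP injection. The cost of the workaround is that the server returns a superset, so the client-side pass must see every candidate value, and for attributes with a case-exact matching rule the `IGNORECASE` flag should be dropped to keep both stages consistent.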
Syncrepl, and some objectClass errors
by Lesley Walker
Lesley Walker wrote:
> I have spent today dissecting the logs from two incidents this week in
> which entries were erroneously deleted. Although the circumstances of
> the two incidents are quite different, from examining the logs I
> believe it is the same thing happening in each case.
I'm still unable to pinpoint the trigger condition, but I have a better
idea of what happens. I believe it *may* be covered by ITS#4626 and
ITS#4813, so I have built 2.3.35 to run on a test server.
On starting this new version for the first time and letting it build the
database by replication from its provider, I get these messages in the log:
is_entry_objectclass("", "2.5.17.0") no objectClass attribute
is_entry_objectclass("", "2.5.6.1") no objectClass attribute
is_entry_objectclass("", "2.16.840.1.113730.3.2.6") no objectClass attribute
I freely admit that I am not clued-up on schema design, but I have tried
grepping for those numbers in the schema files and in an ldif of the
database and I don't find them.
I note that these same messages were reported in ITS#4626, and wonder
whether there's a connection, or is it a mere coincidence?
I also note that these exact same messages were discussed in December:
http://www.openldap.org/lists/openldap-software/200612/msg00046.html
but this discussion went over my head, so I would welcome any
words-of-one-syllable explanations.
The main problem I'm trying to troubleshoot is this:
In every case, there's a log entry:
do_syncrep2: rid 123 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
followed by some number of these:
syncrepl_entry: rid 123 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
("some number" is MUCH less than the number of records)
then:
do_syncrep2: rid 123 LDAP_RES_INTERMEDIATE - REFRESH_PRESENT
followed by some (other) number of these:
syncrepl_del_nonpresent: rid 123 be_delete uid=whatever,ou=Accounts,dc=example,dc=co,dc=nz (0)
*INCLUDING* be_deletes for nearly ALL the top-level entries:
be_delete cn=root,dc=example,dc=co,dc=nz (0)
be_delete ou=Accounts,dc=example,dc=co,dc=nz (66)
be_delete ou=Mailbox,dc=example,dc=co,dc=nz (66)
be_delete ou=Services,dc=example,dc=co,dc=nz (66)
be_delete ou=Offices,dc=example,dc=co,dc=nz (66)
be_delete ou=Networks,dc=example,dc=co,dc=nz (66)
be_delete ou=Rooms,dc=example,dc=co,dc=nz (66)
be_delete ou=Group,dc=example,dc=co,dc=nz (66)
be_delete ou=EmailLists,dc=example,dc=co,dc=nz (66)
be_delete ou=People,dc=example,dc=co,dc=nz (66)
be_delete ou=Computers,dc=example,dc=co,dc=nz (66)
This would seem to leave the database completely empty, and in a state
where nothing and nobody can authenticate to it. No amount of
stopping/restarting has any effect (because it thinks it is in sync)
until we repair it by starting with the empty sync cookie.
There have been at least 10 instances of this fault on different servers
in the last 1-2 weeks.
Because I can't reproduce the problem on demand, I won't know for sure
whether or not the new version fixes it, but I have built the new
version and am now running it on a test server.
> Here's the environment:
> OpenLDAP 2.3.32 running on Debian 3.1 (Sarge)
> compiled with sync logging patch discussed about 4 months ago
> loglevel config sync on all servers
> BDB 4.2 backend
> Syncrepl replication all round
> A "master" server (com)
> - holds the master copy of the database
> A number of servers that replicate directly from com
> An "intermediate" server (wwsv04) that
> - is on the same LAN and subnet as com
> - replicates from com
> - acts as provider for all other servers
> 88 servers/replicas in total
> Approx 9000 records
> All replicas are supposed to be complete copies
> Nothing particularly fancy or clever going on
--
Lesley Walker
Linux Systems Administrator
Opus International Consultants Ltd
Email lesley.walker(a)opus.co.nz
Tel +64 4 471 7002, Fax +64 4 473 3017
http://www.opus.co.nz
Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343
Wellington, New Zealand
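An added example, not part of Lesley's post or of OpenLDAP: a checker that reads slapd sync log lines in the format quoted above and raises an alarm when a refresh's present phase deletes an entry directly under the suffix, or more than a set fraction of the expected entry count, which is the "database wiped" pattern the post describes. The log lines below are constructed (syslog-prefixed, as on a Debian box); the function names, the 10% threshold and the figure of 9000 expected entries taken from the environment description are the example's own assumptions.

```python
import re
from collections import defaultdict

RID_RE = re.compile(r'\brid[ =](\d+)')
PHASE_RE = re.compile(r'LDAP_RES_INTERMEDIATE - (\w+)')
ADD_RE = re.compile(r'LDAP_RES_SEARCH_ENTRY\(LDAP_SYNC_ADD\)')
# trailing (0) is success; (66) is LDAP notAllowedOnNonLeaf, i.e. the parent still had children
DEL_RE = re.compile(r'be_delete (.+?) \((\d+)\)\s*$')


def normalize_dn(dn):
    # Enough for this check: lower-case, drop spaces around commas.
    # Assumes no escaped commas inside RDN values.
    return ','.join(p.strip() for p in dn.lower().split(','))


def parent_dn(dn):
    return normalize_dn(dn).partition(',')[2]


def analyze_refresh(lines, suffix, expected_entries, max_delete_fraction=0.10):
    """Summarise each replication id's refresh and flag a mass-deletion pattern."""
    suffix = normalize_dn(suffix)
    per_rid = defaultdict(lambda: {'phases': [], 'adds': 0, 'deletes': [],
                                   'top_level_deletes': []})
    for line in lines:
        rid = RID_RE.search(line)
        if not rid:
            continue                      # not a syncrepl line
        st = per_rid[rid.group(1)]
        phase = PHASE_RE.search(line)
        if phase:
            st['phases'].append(phase.group(1))
        elif ADD_RE.search(line):
            st['adds'] += 1
        else:
            dele = DEL_RE.search(line)
            if dele:
                dn = normalize_dn(dele.group(1))
                st['deletes'].append((dn, int(dele.group(2))))
                if parent_dn(dn) == suffix:
                    st['top_level_deletes'].append(dn)
    report = {}
    for rid, st in per_rid.items():
        fraction = len(st['deletes']) / float(expected_entries) if expected_entries else 0.0
        reasons = []
        if st['top_level_deletes']:
            reasons.append('deleted %d entries directly under %s'
                           % (len(st['top_level_deletes']), suffix))
        if fraction > max_delete_fraction:
            reasons.append('deleted %.0f%% of expected entries' % (100 * fraction))
        report[rid] = {'phases': st['phases'], 'adds': st['adds'],
                       'deletes': len(st['deletes']),
                       'top_level_deletes': st['top_level_deletes'],
                       'alarm': bool(reasons), 'reasons': reasons}
    return report


# Constructed sample: rid 123 shows the harmful pattern, rid 124 a routine delete.
SAMPLE_LOG = """\
Apr 24 10:15:02 wwsv04 slapd[4242]: do_syncrep2: rid 123 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Apr 24 10:15:02 wwsv04 slapd[4242]: syncrepl_entry: rid 123 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Apr 24 10:15:02 wwsv04 slapd[4242]: syncrepl_entry: rid 123 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Apr 24 10:15:03 wwsv04 slapd[4242]: do_syncrep2: rid 123 LDAP_RES_INTERMEDIATE - REFRESH_PRESENT
Apr 24 10:15:03 wwsv04 slapd[4242]: syncrepl_del_nonpresent: rid 123 be_delete uid=jsmith,ou=Accounts,dc=example,dc=co,dc=nz (0)
Apr 24 10:15:03 wwsv04 slapd[4242]: syncrepl_del_nonpresent: rid 123 be_delete cn=root,dc=example,dc=co,dc=nz (0)
Apr 24 10:15:03 wwsv04 slapd[4242]: syncrepl_del_nonpresent: rid 123 be_delete ou=Accounts,dc=example,dc=co,dc=nz (66)
Apr 24 10:15:03 wwsv04 slapd[4242]: syncrepl_del_nonpresent: rid 123 be_delete ou=People,dc=example,dc=co,dc=nz (66)
Apr 24 10:20:00 wwsv04 slapd[4242]: do_syncrep2: rid 124 LDAP_RES_INTERMEDIATE - REFRESH_PRESENT
Apr 24 10:20:00 wwsv04 slapd[4242]: syncrepl_del_nonpresent: rid 124 be_delete uid=leaver,ou=Accounts,dc=example,dc=co,dc=nz (0)
"""


def demo():
    return analyze_refresh(SAMPLE_LOG.splitlines(), 'dc=example,dc=co,dc=nz',
                           expected_entries=9000)


if __name__ == '__main__':
    for rid, r in sorted(demo().items()):
        print(rid, 'ALARM' if r['alarm'] else 'ok', r['reasons'])
```

Run against the consumer's syslog (the `sync` loglevel is what produces these lines), the checker fires on the first refresh that starts deleting organizational units, which is earlier than "nobody can authenticate" tickets. A top-level delete is treated as an alarm on its own because a correct present phase on a complete replica should never have to remove the containers.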
back-ldap: how to bind to remote server?
by Székelyi Szabolcs
Hi,
I'm trying to use OpenLDAP as a proxy. I want it to bind to the remote
LDAP server with a fixed dn, and use that dn for searches. This way,
any dn binding to the proxy (even anonymously) could see objects and
attributes that the dn used to bind to the real LDAP server can see.
My problem is that it seems that the proxy does not bind to the remote
server (in other words, it binds anonymously), just forwards searches,
which fail this way, because the remote server requires authentication.
The binddn and bindpw configuration options are correct, I can use
ldapsearch to retrieve objects directly from the remote server.
Looking at the network traffic, I can't see the proxy attempting to bind
using the dn given in the binddn option.
Here is the relevant part of my slapd.conf:
==
database ldap
suffix dc=company,dc=local
chase-referrals no
lastmod off
uri ldap://remotehost
binddn <binddn>
bindpw <bindpw>
==
Is it possible to configure back-ldap this way?
Thanks,
--
cc
Syncrepl logging question
by Lesley Walker
Hi all,
Can somebody please confirm for me, when a log entry on a
consumer says:
do_syncrep2: rid 123 Can't contact LDAP server
I've been assuming it means the provider server, is that correct?
It's just occurred to me it could possibly be referring to the local
server since I believe there are multiple threads involved in a single
slapd process.
--
Lesley Walker
used timezone
by Frank Lohfeld
Hello,
How can I change things so that OpenLDAP uses the system time from my server
to store as modifyTimestamp?
At the moment OpenLDAP uses GMT, but in Germany we have GMT+1 plus summer
time (GMT+2).
And my system does not give me GMT; the system gives me the actual local
time, and I want OpenLDAP to store the local time. When it stores the GMT
time (current status), we have problems with applications that search for
entries that changed in the last hour.
(Sorry for my bad English.)
Thank you very much
Frank
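An added example, not from the post or from OpenLDAP, showing the client-side way round the problem: leave modifyTimestamp in UTC as slapd writes it (GeneralizedTime with a `Z` suffix) and convert at the client when building a "changed in the last hour" filter. The fixed UTC+2 offset is an assumption standing in for Central European Summer Time so the example runs without the tz database; the function names are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# slapd stores YYYYmmddHHMMSSZ; the syntax also allows fractional seconds.
GT_RE = re.compile(r'^(\d{14})(?:\.(\d{1,6}))?Z$')
# Assumption: fixed UTC+2 stands in for Europe/Berlin in summer.
LOCAL_TZ = timezone(timedelta(hours=2), 'CEST')


def to_generalized_time(dt):
    """Render an aware datetime the way slapd stores it: UTC with a 'Z' suffix.
    Because the stored values are all UTC they sort as plain strings, which is
    what makes a '>=' filter on modifyTimestamp work at all; local time with a
    summer/winter switch would not sort consistently."""
    if dt.tzinfo is None:
        raise ValueError('naive datetime: attach the local zone first')
    return dt.astimezone(timezone.utc).strftime('%Y%m%d%H%M%SZ')


def from_generalized_time(value, tz=LOCAL_TZ):
    """Parse a modifyTimestamp value and present it in local time for display."""
    m = GT_RE.match(value.strip())
    if not m:
        raise ValueError('not a GeneralizedTime in Z form: %r' % value)
    stamp, frac = m.groups()
    utc = datetime.strptime(stamp, '%Y%m%d%H%M%S').replace(
        tzinfo=timezone.utc, microsecond=int((frac or '0').ljust(6, '0')))
    return utc.astimezone(tz)


def modified_since_filter(now_local, window=timedelta(hours=1), attr='modifyTimestamp'):
    """Correct: convert the local cut-off to UTC before formatting it."""
    return '(%s>=%s)' % (attr, to_generalized_time(now_local - window))


def naive_local_filter(now_local, window=timedelta(hours=1), attr='modifyTimestamp'):
    """The mistake the post runs into: format the local wall clock and append 'Z'."""
    return '(%s>=%s)' % (attr, (now_local - window).strftime('%Y%m%d%H%M%SZ'))


def hours_silently_dropped(now_local, window=timedelta(hours=1)):
    """How far past the intended cut-off the naive filter lands, in hours:
    that much of the window is never returned by the search."""
    naive_value = re.search(r'>=(\S+)\)$', naive_local_filter(now_local, window)).group(1)
    intended = now_local - window
    return (from_generalized_time(naive_value, now_local.tzinfo) - intended).total_seconds() / 3600


def sample_now():
    # Constructed "now": 14:30 local time on the day of the post.
    return datetime(2007, 4, 24, 14, 30, tzinfo=LOCAL_TZ)


if __name__ == '__main__':
    now = sample_now()
    print('correct:', modified_since_filter(now))
    print('naive:  ', naive_local_filter(now))
    print('hours of changes the naive filter misses:', hours_silently_dropped(now))
```

With a UTC+2 clock the naive filter asks for entries modified after a point two hours in the future relative to what was intended, so a "last hour" search returns nothing; the fix lives in the application, not in slapd's storage format.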
Build error 2.3.35 on Debian
by Lesley Walker
I'm getting this error when I run "make depend":
cd slapi; make -w depend
make[3]: Entering directory
`/vol01/developer/openldap/openldap-2.3.35/servers/slapd/slapi'
../../../build/mkdep -l -d "." -c "cc" -m "-M" -I../../../include -I..
-I. -I../../../include -I./.. -I. plugin.c slapi_pblock.c
slapi_utils.c printmsg.c slapi_ops.c slapi_dn.c slapi_ext.c slapi_overlay.c
plugin.c:32:18: ltdl.h: No such file or directory
make[3]: Leaving directory
`/vol01/developer/openldap/openldap-2.3.35/servers/slapd/slapi'
Given the configure switches I'm using, I don't think it should even be
attempting to build slapi:
./configure \
--prefix=/opt/$OPENLDAP_VERSION \
--localstatedir=/var/local/$OPENLDAP_VERSION \
--sharedstatedir=/var/local/$OPENLDAP_VERSION/com \
--enable-cleartext \
--enable-crypt \
--enable-lmpasswd \
--enable-ldbm \
--enable-syncprov \
--enable-slurpd \
--without-cyrus-sasl \
--disable-slapi
This error has also occurred with previous versions (at least 2.3.27,
2.3.31, 2.3.32) but it doesn't seem to cause any functional errors as
far as I can tell. (unless it's somehow related to the syncrepl
problems, but that seems unlikely)
--
Lesley Walker
syncrepl failure monitoring
by Donn Cave
We use slurpd, and I have gone to some pains to make our home-grown
service monitor software check the replication files, on the master
hosts, so we have timely notification when replication has stalled.
How do sites that use syncrepl do this?
For example, my new replica is failing right away. I can see it in
the master syslog: a bind, a search for * +, then a search result
with err=3. On the replica side, however - not a peep.
After a little tinkering, I can get "do_syncrep2 result: rid=101 Timed out",
but that requires changes to the code. This exercise convinced me that
the syncrepl engine isn't supposed to syslog success or failure of its
queries, presumably for some good reason and there must be a better way
to diagnose problems.
The monitoring objective is to verify that the server is either synched,
or is making satisfactory progress in that direction. Is there a good way
to monitor the state of that syncrepl thread?
Thanks,
Donn Cave, donn(a)u.washington.edu
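An added example, not from either post or from OpenLDAP, that parses contextCSN values and compares them. It serves Donn's monitoring question directly above and also Sam Tran's hot-standby question at the top of the page, since the same comparison tells you whether a consumer already holds changes the standby never received. It assumes the values were read with `ldapsearch -x -H ldap://host -b <suffix> -s base contextCSN` on the provider and on each consumer (the values below are constructed); the function names and the 60-second tolerance are the example's own. It accepts the 2.3 layout (`YYYYmmddHHMMSSZ#count#sid#mod`) and the 2.4 layout with fractional seconds and a three-digit sid.

```python
import re
from datetime import datetime, timezone

# 2.3 layout: 20070424120000Z#000001#00#000000   (time # change count # server id # modifier)
# 2.4 layout: 20070424120000.123456Z#000001#000#000000
CSN_RE = re.compile(r'^(\d{14})(?:\.(\d{1,6}))?Z#([0-9a-fA-F]+)#([0-9a-fA-F]+)#([0-9a-fA-F]+)$')


def parse_csn(csn):
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError('not a contextCSN: %r' % csn)
    stamp, frac, count, sid, mod = m.groups()
    when = datetime.strptime(stamp, '%Y%m%d%H%M%S').replace(
        tzinfo=timezone.utc, microsecond=int((frac or '0').ljust(6, '0')))
    return {'time': when, 'count': int(count, 16), 'sid': int(sid, 16), 'mod': int(mod, 16)}


def csn_key(csn):
    """Ordering key: timestamp, then the change counter that breaks ties within a second.
    With several providers (2.4) contextCSN is multi-valued, one per sid; compare
    the value for the same sid on both sides rather than mixing sids."""
    p = parse_csn(csn)
    return (p['time'], p['count'])


def lag_seconds(provider_csn, consumer_csn):
    """Positive when the consumer is behind, negative when it is ahead."""
    return (parse_csn(provider_csn)['time'] - parse_csn(consumer_csn)['time']).total_seconds()


def replication_state(provider_csn, consumer_csn, max_lag=60):
    pk, ck = csn_key(provider_csn), csn_key(consumer_csn)
    if ck == pk:
        return 'in_sync'
    if ck > pk:
        return 'ahead'        # the consumer holds a change the provider never received
    return 'lagging' if lag_seconds(provider_csn, consumer_csn) > max_lag else 'catching_up'


def promotion_blockers(standby_csn, consumer_csns):
    """Consumers whose contextCSN is newer than the standby's: after promotion the
    standby would be a provider lacking changes those consumers already hold, so
    their content would not be identical to the old provider's."""
    sk = csn_key(standby_csn)
    return sorted(name for name, csn in consumer_csns.items() if csn_key(csn) > sk)


# Constructed sample: one provider and three consumers read at the same moment.
SAMPLE_PROVIDER = '20070424120500Z#000003#00#000000'
SAMPLE_CONSUMERS = {
    'wwsv04':   '20070424120500Z#000003#00#000000',   # identical: in sync
    'branch-a': '20070424120000Z#000001#00#000000',   # five minutes behind
    'branch-b': '20070424120900Z#000000#00#000000',   # newer than the provider: was written to directly
}


def monitor(provider_csn=SAMPLE_PROVIDER, consumer_csns=SAMPLE_CONSUMERS, max_lag=60):
    return {name: replication_state(provider_csn, csn, max_lag)
            for name, csn in consumer_csns.items()}


if __name__ == '__main__':
    for name, state in sorted(monitor().items()):
        print('%-10s %s' % (name, state))
    print('do not promote wwsv04 while these are ahead of it:',
          promotion_blockers(SAMPLE_CONSUMERS['wwsv04'], SAMPLE_CONSUMERS))
```

Polling contextCSN from outside is independent of what the syncrepl thread logs, so it catches a consumer that is silently stuck as well as one that is retrying. A consumer reported as `ahead` is a finding in its own right: it means writes reached a replica that should have been read-only.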
Server Certificate Chain
by Krasimir Ganchev
Hello guys,
I am using a globally recognized certificate with my openldap server which
is issued by a Child CA trusted by the Root CA of my certificate provider.
Is there any possible way to include the Child CA certificate within the
server certificate chain?
The thing is that I have couple of windows based clients using my openldap
server and I can't make them verify the server certificate. The Root CA is
included in the trusted Root CAs Windows store, but since the Child CA isn't
there and doesn't appear in the certificate chain, the clients could not
verify the server certificate and give up with an error unless they are
being configured to ignore errors.
That's the reason why I would like to include the Child CA (Signing CA)
certificate within the server certificate chain, which will allow those
clients to confirm the server's certificate and its signing CA certificate
against the trusted root CA.
Is there any possible way to achieve that and is it up to configuration?
Any help is appreciated!
All my best,
Krasimir Ganchev