RE: LDAP Reference Works?
by Mark Mcdonald
Despite not understanding the architecture completely, it sounds like LDAP will fill your needs.
Have a read of the following man pages to see if it's what you're after:
slapd-ldap
slapo-translucent
slapo-chain
Good luck!
_____
From: Yang Sun [mailto:aegir.china@yahoo.com.cn]
Sent: Monday, April 30, 2007 10:59 PM
To: openldap-software(a)openldap.org
Subject: LDAP Reference Works?
Hi,
I am new to the LDAP world. And I am trying to design a distributed data structure for storing the user information in our project. I am not sure whether using LDAP references is the right way to do this job. Please give me some suggestions. The detailed situation is:
We manage tens of sites. And the sites are organized in a tree structure. The requirement is to store the information in the local site (meaning no central place to store the information for all the sites). It will give the system the maximum flexibility to expand, and when the site is isolated the local site still works well. Sometimes, the local site will need information stored in other sites.
I think it is a distributed database architecture. And it reminds me to use the LDAP reference function. So each local site will have a reference to its parent site and some references to its child sites. It gives a logical view of the tree with information for all the sites. I am not sure whether it is possible to do that and whether it has some difficulties to implement it using OpenLDAP.
Any suggestion?
Thanks,
Yang Sun
Re: cn=config howto?
by Wai Phang
Hi Dieter,
Thank you for the hint. Finally, I am able to add a new database.
Also, I figured that rootDN doesn't allow quotation marks as well.
Rgds
Wai Phang
>Hi,
>olcSuffix syntax does not allow quotation marks.
>-Dieter
Syncrepl-Consumer deletes entries
by Joachim Hergeth
Hello list,
I have an OpenLDAP provider/consumer installation on two SLES10 systems.
One is set up as a provider LDAP, the second is a consumer LDAP using
"refreshOnly" syncrepl synchronization. The LDAP provides user
information for a Samba installation.
The initial synchronization of the consumer works as expected. All LDAP
entries are copied to the consumer directory. But after some time,
usually when users log in to the Samba running with the provider LDAP,
nearly 50% of all LDAP entries on the consumer are deleted. This happens
without any change on the provider LDAP!
Checking the logs, I found that delete messages can be found in the
consumer's system log.
I do not understand the source of the problem. No entries in the
provider LDAP are deleted, so no entries should be deleted in the consumer.
To check the installation, I set up a second consumer in a VMWare
environment. And also in this system, which had been set up from scratch
and only holds the OpenLDAP-consumer, the entries are deleted at the
same time when they are deleted in the "real" OpenLDAP consumer system.
When I change an attribute of an entry in the provider LDAP which has
been deleted from the consumer by this process, like adding a
description, this change is forwarded to the consumer and the entry
"reappears" in the LDAP of the consumer.
Any help or suggestion is appreciated.
Thanks in advance
Joachim Hergeth
The provider's slapd.conf is:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/samba3.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
## Yast2 samba hack ACL
## allow the "ldap admin dn" access, but deny everyone else
access to attrs=SambaLMPassword,SambaNTPassword
by dn="cn=Administrator,dc=master-ldap,dc=gts-systems.de" write
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by * none
## Yast2 samba hack ACL done
access to dn.base=""
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by self write
by * auth
access to dn.base="cn=Subschema"
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by * read
access to attrs=userPassword,userPKCS12
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by self write
by * auth
access to attrs=shadowLastChange
by self write
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by * read
access to *
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by * read
by anonymous auth
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
schemacheck on
idletimeout 30
loglevel 131
backend bdb
database bdb
suffix "dc=master-ldap,dc=gts-systems.de"
rootdn "cn=Administrator,dc=master-ldap,dc=gts-systems.de"
rootpw <some working password>
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,entryCSN,entryUUID,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
overlay syncprov
syncprov-checkpoint 100 1
syncprov-sessionlog 1
---------------------------------------------------------------------------
the consumer's slapd.conf is:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/yast.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
access to dn.base=""
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by self write
by * auth
access to dn.base="cn=Subschema"
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by * read
access to attrs=userPassword,userPKCS12
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by self write
by * auth
access to attrs=shadowLastChange
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
by self write
by * read
access to *
by dn="cn=repladmin,dc=master-ldap,dc=gts-systems.de" write
# by anonymous auth
by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
schemacheck on
idletimeout 30
loglevel 15288
# TLSCertificateFile /etc/ssl/servercerts/servercert.pem
# TLSCACertificatePath /etc/ssl/certs/
# TLSCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
database bdb
suffix "dc=master-ldap,dc=gts-systems.de"
rootdn "cn=Administrator,dc=master-ldap,dc=gts-systems.de"
rootpw "<some working password>"
directory /var/lib/ldap
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber,entryCSN,entryUUID eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
syncrepl rid=321
provider=ldap://192.168.1.210:389
type=refreshOnly
interval=00:00:00:30
searchbase="dc=master-ldap,dc=gts-systems.de"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=repladmin,dc=master-ldap,dc=gts-systems.de"
credentials=<another nice password>
---------------------------------------------------------------------------
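Added check, not part of Joachim's message or of OpenLDAP itself: in the present phase of a refreshOnly sync, entries the provider does not report as present are removed from the consumer, so comparing slapcat exports of both sides by entryUUID shows exactly which entries vanished and which are stale. The two LDIF dumps below are constructed for the example (only the DNs follow the suffix from the thread); the parser assumes single-line, non-base64 attributes as slapcat emits for these.

```python
import re

# Constructed slapcat-style exports: the consumer lacks "bob" and holds an
# older entryCSN for "carol" than the provider does.
PROVIDER_LDIF = """\
dn: uid=alice,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 11111111-1111-1111-1111-111111111111
entryCSN: 20070430125900Z#000001#00#000000

dn: uid=bob,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 22222222-2222-2222-2222-222222222222
entryCSN: 20070430125901Z#000001#00#000000

dn: uid=carol,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 33333333-3333-3333-3333-333333333333
entryCSN: 20070430125902Z#000001#00#000000
"""

CONSUMER_LDIF = """\
dn: uid=alice,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 11111111-1111-1111-1111-111111111111
entryCSN: 20070430125900Z#000001#00#000000

dn: uid=carol,ou=people,dc=master-ldap,dc=gts-systems.de
entryUUID: 33333333-3333-3333-3333-333333333333
entryCSN: 20070430125800Z#000001#00#000000
"""

def parse_ldif(text):
    """Map entryUUID -> (dn, entryCSN) for every entry in a slapcat dump."""
    # Simplified LDIF reader: no folded lines, no base64 ("::") values.
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                attrs.setdefault(key.strip().lower(), value.strip())
        if "entryuuid" in attrs:
            entries[attrs["entryuuid"]] = (attrs.get("dn", ""), attrs.get("entrycsn", ""))
    return entries

def compare_replicas(provider_ldif, consumer_ldif):
    """Return (missing_on_consumer, stale_on_consumer, extra_on_consumer) DN lists."""
    prov, cons = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    missing = sorted(dn for u, (dn, _) in prov.items() if u not in cons)
    # CSNs share a fixed layout, so string order equals time order.
    stale = sorted(prov[u][0] for u in prov if u in cons and cons[u][1] < prov[u][1])
    extra = sorted(dn for u, (dn, _) in cons.items() if u not in prov)
    return missing, stale, extra
```

Run `slapcat` on each host, feed the files to `compare_replicas`, and any DN in the first list is one the consumer dropped; if those entries are all beyond a search limit or hidden from the replication binddn on the provider, that is where to look.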