I'm currently doing a review to see how OpenLDAP compares, *feature
wise* ATM, to other directory servers and specifically to the Sun DS -
i.e. to get a definitive list of features it's missing that Sun has and
what it has that Sun doesn't have, etc. For brevity, I haven't included
all the potentially useful features of OpenLDAP, but have just focused
on those associated with 1) RFC compliance (which Sun may or may not
meet) and 2) features to match the Sun DS (which it would be replacing).
So far, here's what I have for OpenLDAP:
RFC 4510 (which includes 4511-4519). There was recent discussion on the
list around this, such that in some cases, not everything that changed
from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been
updated in OpenLDAP, but I think those issues are fairly minor.
The following additional RFC's are supported in OpenLDAP:
- RFC 2247 and RFC 3088
- RFC 2696 simple paged results
- RFC 2849 ldif
- RFC 3062 password mod op
- RFC 3296 named referrals, manageDSAit
- RFC 3673 All Op attrs + feature
- RFC 3687 Component matching rules
- RFC 3866 Language tag and range
- RFC 3876 matched values control
- RFC 4370 proxy auth
- RFC 4522 binary encoding
- RFC 4523 x.509 cert schema
- RFC 4524 COSINE schema
- RFC 4525 Mod-increment
- RFC 4526 Absolute true/false filters
- RFC 4527 pre/post read control
- RFC 4528 assertion control
- RFC 4529 request attrs by objectclass
- RFC 4530 entryUUID
- RFC 4532 whoamI
- RFC 4533 Content Sync op (replication)
RFC's NOT supported are:
- RFC 2589 dds Seems with 2.4, this has gone from experimental to
- RFC 2891 server side sorting
- RFC 3671 collective attributes
- RFC 3928 LCUP, mainly for updating cached address books, etc. - not
replication between servers
- RFC 3384 looks like just reqs for replication, not an actual
replication protocol - RFC 4533 is used instead
- RFC 3672 (subentries)
- RFC 3698 and 3727 (additional matching rules)
- RFC 3909 LDAP Cancel operation
- RFC 5020 entryDN operational attribute
(There are some other, often obscure, LDAP related RFC's that I didn't
include, but this seems to be the major/useful ones)
Other features not supported:
- VLV browse indexes (per
http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an
RFC, but supported by Sun and MS directories, and used by things like
Outlook and Solaris.
Other supported features:
- dyngroup/dynlist/memberof overlay (A much more useful feature than
Sun's groupOfURLs "dynamic" group and "roles" mechanism)
- ppolicy overlay (matches Sun DS 5.x reasonably closely, but is account
lockout replicated to all servers? Sun DS 6.x claims to)
- refint overlay (similar to Sun's referential integrity plugin)
- unique overlay (similar to Sun's uniqueness plugin)
- audit and accesslog overlays, syslog logging - much more
useful/complete than Sun's access/audit/error logs.
- live acl changes via LDAP
- Per user resource limits (sizelimit, timelimit, idletimeout, etc). I
think Howard Chu said OpenLDAP has some of this, but I haven't seen any
reference to it or how to use it in the docs (does this functionality
exist, and if so, is there any documentation?)
- Tracking of last login (i.e. last successful ldap authentication)
Is this still fairly accurate?
The ones that are really problematic are the lack of:
- VLV Browse indexes
- RFC 2891 (server side sorting)
- per user/entry resources limits (if they don't exist)
Are there any unofficial updates/patches/overlays/plans for any of this
I am trying out slapo-dds. I have this in slapd.conf:
Then I created an entry with this:
I had this automatically generated.
But now this entry should be expired, and it is still in the tree. What
is wrong? Did I misunderstand the documentation, shouldn't it vanish
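The post above asks why an entry that should be expired is still in the tree. The model below is an added example (not OpenLDAP code, not from the poster) of the timing slapo-dds(5) documents: entryTtl counts from creation or last refresh, but the overlay deletes expired dynamic objects only from a periodic task that runs every dds-interval seconds (default 3600) and defers deletion by dds-tolerance seconds (default 0). The sweep schedule (task start plus whole multiples of the interval) and every time value used are modelling assumptions, expressed in POSIX seconds.

```python
"""When does slapo-dds actually remove an expired dynamicObject?

Added example, not OpenLDAP code.  Defaults are taken from slapo-dds(5);
the sweep schedule task_start + k*interval is a modelling assumption.
"""

DDS_INTERVAL = 3600    # slapo-dds(5) default for dds-interval
DDS_TOLERANCE = 0      # slapo-dds(5) default for dds-tolerance
DDS_MAX_TTL = 86400    # slapo-dds(5) default for dds-max-ttl


def expires_at(refreshed_at, entry_ttl):
    """RFC 2589 expiry: the object is expired once entryTtl has elapsed
    since it was created or last refreshed."""
    if not 0 <= entry_ttl <= DDS_MAX_TTL:
        raise ValueError("entryTtl %d outside 0..dds-max-ttl" % entry_ttl)
    return refreshed_at + entry_ttl


def removed_at(refreshed_at, entry_ttl, task_start,
               interval=DDS_INTERVAL, tolerance=DDS_TOLERANCE):
    """First sweep (task_start + k*interval) that runs after the object has
    been expired for `tolerance` seconds.  Until that sweep the object is
    still returned by searches even though it is past its TTL."""
    deadline = expires_at(refreshed_at, entry_ttl) + tolerance
    if deadline <= task_start:
        return task_start
    sweeps_needed = -(-(deadline - task_start) // interval)  # ceiling division
    return task_start + sweeps_needed * interval


def is_still_visible(now, refreshed_at, entry_ttl, task_start,
                     interval=DDS_INTERVAL, tolerance=DDS_TOLERANCE):
    """True while the object is in the tree: not yet expired, or expired but
    waiting for the next expiration sweep."""
    return now < removed_at(refreshed_at, entry_ttl, task_start,
                            interval, tolerance)


if __name__ == "__main__":
    # Constructed scenario: slapd started at t=0, a dynamicObject added at
    # t=0 with entryTtl 600, and the tree inspected at t=1000.
    print("expired at  ", expires_at(0, 600))
    print("removed at  ", removed_at(0, 600, 0))
    print("visible at t=1000:", is_still_visible(1000, 0, 600, 0))
```

With the defaults an object whose entryTtl ran out a few minutes ago can remain for up to an hour, and any dds-tolerance pushes removal later still; a smaller dds-interval in the overlay configuration narrows the gap at the cost of more frequent internal expiry searches.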
Is the kind of ACL below supported?
access to dn.regex="^uid=.+,(ou=.+),o=org$" attrs=foo val.regex="^(.*)$"
I expect $1 to hold ou=whatever and $2 to hold attribute foo value that
gets modified. I have trouble to get it working, and I wonder if
1) are $<digit> supported in val.regex ?
2) is it allowed to use $<digit> with multiple regexes? Or will the values
gathered by the last match overwrite the first one?
Since I upgraded one of my servers from 2.4.11 to 2.4.12, I'm facing
heavy database issues:
[root@etoile ~]# slapcat -b dc=msr-inria,dc=inria,dc=fr
bdb(dc=msr-inria,dc=inria,dc=fr): pthread lock failed: Invalid argument
bdb(dc=msr-inria,dc=inria,dc=fr): PANIC: Invalid argument
bdb(dc=msr-inria,dc=inria,dc=fr): PANIC: DB_RUNRECOVERY: Fatal error,
run database recovery
bdb(dc=msr-inria,dc=inria,dc=fr): PANIC: fatal region error detected;
bdb_db_close: database "dc=msr-inria,dc=inria,dc=fr": close failed:
DB_RUNRECOVERY: Fatal error, run database recovery (-30975)
Even importing a backup LDIF file on a fresh installation triggers the
I tested this problem on two different environments (mandriva 2008.1,
mandriva cooker), and one user reported it against mandriva 2009.0
(https://qa.mandriva.com/show_bug.cgi?id=45034). This seems to either
imply an openldap or a packaging issue. Should I report an ITS for this,
or rather provide more information?
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
I use openldap 2.3.39.
The OpenLDAP admin guide indicates (in chapter 15 for OpenLDAP 2.3 and
17.2.1 for 2.4):
"Syncrepl supports both partial and sparse replications. The shadow DIT
fragment is defined by a general search criteria consisting of base,
scope, filter, and attribute list. The replica content is also subject
to the access privileges of the bind identity of the syncrepl
So, I understand that, in syncrepl, I could do a partial replication on
the slave with ACL limitation on the master.
I have tried this with delta-syncrepl (with accesslog) but it doesn't
seem to work, with this kind of message on the slave:
slapd : syncrepl_message_to_op: rid 252 be_modify
The slave doesn't have the entry (due to ACL limitations) but sees
modifications to it in the accesslog base and tries to synchronize the entry.
With delta-syncrepl, is it possible to do partial replication on the slave
with ACL limitations on the master?
master delta-syncrepl conf :
index entryCSN,objectClass,reqEnd,reqResult,reqStart eq
syncprov-checkpoint 100 10
logpurge 07+00:00 01+00:00
slave delta-syncrepl conf :
retry="60 10 300 +"
Dear list members,
I have just set up Kerberos, Cyrus SASL and OpenLDAP in my
environment. My host platform is Debian.
I am facing a situation like this: although I configured Cyrus SASL, I
can't see its mechanisms with the following command:
sioux@gustav:~/ldap$ ldapsearch -x -b "" -s base supportedSASLMechanisms
# extended LDIF
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
The ldd output of my LDAP server is:
gustav:/etc/ldap# ldd `which slapd`
linux-gate.so.1 => (0xffffe000)
libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f1c000)
liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f10000)
libiodbc.so.2 => /usr/lib/libiodbc.so.2 (0xb7ec8000)
libslp.so.1 => /usr/lib/libslp.so.1 (0xb7eb9000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ea3000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e64000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d2a000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7ce8000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cd6000)
libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb7ccf000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb7cc7000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7b96000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b92000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7b7b000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b67000)
Could someone help with this?
Thanks a lot for your time and cooperation.
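Two posts in this thread come down to reading the rootDSE: the feature comparison at the top lists RFCs by number, and the post directly above shows a rootDSE query that returns no supportedSASLMechanisms at all. The script below is an added example (not OpenLDAP project code, not from either poster) that parses the LDIF printed by `ldapsearch -x -b "" -s base supportedControl supportedExtension supportedFeatures supportedSASLMechanisms`, maps the advertised OIDs to the controls, extended operations and features on that RFC list, and reports which are advertised, which are not, and which SASL mechanisms the server offers. The OID table is taken from the RFCs and the VLV draft themselves; a server advertising an OID claims support for it. The sample rootDSE embedded at the bottom is constructed and, like the posted output, carries no SASL mechanisms.

```python
"""Audit a rootDSE dump against the RFC list in this thread and report the
SASL mechanisms the server advertises.  Added example, not OpenLDAP code.
Reads ldapsearch LDIF from stdin, or uses the constructed sample below."""
import base64
import sys

KNOWN = {  # OID: (specification, short name)
    "1.2.840.113556.1.4.319": ("RFC 2696", "simple paged results"),
    "1.2.840.113556.1.4.473": ("RFC 2891", "server side sorting"),
    "2.16.840.1.113730.3.4.9": ("draft-ietf-ldapext-ldapv3-vlv", "virtual list view"),
    "2.16.840.1.113730.3.4.2": ("RFC 3296", "manageDsaIT"),
    "1.2.826.0.1.3344810.2.3": ("RFC 3876", "matched values"),
    "2.16.840.1.113730.3.4.18": ("RFC 4370", "proxied authorization"),
    "1.3.6.1.1.13.1": ("RFC 4527", "pre-read"),
    "1.3.6.1.1.13.2": ("RFC 4527", "post-read"),
    "1.3.6.1.1.12": ("RFC 4528", "assertion"),
    "1.3.6.1.4.1.4203.1.9.1.1": ("RFC 4533", "content sync"),
    "1.3.6.1.4.1.4203.1.10.1": ("RFC 3672", "subentries"),
    "1.3.6.1.4.1.4203.1.11.1": ("RFC 3062", "password modify"),
    "1.3.6.1.4.1.4203.1.11.3": ("RFC 4532", "who am I?"),
    "1.3.6.1.1.8": ("RFC 3909", "cancel"),
    "1.3.6.1.4.1.4203.1.5.1": ("RFC 3673", "all operational attributes"),
    "1.3.6.1.4.1.4203.1.5.2": ("RFC 4529", "attributes by object class"),
    "1.3.6.1.4.1.4203.1.5.3": ("RFC 4526", "absolute true/false filters"),
    "1.3.6.1.4.1.4203.1.5.4": ("RFC 3866", "language tag options"),
    "1.3.6.1.4.1.4203.1.5.5": ("RFC 3866", "language range options"),
    "1.3.6.1.1.14": ("RFC 4525", "modify-increment"),
}
ROOTDSE_ATTRS = ("supportedControl", "supportedExtension", "supportedFeatures")


def parse_ldif_entry(text):
    """{attribute: [values]} for one LDIF entry: unfolds continuation lines,
    skips '#' comments and the dn line, decodes '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        if name == "dn":
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name, []).append(value.strip())
    return entry


def audit(rootdse):
    """Split KNOWN into advertised/not advertised, list OIDs outside KNOWN,
    and collect the SASL mechanisms."""
    advertised = set(v for a in ROOTDSE_ATTRS for v in rootdse.get(a, []))
    return {"present": {o: s for o, s in KNOWN.items() if o in advertised},
            "missing": {o: s for o, s in KNOWN.items() if o not in advertised},
            "unlisted": sorted(advertised - set(KNOWN)),
            "sasl": rootdse.get("supportedSASLMechanisms", [])}


def report(result):
    lines = []
    for label in ("present", "missing"):
        for oid, (spec, name) in sorted(result[label].items(), key=lambda kv: kv[1]):
            lines.append("%-8s %-30s %-28s %s" % (label, spec, name, oid))
    lines.extend("unlisted %s" % oid for oid in result["unlisted"])
    lines.append("SASL mechanisms: " + (", ".join(result["sasl"]) or "none advertised"))
    return "\n".join(lines)


SAMPLE_ROOTDSE = """# constructed sample, not a real server's output
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.1.12
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.1.14
"""

if __name__ == "__main__":
    text = SAMPLE_ROOTDSE if sys.stdin.isatty() else sys.stdin.read()
    print(report(audit(parse_ldif_entry(text))))
```

Pipe a live server's rootDSE into the script to check the list against what that build actually advertises; an empty "SASL mechanisms" line on a slapd linked against libsasl2, as in the post above, means the server found no usable mechanism plugins at startup rather than that the library is missing.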
I installed OpenLDAP on CentOS 4.7. However, it did not create a database, so
when I connect to it there is no data and I get an exception - object not
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object];
remaining name 'dc=nodomain'
I have tried everything that is suggested in the LDAP documentation. However,
nothing works. I have the impression that all the documentation assumes you
already have a database set up and explains how to add data to existing data,
but there is nothing on how to create it from scratch.
Any help, I am stuck with this problem already for 3 days :(.
I looked in the online version of the Admin Guide for upgrade
instructions, but they don't seem to have been written. So I have come
to the experts for guidance.
I have successfully compiled and installed the new version, and run it
as a slave in our existing system. I allowed it to create its database via
syncrepl, and that worked a treat (although it took longer than I
expected). It's been happily running for a while and I have no issues.
My question is really, what's the best way to approach the upgrade of
the master server?
Since we're going from BDB 4.2 to BDB 4.4, I assume it wouldn't be a
good idea to just plug the existing database into the new code.
If I slapcat the old version and slapadd the data into the new version,
will that cause the entire database to be resynced out to all slave
servers? We have about 100 slave servers, and the thought of
(effectively) resetting all their sync cookies all at once makes me shudder.
My other option, since all servers run matching environments, would be
to take a copy of the database from a replicated 2.4.11 slave and plug
that straight in (having disallowed updates and replication, and taken
any other safety measures I can think of). Would this be a stupid risk,
or would you expect it to work okay?
Our site info:
All servers run Debian 4.0 (Etch) with near-as-dammit identically
Kernel is 2.6.22
One master server, many slaves with identical databases.
Replication is done by syncrepl
Bandwidth to some sites is limited
About 12000 records in the database
Linux Systems Administrator
Opus International Consultants Ltd
Tel +64 4 471 7002, Fax +64 4 473 3017
Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343
Wellington, New Zealand
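The worry in the post above is that reloading the master will make every slave refresh. What decides that is the contextCSN on the suffix entry: slapcat writes entryCSN and contextCSN into the LDIF and slapadd loads them back unchanged, so a plain slapcat/slapadd leaves the consumers' sync cookies valid, while `slapadd -w` rewrites contextCSN from the highest entryCSN in the database. The script below is an added example (not OpenLDAP code, not from the poster) that parses contextCSN values in both the 2.3 form (`YYYYmmddHHMMSSZ#count#sid#mod`, two-digit SID) and the 2.4 form (microsecond timestamp, three-digit SID), compares a provider's contextCSN set against each consumer's, and lists the consumers that would pull changes on their next refresh. The provider and consumer CSNs it uses are constructed.

```python
"""Compare provider and consumer contextCSN values to predict which syncrepl
consumers will refresh.  Added example, not OpenLDAP code; all CSN values in
the sample fleet below are constructed."""
import re

# 2.3: 20081118101500Z#000000#00#000000   2.4: 20081118101500.000000Z#000000#000#000000
CSN_RE = re.compile(
    r"^(\d{14})(?:\.(\d{6}))?Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{2,3})#([0-9a-fA-F]{6})$")


def parse_csn(csn):
    """Split a CSN into fields.  SID is parsed as hex so '00' (2.3) and
    '000' (2.4) name the same server."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    ts, usec, count, sid, mod = m.groups()
    return {"time": ts, "usec": int(usec or 0), "count": int(count, 16),
            "sid": int(sid, 16), "mod": int(mod, 16)}


def csn_order_key(parsed):
    """Ordering used to decide which of two CSNs for the same SID is newer."""
    return (parsed["time"], parsed["usec"], parsed["count"], parsed["mod"])


def by_sid(csns):
    return {p["sid"]: p for p in (parse_csn(c) for c in csns)}


def consumer_state(provider_csns, consumer_csns):
    """SID -> 'in sync' | 'behind' | 'missing' | 'ahead'.  'behind' and
    'missing' mean the consumer pulls changes on its next refresh; 'ahead'
    means the provider's contextCSN is older than the consumer's cookie (for
    example after a reload that did not preserve it), so the provider sends
    nothing for that SID until its contextCSN overtakes the cookie."""
    prov, cons = by_sid(provider_csns), by_sid(consumer_csns)
    state = {}
    for sid in sorted(set(prov) | set(cons)):
        if sid not in cons:
            state[sid] = "missing"
        elif sid not in prov:
            state[sid] = "ahead"
        else:
            pk, ck = csn_order_key(prov[sid]), csn_order_key(cons[sid])
            state[sid] = "in sync" if pk == ck else ("behind" if ck < pk else "ahead")
    return state


def consumers_to_refresh(provider_csns, fleet):
    """fleet: {consumer name: [contextCSN, ...]}.  Names whose cookie lags the
    provider on any SID."""
    return sorted(name for name, csns in fleet.items()
                  if any(s in ("behind", "missing")
                         for s in consumer_state(provider_csns, csns).values()))


# Constructed values: one provider (SID 0) and three consumers.
PROVIDER = ["20081118101500.000000Z#000000#000#000000"]
FLEET = {
    "slave-wlg": ["20081118101500Z#000000#00#000000"],        # 2.3-style cookie, same CSN
    "slave-akl": ["20081117235959.000000Z#000000#000#000000"],  # behind by one day
    "slave-chc": [],                                            # fresh, no cookie yet
}

if __name__ == "__main__":
    for name, csns in sorted(FLEET.items()):
        print(name, consumer_state(PROVIDER, csns))
    print("will refresh:", consumers_to_refresh(PROVIDER, FLEET))
```

The real values come from `ldapsearch -x -b <suffix> -s base contextCSN` (contextCSN is operational, so it must be requested by name) on the provider and on each consumer, or from the suffix entry in a slapcat dump; comparing them before re-enabling replication on the rebuilt master tells you whether the slaves will see a no-op or a full refresh.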
Hi guys, I need an ACL like this:
access to dn.subtree="ou=Company_People,dc=company,dc=com"
by dn="uid=testadmin,ou=People,dc=company,dc=com" write
by dn="uid=admin,ou=People,dc=company,dc=com" write
by users read
by * none
It works fine for me that uid=testadmin has only rights on two
attributes, cn and member, under "ou=Company_People,dc=company,dc=com". But I
need one more right for uid=testadmin: to create a new cn (group)
under "ou=Company_People,dc=company,dc=com".
When I try to add a new cn under "ou=Company_People,dc=company,dc=com"
using uid=testadmin, it gives me the following error:
ldapadd: Insufficient access (50)
additional info: no write access to paren
Please help me with this.
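The error in the post above comes from the access an add operation needs, as slapd.access(5) describes it: write access to the parent entry's `children` pseudo-attribute, write access to the new entry's `entry` pseudo-attribute, and write access to every attribute in the new entry. slapd uses the first `access to` clause whose target (dn plus attribute) matches and then the first `by` clause whose identity matches; a clause that matches the target but none of whose `by` clauses match denies access. A clause with an `attrs=` list therefore never matches `children` or `entry`, so those checks fall through to a later clause. The model below is an added example (not slapd code, not the poster's configuration) that evaluates these rules for an add: the poster's full slapd.conf is not shown, so the first ACL set is a constructed arrangement that produces exactly "no write access to parent" for uid=testadmin, and the second set is the corresponding fix.

```python
"""Model of slapd ACL evaluation for an add operation.  Added example, not
slapd code.  Access levels, first-match semantics and the three things an
add needs (parent children, new entry's entry, each attribute) follow
slapd.access(5); the ACL sets and entry below are constructed."""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parent_dn(dn):
    return dn.split(",", 1)[1]


class Rule:
    """One `access to` clause.  attrs=None means no attrs= qualifier, which
    covers user attributes and the entry/children pseudo-attributes.
    by: ordered list of (who, level); who is "*", "users" or "dn=<dn>"."""
    def __init__(self, dn, scope, attrs, by):
        self.dn, self.scope, self.attrs, self.by = dn, scope, attrs, by

    def matches(self, target, attr):
        if self.scope == "base":
            dn_ok = target == self.dn
        elif self.scope == "subtree":
            dn_ok = target == self.dn or target.endswith("," + self.dn)
        else:
            raise ValueError("unsupported scope " + self.scope)
        return dn_ok and (self.attrs is None or attr in self.attrs)


def access_level(rules, requester, target, attr):
    """requester: bind DN, or "" for anonymous.  First matching clause wins;
    within it the first matching `by` wins; no matching `by` means none."""
    for rule in rules:
        if rule.matches(target, attr):
            for who, level in rule.by:
                if who == "*" or (who == "users" and requester) or who == "dn=" + requester:
                    return level
            return "none"
    return "none"   # assumption: no clause matched; treated as no access


def check_add(rules, requester, new_dn, attrs):
    """[(target dn, attribute, level granted)] for each access the add needs
    but does not get.  The first item is what slapd's "no write access to
    parent" (children of the parent) or "... to entry" message refers to."""
    needed = [(parent_dn(new_dn), "children"), (new_dn, "entry")]
    needed += [(new_dn, a) for a in attrs]
    failures = []
    for target, attr in needed:
        level = access_level(rules, requester, target, attr)
        if LEVELS.index(level) < LEVELS.index("write"):
            failures.append((target, attr, level))
    return failures


SUBTREE = "ou=Company_People,dc=company,dc=com"
TESTADMIN = "uid=testadmin,ou=People,dc=company,dc=com"
ADMIN = "uid=admin,ou=People,dc=company,dc=com"
NEW_GROUP = "cn=newgroup," + SUBTREE            # constructed entry to add
NEW_ATTRS = ["objectClass", "cn", "member"]

# Assumed arrangement that yields the reported error: testadmin's write is
# limited to cn/member by an attrs= clause, and the catch-all for the
# subtree (the clause quoted in the post, minus testadmin) gives only read.
BEFORE = [
    Rule(SUBTREE, "subtree", {"cn", "member"},
         [("dn=" + TESTADMIN, "write"), ("dn=" + ADMIN, "write"), ("users", "read"), ("*", "none")]),
    Rule(SUBTREE, "subtree", None,
         [("dn=" + ADMIN, "write"), ("users", "read"), ("*", "none")]),
]

# Fix: write on the ou's children, and on entry plus every attribute the
# new group carries, placed ahead of the catch-all.
AFTER = [
    Rule(SUBTREE, "base", {"children"},
         [("dn=" + TESTADMIN, "write"), ("dn=" + ADMIN, "write"), ("users", "read"), ("*", "none")]),
    Rule(SUBTREE, "subtree", {"entry", "objectClass", "cn", "member"},
         [("dn=" + TESTADMIN, "write"), ("dn=" + ADMIN, "write"), ("users", "read"), ("*", "none")]),
    Rule(SUBTREE, "subtree", None,
         [("dn=" + ADMIN, "write"), ("users", "read"), ("*", "none")]),
]

if __name__ == "__main__":
    print("before:", check_add(BEFORE, TESTADMIN, NEW_GROUP, NEW_ATTRS))
    print("after: ", check_add(AFTER, TESTADMIN, NEW_GROUP, NEW_ATTRS))
```

In slapd.conf the first AFTER clause is `access to dn.base="ou=Company_People,dc=company,dc=com" attrs=children by dn="uid=testadmin,ou=People,dc=company,dc=com" write ...`, and the second lists entry alongside the attributes the group needs; note that write on `entry` and on the parent's `children` also allows testadmin to delete entries in that subtree, so if adds alone are intended, OpenLDAP 2.4's granular add/delete privileges should be used to narrow it.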