Is it possible to use syncrepl replication with a non slapd master?
Being more specific, I would like to have a copy of several different
microsoft domains held on a slapd server. I've seen this question posed
in the archives but I haven't been able to find much in the way of an
Assuming that slapd + syncrepl will work with non-slapd masters, is the
next obstacle going to be making a schema that matches the active
directory shema so that replication can actually occur?
Are there any examples that anyone can point me to?
I have a slave running syncrepl (just fine) which is getting hit with
update requests, which are, of course, failing. I'd like to have them
succeed. I could not find anything in the docs that would allow the
slave to issue a referral. That seems to be limited to slurpd, if I
So I tried to implement chained updates. I put the following into my
This does not seem to be sufficient, but I can't figure out from the
slapo manpage what else is required.
I get error 0x35, that the slave refuses to perform the operation. (I
tried whipping and otherwise punishing the slave, but it did not improve
it's attitude. :)
There does not seem to be a good howto for this.
Can somebody send me a pointer or an answer?
West Hollywood, CA
1. RTFM slapo-ppolicy: done, 3 times;
2. check openldap version: 2.4, newly installed on Gentoo Linux;
3. check ppolicy overlay successfully loaded and being used: must be,
because operational attribute like pwdFailureTime was maintained;
4. pwdAttribute setting: correct, value is "userPassword";
5. pwdCheckQuality: correct, value is 2 (server always check password
6. pwdMinLength: correct, value is 6, server do not accept password
short than 6 character;
7. ppolicy_default: correctly set, because change pwdMaxFailure on
default entry does have effect;
8. the entry being operated doesn't have pwdPolicySubentry, so
default should be applied: correct;
9. slapd server was restarted after all above check;
Test result: Still doesn't work:
$ldappasswd -vD uid=admin,st=jiangxi,o=LGOP -x -w secret -s 13456 ou=吉安市,st=jiangxi,o=LGOP
ldap_initialize( <DEFAULT> )
Result: Success (0)
(expected not successful here because new password was too short)
I am stuck here. Do I miss something on my checklist?
I just updated to 2.4.11 and experience a strange bind error. A
strong bind with sasl digest-md5 is successfull but a simple bind
fails with error 49. Actually I found it only out because evolution
was not able to connect to ldap anymore. Following I unvail the real
1. a ldapwhoami,
ldapwhoami -Y digest-md5 -w mailer -U admanager
SASL/DIGEST-MD5 authentication started
SASL username: admanager
SASL SSF: 128
SASL data security layer installed.
2. a ldapsearch with simple bind
ldapsearch -d-1 -x -D "cn=admanager,o=avci,c=de" -w mailer -H
ldap://localhost -b ou=adressbuch,o=avci,c=de
"(&(objectclass=evolutionperson)(sn=*))" mail telephonenumber
ber_dump: buf=0x61c460 ptr=0x61c460 end=0x61c48c len=44
0000: 30 2a 02 01 01 60 25 02 01 03 04 18 63 6e 3d 61 0*...`%.....cn=a
0010: 64 6d 61 6e 61 67 65 72 2c 6f 3d 61 76 63 69 2c dmanager,o=avci,
0020: 63 3d 64 65 80 06 6d 61 69 6c 65 72 c=de..mailer
ldap_bind: Invalid credentials (49)
Any idea what is going on?
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6
Having solved my previous problem (Authenticated users can create new entries but then only creator can modify entry) which resembles setting up a sticky bit on a file system directory, I am facing a new one:
How to limit the number of entries an authenticated user can add to a subtree where he has write access.
Think of it as limiting the number of entries on a user's addressbook to prevent denial of service by a user submitting a huge amount of addressbook entries or bookmark entries for an bookmark manager based on openldap.
Is there a way for openldap to count the number of entries a user has added before deciding whether to grant or deny write access to that user but always allow him to modify/delte existing entries.
When I add a user to one of my test openldap systems (2.4.9), some but
not all, of that user's attributes are propagated.
The big obvious one is userPassword. When I play around with the
settings I have been able to figure out that the only attributes being
migrated are ones which are visible to anon binds. This doesn't make
any sense to me. When I do an ldapsearch as the user I setup for
syncrepl I can see everything in the user's ldif as well as in
The sync user can see the attributes, and I haven't limited what
syncrepl will pull down.... any guesses as to what I have overlooked?
syncprov-checkpoint 100 10
I have a one master and two slaves servers 2.3.27 from RHEL 5.2. Replication
is done by syncrepl. Now I have to use password policy overlay and account
locking after few unsuccessful bind. When the bind is on master
works ok - the lock i replicated to the slaves. But when the user
binds on slave,
the lock is only on the slave and the account on master and second slave
What is the best solution of this problem? I think some kind of multiple-master
replication of pwdAccountLockedTime and pwdFailureTime from slaves?
But multiple-master is since 2.4 version isnt' it?
Many thanks for advice, Netolish
I want to use mirror mode feature in openldap software. But this feature is
only in version 2.4.11 (not stable yet) ... Anybody is using 2.4.11 version
in a producction environment? Any problems?
My purpose is to have 2 nodes (master - master) like a cluster active -
active. If a ldap-master fails I can make all ldap operations in the other
master. This is possible in 2.4.11 mirror mode ... It's possible in 2.3
stable openldap software? how?
Thanx in advance.
I'm bringing up openldap, and I have almost everything working except:
The servers have an existing ldap.conf of:
I'm having trouble figuring out how to create a user that looks like:
I'd prefer not to visit all the servers to change their ldap.conf files,
rather, I'd like to swap out the name service records to point to
openldap. To do this, I need to create the uid=server,cn=config user.
Any suggestions? Do I have to build up a new schema entry?