openldap-software August 2008

openldap-software@openldap.org

70 participants
81 discussions

Syncrepl replication with a non-slapd master?
by Grant Gossett 14 Aug '08

14 Aug '08

Is it possible to use syncrepl replication with a non slapd master? Being more specific, I would like to have a copy of several different microsoft domains held on a slapd server. I've seen this question posed in the archives but I haven't been able to find much in the way of an answer anywhere. Assuming that slapd + syncrepl will work with non-slapd masters, is the next obstacle going to be making a schema that matches the active directory shema so that replication can actually occur? Are there any examples that anyone can point me to? Many thanks Grant

3 2

overlay chain
by Ed Greenberg 14 Aug '08

14 Aug '08

Hi, folks, I have a slave running syncrepl (just fine) which is getting hit with update requests, which are, of course, failing. I'd like to have them succeed. I could not find anything in the docs that would allow the slave to issue a referral. That seems to be limited to slurpd, if I understand correctly. So I tried to implement chained updates. I put the following into my slaves slapd.conf: overlay chain chain-rebind-as-user FALSE chain-uri "ldap://master.mydomain.com" chain-rebind-as-user TRUE chain-idassert-bind bindmethod="simple" binddn="cn=Manager,dc=mydomain,dc=com" credentials="secret" mode="self" This does not seem to be sufficient, but I can't figure out from the slapo manpage what else is required. I get error 0x35, that the slave refuses to perform the operation. (I tried whipping and otherwise punishing the slave, but it did not improve it's attitude. :) There does not seem to be a good howto for this. Can somebody send me a pointer or an answer? Thanks, </edg> Ed Greenberg West Hollywood, CA

3 7

slapd crash with access_log overlay
by Alexander Kriventsov 14 Aug '08

14 Aug '08

Hello. I have crash slapd when I create new node in MirrorMode. After start slapd, it transfer database from master and after transfer all entires it crash by signal 6. In slapd.conf I have # log database database hdb suffix "cn=db-log" rootdn "cn=ldapadm,cn=db-log" rootpw {SSHA}PASS directory /var/db/openldap-data/db-log checkpoint 32 8 # main database database hdb suffix "o=company" rootdn "cn=ldapadm,o=company" rootpw {SSHA}PASS directory /var/db/openldap-data/company checkpoint 32 8 overlay unique unique_uri ldap:///ou=users,o=company?uidNumber?sub overlay smbk5pwd smbk5pwd-enable samba overlay accesslog logdb cn=db-log logops writes logold (objectClass=*) logsuccess false logpurge 182+00:00 1+00:00 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldaps://ldap1 bindmethod=simple binddn="uid=replication,ou=users,o=company" credentials=secret searchbase="o=company" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=002 provider=ldaps://ldap2 bindmethod=simple binddn="uid=replication,ou=users,o=company" credentials=secret searchbase="o=company" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on In logs I didn't find any information of crash. Only in messages ldap2 kernel: pid 5242 (slapd), uid 389: exited on signal 6 I didn't find any use full information in slapd.core #0 0x000000080163bfec in thr_kill () from /lib/libc.so.7 [New Thread 0x802605850 (LWP 100246)] [New Thread 0x8026056e0 (LWP 100244)] [New Thread 0x802605570 (LWP 100233)] [New Thread 0x802605400 (LWP 100225)] [New Thread 0x802605290 (LWP 100216)] [New Thread 0x802605120 (LWP 100096)] [New Thread 0x801901850 (LWP 100081)] [New Thread 0x801901120 (LWP 100240)] System: FreeBSD 7.0-amd64-20080719-RELENG_7_0 Openldap: 2.4.11 In log I have oc_check_allowed type "contextCSN" => entry_encode(0x00000001): hdb_modify: updated id=00000001 dn="o=company" send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=0 matched="" text="" slap_queue_csn: queing 0x8043ed160 20080812170512.000000Z#000000#000#000000 ==> hdb_add: reqStart=20080814112242.000033Z,cn=db-log Assertion failed: (a->a_vals[0].bv_val != NULL), function entry_schema_check, file schema_check.c, line 88. Abort trap: 6 (core dumped) Please advise. -- Best Regards, Alexander Kriventsov .masterhost

1 0

pwdCheckQuality doesn't work
by Zhang Weiwu 14 Aug '08

14 Aug '08

My checklist: 1. RTFM slapo-ppolicy: done, 3 times; 2. check openldap version: 2.4, newly installed on Gentoo Linux; 3. check ppolicy overlay successfully loaded and being used: must be, because operational attribute like pwdFailureTime was maintained; 4. pwdAttribute setting: correct, value is "userPassword"; 5. pwdCheckQuality: correct, value is 2 (server always check password syntax); 6. pwdMinLength: correct, value is 6, server do not accept password short than 6 character; 7. ppolicy_default: correctly set, because change pwdMaxFailure on default entry does have effect; 8. the entry being operated doesn't have pwdPolicySubentry, so default should be applied: correct; 9. slapd server was restarted after all above check; Test result: Still doesn't work: $ldappasswd -vD uid=admin,st=jiangxi,o=LGOP -x -w secret -s 13456 ou=吉安市,st=jiangxi,o=LGOP ldap_initialize( <DEFAULT> ) Result: Success (0) (expected not successful here because new password was too short) I am stuck here. Do I miss something on my checklist?

4 5

strange bind error
by Dieter Kluenter 14 Aug '08

14 Aug '08

Hi, I just updated to 2.4.11 and experience a strange bind error. A strong bind with sasl digest-md5 is successfull but a simple bind fails with error 49. Actually I found it only out because evolution was not able to connect to ldap anymore. Following I unvail the real password: 1. a ldapwhoami, ldapwhoami -Y digest-md5 -w mailer -U admanager SASL/DIGEST-MD5 authentication started SASL username: admanager SASL SSF: 128 SASL data security layer installed. dn:cn=admanager,o=avci,c=de 2. a ldapsearch with simple bind ldapsearch -d-1 -x -D "cn=admanager,o=avci,c=de" -w mailer -H ldap://localhost -b ou=adressbuch,o=avci,c=de "(&(objectclass=evolutionperson)(sn=*))" mail telephonenumber ber_dump: buf=0x61c460 ptr=0x61c460 end=0x61c48c len=44 0000: 30 2a 02 01 01 60 25 02 01 03 04 18 63 6e 3d 61 0*...`%.....cn=a 0010: 64 6d 61 6e 61 67 65 72 2c 6f 3d 61 76 63 69 2c dmanager,o=avci, 0020: 63 3d 64 65 80 06 6d 61 69 6c 65 72 c=de..mailer ldap_msgfree ldap_err2string ldap_bind: Invalid credentials (49) Any idea what is going on? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E

2 2

User quota on openldap
by fathi.engineer＠gnet.tn 13 Aug '08

13 Aug '08

Hi, Having solved my previous problem (Authenticated users can create new entries but then only creator can modify entry) which resembles setting up a sticky bit on a file system directory, I am facing a new one: How to limit the number of entries an authenticated user can add to a subtree where he has write access. Think of it as limiting the number of entries on a user's addressbook to prevent denial of service by a user submitting a huge amount of addressbook entries or bookmark entries for an bookmark manager based on openldap. Is there a way for openldap to count the number of entries a user has added before deciding whether to grant or deny write access to that user but always allow him to modify/delte existing entries.

2 1

delta-syncrepl only replicates some data (attempting N-way master)
by Pat Riehecky 13 Aug '08

13 Aug '08

When I add a user to one of my test openldap systems (2.4.9), some but not all, of that user's attributes are propagated. The big obvious one is userPassword. When I play around with the settings I have been able to figure out that the only attributes being migrated are ones which are visible to anon binds. This doesn't make any sense to me. When I do an ldapsearch as the user I setup for syncrepl I can see everything in the user's ldif as well as in cn=accesslog. The sync user can see the attributes, and I haven't limited what syncrepl will pull down.... any guesses as to what I have overlooked? Pat ----------------------------- syncprov-checkpoint 100 10 syncprov-sessionlog 200 syncprov-nopresent TRUE syncprov-reloadhint TRUE # <snip> serverID 2 syncrepl rid=1 provider=ldaps://testldap1.iwu.edu/ searchbase="dc=testldap,dc=iwu,dc=edu" scope=sub type=refreshAndPersist interval=00:00:00:30 retry="15 +" timeout=1 bindmethod=simple # starttls=critical tls_cert=/etc/ldap/ssl/testldap.iwu.edu.crt tls_key=/etc/ldap/ssl/testldap_privkey.key tls_cacert=/etc/ldap/ssl/IWU.crt tls_reqcert=demand tls_crlcheck=none binddn="cn=syncrepl,dc=testldap,dc=iwu,dc=edu" credentials=please schemachecking=off syncdata=accesslog logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" mirrormode on

3 2

Ppolicy locking and replication
by Jiri Netolicky 13 Aug '08

13 Aug '08

Hi, I have a one master and two slaves servers 2.3.27 from RHEL 5.2. Replication is done by syncrepl. Now I have to use password policy overlay and account locking after few unsuccessful bind. When the bind is on master server, everything works ok - the lock i replicated to the slaves. But when the user binds on slave, the lock is only on the slave and the account on master and second slave is unlocked. What is the best solution of this problem? I think some kind of multiple-master replication of pwdAccountLockedTime and pwdFailureTime from slaves? But multiple-master is since 2.4 version isnt' it? Many thanks for advice, Netolish

2 1

OpenLdap version 2.4.11
by Antonio Coloma Brotons 13 Aug '08

13 Aug '08

Hi All! I want to use mirror mode feature in openldap software. But this feature is only in version 2.4.11 (not stable yet) ... Anybody is using 2.4.11 version in a producction environment? Any problems? My purpose is to have 2 nodes (master - master) like a cluster active - active. If a ldap-master fails I can make all ldap operations in the other master. This is possible in 2.4.11 mirror mode ... It's possible in 2.3 stable openldap software? how? Thanx in advance. -- Antonio Coloma.

3 2

A strange dn
by Ed Greenberg 13 Aug '08

13 Aug '08

I'm bringing up openldap, and I have almost everything working except: The servers have an existing ldap.conf of: uri ldap://ldap001.example.com ldap://ldap002.example.com base dc=example,dc=com binddn uid=server,cn=config bindpw xxxxxx ldap_version 3 ...etc... I'm having trouble figuring out how to create a user that looks like: uid=server,cn=config,dc=example,dc=com I'd prefer not to visit all the servers to change their ldap.conf files, rather, I'd like to swap out the name service records to point to openldap. To do this, I need to create the uid=server,cn=config user. Any suggestions? Do I have to build up a new schema entry? Thanks, </edg> Ed Greenberg

3 2

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software August 2008