Syncrepl replication with a non-slapd master?
by Grant Gossett
Is it possible to use syncrepl replication with a non-slapd master?
Being more specific, I would like to have a copy of several different
microsoft domains held on a slapd server. I've seen this question posed
in the archives but I haven't been able to find much in the way of an
answer anywhere.
Assuming that slapd + syncrepl will work with non-slapd masters, is the
next obstacle going to be making a schema that matches the Active
Directory schema so that replication can actually occur?
Are there any examples that anyone can point me to?
Many thanks
Grant
overlay chain
by Ed Greenberg
Hi, folks,
I have a slave running syncrepl (just fine) which is getting hit with
update requests, which are, of course, failing. I'd like to have them
succeed. I could not find anything in the docs that would allow the
slave to issue a referral. That seems to be limited to slurpd, if I
understand correctly.
So I tried to implement chained updates. I put the following into my
slave's slapd.conf:
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldap://master.mydomain.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
binddn="cn=Manager,dc=mydomain,dc=com"
credentials="secret"
mode="self"
This does not seem to be sufficient, but I can't figure out from the
slapo manpage what else is required.
I get error 0x35, that the slave refuses to perform the operation. (I
tried whipping and otherwise punishing the slave, but it did not improve
its attitude. :)
There does not seem to be a good howto for this.
Can somebody send me a pointer or an answer?
Thanks,
</edg>
Ed Greenberg
West Hollywood, CA
slapd crash with access_log overlay
by Alexander Kriventsov
Hello.
I have a slapd crash when I create a new node in MirrorMode.
After starting slapd, it transfers the database from the master, and after transferring all
entries it crashes with signal 6. In slapd.conf I have
# log database
database hdb
suffix "cn=db-log"
rootdn "cn=ldapadm,cn=db-log"
rootpw {SSHA}PASS
directory /var/db/openldap-data/db-log
checkpoint 32 8
# main database
database hdb
suffix "o=company"
rootdn "cn=ldapadm,o=company"
rootpw {SSHA}PASS
directory /var/db/openldap-data/company
checkpoint 32 8
overlay unique
unique_uri ldap:///ou=users,o=company?uidNumber?sub
overlay smbk5pwd
smbk5pwd-enable samba
overlay accesslog
logdb cn=db-log
logops writes
logold (objectClass=*)
logsuccess false
logpurge 182+00:00 1+00:00
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
provider=ldaps://ldap1
bindmethod=simple
binddn="uid=replication,ou=users,o=company"
credentials=secret
searchbase="o=company"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=002
provider=ldaps://ldap2
bindmethod=simple
binddn="uid=replication,ou=users,o=company"
credentials=secret
searchbase="o=company"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
In the logs I didn't find any information about the crash.
Only in messages:
ldap2 kernel: pid 5242 (slapd), uid 389: exited on signal 6
I didn't find any useful information in slapd.core
#0 0x000000080163bfec in thr_kill () from /lib/libc.so.7
[New Thread 0x802605850 (LWP 100246)]
[New Thread 0x8026056e0 (LWP 100244)]
[New Thread 0x802605570 (LWP 100233)]
[New Thread 0x802605400 (LWP 100225)]
[New Thread 0x802605290 (LWP 100216)]
[New Thread 0x802605120 (LWP 100096)]
[New Thread 0x801901850 (LWP 100081)]
[New Thread 0x801901120 (LWP 100240)]
System: FreeBSD 7.0-amd64-20080719-RELENG_7_0
Openldap: 2.4.11
In the log I have
oc_check_allowed type "contextCSN"
=> entry_encode(0x00000001):
hdb_modify: updated id=00000001 dn="o=company"
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=0 matched="" text=""
slap_queue_csn: queing 0x8043ed160 20080812170512.000000Z#000000#000#000000
==> hdb_add: reqStart=20080814112242.000033Z,cn=db-log
Assertion failed: (a->a_vals[0].bv_val != NULL), function entry_schema_check, file schema_check.c, line 88.
Abort trap: 6 (core dumped)
Please advise.
--
Best Regards,
Alexander Kriventsov
.masterhost
pwdCheckQuality doesn't work
by Zhang Weiwu
My checklist:
1. RTFM slapo-ppolicy: done, 3 times;
2. check openldap version: 2.4, newly installed on Gentoo Linux;
3. check ppolicy overlay successfully loaded and being used: must be,
because operational attribute like pwdFailureTime was maintained;
4. pwdAttribute setting: correct, value is "userPassword";
5. pwdCheckQuality: correct, value is 2 (server always checks password
syntax);
6. pwdMinLength: correct, value is 6, server does not accept passwords
shorter than 6 characters;
7. ppolicy_default: correctly set, because changing pwdMaxFailure on the
default entry does have an effect;
8. the entry being operated on doesn't have pwdPolicySubentry, so the
default should be applied: correct;
9. slapd server was restarted after all above check;
Test result: still doesn't work:
$ldappasswd -vD uid=admin,st=jiangxi,o=LGOP -x -w secret -s 13456 ou=吉安市,st=jiangxi,o=LGOP
ldap_initialize( <DEFAULT> )
Result: Success (0)
(expected not successful here because new password was too short)
I am stuck here. Do I miss something on my checklist?
strange bind error
by Dieter Kluenter
Hi,
I just updated to 2.4.11 and experience a strange bind error. A
strong bind with SASL DIGEST-MD5 is successful but a simple bind
fails with error 49. Actually I only found out because Evolution
was not able to connect to LDAP anymore. Below I unveil the real
password:
1. an ldapwhoami,
ldapwhoami -Y digest-md5 -w mailer -U admanager
SASL/DIGEST-MD5 authentication started
SASL username: admanager
SASL SSF: 128
SASL data security layer installed.
dn:cn=admanager,o=avci,c=de
2. an ldapsearch with simple bind
ldapsearch -d-1 -x -D "cn=admanager,o=avci,c=de" -w mailer -H
ldap://localhost -b ou=adressbuch,o=avci,c=de
"(&(objectclass=evolutionperson)(sn=*))" mail telephonenumber
ber_dump: buf=0x61c460 ptr=0x61c460 end=0x61c48c len=44
0000: 30 2a 02 01 01 60 25 02 01 03 04 18 63 6e 3d 61 0*...`%.....cn=a
0010: 64 6d 61 6e 61 67 65 72 2c 6f 3d 61 76 63 69 2c dmanager,o=avci,
0020: 63 3d 64 65 80 06 6d 61 69 6c 65 72 c=de..mailer
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
Any idea what is going on?
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
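As an added illustration (not part of the original post), the 44 bytes that ldapsearch -d-1 dumped above can be decoded as an LDAP BindRequest: a minimal BER walker shows that a simple bind puts the bind DN and the password in cleartext inside the message, which is exactly why the debug output above reveals it, whereas a SASL bind (handled as well, with a constructed DIGEST-MD5 message) carries only the mechanism name in that field. The decoder and the helper names are assumptions for this example.

```python
# Added example: decode the LDAP BindRequest shown in the ber_dump above.
# Hex columns of the ber_dump output, re-typed (this is the page's own dump).
BIND_REQUEST = bytes.fromhex(
    "302a02010160250201030418636e3d61"
    "646d616e616765722c6f3d617663692c"
    "633d646580066d61696c6572"
)


def read_tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (rare in binds)
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(buf):
    """Parse LDAPMessage { messageID, BindRequest } per RFC 4511 into a dict."""
    tag, msg, _ = read_tlv(buf, 0)
    if tag != 0x30:                        # SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, msgid, pos = read_tlv(msg, 0)     # INTEGER messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(body, 0)    # INTEGER version
    _, name, pos = read_tlv(body, pos)     # LDAPDN
    auth_tag, cred, _ = read_tlv(body, pos)
    result = {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
    }
    if auth_tag == 0x80:                   # [0] simple: password as-is
        result["auth"] = "simple"
        result["password"] = cred.decode("utf-8")
    elif auth_tag == 0xA3:                 # [3] sasl: SEQUENCE { mechanism, ... }
        result["auth"] = "sasl"
        _, mech, _ = read_tlv(cred, 0)
        result["mechanism"] = mech.decode("utf-8")
    else:
        result["auth"] = hex(auth_tag)
    return result


def password_on_wire(buf):
    """True when this bind exposes a non-empty password in the PDU itself."""
    req = decode_bind_request(buf)
    return req["auth"] == "simple" and bool(req.get("password"))
```

Without TLS (the -H ldap://localhost above), that simple-bind PDU is what any observer on the path sees, while the -Y digest-md5 bind never transmits the password.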
User quota on openldap
by fathi.engineer@gnet.tn
Hi,
Having solved my previous problem (Authenticated users can create new entries but then only creator can modify entry) which resembles setting up a sticky bit on a file system directory, I am facing a new one:
How to limit the number of entries an authenticated user can add to a subtree where he has write access.
Think of it as limiting the number of entries on a user's addressbook to prevent denial of service by a user submitting a huge amount of addressbook entries or bookmark entries for an bookmark manager based on openldap.
Is there a way for openldap to count the number of entries a user has added before deciding whether to grant or deny write access to that user, but always allow him to modify/delete existing entries?
delta-syncrepl only replicates some data (attempting N-way master)
by Pat Riehecky
When I add a user to one of my test openldap systems (2.4.9), some but
not all, of that user's attributes are propagated.
The big obvious one is userPassword. When I play around with the
settings I have been able to figure out that the only attributes being
migrated are ones which are visible to anon binds. This doesn't make
any sense to me. When I do an ldapsearch as the user I setup for
syncrepl I can see everything in the user's ldif as well as in
cn=accesslog.
The sync user can see the attributes, and I haven't limited what
syncrepl will pull down.... any guesses as to what I have overlooked?
Pat
-----------------------------
syncprov-checkpoint 100 10
syncprov-sessionlog 200
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# <snip>
serverID 2
syncrepl rid=1
provider=ldaps://testldap1.iwu.edu/
searchbase="dc=testldap,dc=iwu,dc=edu"
scope=sub
type=refreshAndPersist
interval=00:00:00:30
retry="15 +"
timeout=1
bindmethod=simple
# starttls=critical
tls_cert=/etc/ldap/ssl/testldap.iwu.edu.crt
tls_key=/etc/ldap/ssl/testldap_privkey.key
tls_cacert=/etc/ldap/ssl/IWU.crt
tls_reqcert=demand
tls_crlcheck=none
binddn="cn=syncrepl,dc=testldap,dc=iwu,dc=edu"
credentials=please
schemachecking=off
syncdata=accesslog
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
mirrormode on
Ppolicy locking and replication
by Jiri Netolicky
Hi,
I have one master and two slave servers, 2.3.27 from RHEL 5.2. Replication
is done by syncrepl. Now I have to use the password policy overlay and account
locking after a few unsuccessful binds. When the bind is on the master
server, everything works ok - the lock is replicated to the slaves. But when the user
binds on a slave, the lock is only on that slave and the account on the master and the second slave
is unlocked.
What is the best solution to this problem? I think some kind of multiple-master
replication of pwdAccountLockedTime and pwdFailureTime from the slaves?
But multiple-master is only available since version 2.4, isn't it?
Many thanks for advice, Netolish
OpenLdap version 2.4.11
by Antonio Coloma Brotons
Hi All!
I want to use the mirror mode feature in openldap software. But this feature is
only in version 2.4.11 (not stable yet) ... Is anybody using version 2.4.11
in a production environment? Any problems?
My purpose is to have 2 nodes (master - master) like an active - active
cluster. If one ldap-master fails I can do all ldap operations on the other
master. This is possible in 2.4.11 mirror mode ... Is it possible in the 2.3
stable openldap software? How?
Thanx in advance.
--
Antonio Coloma.
A strange dn
by Ed Greenberg
I'm bringing up openldap, and I have almost everything working except:
The servers have an existing ldap.conf of:
uri ldap://ldap001.example.com ldap://ldap002.example.com
base dc=example,dc=com
binddn uid=server,cn=config
bindpw xxxxxx
ldap_version 3
...etc...
I'm having trouble figuring out how to create a user that looks like:
uid=server,cn=config,dc=example,dc=com
I'd prefer not to visit all the servers to change their ldap.conf files,
rather, I'd like to swap out the name service records to point to
openldap. To do this, I need to create the uid=server,cn=config user.
Any suggestions? Do I have to build up a new schema entry?
Thanks,
</edg>
Ed Greenberg