N-Way replication
by Alexander Kriventsov
Hello.
I'm trying to do N-way replication, and I have some strange issue with
replication.
I have two servers ldap1 and ldap2. In ldap1 I did these:
#slapadd -F /usr/local/etc/openldap/slapd.d/ -n 0 <<EOF
dn: cn=config
objectClass: olcGlobal
cn: config

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootPW: SECRET
EOF
#chown -R ldap /usr/local/etc/openldap/slapd.d/*
#/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -u ldap -g ldap -d Sync -h "ldap://"
#ldapadd -D cn=config -H ldap://localhost -w larati5nco6e << EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: {0}back_bdb
olcModuleLoad: {1}back_hdb
EOF
#ldapmodify -D cn=config -H ldap://localhost -w larati5nco6e <<EOF
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1
olcServerID: 2 ldap://ldap2

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap1 binddn="cn=config" bindmethod=simple
  credentials=SECRET searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap2 binddn="cn=config" bindmethod=simple
  credentials=SECRET searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
EOF
#slapcat -n 0 -l cn=config.ldif
And after that I copied cn=config.ldif to ldap2, and did
#slapadd -F /usr/local/etc/openldap/slapd.d/ -n 0 -l cn=config.ldif
#chown -R ldap /usr/local/etc/openldap/slapd.d/*
#/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -u ldap -g ldap -d Sync -h "ldap://"
When I make changes to cn=config on ldap1, replication works fine, but
if I make them on ldap2, replication doesn't work.
On the console where I started slapd I don't see any attempts to
replicate.
Please advise.
--
Best Regards,
Alexander Kriventsov
.masterhost
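As an added example (not code from the post), the script below parses a slapcat'ed cn=config LDIF like the one above and runs the consistency checks a practitioner would want before debugging mirror-mode replication: that every syncrepl provider has an olcServerID, that olcMirrorMode is set, and that one olcServerID URL matches the URL this host actually listens on. It assumes, per the OpenLDAP admin guide, that slapd picks its own server ID by matching an olcServerID URL against its listener URLs (the -h argument); the embedded LDIF is constructed from the post with the credentials replaced by a placeholder.

```python
import re  # standard library only

# Constructed from the cn=config LDIF in the post above; credentials are a placeholder.
CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1 ldap://ldap1
olcServerID: 2 ldap://ldap2

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcSyncRepl: rid=001 provider=ldap://ldap1 binddn="cn=config" bindmethod=simple
  credentials=SECRET searchbase="cn=config" type=refreshAndPersist
olcSyncRepl: rid=002 provider=ldap://ldap2 binddn="cn=config" bindmethod=simple
  credentials=SECRET searchbase="cn=config" type=refreshAndPersist
olcMirrorMode: TRUE
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry, unfolding ' '-prefixed continuation lines."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:          # LDIF folding: drop the marker space, append
            cur[last][-1] += line[1:]
        elif line == "":                           # a blank line ends the current entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            attr, _, value = line.partition(":")
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    return entries

def check_mirror_config(entries, listener_urls):
    """List the inconsistencies found for a host listening on listener_urls (empty = OK)."""
    values = lambda attr: [v for e in entries for v in e.get(attr, [])]  # across all entries
    problems = []
    sid_re = re.compile(r"\d+\s+(\S+)")           # "1 ldap://ldap1" -> URL part
    sid_urls = [m.group(1) for m in map(sid_re.fullmatch, values("olcServerID")) if m]
    if not any(url in listener_urls for url in sid_urls):
        problems.append("no olcServerID URL matches listeners %s" % listener_urls)
    for value in values("olcSyncRepl"):           # key=value pairs, quoted or bare
        params = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', value))
        if params.get("provider") not in sid_urls:
            problems.append("provider %s has no olcServerID" % params.get("provider"))
    if (values("olcMirrorMode") or ["FALSE"])[0].upper() != "TRUE":
        problems.append("olcMirrorMode is not TRUE")
    return problems
```

Run it once per server with that server's real listener URLs; a host started with only -h "ldap://" reports the first problem, because no olcServerID URL can match an unnamed listener.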
Schema repository?
by Jeff Blaine
I spent a good half hour last night massaging RFC3712.txt
into a schema to load into OpenLDAP. The entire time I
thought, "Surely I am missing something in my Google
searches -- others MUST have done this already."
Is there really no LDAP schema repository website? I've
found nothing in the openldap FAQ-o-matic either (which is
largely filled with information from around 2001 it seems).
Any tips would be great! If need be, *I'LL* make a
repository for everyone, but I'm not going to duplicate
effort.
Jeff
ldap backend problem
by Brett @Google
Hello,
I am trying to set up an LDAP backend which is a filtered view of another
larger parent directory, with respect to exposing fewer object classes and
attributes.
The intent is to present a simpler view of the larger directory, and the
config below works, except for when I uncomment the line containing "rwm-map
attribute *", to hide the attributes I do not want visible, but after that
it stops returning any entries at all for any query. So maybe there is some
important openldap attribute I am nuking?
I'd appreciate any opinions / feedback on the config below, and whether people
have used rwm-map successfully?
The docs on the ldap/meta/etc., backends are somewhat sparse to say the
least, but I believe the below should in theory work.
Cheers
Brett
The structure of the parent directory is :
c=AU
  o=My Org 1
    ou=My Unit 1
  o=My Org 2
    ou=My Unit 2
Config is :
database ldap
suffix "c=AU"
uri "ldap://<parent ip>:<parent port>/"
overlay rwm
lastmod off
# attribute maps (ok except for final "rwm-map attribute *" map)
rwm-map attribute cn *
rwm-map attribute sn *
rwm-map attribute mail *
rwm-map attribute c *
rwm-map attribute o *
rwm-map attribute ou *
# does not like this, it stops any entries being returned
#rwm-map attribute *
# objectclass maps (ok)
rwm-map objectclass top *
rwm-map objectclass country *
rwm-map objectclass organization *
rwm-map objectclass organizationalRole *
rwm-map objectclass organizationalPerson *
rwm-map objectclass organizationalUnit *
rwm-map objectclass *
Re: Authenticated users can create new entries but then only creator can modify entry
by Pierangelo Masarati
----- "fathi engineer" <fathi.engineer(a)gnet.tn> wrote:
> Hi,
>
> In the process of setting up an openldap server as a pgp key server,
> I want to grant access to every authenticated user to create a new
> entry in a subtree of the basedn and everybody to read entries in
> that subtree but only creator to be able to modify his entries.
>
> I tried with the following (unsuccessfully):
>
> access to dn.children="ou=PGP Keys,o=SNCFT,c=TN"
> by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$"
> selfwrite
> by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write
> by * read
>
> and also
> by dnattr=owner selfwrite
> by users write
> by * read
>
> but none worked.
>
> I am running openldap-2.3.27-8.el5_2.4
Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification. And "owner" is a specific attribute of some objectClasses; unless you're creating those objects with the correct "owner" value, the creator will not be able to write them. You should use
by dnattr=creatorsName write
The "self" is not needed; it refers to a user writing to a target corresponding to its own name, or to an attribute whose value consists of its own name.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
Building with MSYS/MinGW
by Pierangelo Masarati
I'm building OpenLDAP with MSYS/MinGW. Tests fail because apparently slapd is unable to handle full path files. For example, "directory /home/masarati/ldap-devel/tests/testrun/db.1.a" does not work, but if I rename it to "directory ./testrun/db.1.a" it works fine. I don't have version info handy right now, I just wanted a quick feedback: is this a known issue, or did I forget anything while installing MSYS/MinGW, or am I missing something trivial? I can look at this later, if any additional info is needed.
p.
Re: Authenticated users can create new entries but then only creator can modify entry
by fathi.engineer@gnet.tn
Hi,
Thinking of my subtree as a file system directory, I understood what you meant by your answer and this the solution to my problem:
access to dn="ou=PGP Keys,o=SNCFT,c=TN"
by users write
by * read
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN"
by dnattr=creatorsName write
by * read
Now, an authenticated user can create a new entry but can't overwrite someone else's entry.
Thank you.
Fathi B.N.
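As an added example (a model written for this page, not slapd's own evaluator), the script below walks through the final two-rule ACL from this thread and Pierangelo's point about it: any authenticated user may add under the parent, but only the entry's creatorsName may later modify it. It assumes first-matching-clause semantics, that "users" means an authenticated bind and "*" anyone, that dnattr=creatorsName matches when the requester DN equals the entry's creatorsName, and that an add needs write on the parent entry while a modify needs write on the target; the user DNs and key entry are constructed.

```python
# Simplified model of slapd ACL evaluation for the thread's final config (assumptions:
# first matching "by" clause wins; "users" = authenticated, "*" = anyone; add needs
# write on the parent entry, modify needs write on the target). DNs are constructed.
LEVEL = {"none": 0, "read": 1, "write": 2}
PARENT = "ou=PGP Keys,o=SNCFT,c=TN"
ACL = [  # (target style, target DN, ordered "by" clauses)
    ("dn", PARENT, [("users", "write"), ("*", "read")]),
    ("dn.children", PARENT, [("dnattr=creatorsName", "write"), ("*", "read")]),
]

def target_matches(style, target, dn):
    return dn == target if style == "dn" else (dn != target and dn.endswith("," + target))

def granted(acl, requester, entry):
    """Access level requester (DN string, '' for anonymous) gets on entry (dict with 'dn')."""
    for style, target, clauses in acl:
        if not target_matches(style, target, entry["dn"]):
            continue
        for who, level in clauses:
            if who == "*" or (who == "users" and requester):
                return level
            if who.startswith("dnattr=") and requester and entry.get(who[7:]) == requester:
                return level
        return "none"          # target matched but no clause applied: implicit deny
    return "none"              # no rule covers this target at all

def allowed(acl, requester, entry, needed):
    return LEVEL[granted(acl, requester, entry)] >= LEVEL[needed]

def can_add(acl, requester, new_dn):
    parent = new_dn.split(",", 1)[1]               # add is checked against the parent
    return allowed(acl, requester, {"dn": parent}, "write")

def simulate():
    """Replay the scenario from the thread and return each outcome by name."""
    alice = "uid=alice,ou=Users,o=SNCFT,c=TN"
    bob = "uid=bob,ou=Users,o=SNCFT,c=TN"
    key_dn = "pgpCertID=0123ABCD,ou=PGP Keys,o=SNCFT,c=TN"
    key = {"dn": key_dn, "creatorsName": alice}   # slapd records the creator on add
    return {
        "anonymous_add": can_add(ACL, "", key_dn),
        "alice_add": can_add(ACL, alice, key_dn),
        "alice_modify": allowed(ACL, alice, key, "write"),
        "bob_modify": allowed(ACL, bob, key, "write"),
        "anonymous_read": allowed(ACL, "", key, "read"),
    }
```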
Re[2]: N-Way replication
by Alexander Kriventsov
You wrote on 6 August 2008 at 3:29:41:
> --On Tuesday, August 05, 2008 6:29 PM +0400 Alexander Kriventsov
> <akriventsov(a)masterhost.ru> wrote:
>>
>> Hello.
>> I'm trying to do N-way replication, and I have some strange issue with
>> replication.
>> I have two servers ldap1 and ldap2. In ldap1 I did these:
> OpenLDAP release?
OpenLDAP 2.4.11 - FreeBSD 7.0 - amd64
> --Quanah
> --
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
--
Best Regards,
Alexander Kriventsov
.masterhost
attrs.regex?
by Pat Riehecky
In the interest of simplifying my life I was going to convert one of my
crazy ACLs to a regex (and a rather trivial one at that), but I am
finding a bit of an issue... seems I have misread the doc and am not
sure where...
I was aiming for something along the lines of: anything that has an
attribute name of IWU with something else attached afterward would be
captured (in practice my perl says I want /^IWU.*/ but for now the
simple and later the hard as first character on the line matching can be
added later once syntax errors go away)
Thus I wrote:
access to dn.sub="dc=testldap,dc=iwu,dc=edu" attrs.regex="IWU.*"
by self read
by * none
However, I get a happy syntax error on this line. That is fair as on a
closer reading of the syntax I have come to the conclusion that
attrs.regex is nonsense and that the regex entry near the attrs list
relates to values.
Am I right? Is there no way to do attrs regex matching?
OpenLDAP 2.4.11
Pat
Authenticated users can create new entries but then only creator can modify entry
by fathi.engineer@gnet.tn
Hi,
In the process of setting up an openldap server as a pgp key server, I want to grant access to every authenticated user to create a new entry in a subtree of the basedn and everybody to read entries in that subtree but only creator to be able to modify his entries.
I tried with the following (unsuccessfully):
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN"
by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$" selfwrite
by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write
by * read
and also
by dnattr=owner selfwrite
by users write
by * read
but none worked.
I am running openldap-2.3.27-8.el5_2.4
TIA
Fathi B.N.
Re: slapd does not start, where do I find the error?
by Buchan Milne
On Monday 04 August 2008 22:08:16 Brad Knowles wrote:
> Buchan Milne wrote:
> > See the repo file for some information on how to install:
> > http://staff.telkomsa.net/packages/OpenLDAP.repo
>
> Out of curiosity, how do you configure this repo to be used? I tried
> putting it into /etc/sysconfig/rhn/sources on a RHEL4 box, and it doesn't
> seem to work as either a yum-style or apt-style repo, so up2date ends up
> barfing on it.
RHEL4 is quite depressing, we use smart on our RHEL4 boxes (so that we have a
feature that was available on Mandrake 7.0, in 2000, being able to install
packages on the installation media after installation), but the repo file is
actually for yum.
Unfortunately, up2date on RHEL4 doesn't understand the new RPM meta-data repo
as used by yum/smart etc., only the old legacy yum 1.x format.
Let me see if I can run yum-arch on the repo ...
> Is there additional documentation somewhere that I've missed?