About the compatible version of openldap software for RHEL3
by sangeetha.ganesan@wipro.com
Hi All,
We are planning to implement OpenLDAP on one of the RHEL 3
servers.
Could you please suggest any version which works fine with RHEL 3?
If there is no strict rule that only a particular version of openldap has
to be installed on RHEL3 or RHEL 4, please let me know if anyone has an
idea on implementing a new openldap server in an existing environment of
servers of all flavours.
waiting for your inputs!!
thanks!!
regards,
sangeetha.
slapd shuts itself down.
by Curt Blank
OpenLDAP 2.2.28
Found this:
Sep 10 10:25:34 ldap03 slapd[2498]: conn=10878784 fd=57 ACCEPT from IP=nn.nn.nn.nn:63038 (IP=0.0.0.0:389)
Sep 10 10:25:34 ldap03 slapd[2498]: connection_init(57, IP=nn.nn.nn.nn:63042): set nonblocking failed
Sep 10 10:25:34 ldap03 slapd[2498]: conn=10878788 fd=57 ACCEPT from IP=nn.nn.nn.nn:63042 (IP=0.0.0.0:389)
Sep 10 10:25:34 ldap03 slapd[2498]: slapd shutdown: waiting for 1 threads to terminate
Sep 10 10:26:08 ldap03 slapd[2498]: slapd stopped.
Is it shutting itself down because of the "set nonblocking failed"?
Anything I can do about that to stop it?
--
Curt Blank
Systems Administrator
Technical Services Specialist
University Information Technology Services
University of Wisconsin-Milwaukee
e-mail: curt(a)uwm.edu
phone : (414) 229-3814
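To check whether the "set nonblocking failed" message is really what precedes each shutdown, it helps to parse more than one day of syslog rather than eyeballing five lines. The following is an added example (not from the post or from OpenLDAP): a small parser for the slapd syslog format shown above that classifies each line, records connection_init failures per slapd pid, notes whether a shutdown was logged after one, and lists descriptors that were ACCEPTed again after a failed init on the same fd (the pattern visible in the quoted lines). The sample log is constructed in that format with the addresses anonymised as in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the syslog format quoted in the post (addresses anonymised as nn.nn.nn.nn, as there).
SAMPLE_LOG = """\
Sep 10 10:25:34 ldap03 slapd[2498]: conn=10878784 fd=57 ACCEPT from IP=nn.nn.nn.nn:63038 (IP=0.0.0.0:389)
Sep 10 10:25:34 ldap03 slapd[2498]: connection_init(57, IP=nn.nn.nn.nn:63042): set nonblocking failed
Sep 10 10:25:34 ldap03 slapd[2498]: conn=10878788 fd=57 ACCEPT from IP=nn.nn.nn.nn:63042 (IP=0.0.0.0:389)
Sep 10 10:25:34 ldap03 slapd[2498]: slapd shutdown: waiting for 1 threads to terminate
Sep 10 10:26:08 ldap03 slapd[2498]: slapd stopped.
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^conn=(?P<conn>\d+) fd=(?P<fd>\d+) ACCEPT from IP=(?P<peer>\S+)")
INIT_FAIL_RE = re.compile(r"^connection_init\((?P<fd>\d+), IP=(?P<peer>[^)]+)\): (?P<reason>.+)$")


@dataclass
class Event:
    ts: str
    pid: int
    kind: str                  # accept | init_failed | shutdown | stopped | other
    fd: Optional[int] = None
    peer: Optional[str] = None
    detail: str = ""


def parse_slapd_log(text: str) -> List[Event]:
    """Classify every slapd syslog line; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.group("ts"), int(m.group("pid")), m.group("msg")
        a = ACCEPT_RE.match(msg)
        f = INIT_FAIL_RE.match(msg)
        if a:
            events.append(Event(ts, pid, "accept", int(a.group("fd")), a.group("peer"), a.group("conn")))
        elif f:
            events.append(Event(ts, pid, "init_failed", int(f.group("fd")), f.group("peer"), f.group("reason")))
        elif msg.startswith("slapd shutdown:"):
            events.append(Event(ts, pid, "shutdown", detail=msg))
        elif msg.startswith("slapd stopped"):
            events.append(Event(ts, pid, "stopped", detail=msg))
        else:
            events.append(Event(ts, pid, "other", detail=msg))
    return events


def correlate(events: List[Event]) -> dict:
    """Per slapd pid: the connection_init failures seen, whether a shutdown was logged after one, and when it stopped."""
    report = {}
    for e in events:
        r = report.setdefault(e.pid, {"init_failures": [], "shutdown_after_failure": False, "stopped_at": None})
        if e.kind == "init_failed":
            r["init_failures"].append((e.ts, e.fd, e.peer, e.detail))
        elif e.kind == "shutdown" and r["init_failures"]:
            r["shutdown_after_failure"] = True
        elif e.kind == "stopped":
            r["stopped_at"] = e.ts
    return report


def fds_reused_after_failure(events: List[Event]) -> List[int]:
    """Descriptors ACCEPTed again after a failed connection_init on the same fd (fd 57 in the post)."""
    failed, reused = set(), []
    for e in events:
        if e.kind == "init_failed":
            failed.add(e.fd)
        elif e.kind == "accept" and e.fd in failed:
            reused.append(e.fd)
            failed.discard(e.fd)
    return reused


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for pid, r in correlate(parse_slapd_log(text)).items():
        print(pid, len(r["init_failures"]), "init failure(s); shutdown after failure:",
              r["shutdown_after_failure"], "; stopped at", r["stopped_at"])
```

Run it over the full syslog history (`python slapd_log.py /var/log/messages`): if every shutdown entry for a pid is preceded by an init failure and none occurs without one, the correlation the question asks about is at least consistent with the logs; if shutdowns also occur without the message, look elsewhere.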
Two samba related openldap overlays
by Joel Reed
Two openldap overlays that may be of interest to others.
In the first, I've hacked up Howard Chu's smbk5pwd openldap overlay to
include the automatic addition of sambaNTPassword, sambaLMPassword, and
sambaPwdLastSet attributes to any sambaSamAccount entries that are being
ADDED to the directory.
WARNING: This overlay is ONLY useful with cleartext passwords.
In the second, I've modified my automatic uidNumber generator overlay to
also add sambaSIDs to sambaSamAccount entries that are being added to
the directory. The algorithm used to generate the SID is the same as
employed by smbldap-tools (2*uidNumber+1000). Currently, the samba
domain SID is hardcoded to "S-1-0-0-". If you want to use this overlay,
change this variable accordingly or teach the overlay how to read it from
config.
jr
Syncrepl issues in multi-versions environment
by Thibault Le Meur
Hi openldap Gurus,
I'm sorry for the long post, but I try to give as many details as possible.
We are having serious issues with syncrepl replication and our 3
openldap servers. These issues first occurred when one of the servers
was upgraded to openldap 2.4.11 while the two others were (and still
are) openldap-servers-2.3.39 and openldap-servers-2.3.30.
My main goal in writing this email is to make sure our 3-servers
architecture is supported and to check if my setup is correct.
Just to let you know, the issues we've found so far include:
* having the openldap 2.3.x servers unable to restart (with a crash
report) [seems to be due to several contextCSN on the openldap2.4 server
database]
* sometimes the subtree obtained from the openldap2.4 by syncrepl
processes in openldap2.3 servers disappears (by reading the log, with
loglevel 16384, it seems that the NON PRESENT phase of the LdapSync
protocol decides that entries are no longer in the openldap2.4 provider
[though they are still present]).
Since I have a doubt about our replication structure which uses syncrepl
and subordinate databases, I wonder if it is really supported by these
versions of openldap.
I would really appreciate if someone could have a look at this and say
if the following scenario is supported:
------------------------
All servers have the following DIT:
dc=mycompany,dc=com
|
|-dc=A,dc=mycompany,dc=com
|
|-dc=B,dc=mycompany,dc=com
|
|-dc=C,dc=mycompany,dc=com
Each server replicates 2 subtrees from {dc=A, dc=B, dc=C} and is the
provider for the remaining one.
Server A has the following setup:
=================================
* a section used to glue the subordinate "dc=B,dc=mycompany,dc=com"
subtree, with content replicated from the ldap.B.supelec.fr
* section used to glue the subordinate "dc=C,dc=mycompany,dc=com"
subtree, with content replicated from the ldap.C.supelec.fr
* section having the root suffix "dc=mycompany,dc=com" and managing its
own subtree dc=A,dc=mycompany,dc=com
The configuration file looks like:
* First section is used to get data from the B server, and set it in the
dc=B,dc=mycompany,dc=com glued subtree (using subordinate keyword)
database bdb
suffix "dc=B,dc=mycompany,dc=com"
rootdn "cn=mgr,dc=mycompany,dc=com"
subordinate
directory /openldap/openldap-data-B
syncrepl rid=125
    provider=ldaps://ldap.B.supelec.fr
    type=refreshOnly
    interval=00:00:03:00
    retry="60 10 300 +"
    searchbase="dc=B,dc=mycompany,dc=com"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=mycompany,dc=com"
    credentials="password"
* Second section is used to get data from the C server, and set it in
the dc=C,dc=mycompany,dc=com glued subtree (using subordinate keyword)
database bdb
suffix "dc=C,dc=mycompany,dc=com"
rootdn "cn=mgr,dc=mycompany,dc=com"
subordinate
directory /openldap/openldap-data-C
syncrepl rid=120
    provider=ldaps://ldap.C.supelec.fr
    type=refreshOnly
    interval=00:00:03:00
    retry="60 10 300 +"
    searchbase="dc=C,dc=mycompany,dc=com"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=mycompany,dc=com"
    credentials="password"
* Third section is used to define data from the A server; it has a root
suffix of "dc=mycompany,dc=com" and owns its own subtree
dc=A,dc=mycompany,dc=com
database bdb
suffix "dc=mycompany,dc=com"
rootdn "cn=mgr,dc=mycompany,dc=com"
rootpw THEPASS
directory /openldap/openldap-data-A
overlay syncprov
syncprov-checkpoint 100 10
Server B has the symmetric setup:
=================================
* section used to glue the subordinate "dc=C,dc=mycompany,dc=com"
subtree, with content replicated from the ldap.C.supelec.fr
* section used to glue the subordinate "dc=A,dc=mycompany,dc=com"
subtree, with content replicated from the ldap.A.supelec.fr
* section having the root suffix "dc=mycompany,dc=com" and managing its
own subtree dc=B,dc=mycompany,dc=com
Server C has the symmetric setup:
=================================
* section used to glue the subordinate "dc=B,dc=mycompany,dc=com"
subtree, with content replicated from the ldap.B.supelec.fr
* section used to glue the subordinate "dc=A,dc=mycompany,dc=com"
subtree, with content replicated from the ldap.A.supelec.fr
* section having the root suffix "dc=mycompany,dc=com" and managing its
own subtree dc=C,dc=mycompany,dc=com
------------------------
Do you think this structure is supported by these versions of openldap?
Though not explicitly described in the "Upgrading from 2.3.x" section
of the Administrator guide, I've read in the slapd.conf manpage
(openldap2.4) that the "serverID" new parameter is required when using
"separate masters contributing to a glued set of databases." which, I
think, is a correct description of our structure. Thus I added a
"serverID 20" parameter to the openldap2.4 server's configuration.
Am I right in using serverID for our setup?
Adding this parameter had a side effect though: we end up having two
contextCSN cookies on the openldap2.4 database suffix entry. We managed
to get rid of these by:
* extracting the database content with "slapcat -g",
* deleting contextCSN and entryCSN lines from the file,
* then purging the bdb files and importing with 'slapadd -g -l'.
Do you think this is a correct procedure to restart our openldap2.4
server from scratch?
I thank you in advance for any information and advice you could give me
in order to get back to a working configuration.
Regards,
Thibault
SASL/GSSAPI authentication error
by Frederick Kramer
Hello,
I have authentication problems while accessing the LDAP database. Each
attempt to view or modify the DB leads to this error:
[root@mysystem]~> ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
On the other hand users can log on, change their passwords and so on - all
that's working fine.
I found some similar problems on the web but no answer to those helped me to
solve this. I suppose it's not a big thing and apologize for my limited
understanding of ldap and authentication procedures.
Thanks for any help
Best regards
Fred
synchronization problems
by Grzegorz Marszałek
Hello!
I'm using slapd 2.4.9 on ubuntu. I've got one master, and many read-only
slaves. Last week I saw something very strange - I was "playing" with
acls, and there was a small window of time when one slave couldn't see
all the entries it should on master. The problem is that after fixing
this problem in the acls the slave hasn't synchronized properly (I could
do ldapsearch at master from the slave's shell and get all entries, but
the local replica didn't have this data). Restarting slapd didn't help.
I had to stop slapd, delete everything but DB_CONFIG in /var/lib/ldap
and start it again.
So my question is: what could create such a problem? And, more
important: how can I monitor slapd slaves for such problems? Is there
any ready solution for this (nagios plugins, or maybe just some script)?
Cheers
---
Grzegorz Marszałek
graf0(a)post.pl
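One ready-made way to monitor consumers for exactly this situation is to compare the provider's contextCSN with each replica's and alarm on the lag. The script below is an added example, not from the post and not an official OpenLDAP or Nagios plugin: it parses `contextCSN` from `ldapsearch -LLL` output in both the 2.3 format (`...Z#000000#00#000000`) and the 2.4 format with microseconds, matches the values by server id (so it also works when a multi-master provider carries several contextCSN values), and returns a Nagios-style exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) with the worst lag in seconds. The sample outputs and the `dc=example,dc=com` suffix are constructed; the thresholds are assumptions to tune to your interval.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample output, as `ldapsearch -LLL -s base -b <suffix> contextCSN` would print it.
MASTER_SAMPLE = """\
dn: dc=example,dc=com
contextCSN: 20080915071900.123456Z#000000#000#000000
"""
REPLICA_SAMPLE = """\
dn: dc=example,dc=com
contextCSN: 20080915070900.000000Z#000000#000#000000
"""

# 2.3 form: 20080915071900Z#000000#00#000000; 2.4 form adds .ffffff and a 3-digit server id.
CSN_RE = re.compile(
    r"^(?P<ts>\d{14})(?:\.(?P<frac>\d{6}))?Z#(?P<count>[0-9a-fA-F]{6})#(?P<sid>[0-9a-fA-F]{2,3})#(?P<mod>[0-9a-fA-F]{6})$"
)


def parse_csn(value):
    """Split a CSN into a comparable (timestamp, change count, server id, modification number) tuple."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError("not a CSN: %r" % value)
    ts = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=int(m.group("frac") or 0))
    return (ts, int(m.group("count"), 16), int(m.group("sid"), 16), int(m.group("mod"), 16))


def context_csns(ldif_text):
    """Return {server id: parsed CSN} for every contextCSN in an LDIF result; folded lines are joined first."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    result = {}
    for line in logical:
        if line.lower().startswith("contextcsn:"):
            csn = parse_csn(line.split(":", 1)[1])
            result[csn[2]] = csn
    return result


def check_replica(master_ldif, replica_ldif, warn_seconds=300, crit_seconds=900):
    """Nagios-style verdict: (exit code, worst lag in seconds, messages)."""
    master, replica = context_csns(master_ldif), context_csns(replica_ldif)
    if not master:
        return 3, 0.0, ["master returned no contextCSN (wrong base DN, ACL, or syncprov not loaded?)"]
    code, worst_lag, messages = 0, 0.0, []
    for sid, mcsn in sorted(master.items()):
        rcsn = replica.get(sid)
        if rcsn is None:
            code = 2
            messages.append("sid %03x: replica has no contextCSN at all" % sid)
            continue
        if rcsn >= mcsn:
            messages.append("sid %03x: in sync" % sid)
            continue
        lag = (mcsn[0] - rcsn[0]).total_seconds()
        worst_lag = max(worst_lag, lag)
        code = max(code, 2 if lag >= crit_seconds else 1 if lag >= warn_seconds else 0)
        messages.append("sid %03x: replica is %.1fs behind" % (sid, lag))
    return code, worst_lag, messages


def fetch_context_csn(uri, base):
    """Query a live server (anonymous simple bind; your ACLs must allow reading contextCSN)."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", uri, "-s", "base", "-b", base, "contextCSN"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # usage: check_syncrepl.py ldap://master ldap://replica dc=example,dc=com
    if len(sys.argv) == 4:
        code, lag, msgs = check_replica(fetch_context_csn(sys.argv[1], sys.argv[3]),
                                        fetch_context_csn(sys.argv[2], sys.argv[3]))
    else:
        code, lag, msgs = check_replica(MASTER_SAMPLE, REPLICA_SAMPLE)
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][code], "-", "; ".join(msgs))
    sys.exit(code)
```

A consumer whose database was wiped, as in the post, shows up as CRITICAL (no contextCSN at all) rather than as a growing lag, which is the case a plain "is slapd running" check misses; a consumer that is alive but stuck shows a lag that only grows between runs.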
RE: ACL resolving
by JUNG, Christian
Hi Quanah,
thanks for your help. You're right; it works as expected.
I don't know what I've done exactly; maybe I had a typo in the DN of the uniqueMember...
Bye
Chris
> -----Original Message-----
> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
> Sent: Monday, September 15, 2008 7:19 AM
> To: JUNG, Christian; OpenLDAP Software Mailinglist (E-Mail)
> Subject: Re: ACL resolving
>
>
> --On Wednesday, September 10, 2008 4:26 PM +0200 "JUNG, Christian"
> <christian.jung(a)saarstahl.com> wrote:
>
> > Hi,
> >
> > does slapd resolve the ACLs only at start time?
> >
> > I have following ACL defined:
>
> Using groups in acls has always worked for me, without having the results
> cached. Have you run slapd with acl tracing to see what it reports?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
ACL resolving
by JUNG, Christian
Hi,
does slapd resolve the ACLs only at start time?
I have following ACL defined:
access to *
    by group/groupOfUniqueNames/uniqueMember="cn=admins,dc=example,dc=com" write
    by * read
which should allow only members of the group cn=admins write access to the whole directory. Others may only read.
The group looks like this:
dn: cn=admins,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
description: LDAP administrators
uniqueMember: cn=manager,dc=example,dc=com
uniqueMember: uid=chris,ou=user,dc=example,dc=com
If I add a member to the group, it seems that I have to restart slapd to allow the new member write access to the directory. Is this correct or am I missing something?
Bye
Chris
--
phone: +49 6898/10-4987
web : www.saarstahl.de
mail : Hofstattstraße 106a
D 66333 Voelklingen
Got Search entry without sync control
by Scott Briggs
Hi, I'm trying to figure out a problem I'm having with an ldap server
that stopped replicating with log entries like:
do_syncrep2: rid=002 got search entry without Sync State control
do_syncrepl: rid=001 retrying
So can anyone tell me what "got search entry without sync state
control" means? I could only find 1 other reference to someone who
had this error but nothing was mentioned about what this means. I'm
running openldap ver. 2.4.9 in a multimaster setup (2 servers) on
Ubuntu hardy. Thanks.
Scott
Resetting entryCSN and timestamps
by Mathieu MILLET
Hi everyone,
I would like to know if it is possible to make changes to the entryCSN
and/or timestamps? I know they are operational attributes and I can't
modify them through LDAP.
One useful interest I see in this is if I want to restore the content of a
directory and consider this content as authoritative in a multi-master
replication environment.
For now, my main concerns are headaches with playing OpenLDAP replication
between virtual machines (and the "special" time management). And I would
like to reset some of the CSN/timestamps.
I have for example a lot of messages: dn_callback : new entry is older
than ours cn=schema,cn=config
Does anybody have any idea how to do that?
I'm running OpenLDAP 2.4.11 from sources.
Thank you in advance for any answer,
Sincerely yours, Mathieu MILLET.
--
Mathieu MILLET
mailto:ldap@htam.net
----
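Both this question and Thibault's "Syncrepl issues in multi-versions environment" post above come down to the same offline step: dump the database with slapcat, remove the operational attributes you want slapd to regenerate, and reload with slapadd. The script below is an added example (not from either post and not part of OpenLDAP) of that filtering step done correctly on LDIF rather than with a line-oriented grep: it unfolds continuation lines first (so a value wrapped onto a second line is not mistaken for a new attribute), drops attributes by name regardless of case or `;binary`-style options, and leaves `dn:` lines, comments and record separators intact. By default it strips `contextCSN` and `entryCSN`, the two attributes Thibault deleted; the attribute list is a parameter, so `createTimestamp`/`modifyTimestamp` can be added for the timestamp case asked about here. The sample LDIF is constructed. What slapadd does with entries lacking these attributes is documented in its man page; this example only covers the edit in between.

```python
import sys

DEFAULT_STRIP = ("contextCSN", "entryCSN")

# Constructed slapcat-style dump (not taken from either post); note the folded description value.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example
entryUUID: 00000000-0000-0000-0000-000000000000
entryCSN: 20080915070000.000000Z#000000#000#000000
contextCSN: 20080915071900.123456Z#000000#000#000000
contextCSN: 20080915071850.000000Z#000000#014#000000
createTimestamp: 20080915070000Z
modifyTimestamp: 20080915071900Z

dn: uid=chris,ou=user,dc=example,dc=com
objectClass: inetOrgPerson
uid: chris
cn: Chris
sn: Jung
description: a folded value that continues
  on the next line
entryCSN: 20080915071900.123456Z#000000#000#000000
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_name(line):
    """'entryCSN;binary: x' -> 'entrycsn'; '' for blank, comment and dn lines, which are never stripped."""
    if not line or line.startswith("#") or line.lower().startswith("dn:"):
        return ""
    return line.split(":", 1)[0].split(";", 1)[0].strip().lower()


def strip_attributes(ldif_text, attrs=DEFAULT_STRIP):
    """Return the LDIF with every occurrence of the named attributes removed from every record."""
    gone = {a.lower() for a in attrs}
    kept = [ln for ln in unfold(ldif_text) if attribute_name(ln) not in gone]
    return "\n".join(kept) + "\n"


def count_attribute(ldif_text, attr):
    """How many times an attribute occurs (used to verify the result before reloading)."""
    return sum(1 for ln in unfold(ldif_text) if attribute_name(ln) == attr.lower())


if __name__ == "__main__":
    # usage (after slapcat -g -l dump.ldif, with slapd stopped):
    #   python strip_csn.py dump.ldif > clean.ldif   # then slapadd -g -l clean.ldif
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(strip_attributes(src))
```

Output lines are not re-folded at 76 columns; slapadd accepts long lines, and leaving them unfolded keeps the script's own parsing trivially reversible. Keep `entryUUID` in the dump: it is what syncrepl uses to identify entries across servers, and regenerating it is not part of either poster's procedure.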