Syncrepl fails with LDAP_RES_INTERMEDIATE - SYNC_ID_SET
by Serge Dubrouski
Hello -
I've had provider-consumer configuration working all right for about a
month. Today I had to upgrade OS (RedHat 5) and restart services.
After that one of my consumers failed with the following errors:
Jan 24 19:32:54 rome slapd[2236]: do_syncrep2: rid=012 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 24 19:33:05 rome last message repeated 11 times
And then started to delete records:
Jan 24 19:33:40 rome slapd[2236]: syncrepl_entry: rid=012 be_modify (0)
Jan 24 19:33:40 rome slapd[2236]: do_syncrep2: rid=012 LDAP_RES_SEARCH_RESULT
Jan 24 19:33:40 rome slapd[2236]: do_syncrep2: cookie=rid=012,csn=20090125022613.018210Z#000000#000#000000
Jan 24 19:33:40 rome slapd[2236]: nonpresent_callback: rid=012 nonpresent UUID e7d215a2-3cc4-102d-8ea2-9f51782b1a5b, dn c=GB
Jan 24 19:33:40 rome slapd[2236]: nonpresent_callback: rid=012 nonpresent UUID e7f0d37a-3cc4-102d-8ea3-9f51782b1a5b, dn o=....
Jan 24 19:33:40 rome slapd[2236]: nonpresent_callback: rid=012 nonpresent UUID e7f61ed4-3cc4-102d-8ea4-9f51782b1a5b, dn .....
To fix the problem I had to copy database from the provider to
consumer and then restart that consumer.
So what does that error mean and how to avoid it in the future?
OpenLDAP 2.4.13
DB 4.6-21
Thanks.
--
Serge Dubrouski.
14 years
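A log check for the failure pattern in the post above, added here as an example and not part of the original message: it counts SYNC_ID_SET messages and nonpresent_callback entries per rid in consumer syslog output and flags a rid whose refresh marked more entries as nonpresent than a threshold. The function names, the threshold and the crediting of "last message repeated" lines to the preceding SYNC_ID_SET line are assumptions; the sample is the post's log with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample: the consumer log lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
Jan 24 19:32:54 rome slapd[2236]: do_syncrep2: rid=012 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Jan 24 19:33:05 rome last message repeated 11 times
Jan 24 19:33:40 rome slapd[2236]: syncrepl_entry: rid=012 be_modify (0)
Jan 24 19:33:40 rome slapd[2236]: do_syncrep2: rid=012 LDAP_RES_SEARCH_RESULT
Jan 24 19:33:40 rome slapd[2236]: do_syncrep2: cookie=rid=012,csn=20090125022613.018210Z#000000#000#000000
Jan 24 19:33:40 rome slapd[2236]: nonpresent_callback: rid=012 nonpresent UUID e7d215a2-3cc4-102d-8ea2-9f51782b1a5b, dn c=GB
Jan 24 19:33:40 rome slapd[2236]: nonpresent_callback: rid=012 nonpresent UUID e7f0d37a-3cc4-102d-8ea3-9f51782b1a5b, dn o=....
Jan 24 19:33:40 rome slapd[2236]: nonpresent_callback: rid=012 nonpresent UUID e7f61ed4-3cc4-102d-8ea4-9f51782b1a5b, dn .....
"""

SYNC_RE = re.compile(r"do_syncrep2: rid=(\d+) LDAP_RES_INTERMEDIATE - SYNC_ID_SET")
NONPRESENT_RE = re.compile(
    r"nonpresent_callback: rid=(\d+) nonpresent UUID ([0-9a-f-]{36}), dn (.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def summarize(log_text):
    """Per-rid count of SYNC_ID_SET messages and list of nonpresent entries."""
    stats = defaultdict(lambda: {"sync_id_sets": 0, "nonpresent": []})
    last_sync_rid = None  # set while the preceding line was a SYNC_ID_SET
    for line in log_text.splitlines():
        m = SYNC_RE.search(line)
        if m:
            last_sync_rid = m.group(1)
            stats[last_sync_rid]["sync_id_sets"] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_sync_rid is not None:
            # Assumption: syslog collapsed repeats of the SYNC_ID_SET line.
            stats[last_sync_rid]["sync_id_sets"] += int(m.group(1))
            continue
        last_sync_rid = None
        m = NONPRESENT_RE.search(line)
        if m:
            rid, uuid, dn = m.groups()
            # Entry the consumer treats as absent from the provider.
            stats[rid]["nonpresent"].append((uuid, dn))
    return dict(stats)

def rids_to_alert(stats, max_nonpresent=2):
    """rids whose SYNC_ID_SET refresh marked more entries nonpresent than allowed."""
    return sorted(rid for rid, s in stats.items()
                  if s["sync_id_sets"] and len(s["nonpresent"]) > max_nonpresent)

if __name__ == "__main__":
    print(rids_to_alert(summarize(SAMPLE_LOG)))
```
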
[OPENLDAP] slapd password confusion
by Technical Home
Hello,
In my quest to install and understand how a PDC Samba/OpenLDAP works, I
encountered a strange problem when setting my slapd admin password.
Here is my server configuration:
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
I'm running ubuntu-server 8.10 Intrepid. My ubuntu is up to date. I
installed the slapd package from ubuntu repository.
dpkg asked me to specify a password for my admin account and I entered a
password like this one: totototo12;
And now when I try to modify my LDAP tree with the command "ldapmodify
-x -D cn=admin,cn=config -W", at the password prompt, I can connect with
all of these passwords:
totototo12;
totototo12
totototo1
totototo
totototo23
tototototo
...
The only condition to log in is that I write the beginning of my password:
totototo
Why does slapd not care about the end of my password?
If I specify a smaller password like toto12; in slapd configuration with
dpkg-reconfigure, there is no problem...
If you need more information to help me understand what happens,
just ask me ;) .
Thanks in advance,
Gilles
14 years
How can I *really* disable schema-checking?
by Salim Fadhley
I've recently inherited responsibility for an LDAP server for a large
business critical operation.
Unfortunately the previous developer simply added data with schema-checking
off. They were using a very old version of OpenLDAP (which I can no longer
use) which allowed them to disable all schema-checking. As a consequence
the data is no longer compatible with the schema - all validation fails.
I want to disable all schema-checking on my new server, so I used the
slapd.conf directive "schemacheck off" - however this seems to be ignored.
I know this because when I attempt to add an un-declared attribute to an
entry in the database, the change is rejected. I understand that the
"schemacheck" config directive has been deprecated in recent versions of
slapd: But is there any other way to achieve the same thing?
I've been told that there is a class called "ExtensibleObject" - might this
help? Please bear in mind that my database is big (approx 20Mb) and
changing the data may break compatibility with the application.
All I really want is to re-create the same kind of "anything-goes" platform
that we had with the old 2.2.19 slapd which allowed me to disable all
schema-checking.
Thanks,
Sal
14 years
Threads Backload
by Bill MacAllister
In looking at some load issues on our servers we have started recording
some cn=Monitor counters for analysis. In particular we would like to
understand what cn=Backload,cn=Threads,cn=Monitor contains. On our servers
we have threads set to 8 and we have seen maximum backload values of 56.
Does this mean there are 56 connections waiting for an execution thread?
Bill
+--------------------------------------------------------
| Bill MacAllister <whm(a)stanford.edu>
| Systems Software Programmer, ITS Unix Systems, Stanford University
14 years
Re: dynlist-overlay and requesting an attribute
by Harry Jede
On Monday 08 December 2008, Pierangelo Masarati wrote:
> Wilhelm Meier wrote:
> >> What version?
> >
> > 2.4.11
>
> There have been at least two fixes to slapo-dynlist since 2.4.11.
> Please check whether your issue has already been addressed.
openldap Version 2.4.13
The definition:
slapd.conf:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
The record:
ldapsearch -x -LLL -M '(&(cn=ab37)(member=uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx))' member memberurl
dn: cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx
memberURL: ldap:///dc=schule,dc=xx??sub?(&(gidNumber=101)(sambasid=*))
member: uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
SUCCESS: simple search
ldapsearch -x -LLL cn=ab37 memberurl member
dn: cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx
memberURL: ldap:///dc=schule,dc=xx??sub?(&(gidNumber=101)(sambasid=*))
member: uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
member: uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
SUCCESS: The search on a static attribute:
ldapsearch -x -LLL '(&(cn=ab37)(member=uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx))' member memberurl
dn: cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx
memberURL: ldap:///dc=schule,dc=xx??sub?(&(gidNumber=101)(sambasid=*))
member: uid=jedeh,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
member: uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
SUCCESS: The compare on a dynamic attribute:
ldapcompare -x cn=ab37,ou=GRUPPEN,o=SCHULE,dc=schule,dc=xx member:uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx
TRUE
FAIL: The search on a dynamic attribute:
ldapsearch -x -LLL '(&(cn=ab37)(member=uid=schlotter,ou=LEHRER,o=SCHULE,dc=schule,dc=xx))' member memberurl
Even if there is no static member attribute, the result is the same.
dynlist works only partially.
It is not possible to search for and find a dynamically generated
attribute.
And this is the reason, why the command "id" will not enumerate group
membership correctly.
--
Regards
Harry Jede
14 years
OpenLDAP connecting to remote MySQL server with back-sql
by Jason B
Hi all,
Question for you. I've been racking my brains over this one for most of the day
without much success, and it seems my Google-Fu is no match for this one.
I'm hoping you can help.
I'm attempting to set up OpenLDAP (2.4.13) with back-sql running as a module,
relying on a MySQL server as a backend.
My problem appears to be due to the fact I'm trying to run the database
server on a remote host, not the same box as OpenLDAP.
Attempting to start OpenLDAP gives the following error:
==>backsql_get_db_conn()
==>backsql_open_db_conn()
backsql_open_db_conn: SQLConnect() to database "ldap" as user "dc1auth1" failed:
Return code: -1
Native error code: 2002
SQL engine state: 08S01
Message: [MySQL][ODBC 3.51 Driver]Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
backsql_get_db_conn(): could not get connection handle -- returning NULL
backsql_db_open(): connection failed, exiting
However, odbc.ini (which has been separately tested) is configured to
connect to the MySQL server on 192.168.1.34. My understanding is that the
dbhost attribute in slapd.conf is ignored - we've set this anyway just to
make sure.
Extracts from each:
Slapd.conf
database sql
suffix "dc=imagingthesouth,dc=com,dc=au"
rootdn "cn=Hostmaster,dc=imagingthesouth,dc=com,dc=au"
rootpw stat1c
dbname ldap
dbhost 192.168.1.36
dbuser dc1auth1
dbpass dc1auth1
subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
insentry_query "INSERT INTO ldap_entries (dn,oc_map_id,parent,keval) VALUES (?,?,?,?)"
odbc.ini
[ldap]
Description = MySQL connection to Rhapsody
Driver = MySQL
DSN = ldap
Host = 192.168.1.34
Server = 192.168.1.34
Servername = 192.168.1.34
USER = dc1auth1
PASSWORD = passgoeshere
Database = rhapsody
Port = 3306
Option =
Stmt =
I'm slightly out of my depth here - any assistance would be greatly
appreciated!
Many thanks,
Jason.
14 years
schema checking
by Andreas Schoe
Hello,
I installed and configured OpenLDAP to multimaster. The replication
works great. But there is one problem:
In Single Mode schema checking is still present. Since I configured to
multimaster there isn't any schema checking.
Example: In multimaster mode I can add multiple structural objectclasses
to one entry.
Is this a configuration problem? I read that schema checking is
always included.
os: Solaris 10 8/07 s10s_u4wos_12b SPARC
openldap: OpenLDAP 2.4.11
config: dynamic
database: bdb
olcOverlay: syncprov
Best regards
Andreas
14 years
Master to slave replication - Size limit exceeded
by Proskurin Kirill
Hello.
I try to make a Master to slave replication with LDAP 2.4.13.
Then it was beound 500 entries - all was fine, but now it bigger and
replication fails on start with this error:
do_syncrep2: rid=123 LDAP_RES_SEARCH_RESULT (4) Size limit exceeded
do_syncrep2: rid=123 (4) Size limit exceeded
do_syncrepl: rid=123 retrying (9 retries left)
I googled this and read a few posts. I applied all the recommendations but
nothing helps. I stopped at this conf:
limits dn.exact="uid=replicator,ou=ServiceUsers,dc=CAS" size=unlimited time=unlimited
limits anonymous size.soft=50 size.hard=100 size.unchecked=32767 time.soft=15 time.hard=60 size=unlimited
sizelimit unlimited
sizelimit size=unlimited
#######################################################################
# BDB database definitions
#######################################################################
syncrepl rid=123
provider=ldap://78.129.148.74:389
type=refreshAndPersist
interval=0:0:01:00
retry="60 10 300 3"
searchbase="dc=CAS"
filter="(objectClass=*)"
scope=sub
attrs="*,+"
schemachecking=off
bindmethod=simple
binddn="uid=replicator,ou=ServiceUsers,dc=CAS"
credentials=secret
timelimit=unlimited
sizelimit=unlimited
What else can I do?
--
Best regards,
Proskurin Kirill
14 years
2.4.13, accesslog and logops
by Turbo Fredriksson
I just upgraded my 2.4 CVS from earlier this year to 2.4.13, but can't get
the accesslog overlay to log _both_ reads and writes at the same time!
Either one by itself works fine, but not combined. If I specify 'reads writes',
all I get is reads. Same if I specify all the operation types ('add delete modify
modrdn compare search abandon bind unbind').
Actually, not 100% true - I get the deletes, but nothing else (other than the read
types).
14 years