Re: Trouble with my ldap config
by Quanah Gibson-Mount
--On Tuesday, January 20, 2009 7:28 PM +0100 Nathan Huesken
<ldap(a)lonely-star.org> wrote:
> Hi,
>
> Well, that makes sense. How can I find out where? The log does not tell
> me.
Please keep replies on the list. The log tells you that your config DB is
missing a valid DN, I think that's a good place to start.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
LDAP Synchronisation
by Andi Gorhan
Hi,
I have a very big master/slave replication (about a few million entries). Now I want to start with syncrepl and I started
both servers. Now the slave got all the information via syncrepl for the initial load. Is it possible to change the "initial load" way?
Maybe simply copying the whole DB from master to slave at the beginning, so that LDAP doesn't have to sync the whole DB?
It is really slow.
Hopefully you can help me.
Andi
Trouble with my ldap config
by Nathan Huesken
Hi,
I tried setting up a basic config under Ubuntu. I get an error. I posted the output of
slapd -g openldap -u openldap -F /etc/ldap/slapd.d/ -d -1
below.
I do not know what is wrong, something with my config I guess, but what?
Thanks!
Nathan
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=*********, r=0
daemon_init: <null>
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
backend_startup_one: starting "cn=config"
=> str2entry: "cn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: Stats
olcPidFile: /var/run/slapd/slapd.pid
#olcReferral: ldap://*********
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 71356238-744f-102d-9b10-b5fb67f677b6
creatorsName: cn=config
createTimestamp: 20090111171717Z
entryCSN: 20090111171717.754132Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111171717Z
"
str2entry: entry -1 has no dn
=> ldif_enum_tree: failed to read entry for /etc/ldap/slapd.d//cn=config.ldif
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=51 matched="" text=""
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
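The debug output above shows the defect directly: str2entry echoes the entry it was handed, and its first line is "cn: cn=config" where an LDIF entry in slapd.d must begin with "dn: cn=config", so slapd reports "entry -1 has no dn" for /etc/ldap/slapd.d//cn=config.ldif and stops. The script below is an added example, not part of this thread and not OpenLDAP code: it walks a slapd.d directory and flags every .ldif file whose first attribute is not dn, using a constructed copy of the posted entry as sample input. The function names (check_entry, check_config_dir, demo) and the temporary directory layout are mine.

```python
"""Check every LDIF file under a slapd.d-style config directory for a
missing or malformed dn line, the condition slapd's str2entry reports as
"entry -1 has no dn".

Added example, not from the original thread. The sample entry below is a
constructed copy of the cn=config.ldif shown in the post, whose first
line reads "cn: cn=config" instead of "dn: cn=config".
"""
import os
import re
import tempfile

# Constructed sample: the posted cn=config.ldif with its bad first line.
# A valid file would start with "dn: cn=config".
BROKEN_CN_CONFIG = """cn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: Stats
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
"""

# An attribute line is "name: value", "name:: base64" or "name:< url".
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?|:<)\s?(.*)$")


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the
    previous line) and drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def check_entry(text):
    """Return a list of problems for one LDIF entry ([] if it is fine)."""
    problems = []
    lines = unfold(text)
    if not lines:
        return ["empty entry"]
    m = ATTR_RE.match(lines[0])
    if not m:
        return ["first line is not an attribute: %r" % lines[0]]
    if m.group(1).lower() != "dn":
        problems.append("entry has no dn (first line is %r)" % lines[0])
    for line in lines[1:]:
        m2 = ATTR_RE.match(line)
        if not m2:
            problems.append("malformed line: %r" % line)
        elif m2.group(1).lower() == "dn":
            problems.append("dn appears after the first line: %r" % line)
    return problems


def check_config_dir(path):
    """Walk a slapd.d tree (what slapd -F reads) and return
    {relative file: [problems]} for every .ldif file with problems."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            if not name.endswith(".ldif"):
                continue
            full = os.path.join(root, name)
            with open(full, encoding="utf-8") as fh:
                problems = check_entry(fh.read())
            if problems:
                report[os.path.relpath(full, path)] = problems
    return report


def demo():
    """Build a throwaway config dir with one broken and one good file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cn=config.ldif"), "w", encoding="utf-8") as fh:
            fh.write(BROKEN_CN_CONFIG)
        with open(os.path.join(d, "ok.ldif"), "w", encoding="utf-8") as fh:
            fh.write(BROKEN_CN_CONFIG.replace("cn: cn=config", "dn: cn=config", 1))
        return check_config_dir(d)


if __name__ == "__main__":
    for fname, probs in demo().items():
        for p in probs:
            print("%s: %s" % (fname, p))
```

Run it against the real tree with check_config_dir("/etc/ldap/slapd.d") before starting slapd; a report naming cn=config.ldif is the same condition the -d -1 trace shows.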
alock file
by Andi Gorhan
Hi,
I want to manually recover my DB. Do I have to delete the alock file as well? What is the meaning of
the alock file?
Thx,
Andi
LDAP Indexing
by Andi Gorhan
Hi,
Hopefully you can help me here. I only want to know what the LDAP DB is doing when I start slapindex.
It is clear to me that LDAP reindexes all attributes, but another thing is strange to me. The folder
where the LDAP DB is located grows constantly. Is it writing to the cache? And if yes, why?
Thank you and have a nice day.
Andi
linked values
by Александр Фомичёв
Hi, everybody!
Is there any possibility (via OpenLDAP, of course, without external
scripts) to get the following functionality:
When I change the value A, value C, combined from A + B, is updated
automatically.
For example, value "Full Name" has a form "Andrew W Markus". There are
three other fields - "First Name" (Andrew), "Middle Name" (W) and "Last
Name" (Markus). I want the "Full Name" to be automatically updated when,
for example, the "First Name" changes.
Best regards.
--
Alexander
Re: syncrepl problem - nothing updated after initial syncronisation
by Dieter Kluenter
Rein Tollevik <rein(a)OpenLDAP.org> writes:
> Dieter Kluenter wrote:
>> "Carl Johnstone" <carl.johnstone(a)gmgrd.co.uk> writes:
>>
>>> Trying to get 2 slapd servers setup for multi-master replication -
>>> they will eventually be in different physical locations. Once I've got
>>> the 2 servers running OK, I'll be adding in a 3rd location. I've
>>> followed the admin guide, using cn=config and have attached a LDIF
>>> dump of the config (with schemas removed).
>>>
>>> When I bring up the second server, with a minimal config. It correctly
>>> replicates across cn=config and sets up the main DB. It then correctly
>>> copies across all the data in the main DB to bring itself up-to-date
>>> with the server that's already setup. However from the point I bring
>>> it online it doesn't replicate any further changes to the first
>>> server. If I restart the second server the contextCSN is updated,
>>> however no other changes are replicated across.
>>>
>>> Is there anything obviously wrong with my config? Or have I hit a
>>> known problem?
>> remove the URI part from serverID.
>
> No! This is required when using a common config, which again is
> implied by a replicated cn=config. Each server in a multi-master
> configuration *must* have separate serverIDs, and using the URI
> version of the serverID is the only way multiple servers with the same
> config can achieve that.
>
> The URI part of the serverID must match (one of the) listeners slapd
> uses (its -h arguments). Start the servers with "-d config" and
> verify that they report different and non-zero SID= values.
This will lead to a contextCSN with a serverID 000 reference and will
disable any synchronization.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
Do we need to setup syncrepl along with back_ldap for proxying?
by Steven Truong
Dear all, do I need to set up syncrepl on the same proxy server that
uses back_ldap in order to proxy to my master/provider openldap server?
(Master/provider openldap server) <-------- (consumer that does proxy
to openldap master/provider server) [MY CURRENT SETUP]
or should I set up
(Master/provider openldap server) <-------- (consumer that does proxy
and _ALSO_ _SYNCREPL_ to openldap master/provider server)
With the following setup, I cannot seem to get any data from that
provider openldap server...
---------------------
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/core.schema
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/cosine.schema
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/inetorgperson.schema
include /usr/local/stow/openldap-2.4.13/etc/openldap/schema/nis.schema
include /usr/local/etc/samba.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
loglevel any
#modulepath /usr/local/stow/openldap-2.4.13/libexec/openldap
modulepath /usr/local/libexec/openldap/
#just for testing, load hdb
moduleload back_hdb
moduleload back_ldap
timelimit unlimited
sizelimit unlimited
threads 8
##################################################################
database ldap
uri "ldap://192.168.28.200"
suffix "ou=people,dc=mynetwork,dc=com"
rootdn "cn=admin,dc=mynetwork,dc=com"
idassert-bind
bindmethod=simple
binddn="uid=proxy,ou=proxy,dc=mynetwork,dc=com"
credentials="SunShine"
mode=none
# tls start
#tls_cacertdir=/usr/local/etc/openldap/cacerts
idassert-authzFrom dn.subtree="ou=people,dc=mynetwork,dc=com"
-------------------------------------
Here is my ldap.conf
[root@ext cache]# cat /usr/local/etc/openldap/ldap.conf
#URI ldap://localhost
URI ldap://192.168.28.111/
#URI ldap://192.168.28.200/
BASE ou=people,dc=mynetwork,dc=com
SIZELIMIT 0
TIMELIMIT 0
I did a ldapsearch and got nothing but "ldap_result: Can't contact
LDAP server (-1)"
[root@ext cache]# ldapsearch -d 1 -v -x -W -D
"uid=mydude,ou=people,dc=mynetwork,dc=com"
ldap_initialize( <DEFAULT> )
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.28.111:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.28.111:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x102de7f0 msgid 1
wait4msg ld 0x102de7f0 msgid 1 (infinite timeout)
wait4msg continue ld 0x102de7f0 msgid 1 all 1
** ld 0x102de7f0 Connections:
* host: 192.168.28.111 port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Jan 15 13:51:05 2009
** ld 0x102de7f0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x102de7f0 request count 1 (abandoned 0)
** ld 0x102de7f0 Response Queue:
Empty
ld 0x102de7f0 response count 0
ldap_chkResponseList ld 0x102de7f0 msgid 1 all 1
ldap_chkResponseList returns ld 0x102de7f0 NULL
ldap_int_select
read1msg: ld 0x102de7f0 msgid 1 all 1
ber_get_next
ldap_free_connection 1 0
ldap_free_connection: actually freed
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
--------------------
I read the http://www.openldap.org/doc/admin24/replication.html#Configuring%20the%20...
and found out that syncrepl was used in the examples but I had the
impression that I do not need syncrepl from reading the man page of
slapd-ldap.
Please provide me with the correct ways to implement an openldap proxy server.
Thank you.
how to replace multiple attributes?
by Adam Williams
With openldap 2.3 the following ldif would load fine with ldapmodify:
dn: uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
sambaProfilePath: \\preshs\profiles\panderson
sambaHomePath: \\preshs\panderson
sambaLogonScript: scripts\panderson.bat
sambaHomeDrive: R:
Over the weekend I upgraded to OpenLDAP 2.4.12. I was googling and I
think my ldif now needs to look like this, but I get an error when
trying to load it, and I'm not sure why, any ideas?
dn: uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
replace: sambaProfilePath
sambaProfilePath: \\preshs\profiles\panderson
-
replace: sambaHomePath
sambaHomePath: \\preshs\panderson
-
replace: sambaLogonScript:
sambaLogonScript: scripts\panderson.bat
-
replace: sambaHomeDrive
sambaHomeDrive: R:
[root@roark ldap]# ldapmodify -D
"cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxxxxx -x -v -f
profilepaths.ldif
ldap_initialize( <DEFAULT> )
ldapmodify: invalid format (line 5) entry:
"uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us"
if I take out the lines that are only a - and run it, it only replaces
the first attribute:
[root@roark ldap]# ldapmodify -D
"cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxxxxx -x -v -f
profilepaths.ldif
ldap_initialize( <DEFAULT> )
replace sambaProfilePath:
\\preshs\profiles\panderson
modifying entry "uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us"
modify complete
how can I get ldapmodify to replace all 4 lines in one ldif file?
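An LDIF change record with "changetype: modify" is one dn line, the changetype line, then one or more mod-specs, each an "add:", "delete:" or "replace:" line naming the attribute, followed by that attribute's values and terminated by a line holding only "-" (RFC 2849). The parser below is an added example, not from this thread and not ldapmodify's own code: it parses such a record into (op, attribute, values) triples and reports the first malformed line with its LDIF line number, in the shape of ldapmodify's "invalid format (line N)". The sample is a constructed copy of the second LDIF in the post. This parser accepts the "-" separator on line 5 that the posted 2.4.12 run rejected (the thread does not say why that happened); what it does catch is the other defect in the same record, the trailing colon in "replace: sambaLogonScript:" on line 9, which the posted run never reached. The names parse_modify, error_line, POSTED_MODIFY and FIXED_MODIFY are mine.

```python
"""Parse and validate an LDIF "changetype: modify" record (RFC 2849).

Added example, not from the thread and not ldapmodify's code. The sample
record is a constructed copy of the second LDIF in the post.
"""
import base64
import re

# Constructed sample: the posted record, including its stray colon on line 9.
POSTED_MODIFY = r"""dn: uid=panderson,ou=People,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
replace: sambaProfilePath
sambaProfilePath: \\preshs\profiles\panderson
-
replace: sambaHomePath
sambaHomePath: \\preshs\panderson
-
replace: sambaLogonScript:
sambaLogonScript: scripts\panderson.bat
-
replace: sambaHomeDrive
sambaHomeDrive: R:
"""
# The same record with the stray colon removed.
FIXED_MODIFY = POSTED_MODIFY.replace("replace: sambaLogonScript:", "replace: sambaLogonScript")

MOD_OPS = ("add", "delete", "replace")
# AttributeDescription (RFC 4512): a keystring or numeric OID, plus ";option"s.
ATTR_DESC_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*$")


class LdifFormatError(ValueError):
    """Carries the 1-based LDIF line number, like ldapmodify's message."""
    def __init__(self, line, msg):
        super().__init__("invalid format (line %d): %s" % (line, msg))
        self.line = line


def unfold(text):
    """Return [(line number, logical line)], joining continuation lines
    (leading space) and dropping blank lines and comments."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and out:
            out[-1] = (out[-1][0], out[-1][1] + raw[1:])
        elif raw and not raw.startswith("#"):
            out.append((n, raw))
    return out


def split_attr(n, line):
    """Split 'name: value' (or 'name:: base64') into (name, value)."""
    name, sep, rest = line.partition(":")
    if not sep or not name:
        raise LdifFormatError(n, "not an attribute line: %r" % line)
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.lstrip(" ")


def parse_modify(text):
    """Return (dn, [(op, attribute, [values]), ...]) or raise LdifFormatError."""
    lines = unfold(text)
    if len(lines) < 2:
        raise LdifFormatError(1, "record needs at least dn and changetype")
    name, dn = split_attr(*lines[0])
    if name.lower() != "dn":
        raise LdifFormatError(lines[0][0], "record must start with dn:")
    name, ct = split_attr(*lines[1])
    if name.lower() != "changetype" or ct != "modify":
        raise LdifFormatError(lines[1][0], "expected 'changetype: modify'")
    mods, current = [], None          # current = (op, attr, values) being built
    for n, line in lines[2:]:
        if line == "-":               # end of one mod-spec
            if current is None:
                raise LdifFormatError(n, "'-' without a preceding add/delete/replace")
            mods.append(current)
            current = None
            continue
        name, value = split_attr(n, line)
        if current is None:           # expecting a mod-spec header
            if name.lower() not in MOD_OPS:
                raise LdifFormatError(n, "expected add/delete/replace, got %r" % name)
            if not ATTR_DESC_RE.match(value):
                raise LdifFormatError(n, "bad attribute description %r" % value)
            current = (name.lower(), value, [])
        else:                         # a value line for the current mod-spec
            if name.lower() != current[1].lower():
                raise LdifFormatError(n, "value for %r inside a %r mod" % (name, current[1]))
            current[2].append(value)
    if current is not None:           # the final '-' is tolerated if absent
        mods.append(current)
    return dn, mods


def error_line(text):
    """Line number of the first format error, or None if the record parses."""
    try:
        parse_modify(text)
    except LdifFormatError as exc:
        return exc.line
    return None


if __name__ == "__main__":
    print("posted record: error at line", error_line(POSTED_MODIFY))
    for op, attr, values in parse_modify(FIXED_MODIFY)[1]:
        print(op, attr, values)
```

The first posted form (values with no "replace:" lines at all) is rejected at line 3 by the same parser, since a value line is only valid inside a mod-spec.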
Local rewrite and authz-regexp
by Mathieu MILLET
Hi everyone,
In this period, a "Happy new year" is most appropriate, isn't it?
I have set up two servers in multimaster replication, using
SASL/EXTERNAL + authz_regexp (I have two authz_regexp entries: one for cn=config and
one for the replicator DN in the data context) to authenticate the replication
instances with SSL certificates.
I would like to implement a "local" rewrite of incoming requests (mostly
BIND and Search operations) so that queries originating with dn like
"cn=jdoe,ou=people,dc=local" are transformed in
"uid=jdoe,ou=people,dc=local".
I have two problems and one question :
1. I can't implement any olcRwmRewrite attribute.
Any of the following lines in the olcOverlay={4}rwm.ldif file :
olcRwmRewrite: {0}rwm-rewriteEngine "on"
olcRwmRewrite: {1}rwm-rewriteContext "default"
olcRwmRewrite: {2}rwm-rewriteRule "cn=(.+),ou=people,dc=local$"
"uid=$1,ou=people,dc=local" ":"
give the error message (in debug mode) :
-------------
[/etc/openldap/slapd.d/:1] unknown command ''
olcRwmRewrite: value #0: <olcRwmRewrite> handler exited with 1!
config error processing olcOverlay={4}rwm,olcDatabase={2}hdb,cn=config:
<olcRwmRewrite> handler exited with 1
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=80 matched="" text=""
slaptest: bad configuration directory!
--------------
Those lines were generated by slaptest from a working slapd.conf file
2. Segfault at startup (or when pushing the LDIF configuration, maybe at the first
sync):
The segfault point varies from one startup to another, always after a TLS
negotiation (it is the syncrepl instance with itself) and sometimes the
following lines appear:
ldap_msgfree
[rw] searchDN: "dc=app,dc=eiffage,dc=loc" -> "dc=app,dc=eiffage,dc=loc"
=> bdb_entry_get: ndn: "(null)"
=> bdb_entry_get: oc: "(null)", at: "contextCSN"
bdb_dn2entry("(null)")
Segmentation fault
Even when the overlay configuration LDIF file is reduced to the following :
dn: olcOverlay={4}rwm
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {4}rwm
structuralObjectClass: olcRwmConfig
If I remove the overlay configuration LDIF file, the server starts working
immediately.
3. Where can I find documentation about olcRwmTFSupport and
olcRwmNormalizeMapped, that slaptest generated for me ?
For documentation, here are the authz_regexp :
{0}cn=.*_repl_config,ou=AC-LDAP,o=myorg cn=config
{1}cn=.*_replicator,ou=AC-LDAP,o=myorg
cn=Replicator,ou=replicators,dc=local
and the olcsyncrepl attributes look like this :
{0}rid=001 provider="ldap://slxp0059.app.local" bindmethod=sasl
saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist
starttls=critical retry="5 5 60 +" timeout=10
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/repl_config.cert.pem
tls_key=/etc/openldap/repl_config.key.pem
{1}rid=002 provider="ldap://slxp0058.app.local" bindmethod=sasl
saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist
starttls=critical retry="5 5 60 +" timeout=10
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/repl_config.cert.pem
tls_key=/etc/openldap/repl_config.key.pem
{0}rid=201 provider="ldap://slxp0059.app.local" bindmethod=sasl
saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly
interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/replicator.cert.pem
tls_key=/etc/openldap/replicator.key.pem
{1}rid=202 provider="ldap://slxp0058.app.local" bindmethod=sasl
saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly
interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/replicator.cert.pem
tls_key=/etc/openldap/replicator.key.pem
Thanks in advance for any answer.
Sincerely yours, Mathieu MILLET.
--
Mathieu MILLET
mailto:ldap@htam.net
----
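On the rewrite rule itself: rwm patterns are regular expressions (see regex(7)), so a pattern without a leading ^ matches anywhere in the DN, and (.+) is greedy. The script below is an added example, not from this thread and not OpenLDAP's librewrite: it models a rewriteRule list as (pattern, action, flags) triples, on the assumption that a matching rule's expanded action replaces the whole input string and that the ":" flag stops the chain after that rule, then applies the posted rule and an anchored variant to a few constructed DNs. It shows the posted rule mapping ou=keys,cn=jdoe,ou=people,dc=local, an entry that is not jdoe's, onto uid=jdoe,ou=people,dc=local, which matters once the rewrite is applied to BIND DNs as planned. The names apply_rules, compare, POSTED_RULE and ANCHORED_RULE and the sample DNs are mine.

```python
"""Model of rwm rewriteRule evaluation, to show the effect of an unanchored
pattern. Added example: not from the thread and not OpenLDAP's librewrite.
Assumptions made here: a matching rule's expanded action replaces the
whole input string, and the ':' flag stops the chain after that rule.
"""
import re

SUBMATCH_RE = re.compile(r"\$([1-9])")   # $1..$9 in the action


def apply_rules(rules, value):
    """Apply (pattern, action, flags) rules in order to one string and
    return the result. re.search is unanchored unless the pattern says
    ^ or $; it is leftmost-first rather than POSIX leftmost-longest, but
    the patterns used here give the same result under both."""
    for pattern, action, flags in rules:
        m = re.search(pattern, value)
        if not m:
            continue
        value = SUBMATCH_RE.sub(lambda s: m.group(int(s.group(1))) or "", action)
        if ":" in flags:
            break
    return value


# The regex, action and ":" flag exactly as posted.
POSTED_RULE = [(r"cn=(.+),ou=people,dc=local$", "uid=$1,ou=people,dc=local", ":")]
# Stricter variant (mine): anchored at the start, one comma-free RDN value.
ANCHORED_RULE = [(r"^cn=([^,]+),ou=people,dc=local$", "uid=$1,ou=people,dc=local", ":")]

# Constructed DNs: the intended case, a subordinate of jdoe's entry, a
# subordinate whose RDN is also cn, and a DN outside ou=people.
SAMPLE_DNS = [
    "cn=jdoe,ou=people,dc=local",
    "ou=keys,cn=jdoe,ou=people,dc=local",
    "cn=backup,cn=jdoe,ou=people,dc=local",
    "cn=admin,dc=local",
]


def compare(value):
    """(result under the posted rule, result under the anchored rule)."""
    return apply_rules(POSTED_RULE, value), apply_rules(ANCHORED_RULE, value)


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        posted, anchored = compare(dn)
        print("%-40s posted -> %-40s anchored -> %s" % (dn, posted, anchored))
```

The unanchored rule also turns cn=backup,cn=jdoe,ou=people,dc=local into uid=backup,cn=jdoe,ou=people,dc=local because (.+) swallows the comma; the anchored rule leaves both subordinate DNs untouched, so they fall through to whatever the next rule or the backend does with an unrewritten DN.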