HELP! After Upgrading OpenLDAP 2.4.15 DB 4.6 to DB4.7 LDAP isn't willing to operate: txn_checkpoint interface requires an
by O. Hartmann
Today I updated several FreeBSD 7.1-STABLE servers and so I did on one
of our OpenLDAP servers. The server was running OpenLDAP 2.4.15 with
Cyrus SASL2 support and DB backend was DB 4.6 as from the ports.
First, I made a backup from the OpenLDAP database via slapcat -l file.ldif.
I updated from DB 4.6 to DB 4.7 and rebuilt every port that relied on DB
4.6, deleted DB 4.6 libraries and other files and then rebuilt OpenLDAP
2.4.15.
When trying to recover the database via 'slapadd -c -l file.ldif' and/or
trying to restart the OpenLDAP server, I get this error message:
Starting slapd.
@(#) $OpenLDAP: slapd 2.4.15 (Mar 12 2009 13:06:18) $
root@fu-testbett:/usr/ports/net/openldap24-server/work/openldap-2.4.15/servers/slapd
bdb(dc=geoinf,dc=fu-berlin,dc=de): unable to initialize mutex: Invalid argument
bdb(dc=geoinf,dc=fu-berlin,dc=de): unable to destroy mutex: Invalid argument
bdb(dc=geoinf,dc=fu-berlin,dc=de): PANIC: Invalid argument
bdb(dc=geoinf,dc=fu-berlin,dc=de): unable to join the environment
hdb_db_open: database "dc=geoinf,dc=fu-berlin,dc=de" cannot be opened, err -30974. Restore from backup!
bdb(dc=geoinf,dc=fu-berlin,dc=de): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: database "dc=geoinf,dc=fu-berlin,dc=de": txn_checkpoint failed: Invalid argument (22).
backend_startup_one: bi_db_open failed! (-30974)
bdb_db_close: database "dc=geoinf,dc=fu-berlin,dc=de": alock_close failed
slapd stopped.
So far. At this very moment I feel like a dead man in the water. I
searched the web and tried to find out what LDAP is complaining about,
but no success so far. Is anybody out here with some hints? Please eMail me,
thanks in advance,
Oliver
14 years, 9 months
TLSCipherSuite crashes slapd
by John G. Heim
I inherited an openldap installation and am trying to set up a copy of the
database on a test server so I can experiment with it. I copied the
slapd.conf file from the production machine and made the minimal
modifications I had to to get it to work. The production server is running
the debian etch version of slapd, 2.3.30 and the test server is running
lenny's slapd, 2.4.11. One line that I had to comment out was
#TLSCipherSuite HIGH:MEDIUM
I also tried this (which is supposed to be the default):
#TLSCipherSuite ALL:!ADH
If I uncomment either of those lines, slapd will not start. What really
puzzles me is that the second line is supposed to be the default and even
that doesn't work. If I leave them commented out, slapd starts and I can
query the database via ldapsearch specifying the -ZZ option or by specifying
ldaps.
$ ldapsearch -x -ZZ uid=jheim
$ ldapsearch -x -H ldaps://ldap3.math.wisc.edu uid=jheim
Both of those searches work. I'm using a cert from cacert.org. But it
appears to like the cert because the -ZZ works and ldaps works. I even ran
ldapsearch with the -d1 option and saw nothing unusual about the certs. The
only unusual line in the log is this:
Mar 11 11:17:03 lcyoung slapd[10432]: main: TLS init def ctx failed: -1
14 years, 9 months
solaris slapadd "Value too large for defined data type"
by Brett @Google
Hi All,
While loading some data into a 2.4.15 (release) database using slapadd, I
get:
/usr/local/openldap/sbin/slapadd -c -q -w -f /usr/local/openldap/etc/openldap/slapd.conf -l /data/openldap/backups/ldap_090302.ldif -d 99
/data/openldap/backups/ldap_090302.ldif: Value too large for defined data type
Which is odd. The ldif is approx 9G in size, but I would have thought that
would not have been entirely unusual?
Compiled under Sun cc, berkeleydb 4.7 with latest (3) patches. Any thoughts
would be welcome.
Cheers
Brett
14 years, 9 months
OpenLdap - trigger
by Joao Batista Mossmann
Hi,
Using OpenLDAP, is there a way to call a trigger when a query is executed?
Best regards,
Joao Mossmann
14 years, 9 months
root-only configuration
by Peter Mogensen
Hi,
With slapd.conf you had to be root on the host to reconfigure slapd.
However, with cn=config anyone who can authenticate as rootdn for
cn=config can reconfigure slapd.
Is it in any way possible to set up cn=config, so only root on the host
can make changes?
/Peter
14 years, 9 months
Problem with master-slaves synchronisation
by fida aljounaidi
Hello
I have a big problem with synchronisation between some openldap slaves and
the openldap Master.
In fact, I have a network of openldap slaves (8) and an openldap master that
sends all the information to the slaves.
Actually when I add a new openldap slave, I get the old information from the
master but for all the newest one, I don't have synchronisation.
I have openldap 2.3.43 installed on the openldap Master
openldap 2.3.3 installed on the openldap slaves.
DB4.2-util installed on both openldap master and openldap slaves.
What can be the problem?
I don't have many things in the logs.
Thanks a lot
14 years, 9 months
Overlays proxycache and failover
by Sébastien CAMELLINI
Hi,
I have one ldap proxy server and 2 ldap servers in mirror mode with syncrepl.
My proxy ldap server asks all to one of the two servers in mirror mode. I'm
trying to find a way to specify in the proxy ldap config to ask all to the
second server when the first is down.
Thank you for your help,
Sebastien CAMELLINI
14 years, 9 months
Re: set ACL specification/syntax
by Andrew Cobaugh
On Fri, Mar 6, 2009 at 4:10 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
>
> If you set the cn value on every group they are supposed to be able to write
> to, then they'll be able to write to any of those groups. I.e., "this/cn"
> is the group entry in question. I'm assuming you want them to be able to
> write to any group they have control of. If you don't, then simply remove
> the cn=uid value from the group.
Perhaps I didn't articulate my point well enough.
I want them to be able to *create* these entries on their own, they
won't be pre-created. So, I want them to be able to create entries
under ou=group but only if they are of the form uid:.+
--andy
14 years, 9 months
ACL and multiple mandatory conditions
by manu@netbsd.org
Hello
The goal is to give access to a resource based on two mandatory
conditions.
I want user DN to match a rule, and attribute value to match another
rule, which depends on the user.
This yields me two rules. The first one allows a user that has a given ou
in ouManager set to modify the authorizedService in this ou. I did not
test the second one yet, but the idea is that the user has a
serviceManager attribute telling which value of authorizedService he is
allowed to set.
access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService
    by set.exact="user/ouManager & this/-1" write stop
access to attrs.regex=authorizedService val.regex="(.*)"
    by set="user/serviceManager & ${v1}" write stop
But I need to perform an AND between the two rules. How can that be done?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
14 years, 9 months