Online config, delta syncrepl and overlay chain
by Christian Roessner
Hi,
I bought a German book (OpenLDAP 2.4 - Das Praxisbuch) and could
successfully set up a delta-sync replication. Now I read about the
ability to add the overlay chain on the consumer side to automatically
redirect write requests for the consumer to the provider.
I am using an online configuration and I am not able to find answers on how
to add this overlay.
I am using Ubuntu, which has built openldap with module-support. So I
have already added the back_ldap.la module.
Two questions I cannot get answers to:
1.) Do I need to add the overlay to the hdb backend or to the frontend?
2.) Could somebody please point me to the corresponding objectClasses
that need to be added and the required attributes?
The book lists the following:
overlay chain
chain-uri ldap://foo/
chain-idassert-bind bindmethod=simple
binddn="..." credentials="..."
mode=self
flags=non-prescriptive
chain-rebind-as-user true
chain-return-error true
I can not find the olcXYZ options.
So, thank you very much for any help. :-)
Christian
13 years, 10 months
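The cn=config form of the book's slapd.conf fragment, added here as an example; it is not from the original post or from the book. The chain overlay goes on the frontend database (olcDatabase={-1}frontend), so it catches the referrals returned by any backend, and the chain-uri / chain-idassert-bind / chain-rebind-as-user settings live in a child olcDatabase=ldap entry under the overlay. The URI ldap://foo/ is the poster's; the binddn and the credentials are placeholders to replace.

```ldif
# Added example: chain overlay for a syncrepl consumer in cn=config.
# Load with:  ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif
# Assumes the back_ldap module is already loaded (olcModuleLoad: back_ldap).

# 1. The overlay itself, on the frontend (global) database.
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
# chain-return-error true: hand the provider's error back to the client
# instead of the referral
olcChainReturnError: TRUE

# 2. The chained back-ldap database under the overlay. This is where
#    chain-uri, chain-idassert-bind and chain-rebind-as-user go. slapd
#    assigns the {0} index to the overlay when the entry above is added.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://foo/"
# binddn/credentials are placeholders; the value is one line in LDIF
olcDbIDAssertBind: bindmethod=simple binddn="cn=chain,dc=example,dc=com" credentials="CHANGE-ME" mode=self flags=non-prescriptive
olcDbRebindAsUser: TRUE
```

Three things to check once it is loaded. The consumer database still needs olcUpdateRef pointing at the provider, because the chain overlay only follows the referral the local database returns for a write. For mode=self the provider must let the chain identity act on behalf of other users (olcAuthzPolicy: to, and an authzTo value on the cn=chain entry that covers the users' DNs), otherwise every proxied write fails. And credentials= is stored in clear text under cn=config, so restrict read access to olcDatabase entries and use ldaps:// or StartTLS in olcDbURI; note also that flags=non-prescriptive forwards a request whose identity the proxy may not assert as anonymous instead of refusing it, so prefer the prescriptive default unless you need that.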
[Openldap 2.4.16] Unable to use DB_CONFIG
by Lepoutre Lionel
Hello,
I am trying to use the DB_CONFIG file as it seems to be the right way to
configure my hdb database.
My LDAP starts without any DB_CONFIG, but when I put a DB_CONFIG file in I get
an error:
"unrecognized name-value pair: dn:"
Here is an extract of my files (I have replaced my personal information with
MY...)
- slapd.conf:
------------------------------------
database hdb
suffix "MY_LDAP_SUFFIX"
rootdn "MY_ROOT_DN"
rootpw MY_ROOT_PASS
directory /opt/local/openldap/var/openldap-data
- DB_CONFIG:
-----------------------------------
# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
# schema definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
dn: cn=core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: core
#backend definitions
dn: olcBackend=hdb,cn=config
objectClass: olcBackendConfig
olcBackend: hdb
# database definitions
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: hdb
olcSuffix: MY_LDAP_SUFFIX
....
It seems to be because of the first line of my DB_CONFIG file, but I
copied it from the documentation (
http://www.openldap.org/doc/admin24/slapdconf2.html). Did I miss something?
Is it not the right file for such a configuration?
Any help is welcome, and sorry if it is a stupid question.
Lionel
13 years, 10 months
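For contrast, here is what a DB_CONFIG file actually contains. This is an added example, not part of the post: DB_CONFIG is read by Berkeley DB itself, not by slapd, and holds one environment directive per line, which is why an LDIF line such as "dn: cn=config" is rejected as an unrecognized name-value pair. The LDIF in the post belongs in a slapd.d directory (cn=config), which is a separate mechanism from DB_CONFIG. The sizes below are assumptions.

```text
# Added example: DB_CONFIG for the hdb database directory named in the post,
# /opt/local/openldap/var/openldap-data. Values are assumptions; size them
# to your data.

# BDB cache: gbytes bytes ncache -> 256 MB in one contiguous segment
set_cachesize 0 268435456 1

# Transaction log: 2 MB in-memory buffer, 10 MB log files, and let BDB
# remove log files that are no longer needed for recovery
set_lg_bsize 2097152
set_lg_max 10485760
set_flags DB_LOG_AUTOREMOVE

# Lock table; raise these if slapd reports that the lock table is out of
# available locks, lockers or objects
set_lk_max_locks 3000
set_lk_max_lockers 1500
set_lk_max_objects 1500
```

BDB applies these when the environment is created, so stop slapd before changing them. DB_LOG_AUTOREMOVE deletes the logs you would need for catastrophic recovery; leave it out if your backups rely on archived log files. If the goal was to move from slapd.conf to cn=config rather than to tune BDB, convert the existing file with "slaptest -f slapd.conf -F /path/to/slapd.d" and start slapd with -F; slaptest generates the olcDatabase entries from the post for you.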
Re: tls init def ctx failed: -1 with my cacert signed certs
by Jelle de Jong
Brian A. Seklecki wrote:
> On Fri, 2009-07-24 at 15:11 +0200, Jelle de Jong wrote:
>> Hello everybody,
>>
>> This is my first post to this list so thank you for making and
>> supporting openldap and be gentle on me :)
>>
>> I have a server that has cacert.org signed certificates, I use them for
>> apache
>
> Does:
> /usr/share/ca-certificates/cacert.org/root.crt
>
> Have an entire concatenated CA Chain? Are there intermediate certs?
>
> try:
>
> $ openssl x509 -text -in /usr/share/ca-certificates/cacert.org/root.crt
>
>
> ~BAS
>
>
>> https, postfix and dovecot. Now I am trying to use them to get a
>> secure only access to openldap. I am still a bit new to openldap but I
>> get this output:
>>
>> http://debian.pastebin.com/m449836db
>>
>> What is going on?
>>
Hi BAS, thank you for helping. I gathered some more information; I hope
it can help to see what is going on. I can't make anything of the
debug output of the openldap server:
http://debian.pastebin.com/m56aaee1e
Thanks in advance,
Jelle
13 years, 10 months
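Brian's question, whether the CA file carries the whole chain, can be answered offline before reading slapd's debug output. The script below is an added example and is not part of the thread: it gives shell functions for the three checks that account for most "tls init def ctx failed" reports (an incomplete CA bundle, a key that does not belong to the certificate, and a key file slapd's uid cannot read), plus a throwaway root/intermediate/server PKI so the checks can be exercised without real keys. The cacert.org path is the one Brian quoted; the other paths in the usage comments are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original thread: offline checks for the
# files slapd is given via TLSCACertificateFile, TLSCertificateFile and
# TLSCertificateKeyFile. Paths in the usage comments are assumptions.
set -eu

# Number of PEM certificates in a bundle. A CA file that is supposed to
# carry root plus intermediate must report 2 or more; a bare root reports 1.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds if CERT chains up to a root in CAFILE (intermediates may sit in
# CAFILE as well); this is the same path building slapd's TLS library does.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the private key in KEY belongs to CERT: derive the public key
# from each side and compare the DER encodings.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build a throwaway PKI under DIR: root -> intermediate -> server, all
# generated here, so nothing real is touched.
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoRoot \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=ldap.example.test \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.crt" 2>/dev/null
    # What TLSCACertificateFile should point at: the whole chain, not the bare root.
    cat "$d/root.crt" "$d/int.crt" >"$d/chain.pem"
}

# Usage against the real files (assumed paths; run as root):
#   count_certs /usr/share/ca-certificates/cacert.org/root.crt
#   chain_verifies /usr/share/ca-certificates/cacert.org/root.crt /etc/ssl/certs/ldap.pem
#   key_matches_cert /etc/ssl/private/ldap.key /etc/ssl/certs/ldap.pem
#   ls -l /etc/ssl/private/ldap.key   # must be readable by the slapd uid (openldap on Ubuntu)
```

With the demo PKI, chain_verifies succeeds against chain.pem and fails against root.crt alone, which is exactly the situation where a server certificate issued by an intermediate looks fine to Apache (which can ship the intermediate itself) but makes slapd refuse to initialise its TLS context. Once the files pass, test the listener from the outside with "openssl s_client -connect host:636 -CAfile chain.pem" and "ldapsearch -ZZ -H ldap://host -d 1", which prints the TLS handshake errors slapd otherwise hides.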
LDAP and SASL problem
by Gildas Bayard
Hello,
I'm setting up a new LDAP server on Ubuntu Server 8.04.3 LTS.
man slapd.conf encourages me to use SASL auth for the rootdn instead of
setting the rootpw parameter in slapd.conf.
So I created a user in sasldb with saslpasswd2. sasldblistusers2 gives me
admin@coruscant: userPassword, which is what is expected.
But then I see that the password there is in plain text, so I don't
really get the advantage of using SASL. So I decided to use
saslauthd instead (which in turn will use PAM by default).
My problem is that I could not find out how to tell OpenLDAP to use
saslauthd instead of sasldb.
I tried to add a /usr/lib/sasl2/slapd.conf file with this inside (world
readable):
pwcheck_method: saslauthd
But it seems that this file is not read. I see that Ubuntu created a
/etc/ldap/sasl2 directory for me, but how can I know if SASL is looking
in it? How does SASL know it has to look for a slapd.conf file and not
openldap.conf or whatever.conf?
Could someone shed some light on this subject for me?
Cheers,
Gildas
13 years, 10 months
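An added example, not from the original post, of the two files involved and the commands that show whether they are in effect. libsasl names the file after the application name slapd passes to sasl_server_init(), which is "slapd", so the name is always slapd.conf; which directory is searched is a build-time setting of libsasl, and on Ubuntu the slapd package reads /etc/ldap/sasl2/slapd.conf, the directory the poster found. The realm "coruscant" is the one sasldblistusers2 showed; the rootdn and the password are assumptions.

```text
# Added example, not from the original post.

### /etc/ldap/sasl2/slapd.conf
### Must be readable by the uid slapd runs as (openldap on Ubuntu).
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
# saslauthd is only ever handed a clear-text password, so it can serve
# PLAIN and LOGIN; DIGEST-MD5 and CRAM-MD5 would keep using sasldb, so
# do not offer them
mech_list: PLAIN LOGIN

### /etc/ldap/slapd.conf (additions)
# PLAIN sends the password in the clear: refuse every operation on a
# session with less than 128 bits of protection, and rate the local
# ldapi:// socket as meeting that bar
security ssf=128
localSSF 128
# A SASL-authenticated identity arrives as
#   uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth
# (the cn=<realm> component is absent when the client sends no realm),
# so the rootdn can be named that way and needs no rootpw at all
rootdn "uid=admin,cn=coruscant,cn=plain,cn=auth"
# Ordinary users are mapped onto their entries with authz-regexp (see
# slapd.conf(5)); keep the rootdn identity out of any such pattern

### Checks
# 1. saslauthd accepts the credentials. slapd registers the SASL service
#    name "ldap", so the pam backend consults /etc/pam.d/ldap:
#      testsaslauthd -u admin -p 'secret' -s ldap -r coruscant
# 2. slapd picked up mech_list: PLAIN and LOGIN are listed, DIGEST-MD5 is not:
#      ldapsearch -x -H ldapi:/// -b '' -s base supportedSASLMechanisms
# 3. End to end; the reply shows the DN the bind produced:
#      ldapwhoami -H ldapi:/// -Y PLAIN -U admin -R coruscant
```

If step 2 still lists DIGEST-MD5, libsasl is reading a different slapd.conf (or none): run slapd under strace -e trace=open,openat and look for which slapd.conf path it tries. If step 3 answers with a DN lacking cn=coruscant, the client sent no realm and the rootdn will not match; either drop the realm from the rootdn or always pass -R.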
tls init def ctx failed: -1 with my cacert signed certs
by Jelle de Jong
Hello everybody,
This is my first post to this list so thank you for making and
supporting openldap and be gentle on me :)
I have a server that has cacert.org signed certificates, I use them for
apache https, postfix and dovecot. Now I am trying to use them to get a
secure only access to openldap. I am still a bit new to openldap but I
get this output:
http://debian.pastebin.com/m449836db
What is going on?
Thanks in advance,
Jelle de Jong
13 years, 10 months
Unique overlay usage with filter
by Kyle Blaney
I'm using the unique overlay in OpenLDAP 2.4.16 and finding it too easy
to violate the uniqueness constraints I have defined.
For example, if I have the following in my slapd.conf (taken from
slapo-unique man page):
overlay unique
unique_uri ldap:///?cn?sub?(sn=e*)
I can violate the uniqueness constraints as follows:
1. Add an entry with cn=a and sn=e.
2. Add a second entry with cn=a and sn=f.
3. Modify the sn of the second entry so that sn=e.
The attribute modification succeeds but causes a violation of the
uniqueness constraints.
Is there any way to configure OpenLDAP so that the attribute
modification fails due to a constraint violation?
Kyle Blaney
13 years, 10 months
OpenLDAP 2.4.16: can not add multiple 'member' attributes to object groupOfNames
by O. Hartmann
Hello,
I am trying to add multiple member attributes to an object of type
groupOfNames and I fail. The same goes for objectClass groupOfUniqueNames.
Whenever I try to add the multi-valued attribute, I receive an error like
'info: member: value #1 invalid per syntax, dec: invalid syntax'. I can
add exactly one attribute of type 'member' for this object.
Well, I'm confused, since this worked in older OpenLDAP versions (I'm
now using 2.4.16). The clients I use to add the attributes are 'ldapadd'
with a regular LDIF file (the file works well if only ONE member attribute
is specified), LUMA and LAM. All show the problem described.
I guess there is a knob I've overlooked or I am doing something conceptually
wrong with OpenLDAP 2.4.
Can you help?
Regards,
Oliver
P.S. Server is OpenLDAP 2.4.16 on FreeBSD 7.2 and 8.0, for information.
13 years, 10 months
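For reference, an added LDIF example (not from the post) of a groupOfNames with several member values. slapd numbers values from 0, so "value #1 invalid per syntax" says the second member value is not a valid DN; the two usual causes are a value that is not a DN at all and a long value that was wrapped without the LDIF continuation space. Suffix and entry DNs are assumptions.

```ldif
# Added example: a groupOfNames with three members. Suffix and DNs are
# assumptions. Load with:  ldapadd -x -D <rootdn> -W -f group.ldif
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
# One "member:" line per value. The attribute's syntax is
# distinguishedName, so every value must be a full DN; a bare uid or
# cn here is what produces "invalid per syntax".
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
# LDIF folds a long value onto continuation lines that start with exactly
# one space, which is stripped on parsing; a wrapped line without that
# space is read as a new attribute line and breaks the value before it.
member: uid=carol-with-a-rather-long-name,ou=people,
 dc=example,dc=com
```

The same rules apply to uniqueMember in groupOfUniqueNames. GUI clients such as LAM or LUMA build the values for you, so when they fail too, check what they actually send with slapd running at loglevel 256 (stats) and compare the logged member values against the DNs of the entries they are supposed to reference.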
Re: performance issue behind a a load balancer 2.3.32
by Tom Ryan
I notice that you are talking about only one F5. How do you have your secondary F5 configured? Perhaps the issue is in that?
Granted, I realize this doesn't contribute to the conversation, but it does raise a point.
Just saying...
----- Original Message -----
From: openldap-software-bounces+tomryan=camlaw.rutgers.edu(a)openldap.org <openldap-software-bounces+tomryan=camlaw.rutgers.edu(a)openldap.org>
To: John Madden <jmadden(a)ivytech.edu>
Cc: openldap-software(a)openldap.org <openldap-software(a)openldap.org>
Sent: Tue Jul 21 22:03:52 2009
Subject: Re: performance issue behind a a load balancer 2.3.32
yep, for a production environment, running on only one, is a sure fire way to earn myself a sparkling new pink slip...
-- David J. Andruczyk
----- Original Message ----
From: John Madden <jmadden(a)ivytech.edu>
To: David J. Andruczyk <djandruczyk(a)yahoo.com>
Cc: openldap-software(a)openldap.org
Sent: Tuesday, July 21, 2009 4:47:07 PM
Subject: Re: performance issue behind a a load balancer 2.3.32
On Tue, 2009-07-21 at 12:39 -0700, David J. Andruczyk wrote:
> This is a large production environment (several hundred servers,
> thousands of requests per minute) and the F5-LB is used to balance the
> load and take care if a node needs to be taken out of service for maint
Given, I run a smaller environment, but even on a several-years-old
v2.2.x install I regularly see several thousand requests per second --
not minute -- with tons of logging enabled -- handled while hardly
touching the CPU. Are you sure you really need multiple machines?
John
--
John Madden
Sr UNIX Systems Engineer
Ivy Tech Community College of Indiana
jmadden(a)ivytech.edu
13 years, 10 months
DeltaSync rid
by Peter Clark
Hello,
This is probably easy, but I did not find a straightforward answer
posted. When using delta syncrepl, do you use a unique number for the rid
on each consumer in slapd.conf?
ie: 1 master and 3 slaves:
slave 1:
syncrepl rid=0
blah...
slave 2:
syncrepl rid=1
blah...
slave 3:
syncrepl rid=2
blah...
Or can I just use syncrepl rid=0 on all 3 slaves?
Thank you.
Peter
13 years, 10 months