architecture and DIT change strategy
by Guillaume Rousse
Hello.
I'm trying to find the best way to conduct a substantial change in our
data model and server topology, with the least service disruption.
Before the reorganisation, we were a single entity, split across three
different sites. As a consequence, we had a single database for all our
users and groups:
dc=new,dc=foo,dc=tld
|-users
| |-site1
| |-site2
| |-site3
|-groups
  |-site1
  |-site2
  |-site3
The master server is hosted on one site, and we have slave servers on
the three sites.
After the reorganisation, we are three different entities, and I'd like
to break the tree into three different databases, each site hosting a
server acting as the master for its own base and a slave for the two others:
dc=site1,dc=foo,dc=tld
|-users
|-groups
dc=site2,dc=foo,dc=tld
|-users
|-groups
dc=site3,dc=foo,dc=tld
|-users
|-groups
The change also involves dropping the last part of the original suffix,
which is no longer relevant.
I'm currently investigating the use of slapo-rwm to provide virtual views
of the current database according to the new structure, so as to
progressively migrate application configurations first, then write an
automated conversion tool, and finally convert the virtual bases to new
ones. But maybe there are better strategies?
--
BOFH excuse #193:
Did you pay the new Support Fee?
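The "automated conversion tool" step of the plan above, as an added example that is not part of the original post or of OpenLDAP: a small LDIF rewriter that moves entries from the old single suffix to the per-site suffixes. It assumes (the post does not say) that the users/groups/siteN containers are organizationalUnits named with ou=, and that the hypothetical placeholder names (jdoe, asmith, admins) in the constructed sample export are fictitious. The part most often forgotten in such a move is that DN-valued attributes such as member must be rewritten too, and that a group referencing a user from another site now points into a different database, which the tool reports.

```python
import re

OLD_SUFFIX = "dc=new,dc=foo,dc=tld"

# Old tree: <rdn(s)>,ou=<site>,ou=<users|groups>,dc=new,dc=foo,dc=tld
# New tree: <rdn(s)>,ou=<users|groups>,dc=<site>,dc=foo,dc=tld
# Assumption: containers are ou= RDNs; the post does not name the attribute.
_OLD_DN = re.compile(
    r"^(?:(?P<rdns>.+),)?ou=(?P<site>site[1-3]),ou=(?P<container>users|groups),"
    + re.escape(OLD_SUFFIX) + r"$",
    re.IGNORECASE,
)

# Attributes whose values are DNs: they must be rewritten as well, or group
# memberships and references dangle after the move.
DN_VALUED_ATTRS = {"member", "uniquemember", "owner", "seealso", "manager"}


def parse_old_dn(dn):
    """Return (rdns, site, container) for a DN inside the old tree, else None."""
    m = _OLD_DN.match(dn.strip())
    if not m:
        return None
    return m.group("rdns"), m.group("site").lower(), m.group("container").lower()


def rewrite_dn(dn):
    """Map a DN from the old tree into the new per-site tree. DNs outside the
    rewritten region (the old suffix entry itself, for instance) are returned
    unchanged so the caller can decide what to do with them."""
    parsed = parse_old_dn(dn)
    if parsed is None:
        return dn
    rdns, site, container = parsed
    new_dn = f"ou={container},dc={site},dc=foo,dc=tld"
    return f"{rdns},{new_dn}" if rdns else new_dn


def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def rewrite_ldif(ldif_text):
    """Rewrite every dn: and DN-valued attribute in an LDIF export.
    Returns (new_ldif, warnings); one warning per reference that, after the
    split, points into a different site's database."""
    out, warnings = [], []
    entry_site = None
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        # Blank lines, comments, base64 (::) and URL (:<) values pass through.
        if not sep or line.startswith("#") or value[:1] in (":", "<"):
            out.append(line)
            if not line.strip():
                entry_site = None  # entry boundary
            continue
        key, value = attr.strip().lower(), value.strip()
        if key == "dn":
            parsed = parse_old_dn(value)
            entry_site = parsed[1] if parsed else None
            out.append(f"dn: {rewrite_dn(value)}")
        elif key in DN_VALUED_ATTRS:
            parsed = parse_old_dn(value)
            if parsed and entry_site and parsed[1] != entry_site:
                warnings.append(f"{key} in {entry_site} entry points to {parsed[1]}: {value}")
            out.append(f"{attr}: {rewrite_dn(value)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n", warnings


# Constructed sample export; the names are fictitious placeholders.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=site1,ou=users,dc=new,dc=foo,dc=tld
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe

dn: cn=admins,ou=site1,ou=groups,dc=new,dc=foo,dc=tld
objectClass: groupOfNames
cn: admins
member: uid=jdoe,ou=site1,ou=users,dc=new,dc=foo,dc=tld
member: uid=asmith,ou=site2,ou=users,dc=new,dc=foo,dc=tld
"""

if __name__ == "__main__":
    new_ldif, warnings = rewrite_ldif(SAMPLE_LDIF)
    print(new_ldif)
    for w in warnings:
        print("WARNING:", w)
```

Run it against a slapcat export of the old database and review the warnings before loading the per-site LDIF files with slapadd; the cross-site references are exactly the entries that the virtual-view phase with slapo-rwm cannot make transparent.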
SASL /usr/lib/sasl2/App.conf configuration
by Francis Swasey
I am attempting to set up OpenLDAP 2.4 on an RHEL5 system. I have applied patches that rename
the OpenLDAP binaries to append 2.4 to the name, so it can co-exist with the standard RHEL5
rpms without causing issues.
However, one unexpected side effect is that I don't know what it is now using as the name of
the conf file in /usr/lib/sasl2. In reading the SASL section of the Admin Guide, I was
directed to read the cyrus sasl sysadmin.html which tells me to "Check your application's
documentation for specifics". Sadly, I can't find the specifics about how OpenLDAP is setting
the SASL configuration file name in OpenLDAP's documentation. Which of the fine documents do I
need to read?
Thanks,
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
Re: Ambiguous SSL/TLS error messages from slapd
by Brian A. Seklecki (CFI NOC)
Steve, I agree:
This error gets printed with "-1" under too many
conditions. Just look at:
libraries/libldap/tls2.c::ldap_pvt_tls_set_option()
A return code (RC) of -1 could happen in about a dozen places.
I think we need to take a two step approach to fixing this:
1) Long term, implement OpenSSL's err(3)
2) Short term, in servers/slapd/main.c:
    Debug( LDAP_DEBUG_ANY,
        "main: TLS init def ctx failed: %d\n",
        rc, 0, 0 );
We should change / append to this to clarify:
    if (rc < 0)
        Debug( LDAP_DEBUG_ANY, "main: something has gone terribly "
            "wrong in creation of the SSL data structure. Check "
            "filesystem permissions, ownership bits, ACLs, configuration "
            "file paths. Resort to strace(1)/ktrace(1) "
            "debugging.\n", rc, 0, 0 );
    if (rc > 0)
        Debug( LDAP_DEBUG_ANY, "main: something has gone wrong "
            "in creation of the SSL socket data structure. Please "
            "check the OpenSSL error code above against: "
            "/usr/include/openssl/ssl until we err(3) support\n", rc, 0, 0 );
I will submit a patch.
~BAS
pass through authentication problem
by Geoff Baker
Hi,
I have a Red Hat 5 machine that I have compiled openldap-2.4.19 with the --enable-spasswd option. I have configured saslauth to do its thing as per the instructions on http://www.openldap.org/doc/admin24/security.html#Authentication%20Methods
I cannot seem to add the userPassword:: {SASL} user@domain part though. If I try to import an ldif like the following:
dn: uid=user,dc=domain
changetype: modify
replace: userpassword
userPassword:: {SASL} user@domain
I get an error saying ldapmodify: invalid format (line 4) entry: ""
If I change it to userpassword: {SASL} user@domain, that works, but the entry is hashed (is that OK?).
Then when I try to do a bind with that user account I get invalid credentials... Can somebody please help me work out why openldap doesn't seem to be passing on the request to SASL?
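As an added example, not code from the original post or from OpenLDAP, here is how an LDIF reader interprets the two separators used in the two attempts above: "attr: value" carries the literal string, while "attr:: value" announces a base64-encoded value, so a value that is not valid base64 is rejected, which is the kind of condition ldapmodify's "invalid format" message reports. The two sample lines are constructed copies of the ones in the post.

```python
import base64
import binascii


def parse_ldif_value(line):
    """Return (attribute, bytes) for one LDIF attribute line, applying the
    RFC 2849 separator rules: ':' literal, '::' base64, ':<' URL (not fetched
    in this example)."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"no separator: {line!r}")
    if rest.startswith("<"):
        raise ValueError("URL-valued attributes are out of scope for this example")
    if rest.startswith(":"):
        encoded = rest[1:].strip()
        try:
            return attr, base64.b64decode(encoded, validate=True)
        except binascii.Error as exc:
            # '{', '}', ' ' and '@' are not base64 alphabet characters
            raise ValueError(f"invalid base64 in {attr}: {exc}") from exc
    return attr, rest.strip().encode()


def classify(line):
    """Return 'ok' or the error text, the way an LDIF reader would report it."""
    try:
        parse_ldif_value(line)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed lines mirroring the post's two attempts.
DOUBLE_COLON = "userPassword:: {SASL} user@domain"
SINGLE_COLON = "userPassword: {SASL} user@domain"

if __name__ == "__main__":
    for line in (DOUBLE_COLON, SINGLE_COLON):
        print(f"{line!r}: {classify(line)}")
    # A value that really is base64 decodes to the literal behind it.
    print(parse_ldif_value("userPassword:: e1NBU0x9dXNlckBkb21haW4="))
```

The double-colon form is only appropriate when the value has first been base64-encoded; with the single colon the bytes after the separator are passed through unchanged.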
Upgrade openldap, os and backend - pointers for best performance ?
by Leon de Rooij
Hi all,
I recently decided it was time for some upgrades, so I installed a new
OpenLDAP server with the following changes:
              Old                          New
os:           Ubuntu Hardy Server 32bit    FreeBSD 8.0-Release-p2
kernel:       32bit 2.6.24-24-server       32bit 8.0-Release-p2
fs:           XFS                          UFS (soft-updates)
ldap:         2.3.37                       2.4.21
bdb:          4.6.21-6                     4.7.25.4
The rest is the same, dual 3.06GHz P4 Xeon with only 4GB RAM. I'm
using hdb as backend and have about 170k entries in the directory.
Slapd configuration is the same. Oh, and I'm only using the syncprov overlay.
DB_CONFIG is the same on both machines, only containing this:
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_lk_detect DB_LOCK_EXPIRE
On the new server, slapcat is faster, search returning single entry is
slower, but search returning ~10k entries is faster (these are all
second tries so cached data is used):
time ldapsearch filter=(uid=someusername) > /dev/null, returning one
entry on localhost
old (on linux):
real 0m0.006s
user 0m0.000s
sys 0m0.000s
new (on freebsd):
real 0m0.033s
user 0m0.010s
sys 0m0.008s
---
time ldapsearch filter=(uid=a*) > /dev/null, returning ~10k entries on
localhost
old (on linux):
real 0m1.728s
user 0m0.870s
sys 0m0.220s
new (on freebsd):
real 0m0.611s
user 0m0.074s
sys 0m0.015s
---
time slapcat > /dev/null
old (on linux):
real 0m26.834s
user 0m17.220s
sys 0m1.080s
new (on freebsd):
real 0m9.589s
user 0m8.884s
sys 0m0.699s
---
Now I know that too many variables have changed to point exactly at
the reason for the speed changes, but does anyone else have
experience with these version differences? I need to be able to do
about 100 searches/sec, which will probably not be a problem, but I am
curious whether someone has some pointers on how I can optimize, for
example, some sysctl's, UFS mount settings, DB_CONFIG or something else
on this new setup to get the best performance possible?
Thanks a lot & kind regards,
Leon de Rooij
leon(a)scarlet-internet.nl
PS: Thanks to all the developers of OpenLDAP, I've been using it
without any problems for a couple of years already and it rocks very
much!
RE: Failure to delete entry with multi-master replication
by Kyle Blaney
I can now reliably reproduce this problem in 2.4.21 and 2.4.20 on a
multi-master setup that only has five entries:
1. Stop service on server A.
2. Delete one entry on server B.
3. Start service on server A.
After step 3, the entry is never deleted from server A.
I have changed many aspects of configuration (replication with and
without TLS, syncprov-sessionlog enabled and disabled,
syncprov-checkpoint enabled and disabled, syncprov-nopresent TRUE and
FALSE, syncprov-reloadhint TRUE and FALSE) and the problem still occurs.
Is this problem the same one outlined in "test 058 failure" at
http://www.openldap.org/lists/openldap-software/201002/msg00031.html?
Kyle
-----Original Message-----
From: openldap-software-bounces+kblaney=avaya.com(a)OpenLDAP.org
[mailto:openldap-software-bounces+kblaney=avaya.com@OpenLDAP.org] On
Behalf Of Blaney, Kyle AVAYA (BVW:9T16)
Sent: February 9, 2010 4:46 PM
To: openldap-software(a)openldap.org
Subject: Failure to delete entry with multi-master replication
I have encountered a situation with multi-master replication in OpenLDAP
2.4.21 where an entry deleted on one server is not deleted from its
peer. I'm using Redhat Enterprise Linux 5.
Here's what I did:
1. Configure Network Time Protocol with server A as the NTP master and
server B as the NTP slave.
2. Configure multi-master replication between server A (server ID=1) and
server B (server ID=2).
3. Start OpenLDAP service on servers A and B.
4. Add an entry to server A and ensure it's replicated to server B.
5. Add an entry to server B and ensure it's replicated to server A.
6. Stop OpenLDAP service on server A.
7. Delete an entry on server B.
8. Start OpenLDAP service on server A with sync debugging enabled (-d
sync).
At this point, I expected that the entry deleted from server B would be
deleted from server A. Instead, the entry remained on server A and
slapd displayed the following (with the entry's DN X'ed out):
slapd starting
do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE Entry XXXXXX CSN 20100209193028.621799Z#000000#001#000000 older or equal to ctx 20100209193028.621799Z#000000#001#000000
syncprov_search_response:
cookie=rid=001,sid=001,csn=20100202210831.101462Z#000000#000#000000;20100209193028.621799Z#000000#001#000000;20100209193118.342038Z#000000#002#000000
Why wouldn't the entry deleted on server B also be deleted from server A?
Is the failure to delete the entry related to the "entry CSN older or
equal to context CSN" message?
Unfortunately, I have been unable to reproduce the failure since I first
saw it. All subsequent tests have shown that the entry deleted from
server B is deleted from server A when the OpenLDAP service on server A
is restarted.
Kyle Blaney
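To make the "entry CSN older or equal to context CSN" message and the cookie above easier to read, here is an added example, not code from the original thread or from OpenLDAP: a simplified model of how a syncrepl consumer parses CSNs and the per-serverID context CSNs carried in the cookie, and the ordering rule the message refers to. Field layout is taken from the CSNs on the page (14-digit UTC time, 6-digit fraction, Z, then change count, serverID and modifier number in hex). The model does not reproduce slapd's syncrepl code and does not diagnose the missing delete; it only shows what the consumer compares.

```python
import re
from collections import namedtuple

CSN = namedtuple("CSN", "time usec count sid mod raw")

_CSN_RE = re.compile(
    r"^(?P<time>\d{14})\.(?P<usec>\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)
_LOG_RE = re.compile(r"CSN (?P<entry>\S+) older or equal to ctx (?P<ctx>\S+)")


def parse_csn(text):
    """Split a CSN string into its fields; serverID and counters are hex."""
    text = text.strip()
    m = _CSN_RE.match(text)
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    return CSN(m["time"], int(m["usec"]), int(m["count"], 16),
               int(m["sid"], 16), int(m["mod"], 16), text)


def parse_cookie(cookie):
    """Parse 'rid=..,sid=..,csn=a;b;c' into (rid, sid, {serverID: CSN}).
    The csn field carries one context CSN per serverID the consumer knows."""
    cookie = cookie.strip()
    if cookie.startswith("cookie="):
        cookie = cookie[len("cookie="):]
    fields = dict(part.partition("=")[::2] for part in cookie.split(","))
    ctx = {}
    for value in fields.get("csn", "").split(";"):
        if value:
            csn = parse_csn(value)
            ctx[csn.sid] = csn
    return fields.get("rid"), fields.get("sid"), ctx


def _order_key(csn):
    # Time, then change count, then modifier: the fields that order changes
    # originating from one serverID.
    return (csn.time, csn.usec, csn.count, csn.mod)


def is_newer(entry_csn, ctx):
    """Accept an entry only if its CSN is strictly newer than the context CSN
    already held for the same serverID. CSNs of different serverIDs are not
    compared with each other; a serverID never seen before is always accepted."""
    known = ctx.get(entry_csn.sid)
    return known is None or _order_key(entry_csn) > _order_key(known)


def explain_log_line(line):
    """Pull both CSNs out of a 'CSN ... older or equal to ctx ...' message and
    say whether the ordering rule above would have applied the entry."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    entry, ctx = parse_csn(m["entry"]), parse_csn(m["ctx"])
    return {
        "entry": entry.raw, "ctx": ctx.raw,
        "same_sid": entry.sid == ctx.sid,
        "accepted": is_newer(entry, {ctx.sid: ctx}),
    }


# The two log lines quoted in the post, re-joined onto single lines.
LOG_LINE = ("do_syncrep2: rid=001 LDAP_RES_INTERMEDIATE - REFRESH_DELETE Entry XXXXXX "
            "CSN 20100209193028.621799Z#000000#001#000000 older or equal to ctx "
            "20100209193028.621799Z#000000#001#000000")
COOKIE = ("cookie=rid=001,sid=001,csn=20100202210831.101462Z#000000#000#000000;"
          "20100209193028.621799Z#000000#001#000000;"
          "20100209193118.342038Z#000000#002#000000")

if __name__ == "__main__":
    rid, sid, ctx = parse_cookie(COOKIE)
    for server_id, csn in sorted(ctx.items()):
        print(f"serverID {server_id}: last change {csn.time} (CSN {csn.raw})")
    print(explain_log_line(LOG_LINE))
```

Read this way, the quoted message says the refresh presented an entry whose CSN (serverID 1) is identical to the context CSN the consumer already holds for serverID 1, so that entry carries nothing new; the cookie shows the consumer tracking a separate context CSN for each of serverIDs 0, 1 and 2.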
test 058 fail
by Joseph Guerra
I am consistently failing test 058 (syncrepl-asymmetric) with the errors:
second site1 backend not replicated to central master
second site1 backend not replicated to central search
and occasionally
race error found on iteration 'X' out of 10
Entry not removed on central search
What can I do to fix this or can it simply be ignored?
I am running this on a red hat 3.4 machine.
ldapsearch using GSSAPI failed to run from other machine ...
by huican ping
hello All,
Finally I have the "openldap-2.2.5 + cyrus-sasl-2.1.23 + krb5-1.6.3" combination
running on my AS5_64 machine. But now I can only do ldapsearch with
GSSAPI on the same machine where slapd and the rest of the suite are running; if I
run it from another machine, it fails with (Unknown code krb5 7).
Of course, simple auth works well.
This is a newbie question; I have only just started working with sasl+krb5 and
ldap. Can anyone kindly tell me how to make ldapsearch
work from another machine? E.g., what kind of setup/procedure should I
do on the other machine before I can do ldapsearch with gssapi
effectively?
FYI, on the other machine I have the same versions of
"cyrus+krb5+openldap" installed, so I think "ldapsearch" links to
enough libraries to do sasl.
Output when run on the other machine
=============================
/tmp_proj/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p 9001
-Y gssapi -U admin -b "sn=admin,ou=People,o=Acme" '(objectclass=*)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Unknown code krb5 7)
Run on the same machine, it seems to work.
=======================
/tmp_proj/test/cyrus-sasl-2.1.23/sample>kinit lablogin
Password for lablogin(a)IC.ACME.COM:
/tmp_proj/test/cyrus-sasl-2.1.23/sample>ldapsearch -h 10.230.34.88 -p
9001 -Y gssapi -U admina(a)iclab062.ic.acme.com -b
"sn=admin,ou=People,o=Acme" '(objectclass=*)'
SASL/GSSAPI authentication started
SASL username: lablogin(a)IC.ACME.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <sn=admin,ou=People,o=Acme> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# admin, People, Acme
dn: sn=admin,ou=People,o=Acme
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPassword:: e1NTSEF9bGZMNXZNNFR1T1VrSm51eVk3RGJWODJFUUpvYVRNWWY=
cn: Administrator
sn: admin
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
TLS Replication
by anjan.prasad@wipro.com
Hi,
I am configuring OpenLDAP TLS replication on Ubuntu 8.10. The normal
replication works fine without any issues, but if I enable the TLS
certificates I get the error messages below.
slap_client_connect: URI=ldap://<ldap URL> Warning, ldap_start_tls
failed (-1)
Feb 10 23:42:03 ldapserver slapd[6884]: slap_client_connect:
URI=ldap://<LDAP URL> DN="cn=admin,dc=xxx,dc=xxx,dc=xxx"
ldap_sasl_bind_s failed (-1)
Require help to solve the above error.
Regards,
Anjan
Ambiguous SSL/TLS error messages from slapd
by Steve Polyack
I've noticed that some of the error messages presented by slapd can be
quite ambiguous in nature. For example, if TLSCertificateKeyFile is
specified in slapd.conf, yet is not readable by the user slapd runs as,
the following error is observed:
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: @(#) $OpenLDAP: slapd 2.3.43 (Feb 5 2010 10:47:47) $ root@host:/usr/obj/usr/ports/net/openldap23-server/work/openldap-2.3.43/servers/slapd
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: main: TLS init def ctx failed: -1
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: slapd stopped.
2010 Feb 5 10:52:34 -08:00 host [slapd][6261] [local4] [debug]
slapd[6261]: connections_destroy: nothing to destroy.
For reference, this is on FreeBSD 7.2-RELEASE, base OpenSSL v0.9.8e.
Looking briefly at the code, this error message is returned when
ldap_pvt_init_def_ctx() fails. I'm not sure which OpenSSL SSL_*
function call fails within this function, however I do notice that the
only call made to an OpenSSL library's ERR_* function is if the initial
SSL_CTX_new() method fails.
Am I looking at this wrong altogether, or is it simply a question of my
slapd loglevel not being high enough or not including TLS errors? It will
indeed typically list TLS negotiation failures.
Thanks
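Since the failure described above (slapd exiting with "TLS init def ctx failed: -1" because TLSCertificateKeyFile is not readable by the user slapd runs as) is cheap to catch before a restart, here is an added example, not code from the original post or from OpenLDAP: a preflight check that reads the TLS*File directives from slapd.conf text and reports, per file, whether a process running as a given uid and group set could open it, and whether the private key is world-readable. Only classic permission bits are evaluated (POSIX ACLs are not consulted), the slapd.conf text and the certificate and key files are constructed placeholders, and run_demo's "other uid" is simply the current uid plus one.

```python
import os
import stat
import tempfile

# slapd.conf keywords are case-insensitive; map lower-case to canonical spelling.
TLS_FILE_DIRECTIVES = {
    "tlscertificatefile": "TLSCertificateFile",
    "tlscertificatekeyfile": "TLSCertificateKeyFile",
    "tlscacertificatefile": "TLSCACertificateFile",
    "tlsdhparamfile": "TLSDHParamFile",
}


def parse_tls_files(conf_text):
    """Map each TLS file directive to its path, with surrounding quotes removed."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        canonical = TLS_FILE_DIRECTIVES.get(parts[0].lower())
        if canonical and len(parts) == 2:
            found[canonical] = parts[1].strip().strip('"')
    return found


def user_can_read(st, uid, gids):
    """Classic owner/group/other evaluation of the read bit for uid/gids."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(conf_text, uid, gids):
    """Return {directive: None | problem string} for every TLS file directive.
    Besides readability, the private key is flagged when it is world-readable:
    a key slapd can read is not the same as a key only slapd can read."""
    results = {}
    for directive, path in parse_tls_files(conf_text).items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            results[directive] = f"{path}: does not exist"
            continue
        if not user_can_read(st, uid, gids):
            results[directive] = f"{path}: not readable by uid {uid}"
        elif directive == "TLSCertificateKeyFile" and st.st_mode & stat.S_IROTH:
            results[directive] = f"{path}: private key is world-readable"
        else:
            results[directive] = None
    return results


def build_demo_conf():
    """Constructed fixture: a scratch directory holding a 0644 'certificate'
    and a 0600 'key' (placeholder text, not PEM), plus a slapd.conf fragment
    that also names a CA file which does not exist."""
    d = tempfile.mkdtemp(prefix="slapd-tls-check-")
    cert, key = os.path.join(d, "server.crt"), os.path.join(d, "server.key")
    for path, mode in ((cert, 0o644), (key, 0o600)):
        with open(path, "w") as fh:
            fh.write("placeholder, not a real PEM object\n")
        os.chmod(path, mode)
    return (
        "# constructed slapd.conf fragment\n"
        f'TLSCertificateFile "{cert}"\n'
        f"TLSCertificateKeyFile {key}\n"
        f"TLSCACertificateFile {d}/ca.pem\n"
    )


def run_demo():
    """Check the fixture twice: as the current user (the files' owner) and as an
    unrelated uid with no groups, which is how the post's key-file problem looks."""
    conf = build_demo_conf()
    as_owner = check_tls_files(conf, os.getuid(), set(os.getgroups()))
    as_other = check_tls_files(conf, os.getuid() + 1, set())
    return as_owner, as_other


if __name__ == "__main__":
    for label, report in zip(("owner", "other uid"), run_demo()):
        for directive, problem in report.items():
            print(f"[{label}] {directive}: {problem or 'ok'}")
```

In practice the check would be run with the uid and supplementary groups of the account named by slapd's -u/-g options before the service is restarted, so that a permission problem surfaces as a readable report rather than as the bare -1 quoted above.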