migrating to another server - restore problem - slapcat slapadd
by Christophe Dumonet
Hello,
I'm migrating from an old OpenLDAP server to a new one.
So I have done a dump of the LDAP database with:
slapcat -l mydump.ldap -f /etc/openldap/slapd.conf -b "dc=mycompany,dc=com"
--> So I have a dump LDIF file where the organisational units and DNs are
not in hierarchical order.
On my new server (which works fine; I can ldapadd some OUs and DNs, no
problem):
--> The slapadd command doesn't work because my LDAP data in the LDIF
file is not in hierarchical order.
I can't re-order this manually because it's an important database (the
LDIF is about 50 MB).
My slapadd command to restore is:
slapadd -l mydump.ldif -f /etc/openldap/slapd.conf -b "dc=mycompany,dc=com"
and the errors are related to the OU order in the LDIF. I have tried to
cut/paste some OUs in the LDIF file to reorder them, and then errors are
reported for other OUs, which are not in hierarchical order either!
How can I quickly restore my data to my new server?
Any help would be appreciated,
Christophe Dumonet, from France
--
----------------------------------------------------
Christophe Dumonet
Centre de Ressources Informatiques
Institut Francais de Mecanique Avancee (IFMA)
Campus des Cezeaux
BP 265
63175 AUBIERE Cedex
Tel : +33 - 4.73.28.80.64
Fax : +33 - 4.73.28.81.00
Mail : Christophe.Dumonet(a)ifma.fr
----------------------------------------------------
Syncrepl multimaster replication issue
by Penza Kenneth at MITTS
People,
I am currently trying to set up a multi-master LDAP setup.
The setup is running on CentOS 5.1 with kernel 2.6.18-53.el5. In this
setup I have migrated the UNIX authentication files using MigrationTools
and everything worked fine. When I try to set up the replication I
encounter strange behavior. The initial synchronization was
performed by copying the /var/lib/ldap directory while OpenLDAP was shut down.
On starting, both nodes query each other and everything seems to operate
correctly. When I perform a change on either node, the node performs the
local change; however, it is not propagated to the other node, and in
/var/log/ldap.log I get the following message:
Whenever the change is made on ldap1 it reports:
Jan 23 10:10:43 ldap1 slapd[5787]: null_callback : error code 0x10
Jan 23 10:10:43 ldap1 slapd[5787]: syncrepl_updateCookie: rid=002 be_modify failed (16)
Whenever the change is made on ldap2 it reports:
Jan 23 10:40:31 ldap2 slapd[5677]: null_callback : error code 0x10
Jan 23 10:40:31 ldap2 slapd[5677]: syncrepl_updateCookie: rid=002 be_modify failed (16)
Setup details:
cd /root/ldap_inst
tar xvzf db-4.6.21.tar.gz
tar xvzf openldap-2.4.7.tgz
cd db-4.6.21
cd build_unix/
../dist/configure --prefix=/usr
make clean (as root)
make (as root)
cd /usr/share/libtool/libltdl
configure --prefix=/usr
make
make install (as root)
cd /root/ldap_install/openldap-2.4.7
./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/sbin \
  --mandir=/usr/share/man --with-tls --without-cyrus-sasl \
  --enable-modules --enable-bdb=mod --enable-hdb=mod --enable-ldap=mod \
  --enable-crypt
make depend
make
make install (as root)
This procedure was completed on two nodes, namely ldap1 and ldap2. The
slapd.conf of each node is as follows:
Ldap1:
cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
modulepath /usr/sbin/openldap
moduleload back_bdb.la
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem
serverID 1 ldap://ldap1:389/
serverID 2 ldap://ldap2:389/
database bdb
suffix "dc=linuxldap,dc=org"
rootdn "cn=Manager,dc=linuxldap,dc=org"
rootpw secret
directory /var/lib/ldap
checkpoint 128 15
cachesize 10000
dncachesize 5000
idlcachesize 30000
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index objectClass,entryUUID,entryCSN eq
#syncRepl rid=001
# provider=ldap://ldap1:389
# binddn="cn=Manager,dc=linuxldap,dc=org"
# bindmethod=simple
# credentials=secret
# searchbase="dc=linuxldap,dc=org"
# type=refreshOnly
# interval=00:00:00:05
# retry="5 5 300 5"
# timeout=1
syncRepl rid=002
provider=ldap://ldap2:389
binddn="cn=Manager,dc=linuxldap,dc=org"
bindmethod=simple
credentials=secret
searchbase="dc=linuxldap,dc=org"
type=refreshOnly
interval=00:00:00:05
retry="5 5 300 5"
timeout=1
mirrormode true
sockbuf_max_incoming 5000
sockbuf_max_incoming_auth 5000
database monitor
Ldap2:
cat /etc/openldap/slapd.conf | grep -v ^# | grep -v ^$
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
modulepath /usr/sbin/openldap
moduleload back_bdb.la
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /etc/openldap/slapd-key-ldap1.pem
serverID 1 ldap://ldap1:389/
serverID 2 ldap://ldap2:389/
database bdb
suffix "dc=linuxldap,dc=org"
rootdn "cn=Manager,dc=linuxldap,dc=org"
rootpw secret
directory /var/lib/ldap
checkpoint 128 15
cachesize 10000
dncachesize 5000
idlcachesize 30000
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index objectClass,entryUUID,entryCSN eq
syncRepl rid=001
provider=ldap://ldap1:389
binddn="cn=Manager,dc=linuxldap,dc=org"
bindmethod=simple
credentials=secret
searchbase="dc=linuxldap,dc=org"
type=refreshOnly
interval=00:00:00:05
retry="5 5 300 5"
timeout=1
#syncRepl rid=002
# provider=ldap://ldap2:389
# binddn="cn=Manager,dc=linuxldap,dc=org"
# bindmethod=simple
# credentials=secret
# searchbase="dc=linuxldap,dc=org"
# type=refreshOnly
# interval=00:00:00:05
# retry="5 5 300 5"
# timeout=1
mirrormode true
sockbuf_max_incoming 5000
sockbuf_max_incoming_auth 5000
database monitor
Regards,
Kenneth Penza
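The configuration above replicates with a simple bind as the rootdn, with the rootpw in clear, over plain ldap:// with no StartTLS, and with a TLSCipherSuite that still admits SSLv2/SSLv3. The script below is an added example (not part of the post and not an OpenLDAP tool) that reads an slapd.conf the way slapd does, joining continuation lines, and flags exactly those settings; beside the weak sample it carries a hardened stanza using a dedicated replicator identity, starttls=critical and a hashed rootpw. The replicator DN, its password and the rootpw placeholder are assumed names. It does not diagnose the be_modify failed (16) messages, which need the surrounding log context. Two things the lint cannot see are still worth checking by eye: the posted ldap2 file references slapd-cert-ldap1.pem and slapd-key-ldap1.pem, and a replicator that is not the rootdn needs both an ACL granting it read access and a limits entry lifting the size/time limits, as in the hardened sample.

```python
"""Static lint of slapd.conf replication and TLS settings.

Added example, not from the original post: it reads an slapd.conf the way
slapd does (a line that begins with whitespace continues the previous
directive) and flags settings that expose the replication credentials.
It does not diagnose the be_modify failed (16) messages in the post.
"""
import re

# Constructed sample modelled on the posted ldap1 configuration.
WEAK_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
serverID 1 ldap://ldap1:389/
serverID 2 ldap://ldap2:389/
database bdb
suffix "dc=linuxldap,dc=org"
rootdn "cn=Manager,dc=linuxldap,dc=org"
rootpw secret
overlay syncprov
syncrepl rid=002
  provider=ldap://ldap2:389
  binddn="cn=Manager,dc=linuxldap,dc=org"
  bindmethod=simple
  credentials=secret
  searchbase="dc=linuxldap,dc=org"
  type=refreshOnly
  interval=00:00:00:05
  retry="5 5 300 5"
mirrormode true
"""

# Same pair with the weak settings replaced. The replicator DN, its
# password and the rootpw value are placeholders, not real credentials.
HARDENED_CONF = """\
TLSCipherSuite HIGH:!aNULL:!MD5
serverID 1 ldap://ldap1:389/
serverID 2 ldap://ldap2:389/
database bdb
suffix "dc=linuxldap,dc=org"
rootdn "cn=Manager,dc=linuxldap,dc=org"
rootpw {SSHA}REPLACE-WITH-slappasswd-OUTPUT
access to *
  by dn.exact="cn=replicator,dc=linuxldap,dc=org" read
  by * break
limits dn.exact="cn=replicator,dc=linuxldap,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
overlay syncprov
syncrepl rid=002
  provider=ldap://ldap2:389
  starttls=critical
  tls_reqcert=demand
  binddn="cn=replicator,dc=linuxldap,dc=org"
  bindmethod=simple
  credentials=REPLACE-WITH-replicator-password
  searchbase="dc=linuxldap,dc=org"
  type=refreshAndPersist
  retry="5 5 300 +"
mirrormode true
"""


def parse_slapd_conf(text):
    """Return (keyword, arguments) pairs with continuation lines joined."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # slapd.conf continuation line
        else:
            logical.append(raw.strip())
    return [(kw.lower(), rest.strip())
            for kw, _, rest in (line.partition(" ") for line in logical)]


def syncrepl_params(args):
    """key=value tokens of a syncrepl directive; values may be double-quoted."""
    return {k.lower(): v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', args)}


def normalize_dn(dn):
    return ",".join(p.strip() for p in dn.strip('"').split(",")).lower()


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    directives = parse_slapd_conf(text)
    rootdns = {normalize_dn(a) for k, a in directives if k == "rootdn"}
    for kw, args in directives:
        if kw == "tlsciphersuite":
            bad = [t for t in args.split(":") if re.fullmatch(r"\+?SSLv[23]", t)]
            if bad:
                findings.append("TLSCipherSuite enables " + ",".join(bad))
        elif kw == "rootpw" and not args.startswith("{"):
            findings.append("rootpw is stored in clear; use a slappasswd hash")
        elif kw == "syncrepl":
            p = syncrepl_params(args)
            rid, provider = p.get("rid", "?"), p.get("provider", "")
            simple = p.get("bindmethod", "simple").lower() == "simple"
            tls = p.get("starttls", "").lower() in ("yes", "critical")
            if simple and provider.startswith("ldap://") and not tls:
                findings.append(f"rid={rid}: simple bind to {provider} without starttls; "
                                "the replication password crosses the network in clear")
            if normalize_dn(p.get("binddn", "")) in rootdns:
                findings.append(f"rid={rid}: binddn is the rootdn; use a dedicated "
                                "replicator identity with read access only")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or "no findings")
```

Run it against a real file with `python3 lint.py < /etc/openldap/slapd.conf` after swapping the sample for `sys.stdin.read()`; the consumer on each node of a mirror pair gets the same treatment, since both bind to the other as the shared rootdn.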
Ldap ppolicy schema entries
by Ljunghammar, Darryl K
I would like to view the ppolicy schema attributes for a user when I do
a "ldapsearch" but they don't show up. For example, I would like to see
the "pwdHistory" attribute for a user. I know it is being updated
because if I enter a previously used password it tells me it can't be
reused.
I am using openldap 2.3.39-3 on a Redhat 5.1 system.
TIA,
Darryl
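pwdHistory, pwdChangedTime and the other ppolicy state attributes are operational attributes, so ldapsearch omits them unless they are requested by name (`ldapsearch -x ... '(uid=darryl)' pwdHistory pwdChangedTime`) or with `+` for all operational attributes. The block below is an added example, not from the post or from OpenLDAP: it pulls pwdHistory values out of ldapsearch output, decodes the `time#syntaxOID#length#data` form the overlay stores, and repeats the reuse check the server makes by verifying a candidate password against the {SSHA}/{SHA} hashes kept in the history. The sample entry and its two passwords are constructed inline. One caveat: pwdHistory holds old password hashes, so it needs the same ACL protection as userPassword, and an ACL written as `to attrs=userPassword` does not cover it.

```python
"""Decode pwdHistory values and reproduce the password-reuse check.

Added example, not from the original post. pwdHistory is an operational
attribute, so ldapsearch returns it only when it is requested by name or
with '+'. The sample values below are constructed from known passwords.
"""
import base64
import hashlib
import os

USERPASSWORD_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"   # Octet String


def ssha_hash(password, salt=None):
    """userPassword in {SSHA} form: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_userpassword(stored, candidate):
    """Verify a candidate against a {SSHA}, {SHA} or cleartext userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    if stored.startswith("{SHA}"):
        return base64.b64decode(stored[5:]) == hashlib.sha1(candidate.encode()).digest()
    return stored == candidate


def history_value(time, userpassword):
    """Build a pwdHistory value in the form the ppolicy overlay stores."""
    return f"{time}#{USERPASSWORD_SYNTAX}#{len(userpassword.encode())}#{userpassword}"


def parse_pwd_history(value):
    """pwdHistory syntax: time '#' syntaxOID '#' length '#' data."""
    time, syntax_oid, length, data = value.split("#", 3)
    if int(length) != len(data.encode()):
        raise ValueError("pwdHistory length field does not match the data")
    return {"time": time, "syntax": syntax_oid, "value": data}


def pwd_history_from_ldif(text):
    """Collect pwdHistory values from ldapsearch output (folded lines, '::' base64)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    values = []
    for line in lines:
        if line.startswith("pwdHistory:: "):
            values.append(base64.b64decode(line[13:]).decode())
        elif line.startswith("pwdHistory: "):
            values.append(line[12:])
    return values


def password_in_history(candidate, history_values):
    """True if the candidate matches any hash kept in pwdHistory (what the
    overlay checks when pwdInHistory is set and a user changes password)."""
    return any(check_userpassword(parse_pwd_history(v)["value"], candidate)
               for v in history_values)


# Constructed sample: two earlier passwords with fixed salts, then the
# ldapsearch-style output an admin would copy the values from.
SAMPLE_HISTORY = [
    history_value("20071201120000Z", ssha_hash("Winter2007", b"\x01\x02\x03\x04")),
    history_value("20080115093000Z", ssha_hash("Spring2008", b"\x05\x06\x07\x08")),
]
SAMPLE_SEARCH_OUTPUT = (
    "dn: uid=darryl,ou=People,dc=example,dc=com\n"
    "pwdChangedTime: 20080115093000Z\n"
    + "".join(f"pwdHistory: {v}\n" for v in SAMPLE_HISTORY)
)

if __name__ == "__main__":
    history = pwd_history_from_ldif(SAMPLE_SEARCH_OUTPUT)
    for v in history:
        h = parse_pwd_history(v)
        print(h["time"], h["value"][:12] + "...")
    for pw in ("Winter2007", "Summer2008"):
        print(pw, "reused" if password_in_history(pw, history) else "new")
```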
Adding new LDIF entries
by David Moderski
I am having trouble finding the correct information about adding new
entries. For example, if I am loading the initial directory, do the
entries need to have changetype: add or is changetype: add only used for
adding attributes to existing entries?
--
Dave Moderski
Programmer/Analyst
Atlantic Cape Community College
609-625-1111 ext. 5298
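Both this question and the slapcat/slapadd migration thread above come down to the same two facts about LDIF: slapadd reads content records only (a `dn:` line followed by attributes, no `changetype:`), while ldapadd treats a record without a changetype as an add and accepts `changetype: add` for a whole new entry (adding an attribute to an existing entry is `changetype: modify` with an `add:` clause); and slapadd must see every parent entry before its children. The script below is an added example serving both posts; it is not OpenLDAP's code. It parses LDIF as slapcat or an editor writes it (blank-line record separators, folded lines beginning with a space, `dn::`/`attr::` base64), strips `changetype: add`, refuses any other changetype, sorts records so parents precede children, and reports entries whose parent is missing from the file, which no reordering can fix. It assumes all entries belong to a single database suffix. The sample records are constructed. Remember to run slapadd with slapd stopped and as the user slapd runs as, or the database files end up owned by root.

```python
"""Prepare LDIF for slapadd: parents before children, 'changetype: add' stripped.

Added example, not code from either post. Assumptions: input is LDIF as
written by slapcat, ldapsearch or by hand (records separated by blank
lines, folded lines start with one space, 'dn::' / 'attr::' carry
base64), all entries belong to one database suffix, and the only
changetype present, if any, is 'add'.
"""
import base64
import re

# Split on commas that are not escaped with a backslash (RFC 4514).
RDN_SEP = re.compile(r"(?<!\\),")


def parse_ldif(text):
    """Return a list of records, each a list of unfolded 'attr: value' lines."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if current:
                records.append(current)
                current = []
        elif line.startswith(" ") and current:
            current[-1] += line[1:]            # RFC 2849 line folding
        else:
            current.append(line)
    if current:
        records.append(current)
    return records


def record_dn(rec):
    first = rec[0]
    if first.startswith("dn::"):
        return base64.b64decode(first[4:].strip()).decode("utf-8")
    if first.startswith("dn:"):
        return first[3:].strip()
    raise ValueError("record does not start with a dn line: " + first)


def normalize_dn(dn):
    return ",".join(p.strip() for p in RDN_SEP.split(dn)).lower()


def dn_depth(dn):
    """Number of RDNs; a parent always has fewer than any of its children."""
    return len(RDN_SEP.split(dn))


def parent_dn(dn):
    parts = RDN_SEP.split(dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def to_content_record(rec):
    """Drop 'changetype: add' (an ldapadd change record) so slapadd, which
    reads content records only, accepts it. Other changetypes cannot be
    turned into content, so they are refused rather than silently dropped."""
    out = []
    for line in rec:
        key, _, val = line.partition(":")
        if key.strip().lower() == "changetype":
            if val.strip().lower() != "add":
                raise ValueError(f"{record_dn(rec)}: changetype {val.strip()} is not 'add'")
            continue
        out.append(line)
    return out


def order_for_slapadd(text):
    """Return LDIF text with every parent entry ahead of its children."""
    recs = [to_content_record(r) for r in parse_ldif(text)]
    # sort() is stable, so entries at the same depth keep their dump order.
    recs.sort(key=lambda r: dn_depth(record_dn(r)))
    return "\n\n".join("\n".join(r) for r in recs) + "\n"


def dn_order(text):
    """DNs in the order order_for_slapadd() emits them (for inspection)."""
    return [record_dn(r) for r in parse_ldif(order_for_slapadd(text))]


def missing_parents(text, suffix):
    """Normalized DNs whose parent is absent from the file: slapadd rejects
    these whatever the ordering, so check before loading."""
    dns = {normalize_dn(record_dn(r)) for r in parse_ldif(text)}
    top = normalize_dn(suffix)
    return sorted(d for d in dns if d != top and parent_dn(d) not in dns)


# Constructed sample shaped like a slapcat dump whose entries are out of
# order; the second record is in ldapadd style with 'changetype: add'.
SAMPLE = """\
dn: uid=jdoe,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe

dn: ou=People,dc=mycompany,dc=com
changetype: add
objectClass: organizationalUnit
ou: People

dn: dc=mycompany,dc=com
objectClass: dcObject
objectClass: organization
dc: mycompany
o: My Company

dn: cn=Smith\\, John,ou=People,dc=mycompany,dc=com
objectClass: person
cn: Smith, John
sn: Smith
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    suffix = sys.argv[2] if len(sys.argv) > 2 else "dc=mycompany,dc=com"
    orphans = missing_parents(src, suffix)
    if orphans:
        sys.exit("entries without a parent in the file: " + ", ".join(orphans))
    sys.stdout.write(order_for_slapadd(src))
```

Usage for the migration case: `python3 ldif_order.py mydump.ldif "dc=mycompany,dc=com" > ordered.ldif`, then `slapadd -l ordered.ldif -f /etc/openldap/slapd.conf -b "dc=mycompany,dc=com"`. Sorting by RDN count is enough because a parent always has strictly fewer RDNs than its children; the stable sort keeps siblings in their original order.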
Need a multi-client schema
by Carr, Chris
[deep breath, disclaimer: I am a knowledgeable end user, having
administered a LAN of Linux and Windows PCs at home for several years,
but I don't code and I knew nothing of LDAP until recently. I originally
submitted this to openldap-software, but the moderator said it was more
appropriate for this list. I have lurked for a week with increasing
agitation at my lack of technical knowledge - apologies if this question
is too stupid for most of you.]
I run an IMAP server on my Linux box at home (Debian Etch), so that I
can read my mail from anywhere, using any IMAP client (Outlook at work,
Evolution at home, Thunderbird at my in-laws, etc.). I got frustrated
with having to export and import my contacts all the time, never
remembering which client had the most up-to-date set. So I looked into
setting up my own LDAP server so they could live in one place, available
to any client, just like the email.
Sadly it doesn't seem to be that simple. Apt-get install slapd went fine
- Debian was even so kind as to set up a bdb database for me with suffix
"dc=mydomain", so all I had to do was create a rootdn and rootpw in
slapd.conf. I painstakingly exported my contacts from Outlook as CSV,
via Evolution as vCard then via http://labs.brotherli.ch/vcfconvert/
into LDIF. But trying to import the result into slapd gave lots of
errors, and this is when I discovered the joys of schemata. The
vCard-to-LDIF converter uses a variant Mozilla-address-book schema which
slapd doesn't understand. I tried tweaking the LDIF file with this
python script
(http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/476224) but
that fell over because some of my contacts don't have email addresses.
So slapd is up and running but I have no way of importing my contact
info without doing some Python hacking or re-keying the info (about 400
records).
Basic question: is there an existing schema that I can include in
slapd.conf which will allow my contacts to be intelligible to all the
clients I use (let alone might use)? They are just basic person data:
names, postal addresses, phone/fax numbers, email addresses, etc.
Assuming no, can I combine a schema for each client, if I can find one?
For example, the Mozilla one is here
(https://bugzilla.mozilla.org/attachment.cgi?id=166746), which will work
for Thunderbird, SeaMonkey etc. If I can find one for Evolution and one
for Outlook, could I just include them all, or would there be
incompatibilities? (Even if there aren't, a quick look at the Mozilla
one leads me to suspect that I would need to duplicate numerous fields.)
Does anyone successfully use LDAP with multiple clients? Is there an
easy way to do it? Judging from the 'AD-style AUX classes' thread there
are some issues with Outlook - in the first instance I would be happy if
both Evolution and Thunderbird/SeaMonkey could see and edit the same
contact data.
Thanks in advance for any help, and apologies for the lengthy footer
over which I have no control,
CC
Openldap / windows active directory sync
by अनुज Anuj Singh
Hi,
I have one microsoft windows active directory server,
1. How to implement OpenLDAP and Windows directory sync so that any
user can get authorized from OpenLDAP or M$ Active Directory.
2. User information/password sync
How to sync windows Active directory with Openldap vice-versa.
any tutorial/ how to?
Thanks and regards
Anuj
openldap 2.4.7 Segfault when deleting olcAccess parameter from cn=config
by Faraz Khan
When trying to delete a single olcAccess attribute from cn=config the
openldap server crashes. The client library (php) returns error code
-1 (can't contact LDAP server) and the openldap server crashes.
The delete operation is:
dn: olcDatabase={2}bdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: 2
This behavior is not consistent. Sometimes the server crashes while
sometimes it will report back :
modifying entry "olcDatabase={2}bdb,cn=config"
ldap_modify: No such attribute (16)
It might continue to say Error 19 for a while (3-4 times) and on the
5th time the operation completes successfully. However, the dn at this
time seems to contain NO entries. After this slapd crashes. Restarting
will show that the operation was never ACTUALLY completed. The
segfault trace is:
ber_dump: buf=0x82c1ef0 ptr=0x82c1ef3 end=0x82c1f2c len=57
0000: 66 37 04 1c 6f 6c 63 64 61 74 61 62 61 73 65 3d f7..olcdatabase=
0010: 7b 32 7d 62 64 62 2c 63 6e 3d 63 6f 6e 66 69 67 {2}bdb,cn=config
0020: 30 17 30 15 0a 01 01 30 10 04 09 6f 6c 63 61 63 0.0....0...olcac
0030: 63 65 73 73 31 03 04 01 32 cess1...2
conn=0 op=3 do_modify: dn (olcdatabase={2}bdb,cn=config)
ber_scanf fmt ({e{m[W]}}) ber:
ber_dump: buf=0x82c1ef0 ptr=0x82c1f15 end=0x82c1f2c len=23
0000: 30 15 0a 01 01 30 10 04 09 6f 6c 63 61 63 63 65 0....0...olcacce
0010: 73 73 31 03 04 01 32 ss1...2
>>> dnPrettyNormal: <olcdatabase={2}bdb,cn=config>
=> ldap_bv2dn(olcdatabase={2}bdb,cn=config,0)
<= ldap_bv2dn(olcdatabase={2}bdb,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcDatabase={2}bdb,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcDatabase={2}bdb,cn=config)=0
<<< dnPrettyNormal: <olcDatabase={2}bdb,cn=config>,
<olcDatabase={2}bdb,cn=config>
conn=0 op=3 modifications:
delete: olcaccess
one value, length 1
conn=0 op=3 MOD dn="olcDatabase={2}bdb,cn=config"
conn=0 op=3 MOD attr=olcaccess
<= acl_access_allowed: granted to database root
Segmentation fault
--
Faraz R Khan
Chief Architect
Emergen Consulting Pvt Ltd
www.emergen.biz
posixGroup & memberOf
by vip43@mail.ru
Hi colleagues,
HOW do I make a posixGroup a memberOf another posixGroup??
nis.schema, posixGroup objectclass:
----------
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
DESC 'Abstraction of a group of accounts'
SUP top STRUCTURAL
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ member $ description ) )
-----------
and where is "memberOf"??
It seems it must be present in MUST.
IMHO the OpenLDAP Admin Guide promised to add a memberOf attribute to posixGroup; can
I do it myself??
And what GUI tool can handle this? I'm using
http://ldapadmin.sourceforge.net/ , but it can't.
AD-style AUX classes
by Andrew Bartlett
I'm not quite sure what I'm looking for here, sorry:
In Samba4, we don't yet have full schema validation. In some ways it
just has not been a priority - we validate that the attribute and
objectClasses exist, but not that they match up.
In using OpenLDAP, I'm hoping to avoid having to write that logic, so I
stopped adding extensibleObject to all our objectClass values, and
replaced it with samba4Top, containing all the things that AD's top
contains, but OpenLDAP's does not.
So far so good, but AD has:
dn: CN=Domain-DNS,${SCHEMADN}
objectClass: top
objectClass: classSchema
subClassOf: domain
systemAuxiliaryClass: samDomain
Looking at http://www.grotan.com/ldap/microsoft.ext.schema
I created entries in my schema file like:
dITContentRule (
1.2.840.113556.1.5.67
NAME 'domainDNS'
AUX ( samDomain )
)
dITContentRule (
1.2.840.113556.1.5.3
NAME 'samDomain'
AUX ( samDomainBase )
)
This created two problems: It appears that you cannot create a
ditContentRule for a non-structural objectClass (samDomain is
AUXILIARY), and even if I do, I can't tack on the samba4Top on the end,
because of:
Adding DomainDN: DC=samba,DC=example,DC=com (permitted to fail)
ldb load failed: LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION - <class
'samba4Top' not allowed by content rule 'domainDNS'> <>
Is there a different approach I should be taking? I need to extend
'top' without extending OpenLDAP's hardcoded top, and I need something
that looks like dITcontentRule without the restrictions. Any hints?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
MinGW, OpenLDAP and OpenSSL
by Jonathan Bowman
Greetings all,
I recently set out to compile OpenLDAP with SSL/TLS on Windows using
MinGW, so that I could compile Ruby/LDAP and python-ldap. It took me a
while to find my way, and I frequently wished there were easy
instructions online, all in one place.
Once I successfully finished, I posted my instructions here:
http://bowmansolutions.com/mingw-openldap/
I would love feedback on these instructions, affirmation or criticism.
My apologies if they duplicate what is already out there.
Regards,
Jonathan Bowman