schemacheck && valid objects check - just to note slapd behaviour
by Piotr Wadas
Hello,
Using openldap 2.4.10 (x86), bdb backend.
I had a custom objectClass. I made it to be structuralObjectClass,
and then created some objects of this class in the DIT. Everything worked
fine.
Then (actually weeks later), I edited my objectClass definitions,
and made my custom objectClass an auxiliary class, and
restarted slapd - everything was still working fine. Schema syntax
is still valid, no schemacheck warnings.
Then I did a slapcat dump - I realized what had happened when it came up
that I cannot load the dump back with slapadd, because it contains
objects which actually should generate errors. The slapcat backups
I did in the meantime were actually useless and I hadn't noticed.
Now, I don't expect slapd to remove or ignore such objects; anyway, while
SERVING (returning) or indexing an existing object of such kind, I'd expect
some warning that the existing object does not conform to the existing schema.
Or some tool to verify existing directory objects to find out
about such a situation - imagine if I hadn't been trying to retrieve
from it for months, I wouldn't have learned it had become useless :)
May I please have some comments on this issue?
Regards,
Piotr Wadas
14 years, 9 months
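A check of the kind asked for in the post above, as an added example (it is not from the post and not an OpenLDAP tool): a small Go program that reads a slapcat-style LDIF dump and reports, per entry, what slapadd would reject it for, using a hand-written schema table. The schema subset, the myCustomClass name and the two sample entries are constructed for the demonstration; a real run would read the actual dump and a schema table derived from the server's own definitions. Run against the dump right after a schema change, or against each nightly backup, it catches the situation described in the post before the backup is needed.

```go
package main

import (
	"fmt"
	"strings"
)

// ObjectClass is the minimal view of a schema definition this check needs
// (names lowercase, since LDAP names compare case-insensitively).
type ObjectClass struct {
	Kind string   // "ABSTRACT", "STRUCTURAL" or "AUXILIARY"
	Sup  string   // superior class, "" for top
	Must []string // required attribute types
}

type Schema map[string]ObjectClass // lowercase objectClass name -> definition
type Entry map[string][]string     // lowercase attribute name -> values; "dn" holds the DN

// ParseLDIF reads slapcat-style LDIF: blank-line separated records, long values
// folded onto lines starting with a space, "::" base64 values left undecoded.
func ParseLDIF(text string) []Entry {
	var entries []Entry
	unfolded := strings.TrimSpace(strings.ReplaceAll(text, "\n ", ""))
	for _, rec := range strings.Split(unfolded, "\n\n") {
		e := Entry{}
		for _, line := range strings.Split(rec, "\n") {
			if name, val, ok := strings.Cut(line, ":"); ok && !strings.HasPrefix(line, "#") {
				name = strings.ToLower(name)
				e[name] = append(e[name], strings.TrimLeft(val, ": "))
			}
		}
		entries = append(entries, e)
	}
	return entries
}

// CheckEntry returns what slapadd would reject the entry for: an undefined
// objectClass, no STRUCTURAL objectClass at all (the post's case once the custom
// class became AUXILIARY), or a missing MUST attribute of a listed class or its superiors.
func CheckEntry(s Schema, e Entry) []string {
	var probs []string
	dn := strings.Join(e["dn"], "")
	structural, checked := 0, map[string]bool{}
	for _, raw := range e["objectclass"] {
		oc := strings.ToLower(raw)
		def, ok := s[oc]
		if !ok {
			probs = append(probs, dn+": unknown objectClass "+raw)
			continue
		}
		if def.Kind == "STRUCTURAL" {
			structural++
		}
		for c := oc; c != "" && !checked[c]; c = s[c].Sup { // walk up to top once per class
			checked[c] = true
			for _, must := range s[c].Must {
				if _, has := e[strings.ToLower(must)]; !has {
					probs = append(probs, dn+": objectClass "+c+" requires attribute "+must)
				}
			}
		}
	}
	if structural == 0 {
		probs = append(probs, dn+": no structural objectClass")
	}
	return probs
}

// CheckLDIF runs CheckEntry over every entry of a dump.
func CheckLDIF(s Schema, ldif string) []string {
	var probs []string
	for _, e := range ParseLDIF(ldif) {
		probs = append(probs, CheckEntry(s, e)...)
	}
	return probs
}

// DemoSchema: constructed subset of the core schema plus a hypothetical
// myCustomClass, AUXILIARY now but STRUCTURAL when the sample data was written.
var DemoSchema = Schema{
	"top":           {"ABSTRACT", "", []string{"objectClass"}},
	"person":        {"STRUCTURAL", "top", []string{"sn", "cn"}},
	"inetorgperson": {"STRUCTURAL", "person", nil},
	"mycustomclass": {"AUXILIARY", "top", []string{"cn"}},
}

// DemoLDIF is constructed slapcat-shaped data; widget1 now has no structural class and lacks cn.
const DemoLDIF = `dn: uid=alice,ou=people,dc=example,dc=net
objectClass: top
objectClass: inetOrgPerson
cn: alice
sn: Example

dn: cn=widget1,ou=widgets,dc=example,dc=net
objectClass: top
objectClass: myCustomClass
`

func main() { fmt.Println(strings.Join(CheckLDIF(DemoSchema, DemoLDIF), "\n")) }
```

Running it prints two lines for widget1 (the MUST attribute cn missing from myCustomClass, and no structural class left) and nothing for alice. The single-chain rule for structural classes is not enforced here; the check only distinguishes "none" from "at least one".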
Re: OpenLDAP replication
by Justin Lintz
Quanah,
Looking at http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
it appears the example is with using cn=config to store the
configuration. Is there an example somewhere with just using
slapd.conf?
- Justin Lintz
On Thu, Dec 11, 2008 at 6:13 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, December 11, 2008 4:30 PM -0500 Justin Lintz
> <jlintz(a)gmail.com> wrote:
>
>> Quanah,
>>
>> I'm still seeing the issue after making the change. I am able to
>> however add entries to ldap02 and have them appear on ldap01, but not
>> have them appear on ldap02. And adding anything to ldap01 does not
>> get replicated to ldap02. Any other suggestions?
>> - Justin Lintz
>
> Your email confuses me. I thought you were doing simple single
> master/replica replication, but if you can modify on ldap02, then that means
> it is not a replica. Or, it means you're writing to it via slapadd? That's
> not legal. If you have a single master, writes must only occur to that
> server. Otherwise, you need to set up MMR. The configs you sent before
> certainly didn't indicate you were trying to do MMR.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
14 years, 9 months
Synchronizing Openldap with Windows Active Directory
by Aravind Arjunan
hi,
I would like to know whether it is possible to synchronize Windows Active
Directory with RHEL OpenLDAP.
Some of my users are in OpenLDAP and some of them in Active Directory; I
want to synchronize these users.
I am trying to synchronize the above two, but am not finding any proper link
to refer to.
If anyone knows, please help me with a link to refer to.
with regards
aravind
14 years, 9 months
Re: OpenLDAP replication
by Justin Lintz
Quanah,
Thanks for your quick reply. I've made the change. I thought I had
taken it from the openldap documents but clearly did not after
reviewing them, I must have gotten mixed up with all the tabs I had
open. Looks like it's best to stick to the official documents (and
this mailing list) rather than the how-tos out there.
- Justin Lintz
On Tue, Dec 9, 2008 at 9:21 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, December 09, 2008 6:05 PM -0800 Quanah Gibson-Mount
> <quanah(a)zimbra.com> wrote:
>
>> --On Tuesday, December 09, 2008 4:45 PM -0500 Justin Lintz
>> <jlintz(a)gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am currently working on trying to configure replication between 2
>>> ldap servers. Here is my current setup....
>>>
>>>
>>> slapd.conf on ldap02 is:
>>>
>>> directory /var/lib/ldap2.4
>>> checkpoint 256 5
>>> index objectClass eq
>>> index cn,mail,surname,givenname eq,subinitial
>>> index uidNumber,gidNumber,memberuid,member,uniqueMember eq
>>> index uid eq,subinitial
>>> index sambaSID,sambaDomainName,displayName eq
>>> referral ldaps://ldap01/
>>> syncrepl rid=123
>>> provider=ldaps://ldap01/
>>> type=refreshAndPersist
>>> searchbase="dc=example,dc=net"
>>> scope=sub
>>> schemachecking=off
>>> bindmethod=simple
>>> binddn="cn=manager,dc=example,dc=net"
>>> attrs="*"
>>> credentials=
>>
>> You should specify an attrs= line unless you know what you're doing. You
>
> s/should/should NOT/
>
> :)
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
14 years, 9 months
Batch delete can't sync to other servers
by Bad Guy
Dear all,
I have 4 LDAP servers running 2.4.11, configured as 4-way masters. The sync type is refreshOnly and the interval is 30 sec.
I created an LDIF file containing about 500 entries.
Then I used ldapdelete -x -W -D "cn=Manager" -f delete.ldif to delete the 500 entries on server 1. Then I checked the other 3 servers: the 500 entries still exist. Only on server 1 are those entries gone.
If I delete the entries one by one, the data is deleted on the other 3 servers as well.
Any idea?
Thanks
14 years, 9 months
not able to delete schema (using back-config)
by benjamin thielsen
hi-
i've been experimenting with using back-config (2.4.11 courtesy of
debian), and am able to add schema, but not able to delete the schema
after being added. iirc, this should be possible in recent versions?
i'm confident that the schema's not in use by any entries.
adding the schema is successful:
>ldapadd -xWD 'cn=admin,cn=config' -f java_schema.ldif
Enter LDAP Password:
adding new entry "cn={13}java,cn=schema,cn=config"
ldapsearch confirms this:
>ldapsearch -xWLLLb 'cn=schema,cn=config' -D 'cn=admin,cn=config' "(cn=*java*)" dn
Enter LDAP Password:
dn: cn={13}java,cn=schema,cn=config
ldapdelete says:
>ldapdelete -vxWD 'cn=admin,cn=config' 'cn={13}java,cn=schema,cn=config'
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
deleting entry "cn={13}java,cn=schema,cn=config"
ldap_delete: Server is unwilling to perform (53)
i'm not seasoned at interpreting slapd debug output, but nothing
specifically jumps out at me when running with -d -1:
>>> dnPrettyNormal: <cn=admin,cn=config>
=> ldap_bv2dn(cn=admin,cn=config,0)
<= ldap_bv2dn(cn=admin,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,cn=config)=0
<<< dnPrettyNormal: <cn=admin,cn=config>, <cn=admin,cn=config>
conn=1 op=0 BIND dn="cn=admin,cn=config" method=128
do_bind: version=3 dn="cn=admin,cn=config" method=128
conn=1 op=0 BIND dn="cn=admin,cn=config" mech=SIMPLE ssf=0
do_bind: v3 bind: "cn=admin,cn=config" to "cn=admin,cn=config"
send_ldap_result: conn=1 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
conn=1 op=0 RESULT tag=97 err=0 text=
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(13)
connection_get(13): got connid=1
connection_read(13): checking for input on id=1
ber_get_next
ldap_read: want=8, got=8
0000: 30 24 02 01 02 4a 1f 63 0$...J.c
ldap_read: want=30, got=30
0000: 6e 3d 7b 31 33 7d 6a 61 76 61 2c 63 6e 3d 73 63 n={13}java,cn=sc
0010: 68 65 6d 61 2c 63 6e 3d 63 6f 6e 66 69 67 hema,cn=config
ber_get_next: tag 0x30 len 36 contents:
ber_dump: buf=0x8578290 ptr=0x8578290 end=0x85782b4 len=36
0000: 02 01 02 4a 1f 63 6e 3d 7b 31 33 7d 6a 61 76 61 ...J.cn={13}java
0010: 2c 63 6e 3d 73 63 68 65 6d 61 2c 63 6e 3d 63 6f ,cn=schema,cn=co
0020: 6e 66 69 67 nfig
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=1 op=1 do_delete
ber_scanf fmt (m) ber:
ber_dump: buf=0x8578290 ptr=0x8578293 end=0x85782b4 len=33
0000: 4a 1f 63 6e 3d 7b 31 33 7d 6a 61 76 61 2c 63 6e J.cn={13}java,cn
0010: 3d 73 63 68 65 6d 61 2c 63 6e 3d 63 6f 6e 66 69 =schema,cn=confi
0020: 67 g
>>> dnPrettyNormal: <cn={13}java,cn=schema,cn=config>
=> ldap_bv2dn(cn={13}java,cn=schema,cn=config,0)
<= ldap_bv2dn(cn={13}java,cn=schema,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn={13}java,cn=schema,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn={13}java,cn=schema,cn=config)=0
<<< dnPrettyNormal: <cn={13}java,cn=schema,cn=config>, <cn={13}java,cn=schema,cn=config>
conn=1 op=1 DEL dn="cn={13}java,cn=schema,cn=config"
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=53 matched="" text=""
send_ldap_response: msgid=2 tag=107 err=53
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 02 6b 07 0a 01 35 04 00 04 00 0....k...5....
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 6b 07 0a 01 35 04 00 04 00 0....k...5....
conn=1 op=1 RESULT tag=107 err=53 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(13)
connection_get(13): got connid=1
connection_read(13): checking for input on id=1
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x85e1d60 ptr=0x85e1d60 end=0x85e1d65 len=5
0000: 02 01 03 42 00 ...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=13 for close
connection_close: deferring conn=1 sd=13
conn=1 op=2 do_unbind
conn=1 op=2 UNBIND
connection_resched: attempting closing conn=1 sd=13
connection_close: conn=1 sd=13
daemon: removing 13
conn=1 fd=13 closed
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
what am i doing wrong?
-ben
14 years, 9 months
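One way to make a slapd trace like the one above easier to read, as an added example that is not from the post or from OpenLDAP: a Go program that pairs each `conn=N op=M <TYPE> dn=...` line with its `conn=N op=M RESULT ... err=N` line and names the result code, so the one operation that failed stands out from the daemon/ber noise. The sample log is constructed from the shape of the lines in the post (the delete that returned err=53, plus a constructed bind and a constructed modify that returned err=19); the resultCode names are the RFC 4511 ones.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// resultNames gives the RFC 4511 names of resultCode values that show up in
// slapd's "RESULT ... err=N" lines (only a handful are listed here).
var resultNames = map[int]string{
	0:  "success",
	19: "constraintViolation",
	49: "invalidCredentials",
	50: "insufficientAccessRights",
	53: "unwillingToPerform",
	65: "objectClassViolation",
}

// OpResult is one operation paired with its RESULT line.
type OpResult struct {
	Conn, Op int
	Type     string // BIND, ADD, MOD, DEL, SRCH, ...
	DN       string
	Err      int
	ErrName  string
}

var (
	opLine     = regexp.MustCompile(`^conn=(\d+) op=(\d+) ([A-Z]+) dn="([^"]*)"`)
	resultLine = regexp.MustCompile(`^conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)`)
)

// SummarizeOps walks slapd stats/debug output, keys each operation by conn/op,
// and returns the operations in the order their RESULT lines appear.
func SummarizeOps(log string) []OpResult {
	pending := map[string]OpResult{}
	var done []OpResult
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if m := opLine.FindStringSubmatch(line); m != nil {
			conn, _ := strconv.Atoi(m[1])
			op, _ := strconv.Atoi(m[2])
			pending[m[1]+"/"+m[2]] = OpResult{Conn: conn, Op: op, Type: m[3], DN: m[4]}
		} else if m := resultLine.FindStringSubmatch(line); m != nil {
			key := m[1] + "/" + m[2]
			r, ok := pending[key]
			if !ok {
				continue // RESULT for an operation whose start line is not in this excerpt
			}
			r.Err, _ = strconv.Atoi(m[3])
			if name, known := resultNames[r.Err]; known {
				r.ErrName = name
			} else {
				r.ErrName = "resultCode " + m[3]
			}
			done = append(done, r)
			delete(pending, key)
		}
	}
	return done
}

// FailedOps keeps only the operations that did not return success (err=0).
func FailedOps(ops []OpResult) []OpResult {
	var failed []OpResult
	for _, o := range ops {
		if o.Err != 0 {
			failed = append(failed, o)
		}
	}
	return failed
}

// SampleLog is constructed from the shape of the lines quoted in the post.
const SampleLog = `conn=1 op=0 BIND dn="cn=admin,cn=config" method=128
conn=1 op=0 BIND dn="cn=admin,cn=config" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1 op=1 DEL dn="cn={13}java,cn=schema,cn=config"
conn=1 op=1 RESULT tag=107 err=53 text=
conn=1 op=2 UNBIND
conn=2 op=0 BIND dn="cn=admin,dc=example,dc=net" method=128
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 MOD dn="uid=admin,ou=people,dc=example,dc=net"
conn=2 op=1 RESULT tag=103 err=19 text=modify breaks constraint on uidNumber
`

func main() {
	for _, o := range FailedOps(SummarizeOps(SampleLog)) {
		fmt.Printf("conn=%d op=%d %s %q -> err=%d (%s)\n", o.Conn, o.Op, o.Type, o.DN, o.Err, o.ErrName)
	}
}
```

Fed the full `-d -1` output, the same two regexes skip everything that is not an operation or result line, which is most of it; the `text=` part of a RESULT line, when slapd fills it in, is the first thing to read for the failed operation.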
trouble with regex type constraint overlay
by benjamin thielsen
i'm experimenting with the constraint overlay, and have what i think is
a fairly simple constraint that's giving me trouble. below are the
details. i believe i've followed slapo-constraint(5) (and regex(7))
accurately, but i must be missing something.
>cat montage_admin.ldif
dn: uid=admin,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com
changetype: modify
replace: uidNumber
uidNumber: 5000
>ldapmodify -vxWD 'cn=admin,dc=ltn,dc=lvc,dc=com' -f montage_admin.ldif
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
replace uidNumber:
5000
modifying entry "uid=admin,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com"
ldap_modify: Constraint violation (19)
additional info: modify breaks constraint on uidNumber
>ldapsearch -vvxWLLLD 'cn=admin,dc=ltn,dc=lvc,dc=com' "(uid=admin)"
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: (uid=admin)
requesting: All userApplication attributes
dn: uid=admin,ou=montage_test,ou=other,ou=users,ou=accounts,dc=ltn,dc=lvc,dc=com
userPassword:: e1NTSEF9TkF5TGVabXFWTU9zT01EZVNWdHA1Mm9uUWtOalg3cXY=
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
homeDirectory: /dev/null
cn: admin
uid: admin
sn: admin
givenName: admin
gidNumber: 5001
uidNumber: 2016
>ldapsearch -vvxWLLLb 'cn=config' -D 'cn=admin,cn=config' "(objectClass=olcConstraintConfig)"
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: (objectClass=olcConstraintConfig)
requesting: All userApplication attributes
dn: olcOverlay={3}constraint,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: {3}constraint
olcConstraintAttribute: uidNumber regex ^[:digit:]*$
thanks
-ben
14 years, 9 months
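An added example, not from the post: testing a slapo-constraint regex outside slapd before putting it into cn=config. slapo-constraint hands the pattern to regcomp(3) as a POSIX extended regex, and under regex(7) bracket-expression rules `[:digit:]` with no enclosing brackets is an ordinary bracket expression listing the characters `:`, `d`, `i`, `g` and `t`; the character-class form is `[[:digit:]]`. Go's regexp applies the same rules to these two patterns, so the program below shows which values each one accepts, and why a value of 5000 is rejected by the pattern as posted. The helper names (ConstraintPattern, Verdicts) and the candidate values are the example's own; using `+` rather than `*` in the corrected pattern is a choice made here so that the empty string is rejected too.

```go
package main

import (
	"fmt"
	"regexp"
)

// ConstraintPattern mirrors an "olcConstraintAttribute: <attr> regex <pattern>"
// rule: a new value for attr is accepted only if the pattern matches it.
type ConstraintPattern struct {
	Attr string
	Re   *regexp.Regexp
}

// NewConstraint compiles the pattern. slapo-constraint compiles it with
// regcomp(3) as an extended regex; Go's regexp follows the same bracket
// expression rules for the patterns exercised here, so it is a usable dry run.
func NewConstraint(attr, pattern string) (ConstraintPattern, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return ConstraintPattern{}, err
	}
	return ConstraintPattern{Attr: attr, Re: re}, nil
}

// Allows reports whether a modify setting Attr to value would pass the rule.
func (c ConstraintPattern) Allows(value string) bool {
	return c.Re.MatchString(value)
}

// Verdicts runs one pattern over several candidate values and returns the
// accept/reject result for each.
func Verdicts(pattern string, values []string) (map[string]bool, error) {
	c, err := NewConstraint("uidNumber", pattern)
	if err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for _, v := range values {
		out[v] = c.Allows(v)
	}
	return out, nil
}

func main() {
	values := []string{"5000", "2016", "digit", "", "50a0"}
	// First the pattern as posted, then the POSIX class written inside a bracket expression.
	for _, p := range []string{`^[:digit:]*$`, `^[[:digit:]]+$`} {
		v, err := Verdicts(p, values)
		if err != nil {
			fmt.Println(p, "does not compile:", err)
			continue
		}
		fmt.Printf("%-16s", p)
		for _, val := range values {
			fmt.Printf(" %q:%v", val, v[val])
		}
		fmt.Println()
	}
}
```

The posted pattern accepts "digit" and the empty string and rejects "5000"; the bracketed form accepts "5000" and "2016" and rejects "digit", "" and "50a0". Note that GNU grep refuses a bare `[:digit:]` with an error message for exactly this reason, which makes `grep -E` another quick way to spot the mistake.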
olcMonitoring attribute
by benjamin thielsen
hi-
i've recently begun using back-config and was looking for some more
detail on the purpose of the olcMonitoring attribute. my googling and
searching of the list archives have revealed not much beyond
references in cn=schema.ldif.
thanks
-ben
14 years, 9 months
Re: bdb encryption
by ghenry@OpenLDAP.org
----- "Howard Chu" <hyc(a)symas.com> wrote:
> ghenry(a)OpenLDAP.org wrote:
> > Hi All,
> >
> > I'm just testing bdb encryption and it works as expected out of the
> box.
> >
> > But I'm trying to decrypt it using the bdb tools:
> >
> > [ghenry@suretec openldap-data]$
> /usr/local/BerkeleyDB.4.7/bin/db_verify objectClass.bdb
> > db_verify: Encrypted environment: no encryption key supplied
> > Segmentation fault
>
> Interesting. It shouldn't segfault, perhaps you should report that as
> a bug to
> Oracle.
Will do. If I use "cryptkey testing" all tools work. If I enter the wrong
password using cryptkey it segfaults again after stating wrong pass.
> > So it segfaults, but it's the same with the key:
> >
> > [ghenry@suretec openldap-data]$
> /usr/local/BerkeleyDB.4.7/bin/db_verify -P "testing" objectClass.bdb
> > db_verify: Invalid password
> > Segmentation fault
> >
> > testing is set in slapd.conf via "cryptfile" and has the word
> "testing" in it:
>
> How did you create the file? If you simply created it as a plain text
> file,
> then it probably has a trailing NewLine as well. In which case, the
> NewLine is
> part of the password...
Checked this and recreated via vim and just:
echo testing > cryptfile.
All result in the same invalid password and segfault.
Cheers.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
14 years, 9 months
OpenLDAP replication
by Justin Lintz
Hi,
I am currently working on trying to configure replication between 2
ldap servers. Here is my current setup....
2 servers, ldap01 and ldap02, both running centos 5.2 x86_64 with
openldap2.4 installed from
http://staff.telkomsa.net/packages/rhel5/openldap/x86_64/
openldap2.4-servers-2.4.11-1.rhel5
my slapd.conf on ldap01 is:
modulepath /usr/lib64/openldap2.4
moduleload syncprov.la
TLSCertificateFile /etc/ssl/openldap2.4/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap2.4/ldap.pem
TLSCACertificateFile /etc/ssl/openldap2.4/ldap.pem
loglevel 32 256 1024
database bdb
suffix "dc=example,dc=net"
rootdn "cn=Manager,dc=example,dc=net"
rootpw
directory /var/lib/ldap2.4
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 200
slapd.conf on ldap02 is:
directory /var/lib/ldap2.4
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index sambaSID,sambaDomainName,displayName eq
referral ldaps://ldap01/
syncrepl rid=123
provider=ldaps://ldap01/
type=refreshAndPersist
searchbase="dc=example,dc=net"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=manager,dc=example,dc=net"
attrs="*"
credentials=
This appears to work but it seems after some time the replication
stops working, not seeing anything in the logs either.
Also with this setup, given a situation where ldap01 died and ldap02
took over, when I brought ldap01 back online, would configuration
changes need to be made to ensure any changes that were made to ldap02
were replicated back properly or am I not using the proper replication
technique for this situation? I'm still a bit new to OpenLDAP so I
apologize if I explained anything incorrectly. My end goal is to
have 2 ldap servers in place where in the event of a failure the
secondary could take over and when the primary is restored, have it
fail back over without any loss of changes.
- Justin Lintz
14 years, 9 months
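An added example (not from the post and not an OpenLDAP tool): a Go lint for a slapd.conf syncrepl directive that parses the consumer block from the post and flags the settings the thread goes on to discuss. The attrs= finding reflects the advice given in the reply on this list; the other checks (required parameters, the type value, an empty credentials=, simple bind to a provider without TLS) are the example's own sanity checks. The sample config is the ldap02 block with its continuation lines indented as slapd.conf requires; the empty credentials= value is kept as posted.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one syncrepl setting a human should look at before going live.
type Finding struct {
	Key, Msg string
}

// splitArgs splits directive arguments on whitespace while honouring double
// quotes, so searchbase="dc=example,dc=net" stays a single argument.
func splitArgs(s string) []string {
	var args []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
		case (r == ' ' || r == '\t') && !inQuote:
			if cur.Len() > 0 {
				args = append(args, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		args = append(args, cur.String())
	}
	return args
}

// ParseSyncrepl returns the key=value parameters of the first syncrepl
// directive in a slapd.conf text. slapd.conf continues a directive on any
// following line that starts with whitespace, so those lines are joined first.
func ParseSyncrepl(conf string) map[string]string {
	var parts []string
	lines := strings.Split(conf, "\n")
	for i := 0; i < len(lines); i++ {
		if !strings.HasPrefix(lines[i], "syncrepl") {
			continue
		}
		parts = append(parts, strings.TrimPrefix(lines[i], "syncrepl"))
		for i+1 < len(lines) && (strings.HasPrefix(lines[i+1], " ") || strings.HasPrefix(lines[i+1], "\t")) {
			i++
			parts = append(parts, lines[i])
		}
		break
	}
	params := map[string]string{}
	for _, arg := range splitArgs(strings.Join(parts, " ")) {
		k, v, _ := strings.Cut(arg, "=")
		params[k] = v
	}
	return params
}

// LintSyncrepl checks the parsed parameters. The attrs= check is the advice
// from the reply on the list; the rest are plain sanity checks of this example.
func LintSyncrepl(p map[string]string) []Finding {
	var f []Finding
	for _, k := range []string{"rid", "provider", "searchbase", "type"} {
		if p[k] == "" {
			f = append(f, Finding{k, "required parameter missing"})
		}
	}
	if t := p["type"]; t != "" && t != "refreshOnly" && t != "refreshAndPersist" {
		f = append(f, Finding{"type", "must be refreshOnly or refreshAndPersist"})
	}
	if v, set := p["attrs"]; set {
		f = append(f, Finding{"attrs", "set to " + v + "; leave it out unless you know what you are doing"})
	}
	if v, set := p["credentials"]; set && v == "" {
		f = append(f, Finding{"credentials", "empty: the consumer cannot bind to the provider (or the value was redacted)"})
	}
	if p["bindmethod"] == "simple" && !strings.HasPrefix(p["provider"], "ldaps://") && p["starttls"] == "" {
		f = append(f, Finding{"bindmethod", "simple bind to a plain ldap:// provider sends the password in clear"})
	}
	return f
}

// SampleConf is the consumer (ldap02) block from the post, with continuation
// lines indented as slapd.conf requires and the secret left blank as posted.
const SampleConf = `referral ldaps://ldap01/
syncrepl rid=123
	provider=ldaps://ldap01/
	type=refreshAndPersist
	searchbase="dc=example,dc=net"
	scope=sub
	schemachecking=off
	bindmethod=simple
	binddn="cn=manager,dc=example,dc=net"
	attrs="*"
	credentials=
`

func main() {
	for _, f := range LintSyncrepl(ParseSyncrepl(SampleConf)) {
		fmt.Printf("%s: %s\n", f.Key, f.Msg)
	}
}
```

On the posted block it reports two findings, attrs and credentials; the bind goes to an ldaps:// URL, so the TLS check stays quiet. The same parser could be pointed at the provider side to confirm that the overlay syncprov line and the entryCSN/entryUUID indexes are present, but that is outside what this lint covers.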