LDAP Master/Slave replication
by asiani@free.fr
The log:
Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrepl
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: ndn: "cn=syncrepl123,dc=myDomain,dc=com"
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: oc: "(null)", at: "syncreplCookie"
Feb 5 13:11:37 dev5 slapd[2523]: bdb_dn2entry("cn=syncrepl123,dc=myDomain,dc=com")
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_dn2id( "dc=myDomain,dc=com" )
Feb 5 13:11:37 dev5 slapd[2523]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: cannot find entry: "cn=syncrepl123,dc=myDomain,dc=com"
Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrep2
Thanks for your help!
Alain
Hello,
I use the slapd.conf file below to mirror the master server.
It was OK with the 2.2.23-5 version of OpenLDAP.
I just installed a new version of OpenLDAP: 2.3.27-8.
Now the slave server starts OK... but slapcat is empty!!??
Do you have an idea?
Thanks a lot,
Alain
slapd.conf
_________
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel 256
database bdb
suffix "dc=myDomain,dc=com"
rootdn "cn=Manager,dc=myDomain,dc=com"
rootpw {SSHA}wuapktMrH50PDG29WoffJcmvpblebsdT
directory /var/lib/ldap/myDomain.com
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryUUID eq
access to *
        by * read

syncrepl rid=123
        provider=ldap://10.0.0.242:389
        type=refreshOnly
        interval=00:00:01:00
        searchbase="dc=myDomain,dc=com"
        filter="(objectclass=*)"
        attrs="*"
        scope=sub
        bindmethod=simple
        binddn="cn=Manager,dc=myDomain,dc=com"
        credentials="myPassword"
15 years, 7 months
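The slapd debug excerpt above is easier to act on once it is reduced to the lookup that failed. The script below is an added example, not part of this thread or of OpenLDAP: it parses syslog-style slapd records, pairs each `=> bdb_dn2id(...)` request with the `<= bdb_dn2id: get failed` reply that follows it, and lists the entries that `bdb_entry_get` reported as missing. The sample log is the excerpt from the post with its wrapped lines joined back into one record per line; the function and field names are the script's own.

```python
import re

# Constructed sample: the post's log excerpt, one syslog record per line.
SAMPLE_LOG = """\
Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrepl
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: ndn: "cn=syncrepl123,dc=myDomain,dc=com"
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: oc: "(null)", at: "syncreplCookie"
Feb 5 13:11:37 dev5 slapd[2523]: bdb_dn2entry("cn=syncrepl123,dc=myDomain,dc=com")
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_dn2id( "dc=myDomain,dc=com" )
Feb 5 13:11:37 dev5 slapd[2523]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: cannot find entry: "cn=syncrepl123,dc=myDomain,dc=com"
Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrep2
"""

# "Mon DD HH:MM:SS host slapd[pid]: message" as written by syslog.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
DN2ID_REQ_RE = re.compile(r'=> bdb_dn2id\(\s*"(?P<dn>[^"]*)"\s*\)')
DN2ID_FAIL_RE = re.compile(r'<= bdb_dn2id: get failed: (?P<err>[A-Z_]+)')
MISSING_RE = re.compile(r'cannot find entry: "(?P<dn>[^"]*)"')


def parse_records(log_text):
    """Yield (host, pid, msg) for every line that is a slapd syslog record."""
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.group('host'), int(m.group('pid')), m.group('msg')


def failed_lookups(log_text):
    """Pair each bdb_dn2id request with the failure reply that follows it.
    Returns one {'dn', 'error', 'pid'} dict per failed lookup."""
    failures, pending = [], None
    for _host, pid, msg in parse_records(log_text):
        req = DN2ID_REQ_RE.search(msg)
        if req:
            pending = req.group('dn')      # remember the DN until its reply arrives
            continue
        fail = DN2ID_FAIL_RE.search(msg)
        if fail and pending is not None:
            failures.append({'dn': pending, 'error': fail.group('err'), 'pid': pid})
            pending = None
        elif '<= bdb_dn2id' in msg:
            pending = None                 # a successful reply clears the pending request
    return failures


def missing_entries(log_text):
    """DNs that bdb_entry_get reported as 'cannot find entry'."""
    found = []
    for _host, _pid, msg in parse_records(log_text):
        m = MISSING_RE.search(msg)
        if m:
            found.append(m.group('dn'))
    return found


def suffix_missing(log_text, suffix):
    """True when a lookup of the database suffix itself returned DB_NOTFOUND,
    which is what the excerpt shows for dc=myDomain,dc=com."""
    return any(f['dn'].lower() == suffix.lower() and f['error'] == 'DB_NOTFOUND'
               for f in failed_lookups(log_text))


if __name__ == '__main__':
    for f in failed_lookups(SAMPLE_LOG):
        print(f"pid {f['pid']}: lookup of {f['dn']} failed with {f['error']}")
    print('missing entries:', missing_entries(SAMPLE_LOG))
    print('suffix missing:', suffix_missing(SAMPLE_LOG, 'dc=myDomain,dc=com'))
```

On the sample the only failed lookup is the suffix `dc=myDomain,dc=com` (DB_NOTFOUND), so at the time of this refresh the consumer's BDB database holds no entry for its own suffix, and the `cn=syncrepl123` cookie entry cannot be located under it. Two things in the posted slapd.conf are worth noting from a hardening point of view: `access to * by * read` as the only ACL lets anonymous clients read every attribute, userPassword included (an `access to attrs=userPassword by self write by anonymous auth by * none` clause placed before it is the usual fix), and the consumer binds to the provider as the rootdn with a cleartext credential in slapd.conf, so a dedicated read-only replication identity limits what that file exposes.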
LDAP Master/Slave replication
by asiani@free.fr
Hello,
I use the slapd.conf file below to mirror the master server.
It was OK with the 2.2.23-5 version of OpenLDAP.
I just installed a new version of OpenLDAP: 2.3.27-8.
Now the slave server starts OK... but slapcat is empty!!??
Do you have an idea?
Thanks a lot,
Alain
slapd.conf
_________
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel 256
database bdb
suffix "dc=myDomain,dc=com"
rootdn "cn=Manager,dc=myDomain,dc=com"
rootpw {SSHA}wuapktMrH50PDG29WoffJcmvpblebsdT
directory /var/lib/ldap/myDomain.com
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryUUID eq
access to *
        by * read

syncrepl rid=123
        provider=ldap://10.0.0.242:389
        type=refreshOnly
        interval=00:00:01:00
        searchbase="dc=myDomain,dc=com"
        filter="(objectclass=*)"
        attrs="*"
        scope=sub
        bindmethod=simple
        binddn="cn=Manager,dc=myDomain,dc=com"
        credentials="myPassword"
15 years, 7 months
Exporting LDAP info from Active Directory / Exchange Global Address List
by Clemson, Chris (IHG)
Hi everyone,
Hopefully I'm now sending this to the right list, apologies if not....
I am trying to find a way of exporting most information from the GAL
into an LDAP server.
It seems that OpenLDAP might do what I want, however I'm relatively new
to using LDAP, so I was wondering if someone could give me a few
pointers on how to do this.
It sounds like I need to use a slapd as a Proxy Cache Engine, so I can
cache an AD query (preferably the equivalent of the Exchange GAL) into
OpenLDAP.
People can then use the OpenLDAP server as a Directory source in Outlook
without needing to log in to anything.
I need to do something like this so that people who do not have access
to the Exchange Servers can see (and therefore email) accounts in
Exchange.
I have found some mailing list articles that allude to this, but nothing
specific.
Thank you,
Chris
15 years, 7 months
Getent function with ldap
by asiani@free.fr
Hello,
I'm looking for documentation on "how to configure getent with ldap";
can you help me? I have a problem with this function on CentOS 4.4:
I can't get entries from LDAP, but I have tried to configure:
/etc/pam.d/system-auth
/etc/ldap.conf
slapcat is OK.
I do:
smbpasswd -w mypassword
I put my conf at the bottom of this email.
Thanks for your help!
Alain
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Modif by AS
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
account sufficient /lib/security/$ISA/pam_ldap.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
/etc/ldap.conf
host 127.0.0.1
#host 10.0.0.245
base dc=myDomain,dc=com
rootbinddn cn=Manager,dc=myDomain,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
15 years, 7 months
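getent resolves the passwd, group and shadow databases through NSS, and which sources each database consults is set in /etc/nsswitch.conf, a file the post does not show; the PAM stack governs authentication and /etc/ldap.conf governs how nss_ldap and pam_ldap connect, neither of them decides whether getent asks LDAP at all. The checker below is an added example, not from the post or from nss_ldap: it parses an nsswitch.conf and reports which of the databases getent needs have no `ldap` source. The file content is constructed, and the function names are the script's own.

```python
import re

# Constructed sample: passwd and group consult LDAP, shadow still only files.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files
group:      files ldap
hosts:      files dns
netgroup:   files
"""

# "[NOTFOUND=return]"-style action groups sit between sources; drop them.
ACTION_GROUP_RE = re.compile(r'\[[^\]]*\]')


def parse_nsswitch(text):
    """Map each NSS database name to its ordered list of sources,
    ignoring comments, blank lines and [status=action] groups."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # strip trailing comments
        if not line or ':' not in line:
            continue
        name, sources = line.split(':', 1)
        sources = ACTION_GROUP_RE.sub(' ', sources)
        databases[name.strip()] = sources.split()
    return databases


def databases_missing_ldap(text, wanted=('passwd', 'shadow', 'group')):
    """Return the databases getent would never resolve through LDAP,
    either because 'ldap' is absent or the database is not listed."""
    databases = parse_nsswitch(text)
    return [name for name in wanted if 'ldap' not in databases.get(name, [])]


if __name__ == '__main__':
    for name, sources in parse_nsswitch(SAMPLE_NSSWITCH).items():
        print(f'{name}: {" ".join(sources)}')
    print('not served by LDAP:', databases_missing_ldap(SAMPLE_NSSWITCH))
```

On the sample, `getent passwd` and `getent group` would reach nss_ldap while `getent shadow` would not. The order matters as well: `files ldap` answers local accounts from /etc/passwd first, so an LDAP entry that duplicates a local uid or name is shadowed rather than merged.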
password-hashing scheme
by Vinh.CTR.Hoang@faa.gov
Hi, I'm having trouble trying to get an LDAP client authenticated by the LDAP server. I think the problem is that I might have the hash scheme configured wrongly or something like that.
I'm on Solaris 9 with OpenLDAP 2.3.35. I have the password set as "clear" in the ldap.conf and password-hash as {MD5} in slapd.conf. Am I safe to assume that with these settings, it means that the client will send the passwords to the server as clear text and the server will hash it to MD5 before checking against its stored password list? If it is not the case, then how should I configure the client and server to make it the case?
Thanks,
Vinh
15 years, 8 months
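Two facts about the OpenLDAP side frame the question above. `password-hash` in slapd.conf selects the scheme slapd applies when a password is set through the Password Modify extended operation (RFC 3062); a client that writes userPassword with an ordinary modify, which is what nss_ldap's `pam_password clear` does, stores whatever value it sends, and the `exop` setting or the ppolicy overlay's cleartext hashing is what makes the server do the hashing. For checking a password, a simple bind carries the cleartext on the wire whatever scheme is stored, so it needs TLS (the posted ldap.conf has `ssl no`). The script below is an added example, not from this thread or from OpenLDAP: it reproduces the on-disk formats, `{MD5}` as the base64 of the raw MD5 digest and `{SSHA}` as the base64 of SHA-1(password || salt) followed by the salt, and verifies a cleartext candidate against either. The sample password and salt are constructed.

```python
import base64
import hashlib
import hmac
import os


def encode_md5(password):
    """OpenLDAP {MD5}: base64 of the raw 16-byte MD5 digest; unsalted, so
    equal passwords produce equal values."""
    digest = hashlib.md5(password.encode('utf-8')).digest()
    return '{MD5}' + base64.b64encode(digest).decode('ascii')


def encode_ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64( SHA1(password || salt) || salt ).
    slapd uses a 4-byte random salt; the salt is passed in here only so the
    result is reproducible in the test."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def decode_ssha(stored):
    """Split a {SSHA} value into (digest, salt); the digest is always 20 bytes."""
    raw = base64.b64decode(stored[len('{SSHA}'):])
    return raw[:20], raw[20:]


def scheme_of(stored):
    """Name the storage scheme of a userPassword/rootpw value."""
    if stored.startswith('{') and '}' in stored:
        return stored[1:stored.index('}')].upper()
    return 'cleartext'


def verify(password, stored):
    """Check a cleartext candidate against a stored value in {SSHA}, {MD5}
    or cleartext form, using constant-time comparison of the digests."""
    scheme = scheme_of(stored)
    candidate = password.encode('utf-8')
    if scheme == 'SSHA':
        digest, salt = decode_ssha(stored)
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if scheme == 'MD5':
        digest = base64.b64decode(stored[len('{MD5}'):])
        return hmac.compare_digest(hashlib.md5(candidate).digest(), digest)
    if scheme == 'cleartext':
        return hmac.compare_digest(candidate, stored.encode('utf-8'))
    raise ValueError('unsupported scheme: ' + scheme)


if __name__ == '__main__':
    for value in (encode_md5('secret'), encode_ssha('secret', salt=b'\x01\x02\x03\x04')):
        print(value, scheme_of(value), verify('secret', value), verify('Secret', value))
```

The `{MD5}` form has no salt, so two accounts with the same password store identical values and a precomputed table works against the whole directory at once; `{SSHA}` adds a per-entry salt, which is why it is the usual choice of the two, and the stored value is in any case only as well protected as the ACL that keeps userPassword from being read.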
Best method to set access permissions to third parties application with LDAP
by Benjamin Watine
Hello the list,
I have to use LDAP to define access permissions for many third-party
applications.
So, I wonder what is the best way to organize my LDAP tree. I see two
possibilities:
- Set an LDAP group for each access level of each application, and create
users that belong to those groups.
ex:
GlobalServiceGroup
|
|__Application1Group
| |__guestGroup
| | |__user1
| | |__user2
| |__userGroup
| | |__user3
| | |__user4
| |__adminGroup
|
|__Application2Group
|__devTeamGroup
| |__user1
| |__user2
| |__user3
| |__user4
|__testTeamGroup
|__adminTeamGroup
The problem with this solution is that I have to set up a lot of groups, so
my LDAP tree would become very complex to administer.
- Another way would be to define my own LDAP classes, with an attribute
for each application that defines the access level (guest, user, admin, etc.).
The problem with this solution is that I'm no longer in the standard
LDAP schema, and lose interoperability with standard LDAP clients.
What is the best way to set that up? Is there another possibility than
the two I mentioned before?
Thank you !
Ben
15 years, 8 months
Re: Export / import ldap database between 2.2.29 & 2.3.27
by asiani@free.fr
Ok thanks a lot !!!!!
It is working now !
thks,
Alain
Buchan Milne wrote:
> On Friday 01 February 2008 13:59:11 asiani(a)free.fr wrote:
>
>> # tail -n106 fichier_slapcat.ldif|head -n30
>>
>
> Now run this on both the old and the new server:
>
> # grep ^include /etc/openldap/slapd.conf
>
> It looks like your new server is missing inetorgperson.schema, and probably
> many more. You should add the missing include lines to slapd.conf on your new
> server, and try import again.
>
> Regards,
> Buchan
>
>
15 years, 8 months
Export / import ldap database between 2.2.29 & 2.3.27
by asiani@free.fr
Hello,
My source server :
openldap-clients-2.2.29-1.FC3
perl-Net-LDAP-0.3202-1.1.fc3.rf
nss_ldap-220-3
openldap-devel-2.2.29-1.FC3
php-ldap-4.3.11-2.8.4.legacy
smbldap-tools-0.9.1-1.1.fc3.rf
openldap-2.2.29-1.FC3
openldap-servers-2.2.29-1.FC3
My destination server :
openldap-2.3.27-8
openldap-devel-2.3.27-8
perl-LDAP-0.33-3.fc6
php-ldap-5.1.6-15.el5
python-ldap-2.2.0-2.1
nss_ldap-253-5.el5
openldap-servers-2.3.27-8
I export my database from source :
ldapsearch -LLL -x -h localhost -D "cn=Manager,dc=myDomain,dc=com" -w password -b "dc=myDomain,dc=com" > /backups/ldap/ldap-fs4-$TODAY.ldif
dn: dc=myDomain,dc=com
objectClass: dcObject
objectClass: organization
o: myDomain
dc: myDomain

dn: ou=Users,dc=myDomain,dc=com
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=myDomain,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Computers,dc=myDomain,dc=com
objectClass: organizationalUnit
ou: Computers

dn: cn=NextFreeUnixId,dc=myDomain,dc=com
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
cn: NextFreeUnixId
sn: NextFreeUnixId
gidNumber: 1001
uidNumber: 1154

dn: uid=smbguest3,ou=Users,dc=myDomain,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
(...)
and try to add in my destination server :
slapadd -l fichier.ldif
The system failed with this error :
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=69)
The database is working well on the source server... do you have an idea?
Thank you very much !
Alain
15 years, 8 months
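The slapadd error in this post and the diagnosis in the reply above it come down to one check: syntax 1.3.6.1.4.1.1466.115.121.1.38 is the OID syntax, and every objectClass value in the LDIF must name a class that one of the schema files included from slapd.conf defines, so a missing `include` line makes the first entry that uses the class unparseable. The script below is an added example, not from this thread or from OpenLDAP: it follows the `include` lines of a slapd.conf, collects the `NAME`s of the objectclass definitions in those schema files, and reports every objectClass value in an LDIF that no included schema defines, before slapadd is run. The slapd.conf, the cut-down schema texts (written in the layout real OpenLDAP schema files use) and the LDIF excerpt are constructed stand-ins for the files; the function names are the script's own.

```python
import re

# Constructed slapd.conf of a new server that lacks the inetorgperson include.
SLAPD_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
database bdb
suffix "dc=myDomain,dc=com"
"""
FIXED_CONF = SLAPD_CONF.replace(
    'cosine.schema\n', 'cosine.schema\ninclude /etc/openldap/schema/inetorgperson.schema\n')

# Constructed, cut-down schema files keyed by the path slapd.conf includes.
SCHEMA_FILES = {
    '/etc/openldap/schema/core.schema': """\
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o )
objectclass ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL
	MUST ou )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL )
objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST dc )
""",
    '/etc/openldap/schema/cosine.schema': """\
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid )
""",
    '/etc/openldap/schema/inetorgperson.schema': """\
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
	SUP organizationalPerson STRUCTURAL )
""",
}

# Constructed LDIF: the first three entries of the posted export.
LDIF = """\
dn: dc=myDomain,dc=com
objectClass: dcObject
objectClass: organization
o: myDomain
dc: myDomain

dn: ou=Users,dc=myDomain,dc=com
objectClass: organizationalUnit
ou: Users

dn: cn=NextFreeUnixId,dc=myDomain,dc=com
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
cn: NextFreeUnixId
sn: NextFreeUnixId
"""

NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))")


def schema_objectclasses(schema_text):
    """Lower-cased NAMEs of every objectclass definition in a schema file.
    A definition starts at column 0 and continues on indented lines."""
    names, definitions, current = set(), [], []
    for line in schema_text.splitlines():
        if line[:1].isspace():
            current.append(line.strip())          # continuation line
        else:
            definitions.append(current)
            current = [line.strip()]
    definitions.append(current)
    for parts in definitions:
        text = ' '.join(parts)
        m = NAME_RE.search(text) if text.lower().startswith('objectclass') else None
        if m and m.group(1):
            names.add(m.group(1).lower())
        elif m:                                   # NAME ( 'n1' 'n2' ) list form
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names


def included_objectclasses(slapd_conf, schema_files):
    """Union of the objectclass names from every schema slapd.conf includes."""
    names = set()
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == 'include':
            names |= schema_objectclasses(schema_files.get(parts[1], ''))
    return names


def parse_ldif(ldif_text):
    """Minimal LDIF reader: blank-line-separated entries, 'attr: value' lines.
    Returns [{'dn', 'line', 'objectClass'}] with the dn's 1-based line number."""
    entries, current = [], None
    for lineno, line in enumerate(ldif_text.splitlines(), 1):
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(':')
        if attr == 'dn':
            current = {'dn': value.strip(), 'line': lineno, 'objectClass': []}
        elif current is not None and attr.lower() == 'objectclass':
            current['objectClass'].append(value.strip())
    if current:
        entries.append(current)
    return entries


def unknown_objectclasses(ldif_text, slapd_conf, schema_files):
    """(dn, line, objectClass) for every value no included schema defines."""
    known = included_objectclasses(slapd_conf, schema_files)
    return [(e['dn'], e['line'], oc) for e in parse_ldif(ldif_text)
            for oc in e['objectClass'] if oc.lower() not in known]


if __name__ == '__main__':
    for conf in (SLAPD_CONF, FIXED_CONF):
        print(unknown_objectclasses(LDIF, conf, SCHEMA_FILES))
```

With the original slapd.conf the `cn=NextFreeUnixId` entry is flagged for both `inetOrgPerson` and `sambaUnixIdPool`; adding the inetorgperson include clears the first, and the second remains until the Samba schema is included too, which is the same iteration the reply recommends doing with `grep ^include` on both servers.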
Pagination behavior using ldap_ctrl_paged
by Faraz R. Khan
Hi,
Is there any way I can navigate back and forth using the paged results
control? The only thing I can currently use is going forward a certain
pageSize. I realize this is exactly as per the RFC (2696) but is there
any way I can achieve back and forth pagination (pageSize = -3 for
example)?
Thank you.
--
Faraz R Khan
Chief Architect
Emergen Consulting Pvt Ltd
www.emergen.biz
15 years, 8 months