openldap-technical September 2008

openldap-technical@openldap.org

54 participants
58 discussions

RFT0001 : Request For Thoughts
by Christopher Barry 24 Sep '08

24 Sep '08

Hi everyone, If this post here is in poor taste, please pardon my interruption. It's just that I figured those here would have a high probability of trying to do as I am trying to do. Background: I'm a debian-head from the early 90's, but I'm new to OpenLDAP, and this is my first post here. I'm about halfway done with Mastering OpenLDAP, and I've been lurking here for a month or so, trying to understand how things work, and looking for questions like mine. I also just read Kerberos, the definitive guide as a primer into understanding how my team can make everyone 'Just Get Along(tm)' in a multi-platform global enterprise, while leveraging open source projects. Rough Goals: * We're exploring ways in which we can have a single user/group database for everything, everywhere in our domain. * Additionally, we want as 'SSO' an environment as possible. * We also want to keep, and even extend all the other NIS functionality we use today - only without the NIS limitations. * We also need to be able to phase it in, or even have it overlap with our current situation for a period, so it's not an all-or-nothing kind of change. The Parts Bin: There's a bunch of parts around, and they all kind of fit together, but to my current understanding anyway, seem to create a few different incomplete solutions, such as: * Samba/Winbind/Kerberos (possibly backed by OpenLDAP) * OpenLDAP/Kerberos with trusts to AD * AD using 2003R2 and possibly custom schema modifications if required. My question really is what are others doing to solve this type of problem? Architecturally, what is the best approach given the above desired outcome? Thanks to all for your thoughts and insight on this, Regards, Christopher Barry Systems Engineer QLogic

2 3

Re: Configuring MirrorMode via cn=config
by p_pavlos＠freemail.gr 24 Sep '08

24 Sep '08

> > ----- "Pavlos Parissis" <p_pavlos(a)freemail.gr> wrote: > > > Hello all, > > > > I am writing to ask for a confirmation on the steps that I followed > > to > > configure MirrorMode replication via cn=config > > > > The step is the typical, 2 nodes where m1 is the first node and m2 is > > the second one. > > > > 1) start m1 > > 2) create dit > > 3) add mirrormode_user > > OK. > > > 4) slaptest -f slapd.conf -F slapd.d > > chown -R ds-ldap.ds-ldap slapd.d > > Why do this? Why not start m1 from a basic slapd.d and then add all > above on the fly via cn=config? Because I don't have a basic slapd.d, the dir is empty. The replica configuration are added via cn=config when I have converted my basic slapd.conf to slapd.d on both servers. I don't think that I do something wrong here or stupid, what do you think? > > 5) stop m1 ;start m1 > > 6) enable sync log > > 7) start m2 > > 8) slaptest -f slapd.conf -F slapd.d > > chown -R ds-ldap.ds-ldap slapd.d > > 9) stop m2;start m2 > > 10) enable sync log > > 11) add replication configuration on m1 [1] > > 12) add replication configuration on m2 [2] > > See above. Cheers, Pavlos

1 0

accesslog misses out on entries during slapd failure
by Sean Burford 23 Sep '08

23 Sep '08

Hi, An add operation was underway on my HDB backend. Around one second later, a large group modification ran slapd out of memory. Slapd was then unresponsive until a watchdog killed and restarted it two minutes later. The add operation successfully modified the database but never appeared in the audit log nor the syncrepl access log, so it was never replicated to the replicas. Is it by design that modifications hit the database before being recorded in the audit and access logs? This is with OpenLDAP 2.3.39, BDB 4.4. Logs: Sep 22 09:15:16 host slapd[27404]: conn=102591 op=5 ADD dn="uid=username,ou=people,dc=example,dc=com" ... Sep 22 09:15:17 host slapd[27404]: conn=99395 op=131974 MOD dn="cn=biggroup,ou=groups,dc=example,dc=com" Sep 22 09:15:17 host slapd[27404]: conn=99395 op=131974 MOD attr=member memberuid Sep 22 09:15:17 host slapd[27404]: ch_malloc of 242464 bytes failed Sep 22 09:15:17 host slapd[27404]: conn=102732 op=2 UNBIND Sep 22 09:15:17 host slapd[27404]: conn=102732 fd=124 closed Sep 22 09:17:33 host slapd: allocation failed: 0 Sep 22 09:17:33 host slapd: allocation failed: 12 Config snippet: database hdb suffix "dc=example,dc=com" rootdn "cn=manager,dc=example,dc=com" rootpw ... directory /var/lib/ldap cachesize 25000 idlcachesize 75000 checkpoint 512 1 lastmod on ... indexes ... ... ACLs ... overlay auditlog auditlog /var/lib/ldif/auditlog/example.com.ldif overlay syncprov syncprov-sessionlog 1000 overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logpurge 02+23:46 01+23:46 -- Thanks, Sean Burford

2 1

slapd stops accepting connections - OpenSolaris
by Josh Rivel 23 Sep '08

23 Sep '08

Hello. I am running OpenLDAP 2.4.11 on OpenSolaris snv_91 on a Sun X2200. After a few minutes, the box stops accepting connections on port 389, even though the slapd process is still running, and the machine still shows itself listening on port 389. I am attaching my slapd.conf, ldap.conf, and DB_CONFIG files. I had the same behaviour with the Blastwave package which was version 2.3.39, so I figured "OK Let me upgrade to 2.4.11" but same behaviour. I have roughly 800 OpenSolaris clients that need to connect to the box, and I currently see roughly 300 established connections to the server on port 389. Thanks, Josh

1 0

Pls help : how to make mail id as unique attribute
by Somnath Pal 22 Sep '08

22 Sep '08

Hi list, We have an openldap server 2.4 on redhat enterprise linux 4 update 7. We import users from Windows Active Directory(AD) running Windows Server 2003. We are mapping the mail attribute from the source (AD) to the destination (openldap) & want the mail id to be unique accross the ldap directory so that no two email ids will be same while replicating from different Source . How to achive that ? Do we have to modify our schema ? We are using the following schema in our slapd.conf - include /opt/openldap/etc/openldap/schema/core.schema include /opt/openldap/etc/openldap/schema/cosine.schema include /opt/openldap/etc/openldap/schema/inetorgperson.schema Can you pls help ? Thanks & Regards, Somnath Pal Server Management Unit International Computing Centre (ICC) E-mail: pal(a)unicc.org

2 2

Configuring MirrorMode via cn=config
by Pavlos Parissis 21 Sep '08

21 Sep '08

Hello all, I am writing to ask for a confirmation on the steps that I followed to configure MirrorMode replication via cn=config The step is the typical, 2 nodes where m1 is the first node and m2 is the second one. 1) start m1 2) create dit 3) add mirrormode_user 4) slaptest -f slapd.conf -F slapd.d chown -R ds-ldap.ds-ldap slapd.d 5) stop m1 ;start m1 6) enable sync log 7) start m2 8) slaptest -f slapd.conf -F slapd.d chown -R ds-ldap.ds-ldap slapd.d 9) stop m2;start m2 10) enable sync log 11) add replication configuration on m1 [1] 12) add replication configuration on m2 [2] I did testing on the replication and it worked. But, I noticed that when I configured the syncpro overlay after the replicas both servers stopped responding. I will try to reproduce that issue and get some debug messages, may be I didn't something wrong or it is a bug. Cheers, Pavlos [1] Replication configuration for node m1 dn: cn=config changetype: modify add: olcServerID olcServerID: 1 dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpCheckpoint: 100 600 olcSpSessionlog: 100 dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcLimits olcLimits: {0}dn.base="cn=mirrormode_user,o=solution.acision.com" size.soft=un limited size.hard=unlimited time.soft=unlimited time.hard=unlimited - add: olcSyncrepl olcSyncrepl: rid=002 provider=ldap://m2 bindmethod=simple timeout=0 network-ti meout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirro r" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" s cope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +" - add: olcSyncrepl olcSyncrepl: rid=001 provider=ldap://m1 bindmethod=simple timeout=0 network-ti meout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirro r" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" s cope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +" - add: olcMirrorMode olcMirrorMode: TRUE - add: olcDbIndex olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq ############################### [2] replication configuration for node m2 dn: cn=config changetype: modify add: olcServerID olcServerID: 2 dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpCheckpoint: 100 600 olcSpSessionlog: 100 dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcLimits olcLimits: {0}dn.base="cn=mirrormode_user,o=solution.acision.com" size.soft=un limited size.hard=unlimited time.soft=unlimited time.hard=unlimited - add: olcSyncrepl olcSyncrepl: rid=002 provider=ldap://m2 bindmethod=simple timeout=0 network-ti meout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirro r" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" s cope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +" - add: olcSyncrepl olcSyncrepl: rid=001 provider=ldap://m1 bindmethod=simple timeout=0 network-ti meout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirro r" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" s cope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +" - add: olcMirrorMode olcMirrorMode: TRUE - add: olcDbIndex olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq

1 0

Auth issues with openldap proxy to AD
by Lynn York 20 Sep '08

20 Sep '08

Hello, I am having some issues with authentication with an openldap proxy to AD. When I query the user I am able to get back the userPassword attribute and everything looks to be correct. I can "su username" and it works properly, but when I attempt to "ssh user@localhost" it will not accept the password. The password is stored as {crypt}. I am trying to pin point whether this is a PAM issue or an ldap issue. Any help or suggestions would be greatly appreciated. Thanks, Lynn

2 1

Re: Differences between MirrorMode and 2-way mulit-master
by ghenry＠OpenLDAP.org 19 Sep '08

19 Sep '08

----- "Almir Karic" <redduck666(a)gmail.com> wrote: > On Fri, Sep 19, 2008 at 11:44 AM, Pavlos Parissis > <p_pavlos(a)freemail.gr> wrote: > > Well I must admit I can't read very so I will guess that > > the reason is to guarantee consistency in the database. > > > > How do you guarantee consistency in the database on N-way > Multi-Master > > replication where any member can accept write operations? > > AFAIK openldap can't do "true" write anywhere. the configuration is > one "true" master on which writes are happening, the remaining N-1 > masters just issue the referrals to the "true" master which can > optionally be server side followed with slapo-chain making writes on > the N-1 "non-true" masters transparent to the clients. You need to check what you know then ;-) Who told you above or did you make it up? http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master%2… Multi-Master means just that. Write to *any* master and replication is handled by Syncrepl not slapo-chain. It wouldn't be Multi-master is there was one "true" master, as that's not multi-master! slapo-chain can be used to "chain" writes back to a Master from a slave. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

2 1

Re: Differences between MirrorMode and 2-way mulit-master
by ghenry＠OpenLDAP.org 19 Sep '08

19 Sep '08

Please also cc the list. > http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replicati… > > If I understood it correctly, on N-way Multi-Master replication any > member can > accept write operations while on MirrorMode only must|should accept > write > operations. Correct. > I had a MirrorMode configured and I was able to send writes on > both servers and each server was replicating the changes without > problems. > The test which I did was very simple, first add/remove an entry on the > first > and then add/remove an entry on the second. > > So, the above test made to wonder about the differences between > MirrorMode and > 2-way mulit-master. > > what is the reason on a MirrorMode replication to force all write > operations to > one of the members of the replication? Did you read the above link? It doesn't look like you did. > BTW, what about the syncpro overlay settings which are not part of > the > MirrorMode configuration example? Again, please read the docs: http://www.openldap.org/doc/admin24/replication.html#MirrorMode It specifically says: "17.4.4.1. Mirror Node Configuration This is the same as the Set up the provider slapd section." where it links to the section that show the syncprov overlay config. Please read the docs. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

3 3

Regarding LDAP Replication(Repost)
by ashish mahamuni 19 Sep '08

19 Sep '08

Hello Everybody, I've one query regarding LDAP master/slave configuration. When we set replication,We put same root DN on master as well as on slave. Also If my organization have any unique OID that will also get replicated on slave. But as per my knowledge, ideally we should not use existing OID's and root DN(not sure about root DN) because it could cause inconsistency. How this replication works indeed? Regards, Ash Unlimited freedom, unlimited storage. Get it now, on http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2008