RFT0001 : Request For Thoughts
by Christopher Barry
Hi everyone,
If this post here is in poor taste, please pardon my interruption. It's
just that I figured those here would have a high probability of trying
to do as I am trying to do.
Background:
I'm a debian-head from the early 90's, but I'm new to OpenLDAP, and this
is my first post here. I'm about halfway done with Mastering OpenLDAP,
and I've been lurking here for a month or so, trying to understand how
things work, and looking for questions like mine. I also just read
Kerberos, the definitive guide as a primer into understanding how my
team can make everyone 'Just Get Along(tm)' in a multi-platform global
enterprise, while leveraging open source projects.
Rough Goals:
* We're exploring ways in which we can have a single user/group database
for everything, everywhere in our domain.
* Additionally, we want as 'SSO' an environment as possible.
* We also want to keep, and even extend all the other NIS functionality
we use today - only without the NIS limitations.
* We also need to be able to phase it in, or even have it overlap with
our current situation for a period, so it's not an all-or-nothing kind
of change.
The Parts Bin:
There's a bunch of parts around, and they all kind of fit together, but
to my current understanding anyway, seem to create a few different
incomplete solutions, such as:
* Samba/Winbind/Kerberos (possibly backed by OpenLDAP)
* OpenLDAP/Kerberos with trusts to AD
* AD using 2003R2 and possibly custom schema modifications if required.
My question really is what are others doing to solve this type of
problem? Architecturally, what is the best approach given the above
desired outcome?
Thanks to all for your thoughts and insight on this,
Regards,
Christopher Barry
Systems Engineer
QLogic
Re: Configuring MirrorMode via cn=config
by p_pavlos@freemail.gr
>
> ----- "Pavlos Parissis" <p_pavlos(a)freemail.gr> wrote:
>
> > Hello all,
> >
> > I am writing to ask for a confirmation on the steps that I followed
> > to
> > configure MirrorMode replication via cn=config
> >
> > The step is the typical, 2 nodes where m1 is the first node and m2 is
> > the second one.
> >
> > 1) start m1
> > 2) create dit
> > 3) add mirrormode_user
>
> OK.
>
> > 4) slaptest -f slapd.conf -F slapd.d
> > chown -R ds-ldap.ds-ldap slapd.d
>
> Why do this? Why not start m1 from a basic slapd.d and then add all
> above on the fly via cn=config?
Because I don't have a basic slapd.d, the dir is empty. The replica
configuration is added via cn=config once I have converted my basic
slapd.conf to slapd.d on both servers.
I don't think that I am doing something wrong or stupid here, what do you think?
> > 5) stop m1 ;start m1
> > 6) enable sync log
> > 7) start m2
> > 8) slaptest -f slapd.conf -F slapd.d
> > chown -R ds-ldap.ds-ldap slapd.d
> > 9) stop m2;start m2
> > 10) enable sync log
> > 11) add replication configuration on m1 [1]
> > 12) add replication configuration on m2 [2]
>
> See above.
Cheers,
Pavlos
accesslog misses out on entries during slapd failure
by Sean Burford
Hi,
An add operation was underway on my HDB backend. Around one second later, a
large group modification ran slapd out of memory. Slapd was then
unresponsive until a watchdog killed and restarted it two minutes later.
The add operation successfully modified the database but never appeared in
the audit log nor the syncrepl access log, so it was never replicated to the
replicas.
Is it by design that modifications hit the database before being recorded in
the audit and access logs?
This is with OpenLDAP 2.3.39, BDB 4.4.
Logs:
Sep 22 09:15:16 host slapd[27404]: conn=102591 op=5 ADD dn="uid=username,ou=people,dc=example,dc=com"
...
Sep 22 09:15:17 host slapd[27404]: conn=99395 op=131974 MOD dn="cn=biggroup,ou=groups,dc=example,dc=com"
Sep 22 09:15:17 host slapd[27404]: conn=99395 op=131974 MOD attr=member memberuid
Sep 22 09:15:17 host slapd[27404]: ch_malloc of 242464 bytes failed
Sep 22 09:15:17 host slapd[27404]: conn=102732 op=2 UNBIND
Sep 22 09:15:17 host slapd[27404]: conn=102732 fd=124 closed
Sep 22 09:17:33 host slapd: allocation failed: 0
Sep 22 09:17:33 host slapd: allocation failed: 12
Config snippet:
database hdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw ...
directory /var/lib/ldap
cachesize 25000
idlcachesize 75000
checkpoint 512 1
lastmod on
... indexes ...
... ACLs ...
overlay auditlog
auditlog /var/lib/ldif/auditlog/example.com.ldif
overlay syncprov
syncprov-sessionlog 1000
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 02+23:46 01+23:46
--
Thanks,
Sean Burford
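An added example, not from the thread and not OpenLDAP code: the practical follow-up to a crash like the one above is to find the write operations that the stats log shows as started but never as finished (no RESULT line before slapd died), then check on every replica whether those DNs arrived. The functions below do the first part over constructed syslog lines modelled on the posted excerpt (the extra completed MOD, the replica host names and the ldapsearch invocation are assumptions) and emit the per-replica checks for the second part. The slapd pid is part of the operation key so that conn/op numbers from before and after the watchdog restart are not confused.

```python
"""Find slapd write operations that never logged a RESULT (in flight when the
daemon died) and build the replica checks for them.
Added example for the accesslog thread above; not OpenLDAP code. The log
lines below are constructed after the posted excerpt."""
import re

# Constructed syslog excerpt (loglevel stats). The first MOD completed; the
# ADD and the large group MOD were still open when ch_malloc failed.
SYSLOG = """\
Sep 22 09:15:15 host slapd[27404]: conn=102590 op=3 MOD dn="uid=other,ou=people,dc=example,dc=com"
Sep 22 09:15:15 host slapd[27404]: conn=102590 op=3 RESULT tag=103 err=0 text=
Sep 22 09:15:16 host slapd[27404]: conn=102591 op=5 ADD dn="uid=username,ou=people,dc=example,dc=com"
Sep 22 09:15:17 host slapd[27404]: conn=99395 op=131974 MOD dn="cn=biggroup,ou=groups,dc=example,dc=com"
Sep 22 09:15:17 host slapd[27404]: conn=99395 op=131974 MOD attr=member memberuid
Sep 22 09:15:17 host slapd[27404]: ch_malloc of 242464 bytes failed
Sep 22 09:15:17 host slapd[27404]: conn=102732 op=2 UNBIND
Sep 22 09:15:17 host slapd[27404]: conn=102732 fd=124 closed
"""

# A write is logged as 'conn=N op=M <KIND> dn="..."' when it starts and as
# 'conn=N op=M RESULT tag=T err=E' when it finishes. 'MOD attr=' lines carry
# no dn and are not matched by the first pattern.
OP_START = re.compile(
    r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>ADD|MOD|MODRDN|DEL) dn="(?P<dn>[^"]*)"')
OP_RESULT = re.compile(
    r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')


def parse_write_ops(log_text):
    """Map (pid, conn, op) -> write operation record with its result code, if any.
    The pid is part of the key because conn ids restart with the process."""
    ops = {}
    for line in log_text.splitlines():
        m = OP_START.search(line)
        if m:
            key = (m["pid"], m["conn"], m["op"])
            ops[key] = {"pid": m["pid"], "conn": m["conn"], "op": m["op"],
                        "kind": m["kind"], "dn": m["dn"], "err": None}
            continue
        m = OP_RESULT.search(line)
        if m:
            key = (m["pid"], m["conn"], m["op"])
            if key in ops:  # only tracked writes; search/bind results are ignored
                ops[key]["err"] = int(m["err"])
    return ops


def in_flight_writes(log_text):
    """Writes that started but logged no RESULT: they may or may not have
    reached the database, and were never seen by accesslog or syncprov."""
    return [rec for rec in parse_write_ops(log_text).values() if rec["err"] is None]


def verification_commands(records, replicas):
    """ldapsearch invocations that fetch entryUUID/entryCSN of each suspect DN
    on each replica; a missing entry (or an entryCSN older than the provider's)
    marks a change that has to be replayed by hand."""
    cmds = []
    for rec in records:
        for host in replicas:
            cmds.append("ldapsearch -LLL -H ldap://%s -b '%s' -s base entryUUID entryCSN"
                        % (host, rec["dn"]))
    return cmds


if __name__ == "__main__":
    suspects = in_flight_writes(SYSLOG)
    for rec in suspects:
        print("no RESULT: conn=%(conn)s op=%(op)s %(kind)s %(dn)s" % rec)
    for cmd in verification_commands(suspects, ["replica1", "replica2"]):  # assumed hosts
        print(cmd)
```

Run the same commands against the provider as well: an entry present on the provider but absent on every replica is exactly the case the post describes, a change that hit the database but never reached the access log.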
slapd stops accepting connections - OpenSolaris
by Josh Rivel
Hello.
I am running OpenLDAP 2.4.11 on OpenSolaris snv_91 on a Sun X2200.
After a few minutes, the box stops accepting connections on port 389,
even though the slapd process is still running, and the machine still
shows itself listening on port 389.
I am attaching my slapd.conf, ldap.conf, and DB_CONFIG files.
I had the same behaviour with the Blastwave package which was version
2.3.39, so I figured "OK Let me upgrade to 2.4.11" but same behaviour.
I have roughly 800 OpenSolaris clients that need to connect to the box,
and I currently see roughly 300 established connections to the server
on port 389.
Thanks,
Josh
Please help: how to make mail id a unique attribute
by Somnath Pal
Hi list,
We have an openldap server 2.4 on redhat enterprise linux 4 update 7. We
import users from Windows Active Directory (AD) running Windows Server
2003.
We are mapping the mail attribute from the source (AD) to the destination
(openldap) & want the mail id to be unique across the ldap directory so
that no two email ids will be the same while replicating from different
sources.
How to achieve that? Do we have to modify our schema?
We are using the following schema in our slapd.conf -
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
Can you please help?
Thanks & Regards,
Somnath Pal
Server Management Unit
International Computing Centre (ICC)
E-mail: pal(a)unicc.org
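An added example for the question above, not from the thread and not OpenLDAP code. Two things a practitioner would do here: first, before loading users from several AD sources into one tree, find the mail values that would collide, comparing them the way slapd matches the mail attribute (caseIgnoreIA5Match, so case and surrounding whitespace do not count); second, have slapd enforce the constraint itself with the slapo-unique overlay, which needs no schema change. The user records, DNs and the database index in cn=config are constructed.

```python
"""Pre-import check for duplicate mail values across several AD sources, plus
the slapo-unique overlay record that makes slapd enforce the constraint itself.
Added example for the question above; not from the thread and not OpenLDAP code.
Entries, DNs and the database index are constructed."""
from collections import defaultdict

# Constructed user records as they would be mapped from two AD forests.
SOURCE_A = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "mail": ["J.Doe@example.org"]},
    {"dn": "uid=asmith,ou=people,dc=example,dc=com", "mail": ["a.smith@example.org"]},
]
SOURCE_B = [
    {"dn": "uid=john.doe,ou=people,dc=example,dc=com", "mail": ["j.doe@example.org "]},
    {"dn": "uid=bwong,ou=people,dc=example,dc=com",
     "mail": ["b.wong@example.org", "bwong@example.org"]},
]


def normalize_mail(value):
    """Compare the way slapd does: mail uses caseIgnoreIA5Match, so case and
    surrounding/repeated whitespace are not significant. 'J.Doe@x' and 'j.doe@x '
    are the same value."""
    return " ".join(value.split()).lower()


def find_mail_collisions(*sources):
    """sources: (label, entries) pairs. Returns {normalized mail: [(label, dn), ...]}
    for every mail value owned by more than one entry, in first-seen order."""
    owners = defaultdict(list)
    for label, entries in sources:
        for entry in entries:
            for mail in entry.get("mail", []):
                owners[normalize_mail(mail)].append((label, entry["dn"]))
    return {mail: who for mail, who in owners.items() if len(who) > 1}


def unique_overlay_ldif(database_dn, base, attr="mail", object_class="inetOrgPerson"):
    """cn=config record for slapo-unique. Once loaded, an add/modify that would
    give a second entry under <base> the same <attr> is refused with
    constraintViolation; no schema change is needed. It does not clean up
    duplicates that already exist, which is why the check above runs first."""
    uri = "ldap:///%s?%s?sub?(objectClass=%s)" % (base, attr, object_class)
    return "\n".join([
        "dn: olcOverlay=unique,%s" % database_dn,
        "changetype: add",
        "objectClass: olcOverlayConfig",
        "objectClass: olcUniqueConfig",
        "olcOverlay: unique",
        "olcUniqueURI: %s" % uri,
        "",
    ])


if __name__ == "__main__":
    for mail, who in find_mail_collisions(("ad-forest-1", SOURCE_A),
                                          ("ad-forest-2", SOURCE_B)).items():
        print("duplicate mail %s:" % mail)
        for label, dn in who:
            print("    %s  %s" % (label, dn))
    # The {1}hdb database index is an assumption; confirm yours with
    # 'ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase'.
    print(unique_overlay_ldif("olcDatabase={1}hdb,cn=config", "dc=example,dc=com"))
```

Feed the printed record to ldapmodify against cn=config; from then on the second import that tries to write an already used mail gets a constraintViolation instead of silently creating a duplicate.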
Configuring MirrorMode via cn=config
by Pavlos Parissis
Hello all,
I am writing to ask for a confirmation on the steps that I followed to
configure MirrorMode replication via cn=config
The step is the typical, 2 nodes where m1 is the first node and m2 is the second one.
1) start m1
2) create dit
3) add mirrormode_user
4) slaptest -f slapd.conf -F slapd.d
chown -R ds-ldap.ds-ldap slapd.d
5) stop m1 ;start m1
6) enable sync log
7) start m2
8) slaptest -f slapd.conf -F slapd.d
chown -R ds-ldap.ds-ldap slapd.d
9) stop m2;start m2
10) enable sync log
11) add replication configuration on m1 [1]
12) add replication configuration on m2 [2]
I did testing on the replication and it worked.
But, I noticed that when I configured the syncprov overlay after the replicas both servers stopped responding.
I will try to reproduce that issue and get some debug messages, maybe I did something wrong or it is a bug.
Cheers,
Pavlos
[1] Replication configuration for node m1
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1

dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 600
olcSpSessionlog: 100

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: {0}dn.base="cn=mirrormode_user,o=solution.acision.com" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
-
add: olcSyncrepl
olcSyncrepl: rid=002 provider=ldap://m2 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirror" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" scope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +"
-
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://m1 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirror" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" scope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
###############################
[2] replication configuration for node m2
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 2

dn: olcOverlay={0}syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 600
olcSpSessionlog: 100

dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: {0}dn.base="cn=mirrormode_user,o=solution.acision.com" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
-
add: olcSyncrepl
olcSyncrepl: rid=002 provider=ldap://m2 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirror" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" scope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +"
-
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://m1 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirror" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" scope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
-
add: olcDbIndex
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
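An added example for the MirrorMode configuration above, not from the thread and not OpenLDAP code. The posted consumers bind with a simple password over plain ldap:// with starttls=no, so the replication credentials (which also sit in cn=config) cross the network in the clear on every reconnect. The script below unfolds a cn=config LDIF, parses each olcSyncrepl value and reports such weak settings, and shows a hardened value that passes the same checks; the LDIF is constructed from the posted node m1 fragment, and the hardened value, its use of SASL/EXTERNAL and its certificate paths are assumptions.

```python
"""Audit the olcSyncrepl values of a cn=config LDIF for replication settings
that expose the replication credentials. Added example for the MirrorMode
thread above; not from the thread and not OpenLDAP code. SAMPLE_LDIF is
constructed from the posted node m1 configuration; HARDENED and its
certificate paths are assumptions."""
import shlex

# Constructed from the posted [1] fragment; continuation lines start with one
# space, as LDIF requires.
SAMPLE_LDIF = """\
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=002 provider=ldap://m2 bindmethod=simple timeout=0 network-ti
 meout=0 binddn="cn=mirrormode_user,o=solution.acision.com" credentials="mirro
 r" starttls=no filter="(objectclass=*)" searchbase="o=solution.acision.com" s
 cope=sub schemachecking=off type=refreshAndPersist retry="10 3 60 +"
-
add: olcMirrorMode
olcMirrorMode: TRUE
"""

# Same consumer, but TLS to the provider with certificate checking pinned and
# SASL/EXTERNAL (client certificate) instead of a password kept in cn=config.
HARDENED = ('rid=002 provider=ldaps://m2 bindmethod=sasl saslmech=EXTERNAL '
            'tls_cert=/etc/openldap/m1.crt tls_key=/etc/openldap/m1.key '
            'tls_cacert=/etc/openldap/ca.crt tls_reqcert=demand '
            'searchbase="o=solution.acision.com" type=refreshAndPersist retry="10 3 60 +"')


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with a space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_syncrepl(value):
    """Split a syncrepl value into {keyword: value}; quoted values may contain spaces."""
    params = {}
    for token in shlex.split(value):
        key, _, val = token.partition("=")
        params[key.lower()] = val
    return params


def audit_syncrepl(params):
    """Return finding codes for one consumer definition (empty list = nothing found)."""
    findings = []
    provider = params.get("provider", "").lower()
    starttls = params.get("starttls", "no").lower()
    bindmethod = params.get("bindmethod", "simple").lower()
    encrypted = provider.startswith("ldaps://") or starttls in ("yes", "critical")
    if bindmethod == "simple" and not encrypted:
        # binddn and password cross the wire in the clear on every (re)connect
        findings.append("cleartext-credentials")
    if starttls == "yes":
        # 'yes' falls back to cleartext when StartTLS fails; 'critical' aborts instead
        findings.append("starttls-not-critical")
    if encrypted and "tls_reqcert" not in params:
        # otherwise the client library default applies; pin it in the consumer itself
        findings.append("tls_reqcert-not-pinned")
    if "credentials" in params:
        # readable by anyone allowed to read cn=config, and on disk under slapd.d
        findings.append("secret-in-config")
    return findings


def audit_ldif(text):
    """{rid: findings} for every olcSyncrepl attribute in the LDIF."""
    report = {}
    for line in unfold_ldif(text):
        if line.lower().startswith("olcsyncrepl:"):
            params = parse_syncrepl(line.split(":", 1)[1].strip())
            report[params.get("rid", "?")] = audit_syncrepl(params)
    return report


if __name__ == "__main__":
    for rid, findings in audit_ldif(SAMPLE_LDIF).items():
        print("rid=%s: %s" % (rid, ", ".join(findings) or "ok"))
    print("hardened:", ", ".join(audit_syncrepl(parse_syncrepl(HARDENED))) or "ok")
```

Whatever bind method is chosen, the olcLimits line in the posted config should stay: the replication identity needs unlimited size and time limits on the provider, or a large refresh is cut short.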
Auth issues with openldap proxy to AD
by Lynn York
Hello,
I am having some issues with authentication with an openldap proxy to AD.
When I query the user I am able to get back the userPassword attribute and
everything looks to be correct. I can "su username" and it works properly,
but when I attempt to "ssh user@localhost" it will not accept the password.
The password is stored as {crypt}. I am trying to pinpoint whether this
is a PAM issue or an ldap issue. Any help or suggestions would be greatly
appreciated.
Thanks,
Lynn
Re: Differences between MirrorMode and 2-way multi-master
by ghenry@OpenLDAP.org
----- "Almir Karic" <redduck666(a)gmail.com> wrote:
> On Fri, Sep 19, 2008 at 11:44 AM, Pavlos Parissis
> <p_pavlos(a)freemail.gr> wrote:
> > Well I must admit I can't read very well, so I will guess that
> > the reason is to guarantee consistency in the database.
> >
> > How do you guarantee consistency in the database on N-way
> Multi-Master
> > replication where any member can accept write operations?
>
> AFAIK openldap can't do "true" write anywhere. the configuration is
> one "true" master on which writes are happening, the remaining N-1
> masters just issue the referrals to the "true" master which can
> optionally be server side followed with slapo-chain making writes on
> the N-1 "non-true" masters transparent to the clients.
You need to check what you know then ;-) Who told you above or did you make it up?
http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master...
Multi-Master means just that. Write to *any* master and replication is handled by Syncrepl not
slapo-chain.
It wouldn't be Multi-master if there was one "true" master, as that's not multi-master!
slapo-chain can be used to "chain" writes back to a Master from a slave.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
Re: Differences between MirrorMode and 2-way multi-master
by ghenry@OpenLDAP.org
Please also cc the list.
> http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replica...
>
> If I understood it correctly, on N-way Multi-Master replication any
> member can
> accept write operations while on MirrorMode only one must|should accept
> write
> operations.
Correct.
> I had a MirrorMode configured and I was able to send writes on
> both servers and each server was replicating the changes without
> problems.
> The test which I did was very simple, first add/remove an entry on the
> first
> and then add/remove an entry on the second.
>
> So, the above test made me wonder about the differences between
> MirrorMode and
> 2-way multi-master.
>
> what is the reason on a MirrorMode replication to force all write
> operations to
> one of the members of the replication?
Did you read the above link? It doesn't look like you did.
> BTW, what about the syncprov overlay settings which are not part of
> the
> MirrorMode configuration example?
Again, please read the docs:
http://www.openldap.org/doc/admin24/replication.html#MirrorMode
It specifically says:
"17.4.4.1. Mirror Node Configuration
This is the same as the Set up the provider slapd section."
where it links to the section that show the syncprov overlay config.
Please read the docs.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
Regarding LDAP Replication (Repost)
by ashish mahamuni
Hello Everybody,
I've one query regarding LDAP master/slave
configuration.
When we set up replication, we put the same root DN on the master as
well as on the slave. Also, if my organization has any unique
OID, that will also get replicated on the slave.
But as per my knowledge, ideally we should not use existing
OIDs and root DN (not sure about root DN)
because it could cause inconsistency.
How does this replication actually work?
Regards,
Ash