September 2008 - openldap-technical

Fw: Re: Differences between MirrorMode and 2-way mulit-master

by Pavlos Parissis

By mistake I replied to Gavin Henry and not the list, I am sorry for this. On Thu, 18 Sep 2008 20:40:17 +0100 (BST) Gavin Henry <ghenry(a)OpenLDAP.org> wrote: > > ----- "Pavlos Parissis" <p_pavlos(a)freemail.gr> wrote: > > > Hi all, > > > > I am experimenting with different replication configurations and I may > > have a rather silly question. > > > > Are any differences between a MirrorMode and 2 node Multi-Master > > replication? > > >From configuration point of view they look like the same, but are > > they? > > > > Reading the Admin guide I see that on the MirrorMode configuration > > example there are no syncpro overlay settings, shouldn't be? > > This explains it: > > http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replica... If I understood it correctly, on N-way Multi-Master replication any member can accept write operations while on MirrorMode only must|should accept write operations. I had a MirrorMode configured and I was able to send writes on both servers and each server was replicating the changes without problems. The test which I did was very simple, first add/remove an entry on the first and then add/remove an entry on the second. So, the above test made to wonder about the differences between MirrorMode and 2-way mulit-master. what is the reason on a MirrorMode replication to force all write operations to one of the members of the replication? BTW, what about the syncpro overlay settings which are not part of the MirrorMode configuration example? Thanks, Pavlos

14 years, 6 months

1
0
0 / 0

Differences between MirrorMode and 2-way mulit-master

by p_pavlos＠freemail.gr

Hi all, I am experimenting with different replication configurations and I may have a rather silly question. Are any differences between a MirrorMode and 2 node Multi-Master replication? >From configuration point of view they look like the same, but are they? Reading the Admin guide I see that on the MirrorMode configuration example there are no syncpro overlay settings, shouldn't be? Cheers, Pavlos

14 years, 6 months

1
0
0 / 0

Ldap and root access on workstations

by Nick Rathke

HI, I have what I hope is an easy question ( and I hope this is the right place to post this ). I have a situation where we are using openldap and a large number of users who also have local root level access to their own workstations. Is there a way in ldap to allow root access without letting them su to another user ? Is there some ACL that I can put into place that would prevent this ? -Nick

14 years, 6 months

5
6
0 / 0

Re: custom bind attribute

by Stefano Zanmarchi

Hi, what I am trying to achieve is to have both a Shibboleth IdP and an Imap server (that's why different IPs) authenticate against openldap, with different credentials. My aim is to let Openldap handle this difference and let the Imap and IdP server unaware of this, they'd just need to do a simple bind. Thanks again, Stefano

14 years, 6 months

2
1
0 / 0

Regarding LDAP Replication

by ashish mahamuni

Hello Everybody, I've one query regarding LDAP master/slave configuration. When we set replication,We put same base DN on master as well as on slave. Also If my organization have any unique OID that will also get replicated on slave. But as per my knowledge, ideally we should not use existing OID's and base DN's(not sure about base DN's) because it could cause inconsistency. How this replication works indeed? Regards, Ash Unlimited freedom, unlimited storage. Get it now, on http://help.yahoo.com/l/in/yahoo/mail/yahoomail/tools/tools-08.html/

14 years, 6 months

1
0
0 / 0

Re: pwd* Attributes and replication

by Eyal Marantenboim

Hi, here are the configs: Thanks! MASTER: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/openldap-2.4.11/etc/openldap/schema/core.schema include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /opt/openldap-2.4.11/var/run/slapd.pid argsfile /opt/openldap-2.4.11/var/run/slapd.args allow bind_v2 password-hash {MD5} database monitor # TLS configuration TLSCipherSuite HIGH:MEDIUM:TLSv1:+SSLv2:+SSLv3 TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt TLSCertificateFile /etc/openldap/ldap1.crt TLSCertificateKeyFile /etc/openldap/ldap1.key ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=empresa,dc=com" rootdn "cn=root,dc=empresa,dc=com" rootpw {SSHA}password # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /opt/openldap-2.4.11/var/openldap-data # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Database access list access to attrs=userPassword by self write by anonymous auth access to attrs=shadowLastChange by self write by * read access to * by * read # Replication overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # Password policies overlay ppolicy ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout # Access Logging overlay accesslog logdb cn=log logops bind logsuccess TRUE # Access DB database bdb suffix "cn=log" directory /opt/openldap-2.4.11/var/openldap-accesslog rootdn "cn=log" index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres # Syncrepl overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE SLAVE: # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/openldap-2.4.11/etc/openldap/schema/core.schema include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /opt/openldap-2.4.11/var/run/slapd.pid argsfile /opt/openldap-2.4.11/var/run/slapd.args allow bind_v2 password-hash {MD5} database monitor # TLS configuration TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt TLSCertificateFile /etc/openldap/ldap2.crt TLSCertificateKeyFile /etc/openldap/ldap2.key ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=empresa,dc=com" rootdn "cn=root,dc=empresa,dc=com" rootpw {SSHA}password # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /opt/openldap-2.4.11/var/openldap-data # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Database Access list access to * attrs=userPassword by self write by anonymous auth access to * attrs=shadowLastChange by self write by * read access to * by * read # Replication # Transparently proxy updates to master overlay chain chain-uri "ldap://ldap1.empresa.com" chain-idassert-bind bindmethod="simple" binddn="cn=root,dc=empresa,dc=com" credentials="password" mode="self" chain-tls start chain-return-error TRUE # Replication agent syncrepl rid=123 provider=ldaps://ldap1.empresa.com type=refreshOnly interval=00:00:01:00 searchbase="dc=empresa,dc=com" filter="(objectClass=*)" scope=sub attrs="*,+" schemachecking=on retry="60 10 300 3" bindmethod=simple binddn="cn=root,dc=empresa,dc=com" credentials=password # Refer updates to master updateref ldap://ldap1.empresa.com/ # Password policies overlay ppolicy ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout # Access Logging overlay accesslog logdb cn=log logops bind logsuccess TRUE # Access DB database bdb suffix "cn=log" directory /opt/openldap-2.4.11/var/openldap-accesslog rootdn "cn=log" index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres syncrepl rid=124 provider=ldaps://ldap1.empresa.com bindmethod=simple binddn="cn=root,dc=empresa,dc=com" credentials=password type=refreshOnly interval=00:00:01:00 filter="(objectClass=*)" retry="5 +" searchbase="cn=log" logbase="cn=log" syncdata=accesslog # type=refreshAndPersist # schemachecking=on updateref ldap://ldap1.empresa.com/ ----- Original Message ---- From: Gavin Henry <ghenry(a)OpenLDAP.org> To: Eyal Marantenboim <eyalmdiveo(a)yahoo.com> Cc: openldap-technical(a)openldap.org Sent: Monday, September 15, 2008 12:46:15 PM Subject: Re: pwd* Attributes and replication Eyal Marantenboim wrote: > Hi, > > We have 1 master and 1 secondary servers (version 2.4.11) using ppolicy. > When a user tries to bind with incorrect credential, the master server > gets populated with pwdFailureTime attribute. > After 4 times of entering wrong credentials, pwdAccountLockedTime is > added to that user. > > Our problem is that the secondary server (using syncrepl) is not > replicating the pwd* values. > I've noticed that neither entryCSN nor contextCSN are being updated (on > the master) when pwdFailureTime is added to the user (I'm not sure if it > should actually change). > But, when we change any other attribute (userPassword, etc) on the > master, that does change entryCSN, and all pwd* attributes do get > updated in the seconday server. > > appreciate your help. > Thanks! > Config? -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

14 years, 6 months

1
0
0 / 0

custom bind attribute

by Stefano Zanmarchi

Hi all, I'd like to let users bind against an attribute other than "userPassword". Is it possible or is userPassword hardcoded? Moreover I'd like to serve bind requests from one IP against "userPassword" and bind requests from another IP against another (custom) attribute. Is this possible by any chance? Thank you very much for your help, Stefano

14 years, 6 months

2
1
0 / 0

Migrating AD Users/Groups to samba-ldap server

by janskey

Hi All, I need advice on how i can pull down AD users/groups (password of each users) to samba-ldap server. I already configured my server using the howto: * http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10 * http://ubuntuforums.org/showthread.php?t=640760 I tried also ldifde to create ldif files and tried to populate in smbldap-tools. But it has an error, some sort of compatibility of ldif syntax. Our objective is to phase out or Win2003 AD server and user samba+ldap authentication scheme. cheers, janskey

14 years, 6 months

2
1
0 / 0

Active directory change notification using open ldap library: errorMessage: 00000057: LdapErr: DSID-0C09068F, comment: Error processing control, data 0, vece

by susant sahani

Hi , I am trying to syncing up with Active directory. When ever there is a change in active directory it should send the information. But It's keep on sending me this error message . errorMessage: 00000057: LdapErr: DSID-0C09068F, comment: Error processing control, data 0, vece LDAP_SERVER_NOTIFICATION_OID_W "1.2.840.113556.1.4.528" char* base="dc=ad,dc=hello123,dc=com"; char* filter="(objectClass=*)"; controls[0] = create_psearch_control (LDAP_SERVER_NOTIFICATION_OID_W, 1, 1); controls[1] = 0; ret = ldap_search_ext (ld, base, LDAP_SCOPE_SUBTREE, filter, 0, /* attrs */ 0, /* attrsonly */ controls, 0, /* clientctrls */ 0, /* timeout */ LDAP_NO_LIMIT, &msgid); while ((ret = ldap_result (ld, msgid, LDAP_MSG_RECEIVED, &timeout, &entries)) >= 0) { LDAPMessage *entry; LDAPControl **ec_controls; if (!ret) { printf ("Timed out\n"); continue; } } Please let me know what I am doing wrong. -- Thanks, Susant

14 years, 6 months

1
0
0 / 0

Syncrepl missing cn,sn and givenName

by Stelios A.

Hello all, I'm going mad with a problem during syncrepl. I have one master and one slave. When I add one entry to the master the record is replicated to the slave without a problem but without all fields and this is causing me problems as from a shell cannot resolve the user using for example the command 'id username'. That gives me an error, no such a user and cause further problems with existin email setup. Under master ldap everything works/resolves fine. If I manually add the whole tree of the master including the 'username' entry then it works fine. Master entry is like: dn: cn=Kostas Somelastname,ou=Users,dc=mydomain,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: person objectClass: organizationalPerson objectClass: top givenName: Kostas sn: Somelastname cn: Kostas Somelastname uid: kSomelastname userPassword: {MD5}gnzLDuqKcGxMNKFokfhOew== uidNumber: 1802 gidNumber: 100 homeDirectory: /home/kSomelastname loginShell: /bin/false mail: kSomelastname(a)mydomain.com and slave when replicated has: dn: cn=Kostas Somelastname,ou=Users,dc=mydomain,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: person objectClass: organizationalPerson objectClass: top uid: kSomelastname userPassword: {MD5}gnzLDuqKcGxMNKFokfhOew== uidNumber: 1802 gidNumber: 100 homeDirectory: /home/kSomelastname loginShell: /bin/false mail: kSomelastname(a)mydomain.com If you check the fields that missing from slave are: cn, sn and givenName My slave slapd.conf has: syncrepl rid=001 provider=ldap://192.168.1.110 type=refreshOnly interval=00:00:05:00 retry="30 10 600 20" searchbase="dc=mydomain,dc=com" attrs="*" scope=sub binddn="uid=syncrepl,ou=System,dc=mydomain,dc=com" credentials=smypassword updateref ldap://192.168.1.110 Any help is much appreciated. Thanks a lot

14 years, 6 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2008