Fw: Re: Differences between MirrorMode and 2-way multi-master
by Pavlos Parissis
By mistake I replied to Gavin Henry and not the list, I am sorry for this.
On Thu, 18 Sep 2008 20:40:17 +0100 (BST)
Gavin Henry <ghenry(a)OpenLDAP.org> wrote:
>
> ----- "Pavlos Parissis" <p_pavlos(a)freemail.gr> wrote:
>
> > Hi all,
> >
> > I am experimenting with different replication configurations and I may
> > have a rather silly question.
> >
> > Are there any differences between a MirrorMode and 2 node Multi-Master
> > replication?
> > From a configuration point of view they look the same, but are
> > they?
> >
> > Reading the Admin guide I see that on the MirrorMode configuration
> > example there are no syncprov overlay settings; shouldn't there be?
>
> This explains it:
>
> http://www.openldap.org/doc/admin24/replication.html#MirrorMode%20replica...
If I understood it correctly, on N-way Multi-Master replication any member can
accept write operations, while on MirrorMode only one must|should accept write
operations.
I had a MirrorMode configured and I was able to send writes to
both servers and each server was replicating the changes without problems.
The test which I did was very simple: first add/remove an entry on the first
and then add/remove an entry on the second.
So, the above test made me wonder about the differences between MirrorMode and
2-way multi-master.
What is the reason on a MirrorMode replication to force all write operations to
one of the members of the replication?
BTW, what about the syncprov overlay settings which are not part of the
MirrorMode configuration example?
Thanks,
Pavlos
Differences between MirrorMode and 2-way multi-master
by p_pavlos@freemail.gr
Hi all,
I am experimenting with different replication configurations and I may have a rather silly question.
Are there any differences between a MirrorMode and 2 node Multi-Master replication?
From a configuration point of view they look the same, but are they?
Reading the Admin guide I see that on the MirrorMode configuration example there are no syncprov overlay settings; shouldn't there be?
Cheers,
Pavlos
Ldap and root access on workstations
by Nick Rathke
Hi,
I have what I hope is an easy question (and I hope this is the right place
to post this).
I have a situation where we are using OpenLDAP and a large number of users
who also have local root level access to their own workstations.
Is there a way in LDAP to allow root access without letting them su to
another user? Is there some ACL that I can put into place that would
prevent this?
-Nick
Re: custom bind attribute
by Stefano Zanmarchi
Hi,
what I am trying to achieve is to have both a Shibboleth IdP and an IMAP server
(that's why different IPs) authenticate against OpenLDAP, with different
credentials.
My aim is to let OpenLDAP handle this difference and let the IMAP and IdP
servers be unaware of it; they'd just need to do a simple bind.
Thanks again,
Stefano
Regarding LDAP Replication
by ashish mahamuni
Hello Everybody,
I have one query regarding LDAP master/slave configuration.
When we set up replication, we put the same base DN on the master as well as on the slave. Also, if my organization has any unique OID, that will also get replicated on the slave.
But as per my knowledge, ideally we should not use existing OIDs and base DNs (not sure about base DNs) because it could cause inconsistency.
How does this replication actually work?
Regards,
Ash
Re: pwd* Attributes and replication
by Eyal Marantenboim
Hi,
here are the configs:
Thanks!
MASTER:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/openldap-2.4.11/etc/openldap/schema/core.schema
include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema
include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema
include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema
include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema
include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema
include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema
include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema
include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema
include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /opt/openldap-2.4.11/var/run/slapd.pid
argsfile /opt/openldap-2.4.11/var/run/slapd.args
allow bind_v2
password-hash {MD5}
database monitor
# TLS configuration
TLSCipherSuite HIGH:MEDIUM:TLSv1:+SSLv2:+SSLv3
TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt
TLSCertificateFile /etc/openldap/ldap1.crt
TLSCertificateKeyFile /etc/openldap/ldap1.key
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=empresa,dc=com"
rootdn "cn=root,dc=empresa,dc=com"
rootpw {SSHA}password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /opt/openldap-2.4.11/var/openldap-data
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Database access list
access to attrs=userPassword
by self write
by anonymous auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
# Replication
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Password policies
overlay ppolicy
ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
# Access Logging
overlay accesslog
logdb cn=log
logops bind
logsuccess TRUE
# Access DB
database bdb
suffix "cn=log"
directory /opt/openldap-2.4.11/var/openldap-accesslog
rootdn "cn=log"
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres
# Syncrepl
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
SLAVE:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /opt/openldap-2.4.11/etc/openldap/schema/core.schema
include /opt/openldap-2.4.11/etc/openldap/schema/cosine.schema
include /opt/openldap-2.4.11/etc/openldap/schema/inetorgperson.schema
include /opt/openldap-2.4.11/etc/openldap/schema/dnszone.schema
include /opt/openldap-2.4.11/etc/openldap/schema/nis.schema
include /opt/openldap-2.4.11/etc/openldap/schema/sudo.schema
include /opt/openldap-2.4.11/etc/openldap/schema/DUAConfigProfile.schema
include /opt/openldap-2.4.11/etc/openldap/schema/solaris.schema
include /opt/openldap-2.4.11/etc/openldap/schema/ppolicy.schema
include /opt/openldap-2.4.11/etc/openldap/schema/autofs.schema
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /opt/openldap-2.4.11/var/run/slapd.pid
argsfile /opt/openldap-2.4.11/var/run/slapd.args
allow bind_v2
password-hash {MD5}
database monitor
# TLS configuration
TLSCACertificateFile /etc/openldap/cacerts/ca-ldap.crt
TLSCertificateFile /etc/openldap/ldap2.crt
TLSCertificateKeyFile /etc/openldap/ldap2.key
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=empresa,dc=com"
rootdn "cn=root,dc=empresa,dc=com"
rootpw {SSHA}password
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /opt/openldap-2.4.11/var/openldap-data
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Database Access list
access to * attrs=userPassword
by self write
by anonymous auth
access to * attrs=shadowLastChange
by self write
by * read
access to * by * read
# Replication
# Transparently proxy updates to master
overlay chain
chain-uri "ldap://ldap1.empresa.com"
chain-idassert-bind bindmethod="simple"
binddn="cn=root,dc=empresa,dc=com"
credentials="password"
mode="self"
chain-tls start
chain-return-error TRUE
# Replication agent
syncrepl rid=123
provider=ldaps://ldap1.empresa.com
type=refreshOnly
interval=00:00:01:00
searchbase="dc=empresa,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*,+"
schemachecking=on
retry="60 10 300 3"
bindmethod=simple
binddn="cn=root,dc=empresa,dc=com"
credentials=password
# Refer updates to master
updateref ldap://ldap1.empresa.com/
# Password policies
overlay ppolicy
ppolicy_default "cn=Password,ou=Policies,dc=empresa,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
# Access Logging
overlay accesslog
logdb cn=log
logops bind
logsuccess TRUE
# Access DB
database bdb
suffix "cn=log"
directory /opt/openldap-2.4.11/var/openldap-accesslog
rootdn "cn=log"
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart, eq,pres
syncrepl rid=124
provider=ldaps://ldap1.empresa.com
bindmethod=simple
binddn="cn=root,dc=empresa,dc=com"
credentials=password
type=refreshOnly
interval=00:00:01:00
filter="(objectClass=*)"
retry="5 +"
searchbase="cn=log"
logbase="cn=log"
syncdata=accesslog
# type=refreshAndPersist
# schemachecking=on
updateref ldap://ldap1.empresa.com/
----- Original Message ----
From: Gavin Henry <ghenry(a)OpenLDAP.org>
To: Eyal Marantenboim <eyalmdiveo(a)yahoo.com>
Cc: openldap-technical(a)openldap.org
Sent: Monday, September 15, 2008 12:46:15 PM
Subject: Re: pwd* Attributes and replication
Eyal Marantenboim wrote:
> Hi,
>
> We have 1 master and 1 secondary server (version 2.4.11) using ppolicy.
> When a user tries to bind with incorrect credential, the master server
> gets populated with pwdFailureTime attribute.
> After 4 times of entering wrong credentials, pwdAccountLockedTime is
> added to that user.
>
> Our problem is that the secondary server (using syncrepl) is not
> replicating the pwd* values.
> I've noticed that neither entryCSN nor contextCSN are being updated (on
> the master) when pwdFailureTime is added to the user (I'm not sure if it
> should actually change).
> But, when we change any other attribute (userPassword, etc.) on the
> master, that does change entryCSN, and all pwd* attributes do get
> updated in the secondary server.
>
> Appreciate your help.
> Thanks!
>
Config?
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
custom bind attribute
by Stefano Zanmarchi
Hi all,
I'd like to let users bind against an attribute other than "userPassword".
Is it possible or is userPassword hardcoded?
Moreover I'd like to serve bind requests from one IP against
"userPassword" and bind requests from another IP against another
(custom) attribute. Is this possible by any chance?
Thank you very much for your help,
Stefano
Active directory change notification using open ldap library: errorMessage: 00000057: LdapErr: DSID-0C09068F, comment: Error processing control, data 0, vece
by susant sahani
Hi,
I am trying to sync up with Active Directory. Whenever there
is a change in Active Directory it should send the information.
But it keeps sending me this error message:
errorMessage: 00000057: LdapErr: DSID-0C09068F, comment: Error processing
control, data 0, vece
#define LDAP_SERVER_NOTIFICATION_OID_W "1.2.840.113556.1.4.528"

char *base = "dc=ad,dc=hello123,dc=com";
char *filter = "(objectClass=*)";

/* create_psearch_control() is the poster's own helper; its body is not shown here. */
controls[0] = create_psearch_control(LDAP_SERVER_NOTIFICATION_OID_W, 1, 1);
controls[1] = NULL;

ret = ldap_search_ext(ld, base,
                      LDAP_SCOPE_SUBTREE,
                      filter,
                      NULL,          /* attrs */
                      0,             /* attrsonly */
                      controls,      /* serverctrls */
                      NULL,          /* clientctrls */
                      NULL,          /* timeout */
                      LDAP_NO_LIMIT,
                      &msgid);

/* timeout and entries are declared elsewhere in the poster's program */
while ((ret = ldap_result(ld, msgid, LDAP_MSG_RECEIVED, &timeout, &entries)) >= 0) {
    LDAPMessage *entry;
    LDAPControl **ec_controls;
    if (!ret) {
        printf("Timed out\n");
        continue;
    }
}
Please let me know what I am doing wrong.
--
Thanks,
Susant
Syncrepl missing cn,sn and givenName
by Stelios A.
Hello all,
I'm going mad with a problem during syncrepl.
I have one master and one slave.
When I add one entry to the master the record is replicated to the
slave without a problem, but without all fields, and this is causing me
problems as from a shell I cannot resolve the user using, for example, the
command 'id username'. That gives me an error, no such user, and
causes further problems with the existing email setup. Under the master LDAP
everything works/resolves fine.
If I manually add the whole tree of the master including the
'username' entry then it works fine.
Master entry is like:
dn: cn=Kostas Somelastname,ou=Users,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: top
givenName: Kostas
sn: Somelastname
cn: Kostas Somelastname
uid: kSomelastname
userPassword: {MD5}gnzLDuqKcGxMNKFokfhOew==
uidNumber: 1802
gidNumber: 100
homeDirectory: /home/kSomelastname
loginShell: /bin/false
mail: kSomelastname(a)mydomain.com
and slave when replicated has:
dn: cn=Kostas Somelastname,ou=Users,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: top
uid: kSomelastname
userPassword: {MD5}gnzLDuqKcGxMNKFokfhOew==
uidNumber: 1802
gidNumber: 100
homeDirectory: /home/kSomelastname
loginShell: /bin/false
mail: kSomelastname(a)mydomain.com
If you check, the fields that are missing from the slave are:
cn, sn and givenName
My slave slapd.conf has:
syncrepl rid=001
provider=ldap://192.168.1.110
type=refreshOnly
interval=00:00:05:00
retry="30 10 600 20"
searchbase="dc=mydomain,dc=com"
attrs="*"
scope=sub
binddn="uid=syncrepl,ou=System,dc=mydomain,dc=com"
credentials=smypassword
updateref ldap://192.168.1.110
Any help is much appreciated.
Thanks a lot
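The two replication threads above (pwd* attributes not reaching the consumer, and cn/sn/givenName missing on the slave) both come down to comparing what the provider holds with what the consumer actually received. The script below is an added example, not code from OpenLDAP or from either poster: it diffs two LDIF exports (for instance from slapcat on each side) and lists, per DN, the attributes the consumer lacks, also noting when both copies carry the same entryCSN, which is the case where a cookie-based syncrepl refresh has nothing to re-send. The sample LDIF is constructed from the entry quoted in the last thread, trimmed, with an invented entryCSN.

```python
def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}; folded lines joined, '::' base64 left undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = {}, {}, None
    for line in lines + [""]:                      # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return entries

def consumer_gaps(provider_ldif, consumer_ldif):
    """Per DN: attributes the consumer lacks, plus whether both sides show the same entryCSN."""
    prov, cons = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    report = {}
    for dn, pattrs in prov.items():
        cattrs = cons.get(dn, {})                  # {} if the entry is absent entirely
        have = {a.lower() for a in cattrs}
        missing = sorted(a for a in pattrs if a.lower() not in have)
        if missing:
            report[dn] = {"missing": missing, "same_csn": pattrs.get("entryCSN") == cattrs.get("entryCSN")}
    return report

# Constructed sample: the entry quoted in the thread, trimmed, with an invented entryCSN on both sides.
PROVIDER = """dn: cn=Kostas Somelastname,ou=Users,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
givenName: Kostas
sn: Somelastname
cn: Kostas Somelastname
uid: kSomelastname
entryCSN: 20080918120000.000000Z#000000#000#000000
"""
CONSUMER = """dn: cn=Kostas Somelastname,ou=Users,dc=mydomain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: kSomelastname
entryCSN: 20080918120000.000000Z#000000#000#000000
"""
```

Run it as `consumer_gaps(open("provider.ldif").read(), open("consumer.ldif").read())` against real exports; an entry reported with the same entryCSN on both sides will not be repaired by waiting for the next refresh interval.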