It seems weird results are popping up faster than I can assemble
test-setups to reproduce.
I ran a test in mirrormode where I:
1) Took a slapcat-generated LDIF from a 2.3.x setup
2) Removed all entryCSN and contextCSN lines.
3) Ran "slapadd -S 1 -q -w -l ~/load_noCSN.ldif" on server-1
4) Did a "slapcat > toserver2.ldif" on server-1
5) Started server-1 and let applications create and modify objects.
6) Moved toserver2.ldif to server-2.
7) Ran slapadd -q -l toserver2.ldif on server-2
8) Started server-2
Now - I would expect the objects created in step 5 to appear after a
while on server-2. They are not.
The reason seems to be that the contextCSN has not been updated properly.
The contextCSN in the "toserver2.ldif" file from step 4 is:
The contextCSN on both servers is now:
The entry on server-1 having that entryCSN is a modified object,
however, the change has not been replicated to server-2.
Likewise, the entryCSN for one created object in step 5 is:
It is not present on server-2, but it appears TWICE in the result from
an ldapsearch (scope sub) on its parent object on server-1.
?!?! .. I'm lost.
From all I know this should not happen on a healthy setup - unless
there's something badly wrong with the procedure I've described above.
It's slapd 2.4.19 with BDB 4.8.
I am working in a test environment where I have dummy accounts in AD and
OpenLDAP. I happen to see that the AD schema has a userPrincipalName attribute and
this is missing in OpenLDAP. The application I am trying with is
strictly using UPN names, so integration with OpenLDAP is not going to work
unless UPN is added to the OpenLDAP schema. Can you please guide me in right
On Tue, Nov 24, 2009 at 10:40 PM, Jonathan Clarke <jonathan(a)phillipoux.net
> On 24/11/2009 10:17, Siddharth Sehjpal wrote:
>> Is it possible to use UPN (user principal name) in the bind request, My
>> application works fine with Microsoft AD but is giving invalid dn with
> UPN is an attribute specific to Microsoft AD. Unless you have explicitly
> added it to your OpenLDAP schema, and created entries that use it, then it
> can't work.
> What are you trying to achieve? Does your OpenLDAP server contain the same
> accounts as your Microsoft AD?
> Jonathan Clarke - jonathan(a)phillipoux.net
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
I have compiled Cyrus SASL 2.1.23 as
OpenLDAP 2.4.19 as
env CPPFLAGS="-I/Desktop/sasl/include/sasl" LDFLAGS="-L/Desktop/sasl/lib -R/Desktop/sasl/lib" ./configure --disable-slapd --disable-slurpd --with-ssl --with-cyrus-sasl
The compilation is successful and ldapsearch is working.
But if I copy the same OpenLDAP libs along with the Cyrus SASL libs to another system and try to use them, I am getting "ldap_sasl_interactive_bind_s : No such Mechanisms available"
Is there a way to give relative paths specific to a folder for CPPFLAGS and LDFLAGS?
Is it necessary to compile again in the second system?
I am using Mac OS X Leopard (10.5).
Please help me.
I have a huge LDIF file from openldap 2.3.30, which I try to load in a
2.4.19 mirrormode setup.
I've tried different ways to load it.
1) Load the LDIF on server 1 and wait for server 2 to replicate it.
- it takes several days and server-2 never seems to get all the way
and catch up with server 1.
2) Load the LDIF on both servers and start slapd.
- Afterwards not all entries created on server 1 are replicated to
So the first thing to rule out would be to ensure that I've loaded the
The entryCSN from the 2.3.30 server is in this format:
The two servers (server1/server2) in the 2.4.19 setup have sid 1, 2 and
rid 3,4 (cn=config replication has rid 1,2).
I loaded the LDIF like this on both servers:
$ slapadd -q -w -l backup-2.3.30.ldif
Is that enough to make replication start from a known state?
Could someone please exemplify a scenario where the -S option for
slapadd is needed?
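Both mirrormode posts above come down to the same check: does each server's contextCSN actually cover the entryCSN values it holds, and does the second server have every entry the first one has? Below is an added example (not code from either post or from the OpenLDAP project) that reads slapcat output, understands both the 2.3 CSN form (`YYYYmmddHHMMSSZ#count#sid#mod`, two-hex-digit sid) and the 2.4 form (microseconds and a three-hex-digit sid), and reports entries whose entryCSN is newer than the contextCSN recorded for the same sid, plus DNs missing from the second dump. The sample LDIF embedded at the bottom is constructed; its CSN values and the dc=example,dc=com suffix are made up.

```python
"""Check slapcat dumps for CSN inconsistencies between mirrormode servers.
Added example, not code from the list posts; the sample LDIF at the bottom is
constructed and its CSN values and dc=example,dc=com suffix are made up."""
import base64
import re

# 2.3 wrote YYYYmmddHHMMSSZ#count#sid#mod with a 2-hex-digit sid; 2.4 writes
# YYYYmmddHHMMSS.ffffffZ#count#sid#mod with microseconds and a 3-hex-digit sid.
CSN_RE = re.compile(
    r"^(?P<time>\d{14})(?:\.(?P<frac>\d{6}))?Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{2,3})#(?P<mod>[0-9a-fA-F]{6})$"
)

def parse_csn(csn):
    """Split a CSN into (time, fraction, count, sid, mod), sid as an int."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    return (m["time"], m["frac"] or "000000", m["count"].lower(),
            int(m["sid"], 16), m["mod"].lower())

def csn_key(csn):
    """Ordering key (time, fraction, count, mod) that works across the 2.3 and
    2.4 forms. The sid is left out: contextCSN is kept per sid, so only values
    with the same sid are ever compared."""
    t, f, c, _sid, mod = parse_csn(csn)
    return (t, f, c, mod)

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 values
    and returns a list of {'dn': str, 'attrs': {lowercase name: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:
        if not line:
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if cur is None:
            cur = {"dn": None, "attrs": {}}
        if name.lower() == "dn":
            cur["dn"] = value
        else:
            cur["attrs"].setdefault(name.lower(), []).append(value)
    return entries

def context_csns(entries):
    """sid -> contextCSN, taken from whichever entry carries contextCSN."""
    out = {}
    for e in entries:
        for v in e["attrs"].get("contextcsn", []):
            out[parse_csn(v)[3]] = v
    return out

def entries_ahead_of_context(entries):
    """DNs whose entryCSN is newer than the contextCSN recorded for the same
    sid, or whose sid has no contextCSN at all. That is the state the posts
    describe: the provider's contextCSN lags behind an entry it holds."""
    ctx = context_csns(entries)
    ahead = []
    for e in entries:
        for v in e["attrs"].get("entrycsn", []):
            sid = parse_csn(v)[3]
            if sid not in ctx or csn_key(v) > csn_key(ctx[sid]):
                ahead.append(e["dn"])
    return ahead

def missing_on(provider, consumer):
    """DNs present in the first dump but absent from the second."""
    have = {e["dn"].lower() for e in consumer}
    return [e["dn"] for e in provider if e["dn"].lower() not in have]

# Constructed sample: a 2.3-style entryCSN on the suffix entry, 2.4-style CSNs
# below it, and one entry that was changed after contextCSN was last written.
SERVER1_LDIF = """\
dn: dc=example,dc=com
dc: example
entryCSN: 20091101120000Z#000001#00#000000
contextCSN: 20091101120000.000000Z#000001#000#000000
contextCSN: 20091124101500.000000Z#000000#001#000000

dn: ou=People,dc=example,dc=com
ou: People
entryCSN: 20091124101500.000000Z#000000#001#000000

dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
cn:: bmV3IHVzZXI=
entryCSN: 20091124103000.123456Z#000000#001#000000
"""
# server-2 never received the last entry.
SERVER2_LDIF = "\n\n".join(SERVER1_LDIF.split("\n\n")[:2]) + "\n"
```

On real dumps, read each `slapcat` file into `parse_ldif`, then call `entries_ahead_of_context` on the server-1 dump and `missing_on` with the two dumps; an entry reported by the first function is one that a consumer syncing from the recorded contextCSN would not be told about, which matches the symptom in the first post. The reader only handles the LDIF features slapcat emits (folded lines and base64 values), not change records.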
My slides from last month's Kerberos Conference are now available online.
The files used in my demo are attached here:
cf.ldif - a basic slapd configuration: use with
slapadd -F <path/to>/slapd.d -l cf.ldif -n0
kerberos.ldif - the MIT KDC schema
addkrb.sh - simple steps to load KDC schema into slapd
/etc/krb5.conf - config file for MIT Kerberos
initkdc.sh - commands to initialize the KDC
addprinc.sh - commands to add Kerberos attributes to an LDAP user
It took about 5 minutes to walk through these steps during the presentation;
most of that time was spent explaining the steps... Actually doing the work is
about 30 seconds.
-------- Original Message --------
Subject: [Mitkc-announce] Kerberos Conference Slides, Release 1.8
Date: Thu, 19 Nov 2009 14:19:43 -0500
From: Stephen Buckley <sbuckley(a)mit.edu>
We have put the slides from our Kerberos Conference up on our web site at:
Keynoters included Kim Cameron, Chief Architect for Identity at Microsoft.
Also, the 1.8 release feature set is now complete and documented at:
We are on track to deliver 1.8 in March 2010.
We also started a blog
Lastly, a reminder that we try to provide some useful documentation and
Stephen C. Buckley
MIT Kerberos Consortium
Perhaps someone can point me in the right direction here. Using just
simple binds (for now), I am trying to allow users to bind with just a
username or e-mail address and have OpenLDAP rewrite their bind to a
more complex DN for them before checking against userPassword.
Is there a way to do this?
I have tried playing with olcAuthIDRewrite and olcRwmRewrite but I must
be doing something incorrectly.
Thanks, we ended up taking your second suggestion.
When we tried to create the parent objects, we were given an error that they
already existed. When we tried to query, modify or delete them, it returned an
error that they did not exist. (bizarre)
The exported LDIF's did not contain any of these branches, and we were
2009/11/20 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Friday, November 20, 2009 6:13 PM -0500 Dave Smith <dave.smith.to@
> gmail.com> wrote:
> I hope someone can help...
>> As I say we need to quickly remove these objects. Can anyone give some
> Create the parents, delete the children, delete the parents?
> Or, slapcat, fix the LDIF, reload.
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> Zimbra :: the leader in open source messaging and collaboration
Using OpenLDAP 2.4.18:
Anytime I try to put something/anything in the attribute
olcAuthIDRewrite for dn: cn=config I get:
conn=1 op=8 MOD dn="cn=config"
conn=1 op=8 MOD attr=olcAuthIDRewrite
conn=1 op=8 RESULT tag=103 err=80 text=<olcAuthIDRewrite> handler exited
Am I putting in the wrong data? I've tried all sorts of combinations,
I can't seem to find much documentation on the whole thing either.
Thanks for any pointers.
I hope someone can help...
We have a directory with a few objects that don't seem to have parents.
We're not sure how they got in there. They could have been added using
ldapmodify, or our application could have added them via JNDI. This is one
of the DN's:
We are fairly sure the organizational units ou=profile,ou=prod never
existed, yet the P_SUPER object was created, and is returned in a search. We
need to remove these entries in a hurry so I put together this LDIF...
but the ldapmodify gives this error...
ldap_delete: Other (e.g., implementation specific) error (80)
additional info: could not locate parent of entry
As I say we need to quickly remove these objects. Can anyone give some