Syncprov & syncrepl indices
by Jaap Winius
Hi all,
When configuring a provider for replication with the syncprov option,
using the syncprov-sessionlog option requires searching for the
entryUUID attribute. While not a requirement, setting an eq index for
this attribute can improve the performance of the session log
considerably. For the same reason, setting an eq index for the
entryCSN attribute when using the syncprov-checkpoint option is also
recommended.
My question is in regard to the consumer. This documentation...
http://www.openldap.org/doc/admin24/replication.html#Syncrepl
... shows an example consumer configuration (18.3.1.3) that also
includes setting eq indices for entryCSN and entryUUID. Is this really
useful, or only if the consumer is configured to act as a provider as
well?
Thanks,
Jaap
11 years, 3 months
objectClass=posixAccount search anomaly.
by Prentice Bisbal
Dear OpenLDAP Tech list:
I can't tell if the problem below is with OpenLDAP, or nss_ldap. Since I
can reproduce the problem with the ldapsearch command, I'm inclined to
think it's with OpenLDAP. Any assistance will be greatly appreciated.
At the academic institution where I work, there are several different
departments that maintain their own LDAP directory:
dc=sns,dc=example,dc=edu
dc=math,dc=example,dc=edu
dc=itg,dc=example,dc=edu
dc=net,dc=example,dc=edu
and a top-level LDAP server that just contains referrals to the
individual dept servers:
dc=example,dc=edu
We are now looking to share access to systems without duplicating
account information in all the LDAP servers. So if someone from math
would like to log into an SNS system, they can authenticate against
their credentials in the math LDAP directory, and get their account
information from there, too.
We are using an RHEL 5.4-based Linux distro.
To facilitate this, I added this to my /etc/openldap/slapd.conf:
database ldap
suffix "dc=example,dc=edu"
uri ldaps://ldap.example.edu/
And in /etc/ldap.conf, I changed the base to dc=example, dc=edu. The
clients are still searching my local OpenLDAP server first.
After making these changes, 'getent passwd' no longer works correctly,
and these ldapsearches no longer return results:
ldapsearch -x objectClass=posixAccount
ldapsearch -x -b dc=example,dc=edu objectClass=posixAccount
ldapsearch -x -b dc=sns,dc=example,dc=edu objectClass=posixAccount
ldapsearch -x -b dc=math,dc=example,dc=edu objectClass=posixAccount
However, these ldapsearches work as expected:
ldapsearch -x objectClass=account
ldapsearch -x
ldapsearch -x objectClass=inetorgperson
ldapsearch -x objectClass=inetlocalmailrecipient
ldapsearch -x objectClass=top
ldapsearch -x -b dc=math,dc=example,dc=edu
Any ideas why the behavior is different for the posixAccount object
class vs. the other object classes? Are there any other configurations
for OpenLDAP that would achieve the same goal?
--
Prentice
11 years, 3 months
Syncrepl and rootdn
by Jaap Winius
Hi all,
This question has to do with syncrepl and the use of the rootdn option
in slapd.conf.
My understanding is that on a provider server (where writes are
possible), it is not necessary to use the rootdn option in slapd.conf.
Instead it is enough to have an account that only exists in the
directory, with ACLs that give it the same unrestricted access. This
works fine for me.
On syncrepl consumers a rootdn in the local slapd.conf is apparently
required (according to the man page for slapd.conf). Why is this, and
does it make a difference what the name of the account is? For
example, should it be the same as the binddn for syncrepl? For that
matter, should rootpw also be set, and should it then be the same as
the credentials value used for syncrepl?
Thanks,
Jaap
PS -- I'm using OpenLDAP 2.4.11-1 on Debian lenny.
11 years, 3 months
slapadd: database doesn't support necessary operations
by Sergey Kharlamov
Hi all! I'm a newbie with OpenLDAP.
I'm trying to set up OpenLDAP with the MySQL backend. I try to insert this LDIF file:
dn: o=test
objectclass: organization
o: tester
and get this error:
==>backsql_get_db_conn()
==>backsql_open_db_conn(4294967295)
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (DSN).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (Host).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (Trace).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (UserName).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (ReadOnly).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (RowVersioning).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (ShowSystemTables).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (ShowOidColumn).
[MYODBCUtilReadDataSource.c][243][ERROR] Unknown attribute (FakeOidIndex).
<==backsql_open_db_conn(4294967295)
backsql_open_db_conn(4294967295): connected, adding to tree.
<==backsql_get_db_conn()
==>backsql_load_schema_map()
backsql_load_schema_map(): oc_query "SELECT
id,name,keytbl,keycol,create_proc,delete_proc,expect_return FROM
ldap_oc_mappings"
backsql_load_schema_map(): at_query "SELECT
name,sel_expr,from_tbls,join_where,add_proc,delete_proc,param_order,expect_return,sel_expr_u
FROM ldap_attr_mappings WHERE oc_map_id=?"
<==backsql_load_schema_map()
==>backsql_free_db_conn()
backsql_free_db_conn(): closing db connection 4294967295 (0x8115530)
==>backsql_close_db_conn(4294967295)
<==backsql_close_db_conn(4294967295)
<==backsql_free_db_conn()
<==backsql_db_open(): test succeeded, schema map loaded
slapadd: database doesn't support necessary operations.
How can I fix that? Tell me if you need some more information.
--
---------------------------
Best Regards
Kharlamov Sergey
11 years, 3 months
Re: Re : OpenLDAP 2.4 - Problem with rewrite overlay
by Quanah Gibson-Mount
Please keep replies on the list.
--Quanah
--On Friday, December 18, 2009 2:36 AM -0800 KISTER RAPHAEL
<kraph(a)yahoo.com> wrote:
> Hello,
>
> My command to test the configuration is: su - openldap -c
> "/opt/openldap/sbin/slaptest -v -u -F /opt/donnees/etc/openldap/slapd.d/"
> If I use this command line, I don't get any error or warning: su -
> openldap -c "/opt/openldap/sbin/slaptest -v -u -f
> /opt/donnees/etc/openldap/slapd.conf -F
> /opt/donnees/etc/openldap/slapd.d/"
>
> But, when I want to start my OpenLDAP server, I get the same error. I
> am attaching the result of the start command.
>
>
> modulepath is commented out because all my modules are included in
> openldap. I tried to use modulepath and moduleload, but I still have the
> error.
>
> Best regards,
> Raphael KISTER
>
>
>
>
> ----- Original Message ----
> From: Quanah Gibson-Mount <quanah(a)zimbra.com>
> To: KISTER RAPHAEL <kraph(a)yahoo.com>; openldap-technical(a)openldap.org
> Sent: Wed 16 December 2009, 20:14:13
> Subject: Re: OpenLDAP 2.4 - Problem with rewrite overlay
>
> --On Wednesday, December 16, 2009 8:07 AM -0800 KISTER RAPHAEL
> <kraph(a)yahoo.com> wrote:
>
>> Hello,
>>
>> I have to configure an OpenLDAP directory that stores some
>> information about users and groups and that is a proxy to Active
>> Directory. To do this, I configured two suffixes on my OpenLDAP server: the
>> first one is to store information about users and groups and the second
>> is for the Active Directory proxy (the second suffix is embedded in the first
>> one).
>>
>> To configure the Active Directory proxy, I use an ldap backend with the rwm
>> overlay to rewrite some attributes and objectclasses.
>>
>> When I test my configuration with the slaptest binary, I get this error:
>> config error processing olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config:
>> <olcRwmMap> handler exited with 1 slaptest: bad configuration directory!
>
> What is your exact slaptest command? Why is modulepath commented out in
> your slapd.conf?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
>
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 3 months
Re: Re : OpenLDAP 2.4 - Problem with rewrite overlay
by Pierangelo Masarati
KISTER RAPHAEL wrote:
> Hello,
>
> Thank you for your response. I tried to test the config file without the microsoft.schema, but I still have the problem. If I delete all the rwm-map lines, OpenLDAP has a good configuration file and starts fine.
>
> The microsoft.schema is the file I found in the OpenLDAP source (I just put in this file the user objectclass, the sAMAccountName attribute and all the user class attributes).
>
> When I try to start OpenLDAP, I get the same error. I am attaching the result in the openldap_start.txt file.
Please keep replies in CC to the list.
I see your problem; it's when you restart the server using the
in-directory configuration. I can't investigate things further right
now; please file an ITS <http://www.openldap.org/its/>.
p.
11 years, 3 months
Half-created objects, objectClass: glue
by Peter Mogensen
Hi,
I have a group of objects in my DIT which seem to have been added at a
time when the server was under heavy write load.
They exist in a slapcat, but are not visible in a search.
They are not fully created but have:
objectClass: top
objectClass: glue
structuralObjectClass: glue
Should this happen?
slapd 2.4.20, BDB 4.8, using a back_hdb database.
/Peter
11 years, 3 months
Two index questions
by Jaap Winius
Hi all,
Today I have two questions involving indexing. First, my understanding
is that if a new index has been added to slapd.conf, it won't be used
until slapd is stopped, slapindex is run and slapd is started again.
However, if there aren't any entries yet in the database that carry a
new attribute to be indexed, then there's actually nothing to index.
Also, the man page for it states that "Slapindex is used to
regenerate slapd(8) indices based upon the current contents of a
database." Could this also be a hint that slapindex does need relevant
data to process before it can produce any indices? I expect to be
wrong about this, but I'd rather be sure.
Second, regarding consumers, if a new index is added to a provider,
does the same index also have to be added and (re)generated with
slapindex on its consumers before it will be available there as well?
I would expect so, but again, I'm not completely certain.
Thanks,
Jaap
11 years, 3 months
OpenLDAP 2.4 - Problem with rewrite overlay
by KISTER RAPHAEL
Hello,
I have to configure an OpenLDAP directory that stores some information about users and groups and that is a proxy to Active Directory.
To do this, I configured two suffixes on my OpenLDAP server: the first one is to store information about users and groups and the second is for the Active Directory proxy (the second suffix is embedded in the first one).
To configure the Active Directory proxy, I use an ldap backend with the rwm overlay to rewrite some attributes and objectclasses.
When I test my configuration with the slaptest binary, I get this error:
config error processing olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config: <olcRwmMap> handler exited with 1
slaptest: bad configuration directory!
I am on a CentOS 5.4 server with OpenLDAP 2.4.20 (compiled from sources) and Berkeley DB 4.6.21.
I'll give you my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
serverid 001
# Schema includes
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/nis.schema
include /opt/donnees/etc/openldap/schema/microsoft.schema
# Log level
loglevel -1
# The maximum number of entries that is returned for a search operation
sizelimit unlimited
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
# PID File
pidfile /opt/donnees/var/run/slapd.pid
argsfile /opt/donnees/var/run/slapd.args
# Load dynamic backend modules:
#modulepath /opt/openldap/lib
#moduleload back_hdb
#moduleload back_monitor
moduleload rwm
# Access control policy:
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to dn.base="" by * read
access to dn.subtree="cn=Monitor"
by dn.exact="cn=admin,cn=config" write
by users read
by * none
access to *
by self write
by dn="cn=admin,cn=config" write
by * none
# Backend configuration
backend hdb
#######################################################################
# BDB database definitions
#######################################################################
database monitor
# Dynamic Config
database config
rootdn "cn=admin,cn=config"
rootpw secret
#######################################################################
# Active Directory proxy configuration
database ldap
suffix ou=proxy,dc=my-company,dc=meta
rootdn "cn=admin,cn=config"
subordinate
uri ldap://192.168.44.88:389
lastmod off
acl-authcDN cn=admin,cn=config
acl-passwd secret
idassert-bind bindmethod="simple"
binddn="CN=srv_ldap,OU=Services-account,OU=Administration,dc=my-company,dc=local"
credentials="Azerty00"
mode="legacy"
overlay rwm
rwm-suffixmassage dc=my-company,dc=local
rwm-map attribute uid sAMAccountName
rwm-map attribute cn cn
rwm-map attribute displayName displayName
rwm-map attribute givenName givenName
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute userPassword userPassword
rwm-map attribute *
rwm-map objectclass inetOrgPerson user
#######################################################################
# Technical directory configuration (entitlements, partners, internet users)
database hdb
suffix "dc=my-company,dc=meta"
rootdn "cn=admin,cn=config"
directory "/opt/donnees/var/openldap-data"
checkpoint 512 30
dbconfig set_cachesize 0 128000000 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass,entryCSN,entryUUID eq
index uid pres,eq,sub
index sn pres,eq,sub
index mail pres,eq,sub
index cn pres,eq,sub
lastmod on
When I installed OpenLDAP on my server, I executed these commands:
CPPFLAGS="-I/usr/local/BerkeleyDB.4.6/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.6/lib"
./configure --prefix=/opt/openldap --enable-shared --enable-crypt=yes --enable-rewrite=yes
--enable-bdb=yes --enable-hdb=yes --enable-ldap=mod --enable-meta=mod --enable-monitor=yes
--enable-relay=mod --enable-overlays=yes --with-cyrus-sasl --with-threads=posix
--with-tls=openssl
make depend
make
make test
make install
What's wrong with my installation or my config file? Is this error an OpenLDAP bug?
Thank you for your help,
Raphaël KISTER
11 years, 3 months
changing userPassword from custom application
by Zdenek Styblik
Hello,
let's open up old wounds. Ok, it sounds jerky, but I don't mean it.
Anyway. As the subject suggests, my question is how to code an application
which allows a user to change his password. Or better to ask, whether there is
some [to me] unknown LDAP function which figures out what password
encryption [hash] is used and generates a new hash of the password, if the
application should have any idea at all what kind of password encryption is
used.
I think this is just impossible. Login is one thing, changing password
is another.
Please, don't suggest using % slappasswd; for generating the hash. This is
really not a good way to do it and also, % slappasswd; is not all-knowing,
or is it?
Yeah, it could save the need to code for whatever hash is used,
yet calling an external application, which doesn't even have to be present
on the system since LDAP can be used over the network, is just not funky enough.
Please, don't mind the tone if it doesn't look normal or neutral. There
is no intention to be offensive or flame, but to get the answer and
solution.
So far, I've implemented functions for CRYPT and later for SSHA. Users
can't choose what hash will be used - and of course, there is no such
intention. The point is, I haven't figured out another way. And it's not
just an application, but ldap-tools too. Add a new user? Use % slappasswd;
Change a password from the cmd-line? Use % slappasswd;
Regards,
Zdenek
PS: This question goes back a couple of months. I've tried to ask and
clarify this, but ... let's say it got lost in the static :)
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla(a)turnovfree.net
jabber: stybla(a)jabber.turnovfree.net
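Since the post asks how an application should produce the hash itself, here is an added example (mine, not from Zdenek's post or from OpenLDAP) that builds and verifies userPassword values in the {SSHA} form slappasswd emits, plus {SHA} and the {SSHA256}/{SSHA512} names used by OpenLDAP's pw-sha2 contrib module; the scheme table and function names are my own. The alternative that avoids client-side hashing altogether is the Password Modify extended operation (RFC 3062), with which the server applies its own password-hash setting.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Schemes handled: name -> (hashlib algorithm, salted?). {CRYPT} depends on the
# platform crypt(3) and is deliberately left out of this example.
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SSHA256": ("sha256", True),
    "SSHA512": ("sha512", True),
}

def make_userpassword(password, scheme="SSHA", salt=None):
    """Return the '{SCHEME}base64(digest || salt)' string slapd stores in userPassword."""
    algo, salted = _SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)  # fresh random salt per password, as slappasswd does
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def parse_userpassword(stored):
    """Split '{SSHA}...' into (scheme, raw bytes); (None, None) if not in that form."""
    if not stored.startswith("{") or "}" not in stored:
        return None, None
    end = stored.index("}")
    try:
        return stored[1:end].upper(), base64.b64decode(stored[end + 1:])
    except binascii.Error:
        return None, None

def verify_userpassword(stored, candidate):
    """Re-hash the candidate with the salt carried in the stored value and compare."""
    scheme, raw = parse_userpassword(stored)
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False
    digest, salt = raw[:dlen], (raw[dlen:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison
```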
11 years, 4 months