olcSyncprovConfig not converted for cn=config
by Oliver Liebel
Using OpenLDAP 2.4.14 (compiled from the openldap.org source package),
I have noticed the following, reproducible behaviour when converting
a slapd.conf to slapd.d:
olcSyncprovConfig is generated during conversion for the hdb context,
but not for cn=config,
although "overlay syncprov" is set for database config.
I tested the conversion several times with slaptest and slapd, with the
following simple example slapd.conf. The result always seems to be the
same.
---
include /usr/local/etc/openldap/schema/core.schema
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to *
by * read
#####################################
database config
rootdn cn=config
rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q
overlay syncprov
#####################################
database hdb
suffix "dc=local,dc=site"
checkpoint 1024 5
cachesize 10000
rootdn "cn=ldapadmin,dc=local,dc=site"
rootpw {SSHA}4PvZLcpQ7s1CyQG+yworyl5DcrFTn78q
directory /var/lib/ldap
index objectClass eq
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 10 1
syncprov-sessionlog 100
---
any ideas?
thanks and greetings,
oliver
Syncrepl master/master on RedHat4 Update 5 - where's the library?
by Mathew Rowley
I am trying to test the master/master replication architecture. When
following the documentation from:
http://www.openldap.org/doc/admin24/replication.html it shows:
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: syncprov.la
When looking on my system, neither that file nor the directory exists. I then
looked into the slapd.conf file to see where the other libraries were:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
Again, neither that directory nor the module exists.
I then thought there may be some option in the source that needs to be
enabled to build the syncprov library, but I found nothing. I do see that
there is a patch for syncrepl-uuid which would make me think that the
package is being built with syncrepl capability. How do I move forward? Do
I need that library loaded? I did find this:
https://bugzilla.redhat.com/show_bug.cgi?id=466937 which states:
syncprov is compiled statically into slapd daemon to keep backward
compatibility, I forgot to remove it from the config file.
Does that mean the library is loaded by default, and doesn't explicitly need
to be set to load? Thanks for any help.
--
MAT
N-way multimaster replication with 2 masters
by Adrien Futschik
Hi again!
Still testing n-way multimaster replication with 2 masters.
I encountered a situation where my two masters were out of sync.
Here is the deal:
I have M1 (serverID=1) & M2 (serverID=2) synced and I am performing adds/modifies
to both M1 & M2.
1) I stop M2 and make a backup of it with slapcat.
2) I then restart M2.
3) I continue to make updates on M1 & M2.
4) I then stop (kill -INT PID) M2.
5) I continue to make updates on M1.
6) I then delete all *.bdb etc. files from M2.
7) I use the LDIF backup (see 1)) to restore M2 and then restart it.
8) Restart M2.
9) All entries modified/added during phase 5) are successfully replicated to M2,
but all entries modified/added on M2 during phase 3) are not replicated on M2.
This is because those entries have an entryCSN mentioning that these entries
were last modified/created on M2
(ex: entryCSN: 20090219091852.789559Z#000000#002#000000)
So M1 doesn't send them back to M2 even though they aren't present on M2.
The trick I used to force M1 to send these entries to M2 is to change the
serverID of M2. In fact, it is like setting up a whole new master. So I
changed cn=config olcServerID from M1 before restarting M2 (before 8)) and I
modified /appli/projects/m2/openldap_2.4.14/conf/slapd.d/cn=config.ldif also.
This is the only way I found to make sure that M1 & M2 are really the same
again.
Any other suggestions? I didn't find anything in the documentation about
that, maybe I missed it.
Adrien
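The entries the post above says were not replicated are exactly those whose entryCSN carries M2's own serverID. The following helper, added here and not part of the thread, parses entryCSN values in the 2.4 format quoted in the post and lists the DNs on one master whose last change carries the other master's serverID and which that master is missing or holds at an older CSN. The DN -> entryCSN maps are constructed sample data (in practice they would come from slapcat output of each master); the CSN for cn=a is the value quoted in the post.

```python
import re
from dataclasses import dataclass

# entryCSN layout in OpenLDAP 2.4: <UTC time>.<usec>Z#<count>#<sid>#<mod>,
# e.g. the value quoted in the post: 20090219091852.789559Z#000000#002#000000
CSN_RE = re.compile(
    r"^(?P<time>\d{14}\.\d{6})Z#(?P<count>[0-9a-f]{6})#(?P<sid>[0-9a-f]{3})#(?P<mod>[0-9a-f]{6})$",
    re.IGNORECASE,
)

@dataclass(frozen=True, order=True)
class CSN:
    time: str   # fixed width, so string order is chronological order
    count: int
    sid: int    # serverID of the master that made the change
    mod: int

def parse_csn(value: str) -> CSN:
    m = CSN_RE.match(value)
    if not m:
        raise ValueError(f"not an entryCSN: {value!r}")
    return CSN(m["time"], int(m["count"], 16), int(m["sid"], 16), int(m["mod"], 16))

def stale_on_consumer(provider: dict, consumer: dict, consumer_sid: int) -> list:
    """DNs present on the provider whose latest change carries the consumer's own
    serverID and which the consumer is missing or holds at an older entryCSN.
    Both arguments map DN -> entryCSN string."""
    stale = []
    for dn, raw in provider.items():
        csn = parse_csn(raw)
        if csn.sid != consumer_sid:
            continue
        have = consumer.get(dn)
        if have is None or parse_csn(have) < csn:
            stale.append(dn)
    return sorted(stale)

# Constructed sample: M1 (serverID=1) after step 5, and M2 (serverID=2) as just
# restored from the step-1 backup. cn=b was last written on M1, the others on M2.
M1 = {
    "cn=a,dc=local,dc=site": "20090219091852.789559Z#000000#002#000000",
    "cn=b,dc=local,dc=site": "20090219100000.000000Z#000000#001#000000",
    "cn=c,dc=local,dc=site": "20090219103000.000000Z#000000#002#000000",
}
M2_RESTORED = {
    "cn=a,dc=local,dc=site": "20090219080000.000000Z#000000#002#000000",
    "cn=b,dc=local,dc=site": "20090219100000.000000Z#000000#001#000000",
}

if __name__ == "__main__":
    for dn in stale_on_consumer(M1, M2_RESTORED, consumer_sid=2):
        print("last written on M2 but missing/older there:", dn)
```

Running such a comparison after a restore tells you which entries need a manual resync before the two masters can be trusted to agree.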
N-way multimaster error code 53 - shadow context
by Adrien Futschik
Hi!
It's me again :)
I am still testing n-way multi-master replication with OpenLDAP 2.4.14. I
don't know why I could modify my olcSyncrepl attribute from my data bdb.
I am binding with cn=config, and I can modify the olcSyncrepl attribute from
olcDatabase={0}config, but not from olcDatabase={1}bdb!
I am getting this error:
08:57:25: Failed to update entry olcDatabase={1}bdb, cn=config
Reason: [LDAP: error code 53 - shadow context; no update referral]
This happens on both masters. Is this supposed to be like that? I have
configured cn=config to replicate, this should work, right?
Adrien
Usermod problems with ldap
by okossuth@antel.com.uy
Hi,
I'm having a problem dealing with usermod and groups stored on my openldap 2.3 server.
when I try to change the supplementary group of a user I do:
vmlx-jboss-desa:/home # usermod -D 'cn=admin,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy' -G mysql okossuth
Enter LDAP Password:
LDAP information update failed: Object class violation
usermod: User not added to LDAP group `mysql'.
vmlx-jboss-desa:/home #
I looked into the log of my ldap server and I saw this error:
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify: cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: add member
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace entryCSN
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace modifiersName
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: bdb_modify_internal: replace modifyTimestamp
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: Entry (cn=mysql,ou=Grupos,ou=Teleinformatica,dc=vmlx-ldapauth-test,dc=in.iantel.com.uy), attribute 'member' not allowed
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: entry failed schema check: attribute 'member' not allowed
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: send_ldap_result: err=65 matched="" text="attribute 'member' not allowed"
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: connection_get(40)
Feb 17 17:17:07 vmlx-ldapauth-test slapd[2800]: connection_get(35)
The groups that I have created on the ldap server don't have the member attribute, only the memberUid...
Any ideas on how to solve this problem with usermod???
thanks.
Saludos,
Oskar Kossuth
Administrador UNIX
ANTEL Telecomunicaciones
DO script IF ldap-useraccount GETS LOCKED ...
by Axel Werner
Hi Gurus out there!
Is there a way to have OpenLDAP start a script that kicks in whenever an
LDAP user object gets locked down? (through a manual lock OR, more
important, through intruder detection / x failed logon attempts)
My problem is that whenever an LDAP account gets locked because of
exceeding the max. failed logon attempts, the corresponding SAMBA account
(same LDAP object) is still "unlocked". So although the user cannot
log back in to LDAP, he is still able to log in on a Windows workstation
(samba) and reset his password. But resetting his SAMBA password through
a Windows PC also resets his LDAP password through
password synchronisation. That means that his locked LDAP account is
again "unlocked" because Samba's LDAP admin reset the password of my
locked LDAP user.
So I want to make sure that if he fucks up his LDAP account, his SAMBA
account will also be disabled.
Some hook for a custom script would be fine. But is there something like
that?
Any other ideas how to manage that?
greetings
Axel
Re: N-way replication "dn_callback : entries have identical CSN"
by Jonathan Clarke
On Wed 18 February 2009 09:24, Adrien Futschik wrote:
> I then switched to OpenLDAP 2.4.14 and did not have the problem anymore
> (same
> configuration). I guess this was a bug from 2.4.11.
>
> Still, I had a few of these messages in the log:
> conn=9 op=1 => bdb_dn2id_add
> dn="cn=M2client2(a)laposte.net,ou=clients,o=edf,c=fr" ID=0xb: put failed:
> DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock -30995
>
> but I also got a few of these:
> dn_callback : entries have identical CSN
> cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr
> 20090217155418.854085Z#000000#002#000000
> syncrepl_entry: rid=004 be_search (0)
> syncrepl_entry: rid=004 cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr
> syncrepl_entry: rid=004 entry unchanged, ignored
> (cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr)
> do_syncrep2: cookie=rid=004,sid=002
> syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
>
> Can anyone explain to me why ? is this normal ?
> The dn_callback message comes from the master log-file where
> "cn=M2client20(a)laposte.net,ou=clients,o=edf,c=fr" was inserted.
I don't know about the DB_LOCK_DEADLOCK message, but "entries have
identical CSN" means that your syncrepl consumer received an entry that is
identical to one already present in your DB.
This may happen when resynching a database, or it could be that your
multi-master setup is causing each server to feed updates back to itself.
Make sure the URLs in your syncrepl declarations match the listener URLs
to slapd (-h option).
Jonathan
Re: N-way multi-master replication
by Gavin Henry
----- "Adrien Futschik" <adrien.futschik(a)atosorigin.com> wrote:
> I am testing Multi-master replication with two masters.
>
> If I stop one of them and don't restart it before the end of retry
> interval,
> the replication process doesn't work anymore. (looks like it is
> stopped).
>
> example:
> - M1 & M2 are synchronised.
> - stop M2
> - add entries to M1
> - wait for retry to fail (retry="5 5 300 5")
> - restart M2
> - previously added entries to M1 are replicated to M2
> - modifying M2 (attributes) are not replicated to M1
>
> It looks like M1 -> M2 : OK and M2 -> M1 : broken
>
> Is there a way to restart replication after configured retry are over
> ? The
> solution I found was to restart M1. After that everything seems to
> work fine.
>
> I could set up retry so that the number of retries is very high, but I
> was
> wondering if there was a way to restart synchronisation online.
"If an error occurs during replication, the consumer will attempt to reconnect according to the retry parameter
which is a list of the <retry interval> and <# of retries> pairs. For example, retry="60 10 300 3" lets the
consumer retry every 60 seconds for the first 10 times and then retry every 300 seconds for the next 3 times
before stop retrying. The '+' in <# of retries> means indefinite number of retries until success. If no retry
was specified, by default syncrepl retries every hour forever."
Why not just change it to retry="60 +" ?
--
Kind Regards,
Gavin Henry.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
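The retry semantics Gavin quotes above decide how long a consumer keeps reconnecting before it silently stops, which is what broke M2 -> M1 in the scenario. The helper below, added here and not part of the thread, parses a retry="..." value into its (interval, count) pairs, computes how long the consumer keeps trying, and checks whether a peer outage of a given length outlasts that schedule. Rejecting pairs that follow a '+' is this helper's own strictness, not documented slapd behaviour.

```python
from typing import List, Optional, Tuple

def parse_retry(spec: str) -> List[Tuple[int, Optional[int]]]:
    """Parse syncrepl retry="<interval> <# of retries> ..." into
    (interval_seconds, retries) pairs; retries is None for '+' (retry until success)."""
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("retry needs <interval> <# of retries> pairs")
    pairs = list(zip(tokens[::2], tokens[1::2]))
    schedule = []
    for i, (interval, count) in enumerate(pairs):
        secs = int(interval)
        if secs <= 0:
            raise ValueError(f"retry interval must be positive: {interval!r}")
        if count == "+":
            if i != len(pairs) - 1:
                # helper's own check: pairs after '+' could never be reached
                raise ValueError("'+' must be the last pair")
            schedule.append((secs, None))
        else:
            n = int(count)
            if n <= 0:
                raise ValueError(f"retry count must be positive: {count!r}")
            schedule.append((secs, n))
    return schedule

def gives_up_after(spec: str) -> Optional[int]:
    """Seconds the consumer keeps retrying before it stops, or None if it never stops."""
    total = 0
    for secs, n in parse_retry(spec):
        if n is None:
            return None
        total += secs * n
    return total

def outage_breaks_replication(spec: str, outage_seconds: int) -> bool:
    """True if a peer outage of this length outlasts the whole retry schedule,
    leaving the consumer stopped (the M2 -> M1 symptom in the post)."""
    limit = gives_up_after(spec)
    return limit is not None and outage_seconds > limit

if __name__ == "__main__":
    for spec in ("5 5 300 5", "60 10 300 3", "60 +"):
        print(f'retry="{spec}" gives up after:', gives_up_after(spec))
```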
LDAP + PAM + NSS with groups local and in LDAP
by John Kane
I am using LDAP + PAM + NSS on Linux, and am trying to use groups
defined locally as well as in LDAP. These groups are for (critical)
apps that run on the Linux systems. I want to define the group locally
as to not have issues when and if LDAP is unavailable. But to manage
group members, I want to define the same groups (and gids) in LDAP.
The problem is that the group members cannot 'newgrp' to groups in which
they are members (LDAP defined) if the group exists locally.
It appears that when the group is defined locally, the server does not
check LDAP for group members. In the following example, user 'tester' is
a member of groups 'postgres' and 'testgrp' (defined in LDAP), and the
group 'testgrp' is also defined locally:
[tester]$ groups
postgres testgrp
[tester]$ grep testgrp /etc/group
[tester]$ getent group testgrp
testgrp:x:110:tester
[tester]$ grep postgres /etc/group
postgres:x:110:
[tester]$ grep postgres /etc/gshadow
postgres:!::
[tester]$ getent group postgres
postgres:x:101:
As you can see, 'getent group' shows 'tester' is NOT a member of
postgres, although 'groups' shows he is.
My /etc/nsswitch.conf has:
passwd: files ldap
shadow: files ldap
group: files ldap
PAM /etc/pam.d/system-auth has:
# testing for groups local and in ldap - 022809
auth required /lib/security/$ISA/pam_group.so debug use_first_pass
#
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok nodelay
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
And, in LDAP:
[tester]$ ldapsearch -x -b 'ou=groups,o=partner_x,dc=example,dc=net' 'cn=postgres'
# extended LDIF
#
# LDAPv3
# base <ou=groups,o=partner_x,dc= example,dc=net> with scope subtree
# filter: cn=postgres
# requesting: ALL
#
# postgres, groups, partner_x, example.net
dn: cn=postgres,ou=groups,o=partner_x,dc=example,dc=net
objectClass: top
objectClass: posixGroup
cn:: cG9zdGdyZXMg
gidNumber: 110
memberUid: tester
description: Postgres DB Group
Thanks in advance for any help.
John
password encryption question
by Mike Simonton
Hello,
I want to change the default 'secret' password in the slapd.conf file to
something that's encrypted in some way to hide the clear text password for
the Manager account. What's the best and easiest way to go about doing
this? Is slappasswd the way to not only do this but change passwords for
any users in the database, or is ldappasswd the way to go?
One other question - does anyone have an example slapd.conf file that uses
the /etc/passwd and /etc/shadow files to manage the passwords for openldap,
particularly for the Manager account?
Thank you for your help!
Mike