Multi-master or MirrorMode
by Sergio Cioban Filho
Hi all,
I've read about LDAP replication and I changed my replication from slurpd to
syncrepl.
I want to configure a failover LDAP server, but I've read that in the
multi-master replication configuration I'll have problems with data
consistency. Is this true? When will I have data inconsistency?
In MirrorMode, can I have more than two servers? What is the maximum number of
servers (nodes)?
What is the best configuration for failover (without hardware
proxies/load balancing or dedicated proxy software)?
** Sorry for my poor english... ;)
Thanks
Regards,
---
Sérgio Cioban Filho
| IT Management Technologist
| Linux Professional Institute Certified - Level 1
------------------------------------------------------------
| Linux - Servers - Firewall - VPN
| Virtualization - VoIP - Shell scripting - C - PHP
| http://cioban.googlepages.com
| +55 48 9989-8733
------------------------------------------------------------
..:: Be free, use LiNuX!! ::..
------------------------------------------------------------
11 years, 10 months
TLSVerifyClient => no login possible
by Sebastian Reinhardt
Hello,
I have configured an openSUSE 11.0 (x86_64) system with an openldap server. TLS
is also activated. All clients are set to "TLS_REQCERT demand" and this is
working.
Then I created client certificates using the server's YaST2 CA management. I
copied the client certificates and also the server's "cacert" into the
"/etc/openldap/" directory on the client computer. With "TLSVerifyClient allow"
clients can log in, but if I activate the "TLSVerifyClient demand" option in
the server's slapd.conf no user can log in, and it causes errors in
/var/log/messages:
----------------/var/log/messages----------------
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: conn=107 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1
tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=107
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept
failure error=-1 id=107, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying
conn=107 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=107 sd=14
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: conn=108 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1
tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=108
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept
failure error=-1 id=108, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying
conn=108 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=108 sd=14
Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8):
Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: conn=109 op=0 do_extended
Feb 22 18:50:01 lmvserver slapd[7093]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0
Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1
tag=120 err=0
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14)
Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for
input on id=109
Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept
failure error=-1 id=109, closing
Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying
conn=109 sd=14 for close
Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=109 sd=14
----------------/var/log/messages----------------
slapd.conf:
---------------/etc/openldap/slapd.conf--------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Directives needed to implement policy:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
#######################################################################
# BDB database definitions
#######################################################################
loglevel 5
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
TLSVerifyClient demand
database bdb
suffix "dc=lmv,dc=lmv"
rootdn "cn=ldaproot,dc=lmv,dc=lmv"
rootpw "???????"
directory /mnt/lvm/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
database monitor
---------------/etc/openldap/slapd.conf--------
ldap.conf (client):
--------------/etc/openldap/ldap.conf----------
#
# LDAP Defaults
#
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /etc/openldap/cacert.pem
TLS_CERT /etc/openldap/clientcert_205.pem
TLS_KEY /etc/openldap/clientkey_205.pem
TLS_REQCERT demand
host 192.168.0.201
base dc=lmv,dc=lmv
--------------/etc/openldap/ldap.conf----------
What is wrong? The client certificate's "common name" is set to the
client's hostname. Is this OK?
--
Kind regards
Sebastian Reinhardt
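An offline version of the check slapd performs under "TLSVerifyClient demand", added here as an example and not part of the original post. Under demand, slapd only completes the TLS handshake if the certificate the client presents chains to a CA in TLSCACertificateFile, so the first thing to verify is that chain, with openssl, against the same cacert.pem the server loads. The script builds a throwaway CA, an unrelated second CA and two client certificates whose CN is a hostname (as in the post), then runs the chain check on each combination. The certificate file names follow the post; the CA names, the hostnames and the scratch directory are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread: reproduce offline the check slapd makes
# on a client certificate when slapd.conf says "TLSVerifyClient demand", i.e.
# does the certificate chain to a CA in TLSCACertificateFile? Certificate file
# names follow the post (cacert.pem, clientcert_205.pem); the CA names, the
# client hostnames and the scratch directory are made up.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A self-signed CA, playing the role of the YaST2 CA in the post.
new_ca() {   # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# A client certificate signed by the given CA. Its CN is a hostname, as in the
# post; slapd does not match a client CN against a hostname, so that is fine.
new_client_cert() {   # $1 = CA prefix, $2 = file prefix, $3 = CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# The check itself: the chain verification slapd's TLS library performs,
# against the file named in TLSCACertificateFile. Prints ok or fail.
chain_ok() {   # $1 = CA file, $2 = client certificate
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

new_ca cacert "LMV Test CA"            # the CA slapd trusts
new_ca other_ca "Unrelated CA"         # a CA slapd has never heard of
new_client_cert cacert clientcert_205 "client205.lmv.lmv"    # issued by the trusted CA
new_client_cert other_ca stray_client "client206.lmv.lmv"    # issued by the unrelated CA

echo "clientcert_205.pem against cacert.pem: $(chain_ok cacert.pem clientcert_205.pem)"
echo "stray_client.pem against cacert.pem:   $(chain_ok cacert.pem stray_client.pem)"
echo "clientcert_205.pem against other_ca.pem: $(chain_ok other_ca.pem clientcert_205.pem)"
```

On the real server the equivalent one-liner is `openssl verify -CAfile /etc/openldap/cacert.pem clientcert_205.pem`. Two caveats when the chain is fine and logins still fail: the handshake also fails under demand when the client presents no certificate at all, and only programs that read /etc/openldap/ldap.conf (ldapsearch does) pick up TLS_CERT/TLS_KEY from there, whereas pam_ldap/nss_ldap read their own /etc/ldap.conf and need their own tls_cert and tls_key lines. Running slapd with `-d -1` shows the TLS library's error behind the generic "TLS accept failure error=-1".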
openldap client configuration to connect to AD
by Santosh Kumar
Hi,
I am trying to configure an LDAP client connection to AD. What configuration needs to be carried out in ldap.conf, and is PAM & NSS configuration required? I tried an ldap command as an initial test, but I get the error below:
./ldapsearch -x -W -h 10.10.10.10 -b "CN=testuser,OU=Users,OU=KeyPairIN,OU=KeyPair,DC=keypair,DC=internal" -S sub
Enter LDAP Password: ***
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Please let me know what needs to be included.
Thanks
Santosh
Sr Software Developer
Negation regex
by Miguel Jinez
Hi guys,
I need your help. Does anyone know what the negation regex is? I need to
perform an ACL.
Thanks
Mike
Syncrepl cn=config from another context ...
by Mads Freek Petersen
Is it possible to have a server with multiple cn=config templates (for
other servers) in a non-cn=config context and then "translate" them
into cn=config on the consumer side using a bootstrap config and
olcSyncRepl?
Regards Mads Freek
------------------------------------------------------
Mads Freek Petersen
Special Consultant
IT-Campus
Roskilde University
Building 42-1, P.O. Box 260, DK-4000 Roskilde, Denmark
Phone: +45 4674 3882
Fax: +45 4674 3072
E-mail: freek(a)ruc.dk
Nway multimaster sync cn=config doesn't make cn=config look the same...
by Mathew Rowley
I have spent the past couple of days setting up N-way multimaster in my lab.
I was thinking it was not working because the first step (in the admin
guide) was syncing up the cn=config. When doing that, I would look at both
servers to see if the cn=config was the same on both, and they are not.
First box has (under cn=config):
cn=schema
olcDatabase={-1}front
olcDatabase={0}config
olcDatabase={1}bdb
olcDatabase={2}bdb
Second box has (under cn=config):
cn=schema
olcDatabase={-1}front
olcDatabase={0}config
olcDatabase={1}bdb
My question is: is this normal, or did I do something wrong? The sync on my
dc=comcast,dc=com is working fine. Here are the steps I went through to get
this working.
Set up slapd.conf, making sure to include the 'directory config' in order
to have a rootdn for cn=config.
On both servers, remove the old directory/config (rm -rf
/usr/var/openldap-data/* /usr/etc/openldap/slapd.d/*).
On both servers, run slapd with the -f and -F options to sync to the new
config mode (/usr/sbin/slapd -h ldap://10.252.152.76 -u ldap -F
/usr/etc/openldap/slapd.d/ -f /usr/etc/openldap/slapd.conf -d 1).
On both servers, run slapd with the -F option; made sure that it was run
with ldap://<ip> (/usr/sbin/slapd -h ldap://10.252.152.76 -u ldap -F
/usr/etc/openldap/slapd.d/).
On both servers run ldapmodify to add initial syncrepl, and sync the two
cn=config directories:
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://10.252.152.76
olcServerID: 2 ldap://10.252.152.77

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://10.252.152.76
  binddn="cn=root,cn=config" bindmethod=simple
  credentials="<RAW PASSWORD>" searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://10.252.152.77
  binddn="cn=root,cn=config" bindmethod=simple
  credentials="<RAW PASSWORD>" searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
On the first server, run ldapadd to sync the dc=comcast,dc=com directory:
dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcbdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=comcast,dc=com
olcDbDirectory: /usr/var/openldap-data/
olcRootDN: cn=Manager,dc=comcast,dc=com
olcRootPW: {SSHA}kJTEcfOmPf7fKv71AtxDjlUZNPqN9pIT
olcLimits: dn.exact="cn=Manager,dc=comcast,dc=com" time.soft=unlimited
  time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncRepl: rid=004 provider=ldap://10.252.152.76
  binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple
  credentials="<RAW PASSWORD>" searchbase="dc=comcast,dc=com"
  type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=005 provider=ldap://10.252.152.77
  binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple
  credentials="<RAW PASSWORD>" searchbase="dc=comcast,dc=com"
  type=refreshOnly
  interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
Now, this is the point at which I look at the cn=config to see if they are
the same...
--
MAT
DESK: 720.267.7767
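Two checks on the resulting cn=config, added here as an example that is not part of the post. The first does by script what the post does by eye: take a `slapcat -n 0` dump from each node and compare the list of olcDatabase entries. The second scans the same dumps for olcSyncRepl consumers that bind with bindmethod=simple over a plain ldap:// provider without starttls=critical, which is what the post's rid=001/002 and rid=004/005 consumers do, so the cn=root,cn=config and cn=Manager passwords cross the network in the clear. The two dumps are constructed to mirror the post (box 1 with {1}bdb and {2}bdb, box 2 with {1}bdb only); the providers, RIDs and dc=comcast,dc=com are the post's, while the second suffix, the credential value and the hardened rid=004 consumer are made up, and a real dump carries many more attributes.

```sh
#!/bin/sh
# Added example, not from the thread: two checks on "slapcat -n 0" dumps of
# cn=config taken from two N-way multimaster nodes. The dumps are constructed
# to mirror the post (box 1 carries {1}bdb and {2}bdb, box 2 only {1}bdb);
# the 10.252.152.x providers, RIDs and dc=comcast,dc=com are the post's, the
# dc=lab,dc=example suffix and the credential value are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/box1.ldif" <<'EOF'
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcSyncRepl: rid=001 provider=ldap://10.252.152.76 binddn="cn=root,cn=config" b
 indmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPers
 ist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcDatabase={1}bdb,cn=config
olcDatabase: {1}bdb
olcSuffix: dc=comcast,dc=com

dn: olcDatabase={2}bdb,cn=config
olcDatabase: {2}bdb
olcSuffix: dc=lab,dc=example
olcSyncRepl: rid=004 provider=ldap://10.252.152.76 binddn="cn=Manager,dc=lab,dc
 =example" bindmethod=simple starttls=critical credentials=secret searchbase="d
 c=lab,dc=example" type=refreshOnly interval=00:00:00:10
EOF

cat > "$WORK/box2.ldif" <<'EOF'
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcSyncRepl: rid=002 provider=ldap://10.252.152.77 binddn="cn=root,cn=config" b
 indmethod=simple credentials=secret searchbase="cn=config" type=refreshAndPers
 ist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

dn: olcDatabase={1}bdb,cn=config
olcDatabase: {1}bdb
olcSuffix: dc=comcast,dc=com
EOF

# LDIF folds long values onto continuation lines that start with one space;
# join them so every attribute value is on a single line again.
unfold() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" }
       { printf "%s", $0 }
       END { printf "\n" }' "$1"
}

# Check 1: the ordered list of database entries under cn=config.
databases() { unfold "$1" | grep '^dn: olcDatabase=' | sed 's/^dn: //'; }

# Same list on both nodes? Prints "same" or "differ".
compare_databases() {
  databases "$1" > "$WORK/a.txt"; databases "$2" > "$WORK/b.txt"
  if cmp -s "$WORK/a.txt" "$WORK/b.txt"; then echo same; else echo differ; fi
}

# Check 2: consumers that send the bind password in the clear: simple bind,
# plain ldap:// provider, no starttls=critical. Credentials are redacted.
cleartext_syncrepl() {
  unfold "$1" | grep '^olcSyncRepl:' | grep 'bindmethod=simple' \
    | grep 'provider=ldap://' | grep -v 'starttls=critical' \
    | sed 's/credentials=[^ ]*/credentials=<redacted>/'
}

for node in box1 box2; do
  echo "== databases under cn=config on $node =="
  databases "$WORK/$node.ldif"
  echo "== consumers on $node sending credentials in the clear =="
  cleartext_syncrepl "$WORK/$node.ldif"
done
echo "== database lists on the two nodes: $(compare_databases "$WORK/box1.ldif" "$WORK/box2.ldif") =="
```

To run it against real nodes, replace the two heredocs with the output of `slapcat -n 0` from each server. Consumers the second check flags can be fixed with `starttls=critical` plus `tls_cacert=<file>` in the olcSyncRepl value, or an ldaps:// provider; and since olcSyncRepl values (credentials included) are readable by anyone who can read cn=config, a dedicated replication identity with a narrow ACL is a better binddn than each database's rootdn.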
Multi-master vs. MirrorMode
by Sergio Cioban Filho
Hi all,
I've read about LDAP replication and I changed my replication from slurpd to
syncrepl.
I want to configure a failover LDAP server, but I've read that in the
multi-master replication configuration I'll have problems with data
consistency. Is this true? When will I have data inconsistency?
In MirrorMode, can I have more than two servers? What is the maximum number of
servers (nodes)?
What is the best configuration for failover (without hardware
proxies/load balancing or dedicated proxy software)?
** Sorry for my poor english... ;)
Thanks
Regards,
---
Sérgio Cioban Filho
| IT Management Technologist
| Linux Professional Institute Certified - Level 1
------------------------------------------------------------
| Linux - Servers - Firewall - VPN
| Virtualization - VoIP - Shell scripting - C - PHP
| http://cioban.googlepages.com
| +55 48 9989-8733
------------------------------------------------------------
..:: Be free, use LiNuX!! ::..
------------------------------------------------------------
Selling: GOL G3 PLUS 1.0 8V 4-door 2002 - White - fully equipped - only R$ 18,500.00
http://cioban.googlepages.com/vendogolg38v
Openldap, kerberos backend, and SASL
by Da Rock
Sorry to barge in straight away with a question like this, but my time
is running out and I have not been able to get a straight answer out of
Google.
I'm going through the hypotheticals for using LDAP as the backend for
Kerberos, and I've hit a chicken-and-egg problem with SASL. Can someone
untangle my mind?
If Kerberos is using LDAP as a backend store for keys, users, etc., and
one can set the rootdn and leave the rootpw for later entry in the
database itself, and the password can use SASL auth, what happens if you
use Kerberos as the auth mechanism?
According to the book, slapd needs to set up access to the key from
startup, and Kerberos in this scenario will need LDAP up to provide the
key. Is LDAP up enough that Kerberos can provide this? Or does LDAP
retry or something so that this problem is overcome?
Thoughts?
Cheers
syntax error in my ldif file
by Ken Perl
I got the error below and cannot fix it; could anyone help me?
ldap_add: Invalid syntax (21)
additional info: ObjectClass: value #0 invalid per syntax
$cat lv1.ldif
dn: mail=lv1@colinux.my, dc=colinux, dc=my
ObjectClass: CourierMailAccount
cn: ldap_vitural1
mail: lv1@colinux.my
mail: lv1
userPassword: {MD5}$1$RnorJ$uVjJOT1I//zCCoFAYvP8t0
homeDirectory: lv1
uidNumber: 1000
gidNumber: 100
--
perl -e 'print unpack(u,"62V5N\"FME;G\!E<FQ`9VUA:6PN8V]M\"\@``
")'
2.3 -> 2.4 upgrading advice
by Rex Roof
I'm currently running a fairly simple LDAP environment of two OpenLDAP
2.3 servers with a Master & Slave relationship using syncrepl. These
servers are currently being used for authentication and for sendmail
routing.
I'm hoping to upgrade these two to OpenLDAP 2.4 and create some sort of
multi-master environment so that I can accept writes when one or more
of the servers is down. I'd also like to add 2 more servers to the
pool.
I have two questions:
1) does anyone have any advice for things to watch out for when
updating from 2.3 to 2.4?
2) what should I use for replication? Can I use some combination of
MirrorMode and Multi-Master replication? This statement worries
me: "Breaks the data consistency guarantees of the directory model"
what does it mean? I found that here:
http://www.openldap.org/doc/admin24/replication.html
is that only a concern when the servers get out of sync as far as time
goes?
Any advice would be appreciated.