openldap-technical March 2009

openldap-technical@openldap.org

64 participants
69 discussions

Multi-master or MirrorMode
by Sergio Cioban Filho 07 Mar '09

07 Mar '09

Hi all, I've read about ldap replication and I changed my replication from slurp to syncrepl. I want configure an failover Ldap Server, but I've read that in the multi-master replication configuration, I'll have problems with data consistency, is is true? When I'll have data inconsistency? In MIrrorMode, can I have much of two servers? What is the limit number of servers (nodes)? What is the better configuration for failover (Without a hardware proxies/load-balancing or dedicated proxy software)? ** Sorry for my poor english... ;) Thanks Regards, --- Sérgio Cioban Filho | Tecnólogo em Gestão de TI | Linux Professional Institute Certified - Level 1 ------------------------------------------------------------ | Linux - Servidores - Firewall - VPN | Virtualização - VoIP - ShellScript - C - PHP | http://cioban.googlepages.com | +55 48 9989-8733 ------------------------------------------------------------ ..:: Seja livre, use LiNuX!! ::.. ------------------------------------------------------------

1 0

TLSVerifyClient => no login possible
by Sebastian Reinhardt 06 Mar '09

06 Mar '09

Hello, I have configured an openSUSE 11.0 (x86_64) with openldap- server. Also the TLS is activated. All clients are set to "TLS_REQCERT demand" and is working. Then I created client certificates by using the servers Yast2 CA- management. I copied teh client certificates and also the servers "cacert" into the "/etc/openldap/" directory on client computer. With "TLSVerifyClient allow" clients can login, but if I activate the "TLSVerifyClient demand" option in servers slapd.conf no user can perform an login and it causes errors in /var/log/messages: ----------------/var/log/messages---------------- Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8): Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=107 Feb 22 18:50:01 lmvserver slapd[7093]: conn=107 op=0 do_extended Feb 22 18:50:01 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037 Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0 Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1 tag=120 err=0 Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=107 Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=107 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=107 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept failure error=-1 id=107, closing Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying conn=107 sd=14 for close Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=107 sd=14 Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8): Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=108 Feb 22 18:50:01 lmvserver slapd[7093]: conn=108 op=0 do_extended Feb 22 18:50:01 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037 Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0 Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1 tag=120 err=0 Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=108 Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=108 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=108 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept failure error=-1 id=108, closing Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying conn=108 sd=14 for close Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=108 sd=14 Feb 22 18:50:01 lmvserver slapd[7093]: slap_listener_activate(8): Feb 22 18:50:01 lmvserver slapd[7093]: >>> slap_listener(ldap://) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=109 Feb 22 18:50:01 lmvserver slapd[7093]: conn=109 op=0 do_extended Feb 22 18:50:01 lmvserver slapd[7093]: do_extended: oid=1.3.6.1.4.1.1466.20037 Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_extended: err=0 oid= len=0 Feb 22 18:50:01 lmvserver slapd[7093]: send_ldap_response: msgid=1 tag=120 err=0 Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=109 Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14) Feb 22 18:50:01 lmvserver slapd[7093]: connection_get(14): got connid=109 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): checking for input on id=109 Feb 22 18:50:01 lmvserver slapd[7093]: connection_read(14): TLS accept failure error=-1 id=109, closing Feb 22 18:50:01 lmvserver slapd[7093]: connection_closing: readying conn=109 sd=14 for close Feb 22 18:50:01 lmvserver slapd[7093]: connection_close: conn=109 sd=14 ----------------/var/log/messages---------------- slapd.conf: ---------------/etc/openldap/slapd.conf-------- # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/yast.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/collective.schema include /etc/openldap/schema/dnszone.schema include /etc/openldap/schema/duaconf.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/samba3.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/nis.schema # Define global ACLs to disable default read access. pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args # Directives needed to implement policy: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read access to * by * read ####################################################################### # BDB database definitions ####################################################################### loglevel 5 TLSCertificateFile /etc/openldap/servercert.pem TLSCACertificateFile /etc/openldap/cacert.pem TLSCertificateKeyFile /etc/openldap/serverkey.pem TLSVerifyClient demand database bdb suffix "dc=lmv,dc=lmv" rootdn "cn=ldaproot,dc=lmv,dc=lmv" rootpw "???????" directory /mnt/lvm/ldap/ checkpoint 1024 5 cachesize 10000 index objectClass,uidNumber,gidNumber eq index member,mail eq,pres index cn,displayname,uid,sn,givenname sub,eq,pres database monitor ---------------/etc/openldap/slapd.conf-------- ldap.conf (client): --------------/etc/openldap/slapd.conf--------- # # LDAP Defaults # #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERT /etc/openldap/cacert.pem TLS_CERT /etc/openldap/clientcert_205.pem TLS_KEY /etc/openldap/clientkey_205.pem TLS_REQCERT demand host 192.168.0.201 base dc=lmv,dc=lmv --------------/etc/openldap/slapd.conf--------- What is wrong? The clients certificate "common name" is set to the clients hostname. Is this ok? -- Mit freundlichen Grüßen Sebastian Reinhardt

3 17

openldap client configuration to connect to AD
by Santosh Kumar 06 Mar '09

06 Mar '09

Hi  Trying to configure ldap client connection for AD,  in the ldap.conf , what configuration needs to be carried, like is it required for PAM & NSS configuration .tried to test in ldap command as initial test, but getting the below error, ./ldapsearch -x -W -h 10.10.10.10 -b "CN=testuser,OU=Users,OU=KeyPairIN,OU=KeyPair,DC=keypair,DC=internal" -S subEnter LDAP Password:  ***   ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)Please do know what needs to be included ThanksSantosh Sr Software developer

3 5

Negation regex
by Miguel Jinez 06 Mar '09

06 Mar '09

Hi guys I need your help, anyone knows which is the negation regex? I need to perform an ACL Thanks Mike

1 0

Syncrepl cn=config from another context ...
by Mads Freek Petersen 05 Mar '09

05 Mar '09

Is it possible to have a server with multiple cn=config templates (for other servers) in a non cn=config context and then "translate" them into cn=config on the consumer side using a bootstrap config and olcsyncrepl? Regards Mads Freek ------------------------------------------------------ Mads Freek Petersen Special Consultant IT-Campus Roskilde University Building 42-1, P.O. Box 260, DK-4000 Roskilde, Denmark Phone: +45 4674 3882 Fax: +45 4674 3072 E-mail: freek(a)ruc.dk

2 2

Nway multimaster sync cn=config doesn¹t make cn=config look the same...
by Mathew Rowley 05 Mar '09

05 Mar '09

I have spent the past couple of days setting up nway multimaster in my lab. I was thinking it was not working because the first step (in the admin guide) was syncing up the cn=config. When doing that, I would look at both servers to see if the cn=config was the same they were, and are not. First box has (under cn=config): Cn=schema OlcDatabase={-1}front OlcDatabase{0}config OlcDatabase={1}bdb OlcDatabase={2}bdb Second box has (under cn=config): Cn=schema OlcDatabase={-1}front OlcDatabase{0}config OlcDatabase={1}bdb My question is: is this normal, or did I do something wrong? The sync on my dc=comcast,dc=com is working fine. Here are the steps I went through to get this working. Set up slapd.conf sure to include the directory config¹ in order to have a rootd for cn=config On both servers remove old directory/config ( rm -rf /usr/var/openldap-data/* /usr/etc/openldap/slapd.d/* ) On both servers run slapd with f and F options to sync to new config mode ( /usr/sbin/slapd -h ldap://10.252.152.76 -u ldap -F /usr/etc/openldap/slapd.d/ -f /usr/etc/openldap/slapd.conf -d 1 ) On both servers run slapd with F option - made sure that it was run with ldap://<ip> (/usr/sbin/slapd -h ldap://10.252.152.76 -u ldap -F /usr/etc/openldap/slapd.d/) On both servers run ldapmodify to add initial syncrepl, and sync the two cn=config directories: dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 ldap://10.252.152.76 olcServerID: 2 ldap://10.252.152.77 dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://10.252.152.76 binddn="cn=root,cn=config" bindmethod=simple credentials="<RAW PASSWORD>" searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=ldap://10.252.152.77 binddn="cn=root,cn=config" bindmethod=simple credentials="<RAW PASSWORD>" searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE On first server run ldapadd to sync the dc=comcast,dc=com directory: dn: olcDatabase={1}bdb,cn=config objectClass: olcDatabaseConfig objectClass: olcbdbConfig olcDatabase: {1}bdb olcSuffix: dc=comcast,dc=com olcDbDirectory: /usr/var/openldap-data/ olcRootDN: cn=Manager,dc=comcast,dc=com olcRootPW: {SSHA}kJTEcfOmPf7fKv71AtxDjlUZNPqN9pIT olcLimits: dn.exact="cn=Manager,dc=comcast,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcSyncRepl: rid=004 provider=ldap://10.252.152.76 binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple credentials="<RAW PASSWORD>" searchbase="dc=comcast,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=005 provider=ldap://10.252.152.77 binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple credentials="<RAW PASSWORD>" searchbase="dc=comcast,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={1}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov Now, at this point is where I look at the cn=config to see if they were the same... -- MAT DESK: 720.267.7767

2 1

Multi-master vs. MirrorMode
by Sergio Cioban Filho 05 Mar '09

05 Mar '09

1 0

Openldap, kerberos backend, and SASL
by Da Rock 05 Mar '09

05 Mar '09

Sorry to barge in straight away with a question like this, but my time is running out and I have not been able to get a straight answer out of google. I'm going through the hypotheticals for using ldap as the backend for kerberos, and I've hit a chicken and egg problem with SASL- can someone untangle my mind? IF kerberos is using ldap as a backend store for keys, users, etc, and one can set the rootdn and leave the rootpw for later entry in the database itself, and the password can use SASL auth- what happens if you use kerberos as the auth mechanism? According to the book, slapd needs to set up the access to the key from startup, and kerberos in this scenario will need ldap up to provide the key. Is ldap up enough that kerberos can provide this? Or does ldap retry or something so that this problem is overcome? Thoughts? Cheers

4 15

syntax error in my ldif file
by Ken Perl 05 Mar '09

05 Mar '09

I got the error like below and can not fix it, could anyone help me? ldap_add: Invalid syntax (21) additional info: ObjectClass: value #0 invalid per syntax $cat lv1.ldif dn: mail=lv1(a)colinux.my, dc=colinux, dc=my ObjectClass: CourierMailAccount cn: ldap_vitural1 mail: lv1(a)colinux.my mail: lv1 userPassword: {MD5}$1$RnorJ$uVjJOT1I//zCCoFAYvP8t0 homeDirectory: lv1 uidNumber: 1000 gidNumber: 100 -- perl -e 'print unpack(u,"62V5N\"FME;G\!E<FQ`9VUA:6PN8V]M\"\@`` ")'

2 2

2.3 -> 2.4 upgrading advice
by Rex Roof 04 Mar '09

04 Mar '09

I'm currently running a fairly simple LDAP environment of two OpenLDAP 2.3 servers with a Master & Slave relationship using syncrepl. These servers are currently being used for authentication and for sendmail routing. I'm hoping to upgrade these two OpenLDAP 2.4 and create some sort of multi-master environment so that I can accept writes when one or more of the servers is down. I'd also like to add 2 more servers to the pool. I have two questions: 1) does anyone have any advice for things to watch out for when updating from 2.3 to 2.4? 2) what should I use for replication? Can I use some combination of MirrorMode and Multi-Master replication? This statement worries me: "Breaks the data consistency guarantees of the directory model" what does it mean? I found that here: http://www.openldap.org/doc/admin24/replication.html is that only a concern when the servers get out of sync as far as time goes? Any advice would be appreciated.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2009