database size
by Marcel Berteler
Our current database size is 7GB and we are wondering how big we can
grow until we run into LDAP / BDB constraints.
Are there others on the list that have extremely large databases? Any
pointers to ensure we can grow our DB even further without issues?
Marcel
14 years, 4 months
openldap, proxy, round robin?
by Nathan Lager
I am attempting to set up an OpenLDAP proxy, which I'd like to connect to
a number of OpenLDAP directories in a round-robin fashion.
There are currently 2 LDAP servers, with a round-robin DNS hostname
pointing to them.
I set up OpenLDAP to proxy to this hostname, but it seems that when I
actually connect to the proxy, it picks one of the addresses and holds
on to it. If it gets the second server on its first connection, it then
continues to use that server.
Is there a way to make OpenLDAP connect to each server? Whether it uses
the round-robin hostname or not is irrelevant. Two methods I can think
of would be to somehow keep slapd from caching the DNS name, or to
specify each server separately in the slapd.conf on the proxy.
Thanks!
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
610-330-5907
Re: Deleting hundreds of entries under an OU
by Michael Ströder
Daniel,
please keep responses on the list so others can comment and learn as well.
Daniel Spannbauer wrote:
>
> Michael Ströder schrieb:
>> Daniel Spannbauer wrote:
>>> Hello,
>>>
>>> I have to delete about 500 entries under an OU in my LDAP tree because I
>>> have to change the objectClass from "account" to "inetorgPerson".
>>> Can I do this with ldapdelete? I have always used that tool only to delete
>>> one entry.
>> Yes. But you have to provide a file with a list of the DNs of the
>> entries to be deleted.
>>
>> $ ldapdelete -h
>> usage: ldapdelete [options] [dn]...
>> dn: list of DNs to delete. If not given, it will be readed from stdin
>> or from the file specified with "-f file".
>>
>> (You could also use some of the GUI LDAP clients for that. E.g. my
>> web2ldap supports recursive deletion of all entries below an entry.)
>
> That's a possibility. But the LDAP entries are generated by a script, so I
> have to delete them also by this script. So a GUI is not the solution that
> I prefer.
In this case I'd prefer to use a full-featured scripting language with a
decent LDAP module to do the job. You have more control in the case of
an error than with invoking command-line tools from a shell script.
Ciao, Michael.
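An added example (not code from the thread) of the approach Michael recommends: a script using a real LDAP module that keeps control over each deletion. It is written against python-ldap's search_s/delete_s call shapes, but the connection object is injected, so it runs here against a constructed in-memory stand-in; the sample DNs and the entry the "server" refuses to delete are made up.

```python
# Added example (not from the thread): delete every entry below an OU with
# python-ldap's search_s/delete_s calls, deepest entries first, recording
# per-entry failures instead of aborting.  The connection is injectable, so the
# same logic runs below against a constructed in-memory stand-in.
SCOPE_SUBTREE = 2  # numeric value of python-ldap's ldap.SCOPE_SUBTREE

def delete_subtree(conn, base_dn):
    """Return (deleted, failed); failed maps DN -> error text."""
    found = conn.search_s(base_dn, SCOPE_SUBTREE, "(objectClass=*)", ["1.1"])
    dns = [dn for dn, _ in found if dn.lower() != base_dn.lower()]  # keep the OU
    # The server rejects deleting an entry that still has children
    # (notAllowedOnNonLeaf), so delete the deepest DNs first.  Counting commas
    # is enough for DNs without escaped commas, which is all the sample has.
    dns.sort(key=lambda dn: dn.count(","), reverse=True)
    deleted, failed = [], {}
    for dn in dns:
        try:
            conn.delete_s(dn)
            deleted.append(dn)
        except Exception as exc:  # keep going and report at the end
            failed[dn] = str(exc)
    return deleted, failed

class FakeLdapConnection:
    """Constructed stand-in for ldap.LDAPObject holding a tiny tree."""

    def __init__(self, dns, protected=()):
        self.entries = set(dns)
        self.protected = set(protected)  # DNs the "server" refuses to delete

    def search_s(self, base, scope, filterstr, attrlist=None):
        base = base.lower()
        return [(dn, {}) for dn in sorted(self.entries)
                if dn.lower() == base or dn.lower().endswith("," + base)]

    def delete_s(self, dn):
        if dn in self.protected:
            raise RuntimeError("insufficientAccessRights")
        if any(e.lower().endswith("," + dn.lower()) for e in self.entries):
            raise RuntimeError("notAllowedOnNonLeaf")
        self.entries.remove(dn)

SAMPLE_TREE = [  # constructed sample directory
    "ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
    "ou=contractors,ou=people,dc=example,dc=com",
    "uid=carol,ou=contractors,ou=people,dc=example,dc=com",
]

def demo():
    conn = FakeLdapConnection(SAMPLE_TREE, protected=["uid=bob,ou=people,dc=example,dc=com"])
    return delete_subtree(conn, "ou=people,dc=example,dc=com")
```

Against a real server you would replace FakeLdapConnection with ldap.initialize(...) plus a simple_bind_s, and decide from the returned failed map whether to retry, alert or stop.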
Deleting hundreds of entries under an OU
by Daniel Spannbauer
Hello,
I have to delete about 500 entries under an OU in my LDAP tree because I
have to change the objectClass from "account" to "inetorgPerson".
Can I do this with ldapdelete? I have always used that tool only to delete
one entry.
Regards
Daniel
--
Daniel Spannbauer Software Development
marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220
http://www.marco.de/ Email ds(a)marco.de
Managing Director Martin Reuter HRB 171775 Amtsgericht München
OpenLDAP server and OS X clients
by Arne Schmitz
Hi!
We are running an OpenLDAP server on Debian Stable. It works very well
so far, using more than 20 Linux clients. However, we now also have
got a couple of Mac clients that are supposed to use the server. I
have set the Mac clients (OS X 10.5.6) to use our LDAP server, using
the Directory Utility. That utility is set to use an RFC 2307 server,
with our LDAP's IP and the correct base name. After that I can "sudo
su" to any LDAP user, also call "id" for any LDAP user, log in via SSH
+ key to LDAP user, but NOT authenticate via password. I.e.
interactive logins or password based SSH logins are NOT possible. It
seems the password authentication against LDAP is not working. What I
find in /var/log/secure.log is the following:
May 6 17:46:38 mymac authorizationhost[70401]: Failed to authenticate
user MyLDAPUser (tDirStatus: -14090).
Any ideas what might be going wrong here? Where should I look?
Cheers,
Arne
--
Dipl.-Inform. Arne Schmitz Phone +49 (0)241 80-21817
Computer Graphics Group Fax +49 (0)241 80-22899
RWTH Aachen University http://www.rwth-graphics.de
Ahornstrasse 55, 52074 Aachen, Germany
LDIF, userCertificate; and missing "binary" option
by Erwann ABALEA
Hello,
Hoping it's the right list to ask for it.
I'm facing a "cross-recommendations" problem. Here it is.
I'm downloading an LDIF containing some inetOrgPerson and
cRLDistributionPoint entries, in order to have a replication site to develop
on.
Those entries have userCertificate or certificateRevocationList, but not
stored with the "binary" option (only the "::" indicating it's
Base64-encoded).
When trying to import this file with ldapadd on my directory, it failed,
telling me that those attributes need to be transferred with the binary
option. Right. I'm searching RFCs 2252 and 2256 (and their replacements as
well), and find that effectively, those attributes *MUST* be transferred as
binary ones.
I told the directory maintainer that the LDIF wasn't correct according to
these RFCs, and he replied that it was correct regarding RFC2849, which is
the only one defining the LDIF format.
Finally, that's right. And this RFC doesn't tell anything about certificates
or binary option. And I can't find an obvious link between RFC2849 and
RFC2252/2256.
I know I can just do a 'sed s/userCertificate::/userCertificate;binary::/'
of the file, but modifying something defined to be a standard for
interchange doesn't seem to be a good solution.
Do you have some ideas?
Regards.
--
Erwann.
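An added example (not part of the post) of the rewrite Erwann mentions, done with an LDIF-aware pass rather than sed: it unfolds RFC 2849 continuation lines, adds ";binary" only to userCertificate / certificateRevocationList values that are base64 and decode to a DER SEQUENCE, and reports anything else instead of touching it. The regex is a simplified attrval-spec (it ignores the ":<" URL form) and the LDIF at the bottom is constructed.

```python
# Added example (not from the post): rewrite an LDIF stream so that
# userCertificate and certificateRevocationList values carry the ";binary"
# transfer option, unfolding RFC 2849 continuation lines first and checking
# that each value is base64 that decodes to DER (leading SEQUENCE tag 0x30).
import base64
import re

BINARY_ATTRS = {"usercertificate", "certificaterevocationlist"}
# attribute type, ";option" list, ":" or "::", value (simplified attrval-spec)
LINE_RE = re.compile(r"^([A-Za-z][\w.-]*)((?:;[\w-]+)*)(::?) ?(.*)$")

def unfold(text):
    """Join continuation lines (leading single space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def is_der_sequence(b64):
    """True if b64 is valid base64 whose first byte is the DER SEQUENCE tag."""
    try:
        return base64.b64decode(b64, validate=True).startswith(b"\x30")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def add_binary_option(ldif_text):
    """Return (rewritten_ldif, problems); problems are lines left untouched."""
    out, problems = [], []
    for line in unfold(ldif_text):
        m = LINE_RE.match(line)
        if m and m.group(1).lower() in BINARY_ATTRS and ";binary" not in m.group(2).lower():
            attr, options, sep, value = m.groups()
            if sep == "::" and is_der_sequence(value):
                line = f"{attr}{options};binary:: {value}"
            else:  # plain-text or non-DER value: report it instead of guessing
                problems.append(line)
        out.append(line)
    return "\n".join(out) + "\n", problems

# Constructed sample: a valid (empty) DER SEQUENCE "MAA=", and a folded value
# that decodes to the text "hello", which is not a certificate.
SAMPLE_LDIF = (
    "dn: cn=alice,ou=people,dc=example,dc=com\n"
    "userCertificate:: MAA=\n"
    "\n"
    "dn: cn=bogus,ou=people,dc=example,dc=com\n"
    "userCertificate:: aGVs\n"
    " bG8=\n"
)
```

Feeding the result to ldapadd keeps the interchange file itself untouched: the option is added on the way in, and the problems list tells you which values need a closer look first.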
OpenLDAP multi master replication
by Bujji S
Hi,
I have openldap (2.4.9) installed on an Ubuntu 8.04 server.
I want to create a multi-master setup with two such servers (2 or more than
2).
First I tried to follow
http://www.openldap.org/doc/admin24/replication.html to form an n-way
master setup.
But right at the start I got a problem saying database (dc=mytest,dc=com) is
not configured to hold "cn=config".
Then I tried setting up cn=config using
http://www.zytrax.com/books/ldap/ch6/slapd-config.html
but that doesn't help me, meaning even after configuring cn=config as he
mentioned on the site I got the same error.
So I removed everything (slapd.d) that I did earlier, so now I have slapd.conf
on both of my servers.
Finally I found one more link
http://itsecureadmin.com/wiki/index.php/OpenLDAP_Multi-Master_Replication
that displays a sample config file,
so I followed that.
You can check the slapd.conf below.
So now I set up the same configuration on the second server too.
After writing these slapd.conf files I just restarted slapd on both servers.
The first time when I added some data on the first server it got replicated
on the other server only when I restarted slapd on the second server.
That is fine.
When I tried to add some other data on the second server it's not getting
replicated on the other server even if I restart slapd.
After that, wherever I add data it is not getting replicated, only added locally.
What could be the problem?
Please check my slapd.conf file and suggest to me how to do multi-master
replication on an Ubuntu 8.04 server.
So my slapd.conf is below.
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_monitor.la
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
database config
rootdn "cn=admin,cn=config"
rootpw admin123
database monitor
rootdn cn=monitor
rootpw admin123
#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database hdb
# The base of your directory in database #1
suffix "dc=mytest,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=mytest,dc=com"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
serverid 3 ldap://192.168.7.88:389
serverid 4 ldap://192.168.7.89:389
cachesize 1000
checkpoint 256 5
syncrepl rid=003
provider=ldap://192.168.7.88:389
binddn="cn=admin,dc=mytest,dc=com"
bindmethod=simple
credentials=admin123
searchbase="dc=mytest,dc=com"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
syncrepl rid=004
provider=ldap://192.168.7.89:389
binddn="cn=admin,dc=mytest,dc=com"
bindmethod=simple
credentials=admin123
searchbase="dc=mytest,dc=com"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
mirrormode true
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
index cn,mail,surname,givenname eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=mytest,dc=com" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=mytest,dc=com" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=mytest,dc=com" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be hdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
---------------------------------------------------------------------
Thanks
Visu
ldap users in local groups
by Justin Lintz
Hi,
I'm running into an interesting problem in that when I try to add more
than one ldap account to a local group, both users of that group no
longer show membership in that group when running "groups" or "id".
If I just add one of the users to the group, it works without a
problem. I apologize if this is not the correct list for this issue.
Does anyone have any ideas on what may be causing this?
- Justin Lintz
Occasional corrupt DN in be_add logs under 2.4.16
by Sean Burford
Hi,
As an interim measure while deploying 2.4.16 I am canarying 2.3.43 on a
replication provider. As a result the current replication path is:
master (2.3.39) -> provider (2.3.43) -> replica (2.4.16)
The master will be upgraded in short order once the 2.3.43 canary is
successful.
I've been seeing occasional corrupt DNs in some be_add log lines on the
2.4.16 replica:
May 5 09:35:46 host slapd[31817]: syncrepl_message_to_op: rid=100 be_add
<90>Y1 ntry,ou=subtree,dc=example,dc=com (0)
I've modified the DN in this log line. The missing text is "cn=l" in this
example. The original DN was 65 characters long.
I have performed the following search against each host with the following
results. It shows that the entry replicated fine but capitalisation of the
DN differs (which may be a red herring since I was already aware that DN
capitalisation differed across servers):
$ ldapsearch -x -b cn=lntry,ou=subtree,dc=example,dc=com -s base dn
master: dn is cn=lntry,ou=Subtree,dc=example,dc=com
provider: dn is cn=lntry,ou=subtree,dc=example,dc=com
replica: dn is cn=lntry,ou=Subtree,dc=example,dc=com
slapcat shows no problems with the entry on the 2.4.16 host.
Since the database looks fine I wonder if this is just a logging issue.
Should this Debug statement in syncrepl.c actually use
op->ora_e->e_name.bv_val or some other attribute?
rc = op->o_bd->be_add( op, &rs );
Debug( LDAP_DEBUG_SYNC,
"syncrepl_message_to_op: %s be_add %s (%d)\n",
si->si_ridtxt, op->o_req_dn.bv_val, rc );
With the exception of si->si_rid becoming si->si_ridtxt (and %d->%s) this
Debug statement has not changed since 2.3.
--
Thanks,
Sean Burford
slapd-meta and paged results control
by Lajos Boróczki
Hi,
I'm trying to set up an openldap proxy server using slapd-meta. Everything
worked so far, but after the backend database grew bigger and bigger,
searches with a fixed page size started to give strange results.
Tracing the problem led me to the following: If I set a page size of 300 in
my ldapsearch (where localhost:3890 is my slapd running slapd-meta):
ldapsearch -x -W -D "CN=admin,DC=example,DC=org" -E pr=300 -H "ldap://localhost:3890/" -b "dc=a,dc=example,dc=org" "(objectClass=inetOrgPerson)" uid
I get at most 300 results and the paging information is lost on the way. If
I set 300 to 1000 I get all of the results, because I have ~500 entries.
Doing an ldapsearch against the backend servers:
ldapsearch -x -W -D "CN=admin,DC=example,DC=org" -E pr=300 -H "ldap://dc1.a.example.org/" "dc=a,dc=example,dc=org" "(objectClass=user)" userPrincipalName
I get 300 results and a prompt to press enter; after pressing some enters I
can get every entry.
My backends are Active Directories... :(
Thanks for your help,
Lajos
Config:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/ad_attr.schema
include /etc/ldap/schema/ad_class.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 8
modulepath /usr/lib/ldap
moduleload back_meta
moduleload back_ldap
moduleload rwm
moduleload pcache
moduleload back_bdb
sizelimit 1000
tool-threads 1
database meta
suffix "dc=example,dc=org"
norefs yes
rebind-as-user yes
chase-referrals no
uri "ldap://dc1.example.org/dc=example,dc=org" "ldap://dc2.example.org/"
uri "ldap://dc1.a.example.org/dc=a,dc=example,dc=org" "ldap://dc2.a.example.org/"
uri "ldap://dc1.b.example.org/dc=b,dc=example,dc=org" "ldap://dc2.b.example.org/"
overlay rwm
rwm-rewriteEngine on
rwm-map attribute uid userPrincipalName
rwm-map objectclass inetOrgPerson user