How to backup/restore on remote servers
by Josir Gomes
Hi folks,
I just installed an openldap server and I want to test backup/restore
routines.
I have two machines, one a clone of the other. On the first one I
add several users, and then my test is to restore those users on the new
machine.
To backup, it was easy:
slapcat -l /path/to/your/backup.ldif
But when I tried to restore,
I shut down the samba/ldap service with:
/etc/init.d/ebox samba stop
/etc/init.d/ebox slapd stop
And then I issue: slapadd -l /path/to/your/backup.ldif
=> hdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair
already exists (-30996)
=> hdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already
exists (-30996)
slapadd: could not add entry dn="dc=ebox" (line=1): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
I understand that there are other records and I can't replace them.
Do I have to erase everything ?
Or is there a merge option ?
I know that there is a replication service but those two servers will
not be on the same network (ie. one server will not communicate with the
other) so I think this approach does not apply.
Any tip or suggestion will be very welcome.
Thanks in advance,
Josir Gomes
11 years, 9 months
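An added example (not from the post, nor from eBox or OpenLDAP) of the restore sequence that avoids the DB_KEYEXIST failure above: slapadd will not overwrite existing entries, so the database directory is emptied first, with slapd stopped, keeping only DB_CONFIG. The suffix dc=ebox comes from the error message; the database path, the slapd user name openldap and the use of pgrep to detect a running slapd are assumptions to adapt.

```python
"""Restore a slapcat LDIF into a back-bdb/back-hdb database. slapadd only
adds entries, so loading over existing data fails with DB_KEYEXIST: the
database directory must be emptied first (keeping DB_CONFIG), with slapd
stopped, and ownership fixed afterwards because slapadd runs as root."""
import shutil
import subprocess
import tempfile
from pathlib import Path

KEEP = {"DB_CONFIG"}  # BDB tuning file: configuration, not data

def backup_command(ldif, suffix):
    """slapcat dumps the database selected by suffix (-b) to an LDIF file (-l)."""
    return ["slapcat", "-b", suffix, "-l", str(ldif)]

def clear_database_dir(dbdir):
    """Delete the *.bdb, __db.* and log.* files under dbdir, keeping DB_CONFIG.
    Returns the names removed, sorted, so a dry run can list them first."""
    removed = []
    for entry in Path(dbdir).iterdir():
        if entry.name in KEEP:
            continue
        shutil.rmtree(entry) if entry.is_dir() else entry.unlink()
        removed.append(entry.name)
    return sorted(removed)

def restore_commands(ldif, suffix, dbdir, owner):
    """Load the LDIF, then hand the files back to the user slapd runs as."""
    return [["slapadd", "-b", suffix, "-l", str(ldif)],
            ["chown", "-R", f"{owner}:{owner}", str(dbdir)]]

def restore(ldif, suffix, dbdir, owner="openldap", run=subprocess.run):
    """Full restore; refuses to touch the database while slapd is running.
    `run` is injectable so the sequence can be tested without slapd installed."""
    if run(["pgrep", "-x", "slapd"], capture_output=True).returncode == 0:
        raise RuntimeError("stop slapd before restoring")
    removed = clear_database_dir(dbdir)
    for cmd in restore_commands(ldif, suffix, dbdir, owner):
        run(cmd, check=True)
    return removed

def make_sample_dbdir():
    """Constructed stand-in for a real database directory (e.g. /var/lib/ldap)."""
    d = Path(tempfile.mkdtemp())
    for name in ("DB_CONFIG", "id2entry.bdb", "dn2id.bdb", "__db.001", "log.0000000001"):
        (d / name).write_text("")
    return d
```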
Re: ldap not finding internal CA?
by gruntler-ldap@yahoo.com
--- On Wed, 6/17/09, Mathias Gug <mathiaz(a)ubuntu.com> wrote:
> From: Mathias Gug <mathiaz(a)ubuntu.com>
> Subject: Re: ldap not finding internal CA?
> To: "Kurt Yoder" <ktyopenldap(a)yoderhome.com>
> Cc: openldap-technical(a)openldap.org
> Date: Wednesday, June 17, 2009, 9:13 PM
>
> [...]
>
>> My openldap is version 2.4.15 on Ubuntu Jaunty. Interestingly, I
>> had the same message about self-signed certificates on previous
>> Ubuntu versions, but querying ldap with "TLS_REQCERT demand" works
>> fine.
>
> As Howard mentioned this should have been fixed in 2.4.16. However
> could you try to put both the CA certificate *and* the server
> certificate in the cert.file used by the slapd server - (that way
> the whole CA chain is sent to the client by gnutls) ?
Hi Mathias,
How exactly does one do that? I've tried simply appending the contents of the CA file to the server certificate file and restarting slapd, and it has no effect.
I've tried various other combinations as well, but testing against Jaunty still fails while Intrepid works.
Meanwhile I built OpenLDAP 2.4.16 on Jaunty with no Ubuntu patches added to OpenLDAP and it works:
gruntler@jaunty-64:~/src/openldap-2.4.16/clients/tools$ ./ldapsearch -x -V
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.16 (Jun 22 2009 17:04:33) $
gruntler@jaunty-64:/home/gruntler/src/openldap-2.4.16/clients/tools
(LDAP library: OpenLDAP 20416)
# extended LDIF
#
# LDAPv3
# base <dc=abcd, dc=efgh, dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
... snip ...
ldap.conf settings:
BASE dc=abcd, dc=efgh, dc=com
URI ldaps://auth01-test ldaps://auth02-test
TLS_CACERT /etc/ssl/cacerts/my-org.cert.pem
TLS_REQCERT demand
TIMEOUT 4
NETWORK_TIMEOUT 2
-----
Meanwhile...
gruntler@jaunty-64:~/src/openldap-2.4.16/clients/tools$ /usr/bin/ldapsearch -x -V
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.15 (Mar 19 2009 10:07:04) $
buildd@yellow:/build/buildd/openldap-2.4.15/debian/build/clients/tools
(LDAP library: OpenLDAP 20415)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
11 years, 9 months
proxy cache not really caching?
by Tyler Gates
Hello,
I've been running my openldap 2.4 proxy directory server using
back_ldap and pcache in front of two masters for a few days and have
been a little confused about why I'm not getting more "QUERY ANSWERED"
messages in the logs considering all the "QUERY CACHED" messages.
According to the script I wrote to parse the log file for certain key
words, I'm seeing data like this:
*******************************
QUERIES ANSWERED: 26901
QUERIES NOT ANSWERED: 142386
QUERIES CACHEABLE: 114491
QUERIES NOT CACHEABLE: 27895
-------------------------------
TOTAL QUERIES: 169287
QUERIES ADDED: 114080
QUERIES STORED: 7
QUERY HIT: %15.8907653866
*******************************
As you can see my templates are catching a good majority of the queries
and they appear to be added to cache. For example I see messages like
this: 'Added query expires at 1244899436 (NEGATIVE)'
But even though I've tried bumping the ttl up, I'm still seeing a lot
of QUERY NOT ANSWERABLE messages fly by about queries that should have
been in cache before. For example, this snippet below appears to cache
querystr '(&(objectClass=posixGroup)(memberUid=xfs))' but then one
query later the exact same query comes up and it says it's not
answerable and adds it to cache again.
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=99 op=1658 SRCH base="dc=castlebranch,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=xfs))"
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=99 op=1658 SRCH attr=gidNumber
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: query template of incoming query = (&(objectClass=)(memberUid=))
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Entering QC, querystr = (&(objectClass=posixGroup)(memberUid=xfs))
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock QC index = 0x8354560
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Not answerable: Unlock QC index=0x8354560
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT ANSWERABLE
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY CACHEABLE
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Added query expires at 1244899436 (NEGATIVE)
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock AQ index = 0x8354560
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: TEMPLATE 0x8354560 QUERIES++ 1
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Unlock AQ index = 0x8354560
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=99 op=1658 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1661 SRCH base="dc=castlebranch,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=xfs))"
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: query template of incoming query = (&(objectClass=)(uid=))
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT ANSWERABLE
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT CACHEABLE
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1661 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1662 SRCH base="dc=castlebranch,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=xfs))"
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: conn=86 op=1662 SRCH attr=gidNumber
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: query template of incoming query = (&(objectClass=)(memberUid=))
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Entering QC, querystr = (&(objectClass=posixGroup)(memberUid=xfs))
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock QC index = 0x8354560
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Not answerable: Unlock QC index=0x8354560
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY NOT ANSWERABLE
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: QUERY CACHEABLE
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Added query expires at 1244899436 (NEGATIVE)
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Lock AQ index = 0x8354560
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: TEMPLATE 0x8354560 QUERIES++ 1
Jun 13 09:08:56 directory-proxy slapd2.4[20842]: Unlock AQ index = 0x8354560
According to the logs I currently have 7 cached queries and about a
15.8% hit rate, which seems ridiculous given all the 'added query'
messages I'm getting.
Is there something wrong with my caching engine on the directory server
or am I missing something with how the caching mechanism works?
Thanks,
Tyler
11 years, 9 months
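An added example, not Tyler's own script, that parses pcache log lines like those above, counts the verdicts the way his summary does, and flags the symptom he describes: the same querystr being 'Added' again while its previous cached copy should still have been within its TTL. 'QUERY ANSWERABLE' as the positive counterpart of 'QUERY NOT ANSWERABLE' is an assumption; the sample lines are constructed from the ones in the post.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines in the post (same prefix, shortened).
P = "Jun 13 09:08:56 directory-proxy slapd2.4[20842]: "
SAMPLE_LOG = [P + s for s in (
    "query template of incoming query = (&(objectClass=)(memberUid=))",
    "Entering QC, querystr = (&(objectClass=posixGroup)(memberUid=xfs))",
    "QUERY NOT ANSWERABLE",
    "QUERY CACHEABLE",
    "Added query expires at 1244899436 (NEGATIVE)",
    "query template of incoming query = (&(objectClass=)(uid=))",
    "QUERY NOT ANSWERABLE",
    "QUERY NOT CACHEABLE",
    "query template of incoming query = (&(objectClass=)(memberUid=))",
    "Entering QC, querystr = (&(objectClass=posixGroup)(memberUid=xfs))",
    "QUERY NOT ANSWERABLE",
    "QUERY CACHEABLE",
    "Added query expires at 1244899436 (NEGATIVE)",
)]
MSG = re.compile(r"slapd[^\[]*\[\d+\]: (.*)$")
QUERYSTR = re.compile(r"^Entering QC, querystr = (.+)$")
TEMPLATE = re.compile(r"^query template of incoming query = ")
ADDED = re.compile(r"^Added query expires at (\d+) \((\w*)\)$")
# "QUERY ANSWERABLE" is assumed to be the positive counterpart of the NOT line.
VERDICTS = ("QUERY ANSWERABLE", "QUERY NOT ANSWERABLE",
            "QUERY CACHEABLE", "QUERY NOT CACHEABLE")

def parse_pcache_log(lines, ttl):
    """Count pcache verdicts; list querystrs added again while the earlier
    cached copy should still have been live (ttl = template TTL in seconds)."""
    stats, expiry, readded, current = Counter(), {}, [], None
    for line in lines:
        m = MSG.search(line)
        msg = m.group(1).strip() if m else ""
        if TEMPLATE.match(msg):
            current = None                      # a new search is being evaluated
        elif (q := QUERYSTR.match(msg)):
            current = q.group(1)
        elif msg in VERDICTS:
            stats[msg] += 1
        elif (a := ADDED.match(msg)) and current is not None:
            new_exp = int(a.group(1))
            stats["ADDED " + (a.group(2) or "POSITIVE")] += 1
            # the earlier copy was added at expiry - ttl and lives until expiry
            if current in expiry and expiry[current] > new_exp - ttl:
                readded.append(current)
            expiry[current] = new_exp
    return stats, readded
```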
Howto setup OpenLDAP as ACL for Servers?
by openbsd shen
I have many Windows 2003/Linux servers, and an OpenLDAP server as auth
server. I want to set up ACLs in the OpenLDAP server, maybe user A allowed to
log in to the windows-1 server and Linux-1 server, and user B allowed to
log in to the windows-2 server and Linux-2 server.
How do I set this up in the OpenLDAP server?
11 years, 9 months
Database error 22
by Olivier Nicole
Hi,
After a reboot this morning I had the error:
Jun 23 06:47:47 ldap slapd[512]: @(#) $OpenLDAP: slapd 2.3.40 (Jan 29 2008 12:27:46) $ root@fbsd35.cs.ait.ac.th:/usr/ports/net/openldap23-server/work/openldap-2.3.40/servers/slapd
Jun 23 06:47:49 ldap slapd[522]: bdb_db_open: Database cannot be opened, err 22. Restore from backup!
Jun 23 06:47:49 ldap slapd[522]: bdb(dc=cs,dc=ait,dc=ac,dc=th): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
Jun 23 06:47:49 ldap slapd[522]: bdb(dc=cs,dc=ait,dc=ac,dc=th): txn_checkpoint interface requires an environment configured for the transaction subsystem
Jun 23 06:47:49 ldap slapd[522]: bdb_db_close: txn_checkpoint failed: Invalid argument (22)
Jun 23 06:47:49 ldap slapd[522]: backend_startup_one: bi_db_open failed! (22)
Jun 23 06:47:49 ldap slapd[522]: bdb_db_close: alock_close failed
Jun 23 06:47:49 ldap slapd[522]: slapd stopped.
Jun 23 06:47:49 ldap slapd[522]: connections_destroy: nothing to destroy.
Yesterday I think I cleanly halted the LDAP server before the UPS ran
out of battery (major power failure). This morning when I restarted
the machine I found the above error.
1) What could cause this error?
2) How do I do clean and regular backups?
Best regards,
Olivier
11 years, 9 months
(no subject)
by Sai
Hi all,
You can consider me fairly new to LDAP servers, let alone OpenLDAP.
But I went through most of the documentation and configured openldap for our
Web Site almost a year and a half to two years ago.
Now I am required to configure passive failover for this. I am trying to
understand and weigh my options.
1) What I want to configure?
Two LDAP servers, with their content being in sync at all times.
2) What should I use?
Slurpd or syncrepl or some other configuration.
3) What version are we running?
2.2.13. Sadly but truly, the project does not have the time and resources to
update to the latest one.
4) How are we going to use this replication configuration?
a. Currently the Web App points to server A.
b. In case of a catastrophic failure of server A (Machine down, power
plug pulled, disk failure, etc), they will point the Web App to server B.
c. Fix server A.
d. Point Web App back to server A (I know there is no harm in leaving
it pointed to B but that is the way they want. "Return every thing back to
how it was").
I think in order to satisfy 4.b (any updates while pointed to server B while
server A is down), both the servers should be Master-Master (N-Way master).
What I am trying to understand is question 2. I am currently going through
chapter 14 and 15 of openldap documentation. I noticed there are some slight
differences and I want to get your expert opinion so that I am on the right
track and not doing my own little weird configuration.
Any help in understanding this and deciding what to use is much
appreciated.
Thanks,
-Sai
11 years, 9 months
control rules
by olivier morel
Hi,
when I try to find a contact with Outlook I see all the computers of my area from ou=machines.
I would like to block the path to ou=machines so that only the people are visible. How can I do this?
Thank you very much for your help.
-------------------------
Olivier Morel - Service Informatique
4 allée de Seine - 93285 Saint Denis Cedex
E-mail : olivier.morel(a)panoranet.com
11 years, 9 months
Mirror Mode question
by Ivan Ordonez
Hi, I am trying to set up mirror mode on two identical machines.
Previously, these two machines were set up as PDC and BDC, using the syncrepl
provider and consumer method. All changes are done through the PDC, and
will sync to the BDC. We decided to use mirror mode for high availability
but are having issues getting it to work. When I try to create an account, I
get an error message regarding smbldap-tools. See below.
Error: shadow context; no update referral at /usr/sbin//smbldap_tools.pm
line 1083, <DATA> line 466.
Is there anything in smbldap.conf that I need to change? I made sure
that the masters were pointing to each other.
Below is my mirror mode configuration.
Machine 1 - IP Address 192.0.0.201
ServerID 1
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
provider=ldap://192.0.0.202:389
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 +"
searchbase="dc=my,dc=domain,dc=com"
scope=sub
schemachecking=on
bindmethod=simple
binddn="cn=Manager,dc=my,dc=domain,dc=com"
credentials=mypassword
mirrormode on
Machine 2 - IP Address 192.0.0.202
ServerID 2
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
provider=ldap://192.0.0.201:389
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 +"
searchbase="dc=my,dc=domain,dc=com"
scope=sub
schemachecking=on
bindmethod=simple
binddn="cn=Manager,dc=my,dc=domain,dc=com"
credentials=mypassword
mirrormode on
Thanks in advance.
11 years, 10 months
Update schema
by Olivier Nicole
Hi,
I have an openldap server running and being used day to day for
authentication.
I developed a small schema, and all is working fine.
Only I just noticed that in the definition of the object class, I
used the OID 9999 instead of my own enterprise number:
objectclass ( 1.3.6.1.4.1.9999.2.1.1
Should be
objectclass ( 1.3.6.1.4.1.26754.4.1.1
I believe I cannot just stop slapd, correct the schema and restart
slapd.
What would be the clean way to proceed to a schema upgrade?
As this is a production server, I cannot afford to break it.
Best regards,
Olivier
11 years, 10 months
puzzling Open LDAP dn errors
by Frizzell, Ryan
Hi all,
I'm trying to set up an ldap proxy and I'm running into a bunch of bad dn errors in my endeavors.
Currently, my slapd.conf file looks like:
Database ldap
Suffix ""
Uri "ldap://myLdapIP:389"
Idassert-bind bindmethod=simple
Binddn="cn=privilagedAcct"
Credentials="privPass"
Trying to keep it simple as this is only a sandbox setup. The issues I'm running into are when I try to change the suffix dn to something useful like
Suffix "dc=mydomain,dc=net"
Changing suffix to that will produce slaptest errors of "<suffix> invalid DN 21 (invalid syntax)"
I can connect to my ldap server and perform searches with:
ldapsearch -LLL "uid=mytestuser" -x -H "ldap://myLdapIP:389" -D "cn=privilagedAcct,OU=test,dc=mydomain,dc=net" -b "dc=mydomain,dc=net" -W
I've also tried to change the binddn to cn=privilagedAcct,OU=test,dc=mydomain,dc=net; slaptest will then produce
Invalid bind config value binddn=cn=privilagedAcct,OU=test,dc=mydomain,dc=net
I've worked quite a bit with DNs in the past and I can't seem to see anything wrong with the DNs especially since the ldapsearch commands will complete on the running ldap server.
I'm guessing I'm overlooking something very simple. Any ideas?
Thanks,
Ryan
11 years, 10 months