Re: hardware requirement
by Quanah Gibson-Mount
--On Thursday, June 11, 2009 9:19 PM +0530 mukim pathan
<mukim.iitkgp(a)gmail.com> wrote:
> I will be using the latest OpenLDAP release with Berkeley DB. If 32-bit
> is not capable of it then please tell me the resource requirement for 64
> bit.
Keep replies on the list if you want answers. The technical limitations of
32-bit OSes are well documented. Since I have no idea how large your
database is when fully loaded, I cannot say for certain that you'll hit
(or have hit) those limits, but I find it *highly* likely.
In any case, in this day and age, there is really no excuse to be running
32-bit OSes.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
hardware requirement
by mukim pathan
Hi,
I have to set up a database for storing 100 million entries, each entry with 4
columns. I will be using CentOS Linux for this.
I checked previous queries regarding hardware, and I found that with a 32-bit
machine, processing might get slow above 20 million records.
I want to ask what the hardware configuration for this should be.
Thank you in advance.
Regards,
Mukim Pathan
some thoughts about RDN
by Paweł Madej
Hello,
I have an RDN such as
cn=user1,dc=example,dc=com
but my webmail software knows users only by their emails (which is an attribute of
cn=user1,dc=example,dc=com).
My question is how can I authenticate in LDAP using the provided email? I tried
something like mail=test(a)example.com,dc=example,dc=com but LDAP refuses such a
login.
Thanks in advance for help
Greets
Pawel
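One way to implement login by e-mail when mail is not the RDN, as an added example (not code from the poster or from OpenLDAP): escape the user-supplied address per RFC 4515, search for the single entry whose mail matches, and only then simple-bind as the DN that was found. The in-memory directory, BASE and the fake_search/fake_bind callables are constructed stand-ins for a real connection's search and bind.

```python
import re

# Two-step login by e-mail: the mail attribute is not part of the RDN, so the client
# first searches for the entry whose mail matches, then simple-binds as the DN it found.
# The search and bind functions are passed in so the logic runs offline; with ldap3 or
# python-ldap they would be thin wrappers around the connection's search and bind.

def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied e-mail must not be able to change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def mail_filter(email):
    return "(&(objectClass=inetOrgPerson)(mail=%s))" % escape_filter_value(email)

def resolve_dn(search, base, email):
    """search(base, filter) returns a list of matching DNs; exactly one is required."""
    dns = search(base, mail_filter(email))
    return dns[0] if len(dns) == 1 else None   # unknown or ambiguous mail: refuse

def login(search, bind, base, email, password):
    if not password:
        return False   # an empty password would turn a simple bind into an anonymous bind
    dn = resolve_dn(search, base, email)
    return dn is not None and bind(dn, password)

# Constructed stand-in for the directory, used only for the offline demonstration.
BASE = "dc=example,dc=com"
FAKE_DIRECTORY = {
    "cn=user1,dc=example,dc=com": {"mail": "test@example.com", "userPassword": "hunter2"},
    "cn=user2,dc=example,dc=com": {"mail": "dup@example.com", "userPassword": "pw2"},
    "cn=user3,dc=example,dc=com": {"mail": "dup@example.com", "userPassword": "pw3"},
}

def fake_search(base, flt):
    """Compares the escaped mail value from the filter with each entry's escaped mail,
    so an injected '*' is matched literally rather than as a wildcard."""
    wanted = re.search(r"\(mail=([^)]*)\)", flt).group(1)
    return [dn for dn, attrs in FAKE_DIRECTORY.items()
            if dn.endswith(base) and escape_filter_value(attrs["mail"]) == wanted]

def fake_bind(dn, password):
    return FAKE_DIRECTORY.get(dn, {}).get("userPassword") == password

if __name__ == "__main__":
    print(login(fake_search, fake_bind, BASE, "test@example.com", "hunter2"))  # True
    print(login(fake_search, fake_bind, BASE, "*", "hunter2"))                 # False
```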
solaris patch vs. linux patch
by Brett @Google
Hello,
Just wondering if anybody knows why Solaris patch refuses to process the BDB
4.7 patch files, whereas the patch command on Linux works perfectly.
I.e. on Solaris:
patch -p0 <patch.4.7.25.1
Looks like a context diff to me...
Hunk #1 failed at line 187.
Hunk #3 failed at line 296.
2 out of 4 hunks failed: saving rejects to sequence/sequence.c.rej
done
Works fine on a Linux machine?
Have tried patch 2.5.9 built from source from gnu.org; this fails also.
(I usually end up patching on Linux, and then copying the patched tarball
back to Solaris... but just wondering?)
Cheers
Brett
password change and ppolicy
by tizo
Hi there,
We are using OpenLDAP 2.4.16 with ppolicy to authenticate users for a JEE
application. Authentication works great (with JNDI), and we are receiving
ppolicy response controls without problem. In that way, the user knows when
the password is about to expire, when the password has been reset, etc.
Now we want to offer users the ability to change passwords from the application.
Before starting this, I have been testing password changing with
phpLDAPAdmin. The fact is that I could only change a user password in
clear text. I guess that this behaviour happens because we have the
pwdCheckQuality setting at 2 in our default password policy. So, when the
client (phpLDAPAdmin) tries to modify the password encoding it, the server
(OpenLDAP) cannot check the min length of the password, as it is encoded,
and then fails. I am guessing too that phpLDAPAdmin is performing a simple
modify operation to change the password, as it is stored in clear text. On
the other hand, I could change passwords with ldappasswd without problem,
and they are stored with SSHA. I know that this command uses RFC 3062.
So, I am wondering which is the best way to change the password from a Java
application. I guess that, if I have the pwdCheckQuality setting at 2, the
password should travel in clear text, so that ppolicy can check its min
length for example. But I would like it to be stored encoded. How could I do
that? Do I have to use RFC 3062? Do you know any Java implementation of
the client side for that RFC?
Thanks very much,
tizo
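An added example (not the poster's code and not OpenLDAP's) of what an RFC 3062 Password Modify request carries on the wire: Python that BER-encodes and decodes the PasswdModifyRequestValue, plus a constructed {SSHA} hasher standing in for what the server stores once ppolicy has checked the clear-text newPasswd. Python rather than Java is used only so the block runs here; the same bytes would be handed to a JNDI ExtendedRequest.

```python
import base64, hashlib, hmac, os

# OID of the Password Modify extended operation (RFC 3062 section 2)
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def _ber_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None):
    """PasswdModifyRequestValue ::= SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd },
    every field OPTIONAL. The new password is sent in the clear inside the request,
    which is exactly why the exchange must run over TLS."""
    fields = (user_identity, old_passwd, new_passwd)
    body = b"".join(_tlv(tag, v.encode("utf-8"))
                    for tag, v in zip((0x80, 0x81, 0x82), fields) if v is not None)
    return _tlv(0x30, body)

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the size
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + length], pos + length

def decode_passwd_modify_request(data):
    """Server-side view: recover the fields so ppolicy can check the clear-text newPasswd."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a PasswdModifyRequestValue SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in _TAGS or _TAGS[tag] in fields:
            raise ValueError("unexpected or repeated field tag 0x%02x" % tag)
        fields[_TAGS[tag]] = value.decode("utf-8")
    return fields

def ssha_hash(password, salt=None):
    """Shape of the stored userPassword after acceptance: {SSHA}base64(sha1(pw+salt)+salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)
```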
problem in my mirrormode
by Wissem BARAKET
Hello :
I would like to install mirrormode in my LDAP but I cannot make it work:
my OS is Debian Lenny
and my OpenLDAP is 2.4.16
can you help me?
this is my config on my first server :
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
serverID 1
# Features to permit
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
TLSCertificateFile /etc/ldap/tls/ldap_bdc_cert.pem
TLSCertificateKeyFile /etc/ldap/tls/ldap_bdc_key.pem
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel sync
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
#moduleload syncprov
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=xxx,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=xxx,dc=com"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=xxx,dc=com" write
by dn="uid=mirrormode,ou=Users,dc=xxx,dc=com" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=xxx,dc=com" write
by dn="uid=mirrormode,dc=xxx,dc=com" read
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=xxx,dc=com" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
rootdn "cn=admin,dc=xxx,dc=com"
moduleload syncprov
index entryCSN,entryUUID eq
lastmod on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncrepl rid=001 provider=ldaps://debian.xxx.com:636 type=refreshAndPersist credentials=mirrormode searchbase="dc=xxx,dc=com" filter="(objectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com" binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy
syncrepl rid=002 provider=ldaps://debian1.xxx.com:636 type=refreshAndPersist credentials=mirrormode searchbase="dc=luniweb,dc=com" filter="(objectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com"binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy
mirrormode on
the second server :
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
serverID 1
# Features to permit
allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
TLSCertificateFile /etc/ldap/tls/ldap_pdc_cert.pem
TLSCertificateKeyFile /etc/ldap/tls/ldap_pdc_key.pem
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel sync
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=xxx,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=xxx,dc=com"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=xxx,dc=com" write
by dn="uid=mirrormode,ou=Users,dc=xxx,dc=com" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
#access to dn.base="cn=Subschema"by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=xxx,dc=com" write
by dn="uid=mirrormode,dc=xxx,dc=com" read
by * read
#defaultsearchbase dc=xxx,dc=com
#sasl_host localhost
#sasl_secprops none
password-hash {MD5}
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=xxx,dc=com" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
rootdn "cn=admin,dc=xxx,dc=com"
index entryCSN,entryUUID eq
lastmod on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncrepl rid=002 provider=ldaps://debian1.xxx.com:636 type=refreshAndPersistcredentials=mirrormode searchbase="dc=xxx,dc=com" filter="(objectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com"binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy
syncrepl rid=001 provider=ldaps://debian.xxx.com:636 type=refreshAndPersist credentials=mirrormode searchbase="dc=xxx,dc=com" filter="(obj#ectClass=*)" scope=sub schemachecking=on bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=xxx,dc=com" binddn="cn=syncrepl,dc=xxx,dc=com" credentials=yyy
mirrormode on
thanks
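An added configuration checker (not the poster's code, nor the Debian package's) for slapd.conf files of the shape shown above: Python that splits each syncrepl directive into key=value pairs and flags repeated keys and a malformed type value, requires mirrormode on and distinct serverID values on the two servers, and warns on a weak password-hash. The two embedded excerpts are constructed in the shape of the posted files, with placeholder hosts and credentials.

```python
import re

# Constructed excerpts in the shape of the two posted slapd.conf files; hosts and credentials are placeholders.
SERVER_A = """
serverID 1
password-hash {MD5}
syncrepl rid=001 provider=ldaps://ldap1.example.com:636 type=refreshAndPersist searchbase="dc=example,dc=com" bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=example,dc=com" binddn="cn=syncrepl,dc=example,dc=com" credentials=PLACEHOLDER
mirrormode on
"""
SERVER_B = """
serverID 1
syncrepl rid=002 provider=ldaps://ldap2.example.com:636 type=refreshAndPersistcredentials=PLACEHOLDER searchbase="dc=example,dc=com" bindmethod=simple binddn="uid=mirrormode,ou=Users,dc=example,dc=com"
mirrormode on
"""
KV = re.compile(r'([A-Za-z-]+)=("[^"]*"|[^\s"]+)')   # key=value or key="quoted value"
VALID_TYPES = {"refreshOnly", "refreshAndPersist"}
WEAK_HASHES = {"{CLEARTEXT}", "{MD5}", "{SMD5}", "{SHA}"}

def parse_syncrepl(line):
    """Return (params, problems) for one syncrepl directive; slapd takes each key once."""
    params, problems = {}, []
    for key, val in KV.findall(line.split(None, 1)[1]):
        if key in params:
            problems.append("duplicate %s" % key)
        params[key] = val.strip('"')
    if params.get("type") not in VALID_TYPES:
        problems.append("bad type %r (missing space?)" % params.get("type"))
    problems += ["missing %s" % k for k in ("rid", "provider", "searchbase") if k not in params]
    return params, problems

def check_server(conf):
    """Per-file findings: serverID, mirrormode, weak password-hash, each syncrepl line."""
    info = {"serverID": None, "mirrormode": False, "problems": []}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == "serverID":
            info["serverID"] = parts[1]
        elif parts[0] == "mirrormode":
            info["mirrormode"] = parts[1].lower() == "on"
        elif parts[0] == "password-hash" and parts[1].upper() in WEAK_HASHES:
            info["problems"].append("weak password-hash %s, use {SSHA} or stronger" % parts[1])
        elif parts[0] == "syncrepl":
            params, probs = parse_syncrepl(line)
            info["problems"] += ["rid %s: %s" % (params.get("rid"), p) for p in probs]
    return info

def check_mirror_pair(conf_a, conf_b):
    """Cross-server rules for mirrormode: both sides on, and distinct serverID values."""
    a, b = check_server(conf_a), check_server(conf_b)
    problems = a["problems"] + b["problems"]
    if not (a["mirrormode"] and b["mirrormode"]):
        problems.append("mirrormode on is required on both servers")
    if a["serverID"] == b["serverID"]:
        problems.append("both servers use serverID %s; each must be unique" % a["serverID"])
    return problems
```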
Re: UCARP setup
by Ivan Ordonez
Matt Kassawara wrote:
> I don't see why not... you'll just need to configure it to use the
> hostname/IP pointing to the active server.
>
> On Jun 9, 2009, at 4:39 PM, Ivan Ordonez wrote:
>
>>
>>
>> Matt Kassawara wrote:
>>>
>>> I'd recommend looking at mirror mode.
>>> http://www.openldap.org/doc/admin24/replication.html
>>>
>>> On Tue, Jun 9, 2009 at 2:40 PM, Ivan Ordonez
>>> <iordonez(a)nature.berkeley.edu> wrote:
>>> Hi,
>>>
>>> Does anyone here have any experience using UCARP with OpenLDAP?
>>>
>>> http://www.ucarp.org/project/ucarp
>>>
>>> Our department wants to use UCARP to provide automatic failover but
>>> I'm at a loss on how to make two machines replicate OpenLDAP data. If
>>> you have a better suggestion, or ideas on how to make it work,
>>> please let me know.
>>>
>>> Thanks in advance.
>>>
>>> -Ivan
>>>
>>
>> Can you do a mirror mode and at the same time, have a consumer, for
>> example, a BDC sitting on a different subnet?
I'll give it a shot. Thanks for all the help.
-Ivan
Error while using relay
by venish khant
Hi all,
I am trying to access LDAP search using an email address instead of a DN. For
that I am using the overlay rwm, and relay. When I gave relay
"dc=example,dc=com", slapd gives me an error like (unknown directive <relay>
inside backend database definition). I already enabled the modules for
relay (back_relay.so) and rwm (rwm.so).
openLDAP => 2.4.15
Backend => bdb (Berkeley Database)
Regards
--
Venish Khant
www.deeproot.co.in
CRL question
by joakim@comex.se
Hi,
I'm using OpenLDAP with TLS and a CRL. My slapd.conf file has the line
"TLSCRLCheck all". When the CRL has expired, the client is not allowed to
make a TLS connection.
My question is whether it is possible to configure openldap to let the
client connect to the server (possibly with a warning) even when the CRL
has expired. Does anyone know if that is possible?
/Jocke