openldap-technical July 2009

openldap-technical@openldap.org

68 participants
73 discussions

on-the-fly tweaking of AccessControl (be_acl)
by Daniel 20 Jul '09

20 Jul '09

Dear slapd-Experts, I've a perhaps slightly strange question regarding tweaking of be_acl from within an overlay and would be very happy if you could please help me. I'm looking after a possibility to change AccessControl struct's content on "overlay-operation-basis": For each processed Operation within my test overlay I want to modify this sample ACL from a) into b): a) cn=config initially stores: access to filter=(x=*) by users read by * none b) overlay has detected operation "z" ==> the acl should be tuned into: access to filter=(y=*) by users read by * none I think I've already found the concerned structs and I'm able to get the above modification done in theory, but I'm a little bit afraid/unsure regarding side effects, e.g thread locking and so on. I could imagine that in general be_acl is not intend to be changed from one operation to another...?! What would be the "best" pseudo-code-style way to achive the above a-b-transition in a safe/consistent way from within an overlay? Many thanks for your advice! Cheers Daniel

1 0

add and modify
by mukim pathan 20 Jul '09

20 Jul '09

Hi, I was just wondering if there is any command like ldapadd/ldapmodify or any configuration parameter in this commands which will add an entry in database if its not present like ldapadd and modify that entry if its there in database like ldapmodify?? Regards, Mukim Pathan

2 1

Problem with new writetimeout
by Christian Manal 20 Jul '09

20 Jul '09

Hi everyone, I have noticed a problem regarding the new writetimeout feature in OpenLDAP 2.4.17. I have a setup with one master and four replicas running on Solaris 10, using the hdb-backend with BDB 4.4 from the opencsw repository. Clients are Sun, Linux and Mac boxes in every possible variation. I updated my servers last Friday from version 2.4.15 and now some cronjobs accessing the directory were sporadically failing over the weekend. I monitored the server logs (log level 'stats') while running the involved scripts repeatedly and got something like the following results after fail-runs on all servers: (IPs and DNs altered) > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 848112 local4.debug] conn=12479 fd=79 ACCEPT from IP=192.168.1.1:50210 (IP=0.0.0.0:389) > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 270379 local4.debug] conn=12479 op=0 EXT oid=1.3.6.1.4.1.1466.20037 > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 560212 local4.debug] conn=12479 op=0 STARTTLS > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 875301 local4.debug] conn=12479 op=0 RESULT oid= err=0 text= > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 105384 local4.debug] conn=12479 fd=79 TLS established tls_ssf=256 ssf=256 > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 215403 local4.debug] conn=12479 op=1 BIND dn="uid=dummyuser,ou=System,dc=example,dc=com" method=128 > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 600343 local4.debug] conn=12479 op=1 BIND dn="uid=dummyuser,ou=System,dc=example,dc=com" mech=SIMPLE ssf=0 > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 588225 local4.debug] conn=12479 op=1 RESULT tag=97 err=0 text= > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 469902 local4.debug] conn=12479 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=2 filter="(objectClass=posixAccount)" > Jul 20 11:42:43 ldapserver slapd[9053]: [ID 744844 local4.debug] conn=12479 op=2 SRCH attr=uid userpassword uidnumber gidnumber gecos homedirectory loginshell > Jul 20 11:43:00 ldapserver slapd[9053]: [ID 485650 local4.debug] conn=12479 fd=79 closed (writetimeout) I don't have the writetimeout keyword configured on any of the boxes and the affected script doesn't do any writes anyway. Also, the problem only seems to arise if the client takes a while to process a search result. The failing scripts are Net::LDAP based Perl scripts running on some old SPARC boxes, so it took them up to half a minute and more to complete. Setting writetimeout to a high enough value seems solve the problem, but referring to the docs, this shouldn't happen with the keyword unset or set to 0. Is this a bug or did I miss something? Did anyone else encounter this so far? Regards, Christian Manal

2 1

how to uninstall openldap
by mukim pathan 20 Jul '09

20 Jul '09

Hi, I wish uninstall openldap-2.4.16 from my linux system and install it again. I tried uninstalling it using make uninstall but it's not working. Can you please tell me how to uninstall openldap?? Regards, Mukim Pathan

2 1

Extend Schema correctly
by Techie 17 Jul '09

17 Jul '09

Hello List, I want to correctly extend schema but I have a question regarding the OID assignment of the custom objectClass and attributes I have created. I want to know if the OID number is absolutely necessary and if I do not use an OID number, what are the repercussions if any. For example will it cause any issues say with syncing with Active Directory or any other directory down the line if I go that route , I created a custom schema extension file to extend my schema so I can associate server names containing resources to my user accounts in LDAP. This schema file has a single auxiliary objectClasses entry and three (MAY) attributeTypes entries. I added the schema file to my Directory with schema checking on and it starts up correctly. I can add this objectClass and the 3 associated attributes to any account in my directory with no issue. I have not assigned an OID to these entries only names. Does this mean the OID is not necessary? Is there a suggested base OID I can use without requesting a company specific OID from IANA? Would be for for inter company use only. My company has an OID name space through IANA but the people that managed that are long gone and I do not want to overlap anything or cause issues. So basically I am looking to give this object class and associated attributes OID numeric assignments and am unsure how to do that. Thank you

1 0

syncrepl configuration possibilities
by Laurence Field 15 Jul '09

15 Jul '09

Hi, I am investigating the use of syncrepl to improve the efficiency of the transport mechanism that we are currently using in a world-wide distributed OpenLDAP deployment. If LDAP server A has information under "cn=my_resource,dc=example,dc=com" is it possible to replicate this information to LDAP server B but slightly modify the DN so that this becomes a sub tree of a larger tree eg. "cn=my_resource,cn=my_group,dc=example,dc=com"? Alternative suggestions are welcome and I would be happy to explain what we are trying to do in more detail if anyone is interested. Thanks, Laurence

2 3

auth works with cn=My Name but not with uid=myname
by Arne Schirmacher 15 Jul '09

15 Jul '09

This is probably trivial but I can't figure it out: my OpenLDAP entry has an attribute of cn=My Name, an attribute of uid=myname and a password. I can successfully log in using JXplorer using cn=My Name,ou=people,o=my company but not using uid=myname,ou=people,o=my company (error code 49 - Invalid Credentials) However searching with that dn is successful and returns 1 entry, so the uid attribute is in fact there. Please advise how I could enable the second login method which I need for exim authentication. Thanks!

3 2

Re: Multi master topology.
by Gavin Henry 14 Jul '09

14 Jul '09

----- "Alejandro Leyva" <alex.leyva(a)gmail.com> wrote: > Hi all. > > We are implementing a solution with multi master LDAP, we have 11 > instances at different locations, and maybe we will grow to 21 or 31 > instances before the end of the year, expecting to hold something > like > 200,000 or 300,000 user entries. What topology would be the best? > Right now each server synch to all the other servers, is it possible > to configure each server to synch only to a central LDAP? is it > convenient? Then that is not Multi-Master, but normal Provider/Consumer replication. Depending on your client requirements for writing, you may be better served using MirrorMode and numerous consumers/slaves with the chaining overlay to push writes back to the master. This would be simpler for monitoring write propagation. See the diagram here http://www.openldap.org/doc/admin24/replication.html#MirrorMode -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

2 2

slapd proxy
by Sergio Cioban Filho 13 Jul '09

13 Jul '09

Hi all, I'm trying to configurate an OpenLdap proxy for high availability, with ldap backend. My problem is the timeout. When the first server in URI is gone down, my ldapsearch delay 3 minutes, how do I change this timeout? Server 192.168.166.171 UP TIME: real 0m0.036s user 0m0.002s sys 0m0.003s Server 192.168.166.171 DOWN TIME: real 3m8.957s user 0m0.003s sys 0m0.004s I want the ldap-proxy immediately redirect the ldapsearch to the server 192.168.166.172 when server 192.168.166.172 gone down. My back-ldap configuration:* database ldap suffix "dc=digitro,dc=com,dc=br" rootdn "cn=axs,dc=digitro,dc=com,dc=br" uri "ldap://192.168.166.171/ ldap://192.168.166.172/" conn-ttl 0 idle-timeout 0 timeout 1 * Thanks, Regards, --- Sérgio Cioban Filho | Tecnólogo em Gestão de TI | Linux Professional Institute Certified - Level 1 ----------------------------------------------------------------- | Linux :: servidores :: firewall :: VPN :: segurança | OpenLdap :: virtualização :: VoIP :: ShellScript :: PHP | http://cioban.googlepages.com | +55 48 9989-8733 ----------------------------------------------------------------- ..:: Seja livre, use LiNuX!! ::.. ----------------------------------------------------------------- SOLISC - Não perca o maior evento de Software Livre de Santa Catarina - http://www.solisc.org.br

1 0

syncrepl randomly failing to sync
by Jay Christopherson 12 Jul '09

12 Jul '09

Hi- First of all, I hope I am not rehashing a topic that has been endlessly discussed. I know that syncrepl gets discussed a lot from my searches, but I have not found a specific topic on my issue. I started out with OpenLDAP 2.3, with a single provider and two consumers doing syncrepl using a refreshAndPersist type of replication. Periodically, I would see that one or more of the consumers would fail to synchronize a change made to the provider. A restart of the consumer would fix this and we could move on. It was annoying, but not critical at this point. Since then, I have become more dependent on OpenLDAP and syncrepl. I have upgraded to 2.4 to try to fix the replication issue, but it seems worse than ever. I now have one provider and six consumers. The consumers randomly fail to synchronize (as evidences by contextCSN monitoring). This happens several times a day. I'm thinking that maybe there is something wrong with my configuratiuon. This is what I am using: Provider: overlay syncprov syncprov-checkpoint 1 10 syncprov-sessionlog 100 syncprov-nopresent TRUE syncprov-reloadhint TRUE limits dn.exact="cn=replica,o=users,dc=domain,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited Consumers (all consumers have the exact same config): syncrepl rid=123 provider=ldap://ldap.sea.corp.domain.com:389 binddn="uid=replica,o=users,dc=domain,dc=com" bindmethod=simple retry="10 +" credentials=secret searchbase="dc=domain,dc=com" schemachecking=off type=refreshAndPersist interval=00:00:00:05 updateref ldap://ldap.sea.corp.domain.com A few "weird" things: * After the upgrade, I notice that the Directory Type on the Root DSE is still OpenLDAP 2.3 * I notice that where previously I could simple create a new consumer by installing a fresh copy of openldap, copying the config from another consumer over, and starting up to get a full copy of the directoy, it now fails to completely replicate and I have to do a full slapcat/slapadd to do the initial population. Like I said, I hope it's just something stupid I am doing...

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2009