I've a perhaps slightly strange question regarding tweaking of be_acl
from within an overlay and would be very happy if you could please help me.
I'm looking for a possibility to change the AccessControl struct's content
on an "overlay-operation basis": For each processed Operation within my
test overlay I want to modify this sample ACL from a) into b):
a) cn=config initially stores:
access to filter=(x=*)
by users read
by * none
b) overlay has detected operation "z" ==> the acl should be tuned into:
access to filter=(y=*)
by users read
by * none
I think I've already found the concerned structs and I'm able to get the
above modification done in theory, but I'm a little bit afraid/unsure
regarding side effects, e.g. thread locking and so on. I could imagine
that in general be_acl is not intended to be changed from one operation to
What would be the "best" pseudo-code-style way to achieve the above
a-b-transition in a safe/consistent way from within an overlay?
Many thanks for your advice!
I was just wondering if there is any command like ldapadd/ldapmodify, or any
configuration parameter in these commands, which will add an entry in the database
if it's not present (like ldapadd) and modify that entry if it's already there in the
database (like ldapmodify)?
I have noticed a problem regarding the new writetimeout feature in
OpenLDAP 2.4.17. I have a setup with one master and four replicas
running on Solaris 10, using the hdb-backend with BDB 4.4 from the
opencsw repository. Clients are Sun, Linux and Mac boxes in every
I updated my servers last Friday from version 2.4.15 and now some
cronjobs accessing the directory were sporadically failing over the weekend.
I monitored the server logs (log level 'stats') while running the
involved scripts repeatedly and got something like the following results
after fail-runs on all servers:
(IPs and DNs altered)
> Jul 20 11:42:43 ldapserver slapd: [ID 848112 local4.debug] conn=12479 fd=79 ACCEPT from IP=192.168.1.1:50210 (IP=0.0.0.0:389)
> Jul 20 11:42:43 ldapserver slapd: [ID 270379 local4.debug] conn=12479 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Jul 20 11:42:43 ldapserver slapd: [ID 560212 local4.debug] conn=12479 op=0 STARTTLS
> Jul 20 11:42:43 ldapserver slapd: [ID 875301 local4.debug] conn=12479 op=0 RESULT oid= err=0 text=
> Jul 20 11:42:43 ldapserver slapd: [ID 105384 local4.debug] conn=12479 fd=79 TLS established tls_ssf=256 ssf=256
> Jul 20 11:42:43 ldapserver slapd: [ID 215403 local4.debug] conn=12479 op=1 BIND dn="uid=dummyuser,ou=System,dc=example,dc=com" method=128
> Jul 20 11:42:43 ldapserver slapd: [ID 600343 local4.debug] conn=12479 op=1 BIND dn="uid=dummyuser,ou=System,dc=example,dc=com" mech=SIMPLE ssf=0
> Jul 20 11:42:43 ldapserver slapd: [ID 588225 local4.debug] conn=12479 op=1 RESULT tag=97 err=0 text=
> Jul 20 11:42:43 ldapserver slapd: [ID 469902 local4.debug] conn=12479 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=2 filter="(objectClass=posixAccount)"
> Jul 20 11:42:43 ldapserver slapd: [ID 744844 local4.debug] conn=12479 op=2 SRCH attr=uid userpassword uidnumber gidnumber gecos homedirectory loginshell
> Jul 20 11:43:00 ldapserver slapd: [ID 485650 local4.debug] conn=12479 fd=79 closed (writetimeout)
I don't have the writetimeout keyword configured on any of the boxes and
the affected script doesn't do any writes anyway. Also, the problem only
seems to arise if the client takes a while to process a search result.
The failing scripts are Net::LDAP based Perl scripts running on some old
SPARC boxes, so it took them up to half a minute and more to complete.
Setting writetimeout to a high enough value seems to solve the problem, but
referring to the docs, this shouldn't happen with the keyword unset or
set to 0.
Is this a bug or did I miss something? Did anyone else encounter this so
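What the log excerpt above shows by eye can be checked mechanically across a weekend's worth of logs. The following is an added example, not code from the post or from OpenLDAP: a small Python parser for slapd `stats`-level syslog lines that reports every connection slapd closed with `(writetimeout)`, the DN it was bound as, which operations had not yet received a RESULT, and how many seconds passed between the start of the last operation and the close. The sample lines are constructed after the excerpt (StartTLS OID written out in full; a second, normal connection is added for contrast), and the report fields are this example's own.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the excerpt in the post above (Solaris syslog
# "[ID nnn local4.debug]" prefix, IPs and DNs altered as in the post). Connection
# 12479 is the failing one; 12480 is a normal connection added for contrast.
SAMPLE_LOG = """\
Jul 20 11:42:43 ldapserver slapd: [ID 848112 local4.debug] conn=12479 fd=79 ACCEPT from IP=192.168.1.1:50210 (IP=0.0.0.0:389)
Jul 20 11:42:43 ldapserver slapd: [ID 270379 local4.debug] conn=12479 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 20 11:42:43 ldapserver slapd: [ID 560212 local4.debug] conn=12479 op=0 STARTTLS
Jul 20 11:42:43 ldapserver slapd: [ID 875301 local4.debug] conn=12479 op=0 RESULT oid= err=0 text=
Jul 20 11:42:43 ldapserver slapd: [ID 105384 local4.debug] conn=12479 fd=79 TLS established tls_ssf=256 ssf=256
Jul 20 11:42:43 ldapserver slapd: [ID 215403 local4.debug] conn=12479 op=1 BIND dn="uid=dummyuser,ou=System,dc=example,dc=com" method=128
Jul 20 11:42:43 ldapserver slapd: [ID 600343 local4.debug] conn=12479 op=1 BIND dn="uid=dummyuser,ou=System,dc=example,dc=com" mech=SIMPLE ssf=0
Jul 20 11:42:43 ldapserver slapd: [ID 588225 local4.debug] conn=12479 op=1 RESULT tag=97 err=0 text=
Jul 20 11:42:43 ldapserver slapd: [ID 469902 local4.debug] conn=12479 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=2 filter="(objectClass=posixAccount)"
Jul 20 11:42:43 ldapserver slapd: [ID 744844 local4.debug] conn=12479 op=2 SRCH attr=uid userpassword uidnumber gidnumber gecos homedirectory loginshell
Jul 20 11:43:00 ldapserver slapd: [ID 485650 local4.debug] conn=12479 fd=79 closed (writetimeout)
Jul 20 11:45:10 ldapserver slapd: [ID 848112 local4.debug] conn=12480 fd=80 ACCEPT from IP=192.168.1.2:40001 (IP=0.0.0.0:389)
Jul 20 11:45:10 ldapserver slapd: [ID 215403 local4.debug] conn=12480 op=0 BIND dn="uid=other,ou=System,dc=example,dc=com" method=128
Jul 20 11:45:10 ldapserver slapd: [ID 588225 local4.debug] conn=12480 op=0 RESULT tag=97 err=0 text=
Jul 20 11:45:10 ldapserver slapd: [ID 469902 local4.debug] conn=12480 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=2 filter="(uid=other)"
Jul 20 11:45:10 ldapserver slapd: [ID 123456 local4.debug] conn=12480 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 11:45:11 ldapserver slapd: [ID 654321 local4.debug] conn=12480 op=2 UNBIND
Jul 20 11:45:11 ldapserver slapd: [ID 999999 local4.debug] conn=12480 fd=80 closed
"""

# Optional leading "> " so lines pasted from a mail quote parse too.
LINE_RE = re.compile(
    r"^(?:>\s*)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd: "
    r"(?:\[ID \d+ \S+\] )?conn=(?P<conn>\d+) (?P<rest>.*)$"
)
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<msg>.*)$")
BIND_DN_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
CLOSE_RE = re.compile(r"^fd=\d+ closed(?: \((?P<reason>\w+)\))?$")


def _parse_ts(text):
    # syslog stamps carry no year; good enough for intervals within one day
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text):
    """Return one report per connection that slapd closed with (writetimeout)."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = _parse_ts(m["ts"])
        conn = conns.setdefault(m["conn"], {"bind_dn": None, "ops": {}, "closed": None, "reason": None})
        rest = m["rest"]
        om = OP_RE.match(rest)
        if om:
            op, msg = om["op"], om["msg"]
            state = conn["ops"].setdefault(op, {"kind": None, "started": ts, "done": False})
            if msg.startswith("RESULT") or msg.startswith("SEARCH RESULT"):
                state["done"] = True            # server finished sending this op's result
            elif state["kind"] is None:
                state["kind"] = msg.split()[0]  # EXT, BIND, SRCH, UNBIND, ...
            dn = BIND_DN_RE.search(msg)
            if dn:
                conn["bind_dn"] = dn["dn"]
            continue
        cm = CLOSE_RE.match(rest)
        if cm:
            conn["closed"], conn["reason"] = ts, cm["reason"]

    reports = []
    for cid, c in conns.items():
        if c["reason"] != "writetimeout":
            continue
        pending = [op for op in sorted(c["ops"], key=int) if not c["ops"][op]["done"]]
        last_start = max(s["started"] for s in c["ops"].values()) if c["ops"] else c["closed"]
        reports.append({
            "conn": cid,
            "bind_dn": c["bind_dn"],
            "pending_ops": [c["ops"][op]["kind"] for op in pending],
            "seconds_since_last_op": (c["closed"] - last_start).total_seconds(),
        })
    return reports


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"conn={r['conn']} bind_dn={r['bind_dn']} pending={r['pending_ops']} "
              f"closed {r['seconds_since_last_op']:.0f}s after last op started")
```

Run against the real logs of all five servers, the `pending_ops` column tells you whether every writetimeout close interrupts an unfinished SRCH (a slow reader, as the post suspects) or also hits idle connections, and `bind_dn` groups the closes by the script responsible.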
I wish to uninstall openldap-2.4.16 from my Linux system and install it again.
I tried uninstalling it using make uninstall but it's not working.
Can you please tell me how to uninstall OpenLDAP?
I want to correctly extend schema but I have a question regarding the
OID assignment of the custom objectClass and attributes I have
I want to know if the OID number is absolutely necessary and if I do
not use an OID number, what are the repercussions if any.
For example, will it cause any issues, say with syncing with Active
Directory or any other directory down the line, if I go that route?
I created a custom schema extension file to extend my schema so I can
associate server names containing resources to my user accounts in
This schema file has a single auxiliary objectClass entry and three
(MAY) attributeType entries.
I added the schema file to my Directory with schema checking on and it
starts up correctly.
I can add this objectClass and the 3 associated attributes to any
account in my directory with no issue.
I have not assigned an OID to these entries only names. Does this mean
the OID is not necessary?
Is there a suggested base OID I can use without requesting a company
specific OID from IANA? It would be for inter-company use only.
My company has an OID name space through IANA but the people that
managed that are long gone and I do not want to overlap
anything or cause issues.
So basically I am looking to give this object class and associated
attributes OID numeric assignments and am unsure how to do that.
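Two facts bear on the question above: IANA Private Enterprise Numbers hang off the arc 1.3.6.1.4.1.<PEN>, and the OpenLDAP Project's arc 1.3.6.1.4.1.4203.666 is reserved for experiments only. slapd.conf also provides `objectidentifier` macros so the numeric arc is written once and referenced as `name:suffix`. The following is an added example, not code from the post or from OpenLDAP: a Python linter for a slapd.conf-style schema file that expands those macros and flags definitions whose OID is not numeric, duplicates another definition's OID, or sits under the experimental arc. The schema text is constructed; 99999 is a placeholder PEN, and all `example*` names are invented for the illustration.

```python
import re

# OpenLDAP reserves 1.3.6.1.4.1.4203.666 for experiments; nothing under it belongs in production.
EXPERIMENTAL_ARC = "1.3.6.1.4.1.4203.666"
NUMERIC_OID = re.compile(r"^\d+(\.\d+)+$")

# Constructed schema file in slapd.conf syntax. 99999 is a placeholder, not a
# real IANA Private Enterprise Number; substitute your own PEN there.
SAMPLE_SCHEMA = """\
# objectidentifier macros keep the numeric arc in one place
objectidentifier exampleCorp 1.3.6.1.4.1.99999
objectidentifier exampleLDAP exampleCorp:2
objectidentifier exampleAttr exampleLDAP:1
objectidentifier exampleOC   exampleLDAP:2

attributetype ( exampleAttr:1 NAME 'exampleResourceServer'
    DESC 'Server holding resources for this account'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( exampleAttr:2 NAME 'exampleResourcePath'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( exampleAttr:1 NAME 'exampleResourceQuota'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.4203.666.1.99 NAME 'exampleScratch'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

objectclass ( exampleResourceUser-oid NAME 'exampleResourceUser'
    SUP top AUXILIARY
    MAY ( exampleResourceServer $ exampleResourcePath $ exampleResourceQuota ) )
"""


def _read(text):
    """Collect objectidentifier macros and (kind, body) definitions, joining continuation
    lines by parenthesis depth (a ')' inside a DESC string would confuse this toy reader)."""
    macros, defs, buf, depth, kind = {}, [], [], 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if kind is None:
            m = re.match(r"^objectidentifier\s+(\S+)\s+(\S+)$", line, re.I)
            if m:
                macros[m.group(1)] = m.group(2)
                continue
            m = re.match(r"^(attributetype|objectclass)\s+(.*)$", line, re.I)
            if not m:
                continue
            kind, line = m.group(1).lower(), m.group(2)
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            defs.append((kind, " ".join(buf)))
            buf, kind = [], None
    return macros, defs


def resolve_oid(token, macros):
    """Expand slapd 'objectidentifier' macro references (name or name:suffix) to a dotted OID."""
    if ":" in token:
        name, suffix = token.split(":", 1)
        return resolve_oid(name, macros) + "." + suffix
    return resolve_oid(macros[token], macros) if token in macros else token


def lint_schema(text):
    """Return (kind, name, problem) for each definition with a non-numeric, duplicate or experimental OID."""
    macros, defs = _read(text)
    seen, findings = {}, []
    for kind, body in defs:
        m = re.match(r"^\(\s*(\S+)\s+(.*)\)$", body, re.S)
        if not m:
            findings.append((kind, "?", "could not parse definition"))
            continue
        oid = resolve_oid(m.group(1), macros)
        nm = re.search(r"NAME\s+(?:'([^']*)'|\(\s*'([^']*)')", m.group(2))
        name = (nm.group(1) or nm.group(2)) if nm else "?"
        if not NUMERIC_OID.match(oid):
            findings.append((kind, name, f"OID '{oid}' is not numeric; allocate one under your IANA PEN arc"))
        elif oid in seen:
            findings.append((kind, name, f"OID {oid} already used by {seen[oid]}"))
        else:
            seen[oid] = name
            if oid.startswith(EXPERIMENTAL_ARC + "."):
                findings.append((kind, name, f"OID {oid} is under the OpenLDAP experimental arc {EXPERIMENTAL_ARC}"))
    return findings


if __name__ == "__main__":
    for kind, name, problem in lint_schema(SAMPLE_SCHEMA):
        print(f"{kind} {name}: {problem}")
```

The duplicate check is the one that matters most when the people who managed the arc are gone: run the linter over every schema file the company ships, not just the new one, so a reused suffix is caught before two directories disagree about what an OID means.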
I am investigating the use of syncrepl to improve the efficiency of the
transport mechanism that we are currently using in a world-wide
distributed OpenLDAP deployment.
If LDAP server A has information under
"cn=my_resource,dc=example,dc=com" is it possible to replicate this
information to LDAP server B but slightly modify the DN so that this
becomes a subtree of a larger tree, e.g.
Alternative suggestions are welcome and I would be happy to explain what
we are trying to do in more detail if anyone is interested.
This is probably trivial but I can't figure it out:
my OpenLDAP entry has an attribute of cn=My Name, an attribute of uid=myname and a password.
I can successfully log in using JXplorer using
cn=My Name,ou=people,o=my company
but not using
uid=myname,ou=people,o=my company (error code 49 - Invalid Credentials)
However searching with that dn is successful and returns 1 entry, so the uid attribute is in fact there.
Please advise how I could enable the second login method which I need for exim authentication.
----- "Alejandro Leyva" <alex.leyva(a)gmail.com> wrote:
> Hi all.
> We are implementing a solution with multi master LDAP, we have 11
> instances at different locations, and maybe we will grow to 21 or 31
> instances before the end of the year, expecting to hold something
> 200,000 or 300,000 user entries. What topology would be the best?
> Right now each server synch to all the other servers, is it possible
> to configure each server to synch only to a central LDAP? is it
Then that is not Multi-Master, but normal Provider/Consumer replication.
Depending on your client requirements for writing, you may be better served
using MirrorMode and numerous consumers/slaves with the chaining overlay to push writes
back to the master. This would be simpler for monitoring write propagation.
See the diagram here http://www.openldap.org/doc/admin24/replication.html#MirrorMode
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
Open Source. Open Solutions(tm).
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
I'm trying to configure an OpenLDAP proxy for high availability, with ldap
My problem is the timeout.
When the first server in URI has gone down, my ldapsearch is delayed 3 minutes;
how do I change this timeout?
Server 192.168.166.171 UP
Server 192.168.166.171 DOWN
I want the ldap-proxy to immediately redirect the ldapsearch to the server
192.168.166.172 when server 192.168.166.172 has gone down.
My back-ldap configuration:
uri "ldap://192.168.166.171/ ldap://192.168.166.172/"
Sérgio Cioban Filho
| IT Management Technologist
| Linux Professional Institute Certified - Level 1
| Linux :: servers :: firewall :: VPN :: security
| OpenLdap :: virtualization :: VoIP :: ShellScript :: PHP
| +55 48 9989-8733
..:: Be free, use LiNuX!! ::..
SOLISC - Don't miss the biggest Free Software event in Santa Catarina -
First of all, I hope I am not rehashing a topic that has been endlessly
discussed. I know that syncrepl gets discussed a lot from my searches, but
I have not found a specific topic on my issue.
I started out with OpenLDAP 2.3, with a single provider and two consumers
doing syncrepl using a refreshAndPersist type of replication. Periodically,
I would see that one or more of the consumers would fail to synchronize a
change made to the provider. A restart of the consumer would fix this and
we could move on. It was annoying, but not critical at this point.
Since then, I have become more dependent on OpenLDAP and syncrepl. I have
upgraded to 2.4 to try to fix the replication issue, but it seems worse than
ever. I now have one provider and six consumers. The consumers randomly
fail to synchronize (as evidenced by contextCSN monitoring). This happens
several times a day. I'm thinking that maybe there is something wrong with
my configuration. This is what I am using:
syncprov-checkpoint 1 10
limits dn.exact="cn=replica,o=users,dc=domain,dc=com" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
Consumers (all consumers have the exact same config):
A few "weird" things:
* After the upgrade, I notice that the Directory Type on the Root DSE is
still OpenLDAP 2.3
* I notice that where previously I could simply create a new consumer by
installing a fresh copy of openldap, copying the config from another
consumer over, and starting up to get a full copy of the directory, it now
fails to completely replicate and I have to do a full slapcat/slapadd to do
the initial population.
Like I said, I hope it's just something stupid I am doing...
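The post above detects the failures through contextCSN monitoring. In OpenLDAP 2.4 the suffix entry of every provider and consumer carries a `contextCSN` of the form `YYYYmmddHHMMSS.ffffffZ#count#sid#mod` (counters in hex, `sid` being the three-digit serverID), readable with `ldapsearch -x -LLL -s base -b <suffix> contextCSN`. The following is an added example, not code from the post or from OpenLDAP: it parses those values, compares each consumer against the provider per serverID, and reports which consumers are in sync, catching up, stale beyond a threshold, missing the CSN entirely, or ahead of the provider. The search results are constructed; the suffix follows the post, the host names and the 60-second threshold are this example's own.

```python
import re
from datetime import datetime, timezone

# OpenLDAP 2.4 CSN: <UTC time>.<usec>Z#<change count>#<serverID>#<modifier count>, counters in hex
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")

# Constructed output of `ldapsearch -x -LLL -s base -b dc=domain,dc=com contextCSN`
# on the provider and on each consumer; host names are invented.
PROVIDER = """\
dn: dc=domain,dc=com
contextCSN: 20090720114300.000000Z#000000#000#000000
"""
CONSUMERS = {
    "ldap1": "dn: dc=domain,dc=com\ncontextCSN: 20090720114300.000000Z#000000#000#000000\n",
    "ldap2": "dn: dc=domain,dc=com\ncontextCSN: 20090720103000.000000Z#000000#000#000000\n",
    "ldap3": "dn: dc=domain,dc=com\n",  # never completed its initial refresh
    "ldap4": "dn: dc=domain,dc=com\ncontextCSN: 20090720114305.000000Z#000000#000#000000\n",
}


def parse_csn(csn):
    """Split a CSN into (UTC timestamp, change count, serverID, modifier count)."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not an OpenLDAP 2.4 CSN: {csn!r}")
    ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S%f").replace(tzinfo=timezone.utc)
    return ts, int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16)


def _csns_by_sid(ldif_text):
    """Map serverID -> (ordering key, raw value) for every contextCSN in an LDIF search result.
    A consumer fed by several providers carries one contextCSN per serverID."""
    out = {}
    for line in ldif_text.splitlines():
        if line.lower().startswith("contextcsn:"):
            raw = line.split(":", 1)[1].strip()
            ts, count, sid, mod = parse_csn(raw)
            out[sid] = ((ts, count, mod), raw)
    return out


def replication_status(provider_ldif, consumer_ldifs, max_lag_seconds=60):
    """Compare each consumer's contextCSN set against the provider's.
    Returns {consumer: {serverID: verdict}}; verdicts starting STALE, missing or AHEAD need attention."""
    provider = _csns_by_sid(provider_ldif)
    report = {}
    for name, text in consumer_ldifs.items():
        consumer = _csns_by_sid(text)
        verdicts = {}
        for sid, (pkey, praw) in provider.items():
            if sid not in consumer:
                verdicts[sid] = "missing: consumer has no contextCSN for this serverID"
                continue
            ckey, craw = consumer[sid]
            if ckey == pkey:
                verdicts[sid] = "in sync"
            elif ckey < pkey:
                lag = (pkey[0] - ckey[0]).total_seconds()
                state = "STALE" if lag > max_lag_seconds else "catching up"
                verdicts[sid] = f"{state}: {lag:.0f}s behind ({craw} < {praw})"
            else:
                verdicts[sid] = f"AHEAD of provider ({craw} > {praw}); check serverID and clocks"
        report[name] = verdicts
    return report


if __name__ == "__main__":
    for consumer, verdicts in replication_status(PROVIDER, CONSUMERS).items():
        for sid, verdict in verdicts.items():
            print(f"{consumer} sid={sid:03x}: {verdict}")
```

Fed from a cron job that collects the six consumers' results, this turns "randomly fail to synchronize" into a timestamped record of which consumer stopped at which CSN, which is what a bug report or a syncrepl log comparison needs.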