Delete operation is delayed...
by Bad Guy
Dear all,
I have a 4-way multi-master LDAP synchronization (version 2.4.11) configured to run in refreshOnly mode; the config is below:
# syncrepl directives
syncrepl rid=001
provider=ldap://ldap01
bindmethod=simple
binddn="cn=Manager"
credentials=xxxxx
searchbase="o=ABCDE"
schemachecking=off
type=refreshOnly
interval="00:00:00:30"
attrs="*,+"
retry="5 5 300 +"
#syncrepl rid=002
# provider=ldap://ldap02
# bindmethod=simple
# binddn="cn=Manager"
# credentials=xxxxx
# searchbase="o=ABCDE"
# schemachecking=off
# type=refreshOnly
# interval="00:00:00:30"
# attrs="*,+"
# retry="5 5 300 +"
syncrepl rid=003
provider=ldap://ldap03
bindmethod=simple
binddn="cn=Manager"
credentials=xxxxx
searchbase="o=ABCDE"
schemachecking=off
type=refreshOnly
interval="00:00:00:30"
attrs="*,+"
retry="5 5 300 +"
syncrepl rid=004
provider=ldap://ldap04
bindmethod=simple
binddn="cn=Manager"
credentials=xxxxx
searchbase="o=ABCDE"
schemachecking=off
type=refreshOnly
interval="00:00:00:30"
attrs="*,+"
retry="5 5 300 +"
#overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Performance tuning directives
sizelimit 5000
threads 16
idletimeout 0
cachesize 10000
checkpoint 256 15
We will do add/modify/delete operations daily, and I have a script to check the sync status record by record. From time to time, some records deleted on one of the LDAP servers will occasionally not be replicated to the other servers. But they are eventually deleted after a long, random time (maybe 1-2 days).
Any idea ?
Thanks
14 years, 2 months
syncrepl consumer process
by Allan Lyons
Hi,
I'm looking at developing a simple internal app that is supposed to do things based on changes to our directory. One solution would be
to periodically poll the directory. A seemingly better solution would be to have some client watch for changes using the
refreshAndPersist mode of syncrepl.
Does anyone know of any example code that connects to the directory as a syncrepl consumer? Python examples would be preferred.
Thanks,
Allan.
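To give the question a concrete starting point, here is an added Python example (my own, not code from Allan's post or from the python-ldap project) of a consumer built on python-ldap's ldap.syncrepl module, which is assumed to be installed. The SyncState class applies the RFC 4533 refresh rules without needing a server, which also makes visible the two ways a deletion reaches a refreshOnly consumer such as the one in the first thread above: either an explicit delete (when the provider can serve a delete phase from its session log) or the entry's absence from the provider's present list; in either case nothing is applied until the consumer's next refresh. The `uri`/`binddn`/`password` parameters, the `watch` helper and the sample DNs are assumptions.

```python
"""Added example: a syncrepl consumer in Python (not from the list post).

Assumes python-ldap with its ldap.syncrepl module; the SyncState class
below depends on nothing outside the standard library.
"""
try:
    import ldap
    from ldap.ldapobject import ReconnectLDAPObject
    from ldap.syncrepl import SyncreplConsumer
    HAVE_PYTHON_LDAP = True
except ImportError:            # python-ldap absent: SyncState still works
    HAVE_PYTHON_LDAP = False


class SyncState:
    """In-memory mirror keyed by entryUUID, applying the refresh semantics of
    RFC 4533. Method names match python-ldap's SyncreplConsumer callbacks."""

    def __init__(self):
        self.entries = {}             # entryUUID -> (dn, attributes)
        self.cookie = None            # sync cookie to resume from
        self.present = set()          # UUIDs confirmed during the current refresh
        self.refresh_deletes = False  # True while the provider runs a delete phase
        self.changes = []             # (kind, dn) tuples in arrival order

    def syncrepl_get_cookie(self):
        return self.cookie

    def syncrepl_set_cookie(self, cookie):
        self.cookie = cookie

    def syncrepl_entry(self, dn, attributes, uuid):
        # add or modify; a modrdn arrives as the same UUID with a new dn
        kind = "modify" if uuid in self.entries else "add"
        self.entries[uuid] = (dn, attributes)
        self.present.add(uuid)
        self.changes.append((kind, dn))

    def syncrepl_delete(self, uuids):
        # explicit delete: a persist-phase delete or a delete-phase refresh
        for uuid in uuids:
            dn, _ = self.entries.pop(uuid, (None, None))
            if dn is not None:
                self.changes.append(("delete", dn))

    def syncrepl_present(self, uuids, refreshDeletes=False):
        # present phase (refreshDeletes=False): the provider lists what still
        # exists, so whatever is missing by refreshdone is gone.
        # delete phase (refreshDeletes=True): the listed UUIDs are the deletions.
        if refreshDeletes:
            self.refresh_deletes = True
            self.syncrepl_delete(uuids or [])
        else:
            self.present.update(uuids or [])

    def syncrepl_refreshdone(self):
        if not self.refresh_deletes:
            stale = [u for u in self.entries if u not in self.present]
            self.syncrepl_delete(stale)
        self.present = set()
        self.refresh_deletes = False


if HAVE_PYTHON_LDAP:
    class SyncreplClient(SyncState, ReconnectLDAPObject, SyncreplConsumer):
        def __init__(self, uri, binddn, password):
            ReconnectLDAPObject.__init__(self, uri)
            SyncState.__init__(self)
            self.simple_bind_s(binddn, password)

    def watch(uri, binddn, password, base, mode="refreshAndPersist"):
        """Run the sync search. refreshAndPersist loops until the connection
        drops; refreshOnly returns after a single refresh."""
        client = SyncreplClient(uri, binddn, password)
        msgid = client.syncrepl_search(base, ldap.SCOPE_SUBTREE, mode=mode,
                                       cookie=client.syncrepl_get_cookie())
        while client.syncrepl_poll(all=1, msgid=msgid):
            pass
        return client.changes
```

In refreshAndPersist mode `watch` never returns on its own, so the application logic belongs in the `syncrepl_entry`/`syncrepl_delete` callbacks rather than after the loop; persisting `cookie` between runs lets the consumer resume without a full refresh.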
14 years, 2 months
Max number of attributes in entry
by Patric
Hi all,
I am attempting to add an entry to my directory with a large number of
mail attributes.
This works fine until I have more than 51 mail attributes. Any more than
that and the add fails with the following:
Error 80 - Unknown error
What I find strange is that if I add the entry with up to 51 mail
attributes, I can then go and add individual mail attributes to the
existing entry.
If I attempt to delete the entry when it has more than 51 mail
attributes I get the same error:
Error 80 - Unknown error
But if I remove individual mail attributes until there are only 51 then
I am able to remove the entire entry.
Is there some limitation that I am not aware of, and could anybody
suggest a method for me to get around this?
Any advice would be much appreciated!
Regards,
Patric
14 years, 2 months
Checkpointing and syncrepl
by John Kane
I am a bit confused with the difference between the slapd.bdb
'checkpoint' option and the syncprov overlay option
'syncprov-checkpoint'. On the provider, will these basically do the
same thing? If so, is there an advantage to using one over the other?
Also, should we do checkpointing on the consumers as well?
Thanks,
John
14 years, 2 months
Text files or text on OpenLdap
by Sergio Cioban Filho
Hi all,
How do I store text files or text in OpenLDAP?
I'm trying with octetString, but the line terminations are not respected.
I want to store OpenSSH keys (public and private) in OpenLDAP.
** Sorry for my poor English.. ;)
Thanks,
Regards,
---
Sérgio Cioban Filho
| IT Management Technologist
| Linux Professional Institute Certified - Level 1
-----------------------------------------------------------------
| Linux :: servers :: firewall :: VPN :: security
| OpenLdap :: virtualization :: VoIP :: ShellScript :: PHP
| http://cioban.googlepages.com
| +55 48 9989-8733
-----------------------------------------------------------------
..:: Be free, use LiNuX!! ::..
-----------------------------------------------------------------
SOLISC - Don't miss the biggest Free Software event in Santa Catarina -
http://www.solisc.org.br
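As an added example (mine, not from Sérgio's post or any OpenLDAP tool), this standard-library Python code writes and reads back LDIF the way RFC 2849 requires for a value containing line breaks: such a value is base64-encoded after `::`, so the newlines of a key file survive the round trip byte for byte, which is what the directory then stores regardless of the attribute's syntax. `sshPublicKey` is the attribute name from the OpenSSH LPK schema, `sshPrivateKey` is an assumed name, and the key material is constructed filler, not a real key.

```python
import base64
import re

# RFC 2849: a value may be written literally only if it starts with a
# SAFE-INIT-CHAR and contains only SAFE-CHARs. NUL, CR and LF are never safe;
# a leading space, colon or '<' is not allowed as the first byte.
SAFE_INIT = re.compile(rb"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]")
SAFE_STRING = re.compile(rb"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def is_safe_string(value: bytes) -> bool:
    if not value:
        return True
    if not SAFE_INIT.match(value[:1]):
        return False
    # a trailing space is legal but ambiguous, so treat it as unsafe too
    return SAFE_STRING.fullmatch(value) is not None and not value.endswith(b" ")


def ldif_line(name: str, value, width: int = 76) -> bytes:
    """One attribute as LDIF, folded to `width` with space continuation."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if is_safe_string(value):
        line = name.encode("ascii") + b": " + value
    else:
        line = name.encode("ascii") + b":: " + base64.b64encode(value)
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(b" " + rest[:width - 1])
        rest = rest[width - 1:]
    return b"\n".join(chunks)


def ldif_entry(dn: str, attrs: dict) -> bytes:
    """attrs maps attribute name -> list of values (bytes or str)."""
    lines = [ldif_line("dn", dn)]
    for name, values in attrs.items():
        for value in values:
            lines.append(ldif_line(name, value))
    return b"\n".join(lines) + b"\n"


def parse_ldif_entry(text: bytes):
    """Unfold continuation lines and decode `::` values; returns (dn, attrs)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(b" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw:
            unfolded.append(raw)
    dn, attrs = None, {}
    for line in unfolded:
        name, _, value = line.partition(b":")
        if value.startswith(b":"):                 # "::" marks a base64 value
            value = base64.b64decode(value[1:].strip())
        elif value.startswith(b" "):               # exactly one space after ":"
            value = value[1:]
        if name == b"dn":
            dn = value.decode("utf-8")
        else:
            attrs.setdefault(name.decode("ascii"), []).append(value)
    return dn, attrs


# constructed sample: filler in the shape of an OpenSSH key file, not a key
SAMPLE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
              b"AAAAconstructedfiller0000000000000000000000000000\n"
              b"-----END OPENSSH PRIVATE KEY-----\n")
```

Feeding the output of `ldif_entry` to ldapadd stores the exact bytes; reading them back with `ldapsearch` prints the value base64-encoded again for the same reason, so the newlines only look lost on screen. A private key stored this way is only as private as the ACL on that attribute, so the `access to attrs=sshPrivateKey` rule deserves the same care as `userPassword`.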
14 years, 2 months
Openldap 2.3 syncrepl filter problem
by Lanfeust troy
Hi list,
In a provider/consumer configuration with syncrepl, is it possible to modify
the replication filter to add a new user to the replica?
At first, the replica config is:
syncrepl rid=123
provider=ldap://rh-test3.kvm.rla:389
type=refreshOnly
interval=00:00:01:00
retry="30 10 600 20"
searchbase="dc=local"
filter="(|(objectClass=sambaGroupMapping)(uid=user1))"
scope=sub
schemachecking=off
bindmethod=simple
binddn="uid=syncrepl,ou=sysusers,dc=local"
credentials=pwdsyncrepl
# BEGIN Session TLS
starttls="critical"
tls_cacert=__CACERTFILE__
# End Session TLS
When the replica server starts, it does an ldapsearch and retrieves my data
into the replica.
So now we modify the filter as follows:
filter="(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))"
Now when the replica does the ldapsearch request, it uses the new filter
but nentries is returned as 0,
like this in the log of the master LDAP server:
Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=1 BIND
dn="uid=syncrepl,ou=sysusers,dc=local" mech=SIMPLE ssf=0
Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=1 RESULT tag=97 err=0
text=
Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=2 SRCH base="dc=local"
scope=2 deref=0
filter="(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))"
Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=2 SRCH attr=* +
Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=2 SEARCH RESULT tag=101
err=0 *nentries=0* text=
And when I do the ldapsearch manually:
ldapsearch -x -b dc=local -H ldap://rh-test3.kvm.rla
"(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))"
Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=1 BIND dn="" method=128
Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=1 RESULT tag=97 err=0
text=
Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=2 SRCH base="dc=local"
scope=2 deref=0
filter="(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))"
Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=2 SEARCH RESULT tag=101
err=0 *nentries=13* text=
I don't understand why my new user is not synced!!
thanks for your help,
14 years, 2 months
Maximum uidNumber (posix / ldap).
by Alejandro Leyva
Hi all, we are looking at the maximum uidNumber, we need to know the
maximum allowed uidNumber for LDAP / POSIX accounts.
The schema definition for uidNumber says that it is defined with
syntax 1.3.6.1.4.1.1466.115.121.1.27, which is an LDAP number /
integer, in http://www.zytrax.com/books/ldap/apa/types.html#numbers
the range is defined as 2,147,483,648 to 2,147,483,647. Does somebody
know if this range is common to LDAP and POSIX? Could we have a user
with uidNumber 2,147,483,646 without any problem?
Thanks in advance.
14 years, 2 months
slapd-ldap proxy
by Sergio Cioban Filho
Hi all,
I'm trying to configure an OpenLDAP proxy for high availability, with the ldap
backend.
My problem is the timeout.
When the first server in the URI has gone down, my ldapsearch is delayed 3 minutes;
how do I change this timeout?
Server 192.168.166.171 UP
TIME:
real 0m0.036s
user 0m0.002s
sys 0m0.003s
Server 192.168.166.171 DOWN
TIME:
real 3m8.957s
user 0m0.003s
sys 0m0.004s
I want the ldap-proxy to immediately redirect the ldapsearch to the server
192.168.166.172 when server 192.168.166.172 has gone down.
My back-ldap configuration:
database ldap
suffix "dc=digitro,dc=com,dc=br"
rootdn "cn=axs,dc=digitro,dc=com,dc=br"
uri "ldap://192.168.166.171/ ldap://192.168.166.172/"
conn-ttl 0
idle-timeout 0
timeout 1
Thanks,
Regards,
14 years, 2 months
Ubuntu Jaunty Certificate Issue Solved
by gruntler-ldap@yahoo.com
Hi,
Ubuntu distributes a patched version of GNUtls 2.6.x.
Run:
gnutls-cli -VV --print-cert -p 636 my-ldap-server.com 2>&1 | egrep 'RSA-MD5|warning'
See no output. Using "-d 4711" instead of "-VV" doesn't show any problems either.
Download the real GNUtls 2.8.1 and build it and try again:
Run:
/opt/gnutls/bin/gnutls-cli -VV --print-cert -p 636 my-ldap-server.com 2>&1 | egrep 'RSA-MD5|warning'
Signature Algorithm: RSA-MD5
warning: signed using a broken signature algorithm that can be forged.
Note that the CA cert is secure, it's the LDAP server's cert that was weak.
-Ken
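Added example (mine, not Ken's and not from the GnuTLS project): a dependency-free Python check of a certificate's signature algorithm, so the MD5 case above can be detected without trusting whichever GnuTLS build happens to be installed. It parses only the outer DER structure (tbsCertificate, signatureAlgorithm, signatureValue) plus the `signature` field inside tbsCertificate, which RFC 5280 requires to match the outer one; a mismatch is itself worth flagging. The sample certificate skeletons are constructed in the block with the real md5WithRSAEncryption and sha256WithRSAEncryption OIDs; they are structural stand-ins, not real certificates, and `pem_to_der` is for running the same check on a file saved from `openssl s_client`.

```python
import base64

# signature-algorithm OIDs this checker names; anything else is reported dotted
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def read_tlv(data: bytes, pos: int):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128, high bit set except on the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_name(alg_id: bytes) -> str:
    tag, oid, _ = read_tlv(alg_id, 0)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)


def check_signature_algorithm(cert_der: bytes) -> dict:
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)        # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)  # signatureAlgorithm
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                        # explicit [0] version present
        _, _, pos = read_tlv(tbs, pos)     # serialNumber
    _, inner_alg, _ = read_tlv(tbs, pos)   # tbsCertificate.signature
    outer = algorithm_name(outer_alg)
    return {"algorithm": outer, "weak": outer in WEAK,
            "consistent": outer == algorithm_name(inner_alg)}


def pem_to_der(pem: bytes) -> bytes:
    body = b"".join(l.strip() for l in pem.splitlines() if not l.startswith(b"-----"))
    return base64.b64decode(body)


# --- constructed sample data: structural stand-ins, not real certificates ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return bytes(out)


def sample_cert(sig_oid: str, tbs_oid: str = None) -> bytes:
    """tbsCertificate with only version, serial and signature; outer algorithm;
    dummy BIT STRING long enough to exercise the long-form length."""
    outer_alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    inner_alg = der(0x30, der(0x06, encode_oid(tbs_oid or sig_oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + inner_alg)
    return der(0x30, tbs + outer_alg + der(0x03, b"\x00" * 257))
```

Run `check_signature_algorithm(pem_to_der(open("server.pem", "rb").read()))` against each certificate in the chain, not just the leaf: as the post notes, a sound CA certificate does not help if the server certificate it signed was issued with MD5.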
14 years, 2 months
Virtual List View
by Patrick Patterson
Hello All:
I am trying to debug a problem with an Outlook 2003 client querying an
OpenLDAP 2.4.11 server. The Outlook client is returning from the lookup with
an "unavailable critical extension" error.
Looking at :
http://support.microsoft.com/default.aspx?scid=kb;en-us;555536&sd=rss&spi...
It appears that Outlook may be trying to perform a search using the Virtual
List View extension.
Since this is on a large corporate network, I am loath to just apply the
registry fix to every workstation as suggested by the Microsoft KB article,
if there is a way to either enable or configure this extension on the
server.
Is this extension supported on OpenLDAP?
Thanks.
--
Personal Mail from Patrick Patterson
No company affiliation
14 years, 2 months