openldap-technical July 2009

openldap-technical@openldap.org

68 participants
73 discussions

Delete operation is delayed...
by Bad Guy 09 Jul '09

09 Jul '09

Dear all, I have a 4 way Multi-master LDAP synchronization version 2.4.11 configured to run in refreshonly mode, config is below : # syncrepl directives syncrepl rid=001 provider=ldap://ldap01 bindmethod=simple binddn="cn=Manager" credentials=xxxxx searchbase="o=ABCDE" schemachecking=off type=refreshOnly interval="00:00:00:30" attrs="*,+" retry="5 5 300 +" #syncrepl rid=002 # provider=ldap://ldap02 # bindmethod=simple # binddn="cn=Manager" # credentials=xxxxx # searchbase="o=ABCDE" # schemachecking=off # type=refreshOnly # interval="00:00:00:30" # attrs="*,+" # retry="5 5 300 +" syncrepl rid=003 provider=ldap://ldap03 bindmethod=simple binddn="cn=Manager" credentials=xxxxx searchbase="o=ABCDE" schemachecking=off type=refreshOnly interval="00:00:00:30" attrs="*,+" retry="5 5 300 +" syncrepl rid=004 provider=ldap://ldap04 bindmethod=simple binddn="cn=Manager" credentials=xxxxx searchbase="o=ABCDE" schemachecking=off type=refreshOnly interval="00:00:00:30" attrs="*,+" retry="5 5 300 +" #overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # Performance tuning directives sizelimit 5000 threads 16 idletimeout 0 cachesize 10000 checkpoint 256 15 We will do add/modify/delete operation daily and I have a script to check record by record of the sync status. From time to time, there is some records deleted in one of the LDAP server will not be replicated to the other servers occasionaly. But it will eventually deleted after long random time. (may be 1-2 days) Any idea ? Thanks _________________________________________________________________ 5 GB 超大容量、創新便捷、安全防護垃圾郵件和病毒 — 立即升級 Windows Live Hotmail http://mail.live.com

5 11

syncrepl consumer process
by Allan Lyons 09 Jul '09

09 Jul '09

Hi, I'm looking at developing a simple internal app that is supposed to do things based on changes to our directory. One solution would be to periodically poll the directory. A seemingly better solution would be to have some client watch for changes using the refreshAndPersist mode of syncrepl. Does anyone know of any example code that connects to the directory as a syncrepl consumer? Python examples would be preferred. Thanks, Allan.

2 2

Max number of attributes in entry
by Patric 08 Jul '09

08 Jul '09

Hi all, I am attempting to add an entry to my directory with a large number of mail attributes. This works fine until I have more than 51 mail attributes. Any more than that and the add fails with the following: Error 80 - Unknown error What I find strange is that if I add the entry with up to 51 mail attributes, I can then go and add individual mail attributes to the existing entry. If I attempt to delete the entry when it has more than 51 mail attributes I get the same error: Error 80 - Unknown error But if I remove individual mail attributes until there are only 51 then I am able to remove the entire entry. Is there some limitation that I am not aware of, and could any body suggest a method for me to get around this? Any advice would be much appreciated! Regards, Patric

1 0

Checkpointing and syncrepl
by John Kane 08 Jul '09

08 Jul '09

I am a bit confused with the difference between the slapd.bdb 'checkpoint' option and the syncprov overlay option 'syncprov-checkpoint'. On the provider, will these basically do the same thing? If so, is there an advantage to using one over the other? Also, should we do checkpointing on the consumers as well? Thanks, John This message is confidential to Prodea Systems, Inc unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient:(a)any dissemination or copying of this message is strictly prohibited; and(b)immediately notify the sender by return message and destroy any copies of this message in any form(electronic, paper or otherwise) that you have.The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied,and must be independently verified.

2 1

Text files or text on OpenLdap
by Sergio Cioban Filho 08 Jul '09

08 Jul '09

Hi all, How I do to store text files or text on OpenLdap? I'm trying with octetString, but the line termination do not respected. I want store openssh Keys (Public and Private) on OpenLdap. ** Sorry for my por english.. ;) Thanks, Regards, --- Sérgio Cioban Filho | Tecnólogo em Gestão de TI | Linux Professional Institute Certified - Level 1 ----------------------------------------------------------------- | Linux :: servidores :: firewall :: VPN :: segurança | OpenLdap :: virtualização :: VoIP :: ShellScript :: PHP | http://cioban.googlepages.com | +55 48 9989-8733 ----------------------------------------------------------------- ..:: Seja livre, use LiNuX!! ::.. ----------------------------------------------------------------- SOLISC - Não perca o maior evento de Software Livre de Santa Catarina - http://www.solisc.org.br

2 1

Openldap 2.3 syncrepl filter problem
by Lanfeust troy 08 Jul '09

08 Jul '09

Hi list, In configuration of provider and consumer server with syncrepl is possible to modify the replication filter for add new user in replica. In fisrt time the replica is : syncrepl rid=123 provider=ldap://rh-test3.kvm.rla:389 type=refreshOnly interval=00:00:01:00 retry="30 10 600 20" searchbase="dc=local" filter="(|(objectClass=sambaGroupMapping)(uid=user1))" scope=sub schemachecking=off bindmethod=simple binddn="uid=syncrepl,ou=sysusers,dc=local" credentials=pwdsyncrepl # BEGIN Session TLS starttls="critical" tls_cacert=__CACERTFILE__ # End Session TLS When start the replica server it doing an ldapsearch and retrieve my data in replica. So now we modify the filter as the following : filter="(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))" Now when the replica doing the ldapsearch request it do with the new filter but returning numentrie to 0 like this in the log of master LDAP server: Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=1 BIND dn="uid=syncrepl,ou=sysusers,dc=local" mech=SIMPLE ssf=0 Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=1 RESULT tag=97 err=0 text= Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=2 SRCH base="dc=local" scope=2 deref=0 filter="(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))" Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=2 SRCH attr=* + Jun 24 22:40:40 rh-test3 slapd[28012]: conn=83 op=2 SEARCH RESULT tag=101 err=0 *nentries=0* text= And when i do ldapsearch manually : ldapsearch -x -b dc=local -H ldap://rh-test3.kvm.rla "(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))" Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=1 BIND dn="" method=128 Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=1 RESULT tag=97 err=0 text= Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=2 SRCH base="dc=local" scope=2 deref=0 filter="(|(objectClass=sambaGroupMapping)(uid=user1)(uid=user2))" Jun 24 23:40:38 rh-test3 slapd[28012]: conn=133 op=2 SEARCH RESULT tag=101 err=0 *nentries=13* text= I don't understand why my new user is not sync !! thanks for your help,

2 1

Maximum uidNumber (posix / ldap).
by Alejandro Leyva 07 Jul '09

07 Jul '09

Hi all, we are looking at the maximum uidNumber, we need to know the maximum allowed uidNumber for LDAP / POSIX accounts. The schema definition for uidNumber says that it is defined with syntax 1.3.6.1.4.1.1466.115.121.1.27, which is an LDAP number / integer, in http://www.zytrax.com/books/ldap/apa/types.html#numbers the range is defined as 2,147,483,648 to 2,147,483,647, did somebody know if this range is common to LDAP and POSIX? Could we have a user with uidNumber 2,147,483,646 without any problem? Thanks in advance.

2 2

slapd-ldap proxy
by Sergio Cioban Filho 07 Jul '09

07 Jul '09

Hi all, I'm trying to configurate an OpenLdap proxy for high availability, with ldap backend. My problem is the timeout. When the first server in URI is gone down, my ldapsearch delay 3 minutes, how do I change this timeout? Server 192.168.166.171 UP TIME: real 0m0.036s user 0m0.002s sys 0m0.003s Server 192.168.166.171 DOWN TIME: real 3m8.957s user 0m0.003s sys 0m0.004s I want the ldap-proxy immediately redirect the ldapsearch to the server 192.168.166.172 when server 192.168.166.172 gone down. My back-ldap configuration:* database ldap suffix "dc=digitro,dc=com,dc=br" rootdn "cn=axs,dc=digitro,dc=com,dc=br" uri "ldap://192.168.166.171/ ldap://192.168.166.172/" conn-ttl 0 idle-timeout 0 timeout 1 * Thanks, Regards, --- Sérgio Cioban Filho | Tecnólogo em Gestão de TI | Linux Professional Institute Certified - Level 1 ----------------------------------------------------------------- | Linux :: servidores :: firewall :: VPN :: segurança | OpenLdap :: virtualização :: VoIP :: ShellScript :: PHP | http://cioban.googlepages.com | +55 48 9989-8733 ----------------------------------------------------------------- ..:: Seja livre, use LiNuX!! ::.. ----------------------------------------------------------------- SOLISC - Não perca o maior evento de Software Livre de Santa Catarina - http://www.solisc.org.br

1 0

Ubuntu Jaunty Certificate Issue Solved
by gruntler-ldap＠yahoo.com 07 Jul '09

07 Jul '09

Hi, Ubuntu distributes a patched version of GNUtls 2.6.x. Run: gnutls-cli -VV --print-cert -p 636 my-ldap-server.com 2>&1 | egrep 'RSA-MD5|warning' See no output. Using "-d 4711" instead of "-VV" doesn't show any problems either. Download the real GNUtls 2.8.1 and build it and try again: Run: /opt/gnutls/bin/gnutls-cli -VV --print-cert -p 636 my-ldap-server.com 2>&1 | egrep 'RSA-MD5|warning' Signature Algorithm: RSA-MD5 warning: signed using a broken signature algorithm that can be forged. Note that the CA cert is secure, it's the LDAP server's cert that was weak. -Ken

1 0

Virtual List View
by Patrick Patterson 07 Jul '09

07 Jul '09

Hello All: I am trying to debug a problem with an Outlook 2003 client querying an OpenLDAP 2.4.11 server. The Outlook client is returning from the lookup with an "unavailable critical extension" error. Looking at : http://support.microsoft.com/default.aspx?scid=kb;en-us;555536&sd=rss&spid=… It appears that Outlook may be trying to perform a search using the Virtual List View extension. Since this is on a large corporate network, I am loath to just apply the registry fix to every workstation as suggested by the Microsoft KB article, if there is a way to either enable or configure this extension on the server. Is this extension supported on OpenLDAP? Thanks. -- Personal Mail from Patrick Patterson No company affiliation

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2009