openldap-technical August 2009

openldap-technical@openldap.org

65 participants
73 discussions

Re: top-level data entries not replicating, 2.4.15, now 2.4.17
by Brian Neu 21 Aug '09

21 Aug '09

I compiled new rpms and upgraded to 2.4.17 on both the provider and consumer. The problem persists. New entries like: dn:cn=test2,dc=srg,dc=com objectclass: top objectclass: person userpassword:blah sn:test2 don't replicate. But other entries do, like: dn: uid=user1,ou=People,dc=srg,dc=com uid: user1 cn: Advanced Open Systems objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: shadowLastChange: 14441 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 5000 gidNumber: 5000 homeDirectory: /home/user1 gecos: Advanced Open Systems I've attached the slapd.conf for the master/provider. Thank you in advance for any assistance. --- On Thu, 8/20/09, Brian Neu <proclivity76(a)yahoo.com> wrote: > From: Brian Neu <proclivity76(a)yahoo.com> > Subject: Re: top-level data entries not replicating, 2.4.15 > To: "Jonathan Clarke" <jonathan(a)phillipoux.net> > Cc: openldap-technical(a)openldap.org > Date: Thursday, August 20, 2009, 8:39 AM > Forgive me if pasting here is bad > etiquette. > > > <consumer slapd.conf> > > include > /etc/openldap/schema/corba.schema > include > /etc/openldap/schema/core.schema > include > /etc/openldap/schema/cosine.schema > include > /etc/openldap/schema/duaconf.schema > include > /etc/openldap/schema/dyngroup.schema > include > /etc/openldap/schema/inetorgperson.schema > include > /etc/openldap/schema/java.schema > include > /etc/openldap/schema/misc.schema > include > /etc/openldap/schema/nis.schema > include > /etc/openldap/schema/openldap.schema > include > /etc/openldap/schema/ppolicy.schema > include > /etc/openldap/schema/collective.schema > include > /etc/openldap/schema/samba.schema > > allow bind_v2 > > pidfile > /var/run/openldap/slapd.pid > argsfile > /var/run/openldap/slapd.args > > TLSCACertificateFile /etc/openldap/cacerts/cavictory2.crt > TLSCertificateFile /etc/openldap/keys/victory3cert.pem > TLSCertificateKeyFile /etc/openldap/keys/victory3key.pem > > database hdb > suffix "dc=srg,dc=com" > checkpoint 1024 15 > rootdn > "cn=Manager,dc=srg,dc=com" > > rootpw {MD5}blah > > directory /var/lib/ldap > > index objectClass > eq,pres > index ou,cn,mail,surname,givenname > eq,pres,sub > index uidNumber,gidNumber,loginShell eq,pres > index uid,memberUid > eq,pres,sub > index nisMapName,nisMapEntry > eq,pres,sub > > syncrepl rid=0 > > provider=ldap://victory2.srg.com:389 > bindmethod=simple > starttls=critical > > binddn="cn=replicator,dc=srg,dc=com" > credentials=blah > searchbase="dc=srg,dc=com" > logbase="cn=accesslog" > schemachecking=on > type=refreshAndPersist > retry="60 +" > syncdata=accesslog > > updateref > ldaps://victory2.srg.com > > database monitor > > access to * > by > dn.exact="cn=Manager,dc=srg,dc=com" write > by * none > > </consumer slapd.conf> > > > --- On Thu, 8/20/09, Jonathan Clarke <jonathan(a)phillipoux.net> > wrote: > > > From: Jonathan Clarke <jonathan(a)phillipoux.net> > > Subject: Re: top-level data entries not replicating, > 2.4.15 > > To: "Brian Neu" <proclivity76(a)yahoo.com> > > Cc: openldap-technical(a)openldap.org > > Date: Thursday, August 20, 2009, 8:02 AM > > On 19/08/2009 19:29, Brian Neu > > wrote: > > > Even with no logfilter on the consumer, > > > > > cn=replicator,dc=domain,dc=com& > > > > > sambaDomainName=SRG,dc=domain,dc=com > > > > > > don't replicate, even after wiping the database > and > > restarting. Everything else seems to replicate > fine. > > > > > > How do I get top-level data entries to > replicate? > > > > This really depends on your syncrepl configuration on > the > > consumer. > > If you provide it here, maybe we can take a look. > > > > Aside from that, the latest version, 2.4.17, contains > a few > > fixes that > > might help with this problem. > > > > Jonathan > > >

3 3

errors when trying to modify olcAttributeTypes
by Alexander 'Leo' Bergolth 21 Aug '09

21 Aug '09

Hi! I'd like to slightly change the attribute definition of olcDbConfig by modifying olcAttributeTypes in cn=schema,cn=config with openldap-2.4.16. I tried to apply the modification using two different ways, both failing with different errors: 1) Delete the old attribute value and adding the new one: --------------------------------------------------------- $ ldapmodify -xvW -h bach-s49 -D cn=Manager,cn=config -f cn-schema-olcAttributeTypes-add-del.ldif ldap_initialize( ldap://bach-s49 ) Enter LDAP Password: delete olcAttributeTypes: ( OLcfgDbAt:1.3 NAME 'olcDbConfig' DESC 'BerkeleyDB DB_CONFIG configuration directives' SYNTAX OMsIA5String X-ORDERED 'VALUES' ) add olcAttributeTypes: ( OLcfgDbAt:1.3 NAME 'olcDbConfig' DESC 'BerkeleyDB DB_CONFIG configuration directives' SYNTAX OMsIA5String EQUALITY CaseExactIA5Match X-ORDERED 'VALUES' ) modifying entry "cn=schema,cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: olcAttributeTypes: Duplicate attributeType: "" Apache DirectoryStudio shows a little bit more info: #!ERROR [LDAP: error code 80 - olcAttributeTypes: Duplicate attributeType: "?? 6.1.4.1.4203.1.12.2.3.2.1.3"] dn: cn=schema,cn=config changetype: modify add: olcAttributeTypes olcAttributeTypes: ( OLcfgDbAt:1.3 NAME 'olcDbConfig' DESC 'BerkeleyDB DB_CONF IG configuration directives' EQUALITY caseExactIA5Match SYNTAX OMsIA5String X -ORDERED 'VALUES' ) - delete: olcAttributeTypes olcAttributeTypes: ( OLcfgDbAt:1.3 NAME 'olcDbConfig' DESC 'BerkeleyDB DB_CONF IG configuration directives' SYNTAX OMsIA5String X-ORDERED 'VALUES' ) - 2) Replace all olcAttributeTypes-attributes: -------------------------------------------- $ ldapmodify -xvW -h bach-s49 -D cn=Manager,cn=config -f cn-schema-olcAttributeTypes-repl.ldif ldap_initialize( ldap://bach-s49 ) Enter LDAP Password: replace olcAttributeTypes: ( 2.5.4.0 NAME 'objectClass' DESC 'RFC4512: object classes of the entity' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 ) ( 2.5.21.9 NAME 'structuralObjectClass' DESC 'RFC4512: structural object class of entry' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 2.5.18.1 NAME 'createTimestamp' DESC 'RFC4512: time which object was created' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 2.5.18.2 NAME 'modifyTimestamp' DESC 'RFC4512: time which object was last modified' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 2.5.18.3 NAME 'creatorsName' DESC 'RFC4512: name of creator' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 2.5.18.4 NAME 'modifiersName' DESC 'RFC4512: name of last modifier' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 2.5.18.9 NAME 'hasSubordinates' DESC 'X.501: entry has children' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 2.5.18.10 NAME 'subschemaSubentry' DESC 'RFC4512: name of controlling subschema entry' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 1.3.6.1.1.20 NAME 'entryDN' DESC 'DN of the entry' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 1.3.6.1.1.16.4 NAME 'entryUUID' DESC 'UUID of the entry' EQUALITY UUIDMatch ORDERING UUIDOrderingMatch SYNTAX 1.3.6.1.1.16.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 1.3.6.1.4.1.4203.666.1.13 NAME 'namingCSN' DESC 'change sequence number of the entry naming (RDN)' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation ) ( 1.3.6.1.4.1.4203.666.1.23 NAME 'syncreplCookie' DESC 'syncrepl Cookie for shadow copy' EQUALITY octetStringMatch ORDERING octetStringOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.25 NAME 'contextCSN' DESC 'the largest committed CSN of a context' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.1466.101.120.6 NAME 'altServer' DESC 'RFC4512: alternative servers' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 USAGE dSAOperation ) ( 1.3.6.1.4.1.1466.101.120.5 NAME 'namingContexts' DESC 'RFC4512: naming contexts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation ) ( 1.3.6.1.4.1.1466.101.120.13 NAME 'supportedControl' DESC 'RFC4512: supported controls' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation ) ( 1.3.6.1.4.1.1466.101.120.7 NAME 'supportedExtension' DESC 'RFC4512: supported extended operations' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation ) ( 1.3.6.1.4.1.1466.101.120.15 NAME 'supportedLDAPVersion' DESC 'RFC4512: supported LDAP versions' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 USAGE dSAOperation ) ( 1.3.6.1.4.1.1466.101.120.14 NAME 'supportedSASLMechanisms' DESC 'RFC4512: supported SASL mechanisms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.1.3.5 NAME 'supportedFeatures' DESC 'RFC4512: features supported by the server' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.10 NAME 'monitorContext' DESC 'monitor context' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.1.12.2.1 NAME 'configContext' DESC 'config context' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.1.4 NAME 'vendorName' DESC 'RFC3045: name of implementation vendor' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.1.5 NAME 'vendorVersion' DESC 'RFC3045: version of implementation' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 2.5.18.5 NAME 'administrativeRole' DESC 'RFC3672: administrative role' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 USAGE directoryOperation ) ( 2.5.18.6 NAME 'subtreeSpecification' DESC 'RFC3672: subtree specification' SYNTAX 1.3.6.1.4.1.1466.115.121.1.45 SINGLE-VALUE USAGE directoryOperation ) ( 2.5.21.1 NAME 'dITStructureRules' DESC 'RFC4512: DIT structure rules' EQUALITY integerFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.17 USAGE directoryOperation ) ( 2.5.21.2 NAME 'dITContentRules' DESC 'RFC4512: DIT content rules' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.16 USAGE directoryOperation ) ( 2.5.21.4 NAME 'matchingRules' DESC 'RFC4512: matching rules' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.30 USAGE directoryOperation ) ( 2.5.21.5 NAME 'attributeTypes' DESC 'RFC4512: attribute types' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.3 USAGE directoryOperation ) ( 2.5.21.6 NAME 'objectClasses' DESC 'RFC4512: object classes' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.37 USAGE directoryOperation ) ( 2.5.21.7 NAME 'nameForms' DESC 'RFC4512: name forms ' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.35 USAGE directoryOperation ) ( 2.5.21.8 NAME 'matchingRuleUse' DESC 'RFC4512: matching rule uses' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.31 USAGE directoryOperation ) ( 1.3.6.1.4.1.1466.101.120.16 NAME 'ldapSyntaxes' DESC 'RFC4512: LDAP syntaxes' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.54 USAGE directoryOperation ) ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) DESC 'RFC4512: name of aliased object' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) ( 2.16.840.1.113730.3.1.34 NAME 'ref' DESC 'RFC3296: subordinate referral URL' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE distributedOperation ) ( 1.3.6.1.4.1.4203.1.3.1 NAME 'entry' DESC 'OpenLDAP ACL entry pseudo-attribute' SYNTAX 1.3.6.1.4.1.4203.1.1.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.1.3.2 NAME 'children' DESC 'OpenLDAP ACL children pseudo-attribute' SYNTAX 1.3.6.1.4.1.4203.1.1.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.8 NAME ( 'authzTo' 'saslAuthzTo' ) DESC 'proxy authorization targets' EQUALITY authzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 USAGE distributedOperation X-ORDERED 'VALUES' ) ( 1.3.6.1.4.1.4203.666.1.9 NAME ( 'authzFrom' 'saslAuthzFrom' ) DESC 'proxy authorization sources' EQUALITY authzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 USAGE distributedOperation X-ORDERED 'VALUES' ) ( 1.3.6.1.4.1.1466.101.119.3 NAME 'entryTtl' DESC 'RFC2589: entry time-to-live' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.1466.101.119.4 NAME 'dynamicSubtrees' DESC 'RFC2589: dynamic subtrees' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation ) ( 2.5.4.49 NAME 'distinguishedName' DESC 'RFC4519: common supertype of DN attributes' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) ( 2.5.4.41 NAME 'name' DESC 'RFC4519: common supertype of name attributes' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) ( 2.5.4.3 NAME ( 'cn' 'commonName' ) DESC 'RFC4519: common name(s) for which the entity is known by' SUP name ) ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'RFC4519: user identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'RFC2307: An integer uniquely identifying a user in an administrative domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'RFC2307: An integer uniquely identifying a group in an administrative domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ( 2.5.4.35 NAME 'userPassword' DESC 'RFC4519/2307: password of user' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) ( 2.5.4.13 NAME 'description' DESC 'RFC4519: descriptive information' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} ) ( 2.5.4.34 NAME 'seeAlso' DESC 'RFC4519: DN of related object' SUP distinguishedName ) ( OLcfgGlAt:78 NAME 'olcConfigFile' DESC 'File for slapd configuration directives' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:79 NAME 'olcConfigDir' DESC 'Directory for slapd configuration backend' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:1 NAME 'olcAccess' DESC 'Access Control List' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:86 NAME 'olcAddContentAcl' DESC 'Check ACLs against content of Add ops' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgGlAt:2 NAME 'olcAllows' DESC 'Allowed set of deprecated features' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:3 NAME 'olcArgsFile' DESC 'File for slapd command line options' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:5 NAME 'olcAttributeOptions' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:4 NAME 'olcAttributeTypes' DESC 'OpenLDAP attributeTypes' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:6 NAME 'olcAuthIDRewrite' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:7 NAME 'olcAuthzPolicy' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:8 NAME 'olcAuthzRegexp' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:9 NAME 'olcBackend' DESC 'A type of backend' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE X-ORDERED 'SIBLINGS' ) ( OLcfgGlAt:10 NAME 'olcConcurrency' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:11 NAME 'olcConnMaxPending' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:12 NAME 'olcConnMaxPendingAuth' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:13 NAME 'olcDatabase' DESC 'The backend type for a database instance' SUP olcBackend SINGLE-VALUE X-ORDERED 'SIBLINGS' ) ( OLcfgGlAt:14 NAME 'olcDefaultSearchBase' SYNTAX OMsDN SINGLE-VALUE ) ( OLcfgGlAt:15 NAME 'olcDisallows' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:16 NAME 'olcDitContentRules' DESC 'OpenLDAP DIT content rules' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:17 NAME 'olcGentleHUP' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:0.17 NAME 'olcHidden' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgGlAt:18 NAME 'olcIdleTimeout' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:19 NAME 'olcInclude' SUP labeledURI ) ( OLcfgGlAt:20 NAME 'olcIndexSubstrIfMinLen' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:21 NAME 'olcIndexSubstrIfMaxLen' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:22 NAME 'olcIndexSubstrAnyLen' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:23 NAME 'olcIndexSubstrAnyStep' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:84 NAME 'olcIndexIntLen' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:0.4 NAME 'olcLastMod' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgGlAt:85 NAME 'olcLdapSyntaxes' DESC 'OpenLDAP ldapSyntax' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgDbAt:0.5 NAME 'olcLimits' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:26 NAME 'olcLocalSSF' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:27 NAME 'olcLogFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:28 NAME 'olcLogLevel' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgDbAt:0.6 NAME 'olcMaxDerefDepth' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:0.16 NAME 'olcMirrorMode' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgGlAt:30 NAME 'olcModuleLoad' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:31 NAME 'olcModulePath' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:0.18 NAME 'olcMonitoring' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgGlAt:32 NAME 'olcObjectClasses' DESC 'OpenLDAP object classes' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:33 NAME 'olcObjectIdentifier' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:34 NAME 'olcOverlay' SUP olcDatabase SINGLE-VALUE X-ORDERED 'SIBLINGS' ) ( OLcfgGlAt:35 NAME 'olcPasswordCryptSaltFormat' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:36 NAME 'olcPasswordHash' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:37 NAME 'olcPidFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:38 NAME 'olcPlugin' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:39 NAME 'olcPluginLogFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:40 NAME 'olcReadOnly' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgGlAt:41 NAME 'olcReferral' SUP labeledURI SINGLE-VALUE ) ( OLcfgDbAt:0.7 NAME 'olcReplica' SUP labeledURI EQUALITY caseIgnoreMatch X-ORDERED 'VALUES' ) ( OLcfgGlAt:43 NAME 'olcReplicaArgsFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:44 NAME 'olcReplicaPidFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:45 NAME 'olcReplicationInterval' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:46 NAME 'olcReplogFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:47 NAME 'olcRequires' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:48 NAME 'olcRestrict' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:49 NAME 'olcReverseLookup' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:0.8 NAME 'olcRootDN' EQUALITY distinguishedNameMatch SYNTAX OMsDN SINGLE-VALUE ) ( OLcfgGlAt:51 NAME 'olcRootDSE' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgDbAt:0.9 NAME 'olcRootPW' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:53 NAME 'olcSaslHost' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:54 NAME 'olcSaslRealm' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:56 NAME 'olcSaslSecProps' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:58 NAME 'olcSchemaDN' EQUALITY distinguishedNameMatch SYNTAX OMsDN SINGLE-VALUE ) ( OLcfgGlAt:59 NAME 'olcSecurity' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:81 NAME 'olcServerID' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgGlAt:60 NAME 'olcSizeLimit' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:61 NAME 'olcSockbufMaxIncoming' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:62 NAME 'olcSockbufMaxIncomingAuth' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:83 NAME 'olcSortVals' DESC 'Attributes whose values will always be sorted' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgDbAt:0.15 NAME 'olcSubordinate' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:0.10 NAME 'olcSuffix' EQUALITY distinguishedNameMatch SYNTAX OMsDN ) ( OLcfgDbAt:0.11 NAME 'olcSyncrepl' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgGlAt:66 NAME 'olcThreads' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgGlAt:67 NAME 'olcTimeLimit' SYNTAX OMsDirectoryString ) ( OLcfgGlAt:68 NAME 'olcTLSCACertificateFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:71 NAME 'olcTLSCertificateKeyFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:72 NAME 'olcTLSCipherSuite' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:73 NAME 'olcTLSCRLCheck' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:82 NAME 'olcTLSCRLFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:74 NAME 'olcTLSRandFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:75 NAME 'olcTLSVerifyClient' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:87 NAME 'olcTLSProtocolMin' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgGlAt:80 NAME 'olcToolThreads' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:0.12 NAME 'olcUpdateDN' SYNTAX OMsDN SINGLE-VALUE ) ( OLcfgDbAt:0.13 NAME 'olcUpdateRef' SUP labeledURI EQUALITY caseIgnoreMatch ) ( OLcfgDbAt:0.1 NAME 'olcDbDirectory' DESC 'Directory for database content' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString SINGLE-VALUE ) ( 1.3.6.1.4.1.4203.666.1.55.1 NAME 'monitoredInfo' DESC 'monitored info' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.2 NAME 'managedInfo' DESC 'monitor managed info' SUP name ) ( 1.3.6.1.4.1.4203.666.1.55.3 NAME 'monitorCounter' DESC 'monitor counter' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.4 NAME 'monitorOpCompleted' DESC 'monitor completed operations' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.5 NAME 'monitorOpInitiated' DESC 'monitor initiated operations' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.6 NAME 'monitorConnectionNumber' DESC 'monitor connection number' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.7 NAME 'monitorConnectionAuthzDN' DESC 'monitor connection authorization DN' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.8 NAME 'monitorConnectionLocalAddress' DESC 'monitor connection local address' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.9 NAME 'monitorConnectionPeerAddress' DESC 'monitor connection peer address' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.10 NAME 'monitorTimestamp' DESC 'monitor timestamp' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.11 NAME 'monitorOverlay' DESC 'name of overlays defined for a given database' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.12 NAME 'readOnly' DESC 'read/write status of a given database' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.13 NAME 'restrictedOperation' DESC 'name of restricted operation for a given database' SUP managedInfo ) ( 1.3.6.1.4.1.4203.666.1.55.14 NAME 'monitorConnectionProtocol' DESC 'monitor connection protocol' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.15 NAME 'monitorConnectionOpsReceived' DESC 'monitor number of operations received by the connection' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.16 NAME 'monitorConnectionOpsExecuting' DESC 'monitor number of operations in execution within the connection' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.17 NAME 'monitorConnectionOpsPending' DESC 'monitor number of pending operations within the connection' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.18 NAME 'monitorConnectionOpsCompleted' DESC 'monitor number of operations completed within the connection' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.19 NAME 'monitorConnectionGet' DESC 'number of times connection_get() was called so far' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.20 NAME 'monitorConnectionRead' DESC 'number of times connection_read() was called so far' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.21 NAME 'monitorConnectionWrite' DESC 'number of times connection_write() was called so far' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.22 NAME 'monitorConnectionMask' DESC 'monitor connection mask' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.23 NAME 'monitorConnectionListener' DESC 'monitor connection listener' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.24 NAME 'monitorConnectionPeerDomain' DESC 'monitor connection peer domain' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.25 NAME 'monitorConnectionStartTime' DESC 'monitor connection start time' SUP monitorTimestamp SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.26 NAME 'monitorConnectionActivityTime' DESC 'monitor connection activity time' SUP monitorTimestamp SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.27 NAME 'monitorIsShadow' DESC 'TRUE if the database is shadow' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.28 NAME 'monitorUpdateRef' DESC 'update referral for shadow databases' SUP monitoredInfo SINGLE-VALUE USAGE dSAOperation ) ( 1.3.6.1.4.1.4203.666.1.55.29 NAME 'monitorRuntimeConfig' DESC 'TRUE if component allows runtime configuration' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE USAGE dSAOperation ) ( OLcfgDbAt:1.11 NAME 'olcDbCacheFree' DESC 'Number of extra entries to free when max is reached' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:1.1 NAME 'olcDbCacheSize' DESC 'Entry cache size in entries' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:1.2 NAME 'olcDbCheckpoint' DESC 'Database checkpoint interval in kbytes and minutes' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:1.16 NAME 'olcDbChecksum' DESC 'Enable database checksum validation' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:1.13 NAME 'olcDbCryptFile' DESC 'Pathname of file containing the DB encryption key' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:1.14 NAME 'olcDbCryptKey' DESC 'DB encryption key' SYNTAX OMsOctetString SINGLE-VALUE ) ( OLcfgDbAt:1.3 NAME 'olcDbConfig' DESC 'BerkeleyDB DB_CONFIG configuration directives' SYNTAX OMsIA5String X-ORDERED 'VALUES' ) ( OLcfgDbAt:1.4 NAME 'olcDbNoSync' DESC 'Disable synchronous database writes' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:1.15 NAME 'olcDbPageSize' DESC 'Page size of specified DB, in Kbytes' EQUALITY caseExactMatch SYNTAX OMsDirectoryString ) ( OLcfgDbAt:1.5 NAME 'olcDbDirtyRead' DESC 'Allow reads of uncommitted data' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:1.12 NAME 'olcDbDNcacheSize' DESC 'DN cache size' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:1.6 NAME 'olcDbIDLcacheSize' DESC 'IDL cache size in IDLs' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:0.2 NAME 'olcDbIndex' DESC 'Attribute index parameters' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( OLcfgDbAt:1.7 NAME 'olcDbLinearIndex' DESC 'Index attributes one at a time' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:1.8 NAME 'olcDbLockDetect' DESC 'Deadlock detection algorithm' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:0.3 NAME 'olcDbMode' DESC 'Unix permissions of database files' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:1.9 NAME 'olcDbSearchStack' DESC 'Depth of search stack in IDLs' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:1.10 NAME 'olcDbShmKey' DESC 'Key for shared memory region' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgOvAt:3.1 NAME 'olcChainingBehavior' DESC 'Chaining behavior control parameters (draft-sermersheim-ldap-chaining)' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgOvAt:3.2 NAME 'olcChainCacheURI' DESC 'Enables caching of URIs not present in configuration' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgOvAt:3.3 NAME 'olcChainMaxReferralDepth' DESC 'max referral depth' EQUALITY integerMatch SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgOvAt:3.4 NAME 'olcChainReturnError' DESC 'Errors are returned instead of the original referral' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:0.14 NAME 'olcDbURI' DESC 'URI (list) for remote DSA' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.1 NAME 'olcDbStartTLS' DESC 'StartTLS' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.2 NAME 'olcDbACLAuthcDn' DESC 'Remote ACL administrative identity' OBSOLETE SYNTAX OMsDN SINGLE-VALUE ) ( OLcfgDbAt:3.3 NAME 'olcDbACLPasswd' DESC 'Remote ACL administrative identity credentials' OBSOLETE SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.4 NAME 'olcDbACLBind' DESC 'Remote ACL administrative identity auth bind configuration' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.5 NAME 'olcDbIDAssertAuthcDn' DESC 'Remote Identity Assertion administrative identity' OBSOLETE SYNTAX OMsDN SINGLE-VALUE ) ( OLcfgDbAt:3.6 NAME 'olcDbIDAssertPasswd' DESC 'Remote Identity Assertion administrative identity credentials' OBSOLETE SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.7 NAME 'olcDbIDAssertBind' DESC 'Remote Identity Assertion administrative identity auth bind configuration' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.8 NAME 'olcDbIDAssertMode' DESC 'Remote Identity Assertion mode' OBSOLETE SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.9 NAME 'olcDbIDAssertAuthzFrom' DESC 'Remote Identity Assertion authz rules' SYNTAX OMsDirectoryString X-ORDERED 'VALUES' ) ( OLcfgDbAt:3.10 NAME 'olcDbRebindAsUser' DESC 'Rebind as user' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:3.11 NAME 'olcDbChaseReferrals' DESC 'Chase referrals' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:3.12 NAME 'olcDbTFSupport' DESC 'Absolute filters support' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.13 NAME 'olcDbProxyWhoAmI' DESC 'Proxy whoAmI exop' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:3.14 NAME 'olcDbTimeout' DESC 'Per-operation timeouts' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.15 NAME 'olcDbIdleTimeout' DESC 'connection idle timeout' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.16 NAME 'olcDbConnTtl' DESC 'connection ttl' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.17 NAME 'olcDbNetworkTimeout' DESC 'connection network timeout' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.18 NAME 'olcDbProtocolVersion' DESC 'protocol version' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:3.19 NAME 'olcDbSingleConn' DESC 'cache a single connection per identity' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:3.20 NAME 'olcDbCancel' DESC 'abandon/ignore/exop operations when appropriate' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.21 NAME 'olcDbQuarantine' DESC 'Quarantine database if connection fails and retry according to rule' SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:3.22 NAME 'olcDbUseTemporaryConn' DESC 'Use temporary connections if the cached one is busy' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:3.23 NAME 'olcDbConnectionPoolMax' DESC 'Max size of privileged connections pool' SYNTAX OMsInteger SINGLE-VALUE ) ( OLcfgDbAt:3.25 NAME 'olcDbNoRefs' DESC 'Do not return search reference responses' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:3.26 NAME 'olcDbNoUndefFilter' DESC 'Do not propagate undefined search filters' SYNTAX OMsBoolean SINGLE-VALUE ) ( OLcfgDbAt:5.1 NAME 'olcRelay' DESC 'Relay DN' SYNTAX OMsDN SINGLE-VALUE ) ( OLcfgDbAt:7.1 NAME 'olcDbSocketPath' DESC 'Pathname for Unix domain socket' EQUALITY caseExactMatch SYNTAX OMsDirectoryString SINGLE-VALUE ) ( OLcfgDbAt:7.2 NAME 'olcDbSocketExtensions' DESC 'binddn, peername, or ssf' EQUALITY caseIgnoreMatch SYNTAX OMsDirectoryString ) ( olmBDBAttributes:1 NAME 'olmBDBEntryCache' DESC 'Number of items in Entry Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( olmBDBAttributes:2 NAME 'olmBDBDNCache' DESC 'Number of items in DN Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( olmBDBAttributes:3 NAME 'olmBDBIDLCache' DESC 'Number of items in IDL Cache' SUP monitorCounter NO-USER-MODIFICATION USAGE dSAOperation ) ( olmBDBAttributes:4 NAME 'olmDbDirectory' DESC 'Path name of the directory where the database environment resides' SUP monitoredInfo NO-USER-MODIFICATION USAGE dSAOperation ) modifying entry "cn=schema,cn=config" ldap_modify: Other (e.g., implementation specific) error (80) The corresponding ldif-files and the original cn=schema,cn=config entry can be found at http://leo.kloburg.at/tmp/openldap-olcattributetypes/ Any hints? Thanks, --leo -- e-mail ::: Leo.Bergolth (at) wu.ac.at fax ::: +43-1-31336-906050 location ::: IT-Services | Vienna University of Economics | Austria

2 2

runtime config: adding values to olcDbConfig
by Alexander 'Leo' Bergolth 21 Aug '09

21 Aug '09

Hi! I am experiencing troubles when trying to add an additional value to the olcDbConfig attribute (openldap-2.4.16): $ ldapmodify -xvW -h bach-s49 -D cn=Manager,cn=config <<EOF > dn: olcDatabase={1}bdb,cn=config > changetype: modify > add: olcDbConfig > olcDbConfig: {19}# urxn > - > EOF ldap_initialize( ldap://bach-s49 ) Enter LDAP Password: add olcDbConfig: {19}# urxn modifying entry "olcDatabase={1}bdb,cn=config" ldap_modify: Inappropriate matching (18) additional info: modify/add: olcDbConfig: no equality matching rule replacing all attribute values with "changetype: modify" and "replace: olcDbConfig" works fine but unfortunately Apache DirectoryStudio doesn't seem to offer that way of committing changes... Unfortunately the attribute definition of olcDbConfig seems to be hardcoded, so is there any way to make the above modification work? Thanks, --leo -- e-mail ::: Leo.Bergolth (at) wu.ac.at fax ::: +43-1-31336-906050 location ::: IT-Services | Vienna University of Economics | Austria

2 1

question for some code in sasl binding
by Xu, Qiang (FXSGSC) 20 Aug '09

20 Aug '09

Hi, all: In reading OpenLDAP code related to SASL binding, I found the following snippet: ======================================== int ldap_sasl_bind( LDAP *ld, LDAP_CONST char *dn, LDAP_CONST char *mechanism, struct berval *cred, LDAPControl **sctrls, LDAPControl **cctrls, int *msgidp ) { ... if( mechanism == LDAP_SASL_SIMPLE ) { /* simple bind */ rc = ber_printf( ber, "{it{istON}" /*}*/, id, LDAP_REQ_BIND, ld->ld_version, dn, LDAP_AUTH_SIMPLE, cred ); } else if ( cred == NULL || cred->bv_val == NULL ) { /* SASL bind w/o credentials */ rc = ber_printf( ber, "{it{ist{sN}N}" /*}*/, id, LDAP_REQ_BIND, ld->ld_version, dn, LDAP_AUTH_SASL, mechanism ); } else { /* SASL bind w/ credentials */ rc = ber_printf( ber, "{it{ist{sON}N}" /*}*/, id, LDAP_REQ_BIND, ld->ld_version, dn, LDAP_AUTH_SASL, mechanism, cred ); } ... } ======================================== Just wanna know that if I remove the condition "|| cred->bv_val == NULL" in the "else if" brance, what will happen? Anyone can tell me why this condition was added? What bug did it fix? My guess is that if it is removed, then the network trace will display some packet marked with "Malformed Packet", but the binding result should be the same. Still, I need some confirmation from your guys. P.S. Shouldn't another condtion, say, "|| cred->bv_len == 0" be added into the "else if" brance as well? Thanks, Xu Qiang

1 0

Avoid unexistent user queries
by Jordi Espasa Clofent 20 Aug '09

20 Aug '09

Hi all, I'm using OpenLDAP as account server. In the server I see a lot of queries from inexistents users in LDAP: filter="(&(objectClass=posixGroup)(|(memberUid=ivan)(uniqueMember=uid=ivan,ou=sat,ou=tecnic,dc=cdmon,dc=com)))" filter="(&(objectClass=posixAccount)(uidNumber=900))" filter="(&(objectClass=posixAccount)(uid=postfix))" filter="(&(objectClass=posixAccount)(uid=postfix))" filter="(&(objectClass=posixAccount)(uid=postfix))" filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uid=nobody))" gidNumbercn filter="(&(objectClass=posixAccount)(uid=postfix))" gidNumbercn filter="(&(objectClass=posixAccount)(uidNumber=125))" gidNumbercn filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uid=xatlantax))" gidNumbercn filter="(&(objectClass=posixAccount)(uidNumber=900))" gidNumbercn filter="(&(objectClass=posixAccount)(uid=cetr))" gidNumbercn filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uidNumber=900))" gidNumbercn filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uid=root))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" filter="(&(objectClass=posixAccount)(uid=www-data))" I don't understand why because of users as '900, postfix, root, www-data' don't exists as users in LDAP server. On the other hand, the user 'ivan' exists and you can see the difference in the log record. ¿Where is the problem? Maybe in my /etc/nsswitch.conf of LDAP clients? # cat /etc/nsswitch.conf passwd: files ldap group: files ldap shadow: files ldap sudoers: ldap hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis Taking for example the common 'www-data' user query, I see in the LDAP client the next: # cat /var/log/auth.log | grep apache Aug 20 01:20:30 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:20:30 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:20:30 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:20:30 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:20:58 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:02 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:04 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:04 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:05 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:05 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:05 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:05 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:06 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:48 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:49 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:50 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:50 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:50 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:50 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:50 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:21:59 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:00 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:00 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:03 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:05 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:07 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:07 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:24 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:24 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:24 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ Aug 20 01:22:25 xen-ad0010 apache2: nss_ldap: reconnected to LDAP server ldap://192.168.10.1/ ¿Why Apache2 tries to connect to LDAP (192.168.10.1)? ¿How I can avoid it? -- Thanks, Jordi Espasa Clofent

1 0

using ldapsearch to get whole data
by mukim pathan 20 Aug '09

20 Aug '09

Hi, I am unable to use slapcat to get whole database into a ldif file because I have a 32 bit machine which cannot write file having size more than 2 GB. So I am looking for alternate ways to get full database into ldif file. So please tell me if there are any alternate ways to do this. I am using openldap-2.4.16 with BDB-4.5 Regards, Mukim Pathan

4 4

LDAP Multimaster Replication
by Paul bob 19 Aug '09

19 Aug '09

Hi - I have question regarding the HA, configured LDAP Multimaster Replication (Openldap 2.4.17 & BDB 4.6.21 ) I can see the Users data in both Server1 and Server2. When I turned off the server2 the users are not getting authenticated through Server1. It always getting authentication through Server2. I would appreciate your valuable suggestion! Thanks, PB

1 0

ldap_add: Already exists (68) errors when testing multi-master sync replication
by Barry Colston 19 Aug '09

19 Aug '09

While testing sync replication, I encountered a situation in which a previously deleted DN cannot be added again because the ldapadd command receives a 68 error code. If I perform an ldapsearch command for the DN, the DN is not found. If I try to add the DN, the add fails with a 68 error code. If I perform a slapcat command for that DN, slapcat displays the record. I have removed all BDB index files and rerun the slapindex command, but the DN is still not found with the ldapsearch command and fails to be added because of a 68 error code. 1 reason I can think of is that deleting a DN does not physically delete the record, but flags the DN as being logically deleted. This condition does not happen all the time, but it does happen eventually after I have been adding, modifying, and deleting records for approximately 15 minutes. I'm running openLDAP 2.4.17 with BDB 4.6.21 (and have not applied the 4 BDB patches). Running sync replication with 2 masters defined in mirror mode using refreshandpersist; issuing LDAP commands against only master slapd #1. Barry Colston

2 3

Need help migrating from Novell eDirectory to OpenLDAP
by Donal Duane 19 Aug '09

19 Aug '09

Hi all, Has anyone tried to migrate data between eDirectory and OpenLDAP? I am having a lot of trouble with invalid attributes. /D

2 1

[PROBLEM] delta-syncrepl, accesslog and filters
by mkappe 19 Aug '09

19 Aug '09

Hello, I use openldap 2.4.16. I configured 2 servers using syncrepl. I would like to sync only a DIT fragment and so i put these lines in the consumer slapd.conf file: syncrepl rid=111 provider=ldaps://mydomain.it<http://ldapstudenti.cca.unipd.it:12315/> type=refreshAndPersist searchbase="dc=mydomain,dc=it" filter="(&(objectClass=MyClass)(Email=true))" attrs="Username,UserStatus,UserExpireDate" schemachecking=off bindmethod=simple binddn="cn=reader,dc=mydomain,dc=it" credentials=xxxxxx retry="60 +" When i try to get out of the scope an entry (setting its attribute 'Email' = false) in the producer, i see that the same entry is removed from the consumer. Everything works fine if i don't activate delta syncrepl mode using accesslog overlay. If i do that, every changes in the producer is propagated to the consumer even if the entry is out of the scope defined in the consumer. How can i configure delta syncrepl (with accesslog) for sync only a DIT fragment? My producer (delta-syncrepl mode) slapd.conf is: moduleload syncprov.la ####################################################################### # ACCESSLOG database definitions ####################################################################### moduleload accesslog.la database bdb suffix "cn=accesslog" rootdn "cn=accesslog" directory /openldap/data/accesslog index default eq index entryCSN,objectClass overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE ####################################################################### # BDB database definitions ####################################################################### # RAMO LOCALE: database bdb suffix "dc=mydomain,dc=it" rootdn "cn=manager,dc=mydomain,dc=it" rootpw xxxxxxx directory /openldap/data index objectClass,uid eq index entryCSN eq index entryUUId eq index Email pres,eq ####################################################################### # Syncrepl - Sincprov ####################################################################### overlay syncprov syncprov-checkpoint 100 1 syncprov-sessionlog 100 overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logpurge 00+01:00 00+00:15 ####################################################################### # ACL ####################################################################### access to dn.subtree="dc=mydomain,dc=it" attrs="userPassword" by anonymous auth by self write by * search access to * by dn.base="cn=reader,dc=mydomain,dc=it" read by * break My consumer (delta-syncrepl mode) slapd.conf is: ####################################################################### # BDB database definitions ####################################################################### # RAMO LOCALE: database bdb suffix "dc=mydomain,dc=it" rootdn "cn=manager,dc=mydomain,dc=it" rootpw xxxxxxx directory /openldap/data index objectClass,uid eq index entryUUID,entryCSN eq index Email pres,eq ####################################################################### # DELTA-SYNCREPL ####################################################################### syncrepl rid=005 provider=ldaps://mydomain.it:123 type=refreshAndPersist searchbase="dc=mydomain,dc=it" filter="(&(objectClass=myClass)(Email=true))" logbase="cn=accesslog" syncdata=accesslog schemachecking=off bindmethod=simple binddn="cn=reader,dc=mydomain,dc=it" credentials=xxxxxx retry="60 +" updateref ldaps://mydomain.it:123 ###################################################################### # ACL ###################################################################### access to dn.subtree="dc=mydomain,dc=it" attrs="userPassword" by anonymous auth by self write by * search access to * by dn.base="cn=reader,dc=mydomain,dc=it" read by * break Thank you! Marco

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2009