Re: How to slapadd cn=config
by Torsten Schlabach (Tascel eG)
Hi Ondrej!
You're right, it's a classic RTFM:
From the slapadd man page:
-n dbnum
Add entries to the dbnum-th database listed in the configuration
file. The -n cannot be used in conjunction with the -b option.
To populate the config database slapd-config(5), use -n 0 as it
is always the first database. It must physically exist on the
filesystem prior to this, however.
I tried -b 'cn=config' instead of -n 0, which is semantically the same,
but not technically.
Problem solved, I think.
Regards,
Torsten
On Tue, 21 Sep 2010 14:45:33 +0200, Ondrej Kuznik
<ondrej.kuznik(a)acision.com> wrote:
> On 09/21/2010 02:23 PM, Torsten Schlabach (Tascel eG) wrote:
>> Hi Robert!
>>
>>> Slapd, etc. needs an /etc/openldap/slapd.conf file
>>
>> Well, either an /etc/openldap/slapd.conf file *or* a cn=config database,
>> I guess.
>>
>> Ok, maybe a possible trick is to have a minimal slapd.conf file which
>> just declares a cn=config database to be able to load it that way.
>>
>> In that case, a cut & paste example somewhere would come in handy.
>>
>> But I understand that in OpenLDAP 2.5 they think about doing away with
>> slapd.conf entirely. This would then break your approach again.
>>
>> Maybe Howard will explain a bit better what he meant by "slapadd the
>> same way you slapcat".
>
> I asked a similar question on the #openldap irc channel some time ago,
> the advice was to use:
> slapadd -n0 -l slapdconfig.ldif -F /path/to/new/slapd.d
>
> (the directory /path/to/new/slapd.d must already exist and should be
> an empty directory)
>
> That way you need no prior configuration in the form of slapd.conf.
>
> Ondra
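As an added example, not code from the thread or from the OpenLDAP project, here is a small POSIX shell script that checks the preconditions the slapadd man page and Ondrej's reply state (the slapd.d directory must already exist and be empty, and the dump must really start at cn=config) before loading the config database with -n 0 and -F. All paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: load a cn=config dump into
# a fresh slapd.d with "slapadd -n 0 -F <dir> -l <ldif>" (the
# form Ondrej quotes) after checking what the man page and his
# reply require. Every path here is a constructed assumption.
set -eu

# Preflight: returns 0 only when the LDIF exists, the slapd.d
# directory exists (slapadd will not create it) and is empty,
# and the first entry in the dump is the config root.
config_preflight() {
    ldif=$1
    confdir=$2
    [ -f "$ldif" ] || { echo "missing LDIF: $ldif" >&2; return 1; }
    [ -d "$confdir" ] || { echo "missing directory: $confdir" >&2; return 1; }
    if [ -n "$(ls -A "$confdir")" ]; then
        echo "refusing to load into non-empty $confdir" >&2
        return 1
    fi
    first_dn=$(sed -n '/^dn:/{p;q;}' "$ldif")
    if [ "$first_dn" != "dn: cn=config" ]; then
        echo "first entry is not cn=config: ${first_dn:-<none>}" >&2
        return 1
    fi
}

# The command line itself: -n 0 selects the config database by
# number (the man page says it is always database 0) and -F
# names the slapd.d directory, so no slapd.conf is needed.
config_load_cmd() {
    printf 'slapadd -n 0 -F %s -l %s\n' "$2" "$1"
}

# Run it only after the preflight passes and slapadd is present.
load_config() {
    config_preflight "$1" "$2" || return 1
    command -v slapadd >/dev/null 2>&1 || { echo "slapadd not found" >&2; return 1; }
    slapadd -n 0 -F "$2" -l "$1"
}

# Demo on constructed input: an empty slapd.d and a two-entry dump.
demo=$(mktemp -d)
mkdir "$demo/slapd.d"
printf 'dn: cn=config\nobjectClass: olcGlobal\ncn: config\n\n' > "$demo/config.ldif"
printf 'dn: olcDatabase={0}config,cn=config\nobjectClass: olcDatabaseConfig\n' >> "$demo/config.ldif"
config_preflight "$demo/config.ldif" "$demo/slapd.d"
config_load_cmd "$demo/config.ldif" "$demo/slapd.d"
rm -rf "$demo"
```

Replace the demo paths with the real dump and target directory and call load_config instead of config_load_cmd to actually populate slapd.d.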
Automate Create Home Directory
by Alejandro Rodriguez Luna
Hi, I'm testing a new OpenLDAP server, and I have everything set: I can add users and groups, and log on to different machines with the same user.
Everything works fine, but I have a problem: I have to create the home directory for each new user on each new machine that I log on to. Is there a way that this process can be automatic? Ideas?
Forcing UID attribute
by Marco Pizzoli
Hi list,
I need to populate an entry in OL having DN uid=pippo,ou=people,dc=mycorp.
I need to force this entry to have a uid attribute *different* from uid
appearing in the name. Example: I need "uid: pluto".
ldapadd-ing the entry I have the entry with 2 uid attributes populated:
- uid: pippo
- uid: pluto
Is there a way to NOT have "uid: pippo" populated even if the entry is
called in that way?
Thanks in advance
Marco
--
_________________________________________
It is not the strong one who never falls, but the one who, having fallen, has the strength to get up again.
Jim Morrison
Configuring AD using OpenLDAP
by Vinay Kalkoti
Hi,
Is it possible to use OpenLDAP client to authenticate against Active
Directory without using Samba or SUF ?
Thanks,
Vinay
No connection! Some Ideas
by Márcio Luciano Donada
That night I had a problem with the LDAP server stopping; the only thing I
have in the log is this:
connection_read(42): no connection!
My OpenLDAP version is:
@(#) $OpenLDAP: slapd 2.4.11 (Jul 24 2010 08:14:20)
$#012#011@murphy:/build/buildd-openldap_2.4.11-1+lenny2-i386-H5BDjb/openldap-2.4.11/debian/build/servers/slapd
Debian Lenny 5.
After restarting ldap I have the following message:
connection_input: conn=32 deferring operation: pending operations
I honestly do not know what happens. I have this problem sometimes on my
system, for some reason I do not yet know, and the debug level in
slapd.conf is 256; as I said in the e-mail, that is the only
information I have. Can anyone help me? Thanks
--
Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.
Loglevel for authentication problem
by Darouichi, Aziz
Hi,
We are working with a vendor of a hosted application, and we are using openldap-2.2.13-12.el4 for authentication. We are not able to log in to the hosted application. This is the error message the vendor is getting:
[message] [09-14-2010T10:27:30] Attempting to bind to xx.xxx.xxx.xxxx:389
[message] [09-14-2010T10:27:30] Binding as 'uid=pperson,ou=People,dc=college,dc=edu'
[message] [09-14-2010T10:27:31] Bind successful
[system ] [09-14-2010T10:27:31] Checking R25 WS user
[message] [09-14-2010T10:27:31] Executing query (&(objectClass=user)(sAMAccountName=test))
[message] [09-14-2010T10:27:31] Building field mappings for query (&(objectClass=user)(sAMAccountName=test))
[message] [09-14-2010T10:27:31] Search path: OU=Group,DC=college,DC=edu
[error ] [09-14-2010T10:27:32] Search error: [10061] Connection refused
[message] [09-14-2010T10:27:32] Search path: OU=People,DC=college,DC=edu
[error ] [09-14-2010T10:27:33] Search error: [10061] Connection refused
[message] [09-14-2010T10:27:33] Search path: OU=Users,DC=college,DC=edu
[error ] [09-14-2010T10:27:34] Search error: [10061] Connection refused
[error ] [09-14-2010T10:27:34] Query (&(objectClass=user)(sAMAccountName=test)) returned no results
We have log level 64 enabled; if we increase the log level it slows the machine down.
This is what we are getting in the log:
Sep 16 09:31:01 ldap1 last message repeated 8 times
Sep 16 09:32:06 ldap1 last message repeated 2 times
Sep 16 09:33:07 ldap1 slapd[3288]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Sep 16 09:34:26 ldap1 last message repeated 4 times
Sep 16 09:35:36 ldap1 last message repeated 4 times
Sep 16 09:36:39 ldap1 last message repeated 4 times
Sep 16 09:37:14 ldap1 last message repeated 4 times
Sep 16 09:37:23 ldap1 slapd[3288]: connection_read(26): no connection!
Sep 16 09:37:26 ldap1 slapd[3288]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Sep 16 09:38:15 ldap1 last message repeated 2 times
Sep 16 09:39:16 ldap1 last message repeated 5 times
Sep 16 09:40:28 ldap1 last message repeated 3 times
Sep 16 09:40:56 ldap1 last message repeated 5 times
Sep 16 09:41:10 ldap1 slapd[3288]: connection_read(34): no connection!
Sep 16 09:41:17 ldap1 slapd[3288]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
I have a test server I can use to troubleshoot this problem, if I know what log level I should use?
Thanks,
Aziz
Stitching two LDAP databases together using chaining?
by Michael Smith
Hi,
Let's say I have a database with base DN dc=parent. On a particular
server, dc=parent is a read-only syncrepl slave.
On the same server, I have a separate read-write database,
dc=child,dc=parent.
Is there a way to make it so searches of dc=parent also search the
database in dc=child,dc=parent?
I'm thinking a referral plus the chain overlay might do the trick, but I
can't create a referral object with name "dc=child,dc=parent" within the
dc=parent database because the server knows dc=child,dc=parent already
exists (as the other database). I get "Already exists (68)" from the server.
I figure I'm missing something simple, or doing something stupid.
Thanks,
Mike
accesslog anomaly in drop/re-import (was Searched Attr=1.1)
by Marco Pizzoli
I re-post this help request using a more appropriate subject.
Thanks in advance
Marco
---------- Forwarded message ----------
From: Marco Pizzoli <marco.pizzoli(a)gmail.com>
Date: Thu, Sep 16, 2010 at 1:07 PM
Subject: Re: Searched Attr=1.1
To: Dieter Kluenter <dieter(a)dkluenter.de>
Cc: openldap-technical(a)openldap.org
Hi Dieter,
thanks for your answer.
I came across this while investigating an anomaly that I'm having with my
accesslog database.
The symptom I was having was continuous high CPU spikes. I suspected it was due to
my accesslog database.
- I made a slapcat of my entire log database.
- I erased my log database.
- I tried a slapadd of my log database.
I had this problem:
/usr/sbin/slapadd -b "cn=log,dc=mycorp.it" -l /srv/bck/dump_db_log.ldif.20100916
. 0.00% eta 08h35m elapsed spd 90.2 k/s
str2entry: invalid value for attributeType reqControls #0 (syntax 1.3.6.1.4.1.4203.666.11.5.3.1)
slapadd2.4: could not parse entry (line=4907)
- 0.01% eta 05h58m elapsed spd 205.7 k/s
Closing DB...
I went to that line and found this entry:
dn: reqStart=20100913065628.000008Z,cn=log,dc=mycorp.it
objectClass: auditSearch
structuralObjectClass: auditSearch
reqStart: 20100913065628.000008Z
reqEnd: 20100913065628.000009Z
reqType: search
reqSession: 1129
reqAuthzID: cn=syncrepl-ldap04,ou=utenze_tecniche_openldap,ou=Gestori,dc=mycorp.it
reqControls: {0}{1.3.6.1.4.1.4203.1.9.1.1 controlValue "30440K0103043M7269643N3030332M7369643N3030342M63736O3N32303130303931333036353130362O3932343735355K2330303030303023303033233030303030300001PP"}
reqControls: {1}{2.16.840.1.113730.3.4.2 criticality TRUE}
reqDN: dc=mycorp.it
reqResult: 0
reqScope: base
reqDerefAliases: never
reqAttrsOnly: TRUE
reqFilter: (objectclass=*)
reqAttr: 1.1
reqEntries: 0
reqTimeLimit: -1
reqSizeLimit: 1
entryUUID: 2beb0bd0-ba32-4a00-93da-748ef2177cc7
creatorsName: cn=Manager,cn=log,dc=mycorp.it
createTimestamp: 20100913065628Z
entryCSN: 20100913065628.167225Z#000000#003#000000
modifiersName: cn=Manager,cn=log,dc=mycorp.it
modifyTimestamp: 20100913065628Z
Can someone tell me why this entry is not accepted by my OpenLDAP
system?
I'm using OL 2.4.23 with password policy overlay defined.
The entry I posted is related to an access made by a specific syncrepl-user.
Replica configured in mirror-mode.
Other OL systems are 2.4.22.
Deleting this entry and re-slapadding, I had another similar problem.
/usr/sbin/slapadd2.4 -b "cn=log,dc=mycorp.it" -l /tmp/dump_db_log.ldif.20100916_Corrected
" 4.69% eta 01h07m elapsed 03m19s spd 542.3 k/s
str2entry: invalid value for attributeType reqRespControls #0 (syntax 1.3.6.1.4.1.4203.666.11.5.3.1)
slapadd2.4: could not parse entry (line=3099715)
* 4.70% eta 01h07m elapsed 03m20s spd 979.8 k/s
Closing DB...
The entry affected is this one:
dn: reqStart=20100913093021.000000Z,cn=log,dc=mycorp.it
objectClass: auditBind
structuralObjectClass: auditBind
reqStart: 20100913093021.000000Z
reqEnd: 20100913093021.000001Z
reqType: bind
reqSession: 2746
reqAuthzID:
reqControls: {0}{1.3.6.1.4.1.42.2.27.8.5.1}
reqRespControls: {0}{1.3.6.1.4.1.42.2.27.8.5.1 controlValue "3000"}
reqDN: uid=pe1597,ou=People,dc=mycorp.it
reqResult: 0
reqVersion: 3
reqMethod: SIMPLE
entryUUID: 192cbddf-4b5c-431d-a92e-c2f84fa4b7be
creatorsName: cn=Manager,cn=log,dc=mycorp.it
createTimestamp: 20100913093021Z
entryCSN: 20100913093021.411398Z#000000#003#000000
modifiersName: cn=Manager,cn=log,dc=mycorp.it
modifyTimestamp: 20100913093021Z
Any help is appreciated.
Thanks
Marco
On Thu, Sep 16, 2010 at 12:27 PM, Dieter Kluenter <dieter(a)dkluenter.de> wrote:
> Marco Pizzoli <marco.pizzoli(a)gmail.com> writes:
>
> > Hi list,
> > I found some entries in my OL logs about searches for attribute "1.1".
> > I've seen that the requester is the user used for the replication (syncrepl).
> >
> > Can anyone explain to me what kind of attribute this is?
> >
> > conn=0 op=3 SRCH attr=1.1
>
> oid 1.1 is just 'no attributes'
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> sip: 7770535(a)sipgate.de
> http://www.dpunkt.de/buecher/2104.html
> GPG Key ID:8EF7B6C6
>
--
_________________________________________
It is not the strong one who never falls, but the one who, having fallen, has the strength to get up again.
Jim Morrison
Re: How to bootstrap in mirror mode with cn=config
by Torsten Schlabach (Tascel eG)
Hi Brett!
I see your point, and actually, this is what we are doing anyway.
But I could ask my question in a different way as well:
How would I turn a single server into a mirror mode pair?
> restoring
> a server2 backup avoids problems with serverId etc.
You know, I am asking because I want to understand those problems.
Regards,
Torsten
P.S.: The list doesn't have the reply-to header properly set. Make sure
manually to reply to the list.
On Thu, 16 Sep 2010 19:52:01 +1000, "Brett @Google"
<brett.maxfield(a)gmail.com> wrote:
> I'd suggest a less complex approach.
>
> Restore server2 from backup, but make sure you emit a backup ldif
> somewhere on a backed up filesystem daily or whatever.
>
> After restoring your server 2 ldif, you will be configured, and will
> recover data quicker if you have some relatively static data sets.
>
> Building a replica with syncrepl can be slower than slapcat, restoring
> a server2 backup avoids problems with serverId etc., even with newer
> openldap versions.
>
>
> On 9/16/10, Torsten Schlabach (Tascel eG) <tschlabach(a)tascel.net> wrote:
>> Dear list!
>>
>> I am currently chasing some replication problems and I am trying to get
>> my
>> mind around a couple of questions.
>>
>> Let's assume this:
>>
>> We have two LDAP servers, server 1 and server 2, which are supposed to
>> be mirrors of each other.
>> They both have their cn=config database and a database with actual data,
>> let's assume it's the dc=example,dc=com database.
>> I want to run not only dc=example,dc=com but also cn=config in mirror
>> mode to make sure that I keep the config in sync and that any changes to
>> the config (e.g. ACLs) can be done on one of the servers and will
>> replicate to the other one.
>>
>> Let's assume this was all working well.
>>
>> Now server 2 fails and needs a complete reinstall. So I sit there with
>> a slapd binary and no configuration at all.
>>
>> My idea would be (please tell me if I am on the right path) :
>>
>> 1. I could give server 2 a minimal config which does not contain
>> anything else but "replicate your cn=config from server1". Let's call
>> this a bootstrap config.
>> 2. Once server 2 starts with that bootstrap config, it will fetch
>> cn=config from server1.
>> 3. It will learn from the replicated config that it has to have an
>> dc=example,dc=com database, create it and replicate its content from
>> server1 as well.
>> 4. I would be back in business.
>>
>> Unfortunately, when I tried, what happened was:
>>
>> The contextCSN of the bootstrap config on server 2 is newer / higher
>> than the one on server 1 which has not been touched for a while. So
>> server 2 did not fetch the config from server 1 but vice versa, which
>> was not exactly the result I intended. Though it's very consistent and
>> logical behaviour.
>>
>> My question:
>>
>> Am I on the completely wrong track?
>>
>> Would I have to do the slapcat -> slapadd thing between server 1 and
>> server 2 first (with server 2 offline) and start server 2 only after
>> that?
>>
>> When I do the slapcat / slapadd thing from server 1 to server 2, do I
>> have to remove any contextCSN / entryCSN entries (as some postings such
>> as http://www.mail-archive.com/openldap-technical@openldap.org/msg00109.html)
>> suggest or would that be just wrong?
>>
>> Regards,
>> Torsten
>>
>>
Attribute modification via alias
by Echedey Lorenzo
Hi,
I wonder if it is possible to modify an attribute by passing in the request a
DN which is an alias to the real entry where the attribute is placed.
Thanks for your help
--
--------------------------------------------
| Echedey Lorenzo Arencibia |
--------------------------------------------