On Wed, Nov 23, 2011 at 10:13 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, November 23, 2011 9:26 AM -0800 Jeffrey Crawford
> <jeffreyc(a)ucsc.edu> wrote:
>> read that already:
>> my original question was the following:
>> Granted the above issues might be explained away in that we don't yet
>> have enough ram on the machines yet, however it does seem to present
>> us with a problem when we notice the discrepancy, how do we during run
>> time re-sync the data from the provider server? I have tried the slapd
>> -c rid=2,csn=20111114000000.000000Z but that doesn't seem to do any
>> good. (I've tried several different values of csn=0
>> csn=20111114000000.000000Z#000000#000#000000 etc. to no avail)
> Regardless of RAM limitations, you should never have an inconsistent
> database. However, so far, the only replication mechanism I've seen
> guarantee this is delta-syncrepl. This may be better in the upcoming
> OpenLDAP 2.4.27 for syncrepl.
> If you read the slapd man page for the -c option, it is quite clear:
> Use only the rid part to force a full reload.
Humm that didn't seem to work. I'm rebuilding so I'll give that another try.
>> from man slapadd
>> Your slapd(8) should not be running when you do this to ensure
>> consistency of the database.
>> So how can I have slapd run, respond to what data it has currently, yet
>> understand that it will update all its data with the source provider
>> updating, adding, removing entries as necessary without removing the
>> database first?
> I don't understand why you would want slapd to respond with completely bogus
> data to any clients doing queries. If you're going to force reload the
> replica anyway, it makes much more sense to use slapadd from the master
> rather than trying to do it via syncrepl, which can take numerous amounts of
> time longer than doing it via slapadd, and during that entire time period,
> you have the possibility of sending out significantly erroneous data.
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> Zimbra :: the leader in open source messaging and collaboration
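The discrepancy this thread is about can be spotted before anyone forces a reload by comparing the provider's and the consumer's contextCSN values series by series. The following is an added example (not code from the thread or from OpenLDAP) that parses CSNs in the format quoted above and reports, per provider serverID, whether the consumer is in sync, behind, stale, ahead, or missing that series entirely; the contextCSN values and the 60-second lag threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# OpenLDAP CSN layout: <YYYYmmddHHMMSS>.<usec>Z#<count>#<sid>#<modcount>,
# e.g. 20111114000000.000000Z#000000#000#000000; count, sid and mod are hex.
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)

def parse_csn(csn):
    """Split a CSN into its fields; raises ValueError on malformed input."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("malformed CSN: %r" % csn)
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"time": ts, "usec": int(m.group(2)), "count": int(m.group(3), 16),
            "sid": int(m.group(4), 16), "mod": int(m.group(5), 16)}

def csn_key(p):
    """Ordering key: a later CSN sorts higher (sid is excluded, it selects the series)."""
    return (p["time"], p["usec"], p["count"], p["mod"])

def compare_context_csn(provider_csns, consumer_csns, max_lag_seconds=60.0):
    """Per provider serverID, return (sid, status, lag_seconds); lag is None if missing."""
    prov = {parse_csn(c)["sid"]: parse_csn(c) for c in provider_csns}
    cons = {parse_csn(c)["sid"]: parse_csn(c) for c in consumer_csns}
    report = []
    for sid in sorted(prov):
        p, c = prov[sid], cons.get(sid)
        if c is None:
            report.append((sid, "missing", None))  # consumer never received this series
            continue
        lag = (p["time"] - c["time"]).total_seconds() + (p["usec"] - c["usec"]) / 1e6
        if csn_key(c) == csn_key(p):
            status = "in-sync"
        elif csn_key(c) < csn_key(p):
            status = "behind" if lag <= max_lag_seconds else "stale"
        else:
            status = "ahead"  # consumer claims changes the provider lacks: investigate
        report.append((sid, status, lag))
    return report

# Constructed sample values (hypothetical, not from the thread): the consumer is
# current for serverID 1, half a day behind for serverID 2, and lacks serverID 3.
PROVIDER_CONTEXT_CSN = ["20111114000000.000000Z#000000#001#000000",
                        "20111114120000.123456Z#000000#002#000000",
                        "20111114090000.000000Z#000000#003#000000"]
CONSUMER_CONTEXT_CSN = ["20111114000000.000000Z#000000#001#000000",
                        "20111113235900.000000Z#000000#002#000000"]

if __name__ == "__main__":
    for sid, status, lag in compare_context_csn(PROVIDER_CONTEXT_CSN, CONSUMER_CONTEXT_CSN):
        print("serverID %03x: %-8s lag=%s" % (sid, status, lag))
```

Real values come from `ldapsearch -s base -b <suffix> contextCSN` against each server; a "stale" or "missing" series is the case where a reload (or a closer look at the consumer's syncrepl configuration) is warranted.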
I'm new on this list and I have a question.
I'm using the tool web2ldap from Michael Stroeder and trying to
create a new entry with this tool.
I'm using OpenLDAP with the cn=config backend on Ubuntu 10.04.
Michael mentioned it could be an ACL problem, because his tool couldn't
read the Root DSE.
If I specify the search base and the admin user I can see the content
of the tree root:
abirndt@ubuntunb:~$ ldapsearch -b "dc=2axels-company,dc=de" -s base
'objectclass=*' -h localhost -D cn=admin,dc=2axels-company,dc=de -W
Enter LDAP Password:
# extended LDIF
# base <dc=2axels-company,dc=de> with scope baseObject
# filter: objectclass=*
# requesting: ALL
description: Tree root
But if I use ldapsearch with the following command I get nothing:
ldapsearch -b "" -s base 'objectclass=*'
ldap_sasl_interactive_bind_s: No such object (32)
Could you please help me identify whether there is a problem with reading
the Root DSE?
What could I do next?
Any help is very appreciated.
I am using OpenLDAP 2.4.25.
After reboot I see logs (log setting -d 256) like:
=> bdb_idl_delete_key: c_del id failed: DB_LOCK_DEADLOCK: Locker killed to
resolve a deadlock (-30994)
I checked this and found that I can ignore this.
But one minute after this message OpenLDAP stopped working.
I automatically detected it and restarted OpenLDAP.
After restarting I see a log message:
hdb_db_open: database "o=mydomain": unclean shutdown detected; attempting
Then I see for 1 to 3 minutes that OpenLDAP seems to work, before it stops
working again.
I repeated restarting.
After the sixth restart LDAP now seems to work correctly.
So now my question:
When I see the message "unclean shutdown detected; attempting recovery",
how long does the recovery take? Is it possible that the recovery was
still in progress as I restarted (after 5 mins) OpenLDAP?
Is there a log setting I could activate to see when the recovery is
Would it be better to manually do the recovery after stopping slapd?
On 11/30/2011 7:23 AM, Juergen.Sprenger(a)swisscom.com wrote:
> Hi Harry,
> have done this here with an extended schema for a
> heterogeneous environment of AIX, HPUX, Solaris and Linux.
> Extended posixaccount to x-posixaccount with attributetypes (complete schema on request):
> Then configure ldap clients with proper attribute mapping, example for Solaris:
> NS_LDAP_ATTRIBUTEMAP= passwd:uidNumber=x-SolarisuidNumber
> NS_LDAP_ATTRIBUTEMAP= passwd:gidNumber=x-SolarisgidNumber
> NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=x-SolarishomeDirectory
> NS_LDAP_ATTRIBUTEMAP= passwd:loginSHell=x-SolarisloginShell
> Now each operating system can have its own uid/gid combination and shadow
> attributes for a given username.
> The disadvantage is that you have slightly more complex users and you have to
> provide consistent settings on all machines of the same operating system.
> dn: uid=myname,ou=Person,dc=myEnterprise,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: x-posixAccount
> objectClass: shadowAccount
> sn: myname
> cn: myname
> uid: myname
> mail: myname(a)myEnterprise.com
> uidNumber: 287564
> gecos: myname
> displayName: myname
> x-LinuxuidNumber: 287564
> x-SolarisuidNumber: 287564
> x-HPUXuidNumber: 287564
> x-AIXuidNumber: 287564
> homeDirectory: /home/myname
> x-AIXhomeDirectory: /home/myname
> x-HPUXhomeDirectory: /home/myname
> x-LinuxhomeDirectory: /home/myname
> x-SolarishomeDirectory: /home/myname
> loginShell: /usr/bin/bash
> x-LinuxloginShell: /bin/bash
> x-HPUXloginShell: /bin/ksh
> x-SolarisloginShell: /usr/bin/bash
> x-AIXloginShell: /bin/sh
> gidNumber: 50001
> x-HPUXgidNumber: 50001
> x-SolarisgidNumber: 50001
> x-LinuxgidNumber: 50001
> x-AIXgidNumber: 50001
> Kind regards
> Juergen Sprenger
Juergen, thanks very much for this. I think your approach strikes a
balance between storing the same data in more than one place (separate
whole ou trees for each OS duplicating other information -- at the
benefit of no schema changes) and returning exactly the one result wanted
given a search (a practical necessity, as those who aren't given to
maintaining ldap clients like nslcd/nss_ldap are not able to cause them to
iterate through a number of home-directory results with the same name
looking for attributes to discern which is intended).
The downside of your approach is, as you note, no machine-specific
variants, but those are few enough that they can be put in the relevant
machine's passwd file and that set to be searched before ldap.
I am new to LDAP.
In my project, I need to send employees' information to third-party software.
For the first-time setup, maybe I can export the LDAP data and push the information to the third-party software, but later I want to send delta changes. We don't want to write all employee changes every day.
How do I achieve this in LDAP?
2011/11/28 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Friday, November 25, 2011 8:01 PM +0100 Clément OUDOT
> <clem.oudot(a)gmail.com> wrote:
>> 2011/11/25, Howard Chu <hyc(a)symas.com>:
>>> Clément OUDOT wrote:
>>>> I built today RPMs for OpenLDAP 2.4.27, for those who are interested,
>>>> they are available here: http://ltb-project.org/wiki/download#openldap
>>> You are probably going to want to respin these with the last 3 commits in
>> Thanks for this information, do you plan to release 2.4.28 to include
>> these commits?
> Yes. It is out now.
RPMs for OpenLDAP 2.4.28 are now available:
A new RPM has been created to provide overlays lastbind and smbk5pwd.
> I've implemented an OpenLDAP Metadirectory that proxies 2 Microsoft AD
> Nov 28 20:27:39 walrhel5 slapd: filter:
The objectClasses "user" and "computer" are unknown. They need to be
defined in the proxy's schema.
I have set up an LDAP replica, replicating data from an offsite LDAP
master. Replication is OK, but being a consumer replica, my LDAP server
is read-only.
I need to add and modify attributes on this replica, but I have no write
access to the master and the LDAP master admin won't change/update schemas...
From the guide, I can't figure out if it's possible.
Please let me know what solution I have (on any Linux distro).
I have a huge OpenLDAP server and a small one with maybe 10 users.
The small one contains its administrator objects (or most of them are
admins) and is completely different from the huge one.
So what I want is to include some user objects or a specific base DN from
the small one in the huge one.
I'm not sure what's the best way for that, maybe the meta backend..? or some
proxy auth that points to the small one..
|->point to ldap://ldapserver.com?dc=smallldap,dc=net/memberof=hugeldap
Thanks for your help