Re: one user access all databases
by Hendrik van der Ploeg
ok thanks,
But how can I set the user in a separate database to have access to a
different database?
Regards,
Hendrik
> On Tue, 22 Mar 2011 12:07:54 +0200 (SAST), Buchan Milne
> <bgmilne(a)staff.telkomsa.net> wrote:
>> ----- "Hendrik van der Ploeg" <hvdploeg(a)competa.com> wrote:
>>
>>> Hello,
>>>
>>> Can I add 1 user in cn=config so that it can access all the
>>> underlying
>>> databases? (olcdatabase={1}bdb, olcdatabase={2}bdb etc.)
>>
>> cn=config is not for hosting entries for DUA clients, just as the
>> 'mysql'
>> database is not for hosting tables for RDBMS client applications.
>>
>>> The reason for this is that I use ldap-meta which connects to an LDAP
>>> server with multiple databases in it.
>>>
>>> dc=0001,dc=domain,dc=nl
>>> dc=0002,dc=domain,dc=nl
>>> dc=0003,dc=domain,dc=nl
>>>
>>> I use "idassert-bind" at the ldap-meta server to set a different
>>> username.
>>> But in this situation I need to add an extra username for every
>>> database in
>>> slapd.conf
>>>
>>> Is there a possibility to use a global user which can access all the
>>> databases?
>>
>> Use a separate local database with a suitable backend (e.g. hdb or
>> bdb).
>>
>> Regards,
>> Buchan
--
Hendrik van der Ploeg
Competa IT ( http://www.competa.com )
Verrijn Stuartlaan 20
2288 EL Rijswijk
the Netherlands
Phone: +31(0)704277555
Fax: +31(0)704277554
11 years, 3 months
Re: one user access all databases
by Buchan Milne
----- "Hendrik van der Ploeg" <hvdploeg(a)competa.com> wrote:
> Hello,
>
> Can I add 1 user in cn=config so that it can access all the
> underlying
> databases? (olcdatabase={1}bdb, olcdatabase={2}bdb etc.)
cn=config is not for hosting entries for DUA clients, just as the 'mysql' database is not for hosting tables for RDBMS client applications.
> The reason for this is that I use ldap-meta which connects to an LDAP
> server with multiple databases in it.
>
> dc=0001,dc=domain,dc=nl
> dc=0002,dc=domain,dc=nl
> dc=0003,dc=domain,dc=nl
>
> I use "idassert-bind" at the ldap-meta server to set a different
> username.
> But in this situation I need to add an extra username for every
> database in
> slapd.conf
>
> Is there a possibility to use a global user which can access all the
> databases?
Use a separate local database with a suitable backend (e.g. hdb or bdb).
Regards,
Buchan
11 years, 3 months
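Buchan's advice, worked through as an added example (this is not from the thread and not OpenLDAP project configuration): a slapd.conf fragment for the backend server that hosts the dc=0001/dc=0002 databases, in which the one identity the ldap-meta server binds with lives in its own small local database instead of cn=config, and is granted read access to every customer database through ordinary ACLs rather than a rootdn. All names here are assumed (ou=services, cn=metaproxy, the directories, the password placeholder). The authz-policy line and the authzTo attribute are only needed if the meta proxy also asserts client identities (an idassert-bind mode other than none), because identity assertion requires the backend to authorize the proxy identity to act as those users; with mode=none the ACLs alone are enough.

```conf
# --- backend server slapd.conf fragment (added example; names are assumed) ---

# Global: needed only when the meta proxy asserts client identities via
# proxyAuthz. The proxy entry then lists, in authzTo, whom it may act as.
authz-policy    to

# 1. Small local database holding the proxy identity, kept out of cn=config.
database        hdb
suffix          "ou=services,dc=domain,dc=nl"
rootdn          "cn=manager,ou=services,dc=domain,dc=nl"
rootpw          {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
directory       /var/lib/ldap/services
# Only the proxy itself (to change its password) and rootdn may touch it.
access to *
        by self write
        by * none

# Entry to load into that database (slapadd or ldapadd):
#   dn: cn=metaproxy,ou=services,dc=domain,dc=nl
#   objectClass: organizationalRole
#   objectClass: simpleSecurityObject
#   cn: metaproxy
#   userPassword: {SSHA}...
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=000[0-9],dc=domain,dc=nl$

# 2. Each customer database grants the single proxy identity read access.
#    The proxy never needs to read passwords, so the userPassword rule
#    only allows it for authentication, as for everyone else.
database        bdb
suffix          "dc=0001,dc=domain,dc=nl"
directory       /var/lib/ldap/0001
access to attrs=userPassword
        by self write
        by * auth
access to *
        by dn.exact="cn=metaproxy,ou=services,dc=domain,dc=nl" read
        by self write
        by * none

database        bdb
suffix          "dc=0002,dc=domain,dc=nl"
directory       /var/lib/ldap/0002
access to attrs=userPassword
        by self write
        by * auth
access to *
        by dn.exact="cn=metaproxy,ou=services,dc=domain,dc=nl" read
        by self write
        by * none
```

On the ldap-meta side the idassert-bind directive for every uri then points at the same binddn, so adding a customer database means adding one more access block here, not one more credential in the proxy's slapd.conf. Because the proxy identity is an ordinary entry rather than a rootdn, its reads are subject to ACLs and can be narrowed per database (for example to ou=people only) without touching the other tenants.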
one user access all databases
by Hendrik van der Ploeg
Hello,
Can I add 1 user in cn=config so that it can access all the underlying
databases? (olcdatabase={1}bdb, olcdatabase={2}bdb etc.)
The reason for this is that I use ldap-meta which connects to an LDAP
server with multiple databases in it.
dc=0001,dc=domain,dc=nl
dc=0002,dc=domain,dc=nl
dc=0003,dc=domain,dc=nl
I use "idassert-bind" at the ldap-meta server to set a different username.
But in this situation I need to add an extra username for every database in
slapd.conf
Is there a possibility to use a global user which can access all the
databases?
Thanks in advance
Regards,
Hendrik
The Netherlands
11 years, 3 months
OpenLDAP Memory Usage
by Diego Lima
Hello all,
I'm experiencing some problems with some OpenLDAP servers: the slapd
process seems to always use more memory, eventually reaching a point
where it has consumed all the available server memory and is killed by
the OOM killer. The servers have 32 GB of memory plus 32 GB of swap
space and are running Debian Lenny (with kernel 2.6.26-2-amd64); we
have compiled OpenLDAP 2.4.23 from source, and we're using Berkeley
DB 4.6. The servers are dedicated to running OpenLDAP, so they don't
have other processes that use a significant amount of memory.
This is a relatively high-volume environment, with 4 servers running
with mirrormode to enable multi-master replication. The current
database size is about 900 MB. Is there any setting that could limit
this memory usage? I don't feel this is "normal" considering our DB
size and cache sizes.
These are my slapd.conf and DB_CONFIG files:
--------------------------------- slapd.conf ---------------------------------
disallow bind_anon
require authc
#== Schemas snipped ==
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
loglevel 16640
modulepath /usr/local/openldap/lib/ldap/
moduleload back_bdb
moduleload ppolicy
moduleload syncprov
threads 8
database config
rootdn "cn=admin,cn=config"
rootpw {SSHA}PASS
database monitor
rootdn "cn=admin,cn=monitor"
rootpw {SSHA}PASS
database bdb
suffix "dc=corpldap,dc=mycompany"
rootdn "cn=admin,dc=corpldap,dc=mycompany"
rootpw {SSHA}PASS
directory /usr/local/openldap/var/corpldap-mycompany-data
overlay ppolicy
overlay syncprov
ppolicy_hash_cleartext
syncprov-checkpoint 100 10
syncprov-sessionlog 100
monitoring on
lastmod on
checkpoint 512 10
cachesize 200000
idlcachesize 600000
#== Indexes and ACLs snipped ==
serverid 1
syncrepl rid=002
provider="ldap://server02:389"
searchbase="dc=corpldap,dc=mycompany"
type="refreshAndPersist"
retry="30 10 60 15 600 +"
bindmethod=simple
binddn="cn=repuser3,ou=replica,dc=corpldap,dc=mycompany"
credentials="PASSWORD"
#== other syncrepl entries snipped
mirrormode on
--------------------------------- DB_CONFIG ---------------------------------
set_lg_max 10485760
set_lg_regionmax 1048576
set_lg_bsize 2097152
set_lg_dir /var/ldap/corpldap-mycompany-log
set_flags DB_LOG_AUTOREMOVE
set_cachesize 0 2073741824 0
set_lk_max_objects 5000
set_lk_max_locks 5000
set_lk_max_lockers 5000
--
Diego Lima
http://www.diegolima.org
11 years, 3 months
DSEE to OpenLDAP
by adam@spoontech.biz
Hi, I have currently been given the task of migrating our current LDAP
environment from Sun DSEE (6.3.1) to OpenLDAP.
I have done some research on this topic, and suspect it's not a trivial
task, and am hoping for some pointers/advice from anyone that may have
attempted this in the past...
I'm not sure that replication between the two is an option (although I would
love it if it was :), so I have looked into exporting the current DSEE
environment to an LDIF, and attempted to then import it into OpenLDAP
(using slapadd), but ran into a few issues...
The issue I'm currently stuck on is getting the data in the LDIF into a
format that can be imported using slapadd. Currently, I have issues with
automounts, pwdReset attributes, etc...
Any help would be appreciated.
Cheers,
11 years, 3 months
Fw: Trying to start Slapd, bad conf file.
by Noel Akins
Hi,
When I try to start slapd I get a failed message saying the config file is bad.
What I have below is what was uncommented in slapd.conf as it came in the
package. I installed OpenLDAP via yum on my 1and1 VPS which has CentOS. It
would seem that the OpenLDAP package for CentOS puts things in different places
than other distributions, and it also seems that this conf file is a bit more
complex than what I see in introductory material on LDAP/OpenLDAP, which isn't
helping me to learn this.
I'm wanting to use LDAP to authenticate users on a website, and to ultimately
use Shibboleth to federate logins (which requires LDAP). I'm new to this and I'm
not sure what the problem is with this file. One thing I wanted to ask was,
since I'm looking to use LDAP for website authentication, do I need these
schemas? I know I can create a local schema, which I think is what I need to do
for my purpose.
If you have any suggestions or can point out what is wrong here, I would greatly
appreciate it.
Thank you.
#########################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=<mydomain>,dc=<org>"
rootdn "cn=XXXXXX,dc=<mydomain>,dc=<org>"
rootpw xxxxxxx
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
11 years, 3 months
syncrepl consumer with several providers, is it working?
by LALOT Dominique
Hello,
I'm a little bit worried about that mail and the fact that our setup is
getting out of sync sometimes.
http://www.openldap.org/lists/openldap-software/200505/msg00324.html
Versions: the providers are all 2.4. The consumer is 2.4.23, some providers
2.4.21, one 2.4.11.
And our setup is not stable; we get out of sync, it's a matter of
days/weeks. So, is this working? Should we prefer a relay, then replicate
from the relay? What is the right solution?
Is there a simple way to force replication without deleting the database?
Should I replicate to 4 databases and create referrals, then replicate the
whole tree to another consumer?
Thanks in advance for any advice
Dom
Our configuration on the fusion consumer:
database bdb
suffix "dc=fr"
syncrepl rid=010
provider=ldap://ldapmaitre.univ-xx.fr/
type=refreshAndPersist
searchbase="dc=univ-xx,dc=fr"
retry="60 10 300 +"
scope=sub
filter="(objectClass=*)"
attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName"
schemachecking=off
bindmethod=simple
syncrepl rid=011
provider=ldap://ldapmaitre.univ-yy.fr/
type=refreshAndPersist
searchbase="dc=univ-yy,dc=fr"
retry="60 10 300 +"
scope=sub
filter="(objectClass=*)"
attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName"
schemachecking=off
bindmethod=simple
syncrepl rid=012
provider=ldap://annuaire.univ-zz.fr/
type=refreshAndPersist
searchbase="dc=univ-zz,dc=fr"
retry="60 10 300 +"
scope=sub
filter="(objectClass=*)"
attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName"
schemachecking=off
bindmethod=simple
syncrepl rid=013
provider=ldap://annuaire-maitre.univ-ww.fr/
type=refreshAndPersist
searchbase="dc=univ-ww,dc=fr"
retry="60 10 300 +"
scope=sub
filter="(objectClass=*)"
attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName"
schemachecking=off
bindmethod=simple
--
Dominique LALOT
Ingénieur Systèmes et Réseaux
http://annuaire.univmed.fr/showuser.php?uid=lalot
11 years, 3 months
how ldap works replicating AD?
by Lumeng Lim
I am new to this but am familiar with the purpose of LDAP.
I just can't visualize how it works.
What we would want to happen is to have Linux desktops authenticate with
a Linux server to be able to gain access to network resources.
Currently, we have a Linux server with Samba as PDC and Windows clients
that connect to network shared resources. Users just log in via the
"domain" and network drives are mapped. When the server is unavailable (in
the case of laptops) the user just logs in and works with the local resources.
We would like to have the same thing going with Linux desktops and
laptops. With LDAP how is this implemented? I hope someone can help us
visualize it so we know what software and configurations should be done on
the side of both the server and the clients.
11 years, 3 months
Re: Error code 65 - invalid structural object class chain (groupOfUniqueNames/posixGroup)]
by Casey Jordan
Quanah,
Thanks for the quick reply. I understand this, however the tutorial I am
following seems to require it:
http://demo.exist-db.org/exist/ldap-security.xml
They say "Each group is represented by a single entry under the groupDN as a
union of RFC 2307 posixGroup and RFC 2256 groupOfUniqueNames."
If this is indeed a requirement for these systems to talk to each other do I
have any other options?
Thanks,
Casey
On Fri, Mar 18, 2011 at 4:57 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, March 18, 2011 4:16 PM -0400 Casey Jordan <
> casey.jordan(a)jorsek.com> wrote:
>
>> Hi group,
>>
>> I am trying to import an ldif and I keep getting this error which has me
>> totally stumped:
>>
>
> An LDAP object may only have one structural objectClass. You've provided
> two.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
Casey Jordan
easyDITA a product of Jorsek LLC
"CaseyDJordan" on LinkedIn, Twitter & Facebook
Cell (585) 348 7399
Office (585) 239 6060
easydita.com
11 years, 3 months
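Two of the threads above, the DSEE-to-OpenLDAP import and the error 65 "invalid structural object class chain", both come down to inspecting content LDIF before slapadd sees it. The following Python is an added example, not code from either thread and not an OpenLDAP tool: a small RFC 2849 content-LDIF reader and writer that strips attributes slapadd should not be fed, and flags entries whose objectClass values contain more than one structural class outside a single superior chain, which is what objectClassViolation (65) reports. The drop list (pwdReset is from the thread; nsUniqueId is assumed to be DSEE's internal entry id), the objectClass kind table and the sample export are all constructed for the example; a real migration should build the table from the target server's subschema and extend the drop list from the actual export.

```python
import base64
from typing import List, Tuple

Entry = Tuple[str, List[Tuple[str, str]]]   # (dn, [(attribute, value), ...]) in file order

# Attributes from the DSEE export that slapadd should not be fed: pwdReset is named
# in the thread; nsUniqueId is assumed here to be DSEE's internal entry id.
DSEE_ONLY = ("pwdReset", "nsUniqueId")

# Constructed objectClass kind/superior table for the classes the threads mention;
# a real migration derives this from the target server's subschema.
SCHEMA_KIND = {
    "top": "ABSTRACT", "person": "STRUCTURAL", "organizationalPerson": "STRUCTURAL",
    "inetOrgPerson": "STRUCTURAL", "organizationalUnit": "STRUCTURAL",
    "groupOfUniqueNames": "STRUCTURAL", "posixGroup": "STRUCTURAL",
    "posixAccount": "AUXILIARY", "shadowAccount": "AUXILIARY", "dcObject": "AUXILIARY",
}
SCHEMA_SUP = {"organizationalPerson": "person", "inetOrgPerson": "organizationalPerson"}
_CANON = {name.lower(): name for name in SCHEMA_KIND}   # case-insensitive lookup

def _unfold(text: str) -> List[str]:
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text: str) -> List[Entry]:
    """Parse content LDIF (no changetype records), decoding 'attr:: base64' values."""
    entries: List[Entry] = []
    dn, attrs = None, []
    for line in _unfold(text) + [""]:              # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                    # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries

def to_ldif(entries: List[Entry]) -> str:
    """Serialise entries back to content LDIF, base64-encoding values RFC 2849 calls unsafe."""
    out: List[str] = []
    for dn, attrs in entries:
        for name, value in [("dn", dn)] + attrs:
            safe = (value.isascii() and value == value.strip()
                    and not value.startswith((":", "<")) and "\n" not in value)
            enc = base64.b64encode(value.encode("utf-8")).decode("ascii")
            out.append(f"{name}: {value}" if safe else f"{name}:: {enc}")
        out.append("")
    return "\n".join(out)

def strip_attributes(entries: List[Entry], drop=DSEE_ONLY) -> List[Entry]:
    """Drop the named attributes (case-insensitively) from every entry."""
    dropped = {d.lower() for d in drop}
    return [(dn, [(n, v) for n, v in attrs if n.lower() not in dropped])
            for dn, attrs in entries]

def _derives(oc: str, ancestor: str) -> bool:
    """True if `ancestor` is among the superiors of `oc` in SCHEMA_SUP."""
    while oc in SCHEMA_SUP:
        oc = SCHEMA_SUP[oc]
        if oc == ancestor:
            return True
    return False

def structural_chain_problems(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Entries whose structural classes do not form one superior chain, i.e. what
    slapd rejects with objectClassViolation (65). Classes not in the table are ignored."""
    problems = []
    for dn, attrs in entries:
        structural = [_CANON[v.lower()] for n, v in attrs
                      if n.lower() == "objectclass" and v.lower() in _CANON
                      and SCHEMA_KIND[_CANON[v.lower()]] == "STRUCTURAL"]
        # keep only the most specific classes: drop any that another one derives from
        leaves = [c for c in structural if not any(_derives(o, c) for o in structural if o != c)]
        if len(leaves) > 1:
            problems.append((dn, leaves))
    return problems

# Constructed sample export: the error-65 group and a user with a valid person chain.
SAMPLE_LDIF = """\
dn: cn=devs,ou=groups,dc=example,dc=org
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: devs
nsUniqueId: 00000000-00000000-00000000-00000000

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
sn:: QWxpY2U=
description: folded
 value
pwdReset: TRUE
"""

if __name__ == "__main__":
    cleaned = strip_attributes(parse_ldif(SAMPLE_LDIF))
    for dn, classes in structural_chain_problems(cleaned):
        print(f"{dn}: competing structural classes {classes}")
    print(to_ldif(cleaned))
```

Run as a script it reports the devs group as carrying two competing structural classes and prints the cleaned LDIF with pwdReset and nsUniqueId removed; the user entry passes because person, organizationalPerson and inetOrgPerson lie on one superior chain. The check is deliberately conservative: an objectClass absent from the table is skipped rather than guessed at, so it never flags an entry it cannot reason about.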
Understanding back_perl SampleLDAP.pm
by Marco Pizzoli
Hi list,
could someone help me in understanding what the SampleLDAP.pm perl module does
in its search routine?
This is the code:
--------
sub search {
    my $this = shift;
    my ( $base, $scope, $deref, $sizeLim, $timeLim, $filterStr, $attrOnly,
        @attrs )
        = @_;
    print {*STDERR} "====$filterStr====\n";

    # Rewrite an LDAP filter such as "(cn=foo)" into LDIF-looking text
    # ("cn: foo") so it can be used as a regex against the stored entry text.
    $filterStr =~ s/\(|\)//gm;
    $filterStr =~ s/=/: /m;

    # $this is the backend object itself: its keys are the DNs of the entries
    # held in memory, each value is that entry's text.
    my @match_dn = ();
    for my $dn ( keys %{$this} ) {
        if ( $this->{$dn} =~ /$filterStr/imx ) {
            push @match_dn, $dn;
            last if ( scalar @match_dn == $sizeLim );
        }
    }

    # Return the text of every matching entry, with a success result code.
    my @match_entries = ();
    for my $dn (@match_dn) {
        push @match_entries, $this->{$dn};
    }
    return ( 0, @match_entries );
}
--------
I'm interested in knowing what "keys %{$this}" should contain and why, in
trying to use this sample perl module I cannot see any "key" of the array
variable $this.
I configured the database in this way:
database perl
suffix "dc=perl,dc=com"
perlModulePath /tmp/appoggio/
perlModule SampleLDAP
Thanks in advance
Marco
11 years, 3 months