Re: Deleted DNs, and the great quest.
by xsun
I agree with that, I've been using delta-syncrepl here for a while and it's
much more reliable than syncrepl IMO. I have not found any consistency issue
with the replication so far.
Thanks,
Matheus Morais
2011/4/27 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Wednesday, April 27, 2011 8:01 PM +0200 Michael Ströder <
> michael(a)stroeder.com> wrote:
>
> Correct.
>>>
>>
>> Couldn't this be the cause for delta-syncrepl to seem more reliable than
>> normal syncrepl (without slapo-accesslog)?
>>
>
> I don't think so, because that is on the master, not on the replicas.
> Replicas still get changes in the order they were written to the master
> (supposedly anyhow. ;) ).
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
'Operations error' possible from self signed cert?
by paul.osborne@canterbury.ac.uk
Hi,
I have a working (I think) LDAP proxy using TLS between other systems
and our Active Directory. I am though slightly confused as to why when
the proxy is working it is generating the following operations error
messages.
An example of the query and response:
ldapsearch -x -LLL "(cn=ta99)" -D "CN=ldapproxy,OU=Service Accounts,DC=myad,DC=canterbury,DC=ac,DC=uk" -w password -Z
ldap_start_tls: Operations error (1)
        additional info: TLS already started
dn: cn=ta99,ou=Test Accounts,ou=OU Canterbury,dc=myad,dc=canterbury,dc=ac,dc=uk
cn: ta99
SAMACCOUNTNAME: ta99
# refldaps://ForestDnsZones.myad.canterbury.ac.uk/DC=ForestDnsZones,DC=ccad,DC=canterbury,DC=ac,DC=uk
# refldaps://ccad.canterbury.ac.uk/CN=Configuration,DC=myad,DC=canterbury,DC=ac,DC=uk
# refldaps://DomainDnsZones.ccad.canterbury.ac.uk/DC=DomainDnsZones,DC=myad,DC=canterbury,DC=ac,DC=uk
# refldaps://ccad.canterbury.ac.uk/CN=Schema,CN=Configuration,DC=myad,DC=canterbury,DC=ac,DC=uk
Operations error (1)
Note that the response LDIF has been filtered somewhat via use of the
rwm overlay and this is deliberate. My concern though is the 'Operations
error (1)' at the beginning and end of the operation. I *think* that
this is because I am using a self-signed cert which I am politely
allowing through (TLS_REQCERT allow) - but would like to be sure that
this is the cause of the error before I have to start getting things up
on a real server with a properly trusted certificate and appropriate
chain.
Many thanks
Paul
Mailbox Limitation
by Vinayagamoorthi.Kvi@wipro.com
Hi,
My mail server setup has openldap-2.3.43-3.el5 for virtual users,
postfix as MTA and courier-IMAP as IMAP. Now I need to limit the Maildir
size via OpenLDAP but I don't know how to implement it. Please help.
Regards,
Vinay.
Installation openLDAP in Debian
by D. R. Paudel
Hi,
I tried to install openLDAP on my Debian 6.0.1 Squeeze but I got a problem:
there is no slapd.conf inside the /etc/ldap/ directory. Is there any easy
process for installation and configuration for beginners?
regards,
--
Dambar Raj Paudel
(Wireless Technology - Researcher)
WAKHOK University, Wakkanai, Japan
Skype: drpaudel
integrating a new overlay to the server
by Cohen Roi
I'm working with RHEL 5.5.
I want to write a new overlay which also uses another library.
How do I compile/configure it to work within the server?
Thanks, Roi.
LDAP proxy to AD - fails to bind
by paul.osborne@canterbury.ac.uk
Hi,
I am going through the hoops of setting up an LDAP proxy (OpenLDAP 2.3
as supplied with Red Hat 5.6) in order to expose parts of our Active
Directory to other services which for political and security reasons
(that I have no influence in) we do not want talking directly to the AD.
In order to achieve this I would like to use ldap-back as the database
to act as the proxy to the AD and then a module such as translucent to
mask out the bits of the AD that we do not want exposed.
So far I am fighting to get ldap-back working as I would expect, at the
moment no matter what I do it fails to bind against the AD and a tcp
dump demonstrates this failure. Anonymously binding and querying the AD
is not an option and so I have to specify a user and get ID assertion
working to force a bind against the AD as a specific known user. This
does mean that anything (at the moment) could query our proxy and so get
at the exposed parts of the AD and for the moment that is intentional. I
am also aware that TLS etc are not enabled - this is deliberate as it
makes packet sniffing for debugging easier.
So for my slapd.conf I have:
[slapd.conf]
database        ldap
uri             "ldap://myad.canterbury.ac.uk/"
suffix          "dc=myad,dc=canterbury,dc=ac,dc=uk"
acl-bind        bindmethod=simple
                binddn="CN=ldapproxy,OU=AD Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk"
                credentials="password"
access to * by * read
idassert-bind   bindmethod=simple
                authzId=dn:CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk
                binddn="CN=ldapproxy,OU=Administrators,DC=myad,DC=canterbury,DC=ac,DC=uk"
                credentials="password"
idassert-authzFrom "dn.regex:.*"
[end slapd.conf]
At the moment I don't really care that anyone can read anything from the
AD since I can't even bind, that will be tightened up in due course. I
have seen others over the years have had similar issues and I have noted
the responses they have received as well as reading the man pages and
the Admin Guide, but am now at the point where some community support
would be appreciated.
Thanks
Paul
Problem about CA Issue Certificate with LDAP
by Nguyen, Quoc Khanh
Hi all,
I'm a newcomer, I'm trying to configure a CA with LDAP following
this site http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2
(section 4.2, CA Issue Certificate).
When going to step 4, I received an error message.
root@ldap:/usr/local/openssl/bin# /usr/local/openssl/ssl/misc/CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
665:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
665:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load CA private key
cat: newcert.pem: No such file or directory
Signed certificate is in newcert.pem
I think it's very simple, but I don't know how to solve it. I have tried
many ways but failed to fix it. Maybe I don't understand the CA Certificate.
I am so confused.
Please help,
khanhnq
--
***********************************
EVERYTHING HAS JUST BEGUN...
clarifications on cachesize, preferred db, et al. from admin guide
by Tim Mooney
All-
I'm getting back to the project of upgrading our OpenLDAP infrastructure,
which I started last summer but was interrupted by email outsourcing...
As things currently stand, I'll be deploying 2.4.25 + BDB 4.8.30 on RHEL
5.6. I'm starting with a DB_CONFIG of
set_cachesize 0 536870912 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
though I suspect I will tune further, as the servers are quite beefy and
our OpenLDAP databases are pretty modest (60K dn, 80 MB id2entry), so
we have horsepower and RAM to spare.
I've been carefully reviewing the docs and admin guide and have several
questions as points of clarification.
- Admin Guide, section 21.4.1.1. The tuning chapter is a godsend and
the section on the calculations for Berkeley DB cache sizing is extremely
helpful, but I've noted that the docs indicate that each index is a hash
structure and proceed to describe how to calculate how much additional cache
you will want for each index you have, beyond what you need for the (Btree)
id2entry and dn2id.
Every single one of my index .bdb files is of type Btree, though, not
Hash. Is that section of the docs outdated, and all indexed attributes
are now in Btree databases (for back-bdb and presumably back-hdb), or am
I fundamentally misunderstanding what the index-related cache calculations
are saying?
- Admin Guide, section 5. The last note in the intro section of chapter
5 mentions that some backends and overlays do not support slapd-config,
without listing what those backends are. Looking through the
documentation-related ITS's, it appears that at one point slapo-rwm didn't
support slapd-config, but that's apparently changed.
I realize it's more work to spell out what backends would prevent someone
from using slapd-config, especially since it must be kept up to date as
things change, but I think that explicitly listing the backends (and
overlays) that don't work with slapd-config will make people more likely
to choose slapd-config moving forward. As things stand, most people
aren't going to know whether they can use slapd-config or not because
they don't know which backends work with it and which don't.
If you agree that it would be useful to explicitly list which backends
would block the use of slapd-config and someone can provide me with the
list of blockers, I would be happy to file an ITS and provide a patch to
the current docs to spell things out. I personally think it will help
adoption of slapd-config.
- man page for slapd.backends(5). The man page entry states that
bdb is the preferred backend. I've seen enough hints and comments on
the mailing list to suggest that it will eventually be supplanted by hdb.
How soon is that going to happen (2.5?), and is it worth mentioning that
hdb is as good as bdb now and will be the new preferred backend soon?
Again, I'll submit the ITS with the doc patch if it's worth making that
assertion in the docs now.
- Admin Guide, chapter 21. The tuning chapter doesn't mention the
potential benefits of using an alternate memory allocator on Linux, as
Quanah clued me in to on the mailing list last month. Should it? If
people feel it would be worthwhile to mention, I would be happy to write
the first draft and supply the patch in an ITS.
- Admin Guide, chapter 21. The tuning chapter doesn't mention the
potential benefits of using sysv shared memory vs. mmap'ed files on
some platforms. Should it? Same offer for documentation patch applies,
though I expect this one will need more feedback from the experts.
Thanks,
Tim
--
Tim Mooney Tim.Mooney(a)ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
parsing output from ldap_search_ext_s C API
by sim123
Hi All,
I am using ldap_search_ext_s C API and having strange results, not sure if I
am missing something or its an API bug:
My Directory Tree looks like this:
| -- dc=example,dc=com
| ------ ou=users,dc=example,dc=com
| ---------- uid=1,ou=users,dc=example,dc=com
| --------------- cn=john
| ------ ou=departments,dc=example,dc=com
| ---------- uid=11,ou=departments,dc=example,dc=com
| --------------- cn=hr
| --------------- member=uid=1
| ---------- uid=12,ou=departments,dc=example,dc=com
| --------------- cn=sales
| --------------- member=uid=1
| ---------- uid=13,ou=departments,dc=example,dc=com
| --------------- cn=marketing
| --------------- member=uid=1
First I get all the departments for "john" by using *memberof* in the search
attributes. For this query my search filter contains only one criterion
("uid=1").
Then I construct another search filter for getting names of all the
departments john belongs to : (|(uid=11)(uid=12)(uid=13))
I pass this filter to ldap_search_ext_s, where base is
"ou=departments,dc=example,dc=com", scope is one level down, and I want "cn"
in the attribute
LDAPMessage* output;
int retCode = ldap_search_ext_s(ld, base.c_str(), scope, filter.c_str(),
                                attrs, 0, NULL, NULL, NULL, 0, &output);
if (retCode == LDAP_SUCCESS) {
    // log success
    // send result to a static method for parsing
    LDAPUtil::parseResult(ld, output, result);
    ldap_msgfree(output);
} else {
    // log error & throw exception
}
LDAPUtil parse result implementation
#include <ldap.h>
#include <iostream>
#include <map>
#include <string>
using namespace std;

void LDAPUtil::parseResult(LDAP* ld, LDAPMessage* ldapResponse,
                           LDAPSearchResult* parsedResult) {
    int numEntries = ldap_count_entries(ld, ldapResponse);
    cout << "number of entries " << numEntries << endl;  // 3 for the query above
    if (numEntries > 0) {
        LDAPMessage* entry;
        BerElement* ber;
        char* attr;
        struct berval** vals;   // ldap_get_values_len() returns struct berval **
        map<string, LDAPAttribute*> attributeValueMap;
        // The loop must advance from the entry just processed, i.e.
        // ldap_next_entry(ld, entry). The original post passed ldapResponse
        // (the head of the result chain) instead, which always returns the
        // second entry: the dn output was uid=11, uid=12, uid=12 and the loop
        // only terminated because of an extra count < numEntries guard.
        for (entry = ldap_first_entry(ld, ldapResponse);
             entry != NULL;
             entry = ldap_next_entry(ld, entry)) {
            // create LDAP Attributes
            LDAPAttribute* attribute = new LDAPAttribute();
            // set DN (ldap_get_dn() allocates; free it with ldap_memfree())
            char* dn = ldap_get_dn(ld, entry);
            attribute->setDn(dn);
            cout << "dn is " << dn << endl;
            ldap_memfree(dn);
            for (attr = ldap_first_attribute(ld, entry, &ber);
                 attr != NULL;
                 attr = ldap_next_attribute(ld, entry, ber)) {
                string temp = attr;
                cout << "attribute :: " << attr << endl;
                vals = ldap_get_values_len(ld, entry, attr);
                if (vals != NULL && ldap_count_values_len(vals) > 0) {
                    LDAPUtil::processAttribute(attribute, temp, vals);
                }
                ldap_value_free_len(vals);
                ldap_memfree(attr);   // attribute names are allocated too
            }
            if (ber != NULL) ber_free(ber, 0);  // per ldap_first_attribute(3)
            attributeValueMap.insert(
                pair<string, LDAPAttribute*>(attribute->getDn(), attribute));
        }
        parsedResult->setAttributeValueMap(attributeValueMap);
    }
}
Basically the above code is working only if I have one entry returned in the
output. I would really appreciate it if someone can help me with this, as I
have a hard time believing it's an API bug since I am just doing a basic
operation.
Thanks,
- Simon
Re: Installation openLDAP in Debian
by Jose Ildefonso Camargo Tolosa
On Thu, Apr 21, 2011 at 11:47 AM, Olivier Guillard
<olivier(a)guillard.nom.fr> wrote:
>> No, that is not the meaning of "add".
>
> In that case, how can you change
> olcRootPW: MySecretPassword
If you forgot your rootdn password, and have no other user with write
privileges to cn=config, I guess you would need to slapcat your
config, edit it, delete the old config, and reload it with slapadd. Or...
take the risk and just edit the file by hand.
Ildefonso.
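As an added example that is not part of the thread, a small POSIX shell script for the slapcat / edit / slapadd route outlined above; the Debian paths (/etc/ldap/slapd.d, user openldap), the function names and the requirement that slapd is stopped are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: recover a lost cn=config rootdn password
# the way the reply describes (slapcat the config, edit olcRootPW, replace the
# old config directory, reload with slapadd). Assumes the Debian layout
# (/etc/ldap/slapd.d, slapd runs as user openldap) and that slapd is stopped.
set -e

# Rewrite every olcRootPW value in an LDIF dump to NEWHASH (slappasswd output).
# slapcat may write the value base64-encoded ("olcRootPW:: ...") and may fold a
# long value onto continuation lines that start with a space; both are handled.
# Exits 1 if the dump contains no olcRootPW at all, so slapadd is never fed a
# config whose rootdn silently ends up with no password to reset.
set_rootpw_in_ldif() {
    in="$1"; out="$2"; newhash="$3"
    awk -v h="$newhash" '
        /^olcRootPW::? / { print "olcRootPW: " h; n++; skip = 1; next }
        skip && /^ /     { next }          # folded remainder of the old value
        { skip = 0; print }
        END { if (!n) exit 1 }
    ' "$in" > "$out"
}

# The full procedure, as root with slapd stopped. The old slapd.d is kept as a
# backup; the new password is hashed from a file so it never appears in argv.
reset_config_rootpw() {
    confdir="${1:-/etc/ldap/slapd.d}"; newpw="$2"
    work=$(mktemp -d)                           # mode 0700, holds the dump
    printf '%s' "$newpw" > "$work/pw"
    newhash=$(slappasswd -T "$work/pw")
    slapcat -n 0 -F "$confdir" -l "$work/config.ldif"
    set_rootpw_in_ldif "$work/config.ldif" "$work/config.new.ldif" "$newhash"
    mv "$confdir" "$confdir.bak.$(date +%s)"
    mkdir -m 0750 "$confdir"
    slapadd -n 0 -F "$confdir" -l "$work/config.new.ldif"
    chown -R openldap:openldap "$confdir"        # Debian's slapd user
    rm -rf "$work"
}
```

Run it as `reset_config_rootpw /etc/ldap/slapd.d 'NewSecret'`; if slapadd reports errors, the backup directory can simply be moved back.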