openldap-technical April 2011

openldap-technical@openldap.org

97 participants
98 discussions

Re: Installation openLDAP in Debian
by Olivier 21 Apr '11

21 Apr '11

>> No, that is not the meaning of "add". In that case, how can you change olcRootPW: MySecretPassword If it already exists but you want to change it ? --- Olivier

2 1

new entry lost on multi-master setup (two scenarios)
by Jose Ildefonso Camargo Tolosa 21 Apr '11

21 Apr '11

Greetings, At first, I was going to create a bug report, but decided to send to list first. I tried this with both: 2.4.23 (Debian package), and 2.4.25, compiled from source, bdb 4.8. After a couple of entries just disappeared on one multi-master setup I had, I decided to further investigate, and found this (there are two cases, for the same procedure): 1. Configure two LDAP servers in multi-master setup. 2. Make sure they replicate correctly (off course). 3. Shutdown one of the two ldap servers. 4. Create a new entry (say, ou1) on the LDAP server that is left up. 5. Shutdown the last LDAP server. 6. Start the *other* LDAP server, the one where you didn't create the entry. 7. Create another entry, say: ou2, so that both servers has a new entry, that is *not* on the other server. 8. Shutdown the LDAP server (both servers down now). 9. Start both LDAP servers. Result (case 1): one of the two newly created entries is missing on *one* of the servers, and only one of the entries is missing on the other server. Result (case 2): one entry is missing on *both* servers. Both servers has NTP, and has the same timezone (ie, time is synchronized). I'm *not* replicating cn=config (I shouldn't, because I have different SSL certificates on each server). Now, more details: slapd with -d 16384 gives me this on the server that misses both entries, on this server I created the entry dn ou=ou2,dc=st-andes,dc=com (and the server decided to delete it!, and, for some reason, it didn't detected the new ou1 entry created on the other server): http://www.st-andes.com/openldap/case1/log-server2-case1.txt The other server (the one that kept one entry and lost the other), on this server I created the entry ou=ou1,dc=st-andes,dc=com, and it says it was changed by peer.....: http://www.st-andes.com/openldap/case1/log-server1-case1.txt Now, I'm seeing here that it is using 000 server id... but on the cn=config.ldif I have: olcServerID: 1 ldap://ldap.ildetech.com:389/ olcServerID: 2 ldap://ldap2.ildetech.com:389/ And the syncrepl: olcSyncRepl: rid=001 provider=ldap://ldap.ildetech.com:389 binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple credentials="secret" searchbase="dc=st-andes,dc=com" type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389 binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple credentials="secret" searchbase="dc=st-andes,dc=com" type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical olcMirrorMode: TRUE And, as you can see on the command line, I have the URL specified on the -h parameter, but it seems to be ignoring it!. Or, should I specify the *whole* urls that I put on the -h parameter? (ldap://ldap2.ildetech.com:389 ldap://127.0.0.1:389/ ldaps:/// ldapi:///) So, I decided to change the config: On server 1 (kirara): olcServerID: 1 and olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389 binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple credentials="secret" searchbase="dc=st-andes,dc=com" type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical olcMirrorMode: TRUE On server 2 (happy): olcServerID: 2 and olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389 binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple credentials="secret" searchbase="dc=st-andes,dc=com" type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical olcMirrorMode: TRUE With this new setup, and following the same procedure, I get one missing entry on *both* servers (at least servers gets to a consistent state), but I still have a missing entry. The logs for this setup: Server 2 (ID 2, where I created entry: ou2 while the other server was down), this server decided, wrongly, to delete entry ou2: http://www.st-andes.com/openldap/case2/log-server2-case2.txt And the other server (where I created ou1): http://www.st-andes.com/openldap/case2/log-server1-case2.txt This one never saw the other entry, ou2. For both cases, the syncprov module was with default configuration: dn: olcOverlay={0}syncprov objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig entryUUID: 24354488-e5bf-102f-9e6a-ad3cba95f7f1 creatorsName: cn=config createTimestamp: 20110318152128Z entryCSN: 20110318152128.935227Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20110318152128Z What do you think? Thanks in advance! Ildefonso Camargo

3 5

Re: Installation openLDAP in Debian
by Jose Ildefonso Camargo Tolosa 21 Apr '11

21 Apr '11

Resending on-list. On Wed, Apr 20, 2011 at 1:33 PM, Simone Piccardi <piccardi(a)truelite.it> wrote: > On 20/04/2011 17:42, Jose Ildefonso Camargo Tolosa wrote: >>> >>> Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin >>> guide. >> >> Quanah: actually, documentation is not yet complete for cn=config, I >> had to actually convert my slapd.conf to cn=config using slaptest in >> order to find out how to do the same I had on slapd.conf on cn=config. >> >> Ildefonso > > That's the way I'm using it. And I suggest to anyone not needing to modify > configurations on the fly to use it that way. > > Because apart the missing documentation, I found difficult having to deal > with the obscure attribute names and the complex directory structure (and > the not so explicative file names used under it) that I found in > /etc/ldap/slapd.d/. Well, I actually got used to cn=config pretty quickly, nevertheless, I still find easier to understand and modify the slapd.conf file than the directory structure under slapd.d... it is definitely more complex (and I don't think it is easier to modify using a LDAP administration tool). The "cn=config" replication suggested on the docs becomes useless when you need to use TLS, because, AFAIK, we don't have a way of having different TLS parameters for each replica (and, on a multi-master setup, you will likely have different servers, with different names, and thus: different SSL certificate). > > I understand the needs for cn=config, but for the moment I don't need it. > Having a file with a simple syntax that I can read and modify instead of a > tree of LDIF files is far more convenient for me. So I hope that slapd.conf > will remain supported. +1, we shouldn't drop slapd.conf file. > > Simone > -- > Simone Piccardi Truelite Srl > piccardi(a)truelite.it (email/jabber) Via Monferrato, 6 > Tel. +39-347-1032433 50142 Firenze > http://www.truelite.it Tel. +39-055-7879597 Fax. +39-055-7333336 >

5 5

Re: Installation openLDAP in Debian
by Howard Chu 21 Apr '11

21 Apr '11

Olivier Guillard wrote: >> On a fresh installation that has not yet been configured: ... > > Thanks howard, it helps. > > For other readers I add this found in the slapadd doc : > >> LIMITATIONS >> Your slapd(8) should not be running when you do this to ensure consis‐ >> tency of the database. > > Something I have to test : > > What happens if you attempt to add an entry or change an attribute > that already exists using "slapadd" (I suspect that the old entry is > replaced). No, that is not the meaning of "add". -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: Simple LDAP to LDAP Integration
by Alejandro Imass 20 Apr '11

20 Apr '11

On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister <whm(a)stanford.edu> wrote: > > > --On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass > <ait(a)p2ee.org> wrote: > >> Hello, >> [...] > One way to do this is to configure your OpenLDAP server to generate an > accesslog. They you read the accesslog looking for any changes and > apply the changes to your downstream datastore whatever it is. We do > this using perl and Net::LDAPapi. I can provide an example if you are > interested. > Hi Bill, thank you *very* much for your prompt reply. One question (actually 2) though before I ask for the trouble of providing an example.... do you get the clear text passwd on the accesslog? is the the log an LDIF format? It's not that I really need clear text, but I need to compute the corresponding password hashes for MS-AD. are you guys able to change the password fields as well? or are you just copying the hashes from one to the other? how does this work with the accesslog method? Again many thanks because I really feel that this could be a practical KISS way of integrating this. Thanks!!! Alex > Bill > > -- > > Bill MacAllister > Infrastructure Delivery Group, Stanford University > >

2 1

Simple LDAP to LDAP Integration
by Alejandro Imass 20 Apr '11

20 Apr '11

Hello, I am seeking a simple integration between OpenLDAP and MS AD. The DIT structures are completely different but the Posix UIDs are the same. The integration is very simple because all we need to do is update the corresponding UID in AD whenever an entry changes in OpenLDAP (i.e. OpenLDAP is the master here). I though it would be easy to use the overlays for this but after careful examination it is not what we need. All we need for the moment is to capture the entry write event in OpenLDAP and run an external subroutine/program/lib that connects to the AD and does the changes there. We already have the second part developed in Perl, that is, we have a Perl program that connects to AD and changes whatever we want. We now need to pass this program the data that have changed in OpenLDAP. We could turn the Perl program into an LDAP server as well so we could maybe use the overlays, so in this case, the Perl program would receive the LDAP, and translate that to AD. The other option is to use SLAPI and capture the change event and use that to connect to AD, maybe spawning a daemonized process in Perl in order not to hang OpenLDAP waiting for AD. Anyway, if anyone can give us a hand as to how to approach this and what are the best alternatives to do this integration would be great. We would gladly publish this OpenLDAP to AD integration as OpenSource. Or if anyone happens to know if this already exists (but needs to be flexible because we need to translate from one DIT structure to the other with different schemas on each). Thanks! Alex

3 3

Re: Installation openLDAP in Debian
by Jose Ildefonso Camargo Tolosa 20 Apr '11

20 Apr '11

On Wed, Apr 20, 2011 at 10:53 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Wednesday, April 20, 2011 6:51 PM +0900 "D. R. Paudel" > <rajme690(a)gmail.com> wrote: > >> Hi, >> I tried to install openLDAP in my debian 6.0.1 Squeeze but I got problem >> as there is no slapd.conf inside /etc/ldap/ directory. Is there any easy >> process for installation and configuration for beginners. > > Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin > guide. Quanah: actually, documentation is not yet complete for cn=config, I had to actually convert my slapd.conf to cn=config using slaptest in order to find out how to do the same I had on slapd.conf on cn=config. Ildefonso > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

2 1

proxy Auth and authzto
by LALOT Dominique 20 Apr '11

20 Apr '11

Hello, I tried some configuration in order to get porxyAuth working. I would like to know if it's restricted to SASL. We use PLAIN LOGIN over TLS in order to work with all auth method, SSO and so on. Could you confirm? Thanks Dom -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot

2 1

"Name forms" with slapo-constraint
by Michael Ströder 20 Apr '11

20 Apr '11

HI! I tried to use slapo-constraint on entryDN when adding new entries. Kind of poor man's name forms... constraint_attribute entryDN regex mail=[^,],departmentNumber=[0-9]+,O=MyOrg restrict="ldap:///O=MyOrg??sub?(objectClass=inetOrgPerson)" But looking at the trace log it seems this is not evaluated at all probably entryDN is not present in the added entry and not yet generated. Any hints whether that might work? Ciao, Michael.

1 0

Data aggregator
by Hugo Monteiro 20 Apr '11

20 Apr '11

Hello all, This post may be a little OT, but i'm sure this subject has bitten some of you some time. So, i'm willing to take the chance. Anyway, feel free to redirect me and this conversation elsewhere. Background: There's an LDAP infrastructure set up, which has been fed and maintained by a "in the house" made management system. This management system primary role is NOT to manage LDAP data, but it was where the data lived, some extensions where developed to provide that extra functionality. Years have passed and more and more we depend on our LDAP service. But we also have more and more the need to add other data to LDAP, which doesn't exist in the still in place management system. Changing the LDAP data model has also become a major headache since that type of change will also force maintenance to the management system accordingly. Objective: I'm currently delegated to find a modular solution that can aggregate data from several sources, relational databases, other ldap servers, flat text files, whatever, and be able to maintain a centrally managed information database which can then be exported to/served by an LDAP server. The solution could aggregate data directly into an LDAP database, or it could maintain it's own database that could be later exported to ldif, or sync to LDAP. The main purpose here would also to be able to find something that would do this, or that could be set with some minimal changes to perform as described, WITHOUT being an "in the house" solution. Sorry if it felt like i'm daydreaming, but i would love to hear peoples thoughts on this matter. Best regards, Hugo Monteiro. -- fct.unl.pt:~# cat .signature Hugo Monteiro Email : hugo.monteiro(a)fct.unl.pt Telefone : +351 212948300 Ext.15307 Web : http://hmonteiro.net Divisão de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.fct.unl.pt apoio(a)fct.unl.pt fct.unl.pt:~# _

3 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2011