Re: Installation openLDAP in Debian
by Olivier
>> No, that is not the meaning of "add".
In that case, how can you change
olcRootPW: MySecretPassword
if it already exists but you want to change it?
---
Olivier
11 years, 1 month
new entry lost on multi-master setup (two scenarios)
by Jose Ildefonso Camargo Tolosa
Greetings,
At first, I was going to create a bug report, but decided to send to
list first. I tried this with both: 2.4.23 (Debian package), and
2.4.25, compiled from source, bdb 4.8.
After a couple of entries just disappeared on one multi-master setup I
had, I decided to further investigate, and found this (there are two
cases, for the same procedure):
1. Configure two LDAP servers in multi-master setup.
2. Make sure they replicate correctly (of course).
3. Shut down one of the two ldap servers.
4. Create a new entry (say, ou1) on the LDAP server that is left up.
5. Shut down the last LDAP server.
6. Start the *other* LDAP server, the one where you didn't create the entry.
7. Create another entry, say: ou2, so that both servers have a new
entry that is *not* on the other server.
8. Shut down the LDAP server (both servers down now).
9. Start both LDAP servers.
Result (case 1): one of the two newly created entries is missing on
*one* of the servers, and only one of the entries is missing on the
other server.
Result (case 2): one entry is missing on *both* servers.
Both servers have NTP and the same timezone (i.e., time is synchronized).
I'm *not* replicating cn=config (I shouldn't, because I have different
SSL certificates on each server). Now, more details:
slapd with -d 16384 gives me this on the server that misses both
entries; on this server I created the entry dn
ou=ou2,dc=st-andes,dc=com (and the server decided to delete it!, and,
for some reason, it didn't detect the new ou1 entry created on the
other server):
http://www.st-andes.com/openldap/case1/log-server2-case1.txt
The other server (the one that kept one entry and lost the other): on
this server I created the entry ou=ou1,dc=st-andes,dc=com, and it says
it was changed by peer...:
http://www.st-andes.com/openldap/case1/log-server1-case1.txt
Now, I'm seeing here that it is using 000 server id... but on the
cn=config.ldif I have:
olcServerID: 1 ldap://ldap.ildetech.com:389/
olcServerID: 2 ldap://ldap2.ildetech.com:389/
And the syncrepl:
olcSyncRepl: rid=001 provider=ldap://ldap.ildetech.com:389
binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple
credentials="secret" searchbase="dc=st-andes,dc=com"
type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical
olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389
binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple
credentials="secret" searchbase="dc=st-andes,dc=com"
type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical
olcMirrorMode: TRUE
And, as you can see on the command line, I have the URL specified on
the -h parameter, but it seems to be ignoring it! Or, should I
specify the *whole* urls that I put on the -h parameter?
(ldap://ldap2.ildetech.com:389 ldap://127.0.0.1:389/ ldaps:///
ldapi:///)
So, I decided to change the config:
On server 1 (kirara):
olcServerID: 1
and
olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389
binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple
credentials="secret" searchbase="dc=st-andes,dc=com"
type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical
olcMirrorMode: TRUE
On server 2 (happy):
olcServerID: 2
and
olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389
binddn="cn=admin,dc=st-andes,dc=com" bindmethod=simple
credentials="secret" searchbase="dc=st-andes,dc=com"
type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical
olcMirrorMode: TRUE
With this new setup, and following the same procedure, I get one
missing entry on *both* servers (at least the servers get to a consistent
state), but I still have a missing entry. The logs for this setup:
Server 2 (ID 2, where I created entry: ou2 while the other server was
down), this server decided, wrongly, to delete entry ou2:
http://www.st-andes.com/openldap/case2/log-server2-case2.txt
And the other server (where I created ou1):
http://www.st-andes.com/openldap/case2/log-server1-case2.txt
This one never saw the other entry, ou2.
For both cases, the syncprov module was with default configuration:
dn: olcOverlay={0}syncprov
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
structuralObjectClass: olcSyncProvConfig
entryUUID: 24354488-e5bf-102f-9e6a-ad3cba95f7f1
creatorsName: cn=config
createTimestamp: 20110318152128Z
entryCSN: 20110318152128.935227Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110318152128Z
What do you think?
Thanks in advance!
Ildefonso Camargo
11 years, 1 month
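Added example, not from this thread and not OpenLDAP's own code: a small Python helper for reading the entryCSN/contextCSN values that the logs above refer to, plus a sanity check over olcServerID/olcSyncRepl lines. It relies on two documented facts: a CSN has the layout <UTC time>.<usec>Z#<count>#<sid>#<mod>, where sid is the olcServerID of the server that performed the write (0 when no server ID is in effect), and when olcServerID values carry URLs, slapd uses the one whose URL matches one of its own listeners. The configs, host names and the credentials placeholder in the block are constructed; the checker cannot see the -h listener list, so it only reports shape problems visible in the LDIF lines themselves.

```python
import re

# entryCSN / contextCSN layout: <UTC time>.<usec>Z#<count>#<sid>#<mod>
# count, sid and mod are hexadecimal; sid is the writing server's ID.
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


def parse_csn(value):
    """Split a CSN string into its fields (time, usec, count, sid, mod)."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a CSN: {value!r}")
    ts, usec, count, sid, mod = m.groups()
    return {"time": ts, "usec": int(usec), "count": int(count, 16),
            "sid": int(sid, 16), "mod": int(mod, 16), "raw": value.strip()}


def csn_key(csn):
    """Ordering key: the fields are fixed-width, so field order is time order."""
    return (csn["time"], csn["usec"], csn["count"], csn["sid"], csn["mod"])


def latest_per_sid(csn_values):
    """Reduce CSN strings to the newest one per server ID, which is the shape
    of a multi-valued contextCSN (one value per SID)."""
    newest = {}
    for raw in csn_values:
        csn = parse_csn(raw)
        current = newest.get(csn["sid"])
        if current is None or csn_key(csn) > csn_key(current):
            newest[csn["sid"]] = csn
    return {sid: c["raw"] for sid, c in sorted(newest.items())}


RID_RE = re.compile(r"\brid=(\d+)\b")
PROVIDER_RE = re.compile(r"\bprovider=(\S+)")


def check_syncrepl_config(ldif_text):
    """Return findings for olcServerID / olcSyncRepl lines.
    Input lines are assumed already unwrapped (no LDIF continuation lines)."""
    findings = []
    server_ids = []   # (id, url-or-None)
    rids = {}         # rid -> provider URL
    for line in ldif_text.splitlines():
        line = line.strip()
        if line.startswith("olcServerID:"):
            parts = line.split(None, 2)
            url = parts[2].strip() if len(parts) > 2 else None
            server_ids.append((int(parts[1]), url))
        elif line.startswith("olcSyncRepl:"):
            rid_m, prov_m = RID_RE.search(line), PROVIDER_RE.search(line)
            if not rid_m or not prov_m:
                findings.append(f"malformed olcSyncRepl: {line[:40]}...")
                continue
            rid, provider = rid_m.group(1), prov_m.group(1)
            if rid in rids:
                findings.append(f"rid={rid} used twice ({rids[rid]} and {provider})")
            rids[rid] = provider
            if provider.startswith("ldap://") and "starttls=critical" not in line:
                findings.append(f"rid={rid}: plain ldap:// provider without starttls=critical")
    if len(server_ids) > 1 and any(url is None for _, url in server_ids):
        findings.append("several olcServerID values but not all carry a URL; "
                        "slapd cannot match its own listener to pick an ID")
    if rids and not server_ids:
        findings.append("olcSyncRepl present but no olcServerID (ID defaults to 0)")
    return findings


# Constructed sample: a mirror-mode pair where every olcServerID carries its URL.
GOOD_CONFIG = """\
olcServerID: 1 ldap://ldap1.example.test:389/
olcServerID: 2 ldap://ldap2.example.test:389/
olcSyncRepl: rid=001 provider=ldap://ldap1.example.test:389 binddn="cn=admin,dc=example,dc=test" bindmethod=simple credentials="PLACEHOLDER" searchbase="dc=example,dc=test" type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical
olcSyncRepl: rid=002 provider=ldap://ldap2.example.test:389 binddn="cn=admin,dc=example,dc=test" bindmethod=simple credentials="PLACEHOLDER" searchbase="dc=example,dc=test" type=refreshAndPersist retry="3 5 5 +" timeout=7 starttls=critical
olcMirrorMode: TRUE
"""

# Constructed sample with a reused rid, a bare olcServerID next to one with a
# URL, and one consumer without StartTLS.
BAD_CONFIG = """\
olcServerID: 1
olcServerID: 2 ldap://ldap2.example.test:389/
olcSyncRepl: rid=002 provider=ldap://ldap1.example.test:389 bindmethod=simple searchbase="dc=example,dc=test" type=refreshAndPersist starttls=critical
olcSyncRepl: rid=002 provider=ldap://ldap2.example.test:389 bindmethod=simple searchbase="dc=example,dc=test" type=refreshAndPersist
olcMirrorMode: TRUE
"""

if __name__ == "__main__":
    print(parse_csn("20110318152128.935227Z#000000#000#000000"))
    for finding in check_syncrepl_config(BAD_CONFIG):
        print("finding:", finding)
```

Feeding the checker the olcServerID lines from cn=config together with the olcSyncRepl lines of the replicated database is enough; it deliberately stays silent on credentials because a simple-bind consumer needs them inline, which is itself a reason to keep the slapd.d tree readable only by the slapd user.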
Re: Installation openLDAP in Debian
by Jose Ildefonso Camargo Tolosa
Resending on-list.
On Wed, Apr 20, 2011 at 1:33 PM, Simone Piccardi <piccardi(a)truelite.it> wrote:
> On 20/04/2011 17:42, Jose Ildefonso Camargo Tolosa wrote:
>>>
>>> Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin
>>> guide.
>>
>> Quanah: actually, documentation is not yet complete for cn=config, I
>> had to actually convert my slapd.conf to cn=config using slaptest in
>> order to find out how to do the same I had on slapd.conf on cn=config.
>>
>> Ildefonso
>
> That's the way I'm using it. And I suggest to anyone not needing to modify
> configurations on the fly to use it that way.
>
> Because apart the missing documentation, I found difficult having to deal
> with the obscure attribute names and the complex directory structure (and
> the not so explicative file names used under it) that I found in
> /etc/ldap/slapd.d/.
Well, I actually got used to cn=config pretty quickly; nevertheless, I
still find it easier to understand and modify the slapd.conf file than
the directory structure under slapd.d... it is definitely more complex
(and I don't think it is easier to modify using an LDAP administration
tool).
The "cn=config" replication suggested on the docs becomes useless when
you need to use TLS, because, AFAIK, we don't have a way of having
different TLS parameters for each replica (and, on a multi-master
setup, you will likely have different servers, with different names,
and thus: different SSL certificate).
>
> I understand the needs for cn=config, but for the moment I don't need it.
> Having a file with a simple syntax that I can read and modify instead of a
> tree of LDIF files is far more convenient for me. So I hope that slapd.conf
> will remain supported.
+1, we shouldn't drop slapd.conf file.
>
> Simone
> --
> Simone Piccardi Truelite Srl
> piccardi(a)truelite.it (email/jabber) Via Monferrato, 6
> Tel. +39-347-1032433 50142 Firenze
> http://www.truelite.it Tel. +39-055-7879597 Fax. +39-055-7333336
>
11 years, 1 month
Re: Installation openLDAP in Debian
by Howard Chu
Olivier Guillard wrote:
>> On a fresh installation that has not yet been configured: ...
>
> Thanks howard, it helps.
>
> For other readers I add this found in the slapadd doc :
>
>> LIMITATIONS
>> Your slapd(8) should not be running when you do this to ensure consistency
>> of the database.
>
> Something I have to test :
>
> What happens if you attempt to add an entry or change an attribute
> that already exists using "slapadd" (I suspect that the old entry is
> replaced).
No, that is not the meaning of "add".
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 1 month
Re: Simple LDAP to LDAP Integration
by Alejandro Imass
On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister <whm(a)stanford.edu> wrote:
>
>
> --On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass
> <ait(a)p2ee.org> wrote:
>
>> Hello,
>>
[...]
> One way to do this is to configure your OpenLDAP server to generate an
> accesslog. Then you read the accesslog looking for any changes and
> apply the changes to your downstream datastore, whatever it is. We do
> this using perl and Net::LDAPapi. I can provide an example if you are
> interested.
>
Hi Bill, thank you *very* much for your prompt reply.
One question (actually two) though before I ask for the trouble of
providing an example.... do you get the clear text passwd on the
accesslog? Is the log in LDIF format? It's not that I really need
clear text, but I need to compute the corresponding password hashes
for MS-AD. Are you guys able to change the password fields as well? Or
are you just copying the hashes from one to the other? How does this
work with the accesslog method?
Again many thanks because I really feel that this could be a practical
KISS way of integrating this.
Thanks!!!
Alex
> Bill
>
> --
>
> Bill MacAllister
> Infrastructure Delivery Group, Stanford University
>
>
11 years, 1 month
Simple LDAP to LDAP Integration
by Alejandro Imass
Hello,
I am seeking a simple integration between OpenLDAP and MS AD. The DIT
structures are completely different but the Posix UIDs are the same.
The integration is very simple because all we need to do is update the
corresponding UID in AD whenever an entry changes in OpenLDAP (i.e.
OpenLDAP is the master here).
I thought it would be easy to use the overlays for this but after
careful examination it is not what we need. All we need for the moment
is to capture the entry write event in OpenLDAP and run an external
subroutine/program/lib that connects to the AD and does the changes
there. We already have the second part developed in Perl, that is, we
have a Perl program that connects to AD and changes whatever we want.
We now need to pass this program the data that have changed in
OpenLDAP. We could turn the Perl program into an LDAP server as well
so we could maybe use the overlays, so in this case, the Perl program
would receive the LDAP, and translate that to AD. The other option is
to use SLAPI and capture the change event and use that to connect to
AD, maybe spawning a daemonized process in Perl in order not to hang
OpenLDAP waiting for AD.
Anyway, it would be great if anyone could give us a hand as to how to
approach this and what the best alternatives are for doing this integration.
We would gladly publish this OpenLDAP to AD integration as OpenSource.
Or if anyone happens to know if this already exists (but it needs to be
flexible because we need to translate from one DIT structure to the
other, with different schemas on each).
Thanks!
Alex
11 years, 1 month
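Added example for the accesslog approach Bill describes in the reply above and for the OpenLDAP-to-AD sync Alex asks about in this message; it is written from scratch here and is not Bill's Perl or anything from the thread. It assumes the documented slapo-accesslog record layout (reqType, reqDN, reqResult, and reqMod values of the form attr:<op> value with the operators + - = #) and reads a constructed LDIF excerpt embedded in the block; the DNs and hash values are placeholders. Only successful operations (reqResult 0) become change records, operational attributes are dropped, and the view handed to a downstream log has password values replaced, because reqMod holds whatever value the original request carried.

```python
import base64

OPS = {"+": "add", "-": "delete", "=": "replace", "#": "increment"}
# slapd-generated attributes that a downstream system never needs to replay.
OPERATIONAL = {"entryCSN", "entryUUID", "modifiersName", "modifyTimestamp",
               "creatorsName", "createTimestamp", "structuralObjectClass"}
SENSITIVE = {"userPassword"}

# Constructed accesslog excerpt (not from the thread): one successful add,
# one successful modify, one failed modify (reqResult 32 = noSuchObject).
SAMPLE_ACCESSLOG = """\
dn: reqStart=20110420163900.000001Z,cn=accesslog
objectClass: auditAdd
reqStart: 20110420163900.000001Z
reqType: add
reqDN: uid=alex,ou=people,dc=example,dc=test
reqResult: 0
reqMod: objectClass:+ inetOrgPerson
reqMod: objectClass:+ posixAccount
reqMod: uid:+ alex
reqMod: uidNumber:+ 10042
reqMod: userPassword:+ {SSHA}constructed-hash-value
reqMod: entryCSN:+ 20110420163900.000001Z#000000#001#000000

dn: reqStart=20110420164500.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20110420164500.000001Z
reqType: modify
reqDN: uid=alex,ou=people,dc=example,dc=test
reqResult: 0
reqMod: mail:= alex@example.test
reqMod: userPassword:= {SSHA}another-constructed-hash
reqMod: entryCSN:= 20110420164500.000001Z#000000#001#000000
reqMod: modifiersName:= cn=admin,dc=example,dc=test

dn: reqStart=20110420164600.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20110420164600.000001Z
reqType: modify
reqDN: uid=nobody,ou=people,dc=example,dc=test
reqResult: 32
reqMod: mail:= nobody@example.test
"""


def parse_ldif(text):
    """Minimal LDIF reader: unwraps continuation lines, decodes '::' base64
    values, returns one {attr: [values]} dict per blank-line-separated entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines:
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def changes_from_accesslog(text):
    """Turn successful add/modify/delete records into change dicts a
    downstream sync job can replay."""
    changes = []
    for entry in parse_ldif(text):
        if entry.get("reqResult", ["0"])[0] != "0":
            continue  # failed operations never changed the directory
        req_type = entry.get("reqType", [None])[0]
        if req_type not in ("add", "modify", "delete"):
            continue
        mods = []
        for mod in entry.get("reqMod", []):
            name, _, rest = mod.partition(":")
            op, value = rest[:1], rest[1:].strip()
            if name in OPERATIONAL:
                continue
            mods.append((name, OPS.get(op, op), value))
        changes.append({"dn": entry["reqDN"][0], "type": req_type,
                        "when": entry["reqStart"][0], "mods": mods})
    return changes


def redacted(change):
    """Copy of a change that is safe to write to a downstream log."""
    return {**change, "mods": [(a, op, "<redacted>" if a in SENSITIVE else v)
                               for a, op, v in change["mods"]]}


if __name__ == "__main__":
    for change in changes_from_accesslog(SAMPLE_ACCESSLOG):
        print(redacted(change))
```

A real poller would search cn=accesslog for reqStart greater than the last value it processed and remember that value between runs; the reqStart ordering is what makes the accesslog usable as a change feed.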
Re: Installation openLDAP in Debian
by Jose Ildefonso Camargo Tolosa
On Wed, Apr 20, 2011 at 10:53 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, April 20, 2011 6:51 PM +0900 "D. R. Paudel"
> <rajme690(a)gmail.com> wrote:
>
>> Hi,
>> I tried to install openLDAP in my Debian 6.0.1 Squeeze but I got a problem
>> as there is no slapd.conf inside the /etc/ldap/ directory. Is there any easy
>> process for installation and configuration for beginners?
>
> Modern OpenLDAP does not use slapd.conf. Please read the OpenLDAP Admin
> guide.
Quanah: actually, documentation is not yet complete for cn=config, I
had to actually convert my slapd.conf to cn=config using slaptest in
order to find out how to do the same I had on slapd.conf on cn=config.
Ildefonso
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
11 years, 1 month
proxy Auth and authzto
by LALOT Dominique
Hello,
I tried some configuration in order to get proxyAuth working. I would like
to know if it's restricted to SASL. We use PLAIN LOGIN over TLS in order to
work with all auth methods, SSO and so on.
Could you confirm?
Thanks
Dom
--
Dominique LALOT
Systems and Network Engineer
http://annuaire.univmed.fr/showuser.php?uid=lalot
11 years, 1 month
"Name forms" with slapo-constraint
by Michael Ströder
Hi!
I tried to use slapo-constraint on entryDN when adding new entries.
Kind of poor man's name forms...
constraint_attribute
entryDN
regex mail=[^,],departmentNumber=[0-9]+,O=MyOrg
restrict="ldap:///O=MyOrg??sub?(objectClass=inetOrgPerson)"
But looking at the trace log it seems this is not evaluated at all; probably
entryDN is not present in the added entry and not yet generated.
Any hints whether that might work?
Ciao, Michael.
11 years, 1 month
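Added example, not part of Michael's post: a Python name-form check that does outside slapd what the constraint above is meant to do, so it can run over LDIF before an add is submitted. The DN splitter honours backslash escapes (an escaped comma inside a mail value is not a separator), attribute types compare case-insensitively, and every pattern is anchored and allows multi-character values. The MyOrg name form and the sample DNs are constructed for this example.

```python
import re


def split_dn(dn):
    """Split a DN into (attribute-type, value) pairs, honouring backslash
    escapes so an escaped comma inside a value is not a separator.
    Multi-valued RDNs joined with '+' are out of scope here."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling backslash in DN")
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.lower(), value))
    return rdns


# Constructed name form: which attribute the RDN must use, a pattern for its
# value, and the exact parent chain. Values are matched anchored at both ends.
NAME_FORM = {
    "rdn_attr": "mail",
    "rdn_value": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "parent": [
        ("departmentnumber", re.compile(r"^[0-9]+$")),
        ("o", re.compile(r"^MyOrg$")),
    ],
}


def check_name_form(dn, form=NAME_FORM):
    """Return (True, '') when dn matches the form, else (False, reason)."""
    try:
        rdns = split_dn(dn)
    except ValueError as exc:
        return False, str(exc)
    attr, value = rdns[0]
    if attr != form["rdn_attr"]:
        return False, f"RDN must use {form['rdn_attr']}, got {attr}"
    if not form["rdn_value"].match(value):
        return False, f"RDN value {value!r} does not match the allowed pattern"
    parent = rdns[1:]
    if len(parent) != len(form["parent"]):
        return False, f"expected {len(form['parent'])} parent components, got {len(parent)}"
    for (got_attr, got_val), (want_attr, pattern) in zip(parent, form["parent"]):
        if got_attr != want_attr:
            return False, f"parent component {want_attr} expected, got {got_attr}"
        if not pattern.match(got_val):
            return False, f"{got_attr}={got_val!r} is not allowed here"
    return True, ""


if __name__ == "__main__":
    for candidate in ("mail=alice@example.org,departmentNumber=42,o=MyOrg",
                      "cn=alice,departmentNumber=42,o=MyOrg",
                      "mail=a\\,b@example.org,departmentNumber=42,o=MyOrg"):
        print(candidate, "->", check_name_form(candidate))
```

The same split-then-match approach is what keeps a DN regex from being fooled by a value that contains a comma: matching the raw DN string with one unanchored expression cannot tell an escaped comma from a separator.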
Data aggregator
by Hugo Monteiro
Hello all,
This post may be a little OT, but I'm sure this subject has bitten some
of you at some time. So, I'm willing to take the chance.
Anyway, feel free to redirect me and this conversation elsewhere.
Background:
There's an LDAP infrastructure set up, which has been fed and maintained
by an in-house management system.
This management system's primary role is NOT to manage LDAP data, but
since it was where the data lived, some extensions were developed to provide
that extra functionality. Years have passed and more and more we depend
on our LDAP service. But we also increasingly need to add
other data to LDAP, which doesn't exist in the still-in-place management
system. Changing the LDAP data model has also become a major headache
since that type of change will also force maintenance to the management
system accordingly.
Objective:
I'm currently delegated to find a modular solution that can aggregate
data from several sources, relational databases, other ldap servers,
flat text files, whatever, and be able to maintain a centrally managed
information database which can then be exported to/served by an LDAP
server. The solution could aggregate data directly into an LDAP
database, or it could maintain its own database that could be later
exported to ldif, or sync to LDAP.
The main purpose here would also be to find something that would
do this, or that could be set up with some minimal changes to perform as
described, WITHOUT being an in-house solution.
Sorry if it felt like I'm daydreaming, but I would love to hear people's
thoughts on this matter.
Best regards,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro(a)fct.unl.pt
Phone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
IT Division
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Phone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio(a)fct.unl.pt
fct.unl.pt:~# _
11 years, 1 month