openldap-technical June 2011

openldap-technical@openldap.org

80 participants
92 discussions

Scaling Syncrepl
by Duncan Idaho 10 Jun '11

10 Jun '11

In my environment I have a need to synchronize from a single master to 125 globally distributed read-only consumers. I've attempted this in two ways and run into problems in either direction. First, I attempted a multi-tier replication strategy where the master would sync to a regional consumer which would in-turn act as a producer for around 20 slaves each. It seems that a server should be able to act as both a producer and a consumer, but in my experience with 2.4.25 this will cause a repeatable segfault within a days time. (test_filter() is passed a NULL filter in syncrepl.c) I think this would probably be the best solution if I could resolve the segfault issue. The other option I've tried is pointing all 125 slaves at a single master. This works if I bring the slaves up gradually, but if they all attempt to connect at once (like after a master restart) the initial sync process seems to monopolize a thread per replica which causes any other searches to fail for a period of greater than 30 seconds. Bumping the threads up to over 125 seems to solve the issue on a test machine but I'm hesitant to do this on the production master which is used heavily for a variety of other purposes. Can anyone offer advice on how I could go about resolving these issues or other methods for successfully replicating to this many slaves? Thanks, Duncan.

2 1

Migrating from RHDS to openldap
by Allgood, John 10 Jun '11

10 Jun '11

Hey Guys We are looking to migrate off our current RHDS environment to openldap. I have searched the internet and have found documentation that migrates to RHDS. RHDS is pretty expensive and we will like to move away from that platform. Has anyone had any experience with doing this type of migration? Any suggestions are welcome. Best Regards John Allgood Sr. Systems Engineer OHL - North American Transportation 2419 West Park Drive SW, Suite 100 Gainesville, GA 30504 Office (800) 532-2239 Ext. 2051 jallgood(a)ohl.com<mailto:jallgood@ohl.com> www.ohl.com<http://www.ohl.com> ______________________________________________________ This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.

2 2

phpldapadmin and openldap
by Juan Diego Calle 09 Jun '11

09 Jun '11

Hi, I have being trying to solve this for more than a month. I installed Openldap, Samba, smbldap-tools, and phpmyadmin in a Red Hat 5.6 server. I have many users created with smbldap-tools. Almost everything works, there are 2 things that I need help with. One is with phpldapadmin. I can log with the user administrator, but can not change anything, this is the error in phpldapadmin Could not perform ldap_modify operation. LDAP said: Insufficient access Error number: 0x32 (LDAP_INSUFFICIENT_ACCESS) Description: You do not have sufficient permissions to perform that operation. This error on the log Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 fd=11 ACCEPT from IP=127.0.0.1:59487 (IP=0.0.0.0:389) Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=0 BIND dn="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" method=128 Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=0 BIND dn="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" mech=SIMPLE ssf=0 Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=0 RESULT tag=97 err=0 text= Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=1 MOD dn="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=1 MOD attr=loginShell Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=1 RESULT tag=103 err=50 text= Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=2 UNBIND Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 fd=11 closed This is my slapd.conf ############################################ # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib64/openldap # Modules available in openldap-servers-overlays RPM package # Module syncprov.la is now statically linked with slapd and there # is no need to load it here # moduleload accesslog.la # moduleload auditlog.la # moduleload denyop.la # moduleload dyngroup.la # moduleload dynlist.la # moduleload lastmod.la # moduleload pcache.la # moduleload ppolicy.la # moduleload refint.la # moduleload retcode.la # moduleload rwm.la # moduleload smbk5pwd.la # moduleload translucent.la # moduleload unique.la # moduleload valsort.la # modules available in openldap-servers-sql RPM package: # moduleload back_sql.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! #access to * # by self write # by users read # by anonymous auth #access to attrs=userpassword # by self =xw # by anonymous auth by anonymous auth #access to * # by self write # by users read #access to attrs=userpassword by self write by anonymous auth by * none #access to * by self write by users read by anonymous read by * none #access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write #access to dn.regex = "ou = personal_addressbook or =(.+),, dc = korrigan, dc = org" #by dn.regex="cn=$1,ou=Users,dc=korrigan,dc=org" write by dn.regex = "cn = $ 1, ou = Users, dc = korrigan, dc = org" write #by dn="cn=admin,dc=korrigan,dc=org" write by dn = "cn = admin, dc = korrigan, dc = org" write #by * none by * none ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=mydomain,dc=com,dc=ec" rootdn "cn=Manager,dc=mydomain,dc=com,dc=ec" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM # Extras para ser servidor master de ldap loglevel 256 (I already posted this once) ##########################################3 When i add this line access to * by self write by users read by anonymous read by * none Users are allowed to change their info. I just want a group of users that can change the info of other users, users that have more privileges . I also tried adding a group called miniadmins, it didnt work. dn: cn=MiniAdmins,ou=People,dc=mydomain,dc=com,dc=ec objectClass: groupOfNames objectClass: top cn: MiniAdmins member: uid=jdc,ou=People,dc=mydomain,dc=com,dc=ec member: uid=user2,ou=People,dc=mydomain,dc=com,dc=ec structuralObjectClass: groupOfNames entryUUID: a3e66d90-19b0-1030-9c61-73ebddf12515 creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec createTimestamp: 20110523174841Z modifyTimestamp: 20110523174841Z entryCSN: 20110523174841Z#000012#00#000000 with the following acl access to * by group/groupOfNames/member="cn=MiniAdmins,ou=People,dc=iess,dc=gob,dc=ec" write Also for the second part I dont know if you are able to do this with openldap: All users are part of dn: cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec. Also this users belong to others groups like city1, city2, city3. In each city there is and admin that has control over that group, example admincity1, admincity2,etc. They can manage users in their respective cities, but they can not change anything on another city. I need help with the slapd.conf, I have a basic understanding, but my logic here is failing. I have found people with similar problems but no answers. Thanks, Juan Diego

2 3

cannot restore db
by Bidwell, Matt 08 Jun '11

08 Jun '11

I'm using both openldap-2.4.24 and db-5.1.25 from source. I was experiencing corrupted entries from the running database. I tried moving the openldap-data folder, created a new one, and tried running slapadd with the -f and -l flags with my conf file and backup ldif. I get back an error that tells me id2entry.bdb can't be opened because it is missing. Isn't slapadd supposed to create id2entry.bdb? The flags I used to configure BDB are --enable-cxx -C, did I miss something? Matt

2 3

retrieving dn via proxy ldap
by Ron Peterson 08 Jun '11

08 Jun '11

Hi, I'm having trouble retrieving the DN, and only the DN, when using the 'ldap' back end to proxy my master directory database. 2656$ ldapsearch -LLL -x -w apass -D "uid=test,ou=admin" -b "ou=test" '(uid=auser)' dn: yDirectoryID=442E65DA-678E-BEB5-3378-56331AEE1AA0,ou=test eduPersonPrimaryAffiliation: staff sn: Peterson ... 2657$ ldapsearch -LLL -x -w apass -D "uid=test,ou=admin" -b "ou=test" '(uid=auser)' 1.1 Why would I not see the DN when asking for just 1.1? TIA -- Ron Peterson Network & Systems Administrator Mount Holyoke College http://www.mtholyoke.edu/~rpeterso

1 1

Setup syncrepl on Redhat Fedora
by Daniel Qian 08 Jun '11

08 Jun '11

Hi, I used to be fine with slapd.conf way but now with slapd.d/ I am kind of lost. From the reading I did so far I have to load the syncprov module but I couldn't find a single document or example how to enable that on Redhat Fedora platform. The following list is all that comes with Redhat distribution: [root@ldaprov1 cn=config]# pwd /etc/openldap/slapd.d/cn=config [root@ldaprov1 cn=config]# ll total 72 drwx------. 2 ldap ldap 4096 Jun 6 02:21 cn=schema -rw-------. 1 ldap ldap 52268 Jun 6 02:21 cn=schema.ldif -rw-------. 1 ldap ldap 572 Jun 6 02:55 olcDatabase={0}config.ldif -rw-------. 1 ldap ldap 1377 Jun 6 02:54 olcDatabase={1}bdb.ldif -rw-------. 1 ldap ldap 525 Jun 6 02:21 olcDatabase={-1}frontend.ldif -rw-------. 1 ldap ldap 556 Jun 6 03:00 olcDatabase={2}monitor.ldif Can anyone point out to me how I can add the module required to do replication on the provider side? I will make a document if I am able to set it up eventually. Thanks, Daniel

8 27

OID orcluser, orcluserv2, orclgroup objectclasses openldap compatability
by Ali Okan YÜKSEL 08 Jun '11

08 Jun '11

oracle identity management has some objectclasses that i need for our openldap directory. (orcluser, orcluserv2, orclgroup) i want to export .schema .ldif files from OID and import them to openldap 2.4? if you have experience about this subject can you guide me? i don't want to use OID anymore but i need these objectclasses for our project, regards, -- http://www.siyahsapka.org

1 0

Schema definitions: from Sun DS to OpenLDAP
by Silvio Verrecchia 07 Jun '11

07 Jun '11

Hello gurus, I'm migrating a Sun DS to Openldap and I've an highly personalized 99user.ldif file with user defined objectclass and attributes (hundreds... :( :( ) Regarding personalized schema definitions, is there a way (script/batch/etc) to convert quickly and easly a Sun DS 99user.ldif file to the standard OpenLDAP schema files ? Any suggestion is highly appreciated ! Thank you very much! Silvano

6 6

How to reply with parent attributes ?
by Aurélien Lafranchise 07 Jun '11

07 Jun '11

Hi all, When I am doing a user search I would like to get an answer with parent attributes. In another way, I would like to get common attribute shared by people from the same group ? Do I have to look in menberOf or in Collective attribute in my schema ? or others ideas ? Thanks ! Aurélien Lafranchise | Consultant Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11 www.snype-consulting.com

2 1

Issue with memberof overlay
by sachin mishra 07 Jun '11

07 Jun '11

Hi all, I am facing problem with "memberof" overlay. I have followed following steps for installation on my CentOS release 5.5: env LIBS=-ldb ./configure --enable-overlays [I also tried with env LIBS=-ldb ./configure --enable-memberof] make depend make make install in my slapd.conf file, I have enable memberof overlay: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/local.schema ... modulepath /usr/local/libexec/openldap moduleload memberof.la ... database bdb suffix "dc=mybrocade,dc=com" rootdn "cn=Manager,dc=xxx,dc=com" rootpw {SSHA}HL8uT5hPaWyIdcP6yAheMT8n0GoWubr3 index objectClass eq overlay memberof When I start slapd (slapd -d -1), it gives these lines in log: line 27 (modulepath /usr/local/libexec/openldap) /usr/local/etc/openldap/slapd.conf: line 27: keyword <modulepath> ignored line 31 (moduleload memberof.la) /usr/local/etc/openldap/slapd.conf: line 31: keyword <moduleload> ignored When I try searching for memberof Attribute, it doesn't return the value: ldapsearch -LL -D cn=Manager,dc=xxx,dc=com -w secret "cn=sachin" -b dc=xxx,dc=com memberOf version: 1 dn: cn=Sachin,cn=Users,dc=xxx,dc=com <there is no entry for memberof> I tried searching for memberof.la but I could not find any instance of it in the system. Am I missing something here? Here is the place, where I have specified the "member" attribute: ldapsearch -LL -D cn=Manager,dc=xxx,dc=com -w ***** "cn=admin" -b dc=xxx,dc=com version: 1 dn: cn=admin,ou=groups,dc=xxx,dc=com objectClass: groupOfNames cn: admin description: Members having admin permission member: cn=sachin,cn=Users,dc=xxx,dc=com Thanks, Sachin

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2011