Scaling Syncrepl
by Duncan Idaho
In my environment I have a need to synchronize from a single master to 125
globally distributed read-only consumers.
I've attempted this in two ways and run into problems in either direction.
First, I attempted a multi-tier replication strategy where the master would
sync to a regional consumer which would in turn act as a producer for around
20 slaves each. It seems that a server should be able to act as both a
producer and a consumer, but in my experience with 2.4.25 this will cause a
repeatable segfault within a day's time. (test_filter() is passed a NULL
filter in syncrepl.c) I think this would probably be the best solution if I
could resolve the segfault issue.
The other option I've tried is pointing all 125 slaves at a single master.
This works if I bring the slaves up gradually, but if they all attempt to
connect at once (like after a master restart) the initial sync process seems
to monopolize a thread per replica which causes any other searches to fail
for a period of greater than 30 seconds. Bumping the threads up to over 125
seems to solve the issue on a test machine but I'm hesitant to do this on
the production master which is used heavily for a variety of other purposes.
Can anyone offer advice on how I could go about resolving these issues or
other methods for successfully replicating to this many slaves?
Thanks,
Duncan.
12 years, 3 months
Migrating from RHDS to openldap
by Allgood, John
Hey Guys
We are looking to migrate off our current RHDS environment to openldap. I have searched the internet and have found documentation that migrates to RHDS. RHDS is pretty expensive and we would like to move away from that platform. Has anyone had any experience with doing this type of migration? Any suggestions are welcome.
Best Regards
John Allgood
Sr. Systems Engineer
OHL - North American Transportation
2419 West Park Drive SW, Suite 100
Gainesville, GA 30504
Office (800) 532-2239 Ext. 2051
jallgood(a)ohl.com
www.ohl.com
phpldapadmin and openldap
by Juan Diego Calle
Hi,
I have been trying to solve this for more than a month. I installed OpenLDAP, Samba, smbldap-tools, and phpmyadmin on a Red Hat 5.6 server. I have many users created with smbldap-tools.
Almost everything works, there are 2 things that I need help with.
One is with phpldapadmin. I can log in with the user Administrator, but cannot change anything. This is the error in phpldapadmin:
Could not perform ldap_modify operation.
LDAP said: Insufficient access
Error number: 0x32 (LDAP_INSUFFICIENT_ACCESS)
Description: You do not have sufficient permissions to perform that operation.
This is the error in the log:
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 fd=11 ACCEPT from IP=127.0.0.1:59487 (IP=0.0.0.0:389)
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=0 BIND dn="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" method=128
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=0 BIND dn="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" mech=SIMPLE ssf=0
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=0 RESULT tag=97 err=0 text=
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=1 MOD dn="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec"
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=1 MOD attr=loginShell
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=1 RESULT tag=103 err=50 text=
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 op=2 UNBIND
Jun 7 17:43:58 pruebas03 slapd[11983]: conn=10 fd=11 closed
This is my slapd.conf:
############################################
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#access to *
# by self write
# by users read
# by anonymous auth
#access to attrs=userpassword
# by self =xw
# by anonymous auth
#access to *
# by self write
# by users read
#access to attrs=userpassword by self write by anonymous auth by * none
#access to * by self write by users read by anonymous read by * none
#access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write
#access to dn.regex = "ou = personal_addressbook or =(.+),, dc = korrigan, dc = org"
#by dn.regex="cn=$1,ou=Users,dc=korrigan,dc=org" write
#by dn="cn=admin,dc=korrigan,dc=org" write
#by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=mydomain,dc=com,dc=ec"
rootdn "cn=Manager,dc=mydomain,dc=com,dc=ec"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
# Extras for acting as an LDAP master server
loglevel 256
(I already posted this once)
##########################################
When I add this line
access to * by self write by users read by anonymous read by * none
users are allowed to change their info. I just want a group of users that can change the info of other users, users that have more privileges.
I also tried adding a group called miniadmins; it didn't work.
dn: cn=MiniAdmins,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: groupOfNames
objectClass: top
cn: MiniAdmins
member: uid=jdc,ou=People,dc=mydomain,dc=com,dc=ec
member: uid=user2,ou=People,dc=mydomain,dc=com,dc=ec
structuralObjectClass: groupOfNames
entryUUID: a3e66d90-19b0-1030-9c61-73ebddf12515
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110523174841Z
modifyTimestamp: 20110523174841Z
entryCSN: 20110523174841Z#000012#00#000000
with the following ACL:
access to *
by group/groupOfNames/member="cn=MiniAdmins,ou=People,dc=iess,dc=gob,dc=ec" write
Also, for the second part I don't know if you are able to do this with OpenLDAP: all users are part of dn: cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec. These users also belong to other groups like city1, city2, city3. In each city there is an admin that has control over that group, for example admincity1, admincity2, etc. They can manage users in their respective cities, but they cannot change anything in another city.
I need help with the slapd.conf, I have a basic understanding, but my logic here is failing.
I have found people with similar problems but no answers.
Thanks,
Juan Diego
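One way to express the policy asked about above, as an added example that is not the poster's configuration: a cn=config LDIF whose olcAccess values are exactly the text that follows the `access` keyword in slapd.conf, so the same clauses drop straight into slapd.conf. It assumes each city's users sit under their own OU (ou=city1,ou=People,...), that the per-city admin groups and cn=MiniAdmins are groupOfNames entries whose member values are full user DNs, and that the database is olcDatabase={1}bdb,cn=config; note that the group DN in a `by group` clause must match the group entry's real DN exactly (the ACL quoted above names dc=iess,dc=gob,dc=ec while the group lives under dc=mydomain,dc=com,dc=ec).

```ldif
# Added example, not the poster's config. Assumed layout: one OU per
# city under ou=People, groupOfNames groups with full-DN members.
# slapd uses the first "to" clause whose target matches and then the
# first matching "by" clause, so specific targets precede the catch-all.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes: owner and MiniAdmins may change them, anyone may
# bind against them, nobody else may read them. Must precede "to *".
olcAccess: {0}to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by group.exact="cn=MiniAdmins,ou=People,dc=mydomain,dc=com,dc=ec" write
  by self write
  by anonymous auth
  by * none
# City 1: only that city's admins (and MiniAdmins) may edit its users.
# admincity1 matches nothing in the city2 rule, so it cannot touch city2.
olcAccess: {1}to dn.subtree="ou=city1,ou=People,dc=mydomain,dc=com,dc=ec"
  by group.exact="cn=admincity1,ou=Group,dc=mydomain,dc=com,dc=ec" write
  by group.exact="cn=MiniAdmins,ou=People,dc=mydomain,dc=com,dc=ec" write
  by self write
  by users read
  by * none
olcAccess: {2}to dn.subtree="ou=city2,ou=People,dc=mydomain,dc=com,dc=ec"
  by group.exact="cn=admincity2,ou=Group,dc=mydomain,dc=com,dc=ec" write
  by group.exact="cn=MiniAdmins,ou=People,dc=mydomain,dc=com,dc=ec" write
  by self write
  by users read
  by * none
# Everything else: MiniAdmins may edit, authenticated users may read,
# anonymous may only bind (auth), nobody may browse anonymously.
olcAccess: {3}to *
  by group.exact="cn=MiniAdmins,ou=People,dc=mydomain,dc=com,dc=ec" write
  by self write
  by users read
  by anonymous auth
  by * none
```

Continuation lines start with two spaces because LDIF folding strips exactly one; in slapd.conf the same clauses are written after `access` with ordinary line continuations.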
cannot restore db
by Bidwell, Matt
I'm using both openldap-2.4.24 and db-5.1.25 from source. I was experiencing
corrupted entries from the running database. I tried moving the openldap-data
folder, created a new one, and tried running slapadd with the -f and -l
flags with my conf file and backup ldif. I get back an error that tells
me id2entry.bdb can't be opened because it is missing. Isn't slapadd supposed
to create id2entry.bdb? The flags I used to configure BDB are --enable-cxx -C,
did I miss something?
Matt
retrieving dn via proxy ldap
by Ron Peterson
Hi,
I'm having trouble retrieving the DN, and only the DN, when using the
'ldap' back end to proxy my master directory database.
2656$ ldapsearch -LLL -x -w apass -D "uid=test,ou=admin" -b "ou=test" '(uid=auser)'
dn: yDirectoryID=442E65DA-678E-BEB5-3378-56331AEE1AA0,ou=test
eduPersonPrimaryAffiliation: staff
sn: Peterson
...
2657$ ldapsearch -LLL -x -w apass -D "uid=test,ou=admin" -b "ou=test" '(uid=auser)' 1.1
Why would I not see the DN when asking for just 1.1?
TIA
--
Ron Peterson
Network & Systems Administrator
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
Setup syncrepl on Redhat Fedora
by Daniel Qian
Hi,
I used to be fine with the slapd.conf way but now with slapd.d/ I am kind of
lost. From the reading I did so far I have to load the syncprov module
but I couldn't find a single document or example of how to enable that on
the Redhat Fedora platform. The following list is all that comes with the
Redhat distribution:
[root@ldaprov1 cn=config]# pwd
/etc/openldap/slapd.d/cn=config
[root@ldaprov1 cn=config]# ll
total 72
drwx------. 2 ldap ldap 4096 Jun 6 02:21 cn=schema
-rw-------. 1 ldap ldap 52268 Jun 6 02:21 cn=schema.ldif
-rw-------. 1 ldap ldap 572 Jun 6 02:55 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap 1377 Jun 6 02:54 olcDatabase={1}bdb.ldif
-rw-------. 1 ldap ldap 525 Jun 6 02:21 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap 556 Jun 6 03:00 olcDatabase={2}monitor.ldif
Can anyone point out to me how I can add the module required to do
replication on the provider side? I will make a document if I am able to
set it up eventually.
Thanks,
Daniel
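For the cn=config provider setup asked about here, and for the regional tier of the multi-tier design in the "Scaling Syncrepl" post above (a server that consumes from the master and provides to its own consumers), an added example that is not from either post: a cn=config LDIF that loads syncprov and makes one database both a provider and a consumer. The module path /usr/lib64/openldap, the database name olcDatabase={1}bdb, the hostnames, the replication DN and the credentials are assumptions or placeholders.

```ldif
# Added example, not from either post. Assumes Fedora's module path
# /usr/lib64/openldap and the database olcDatabase={1}bdb,cn=config.
# Apply with:  ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
# A plain provider (Daniel's case) needs only records 1 and 2.

# 1. Load the syncprov overlay module.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

# 2. Make the database a provider. The checkpoint writes contextCSN
#    every 100 ops or 10 minutes; the session log records recent
#    deletes so a consumer returning with a fresh cookie can skip the
#    full present-phase refresh.
dn: olcOverlay=syncprov,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 200

# 3. Intermediate tier only: make the same database a consumer of the
#    master. The bind DN (placeholder) must have read access on the
#    master; olcUpdateRef refers any writes received here to the master.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://master.example.com
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=PLACEHOLDER_PASSWORD
  type=refreshAndPersist
  retry="60 +"
  starttls=critical
-
add: olcUpdateRef
olcUpdateRef: ldap://master.example.com
```

Downstream consumers then point their own olcSyncrepl at this intermediate instead of the master, and the intermediate's ACLs must grant their replication DN read access.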
Schema definitions: from Sun DS to OpenLDAP
by Silvio Verrecchia
Hello gurus,
I'm migrating a Sun DS to OpenLDAP and I have a highly personalized
99user.ldif file with user-defined objectclasses and attributes
(hundreds... :( :( )
Regarding personalized schema definitions, is there a way
(script/batch/etc.) to quickly and easily convert a Sun DS 99user.ldif
file to the standard OpenLDAP schema files?
Any suggestion is highly appreciated!
Thank you very much!
Silvano
How to reply with parent attributes ?
by Aurélien Lafranchise
Hi all,
When I am doing a user search I would like to get an answer with parent
attributes. In other words, I would like to get common attributes shared by
people from the same group.
Do I have to look at memberOf or at collective attributes in my schema, or
other ideas?
Thanks !
Aurélien Lafranchise | Consultant
Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11
www.snype-consulting.com
Issue with memberof overlay
by sachin mishra
Hi all, I am facing a problem with the "memberof" overlay. I have followed the following
steps for installation on my CentOS release 5.5:
env LIBS=-ldb ./configure --enable-overlays [I also tried with env
LIBS=-ldb ./configure --enable-memberof]
make depend
make
make install
In my slapd.conf file, I have enabled the memberof overlay:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/local.schema
...
modulepath /usr/local/libexec/openldap
moduleload memberof.la
...
database bdb
suffix "dc=mybrocade,dc=com"
rootdn "cn=Manager,dc=xxx,dc=com"
rootpw {SSHA}HL8uT5hPaWyIdcP6yAheMT8n0GoWubr3
index objectClass eq
overlay memberof
When I start slapd (slapd -d -1), it gives these lines in log:
line 27 (modulepath /usr/local/libexec/openldap)
/usr/local/etc/openldap/slapd.conf: line 27: keyword <modulepath> ignored
line 31 (moduleload memberof.la)
/usr/local/etc/openldap/slapd.conf: line 31: keyword <moduleload> ignored
When I try searching for the memberOf attribute, it doesn't return the value:
ldapsearch -LL -D cn=Manager,dc=xxx,dc=com -w secret "cn=sachin" -b
dc=xxx,dc=com memberOf
version: 1
dn: cn=Sachin,cn=Users,dc=xxx,dc=com <there is no entry for
memberof>
I tried searching for memberof.la but I could not find any instance of it in the
system. Am I missing something here?
Here is the place where I have specified the "member" attribute:
ldapsearch -LL -D cn=Manager,dc=xxx,dc=com -w ***** "cn=admin" -b dc=xxx,dc=com
version: 1
dn: cn=admin,ou=groups,dc=xxx,dc=com
objectClass: groupOfNames
cn: admin
description: Members having admin permission
member: cn=sachin,cn=Users,dc=xxx,dc=com
Thanks,
Sachin