Updating Schema in cn=config
by Andy Carlson
I have recently updated the schema (added new attributes) via the cn=config LDAP context. Once I do this, do changes get saved in real-time to the local configuration files or would I have to stop and restart the service to save the settings?
Thanks much,
Andy Carlson
Identity Administrator | Information Systems
312-329-4385
Multi Master OpenLdap.
by arun.sasi1@wipro.com
Hello Team,
I have configured a multi-master mirror mode replica setup in our
environment. We have 3 regional slave LDAP servers which are read-only, and
at two locations we have configured mirror mode replica LDAP. My problem
here is...
The master LDAP hangs sometimes and some IDs are disappearing from
the master server. I couldn't find any logs there about why the IDs are
disappearing or why LDAP goes into a hung state.
Thanks & Regards,
Arun Sasi V
www.wipro.com
schema updates and cn=config
by E.S. Rosenberg
Hi all,
I was wondering about the following thing (after just reading the long
cn=config thread): programs may distribute .schema files only, in
which case, as already pointed out, you should:
1. Request in a friendly manner that they provide an ldif if possible
2. Convert it yourself using slaptest and add it using ldapadd/ldapmodify etc.
The question I had is this: a project may update/change its
schema, and if they ship only .schema files, or .ldif files that assume that
the schema is not loaded yet (i.e. that do the initial add and not
modify operations, which is also what you get from a .schema conversion),
then it would seem to me that you are a bit stuck, because you either:
- have to unload the old schemas (using ldapmodify), which leaves you
with invalid entries in your DIT while their schema is missing,
or
- have to manually figure out what the differences are between the
currently loaded schema and the new version of the schema (diff may be
helpful there) and then manually create an ldif that does all the
necessary modify operations.
So I was wondering if there is any way to generate a "diff-ldif" (for
lack of a better name) automatically to update the schema, based either
on provided ldifs or on provided .schema files (after conversion).
Obviously the other way is to ask the project in a friendly way that
they provide said "diff-ldifs" as well as regular ldifs.
Maybe I am completely wrong, but so far this is what I understood from
all the manuals etc.
Thanks for all your great work,
Eli
Fwd: ldap_sasl_interactive_bind_s: Other (e.g., implementation specific ) error (80)
by Fabien COMBERNOUS
Here is a test. I didn't receive my own mail.
Was this mail received by the list?
-------- Original Message --------
Subject: ldap_sasl_interactive_bind_s: Other (e.g., implementation
specific ) error (80)
Date: Tue, 05 Jul 2011 17:52:54 +0200
From: Fabien COMBERNOUS <fcombernous(a)kezia.com>
To: openldap-technical(a)openldap.org
Hi There,
I have an openldap master (hosted by server) and an openldap replica
(hosted by replica). Authentication uses SASL/GSSAPI with Kerberos.
On the master I get the following output:
server:~ admin$ kinit root
Please enter the password for root(a)SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific )
error (80)
On the replica all looks fine:
replica:~ admin$ kinit root
Please enter the password for root(a)SERVER.LAN:
server:~ admin$ ldapsearch -b cn=mounts,dc=server,dc=lan
SASL/GSSAPI authentication started
SASL username: root(a)SERVER.LAN
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base<cn=mounts,dc=server,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
etc ...
I saw some threads on the mailing list that say to take care of the owner, group
and permissions of the krb5.keytab file and the database. All looks good on
this side.
Any other areas to check?
Regards,
--
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
database monitor
by Friedrich Locke
I have configured the database monitor and set two access rules in its
context. But the log messages below keep annoying me:
/etc/openldap/slapd.conf: line 110: warning: cannot assess the
validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="cn=monitor"
by dn.base="cn=oldap,dc=ufv,dc=br" read
by * none
Backend ACL: access to *
by * none
/etc/openldap/slapd.conf: line 123: warning: cannot assess the
validity of the ACL scope within backend naming context
Backend ACL: access to *
by * none
config_back_db_open: line 0: warning: cannot assess the validity of
the ACL scope within backend naming context
slapd starting
How may I "fix" that? (Although I used the word "fix", I know it is not
an error message.)
Thanks in advance
dumping
by Friedrich Locke
Hi,
I would like to restore data generated by slapcat. I realized some
fields (like userPassword) in the generated ldif file were encoded in
base64.
How should I restore the ldif with slapadd, taking the real value
string for the attribute without redefining the attribute value?
Thanks in advance
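Two questions in this archive have a mechanical answer that a small script shows better than prose: E.S. Rosenberg's request for a "diff-ldif" between a loaded cn=config schema and a newer version of it, and Friedrich Locke's question about the base64-encoded (`::`) values in slapcat output. The Python below is an added example written for this page; it is not OpenLDAP code and was not posted by either author. It assumes the currently loaded schema entry was exported with `slapcat -n 0` and the new version was converted with `slaptest`, so both carry slapd's normalized definition text and can be compared by OID. The `cn={4}example` entry, the OIDs under 1.3.6.1.4.1.99999 and the `uid=alice` entry are constructed sample data.

```python
"""Schema 'diff-ldif' generator plus '::' (base64) handling for slapcat LDIF.
Added example for this thread, not OpenLDAP code. Expects both schema
versions in cn=config form (olcAttributeTypes / olcObjectClasses values)."""
import base64
import re

SCHEMA_ATTRS = ("olcAttributeTypes", "olcObjectClasses")
_ORDER_PREFIX = re.compile(r"^\{\d+\}")      # cn=config's {n} ordering tag
_LINE = re.compile(r"^([^:]+)(::?) ?(.*)$")  # attr, ':' or '::', value


def parse_ldif(text):
    """Parse LDIF content records into [(dn, {attr: [values]}), ...].
    Folded lines are joined; 'attr:: <base64>' values (slapcat's form for
    userPassword) are decoded, so the real value string is what is stored."""
    records = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, entry = None, {}
        for line in block.splitlines():
            m = _LINE.match(line)
            if line.startswith("#") or not m:
                continue
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if attr.lower() == "dn":
                dn = value
            else:
                entry.setdefault(attr, []).append(value)
        if dn is not None:
            records.append((dn, entry))
    return records


def schema_index(entry):
    # Map each schema attribute to {oid: whitespace-normalized definition}.
    index = {}
    for attr in SCHEMA_ATTRS:
        index[attr] = {}
        for raw in entry.get(attr, []):
            definition = " ".join(_ORDER_PREFIX.sub("", raw).split())
            m = re.match(r"\(\s*(\S+)", definition)  # first token is the OID
            if m:
                index[attr][m.group(1)] = definition
    return index


def schema_diff_ops(old_ldif, new_ldif):
    """Return (dn, [(op, attr, definition), ...]) that turns old into new.
    Elements are matched by OID; a changed definition becomes a delete of the
    old text plus an add of the new. Deletes run object classes first (they
    may reference attribute types); adds run attribute types first."""
    old_dn, old_entry = parse_ldif(old_ldif)[0]
    _, new_entry = parse_ldif(new_ldif)[0]
    old, new = schema_index(old_entry), schema_index(new_entry)
    ops = []
    for attr in reversed(SCHEMA_ATTRS):
        for oid, definition in old[attr].items():
            if new[attr].get(oid) != definition:
                ops.append(("delete", attr, definition))
    for attr in SCHEMA_ATTRS:
        for oid, definition in new[attr].items():
            if old[attr].get(oid) != definition:
                ops.append(("add", attr, definition))
    return old_dn, ops


def schema_diff_ldif(old_ldif, new_ldif):
    """Render the ops as one ldapmodify change record ('' if nothing changed)."""
    dn, ops = schema_diff_ops(old_ldif, new_ldif)
    if not ops:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, definition in ops:
        lines += [f"{op}: {attr}", f"{attr}: {definition}", "-"]
    return "\n".join(lines) + "\n"


# Constructed samples; OIDs under 1.3.6.1.4.1.99999 are placeholders.
# OLD_SCHEMA: the loaded entry as `slapcat -n 0` prints it, with {n} tags.
OLD_SCHEMA = """\
dn: cn={4}example,cn=schema,cn=config
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'exampleRole' DESC 'old'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top
  AUXILIARY MAY exampleRole )
"""
# NEW_SCHEMA: the project's updated schema after slaptest conversion.
NEW_SCHEMA = """\
dn: cn=example,cn=schema,cn=config
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleRole' DESC 'new'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleSite'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top
  AUXILIARY MAY ( exampleRole $ exampleSite ) )
"""
# SLAPCAT_ENTRY: slapcat-style entry; '::' marks a base64-encoded value.
SLAPCAT_ENTRY = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9YWJj
"""

if __name__ == "__main__":
    print(schema_diff_ldif(OLD_SCHEMA, NEW_SCHEMA))
    print("decoded:", parse_ldif(SLAPCAT_ENTRY)[0][1]["userPassword"])
```

The rendered change record is what you would feed to `ldapmodify -Y EXTERNAL -H ldapi:///` (or whatever bind you use for cn=config). Read it before applying it: slapd refuses to delete a definition that another loaded element still references and, depending on the release, may not allow deleting schema values at all, so the delete operations are the part most likely to need hand adjustment. On the slapcat side, a `::` value is only LDIF's base64 encoding; slapadd decodes it itself, so the dump restores the original userPassword value without any editing.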
deleting tree
by Friedrich Locke
I am trying to delete a complete tree, but I get these error messages:
ldap_delete: Other (e.g., implementation specific) error (80)
ldap_prune: Other (e.g., implementation specific) error (80)
ldap_delete: Operation not allowed on non-leaf (66) additional info:
subordinate objects must be deleted first
But when I remove the following line from /etc/openldap/slapd.conf:
index cn,uid eq
I can delete perfectly.
Does anybody know why?
slapd "vs." db_archive
by Peter Palmreuther
Hello,
I tried to use 'db_archive' to figure out which of the many log.* files that have already accumulated I can safely remove.
Unluckily it didn't print any name, although there are 170 files and according to 'fuser log.*' only the last one is
held open by a process (the slapd one).
After restarting slapd, db_archive prints 169 file names, to be precise all but the last.
So it seems slapd keeps the BDB environment in a state in which it does not release the logs for archival and removal.
I assume it's me that has to configure slapd or the BDB environment appropriately, but unluckily I don't know which
setting would have the desired effect.
Any help on this? I tried to find something in the Admin Guide and man pages, but I must have missed it.
I only saw auto-remove settings, which is not what I was after ... I want to remove the files myself, after keeping a backup for recovery.
I'm using OpenLDAP 2.4.20 compiled against Berkeley 4.7.
Thanks for any help,
and regards,
Peter