I'm trying to set up replication with OpenLDAP on SL:RHEL 6.1. OpenLDAP is
by default configured with cn=config, but the replication documentation is
still in the old slapd.conf format.
Can anyone point me to how to get this up and running with cn=config?
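As an added example (not from the thread or the OpenLDAP docs), the two cn=config LDIFs that correspond to the slapd.conf syncrepl setup. Assumptions: the replicated suffix is dc=example,dc=com and lives in olcDatabase={2}bdb,cn=config on both hosts (check with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=* olcSuffix), the provider is provider.example.com, the modules live in /usr/lib64/openldap, and a read-only replication account cn=replicator,dc=example,dc=com already exists.

```ldif
# Added example. Apply each file with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
# LDIF folds long values on lines that begin with a space; the first space
# is stripped when the lines are joined, so continuation lines below start
# with TWO spaces to keep the keyword separator.

# ---- provider side: load syncprov and attach it to the suffix database ----
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: syncprov.la

dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# write a contextCSN checkpoint every 100 ops or 10 minutes
olcSpCheckpoint: 100 10
# keep a session log so consumers that fall behind can catch up by delta
olcSpSessionLog: 100

# ---- consumer side: pull from the provider, refer writes back to it ----
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://provider.example.com
  bindmethod=simple binddn="cn=replicator,dc=example,dc=com"
  credentials=REPLICATOR_PASSWORD_PLACEHOLDER
  searchbase="dc=example,dc=com" type=refreshAndPersist
  retry="60 10 300 +" timeout=1
-
add: olcUpdateRef
olcUpdateRef: ldap://provider.example.com
```

The replicator account only needs read access to the suffix; once the provider has a certificate, add starttls=critical tls_reqcert=demand to the olcSyncrepl value so the credentials and the replicated data (including userPassword) do not cross the network in clear.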
I've currently been tasked with migrating the contents of a contained
ldap environment running openldap-2.1 to a new development server
running sles11 with openldap-2.3.37. I've begun to populate the new
environment, but have hit an "Invalid DN syntax" error that I'm not
quite sure how to get around yet. I'm new to ldap from a server point
of view, so I'm learning as I chug through this.
This piece is what's in the existing 2.1:
dn: group-name=EDI Technician,ou=group,ou=edi,dc=coat,dc=com
group-name: EDI Technician
roles: EDI Technician
And when I go to add:
ldapadd -x -W -D "cn=edi_admin,ou=edi,dc=coat,dc=com" -f ./edi-tech_roles.ldif
Enter LDAP Password:
adding new entry "group-name=EDI Technician,ou=group,ou=edi,dc=coat,dc=com"
ldap_add: Invalid DN syntax (34)
additional info: invalid DN
Is it the "group-name" that's no longer valid syntax? If so, is there
Any help is appreciated!
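slapd validates every DN against its loaded schema, so an RDN whose attribute type (here group-name) is not defined anywhere is rejected as "invalid DN" before the entry itself is checked. As an added example (not from the thread), a cn=config schema entry that defines the attributes and an object class for these role groups; the OID arc 1.3.6.1.4.1.99999 and the class name ediRoleGroup are placeholders, and the old 2.1 schema should be copied instead if it can still be found.

```ldif
# Added example: define the custom attributes used in the EDI role entries.
# Load with: ldapadd -Y EXTERNAL -H ldapi:/// -f edi-schema.ldif
# Continuation lines start with two spaces (LDIF strips one on folding).
dn: cn=edi,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: edi
# 1.3.6.1.4.1.99999 is a PLACEHOLDER arc; use your own registered PEN.
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'group-name'
  DESC 'Name of an EDI role group'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'roles'
  DESC 'Roles granted by this group'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'ediRoleGroup'
  DESC 'EDI role group (placeholder class name)'
  SUP top STRUCTURAL
  MUST group-name
  MAY roles )
```

With slapd.conf instead of cn=config, the same three definitions go into a schema file as attributetype ( ... ) and objectclass ( ... ) lines included from slapd.conf; the entry being added then also needs objectClass: ediRoleGroup or it fails the object class check next.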
by Nishant Goli -X (ngoli - Exobase Corporation at Cisco)
I have set up Open LDAP with Oracle as backend DB using back sql.
Everything was running fine until recently. LDAP started going down
frequently with the following line in the log.
slapd: entry-id.c:867: backsql_get_attr_vals: Assertion `j < oldcount +
count' failed and then the process goes down.
Any help in troubleshooting this issue is greatly appreciated.
Is it possible to synchronize the same ppolicy across different
suffixes on the same server? I would have thought referrals would take
care of this, and they do to an extent, but when the suffix that doesn't
actually contain the policy entry gets a lockout request from failed
attempts, pwdAccountLockedTime gets recorded on the same suffix from
where it was originating, not the one being referenced.
In the manual it states that ppolicy_forward_updates should take care
of this, but it requires updateref and the chain overlay (which must be
set up under back_ldap) in order to work. The problem is when I set up
back_ldap and point its database to the original policy entry, it
complains that a previous database declaration has already claimed it,
which is true because I have the database containing that policy
entry on the same machine.
Is there a way to do this or am I going about this wrong?
My primary goal with an openldap directory is to store information
to manage people's authentication and authorisation to resources on
my local network. But I also feel this directory to be a cool opportunity
to maintain a registry that would include administrative information such
as telephone numbers.
Here is the DIT structure that I plan to deploy to do that.
If anyone has a comment or advice I would be grateful!
| STAFF=organizationalUnit |
_____| | | | | | | | | -> [ one entry per employee ]
| John Doe=inetOrgPerson | -> [administrative data such as tel number]
| doe=posixAccount | -> [ uid, password and so on ]
Staff is a branch of people :
# Entry 1: ou=staff,ou=people,dc=example,dc=fr
that contains as many inetOrgPerson as I have people
in staff (here are recorded administrative data such as
telephone number and so on) :
# Entry 12: uid=doe,ou=staff,ou=people,dc=example,dc=fr
cn: john doe
Each "inetOrgPerson" may also have a "posixAccount" child
that record information usable to access resources :
cn: john doe
I upgraded and updated four of our OpenLDAP servers that we have back in
May to run the latest stable version of OpenLDAP (2.4.23) along with BDB
(4.8.30). Everything was running with no issues until a little over a
month later one of the servers' slapd processes hung; the only way I
could restart the process was to use kill -9, all other kill options
failed. Over the next month and a half the issue reoccurred on the same
server and occurred on two of the other servers. There was nothing in
the logs to indicate an issue with running out of file descriptors, dead
locks or anything else. I set out to see if I could recreate the issue
and I found if I had around 20000 entries, which our database is roughly
around 21000, and ran a script to randomly query, one a time, the
entries in the database and then run another script that added 1000
entries, one at a time, then deleted them in reverse order, one at a
time, and will continue to do so infinitely. When I ran the two scripts
simultaneously they would hang after 3 to 16 deletes were completed. I
attempted to use the latest version of OpenLDAP (2.4.26) to see if any
of the bug fixes in it would help and I still get the same results, I
even tried to run it with all of the supported versions of BDB, 4.4,
4.5, 4.6, 4.7, 5.0 and 5.1 with the same results. I ran it with full
logging on and I was not able to find anything that pointed to the problem.
We have been running OpenLDAP 2.2 and 2.3 for years (many servers
without any restarting of slapd for over a year) without any lockups, so
I decided to test with OpenLDAP 2.3.43 with BDB 4.2.52 (with patches)
and loaded the same exact database and the same exact tests and it runs
literally for hours with no issues. I attempted to upgrade the version
of BDB to 4.4 and I started to experience the hanging again, so it
appears to be a BDB issue. I searched for related issues with no
success and considering that others are running 2.4 with newer versions
of BDB for a couple of years now I find it odd that I am running into
this issue on my first use of 2.4.
I tested all of this on CentOS 5.4, 5.6 and Fedora 17 with the same
results. Does anyone have any ideas or suggestions on what I can try to
do to fix this issue?
Below are some of the configs I am using on my last attempts to resolve
set_cachesize 0 536870912 1
# This one I added recently to see if it might help.
checkpoint 5120 30
# Indices to maintain
index default pres,eq
index sn pres,eq,sub
index objectClass eq
index uidNumber eq
index gidNumber eq
index memberUid eq
# database access control definitions
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=Admin,dc=example,dc=net" write
        by * none
access to *
        by self write
        by dn="cn=Admin,dc=example,dc=net" write
        by * read
I can send out the LDIF I am using and the perl scripts that I run to
break it for anyone who is interested.
Whidbey Telecom Internet and Broadband
We have a problem with our authentication architecture.
Here is our situation:
We are using two parts for user authentication, both of which are openldap.
One is the password OpenLDAP service on a remote server.
One is the groups information OpenLDAP service, which also holds the user's permission
info, on the local server.
In fact we could not get the user password in our local Openldap; password
information is stored in the remote openldap, which could not get our local group.
Do you have any idea how to make our local OpenLDAP use the remote OpenLDAP to
verify the password while the local OpenLDAP supplies the groups information?
With the command "ldapadd -f ", what is the max size of file that ldapadd can handle? Is there any command with which multiple records can be inserted efficiently other than the ldapadd command?
I would like my LDAP users to change their password at their
first login.
But when I am adding the pwdReset attribute to the ppolicy.schema file it's throwing me
an error and the ppolicy schema file is not getting loaded.