Migrating to new production servers via syncrepl
by samuli.seppanen@gmail.com
Hi,
I'm phasing out two OpenLDAP production servers[1] in a master-master
configuration. The production servers can't afford more than a few mins
of downtime, so migrating using slapcat/slapadd is out of the question.
So, what I'm ending up doing is migrating using syncrepl. Here's the
plan, with arrows pointing from the provider to the consumer:
old1 <-> old2 -> new1 -> new2
Once the replicas on "new1" and "new2" are complete, I plan to
1) Direct all LDAP reads to "new1"
2) Direct all LDAP writes to "new1" (=make it briefly the only active
LDAP server)
3) Change the replication config on "new1" so that it fetches changes
from "new2" instead of "old2"
4) Restart slapd on new1 (it uses slapd.conf) to activate the change
5) Start offloading LDAP reads/writes to "new2" (e.g. using a loadbalancer)
A couple of questions:
- Does this plan make sense in general?
- Which caveats should I be aware of?
- How can I ensure the replicas are complete and in the same state[1]?
- Does switching the replication provider for "new1" from "old2" to
"new2" cause any side-effects?
Also, when is full reload of the replica[2] required/suggested? I've
managed to end up with incomplete replicas on "old2" a couple of times
even if I've wiped /var/lib/ldap and started replication from scratch.
Any suggestions or pointers are most welcome! Also let me know if you
need more info (configs, etc) and I'll provide it.
Best regards,
Samuli Seppänen
---
[1] I've used these command so far:
$ cd /var/lib/ldap
$ db_stat -d <database-file>
If the numbers (data items etc) match, can I be sure the replicas are
identical?
I've also checked the contextCSN using something like this:
$ ldapsearch -H ldap://old2:389 -D "cn=admin,dc=domain,dc=com" -x -W -v -s base -b "dc=domain,dc=com"
$ ldapsearch -H ldap://new1:389 -D "cn=admin,dc=domain,dc=com" -x -W -v -s base -b "dc=domain,dc=com"
$ ldapsearch -H ldap://new2:389 -D "cn=admin,dc=domain,dc=com" -x -W -v -s base -b "dc=domain,dc=com"
The output seems to be identical for "old2" and "new1", but "new2"
differs, even though the database seems identical if checked with
db_stat. I assume this is normal given the replication chaining (see above).
[2] Starting slapd with the "-c rid=<rid>" switch should do this, correct?
9 years, 11 months
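Matching db_stat counts only show that the two databases hold about the same number of records; they say nothing about whether the same changes have arrived. What syncrepl itself compares is the contextCSN on the suffix entry, and in a multi-master setup there is one contextCSN value per serverID (SID), so two replicas are in the same state when every SID's CSN matches. Note that contextCSN is an operational attribute, so the ldapsearch commands above only return it if `contextCSN` (or `+`) is added to the attribute list. The script below is an added example, not part of the original post or of OpenLDAP: it parses saved ldapsearch output from each server and reports, per SID, which replica is current, behind, or has never seen that SID at all. The server names and CSN values in it are constructed for illustration.

```python
"""Compare contextCSN values across OpenLDAP syncrepl replicas.

Added example. Feed it the output of
  ldapsearch -LLL -x -s base -b "dc=domain,dc=com" contextCSN
captured from each server. In multi-master replication the suffix
entry carries one contextCSN per serverID (SID); replicas are in sync
when every SID's CSN is identical on all of them.
"""
import re
from dataclasses import dataclass

# OpenLDAP 2.4 CSN layout: <GMT time>.<microseconds>Z#<count>#<sid>#<mod>
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$"
)


@dataclass(frozen=True, order=True)
class CSN:
    """Field order matters: dataclass ordering compares time, then usec, then count."""
    time: str   # YYYYmmddHHMMSS, fixed width, so lexical order is chronological
    usec: int
    count: int
    sid: int
    mod: int

    @classmethod
    def parse(cls, text):
        m = CSN_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a CSN: {text!r}")
        t, usec, count, sid, mod = m.groups()
        return cls(t, int(usec), int(count, 16), int(sid, 16), int(mod, 16))


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_context_csns(ldif_text):
    """Return {sid: CSN} from the contextCSN attributes in one server's output."""
    result = {}
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("contextcsn:"):
            csn = CSN.parse(line.split(":", 1)[1])
            result[csn.sid] = csn
    return result


def compare_replicas(outputs):
    """outputs: {server_name: ldapsearch output}. Returns {sid: {server: status}}.

    'ok'      the server holds the newest CSN seen for that SID
    'behind'  the server holds an older CSN for that SID
    'missing' the server has no CSN for that SID (never received its changes)
    """
    per_server = {name: parse_context_csns(out) for name, out in outputs.items()}
    all_sids = set().union(*(csns.keys() for csns in per_server.values()))
    report = {}
    for sid in sorted(all_sids):
        newest = max(c[sid] for c in per_server.values() if sid in c)
        report[sid] = {}
        for name, csns in per_server.items():
            if sid not in csns:
                report[sid][name] = "missing"
            elif csns[sid] < newest:
                report[sid][name] = "behind"
            else:
                report[sid][name] = "ok"
    return report


def in_sync(outputs):
    """True only when every replica holds the newest CSN for every SID."""
    return all(s == "ok" for sids in compare_replicas(outputs).values() for s in sids.values())


# Constructed sample outputs (not captured from the servers in the post).
# new2 is one hour behind on SID 2, and its last line is LDIF-folded.
SAMPLE_OUTPUTS = {
    "old2": ("dn: dc=domain,dc=com\n"
             "contextCSN: 20131003120000.123456Z#000000#001#000000\n"
             "contextCSN: 20131003115959.000000Z#000000#002#000000\n"),
    "new1": ("dn: dc=domain,dc=com\n"
             "contextCSN: 20131003120000.123456Z#000000#001#000000\n"
             "contextCSN: 20131003115959.000000Z#000000#002#000000\n"),
    "new2": ("dn: dc=domain,dc=com\n"
             "contextCSN: 20131003120000.123456Z#000000#001#000000\n"
             "contextCSN: 20131003115900.000000Z#000000#002#0000\n 00\n"),
}

if __name__ == "__main__":
    for sid, servers in compare_replicas(SAMPLE_OUTPUTS).items():
        print(f"SID {sid:03x}: " + ", ".join(f"{n}={s}" for n, s in servers.items()))
    print("in sync:", in_sync(SAMPLE_OUTPUTS))
```

Run it once before each cut-over step and only proceed when every SID reports "ok" on the server about to take writes; a "missing" SID on a fresh consumer means it has not yet caught up on that provider's history, which is exactly the case a record count cannot reveal.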
Q: restrict access using "peername"
by Ulrich Windl
Hi!
Can anybody present an example that uses "peername" with a hostname (not an IP address) to restrict access? I once tried and locked out clients I did not want to lock out. It seemed that the name match failed...
slapd.access(5) seems to lack an example.
Regards,
Ulrich
Openldap server with TLS not working
by Axel Grosse
Hi
I am new to OpenLDAP and have to configure an LDAP proxy in one project.
Thanks to the mailing lists I managed to set up and configure the LDAP proxy and get it working on 389.
One of the next requirements is to secure the outside connection with SSL.
So I have to configure LDAP over SSL ..
I am using openldap 2.3.43-12.el5 on Redhat EL 5.5 (Tikanga)
I created the certificates with openssl 0.9.8e-12.el5_4.6 and configured the slapd.conf
part of slapd.conf
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt
TLSCertificateFile /etc/openldap/ssl/VordelDevInt.crt
TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key
TLSCipherSuite HIGH:MEDIUM:!SSLv2
TLSVerifyClient never
...
######
server got up on 636
but when I try to connect I get SSL handshake error ...
when I test on the server itself ..
openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt
CONNECTED(00000003)
710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
I got this one ...
any idea what's my problem?
regards Axel
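An ldaps:// listener (the one that came up on 636) expects a TLS record as the very first bytes on the connection, while a plain ldap:// listener on 389 expects a BER-encoded LDAPMessage; the only way to get TLS on 389 is StartTLS, which the `openssl s_client` command shown does not negotiate, so it sends a TLS ClientHello to a port that is waiting for LDAP and the handshake fails before any LDAP is spoken. The classifier below is an added example, not code from the post or from OpenLDAP: it decodes the first bytes of a connection and tells a TLS ClientHello from an LDAPMessage, the same distinction a listener makes when it rejects the wrong protocol. The byte strings are constructed for illustration.

```python
"""Tell a TLS ClientHello from a plaintext LDAP message by its first bytes.

Added example. Useful on a packet capture or a proxied connection when a
client reports "ssl handshake failure": if the client's first bytes start
with a TLS record header and the port speaks plain LDAP (or vice versa),
the problem is the port or URL scheme, not the certificates.
"""

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
BER_SEQUENCE = 0x30    # every LDAPMessage is a BER SEQUENCE
BER_INTEGER = 0x02     # the first element of an LDAPMessage is messageID


def ber_length(buf, pos):
    """Decode a BER definite length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:                   # indefinite form is not used by LDAP
        raise ValueError("unsupported BER length form")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_first_bytes(data):
    """Describe what protocol the first bytes on the wire look like."""
    if len(data) < 5:
        return {"kind": "unknown", "reason": "too short"}
    # TLS record header: type(1) version(2) length(2); handshake type follows.
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return {
            "kind": "tls",
            "record_version": (data[1], data[2]),
            "record_length": int.from_bytes(data[3:5], "big"),
            "client_hello": len(data) > 5 and data[5] == 0x01,
        }
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...}, ... }
    if data[0] == BER_SEQUENCE:
        try:
            msg_len, pos = ber_length(data, 1)
            if data[pos] != BER_INTEGER:
                raise ValueError("messageID must be an INTEGER")
            id_len, pos = ber_length(data, pos + 1)
            msg_id = int.from_bytes(data[pos:pos + id_len], "big")
            op_tag = data[pos + id_len]   # e.g. 0x60 BindRequest, 0x63 SearchRequest
            return {"kind": "ldap", "message_length": msg_len,
                    "message_id": msg_id, "op_tag": op_tag}
        except (ValueError, IndexError):
            return {"kind": "unknown", "reason": "SEQUENCE but not an LDAPMessage"}
    return {"kind": "unknown", "reason": "neither TLS record nor BER SEQUENCE"}


# Constructed samples. An anonymous LDAPv3 simple BindRequest, messageID 1:
#   SEQUENCE(12) { INTEGER 1, [APPLICATION 0](7) { INTEGER 3, OCTET STRING "", [0] "" } }
SAMPLE_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# The first bytes of a TLS 1.0 record carrying a ClientHello (length 0xa5).
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100a501000001a10303") + b"\x00" * 8

if __name__ == "__main__":
    print("to port 389, looks like:", classify_first_bytes(SAMPLE_BIND_REQUEST))
    print("to port 389, looks like:", classify_first_bytes(SAMPLE_CLIENT_HELLO))
```

Read the two results together: the bind request is what a plaintext listener on 389 wants to see, and the ClientHello is what `openssl s_client -connect host:636` sends. Point the TLS test at 636 (or use an LDAP client with StartTLS against 389) and the certificate settings in slapd.conf are what gets exercised.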
Log level will not change.
by espeake@oreillyauto.com
Here is the contents of configlog.ldif
dn: cn=config
changetype: modify
delete: olcLogLevel
-
add: olcLogLevel
olcLogLevel: 0
I run the following command:
ldapmodify -Wx -D "uid=admin,dc=oreillyauto,dc=com" -H ldap://tntest-ldap-1.oreillyauto.com -c -f /tmp/configlog.ldif
the output shows:
Enter LDAP Password:
modifying entry "cn=config"
Except the loglevel in cn=config does not change. The modifyTimeStamp and
entryCSN change to match the server. I have a 3 node MMR cluster on
2.4.31. I am working on a build to go to 2.4.36, but in the mean time I
need to get this working.
Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
Unknown db in slapd.conf
by espeake@oreillyauto.com
I have a brand new Ubuntu-12.04 server with a brand new build of openldap
2.4.36 on it and I am trying to set it up for MMR with mdb. I get the
following error when I try slapadd my config.
524c62f1 line 61 (databse mdb)
524c62f1 /usr/local/etc/openldap/slapd.conf: line 61: <database> failed
init (mdb)!
Now when I look at man slapd.conf, these are the database types that are
shown for use. There is nothing there showing mdb, but I know that it is a
viable selection.
database <databasetype>
Mark the beginning of a new database instance definition.
<databasetype> should be one of bdb, config, dnssrv, hdb, ldap, ldif,
meta, monitor, null, passwd, perl, relay, shell, or sql, depending on which
backend will serve the database.
in my slapd.conf file I have the following setup (just partially listing
here):
# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload back_mdb.la
moduleload back_ldap.la
############################################################################
database mdb
I have checked and double checked to be sure
that /usr/local/libexec/openldap/back_mdb.la exists.
What simple thing am I missing?
Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
openldap-2.3.43 ignore limits in slapd.conf
by Axel Grosse
Hi
I try to change the default search limits in an openldap-2.3.43 server.
I am using this entries in the slapd.conf
general section
#change to unlimited results
sizelimit size.soft=10000 size.hard=10000
timelimit unlimited
Database section
limits * size.soft=10000 size.hard=10000 size.pr=10000 size.prtotal=10000
but on a search I am always limited to 500
ldapsearch -H ldap://192.168.30.169 -x -D "cn=admin,o=TI" -W -b "ou=CustomerGroups,ou=GROUPS,o=TI" -s sub -a always -z 10000 "(objectClass=*)" "hasSubordinates" "objectClass" ldapentrycount
# search result
search: 2
result: 4 Size limit exceeded
# numResponses: 501
# numEntries: 500
is that a known bug? ...
AXEL GROSSE
Principal Solution Architect, Sales Solution Center, Axway
P: +61-405-995-768
828 Pacific Highway
Gordon, 2072 NSW
agrosse@axway.com
http://www.axway.com
Re: Attributes rewriting
by Dimitri Osler
I also have the same problem, can anybody help?
> Hello, List
>
> I've been trying to find a working example to understand how slapo-rwm, slapd-meta and slapd-relay work for the last 3 days with no success.
>
> I just need to substitute one attribute by another for a single LDAP user.
> Lets say I have a posixAccount Object with cn = user1 as shown below.
> dn: uid=user1,ou=People,dc=localnet
> uid: user1
> cn: user1
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> .....
>
> Also I have two LDAP users (organizationalRole): admin, simpleuser.
> I want to configure openldap in a way which allows "simpleuser" to make queries using "(description=user1)" instead of ("cn=user1") to find previously mentioned user object.
> The only thing I was able to configure is the suffixmassage, but can't find a way how to add rwm-map to my configuration.
>
> Could somebody point me to the working example.