openldap-technical October 2013

openldap-technical@openldap.org

63 participants
67 discussions

Migrating to new production servers via syncrepl
by samuli.seppanen＠gmail.com 07 Oct '13

07 Oct '13

Hi, I'm phasing out two OpenLDAP production servers[1] in a master-master configuration. The production servers can't afford more than a few mins of downtime, so migrating using slapcat/slapadd is out of the question. So, what I'm ending up doing is migrating using syncrepl. Here's the plan, with arrows pointing from the provider to the consumer: old1 <-> old2 -> new1 -> new2 Once the replicas on "new1" and "new2" are complete, I plan to 1) Direct all LDAP reads to "new1" 2) Direct all LDAP writes to "new1" (=make it briefly the only active LDAP server) 3) Change the replication config on "new1" so that it fetches changes from "new2" instead of "old2" 4) Restart slapd on new1 (it uses slapd.conf) to activate the change 4) Start offloading LDAP reads/writes to "new2" (e.g. using a loadbalancer) A couple of questions: . Does this plan makes sense in general? - Which caveats I should be aware of? - How can I ensure the replicas are complete and in the same state[1]? - Does switching the replication provider for "new1" from "old2" to "new2" cause any side-effects? Also, when is full reload of the replica[2] required/suggested? I've managed to end up with incomplete replicas on "old2" a couple of times even if I've wiped /var/lib/ldap and started replication from scratch. Any suggestions or pointers are most welcome! Also let me know if you need more info (configs, etc) and I'll provide it. Best regards, Samuli Seppänen --- [1] I've used these command so far: $ cd /var/lib/ldap $ db_stat -d <database-file> If the numbers (data items etc) match, can I be sure the replicas are identical? I've also checked the contextCSN on the using something like this: $ ldapsearch -H ldap://old2:389 -D "cn=admin,dc=domain,dc=com" -x -W -v -s base -b "dc=domain,dc=com" $ ldapsearch -H ldap://new1:389 -D "cn=admin,dc=domain,dc=com" -x -W -v -s base -b "dc=domain,dc=com" $ ldapsearch -H ldap://new2:389 -D "cn=admin,dc=domain,dc=com" -x -W -v -s base -b "dc=domain,dc=com" The output seems to be identical for "old2" and "new1", but "new2" differs, even though the database seems identical if checked with db_stat. I assume this is normal given the replication chaining (see above). [2] Starting slapd with the "-c rid=<rid>" switch should do this, correct?

4 5

Q: restrict access using "peername"
by Ulrich Windl 04 Oct '13

04 Oct '13

Hi! Can anybody present an example that uses "peername" with a hostname (not an IP address) to restrict access? I once tried and locked out clients I did not want to lock out. It seemed that the name match failed... slapd.access(5) seems to lack an example. Regards, Ulrich

2 1

Openldap server with TLS not working
by Axel Grosse 04 Oct '13

04 Oct '13

Hi I am new to OpenLDAP and have to configure and LDAP Proxy in one project. Thanks to the mailing lists I managed to setup and configure the Ldap Proxy an get it working one 389 . One of the next requirenents is to secure the outside connection with SSL. So I have to configure LDAP over SSL .. I am using openldap 2.3.43-12.el5 on Redhat EL 5.5 (Tikanga) I created the certificates with openssl 0.9.8e-12.el5_4.6 and configured the slapd.conf part of slapd.conf # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. TLSCACertificateFile /etc/openldap/ssl/VordelCA.crt TLSCertificateFile /etc/openldap/ssl/VordelDevInt.crt TLSCertificateKeyFile /etc/openldap/ssl/VordelDev.key TLSCipherSuite HIGH:MEDUIM:!SSLv2 TLSVerifyClient never ... ###### server got up on 636 but when I try to connect I get SSL handshake error ... when I test on the server itself .. openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt CONNECTED(00000003) 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: I got this one ... any idea whats my problem ? regards Axel

7 16

Log level will not change.
by espeake＠oreillyauto.com 04 Oct '13

04 Oct '13

Here is the contents of configlog.ldif dn: cn=config changetype: modify delete: olcLogLEvel - add: olcLogLevel olcLogLevel: 0 I run the following commend: ldapmodify -Wx -D "uid=admin,dc=oreillyauto,dc=com" -H ldap://tntest-ldap-1.oreillyauto.com -c -f /tmp/configlog.ldif the output shows: Enter LDAP Password: modifying entry "cn=config" Except the loglevel cn=config does not change. The modifyTimeStamp and entryCSN change to match the server. I have a 3 node MMR cluster on 2.4.31. I am working on a build to go to 2.4.36, but in the mean time I need to get this working. Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

5 7

Unknown db in slapd.conf
by espeake＠oreillyauto.com 03 Oct '13

03 Oct '13

I have a brand new Ubuntu-12.04 server with a brand new build of openldap 2.4.36 on it and I am try to set it up for MMR with mdb. I get the following error when I try slapadd my config. 524c62f1 line 61 (databse mdb) 524c62f1 /usr/local/etc/openldap/slapd.conf: line 61: <database> failed init (mdb)! Now when I look at man slapd.conf and these are the database types that are shown for use. There is nothing there showing mdb, but I know that it is a viable selection. database <databasetype> Mark the beginning of a new database instance definition. <databasetype> should be one of bdb, config, dnssrv, hdb, ldap, ldif, meta, monitor, null, passwd, perl, relay, shell, or sql, depending on which backend will serve the database. in my slapd.conf file I have the following setup (just partially listing here): # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_mdb.la moduleload back_ldap.la ############################################################################ database mdb I have checked and double cheked to be sure that /usr/local/libexec/openldap/back_mdb.la exists. What simple thing am I missing? Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

4 7

openldap-2.3.43 ignore limits in slapd.conf
by Axel Grosse 03 Oct '13

03 Oct '13

Hi I try to change the default search limits in an openldap-2.3.43 server. I am using this entries in the slapd.conf gerneral section #change to unlimited results sizelimit size.soft=10000 size.hard=10000 timelimit unlimited Database section limits * size.soft=10000 size.hard=10000 size.pr=10000 size.prtotal=10000 but on a search I am always limited to 500 ldapsearch -H ldap://192.168.30.169 -x -D "cn=admin,o=TI" -W -b "ou=CustomerGroups,ou=GROUPS,o=TI" -s sub -a always -z 10000 "(objectClass=*)" "hasSubordinates" "objectClass" ldapentrycount # search result search: 2 result: 4 Size limit exceeded # numResponses: 501 # numEntries: 500 is that a know bug ? ... AXEL GROSSE Principal Solution Architect, Sales Solution Center, Axway P: +61-405-995-768 828 Pacific Highway Gordon, 2072 NSW agrosse(a)axway.com<mailto:agrosse@axway.com> http://www.axway.com<http://www.axway.com/>

1 1

Re: Attributes rewriting
by Dimitri Osler 03 Oct '13

03 Oct '13

I also have the same problem, can anybody help? > Hello, List > > I've been trying to find a working example to understand how slapo-rwm, slapd-meta and slapd-relay work for the last 3 days with no success. > > I just need to substitute one attribute by another for a single LDAP user. > Lets say I have a posixAccount Object with cn = user1 as shown below. > dn: uid=user1,ou=People,dc=localnet > uid: user1 > cn: user1 > objectClass: account > objectClass: posixAccount > objectClass: shadowAccount > ..... > > Also I have two LDAP users (organizationalRole): admin. simpleuser. > I want to configure openldap in a way which allows "simpleuser" to make queries using "(description=user1)" instead of ("cn=user1") to find previously mentioned user object. > The only thing I was able to configure is the suffixmassage, but can't find a way how to add rwm-map to my configuration. > > Could somebody point me to the working example.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2013