openldap-technical December 2013

openldap-technical@openldap.org

61 participants
73 discussions

MMR config question - serverID without URL and CSN too old, ignoring in the log
by Daniel Jung 26 Dec '13

26 Dec '13

Set up 4 way MMR setup with 2.4.37, centos 6. Reading the doc[0] indicates that adding the URL is an optional and is used to avoid future serverID collision and using the number alone does work without any issue. Based on that information, i created 3 MMR setup with each provider with unique serverids and unique rid within each sever pointing to other providers. I have seen examples where each provider has multiple serverIDs (all providers), as the doc indicates, this is possible only if URL option is specified. Since i didnt use the URL, i only configured single serverID per the provider in the global cn=config. I had tested cn=config with 2 MMR and i didnt see the CSN too old, ignoring message in the log. But, when i set it up to be 3 way MMR, i am seeing this msg with new sync where other provider sends do_synrepl2 to the original provider and hence CSN too old, ignoring is logged. I searched the mailing list and some of the reputable members here have mentioned it is due to wrong MMR serverID setup. Could you point out if serverid without URL may be the culprit to this problem? I see no other issues other than this, replication to other consumers work fine and data are in synced. my setup serverID and rid setup. serverID 1 rid 000 for replicating from serverID 2 rid 001 for replication from serverID 3 serverID 2 rid 000 for serverID 1 rid 001 for serverID 3 serverID 3 rid 000 for serverID 1 rid 001 for serverID 2 Thank you [0] http://www.zytrax.com/books/ldap/ch6/#serverid

1 1

How to sync UID/GID?
by Peng Yu 26 Dec '13

26 Dec '13

Hi, I'm able to create an OpenLDAP server. I can use ldapsearch to query the server. https://help.ubuntu.com/12.10/serverguide/openldap-server.html http://serverfault.com/questions/19323/is-it-feasible-to-have-home-folder-h… I see on the above URL that OpenLDAP can be used to sync UID/GID. But it is not clear to how to do it. Could anybody point me some directions? Thanks. "... as you have to keep the UID and GIDs in sync - use something like OpenLDAP ..." -- Regards, Peng

2 1

missing libldif.so library ?
by Daniel Jung 26 Dec '13

26 Dec '13

Hi, I can't seem to find this lib anymore after upgrading to 2.4.37. Is this lib not being built anymore? Thanks

3 3

LDAP Proxy
by Keith Hamburg 24 Dec '13

24 Dec '13

I'm trying to configure a third party product to obtain the list of valid users based on a group membership in a corporate active directory server. The third party product is not capable of querying for users based on group membership. It can only use an OU or objectClass. The corporate AD server has a very broad "All Users" OU and we can't add an OU or objectClass to AD . I would like to configure an OpenLDAP proxy using that can dynamically create an OU by querying the members of a group. Is this possible using overlays? Another possibility is that try to synchronize OpenLDAP with AD based on a filter that includes membership in only one group. Would either of these methods work or is there another solution I haven't mentioned? Thanks, Keith

1 0

MDB_BAD_RSLOT while executing slapacl
by Igor Zinovik 24 Dec '13

24 Dec '13

Hello. Today I run slapacl to test access rights and saw this: ldap3# sudo slapacl -F /etc/openldap/slapd.d/ ... ... 52a8ae51 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783) read access to o: ALLOWED At http://symas.com/mdb/doc/group__errors.html#ga1b6cbb28da30e28c48c9df66dd398… I read explanation that this error means: Txn has too many dirty pages. slapd 2.4.36 with Linux kernel 3.7.10 x86_64. In my slapd I have single database with mdb backend: dn: olcDatabase={1}mdb,config ... olcDbNoSync: FALSE olcDbMaxSize: 1073741824 olcDbMode: 0600 olcDbSearchStack: 16 Two questions: 0. What might cause this error? 1. Should I worry about this?

2 8

How to configure LDAP for sync passwd and group between ubuntu machines?
by Peng Yu 24 Dec '13

24 Dec '13

Hi, I'm trying to find a succinct description on how to use LDAP for sync passwd and group between ubuntu machines. I only find some general information on LDAP but not specific for sync passwd and group. Could anybody point me some simple instructions on how to do so? Thanks. -- Regards, Peng

1 0

Question about search performance
by Ferne Quinlan 24 Dec '13

24 Dec '13

Hi, Is there someone use openldap on windows? I found the query performance on windows is too bad, Any solution or relevant official documents?

3 4

Fw: Fw: host Attribute --- Low Sensitivity/Aerospace Internal Use Only
by Warron S French 23 Dec '13

23 Dec '13

Low Sensitivity/Aerospace Internal Use Only NetWarrior, are you attempting to apply a TCP_Wrappers like behavior but implement it through LDAP? Warron French, MBA, SCSA ----- Forwarded by Warron S French/Emp/Aerospace/US on 12/23/2013 07:42 AM ----- From: Net Warrior <netwarrior863(a)gmail.com> To: openldap-technical <openldap-technical(a)openldap.org>, Date: 12/23/2013 07:36 AM Subject: host Attribute Sent by: openldap-technical-bounces(a)OpenLDAP.org Hi guys. I'm trying to restric some user to login to some server, googling around I found that some things can be donde with the host attribute, this is what I got. A user with host attribute and and a FQDN server on it server.comap.com , the pam_check_host_attr set to yes in the client configuration ( pam_ldap.conf / ldap.conf ), If I understand well the user can now login to that server, in my tests I can confirm that, what I notice is that the user can loging to all the other servers in the farm whaterver I set to the host attribute I read this article as a reference: thornelabs dot net /documentation/2013/02/01/linux-restrict-server-login-via-ldap-hostobject-objectclass-and-host-attribute.html Please, can someone shed some light on this or clarify what I'm trying to to is correct or wrong? Thanks for your time and support Regards Low Sensitivity/Aerospace Internal Use Only

3 3

host Attribute
by Net Warrior 23 Dec '13

23 Dec '13

Hi guys. I'm trying to restric some user to login to some server, googling around I found that some things can be donde with the host attribute, this is what I got. A user with host attribute and and a FQDN server on it server.comap.com , the pam_check_host_attr set to yes in the client configuration ( pam_ldap.conf / ldap.conf ), If I understand well the user can now login to that server, in my tests I can confirm that, what I notice is that the user can loging to all the other servers in the farm whaterver I set to the host attribute I read this article as a reference: thornelabs dot net /documentation/2013/02/01/linux-restrict-server-login-via-ldap-hostobject-objectclass-and-host-attribute.html Please, can someone shed some light on this or clarify what I'm trying to to is correct or wrong? Thanks for your time and support Regards

1 0

Fw: Fw: ADDING OBJECT CLASS --- Low Sensitivity/Aerospace Internal Use Only
by Warron S French 23 Dec '13

23 Dec '13

Low Sensitivity/Aerospace Internal Use Only John, I agree with Dieter, in fact I haven't finished reading this full thread yet, but my instinct was to suggest inetOrgPerson as the appropriate schema as well. Also, Terje, that is a great website I agree, but here's another one I discovered that was also very useful: http://ldap.akbkhome.com/index.php Warron French, MBA, SCSA The Aerospace Corporation Sr. UNIX SA & Storage Admin Mailstop: CH1-230 Desk: 571-307-5311 Cell: 703-967-8936 ----- Forwarded by Warron S French/Emp/Aerospace/US on 12/23/2013 07:06 AM ----- From: Terje Trane <terjet(a)funcom.com> To: openldap-technical(a)openldap.org, Date: 12/20/2013 04:10 AM Subject: Re: ADDING OBJECT CLASS Sent by: openldap-technical-bounces(a)OpenLDAP.org On 19.12.2013 22:39, Borresen, John - 0442 - MITLL wrote: > > I would like to add and objectClass(es) so that I can add, > emailAddress, employee number. Can someone refresh my memory on what > I need (objectClasses)? > > The objectClass inetOrgPerson that you can find in the file inetorgperson.schema has employeeNumber and mail and several other useful attributes. That is what we use. PS: I have found this useful: http://www.zytrax.com/books/ldap/ape/ --- This email is free from viruses and malware because avast! Antivirus protection is active. http://www.avast.com Low Sensitivity/Aerospace Internal Use Only

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2013