openldap-technical July 2013

openldap-technical@openldap.org

68 participants
86 discussions

Re: Antw: N-Way Multi-Master TLS problem
by Patrick Lists 31 Jul '13

31 Jul '13

On 07/31/2013 11:50 AM, Ulrich Windl wrote: > Hi! > > I had the same problem, and I found a solution: > > In config, don't use the host name as filename for the certificate/key, but use the service name (like "slapd"). Then (the confusing part), store the server's certificate in that "slapd" file. So even if the file name is the same on every server, the file's contents are different. > > I use (SLES11, your paths may vary): > > olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem > olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key > olcTLSCACertificatePath: /etc/ssl/certs > > Here that works fine, but I feel documentation should talk about that also. Wow that certainly is a solution I did not see coming. Thanks! I think I got it working now :-) IMHO it sounds like a bug to me. Never seen such a requirement for a TLS config. Thanks again, much appreciated! Regards, Patrick

1 0

Re: RE24 testing call (OpenLDAP 2.4.36)
by Andrew Cobaugh 31 Jul '13

31 Jul '13

On Mon, Jul 29, 2013 at 3:44 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > If you know how to build OpenLDAP manually, and would like to participate > in testing the next set of code for the 2.4.36 release, please do so. > I can report that all tests run by 'make test' complete successfuly on a stock 64-bit RHEL6 host. --andy

1 0

OpenLDAP syncrepl over SSL
by Tony Davis 31 Jul '13

31 Jul '13

Hi, I wonder if anyone can help me with a question I have regarding an openldap setup on Redhat / Centos 5.8 using openldap-2.3.43. I am trying to setup replication, I have set this up using the simple bind method, which stores a password for the replication in the config. (This works) but I wondered if there was a way to have this replication take place using ssl certificates without the need to store the unhashed password in the slapd.conf? Is this possible? or do I still have to specify a replication user and pass, but all the auth takes place over ssl? This is my current config for replication: syncrepl rid=001 provider=ldap://master01.tld type=refreshAndPersist interval=00:00:05:00 retry="5 5 300 +" searchbase="dc=tld" attrs="*,+" bindmethod=sasl saslmech=EXTERNAL tls_cert=/etc/master02.tld.pem tls_key=/etc/master02.tld.key tls_cacert=/etc/openldap/cacerts/ca.pem tls_reqcert=demand starttls=yes mirrormode on updateref ldap://master01.tld but in the replication log i get the following: Jul 31 11:06:18 master02 slapd[6958]: do_syncrep1: rid 001 ldap_sasl_interactive_bind_s failed (7) Jul 31 11:06:18 master02 slapd[6958]: do_syncrepl: rid 001 retrying (3 retries left) Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on 1 descriptor Jul 31 11:06:18 master02 slapd[6958]: daemon: activity on:

3 2

ldap_sasl_bind doesn't fail with wrong credentials
by Andrius Kulbis 31 Jul '13

31 Jul '13

Hello, Shouldn't ldap_sals_bind fail if wrong credentials are given? Or am I checking the bind result in wrong way? I pass wrong password or username and still can't get BIND ERROR. #include <stdio.h> #include <ldap.h> #include <stdlib.h> #define HOST "x.x.x.x" int main (int argc, char **argv) { char *UID = argv[1]; char *PASSWD = argv[2]; char BASEDN[80]; strcpy(BASEDN, "eduPersonPrincipalName="); strcat(BASEDN, UID); strcat(BASEDN, "@ex.com,ou=People,ou=Users,dc=ex,dc=com"); LDAP *ld; char *ldapuri = NULL; LDAPURLDesc url; memset( &url, 0, sizeof(url)); url.lud_scheme = "ldap"; url.lud_host = HOST; url.lud_port = LDAP_PORT; url.lud_scope = LDAP_SCOPE_DEFAULT; ldapuri = ldap_url_desc2str( &url ); int rc, msgid, version = LDAP_VERSION3; struct berval passwd = {0, NULL}; passwd.bv_val = PASSWD; passwd.bv_len = strlen(PASSWD); LDAPControl c; LDAPControl **sctrlsp = NULL; LDAPControl *sctrls[3]; LDAPControl sctrl[3]; int nsctrls = 0; c.ldctl_oid = LDAP_CONTROL_PASSWORDPOLICYREQUEST; c.ldctl_value.bv_val = NULL; c.ldctl_value.bv_len = 0; c.ldctl_iscritical = 1; sctrl[nsctrls] = c; sctrls[nsctrls] = &sctrl[nsctrls]; sctrls[++nsctrls] = NULL; sctrlsp = sctrls; if((rc = ldap_initialize(&ld, ldapuri)) != LDAP_SUCCESS) { printf("LDAP_INIT Error\n"); return 1; } ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); ldap_set_option(ld, LDAP_OPT_REFERRALS, 0); ldap_set_option(ld, LDAP_OPT_SERVER_CONTROLS, sctrlsp); if((rc = ldap_sasl_bind(ld, BASEDN, LDAP_SASL_SIMPLE, &passwd, NULL, NULL, &msgid)) != LDAP_SUCCESS) { printf("BIND ERROR\n"); return 1; } return 0; } Regards, Andrius

1 0

N-Way Multi-Master TLS problem
by Patrick Lists 30 Jul '13

30 Jul '13

Hi, As an exercise I tried setting up a 2 node N-Way Multi-Master with TLS and TLS replication based on section 18.3.3 of the Admin Gguide. I bumped into a problem that I haven't been able to fix. The error is: TLS: hostname (ldap02.local) does not match common name in certificate (ldap01.local). 51f87d48 slap_client_connect: URI=ldap://ldap02.local Error, ldap_start_tls failed (-11 I have tested the certificates manually and I can't see anything wrong with them. I use FQDNs everywhere. Also it seems odd that, based on strace slapd output, ldap01 needs acess to the public and private certificate of ldap02 and vice versa. OpenLDAP version 2.4.35 + fixes recommended by Quanah on the list. Ntp is running, iptables & SELinux are off The config below is added with: slapadd -v -F /etc/openldap-2.4/slapd.d -l ./test.ldif -n 0 Anyone have a hint what I am doing wrong? ------------------------------------------------------------------- Config ldap01: ------------------------------------------------------------------- # global configuration settings dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid olcLogFile: /var/log/openldap-2.4/slapd-2.4.log olcLogLevel: 127 16384 olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt olcTLSVerifyClient: demand olcLocalSSF: 256 olcSecurity: ssf=256 olcPasswordCryptSaltFormat: $6$%s olcPasswordHash: {CRYPT} olcServerID: 1 ldap://ldap01.local olcServerID: 2 ldap://ldap02.local # load modules dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/local/lib64/openldap-2.4 olcModuleLoad: back_mdb.la olcModuleLoad: back_monitor.la olcModuleload: syncprov.la # schema definitions dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema # include the schemas include: file:///etc/openldap-2.4/schema/core.ldif include: file:///etc/openldap-2.4/schema/corba.ldif include: file:///etc/openldap-2.4/schema/cosine.ldif include: file:///etc/openldap-2.4/schema/duaconf.ldif include: file:///etc/openldap-2.4/schema/dyngroup.ldif include: file:///etc/openldap-2.4/schema/inetorgperson.ldif include: file:///etc/openldap-2.4/schema/java.ldif include: file:///etc/openldap-2.4/schema/misc.ldif include: file:///etc/openldap-2.4/schema/nis.ldif include: file:///etc/openldap-2.4/schema/openldap.ldif include: file:///etc/openldap-2.4/schema/ppolicy.ldif include: file:///etc/openldap-2.4/schema/collective.ldif # global database parameters dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend # setup cn=config dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootPW: {CRYPT}$6$<somepass> olcSyncrepl: rid=1 provider=ldap://ldap01.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcSyncrepl: rid=2 provider=ldap://ldap02.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=1234 starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcMirrorMode: TRUE olcAccess: to * by dn.exact="cn=Manager,dc=local" write by * none # setup monitoring dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: monitor olcAccess: to dn.subtree=cn=Monitor by dn.exact="cn=Manager,dc=local" write by * none dn: olcDatabase={2}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcSuffix: dc=local olcRootDN: cn=Manager,dc=local olcRootPW: {CRYPT}$6$<somepass> olcDbDirectory: /var/lib/ldap-2.4/local olcDbIndex: cn pres,eq,sub olcDbIndex: gidNumber pres,eq olcDbIndex: mail pres,eq,sub olcDbIndex: memberUid pres,eq olcDbIndex: objectClass pres,eq olcDbIndex: ou pres,eq,sub olcDbIndex: sn pres,eq,sub olcDbIndex: uid pres,eq olcDbIndex: uidNumber pres,eq olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcDbMaxReaders: 0 olcDbMode: 0600 olcDbSearchStack: 16 # size in bytes - 1GB = 1073741824 bytes olcDbMaxSize: 5368709120 olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: TRUE olcDbNoSync: FALSE olcSizeLimit: unlimited olcTimeLimit: unlimited olcDbEnvFlags: writemap olcDbEnvFlags: nometasync olcAccess: to attrs=userPassword by dn.exact="cn=Manager,dc=local" write by self write by anonymous auth by * none olcAccess: to * by dn.exact="cn=Manager,dc=local" write by self write by * read olcLimits: dn.exact="cn=Manager,dc=local" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcSyncrepl: rid=3 provider=ldap://ldap01.local searchbase="dc=local" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=Manager,dc=local" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/Manager.crt tls_key=/etc/pki/tls/private/Manager.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcSyncrepl: rid=4 provider=ldap://ldap02.local searchbase="dc=local" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=Manager,dc=local" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/Manager.crt tls_key=/etc/pki/tls/private/Manager.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcMirrorMode: TRUE # add the syncprov overlay to the cn=config database dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov # add the syncprov overlay to the main mdb database dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov ------------------------------------------------------------------- Config ldap02: ------------------------------------------------------------------- # global configuration settings dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap-2.4/slapd-2.4.args olcPidFile: /var/run/openldap-2.4/slapd-2.4.pid olcLogFile: /var/log/openldap-2.4/slapd-2.4.log olcLogLevel: 127 16384 olcTLSCACertificateFile: /etc/pki/tls/certs/Test-CA.crt olcTLSCertificateFile: /etc/pki/tls/certs/ldap01.local.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap01.local.key.crt olcTLSCipherSuite: TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:!RC4:@STRENGTH olcTLSVerifyClient: demand olcLocalSSF: 256 olcSecurity: ssf=256 olcPasswordCryptSaltFormat: $6$%s olcPasswordHash: {CRYPT} olcServerID: 1 ldap://ldap01.local olcServerID: 2 ldap://ldap02.local # load modules dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /usr/local/lib64/openldap-2.4 olcModuleLoad: back_mdb.la olcModuleLoad: back_monitor.la olcModuleLoad: memberof.la olcModuleLoad: refint.la olcModuleLoad: auditlog.la olcModuleLoad: ppolicy.la olcModuleload: syncprov.la # schema definitions dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema # include the schemas include: file:///etc/openldap-2.4/schema/core.ldif include: file:///etc/openldap-2.4/schema/corba.ldif include: file:///etc/openldap-2.4/schema/cosine.ldif include: file:///etc/openldap-2.4/schema/duaconf.ldif include: file:///etc/openldap-2.4/schema/dyngroup.ldif include: file:///etc/openldap-2.4/schema/inetorgperson.ldif include: file:///etc/openldap-2.4/schema/java.ldif include: file:///etc/openldap-2.4/schema/misc.ldif include: file:///etc/openldap-2.4/schema/nis.ldif include: file:///etc/openldap-2.4/schema/openldap.ldif include: file:///etc/openldap-2.4/schema/ppolicy.ldif include: file:///etc/openldap-2.4/schema/collective.ldif # global database parameters dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend # setup cn=config dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootPW: {CRYPT}$6$<somepass> olcSyncrepl: rid=1 provider=ldap://ldap01.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=password starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcSyncrepl: rid=2 provider=ldap://ldap02.local searchbase="cn=config" type=refreshAndPersist timeout=1 schemachecking=off interval=00:00:00:5 retry="5 +" bindmethod=simple binddn="cn=config" credentials=1234 starttls=critical tls_cert=/etc/pki/tls/certs/config.crt tls_key=/etc/pki/tls/private/config.key.crt tls_cacert=/etc/pki/tls/certs/Test-CA.crt tls_reqcert=demand olcMirrorMode: TRUE olcAccess: to * by dn.exact="cn=Manager,dc=local" write by * none # setup monitoring dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: monitor olcAccess: to dn.subtree=cn=Monitor by dn.exact="cn=Manager,dc=local" write by * none # add the syncprov overlay to the cn=config database dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov Thank you for any pointers. Regards, Patrick

1 0

OpenLDAP (using BDB) stalls adding 65,536th entry
by Mark Cooper 30 Jul '13

30 Jul '13

I've been doing some testing using OpenLDAP with BDB on a couple of different platforms. I noticed a similar situation. When I sit in a loop doing adds, at the 65,536th added entry the process stalls for a short period of time. After a minute or two, the add succeeds. My first thought is that this is a BDB issue, so I posted this question to Oracle's BDB forum. But I have yet to receive any answer. This situation seems to happen when I have around 43 10MB log files. During the stall, I notice many log files are being written (another 25 or so), which is a much quicker rate than was being written prior to the stall. The stall only happens once. I added another 350,000 entries and no more stalls. I ran a few other tests. Added 65,535 entries. All is fine. As soon as the next entry is add, even if I recycle the server, I hit the condition. I even tried deleting 1,000 entries. I would then need to add 1,0001 to get to 65,536 entries in the database and then hit the delay. I did try playing around with the number of indexes and it did seem to affect the size of the delay, but not the fact that the delay occurs. I'm trying to understand what OpenLDAP or BDB is doing during the stall. Is their a reorganizing of tables/indexes based on a threshold of 65,536 entries? Is this a one time only event as my testing seems to show? Again, my suspicion is that it's more of a BDB issue, but thought others here may have seen this situation. Some values from my DB_CONFIG file: set_cachesize 0 20971520 1 set_lg_regionmax 1048576 set_lg_max 10485760 set_lg_bsize 2097152 set_lk_max_locks 2000 set_lk_max_objects 2000 set_open_flags db_private Some values from my slapd.conf: database bdb suffix "dc=myco,dc=com" rootdn "cn=Manager,dc=myco,dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq index cn eq,sub index departmentNumber eq index employeeNumber eq,sub index uid eq,sub index entryCSN eq index entryUUID eq cachesize 5000 idlcachesize 5000 dncachesize 30000 cachefree 100 searchstack 8 threads 4 Thanks for any help, Mark

4 6

back_sql synrepl producer
by Raymond Page 30 Jul '13

30 Jul '13

Pierangelo, Has the status of back_sql as a valid syncrepl provider changed since this conversation: http://www.openldap.org/lists/openldap-technical/200904/msg00145.html I have a back_sql producer that I want to query and populate/synchronize to a back_hdb consumer. From the 2009 email exchange, it sounds as though it is impossible or unsupported, though some emails from 2004 made it sound as though its feasible. http://www.openldap.org/lists/openldap-devel/200410/msg00020.html -------------------------------------------------------------- # My SQL Producer database null suffix "cn=admin" rootdn "cn=admin" rootpw password #Clone of SQL entries for verifying syncrepl configuration #database hdb #suffix "ou=virtual" #rootdn "cn=admin" #directory /var/lib/ldap/virtual database sql lastmod on readonly on suffix "ou=virtual" dbname dbname dbuser dbuser upper_func UPPER use_subtree_shortcut yes children_cond "ldap_entries.dn=UPPER(?)" subtree_cond "UPPER(ldap_entries.dn) LIKE UPPER(CONCAT('%',?))" has_ldapinfo_dn_ru no overlay syncprov -------------------------------------------------------------- # My HDB Consumer database null suffix "cn=admin" rootdn "cn=admin" rootpw password database hdb rootdn "cn=admin" directory /var/lib/ldap syncrepl rid=123 provider=ldaps://localhost:636 type=refreshOnly interval=00:00:05:00 searchbase="ou=virtual" schemachecking=off bindmethod=simple binddn="cn=admin" credentials=password tls_cacertdir=/etc/pki/cacerts ---------------------------------------------------------- # Producer logging from -d 16384 syncprov_search_response: cookie=rid=123,csn=20130724213107.411609Z#000000#000#000000 slap_queue_csn: queing 0x7fe7fbffcb70 20130724213725.653540Z#000000#000#000000 slap_graduate_commit_csn: removing 0x7fe7f4168ef0 20130724213725.653540Z#000000#000#000000 ----------------------------------------------------------- # Consumer logging from -d 16384 do_syncrep2: rid=123 LDAP_RES_SEARCH_RESULT do_syncrep2: rid=123 cookie=rid=123,csn=20130724213107.411609Z#000000#000#000000 slap_queue_csn: queing 0x7fba781ae900 20130724213107.411609Z#000000#000#000000 slap_graduate_commit_csn: removing 0x7fba781ae880 20130724213107.411609Z#000000#000#000000 syncrepl_updateCookie: rid=123 be_modify failed (32) -- Raymond Page

2 1

ldap_bind() extended response for password policy
by Andrius Kulbis 29 Jul '13

29 Jul '13

Hello, I'm trying to pull the password policy response message from ldap_bind() method. While checking the packet content from OpenLDAP after ldap_bind() request, with Wireshark, there is a control hooked to the ldap_bind() response, were the message code and message text about password expiration is, but I can't manage to parse that message from response. AFAIK, the OpenLDAP C API ldap_get_option() method doesn't have LDAP_OPT_SERVER_CONTRLOLS case implementation, and I can't get the PASSWORDPOLICYRESPONSE, although I have set the PASSWORDPOLICYREQUEST before the bind. Is there a workaround of this problem? ------ Regards, Andrius Kulbis

3 4

Q: "olcMirrorMode: no equality matching rule"
by Ulrich Windl 29 Jul '13

29 Jul '13

Hi! When trying to add "olcMirrorMode: TRUE" to a database where the value already exists, I get: --- # ldapmodify -ZZ -x -W -D cn=config -f mirrormode.ldif -v -c ldap_initialize( <DEFAULT> ) Enter LDAP Password: add olcMirrorMode: TRUE modifying entry "olcDatabase={0}config,cn=config" ldap_modify: Inappropriate matching (18) additional info: modify/add: olcMirrorMode: no equality matching rule add olcMirrorMode: TRUE modifying entry "olcDatabase={1}hdb,cn=config" modify complete --- It looks to me as if a compare operator for "TRUE" (Boolean?) is not defined. Am I right? olcObjectIdentifier: OMsBoolean OMsyn:7 Regards, Ulrich

2 1

How to Pointing Openldap Slave from Openldap Master on Openldap Replication
by Iftakhul Anwar 27 Jul '13

27 Jul '13

Hi All, I just successfully replicated Openldap using ubuntu 10.04 as master server (provider), 12.04 as slave server (consumer). I'm using syncrepl method for this replication. Below configuration for provider.ldif and customer.ldif *### provider ### # Add indexes to the frontend db. dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryCSN eq - add: olcDbIndex olcDbIndex: entryUUID eq #Load the syncprov and accesslog modules. dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov - add: olcModuleLoad olcModuleLoad: accesslog # Accesslog database definitions dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap/accesslog olcSuffix: cn=accesslog olcRootDN: cn=admin,dc=teleneos,dc=org olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart # Accesslog db syncprov. dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE # syncrepl Provider for primary db dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE # accesslog overlay definitions for primary db dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogSuccess: TRUE # scan the accesslog DB every day, and purge entries older than 7 days olcAccessLogPurge: 07+00:00 01+00:00* Then below consumer.ldif * ### consumer ### #Load the syncprov module. dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov # syncrepl specific indices dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryUUID eq - add: olcSyncRepl olcSyncRepl: rid=0 provider=ldap://139.193.195.170 bindmethod=simple binddn="cn=admin,dc=teleneos,dc=org" credentials=teleneos searchbase="dc=teleneos,dc=org" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog - add: olcUpdateRef olcUpdateRef: ldap://139.193.195.170* Now when i add any value on ldap provider, They will replicated on consumer (ldap slave server). But on my mechanism, i will have many ldap master machine on internet which will have to replicated to one ldap slave server.I will created centralized system. Moreover every ldap server is using dynamic Ip address which should change automatically. So not possible for me if i must add line* olcUpdateRef: ldap://ip_provider*for every ldap provider on ldap configuration. Is there configuration on ldap provider to pointing where ldap slave is ? So that, to replicate to slave server on my provider server (ldap master) , i just need pointing ip of slave ldap server is. So configuration pointing on every ldap provider. Help me to solve this issue. Thanks

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2013