openldap-technical July 2013

openldap-technical@openldap.org

68 participants
86 discussions

Q: Multi-Master setup
by Ulrich Windl 16 Jul '13

16 Jul '13

Hi! I have a few questions for multi-master mode: 1) olcServerID (two arguments): if a node's salpd binds to some interface alias address, do I need an olcServerID for that interface alias, do I need an olcServerID for the physical host, or do I need both? 2) What is the correct syntax for the second argument (URI): Do you need a final slash, do you need the port? Currently I'm using a syntax like "olcServerID: 1 ldap://ldap.domain.org" 3) For the syncrepl privider, how is the syntax of the provider URI: With trailing slash, or with port, or with none of those? Currently I'm using a syntax like "olcServerID: 1 ldap://ldap.domain.org/" 4) Do I need olcUpdateRef? If so, for every server in the multi-master group? My guess is that without olcUpdateRef each server will accept local changes and sync those out. 5) How does "mirrormode=on" affect a multi-master setup? I'm dealing with a configuration tool (SLES11 SP2 YaST) tha tseems to have trouble with some configuration settings, so I wonder how the correct configuration will look like. 6) On "split brain": If one server is separated from the rest, and that server receives updates, and the rest receives updates also: The latest update of an entry will overwrite older entries once the servers join again, right? Once delta-syncrepl will work for multi-master, will the latest attribute change (as opposed to the latest entry change) be propagated to the rest? I read the documentation, but could not find answers to all of the questions above. Maybe someone can help. Regards, Ulrich

1 0

Regarding Queries for Ldap authentication
by Ashutosh Tiwari 15 Jul '13

15 Jul '13

Hello, I am calling ldap_init and ldap_bind_s from our code in which while calling the ldap_init, we are passing the multiple host in it, so I want to know what is the retry count for connection to a down server and time to wait for a connection etc. Is these parameters are configured ? where I can look into details for it. Thanks & Regards, Ashutosh Tiwari

1 0

Q: "stable" slapcat / slapadd?
by Ulrich Windl 12 Jul '13

12 Jul '13

Hi! I used to dump the OpenLDAP databases using slapcat (as suggested for backup). As an optimization I avoid storing identical databases. However I had seen changes that actually were not made, so my question: Is slapcat expected to be stable, i.e. report entries and attributes in a specific ordering? Is slapadd expected to be stable, i.e. add entries and attributes the same way when they come from the same LDIF file? I had just removed the entryCSN on cn=config, and I see differences after removing and rebuilding the config database that were not made in the LDIF file: --- /tmp/1 2013-07-12 14:49:35.000000000 +0200 +++ /tmp/2 2013-07-12 14:49:35.000000000 +0200 @@ -4,6 +4,10 @@ olcArgsFile: /var/run/slapd/slapd.args olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth dn :cn=config +olcLogLevel: config +olcLogLevel: stats +olcLogLevel: sync +olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcServerID: 1 ldap://rksapds1.site olcServerID: 2 ldap://rksapds2.site @@ -19,10 +23,6 @@ entryUUID: db3f4d44-7c0e-1032-81c4-d54356bd918f creatorsName: cn=config createTimestamp: 20130708113956Z -olcLogLevel: config -olcLogLevel: stats -olcLogLevel: sync -olcLogLevel: none entryCSN: 20130712095650.995134Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20130712095650Z @@ -2152,12 +2152,12 @@ dn: olcDatabase={2}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {2}monitor +olcAccess: {0}to dn.subtree="cn=monitor" by dn.base="cn=Admin,dc=censored + ,dc=uni-regensburg,dc=de" write by users read by * none structuralObjectClass: olcDatabaseConfig entryUUID: 20f4a254-7f1a-1032-9c35-67ae7acd0417 creatorsName: cn=config createTimestamp: 20130712083810Z -olcAccess: {0}to dn.subtree="cn=monitor" by dn.base="cn=Admin,dc=censored - ,dc=uni-regensburg,dc=de" write by users read by * none entryCSN: 20130712085712.643156Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20130712085712Z Regards, Ulrich

3 2

How to make a temporary password expire?
by jeevan kc 12 Jul '13

12 Jul '13

With the Openldap password policy I was able to lock the account after a certain number of failed login attempts. When I reset the password, the user can login whenever. What I want to ask is, is there a way to make the password expire if the user doesn't login within lets say 24 hours after the password has been reset? Thank you! Jeevan

3 3

Re: ldap syncrepl issue.
by Ashok Kumar Shah 12 Jul '13

12 Jul '13

Is there a way reliable determine whether ldap slave is sync with master? Currently i am using ContextCSN diff between master and slave to determine the lag. Thanks in advance. Ashok On Fri, Jul 12, 2013 at 9:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Friday, July 12, 2013 5:40 PM +0530 Ashok <ashok.shah(a)flipkart.com> > wrote: > > >> >> >> >> >> Hi, >> >> I am running ldap master and multiple slave with RefreshandPersist config. >> ldap search for an user shows different set of records. ContextCSN on >> master and slave are exactly same. >> What can i do to fix this. I tried restarting slave ldap but didn't help. >> Also i keep getting do_syncrepl: rid=112 rc 68 retrying every minute. I >> doubt if there is replication issue. >> > > It sounds like it is resyncing the DB, and skipping entries that already > exist: LDAP_ALREADY_EXISTS is error code 68. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 2

OTP
by Vishesh kumar 12 Jul '13

12 Jul '13

Do anyone point me right direction for setting up OTP authentication in openldap. Reference to URL or guide will be sufficient. -- Thanks & Regards Vishesh Kumar http://linuxmantra.com

3 3

Re: Antw: Re: olcSizeLimit become ignored somehow
by Quanah Gibson-Mount 12 Jul '13

12 Jul '13

--On Friday, July 12, 2013 8:06 AM +0200 Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: >>>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 11.07.2013 um 20:56 >>>> in > Nachricht <3CC7F3DA0AFBA8ED75D07A48(a)[192.168.1.28]>: >> --On Thursday, July 11, 2013 9:36 PM +0300 Покотиленко >> Костик <casper(a)meteor.dp.ua> wrote: >> >>> Hi, >>> >>> We have 1 master + 2 slaves setup (2.4.28, Ubuntu). >> >> Why are you running such an ancient version of OpenLDAP? Get a current >> release and then see if you have issues. > > For your records: SLES11 SP2 currently has 2.4.26, and SLES10 SP4 has > 2.3.32. Both are still "supported" by the vendor. > Basically those versions seem to work also ;-) What does this have to do with anything? Using distribution provided OpenLDAP builds is generally an extremely bad idea. Please keep replies to the list as well. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

ldap syncrepl issue.
by Ashok 12 Jul '13

12 Jul '13

Hi, I am running ldap master and multiple slave with RefreshandPersist config. ldap search for an user shows different set of records. ContextCSN on master and slave are exactly same. What can i do to fix this. I tried restarting slave ldap but didn't help. Also i keep getting do_syncrepl: rid=112 rc 68 retrying every minute. I doubt if there is replication issue. Thanks, Ashok

2 1

olcSizeLimit become ignored somehow
by Покотиленко Костик 12 Jul '13

12 Jul '13

Hi, We have 1 master + 2 slaves setup (2.4.28, Ubuntu). We had an issue with only 500 search entries returned due to the default limit. I've added olcSizeLimit 100000 parameter to cn=config on all 3 servers and checked that all 3 servers return 500+ entries Ok. In a week or so the problem returned. I've checked - the setting existed on all 3 servers, but only one of them returned 500+, the rest 2 returned only 500 with 4 size limit exceeded. Solution was to change olcSizeLimit to some different value and then back. So, the question is how could slapd "forget" about the olcSizeLimit until it's changed? Known bug? Also, docs state that olcSizeLimit=0 is no limit, in fact it's literal 0. I've seen posts about that in the past, but it seems to still exist.

2 3

Q: Managing entryCSN with slapadd
by Ulrich Windl 12 Jul '13

12 Jul '13

Hi! I have a question: Is there a way to fix entryCSNs for slapadd? Reasoning: With dynamic configuration, sometimes (if you messed up) you'll have to edit your slapcat dump to reinitialize the config database. Unfortunately with replication the entry CSNs seem to casue trouble: If you don't change the CSN, the canges are not replicated, it seems; if you change the CSN, OpenLDAP doesn't seem to like it. I see repeating message slike these: slapd[3017]: Entry olcDatabase={0}config,cn=config CSN 20130709140112.108165Z#000000#000#000000 older or equal to ctx 20130709140112.108165Z#000000#000#000000 slapd[3017]: do_syncrep2: rid=001 CSN too old, ignoring 20130712085712.643156Z#000000#000#000000 (olcDatabase={2}monitor,cn=config) Ist there a way to fix this? Regards, Ulrich Windl

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2013