Q: Multi-Master setup
by Ulrich Windl
Hi!
I have a few questions for multi-master mode:
1) olcServerID (two arguments): if a node's slapd binds to some interface alias address, do I need an olcServerID for that interface alias, do I need an olcServerID for the physical host, or do I need both?
2) What is the correct syntax for the second argument (URI): Do you need a final slash, do you need the port? Currently I'm using a syntax like "olcServerID: 1 ldap://ldap.domain.org"
3) For the syncrepl provider, what is the syntax of the provider URI: with a trailing slash, with a port, or with neither? Currently I'm using a syntax like "olcServerID: 1 ldap://ldap.domain.org/"
4) Do I need olcUpdateRef? If so, for every server in the multi-master group? My guess is that without olcUpdateRef each server will accept local changes and sync those out.
5) How does "mirrormode=on" affect a multi-master setup? I'm dealing with a configuration tool (SLES11 SP2 YaST) that seems to have trouble with some configuration settings, so I wonder what the correct configuration will look like.
6) On "split brain": If one server is separated from the rest, and that server receives updates, and the rest receives updates also: The latest update of an entry will overwrite older entries once the servers join again, right? Once delta-syncrepl will work for multi-master, will the latest attribute change (as opposed to the latest entry change) be propagated to the rest?
I read the documentation, but could not find answers to all of the questions above. Maybe someone can help.
Regards,
Ulrich
7 years, 8 months
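Added example, not from the thread and not OpenLDAP's own documentation text: a cn=config fragment in the shape the OpenLDAP Administrator's Guide uses for N-way multi-master replication, where the same olcServerID list and the same syncrepl stanzas (one per provider, the node's own URI included) are loaded on every node and olcMirrorMode is set on the replicated database. The olcServerID URIs are written without port or trailing slash, as in the Guide's example; the hostnames, the database index and type ({1}mdb), the binddn and the credentials are placeholders.

```ldif
# Global serverID list: identical on every node. ldap1/ldap2.example.org are placeholders.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.example.org
olcServerID: 2 ldap://ldap2.example.org

# Same stanzas on every node, one per provider URI, as in the Guide's N-way example.
# {1}mdb, binddn and credentials are placeholders for your own database and replication account.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap1.example.org binddn="cn=admin,dc=example,dc=org"
  bindmethod=simple credentials=PLACEHOLDER searchbase="dc=example,dc=org"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: rid=002 provider=ldap://ldap2.example.org binddn="cn=admin,dc=example,dc=org"
  bindmethod=simple credentials=PLACEHOLDER searchbase="dc=example,dc=org"
  type=refreshAndPersist retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
```

In cn=config the slapd.conf keyword "mirrormode on" is spelled olcMirrorMode: TRUE; a leading single space on a line continues the previous LDIF value.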
Regarding Queries for Ldap authentication
by Ashutosh Tiwari
Hello,
I am calling ldap_init and ldap_bind_s from our code; when calling
ldap_init, we are passing multiple hosts to it, so I want to know
what the retry count for connecting to a down server is, the time to wait
for a connection, etc.
Are these parameters configurable? Where can I look into the details of this?
Thanks & Regards,
Ashutosh Tiwari
7 years, 8 months
Q: "stable" slapcat / slapadd?
by Ulrich Windl
Hi!
I used to dump the OpenLDAP databases using slapcat (as suggested for backup). As an optimization I avoid storing identical databases.
However, I have seen changes that were not actually made, so my questions are:
Is slapcat expected to be stable, i.e. report entries and attributes in a specific ordering?
Is slapadd expected to be stable, i.e. add entries and attributes the same way when they come from the same LDIF file?
I had just removed the entryCSN on cn=config, and I see differences after removing and rebuilding the config database that were not made in the LDIF file:
--- /tmp/1 2013-07-12 14:49:35.000000000 +0200
+++ /tmp/2 2013-07-12 14:49:35.000000000 +0200
@@ -4,6 +4,10 @@
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth dn
:cn=config
+olcLogLevel: config
+olcLogLevel: stats
+olcLogLevel: sync
+olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcServerID: 1 ldap://rksapds1.site
olcServerID: 2 ldap://rksapds2.site
@@ -19,10 +23,6 @@
entryUUID: db3f4d44-7c0e-1032-81c4-d54356bd918f
creatorsName: cn=config
createTimestamp: 20130708113956Z
-olcLogLevel: config
-olcLogLevel: stats
-olcLogLevel: sync
-olcLogLevel: none
entryCSN: 20130712095650.995134Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130712095650Z
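Review bot: the four olcLogLevel values removed here are byte-identical to the four added at the top of the same cn=config entry in the previous hunk, so the entry's content is unchanged and only the attribute position differs: the old dump has them after createTimestamp, among the operational attributes, while the new dump has them with the other user attributes before olcPidFile. A change detector that diffs raw slapcat output will flag this as a modification; compare dumps after sorting the attributes within each entry (and, if only content matters, after dropping entryCSN and modifyTimestamp) instead.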
@@ -2152,12 +2152,12 @@
dn: olcDatabase={2}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {2}monitor
+olcAccess: {0}to dn.subtree="cn=monitor" by dn.base="cn=Admin,dc=censored
+ ,dc=uni-regensburg,dc=de" write by users read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 20f4a254-7f1a-1032-9c35-67ae7acd0417
creatorsName: cn=config
createTimestamp: 20130712083810Z
-olcAccess: {0}to dn.subtree="cn=monitor" by dn.base="cn=Admin,dc=censored
- ,dc=uni-regensburg,dc=de" write by users read by * none
entryCSN: 20130712085712.643156Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130712085712Z
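Review bot: the same pattern in the olcDatabase={2}monitor entry: the olcAccess value, including its folded continuation line, is identical on the + and - sides and only moves from after createTimestamp to before structuralObjectClass, while entryCSN and modifyTimestamp are unchanged context, so nothing about the ACL itself changed. Note that the continuation line starting with a single space (" ,dc=uni-regensburg,dc=de") is part of one LDIF value; any comparison tool has to unfold such lines before sorting, or the two halves will be sorted apart.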
Regards,
Ulrich
7 years, 9 months
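Added example, not part of the thread: a small canonicaliser for slapcat LDIF dumps that unfolds continuation lines, sorts entries by DN and attributes by name and value, and optionally drops the operational attributes that change on every modify, so two dumps that differ only in attribute order (as the diff above does) compare equal. The two sample dumps are constructed for the example and modelled on the olcLogLevel hunks.

```python
VOLATILE = {"entrycsn", "modifytimestamp", "modifiersname", "contextcsn"}  # rewritten on every modify

def parse_ldif(text):
    # Returns {dn: [(attr, value), ...]}; folded lines (leading space) are joined first.
    lines, entries, dn = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        if not line.strip():
            dn = None                     # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64" keeps its marker on the name
            attr, value = attr + ":", value[1:]
        if attr.lower() == "dn":
            dn = value.strip()
            entries[dn] = []
        elif dn is not None:
            entries[dn].append((attr, value.strip()))
    return entries

def canonical(entries, drop_volatile=True):
    # Entries sorted by DN and attributes by (name, value): independent of slapcat's order.
    out = []
    for dn in sorted(entries, key=str.lower):
        attrs = entries[dn]
        if drop_volatile:
            attrs = [(a, v) for a, v in attrs if a.lower() not in VOLATILE]
        out.append("dn: " + dn)
        out.extend(f"{a}: {v}" for a, v in sorted(attrs, key=lambda av: (av[0].lower(), av[1])))
        out.append("")
    return out

def same_content(ldif_a, ldif_b, drop_volatile=True):
    return canonical(parse_ldif(ldif_a), drop_volatile) == canonical(parse_ldif(ldif_b), drop_volatile)

# Constructed dumps modelled on the thread: same entry, olcLogLevel in a different position.
DUMP_A = """dn: cn=config
olcPidFile: /var/run/slapd/slapd.pid
olcLogLevel: stats
olcLogLevel: sync
entryCSN: 20130712095650.995134Z#000000#000#000000"""
DUMP_B = """dn: cn=config
olcLogLevel: stats
olcLogLevel: sync
olcPidFile: /var/run/slapd/slapd.pid
entryCSN: 20130712100000.000000Z#000000#000#000000"""
```

Feed the output of `canonical()` for two dumps to a normal diff, or call `same_content()` to decide whether a new backup copy is worth storing.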
How to make a temporary password expire?
by jeevan kc
With the OpenLDAP password policy I was able to lock the account after a certain number of failed login attempts. When I reset the password, the user can log in whenever. What I want to ask is, is there a way to make the password expire if the user doesn't log in within, let's say, 24 hours after the password has been reset? Thank you!
Jeevan
7 years, 9 months
Re: ldap syncrepl issue.
by Ashok Kumar Shah
Is there a reliable way to determine whether an LDAP slave is in sync with the master?
Currently I am using the ContextCSN diff between master and slave to determine
the lag.
Thanks in advance.
Ashok
On Fri, Jul 12, 2013 at 9:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, July 12, 2013 5:40 PM +0530 Ashok <ashok.shah(a)flipkart.com>
> wrote:
>
>> Hi,
>>
>> I am running an ldap master and multiple slaves with a RefreshandPersist config.
>> ldap search for a user shows different sets of records. ContextCSN on
>> master and slave are exactly the same.
>> What can I do to fix this? I tried restarting the slave ldap but it didn't help.
>> Also I keep getting do_syncrepl: rid=112 rc 68 retrying every minute. I
>> doubt if there is a replication issue.
>
> It sounds like it is resyncing the DB, and skipping entries that already
> exist: LDAP_ALREADY_EXISTS is error code 68.
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
7 years, 9 months
OTP
by Vishesh kumar
Can anyone point me in the right direction for setting up OTP authentication in
OpenLDAP? A reference to a URL or guide will be sufficient.
--
Thanks & Regards
Vishesh Kumar
http://linuxmantra.com
7 years, 9 months
Re: Antw: Re: olcSizeLimit become ignored somehow
by Quanah Gibson-Mount
--On Friday, July 12, 2013 8:06 AM +0200 Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> Quanah Gibson-Mount <quanah(a)zimbra.com> wrote on 11.07.2013 at 20:56
> in message <3CC7F3DA0AFBA8ED75D07A48(a)[192.168.1.28]>:
>> --On Thursday, July 11, 2013 9:36 PM +0300 Покотиленко
>> Костик <casper(a)meteor.dp.ua> wrote:
>>
>>> Hi,
>>>
>>> We have 1 master + 2 slaves setup (2.4.28, Ubuntu).
>>
>> Why are you running such an ancient version of OpenLDAP? Get a current
>> release and then see if you have issues.
>
> For your records: SLES11 SP2 currently has 2.4.26, and SLES10 SP4 has
> 2.3.32. Both are still "supported" by the vendor.
> Basically those versions seem to work also ;-)
What does this have to do with anything? Using distribution provided
OpenLDAP builds is generally an extremely bad idea.
Please keep replies to the list as well.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
7 years, 9 months
ldap syncrepl issue.
by Ashok
Hi,
I am running an ldap master and multiple slaves with a RefreshandPersist config.
ldap search for a user shows different sets of records. ContextCSN on
master and slave are exactly the same.
What can I do to fix this? I tried restarting the slave ldap but it didn't
help. Also I keep getting do_syncrepl: rid=112 rc 68 retrying every
minute. I doubt if there is a replication issue.
Thanks,
Ashok
7 years, 9 months
olcSizeLimit become ignored somehow
by Покотиленко Костик
Hi,
We have a 1 master + 2 slaves setup (2.4.28, Ubuntu). We had an issue with
only 500 search entries being returned due to the default limit. I added an
olcSizeLimit 100000 parameter to cn=config on all 3 servers and checked
that all 3 servers return 500+ entries OK.
In a week or so the problem returned. I checked: the setting existed
on all 3 servers, but only one of them returned 500+; the other 2
returned only 500 with "4 size limit exceeded".
The solution was to change olcSizeLimit to some different value and then
back.
So, the question is: how could slapd "forget" about the olcSizeLimit
until it's changed? Is this a known bug?
Also, the docs state that olcSizeLimit=0 means no limit; in fact it's a literal
0. I've seen posts about that in the past, but it seems to still exist.
7 years, 9 months
Q: Managing entryCSN with slapadd
by Ulrich Windl
Hi!
I have a question: Is there a way to fix entryCSNs for slapadd? Reasoning: With dynamic configuration, sometimes (if you messed up) you'll have to edit your slapcat dump to reinitialize the config database. Unfortunately, with replication the entry CSNs seem to cause trouble:
If you don't change the CSN, the changes are not replicated, it seems; if you change the CSN, OpenLDAP doesn't seem to like it.
I see repeating messages like these:
slapd[3017]: Entry olcDatabase={0}config,cn=config CSN 20130709140112.108165Z#000000#000#000000 older or equal to ctx 20130709140112.108165Z#000000#000#000000
slapd[3017]: do_syncrep2: rid=001 CSN too old, ignoring 20130712085712.643156Z#000000#000#000000 (olcDatabase={2}monitor,cn=config)
Is there a way to fix this?
Regards,
Ulrich Windl
7 years, 9 months
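Added example, not part of either thread, serving Ashok's question about measuring replication lag from contextCSN values and Ulrich's "older or equal to ctx" messages above: it parses the CSN format (timestamp, change count, serverID and modification counter, the last three in hex), compares CSNs the way the log messages do (fixed-width fields, so string order is chronological and an equal CSN is not newer), and computes per-serverID lag between a provider's and a consumer's contextCSN lists. The sample contextCSN values are constructed for the example.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class CSN(NamedTuple):
    time: datetime   # wall-clock part, UTC
    count: int       # change counter within the same microsecond (hex in the string)
    sid: int         # serverID of the provider that made the change (hex)
    mod: int         # modification counter (hex)

def parse_csn(text):
    """Parse 'YYYYmmddHHMMSS.ffffffZ#cccccc#sid#mmmmmm' into its four fields."""
    when, count, sid, mod = text.split("#")
    stamp = datetime.strptime(when, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return CSN(stamp, int(count, 16), int(sid, 16), int(mod, 16))

def csn_newer(entry_csn, ctx_csn):
    """True only if entry_csn is strictly newer. Fields are fixed-width, so plain string
    order is chronological; an entry CSN equal to the contextCSN is 'older or equal'."""
    return entry_csn > ctx_csn

def _by_sid(context_csns):
    # contextCSN is multi-valued on multi-provider setups: one value per serverID.
    return {parse_csn(c).sid: c for c in context_csns}

def in_sync(provider_ctx, consumer_ctx):
    """Consumer is caught up when, for every serverID the provider knows, it holds a
    contextCSN that is not older. Equal contextCSNs do not prove identical content
    (the rc=68 case in the thread); treat this as a lag indicator, not a consistency proof."""
    prov, cons = _by_sid(provider_ctx), _by_sid(consumer_ctx)
    return all(sid in cons and cons[sid] >= csn for sid, csn in prov.items())

def replication_lag(provider_ctx, consumer_ctx):
    """Seconds the consumer trails the provider, per serverID; None when the consumer
    has no contextCSN for that serverID at all."""
    prov, cons = _by_sid(provider_ctx), _by_sid(consumer_ctx)
    lag = {}
    for sid, csn in prov.items():
        if sid not in cons:
            lag[sid] = None
        else:
            lag[sid] = (parse_csn(csn).time - parse_csn(cons[sid]).time).total_seconds()
    return lag

# Constructed sample: two providers; the consumer trails serverID 1 by 10 seconds.
PROVIDER_CTX = ["20130712095650.995134Z#000000#001#000000",
                "20130712090000.000000Z#000000#002#000000"]
CONSUMER_CTX = ["20130712095640.995134Z#000000#001#000000",
                "20130712090000.000000Z#000000#002#000000"]
```

Read the two lists with an ldapsearch for the contextCSN attribute on the suffix entry of each server and pass them in; the timestamp part of a CSN is the provider's clock, so a lag measurement is only as good as the clock synchronisation between the servers.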