syncrepl and change in ordering
by Amol Kulkarni
Hello,
I have an OpenLDAP 2.4.30 syncrepl setup which is used by our applications.
There are over 50 servers in the setup.
I want to upgrade our application to the next version. In a single
downtime, all servers cannot be upgraded. So the application will be
upgraded in a phase-wise manner. The application upgrade requires some changes in
the LDAP schemas. I want to update the schemas in the same phases as the
application so as to avoid a separate downtime for the schema update. I'm
planning to update the schema on the consumers first and the provider last so that
during the phases, some servers with old schemas and others with new
schemas both replicate properly.
schemachecking is set to off on all servers.
I understand that new attributes added in the schema will not be present on the
provider at the beginning, so there is no question of their replication.
I've compared the schemas and found that none of the attributes is deleted.
The only change is that for some attributes we have added 'ordering' and for
some we have changed the 'equality'.
I'm not using cn=config - if that is a consideration.
So will it all work?
Is there a better way?
Thanks in advance,
Amol Kulkarni.
6 years, 4 months
Re: ldaps replication question
by wailok tam
Hi, thanks a lot for your reply.
I want to leave the password in text first and go step by step.
Do you mind highlighting those lines needed for an SSL-through-ldaps
configured slave?
I find information about modifying another slapd file under etc/defaults on Debian-based
systems, but I don't know what to do with those on Red Hat 5. What is the corresponding file
on RH and what to do in them on the master and slave?
------------------------------
On Wed, Nov 26, 2014 12:57 PM GMT Dieter Klünter wrote:
>On Wed, 26 Nov 2014 06:39:25 +0000 (UTC)
>wailok tam <wailoktam(a)yahoo.com> wrote:
>
>> Hi, all,
>> I cannot get replication to work even though I get no error message. I
>> change a record on the Master but when I check it on the slave, it
>> remains unchanged. (Is it immediate?) The following command on slave:
>> ldapsearch -x -h [MASTER HOST NAME] -W -D
>> 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=tam)'
>> returns no error message and gives the expected record. I am
>> suspecting I may have screwed up the ssl/tls setting for the slave as
>> I don't know what to put there.
>[...]
>
>This is a simplified slapd.conf that may help.
>
>http://pastebin.com/JcDz6Tkh
>
>-Dieter
>
>--
>Dieter Klünter | Systemberatung
>http://sys4.de
>GPG Key ID: E9ED159B
>53°37'09,95"N
>10°08'02,42"E
6 years, 4 months
using ldap database (multiple upstream servers), how to force reconnect after failover?
by David Young
Hi technical,
We have an openldap server (v2.4.39) which acts as a reverse proxy for 2
backend servers (replicated). The intention is that we use this "proxy"
server for authentication requests for applications which can't handle
SSL, or multiple backend servers, properly.
The implementation works as designed - a query is received from a
client and passed on to the first server defined in olcDbURI (server1). If
the first server is unavailable, after a brief timeout (1 sec), the
query is passed to the second server in olcDbURI (server2).
Here's the problem - server1 is never polled again. Queries continue to
be passed to server2, but when server2 is unavailable, all queries fail,
even if server1 is now available again.
Is there a config directive I can use to force ldap to reattempt the
connection to server1 after the initial failure?
My config is below.
Thanks :)
David
---
dn: olcDatabase={1}ldap
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {1}ldap
olcSuffix: dc=mydomain,dc=net,dc=nz
olcAddContentAcl: FALSE
olcLastMod: FALSE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
olcDbURI: "ldaps://server1 ldaps://server2"
olcDbStartTLS: none starttls=no
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbNetworkTimeout: 1
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
structuralObjectClass: olcLDAPConfig
entryUUID: 01eb5074-6f65-1033-8a02-cd0b00053594
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140514033850Z
olcDbIdleTimeout: 1m
olcDbConnTtl: 5m
entryCSN: 20140514033850.182221Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140514033850Z
6 years, 4 months
Invalid DN errors
by Nick Bright
Greetings,
I hope this is an appropriate mailing list to ask for some assistance. I
will state up front that my LDAP experience is extremely limited -
essentially noob level.
I've been attempting to set up openldap 2.4.39 on CentOS 6 via the
official distribution packages. The server is up and running, and my
application is connecting successfully and attempting to add entries to
the directory; so I believe I have the fundamentals in place, like
the directory manager password and basic base DN. When connecting with
an LDAP browser, I see "dc=valnet,dc=net", which was the configured base DN.
When my application attempts to add to the directory, it searches for the
entry, then adds it if the entry isn't found. I'm receiving this error:
54760bfd conn=1003 op=971 do_search: invalid dn:
"x500UniqueIdentifier=45270,dc=valnet,dc=net"
54760bfd conn=1003 op=971 SEARCH RESULT tag=101 err=34 nentries=0
text=invalid DN
54760bfd conn=1003 op=972 do_add: invalid dn
(x500UniqueIdentifier=45270,dc=valnet,dc=net)
54760bfd conn=1003 op=972 RESULT tag=105 err=34 text=invalid DN
I suspect that I am missing some sort of extremely basic configuration
item, but I've been having a very very difficult time locating relevant
documentation - everything I find in my searches references the old
style configuration, not the new style LDIF configuration with cn=config
directories, nor have I found any information about how to troubleshoot
an "invalid DN" error. It appears that I may be missing a schema file
such as inetOrgPerson or nis.
The application is attempting to create entries with these attributes:
Primary Key: x500UniqueIdentifier
Attributes: cn, uid, sn, givenname, userPassword, dn, x500UniqueIdentifier
I would appreciate some basic guidance as to what to do, or some
direction to the proper documentation or guide for solving "invalid DN"
while attempting to add entries to the directory.
--
-----------------------------------------------
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
-----------------------------------------------
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information& 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------
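LDAP result code 34 is invalidDNSyntax, and slapd validates each RDN value against the syntax of its attribute type when it normalizes a DN; x500UniqueIdentifier has Bit String syntax (RFC 4519), so a value such as 45270 is rejected where a value of the form '0101'B is accepted. The check below reproduces that per-RDN validation for a handful of attribute types; it is an added example, not code from the thread or from OpenLDAP, and its schema table is a constructed subset.

```python
import re

# Attribute syntaxes (constructed subset; syntax OIDs from RFC 4517, assignments from RFC 4519)
BIT_STRING = "1.3.6.1.4.1.1466.115.121.1.6"        # x500UniqueIdentifier (RFC 4519 2.47)
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"  # cn, uid, ou, ...
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"        # dc (RFC 4519 2.4)
ATTR_SYNTAX = {"x500uniqueidentifier": BIT_STRING, "cn": DIRECTORY_STRING,
               "uid": DIRECTORY_STRING, "ou": DIRECTORY_STRING, "dc": IA5_STRING}
# RFC 4517 Bit String form: a quoted run of 0/1 digits followed by B, e.g. '0101'B
BIT_STRING_RE = re.compile(r"^'[01]*'B$")

def split_unescaped(text, sep):
    """Split on sep while honouring RFC 4514 backslash escapes (e.g. cn=Bright\\, Nick)."""
    parts, cur, escaped = [], [], False
    for ch in text:
        if not escaped and ch == sep:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        escaped = (ch == "\\") and not escaped
    parts.append("".join(cur))
    return parts

def validate_value(attr, value):
    """None if value fits attr's syntax, else the reason (what a bare err=34 hides)."""
    syntax = ATTR_SYNTAX.get(attr.lower())
    if syntax is None:
        return f"{attr}: attribute type not in this check's schema table"
    if value == "":
        return f"{attr}: empty RDN value"
    if syntax == BIT_STRING and not BIT_STRING_RE.match(value):
        return f"{attr}: Bit String syntax needs a value like '0101'B, got {value!r}"
    if syntax == IA5_STRING and not value.isascii():
        return f"{attr}: IA5 String syntax needs ASCII, got {value!r}"
    return None

def check_dn(dn):
    """Mirror slapd's per-RDN syntax validation of a DN; [] means the DN is valid."""
    problems = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs join AVAs with '+'
            if "=" not in ava:
                problems.append(f"{ava!r}: RDN is not attribute=value")
                continue
            attr, value = ava.split("=", 1)
            msg = validate_value(attr.strip(), value.strip())
            if msg:
                problems.append(msg)
    return problems

if __name__ == "__main__":
    for dn in ("x500UniqueIdentifier=45270,dc=valnet,dc=net",
               "x500UniqueIdentifier='1011000010000110'B,dc=valnet,dc=net"):
        print(dn, "->", check_dn(dn) or "valid DN")
```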
6 years, 4 months
Setting SSL/TLS options in client code?
by Scott Neugroschl
Right now, I'm passing an ldaps:// URI to ldap_initialize. I'd like to be able to change the SSL/TLS options before initiating the connection. Is such a thing possible?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
6 years, 4 months
TLS Configuration
by Hydro Tium
Hi guys,
I'm struggling to configure my OpenLDAP with TLS (openssl) without
success. I'm receiving the following error:
$ sudo slapd -d 3
...
TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed
5475ca9c main: TLS init failed: -1
My configuration is the following:
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /var/run/slapd/slapd.pid
olcArgsFile: /var/run/slapd/slapd.args
olcIdleTimeout: 7
olcLogLevel: conns filter stats none
olcReferral: ldap://root.openldap.org
olcTLSCACertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateFile: /etc/ssl/certs/My_Root_CA.pem
olcTLSCertificateKeyFile: /etc/ldap/server.key.pem
olcTLSVerifyClient: demand
olcTLSRandFile: /dev/urandom
Any clues on how to solve this one?
6 years, 4 months
Cannot add to mdb
by Da Rock
I'm trying to get openldap to play nice with mdb given that it is the
"recommended" database backend for it now - although the conf wasn't an
issue, except that I'm playing with the new cn=config setup we're expected
to use now as well (even though it is mainly broken).
My issue is that it seems to not respond like the older bdb/hdb
databases. And when I say respond, I mean it hangs the ldapadd and makes
slapd go into conniptions. I see slapd go to 100% WCPU and not come down
as well as going into a uwait state. I've left it going for 10 minutes
or more with no change, and I'm only adding 1 small entry of less than 10
lines. Strangely, I can still view other entries in the specific db as
well as access the rest of the server, which I won't complain about (aren't
threads a wonderful invention?).
So coming to the experts - got a fix at all? Or should I just go back to
ye olde db backends? At this point I have a db I can't add anything to.
And before anyone asks, there is practically nothing in the logs that I
can see; and I set the logging to everything (-1). I see recognition of
the user in the acl and then nothing. The only possible curious entry is
some blank lines and a number (that changes each time), so nothing
informative.
I set it up using cn=config (and I'm still not entirely convinced
that I will keep cn=config, but apparently it could be gone next version
according to the grapevine, so the consensus is to suck it up and get
used to it or your panties will get in a bunch and around your ankles
when the upgrade comes along), and I've got only olcDBMaxSize,
olcSizeLimit (not sure exactly which of these 2 can go just yet),
olcDBMode, olcDBDirectory, and olcDatabase and obviously the root attrs.
My max size I've set larger than 50M (so 7 digits), which is larger than
what I have in another db so far, and I figure I can add more if needed
- currently it is sitting at 64k.
I'm using FreeBSD 9.1; the ports OpenLDAP version is 2.4.40_1 with bdb/hdb
and mdb set in config. But I notice lmdb is not installed as a
dependency - is this right?
I've been on this for nearly a week now with no further advancement, so any
help would be very welcome at this point. No googling seems to find
anything remotely similar either.
TIA
6 years, 4 months
Unexpected growth in mdb database file
by Rene B. Elgaard
I have gone through an upgrade process from OpenLDAP 2.4.21 to 2.4.40 and
took the opportunity to switch from the bdb backend to mdb.
I am experiencing an (in my eyes) unexpected growth of the mdb database
file.
Two types of setup:
Setup 1: One master, one slave
Setup 2: Two masters MMR (read, write, syncrepl goes to one master, three
slaves)
I see the growth in both setups on the master which services read, write
and syncrepl.
In setup 2 the master which is "idle" and only syncrepl's with the other
master does not grow more than expected.
Example from setup 2:
Servicing master:
-rw------- 1 openldap openldap 4294963200 Nov 26 10:18 data.mdb
Non-servicing master:
-rw------- 1 openldap openldap 271347712 Nov 26 10:18 data.mdb
Quite a difference !
A slapcat on the servicing master shows that I have nowhere near 4 GB
of data; here from my nightly backup:
-rw------- 1 openldap openldap 73389431 Nov 25 23:46
20141125234504_slapd-dump.ldif
I have the same backend configuration on all masters:
database mdb
maxsize 8589934592
suffix "c=<country>"
rootdn "cn=Manager,o=<some-org>,c=<country>"
rootpw <some-pw>
directory <some-path>
index objectClass,entryCSN,entryUUID eq
No overlays involved.
Operating system is Solaris 10.
OpenLDAP is compiled with Oracle's compiler; the compiler flags are:
export CC="cc"
export CFLAGS="-m64 -fast -D_AVL_H"
Unsure how to proceed. Should I file an ITS (it looks somewhat like 7974
though)?
I may also have missed something entirely...
Happy to provide further info.
/Rene
6 years, 4 months
OpenLDAP incroyable!
by Onno van der Straaten
What was created with OpenLDAP is incredible. Truly.
I'm experienced with open source, but I have never before seen a system that is so
archaic. Amazing. The way that configuration works is something that has to
be seen and experienced to be believed.
There must be strong commercial interest served here to create a system
that works in this manner. It allows for configuration changes that corrupt
the installation but will not allow manual correction of the configuration.
Chicken and egg. To correct the configuration you have to start OpenLDAP and
ldapmodify the config files. But.... OpenLDAP will not start because the
configuration is not correct. Really funny. And if you try to manually undo
your changes, OpenLDAP will completely refuse to put itself into something
that resembles a working configuration.
It is fairly easy to make configuration changes that corrupt the database.
Documentation is often incorrect or non-existent. For example, try to add
SHA-2 support. Accidentally adding a non-existent hash method will create a
corrupt configuration. If you restart slapd it will fail to start. To
correct the configuration you need to start slapd. To start slapd you need
a correct configuration. It is the end of your efforts.
I'm not doing this on a production system of course; I am trying to create
a production system where OpenLDAP is one of the many components. So far
most of the effort is OpenLDAP effort. It is consuming most of the project
budget. A project of a couple of days turns into a project for a couple of
weeks.
We just need an LDAP user directory. OpenLDAP is not it.
6 years, 4 months
ldaps replication question
by wailok tam
Hi, all,
I cannot get replication to work even though I get no error message. I change a record on the Master but when I check it on the slave, it remains unchanged. (Is it immediate?)
The following command on the slave: ldapsearch -x -h [MASTER HOST NAME] -W -D 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=tam)'
returns no error message and gives the expected record.
I am suspecting I may have screwed up the ssl/tls setting for the slave as I don't know what to put there. The master is set to use ssl/tls and it communicates fine with the client through the ldaps protocol.
Your help is much needed.
First comes the slapd.conf of the slave (I don't have the lines for ssl certs. I just use the ldaps address in the replication directive. Is that enough?):
### configuration for IER
### written by T.Tanaka
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw SLAVEPW
directory /var/lib/ldap
# Replicas of this database
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000
access to attrs=userPassword
  by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by self write
  by anonymous auth
  by * none
access to *
  by dn="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by self write
  by * read
#loglevel stats sync
syncrepl rid=001
  provider=ldaps://mail.ier.hit-u.ac.jp
  type=refreshAndPersist
  interval=00:00:05:00
  searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp"
  binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
  credentials=SLAVEPW
Next comes the slapd.conf of the master:
### configuration for IER
### written by T.Tanaka
### edited by WL.Tam
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=ier,dc=hit-u,dc=ac,dc=jp"
rootdn "cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp"
rootpw MASTERPW
directory /var/lib/ldap
TLSCACertificateFile /usr/share/ssl/certs/nii-odca2.crt
TLSCertificateFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.crt
TLSCertificateKeyFile /usr/share/ssl/certs/mail.ier.hit-u.ac.jp.key
overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 100
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
idlcachesize 1000
access to attrs=userPassword
  by self write
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by anonymous auth
  by * none
access to attrs=SambaLMPassword,SambaNTPassword
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn="cn=dovecot,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by self read
  by anonymous auth
  by * none
access to *
  by self write
  by dn="cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp" write
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by * read
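One consistency check a practitioner would run over the two files above, added here as an example that is not part of the thread: it joins slapd.conf continuation lines, pulls the syncrepl binddn out of the consumer's config, and reports the access level each of the provider's ACLs ends up granting that exact DN. The embedded input is a constructed subset of the configs posted above (placeholders kept); in it the consumer binds as uid=replicator,... while the provider's ACLs name cn=replicator,..., which the check surfaces. Whether that is the cause of the missing replication is not established in the thread.

```python
import re
import shlex

# Constructed subsets of the slave and master slapd.conf posted above (placeholders kept)
CONSUMER_CONF = """\
syncrepl rid=001 provider=ldaps://mail.ier.hit-u.ac.jp type=refreshAndPersist
  searchbase="dc=ier,dc=hit-u,dc=ac,dc=jp" credentials=SLAVEPW
  binddn="uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp"
"""
PROVIDER_CONF = """\
access to attrs=userPassword by self write
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read
  by anonymous auth by * none
access to * by self write
  by dn.exact="cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp" read by * read
"""

def logical_lines(conf):
    """Join slapd.conf continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in conf.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            if raw[0] in " \t" and out:
                out[-1] += " " + raw.strip()
            else:
                out.append(raw.strip())
    return out

def norm_dn(dn):
    """Case-fold and strip whitespace around commas so two spellings of a DN compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def syncrepl_binddn(consumer_conf):
    """The DN the consumer binds with for replication, or None if not configured."""
    for line in logical_lines(consumer_conf):
        toks = shlex.split(line)
        if toks and toks[0].lower() == "syncrepl":
            binddn = [t.split("=", 1)[1] for t in toks if t.lower().startswith("binddn=")]
            return binddn[0] if binddn else None
    return None

def acl_access_for(provider_conf, binddn):
    """(what, level, explicit) per 'access to' directive for an authenticated binddn.
    explicit is False when only 'by *' / 'by users' (or nothing) matched the DN;
    'by self' and 'by anonymous' clauses are not evaluated here."""
    want, result = norm_dn(binddn), []
    for line in logical_lines(provider_conf):
        toks = shlex.split(line)
        if [t.lower() for t in toks[:2]] != ["access", "to"]:
            continue
        level, explicit = "none", False  # first matching 'by' clause wins, else none
        for i in [i for i, t in enumerate(toks) if t.lower() == "by"]:
            m = re.match(r"dn(?:\.exact)?=(.*)", toks[i + 1], re.I)
            if (m and norm_dn(m.group(1)) == want) or toks[i + 1] in ("*", "users"):
                level, explicit = toks[i + 2], bool(m)
                break
        result.append((toks[2], level, explicit))
    return result
```

Run `acl_access_for(PROVIDER_CONF, syncrepl_binddn(CONSUMER_CONF))` to see that the bound replicator gets "none" on userPassword and only catch-all read elsewhere, and repeat with the cn=replicator DN to see the explicit grants.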
6 years, 4 months