Re: Removing unused schemas - recommended?
by Quanah Gibson-Mount
--On Wednesday, December 10, 2014 8:49 AM +1300 Chris Neilson
<crusty.chris(a)gmail.com> wrote:
Please keep replies on the list.
> OK thanks. So no performance gains by excluding schemas. Sweet.
> When working with syncrepl, does it matter if the consumer has schemas
> imported in a different order? Or if the consumer has more schemas than
> the provider (obviously assuming you're not replicating cn=config)?
It shouldn't matter, order wise, but I personally prefer to have all
systems load in the same order.
If you have "extra" schema on a consumer that's never being used, then it
shouldn't affect replication.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
8 years, 9 months
Removing unused schemas - recommended?
by Chris Neilson
I'm having a few issues wrapping my head around how schemas should be
implemented.
If I do a default install of openldap (2.4.23) on CentOS 6 the following
schemas are automatically included:
cn={0}corba.ldif
cn={1}core.ldif
cn={2}cosine.ldif
cn={3}duaconf.ldif
cn={4}dyngroup.ldif
cn={5}inetorgperson.ldif
cn={6}java.ldif
cn={7}misc.ldif
cn={8}nis.ldif
cn={9}openldap.ldif
cn={10}ppolicy.ldif
cn={11}collective.ldif
I assume this is done because it allows for a fairly flexible directory
that Just Works for nearly everyone.
However, many of these schemas contain attributes that I do not use; in
fact, I can cut down the list of schemas that contain attributes I
knowingly use to the following:
cn={0}core.ldif
cn={1}cosine.ldif
cn={2}inetorgperson.ldif
cn={3}nis.ldif
cn={4}customschema.ldif
My issue is that I am not sure if there is any benefit for removing the
unused schemas (i.e. I could have just added my customschema as
cn={12}customschema.ldif to the default install but I was worried there
would be a performance penalty or security issue with including the
unused schemas).
Is it advisable to remove unused schemas? Does including unused schemas
result in any sort of performance penalty (e.g. while booting or when
doing searches)?
If I want to use syncrepl to replicate my data do I have to have the
exact same list of schemas in the same order on the consumer (i.e. does
the number in the curly braces matter)? If I add a schema to a consumer
does it have to be added to the provider as well even if the attributes
it contains are unused?
8 years, 9 months
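The schema question above (and Quanah's reply at the top of the page) comes down to one check a practitioner wants to run before enabling syncrepl: does the consumer know every schema the provider uses, never mind the {N} index or the order. The following is an added example written for this page, not code from either poster or from the OpenLDAP project. It parses the cn={N}name entries as they appear both in the filenames listed above and in cn=config DNs (cn={N}name,cn=schema,cn=config), then classifies the difference between two servers. The sample lists are constructed: the provider runs the trimmed list from the question, the consumer kept the CentOS default list and appended the custom schema as cn={12}.

```python
import re

# Constructed sample data for this example: filenames on the provider side,
# cn=config DNs on the consumer side, as "ldapsearch -b cn=schema,cn=config dn"
# would return them.
PROVIDER = [
    "cn={0}core.ldif", "cn={1}cosine.ldif", "cn={2}inetorgperson.ldif",
    "cn={3}nis.ldif", "cn={4}customschema.ldif",
]
CONSUMER = [
    "cn={0}corba,cn=schema,cn=config", "cn={1}core,cn=schema,cn=config",
    "cn={2}cosine,cn=schema,cn=config", "cn={3}duaconf,cn=schema,cn=config",
    "cn={4}dyngroup,cn=schema,cn=config", "cn={5}inetorgperson,cn=schema,cn=config",
    "cn={6}java,cn=schema,cn=config", "cn={7}misc,cn=schema,cn=config",
    "cn={8}nis,cn=schema,cn=config", "cn={9}openldap,cn=schema,cn=config",
    "cn={10}ppolicy,cn=schema,cn=config", "cn={11}collective,cn=schema,cn=config",
    "cn={12}customschema,cn=schema,cn=config",
]

# Accepts "cn={N}name.ldif" (file on disk) and "cn={N}name,cn=schema,cn=config" (DN).
SCHEMA_RE = re.compile(r"^cn=\{(\d+)\}(.+?)(?:\.ldif)?(?:,cn=schema,cn=config)?$")


def parse_schema_list(items):
    """Return schema names in load order, i.e. sorted by the {N} index.
    The index is only the position slapd assigned when it loaded the file,
    so it is dropped once the order is known."""
    parsed, seen = [], set()
    for item in items:
        m = SCHEMA_RE.match(item.strip())
        if not m:
            raise ValueError(f"not a schema entry: {item!r}")
        idx, name = int(m.group(1)), m.group(2)
        if idx in seen:
            raise ValueError(f"duplicate index {{{idx}}} in {item!r}")
        seen.add(idx)
        parsed.append((idx, name))
    parsed.sort()
    return [name for _, name in parsed]


def compare_schema_sets(provider_items, consumer_items):
    """Classify the difference between two servers' loaded schema.

    Only missing_on_consumer matters for syncrepl: the consumer cannot store
    entries that carry attribute types or object classes it has not loaded.
    Extra schema on the consumer is harmless while nothing uses it, and a
    different load order of the common schema is cosmetic."""
    prov = parse_schema_list(provider_items)
    cons = parse_schema_list(consumer_items)
    common_in_provider_order = [n for n in prov if n in cons]
    common_in_consumer_order = [n for n in cons if n in prov]
    return {
        "missing_on_consumer": [n for n in prov if n not in cons],
        "extra_on_consumer": [n for n in cons if n not in prov],
        "same_relative_order": common_in_provider_order == common_in_consumer_order,
        "replication_safe": all(n in cons for n in prov),
    }


if __name__ == "__main__":
    for key, value in compare_schema_sets(PROVIDER, CONSUMER).items():
        print(f"{key}: {value}")
```

Run against the two constructed lists it reports no missing schema, eight unused extras on the consumer, and the same relative order, so replication is safe; swap the arguments and the eight extras become missing schema, which is the case that actually breaks a consumer.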
adding a custom attribute
by Igor Shmukler
Hello,
I want to have the ability to add "custom attribute[s]" to my LDAP records.
For example, such an attribute could be sipTelephone, mobile and/or
something else.
I did a little digging. Please advise whether I am on the right track.
My understanding, at present, is that I would have to modify
core.schema [located on my Ubuntu under /etc/ldap/schema ] and perhaps
some other schema files from the same directory.
I found various syntax OIDs. For telephones, for example -
1.3.6.1.4.1.1466.115.121.1.50 should be the right one. There is
another OID for strings - 1.3.6.1.4.1.1466.115.121.1.15 for UTF-8
coded strings.
Is editing core.schema the correct way to go? I am eagerly looking for advice.
Thank you for reading my question this far. I have been saved twice by
people on this list. Appreciate your help very much.
Sincerely,
Igor Shmukler
8 years, 9 months
A TLS fatal alert has been received
by Scutulat Um
Hello guys,
I'm having trouble figuring out a TLS fatal error. It seems that the certs
are being read but a broken pipe appears suddenly (I don't know exactly what
it means).
Here's the command I'm running:
$ ldapsearch -LLLxWD cn=manager,dc=example,dc=com -b dc=apsidis,dc=com -ZZ -d 3
ldap_start_tls: Connect error (-11)
additional info: A TLS fatal alert has been received.
Here's part of the debug output:
<Some certs info...>
...
tls_write: want=523, written=523
0000: 16 03 03 02 06 10 00 02 02 02 00 9e 22 0e d5 86  ............"...
0010: 69 a5 a2 29 f6 76 11 19 f6 2d db a9 e8 f5 27 26  i..).v...-....'&
0020: da 74 85 e4 22 92 50 37 ef e8 8b 31 6e 32 c6 84  .t..".P7...1n2..
0030: 2c 61 79 65 b0 56 9e bf 3e 97 3d 9a 6d 61 80 70  ,aye.V..>.=.ma.p
0040: f7 d9 dc 5f e6 40 f7 af 12 92 61 4f 56 fe 52 55  ..._.@....aOV.RU
0050: e0 3a 57 21 c4 d4 27 58 20 ba fb e2 74 9e f8 08  .:W!..'X ...t...
0060: ec 4b 2a b1 93 f1 06 e3 0b a8 d1 d1 b3 f8 e4 c4  .K*.............
0070: d4 b7 0a 22 7f a6 01 17 00 92 bb 12 99 68 2a 6f  ...".........h*o
0080: 43 96 7d b1 da 80 fb 53 7e a4 71 40 51 50 46 5e  C.}....S~.q@QPF^
0090: a8 09 fc ab e9 10 90 27 2f a5 46 16 41 45 1d 95  .......'/.F.AE..
00a0: 0d f2 d4 a1 d7 62 40 dd ba 5e d2 7a 47 10 14 83  .....b@..^.zG...
00b0: 60 2f be 66 a8 a8 6e 82 1a bc 61 45 d7 6c c2 e5  `/.f..n...aE.l..
00c0: b3 07 b8 e1 6e a7 ca e1 22 50 79 5a 01 60 5f 0d  ....n..."PyZ.`_.
00d0: ec f3 f5 a3 c2 f9 9d b1 52 cc 88 f9 65 de 74 58  ........R...e.tX
00e0: c1 b7 a8 e7 b7 c7 81 a0 8b ee 40 8c f3 a5 d2 b5  ..........@.....
00f0: 22 58 bd 87 d5 55 6e 32 a0 b5 2e 7a b7 a5 6b aa  "X...Un2...z..k.
0100: 6f ab 32 37 bb bb f7 e5 ed 5c 79 16 93 94 ac 35  o.27.....\y....5
0110: 80 2b 9e d3 e6 c9 7e ef 3f 46 26 64 e4 40 ec f8  .+....~.?F&d.@..
0120: 69 30 3e c5 61 0e 06 3a 2b 88 72 ef df aa d0 50  i0>.a..:+.r....P
0130: b9 b0 8e 7b 0a e1 2a 61 6d d6 75 1a 2d 04 bf 8e  ...{..*am.u.-...
0140: 5e 09 ee c0 c2 1e b1 e1 f8 29 78 0f 91 e7 49 1d  ^........)x...I.
0150: 9e bf a9 98 31 bc af d6 02 19 f9 3b 5e d2 0f 5e  ....1......;^..^
0160: 29 c2 ba 00 7c 52 d5 d6 33 59 4c 16 91 a8 9c 6d  )...|R..3YL....m
0170: b6 9c 47 51 97 5a d9 ab 14 9b ba 0a a7 08 36 90  ..GQ.Z........6.
0180: 2f a8 33 0e 27 79 93 02 8f 91 46 92 da 5b e6 7e  /.3.'y....F..[.~
0190: db 7a 3a b0 3c c5 c9 98 f4 0a 86 44 94 03 66 d8  .z:.<......D..f.
01a0: b0 36 6e 59 ef 4d c5 03 e3 34 50 be c5 8d 43 e0  .6nY.M...4P...C.
01b0: ba 25 9d b4 74 52 15 5e bc 7c b1 3c 59 3d b7 a2  .%..tR.^.|.<Y=..
01c0: 9a a0 82 d6 8a 83 8f cd b9 39 89 15 e9 f8 35 80  .........9....5.
01d0: 12 65 d3 1e 78 bb 10 d9 a7 0d 43 92 f5 de 01 52  .e..x.....C....R
01e0: be 55 c8 5c 30 93 21 d2 5e d8 87 a0 f0 5e 57 1a  .U.\0.!.^....^W.
01f0: 11 c1 04 c7 70 33 01 8f cc 81 58 b4 4d 4c d2 b2  ....p3....X.ML..
0200: ff 6a ba 80 e5 c3 18 29 5d c8 5e                 .j.....)].^
tls_write: want=269 error=Broken pipe
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 47 bytes to sd 3
tls_write: want=269 error=Broken pipe
ldap_write: want=47 error=Broken pipe
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 0
ldap_free_connection: refcnt 1
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed
$
Can anyone point me in the right direction on how to solve this?
Thanks!
8 years, 9 months
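The hex dump in the post above is readable without guessing: the first bytes of a tls_write line are the TLS record header, and for a handshake record the handshake header follows. The following is an added example written for this page, not code from the poster or from the OpenLDAP project. It takes the "-d 3" dump text, collects the hex column, decodes the headers per RFC 5246, and checks that the record size agrees with the want=/written= counts libldap printed. The embedded sample is constructed from the first two dump lines quoted above; the rest of the record is ciphertext and is not needed.

```python
import re

# Constructed from the first lines of the dump in the post above.
SAMPLE_DUMP = """\
tls_write: want=523, written=523
0000: 16 03 03 02 06 10 00 02 02 02 00 9e 22 0e d5 86  ............"...
0010: 69 a5 a2 29 f6 76 11 19 f6 2d db a9 e8 f5 27 26  i..).v...-....'&
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
    15: "certificate_verify", 16: "client_key_exchange", 20: "finished",
}

LINE_RE = re.compile(r"^\s*[0-9a-f]{4}:\s+(.*)$")
WRITE_RE = re.compile(r"tls_write: want=(\d+), written=(\d+)")


def dump_to_bytes(text):
    """Collect the hex column of every 'offset: bytes  ascii' line.
    At most 16 byte tokens are taken per line, so on full lines an ASCII
    column that happens to look like hex (e.g. 'aa') cannot be misread."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        taken = 0
        for tok in m.group(1).split():
            if taken == 16 or not re.fullmatch(r"[0-9a-f]{2}", tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def parse_tls_record(data):
    """Decode the 5-byte TLS record header (RFC 5246 section 6.2.1) and, for
    a handshake record, the 4-byte handshake header that follows it."""
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    ctype, version = data[0], (data[1], data[2])
    rlen = int.from_bytes(data[3:5], "big")
    rec = {
        "content_type": ctype, "content_name": CONTENT_TYPES.get(ctype, "unknown"),
        "version": version, "version_name": VERSIONS.get(version, "unknown"),
        "record_length": rlen, "bytes_on_wire": rlen + 5,
    }
    if ctype == 22 and len(data) >= 9:
        htype = data[5]
        rec["handshake_type"] = htype
        rec["handshake_name"] = HANDSHAKE_TYPES.get(htype, "unknown")
        rec["handshake_length"] = int.from_bytes(data[6:9], "big")
        if htype == 16 and len(data) >= 11:
            # ClientKeyExchange for RSA and for DHE both open with a 2-byte
            # length: the encrypted premaster secret, or the client's DH public
            # value. 512 bytes corresponds to a 4096-bit modulus either way.
            rec["key_exchange_value_length"] = int.from_bytes(data[9:11], "big")
    return rec


def analyze_dump(text):
    """Parse the dump and confirm the record size matches what libldap said it
    wanted to write and actually wrote, i.e. this was one complete record that
    went out in full; a broken pipe on the next write then means the server
    had closed the connection by that point."""
    rec = parse_tls_record(dump_to_bytes(text))
    m = WRITE_RE.search(text)
    rec["write_wanted"] = int(m.group(1)) if m else None
    rec["write_done"] = int(m.group(2)) if m else None
    rec["complete_record_written"] = (
        rec["write_wanted"] == rec["write_done"] == rec["bytes_on_wire"])
    return rec


if __name__ == "__main__":
    for key, value in analyze_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the quoted dump this decodes as a TLS 1.2 handshake record of 518 bytes (523 on the wire, matching want=523) carrying a ClientKeyExchange, so the client had already accepted the server's certificate and ServerHelloDone when the server answered with the fatal alert. That narrows where to look: the server side's log of the same handshake (slapd with TLS logging enabled) says why it rejected the client, which the client-side dump cannot.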
Q: LDIF: use replace instead of add/delete?
by Ulrich Windl
Hello!
I have a question:
Is it always OK to use LDIF "replace", even if the attribute doesn't exist yet? If so, is it also OK to use "replace" without specifying an attribute value instead of using "delete"?
I actually managed to do the first one, and the operation is logged as "replace" not as "add" in accesslog. I wrote a program that uses accesslog to create an "undo-LDIF" to undo recent changes on demand. Now with that "replace" having succeeded, the undo operation created for it would be the second case ("replace" with no new value).
Regards,
Ulrich
8 years, 9 months
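Both cases in the question above are settled by RFC 4511 section 4.6: replace creates the attribute if it does not exist, and replace with no values deletes the attribute if present and is ignored if absent, whereas delete on an absent attribute fails with noSuchAttribute. The following is an added example written for this page, not the poster's accesslog program and not OpenLDAP code. It applies add/delete/replace to an in-memory entry with those semantics, builds the undo change the way a replace-based undo tool would (the previous value set, or no values), and renders it as LDIF; the sample entry is constructed.

```python
from copy import deepcopy

# RFC 4511 section 4.6 semantics for the three Modify change types, applied to
# an in-memory entry (dict: attribute name -> list of values). The error
# strings are the LDAP resultCodes a server returns in the same situations.


def apply_change(entry, op, attr, values):
    entry = deepcopy(entry)
    current = list(entry.get(attr, []))
    values = list(values)
    if op == "add":
        if not values:
            raise ValueError("add requires at least one value")
        if any(v in current for v in values):
            raise ValueError("attributeOrValueExists")
        entry[attr] = current + values
    elif op == "delete":
        if attr not in entry:
            raise ValueError("noSuchAttribute")
        if not values:                       # delete the whole attribute
            del entry[attr]
        elif any(v not in current for v in values):
            raise ValueError("noSuchAttribute")
        else:
            remaining = [v for v in current if v not in values]
            if remaining:
                entry[attr] = remaining
            else:
                del entry[attr]              # last value gone: attribute gone
    elif op == "replace":
        # Succeeds whether or not the attribute exists: with values it creates
        # or overwrites the whole value set; with no values it removes the
        # attribute if present and is a no-op if absent.
        if values:
            entry[attr] = values
        else:
            entry.pop(attr, None)
    else:
        raise ValueError(f"unknown change type {op!r}")
    return entry


def undo_change(before, attr):
    """Build the change that restores `before`'s value set for `attr`, whatever
    was done to it. Using replace (with the old values, or with none) makes the
    undo valid regardless of the entry's state when the undo is applied."""
    return ("replace", attr, list(before.get(attr, [])))


def to_ldif(dn, op, attr, values):
    """Render one change as an LDIF changetype: modify record."""
    lines = [f"dn: {dn}", "changetype: modify", f"{op}: {attr}"]
    lines += [f"{attr}: {v}" for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed entry: the attribute does not exist yet, replace still works.
    before = {"cn": ["Ulrich"]}
    after = apply_change(before, "replace", "mail", ["ulrich@example.com"])
    print(to_ldif("cn=Ulrich,dc=example,dc=com", *undo_change(before, "mail")))
    assert apply_change(after, *undo_change(before, "mail")) == before
```

The undo for "replace created mail" is exactly the second case from the question, a replace with no values, and applying it brings the entry back to its original state; the same undo also stays valid if the attribute was already removed by something else in the meantime, which a delete-based undo would not.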
ACL on new value for two attributes
by Emmanuel Dreyfus
Hello
In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on
the new value for an attribute.
Using sets in the who clauses this new value can be matched as ${v0}
against current attributes values. But what about if we want to match
against another new attribute value? I currently run 2.4.33, and there
is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the
what clause. Has this changed in later releases? Or is there another way
of doing it?
--
Emmanuel Dreyfus
manu(a)netbsd.org
8 years, 9 months
Access bdb and ldap database at the same time
by Zhang,Jun
I've configured an ldap database in slapd.conf which serves as an Active Directory proxy; the slapd is running on RHEL 6. My Linux openldap clients can now browse the content of the AD. The purpose of doing this is user login, which is authenticated against the AD, with the home directory information provided by the bdb database of the openldap server. autofs is functional through the rfc2307bis formatted automount maps. The problem is that "getent passwd username" does not always work, so the AD users are not known even though ldapsearch can always find the user information with a proper search base set.
At the slapd server (rhel 6), nslcd (trying to avoid ssl at this stage) is being used, while at the Linux openldap clients I compiled pam_ldap and nss_ldap. I noticed that the openldap clients use /etc/openldap/ldap.conf as the configuration file, and nss/pam use /etc/ldap.conf. I tried to use a different BASE in the two conf files but it didn't work for me.
I know there must be other people who have already done this somehow, and I'd very much appreciate it if somebody can point me to some known-to-work ways.
Jun
8 years, 9 months
Which schema to use?
by Nick Bright
Are there any pre-defined schema (or combination of schema) available
that I could use with openldap that would provide some or all these
attributes:
accountid (integer)
customerid (integer)
nodeid (integer)
accounttype (string)
accesspoint (string)
ipaddress (ip address)
latitude (float)
longitude (float)
macaddress (string)
A link to a novice/beginner guide for how to create schema would be
helpful too.
Thanks,
--
-----------------------------------------------
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
-----------------------------------------------
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------
This email message and any attachments are intended solely for the use of the addressees hereof. This message and any attachments may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system.
8 years, 9 months
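Both the "adding a custom attribute" question earlier on this page and the attribute list just above end up at the same place: the usual practice is to leave the shipped core.schema alone and put your own attributeType definitions in a separate schema file under an OID arc you own, picking a standard syntax and a matching rule that is valid for it. The following is an added example written for this page, not code from either poster or from the OpenLDAP project. It parses slapd.conf-style attributetype definitions and checks the things that go wrong most often: a reused OID, an OID minted under someone else's arc, an unknown syntax, and an equality rule that does not fit the syntax. The sample schema is constructed, the OID arc 1.3.6.1.4.1.99999 is a placeholder, and the last two definitions are deliberately wrong.

```python
import re

# PLACEHOLDER arc for this example only. A real schema file uses an OID arc
# you own (for instance under a private enterprise number obtained from IANA);
# nothing here comes from a registry.
MY_ARC = "1.3.6.1.4.1.99999.1.1"

# LDAP syntaxes (RFC 4517) that cover the attributes listed above, with the
# equality rules that are valid for each. There is no standard syntax for
# floating point or IP addresses, so latitude/longitude and ipAddress are
# stored as strings and range-checked by the application.
SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.27": ("Integer", {"integerMatch"}),
    "1.3.6.1.4.1.1466.115.121.1.15": ("DirectoryString", {"caseIgnoreMatch", "caseExactMatch"}),
    "1.3.6.1.4.1.1466.115.121.1.26": ("IA5String", {"caseIgnoreIA5Match", "caseExactIA5Match"}),
    "1.3.6.1.4.1.1466.115.121.1.50": ("TelephoneNumber", {"telephoneNumberMatch"}),
    "1.3.6.1.4.1.1466.115.121.1.7": ("Boolean", {"booleanMatch"}),
}
# Arcs a site must not mint its own OIDs under: X.500 and the OpenLDAP arc.
RESERVED_ARCS = ("2.5.", "1.3.6.1.4.1.4203.")

# Constructed sample in slapd.conf schema syntax. The last two definitions are
# deliberately wrong so the checker has something to report.
SAMPLE_SCHEMA = f"""
attributetype ( {MY_ARC}.1 NAME 'accountId'
    DESC 'Billing account number' EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( {MY_ARC}.2 NAME 'ipAddress'
    DESC 'Customer IP address as text' EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( {MY_ARC}.3 NAME 'latitude'
    DESC 'Decimal degrees as text' EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( {MY_ARC}.3 NAME 'macAddress'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.4203.999.1 NAME 'nodeId'
    EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
"""


def parse_schema(text):
    """Parse 'attributetype ( ... )' definitions into dicts of their fields."""
    defs = []
    for chunk in re.split(r"\battributetype\b", text)[1:]:
        body = chunk.strip()
        if not (body.startswith("(") and body.endswith(")")):
            raise ValueError(f"definition is not parenthesised: {body[:40]!r}")
        body = " ".join(body[1:-1].split())  # one line, single spaces
        d = {"oid": body.split(" ", 1)[0]}
        for key in ("NAME", "DESC"):
            m = re.search(rf"\b{key}\s+'([^']*)'", body)
            d[key.lower()] = m.group(1) if m else None
        for key in ("EQUALITY", "SUBSTR", "ORDERING", "SYNTAX"):
            m = re.search(rf"\b{key}\s+(\S+)", body)
            d[key.lower()] = m.group(1) if m else None
        d["single_value"] = bool(re.search(r"\bSINGLE-VALUE\b", body))
        defs.append(d)
    return defs


def check_schema(defs):
    """Return the problems slapd rejects at startup or that cause trouble later."""
    issues, oids, names = [], {}, {}
    for d in defs:
        who = d["name"] or d["oid"]
        if d["oid"].startswith(RESERVED_ARCS):
            issues.append(f"{who}: OID {d['oid']} lies under an arc you do not own")
        if d["oid"] in oids:
            issues.append(f"{who}: OID {d['oid']} already used by {oids[d['oid']]}")
        oids.setdefault(d["oid"], who)
        if d["name"] is None:
            issues.append(f"{d['oid']}: missing NAME")
        elif d["name"].lower() in names:  # attribute names are case-insensitive
            issues.append(f"{who}: NAME already used by {names[d['name'].lower()]}")
        else:
            names[d["name"].lower()] = who
        syntax = (d["syntax"] or "").split("{")[0]  # drop any {length} suffix
        if syntax not in SYNTAXES:
            issues.append(f"{who}: unknown or missing SYNTAX {d['syntax']}")
        elif d["equality"] and d["equality"] not in SYNTAXES[syntax][1]:
            issues.append(f"{who}: EQUALITY {d['equality']} is not valid for "
                          f"{SYNTAXES[syntax][0]}")
    return issues


if __name__ == "__main__":
    for problem in check_schema(parse_schema(SAMPLE_SCHEMA)):
        print(problem)
```

For the sipTelephone example from the earlier question the same pattern applies with the TelephoneNumber syntax (1.3.6.1.4.1.1466.115.121.1.50) and telephoneNumberMatch; only the SYNTAXES table needs extending to cover further RFC 4517 syntaxes.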
what to do with ssl certs and keys of master and slave during replication
by wailok tam
Hi, all,
Can a kind person tell me what special things need to be done with ca certs, server certs,
and server keys?
I read some blog which reports concatenating the master ca cert to the slave ca cert.
But the slave server cert and key were created & signed with the slave ca cert before concatenation.
Is that correct? No need to share the master server cert or key with the slave?
Thanks for viewing and thanks in advance for any advice.
8 years, 9 months
storing ldap passwords on HSM
by lux-integ
Greetings,
I have been searching webpages for guidance on using a smartcard (also known
as an HSM) for storing passwords for an ldap database on a linux system.
This would include for instance how the userPassword (attribute) would be
specified - i.e. how to specify the userPassword to read the PIN/SO-
PIN/PUK{whatever} of the HSM/smart-card etc etc ??
Any guidance would be much appreciated.
Yours sincerely
luxInteg
8 years, 9 months