openldap-technical February 2014

openldap-technical@openldap.org

85 participants
90 discussions

RE: Syncrepl and mmr
by Quanah Gibson-Mount 03 Feb '14

03 Feb '14

--On Monday, February 03, 2014 3:31 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > Thanks for your assistance Quanah! > > About the userPassword attributes... > > On Apache Directory Studio (we only normally use it as a quick visual > reference)...but, we bind both servers as cn=ldapadmin,dc=example,dc=ldap > & cn=admin,cn=config (plus now > uid=replicator,ou=Admins,dc=example,dc=ldap). > > I just tested an ldapsearch by binding to the uid=replicator and the > userPassword attribute returns when searching for it...though both are > different from each other (verified with other users "jdoe2" and "jdoe3", > etc) If it is correct via ldapsearch, that is what counts. ADS may be attempting some security by hiding userPassword? > Supposedly, if I update one server, the other server should update, too. > That is if they are properly talking. Correct? And assuming your masters are in sync to start with, which is critical when thinking about replication. It would appear you've been allowing writes ops to each master prior to getting replication working? I believe you mentioned before this is a test environment. I would suggest you reload your secondary master from the primary master, and then test replication. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

RE: Syncrepl and mmr
by Quanah Gibson-Mount 03 Feb '14

03 Feb '14

--On Monday, February 03, 2014 2:26 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > Ok, > > Sanity Check, please. Still seeing "empty syncUUID" messages. Also, the > "userPassword" attributes on mm-server2, cannot be seen (via Apache > Directory Studio -- but show up with ldapsearch), but when I attempt to > add (via ldapmodify) it returns value already present. if it shows up with ldapsearch when binding as uid=ldapreplicator,ou=admins,dc=example,dc=ldap then you are set. I have no idea who/what you are binding with via apache dir studio. ># {1}bdb, config > dn: olcDatabase={1}bdb,cn=config > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by > anonymous auth by dn="cn=ldapadmin,dc=example,dc=ldap" manage by > dn="uid=replicator,ou=Admins,dc=example,dc=ldap" read by * none > olcAccess: {1}to * by * read Unless you plan on doing some really bizarre things, it is unlikely your ldapadmin needs manage access. See <http://www.openldap.org/its/index.cgi/?findid=7795> ># {2}bdb, config > dn: olcDatabase={2}bdb,cn=config > olcAccess: {0}to * by > dn.exact="uid=replicator,ou=Admins,dc=example,dc=ldap" write by * none The replicator only ever needs read access, not write. Also separate nit. You should be doing dn.exact in the first set of ACLs as well (you have it correctly in the second set). --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

RE: Syncrepl and mmr
by Quanah Gibson-Mount 03 Feb '14

03 Feb '14

--On Monday, February 03, 2014 1:06 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > The "cn=replicator,cn=accesslog" was the olcRootDN for the accesslog. > > Rather that was my intent. > > Rereading documentation...and the script you shared with me a few weeks > back. > > Currently, my set up is: > 1) The rootDN for the cn=config is cn=admin (cn=admin,cn=config) > 2) the rootDN for my primary dbase is cn=ldapadmin > (cn=ldapadmin,dc=example,dc=ldap) 3) the rootDN for the accesslog, as > mentioned above, is/was cn=replicator (cn=replicator,cn=accesslog) > > My ou=Users,dc=example,dc=ldap has all the End-Users uids for logins. > > Noticed you have a cn=admins,cn=zimbra. > > Bear with the stupid question, this is more of a sanity check for me > (getting pressure from my side to get this project done -- so very > rushed). > > I could/should create an "ou=Admins,dc=example,dc=ldap", on both > MM-Servers > > In that ou create/move the replicator that I wrongfully created in > cn=accesslog: > > uid=replicator,ou=Admins,dc=example,dc=ldap > > That will get this user in the dbase. > > Modify, the olcSyncrepl, olcAccess, etc on both MM-Servers. > > Is that basically, correct? Yes. For replication, you need one single replication DN to be used for replication, that has read access into both your primary DB and your accesslog DB. The rootdns are entirely separate from any of that. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

RE: Syncrepl and mmr
by Quanah Gibson-Mount 03 Feb '14

03 Feb '14

--On Monday, February 03, 2014 9:57 AM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > All, > > I turned off TLS on both MMR machines, so I could more easily > troubleshoot Syncrepl/MMR configuration. Once over this hurdle, I'll > re-incorporate TLS. > > The following is a snippet of the SLAPD output-log file: > > <MM-SERVER2> > 52efa558 => bdb_dn2id("cn=replicator,cn=accesslog") > 52efa558 <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair > found (-30989) 52efa558 send_ldap_result: conn=5226 op=0 p=3 > 52efa558 send_ldap_result: err=49 matched="" text="" What is cn=replicator,cn=accesslog? Whatever it is, it doesn't exist in your DB. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

Re: Deprecation of back-bdb
by Clément OUDOT 03 Feb '14

03 Feb '14

2014-02-03 Quanah Gibson-Mount <quanah(a)zimbra.com>: > --On Monday, February 03, 2014 4:48 PM +0100 Clément OUDOT < > clem.oudot(a)gmail.com> wrote: > > >> >> >> >> Hi, >> >> as Howard said in his conference at FOSDEM, back-bdb is deprecated, and >> is disabled by default. >> >> Should I fill an ITS? >> > > No. It is deprecated in 2.5 and later. > > If I remember well, BDB should be deprecated for 2.4 and HDB deprecated for 2.5. See slide 37 of this presentation: http://fr.slideshare.net/ldapcon/whats-new-in-openldap Clément.

3 2

Deprecation of back-bdb
by Clément OUDOT 03 Feb '14

03 Feb '14

Hi, as Howard said in his conference at FOSDEM, back-bdb is deprecated, and is disabled by default. I just downloaded 2.4.39 tarball, and tested the configure script, it seems back-bdb is still activated by default: clement@ader:~/Programmes/openldap-2.4.39$ ./configure --help | grep bdb --enable-bdb enable Berkeley DB backend no|yes|mod [yes] Should I fill an ITS? Clément.

2 1

RE: Syncrepl and mmr
by Quanah Gibson-Mount 03 Feb '14

03 Feb '14

--On Friday, January 31, 2014 4:34 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > I have turned off TLS for the time being. > > Now, I think it is an ACLs issue that I need to figure out...seeing the > following: > > ldap_write: want=531 error=Broken pipe > 52ec16ae ber_flush2 failed errno=32 reason="Broken pipe" > 52ec16ae connection_closing: readying conn=1074 sd=22 for close > 52ec16ae send_search_entry: conn 1074 ber write failed. > 52ec16ae connection_resched: attempting closing conn=1074 sd=22 > 52ec16ae connection_close: conn=1074 sd=22 > 52ec16ae daemon: removing 22 > 52ec16ae conn=1074 fd=22 closed (connection lost on write) > 52ec16ae daemon: activity on 1 descriptor > 52ec16ae daemon: activity on:52ec16ae > 52ec16ae daemon: epoll: listen=7 active_threads=0 tvp=zero That would not be an acl issue. broken pipes, flushing problems, etc... I generally see that with firewalls causing problems. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 2

problem with accessing secure ldap
by c chupela 03 Feb '14

03 Feb '14

I've been tasked with figuring out why a redhat 6.4 server w/openldap v2.4.23 is not accessible. This server is a test server. I have a production server that is working properly, and I've gone thru and compared config files, etc, but haven't found any differences. I'm a newbie with this, so my understanding is still somewhat limited. Here's what I've done or checked so far: - iptables is not running - if I run netstat, I can see port 389/port 636 in listening state: tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 5603/slapd tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5603/slapd tcp 0 0 :::636 :::* LISTEN 5603/slapd tcp 0 0 :::389 :::* LISTEN 5603/slapd I can telnet to port 389 on this server from another server, but not to port 636 - putty will throw back an immediate 'connection closed by remote host' message. I'm not seeing any slapd related messages in /var/log/messages. What else can I check on here? Thanks Chris

8 16

LMDB database size
by Markus Doppelbauer 01 Feb '14

01 Feb '14

5 6

slapd.d and back-sql
by Robson, Alan 31 Jan '14

31 Jan '14

Hi all, I'm trying to set up back-sql on Ubuntu using openldap version 2.4.39 that uses slapd.d as its configuration store. All of the config examples I can find online use slapd.conf. A 2011 email from this mailing list explains that it simply is not possible to use the slapd.d config method to specify a dbname. Is that still the case ? I am trying to add an entry for my mysql database using ldapadd and the following ldif... # order value not present so entry will be appended # to current children dn: olcDatabase=sql,cn=config objectClass: olcDatabaseConfig olcDatabase: mysql dbName: ldap olcSuffix: dc=nodomain The response I get is... adding new entry "olcDatabase=sql,cn=config" ldap_add: Undefined attribute type (17) additional info: dbName: attribute type undefined I tried dbname (no capital N) as well, but I get the same result. As you may be able to tell, I have a very loose grip on what to do here ! I'd appreciate some guidance. I am confident that I have odbc and the database/user set up as it describes in the manual section on back-sql. My database connection is called "ldap" in odbc.ini. /etc/odbcinst.ini: [mysql] Description = ODBC for MySQL Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc.so Setup = /usr/lib/x86_64-linux-gnu/odbc/libodbcmyS.so FileUsage = 1 /etc/odbc.ini: [ldap] Description = MySQL connection to 'test' database Driver = mysql Database = ldap UserName = ldap Password = ldap Server = localhost Port = 3306 Socket = /var/run/mysqld/mysqld.sock If I need to go back to using slapd.conf, how can I generate one from my slapd.d setup ? Many thanks Alan

2 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2014