openldap-technical January 2015

openldap-technical@openldap.org

38 participants
37 discussions

occasional user entry being deleted
by Al 23 Jan '15

23 Jan '15

Hi All - I'm having an odd issue where on a rare occasion (a couple of times a week), a new LDAP user entry is being deleted shortly after it is created. Sometimes it happens within a few minutes, sometimes it happens within an hour or so. I have a 4 way multi-master setup, with all writes being directed at a single server with a load balancer. I have the auditlog enabled (from failed attempts at delta sync) and I see auditDelete entries in the auditdb, but its being executed from the internal admin user, not a "real" user. I do not see anything suspect in my system logs running at the normal loglevel. I'm running 2.4.39 on Redhat 6, x64 with mdb. Below is a snippet of my configuration from the specific database in question. Does anyone know why this might be occurring? Any idea on how to further troubleshoot this issue? Thanks in advance - Al dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /PATH/TO/OPENLDAP/var/openldap-data olcSuffix: dc=company,dc=com olcAddContentAcl: FALSE olcLastMod: TRUE olcLimits: {0}dn.base="XXXXXXX" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=Manager,dc=company,dc=com olcRootPW:: XXXXXXXXX olcSyncUseSubentry: FALSE olcMirrorMode: TRUE olcMonitoring: TRUE olcDbCheckpoint: 512 5 olcDbNoSync: TRUE olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: cn pres,eq,sub olcDbIndex: uid eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: uniqueMember eq olcDbIndex: nisNetgroupTriple eq olcDbIndex: sudoUser eq,sub olcDbIndex: mail eq olcDbIndex: pwmToken eq,sub olcDbIndex: memberOf eq olcDbMaxSize: 25000000000 olcDbMode: 0600 structuralObjectClass: olcMdbConfig entryUUID: xxxx-xxxx-xxxxx-xxxxx creatorsName: cn=config createTimestamp: 20111014131247Z olcSyncrepl: {0}rid=011 provider=ldap://server1:21389/ bind method=simple timeout=0 network-timeout=0 binddn="XXXXXXX" credentials="XXXX" keepalive=0:0:0 startt ls=critical filter="(objectclass=*)" searchbase="dc=company,dc=com" scope=sub schemachecking=off type=refreshOnly retry="30 +" interval=00:00:00:30 olcSyncrepl: {1}rid=012 provider=ldap://server2:21389/ bind method=simple timeout=0 network-timeout=0 binddn="XXXXXXX" credentials="XXXX" keepalive=0:0:0 startt ls=critical filter="(objectclass=*)" searchbase="dc=company,dc=com" scope=sub schemachecking=off type=refreshOnly retry="30 +" interval=00:00:00:30 olcSyncrepl: {2}rid=013 provider=ldap://server3:21389/ bind method=simple timeout=0 network-timeout=0 binddn="XXXXXXX" credentials="XXXX" keepalive=0:0:0 startt ls=critical filter="(objectclass=*)" searchbase="dc=company,dc=com" scope=sub schemachecking=off type=refreshOnly retry="30 +" interval=00:00:00:30 olcSyncrepl: {3}rid=014 provider=ldap://server4:21389/ bind method=simple timeout=0 network-timeout=0 binddn="XXXXXXX" credentials="XXXX" keepalive=0:0:0 startt ls=critical filter="(objectclass=*)" searchbase="dc=company,dc=com" scope=sub schemachecking=off type=refreshOnly retry="30 +" interval=00:00:00:30 entryCSN: 20140924095732.634049Z#000000#001#000000 modifiersName: cn=Manager,cn=config modifyTimestamp: 20140924095732Z

5 6

Creating LDAP schema issue
by Leander Schäfer 23 Jan '15

23 Jan '15

Hi Unfortunately I'm struggeling, since since 2.5 days. I have to create individual a LDAP schema which suits the currently used LDAP structure. The current tructure looks like this: => dc=MyDomain,dc=TLD ==> ou=People ===> uid=User-1 ====> ou=mail ===> uid=User-2 ====> ou=mail ... and so on ... Within ou=mail should be the individual mail account(s) information of a user. So in the end I want to add a(nother) mail account by something like this: cat << EOF > ./newUser.ldif dn: mailAddress=Test(a)Domain.TLD,ou=mail,uid=User-1,ou=people,dc=MyDomain,dc=TLD objectclass: top objectclass: mailAccount mailAddress: Test(a)Domain.TLD MailPassword: {SSHA}SomePassword MailAccountStatus: active [...] EOF Therefore I setup a LDAP schema like the following, but it seems to ignore the attributes "MailPassword" and "noMailAccountStatus". Why? I don't understand what I'm missing here on my objectclass? I'm sure it is an easy little thing to fix - but I just can't figure it out with the tutarials provided I went thorugh ;/ # ====================== LDAP schema ======================= # # # OID Macros (10001 should be IANA-registered) # objectidentifier nameSpace 1.3.6.1.4.1.10001 objectidentifier mail nameSpace:1 objectidentifier objectClassAccount mail:1 objectidentifier objectClassAccountInfo mail:2 # # Attributes: objectClass[NAME]:1.[SERIAL] # attributetype ( objectClassAccount:1.1 NAME 'mailAddress' DESC 'The hosted mail addresses' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) attributetype ( objectClassAccount:1.2 NAME 'MailPassword' DESC 'The hosted mail password' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) attributetype ( objectClassAccount:1.3 NAME 'MailAccountStatus' DESC 'The status of a user account: active, noaccess, disabled, deleted' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) [...] # # Objects: objectClass[NAME]:2.[SERIAL] # objectclass ( objectClassAccount:2.1 NAME 'mailAccount' SUP ( top ) STRUCTURAL DESC 'Mail account' MUST ( mailAddress ) MAY ( MailPassword $ MailAccountStatus ) ) # ====================================================== # Thanks Best Regards, Leander

2 1

Replication
by sofien BLOUZA 23 Jan '15

23 Jan '15

Hi all, Is it possible to associate multi-master Replication and delta-syncrepl ? Thunks a lot ? Sofiene BLOUZA -- Sofiene BLOUZA Ingénieur R & D 0645492223

1 0

LDAP Search with non-existent attributes
by Dirk-Willem van Gulik 22 Jan '15

22 Jan '15

W’re comparing various LDAP server setups; and we are wondering what the ‘correct’ search result is for a search which is done such as '(|(|(|(givenname=fred*)(sn=fred*)(mail=fred*)(cn=fred*) in a situation where we have records which do not have a certain attribute (e.g. no givenname or cn) — e.g. a record as light weight as: dn: uid= 1234 objectClass: person uid: 1234 sn: fred fred telephoneNumber: 1234 As we notice that some servers will return this given above query; and some do not. And I cannot find the exact spot in the RFC where the ‘correct’ behaviour is mentioned. Would anyone have a pointer or a suggestion ? And would OpenLDAP 2.4 be intentionally more accommodating than the spec ? Dw.

2 2

Access to dn.subtree with dnatrr=attrname
by Tomasz Lesniewski 21 Jan '15

21 Jan '15

Hi. I have ldap tree which i'm trying to migrate from 389-ds to openldap, with structure like this: o=company ou=admins uid=admin1 ... dc=domain ou=users uid=user1 service=service1 ... uid=user2 service=service2 At uid=user1,ou=users,dc=domain,o=company there is admin entry (and no admin entry in childrens) which points to uid=admin1,ou=admins,o=company. Now i want to grant access to all entries below uid=user1,ou=users,dc=domain,o=company to uid=admin1. In 389-ds it was easy, but in openldap it seems not easy to do. I tried to use: olcAccess: to dn.subtree="uid=*,ou=users,dc=domain,o=company" by dnattr="admin" but it grant access only uid=user1,ou=users,dc=domain,o=company and for no childrens access is granted. Maybe i'm doing something wrong or should i use other functionality to solve this problem? Any help will be appreciate. -- Pozdrawiam/Best regards Tomasz Leśniewski

2 1

LMDB and Android
by Kristoffer Sjögren 19 Jan '15

19 Jan '15

Hi I'm a Android noob and need to build LMDB for Android. Is Android NDK the way to go? https://developer.android.com/tools/sdk/ndk/index.html Any tricks I should be aware of? Cheers, -Kristoffer

2 4

Re: back-sql deployment woes
by Nick Atzert 16 Jan '15

16 Jan '15

I personally wouldn't move to a sql backend.. I've recommended against it. This is what the boss wants though so here we are. :-) Any ideas? Thanks. On Jan 5, 2015 8:03 PM, "Quanah Gibson-Mount" <quanah(a)zimbra.com> wrote: > --On Monday, January 05, 2015 7:27 PM -0500 thelastknowngod < > tlkg.me(a)gmail.com> wrote: > > I've finished moving my existing LDAP user data into MySQL >> > > Why would you move to SQL for an LDAP server? > > for use with >> back-sql on my testing machine and everything is working perfectly. >> > > back-sql is entirely experimental and generally unsupported. > > --Quanah > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

7 10

Update openldap version from 2.3.43 to latest
by Tian Zhiying 15 Jan '15

15 Jan '15

Hi Admin I'm running OpenLDAP 2.3.43 in CentOS 5.8 64bit, now I want to update OpenLDAP from 2.3.43 to latest. How can I do it ? If no way update from 2.3.43 to latest, how can I migration data of 2.3.43 to new OpenLDAP? Thanks. Tian Zhiying ----- 在此邮件中未发现病毒。检查工具：AVG - www.avg.com 版本：2012.0.2249 / 病毒数据库：4257/8428 - 发布日期：01/14/15

2 1

[Openldap] Replicate olcAccess and olcLimits from Provider to consumer
by coma 15 Jan '15

15 Jan '15

Dear List, I am currently trying to find out if it is possible to replicate the olcAccess and olcLimits from a master server to a slave server for a specific database (in my case, replicate olcAccess and olcLimits configured on my "dc=example,dc=com" database only, i don't replicates cn=config and other databases). can you give me advice on this? Thanks in advance for any help, Sincerely

1 0

resynchronizing partial replica after ACL change
by Ferenc Wagner 14 Jan '15

14 Jan '15

Hi, I'm running a couple of partial replicas, where the replicated content is narrowed by provider ACLs. All is fine. Now, I need to extend the replicas with a new attribute, so I extend the ACL to allow reading of this attribute as well. How can I get the replicas synchronize this new attribute without downtime? Is forcing a full reload by slapd -c rid=1 a good solution? Does that incur the slapd restart downtime only, or would the replica database be in a crippled state until the full resync finishes? -- Thanks, Feri.

5 6

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2015