Delta-syncrepl not syncing entire directory: Entry CSN greater than snapshot
by Pedro Roger
Hello,
I'm trying to set up a master/slave replication via delta-syncrepl, but for
most of the entries I get the message: "Entry CSN greater than
snapshot". I had searched the archive of the mailing list but I couldn't get
a solution for this. Any help is appreciated.
Some entries I get in the syslog:
Oct 20 20:23:57 temperance slapd[7645]: Entry uid=ari_oliveira,ou=uvanet.br,ou=mail,dc=uvanet,dc=br CSN 20151015141738.689470Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000
Oct 20 20:23:57 temperance slapd[7645]: Entry cn=SAPLIC,ou=groupOfNames,ou=intranet,dc=uvanet,dc=br CSN 20151020152042.450209Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000
Oct 20 20:23:57 temperance slapd[7645]: Entry cn=SIGU,ou=groupOfNames,ou=intranet,dc=uvanet,dc=br CSN 20151020152042.636081Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000
I have the following config in the provider (slapd 2.4.23):
...
moduleload accesslog.la
moduleload syncprov.la
database hdb
suffix cn=accesslog
directory /opt/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart eq
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
database hdb
suffix "dc=uvanet,dc=br"
rootdn "xxxxxx"
directory "/var/lib/ldap"
overlay syncprov
syncprov-checkpoint 1000 60
#syncprov-checkpoint 500 30
syncprov-reloadhint TRUE
syncprov-sessionlog 500
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index memberOf eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
# required to support pdb_getsambapwrid()
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index uniqueMember eq
index sambaGroupType eq
index sambaSIDList eq
# syncprov specific indexing
index entryUUID eq
index entryCSN eq
overlay memberof
In the consumer server we have:
syncrepl rid=1
provider=ldap://X.X.X.X
type=refreshAndPersist
retry="5 + 5 +"
interval=00:00:00:01
searchbase="dc=uvanet,dc=br"
filter="(objectClass=*)"
scope=sub
starttls=no
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
syncdata=accesslog
attrs="*"
schemachecking=on
bindmethod=simple
binddn="XXXX"
credentials="XXXX"
# Refer updates to the master
updateref ldap://X.X.X.X
Thanks in advance
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Pedro Roger Magalhães Vasconcelos
http://www.proger.eti.br
8 years, 1 month
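The log lines above pair each skipped entry's CSN with the snapshot CSN syncprov compared it against, so they can be parsed and measured rather than read one by one. The following is an added example, not code from the post or from OpenLDAP: it splits a CSN into its four fields, re-checks the comparison, and reports how far the newest skipped entry is ahead of the snapshot, which is the figure to alert on when monitoring replication. The sample log is constructed from the three lines quoted above, re-joined onto one line each.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple

# Constructed sample input: the three syslog lines quoted in the post,
# each re-joined onto a single line (the mail archive wrapped them).
SAMPLE_LOG = """\
Oct 20 20:23:57 temperance slapd[7645]: Entry uid=ari_oliveira,ou=uvanet.br,ou=mail,dc=uvanet,dc=br CSN 20151015141738.689470Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000
Oct 20 20:23:57 temperance slapd[7645]: Entry cn=SAPLIC,ou=groupOfNames,ou=intranet,dc=uvanet,dc=br CSN 20151020152042.450209Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000
Oct 20 20:23:57 temperance slapd[7645]: Entry cn=SIGU,ou=groupOfNames,ou=intranet,dc=uvanet,dc=br CSN 20151020152042.636081Z#000000#000#000000 greater than snapshot 20150709142425.146445Z#000000#000#000000
"""


class CSN(NamedTuple):
    """The four fields of an OpenLDAP CSN: time#count#sid#mod."""
    timestamp: str  # YYYYmmddHHMMSS.uuuuuuZ, always UTC
    count: int      # change counter within that microsecond (hex on the wire)
    sid: int        # serverID of the provider that made the change (hex)
    mod: int        # modification number inside the change (hex)


CSN_RE = re.compile(
    r"^(\d{14}\.\d{6}Z)#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")
LOG_RE = re.compile(
    r"Entry (?P<dn>\S+) CSN (?P<csn>\S+) greater than snapshot (?P<snap>\S+)")


def parse_csn(text: str) -> CSN:
    m = CSN_RE.match(text)
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    return CSN(m.group(1), int(m.group(2), 16), int(m.group(3), 16), int(m.group(4), 16))


def csn_time(csn: CSN) -> datetime:
    return datetime.strptime(csn.timestamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def entries_ahead_of_snapshot(log_text: str) -> List[Tuple[str, CSN, CSN]]:
    """(dn, entry CSN, snapshot CSN) for every 'greater than snapshot' line.

    The fields are fixed-width, so tuple order (timestamp, count, sid, mod)
    matches plain string order; the tuple just makes the comparison explicit.
    """
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry, snap = parse_csn(m.group("csn")), parse_csn(m.group("snap"))
        if entry > snap:  # NamedTuple compares field by field
            found.append((m.group("dn"), entry, snap))
    return found


def snapshot_lag(found: List[Tuple[str, CSN, CSN]]) -> timedelta:
    """How far the newest skipped entry is ahead of the oldest snapshot CSN.

    In the post this is a gap of months: the skipped entries carry CSNs from
    October while the snapshot still dates from July.
    """
    newest_entry = max(csn_time(e) for _, e, _ in found)
    oldest_snapshot = min(csn_time(s) for _, _, s in found)
    return newest_entry - oldest_snapshot


if __name__ == "__main__":
    hits = entries_ahead_of_snapshot(SAMPLE_LOG)
    for dn, entry, snap in hits:
        print(f"{dn}: entry {entry.timestamp} > snapshot {snap.timestamp}")
    print(f"snapshot lag: {snapshot_lag(hits)}")
```

Run against a live syslog, the same functions give a count of skipped entries and a lag figure per refresh, which is more useful for a replication health check than grepping for the message.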
openldap chain overlay: does not seem to be functioning/referenced
by Peter Heinemann
openldap 2.4-39
RHEL 6.5
I'm trying to get one ldap server configured to chain queries to a second server when specific OUs that are on the 2nd server (but not the 1st) are referenced in a query/ldapsearch. Note that these are read-only consumers, so I am not dealing with modifications, only searches. Both servers share the top level suffix.
An ldapsearch against the first server involving an OU that is on the second server returns "no such Object"; and the logfile on the first server (loglevel 1) shows no reference to the chain-uri or attempt to search outside the first server.
overlay chain
chain-uri ldap://chained-server.domain.com
chain-idassert-bind bindmethod="simple"
binddn="cn=admin,dc=domain,dc=com"
credentials="<password>"
mode="self"
chain-tls start
chain-return-error TRUE
slapd.conf is valid per slaptest, and starts successfully.
However, an ldapsearch against the initial target server simply returns "No such object", because it appears the chain is never followed or these directives are inactive. In the local4.log with loglevel set to 1, there's never any attempt/reference to the chain-uri, and no subsequent entry in the log file for the second server.
- should there be logfile entries on the first server referencing the chain-uri (or on the client ldapsearch with -d1)?
- is there a missing directive or incorrect configuration?
Thanks for any assistance.
Peter
8 years, 1 month
OpenLDAP as a Caching Proxy server
by Christian Tardif
Hi,
I've been trying to set up a caching proxy server with OpenLDAP for quite
a long time, and it seems, from what I can see right now, that the proxy
stuff is working (I can log on to a server that points to the proxy as
its LDAP server), but the caching stuff doesn't seem to work at all.
EVERY request I'm doing is transferred to the AD (the real LDAP server)
behind the proxy LDAP.
Here's how my pcache module is set. Not too sure, though, how to set up
pcacheTemplates. Maybe that's my error. One thing to note is that no
database is even created in the /var/tmp/cache directory, as I would expect.
moduleload pcache.la
overlay pcache
pcache bdb 100000 3 1000 60
directory /var/tmp/cache
cachesize 150
index objectClass eq
index sAMAccountName eq
pcacheMaxQueries 100
pcacheAttrset 0 objectClass name objectSid
pcacheAttrset 1 objectClass sAMAccountName
pcacheAttrset 2 *
pcacheTemplate (&(member=)(objectClass=)(name=)) 0 60
pcacheTemplate (objectClass=) 0 60
pcacheTemplate (&(objectSid=)(objectClass=)(name=)) 0 60
pcacheTemplate (&(?sAMAccountName=)(?objectClass=)(sAMAccountName=)(objectSid=)) 2 60
pcacheTemplate (sAMAccountName=) 2 60
pcachePersist true
--
CHRISTIAN TARDIF
-------------------------
8 years, 1 month
slapd: No database support for /var/heimdal/heimdal
by Francesco Malvezzi
hi all,
while adding the smbk5pwd overlay 1) to an mdb database, on the ldapmodify
command slapd dies suddenly with the following last lines:
[...]
5620d62f >>> dnPrettyNormal: <olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config>
5620d62f <<< dnPrettyNormal: <olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config>, <olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config>
5620d62f oc_check_required entry (olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config), objectClass "olcSmbK5PwdConfig"
5620d62f oc_check_allowed type "objectClass"
5620d62f oc_check_allowed type "olcOverlay"
5620d62f oc_check_allowed type "olcSmbK5PwdEnable"
5620d62f oc_check_allowed type "structuralObjectClass"
slapd: No database support for /var/heimdal/heimdal
openldap is 2.4.42 compiled on debian jessie; heimdal is compiled too
(heimdal-1-5-branch). The module in contrib/slapd-modules/smbk5pwd
compiles fine apart from a few warnings.
I think I am missing a library, but I am not able to figure out which one.
thank you,
Francesco
1)
dn: olcOverlay={3}smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {3}smbk5pwd
olcSmbK5PwdEnable: samba
olcSmbK5PwdEnable: krb5
8 years, 1 month
Can a ppolicy be applied to a subtree?
by Campbell, Courtney
I am curious if a ppolicy can be applied to a subtree so that it is added to a user account when newly created?
8 years, 1 month
Allowing users to update their passwords
by Kartik Vashishta
Team,
I am not anything but new to ldap. I have however successfully installed
and configured Openldap on CentOS7. Online material was a BIG help.
I am trying to figure out how to allow users to change their own passwords.
Googling pointed me to this:
access to attrs=userPassword
by self write
by anonymous auth
by users none
access to * by * read
But where and how does this get input into the LDAP db? There is no longer a
slapd.conf.
Please advise. Regards,
Kartik Vashishta
8 years, 1 month
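With cn=config there is no slapd.conf to edit; the rules quoted above become values of the olcAccess attribute on the database entry under cn=config (for an mdb database typically olcDatabase={1}mdb,cn=config), one value per "access to" rule, applied with ldapmodify. Before deploying such a rule set it is worth checking what it actually grants: the following is an added example, not code from the post or from OpenLDAP, that models how slapd evaluates these rules (the first "access to" clause covering the attribute is used; inside it, the first matching "by" clause decides; no matching "by" clause means deny) and runs the rules from the post against constructed DNs.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# slapd access levels from weakest to strongest; a granted level satisfies
# any request at the same or a lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The rules quoted in the post, verbatim.
ACL_TEXT = """
access to attrs=userPassword
by self write
by anonymous auth
by users none
access to * by * read
"""


@dataclass
class By:
    who: str    # self | anonymous | users | *
    level: str


@dataclass
class Rule:
    attrs: Optional[Set[str]]  # None means "to *"
    bys: List[By]


def parse_acl(text: str) -> List[Rule]:
    """Parse the subset of ACL syntax used above: 'attrs=...' or '*', then simple by-clauses."""
    rules = []
    for clause in text.replace("\n", " ").split("access to")[1:]:
        tokens = clause.split()
        what, rest = tokens[0], tokens[1:]
        attrs = None if what == "*" else {a.lower() for a in what[len("attrs="):].split(",")}
        bys = [By(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3) if rest[i] == "by"]
        rules.append(Rule(attrs, bys))
    return rules


def who_matches(who: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """bind_dn None models an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    raise ValueError(f"unsupported who-clause {who!r}")


def allowed(rules: List[Rule], bind_dn: Optional[str], entry_dn: str, attr: str, needed: str) -> bool:
    """First 'access to' that covers attr wins; inside it the first matching 'by'
    wins; a rule that matches but has no matching 'by' is an implicit deny."""
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for by in rule.bys:
            if who_matches(by.who, bind_dn, entry_dn):
                return LEVELS.index(by.level) >= LEVELS.index(needed)
        return False
    return False


ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for who, entry, attr, need in [
        (ALICE, ALICE, "userPassword", "write"),
        (BOB, ALICE, "userPassword", "read"),
        (None, ALICE, "userPassword", "auth"),
        (BOB, ALICE, "cn", "read"),
    ]:
        print(f"{who or 'anonymous'} -> {attr} of {entry} ({need}): "
              f"{allowed(rules, who, entry, attr, need)}")
```

The model deliberately leaves out the "break"/"continue" controls and the richer who-clauses (dn.regex, group, set) of real slapd, but it is enough to show the point of this rule set: a user can write their own userPassword, anonymous sessions can only use it to authenticate, and every other user gets nothing on it because "by users none" comes before any default.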
bind/queries through multiple backends
by Steffen Kaiser
Hi,
I currently have a local OpenLDAP v2.4.40 with a bdb backend and another
instance with a ldap backend proxying binds and queries to an AD.
The bdb backend serves just one suffix:
dc=example,dc=com
The AD serves several suffixes:
dc=example,dc=com (same as local one)
dc=example,dc=net
dc=otherexample,dc=com
dc=anotherexample,dc=net
I would like to merge both configurations.
The entries of the suffix dc=example,dc=com, which is served by both
servers, are disjoint. There is no DN that is located on both servers.
There will be some name problems, but these can be handled by
organisational means.
====
My first problem is that I cannot make bind work for DNs with
suffix dc=example,dc=com which are located on the 2nd backend. In fact,
there are very few DNs of that suffix on the 2nd server, but there are some. I
would like bind to first try the first (local) server and, if the DN
is missing there, the second server (the proxy).
Currently, only the local backend is queried.
====
What would be the best solution to forward a bunch of suffixes to the LDAP
backend?
--
Steffen Kaiser
8 years, 1 month
empty ldapmodify refused with slapo-unique
by Geert Hendrickx
When slapo-unique constraints are in effect, it seems empty updates are
no longer allowed:
> $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
> dn: cn=test1,dc=my-domain,dc=com
> changetype: modify
>
> modifying entry "cn=test1,dc=my-domain,dc=com"
> ldap_modify: Invalid syntax (21)
> additional info: unique_modify() got null op.orm_modlist
Why is this considered invalid syntax? Without slapo-unique constraint,
empty updates like these are accepted.
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
8 years, 1 month
SSL based LDAP client verification
by Aneela Saleem
Hi all,
I have followed this link <http://www.openldap.org/faq/data/cache/185.html> to
generate self-signed certificates. I have successfully performed server
side validation. What if I want to access LDAPS:// from another client? I
have copied the servercrt.pem and serverkey.pem files to the client machine, and also
added servercrt.pem to the client trust store. I'm using the LDAPjs client for
authentication. I have provided the trust store path and serverkey.pem file in
the code, but I still get the following error:
crypto.js:104
if (options.cert) c.context.setCert(options.cert);
^
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Object.exports.createCredentials (crypto.js:104:31)
at Object.exports.connect (tls.js:1334:27)
at Client._connect (/home/aneela/node_modules/ldapjs/lib/client/client.js:736:18)
at new Client (/home/aneela/node_modules/ldapjs/lib/client/client.js:247:22)
at Object.createClient (/home/aneela/node_modules/ldapjs/lib/client/index.js:60:12)
at authDN (/home/aneela/client-ldapjs/app.js:15:21)
at Object.<anonymous> (/home/aneela/client-ldapjs/app.js:90:1)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
Please guide me if I'm doing something wrong. Which PEM files need to be
copied to the client machine? Or do I need to create client side certificates
separately as well?
8 years, 1 month
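The OpenSSL error "PEM_read_bio:no start line" means the data handed in as a certificate or key contained no "-----BEGIN ...-----" header, so it was not PEM at all (a DER file, an empty or wrong path, or a file cut off). Two things worth separating here: a client that only needs to verify the server requires just the server's (or its CA's) certificate in its trust store, and the server's private key should never leave the server; a client certificate and key are only needed when the server demands client-certificate authentication. The following is an added example, not code from the post or from ldapjs: a small Python checker that reads PEM framing and reports why OpenSSL would refuse a file, run on constructed samples whose bodies are placeholders rather than real DER.

```python
import base64
import binascii
import re
from typing import List, Tuple

# One PEM block: the label must match between BEGIN and END.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """All (label, base64 body) pairs found in a PEM file's text."""
    return PEM_RE.findall(text)


def diagnose(text: str, expect: str) -> List[str]:
    """Explain why OpenSSL might reject this file. expect is 'CERTIFICATE' or 'PRIVATE KEY'."""
    blocks = pem_blocks(text)
    if not blocks:
        if "-----BEGIN " in text:
            return ["BEGIN line present but no matching END line: file is truncated or mangled"]
        return ["no '-----BEGIN ...-----' line at all: file is DER, empty, or the wrong file "
                "(this is what 'PEM_read_bio:no start line' means)"]
    problems = []
    if not any(expect in label for label, _ in blocks):
        problems.append(f"no {expect} block; labels found: {[label for label, _ in blocks]}")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label} block body is not valid base64")
    return problems


def _fake_pem(label: str, payload: bytes) -> str:
    """Constructed PEM text whose body is NOT real DER; only the framing is exercised."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"


SAMPLE_CERT = _fake_pem("CERTIFICATE", b"constructed placeholder, not an X.509 certificate")
SAMPLE_KEY = _fake_pem("RSA PRIVATE KEY", b"constructed placeholder, not a real key")
SAMPLE_DER = "\x30\x82\x03\x1a\x30\x82\x02\x02"   # what a DER file looks like when read as text
SAMPLE_TRUNCATED = SAMPLE_CERT.split("-----END")[0]


if __name__ == "__main__":
    for name, text, expect in [("servercrt.pem", SAMPLE_CERT, "CERTIFICATE"),
                               ("serverkey.pem", SAMPLE_KEY, "PRIVATE KEY"),
                               ("cert.der", SAMPLE_DER, "CERTIFICATE"),
                               ("cut.pem", SAMPLE_TRUNCATED, "CERTIFICATE")]:
        print(name, diagnose(text, expect) or "ok")
```

To check real files, read them as text and pass the contents to diagnose() with the label you expect; a key file that reports only CERTIFICATE blocks, or a certificate file that is really DER, is exactly the mix-up that produces the stack trace above.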
slapd-ldap quarantine, manual slapd restart is required
by Nikos Voutsinas
Hi,
I am using the quarantine option of back-ldap, with the following setting:
olcDbQuarantine 10,30;60,+
which AFAIK means that proxy ldap will try to unset the quarantine every 10
seconds for 30 times, and then will try every 60 seconds, forever.
In my case, when proxy ldap put the backend target into quarantine,
the following lines were written in slapd.log, and after that proxy ldap
never managed to remove the target from quarantine.
Oct 7 21:30:58 proxy slapd[330]: conn=632725 op=0 ldap_back_retry: retrying URI="ldap://back01 ldap://back02" DN=""
Oct 7 21:30:58 proxy slapd[330]: conn=632725 op=0: ldap_back_quarantine enter.
Oct 7 21:31:08 proxy slapd[330]: conn=632759 op=0: ldap_back_getconn quarantine retry block #0 try #0.
It seems to me that back-ldap tried once to check the target status after 10
seconds, and after that nothing...
1. Is the config syntax correct?
2. Is there any chance this is a regression of ITS#5592?
Thanks,
Nikos
8 years, 1 month
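The quarantine pattern above encodes a retry schedule, and the log shows which retries actually happened, so the two can be compared mechanically: the schedule says when a "quarantine retry" line is due after the "quarantine enter" line, and every due retry with no line is a stall. The following is an added example, not code from the post or from OpenLDAP: it parses the "10,30;60,+" pattern the way the post reads it (interval in seconds, number of tries, "+" meaning forever), turns it into expected retry offsets, and lists the offsets missing from a constructed log made of the three lines quoted above. It assumes all lines fall on the same day, since syslog timestamps carry no year.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the three slapd.log lines quoted in the post, re-joined.
SAMPLE_LOG = """\
Oct 7 21:30:58 proxy slapd[330]: conn=632725 op=0 ldap_back_retry: retrying URI="ldap://back01 ldap://back02" DN=""
Oct 7 21:30:58 proxy slapd[330]: conn=632725 op=0: ldap_back_quarantine enter.
Oct 7 21:31:08 proxy slapd[330]: conn=632759 op=0: ldap_back_getconn quarantine retry block #0 try #0.
"""

TS_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) ")


def parse_quarantine(spec: str) -> List[Tuple[int, Optional[int]]]:
    """'10,30;60,+' -> [(10, 30), (60, None)]: retry every 10 s up to 30 times,
    then every 60 s forever (None)."""
    blocks = []
    for part in spec.split(";"):
        interval, count = (s.strip() for s in part.split(","))
        blocks.append((int(interval), None if count == "+" else int(count)))
    return blocks


def retry_offsets(blocks: List[Tuple[int, Optional[int]]], horizon: int) -> List[int]:
    """Seconds after entering quarantine at which a retry is due, up to horizon."""
    t, due = 0, []
    for interval, count in blocks:
        n = 0
        while count is None or n < count:
            t += interval
            if t > horizon:
                return due
            due.append(t)
            n += 1
    return due


def _seconds_of_day(line: str) -> int:
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def missing_retries(log_text: str, spec: str, observed_for: int) -> List[int]:
    """Retry offsets the schedule predicts within observed_for seconds of the
    'quarantine enter' line for which no 'quarantine retry' line was logged.
    Assumes all lines are from the same day (syslog timestamps have no year)."""
    enter = None
    seen = set()
    for line in log_text.splitlines():
        if "ldap_back_quarantine enter" in line:
            enter = _seconds_of_day(line)
        elif "quarantine retry block" in line and enter is not None:
            seen.add(_seconds_of_day(line) - enter)
    if enter is None:
        return []
    return [off for off in retry_offsets(parse_quarantine(spec), observed_for) if off not in seen]


if __name__ == "__main__":
    print("schedule:", parse_quarantine("10,30;60,+"))
    print("first retries due at:", retry_offsets(parse_quarantine("10,30;60,+"), 400))
    print("missing in first 120 s:", missing_retries(SAMPLE_LOG, "10,30;60,+", 120))
```

Against the quoted log only the first retry at +10 s is present; every later due offset comes back as missing, which is the "tried once and then nothing" pattern the post describes, and a simple condition to alert on from a proxy's log.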