I'm trying to set up master/slave replication via delta-syncrepl, but for
most of the entries I get the message: "Entry CSN greater than
snapshot". I have searched the archive of the mailing list but couldn't find
a solution for this. Any help is appreciated.
Some entries I get in the syslog:
Oct 20 20:23:57 temperance slapd: Entry
CSN 20151015141738.689470Z#000000#000#000000 greater than snapshot
Oct 20 20:23:57 temperance slapd: Entry
20151020152042.450209Z#000000#000#000000 greater than snapshot
Oct 20 20:23:57 temperance slapd: Entry
20151020152042.636081Z#000000#000#000000 greater than snapshot
I have the following config in the provider (slapd 2.4.23):
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart eq
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
syncprov-checkpoint 1000 60
#syncprov-checkpoint 500 30
# accesslog overlay definitions for primary db
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
index objectClass eq,pres
index ou,cn,sn,mail,givenname eq,pres,sub
index uidNumber,gidNumber,memberUid eq,pres
index loginShell eq,pres
index memberOf eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
# required to support pdb_getsambapwrid()
index displayName pres,sub,eq
index nisMapName,nisMapEntry eq,pres,sub
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index uniqueMember eq
index sambaGroupType eq
index sambaSIDList eq
# syncprov specific indexing
index entryUUID eq
index entryCSN eq
In the consumer server we have:
retry="5 + 5 +"
# Refer updates to the master
Thanks in advance
Pedro Roger Magalhães Vasconcelos
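Added example, not part of the original post: the message above compares each entry's entryCSN against the contextCSN snapshot the provider took when the sync session started, so the first thing to check is which entries really are newer than that snapshot for their serverID. The script below parses CSN strings of the layout shown in the syslog lines (time.microsecondsZ#count#sid#modifier), pulls them out of "greater than snapshot" messages, and reports the ones newer than a snapshot CSN; the syslog sample and the snapshot value are constructed for the demonstration, a real snapshot comes from the provider's contextCSN attribute.

```python
import re
from dataclasses import dataclass

# OpenLDAP CSN layout, as seen in the poster's syslog lines:
#   <UTC time, 14 digits>.<microseconds>Z#<change count, hex>#<serverID, hex>#<modifier, hex>
CSN_RE = re.compile(
    r"^(?P<time>\d{14})\.(?P<usec>\d{6})Z"
    r"#(?P<count>[0-9A-Fa-f]{6})#(?P<sid>[0-9A-Fa-f]{3})#(?P<mod>[0-9A-Fa-f]{6})$"
)

# Pulls the CSN out of a "greater than snapshot" syslog line; slapd prints the
# value either as "Entry CSN <csn> ..." or as "Entry <csn> ..." (both appear above).
LOG_RE = re.compile(r"Entry (?:CSN )?(\S+) greater than snapshot")


@dataclass(frozen=True, order=True)
class CSN:
    # Field order defines comparison order: wall-clock time first, then the
    # per-second counters.  The 14-digit time string sorts chronologically.
    time: str
    usec: int
    count: int
    sid: int
    mod: int


def parse_csn(text):
    """Parse one CSN string; raises ValueError if the layout is off."""
    m = CSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    return CSN(m["time"], int(m["usec"]),
               int(m["count"], 16), int(m["sid"], 16), int(m["mod"], 16))


def csns_from_log(lines):
    """Return the CSNs named in 'greater than snapshot' messages, in log order."""
    return [parse_csn(m.group(1)) for line in lines
            for m in [LOG_RE.search(line)] if m]


def newer_than_snapshot(entry_csns, snapshot_csns):
    """Entries whose CSN is newer than the snapshot CSN for the same serverID.

    contextCSN holds one value per serverID, so each entry is compared only
    with the snapshot value carrying its own sid; an entry whose sid has no
    snapshot value at all is reported too.
    """
    by_sid = {c.sid: c for c in snapshot_csns}
    return [c for c in entry_csns if c.sid not in by_sid or c > by_sid[c.sid]]


# Constructed sample: the three lines from the report, re-joined onto single
# lines as syslog writes them, plus one unrelated line that must be ignored.
SAMPLE_LOG = [
    "Oct 20 20:23:57 temperance slapd: Entry CSN 20151015141738.689470Z#000000#000#000000 greater than snapshot",
    "Oct 20 20:23:57 temperance slapd: Entry 20151020152042.450209Z#000000#000#000000 greater than snapshot",
    "Oct 20 20:23:57 temperance slapd: Entry 20151020152042.636081Z#000000#000#000000 greater than snapshot",
    "Oct 20 20:23:58 temperance slapd: conn=1001 op=0 BIND dn=\"\" method=128",
]

# Constructed snapshot: a contextCSN for serverID 0 that falls between the
# second and the third entry above.
SAMPLE_SNAPSHOT = [parse_csn("20151020152042.500000Z#000000#000#000000")]

if __name__ == "__main__":
    for c in newer_than_snapshot(csns_from_log(SAMPLE_LOG), SAMPLE_SNAPSHOT):
        print("newer than snapshot:", c)
```

With the constructed snapshot only the third entry is reported; running the same check against the provider's real contextCSN shows whether the entries slapd complains about are genuinely ahead of the snapshot or whether the provider and consumer disagree about the serverID.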
I'm trying to get one ldap server configured to chain queries to a second server when specific OUs that are on the 2nd server (but not the 1st) are referenced in a query/ldapsearch. Note that these are read-only consumers, so I am not dealing with modifications, only searches. Both servers share the top level suffix.
An ldapsearch against the first server involving an OU that is on the second server returns "no such Object"; and the logfile on the first server (loglevel 1) shows no reference to the chain-uri or attempt to search outside the first server.
slapd.conf is valid per slaptest, and starts successfully.
However, an ldapsearch against the initial target server simply returns "No such object", because it appears the chain is never followed or these directives are inactive. In the local4.log with loglevel set to 1, there's never any attempt/reference to the chain-uri, and no subsequent entry in the log file for the second server.
- should there be logfile entries on the first server referencing the chain-uri (or on the client ldapsearch with -d1)?
- is there a missing directive or incorrect configuration?
Thanks for any assistance.
I've been trying to set up a caching proxy server with OpenLDAP for quite
a long time, and it seems, from what I can see right now, that the proxy
stuff is working (I can log on on a server that points to the proxy as
its LDAP server), but the caching stuff doesn't seem to work at all.
EVERY request I'm doing is transferred to the AD (the real LDAP server)
behind the proxy LDAP.
Here's how my pcache module is set. Not too sure though how to set up
pcacheTemplates. Maybe that's my error. One thing to note is that no
database is even created in the /var/tmp/cache directory, as I would expect.
pcache bdb 100000 3 1000 60
index objectClass eq
index sAMAccountName eq
pcacheAttrset 0 objectClass name objectSid
pcacheAttrset 1 objectClass sAMAccountName
pcacheAttrset 2 *
pcacheTemplate (&(member=)(objectClass=)(name=)) 0 60
pcacheTemplate (objectClass=) 0 60
pcacheTemplate (&(objectSid=)(objectClass=)(name=)) 0 60
pcacheTemplate (&(?sAMAccountName=)(?objectClass=)(sAMAccountName=)(objectSid=)) 2 60
pcacheTemplate (sAMAccountName=) 2 60
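Added example, not the poster's configuration or the overlay's own code: pcache only answers a query from cache when the search filter, with its assertion values stripped, is identical to a pcacheTemplate string and the requested attributes are covered by that template's pcacheAttrset. Any other query is passed straight to the remote server, which is the "every request goes to the AD" symptom. The script below models that matching for the templates quoted above (the two templates with the '?' optional marker are left out, since this simplified matcher does not model optional components, and it does not reorder filter components either); the queries it is run against are constructed.

```python
import re

# Removes assertion values, so "(sAMAccountName=jdoe)" becomes "(sAMAccountName=)":
# a value runs from the first '=' inside a component to its closing ')'.
VALUE_RE = re.compile(r"=[^()]*\)")


def template_of(ldap_filter):
    """Reduce a search filter to the template string it is compared with."""
    return VALUE_RE.sub("=)", "".join(ldap_filter.split())).lower()


class PcacheConfig:
    """Minimal model of pcacheAttrset / pcacheTemplate matching (see lead-in)."""

    def __init__(self):
        self.attrsets = {}    # index -> set of attribute names, or None for '*'
        self.templates = []   # (template string, attrset index, ttl seconds)

    def load(self, text):
        for line in text.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            if parts[0] == "pcacheAttrset":
                attrs = parts[2:]
                self.attrsets[int(parts[1])] = None if attrs == ["*"] else {a.lower() for a in attrs}
            elif parts[0] == "pcacheTemplate":
                self.templates.append((parts[1].lower(), int(parts[2]), int(parts[3])))
        return self

    def match(self, ldap_filter, requested_attrs):
        """Return (template, attrset index, ttl) if the query is cacheable, else None."""
        wanted = {a.lower() for a in requested_attrs}
        tmpl = template_of(ldap_filter)
        for t, idx, ttl in self.templates:
            if t != tmpl:
                continue
            cached = self.attrsets.get(idx)
            if cached is None or wanted <= cached:
                return (t, idx, ttl)
        return None


# Copy of the poster's attrset/template lines (the '?' templates omitted, see lead-in).
SAMPLE_CONFIG = """\
pcacheAttrset 0 objectClass name objectSid
pcacheAttrset 1 objectClass sAMAccountName
pcacheAttrset 2 *
pcacheTemplate (&(member=)(objectClass=)(name=)) 0 60
pcacheTemplate (objectClass=) 0 60
pcacheTemplate (&(objectSid=)(objectClass=)(name=)) 0 60
pcacheTemplate (sAMAccountName=) 2 60
"""

CONFIG = PcacheConfig().load(SAMPLE_CONFIG)


def explain(ldap_filter, attrs):
    hit = CONFIG.match(ldap_filter, attrs)
    outcome = f"cacheable via {hit[0]} (ttl {hit[2]}s)" if hit else "passed through to the remote server"
    return f"{ldap_filter} -> {outcome}"


if __name__ == "__main__":
    # Constructed queries: the first matches a template, the others do not.
    print(explain("(sAMAccountName=jdoe)", ["sAMAccountName", "objectClass"]))
    print(explain("(&(objectClass=user)(sAMAccountName=jdoe))", ["sAMAccountName"]))
    print(explain("(objectClass=group)", ["member"]))
```

The second and third queries are the instructive ones: a client that adds an objectClass component to its filter, or asks for an attribute outside the attrset, never hits the cache even though a similar-looking template exists. Comparing the filters in the proxy's search log with template_of() output shows quickly which templates the real client traffic would need.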
While adding the smbk5pwd overlay 1) to an mdb database, on the ldapmodify
command slapd dies suddenly with the following last lines:
5620d62f >>> dnPrettyNormal:
5620d62f <<< dnPrettyNormal:
5620d62f oc_check_required entry
5620d62f oc_check_allowed type "objectClass"
5620d62f oc_check_allowed type "olcOverlay"
5620d62f oc_check_allowed type "olcSmbK5PwdEnable"
5620d62f oc_check_allowed type "structuralObjectClass"
slapd: No database support for /var/heimdal/heimdal
OpenLDAP is 2.4.42 compiled on Debian jessie; Heimdal is compiled too
(heimdal-1-5-branch). The module in contrib/slapd-modules/smbk5pwd
compiles fine apart from a few warnings.
I think I am missing a library, but I am not able to figure out which one.
I am curious if a ppolicy can be applied to a subtree so that it is added to a user account when newly created?
I am not anything but new to ldap. I have however successfully installed
and configured Openldap on CentOS7. Online material was a BIG help.
I am trying to figure out how to allow users to change their own passwords.
Googling pointed me to this:
access to attrs=userPassword
by self write
by anonymous auth
by users none
access to * by * read
But where and how does this get input into the LDAP db? There is no more a
Please advise. Regards,
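Added example, not part of the question or of OpenLDAP itself: slapd evaluates access rules in order, taking the first "access to" clause whose target matches and, inside it, the first "by" clause whose subject matches, so the same four rules produce very different results depending on where they sit (in cn=config they are the ordered olcAccess: {n}... values of the database entry). The script below models that evaluation for the rules quoted above and for a constructed misordered variant; the DNs are constructed.

```python
# OpenLDAP access levels from weakest to strongest; a grant of level L also
# satisfies every requirement to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Parse slapd.conf style 'access to <what> by <who> <level>' rules.

    Only the forms used on this page are understood: <what> is '*' or
    'attrs=<list>', <who> is '*', 'self', 'anonymous' or 'users'.
    'by' clauses may follow on the same line or on their own lines.
    """
    acls = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "access":
            if len(tokens) < 3 or tokens[1] != "to":
                raise ValueError(f"malformed access line: {raw}")
            acls.append((tokens[2], []))
            tokens = tokens[3:]
        if not acls:
            raise ValueError(f"'by' clause before any 'access to': {raw}")
        while tokens:
            if tokens[0] != "by" or len(tokens) < 3 or tokens[2] not in LEVELS:
                raise ValueError(f"malformed by-clause: {raw}")
            acls[-1][1].append((tokens[1], tokens[2]))
            tokens = tokens[3:]
    return acls


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in [a.lower() for a in what[6:].split(",")]
    raise ValueError(f"unsupported <what>: {what}")


def granted(acls, bind_dn, target_dn, attr):
    """Level slapd grants: first matching 'access to' clause wins, and inside
    it the first matching 'by' clause wins; no match means 'none'."""
    for what, bys in acls:
        if not what_matches(what, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"   # implicit trailing 'by * none'
    return "none"


def allows(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(granted(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


# The rules quoted in the question, in the order given.
ACLS = parse_acls("""
access to attrs=userPassword
    by self write
    by anonymous auth
    by users none
access to * by * read
""")

# Constructed counter-example: the same rules with the catch-all first.
MISORDERED = parse_acls("""
access to * by * read
access to attrs=userPassword
    by self write
    by anonymous auth
    by users none
""")

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    print("alice changes her own password:", allows(ACLS, ALICE, ALICE, "userPassword", "write"))
    print("bob reads alice's password hash:", allows(ACLS, BOB, ALICE, "userPassword", "read"))
    print("same, with the catch-all rule first:", allows(MISORDERED, BOB, ALICE, "userPassword", "read"))
```

The misordered variant is the case worth remembering: because "access to *" matches userPassword as well, placing it first hands every authenticated user read access to password hashes and the userPassword rule is never reached. slapd processes rules in the order they appear, so the most specific "access to" clauses go first.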
I currently have a local OpenLDAP v2.4.40 with a bdb backend and another
instance with a ldap backend proxying binds and queries to an AD.
The bdb backend serves just one suffix:
The AD serves several suffixes:
dc=example,dc=com (same as local one)
I would like to merge both configurations.
The entries of the suffix dc=example,dc=com, which is served by both
servers, are disjoint. There is no DN that is located on both servers.
There will be some name problems, but these can be handled by
My first problem is that I cannot make bind work for DNs with
suffix dc=example,dc=com, which are located on the 2nd backend. In fact,
there are very few DNs of that suffix on the 2nd server, but there are. I
would like that bind first tries the first (local) server and, if the DN
is missing there, the second server (the proxy).
Currently, only the local backend is queried.
What would be the best solution to forward a bunch of suffixes to the LDAP
When slapo-unique constraints are in effect, it seems empty updates are
no longer allowed:
> $ ldapmodify -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret
> dn: cn=test1,dc=my-domain,dc=com
> changetype: modify
> modifying entry "cn=test1,dc=my-domain,dc=com"
> ldap_modify: Invalid syntax (21)
> additional info: unique_modify() got null op.orm_modlist
Why is this considered invalid syntax? Without slapo-unique constraint,
empty updates like these are accepted.
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
I have followed this link <http://www.openldap.org/faq/data/cache/185.html> to
generate self-signed certificates. I have successfully performed server
side validation. What if I want to access LDAPS:// from another client? I
have copied the servercrt.pem and serverkey.pem files to the client machine, and also
added servercrt.pem to the client trust store. I'm using the LDAPjs client for
authentication. I have provided the trust store path and the serverkey.pem file in
the code, but I still get the following error:
if (options.cert) c.context.setCert(options.cert);
Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
at Object.exports.createCredentials (crypto.js:104:31)
at Object.exports.connect (tls.js:1334:27)
at new Client
at authDN (/home/aneela/client-ldapjs/app.js:15:21)
at Object.<anonymous> (/home/aneela/client-ldapjs/app.js:90:1)
at Module._compile (module.js:456:26)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
Please guide me if I'm doing something wrong. Which PEM files need to be
copied to the client machine? Or do I need to create client-side certificates
separately as well?
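Added example, not code from the question or from ldapjs: the error "PEM_read_bio:no start line" means OpenSSL never saw a "-----BEGIN ...-----" line in the data it was given. The tlsOptions ldapjs forwards to Node's tls module expect the PEM contents (a string or Buffer), not a path to the file, which is the first thing to check. The second thing to check, since the question mentions copying serverkey.pem to the client, is that the client is not being handed the server's private key at all: for verifying a self-signed server certificate the client needs only the certificate that signed it. The script below inspects whatever value would be passed as cert/ca and reports which of those cases applies; the PEM blocks it runs on are constructed and do not contain a real certificate or key.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.S,
)


def pem_blocks(data):
    """Return (label, decoded bytes) for each well-formed PEM block in data.

    A block whose base64 body does not decode is skipped, since OpenSSL would
    reject it as well.
    """
    text = data.decode("ascii", errors="replace") if isinstance(data, bytes) else data
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        try:
            raw = base64.b64decode("".join(m["body"].split()), validate=True)
        except (binascii.Error, ValueError):
            continue
        blocks.append((m["label"], raw))
    return blocks


def diagnose(value):
    """Classify what is about to be handed to the TLS layer as its 'cert' / 'ca' option."""
    labels = [label for label, _ in pem_blocks(value)]
    text = value.decode("ascii", errors="replace") if isinstance(value, bytes) else value
    if not labels:
        if "\n" not in text and text.strip().endswith(".pem"):
            return "looks like a file path, not PEM contents: read the file first"
        if "-----BEGIN" not in text:
            return "no PEM start line: the data is not PEM (possibly DER, or an empty/wrong file)"
        return "PEM header present but the block is malformed (mismatched END label or bad base64)"
    if any("PRIVATE KEY" in label for label in labels):
        return "contains a private key: the client only needs the CA/server certificate"
    return "ok: " + ", ".join(labels)


def _fake_pem(label, payload):
    """Constructed PEM block for the demonstration; the payload is not a real certificate."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


SERVER_CERT = _fake_pem("CERTIFICATE", b"constructed, not a real certificate")
SERVER_KEY = _fake_pem("PRIVATE KEY", b"constructed, not a real key")

if __name__ == "__main__":
    # A path string is what produces "no start line" when passed as the cert option.
    print(diagnose("/home/aneela/client-ldapjs/servercrt.pem"))
    print(diagnose(SERVER_CERT))
    print(diagnose(SERVER_KEY))
```

Running diagnose() on the exact value the application passes into the TLS options, rather than on the file on disk, is what separates "wrong file" from "file never read".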
I am using the quarantine option of back-ldap, using the following setting:
which AFAIK means that the proxy will try to unset the quarantine every 10
seconds for 30 times, and then will try every 60 seconds, forever.
In my case when proxy ldap put the backend target into quarantine
the following lines were written in slapd.log, and after that proxy ldap
never managed to remove the target from quarantine.
Oct 7 21:30:58 proxy slapd: conn=632725 op=0 ldap_back_retry:
retrying URI="ldap://back01 ldap://back02" DN=""
Oct 7 21:30:58 proxy slapd: conn=632725 op=0: ldap_back_quarantine
Oct 7 21:31:08 proxy slapd: conn=632759 op=0: ldap_back_getconn
quarantine retry block #0 try #0.
It seems to me that back-ldap tried once to check the target status after 10
seconds, and after that nothing...
1. Is the config syntax correct?
2. Is there any chance this is a regression of ITS#5592?
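Added example, not part of the original post: the quarantine setting itself did not survive in the message above, so the script assumes the pattern "10,30;60,+", which is the slapd-ldap(5) form (interval,count pairs separated by ';', with '+' for unlimited) matching the description of 10 seconds times 30 and then 60 seconds forever. It expands that pattern into the retry times the proxy should log relative to the ldap_back_quarantine line and compares them with the retries actually present in the log, so the gap the poster describes (one retry at +10 s, then nothing) becomes a list of missing retry times. The syslog sample is constructed from the three quoted lines plus one later unrelated line.

```python
import re
from datetime import datetime


def parse_quarantine(pattern):
    """Parse a back-ldap quarantine pattern "<interval>,<num>[;<interval>,<num>...]".

    <num> is a retry count or '+' for unlimited; returns [(interval_seconds, count_or_None)].
    """
    blocks = []
    for part in pattern.strip('"').split(";"):
        interval, num = (p.strip() for p in part.split(","))
        blocks.append((int(interval), None if num == "+" else int(num)))
    return blocks


def retry_offsets(blocks, horizon):
    """Seconds after the quarantine started at which retries are due, up to horizon."""
    out, t = [], 0
    for interval, num in blocks:
        done = 0
        while num is None or done < num:
            if t + interval > horizon:
                return out
            t += interval
            out.append(t)
            done += 1
    return out


SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s")


def log_time(line, year):
    """Syslog lines carry no year, so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")


def audit(pattern, log_lines, year=2015):
    """Compare the retries seen in the log with the schedule the pattern promises.

    The retry line is tied to a conn=/op=, i.e. retries are checked when an
    operation arrives, so expected times are capped at the last line in the log.
    """
    start, observed, last = None, [], None
    for line in log_lines:
        t = log_time(line, year)
        last = t
        if "ldap_back_quarantine" in line:
            start, observed = t, []
        elif "quarantine retry" in line and start is not None:
            observed.append(int((t - start).total_seconds()))
    if start is None:
        return {"expected": [], "observed": [], "missing": []}
    horizon = int((last - start).total_seconds())
    expected = retry_offsets(parse_quarantine(pattern), horizon)
    return {"expected": expected, "observed": observed,
            "missing": [e for e in expected if e not in observed]}


# Constructed sample: the poster's lines joined onto single syslog lines, plus a
# later unrelated line showing the log kept going with no further retry.
SAMPLE_LOG = [
    'Oct 7 21:30:58 proxy slapd: conn=632725 op=0 ldap_back_retry: retrying URI="ldap://back01 ldap://back02" DN=""',
    "Oct 7 21:30:58 proxy slapd: conn=632725 op=0: ldap_back_quarantine",
    "Oct 7 21:31:08 proxy slapd: conn=632759 op=0: ldap_back_getconn quarantine retry block #0 try #0.",
    'Oct 7 21:35:10 proxy slapd: conn=632801 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0',
]

# Assumed setting matching "every 10 s, 30 times, then every 60 s forever".
ASSUMED_PATTERN = "10,30;60,+"

if __name__ == "__main__":
    result = audit(ASSUMED_PATTERN, SAMPLE_LOG)
    print("observed retries (s after quarantine):", result["observed"])
    print("expected but missing (s):", result["missing"])
```

Because the retry happens inside ldap_back_getconn, a proxy that receives no operations during an interval logs no retry for it; when reading a real log, a missing retry only counts as evidence once the log shows operations arriving at that time, as the trailing SRCH line does here.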