openldap-technical February 2015

openldap-technical@openldap.org

66 participants
63 discussions

Data is not replicating in other LDAP server in open-ldap mode configuration
by Shashi Ranjan 13 Feb '15

13 Feb '15

Hello, I am new to openldap, facing some issue in replication of data in one instance to other instance of openldap 2.4.11. I have two instance of openldap 2.4.11 and it is configured in multi-master mode. I import the data in one ldap instance using slapadd command(in that time both the instances are down as it ?pre-requisite to run the slapadd command. ). After importing the data, when I start the both ldap instance, data is not replicated to second ldap instance. I check the ldap behavior after restarting the ldap instance but in all cases it failed. Please provide your input so that we can identified the problem. Thanks, Shashi Ranjan "DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."

3 2

syncrepl multiple providers?
by Mark R Bannister 13 Feb '15

13 Feb '15

We have a multi-master pair and multiple replicas hanging off it. Currently we have to use a physical load balancer between the replicas and the masters so that the replicas can survive if one master goes down. Is it possible to configure syncrepl on the consumer side with a failover policy so that if one provider goes down it can automatically retry against another? That would remove the need for separate load balancers. Or should I be looking at deploying something like HAProxy on each LDAP replica? Thanks, Mark.

1 0

Add subtrees to replica via ACL
by Maily Peng 13 Feb '15

13 Feb '15

Hello, I'd like to manage replica ( read only) via ACL. So all replica servers would have the same config : olcSyncrepl :rid=001 provider=ldap://ip:389 binddn="cn=seruser-test,ou=AppUsers,dc=test,dc=net" bindmethod=simple credentials=secret searchbase="dc=phonesystems,dc=net" type=refreshAndPersist interval=00:00:00:10 retry="60 10 300 12 7200 +" where searchbase is the base entry. If we want to add a subtree to a replica, we'd only have to add rights to the ACL on the master. exple : ...to dn.subtree="ou=customer,ou=suite,dc=test,dc=net" by group/groupOfNames/member.exact="cn=ser-test-write,ou=groups,cn=system" write by group/groupOfNames/member.exact="cn=ser-test-read,ou=groups,cn=system" read by * none adding to dn.subtree="ou=provider,ou=suite,dc=test,dc=net" by group/groupOfNames/member.exact="cn=ser-test-write,ou=groups,cn=system" write by group/groupOfNames/member.exact="cn=ser-test-read,ou=groups,cn=system" read by * none would add the subtree "ou=provider,ou=suite,dc=test,dc=net" to the replica. It would be easier to manage replica. Is it possible to implement this solution ? Thank you

1 0

Re: Is the monitor backend writable?
by Ferenc Wagner 13 Feb '15

13 Feb '15

"Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> writes: > Could it be access problems? No, I used the rootDN. > dn: cn=Total,cn=Connections,cn=Monitor > [...] > Does this help you, or do you want something completely different? I expected to see the current logging configuration in cn=Log,cn=Monitor. -- Feri.

1 0

Is the monitor backend writable?
by Ferenc Wagner 13 Feb '15

13 Feb '15

Hi, >From http://www.openldap.org/faq/data/cache/358.html: dn: cn=Log,cn=Monitor changetype: modify add: managedInfo managedInfo: stats managedInfo: stats2 I'm running 2.4.40 with cn=config, olcLoglevel: stats (thus I can change the log level anyway), but cn=Log,cn=Monitor does not contain any managedInfo attributes (at least $ ldapsearch -x -H ldapi:/// -D cn=monitor -W -b cn=Log,cn=Monitor managedInfo does not return any; cn=monitor is the rootDN of the monitor database). My questions: 1. Is the above FAQ entry outdated? Or is it relevant only when not using cn=config? 2. Are there (other) writeable items under cn=Monitor? -- Thanks, Feri.

2 2

Speed when writing dublicate keys
by Tom Kirchner 13 Feb '15

13 Feb '15

Hi, I have a database with about 1 million integer keys. Now I want to append a lot of small values (each 3 bytes) to random keys very often (tens of millions of times). How do I insert into the database the fastest? Currently I am trying the following setup, but I wonder if that is optimal, because I see a decrease in indexing speed after about 500000 random writes (here appends): - I have split the whole key range into 16 databases (each within a different lmdb environment), so each range-db holds about 65000 keys - I open each range-db with the flags: MDB_APPENDDUP | MDB_INTEGERKEY | MDB_INTEGERDUP | MDB_DUPSORT - then when I want to append 3 bytes to the value of a key, I use the following call: res = mdb_put( txn[dbnumber], db[dbnumber], &k, &v, MDB_APPENDDUP ); Thank you for your help! -Tom

2 2

Re: Is the monitor backend writable?
by Ferenc Wagner 13 Feb '15

13 Feb '15

"Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> writes: > Ferenc Wagner <wferi(a)niif.hu> schrieb am 13.02.2015 um 09:20 in Nachricht <874mqqte84.fsf(a)lant.ki.iif.hu>: > >> From http://www.openldap.org/faq/data/cache/358.html: >> >> dn: cn=Log,cn=Monitor >> changetype: modify >> add: managedInfo >> managedInfo: stats >> managedInfo: stats2 >> >> I'm running 2.4.40 with cn=config, olcLoglevel: stats (thus I can change >> the log level anyway), but cn=Log,cn=Monitor does not contain any >> managedInfo attributes (at least >> >> $ ldapsearch -x -H ldapi:/// -D cn=monitor -W -b cn=Log,cn=Monitor managedInfo > > If the default isn't "-s sub", I'd add it, and did you try "monitoredInfo" instead? Neither makes a difference. Not even -s base. Also consider this: $ ldapsearch -LLL -x -H ldapi:/// -D cn=monitor -W -b cn=Log,cn=Monitor -s sub '*' '+' Enter LDAP Password: dn: cn=Log,cn=Monitor objectClass: monitorContainer structuralObjectClass: monitorContainer cn: Log creatorsName: cn=monitor modifiersName: cn=monitor createTimestamp: 20150128093559Z modifyTimestamp: 20150128093559Z description: This subsystem contains information about logging. description: Set the attribute "managedInfo" to the desired log levels. entryDN: cn=Log,cn=Monitor subschemaSubentry: cn=Subschema hasSubordinates: FALSE -- Feri.

1 0

determining what schema are loaded
by chris c 12 Feb '15

12 Feb '15

I've been tasked with adding a mail attribute for an openldap 2.4.23 installation. I've read enough of the entries on the mailing list that talk about the inability to do so being related to the proper schema not being loaded, and I think that is the issue. What I'm struggling with, is how to determine what schema are loaded and where they are loaded from? In reading the Redhat documentation, they reference Required attributes are specified using the objectClass definition, and can be found in schema files located in the /etc/openldap/slapd.d/cn=config/cn=schema/directory. So does this mean that in the above referenced directory, those schema will be loaded?

2 1

Trying to connection php with ldap
by Abhishek koserwal 12 Feb '15

12 Feb '15

*<?php// LDAP variables//$ldaphost = "host";$ldaphost = "localhost";$ldapport = 389;//$ldap_base_dn = "dc=exemplo,dc=com";$ldap_base_dn = "dc=zyz,dc=com";//$ldaprdn = "cn=Manager,$ldap_base_dn";$ldaprdn = "cn=root,$ldap_base_dn";$ldappassw = "my_password";// Connecting to LDAP$ldapconn = ldap_connect($ldaphost, $ldapport) or die ("Could not connect to $ldaphost");@ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);if ($ldapconn) { // binding to ldap server $ldapbind = ldap_bind($ldapconn,$ldaprdn,$ldappassw); // verify binding if (!$ldapbind) { echo '<script>alert("not connected")</script>'; var_dump($ldapbind); exit(); } }?>* Fail to bind, $ldapbind return bool(false). I have configured phpldapadmin, which is working fine. Regards Abhishek Koserwal Final year, CSE, IET-DAVV The capacity to learn is a gift; The ability to learn is a skill; The willingness to learn is a choice -- Brian Herbert

3 2

Re: LDAP searches for Kerberos entries
by Dameon Wagner 12 Feb '15

12 Feb '15

(Reposted to the list rather than just to Michael, sorry about that.) On Wed, Feb 11 2015 at 16:24:09 +0100, Michael Ströder scribbled in "Re: LDAP searches for Kerberos entries": > Simo Sorce wrote: > > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote: > >> HI! > >> > >> Maybe some of you are using MIT Kerberos with LDAP backend. > >> > >> For creating a decent web2ldap search form template for the > >> Kerberos schema I'd like to know which kind of searches you > >> usually do when looking into your backend via LDAP. > >> > >> Which attributes are you usually using in the search? Which > >> filters do you hack on command-line? > >> > >> Well, 'krbPrincipalName' will of course be the most used search > >> attribute. The default equality matching rule is > >> caseExactIA5Match, so for convenience I'd add something to use > >> caseIgnoreIA5Match without the user having to select that > >> himself. > > > > You should also search on KrbCanonicalName if you need exact > > matching, krbPrincipalName is multivalued and may contain aliases. > > Thanks, added it. > > What about 'krbPrincipalAliases'? Is that actually used? That depends on whether you're using MIT or Heimdal for your your KDCs. IIRC krbPrincipalAliases refers to a feathure of Heimdal's implementation that MIT doesn't have, namely the ability for a principal to have one or more aliases (so host/foo.example.com could have also have HTTP/foo.example.com and ldap/foo.example.com all refer to the same principal in the KDB) If you're using an MIT realm, you probably don't need it. Cheers. Dameon. -- ><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <>< Dameon Wagner, Systems Development and Support Team IT Services, University of Oxford ><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2015