User Import Problem with n-way multimaster setup
by robert.lindner@delivion.de
Hi,
I have a Problem importing a large batch of users into the following setup:
Two Nodes of openldap running n-way multimaster replication with mdb backend, version is 2.4.44.
Everything looks good, replication is working.
Now I am trying to import a ldif file with 110362 Users to be added and 956419 group modify operations:
1. When both nodes are online and replication is running, after slapd on the importing node quickly starts using all available memory until the kernel oom-killer decides it uses too much and kills the process.
This seems to be caused by the group modifications: It did not happen before, when we had an error in the ldif which caused the group modify statements to be ignored, so only users were imported.
We tried to circumvent this behavior by adding up to 32GB of Memory, but this only postponed the problem.
2. When I shut down the second node, so no replication is happening, then start the user and group membership import, this runs fine (takes about 10 hours) without exhausting memory, but if I join the second node afterwards none of the new entries is replicated to the second node.
Does anyone have an idea what I might be doing wrong?
Currently I try to batch import with the ldif split into chunks of 1000 entries, with a 30s pause in between.
Best Regards,
Robert Lindner
Cloud Platform Engineer | Delivion GmbH
Nachbarsweg 25a | D-45481 Mülheim an der Ruhr
Tel.: [+49] 170 7727967 | Web: www.delivion.de
This e-mail message may contain confidential or legally privileged information and is intended only for the use of the intended recipient(s). Any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is prohibited. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, or contain viruses. Anyone who communicates with us by e-mail is deemed to have accepted these risks. Company Name is not responsible for errors or omissions in this message and denies any responsibility for any damage arising from the use of e-mail. Any opinion and other statement contained in this message and any attachment are solely those of the author and do not necessarily represent those of the company.
6 years, 5 months
Syncrepl and missing entries
by Thomas Hummel
Hello,
I'm planning a migration from openldap-2.4.35 (FreeBSD 9.1-RELEASE-p12)
to openldap-2.4.40 (CentOS 7).
On BSD, I have 3 slapd.conf/hdb servers : one provider and 2 consumers
(classical syncprov overlay / syncrepl refreshAndPersist setup).
On linux, I've set up 3 new cn=config/lmdb servers in a simliar manner.
For a smooth migration, I also configured syncrepl on the linux provider
so that it is also a consumer of the BSD provider.
So this is a simple BSD provider -> linux provider-and-consumer -> linux
consumer chain, not a multi-master setup.
Everything worked fine and I could indeed check that modifying, say an
attribute of my dn, on the FreeBSD provider was replicated to the BSD
consumers, the Linux provider and then the Linux consumers.
Unfortunately, I noticed that, after a while (at least it seems that it
occurred after a while, I'd swear the entry was there from the start),
the sssd entry (cn=sssd,ou=ldap,dc=pasteur,dc=fr) - used by sssd to bind
- was missing on the Linux provider-and-consumer. That in itself may be
an mystery I must figure out.
But more important, I noticed that this entry would not be replicated
although it IS present on the BSD provider, even after slapd restarts.
Only if I remove the database files and restart from scratch get all the
entries - including this one - get replicated from the BSD provider to
the linux provider-consumer.
Is my setup only supposed to work ?
Is the difference of slapd versions a problem ?
Is the fact that both providers manage the same rootDSE a problem ?
Thanks
--
Thomas HUMMEL
6 years, 5 months
Mapping attribute from ppolicy shemas to shadowaccount
by Alexis Lameire
Hello,
Despite my search I can't find a good solution to my issue.
I would like to implement passord policy inside my LDAP server. So I will
use the password policy overlay. The policy applyed to the user is located
on the pwdPolicySubentry attribute of the user entry.
I would like to configure the password expiration warning on my policy. I
would also that this warning will be displayed on my linux based server.
Due to the deprecation of pam_ldap module on recent system, I'm using SSSD.
Despite my search, SSSD is only able to fetch the password expiration
attribut inside the shadowAccount objectClass (so on the user entry).
To be able to define my policy once, I have to show and rename the ppolicy
objectClass attribut referenced by the pwdPolicySubentry dn inside the user
entry.
with the slapo-rwm I can map the attribute of the same leaf objectClass to
another name but I'm not able to follow the pwdPolicySubentry DN and map
the value of this object inside the posixAccount objectClass.
How to acheave this ?
Regards
6 years, 5 months
Openldap with Active Directory
by Matthew Pulis
Hi,
I have a freeradius server which is authenticating users against Openldap
and according to the attribute memberOf is assigned a VLAN (this part works
fine).
Now I would like to extend this functionality for the users in Active
Directory (2012 R2).
My OpenLdap's main DN is: dc=seminary,dc=local, and has 5 OU's each with
their own users.
My Active Direcotry's main ND is: dc=seminary,dc=local too but has only 1
OU which distinguishedName is ou=School,dc=seminary,dc=local.
A few questions:
1) Will this be possible? I need only to authenticate the user and that's
it - any password modifications will be done only through Active Directory
domain.
2) I was thinking to use the back_ldap and rwm Openldap modules. But ended
up entering a problem with this ldif: (since the olcDbACLPasswd is
deprecated)
radius@radius:~$ cat proxy2.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: add
olcdatabase: ldap
olcReadOnly: TRUE
olcDbProtocolVersion: 3
olcSuffix: dc=seminary,dc=local
olcRootDN: ou=school,dc=seminary,dc=local
olcDBUri: "ldap://192.168.100.129:389"
olcDbRebindAsUser: TRUE
olcoverlay: rwm
olcRwmMap: attribute cn distinguishedName
olcRwmMap: attribute mail mail
olcRwmMap: attribute uid sAMAccountName
olcRwmMap: objectClass posixAccount person
olcRwmMap: objectClass memberUid member
olcRwmMap: attribute memberOf memberOf
#olcDbIDAssertBind: bindmethod=simple
#olcDbIDAssertMode: none
olcDbIDAssertBind: cn=Ldap Binder,dc=seminary,dc=local
olcDbACLPasswd: PASS!
Any idea how I can go through this issue?
Will this work after all?
Thanks and best regards
Matthew
Matthew Pulis
web: www.matthewpulis.info
mob: +356 79539404
6 years, 5 months
RedHat 6 & 7 disable TLSv1.0
by Gaurav Swami
Hello,
I have Redhat 6 where am trying to disable TLSv1.0 protocol.I have tried
below configuration
RHEL6
-----------------------------------------
[root@ldap1 ~]# rpm -qa | grep -we openldap -we openssl -we nss
krb5-pkinit-openssl-1.10.3-10.el6_4.6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
nss-util-3.21.0-2.el6.x86_64
nss-3.21.0-8.el6.x86_64
openssl-devel-1.0.1e-48.el6_8.1.x86_64
openssl-1.0.1e-48.el6_8.1.x86_64
openldap-clients-2.4.40-12.el6.x86_64
nss-softokn-freebl-3.14.3-23.3.el6_8.x86_64
nss-sysinit-3.21.0-8.el6.x86_64
nss-tools-3.21.0-8.el6.x86_64
openldap-2.4.40-12.el6.x86_64
nss-softokn-3.14.3-23.3.el6_8.x86_64
----------------------------------------------------------------------------
RHEL6 Configuration
----------------------------------------
TLSProtocolMin 3.2
TLSCipherSuite HIGH
-----------------------------------------
But still when I ran third party tool to check offered protocol am getting
--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
SPDY/NPN not offered
--> Testing ~standard cipher lists
TLSv1.0 is still offered ,I want to disable TLSv1.0 also
Any suggestiosn?
--
Thanks & Regards,
**Gaurav Swami**
6 years, 5 months
Test
by dieter@dkluenter.de
6 years, 5 months
