RE: Issue importing CGP schema into LDAP (centos 7)
by Quanah Gibson-Mount
--On Wednesday, May 03, 2017 12:30 PM -0400 John Cooter
<jcooter(a)atlantech.net> wrote:
> I attempted that this morning as well, and will present reference here:
> Contents of test.conf
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/ppolicy.schema
> include /etc/openldap/schema/cgp.schema (the referenced schema
> for conversion)
>
> testing directory created
>
> slaptest -f test.conf -F testing
>
> error message:
>
> 5909f790 /etc/openldap/schema/cgp.schema: line 8 attributetype: Duplicate attributeType: "2.16.840.1.113730.3.1.241"
> slaptest: bad configuration directory!
Fix your cgp.schema to not include the definition for displayName, since
that already comes from inetorgperson.schema. And remove any other
attributes it is incorrectly defining that are provided from other schema
as well.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
RE: Issue importing CGP schema into LDAP (centos 7)
by Quanah Gibson-Mount
--On Wednesday, May 03, 2017 12:17 PM -0400 John Cooter
<jcooter(a)atlantech.net> wrote:
> That was my understanding, that I only needed to include the schema I was
> trying to convert. The "test.conf" file ONLY had the schema for
> conversion included. And since "organization" does come from the base
> schema, I'm wondering WHY I'm getting this error on conversion. I have
> included the problematic object definition earlier in this thread, and I
> really don't see why I'm failing. I can post the entire schema I'm trying
> to convert if that would help. I'm really quite stumped. This should be a
> simple conversion, but why I'm failing when attempting to attach to an
> existing objectClass is beyond my understanding.
The test.conf that you are converting has *zero* knowledge of what you have
loaded into cn=config.
Generally what one does is, define a test.conf that includes all the
necessary schema to convert the additional schema you are converting, and
then you do something like:
mkdir -p /tmp/test-config
slaptest -F /tmp/test-config -f test.conf
Then you can use the converted schema that is written into /tmp/test-config.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
RE: Issue importing CGP schema into LDAP (centos 7)
by Quanah Gibson-Mount
--On Wednesday, May 03, 2017 9:28 AM -0400 John Cooter
<jcooter(a)atlantech.net> wrote:
> So, just to confirm what you're saying, that EVEN THOUGH the existing
> schema has all the prerequisite objectClass and other object types, and
> even though I'm attempting to use slaptest to convert a single extended
> .schema, a holdover from an earlier version of openldap, to an .ldif in
> the configuration cn, that my test.conf, must have lines that include all
> the other base schema files as well?
You should absolutely not be including elements from other schema into the
file simply for the purpose of conversion, as you will end up with a file
you won't be able to import to cn=config if it has those other schema
included. And, if it had all the elements as you claim, then you certainly
wouldn't be getting an error about the "organization" objectClass being
missing, given that that comes from the "core" schema file.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
RE: Issue importing CGP schema into LDAP (centos 7)
by Quanah Gibson-Mount
--On Tuesday, May 02, 2017 5:02 PM -0400 John Cooter
<jcooter(a)atlantech.net> wrote:
> The existing configuration, was created as follows:
> Install ldap and related services
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
> create test.conf which only contains a single line: include /etc/openldap/schema/cgp.schema
> run slaptest statement, as listed below. Get error.
> This slaptest statement should normally allow me to create the ldif to
> add to the schema, but it keeps failing. And I'm trying to figure out why
> and what I'm doing wrong.
Your test LDIF file for converting schema must include all other schema
that it is dependent upon for it to be able to convert properly.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Issue importing CGP schema into LDAP (centos 7)
by John Cooter
I have been tasked with virtualizing our existing, aging, LDAP and CommuniGate Pro instances. Doing so will require moving from RHEL 5.X to CentOS 7.X, which means that the existing LDAP implementation has changed. Upon attempting to perform a "slaptest -f test.conf -F testing" where test.conf contains only an include statement that points to /etc/openldap/schema/cgp.schema, and testing is an empty directory, I receive the following error message:
59033edc /etc/openldap/schema/cgp.schema: line 640 objectClass: ObjectClass not found: "organization"
slaptest: bad configuration directory!
I am able to verify that the various base includes in my LDAP server do include an objectClass "organization" and can verify same in phpLDAPadmin, and in other methods. I am new to the concepts presented here, and since we are using LDAP in what appears to me to be a non-standard use case, I am at a loss. I present the relevant "line 640" below, from the schema I am attempting to import:
objectClass ( 2.5.1000.0
NAME 'CommuniGateDomain'
SUP 'organization'
STRUCTURAL
MAY ( cn $
dc ) )
Can someone perhaps tell me where I am going wrong, or how to more effectively troubleshoot this import?
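The two slaptest failures in this thread (an objectClass whose SUP lives in a schema file that test.conf does not include, and a cgp.schema that redefines an attributeType OID already provided by inetorgperson.schema) can both be caught offline before slaptest is run. The checker below is an added example, not code from the thread or from OpenLDAP; it walks the schema files in test.conf include order, the way slaptest does, and reports the first definition that cannot be resolved. The schema fragments are constructed, abridged stand-ins for the real files (the OIDs are the real ones, the definitions are trimmed), and the file names are placeholders.

```python
"""Added example (not from the thread or OpenLDAP): offline pre-check for a
test.conf schema set. Reports missing SUP classes, unknown MUST/MAY
attributes and duplicate OIDs across includes, in include order."""
import re

# Constructed, abridged stand-in for core.schema (real OIDs, trimmed definitions).
CORE = """
attributetype ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
    DESC 'RFC2256: common name(s) for which the entity is known by' SUP name )
attributetype ( 2.5.4.10 NAME ( 'o' 'organizationName' ) SUP name )
attributetype ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' )
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o )
"""
# Constructed stand-in for inetorgperson.schema: the displayName the thread collides on.
INETORGPERSON = """
attributetype ( 2.16.840.1.113730.3.1.241 NAME 'displayName'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""
# The objectClass quoted in the thread plus a redundant displayName (constructed).
CGP_BROKEN = """
attributetype ( 2.16.840.1.113730.3.1.241 NAME 'displayName'
    EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClass ( 2.5.1000.0 NAME 'CommuniGateDomain' SUP 'organization'
    STRUCTURAL MAY ( cn $ dc ) )
"""
# Same file with the duplicate attributeType removed, as the reply recommends.
CGP_FIXED = """
objectClass ( 2.5.1000.0 NAME 'CommuniGateDomain' SUP 'organization'
    STRUCTURAL MAY ( cn $ dc ) )
"""


def _balanced_body(text, start):
    """Text inside the '(' just before `start`; parentheses inside single-quoted
    strings (DESC values) do not count."""
    depth, i, in_str = 1, start, False
    while i < len(text) and depth:
        c = text[i]
        if c == "'":
            in_str = not in_str
        elif not in_str and c == "(":
            depth += 1
        elif not in_str and c == ")":
            depth -= 1
        i += 1
    return text[start:i - 1]


def _name_list(body, keyword):
    """Values after NAME/SUP/MUST/MAY: one token, 'quoted', or ( a $ b )."""
    m = re.search(r"\b%s\s+(\([^()]*\)|'[^']*'|[\w.-]+)" % keyword, body)
    if not m:
        return []
    return [t.strip("'") for t in re.findall(r"'[^']*'|[\w.-]+", m.group(1))]


def parse_schema(path, text):
    """Yield one dict per attributetype/objectclass definition in a schema file."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for m in re.finditer(r"(?im)^\s*(attributetype|objectclass)\s*\(", text):
        body = _balanced_body(text, m.end())
        yield {"kind": m.group(1).lower(), "oid": body.split()[0], "file": path,
               "names": _name_list(body, "NAME"), "sup": _name_list(body, "SUP"),
               "attrs": _name_list(body, "MUST") + _name_list(body, "MAY")}


def check_schema_set(files):
    """files: ordered (path, text) pairs in test.conf include order.
    Returns (problem, detail, file) tuples; [] means these checks pass."""
    problems, seen = [], {}
    # 'top' and 'objectClass' are hard-wired into slapd, so no include defines them.
    known = {"objectclass": {"top"}, "attributetype": {"objectclass"}}
    for path, text in files:
        for d in parse_schema(path, text):
            key = (d["kind"], d["oid"])
            if key in seen:
                problems.append(("duplicate %s OID" % d["kind"],
                                 "%s already defined in %s" % (d["oid"], seen[key]), path))
                continue
            seen[key] = path
            label = d["names"][0] if d["names"] else d["oid"]
            for s in d["sup"]:
                if s.lower() not in known[d["kind"]]:
                    problems.append(("missing SUP", "%s SUP %s" % (label, s), path))
            if d["kind"] == "objectclass":
                for a in d["attrs"]:
                    if a.lower() not in known["attributetype"]:
                        problems.append(("unknown attribute", "%s uses %s" % (label, a), path))
            known[d["kind"]].update(n.lower() for n in d["names"])
    return problems


if __name__ == "__main__":
    only_cgp = [("cgp.schema", CGP_BROKEN)]          # the original poster's test.conf
    full = [("core.schema", CORE), ("inetorgperson.schema", INETORGPERSON),
            ("cgp.schema", CGP_BROKEN)]              # all prerequisites included
    fixed = full[:2] + [("cgp.schema", CGP_FIXED)]   # duplicate displayName removed
    for name, files in (("cgp only", only_cgp), ("all includes", full), ("fixed", fixed)):
        print(name, "->", check_schema_set(files) or "OK")
```

Run with only cgp.schema the checker reports `CommuniGateDomain SUP organization` as unresolved, which is the first error in the thread; with core and inetorgperson included first it reports the duplicate displayName OID instead; with the duplicate removed it passes. Include order matters exactly as it does for slaptest, so the `files` list should mirror the `include` lines of test.conf.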
password change interception overlay
by Michael Ströder
HI!
Does anybody know a publicly available overlay which intercepts userPassword changes and
grabs the new password for password syncing?
Ciao, Michael.
Using CRLs
by Frank Crow
Is it possible to configure OpenLDAP to trust all certs for validity but
then also check a CRL to see if the certificate may have been revoked (to
reject it)?
Sounds crazy to me and I highly doubt it but I'm asking because somebody
handing us requirements is convinced that it is possible to not have
connectivity to a CA, and validate a user cert for login using only a CRL.
Does that make any sense at all?
Thanks,
--
Frank
Re: Multi Master replication with many 'nonpresent_callback' lines
by Quanah Gibson-Mount
--On Sunday, April 23, 2017 12:38 AM +0000 Jesper Grøndahl
<grondahl(a)ruc.dk> wrote:
> Our log level is stats and sync.
>
> The logs look like this, for the user being modified
> -----
> nonpresent_callback: rid=005 present UUID
> 528929d6-acaa-1036-922a-a3f5c9285d9d, dn uid=xxx,ou=users,dc=ruc,dc=dk
> Entry uid=xxx,ou=users,dc=ruc,dc=dk CSN
> 20170406140323.504919Z#000000#002#000000 greater than snapshot
> 20170403102309.253881Z#000000#002#000000
It would appear you have serious issues with your installation, since the
CSNs are off by 3 days. I would note that 2.4.40 is not stable for MMR as
well. I would ensure you aren't suffering from clock skew across your
servers, and upgrade to the current OpenLDAP release as well.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
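The "greater than snapshot" lines quoted above carry two CSNs, and the gap between them is what the reply reads as a three-day problem. The script below is an added example, not code from the thread or from OpenLDAP: it parses CSNs (UTC timestamp, change count, serverID and modifier count) out of syncrepl log lines and reports every entry whose CSN runs ahead of the consumer's snapshot by more than a threshold, so clock skew between providers or a stale sync cookie shows up as a number per entry and per serverID. The sample log is constructed from the quoted lines; the second entry, the uid values and the five-minute threshold are placeholders.

```python
"""Added example (not from the thread or OpenLDAP): measure CSN skew in
syncrepl 'greater than snapshot' log lines."""
import re
from datetime import datetime, timedelta

# CSN layout: <UTC time>.<microseconds>Z#<change count>#<serverID>#<modifier count>;
# the three counters are hex and serverID is the olcServerID of the provider that wrote it.
CSN_RE = re.compile(r"(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})")
SNAPSHOT_RE = re.compile(r"Entry (?P<dn>\S+) CSN (?P<entry>\S+) greater than snapshot (?P<snap>\S+)")

# Constructed sample: the thread's two lines plus one entry only a second ahead.
SAMPLE_LOG = """\
nonpresent_callback: rid=005 present UUID 528929d6-acaa-1036-922a-a3f5c9285d9d, dn uid=xxx,ou=users,dc=ruc,dc=dk
Entry uid=xxx,ou=users,dc=ruc,dc=dk CSN 20170406140323.504919Z#000000#002#000000 greater than snapshot 20170403102309.253881Z#000000#002#000000
Entry uid=yyy,ou=users,dc=ruc,dc=dk CSN 20170406140325.000000Z#000000#001#000000 greater than snapshot 20170406140324.000000Z#000000#001#000000
"""


def parse_csn(csn):
    """Split a CSN into its timestamp and the three hex counters."""
    m = CSN_RE.fullmatch(csn)
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    when = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(microsecond=int(m.group(2)))
    return {"time": when, "count": int(m.group(3), 16),
            "sid": int(m.group(4), 16), "mod": int(m.group(5), 16)}


def find_skew(log_text, warn_after=timedelta(minutes=5)):
    """Entries whose CSN is ahead of the consumer snapshot by more than warn_after."""
    hits = []
    for line in log_text.splitlines():
        m = SNAPSHOT_RE.search(line)
        if not m:
            continue
        entry, snap = parse_csn(m.group("entry")), parse_csn(m.group("snap"))
        delta = entry["time"] - snap["time"]
        if delta > warn_after:
            hits.append({"dn": m.group("dn"), "sid": entry["sid"], "delta": delta})
    return hits


if __name__ == "__main__":
    for h in find_skew(SAMPLE_LOG):
        print("%s (serverID %d) is %s ahead of the consumer snapshot"
              % (h["dn"], h["sid"], h["delta"]))
```

On the sample the quoted entry comes out 3 days, 3:40:14 ahead while the constructed one-second entry is filtered out. Both CSNs in the quoted line carry serverID 002, so grouping the reported deltas by `sid` is the quickest way to see whether one provider's clock, rather than the consumer's cookie, is the outlier; a large delta is the signal to compare `date` across the providers before touching replication.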