openldap-technical August 2017

openldap-technical@openldap.org

32 participants
54 discussions

accesslog contextcsn isn't always updated
by btb 26 Aug '17

26 Aug '17

hi, i am seeing a symptom where the accesslog contextcsn is not always updated when a new entry is added to the accesslog. i have a test setup [config is below], with a content database using the accesslog and syncprov overlays, and an accesslog database using the syncprov overlay. for the purposes of testing, i'm not using it as a provider for any consumers. just running by itself, and watching its behavior. when a modification is made to an entry in the content db, the contextcsn value for the content db is always updated, and a new entry is always added to the accesslog db. but when the accesslog db gets a new entry, the accesslog contextcsn does not always update to match the new entry [see example below]. ldap_accesslog_noop is just a small shell script which updates the info attribute for an entry. it's somewhat anecdotal, but there may be a timing factor involved. if there is no activity for a little while [as little as a few minutes, sometimes], then a modification performed, that does not update the accesslog contextcsn. but if subsequent modifications are done within a few moments, it then eventually updates the accesslog contextcsn correctly, typically as of the second modification, but sometimes the third. if modifications then continue, with little delay between them, then the contextcsn seems to stay consistently up to date. if activity then stops, and some time passes as before, the symptom reappears. this is version 2.4.44 on freebsd 10.3-release, built from ports. i'm hoping someone can offer some guidance on how to troubleshoot this further, or what i might be doing wrong. i can provide more config details, logs, debugging ,etc., if needed. apologies for the long collections of details following, and thanks! ###### first mod, after some time of inactivity: ###### >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503221460 entryCSN: 20170825225855.866010Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717700 entryCSN: 20170826032140.674259Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826032140.674259Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 ###### second mod, a few seconds later: ###### ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717700 entryCSN: 20170826032140.674259Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717721 entryCSN: 20170826032201.236788Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826032201.236788Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 dn: reqStart=20170826032201.000007Z,cn=accesslog2 entryCSN: 20170826032201.236788Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 ###### third mod, a few seconds after second mod: ###### ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717721 entryCSN: 20170826032201.236788Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717758 entryCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 dn: reqStart=20170826032201.000007Z,cn=accesslog2 entryCSN: 20170826032201.236788Z#000000#001#000000 dn: reqStart=20170826032238.000007Z,cn=accesslog2 entryCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170826032238.330244Z#000000#001#000000 ###### fourth mod, after ~5 minutes have passed ###### >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717758 entryCSN: 20170826032238.330244Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503718313 entryCSN: 20170826033153.554034Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826033153.554034Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 dn: reqStart=20170826032201.000007Z,cn=accesslog2 entryCSN: 20170826032201.236788Z#000000#001#000000 dn: reqStart=20170826032238.000007Z,cn=accesslog2 entryCSN: 20170826032238.330244Z#000000#001#000000 dn: reqStart=20170826033153.000007Z,cn=accesslog2 entryCSN: 20170826033153.554034Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170826032238.330244Z#000000#001#000000 ###### configuration ###### dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap/slapd.args olcLogLevel: stats sync olcPasswordCryptSaltFormat: $6$rounds=8000$%.16s olcPidFile: /var/run/openldap/slapd.pid olcSaslSecProps: noanonymous olcServerID: 1 olcTLSCACertificateFile: /usr/local/etc/pki/trusted_root_authorities/example_roo t_ca-cert.pem olcTLSCertificateFile: /usr/local/etc/openldap/pki/dsa0.example.com-cert.pe m olcTLSCertificateKeyFile: /usr/local/etc/openldap/pki/dsa0.example.com-key. pem olcTLSVerifyClient: never structuralObjectClass: olcGlobal entryUUID: 5e961a2a-290d-1036-96af-778fc97ab8bc creatorsName: cn=config createTimestamp: 20161017233001Z entryCSN: 20170520231408.133014Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20170520231408Z dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/libexec/openldap olcModuleLoad: {0}back_monitor.la olcModuleLoad: {1}back_mdb.la olcModuleLoad: {2}nssov.la olcModuleLoad: {3}ppolicy.la olcModuleLoad: {4}refint.la olcModuleLoad: {5}unique.la olcModuleLoad: {6}constraint.la olcModuleLoad: {7}memberof.la olcModuleLoad: {8}dynlist.la olcModuleLoad: {9}translucent.la olcModuleLoad: {10}valsort.la olcModuleLoad: {11}pw-sha2.la olcModuleLoad: {12}syncprov.la olcModuleLoad: {13}accesslog.la structuralObjectClass: olcModuleList entryUUID: 5e962542-290d-1036-96b0-778fc97ab8bc creatorsName: cn=config createTimestamp: 20161017233001Z entryCSN: 20161017233001.558726Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20161017233001Z [...] dn: olcDatabase={4}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {4}mdb olcDbDirectory: /var/db/openldap-data/example.com olcSuffix: dc=example,dc=com olcAccess:: ezB9dG8gYXR0cnM9dXNlclBhc3N3b3JkCglieSBhbm9ueW1vdXMgYXV0aAoJYnkg c2VsZiA9eHcKCWJ5ICogbm9uZQ== olcAccess:: ezF9dG8gKg0JYnkgc2VsZiB3cml0ZQ0JYnkgdXNlcnMgcmVhZA0JYnkgKiBub25l olcRootDN: uid=admin,dc=example,dc=com structuralObjectClass: olcMdbConfig entryUUID: 4801edee-14ed-1037-9fb8-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814033454Z entryCSN: 20170814035744.555520Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814035744Z dn: olcOverlay={0}syncprov,olcDatabase={4}mdb,cn=config objectClass: olcSyncProvConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}syncprov olcSpCheckpoint: 10 5 olcSpSessionlog: 500 olcSpReloadHint: TRUE structuralObjectClass: olcSyncProvConfig entryUUID: 198df6be-14ee-1037-9fbd-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814034045Z entryCSN: 20170814034045.759202Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814034045Z dn: olcOverlay={1}accesslog,olcDatabase={4}mdb,cn=config objectClass: olcAccessLogConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {1}accesslog olcAccessLogDB: cn=accesslog2 olcAccessLogOps: writes olcAccessLogPurge: 14+00:00 1+00:00 olcAccessLogSuccess: TRUE structuralObjectClass: olcAccessLogConfig entryUUID: 0a21a20c-14ee-1037-9fbc-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814034019Z entryCSN: 20170814034019.883417Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814034019Z dn: olcDatabase={5}mdb,cn=config objectClass: olcMdbConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {5}mdb olcDbDirectory: /var/db/openldap-data/accesslog2 olcSuffix: cn=accesslog2 olcRootDN: uid=admin,dc=example,dc=com structuralObjectClass: olcMdbConfig entryUUID: 16132114-14ec-1037-9fb7-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814032620Z entryCSN: 20170814034648.206981Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814034648Z dn: olcOverlay={0}syncprov,olcDatabase={5}mdb,cn=config objectClass: olcSyncProvConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE structuralObjectClass: olcSyncProvConfig entryUUID: e2927c2a-14ed-1037-9fbb-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814033913Z entryCSN: 20170814033913.514143Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814033913Z

2 1

OpenLDAP Replication Error
by Zpyro . 25 Aug '17

25 Aug '17

Hi All - I am trying to setup replication between a Centos 5 (2.3) and Centos 7 (2.4) server. Partial replication is working - however it has not fully replicated. I am receiving an error of "syncrepl_message_to_entry: rid=123 mods check (postalAddress: value #0 invalid per syntax)" in the logs. >From the research I was doing, it looks like this is a reference to a missing schema - however I am pretty sure they are all in place. Below are the results from querying the schemas on both - ldapsearch -H ldap://localhost -x -s base -b "cn=subschema" objectclasses as well as the slapd.conf files from both hosts. Any insight into what I am missing would be greatly appreciated!! Please let me know if you need any more information. Thank You!! ----- PRIMARY SERVER ---- # # # base <cn=subschema> with scope baseObject dn: cn=Subschema # extended LDIF # filter: (objectclass=*) # LDAPv3 # numEntries: 1 # numResponses: 2 objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) ) objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain ) objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName ) objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword ) objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) objectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality ) objectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) ) objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature ) ) objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) ) objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) ) objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ localityName $ organizationName $ organizationalUnitName ) ) objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device with a MAC address' SUP top AUXILIARY MAY macAddress ) objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A device with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) ) objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction of an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstraction of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description ) objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid ) objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC2252: extensible object' SUP top AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc ) objectClasses: ( 1.3.6.1.4.1.16331.2.2.2.1 NAME 'contactPerson' DESC 'Contact - Addressbook entry' AUXILIARY MAY ( anniversary $ marker $ birthday $ sendHolidayCard $ externalUID $ externalUIDSyncTimestamp $ modifyObjectTimestamp $ prefix $ middleName $ suffix $ custom1 $ custom2 $ custom3 $ custom4 $ country ) ) objectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI ) objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.0 NAME 'olcConfig' DESC 'OpenLDAP configuration object' SUP top ABSTRACT ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.1 NAME 'olcGlobal' DESC 'OpenLDAP Global configuration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfigDir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIfMaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcLogLevel $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $ olcReferral $ olcReplicaPidFile $ olcReplicaArgsFile $ olcReplicationInterval $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ olcRootDSE $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcToolThreads $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema object' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend-specific options' SUP olcConfig STRUCTURAL MUST olcBackend ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcSuffix $ olcSubordinate $ olcAccess $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay-specific options' SUP olcConfig STRUCTURAL MUST olcOverlay ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.6 NAME 'olcIncludeFile' DESC 'OpenLDAP configuration include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRootDSE ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.7 NAME 'olcFrontendConfig' DESC 'OpenLDAP frontend configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic module info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.1 NAME 'olcBdbConfig' DESC 'BDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.2.1 NAME 'olcLdifConfig' DESC 'LDIF backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.3.1 NAME 'olcLDAPConfig' DESC 'LDAP backend configuration' SUP olcDatabaseConfig STRUCTURAL MAY ( olcDbURI $ olcDbStartTLS $ olcDbACLAuthcDn $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertAuthcDn $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbTFSupport $ olcDbProxyWhoAmI $ olcDbTimeout $ olcDbIdleTimeout $ olcDbSingleConn $ olcDbCancel $ olcDbQuarantine $ olcDbUseTemporaryConn $ olcDbConnectionPoolMax ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.4.1 NAME 'olcMonitorConfig' DESC 'Monitor backend configuration' SUP olcDatabaseConfig STRUCTURAL ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Provider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ olcSpSessionlog $ olcSpNoPresent ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.12.1 NAME 'olcPPolicyConfig' DESC 'Password Policy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ olcPPolicyHashCleartext $ olcPPolicyUseLockout ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.1 NAME 'olcChainConfig' DESC 'Chain configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcChainCacheURI $ olcChainMaxReferralDepth $ olcChainReturnError ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.2 NAME 'olcChainDatabase' DESC 'Chain remote server configuration' AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) objectClasses: ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule ) objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref ) objectClasses: ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) ) objectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC2252: controlling subschema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) ) objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass ) objectClasses: ( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an residential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) ) objectClasses: ( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) ) objectClasses: ( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation ) objectClasses: ( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256: a strong authentication user' SUP top AUXILIARY MUST userCertificate ) objectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair ) objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) objectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256: a user security information' SUP top AUXILIARY MAY supportedAlgorithms ) objectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) ) objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC2256: an alias' SUP top STRUCTURAL MUST aliasedObjectName ) objectClasses: ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST dmdName MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP top AUXILIARY MAY userCertificate ) objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate authority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevocationList $ cACertificate $ crossCertificatePair ) ) objectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP top AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) ) objectClasses: ( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) objectClasses: ( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) objectClasses: ( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) objectClasses: ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) # requesting: objectclasses result: 0 Success search: 2 # search result # Subschema ---- REPLICA SERVER ---- # # # base <cn=subschema> with scope baseObject dn: cn=Subschema # extended LDIF # filter: (objectclass=*) # LDAPv3 # numEntries: 1 # numResponses: 2 objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) ) objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain ) objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName ) objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword ) objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) objectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality ) objectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) ) objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature ) ) objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) ) objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) ) objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ localityName $ organizationName $ organizationalUnitName ) ) objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device with a MAC address' SUP top AUXILIARY MAY macAddress ) objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A device with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) ) objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction of an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstraction of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description ) objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid ) objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC2252: extensible object' SUP top AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc ) objectClasses: ( 1.3.6.1.4.1.16331.2.2.2.1 NAME 'contactPerson' DESC 'Contact - Addressbook entry' AUXILIARY MAY ( anniversary $ marker $ birthday $ sendHolidayCard $ externalUID $ externalUIDSyncTimestamp $ modifyObjectTimestamp $ prefix $ middleName $ suffix $ custom1 $ custom2 $ custom3 $ custom4 $ country ) ) objectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI ) objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.0 NAME 'olcConfig' DESC 'OpenLDAP configuration object' SUP top ABSTRACT ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.1 NAME 'olcGlobal' DESC 'OpenLDAP Global configuration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfigDir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIfMaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcLogLevel $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $ olcReferral $ olcReplicaPidFile $ olcReplicaArgsFile $ olcReplicationInterval $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ olcRootDSE $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcToolThreads $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema object' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend-specific options' SUP olcConfig STRUCTURAL MUST olcBackend ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcSuffix $ olcSubordinate $ olcAccess $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay-specific options' SUP olcConfig STRUCTURAL MUST olcOverlay ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.6 NAME 'olcIncludeFile' DESC 'OpenLDAP configuration include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRootDSE ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.7 NAME 'olcFrontendConfig' DESC 'OpenLDAP frontend configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic module info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.1 NAME 'olcBdbConfig' DESC 'BDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.2.1 NAME 'olcLdifConfig' DESC 'LDIF backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.3.1 NAME 'olcLDAPConfig' DESC 'LDAP backend configuration' SUP olcDatabaseConfig STRUCTURAL MAY ( olcDbURI $ olcDbStartTLS $ olcDbACLAuthcDn $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertAuthcDn $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbTFSupport $ olcDbProxyWhoAmI $ olcDbTimeout $ olcDbIdleTimeout $ olcDbSingleConn $ olcDbCancel $ olcDbQuarantine $ olcDbUseTemporaryConn $ olcDbConnectionPoolMax ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.4.1 NAME 'olcMonitorConfig' DESC 'Monitor backend configuration' SUP olcDatabaseConfig STRUCTURAL ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Provider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ olcSpSessionlog $ olcSpNoPresent ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.12.1 NAME 'olcPPolicyConfig' DESC 'Password Policy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ olcPPolicyHashCleartext $ olcPPolicyUseLockout ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.1 NAME 'olcChainConfig' DESC 'Chain configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcChainCacheURI $ olcChainMaxReferralDepth $ olcChainReturnError ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.2 NAME 'olcChainDatabase' DESC 'Chain remote server configuration' AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) objectClasses: ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule ) objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref ) objectClasses: ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) ) objectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC2252: controlling subschema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) ) objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass ) objectClasses: ( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an residential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) ) objectClasses: ( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) ) objectClasses: ( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation ) objectClasses: ( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256: a strong authentication user' SUP top AUXILIARY MUST userCertificate ) objectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair ) objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) objectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256: a user security information' SUP top AUXILIARY MAY supportedAlgorithms ) objectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) ) objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC2256: an alias' SUP top STRUCTURAL MUST aliasedObjectName ) objectClasses: ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST dmdName MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP top AUXILIARY MAY userCertificate ) objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate authority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevocationList $ cACertificate $ crossCertificatePair ) ) objectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP top AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) ) objectClasses: ( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) objectClasses: ( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) objectClasses: ( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) objectClasses: ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) # requesting: objectclasses result: 0 Success search: 2 # search result # Subschema -------SLAPD - PRIMARY---------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/ldapab.schema include /etc/openldap/schema/ppolicy.schema #include /etc/openldap/schema/apple.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap moduleload ppolicy.la TLSCertificateFile /etc/openldap/ldap.cert TLSCertificateKeyFile /etc/openldap/ldap.key ####################################################################### # ldbm and/or bdb database definitions ####################################################################### sizelimit 100000 database bdb suffix "dc=domainname,dc=com" rootdn "uid=rootdn,ou=People,dc=domainname,dc=com" rootpw secret_here overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=domainname,dc=com" ppolicy_use_lockout # sync stuff overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 loglevel 256 directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub replogfile /var/lib/ldap/openldap-master-replog access to attrs=userPassword by anonymous auth by self write by * none access to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$" by dn.regex="uid=$2,ou=People,$3" write by * none access to dn.subtree="ou=Contacts,dc=domainname,dc=com" by users write by users read access to * by users read by peername="IP=192\.168\.200\.5" read access to * by users read by peername="IP=192\.168\.201\.12" read ----------SLAPD - REPLICA ---------- Same as above with sync repl at the bottom: index entryCSN eq index entryUUID eq syncrepl rid=123 provider=ldap://192.168.200.12:389 type=refreshAndPersist interval=00:00:00:01 searchbase="dc=domainname,dc=com" filter="(objectClass=*)" scope=sub retry="5 5 300 +" attrs="*,+" bindmethod=simple binddn="uid=rootdn,ou=People,dc=domainname,dc=com" credentials=secret_here updateref ldap://primaryLDAP.domainname.com

2 1

Re: Removing Berkeley DB Log Files
by Howard Chu 25 Aug '17

25 Aug '17

Douglas Duckworth wrote: > Hi > > I am running openldap-servers-2.4.40-16.el6.x86_64 cluster on Centos 6.9. My > /var/lib/ldap directory contains many 10MB log files. /var partition rather > small... > > I've read they can be removed either by running "sudo db_archive -d -h > /var/lib/ldap/domain" or by defining "DB_LOG_AUTOREMOVE" within the file > "DB_CONFIG." That file does not presently exist whereas the db_archive > command does not actually remove any of the log files. If the db_archive command doesn't remove anything, that means it thinks all of the log files are still in active use. Read the docs more carefully. http://docs.oracle.com/cd/E17076_05/html/programmer_reference/transapp_logf… > > Can I remove the old log files manually using rm? Not if the above is true, you will corrupt the logs and the DB will fail to open on a subsequent restart. > If not should I create > /var/lib/ldap/DB_CONFIG then restart slapd to make this removal automatic? > Do you have any idea why db_archive does not work or produce any helpful error > to stdout? There's no error message because there's no error, everything is working as designed. You need to do periodic checkpoints to allow log files to be closed, and then db_archive will be able to remove some of them. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Removing Berkeley DB Log Files
by Douglas Duckworth 25 Aug '17

25 Aug '17

Hi I am running openldap-servers-2.4.40-16.el6.x86_64 cluster on Centos 6.9. My /var/lib/ldap directory contains many 10MB log files. /var partition rather small... I've read they can be removed either by running "sudo db_archive -d -h /var/lib/ldap/domain" or by defining "DB_LOG_AUTOREMOVE" within the file "DB_CONFIG." That file does not presently exist whereas the db_archive command does not actually remove any of the log files. Can I remove the old log files manually using rm? If not should I create /var/lib/ldap/DB_CONFIG then restart slapd to make this removal automatic? Do you have any idea why db_archive does not work or produce any helpful error to stdout? Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

1 0

Re: mdb fragmentation
by Quanah Gibson-Mount 25 Aug '17

25 Aug '17

Hi Geert, If I could, I would delete 8664 from the ITS system entirely as it was filed based on invalid information that was provided to me. It generally should be ignored. When a write operation is performed with LMDB, the freelist is scanned for available space to reuse if possible. The larger the size of the freelist, the longer amount of time it will take for the operation to complete successfully. When the database has gotten to a certain point of fragmentation (This differs based on any individual use case), it will be start taking a noticeable amount of time for those write operations to complete and the server processing the write operation does essentially come to a halt during this process. Once the write operation completes, things go back to normal. The only solution is to dump and reload the database (slapcat/slapadd or mdb_copy -c). Eventually, you will get back into the same situation and have to do this again. A recent option was added to the slapd-mdb configuration (rtxnsize) that can also help reduce the rate of fragmentation. There are some performance related issues you can find discussed on the -devel list from when it was added. Whether or not you are affected by them and whether or not the setting will help you in particular depends on whether or not your searches result in a large number of entries being returned. You can find some guidelines around tuning the parameter that I came up with in that thread. If you do not have an unlimited Zimbra License, the license check performed by the store servers will definitely affect this, since the result set is all active accounts which can be quite large. Additionally, I had at one point had a patch for the Zimbra build of OpenLDAP that made it very aggressive in finding freespace to reuse. I don't recall if it is still applied (I don't believe it currently is based on what I saw in github). It basically meant that in Zimbra, it would work extra hard to find reusable freespace, which would reduce the rate at which the database would fragment, but it also meant that once the DB was fragmented enough, it would amplify the amount of time it took for a write op to complete. I.e., it was a tradeoff of a longer time to reach a catastrophic state, but the state was more catastrophic once achieved. This is one area where LMDB differs significantly from back-hdb/bdb. You could have back-bdb/hdb databases that endured a high rate of write operations be in effect for years w/o needing maintenance. With LMDB, you get better read & write rates, but it requires periodic reloads. Hope this helps! --Quanah ----- Original Message ----- > From: "Geert Hendrickx" <geert(a)hendrickx.be> > To: "openldap-technical" <openldap-technical(a)openldap.org> > Sent: Thursday, August 24, 2017 4:53:32 AM > Subject: mdb fragmentation > Hi > > We have an OpenLDAP 2.4.44 based, 4-way MMR setup with 4 M entries, > which is fairly write intensive (Zimbra). > > Lately we've seen very frequent lockups of the master that receives > the updates (only 1 out of 4), whereas the replicas stay responsive. > According to -d stats logs, all threads suddenly take a long time to > answer any queries, and slapd can no longer accept new connections. > The issue always disappears again without intervention, but usually > hits a number of times in a row, on an almost daily basis. > > We tested a lot of things, but eventually "solved" the issue with a > slapcat and slapadd of the database - the master server has been > completely stable again since. The mdb was also reduced 50% in size. > > Looking at the old mdb (prior to the dump), mdb_stat -f shows it had > over 3.7 M free pages. Could it be an issue of database fragmentation > similar to ITS#8664? > > Is it natural that the freelist (and thus the mdb) gets this big over > time, I would expect those free pages to get reused constantly? > And in that case would it make sense to monitor the number of free > pages? Is there a threshold to look for, before things get problematic > again? (ITS#7770 would come handy here, as we already monitor/graph > various metrics from the monitor backend) > > > Geert > > > -- > geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F > This e-mail was composed using 100% recycled spam messages! -- -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

Re: lock.mdb taking lots of space
by Howard Chu 24 Aug '17

24 Aug '17

Muhammed Muneer wrote: > Hi, > > Is there any particular reason why my lock.mdb is taking above 600 MB. The > data.mdb size is around 4.5 GB. The lock.mdb size is proportional to the maxreaders config setting. > Is this normal? Depending on what you set maxreaders to, probably. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

lock.mdb taking lots of space
by Muhammed Muneer 24 Aug '17

24 Aug '17

Hi, Is there any particular reason why my lock.mdb is taking above 600 MB. The data.mdb size is around 4.5 GB. Is this normal?

1 0

OpenLDAP as Proxy
by Palacios, Christian 24 Aug '17

24 Aug '17

Hi there, We need to find out if OpenLDAP will allow us to use it as a proxy so it can retrieve users from three different Windows Active Directory Domains? These three domains do not have any similar users. The user retrieval process needs to work like this: - The application that needs this LDAP connection will point to the OpenLDAP server using an LDAP address such as ldap://server.example.com:389/OU=users...etc - This application will also need to retrieve the sAMAccountName from each user retrieved via the OpenLDAP server - The application's LDAP connection settings also need to specify an Administrator's DN and password, but I'm confused about this because I don't know what Administrator account to use. Like I said, each domain has their own set of users so they don't have any Administrator accounts in common. How would this work? If you need any more information, please let me know!! Thanks, - Christian This email and any accompanying attachments are confidential. If you received this email by mistake, please delete it from your system. Any review, disclosure, copying, distribution, or use of the email by others is strictly prohibited.

2 1

LDAPCon 2017 programme now online
by Andrew Findlay 24 Aug '17

24 Aug '17

The programme for the 2017 LDAP Conference has just been published: https://ldapcon.org/2017/conference-program/ It's looking good, so get your booking in quickly to get early-bird tickets and start thinking about where you want to stay in Brussels! The conference runs 19th and 20th October 2017. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

2 1

mdb fragmentation
by Geert Hendrickx 24 Aug '17

24 Aug '17

Hi We have an OpenLDAP 2.4.44 based, 4-way MMR setup with 4 M entries, which is fairly write intensive (Zimbra). Lately we've seen very frequent lockups of the master that receives the updates (only 1 out of 4), whereas the replicas stay responsive. According to -d stats logs, all threads suddenly take a long time to answer any queries, and slapd can no longer accept new connections. The issue always disappears again without intervention, but usually hits a number of times in a row, on an almost daily basis. We tested a lot of things, but eventually "solved" the issue with a slapcat and slapadd of the database - the master server has been completely stable again since. The mdb was also reduced 50% in size. Looking at the old mdb (prior to the dump), mdb_stat -f shows it had over 3.7 M free pages. Could it be an issue of database fragmentation similar to ITS#8664? Is it natural that the freelist (and thus the mdb) gets this big over time, I would expect those free pages to get reused constantly? And in that case would it make sense to monitor the number of free pages? Is there a threshold to look for, before things get problematic again? (ITS#7770 would come handy here, as we already monitor/graph various metrics from the monitor backend) Geert -- geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F This e-mail was composed using 100% recycled spam messages!

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2017