accesslog contextcsn isn't always updated
by btb
hi, i am seeing a symptom where the accesslog contextcsn is not always
updated when a new entry is added to the accesslog. i have a test setup
[config is below], with a content database using the accesslog and
syncprov overlays, and an accesslog database using the syncprov overlay.
for the purposes of testing, i'm not using it as a provider for any
consumers. just running by itself, and watching its behavior.
when a modification is made to an entry in the content db, the
contextcsn value for the content db is always updated, and a new entry
is always added to the accesslog db. but when the accesslog db gets a
new entry, the accesslog contextcsn does not always update to match the
new entry [see example below]. ldap_accesslog_noop is just a small
shell script which updates the info attribute for an entry.
it's somewhat anecdotal, but there may be a timing factor involved. if
there is no activity for a little while [as little as a few minutes,
sometimes], then a modification is performed, that does not update the
accesslog contextcsn. but if subsequent modifications are done within a
few moments, it then eventually updates the accesslog contextcsn
correctly, typically as of the second modification, but sometimes the
third. if modifications then continue, with little delay between them,
then the contextcsn seems to stay consistently up to date. if activity
then stops, and some time passes as before, the symptom reappears.
this is version 2.4.44 on freebsd 10.3-release, built from ports.
i'm hoping someone can offer some guidance on how to troubleshoot this
further, or what i might be doing wrong. i can provide more config
details, logs, debugging, etc., if needed.
apologies for the long collections of details following, and thanks!
###### first mod, after some time of inactivity: ######
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170825225855.866010Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503221460
entryCSN: 20170825225855.866010Z#000000#001#000000
>./ldap_accesslog_noop
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503717700
entryCSN: 20170826032140.674259Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b dc=example,dc=com -s base contextcsn
dn: dc=example,dc=com
contextCSN: 20170826032140.674259Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2
(reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com)
entrycsn
dn: reqStart=20170825034142.000004Z,cn=accesslog2
entryCSN: 20170825034142.304465Z#000000#001#000000
dn: reqStart=20170825034147.000004Z,cn=accesslog2
entryCSN: 20170825034147.248214Z#000000#001#000000
dn: reqStart=20170825034238.000004Z,cn=accesslog2
entryCSN: 20170825034238.430123Z#000000#001#000000
dn: reqStart=20170825034239.000004Z,cn=accesslog2
entryCSN: 20170825034239.815833Z#000000#001#000000
dn: reqStart=20170825034320.000004Z,cn=accesslog2
entryCSN: 20170825034320.198025Z#000000#001#000000
dn: reqStart=20170825034321.000004Z,cn=accesslog2
entryCSN: 20170825034321.767124Z#000000#001#000000
dn: reqStart=20170825225347.000004Z,cn=accesslog2
entryCSN: 20170825225347.344528Z#000000#001#000000
dn: reqStart=20170825225849.000007Z,cn=accesslog2
entryCSN: 20170825225849.109615Z#000000#001#000000
dn: reqStart=20170825225855.000007Z,cn=accesslog2
entryCSN: 20170825225855.866010Z#000000#001#000000
dn: reqStart=20170826032140.000007Z,cn=accesslog2
entryCSN: 20170826032140.674259Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170825225855.866010Z#000000#001#000000
###### second mod, a few seconds later: ######
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170825225855.866010Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503717700
entryCSN: 20170826032140.674259Z#000000#001#000000
>./ldap_accesslog_noop
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503717721
entryCSN: 20170826032201.236788Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b dc=example,dc=com -s base contextcsn
dn: dc=example,dc=com
contextCSN: 20170826032201.236788Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2
(reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com)
entrycsn
dn: reqStart=20170825034142.000004Z,cn=accesslog2
entryCSN: 20170825034142.304465Z#000000#001#000000
dn: reqStart=20170825034147.000004Z,cn=accesslog2
entryCSN: 20170825034147.248214Z#000000#001#000000
dn: reqStart=20170825034238.000004Z,cn=accesslog2
entryCSN: 20170825034238.430123Z#000000#001#000000
dn: reqStart=20170825034239.000004Z,cn=accesslog2
entryCSN: 20170825034239.815833Z#000000#001#000000
dn: reqStart=20170825034320.000004Z,cn=accesslog2
entryCSN: 20170825034320.198025Z#000000#001#000000
dn: reqStart=20170825034321.000004Z,cn=accesslog2
entryCSN: 20170825034321.767124Z#000000#001#000000
dn: reqStart=20170825225347.000004Z,cn=accesslog2
entryCSN: 20170825225347.344528Z#000000#001#000000
dn: reqStart=20170825225849.000007Z,cn=accesslog2
entryCSN: 20170825225849.109615Z#000000#001#000000
dn: reqStart=20170825225855.000007Z,cn=accesslog2
entryCSN: 20170825225855.866010Z#000000#001#000000
dn: reqStart=20170826032140.000007Z,cn=accesslog2
entryCSN: 20170826032140.674259Z#000000#001#000000
dn: reqStart=20170826032201.000007Z,cn=accesslog2
entryCSN: 20170826032201.236788Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170825225855.866010Z#000000#001#000000
###### third mod, a few seconds after second mod: ######
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170825225855.866010Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503717721
entryCSN: 20170826032201.236788Z#000000#001#000000
>./ldap_accesslog_noop
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503717758
entryCSN: 20170826032238.330244Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b dc=example,dc=com -s base contextcsn
dn: dc=example,dc=com
contextCSN: 20170826032238.330244Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2
(reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com)
entrycsn
dn: reqStart=20170825034142.000004Z,cn=accesslog2
entryCSN: 20170825034142.304465Z#000000#001#000000
dn: reqStart=20170825034147.000004Z,cn=accesslog2
entryCSN: 20170825034147.248214Z#000000#001#000000
dn: reqStart=20170825034238.000004Z,cn=accesslog2
entryCSN: 20170825034238.430123Z#000000#001#000000
dn: reqStart=20170825034239.000004Z,cn=accesslog2
entryCSN: 20170825034239.815833Z#000000#001#000000
dn: reqStart=20170825034320.000004Z,cn=accesslog2
entryCSN: 20170825034320.198025Z#000000#001#000000
dn: reqStart=20170825034321.000004Z,cn=accesslog2
entryCSN: 20170825034321.767124Z#000000#001#000000
dn: reqStart=20170825225347.000004Z,cn=accesslog2
entryCSN: 20170825225347.344528Z#000000#001#000000
dn: reqStart=20170825225849.000007Z,cn=accesslog2
entryCSN: 20170825225849.109615Z#000000#001#000000
dn: reqStart=20170825225855.000007Z,cn=accesslog2
entryCSN: 20170825225855.866010Z#000000#001#000000
dn: reqStart=20170826032140.000007Z,cn=accesslog2
entryCSN: 20170826032140.674259Z#000000#001#000000
dn: reqStart=20170826032201.000007Z,cn=accesslog2
entryCSN: 20170826032201.236788Z#000000#001#000000
dn: reqStart=20170826032238.000007Z,cn=accesslog2
entryCSN: 20170826032238.330244Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170826032238.330244Z#000000#001#000000
###### fourth mod, after ~5 minutes have passed ######
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170826032238.330244Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503717758
entryCSN: 20170826032238.330244Z#000000#001#000000
>./ldap_accesslog_noop
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
-s base info entrycsn
dn:
uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com
info: 1503718313
entryCSN: 20170826033153.554034Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b dc=example,dc=com -s base contextcsn
dn: dc=example,dc=com
contextCSN: 20170826033153.554034Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2
(reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com)
entrycsn
dn: reqStart=20170825034142.000004Z,cn=accesslog2
entryCSN: 20170825034142.304465Z#000000#001#000000
dn: reqStart=20170825034147.000004Z,cn=accesslog2
entryCSN: 20170825034147.248214Z#000000#001#000000
dn: reqStart=20170825034238.000004Z,cn=accesslog2
entryCSN: 20170825034238.430123Z#000000#001#000000
dn: reqStart=20170825034239.000004Z,cn=accesslog2
entryCSN: 20170825034239.815833Z#000000#001#000000
dn: reqStart=20170825034320.000004Z,cn=accesslog2
entryCSN: 20170825034320.198025Z#000000#001#000000
dn: reqStart=20170825034321.000004Z,cn=accesslog2
entryCSN: 20170825034321.767124Z#000000#001#000000
dn: reqStart=20170825225347.000004Z,cn=accesslog2
entryCSN: 20170825225347.344528Z#000000#001#000000
dn: reqStart=20170825225849.000007Z,cn=accesslog2
entryCSN: 20170825225849.109615Z#000000#001#000000
dn: reqStart=20170825225855.000007Z,cn=accesslog2
entryCSN: 20170825225855.866010Z#000000#001#000000
dn: reqStart=20170826032140.000007Z,cn=accesslog2
entryCSN: 20170826032140.674259Z#000000#001#000000
dn: reqStart=20170826032201.000007Z,cn=accesslog2
entryCSN: 20170826032201.236788Z#000000#001#000000
dn: reqStart=20170826032238.000007Z,cn=accesslog2
entryCSN: 20170826032238.330244Z#000000#001#000000
dn: reqStart=20170826033153.000007Z,cn=accesslog2
entryCSN: 20170826033153.554034Z#000000#001#000000
>ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w
xxxxxx -b cn=accesslog2 -s base contextcsn
dn: cn=accesslog2
contextCSN: 20170826032238.330244Z#000000#001#000000
###### configuration ######
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcLogLevel: stats sync
olcPasswordCryptSaltFormat: $6$rounds=8000$%.16s
olcPidFile: /var/run/openldap/slapd.pid
olcSaslSecProps: noanonymous
olcServerID: 1
olcTLSCACertificateFile: /usr/local/etc/pki/trusted_root_authorities/example_root_ca-cert.pem
olcTLSCertificateFile: /usr/local/etc/openldap/pki/dsa0.example.com-cert.pem
olcTLSCertificateKeyFile: /usr/local/etc/openldap/pki/dsa0.example.com-key.pem
olcTLSVerifyClient: never
structuralObjectClass: olcGlobal
entryUUID: 5e961a2a-290d-1036-96af-778fc97ab8bc
creatorsName: cn=config
createTimestamp: 20161017233001Z
entryCSN: 20170520231408.133014Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20170520231408Z
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: {0}back_monitor.la
olcModuleLoad: {1}back_mdb.la
olcModuleLoad: {2}nssov.la
olcModuleLoad: {3}ppolicy.la
olcModuleLoad: {4}refint.la
olcModuleLoad: {5}unique.la
olcModuleLoad: {6}constraint.la
olcModuleLoad: {7}memberof.la
olcModuleLoad: {8}dynlist.la
olcModuleLoad: {9}translucent.la
olcModuleLoad: {10}valsort.la
olcModuleLoad: {11}pw-sha2.la
olcModuleLoad: {12}syncprov.la
olcModuleLoad: {13}accesslog.la
structuralObjectClass: olcModuleList
entryUUID: 5e962542-290d-1036-96b0-778fc97ab8bc
creatorsName: cn=config
createTimestamp: 20161017233001Z
entryCSN: 20161017233001.558726Z#000000#001#000000
modifiersName: cn=config
modifyTimestamp: 20161017233001Z
[...]
dn: olcDatabase={4}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {4}mdb
olcDbDirectory: /var/db/openldap-data/example.com
olcSuffix: dc=example,dc=com
olcAccess:: ezB9dG8gYXR0cnM9dXNlclBhc3N3b3JkCglieSBhbm9ueW1vdXMgYXV0aAoJYnkgc2VsZiA9eHcKCWJ5ICogbm9uZQ==
olcAccess:: ezF9dG8gKg0JYnkgc2VsZiB3cml0ZQ0JYnkgdXNlcnMgcmVhZA0JYnkgKiBub25l
olcRootDN: uid=admin,dc=example,dc=com
structuralObjectClass: olcMdbConfig
entryUUID: 4801edee-14ed-1037-9fb8-99e8705e53d3
creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
createTimestamp: 20170814033454Z
entryCSN: 20170814035744.555520Z#000000#001#000000
modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
modifyTimestamp: 20170814035744Z
dn: olcOverlay={0}syncprov,olcDatabase={4}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}syncprov
olcSpCheckpoint: 10 5
olcSpSessionlog: 500
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig
entryUUID: 198df6be-14ee-1037-9fbd-99e8705e53d3
creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
createTimestamp: 20170814034045Z
entryCSN: 20170814034045.759202Z#000000#001#000000
modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
modifyTimestamp: 20170814034045Z
dn: olcOverlay={1}accesslog,olcDatabase={4}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog2
olcAccessLogOps: writes
olcAccessLogPurge: 14+00:00 1+00:00
olcAccessLogSuccess: TRUE
structuralObjectClass: olcAccessLogConfig
entryUUID: 0a21a20c-14ee-1037-9fbc-99e8705e53d3
creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
createTimestamp: 20170814034019Z
entryCSN: 20170814034019.883417Z#000000#001#000000
modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
modifyTimestamp: 20170814034019Z
dn: olcDatabase={5}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {5}mdb
olcDbDirectory: /var/db/openldap-data/accesslog2
olcSuffix: cn=accesslog2
olcRootDN: uid=admin,dc=example,dc=com
structuralObjectClass: olcMdbConfig
entryUUID: 16132114-14ec-1037-9fb7-99e8705e53d3
creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
createTimestamp: 20170814032620Z
entryCSN: 20170814034648.206981Z#000000#001#000000
modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
modifyTimestamp: 20170814034648Z
dn: olcOverlay={0}syncprov,olcDatabase={5}mdb,cn=config
objectClass: olcSyncProvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
structuralObjectClass: olcSyncProvConfig
entryUUID: e2927c2a-14ed-1037-9fbb-99e8705e53d3
creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
createTimestamp: 20170814033913Z
entryCSN: 20170814033913.514143Z#000000#001#000000
modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com
modifyTimestamp: 20170814033913Z
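A check for the symptom described in the post above, as an added example that is not part of the original post or of OpenLDAP. It takes the LDIF text of the two `ldapsearch` queries shown (the base-scope contextCSN read and the entryCSN listing under cn=accesslog2) and reports each server ID whose newest entryCSN is ahead of the database's contextCSN; the function names are hypothetical and the sample input is copied, abridged, from the post's first and third modifications.

```python
import re
from datetime import datetime, timedelta

# CSN layout: <UTC time>.<usec>Z#<change count>#<server ID>#<mod number>
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)


def parse_csn(text):
    """Return (sort_key, server_id) for one CSN string; raise ValueError if malformed."""
    m = CSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    stamp, usec, count, sid, mod = m.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S") + timedelta(microseconds=int(usec))
    return (when, int(count, 16), int(mod, 16)), int(sid, 16)


def ldif_values(ldif, attr):
    """Yield the values of `attr` from LDIF text, joining folded lines first."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # LDIF continuation line
        else:
            unfolded.append(line)
    prefix = attr.lower() + ":"
    for line in unfolded:
        if line.lower().startswith(prefix):
            yield line[len(prefix):].strip()


def newest_per_sid(csn_strings):
    """Map server ID -> (sort_key, original text) of its newest CSN."""
    newest = {}
    for text in csn_strings:
        key, sid = parse_csn(text)
        if sid not in newest or key > newest[sid][0]:
            newest[sid] = (key, text)
    return newest


def find_stale_context(context_ldif, entries_ldif):
    """Return {sid: (contextCSN or None, newest entryCSN, lag seconds or None)}
    for every server ID whose newest entryCSN is ahead of the contextCSN."""
    context = newest_per_sid(ldif_values(context_ldif, "contextCSN"))
    entries = newest_per_sid(ldif_values(entries_ldif, "entryCSN"))
    stale = {}
    for sid, (key, text) in entries.items():
        if sid not in context:
            stale[sid] = (None, text, None)
        elif key > context[sid][0]:
            lag = (key[0] - context[sid][0][0]).total_seconds()
            stale[sid] = (context[sid][1], text, lag)
    return stale


# Sample input copied (abridged) from the post: state after the first modification.
FIRST_MOD_CONTEXT = """\
dn: cn=accesslog2
contextCSN: 20170825225855.866010Z#000000#001#000000
"""
FIRST_MOD_ENTRIES = """\
dn: reqStart=20170825225849.000007Z,cn=accesslog2
entryCSN: 20170825225849.109615Z#000000#001#000000
dn: reqStart=20170825225855.000007Z,cn=accesslog2
entryCSN: 20170825225855.866010Z#000000#001#000000
dn: reqStart=20170826032140.000007Z,cn=accesslog2
entryCSN: 20170826032140.674259Z#000000#001#000000
"""

# State after the third modification, where the post shows the values matching.
THIRD_MOD_CONTEXT = """\
dn: cn=accesslog2
contextCSN: 20170826032238.330244Z#000000#001#000000
"""
THIRD_MOD_ENTRIES = FIRST_MOD_ENTRIES + """\
dn: reqStart=20170826032201.000007Z,cn=accesslog2
entryCSN: 20170826032201.236788Z#000000#001#000000
dn: reqStart=20170826032238.000007Z,cn=accesslog2
entryCSN: 20170826032238.330244Z#000000#001#000000
"""

if __name__ == "__main__":
    for label, ctx, ent in (("first mod", FIRST_MOD_CONTEXT, FIRST_MOD_ENTRIES),
                            ("third mod", THIRD_MOD_CONTEXT, THIRD_MOD_ENTRIES)):
        stale = find_stale_context(ctx, ent)
        if not stale:
            print(f"{label}: contextCSN is current")
        for sid, (ctx_csn, entry_csn, lag) in sorted(stale.items()):
            print(f"{label}: sid {sid:03x} contextCSN {ctx_csn} "
                  f"behind entryCSN {entry_csn} by {lag} s")
```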
OpenLDAP Replication Error
by Zpyro
Hi All - I am trying to set up replication between a Centos 5 (2.3) and Centos 7 (2.4) server.
Partial replication is working - however it has not fully replicated. I am receiving an error of "syncrepl_message_to_entry: rid=123 mods check (postalAddress: value #0 invalid per syntax)" in the logs.
From the research I was doing, it looks like this is a reference to a missing schema - however I am pretty sure they are all in place.
Below are the results from querying the schemas on both - ldapsearch -H ldap://localhost -x -s base -b "cn=subschema" objectclasses as well as the slapd.conf files from both hosts.
Any insight into what I am missing would be greatly appreciated!!
Please let me know if you need any more information.
Thank You!!
----- PRIMARY SERVER ----
#
#
# base <cn=subschema> with scope baseObject
dn: cn=Subschema
# extended LDIF
# filter: (objectclass=*)
# LDAPv3
# numEntries: 1
# numResponses: 2
objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) )
objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) )
objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) )
objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain )
objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName )
objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword )
objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )
objectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality )
objectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) )
objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature ) )
objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) )
objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) )
objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )
objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ localityName $ organizationName $ organizationalUnitName ) )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device with a MAC address' SUP top AUXILIARY MAY macAddress )
objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A device with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) )
objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction of an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ description ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) )
objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) )
objectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstraction of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description )
objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid )
objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC2252: extensible object' SUP top AUXILIARY )
objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc )
objectClasses: ( 1.3.6.1.4.1.16331.2.2.2.1 NAME 'contactPerson' DESC 'Contact - Addressbook entry' AUXILIARY MAY ( anniversary $ marker $ birthday $ sendHolidayCard $ externalUID $ externalUIDSyncTimestamp $ modifyObjectTimestamp $ prefix $ middleName $ suffix $ custom1 $ custom2 $ custom3 $ custom4 $ country ) )
objectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.0 NAME 'olcConfig' DESC 'OpenLDAP configuration object' SUP top ABSTRACT )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.1 NAME 'olcGlobal' DESC 'OpenLDAP Global configuration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfigDir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIfMaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcLogLevel $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $ olcReferral $ olcReplicaPidFile $ olcReplicaArgsFile $ olcReplicationInterval $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ olcRootDSE $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcToolThreads $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema object' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend-specific options' SUP olcConfig STRUCTURAL MUST olcBackend )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcSuffix $ olcSubordinate $ olcAccess $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay-specific options' SUP olcConfig STRUCTURAL MUST olcOverlay )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.6 NAME 'olcIncludeFile' DESC 'OpenLDAP configuration include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRootDSE ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.7 NAME 'olcFrontendConfig' DESC 'OpenLDAP frontend configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic module info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.1 NAME 'olcBdbConfig' DESC 'BDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.2.1 NAME 'olcLdifConfig' DESC 'LDIF backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.3.1 NAME 'olcLDAPConfig' DESC 'LDAP backend configuration' SUP olcDatabaseConfig STRUCTURAL MAY ( olcDbURI $ olcDbStartTLS $ olcDbACLAuthcDn $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertAuthcDn $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbTFSupport $ olcDbProxyWhoAmI $ olcDbTimeout $ olcDbIdleTimeout $ olcDbSingleConn $ olcDbCancel $ olcDbQuarantine $ olcDbUseTemporaryConn $ olcDbConnectionPoolMax ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.4.1 NAME 'olcMonitorConfig' DESC 'Monitor backend configuration' SUP olcDatabaseConfig STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Provider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ olcSpSessionlog $ olcSpNoPresent ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.12.1 NAME 'olcPPolicyConfig' DESC 'Password Policy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ olcPPolicyHashCleartext $ olcPPolicyUseLockout ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.1 NAME 'olcChainConfig' DESC 'Chain configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcChainCacheURI $ olcChainMaxReferralDepth $ olcChainReturnError ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.2 NAME 'olcChainDatabase' DESC 'Chain remote server configuration' AUXILIARY )
objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
objectClasses: ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref )
objectClasses: ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
objectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC2252: controlling subschema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) )
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an residential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) )
objectClasses: ( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) )
objectClasses: ( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) )
objectClasses: ( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation )
objectClasses: ( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
objectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256: a strong authentication user' SUP top AUXILIARY MUST userCertificate )
objectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList )
objectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair )
objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256: a user security information' SUP top AUXILIARY MAY supportedAlgorithms )
objectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) )
objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC2256: an alias' SUP top STRUCTURAL MUST aliasedObjectName )
objectClasses: ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST dmdName MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP top AUXILIARY MAY userCertificate )
objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate authority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevocationList $ cACertificate $ crossCertificatePair ) )
objectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP top AUXILIARY MAY deltaRevocationList )
objectClasses: ( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) )
objectClasses: ( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
objectClasses: ( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
objectClasses: ( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
objectClasses: ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
# requesting: objectclasses
result: 0 Success
search: 2
# search result
# Subschema
---- REPLICA SERVER ----
#
#
# base <cn=subschema> with scope baseObject
dn: cn=Subschema
# extended LDIF
# filter: (objectclass=*)
# LDAPv3
# numEntries: 1
# numResponses: 2
objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) )
objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) )
objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) )
objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain )
objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName )
objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword )
objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName )
objectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality )
objectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) )
objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature ) )
objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) )
objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) )
objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) )
objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ localityName $ organizationName $ organizationalUnitName ) )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device with a MAC address' SUP top AUXILIARY MAY macAddress )
objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A device with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) )
objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction of an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ description ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) MAY description )
objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) )
objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) )
objectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstraction of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description )
objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid )
objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC2252: extensible object' SUP top AUXILIARY )
objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc )
objectClasses: ( 1.3.6.1.4.1.16331.2.2.2.1 NAME 'contactPerson' DESC 'Contact - Addressbook entry' AUXILIARY MAY ( anniversary $ marker $ birthday $ sendHolidayCard $ externalUID $ externalUIDSyncTimestamp $ modifyObjectTimestamp $ prefix $ middleName $ suffix $ custom1 $ custom2 $ custom3 $ custom4 $ country ) )
objectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.0 NAME 'olcConfig' DESC 'OpenLDAP configuration object' SUP top ABSTRACT )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.1 NAME 'olcGlobal' DESC 'OpenLDAP Global configuration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfigDir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIfMaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcLogLevel $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $ olcReferral $ olcReplicaPidFile $ olcReplicaArgsFile $ olcReplicationInterval $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ olcRootDSE $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcToolThreads $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema object' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend-specific options' SUP olcConfig STRUCTURAL MUST olcBackend )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcSuffix $ olcSubordinate $ olcAccess $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay-specific options' SUP olcConfig STRUCTURAL MUST olcOverlay )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.6 NAME 'olcIncludeFile' DESC 'OpenLDAP configuration include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRootDSE ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.7 NAME 'olcFrontendConfig' DESC 'OpenLDAP frontend configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic module info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.1 NAME 'olcBdbConfig' DESC 'BDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.2.1 NAME 'olcLdifConfig' DESC 'LDIF backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.3.1 NAME 'olcLDAPConfig' DESC 'LDAP backend configuration' SUP olcDatabaseConfig STRUCTURAL MAY ( olcDbURI $ olcDbStartTLS $ olcDbACLAuthcDn $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertAuthcDn $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbTFSupport $ olcDbProxyWhoAmI $ olcDbTimeout $ olcDbIdleTimeout $ olcDbSingleConn $ olcDbCancel $ olcDbQuarantine $ olcDbUseTemporaryConn $ olcDbConnectionPoolMax ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.4.1 NAME 'olcMonitorConfig' DESC 'Monitor backend configuration' SUP olcDatabaseConfig STRUCTURAL )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Provider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ olcSpSessionlog $ olcSpNoPresent ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.12.1 NAME 'olcPPolicyConfig' DESC 'Password Policy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ olcPPolicyHashCleartext $ olcPPolicyUseLockout ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.1 NAME 'olcChainConfig' DESC 'Chain configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcChainCacheURI $ olcChainMaxReferralDepth $ olcChainReturnError ) )
objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.2 NAME 'olcChainDatabase' DESC 'Chain remote server configuration' AUXILIARY )
objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
objectClasses: ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref )
objectClasses: ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) )
objectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC2252: controlling subschema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) )
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an residential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) )
objectClasses: ( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) )
objectClasses: ( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) )
objectClasses: ( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation )
objectClasses: ( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
objectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256: a strong authentication user' SUP top AUXILIARY MUST userCertificate )
objectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList )
objectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair )
objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256: a user security information' SUP top AUXILIARY MAY supportedAlgorithms )
objectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) )
objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC2256: an alias' SUP top STRUCTURAL MUST aliasedObjectName )
objectClasses: ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST dmdName MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP top AUXILIARY MAY userCertificate )
objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate authority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevocationList $ cACertificate $ crossCertificatePair ) )
objectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP top AUXILIARY MAY deltaRevocationList )
objectClasses: ( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) )
objectClasses: ( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
objectClasses: ( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
objectClasses: ( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
objectClasses: ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
# requesting: objectclasses
result: 0 Success
search: 2
# search result
# Subschema
-------SLAPD - PRIMARY----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ldapab.schema
include /etc/openldap/schema/ppolicy.schema
#include /etc/openldap/schema/apple.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload ppolicy.la
TLSCertificateFile /etc/openldap/ldap.cert
TLSCertificateKeyFile /etc/openldap/ldap.key
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
sizelimit 100000
database bdb
suffix "dc=domainname,dc=com"
rootdn "uid=rootdn,ou=People,dc=domainname,dc=com"
rootpw secret_here
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=domainname,dc=com"
ppolicy_use_lockout
# sync stuff
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
loglevel 256
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
replogfile /var/lib/ldap/openldap-master-replog
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$"
        by dn.regex="uid=$2,ou=People,$3" write
        by * none
access to dn.subtree="ou=Contacts,dc=domainname,dc=com"
        by users write
        by users read
access to *
        by users read
        by peername="IP=192\.168\.200\.5" read
access to *
        by users read
        by peername="IP=192\.168\.201\.12" read
----------SLAPD - REPLICA ----------
Same as above with sync repl at the bottom:
index entryCSN eq
index entryUUID eq
syncrepl rid=123
        provider=ldap://192.168.200.12:389
        type=refreshAndPersist
        interval=00:00:00:01
        searchbase="dc=domainname,dc=com"
        filter="(objectClass=*)"
        scope=sub
        retry="5 5 300 +"
        attrs="*,+"
        bindmethod=simple
        binddn="uid=rootdn,ou=People,dc=domainname,dc=com"
        credentials=secret_here
updateref ldap://primaryLDAP.domainname.com
6 years, 3 months
Re: Removing Berkeley DB Log Files
by Howard Chu
Douglas Duckworth wrote:
> Hi
>
> I am running openldap-servers-2.4.40-16.el6.x86_64 cluster on Centos 6.9. My
> /var/lib/ldap directory contains many 10MB log files. /var partition rather
> small...
>
> I've read they can be removed either by running "sudo db_archive -d -h
> /var/lib/ldap/domain" or by defining "DB_LOG_AUTOREMOVE" within the file
> "DB_CONFIG." That file does not presently exist whereas the db_archive
> command does not actually remove any of the log files.
If the db_archive command doesn't remove anything, that means it thinks all of
the log files are still in active use.
Read the docs more carefully.
http://docs.oracle.com/cd/E17076_05/html/programmer_reference/transapp_lo...
>
> Can I remove the old log files manually using rm?
Not if the above is true, you will corrupt the logs and the DB will fail to
open on a subsequent restart.
> If not should I create
> /var/lib/ldap/DB_CONFIG then restart slapd to make this removal automatic?
> Do you have any idea why db_archive does not work or produce any helpful error
> to stdout?
There's no error message because there's no error, everything is working as
designed.
You need to do periodic checkpoints to allow log files to be closed, and then
db_archive will be able to remove some of them.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 3 months
Removing Berkeley DB Log Files
by Douglas Duckworth
Hi
I am running openldap-servers-2.4.40-16.el6.x86_64 cluster on Centos 6.9.
My /var/lib/ldap directory contains many 10MB log files. /var partition
rather small...
I've read they can be removed either by running "sudo db_archive -d -h
/var/lib/ldap/domain" or by defining "DB_LOG_AUTOREMOVE" within the file
"DB_CONFIG." That file does not presently exist whereas the db_archive
command does not actually remove any of the log files.
Can I remove the old log files manually using rm? If not should I create
/var/lib/ldap/DB_CONFIG then restart slapd to make this removal automatic?
Do you have any idea why db_archive does not work or produce any helpful
error to stdout?
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
6 years, 3 months
Re: mdb fragmentation
by Quanah Gibson-Mount
Hi Geert,
If I could, I would delete 8664 from the ITS system entirely as it was filed based on invalid information that was provided to me. It generally should be ignored.
When a write operation is performed with LMDB, the freelist is scanned for available space to reuse if possible. The larger the size of the freelist, the longer amount of time it will take for the operation to complete successfully. When the database has gotten to a certain point of fragmentation (this differs based on any individual use case), it will start taking a noticeable amount of time for those write operations to complete and the server processing the write operation does essentially come to a halt during this process. Once the write operation completes, things go back to normal. The only solution is to dump and reload the database (slapcat/slapadd or mdb_copy -c). Eventually, you will get back into the same situation and have to do this again.
A recent option was added to the slapd-mdb configuration (rtxnsize) that can also help reduce the rate of fragmentation. There are some performance related issues you can find discussed on the -devel list from when it was added. Whether or not you are affected by them and whether or not the setting will help you in particular depends on whether or not your searches result in a large number of entries being returned. You can find some guidelines around tuning the parameter that I came up with in that thread. If you do not have an unlimited Zimbra License, the license check performed by the store servers will definitely affect this, since the result set is all active accounts which can be quite large.
Additionally, I at one point had a patch for the Zimbra build of OpenLDAP that made it very aggressive in finding freespace to reuse. I don't recall if it is still applied (I don't believe it currently is based on what I saw in github). It basically meant that in Zimbra, it would work extra hard to find reusable freespace, which would reduce the rate at which the database would fragment, but it also meant that once the DB was fragmented enough, it would amplify the amount of time it took for a write op to complete. I.e., it was a tradeoff of a longer time to reach a catastrophic state, but the state was more catastrophic once achieved.
This is one area where LMDB differs significantly from back-hdb/bdb. You could have back-bdb/hdb databases that endured a high rate of write operations be in effect for years w/o needing maintenance. With LMDB, you get better read & write rates, but it requires periodic reloads.
Hope this helps!
--Quanah
----- Original Message -----
> From: "Geert Hendrickx" <geert(a)hendrickx.be>
> To: "openldap-technical" <openldap-technical(a)openldap.org>
> Sent: Thursday, August 24, 2017 4:53:32 AM
> Subject: mdb fragmentation
> Hi
>
> We have an OpenLDAP 2.4.44 based, 4-way MMR setup with 4 M entries,
> which is fairly write intensive (Zimbra).
>
> Lately we've seen very frequent lockups of the master that receives
> the updates (only 1 out of 4), whereas the replicas stay responsive.
> According to -d stats logs, all threads suddenly take a long time to
> answer any queries, and slapd can no longer accept new connections.
> The issue always disappears again without intervention, but usually
> hits a number of times in a row, on an almost daily basis.
>
> We tested a lot of things, but eventually "solved" the issue with a
> slapcat and slapadd of the database - the master server has been
> completely stable again since. The mdb was also reduced 50% in size.
>
> Looking at the old mdb (prior to the dump), mdb_stat -f shows it had
> over 3.7 M free pages. Could it be an issue of database fragmentation
> similar to ITS#8664?
>
> Is it natural that the freelist (and thus the mdb) gets this big over
> time, I would expect those free pages to get reused constantly?
> And in that case would it make sense to monitor the number of free
> pages? Is there a threshold to look for, before things get problematic
> again? (ITS#7770 would come in handy here, as we already monitor/graph
> various metrics from the monitor backend)
>
>
> Geert
>
>
> --
> geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
> This e-mail was composed using 100% recycled spam messages!
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 3 months
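The free-page monitoring asked about in this thread, as an added example that is not from any poster here: a shell helper that parses `mdb_stat -ef` output and compares the freelist with the pages used. The sample output is constructed, and the threshold is a site-specific assumption, since the thread gives no universal value.

```shell
#!/bin/sh
# Added example: compare the LMDB freelist with pages used, from `mdb_stat -ef` text.

# Constructed sample output. Only the free page count echoes the thread
# ("over 3.7 M free pages"); every other value is invented for illustration.
sample_stat() {
cat <<'EOF'
Environment Info
  Map address: (nil)
  Map size: 85899345920
  Page size: 4096
  Max pages: 20971520
  Number of pages used: 7400000
  Last transaction ID: 51234567
  Max readers: 126
  Number of readers used: 4
Freelist Status
  Tree depth: 2
  Branch pages: 1
  Leaf pages: 120
  Overflow pages: 3600
  Entries: 9000
  Free pages: 3700000
EOF
}

# Read mdb_stat -ef text on stdin, print "<free> <used> <free as % of used>".
# Exits 2 when a field is missing (for example -e or -f was not passed).
mdb_free_summary() {
    awk -F': *' '
        /^ *Number of pages used:/ { used = $2 }
        /^ *Free pages:/           { free = $2 }
        END {
            if (used == "" || free == "" || used + 0 == 0) exit 2
            printf "%s %s %d\n", free, used, int(free * 100 / used)
        }'
}

# Return 0 below the threshold, 1 at or above it, 2 on unparsable input.
# threshold_pct is an assumption to tune per site, not a value from the thread.
mdb_free_check() {
    threshold_pct=$1
    summary=$(mdb_free_summary) || return 2
    set -- $summary
    echo "free_pages=$1 pages_used=$2 free_pct=$3 threshold_pct=$threshold_pct"
    [ "$3" -lt "$threshold_pct" ]
}

# Live use (path is a placeholder): mdb_stat -ef /path/to/db | mdb_free_check 25
sample_stat | mdb_free_check 25 || echo "freelist at or above threshold"
```

Graphing the percentage over time and noting its value when write stalls begin gives a per-site threshold for scheduling the next slapcat/slapadd or `mdb_copy -c`.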
lock.mdb taking lots of space
by Muhammed Muneer
Hi,
Is there any particular reason why my lock.mdb is taking above 600 MB? The
data.mdb size is around 4.5 GB.
Is this normal?
6 years, 3 months
OpenLDAP as Proxy
by Palacios, Christian
Hi there,
We need to find out if OpenLDAP will allow us to use it as a proxy so it can retrieve users from three different Windows Active Directory Domains? These three domains do not have any similar users. The user retrieval process needs to work like this:
- The application that needs this LDAP connection will point to the OpenLDAP server using an LDAP address such as ldap://server.example.com:389/OU=users...etc
- This application will also need to retrieve the sAMAccountName from each user retrieved via the OpenLDAP server
- The application's LDAP connection settings also need to specify an Administrator's DN and password, but I'm confused about this because I don't know what Administrator account to use. Like I said, each domain has their own set of users so they don't have any Administrator accounts in common. How would this work?
If you need any more information, please let me know!!
Thanks,
- Christian
6 years, 3 months
LDAPCon 2017 programme now online
by Andrew Findlay
The programme for the 2017 LDAP Conference has just been published:
https://ldapcon.org/2017/conference-program/
It's looking good, so get your booking in quickly to get early-bird
tickets and start thinking about where you want to stay in Brussels!
The conference runs 19th and 20th October 2017.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
6 years, 3 months
mdb fragmentation
by Geert Hendrickx
Hi
We have an OpenLDAP 2.4.44 based, 4-way MMR setup with 4 M entries,
which is fairly write intensive (Zimbra).
Lately we've seen very frequent lockups of the master that receives
the updates (only 1 out of 4), whereas the replicas stay responsive.
According to -d stats logs, all threads suddenly take a long time to
answer any queries, and slapd can no longer accept new connections.
The issue always disappears again without intervention, but usually
hits a number of times in a row, on an almost daily basis.
We tested a lot of things, but eventually "solved" the issue with a
slapcat and slapadd of the database - the master server has been
completely stable again since. The mdb was also reduced 50% in size.
Looking at the old mdb (prior to the dump), mdb_stat -f shows it had
over 3.7 M free pages. Could it be an issue of database fragmentation
similar to ITS#8664?
Is it natural that the freelist (and thus the mdb) gets this big over
time, I would expect those free pages to get reused constantly?
And in that case would it make sense to monitor the number of free
pages? Is there a threshold to look for, before things get problematic
again? (ITS#7770 would come in handy here, as we already monitor/graph
various metrics from the monitor backend)
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
6 years, 3 months