Hello,
I have been running OpenLDAP 2.4.47 on Debian 10 for a while and have now enabled
the overlay for memberOf. Is there any good option for backup and
restore, because slapcat and slapadd aren't working.
Thanks and kind regards
Lars

Hi,
We're using a proxied sync-repl installation to populate various
consumers from our single master.
For some time now, we've been seeing all kinds of strange phenomena,
mostly with missing objects on some (not all) consumers. Previously, our
consumers and our master hadn't been identical with regards to the
OpenLDAP version and the operating system used. While, according to the
specs, this should have worked, we decided to rule out one source of
trouble and upgrade our infrastructure and so right now, we're using
OpenLDAP 2.4.47 on Debian buster on all involved boxes:
% dpkg -l slapd
[...]
ii slapd 2.4.47+dfsg-3+deb10u4 amd64 OpenLDAP server (slapd)
One of the issues we're currently seeing is that memberOf queries don't
work as expected. Different consumers yield different results, which
again are different from what the master has.
See for example:
# on the master
root@minerva:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof
dn: uid=ssebastian,ou=People,dc=example,dc=com
memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com
memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com
memberOf: cn=qube,ou=Group,dc=example,dc=com
# consumer #1
root@demeter:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof
dn: uid=ssebastian,ou=People,dc=example,dc=com
# consumer #2
root@peta:~# ldapsearch -b ou=People,dc=example,dc=com -LLL -x uid=ssebastian memberof
dn: uid=ssebastian,ou=People,dc=example,dc=com
memberOf: cn=ocp-cluster-users,ou=Group,dc=example,dc=com
memberOf: cn=ocp-cluster-admins,ou=Group,dc=example,dc=com
However, when I investigate the group, I see the user listed in every
one of them:
# on the master
root@minerva:~# ldapsearch -LLL -x cn=qube
dn: cn=qube,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
cn: qube
gidNumber: 1602
[...]
member: uid=ssebastian,ou=People,dc=example,dc=com
[...]
# on consumer #1
root@demeter:~# ldapsearch -LLL -x cn=qube
dn: cn=qube,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
cn: qube
gidNumber: 1602
[...]
member: uid=ssebastian,ou=People,dc=example,dc=com
[...]
# on consumer #2
root@peta:~# ldapsearch -LLL -x cn=qube
dn: cn=qube,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
objectClass: posixGroup
cn: qube
gidNumber: 1602
[...]
member: uid=ssebastian,ou=People,dc=example,dc=com
[...]
The master only shares the relevant part of the DIT to the consumers, so
unfortunately I cannot 1:1 compare them using slapcat. But if I again
apply a group filter, slapcat delivers correct results on all instances
as well (i.e. slapcat -a 'cn=qube').
My first idea was an index issue, but running slapindex didn't change
anything.
Any ideas what might be wrong and/or how to debug this issue?
Additionally - bear with me - we're not using cn=config, but the old
style slapd.conf configuration.
Thanks
Udo
--
Udo Rader, CTO
BestSolution.at EDV Systemhaus GmbH
Eduard-Bodem-Gasse 5-7, A-6020 Innsbruck
http://www.bestsolution.at/
Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck
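
One way to measure the drift described in the message above, as an added example that is not part of the original post: derive the expected memberOf set from the groups' member values in an `ldapsearch -LLL` dump and compare it with the memberOf values the same server returns. The function names, the simplified DN normalisation and the constructed sample dumps (modelled on the outputs quoted above) are assumptions.

```python
import base64
from collections import defaultdict

GROUPS = ["ocp-cluster-users", "ocp-cluster-admins", "qube"]
USER = "uid=ssebastian,ou=People,dc=example,dc=com"

def norm_dn(dn):
    # Simplified DN normalisation (assumption): case-fold, trim around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into {normalised dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold folded lines first
        if not line.strip():                # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr.lower() == "dn":
            current = entries.setdefault(norm_dn(value), defaultdict(list))
        elif current is not None:
            current[attr.lower()].append(value.strip())
    return entries

def memberof_drift(ldif_text):
    """Return {entry dn: {"missing": [...], "extra": [...]}} for one server's dump."""
    entries, expected = parse_ldif(ldif_text), defaultdict(set)
    for dn, attrs in entries.items():       # expected: user dn -> groups listing it
        for member in attrs.get("member", []):
            expected[norm_dn(member)].add(dn)
    drift = {}
    for dn, attrs in entries.items():
        actual = {norm_dn(g) for g in attrs.get("memberof", [])}
        want = expected.get(dn, set())
        if actual != want:
            drift[dn] = {"missing": sorted(want - actual), "extra": sorted(actual - want)}
    return drift

def sample(memberof):  # constructed dump: three groups plus the user entry
    dn = "cn=%s,ou=Group,dc=example,dc=com"
    ents = ["dn: %s\nmember: %s\n" % (dn % g, USER) for g in GROUPS]
    ents.append("dn: %s\n" % USER + "".join("memberOf: %s\n" % (dn % g) for g in memberof))
    return "\n".join(ents)

if __name__ == "__main__":
    for host, seen in [("master", GROUPS), ("consumer1", []), ("consumer2", GROUPS[:2])]:
        print(host, memberof_drift(sample(seen)))
```

Run against each server, the dump has to contain the group entries with their member values and the user entries with memberof requested explicitly, as in the searches quoted above.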