I am migrating from single provider to N-Way provider in OpenLDAP 2.4.56
This configuration was setup years ago and reading the docs has me questioning this piece of configuration. I notice we have no present configured on our syncprov overlay for our primary DB setup for delta sync. I noticed in the docs it explains
The nonpresent option should only be configured if the overlay is being placed on top of a log database, such as when used with delta-syncrepl.
The nonpresent option is configured by the
directive. This value should only be set TRUE for a syncprov instance on top of a log database (such as one managed by the accesslog overlay). The default is FALSE.
olcDbCheckpoint: 1024 10
... indexes ...
Should this olcSpNoPresent piece be removed from our configuration? What adverse affects would this generate if it is in fact an incorrect piece of configuration? Delta-Sync between our consumers and provider seem to function. I am worried this could cause problems on my journey to N-Way provider replication.
Next, I am testing new architecture for N-Way but see that the new context CSNs generated by those new providers also show up in the initial provider. If I want to "go back" to my original system state before my N-Way testing, can I simply delete the ContextCSNs from an exported LDIF and reload the database? Or is that asking for trouble?
I am setting up n-way multi-provider replication.
Should we expect a full sync when we setup sync for the first time on a new provider?
Can we load a backup data.mdb file first and have deltasync run from there to prevent a full sync (i.e. to save time)?
What is the expected behavior/best practice?
Also, I have some questions around mdb_copy.
Is there any concern using the -c flag for compacting the data.mdb file to be used for restore (or new n-way provider if that works)?
I notice the compacted file is smaller on disk than the original data.mdb (due to the removed freed pages).
I assume the data sets are still the same? Are there tools to compare the two?
And last question, I am using mdb_copy to create a backup but standard linux cp to put the new file into /var/lib/ldap/data.mdb.
Will this cause any issues or is it recommended to use mdb_copy to also move the data.mdb file into place?
I was wondering if anyone has successfully made schema and data migration from OpenLDAP (current version: openldap-2.4.49) to OUD (Oracle Unified Directory 11g) or ODSEE (Oracle Directory Server Enterprise Edition 11g).
We are trying to make Zimbra servers (currently using OpenLDAP directory on each server Zimbra installed) use a centralized MMR-enabled OUD environment. But we couldn't find any migration documentation on that.
Is it possible to hide a attribute for a specific value only?
E.g., I would like to hide the 'attr1: A' for some DNs binding, but, 'attr1: B' should be visible for the client.
I'm having difficulty making tools like ldapsearch accept SSL certificates signed by a Windows domain controller, even when the trust chain seems good. The problem extends to PHP, which uses openldap (PHP debug logging shows the exact same errors).
We manually trusted the CA certifcate of the domain controller:
cp -v /tmp/PDC02CA.crt /usr/local/share/ca-certificates
OpenSSL approves it (it doesn't aprove without the previous step):
# openssl verify -verify_hostname PDC01.city.cmpny.local /tmp/PDC01.city.cmpny.local.crt
openssl s_client -verify_hostname PDC01.city.cmpny.local -connect PDC01.city.cmpny.local:3269
depth=1 DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
i:DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
But ldapsearch just will not approve it:
$ ldapsearch -d1 -H ldaps://PDC01.city.cmpny.local:3269
ldap_connect_to_host: TCP PDC01.city.cmpny.local:3269
ldap_connect_to_host: Trying 10.105.10.10:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
Running 'strace' shows '/etc/ssl/certs/ca-certificates.crt' is properly read. Doing all the standard tricks with 'LDAPTLS_CACERT, TLS_CACERT', pointing directly to '/tmp/PDC02CA.crt', editing '/etc/ldap/ldap.conf' with all possible permutations. Nothing works, except 'TLS_REQCERT never'.
Other certificates are accepted when testing public servers. They are just https, but for SSL tests that doesn't matter. Like:
ldapsearch -d1 -H ldaps://www.google.com:443
ldapsearch -d1 -H ldaps://www.amazon.co.uk:443
The latter only has the correct domain name in the 'subject alternate name', not the common name. I theorized that maybe the SAN was a cause, but this test result, and , show that should work fine.
If I deliberately try to create a hostname mismatch, it says: 'TLS: hostname (blabla.com) does not match common name in certificate (www.amazon.co.uk)'. Very different from my 'peer cert untrusted or revoked'.
Could this be a bug (in GnuTLS)?
ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Feb 18 2021 14:22:42)
Ubuntu: 18.04.5 LTS
I have multi-master replication configured. https://pastebin.com/vYKsa9VY
I want to replace ldap3. Please tell me how to do this ? I mean, how does the new server synchronize the current ldap database?
--On Monday, April 5, 2021 2:37 PM +0000 "Ballem, Narayanan"
> Good Morning !!!
> On Last weekend , finally migration went fine .
> I have modified loglevel to stats and increased slapd file descriptor to
> 8192 which resolve the issue. Looks like in RHEL7 somehow with value 2k
> it's not working where as it's used to work in RHEL6.
> It's bit interesting , No errors reported with ulimit issues in the logs.
Glad to hear it! :)
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
I was certain that I could find this in the archives but failed.
What's the recommended way to extend inetOrgPerson to include twitter
handle, facebook ID and other social media contact points? There
doesn't seem to be OID defined for these attributes.