After more than a day of fiddling with it, I turn to you, the gurus ;)
I'm trying to create an OpenLDAP proxy that will talk to 2 OpenLDAP
servers, doing MirrorMode replication and using a floating IP so that I
can point all write queries to one and the same server. Those 2
MirrorMode servers are up and running and doing fine, but I can't figure
out how to make that proxy.
I'm running on Debian Bullseye (still "testing" at this moment), with
OpenLDAP 2.4.57, both on the backend servers and the proxy I'm trying to
make. I'm not using TLS yet, that's for later.
After installation, there's an (empty, of course) mdb database. I think
I should throw that away, but I'm not sure. The suffix in that database
is different than the one I need to proxy, so it's probably not a
problem to leave it there.
I have loaded the extra schemas that I use on the MirrorMode machines,
and loaded the backends ldap and meta, with LDIF files like this:
And fed that to slapd with
ldapmodify -Y EXTERNAL -h ldapi:/// -f <file>
I checked with ldapvi and saw both modules loaded. So far, so good.
Now I need to create the backend, and this is where I keep running into
problems. Although the use of slapd.conf has fallen from grace a long
time ago, every example I can find online only uses that. So I tried
creating one and adding it to the configuration with slaptest. This is
what I came up with:
rootpw "super secret passwd"
acl-passwd "super secret passwd"
acl-passwd "super secret passwd"
acl-passwd "super secret passwd"
But when I try to convert that, I get an error:
# slaptest -f /root/proxybackend.conf -F /etc/ldap/slapd.d
6075bced /root/proxybackend.conf: line 1: <backend> failed init (meta)!
slaptest: bad configuration directory!
The information in the OpenLDAP Handbook is, well, lacking:
I had hoped to find a way to create an LDIF file which I could add with
ldapadd, but I never came much further than this:
olcRootPW: "super secret passwd"
which results in:
adding new entry "olcDatabase=meta"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
I'm pretty sure I need more lines in that, to begin with the URI lines
to point the proxy to the machines it needs to contact, but I couldn't
find the olcSomeThing syntax for them. I'm pretty good at searching, but
not so good at finding, unfortunately.
Can somebody give me a few hints please? I'm pretty sure I'm missing
something small here, but I'm stuck.
I am migrating from single provider to N-Way provider in OpenLDAP 2.4.56
This configuration was setup years ago and reading the docs has me questioning this piece of configuration. I notice we have no present configured on our syncprov overlay for our primary DB setup for delta sync. I noticed in the docs it explains
The nonpresent option should only be configured if the overlay is being placed on top of a log database, such as when used with delta-syncrepl.
The nonpresent option is configured by the
directive. This value should only be set TRUE for a syncprov instance on top of a log database (such as one managed by the accesslog overlay). The default is FALSE.
olcDbCheckpoint: 1024 10
... indexes ...
Should this olcSpNoPresent piece be removed from our configuration? What adverse affects would this generate if it is in fact an incorrect piece of configuration? Delta-Sync between our consumers and provider seem to function. I am worried this could cause problems on my journey to N-Way provider replication.
Next, I am testing new architecture for N-Way but see that the new context CSNs generated by those new providers also show up in the initial provider. If I want to "go back" to my original system state before my N-Way testing, can I simply delete the ContextCSNs from an exported LDIF and reload the database? Or is that asking for trouble?
I am setting up n-way multi-provider replication.
Should we expect a full sync when we setup sync for the first time on a new provider?
Can we load a backup data.mdb file first and have deltasync run from there to prevent a full sync (i.e. to save time)?
What is the expected behavior/best practice?
Also, I have some questions around mdb_copy.
Is there any concern using the -c flag for compacting the data.mdb file to be used for restore (or new n-way provider if that works)?
I notice the compacted file is smaller on disk than the original data.mdb (due to the removed freed pages).
I assume the data sets are still the same? Are there tools to compare the two?
And last question, I am using mdb_copy to create a backup but standard linux cp to put the new file into /var/lib/ldap/data.mdb.
Will this cause any issues or is it recommended to use mdb_copy to also move the data.mdb file into place?
I was wondering if anyone has successfully made schema and data migration from OpenLDAP (current version: openldap-2.4.49) to OUD (Oracle Unified Directory 11g) or ODSEE (Oracle Directory Server Enterprise Edition 11g).
We are trying to make Zimbra servers (currently using OpenLDAP directory on each server Zimbra installed) use a centralized MMR-enabled OUD environment. But we couldn't find any migration documentation on that.
Is it possible to hide a attribute for a specific value only?
E.g., I would like to hide the 'attr1: A' for some DNs binding, but, 'attr1: B' should be visible for the client.
I'm having difficulty making tools like ldapsearch accept SSL certificates signed by a Windows domain controller, even when the trust chain seems good. The problem extends to PHP, which uses openldap (PHP debug logging shows the exact same errors).
We manually trusted the CA certifcate of the domain controller:
cp -v /tmp/PDC02CA.crt /usr/local/share/ca-certificates
OpenSSL approves it (it doesn't aprove without the previous step):
# openssl verify -verify_hostname PDC01.city.cmpny.local /tmp/PDC01.city.cmpny.local.crt
openssl s_client -verify_hostname PDC01.city.cmpny.local -connect PDC01.city.cmpny.local:3269
depth=1 DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
i:DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA
But ldapsearch just will not approve it:
$ ldapsearch -d1 -H ldaps://PDC01.city.cmpny.local:3269
ldap_connect_to_host: TCP PDC01.city.cmpny.local:3269
ldap_connect_to_host: Trying 10.105.10.10:3269
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
TLS: peer cert untrusted or revoked (0x102)
TLS: can't connect: (unknown error code).
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: (unknown error code)
Running 'strace' shows '/etc/ssl/certs/ca-certificates.crt' is properly read. Doing all the standard tricks with 'LDAPTLS_CACERT, TLS_CACERT', pointing directly to '/tmp/PDC02CA.crt', editing '/etc/ldap/ldap.conf' with all possible permutations. Nothing works, except 'TLS_REQCERT never'.
Other certificates are accepted when testing public servers. They are just https, but for SSL tests that doesn't matter. Like:
ldapsearch -d1 -H ldaps://www.google.com:443
ldapsearch -d1 -H ldaps://www.amazon.co.uk:443
The latter only has the correct domain name in the 'subject alternate name', not the common name. I theorized that maybe the SAN was a cause, but this test result, and , show that should work fine.
If I deliberately try to create a hostname mismatch, it says: 'TLS: hostname (blabla.com) does not match common name in certificate (www.amazon.co.uk)'. Very different from my 'peer cert untrusted or revoked'.
Could this be a bug (in GnuTLS)?
ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Feb 18 2021 14:22:42)
Ubuntu: 18.04.5 LTS
I have multi-master replication configured. https://pastebin.com/vYKsa9VY
I want to replace ldap3. Please tell me how to do this ? I mean, how does the new server synchronize the current ldap database?
--On Monday, April 5, 2021 2:37 PM +0000 "Ballem, Narayanan"
> Good Morning !!!
> On Last weekend , finally migration went fine .
> I have modified loglevel to stats and increased slapd file descriptor to
> 8192 which resolve the issue. Looks like in RHEL7 somehow with value 2k
> it's not working where as it's used to work in RHEL6.
> It's bit interesting , No errors reported with ulimit issues in the logs.
Glad to hear it! :)
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
I was certain that I could find this in the archives but failed.
What's the recommended way to extend inetOrgPerson to include twitter
handle, facebook ID and other social media contact points? There
doesn't seem to be OID defined for these attributes.