Re: Need assistant to Implement and Configure OpenLDAP for users authentication from Multi-Domain
by Quanah Gibson-Mount
--On Thursday, November 23, 2023 12:21 PM +0000 Sunil Sharma
<sunil.sharma(a)mdsglobalit.com> wrote:
> • What would be the Best OS for OpenLDAP currently, is it Linux,
> CentOS or any other?
Generally any current linux distribution with a current openldap release.
> • We have users from Multi-Domain where these domains do not have any
> trust relationship between each other and we need to authenticate the
> users from multi-Domain for UC applications (CUCM, CUC, CER, UCCE,
> Expressways and Jabber).
>
>
>
> We are looking if we can sync the user database from
> these multidomain to a single OpenLDAP server and then from this OpenLDAP
> to UC applications using single search base for authentication, is this
> possible?
Probably?
--Quanah
13 hours, 5 minutes
Re: Replication issue during performance test with MMR configuration and LastBind enabled
by Falgon
Hello,
I'm working on the same project as Meheni.
Thanks for your answer, we'll try version 2.6 OpenLDAP using the
lastbind-precision.
However we have several questions for the current version we're using.
Is this a known problem and referenced somewhere? (we haven't found it)
Is it normal to find no replication error logs even in stats + sync mode?
We ran some tests in sequential mode (300,000 accounts one after the other)
and managed to reproduce the problem.
-Denis
Le mer. 11 oct. 2023 à 14:11, Quanah Gibson-Mount <quanah(a)fast-mail.org> a
écrit :
>
>
> --On Tuesday, October 10, 2023 9:30 PM +0200 Ziani Meheni
> <mehani06(a)gmail.com> wrote:
>
> >
> >
> > Hello, we are working on a project and we've come across a problem with
> > the replication after performance testing :
>
> You need to use OpenLDAP 2.6 and then set the:
>
> lastbind-precision
>
> value. I use 5 minutes.
>
> --Quanah
>
13 hours, 6 minutes
slapd 2.5 forwarding request .. please help
by enrico.becchetti@gmail.com
Hi everyone,
I have a particular setup and I need your help.
I have a Slapd 2.5 running in a debian virtual machine. This ldap server has its own tree, dc=example,dc=com.
I need this slapd server to forward the authentication requests for two domains other than its own, for example
dc=example2,dc=com towards -> 192.168.1.1
dc=example3,dc=com towards -> 192.168.2.1
I read in the documentation that it is possible to do this forward but I can't modify the configuration using ldapmodify.
Can you help me ?
Thanks
Willy
21 hours, 57 minutes
Access to cn=monitor from read-only ldap
by Kevin Cousin
Hi List,
I've got an LDAP architecture with one read-write OpenLDAP (primary)
and some read-only OpenLDAP (replica).
I load the cn=monitor backend on the primary? is it sufficient to have
the cn=monitor backend on the slave too or should I activate it on the
replicas ?
Regards,
Kevin C
1 week
Transitioning from slapd.conf to slapd.d, best practices for maintaining configuration comments?
by Ben Poliakoff
This is more of a practical question than a technical one, but it's
prompted by a technical change: I'm *very* **very** belatedly transitioning
from flat file slapd.conf config to slapd.d/OLC.
With flat file configuration, it was straightforward to include text
comments (e.g. "# blah blah"), but as far as I know there isn't any sort of
analog for comments, when using slapd.d. Looking for any tips about how
best to annotate slapd configuration, in a slapd.d/olc world. Does anyone
have a practice that they find works well for them? Do people just maintain
separate documents/wiki pages/etc that describe their servers' configs?
Ben
1 week, 2 days
syncrepl between 2.4.57.0.1 and 2.6.2-3
by Frank, Michael
Airbus Amber
Dear all,
basically I trying to establish a syncrepl/refreshAndpersist Setup between:
OpenLDAP: 2.4.57.0.1 @ Solaris < - > OpenLDAP: 2.6.2-3 @ Rhel 9.latest
(don`t ask)
An intial syncrepl activation does works properly (replication of ou`s content in both directions), but when I afterwards restart one of the replication Partners, the
sync failes and in consequence on one of replication Partner the ou`s are deleted.
From logging point of view there are somekind of issues to identify the remote object via the UUID which leads then to the deletion:
##schnipp
6538d3db.38892890 0x7f9fe65fe640 nonpresent_callback: rid=044 nonpresent UUID 25a0c72c-0364-103e-83af-fb52f2a7ef64, dn ou=permissions,dc=xxx,dc=xxxx,dc=xxxxxx
6538d3db.388983a6 0x7f9fe65fe640 nonpresent_callback: rid=044 adding entry ou=permissions,dc=xxxx,dc=xxxxx,dc=xxxx to non-present list
###schnapp
Unfortunately I cannot find any Information which says something useful about the basic backward compatibility of the synrepl/refreshAndPersist implementation from 2.6 to 2.4.
Can someone state why this mission is hopeless in detail or should the setup work basically ?
(I know the best practice : everywhere same versions...)
Best regards and thanks in advance,
michael
This Item has been reviewed and was determined as not listed under German regulation, nor EU export controls, nor U.S. export controls. However, in the case of the item has to be resold, transferred, or otherwise disposed of to an embargoed country, to an end user of concern or in support of a prohibited end use, you may be required to obtain an export license.
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
1 week, 5 days
"user"/"users" keyword in documentation
by Uwe Sauter
Hi all,
in the ACL chapter of the online documentation to OpenLDAP 2.6 (and likely the versions before)
there might be a mismatch of singular/plural usage of the "users" keyword.
In chapter 8.3.2 "who to grant access to" table 5.3 lists specifier "users" as "authenticated users"
entities. This is further shown in chapter 8.4.2 "matching anonymous and authenticated users".
In chapter 8.4.9 "tips for using regular expressions in access control" the singular is used:
"Use shorthands. The user directive matches authenticated users and the anonymous directive matches
anonymous users."
As well as in the subchapters 8.5.x where the singular is used in set definitions.
My question now is: does it matter whether singular or plural of user is used in ACLs? If so, where
to use one and where to use the other? Does it follow natural language useage?
Thanks,
Uwe
2 weeks, 2 days
Thread Safety in LMDB with MDB_NOTLS and Readonly Cursors
by xiaoya2wei@gmail.com
Greetings LMDB Community,
I am delving into the thread-safety aspects of LMDB, specifically regarding the use of readonly cursors across multiple threads. With the MDB_NOTLS flag enabled, which disables thread-local storage, my understanding is that readonly transactions may be shared between threads, provided there is proper synchronization to prevent concurrent access.
Building upon this, I seek clarity on the following: Can multiple threads safely access a single readonly cursor derived from such a synchronized readonly transaction when MDB_NOTLS is enabled?
Upon reviewing the LMDB source code, I noticed that cursors are tied to transactions (see mdb.c#L1335). This suggests that if threads can synchronously share a transaction, they might also share a cursor associated with it for data retrieval.
Meanwhile, while looking at the LMDB document (http://www.lmdb.tech/doc/group__mdb.html#gad7ea55da06b77513609efebd44b26920), it says “Cursors may not span transactions”, which is a little confusing for me. To be crystal transparent, does it mean that, even if MDB_NOTLS is set, a cursor opened by a readonly transaction still has to stay with one single thread for its entire lifetime, and cannot be used by another thread even at a different time?
Thank you in advance for your assistance!
Best,
Xiaoya
2 weeks, 6 days
Issue with refint and rwm overlay
by Maksim Saroka
Hello,
We have a strange situation with refint and rwm overlays on ldap replica.
Looks like those overlays depend on each other and on position in the
slapd.conf file regarding database section. However refint overlay is
working in any position if rwm overlay is not specified. Here are the
examples with positions in the file:
Refint overlay work if:
1.
rwm overlay section
database section
refint overlay section
Refint overlay does not work if:
1.
database section
refint overlay section
rwm overlay section
2.
rwm overlay section
refint overlay section
database section
Could you please explain to us the root cause of that as I can't find any
explanation in the docs.
--------
Maksim Saroka
DevOps/System Administrator
Exadel.com <https://exadel.com/>
Follow Us on LinkedIn <https://www.linkedin.com/company/exadel/>
--
CONFIDENTIALITY
NOTICE: This email and files attached to it are
confidential. If you
are not the intended recipient you are hereby notified
that using,
copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited. If you have
received
this email in error please notify the sender and delete this
email.
3 weeks
Scaling slapd nodes in Kubernetes with the MDB Backend
by Alejandro Imass
Hi there!
We are working on a new installation and decided to try something new..
In the past I would have gone with multi-master with ldap balancer but
after reading and researching more and more on MDB, we decided to try to
integrate OpenLDAP into our current CI/CD pipelines using K8s.
What we tried so far and it seems to work is initialize a common
persistence storage and then an auto scaling group that shares that common
drive. Ech pod has as many threads as virtual CPU it may have, and none of
the pods can write, except a dedicated write pod (single instance) with
multiple threads for writing.
Is there anything else we are missing here? Any experience scaling OpenLDAP
with Kubernetes or other container technology.
Thank you in advance for any comments, pointers or recommendations!
--
Alex
3 weeks, 1 day
