openldap-technical

openldap-technical@openldap.org

22 participants
9789 discussions

Re: delta syncrepl errors
by Quanah Gibson-Mount 29 Aug '17

29 Aug '17

--On Tuesday, August 22, 2017 12:36 PM +0200 Gerard Ranke <gerard.ranke(a)hku.nl> wrote: > 2017-08-18T14:54:39.153660+02:00 del slapd[25530]: do_syncrep2: rid=001 > got search entry without Sync State control > (reqStart=20170815125023.000001Z,cn=accesslog) You appear to be missing the syncprov overlay from the accesslog DB. I would suggest revisting the configuration on your master. Both the primary database and the accesslog database require having syncprov present, with different options set. It should be something along the lines of: dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE as can be found in test063 --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: RedHat dropping OpenLDAP server support
by Howard Chu 28 Aug '17

28 Aug '17

Robert Heller wrote: > At Mon, 28 Aug 2017 11:44:27 -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote: > >> >> Hello All, >> >> As noted in the RHEL7.4 release notes >> (<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/ht…>), >> RedHat will no longer support OpenLDAP Server starting with RHEL8. > > Will RedHat be supporting an alternitive Lightweight Directory Access Protocol > server? Or is RedHat dropping all sopport for Lightweight Directory Access > Protocol servers? RedHat is supporting their commercial server, RedHat Directory Server. It's the commercial version of 389DS, derived from the old Netscape LDAP server. Worth noting that that lineage of code has been abandoned by everyone else (e.g. Sun/Oracle DSEE has also been EOL'd). > >> >> This is likely a good time to start planning your migration plans if you >> currently rely on RedHat's build of OpenLDAP. I would note that Symas >> provides certified builds for OpenLDAP with various support options >> available. An alternative for those who do not require support and do not >> wish to build OpenLDAP themselves would be to use the LTB project builds. >> >> Regards, >> Quanah >> >> -- >> >> Quanah Gibson-Mount >> Product Architect >> Symas Corporation >> Packaged, certified, and supported LDAP solutions powered by OpenLDAP: >> <http://www.symas.com> >> >> >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Re: RedHat dropping OpenLDAP server support
by Douglas Duckworth 28 Aug '17

28 Aug '17

They want you to buy their identity management server which is based upon 389 directory server. Or you could go with freeipa https://www.freeipa.org/page/Main_Page Will this change also affect centos? Doug Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Mon, Aug 28, 2017 at 4:19 PM, Robert Heller <heller(a)deepsoft.com> wrote: > At Mon, 28 Aug 2017 11:44:27 -0700 Quanah Gibson-Mount <quanah(a)symas.com> > wrote: > > > > > Hello All, > > > > As noted in the RHEL7.4 release notes > > (<https://urldefense.proofpoint.com/v2/url?u=https- > 3A__access.redhat.com_documentation_en-2DUS_Red- > 5FHat-5FEnterprise-5FLinux_7_html_7.4-5FRelease-5FNotes_ > chap-2DRed-5FHat-5FEnterprise-5FLinux-2D7.4-5FRelease- > 5FNotes-2DDeprecated-5FFunctionality.html-23idp12778832&d=DwIBAg&c= > lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e- > CbhH6xUjnRkaqPFUS2wTJ2cw&m=-nX2P-9jJkqd2VhDD2sJ3alWs9cDEp6jpNb6 > lhNQAiY&s=rcOr9W4Z0-adDX11ERL8Oq5r0dEwVwaS9V-qnhKeslA&e=>), > > RedHat will no longer support OpenLDAP Server starting with RHEL8. > > Will RedHat be supporting an alternitive Lightweight Directory Access > Protocol > server? Or is RedHat dropping all sopport for Lightweight Directory Access > Protocol servers? > > > > > This is likely a good time to start planning your migration plans if you > > currently rely on RedHat's build of OpenLDAP. I would note that Symas > > provides certified builds for OpenLDAP with various support options > > available. An alternative for those who do not require support and do > not > > wish to build OpenLDAP themselves would be to use the LTB project builds. > > > > Regards, > > Quanah > > > > -- > > > > Quanah Gibson-Mount > > Product Architect > > Symas Corporation > > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > > <https://urldefense.proofpoint.com/v2/url?u=http- > 3A__www.symas.com&d=DwIBAg&c=lb62iw4YL4RFalcE2hQUQealT9- > RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=-nX2P- > 9jJkqd2VhDD2sJ3alWs9cDEp6jpNb6lhNQAiY&s=oU0KzuQoUpgOc_GP- > Td3CN9qNf1XHk2_Z2zUALSywxg&e=> > > > > > > > > -- > Robert Heller -- 978-544-6933 > Deepwoods Software -- Custom Software Services > https://urldefense.proofpoint.com/v2/url?u=http-3A__www. > deepsoft.com_&d=DwIBAg&c=lb62iw4YL4RFalcE2hQUQealT9- > RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=-nX2P- > 9jJkqd2VhDD2sJ3alWs9cDEp6jpNb6lhNQAiY&s=s5sTP_ > 3py5Bv17Mc1dePXqoepTBDYF9TXZuokHV3Thw&e= -- Linux Administration Services > heller(a)deepsoft.com -- Webhosting Services > > >

1 0

RedHat dropping OpenLDAP server support
by Quanah Gibson-Mount 28 Aug '17

28 Aug '17

Hello All, As noted in the RHEL7.4 release notes (<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/ht…>), RedHat will no longer support OpenLDAP Server starting with RHEL8. This is likely a good time to start planning your migration plans if you currently rely on RedHat's build of OpenLDAP. I would note that Symas provides certified builds for OpenLDAP with various support options available. An alternative for those who do not require support and do not wish to build OpenLDAP themselves would be to use the LTB project builds. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: DB Indexing
by Quanah Gibson-Mount 28 Aug '17

28 Aug '17

--On Saturday, August 26, 2017 2:18 PM +0000 openldap.org(a)jrogers.org wrote: > In other words, does OpenLDAP consider them both options to be the same, > where each (uidNumber and gidNumber) are indexed separately into separate > indices? The same, indexed separately. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

DB Indexing
by openldap.org＠jrogers.org 26 Aug '17

26 Aug '17

To Whom It May Concern: Is there a difference in indexing between the following two OLC config options: Option 1: olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq Option 2: olcDbIndex: uidNumber,gidNumber eq In other words, does OpenLDAP consider them both options to be the same, where each (uidNumber and gidNumber) are indexed separately into separate indices? Or, does option 2 index the possible combinations of uidNumber/gidNumber, whereas option 1 indexes them separately? Thank you for you help. Thx, Jeff

1 0

accesslog contextcsn isn't always updated
by btb 26 Aug '17

26 Aug '17

hi, i am seeing a symptom where the accesslog contextcsn is not always updated when a new entry is added to the accesslog. i have a test setup [config is below], with a content database using the accesslog and syncprov overlays, and an accesslog database using the syncprov overlay. for the purposes of testing, i'm not using it as a provider for any consumers. just running by itself, and watching its behavior. when a modification is made to an entry in the content db, the contextcsn value for the content db is always updated, and a new entry is always added to the accesslog db. but when the accesslog db gets a new entry, the accesslog contextcsn does not always update to match the new entry [see example below]. ldap_accesslog_noop is just a small shell script which updates the info attribute for an entry. it's somewhat anecdotal, but there may be a timing factor involved. if there is no activity for a little while [as little as a few minutes, sometimes], then a modification performed, that does not update the accesslog contextcsn. but if subsequent modifications are done within a few moments, it then eventually updates the accesslog contextcsn correctly, typically as of the second modification, but sometimes the third. if modifications then continue, with little delay between them, then the contextcsn seems to stay consistently up to date. if activity then stops, and some time passes as before, the symptom reappears. this is version 2.4.44 on freebsd 10.3-release, built from ports. i'm hoping someone can offer some guidance on how to troubleshoot this further, or what i might be doing wrong. i can provide more config details, logs, debugging ,etc., if needed. apologies for the long collections of details following, and thanks! ###### first mod, after some time of inactivity: ###### >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503221460 entryCSN: 20170825225855.866010Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717700 entryCSN: 20170826032140.674259Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826032140.674259Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 ###### second mod, a few seconds later: ###### ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717700 entryCSN: 20170826032140.674259Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717721 entryCSN: 20170826032201.236788Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826032201.236788Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 dn: reqStart=20170826032201.000007Z,cn=accesslog2 entryCSN: 20170826032201.236788Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 ###### third mod, a few seconds after second mod: ###### ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170825225855.866010Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717721 entryCSN: 20170826032201.236788Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717758 entryCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 dn: reqStart=20170826032201.000007Z,cn=accesslog2 entryCSN: 20170826032201.236788Z#000000#001#000000 dn: reqStart=20170826032238.000007Z,cn=accesslog2 entryCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170826032238.330244Z#000000#001#000000 ###### fourth mod, after ~5 minutes have passed ###### >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170826032238.330244Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503717758 entryCSN: 20170826032238.330244Z#000000#001#000000 >./ldap_accesslog_noop >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com -s base info entrycsn dn: uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com info: 1503718313 entryCSN: 20170826033153.554034Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b dc=example,dc=com -s base contextcsn dn: dc=example,dc=com contextCSN: 20170826033153.554034Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 (reqdn=uid=accesslog_noop,ou=replication,ou=system,ou=accounts,dc=example,dc=com) entrycsn dn: reqStart=20170825034142.000004Z,cn=accesslog2 entryCSN: 20170825034142.304465Z#000000#001#000000 dn: reqStart=20170825034147.000004Z,cn=accesslog2 entryCSN: 20170825034147.248214Z#000000#001#000000 dn: reqStart=20170825034238.000004Z,cn=accesslog2 entryCSN: 20170825034238.430123Z#000000#001#000000 dn: reqStart=20170825034239.000004Z,cn=accesslog2 entryCSN: 20170825034239.815833Z#000000#001#000000 dn: reqStart=20170825034320.000004Z,cn=accesslog2 entryCSN: 20170825034320.198025Z#000000#001#000000 dn: reqStart=20170825034321.000004Z,cn=accesslog2 entryCSN: 20170825034321.767124Z#000000#001#000000 dn: reqStart=20170825225347.000004Z,cn=accesslog2 entryCSN: 20170825225347.344528Z#000000#001#000000 dn: reqStart=20170825225849.000007Z,cn=accesslog2 entryCSN: 20170825225849.109615Z#000000#001#000000 dn: reqStart=20170825225855.000007Z,cn=accesslog2 entryCSN: 20170825225855.866010Z#000000#001#000000 dn: reqStart=20170826032140.000007Z,cn=accesslog2 entryCSN: 20170826032140.674259Z#000000#001#000000 dn: reqStart=20170826032201.000007Z,cn=accesslog2 entryCSN: 20170826032201.236788Z#000000#001#000000 dn: reqStart=20170826032238.000007Z,cn=accesslog2 entryCSN: 20170826032238.330244Z#000000#001#000000 dn: reqStart=20170826033153.000007Z,cn=accesslog2 entryCSN: 20170826033153.554034Z#000000#001#000000 >ldapsearch -xLLLH ldap://localhost/ -D uid=admin,dc=example,dc=com -w xxxxxx -b cn=accesslog2 -s base contextcsn dn: cn=accesslog2 contextCSN: 20170826032238.330244Z#000000#001#000000 ###### configuration ###### dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/openldap/slapd.args olcLogLevel: stats sync olcPasswordCryptSaltFormat: $6$rounds=8000$%.16s olcPidFile: /var/run/openldap/slapd.pid olcSaslSecProps: noanonymous olcServerID: 1 olcTLSCACertificateFile: /usr/local/etc/pki/trusted_root_authorities/example_roo t_ca-cert.pem olcTLSCertificateFile: /usr/local/etc/openldap/pki/dsa0.example.com-cert.pe m olcTLSCertificateKeyFile: /usr/local/etc/openldap/pki/dsa0.example.com-key. pem olcTLSVerifyClient: never structuralObjectClass: olcGlobal entryUUID: 5e961a2a-290d-1036-96af-778fc97ab8bc creatorsName: cn=config createTimestamp: 20161017233001Z entryCSN: 20170520231408.133014Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20170520231408Z dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/libexec/openldap olcModuleLoad: {0}back_monitor.la olcModuleLoad: {1}back_mdb.la olcModuleLoad: {2}nssov.la olcModuleLoad: {3}ppolicy.la olcModuleLoad: {4}refint.la olcModuleLoad: {5}unique.la olcModuleLoad: {6}constraint.la olcModuleLoad: {7}memberof.la olcModuleLoad: {8}dynlist.la olcModuleLoad: {9}translucent.la olcModuleLoad: {10}valsort.la olcModuleLoad: {11}pw-sha2.la olcModuleLoad: {12}syncprov.la olcModuleLoad: {13}accesslog.la structuralObjectClass: olcModuleList entryUUID: 5e962542-290d-1036-96b0-778fc97ab8bc creatorsName: cn=config createTimestamp: 20161017233001Z entryCSN: 20161017233001.558726Z#000000#001#000000 modifiersName: cn=config modifyTimestamp: 20161017233001Z [...] dn: olcDatabase={4}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {4}mdb olcDbDirectory: /var/db/openldap-data/example.com olcSuffix: dc=example,dc=com olcAccess:: ezB9dG8gYXR0cnM9dXNlclBhc3N3b3JkCglieSBhbm9ueW1vdXMgYXV0aAoJYnkg c2VsZiA9eHcKCWJ5ICogbm9uZQ== olcAccess:: ezF9dG8gKg0JYnkgc2VsZiB3cml0ZQ0JYnkgdXNlcnMgcmVhZA0JYnkgKiBub25l olcRootDN: uid=admin,dc=example,dc=com structuralObjectClass: olcMdbConfig entryUUID: 4801edee-14ed-1037-9fb8-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814033454Z entryCSN: 20170814035744.555520Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814035744Z dn: olcOverlay={0}syncprov,olcDatabase={4}mdb,cn=config objectClass: olcSyncProvConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}syncprov olcSpCheckpoint: 10 5 olcSpSessionlog: 500 olcSpReloadHint: TRUE structuralObjectClass: olcSyncProvConfig entryUUID: 198df6be-14ee-1037-9fbd-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814034045Z entryCSN: 20170814034045.759202Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814034045Z dn: olcOverlay={1}accesslog,olcDatabase={4}mdb,cn=config objectClass: olcAccessLogConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {1}accesslog olcAccessLogDB: cn=accesslog2 olcAccessLogOps: writes olcAccessLogPurge: 14+00:00 1+00:00 olcAccessLogSuccess: TRUE structuralObjectClass: olcAccessLogConfig entryUUID: 0a21a20c-14ee-1037-9fbc-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814034019Z entryCSN: 20170814034019.883417Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814034019Z dn: olcDatabase={5}mdb,cn=config objectClass: olcMdbConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {5}mdb olcDbDirectory: /var/db/openldap-data/accesslog2 olcSuffix: cn=accesslog2 olcRootDN: uid=admin,dc=example,dc=com structuralObjectClass: olcMdbConfig entryUUID: 16132114-14ec-1037-9fb7-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814032620Z entryCSN: 20170814034648.206981Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814034648Z dn: olcOverlay={0}syncprov,olcDatabase={5}mdb,cn=config objectClass: olcSyncProvConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE structuralObjectClass: olcSyncProvConfig entryUUID: e2927c2a-14ed-1037-9fbb-99e8705e53d3 creatorsName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com createTimestamp: 20170814033913Z entryCSN: 20170814033913.514143Z#000000#001#000000 modifiersName: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=com modifyTimestamp: 20170814033913Z

2 1

OpenLDAP Replication Error
by Zpyro . 25 Aug '17

25 Aug '17

Hi All - I am trying to setup replication between a Centos 5 (2.3) and Centos 7 (2.4) server. Partial replication is working - however it has not fully replicated. I am receiving an error of "syncrepl_message_to_entry: rid=123 mods check (postalAddress: value #0 invalid per syntax)" in the logs. >From the research I was doing, it looks like this is a reference to a missing schema - however I am pretty sure they are all in place. Below are the results from querying the schemas on both - ldapsearch -H ldap://localhost -x -s base -b "cn=subschema" objectclasses as well as the slapd.conf files from both hosts. Any insight into what I am missing would be greatly appreciated!! Please let me know if you need any more information. Thank You!! ----- PRIMARY SERVER ---- # # # base <cn=subschema> with scope baseObject dn: cn=Subschema # extended LDIF # filter: (objectclass=*) # LDAPv3 # numEntries: 1 # numResponses: 2 objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) ) objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain ) objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName ) objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword ) objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) objectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality ) objectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) ) objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature ) ) objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) ) objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) ) objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ localityName $ organizationName $ organizationalUnitName ) ) objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device with a MAC address' SUP top AUXILIARY MAY macAddress ) objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A device with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) ) objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction of an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstraction of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description ) objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid ) objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC2252: extensible object' SUP top AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc ) objectClasses: ( 1.3.6.1.4.1.16331.2.2.2.1 NAME 'contactPerson' DESC 'Contact - Addressbook entry' AUXILIARY MAY ( anniversary $ marker $ birthday $ sendHolidayCard $ externalUID $ externalUIDSyncTimestamp $ modifyObjectTimestamp $ prefix $ middleName $ suffix $ custom1 $ custom2 $ custom3 $ custom4 $ country ) ) objectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI ) objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.0 NAME 'olcConfig' DESC 'OpenLDAP configuration object' SUP top ABSTRACT ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.1 NAME 'olcGlobal' DESC 'OpenLDAP Global configuration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfigDir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIfMaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcLogLevel $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $ olcReferral $ olcReplicaPidFile $ olcReplicaArgsFile $ olcReplicationInterval $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ olcRootDSE $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcToolThreads $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema object' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend-specific options' SUP olcConfig STRUCTURAL MUST olcBackend ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcSuffix $ olcSubordinate $ olcAccess $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay-specific options' SUP olcConfig STRUCTURAL MUST olcOverlay ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.6 NAME 'olcIncludeFile' DESC 'OpenLDAP configuration include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRootDSE ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.7 NAME 'olcFrontendConfig' DESC 'OpenLDAP frontend configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic module info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.1 NAME 'olcBdbConfig' DESC 'BDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.2.1 NAME 'olcLdifConfig' DESC 'LDIF backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.3.1 NAME 'olcLDAPConfig' DESC 'LDAP backend configuration' SUP olcDatabaseConfig STRUCTURAL MAY ( olcDbURI $ olcDbStartTLS $ olcDbACLAuthcDn $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertAuthcDn $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbTFSupport $ olcDbProxyWhoAmI $ olcDbTimeout $ olcDbIdleTimeout $ olcDbSingleConn $ olcDbCancel $ olcDbQuarantine $ olcDbUseTemporaryConn $ olcDbConnectionPoolMax ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.4.1 NAME 'olcMonitorConfig' DESC 'Monitor backend configuration' SUP olcDatabaseConfig STRUCTURAL ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Provider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ olcSpSessionlog $ olcSpNoPresent ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.12.1 NAME 'olcPPolicyConfig' DESC 'Password Policy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ olcPPolicyHashCleartext $ olcPPolicyUseLockout ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.1 NAME 'olcChainConfig' DESC 'Chain configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcChainCacheURI $ olcChainMaxReferralDepth $ olcChainReturnError ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.2 NAME 'olcChainDatabase' DESC 'Chain remote server configuration' AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) objectClasses: ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule ) objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref ) objectClasses: ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) ) objectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC2252: controlling subschema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) ) objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass ) objectClasses: ( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an residential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) ) objectClasses: ( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) ) objectClasses: ( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation ) objectClasses: ( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256: a strong authentication user' SUP top AUXILIARY MUST userCertificate ) objectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair ) objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) objectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256: a user security information' SUP top AUXILIARY MAY supportedAlgorithms ) objectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) ) objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC2256: an alias' SUP top STRUCTURAL MUST aliasedObjectName ) objectClasses: ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST dmdName MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP top AUXILIARY MAY userCertificate ) objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate authority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevocationList $ cACertificate $ crossCertificatePair ) ) objectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP top AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) ) objectClasses: ( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) objectClasses: ( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) objectClasses: ( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) objectClasses: ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) # requesting: objectclasses result: 0 Success search: 2 # search result # Subschema ---- REPLICA SERVER ---- # # # base <cn=subschema> with scope baseObject dn: cn=Subschema # extended LDIF # filter: (objectclass=*) # LDAPv3 # numEntries: 1 # numResponses: 2 objectClasses: ( 0.9.2342.19200300.100.4.13 NAME 'domain' SUP top STRUCTURAL MUST domainComponent MAY ( associatedName $ organizationName $ description $ businessCategory $ seeAlso $ searchGuide $ userPassword $ localityName $ stateOrProvinceName $ streetAddress $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.14 NAME 'RFC822localPart' SUP domain STRUCTURAL MAY ( commonName $ surname $ description $ seeAlso $ telephoneNumber $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ streetAddress $ facsimileTelephoneNumber $ internationalISDNNumber $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ preferredDeliveryMethod $ destinationIndicator $ registeredAddress $ x121Address ) ) objectClasses: ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) ) objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'RFC1274: an object related to an domain' SUP top AUXILIARY MUST associatedDomain ) objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName ) objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword ) objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) objectClasses: ( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa STRUCTURAL MAY dSAQuality ) objectClasses: ( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMaximumQuality ) ) objectClasses: ( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPilotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rfc822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ personalSignature ) ) objectClasses: ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) ) objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STRUCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTURAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNumber ) ) objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' SUP top STRUCTURAL MUST commonName MAY ( description $ seeAlso $ telephonenumber $ localityName $ organizationName $ organizationalUnitName ) ) objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device with a MAC address' SUP top AUXILIARY MAY macAddress ) objectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A device with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) ) objectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction of an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) MAY description ) objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNetmaskNumber $ l $ description $ manager ) ) objectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) objectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstraction of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description ) objectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid ) objectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC2252: extensible object' SUP top AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc ) objectClasses: ( 1.3.6.1.4.1.16331.2.2.2.1 NAME 'contactPerson' DESC 'Contact - Addressbook entry' AUXILIARY MAY ( anniversary $ marker $ birthday $ sendHolidayCard $ externalUID $ externalUIDSyncTimestamp $ modifyObjectTimestamp $ prefix $ middleName $ suffix $ custom1 $ custom2 $ custom3 $ custom4 $ country ) ) objectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI ) objectClasses: ( 1.3.6.1.4.1.4203.1.4.1 NAME ( 'OpenLDAProotDSE' 'LDAProotDSE' ) DESC 'OpenLDAP Root DSE object' SUP top STRUCTURAL MAY cn ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.0 NAME 'olcConfig' DESC 'OpenLDAP configuration object' SUP top ABSTRACT ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.1 NAME 'olcGlobal' DESC 'OpenLDAP Global configuration options' SUP olcConfig STRUCTURAL MAY ( cn $ olcConfigFile $ olcConfigDir $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcDisallows $ olcGentleHUP $ olcIdleTimeout $ olcIndexSubstrIfMaxLen $ olcIndexSubstrIfMinLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcLocalSSF $ olcLogLevel $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPluginLogFile $ olcReadOnly $ olcReferral $ olcReplicaPidFile $ olcReplicaArgsFile $ olcReplicationInterval $ olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ olcRootDSE $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcSizeLimit $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcSrvtab $ olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcToolThreads $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.2 NAME 'olcSchemaConfig' DESC 'OpenLDAP schema object' SUP olcConfig STRUCTURAL MAY ( cn $ olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ olcDitContentRules ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.3 NAME 'olcBackendConfig' DESC 'OpenLDAP Backend-specific options' SUP olcConfig STRUCTURAL MUST olcBackend ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.4 NAME 'olcDatabaseConfig' DESC 'OpenLDAP Database-specific options' SUP olcConfig STRUCTURAL MUST olcDatabase MAY ( olcSuffix $ olcSubordinate $ olcAccess $ olcLastMod $ olcLimits $ olcMaxDerefDepth $ olcPlugin $ olcReadOnly $ olcReplica $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDN $ olcRootPW $ olcSchemaDN $ olcSecurity $ olcSizeLimit $ olcSyncrepl $ olcTimeLimit $ olcUpdateDN $ olcUpdateRef ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay-specific options' SUP olcConfig STRUCTURAL MUST olcOverlay ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.6 NAME 'olcIncludeFile' DESC 'OpenLDAP configuration include file' SUP olcConfig STRUCTURAL MUST olcInclude MAY ( cn $ olcRootDSE ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.7 NAME 'olcFrontendConfig' DESC 'OpenLDAP frontend configuration' AUXILIARY MAY ( olcDefaultSearchBase $ olcPasswordHash ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.0.8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic module info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.1 NAME 'olcBdbConfig' DESC 'BDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.1.2 NAME 'olcHdbConfig' DESC 'HDB backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ olcDbMode $ olcDbSearchStack $ olcDbShmKey $ olcDbCacheFree ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.2.1 NAME 'olcLdifConfig' DESC 'LDIF backend configuration' SUP olcDatabaseConfig STRUCTURAL MUST olcDbDirectory ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.3.1 NAME 'olcLDAPConfig' DESC 'LDAP backend configuration' SUP olcDatabaseConfig STRUCTURAL MAY ( olcDbURI $ olcDbStartTLS $ olcDbACLAuthcDn $ olcDbACLPasswd $ olcDbACLBind $ olcDbIDAssertAuthcDn $ olcDbIDAssertPasswd $ olcDbIDAssertBind $ olcDbIDAssertMode $ olcDbIDAssertAuthzFrom $ olcDbRebindAsUser $ olcDbChaseReferrals $ olcDbTFSupport $ olcDbProxyWhoAmI $ olcDbTimeout $ olcDbIdleTimeout $ olcDbSingleConn $ olcDbCancel $ olcDbQuarantine $ olcDbUseTemporaryConn $ olcDbConnectionPoolMax ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.2.4.1 NAME 'olcMonitorConfig' DESC 'Monitor backend configuration' SUP olcDatabaseConfig STRUCTURAL ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Provider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ olcSpSessionlog $ olcSpNoPresent ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.12.1 NAME 'olcPPolicyConfig' DESC 'Password Policy configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcPPolicyDefault $ olcPPolicyHashCleartext $ olcPPolicyUseLockout ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.1 NAME 'olcChainConfig' DESC 'Chain configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcChainCacheURI $ olcChainMaxReferralDepth $ olcChainReturnError ) ) objectClasses: ( 1.3.6.1.4.1.4203.666.11.1.4.3.3.2 NAME 'olcChainDatabase' DESC 'Chain remote server configuration' AUXILIARY ) objectClasses: ( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) ) objectClasses: ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule ) objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) objectClasses: ( 2.16.840.1.113730.3.2.6 NAME 'referral' DESC 'namedref: named subordinate referral' SUP top STRUCTURAL MUST ref ) objectClasses: ( 2.5.17.0 NAME 'subentry' SUP top STRUCTURAL MUST ( cn $ subtreeSpecification ) ) objectClasses: ( 2.5.20.1 NAME 'subschema' DESC 'RFC2252: controlling subschema (sub)entry' AUXILIARY MAY ( dITStructureRules $ nameForms $ dITContentRules $ objectClasses $ attributeTypes $ matchingRules $ matchingRuleUse ) ) objectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass ) objectClasses: ( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an residential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) ) objectClasses: ( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) ) objectClasses: ( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation ) objectClasses: ( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) objectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256: a strong authentication user' SUP top AUXILIARY MUST userCertificate ) objectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certificationAuthority AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair ) objectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) objectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256: a user security information' SUP top AUXILIARY MAY supportedAlgorithms ) objectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST cn MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) ) objectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC2256: an alias' SUP top STRUCTURAL MUST aliasedObjectName ) objectClasses: ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST dmdName MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP top AUXILIARY MAY userCertificate ) objectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate authority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevocationList $ cACertificate $ crossCertificatePair ) ) objectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP top AUXILIARY MAY deltaRevocationList ) objectClasses: ( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) ) objectClasses: ( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) ) objectClasses: ( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) objectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) ) objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) objectClasses: ( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) ) objectClasses: ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) ) # requesting: objectclasses result: 0 Success search: 2 # search result # Subschema -------SLAPD - PRIMARY---------- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/ldapab.schema include /etc/openldap/schema/ppolicy.schema #include /etc/openldap/schema/apple.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap moduleload ppolicy.la TLSCertificateFile /etc/openldap/ldap.cert TLSCertificateKeyFile /etc/openldap/ldap.key ####################################################################### # ldbm and/or bdb database definitions ####################################################################### sizelimit 100000 database bdb suffix "dc=domainname,dc=com" rootdn "uid=rootdn,ou=People,dc=domainname,dc=com" rootpw secret_here overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=domainname,dc=com" ppolicy_use_lockout # sync stuff overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 loglevel 256 directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub replogfile /var/lib/ldap/openldap-master-replog access to attrs=userPassword by anonymous auth by self write by * none access to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$" by dn.regex="uid=$2,ou=People,$3" write by * none access to dn.subtree="ou=Contacts,dc=domainname,dc=com" by users write by users read access to * by users read by peername="IP=192\.168\.200\.5" read access to * by users read by peername="IP=192\.168\.201\.12" read ----------SLAPD - REPLICA ---------- Same as above with sync repl at the bottom: index entryCSN eq index entryUUID eq syncrepl rid=123 provider=ldap://192.168.200.12:389 type=refreshAndPersist interval=00:00:00:01 searchbase="dc=domainname,dc=com" filter="(objectClass=*)" scope=sub retry="5 5 300 +" attrs="*,+" bindmethod=simple binddn="uid=rootdn,ou=People,dc=domainname,dc=com" credentials=secret_here updateref ldap://primaryLDAP.domainname.com

2 1

Re: Removing Berkeley DB Log Files
by Howard Chu 25 Aug '17

25 Aug '17

Douglas Duckworth wrote: > Hi > > I am running openldap-servers-2.4.40-16.el6.x86_64 cluster on Centos 6.9. My > /var/lib/ldap directory contains many 10MB log files. /var partition rather > small... > > I've read they can be removed either by running "sudo db_archive -d -h > /var/lib/ldap/domain" or by defining "DB_LOG_AUTOREMOVE" within the file > "DB_CONFIG." That file does not presently exist whereas the db_archive > command does not actually remove any of the log files. If the db_archive command doesn't remove anything, that means it thinks all of the log files are still in active use. Read the docs more carefully. http://docs.oracle.com/cd/E17076_05/html/programmer_reference/transapp_logf… > > Can I remove the old log files manually using rm? Not if the above is true, you will corrupt the logs and the DB will fail to open on a subsequent restart. > If not should I create > /var/lib/ldap/DB_CONFIG then restart slapd to make this removal automatic? > Do you have any idea why db_archive does not work or produce any helpful error > to stdout? There's no error message because there's no error, everything is working as designed. You need to do periodic checkpoints to allow log files to be closed, and then db_archive will be able to remove some of them. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Removing Berkeley DB Log Files
by Douglas Duckworth 25 Aug '17

25 Aug '17

Hi I am running openldap-servers-2.4.40-16.el6.x86_64 cluster on Centos 6.9. My /var/lib/ldap directory contains many 10MB log files. /var partition rather small... I've read they can be removed either by running "sudo db_archive -d -h /var/lib/ldap/domain" or by defining "DB_LOG_AUTOREMOVE" within the file "DB_CONFIG." That file does not presently exist whereas the db_archive command does not actually remove any of the log files. Can I remove the old log files manually using rm? If not should I create /var/lib/ldap/DB_CONFIG then restart slapd to make this removal automatic? Do you have any idea why db_archive does not work or produce any helpful error to stdout? Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical