openldap-technical

openldap-technical@openldap.org

12 participants
9794 discussions

Re: slapd-meta with olc
by Howard Chu 12 Jan '17

12 Jan '17

Quanah Gibson-Mount wrote: > --On Wednesday, January 11, 2017 10:23 AM +0000 Martin Stejskal > <mstejskal(a)alps.cz> wrote: > > I'll fix this LDIF for you, although I don't know the answers to the rest of > your questions. > >> $ cat add_meta_backend.ldif >> dn: cn=module{},cn=config >> objectClass: olcModuleList >> cn: module{} >> olcModulePath: /usr/lib/ldap >> olcModuleLoad: back_meta >> olcModuleLoad: back_ldap >> olcModuleLoad: rwm > > As for olc attribute names, you can trivially grab these out of the source > code. There is no need to read source code. Just read the cn=schema,cn=config entry using ldapsearch for all of the relevant definitions. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: slapd-meta with olc
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Thursday, January 12, 2017 4:23 PM +0000 Martin Stejskal <mstejskal(a)alps.cz> wrote: > > > > Hi Quannah, > > thanks for support. Now I understand little bit more ldif syntax/rules. > Yes, the source code is option as well, but I tried to avoid it :) > > I know there is slapd.conf to cn=config converter, but unfortunately I > was not able to make it work (errors during conversion). I would note that slaptest will report errors during conversion sometime and then note that they should be ignored, since the configuration isn't actually being used against a running slapd. Since you provide no details about the errors encountered, it's impossible to determine if it was a valid error or simply a note about the difference between the conversion process and an active slapd. You could of course take the configurations from test035 and test036 to trivially come up with working configurations to be converted to cn=config as a starting point. :) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Chain 2 master LDap
by BENICHOU Fabrice - Contractor 12 Jan '17

12 Jan '17

Hello, I try to chain 2 LDAP master (Provider): My system is : -1 Master "central" with suffix="dc=com" : I contains ldap posix user like "adminCentral". -1 Master "local" with suffix="dc=com": It contains ldap posix user like"adminlocal". The goal is to chain request when a ldapclient ask to Master "local" : this later shall chain the request to Master "central" and get back the result to client. For example, if "uid=adminCentral,User,dc=com" is not found in Master "local" LDAP, the Master "local" LDAP shall find if this Entry exists in Master "central" 1) Is it possible for a Master, to chain via overlay with "olcDbURI" parameter to another master? I only see example where Slave (Consummer) are chaining to Master (Provider).. 2) My Master "local" is configured with TLS : it has a Master_pem certificate, and a rootCA_local.pem (used in fact to authentify a local slave for replication). How to have TLS between "Master local" and "Master central"? If the rootCA_central.pem (trust chain) is not the same that the a rootCA_local.pem, how to complete the trust chain of the Master local? My work is based on documentation : http://www.zytrax.com/books/ldap/ch7/referrals.html#chaining (7.3.5). but the full documentation is not available and I use dynamic configuration with "olc". I have also found at http://serverfault.com/questions/518407/openldap-2-4-chain-overlay-minimal-… the Chain Overlay Minimal LDIF Configuration But the delegation does not work. Anyone does have a tutorial ? My platform: Centos 7 Best regards. Fab [@@ THALES ALENIA SPACE INTERNAL @@]

2 1

Re: Slapd.conf for doing stress
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Thursday, January 12, 2017 2:39 PM +0530 PRATIK SINGAL <pratik.singal13(a)gmail.com> wrote: > > Hello , > > > Am new to openldap and need to perform stress on openldap2.4. > Can any one please provide me with some usefull link / optimized conf > file for stress. > we are using Berkley DB. <https://mishikal.wordpress.com/> has information about benchmarking with the relevant portions of the configuration noted. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: ppolicy overlay and MMR experiencing frequent delta-sync lost issue
by Quanah Gibson-Mount 12 Jan '17

12 Jan '17

--On Monday, January 09, 2017 9:53 AM -0500 Beth Halsema <bhalsema(a)purdue.edu> wrote: > We have submitted OpenLDAP-ITS #8561 with a unit test and a possible > patch to the ppolicy overlay. > > If anyone else has run into this, we would be interested in any other > work- arounds that have been used to address the issue. Hi Beth, I'm guessing that ppolicy is writing items that are not supposed to be replicated to the accesslog. This issue (ITS8561) and ITS8444 I think are generally similar items, in that while the accesslog is writing all write operations, replication requires that some write operations not be present in the accesslog. I'll be discussing with the other team members on how best to handle what are somewhat conflicting requirements. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

Re: Odd ldapsearch behavior
by Quanah Gibson-Mount 11 Jan '17

11 Jan '17

--On Wednesday, January 11, 2017 1:18 PM -0500 Frank Swasey <Frank.Swasey(a)uvm.edu> wrote: > Today at 12:44pm, Michael Ströder wrote: > >> Out of curiosity: >> What happens if you slapcat the data on your development server? > > slapcat dumps the data just fine (meaning that the two attributes are not > duplicated). If you are using cn=config, slapcat it and compare? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Odd ldapsearch behavior
by Frank Swasey 11 Jan '17

11 Jan '17

Today at 12:44pm, Michael Ströder wrote: > Out of curiosity: > What happens if you slapcat the data on your development server? slapcat dumps the data just fine (meaning that the two attributes are not duplicated). - Frank

1 0

slapd-meta with olc
by Martin Stejskal 11 Jan '17

11 Jan '17

Hi, I'm trying to run "meta" database on our local LDAP server, but I'm not able to set it up. I was checking many tutorials, including man page (http://www.openldap.org/doc/admin24/slapdconfig.html, http://www.openldap.org/doc/admin24/slapdconf2.html, https://linux.die.net/man/5/slapd-relay, https://linux.die.net/man/5/slapo-rwm, https://linux.die.net/man/5/slapd-ldap, https://linux.die.net/man/5/slapd-meta, http://www.openldap.org/doc/admin24/guide.html#Metadirectory ... ) but without success. Most of them are are out-of-date (slapd.conf) and basically there is no reference to new olc migration. I just need to know few things: * Is "meta" database supported at v2.4.42 ? (assume yes) * Can "meta" database represent proxy with remote servers? (also assume yes) Our use case is following: * [ user app ] ---> [ our LDAP ] ---> LDAP1 or LDAP2 or LDAP3 .... * "Our LDAP" should change domanin (dc=abc,dc=local -> dc=sub,dc=abc,dc=org (LDAP1) or dc=sub2,dc=def,dc=com (LDAP2) , ....) and if possible binder as well Can you give us some example ldif configuration? Because at "http://www.openldap.org/doc/admin24/guide.html#Metadirectory" at 11.5.2 is only "LATER" :/ I was able to add backends, but I'm not able to add some working configuration. $ cat add_meta_backend.ldif dn: cn=module{},cn=config objectClass: olcModuleList cn: module{} olcModulePath: /usr/lib/ldap olcModuleLoad: back_meta dn: cn=module{},cn=config objectClass: olcModuleList cn: module{} olcModulePath: /usr/lib/ldap olcModuleLoad: back_ldap dn: cn=module{},cn=config objectClass: olcModuleList cn: module{} olcModulePath: /usr/lib/ldap olcModuleLoad: rwm Best regards Martin Stejskal

1 0

OpenLDAP userpassword instead SambaNTPassword
by Tian Zhiying 10 Jan '17

10 Jan '17

Hi I just intergrated OpenLDAP and Samba service, the prupose is to allow users can use one account and password to login them. But after I change the password from " Self Service Password ", only userpassword has changed, SambaNTPassword has not changed. Could you help me ? Thanks.

3 2

ppolicy overlay and MMR experiencing frequent delta-sync lost issue
by Beth Halsema 09 Jan '17

09 Jan '17

We are running Openldap 2.4.44 on RHEL6 in a delta-syncrepl MMR configuration. We are using the ppolicy overlay. This setup is resulting in frequent occurrences on the consumers of: * delta-sync lost * traversal of the entire directory * delta-syncrepl switches back into refreshAndPersist * slapd memory usage increasing We have found that this behavior is consistently triggered when the operation that is being replicated involves a password change in combination with the removal of ppolicy attributes (e.g. pwdGraceUseTime and pwdFailureTime). The detailed debugging output associated with such an occurrence is: ------------------------------------------------------------------------------ 58739e68 bdb_modify_internal: replace userPassword 58739e68 bdb_modify_internal: replace pwdChangedTime 58739e68 bdb_modify_internal: softdel pwdGraceUseTime 58739e68 bdb_modify_internal: add pwdHistory 58739e68 bdb_modify_internal: replace entryCSN 58739e68 bdb_modify_internal: replace modifiersName 58739e68 bdb_modify_internal: replace modifyTimestamp 58739e68 bdb_modify_internal: delete pwdGraceUseTime 58739e68 bdb_modify_internal: 16 modify/delete: pwdGraceUseTime: no such attribute ... 58739e68 do_syncrep2: rid=001 delta-sync lost sync on (reqStart=20170109142959.000006Z,cn=log), switching to REFRESH ------------------------------------------------------------------------------ We have submitted OpenLDAP-ITS #8561 with a unit test and a possible patch to the ppolicy overlay. If anyone else has run into this, we would be interested in any other work- arounds that have been used to address the issue. Thank you! Beth ------------------------------------------------------------------------- Beth A. Halsema - GSEC, GSSP-Java email:bhalsema@purdue.edu Sofware Engineer, Identity & Access Management OVPIT - IT Security and Policy 3495 Kent Avenue, Suite 100 Fax : (765) 464-2233 West Lafayette, IN 47906 Campus Mail: ROSS

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical