--On Wednesday, October 26, 2016 10:07 AM +0200 Raffael Sahli
<public(a)raffaelsahli.com> wrote:
>> This is not delta-syncrepl, this is syncrepl. What triggered your
>> system to fall back to syncrepl?
> Tell me, I really don't know.
I can't tell you, it would be in your logs.
> Is this as designed? Syncrepl as fall back mechanism if delta-syncrepl
> failed? (But I don't know why delta-syncrepl failed,
> how can I verify that delta-syncrepl does work properly?)
Correct, if there is an issue, things will fall back to syncrepl. Again,
you'd have to look at your logs to determine why it fell back.
> However this should not happen with syncrepl anyway. How can it be that
> I have only 23 objects left on my consumer after
> a full resync with thousands of objects?
Because syncrepl can be buggy?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--On Friday, October 28, 2016 9:50 AM -0400 Ted Hyde <laserted(a)gmail.com>
wrote:
> Quanah - thanks for the response. Sorry to insult if I did - but thank
> you, I DID read the admin guide. Which, as you have also pointed out, uses
> slapd.conf examples. Since I am not knee-deep in commercial OpenLDAP
> configuration every day (I am just a lowly IT admin, not a
> paid-to-openldap-person) I would disagree with your comment, in that the
> "conversion to cn=config" process isn't trivial; personally I get quite
> swamped by it, but push through as best I can. But if you're offering to
> convert my sample configs for me, I'd be happy to share them with you.
You can convert your sample configs via the slaptest command, as documented.
> Or
> perhaps you could help the community by providing some OLC config
> examples for the admin guide, that way us peons would be able to use that
> as our only official source instead of having to google to find "Random"
> help.
My point was more that converting examples in the admin guide from
slapd.conf to cn=config is fairly trivial.
For example, if we look at section 18.3.1.2 in the admin guide:
database mdb
maxsize 1073741824
suffix dc=Example,dc=com
rootdn dc=Example,dc=com
directory /var/ldap/db
index objectclass,entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
this is rather trivially converted to:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: dc=example,dc=com
olcDbDirectory: /var/ldap/db
olcDbMaxSize: 1073741824
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100
etc. Converting to cn=config from slapd.conf is not particularly difficult.
> I *can* move to refreshAndPersist; but the service provides two
> documented options (information I got from reading the admin guide), the
> description for refreshOnly best fits my scenario and needs. I didn't
> read any reason as to *not* use - perhaps you're aware of a bug report
> that refreshOnly is broken?
I'm aware that operating in refreshOnly is problematic, and it is advised
not to use it. If you want to persist in using it, I certainly can't stop
you. ;) If/when I find time to rewrite the admin guide, removing it from
the examples will be one of the first steps I take.
> Perhaps my research (which I'm sure isn't as broad as yours) just seemed
> to point to the fact that openldap will/may be deprecating the
> slapd.conf procedures, and that everyone should get on board with OLC as
> soon as possible. While I can perform the setup with slapd.conf (as noted
> in the admin guide), I was hoping to practice some useful technique I
> could use in the future.
Again, as noted in the documentation, you can set up one time with
slapd.conf, and then move forward with converting it to cn=config via
slaptest, and then just use cn=config from that point forward, using ldap*
commands to make updates as necessary.
If you want some further examples of cn=config, you may like the following:
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/conf/ldap/config/>
Which has a basic cn=config layout for a standalone server with a suffix of
"" and a few overlays loaded as a starting point.
You may also be interested in the tools I wrote for manipulating cn=config
to use as examples:
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldapena…>
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldapena…>
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldaprep…>
<https://git.zimbra.com/repos/zimbra-foss/ZimbraServer/src/libexec/zmldapmmr…>
etc. While bits of it are specific to Zimbra, the ideas behind
updating/modifying cn=config are universal.
On the documentation, I would note that it is a community effort, and
anyone can contribute updates, etc, via the ITS system. The sad fact is,
many people complain about the documentation, but very few ever step up and
contribute back, which means that it often languishes.
I hope the above helps.
Regards,
Quanah
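As an added illustration of the mapping Quanah describes (this is not OpenLDAP code and not from the thread; the real conversion is done by "slaptest -f slapd.conf -F slapd.d"), the following script converts the admin-guide snippet above into cn=config LDIF. It covers only the directives in that snippet (database, maxsize, suffix, rootdn, directory, index, overlay syncprov, syncprov-checkpoint, syncprov-sessionlog); the {1} database index and {0} overlay index are assumed, as in the reply above.

```python
# Added example, not OpenLDAP code: a minimal converter for the slapd.conf directives used
# in the admin-guide snippet above. slaptest does this for real; this just makes the
# directive-to-attribute mapping explicit.

DB_ATTRS = {  # database-level directives -> attributes of the olcDatabase entry
    "suffix": "olcSuffix",
    "rootdn": "olcRootDN",
    "directory": "olcDbDirectory",
    "maxsize": "olcDbMaxSize",
    "index": "olcDbIndex",
}
OVERLAY_ATTRS = {  # overlay directives -> attributes of the olcOverlay entry
    "syncprov-checkpoint": "olcSpCheckpoint",
    "syncprov-sessionlog": "olcSpSessionlog",
}
BACKEND_CLASS = {"mdb": "olcMdbConfig", "hdb": "olcHdbConfig", "bdb": "olcBdbConfig"}
OVERLAY_CLASS = {"syncprov": "olcSyncProvConfig"}

SAMPLE_CONF = """\
database mdb
maxsize 1073741824
suffix dc=Example,dc=com
rootdn dc=Example,dc=com
directory /var/ldap/db
index objectclass,entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
"""


def slapd_conf_to_ldif(conf, db_index=1):
    """Convert one 'database ...' block and its overlays into cn=config LDIF.

    db_index is an assumption: {1} presumes a {0} database (e.g. the frontend) already exists.
    """
    db_type, db_lines, overlays = None, [], []  # overlays: [(name, [attr lines])]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if directive == "database":
            db_type = value.lower()
        elif directive == "overlay":
            if value.lower() not in OVERLAY_CLASS:
                raise ValueError("overlay not covered by this example: " + value)
            overlays.append((value.lower(), []))
        elif directive in DB_ATTRS:
            db_lines.append("%s: %s" % (DB_ATTRS[directive], value))
        elif directive in OVERLAY_ATTRS:
            if not overlays:
                raise ValueError(directive + " appears before any overlay line")
            overlays[-1][1].append("%s: %s" % (OVERLAY_ATTRS[directive], value))
        else:
            raise ValueError("directive not covered by this example: " + directive)
    if db_type not in BACKEND_CLASS:
        raise ValueError("unsupported or missing database type: %r" % db_type)

    db_val = "{%d}%s" % (db_index, db_type)
    db_dn = "olcDatabase=%s,cn=config" % db_val
    out = ["dn: " + db_dn, "objectClass: olcDatabaseConfig",
           "objectClass: " + BACKEND_CLASS[db_type], "olcDatabase: " + db_val] + db_lines
    for n, (name, attrs) in enumerate(overlays):
        ov_val = "{%d}%s" % (n, name)
        out += ["", "dn: olcOverlay=%s,%s" % (ov_val, db_dn),
                "objectClass: olcOverlayConfig", "objectClass: " + OVERLAY_CLASS[name],
                "olcOverlay: " + ov_val] + attrs
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(slapd_conf_to_ldif(SAMPLE_CONF))
```

The output is what you would feed to slapadd -F slapd.d -n 0 on a fresh config directory; note that "index a,b,c eq" is kept as one olcDbIndex value, which slapd accepts, whereas splitting it per attribute as in the reply above is equally valid.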
Hi,
I have configured two LDAP trees, one for Unix accounts (ou=User) (below is a sample
LDIF)
dn: uid=2011150,ou=User,dc=acer,dc=in
empID: 2011150
username: test1
cn: test1
centre: PN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
oldempid: 1150
mail: test1(a)acer.in
givenName: test1
uid: 2011150
shadowLastChange: 15590
loginShell: /bin/bash
uidNumber: 11150
gidNumber: 11150
homeDirectory: /mbox4.2/test1
userPassword: {SHA}1SrgdEGUPa/U6KM43Kq9xTgnI7A=
and another for the Samba tree (ou=samba) (below is a sample entry)
dn: uid=test1,ou=samba,dc=acer,dc=in
uid: test1
sambaSID: S-1-5-21-4079184197-2446238136-3299756537-1005
displayName: test1
sambaAcctFlags: [UX ]
objectClass: sambaSamAccount
objectClass: account
sambaLMPassword: C2F63206FC9CF08A1AA818381E4E281B
sambaNTPassword: 0242A7FEC5CD294F916925766089E573
and I am able to authenticate with the Samba configuration. But I am not able to
find out how the password will sync, meaning if a user changes his password, how will
the NT password reflect it (these are two different trees)? Is it possible to sync them?
If yes, please please help me out.
--
Thanks & Regards,
Arun Kumar Gupta
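The two entries above store the same secret in two forms: userPassword carries an unsalted {SHA} (base64 of SHA-1) and sambaNTPassword carries the NT hash (MD4 over the UTF-16LE password, hex). As an added example, not part of the question and not Samba or OpenLDAP code, the script below derives both from one clear-text password and emits a single LDIF that updates both entries in one ldapmodify. The DNs follow the sample entries; the password "password" and the MD4 implementation (included because hashlib's md4 is often disabled under OpenSSL 3) are constructed for the example.

```python
import base64
import hashlib
import struct

# Added example, not from the post above and not Samba/OpenLDAP code: derive the {SHA}
# userPassword and the sambaNTPassword from one clear-text value and build one LDIF that
# changes both entries, so a password change lands in both trees in a single ldapmodify.


def _md4(data):
    """RFC 1320 MD4 in pure Python; hashlib's md4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (boolean function, additive constant, message-word order, shifts)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = a0, b0, c0, d0
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """sambaNTPassword: MD4 over the UTF-16LE password, upper-case hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


def sha_userpassword(password):
    """The {SHA} form used by the posixAccount entry above: unsalted SHA-1, base64."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def password_change_ldif(unix_uid, samba_uid, password, base="dc=acer,dc=in"):
    """One ldapmodify input that keeps the ou=User and ou=samba entries in step.

    sambaLMPassword is replaced with no values (i.e. removed): LM hashes are
    case-folded and trivially crackable, and Samba works without them.
    """
    return (
        "dn: uid=%s,ou=User,%s\n" % (unix_uid, base)
        + "changetype: modify\n"
        + "replace: userPassword\n"
        + "userPassword: %s\n" % sha_userpassword(password)
        + "-\n"
        + "\n"
        + "dn: uid=%s,ou=samba,%s\n" % (samba_uid, base)
        + "changetype: modify\n"
        + "replace: sambaNTPassword\n"
        + "sambaNTPassword: %s\n" % nt_hash(password)
        + "-\n"
        + "replace: sambaLMPassword\n"
        + "-\n"
    )


if __name__ == "__main__":
    # Constructed input: the uid values of the two sample entries and a test password.
    print(password_change_ldif("2011150", "test1", "password"), end="")
```

Two caveats a practitioner would add: the {SHA} scheme shown in the entry is unsalted, and slappasswd's default {SSHA} (or a proper password-hashing scheme where the deployment supports it) is the better choice for userPassword; and whatever generates this LDIF has to run at the moment of the change (for example from the tool that accepts the new password), since nothing in slapd derives one attribute from the other.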
--On Sunday, October 16, 2016 3:29 PM -0400 John Lewis <oflameo2(a)gmail.com>
wrote:
> I want to host a LDAP server that contains a directory that contains the
> offices of local Representatives and Public Servants, the issues they
> are responsible for, and their names. I would like anyone who wants to
> to browse it or put up front ends.
>
> Is there anything in particular that I should keep in mind?
Keep your tree as flat as possible, as deep as necessary, is the guiding
wisdom. ;)
--Quanah
Ulrich,
Yes, I already have nis.ldif loaded. What else do you suggest?
Thank you,
Liz
From: Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>
Date: Monday, October 24, 2016 at 11:17 PM
To: "Real, Elizabeth (392K)" <Elizabeth.Real(a)jpl.nasa.gov>, "openldap-technical(a)openldap.org" <openldap-technical(a)openldap.org>
Subject: Re: openldap 2.4.40 ppolicy module and shadowInactive equivalent
"Real, Elizabeth (392K)" <Elizabeth.Real(a)jpl.nasa.gov> wrote on 24.10.2016 at
20:43 in message <0C90A104-2EF4-4AA6-8748-05B07154A54D(a)jpl.nasa.gov>:
> Hello,
> I set up a password policy overlay on my openldap 2.4.40 servers running
> RHEL7. I need to enforce the following: disable accounts that have been
> inactive for 180 days. In the past we were able to do this by simply adding
> the shadowInactive attribute to each account: shadowInactive 180. But with
> the new openldap, it appears there is no equivalent attribute??
Why didn't you "grep shadowInactive /etc/openldap/schema/*"?
It appears in nis.ldif, nis.schema, and rfc2307bis.schema.
(I only have SLES11 SP4 here, but there shouldn't be a big difference)
Ulrich
> http://www.openldap.org/doc/admin24/
> http://www.zytrax.com/books/ldap/ch6/ppolicy.html
> Thank you,
> Liz
--On Sunday, October 30, 2016 11:16 AM +0100 Dieter Klünter
<dieter(a)dkluenter.de> wrote:
> It is a bit more complicated than that.
> syncrepl is a client operation, which requires ldap client
> configuration, specified in ldap.conf(5).
You can set these specifically for the syncrepl client as a part of your
syncrepl configuration stanza, rather than ldap.conf. See slapd.conf(5) or
slapd-config(5), the section on syncrepl/olcSyncRepl, the sizelimit and
timelimit parameters.
But, regardless, the server limits on the master trump any client settings
that are higher than the defaults, so as Dieter noted, they must be
increased on the master to "unlimited" for at least the replicator DN.
This is of course covered in the admin guide. For example, in section
18.3.2, we find:
# Let the replica DN have limitless searches
limits dn.exact="cn=replicator,dc=symas,dc=com" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
as one example.
etc.
Regards,
Quanah
Hi List,
I have a problem with the slapd-ldap backend and its timeouts.
There are many timeouts to configure, but I think they don't work in the TLS handshake phase.
5816f773 send_ldap_result: conn=-1 op=0 p=0
5816f773 backend_startup_one: starting "sid=3092,sec=webhosting,o=xxxxxx,c=de"
5816f773 ldap_back_db_open: URI=ldaps://sid3092.int.webslave.xxxxxxx
ldap_create
ldap_url_parse_ext(ldaps://sid3092.int.webslave.xxxxxxxx)
5816f773 =>ldap_back_getconn: conn=-1 op=0: lc=0x37c2880 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP sid3092.int.webslave.xxxxxxxxx:636
ldap_new_socket: 256
ldap_prepare_socket: 256
ldap_connect_to_host: Trying 10.xx.xx.xx:636
ldap_pvt_connect: fd: 256 tm: 5 async: 0
ldap_ndelay_on: 256
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 256 tm: 5
ldap_is_sock_ready: 256
ldap_ndelay_off: 256
ldap_pvt_connect: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
And then slapd hangs and hangs.
I know that the consumer LDAP is running, but the server itself hangs with an error. This slapd serves 250 more servers via slapd-ldap, so this will cause a big problem when only one server hangs and slapd gets stuck forever.
Are there any other timeouts to configure in the slapd-ldap backend?
Here's the slapd.conf:
database ldap
hidden on
suffix "sid=3092,sec=webhosting,o=xxxxxxxx,c=de"
rootdn "cn=xxxxxxxx,sid=3092,sec=webhosting,o=xxxxxxxxx,c=de"
uri ldaps://sid3092.int.webslave.xxxxxxxxx
network-timeout 5
timeout bind=5
lastmod on
restrict all
acl-bind bindmethod=simple
binddn="cn=xxxxxx,sid=3092,sec=webhosting,o=xxxxxx,c=de"
credentials="PASSWORD"
syncrepl rid=3092
provider=ldapi://%2Fvar%2Frun%2Fldapi
binddn="cn=Manager,o=xxxxxxxxxxx,c=de"
bindmethod=simple
credentials=PASSWORD
searchbase="sid=3092,sec=webhosting,o=xxxxxxxxxx,c=de"
type=refreshAndPersist
retry="10 6 30 +"
overlay syncprov
Regards,
Daniel
Kind regards,
Daniel Betz
System Design Engineer / Senior Systemadministration
___________________________________
domainfactory GmbH
Oskar-Messter-Str. 33
85737 Ismaning
Germany
Telefon: +49 (0)89 / 55266-364
Telefax: +49 (0)89 / 55266-222
E-Mail: dbetz(a)df.eu
Internet: www.df.eu
Register court: Amtsgericht München
HRB number 150294, Managing directors:
Tobias Mohr, Stephan Wolfram
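What the trace above shows is the TCP connect completing (ldap_pvt_connect: 0, inside the 5-second network-timeout) and the client then sitting in SSL_connect after writing the ClientHello. Per slapd-ldap(5), network-timeout bounds the connect and "timeout bind=" bounds the bind operation, which has not been sent yet at that point; whether any slapd-ldap setting covers the handshake itself is exactly the open question of the post, and this example does not answer it. It is an added illustration, not slapd code and not from the thread, of why a connect timeout alone is not a handshake timeout: the client side of a TLS handshake is run against a constructed peer (one end of a socket pair) that accepts the connection but never answers the ClientHello, and the handshake is bounded with a socket timeout of its own.

```python
import socket
import ssl
import time

# Added example, not slapd code: bound the TLS handshake on an already-connected socket.
# The "server" is the other end of a socket pair that never replies, which reproduces the
# state in the trace above (connect done, SSL_connect waiting forever).


def bounded_handshake(sock, handshake_timeout):
    """Run a TLS client handshake on a connected socket with a hard time limit.

    Returns {"status": "ok" | "handshake_timeout" | "tls_error", "elapsed": seconds}.
    A peer that accepted TCP but is wedged before its ServerHello produces
    "handshake_timeout" after handshake_timeout seconds instead of a hang.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only because the peer here is a local socket pair;
    ctx.verify_mode = ssl.CERT_NONE  # a real client keeps verification on (tls_reqcert=demand)
    tls = ctx.wrap_socket(sock, do_handshake_on_connect=False)
    tls.settimeout(handshake_timeout)  # applies to every read/write inside do_handshake()
    start = time.monotonic()
    try:
        tls.do_handshake()
        status = "ok"
    except socket.timeout:             # "The handshake operation timed out"
        status = "handshake_timeout"
    except ssl.SSLError:
        status = "tls_error"
    finally:
        tls.close()
    return {"status": status, "elapsed": time.monotonic() - start}


def demo(handshake_timeout=1.0):
    """Client against a constructed peer that accepts the connection and then stays silent."""
    client, silent_peer = socket.socketpair()
    try:
        return bounded_handshake(client, handshake_timeout)
    finally:
        silent_peer.close()


if __name__ == "__main__":
    print(demo())
```

Without the settimeout() call the same do_handshake() blocks for as long as the peer stays silent, which is the shape of the hang in the trace; the point of the example is that the connect timeout has already been satisfied by then and a separate bound on the handshake is what turns an indefinite stall into a retryable error.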
Greetings all,
I'm trying to figure out why Syncrepl is only syncing part of my provider's database when I use GSSAPI to connect. Both my provider and consumer are on 2.4.40. Here are all the steps I'm taking:
My provider is working fine, I've been using it for months now without any issues. I added this to the provider:
dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
structuralObjectClass: olcSyncProvConfig
entryUUID: b32ac160-29e6-1036-8d0a-07ef98fd592e
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20161019012544Z
olcSpSessionlog: 100
entryCSN: 20161024233803.817199Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20161024233803Z
I also indexed entryCSN and entryUUID on the provider. I have olcAuthzRegexp setup on the provider as well.
olcAuthzRegexp: {0}"uid=admin,cn=harmonywave.com,cn=GSSAPI,cn=auth" "cn=admin,dc=harmonywave,dc=com"
olcAuthzRegexp: {1}"uid=ldap/admin,cn=harmonywave.com,cn=GSSAPI,cn=auth" "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
olcAuthzRegexp: {2}"uid=syncprov,cn=harmonywave.com,cn=GSSAPI,cn=auth" "cn=syncprov,dc=harmonywave,dc=com" #not using this.
olcAuthzRegexp: {3}"uid=.*\/admin,cn=harmonywave.com,cn=GSSAPI,cn=auth" "cn=admin,dc=harmonywave,dc=com"
olcAuthzRegexp: {4}"uid=host\/([^.]*).harmonywave.com,cn=harmonywave.com,cn=GSSAPI,cn=auth" "cn=$1+ipHostNumber=.*,ou=Hosts,dc=harmonywave,dc=com"
olcAuthzRegexp: {5}"uid=([^/]*),cn=harmonywave.com,cn=GSSAPI,cn=auth" "uid=$1,ou=End Users,ou=People,dc=harmonywave,dc=com"
On the consumer I have slapd installed. The first thing I did was change the olcSuffix on my database. I'm not sure if this is required or not.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=harmonywave,dc=com
-
replace: olcRootDN
olcRootDN: cn=admin,dc=harmonywave,dc=com
Then I'm adding my ldap keytab for the consumer.
kadmin: ktadd -k /etc/ldap/ldap.keytab ldap/consumer.harmonywave.com
consumer: ~# chown openldap:openldap /etc/ldap/ldap.keytab
consumer: ~# chmod 0640 /etc/ldap/ldap.keytab
I edited my /etc/default/slapd file and pointed the KRB5_KTNAME environment variable to the new keytab then restarted slapd. Next I installed kstart and created a ticket cache.
consumer: ~# k5start -U -f /etc/ldap/ldap.keytab -K 10 -l 24h -k /tmp/krb5cc_108 -o openldap -b
I can see the ldap service's keytab with klist.
consumer: ~# klist /tmp/krb5cc_108
Ticket cache: FILE:/tmp/krb5cc_108
Default principal: ldap/koprulu.harmonywave.com(a)HARMONYWAVE.COM
Valid starting Expires Service principal
10/28/2016 21:18:14 10/29/2016 07:18:14 krbtgt/HARMONYWAVE.COM(a)HARMONYWAVE.COM
renew until 10/29/2016 21:18:14
Then I add my olcSaslRealm
dn: cn=config
changetype: modify
add: olcSaslRealm
olcSaslRealm: HARMONYWAVE.COM
Here is what my database looks like right before I add olcSyncrepl:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym
ous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootPW:: ...
olcDbCheckpoint: 512 30
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 9a091324-2e84-1036-8b7a-73db8891632a
creatorsName: cn=admin,cn=config
createTimestamp: 20161024222607Z
olcSuffix: dc=harmonywave,dc=com
olcRootDN: cn=admin,dc=harmonywave,dc=com
olcDbIndex: cn,uid eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: member,memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: uidNumber,gidNumber eq
entryCSN: 20161029033105.691204Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20161029033105Z
then I add olcSyncrepl to the consumer.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {0}rid=000
provider=ldap://provider.harmonywave.com
type=RefreshAndPersist
retry="30 10 1800 +"
searchbase="dc=harmonywave,dc=com"
bindmethod=sasl
saslmech=GSSAPI
starttls=critical
tls_cacert=/etc/ssl/certs/ca.harmonywave.com.pem
tls_reqcert=demand
After that I slapcat on the consumer and I only see about 1/3 of my data from the provider. When I watch the log on the provider this is what I get:
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 ACCEPT from IP=10.1.30.19:55992 (IP=0.0.0.0:389)
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=0 STARTTLS
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=0 RESULT oid= err=0 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 TLS established tls_ssf=128 ssf=128
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43768 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/HARMONYWAVE.COM(a)HARMONYWAVE.COM))"
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43768 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43768 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43769 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=ldap/baneling.harmonywave.com(a)HARMONYWAVE.COM))"
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43769 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43769 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43770 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=ldap/koprulu.harmonywave.com(a)HARMONYWAVE.COM))"
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43770 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43770 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=1 BIND dn="" method=163
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=2 BIND dn="" method=163
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=2 RESULT tag=97 err=14 text=SASL(0): successful result:
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND dn="" method=163
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND authcid="ldap/koprulu.harmonywave.com(a)HARMONYWAVE.COM" authzid="ldap/koprulu.harmonywave.com(a)HARMONYWAVE.COM"
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND dn="uid=ldap/koprulu.harmonywave.com,cn=harmonywave.com,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=128
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 RESULT tag=97 err=0 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH attr=* +
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=5 UNBIND
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 closed
The only thing I really notice from this is near the end of the file. It's when it searches the base with attributes "*+", but then immediately unbinds. I've seen people stating that authzid is required, but when I don't provide it I still get a partial sync, so I'm not sure about this. I've restored my consumer to a clean install of slapd and repeated the above steps with minor variations several times but the consumer always syncs the exact same amount of data and then seems to stop.
Any help to point me in the right direction would be appreciated.
Thanks,
Joshua Schaeffer
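Two checks a practitioner would run against the material in this post, as an added example that is not part of the message and not OpenLDAP code. First, apply the provider's olcAuthzRegexp list, in order, to the identity slapd logged for the consumer's bind (uid=ldap/koprulu.harmonywave.com,cn=harmonywave.com,cn=gssapi,cn=auth) to see which mapping fires; slapd compiles these as case-insensitive POSIX extended regexps and takes the first match, and Python's re is close enough for these particular patterns. Second, walk the provider log per connection and flag searches that never got a SEARCH RESULT before the connection unbound, which is what the conn=4421 lines show for op=4. The log sample is a trimmed copy of the lines quoted above.

```python
import re

# Added example, not from the post: (1) which olcAuthzRegexp, if any, rewrites a SASL
# identity; (2) per-connection summary of a slapd log, flagging searches with no result.

AUTHZ_REGEXP = [  # (pattern, replacement) as in the provider config quoted above
    (r"uid=admin,cn=harmonywave.com,cn=GSSAPI,cn=auth", "cn=admin,dc=harmonywave,dc=com"),
    (r"uid=ldap/admin,cn=harmonywave.com,cn=GSSAPI,cn=auth",
     "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"),
    (r"uid=syncprov,cn=harmonywave.com,cn=GSSAPI,cn=auth", "cn=syncprov,dc=harmonywave,dc=com"),
    (r"uid=.*\/admin,cn=harmonywave.com,cn=GSSAPI,cn=auth", "cn=admin,dc=harmonywave,dc=com"),
    (r"uid=host\/([^.]*).harmonywave.com,cn=harmonywave.com,cn=GSSAPI,cn=auth",
     "cn=$1+ipHostNumber=.*,ou=Hosts,dc=harmonywave,dc=com"),
    (r"uid=([^/]*),cn=harmonywave.com,cn=GSSAPI,cn=auth",
     "uid=$1,ou=End Users,ou=People,dc=harmonywave,dc=com"),
]


def map_authz(sasl_dn):
    """First matching authz-regexp wins; None means the bind keeps its raw SASL DN."""
    for pattern, repl in AUTHZ_REGEXP:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return m.expand(re.sub(r"\$(\d)", r"\\\1", repl))  # "$1" -> "\1" for re
    return None


# Trimmed copy of the provider log quoted above (timestamps/hostnames kept, "(a)" -> "@").
SAMPLE_LOG = """\
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 ACCEPT from IP=10.1.30.19:55992 (IP=0.0.0.0:389)
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=0 STARTTLS
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=0 RESULT oid= err=0 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 TLS established tls_ssf=128 ssf=128
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43770 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(krbPrincipalName=ldap/koprulu.harmonywave.com@HARMONYWAVE.COM)"
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43770 SRCH attr=krbprincipalname objectclass
Oct 28 21:39:02 baneling slapd[12540]: conn=1005 op=43770 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=1 BIND dn="" method=163
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND dn="" method=163
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND authcid="ldap/koprulu.harmonywave.com@HARMONYWAVE.COM" authzid="ldap/koprulu.harmonywave.com@HARMONYWAVE.COM"
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 BIND dn="uid=ldap/koprulu.harmonywave.com,cn=harmonywave.com,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=128
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=3 RESULT tag=97 err=0 text=
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH base="dc=harmonywave,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=4 SRCH attr=* +
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 op=5 UNBIND
Oct 28 21:39:02 baneling slapd[12540]: conn=4421 fd=36 closed
"""

LINE = re.compile(r"conn=(\d+) (?:fd=\d+ )?(?:op=(\d+) )?(\w+)(.*)")


def analyze(log_text):
    """Per connection: TLS seen, bound DN, and search ops closed without a SEARCH RESULT."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        c = conns.setdefault(conn, {"tls": False, "bind_dn": None,
                                    "open_searches": {}, "incomplete": []})
        if verb == "TLS":
            c["tls"] = True
        elif verb == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            if dn and dn.group(1):          # the final BIND line carries the mapped DN
                c["bind_dn"] = dn.group(1)
        elif verb == "SRCH" and "base=" in rest and op not in c["open_searches"]:
            c["open_searches"][op] = rest.strip()
        elif verb == "SEARCH":              # "SEARCH RESULT ..." closes the op
            c["open_searches"].pop(op, None)
        elif verb in ("UNBIND", "closed"):
            c["incomplete"] += sorted(c["open_searches"], key=int)
            c["open_searches"].clear()
    return conns


if __name__ == "__main__":
    print(map_authz("uid=ldap/koprulu.harmonywave.com,cn=harmonywave.com,cn=gssapi,cn=auth"))
    print(analyze(SAMPLE_LOG)["4421"])
```

For the consumer's identity none of the six patterns match (the [^/]* in the last one stops at the slash in ldap/koprulu...), so the bind keeps the raw cn=auth DN shown in the log, and the provider's ACLs and limits are evaluated against that DN rather than a mapped one; that is the first thing to compare against the provider's olcAccess and olcLimits when a replication search returns less than expected. The analyzer reports op=4 on conn=4421 as a search that was never answered before the UNBIND, which is consistent with the consumer closing the connection mid-refresh; the consumer's own log at loglevel sync is where the reason would appear.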
Hi,
I have an OpenLDAP database I use for auth purposes in which some memberUid values are
hashed while others are not, e.g.:
(results given by sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b
ou=Groups,dc=unit,dc=company,dc=net)
..........................
dn: cn=GROUP,ou=Groups,dc=unit,dc=company,dc=net
objectClass: top
objectClass: posixGroup
cn: GROUP
gidNumber: 1026
memberUid: firstuser
memberUid:: IGFyaWFubmE=
[...]
...........................
I cannot find any documentation about this kind of "memberUid hashed storage";
the only difference is the double colon after memberUid.
Please can you point me to the documentation or tell me how to "decode" the
memberUid information?
Also, on a client machine configured to use libnss-ldapd, if I list the
groups with "sudo getent group" I can see the "clear text" members (e.g.
firstuser in the example above) but not the "hashed" one; the same using the
"members" command.
ciao
Giovanni
--
Giovanni Biscuolo
Xelera - IT infrastructures
http://xelera.eu/contact-us/
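The "::" separator is LDIF syntax (RFC 2849), not a hash: ldapsearch base64-encodes any value that is not safe to print verbatim, which includes values that start with a space, a colon or "<", contain NUL/LF/CR, or contain non-ASCII bytes. As an added example, not part of the post and not OpenLDAP code, the following decodes the group entry quoted above and reports why each encoded value needed encoding; the entry text is copied from the post, and the memberUid values it contains are the only input.

```python
import base64

# Added example, not OpenLDAP code: decode LDIF "attr:: base64" lines per RFC 2849 and
# say why the value was encoded. A reason means the stored value is not what it looks
# like when decoded casually (here: it carries whitespace a plain uid lookup never sends).


def why_base64(value):
    """Return the RFC 2849 reason a value needs '::' encoding, or None if it is safe as-is."""
    if not value:
        return None
    first = value[0]
    if first in (0x20, 0x3A, 0x3C):            # SAFE-INIT-CHAR excludes space, ':' and '<'
        return {0x20: "leading space", 0x3A: "leading colon", 0x3C: "leading '<'"}[first]
    for b in value:
        if b in (0x00, 0x0A, 0x0D):
            return "control character (NUL/LF/CR)"
        if b >= 0x80:
            return "non-ASCII byte"
    if value[-1] == 0x20:                      # OpenLDAP's ldif library also encodes these
        return "trailing space"
    return None


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space) back onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_attr(line):
    """Split 'attr: value' or 'attr:: base64' into (attr, raw bytes, encoding reason)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):                   # attr:: <base64>
        value = base64.b64decode(rest[1:].strip())
        return attr, value, why_base64(value)
    return attr, rest.lstrip(" ").encode("utf-8"), None   # attr: <value>; 'attr:< url' not handled


def group_members(ldif_text):
    """(decoded memberUid, reason) for every memberUid line of a group entry."""
    out = []
    for line in unfold(ldif_text):
        if line.lower().startswith("memberuid:"):
            _, value, reason = parse_ldif_attr(line)
            out.append((value.decode("utf-8", "replace"), reason))
    return out


# Copied from the entry quoted in the post above.
SAMPLE_ENTRY = """\
dn: cn=GROUP,ou=Groups,dc=unit,dc=company,dc=net
objectClass: top
objectClass: posixGroup
cn: GROUP
gidNumber: 1026
memberUid: firstuser
memberUid:: IGFyaWFubmE=
"""

if __name__ == "__main__":
    for member, reason in group_members(SAMPLE_ENTRY):
        print(repr(member), reason or "plain")
```

Decoding IGFyaWFubmE= yields " arianna" with a leading space, which is why the value was emitted with "::" and also why a name-based lookup such as getent group does not list that member: the directory holds " arianna", not "arianna". Fixing it is an ldapmodify that deletes the padded value and adds the trimmed one; the same check is worth running over every group before trusting membership for authorization.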