openldap-technical

openldap-technical@openldap.org

15 participants
9797 discussions

Re: Replication restores deleted user
by kevin sullivan 30 Oct '14

30 Oct '14

Sorry about the confusion, I specified MirrorMode since that is a specific type of Multi-Master Replication and I wanted to be exact. To answer Michael's questions: 1. Check whether cn=syncuser,dc=example,dc=com can really read *everything* and no ACLs are preventing access to relevant CSN attributes etc. My replication user can read everything. In fact, these deletes work when both instances of slapd are online when the delete happens. My problem only occurs when one of the instances of slapd is offline when the delete occurs. 2. Try to reproduce your issue with 2.4.40. I will try this out and let you know what happens. I am also looking for any resources that explain exactly how replication works and how conflicts are resolved in a multi-master configuration. For example, I know there are two phases of replication: the present phase and the delete phase. Could server1 be replicating the data for 'deletedUser' to server2 in the present phase before server2 has communicated to server1 that 'deletedUser' no longer exists in the delete phase? I don't believe this problem happens when I just delete 'deletedUser' (instead of deleting AND modifying). I know I am butchering the technical details a little bit, which is why I am curious how this situation is expected to be resolved. Thanks, Kevin On Thu, Oct 30, 2014 at 2:42 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, October 30, 2014 7:33 PM +0100 Michael Ströder < > michael(a)stroeder.com> wrote: > > kevin sullivan wrote: >> >>> I have two servers (server1 and server2) running openldap 2.4.39-8 and >>> they are configured to replicate via MirrorMode replication. >>> >> >> Really mirror mode? Not MMR? You're config looks like MMR. >> > > Mirror mode is a way of configuring MMR. It is *not* something "separate" > from MMR. Mirror mode will *always* be MMR. > > --Quanah > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Replication restores deleted user
by kevin sullivan 30 Oct '14

30 Oct '14

I have two servers (server1 and server2) running openldap 2.4.39-8 and they are configured to replicate via MirrorMode replication. Here is what I am seeing in order: 1) On server1, I create a two users: deleteUser and modifyUser. 2) I can see that these users are then properly synced to server2. 3) On server1, slapd is stopped. 4) On server2, I now delete 'deleteUser' and I modify 'modifyUser'. 5) On server1, slapd is started. 6) The two slapd instances replicate. Outcome: Both servers now have the deleted user 'deleteUser' in their databases like the user was never deleted. However, the user 'modifyUser' was properly updated in both places. Expected outcome: I would expect that 'deleteUser' wouldn't exist in either database. I would expect that 'modifyUser' would be properly modified on both servers. Why would this happen? Do I need to configure something specifically so deletes are handled properly? Is this just a quirk with how replication works? Below are the relevant parts of each server's slapd.conf. server1's configuration: serverID 1 ... overlay syncprov syncrepl rid=001 provider=ldap://server2/ type=refreshAndPersist retry="10 +" searchbase="dc=example,dc=com" bindmethod=simple binddn="cn=syncuser,dc=example,dc=com credentials=secret mirrormode on ... server2's configuration: serverID 2 ... overlay syncprov syncrepl rid=001 provider=ldap://server1/ type=refreshAndPersist retry="10 +" searchbase="dc=example,dc=com" bindmethod=simple binddn="cn=syncuser,dc=example,dc=com credentials=secret mirrormode on ... Thanks, Kevin

3 2

Need information on alock file in data directory of OpenLDAP 2.4.39
by pramod kulkarni 30 Oct '14

30 Oct '14

Hi, I have taken the OpenLDAP 2.4.39 and able to work properly but when I do slapcat then it hangs and always complains on alock. But if I delete alock it works fine. I have 4.6.21 version of bdb I don't know much about alock file in bdb . Can you please suggest is it ok to delete alock file for running slapd and slapcat ? Thanks, Pramod

3 3

2.4.41?
by Michael Ströder 30 Oct '14

30 Oct '14

HI! It seems to me some import fixes were committed to git-master after cutting 2.4.40. Will there be a 2.4.41 release? Ciao, Michael.

2 1

Overlays in Consumer and provider configuration
by Uli Tehrani 30 Oct '14

30 Oct '14

Hello all, I have some questions regarding overlay configuration for consumer and provider server. It is necessary to load the same overlay modules in a consumer configuration? Is it also necessary to configure the overlay like in the provider configuration ? There are overlays that are needed only for the provider, e.g. syncprov. Others are only needed for the consumer like the chaining overlay. But for other overlays it is not that clear: Dynlist needs to be configured for both servers. But what's about dds, ppolicy and refinit? Here maybe a provider configuration is enough. Is there a simple best practise ? Thanks in advance. Regards Uli -- =================================== Ulrich Tehrani Am Ulrichshof 19 79189 Bad Krozingen +497633806246 u_tehrani(a)yahoo.de ===================================

2 2

syncrepl: turn consumer into a stand-alone ldap server
by Yannick Barbeaux 29 Oct '14

29 Oct '14

Hi everyone, I have configured an ldap replication based on the producer-consumer mechanism using the syncrepl module. It worked fine but at first, the ldap tree was only partially imported on the consumer because the autofs.schema was missing. It took me a few hours (days?) to find out that I had to import the autofs.ldif manually on the consumer to make it work properly: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/autofs.ldif (that might not be the recommended way to achieve the sync but that worked). Now that I have my producer and consumer perfectly in sync, I would like to get rid of the producer server and turn my consumer into the master ldap server (that might be used later as a producer). I wonder if it is possible... I almost achieved "un-configuring" the consumer mechanism but the "ex-consumer" has now an odd behaviour : it allows me to modify the ldap tree with ldapmodify (normally impossible on consumer) but the tree is effectively modified on the ex-producer and not on the consumer itself. Yet when I perform an ldapsearch, it searches in the consumer tree, not on the producer side. To initially configure the consumer, I had injected the following ldif file: ### consumer.ldif ### #Load the syncprov module. dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov #syncrepl specific indices dn: olcDatabase={1}bdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryUUID eq - add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://10.50.1.11 bindmethod=simple binddn="cn=synchronisator,dc=office,dc=myorg,dc=be" credentials=mysecret searchbase="dc=office,dc=myorg,dc=be" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog - add: olcUpdateRef olcUpdateRef: ldap://10.50.1.11 So I thought that after sync, disabling the consumer property would be as simple as unloading the syncprov module and removing the olcSyncRepl directive... this way: ### removeSyncprovModule.ldif ### dn: cn=module{0},cn=config changetype: modify delete: olcModuleLoad olcModuleLoad: {1}syncprov ### disableConsumer.ldif ### dn: olcDatabase={1}bdb,cn=config changetype: modify delete: olcSyncrepl - delete: olcUpdateRef But the ldapmodify returned an error when trying to inject that ldif file. Such operations are not allowed on the consumer. So I had no other choice than to edit the ldif manually (though it is not recommended!) to delete the corresponding directives and restart the ldap server ( /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif ) Of course the server complained about wrong checksums. So I applied the method suggested on this page to fix it: http://serverfault.com/questions/499856/is-there-any-bad-thing-happens-if-i… (basically removing and re-adding the schemas+data using *slapcat* and *slapadd)* Since that, the consumer is not sync-ed with the producer anymore (good) but as I mentionned above, any attempt to modify the tree on the ex-consumer sides results in a modification on the ex-producer side and not on the consumer. Is there any easier and working way to turn a consumer into a stand-alone master ldap server? Thank you. Yannick

1 0

Access right for slapd plugins
by Ulrich Windl 29 Oct '14

29 Oct '14

Hi! I have a question: I slapd bound to access rights itself, i.e. do you have to assign some rights for e.g. the password policies for slapd to read those? What are the minimum (i.e. recommended) acess right for the password policy and the pwdPolicySubentry? Regards, Ulrich

1 0

Send Email to users on account creation
by santosh pai 27 Oct '14

27 Oct '14

Hello team, I have setup Openldap and managing the same through Ldap Account manager( https://www.ldap-account-manager.org/lamcms/) . I 'm able to create the accounts through ldif file and as well as through the ldap account manager .Is it possible to send email to user once the account is created on ldap .I have googled but I'm able to get results which tells on integrating openldap with smtp server . -- Cheers, Santhosh Pai Mob# : +91 9886545674 Email to:Santoshsco@gmail.com

3 2

Duda
by Jorge Alberto Aquino Andrade 27 Oct '14

27 Oct '14

Quiero configurar lo siguiente ou=administracion ou=cobros ou=facturacion y quiero tener varios usuarios usuario1=juan.perez usuario2=perico.delospalotes usuario3=juan.lopez usuario4=juan.flores quisera asignar los usuarios a las ou ou=administracion usuario1 usuario2 ou=cobros usuario3 usuario4 ou=facturacion usuario1 usuario2 Quisiera restringir que el usuario1 solo pueda ingresar a la ou=administracion y a ou=facturacion y que NOPUEDA ingresar a la ou=cobros Como puedo hacer esto?

1 1

Advice sought regarding logging changes made to OpenLDAP server
by Philip Colmer 27 Oct '14

27 Oct '14

I've been asked to log & track changes made to our LDAP system. My initial thought was to use the auditlog overlay as it outputs to a text file, thus making it relatively straightforward to parse, but a 2009 discussion (http://www.openldap.org/lists/openldap-technical/200911/msg00092.html) suggested a potential problem, namely no logging of time and name for deletes. Replies to that discussion suggested the use of accesslog instead. However, that logs to a database which isn't really what I'm after. A 2011 discussion (http://www.openldap.org/lists/openldap-technical/201104/msg00084.html) sought answers similar to the one I'm looking for now, namely is there a way of getting changes logged into a text file? One of the replies (from Quanah) suggested ldap-stats.pl but I'm not looking for stats - I'm looking for the actual changes being made. Since both of those discussions are quite old, I was wondering if there was any up-to-date advice regarding best practice for the sort of information I'm trying to capture? Thanks. Philip

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical