openldap-technical

openldap-technical@openldap.org

14 participants
9795 discussions

replication between different slapds versions
by jakjr 15 May '09

15 May '09

Hello, Is there any problem to use the syncprov (refreshAndPersist) between a ldap master version 2.3.30 and a consumer version 2.4.16 ? I did some tests and couldn't find any problem. Best regards, João Alfredo

1 0

OpenLDAP 2.1 High Availability
by Kukkala Prasad 15 May '09

15 May '09

Hi All, We are planning to configure High Availability for OpenLDAP 2.1 on Linux CentOS. We are looking at following options and we want to check our understanding about corresponding options and looking for your valuable suggestions. 1. Using Replica Service a. This is not enough because if master machine goes down then LDAP updates will not be possible. 2. Migrating to OpenLDAP2.4 a. Master-Master solution looks promising but in our current project time line it is not possible to migrate. 3. Sharing LDAP file system on NFS a. After going through the thread http://www.openldap.org/lists/openldap-software/200209/msg00256.html it is understood that OpenLDAP does not support GFS or NFS. b. But the thread discussion happened very long back around in 2000 to 2002. ????Is that conclusion applicable to OpenLDAP 2.1???? 4. Hosting LDAP Service on CentOS Cluster Suite a. ????Is it possible to configure "Active-Passive" setup using CentOS Cluster Suite???? 5. H/W based clustering a. We don't know what are the possible solutions in this approach and cost incurred. !!!!Please share your ideas.!!!! 6. NetApp2020 a. We have NetApp 2020 Appliance http://www.b2net.co.uk/netapp/network_appliance_netapp_fas2020.htm with us. ????Does this any way help us???? 7. Other alternatives a. !!!!We need your valuable ideas and suggestions.!!!! Please help me in this regard. Regards, Prasad. ________________________________ The information contained in this communication is confidential, intended solely for the use of the individual or entity to whom it is addressed and may be legally privileged and protected by professional secrecy. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. This email does not constitute any commitment from Cordys Holding BV or any of its subsidiaries except when expressly agreed in a written agreement between the intended recipient and Cordys Holding BV or its subsidiaries. Cordys is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. Cordys does not guarantee that the integrity of this communication has been maintained nor that the communication is free of viruses, interceptions or interference. If you are not the intended recipient of this communication please return the communication to the sender and delete and destroy all copies.

6 13

database size
by Marcel Berteler 14 May '09

14 May '09

Our current database size is 7GB and we are wondering how big we can grow until we run into LDAP / BDB constrains. Are there others on the list that have extremely large databases? Any pointers to ensure we can grow our DB even further without issues? Marcel

3 2

openldap, proxy, round robin?
by Nathan Lager 14 May '09

14 May '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am attempting to setup an openldap proxy, which i'd like to connect to a number of openldap directories in a round-robin fashion. There are currently 2 ldap servers, with a round-robin DNS hostname pointing to them. I setup openldap to proxy to this hostname, but it seems that when i actually connect to the proxy, it picks one of the addresses, and holds on to it. If it gets the second server on its first connection, it then continues to use that server. Is there a way to make openldap connect to each server? Whether it uses the round robin hostname or not is irrelevant. Two methods I can think of would be to somehow keep slapd from caching the dns name. Or if I can specify each server separately in the slapd.conf on the proxy. Thanks! - -- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nathan Lager System Administrator 11 Pardee Hall Lafayette College, Easton, PA 18042 610-330-5907 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoLLmsACgkQsZqG4IN3sumf4gCeJ3tOzX5Mk8ddbgvkg7TASbUH d9MAn3U+B8uYIj6eQy+yAHitV9Cqij/K =gFcb -----END PGP SIGNATURE-----

2 2

Re: Deleting hundreds of Entry under a OU
by Michael Ströder 11 May '09

11 May '09

Daniel, please keep responses on the list so others can comment and learn as well. Daniel Spannbauer wrote: > > Michael Ströder schrieb: >> Daniel Spannbauer wrote: >>> Hello, >>> >>> I have to deleted abount 500 Entrys under a OU in my LDAP-Tree cause I >>> have to change the objectClass from "account" to "inetorgPerson". >>> Can I do this with ldapdelete? I always used that tool only to delete >>> one entry. >> Yes. But you have to provide a file with a list of the DNs of the >> entries to be deleted. >> >> $ ldapdelete -h >> usage: ldapdelete [options] [dn]... >> dn: list of DNs to delete. If not given, it will be readed from stdin >> or from the file specified with "-f file". >> >> (You could also use some of the GUI LDAP clients for that. E.g. my >> web2ldap supports recursive deletion of all entries below an entry.) > > Thats a posibility. But the ldap-Entries are genarated by a Script. So I > have to delete it also by this script. So a gui is not the solution that > I prefer. In this case I'd prefer to use a full-featured scripting language with a decent LDAP module to do the job. You have more control in the case of an error than with invoking command-line tools from a shell script. Ciao, Michael.

1 0

Deleting hundreds of Entry under a OU
by Daniel Spannbauer 11 May '09

11 May '09

Hello, I have to deleted abount 500 Entrys under a OU in my LDAP-Tree cause I have to change the objectClass from "account" to "inetorgPerson". Can I do this with ldapdelete? I always used that tool only to delete one entry. Regards Daniel -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email ds(a)marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München

2 2

OpenLDAP server and OS X clients
by Arne Schmitz 11 May '09

11 May '09

Hi! We are running an OpenLDAP server on Debian Stable. It works very well so far, using more than 20 Linux clients. However, we now also have got a couple of Mac clients that are supposed to use the server. I have set the Mac clients (OS X 10.5.6) to use our LDAP server, using the Directory Utility. That utility is set to use a RFC 2307 server, with our LDAP's IP and the correct base name. After that I can "sudo su" to any LDAP user, also call "id" for any LDAP user, log in via SSH + key to LDAP user, but NOT authenticate via password. I.e. interactive logins or password based SSH logins are NOT possible. It seems the password authentication against LDAP is not working. What I find in /var/log/secure.log is the following: May 6 17:46:38 mymac authorizationhost[70401]: Failed to authenticate user MyLDAPUser (tDirStatus: -14090). Any ideas what might be going wrong here? Where should I look? Cheers, Arne -- Dipl.-Inform. Arne Schmitz Phone +49 (0)241 80-21817 Computer Graphics Group Fax +49 (0)241 80-22899 RWTH Aachen University http://www.rwth-graphics.de Ahornstrasse 55, 52074 Aachen, Germany

2 3

LDIF, userCertificate; and missing "binary" option
by Erwann ABALEA 07 May '09

07 May '09

Hello, Hoping it's the right list to ask for it. I'm facing a "cross-recommendations" problem. Here it is. I'm downloading an LDIF containing some inetOrgPerson and cRLDistributionPoint entries, in order to have a replication site to develop on. Those entries have userCertificate or certificateRevocationList , but not stored with the "binary" option (only the "::" indicating it's Base64-encoded). When trying to import this file with ldapadd on my directory, it failed, telling me that those attributes need to be transfered with the binary option. Right. I'm searching RFCs 2252 and 2256 (and their replacement as well), and find that effectively, those attributes *MUST* be transfered as binary ones. I told the directory maintainer that the LDIF wasn't correct according to these RFCs, and he replied that it was correct regarding RFC2849, which is the only one defining the LDIF format. Finally, that's right. And this RFC doesn't tell anything about certificates or binary option. And I can't find an obvious link between RFC2849 and RFC2252/2256. I know I can just do a 'sed s/userCertificate::/userCertificate;binary::/' of the file, but modifying something defined to be a standard for interchange doesn't seem to be a good solution. Do you have some ideas? Regards. -- Erwann.

2 1

OpenLDAP multi master replication
by Bujji S 07 May '09

07 May '09

Hi, i have openldap(2.4.9) installed in ubuntu 8.04 server. i want to create a multi master set up with two such servers(2 or more than 2) first i tried to follow http://www.openldap.org/doc/admin24/replication.htmlto form n-way master setup. but in starting only i got a problem saying database(dc=mytest,dc=com) is not configured to hold "cn=config" then i tried setting up cn=config using http://www.zytrax.com/books/ldap/ch6/slapd-config.html but that doesn't help me meaning even after configuring that cn=config as he mentioned in the site i got the same error so i removed everything(slapd.d) what i did earlier so now i have slapd.conf in both of my servers finally i found one more link http://itsecureadmin.com/wiki/index.php/OpenLDAP_Multi-Master_Replication that displays sample config file so i followed that you can check the slapd.conf below so now i set up the same configuration in the second server too. after writing these slapd.conf i just restared slapd on both servers. for the first time when i add some data the first server it got replicated on the other server only when restart slapd on second server. that is fine. when i tried to add some other data on second server its not getting replicated on the other server even if i restart slapd. after that wherever i add data not getting replicated adding locally only. what could be the problem. plz check my slapd.conf file and suggetst me how to do multi master replication on ubuntu 8.04 server. so my slapd.conf is below. # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel none # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_hdb moduleload ppolicy.la moduleload syncprov.la moduleload back_monitor.la # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 ####################################################################### # Specific Backend Directives for hdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend hdb ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> database config rootdn "cn=admin,cn=config" rootpw admin123 database monitor rootdn cn=monitor rootpw admin123 ####################################################################### # Specific Directives for database #1, of type hdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database hdb # The base of your directory in database #1 suffix "dc=mytest,dc=com" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. rootdn "cn=admin,dc=mytest,dc=com" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" serverid 3 ldap://192.168.7.88:389 serverid 4 ldap://192.168.7.89:389 cachesize 1000 checkpoint 256 5 syncrepl rid=003 provider=ldap://192.168.7.88:389 binddn="cn=admin,dc=mytest,dc=com" bindmethod=simple credentials=admin123 searchbase="dc=mytest,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 syncrepl rid=004 provider=ldap://192.168.7.89:389 binddn="cn=admin,dc=mytest,dc=com" bindmethod=simple credentials=admin123 searchbase="dc=mytest,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 mirrormode true overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # The dbconfig settings are used to generate a DB_CONFIG file the first # time slapd starts. They do NOT override existing an existing DB_CONFIG # file. You should therefore change these settings in DB_CONFIG directly # or remove DB_CONFIG and restart slapd for changes to take effect. # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 for more # information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index objectClass eq index cn,mail,surname,givenname eq # Save the time that the entry gets modified, for database #1 lastmod on # Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30 # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=mytest,dc=com" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=mytest,dc=com" write by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=mytest,dc=com" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be hdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" --------------------------------------------------------------------- so now i set up the same configuration in the second server too. after writing these slapd.conf i just restared slapd on both servers. for the first time when i add some data the first server it got replicated on the other server only when restart slapd on second server. that is fine. when i tried to add some other data on second server its not getting replicated on the other server even if i restart slapd. after that wherever i add data not getting replicated adding locally only. what could be the problem. plz check my slapd.conf file and suggetst me how to do multi master replication on ubuntu 8.04 server. Thanks Visu

2 1

ldap users in local groups
by Justin Lintz 06 May '09

06 May '09

Hi, I'm running into an interesting problem in that when I try to add more than one ldap account to a local group, both users of that group no longer show membership in that group when running "groups" or "id". If I just add one of the users to the group, it works without a problem. I apologize if this is not the correct list of this issue. Does anyone have any ideas on what may be causing this? - Justin Lintz

3 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical