Hi!
As stated some time ago the SUSE Linux Enterprise Server 15 (SLES15) switched from OpenLDAP to 389 Directory Server. Trying the latter, I see that it still works with BDB (4.8), and setup is easy. It also seems to have modern features like these:
+Entry cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
+Entry cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added
+Entry cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added
+Entry cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
+Entry cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added
+Entry cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added
+Entry cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
However I wonder if it's possible to integrate a 389DS (ns-slapd, http://www.port389.org/) into an OpenLDAP multi-master configuration. Definitely one cannot sync the configuration section, because it's too different.
For example the ACL Syntax looks like this: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
Regards, Ulrich
389 DS is nowadays supporting the syncrepl protocol, so in theory it _might_ work but I have not tried it.
The real question is why would anyone want to use BDB in 2018 when MDB has already been around for more than a few years?
On Tue, Aug 21, 2018 at 11:09 PM Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
On 2018-08-20 12:54, Ulrich Windl wrote:
However I wonder if it's possible to integrate a 389DS (ns-slapd, http://www.port389.org/) into an OpenLDAP multi-master configuration.
Even if you get syncrepl working you will get into trouble because schema checking in 389-DS is not as strict as with OpenLDAP. Which means a client can write data to 389-DS which is rejected in OpenLDAP. IMO this lack of schema-checking is also one of the main reasons not to use 389-DS.
Ciao, Michael.
You won't necessarily get into trouble.
1. just because schema controls are not as strict does not automatically mean that clients will enter non-compliant data
2. syncrepl schemachecking=off allows you to do what you want, in any case
Those are the facts. Leading newbies to behave according to how you think they should behave is not objective.
On Thu, Aug 23, 2018 at 7:16 PM Michael Ströder <michael@stroeder.com> wrote:
On 2018-08-25 04:39, MJ J wrote:
You won't necessarily get into trouble.
- just because schema controls are not as strict does not automatically mean that clients will enter non-compliant data
Practice shows that there will very likely be non-compliant data because people implementing various in-house LDAP clients simply do not know better.
Ciao, Michael.
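A check in the spirit of Michael's point, as an added example that is not code from this thread, OpenLDAP or 389-DS: it walks each entry's objectClass chain against a hand-typed subset of the standard person classes (an assumption, not a real schema file) and reports what a strict server would reject, so non-compliant data can be found in an export before a syncrepl consumer running with schemachecking=on refuses it.

```python
# Added example for this thread, not code from OpenLDAP or 389-DS: flag entries that a
# strict server rejects for objectClass violations (unknown class, missing MUST, attribute
# allowed by no class), so they are found before a syncrepl consumer with schemachecking=on
# refuses them. SCHEMA is a hand-typed subset of the standard person classes (assumption).
SCHEMA = {  # objectClass -> (superior, MUST, MAY); lower-cased, LDAP names are case-insensitive
    "top": (None, {"objectclass"}, set()),
    "person": ("top", {"sn", "cn"}, {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": ("person", set(), {"title", "st", "street", "postaladdress", "l", "ou"}),
    "inetorgperson": ("organizationalperson", set(), {"mail", "mobile", "pager", "homephone",
        "displayname", "uid", "givenname", "labeleduri", "jpegphoto", "roomnumber", "carlicense"}),
}

def schema_violations(entry):
    """entry: dict attribute -> list of values, as an LDIF reader or LDAP client returns it."""
    entry = {k.lower(): v for k, v in entry.items()}
    errors, must, may = [], set(), set()
    for oc in entry.get("objectclass", []):
        name = oc.lower()
        while name is not None and name in SCHEMA:  # walk the SUP chain, collecting MUST/MAY
            sup, m, o = SCHEMA[name]
            must, may, name = must | m, may | o, sup
        if name is not None:
            errors.append(f"unknown objectClass: {oc}")
    attrs = set(entry) - {"dn"}
    errors += [f"missing required attribute: {a}" for a in sorted(must - attrs)]
    errors += [f"attribute not allowed by any objectClass: {a}" for a in sorted(attrs - must - may)]
    return errors

def audit(entries):
    """Map each dn to its violations; an empty list means the entry replicates cleanly."""
    return {e["dn"][0]: schema_violations(e) for e in entries}

# Constructed sample: alice is clean; bob carries an attribute an in-house client invented
# and lacks the mandatory sn, which a lax server stores and a strict consumer rejects.
SAMPLE = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"], "objectClass": ["inetOrgPerson"],
     "cn": ["Alice Example"], "sn": ["Example"], "uid": ["alice"], "mail": ["alice@example.com"]},
    {"dn": ["uid=bob,ou=people,dc=example,dc=com"], "objectClass": ["inetOrgPerson"],
     "cn": ["Bob Example"], "uid": ["bob"], "mobilePhone": ["+49 941 000000"]},
]

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE).items():
        print(dn, "->", problems or "OK")
```

Feed it the entries from an ldapsearch export of the 389-DS suffix to see which ones would stall a strict consumer.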
openldap-technical@openldap.org