Anyone have experience with openldap and dyndb from bind?
I am getting this:
critical extension is not recognized: unable to start SyncRepl session: is RFC 4533 supported by LDAP
You need to load the syncprov module.
I wrote a test for this package recently in Ubuntu, you can see the script here: https://git.launchpad.net/ubuntu/+source/bind-dyndb-ldap/tree/debian/tests/d...
On Wed, Sep 20, 2023 at 7:02 PM Marc Marc@f1-outsourcing.eu wrote:
Anyone have experience with openldap and dyndb from bind?
I am getting this:
critical extension is not recognized: unable to start SyncRepl session: is RFC 4533 supported by LDAP
Yes, dyndb requires syncprov
Here is a snippet for building from source on RHEL
### build-bind-dyndb-ldap
#### prep
```
wget https://pagure.io/bind-dyndb-ldap/archive/v11.9/bind-dyndb-ldap-v11.9.tar.gz -O /tmp/bind-dyndb-ldap-v11.9.tar.gz
cd /tmp/
tar xf /tmp/bind-dyndb-ldap-v11.9.tar.gz
cd bind-dyndb-ldap-v11.9
autoreconf -fvi
./configure --libdir=/opt/symas/lib/
make
make install
```
#### install the module
```
cat /usr/local/share/doc/bind-dyndb-ldap/schema.ldif |\
sed 's/^attributeTypes:/olcAttributeTypes:/g' |\
sed 's/^objectClasses:/olcObjectClasses:/g' |\
sed 's/dn: cn=schema/#dn: cn=schema/g' |\
sed 's/#dn: cn=dns,cn=schema,cn=config/dn: cn=dns,cn=schema,cn=config/g' |\
sed 's/#objectClass: olcSchemaConfig/objectClass: olcSchemaConfig/g' |\
sed '1{/aRecord/{N;N;d}};/\n/!N;/\n.*\n/!N;/\n.*\n.*aRecord/{$d;N;N;d};P;D' |\
sed '1{/mDRecord/{N;N;d}};/\n/!N;/\n.*\n/!N;/\n.*\n.*mDRecord/{$d;N;N;d};P;D' |\
sed '1{/mXRecord/{N;N;d}};/\n/!N;/\n.*\n/!N;/\n.*\n.*mXRecord/{$d;N;N;d};P;D' |\
sed '1{/nSRecord/{N;N;d}};/\n/!N;/\n.*\n/!N;/\n.*\n.*nSRecord/{$d;N;N;d};P;D' |\
sed '1{/cNAMERecord/{N;N;d}};/\n/!N;/\n.*\n/!N;/\n.*\n.*cNAMERecord/{$d;N;N;d};P;D' |
ldapadd -D cn=config -w pass
```
I just loaded the module, and had a slightly different response
error: LDAP error: Critical extension is unavailable: critical control unavailable in context: unable to start SyncRepl session: is RFC 4533 supported by LDAP server?
So I added this config
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changeType: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100
Then I got a successful connection message
Now I have things like this
1. serial (2013010102) write back to LDAP failed
I guess named is trying to update the ldap server, which I do not want. How to resolve this? Or can this be ignored?
2. database: error: failed to convert DN 'idnsName=..com.126,idnsName=xxxxxxxxxxxxxx' to DNS name: empty label
I guess these are ldap entries that have errors, and need to be fixed manually?
3. LDAP error: Size limit exceeded: unable to start SyncRepl session LDAP data synchronization failed: socket is not connected ldap_syncrepl will reconnect in 60 seconds
No idea what is going on here.
You need to load the syncprov module.
I wrote a test for this package recently in Ubuntu, you can see the script here: https://git.launchpad.net/ubuntu/+source/bind-dyndb-ldap/tree/debian/tests/dyndb-ldap?h=applied/ubuntu/devel
Anyone have experience with openldap and dyndb from bind?
I am getting this:
critical extension is not recognized: unable to start SyncRepl session:
is RFC 4533 supported by LDAP
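As an added example (my own code, not from the thread or the bind-dyndb-ldap project), here is a Python equivalent of the sed schema conversion given earlier in the thread, together with a check for the two prerequisites behind the "critical extension is not recognized ... RFC 4533" error: that the rootDSE advertises the RFC 4533 Sync Request Control (OID 1.3.6.1.4.1.4203.1.9.1.1) and that a syncprov overlay sits on the database. Assumptions: the sample schema, rootDSE and cn=config dumps are constructed, the schema OIDs in the sample are placeholders, and the skip list mirrors the attributes the sed pipeline removes (aRecord, mDRecord, mXRecord, nSRecord, cNAMERecord), which the directory already has from a standard schema.

```python
"""Schema conversion and syncprov prerequisite checks (added example, not project code).
All sample data below is constructed; schema OIDs are placeholders."""
import re

SYNC_REQUEST_CONTROL_OID = "1.3.6.1.4.1.4203.1.9.1.1"  # RFC 4533 Sync Request Control
LEGACY_TO_OLC = {"attributetypes": "olcAttributeTypes", "objectclasses": "olcObjectClasses"}


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with a space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return entries as dicts of lowercased attribute -> list of values; comments are skipped."""
    entries, current = [], None
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")  # base64 ("::") values are not needed for these checks
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value.lstrip(" "))
    if current:
        entries.append(current)
    return entries


def schema_name(definition):
    """First NAME of a definition such as "( 1.1.1.1 NAME 'aRecord' ... )"."""
    m = re.search(r"NAME\s+\(?\s*'([^']+)'", definition)
    return m.group(1) if m else None


def convert_schema(legacy_text, schema_cn="dns", skip_attrs=()):
    """Build the cn=config schema entry as LDIF text; returns (ldif, names dropped)."""
    skip = {s.lower() for s in skip_attrs}
    out = ["dn: cn=%s,cn=schema,cn=config" % schema_cn,
           "objectClass: olcSchemaConfig",
           "cn: %s" % schema_cn]
    dropped = []
    for entry in parse_ldif(legacy_text):
        for attr, values in entry.items():
            if attr not in LEGACY_TO_OLC:
                continue  # the legacy dn:/cn: lines are replaced by the header above
            for definition in values:
                name = schema_name(definition)
                if attr == "attributetypes" and name and name.lower() in skip:
                    dropped.append(name)  # already defined by a standard schema
                    continue
                out.append("%s: %s" % (LEGACY_TO_OLC[attr], definition))
    return "\n".join(out) + "\n", dropped


def sync_control_advertised(rootdse_ldif):
    """True if supportedControl in the rootDSE lists the RFC 4533 sync control."""
    return any(SYNC_REQUEST_CONTROL_OID in e.get("supportedcontrol", [])
               for e in parse_ldif(rootdse_ldif))


def syncprov_overlays(config_ldif):
    """DNs of the databases that carry a syncprov overlay in a cn=config dump."""
    found = []
    for e in parse_ldif(config_ldif):
        if "olcsyncprovconfig" in (v.lower() for v in e.get("objectclass", [])):
            found.append(e["dn"][0].split(",", 1)[1])  # strip the olcOverlay=... RDN
    return found


# --- constructed sample data (placeholder OIDs, not the project's real ones) ---
LEGACY_SCHEMA = """\
dn: cn=schema
#dn: cn=dns,cn=schema,cn=config
#objectClass: olcSchemaConfig
attributeTypes: ( 1.1.1.1 NAME 'aRecord'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.1.1.2 NAME 'idnsName'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( 1.1.2.1 NAME 'idnsRecord' SUP top STRUCTURAL
  MUST idnsName MAY ( aRecord $ cNAMERecord ) )
"""
ROOTDSE_NO_SYNC = "dn:\nsupportedControl: 1.2.840.113556.1.4.319\n"
ROOTDSE_WITH_SYNC = ROOTDSE_NO_SYNC + "supportedControl: %s\n" % SYNC_REQUEST_CONTROL_OID
CONFIG_DUMP = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100
"""

if __name__ == "__main__":
    ldif, dropped = convert_schema(LEGACY_SCHEMA, skip_attrs=["aRecord", "cNAMERecord"])
    print(ldif, "dropped:", dropped)
    print("RFC 4533 control advertised:", sync_control_advertised(ROOTDSE_WITH_SYNC))
    print("syncprov on:", syncprov_overlays(CONFIG_DUMP))
```

The converter's output can be piped into ldapadd as the thread does; the two check functions take the output of `ldapsearch -x -s base -b '' supportedControl` and of a cn=config search, so the prerequisite can be verified before named is restarted rather than waiting for the SyncRepl error to appear. When feeding ldapadd, `-W` or `-y passwordfile` keeps the cn=config password out of the process list and shell history, unlike `-w pass`.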
If I enable this module, does it mean that this slapd stops receiving updates from the master?
--On Thursday, September 21, 2023 12:30 AM +0000 Marc Marc@f1-outsourcing.eu wrote:
If I enable this module, does it mean that this slapd stops receiving updates from the master?
No, it's perfectly fine to run syncprov on consumers as well.
--Quanah
I guess such messages are related to my ldap not allowing updates, no? Which is what I want for this one.
"Server is unwilling to perform: shadow context; no update referral: connection error"
Is there some ingenious option/module that silently drops write requests? For buggy clients?
What a fuckups there at redhat/fedora. This plugin served me always well. Now these morons require ldap write access which I manage to bypass with[1]. Then I guess it downloads everything from ldap and I have more memory/swap usage and named is being slow because of the disk access.
[1] --- a/src/ldap_helper.c 2023-09-21 10:01:10.227396899 +0000 +++ b/src/ldap_helper.c 2023-09-21 10:09:50.785071437 +0000 @@ -3064,6 +3064,9 @@ isc_result_t result; ldap_connection_t *ldap_conn = NULL;
+ result = ISC_R_SUCCESS; + return result; + REQUIRE(dn != NULL); REQUIRE(mods != NULL); REQUIRE(ldap_inst != NULL);
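Review bot: the early `return result;` inserted ahead of `REQUIRE(dn != NULL)` makes the function report ISC_R_SUCCESS without ever touching LDAP, so every caller, including the serial write-back that produced "write back to LDAP failed", is told its modification was applied when nothing was written; that hides real divergence between named's view of a zone and the directory. It also leaves `ldap_conn` unused and the three REQUIRE() checks unreachable, which compilers will warn about. If the intent is a read-only consumer, guard the skip with a configuration option, return a non-success result and log once, so that the discarded write stays visible in named's log.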
On Thu, Sep 21, 2023 at 11:58:50AM +0000, Marc wrote:
What a fuckups there at redhat/fedora. This plugin served me always well. Now these morons require ldap write access which I manage to bypass with[1]. Then I guess it downloads everything from ldap and I have more memory/swap usage and named is being slow because of the disk access.
Is there a moderator on this list?
Or should I filter this polite guy on my own?
Best regards Ulf
openldap-technical@openldap.org