Hello, I have some basic experience interacting with & troubleshooting OpenLDAP as well as 389-ds, but I don't have a whole lot of experience setting them up or configuring an OpenLDAP server.
My goal is to setup replication from a Primary inside a trusted network outwards to a Replica that is in an untrusted network, without allowing the replica any direct access to the primary, due to firewall flows and network requirements. This is true even for the initial connection, so a simple RefreshAndPersist configuration won't work.
I have read that it is possible to setup a push-based replication using a proxy, such that:
- The proxy gets installed as a "hidden" database onto the same server as the primary
- The proxy sets up replication with the primary using RefreshAndPersist
- The proxy is then able to push the data out of the replica
I have skimmed over, and re-read, a lot of portions from this document: https://www.openldap.org/doc/admin24/replication.html I have also followed this basic guide to setup a Primary with replication capability: https://ubuntu.com/server/docs/service-ldap-replication
What I'm having trouble with, is finding a useful guide that will walk me through the process to setup and configure the proxy as I've described above.
Questions:
- Based on my requirements above, will the proxy with syncrepl meet my needs?
  - If I put the proxy onto the same server as the primary, then due to firewall flows, the replica will not have any access to the primary. All communication will need to be initiated outbound
  - If I put the proxy into the same network as the replica, well.... that won't work either, for the same reason
- The following URL from the OpenLDAP docs provides some example configs: https://www.openldap.org/doc/admin24/replication.html#Syncrepl%20Proxy
- If I'm reading everything correctly, though, the "new" / "accepted" / "preferred" way to configure the ldap server is to use the `ldapadd`, `ldapmodify`, and related commands. My confusion and question here is.... should I try to configure all of this by editing the old slapd.conf file as the openldap.org docs provide examples, or is there a way to do this using the ldapmodify & related commands?
- If I can / should do this from the command line... are there any guides or tutorials that will take me step-by-step through the process as I try to build this in a lab environment?
Thanks in advance, David
Sent with ProtonMail Secure Email.
David White wrote:
What I'm having trouble with, is finding a useful guide that will walk me through the process to setup and configure the proxy as I've described above.
A working example is in test045 of the test suite. You can simply convert the slapd.conf files to LDIF format from there.
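The cn=config form of what Howard points at, as an added example that is not from the thread, the admin guide or the OpenLDAP test suite. It follows the shape of the hidden proxy database in the "Syncrepl Proxy" section of the admin guide David links: a back-ldap database on the primary's own slapd, marked hidden and restricted to all clients, running a syncrepl consumer against the primary over loopback, with its URI pointing at the replica and syncprov layered on top. Everything concrete is an assumption: hostnames, the database index {2}, the DN of the module entry, and the two identities (cn=replicate, read-only on the primary; cn=pusher, write access on the replica and nothing on the primary). It also assumes the primary's mdb database ({1}) already carries the syncprov overlay and grants cn=replicate read access, and that the replica is a plain mdb database with the same suffix, no syncrepl of its own, and an ACL granting cn=pusher write.

```ldif
# Added example, not code from the thread, the admin guide or the OpenLDAP test
# suite: the hidden syncrepl proxy written as cn=config LDIF.
#
# Assumed topology (all names, DNs and passwords are placeholders):
#   primary   trusted net, this slapd    olcDatabase={1}mdb, suffix dc=example,dc=com,
#                                        syncprov loaded, cn=replicate may read
#   proxy     same slapd process         the back-ldap database added below
#   replica   untrusted net              plain mdb, same suffix, no syncrepl,
#                                        cn=pusher may write to it
# Only two connections exist: proxy -> primary over loopback, and proxy -> replica
# outbound. The replica never opens a connection into the trusted network.

# 1. Load back-ldap next to the modules already loaded (entry DN is assumed).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap

# 2. The hidden proxy database ({2} assumed; it must sort after the mdb database).
#    olcHidden lets it share the primary's suffix without being visible to
#    clients; olcRestrict: all rejects every client operation against it. Its
#    syncrepl consumer replicates from the primary, and every change it receives
#    is applied through back-ldap to olcDbURI, i.e. written to the replica.
dn: olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcHidden: TRUE
olcSuffix: dc=example,dc=com
olcRootDN: cn=slapd-ldap
olcDbURI: ldaps://replica.example.com/
olcLastMod: TRUE
olcRestrict: all
# Identity back-ldap binds with on the replica for the proxy's own (rootdn)
# operations: write access on the replica, no account on the primary.
olcDbACLBind: bindmethod=simple binddn="cn=pusher,dc=example,dc=com" credentials="replica-write-secret"
# Identity used against the primary: read-only.
olcSyncrepl: rid=001 provider=ldap://127.0.0.1/ bindmethod=simple
  binddn="cn=replicate,dc=example,dc=com" credentials="primary-read-secret"
  searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 5"

# 3. syncprov on the proxy database, as the admin guide's slapd.conf example has it.
dn: olcOverlay={0}syncprov,olcDatabase={2}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
```

Load it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f syncrepl-proxy.ldif` where cn=config grants the local root user's SASL EXTERNAL identity write access (the Ubuntu packaging does), otherwise bind to cn=config with `-W -D` as you would for any other cn=config change; no slapd.conf is involved and no restart is needed. Three points a practitioner should not skip: the push carries the whole DIT, password hashes included, into the untrusted network, so the outbound URI should be ldaps:// and the proxy host's ldap.conf should pin the replica's CA with TLS_CACERT; both passwords are stored in cleartext in cn=config, so read access to olcDatabase={2}ldap must be as restricted as the primary's olcRootPW; and the two identities are deliberately different, so the write credential a compromised replica could recover from its own traffic is not a credential on the primary.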
Thank you for your response and for nudging me towards the test scripts. Shortly after your email, I had to deal with an emergency, so am only now circling back around to this.
I currently have the "ldap-utils" package installed from the base Ubuntu repositories on Ubuntu 20.04. This is version 2.4.49 of openldap.
I then downloaded the source code for openldap-2.5.9, and have figured out how to run "make test" to run all of the test scripts.
Unfortunately, the test045 script keeps failing because it says that the necessary backend isn't even available, which is really confusing to me, because I've ensured that back-mdb is enabled.
See below for output of `slapcat` as well as the modules enabled. Why is the test045 script telling me that the "LDAP backend not available, test skipped" when back-mdb and syncprov are both clearly available? Am I missing something else?
root@davidw-ldap-provider-with-proxy:~/source/openldap-2.5.9/tests# slapcat
dn: dc=ma,dc=us,dc=test,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ma.us.test.com
dc: ma
structuralObjectClass: organization
entryUUID: 3ed370ee-e7c5-103b-8925-e9568cf98aa1
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202140944Z
entryCSN: 20211202140944.954584Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202140944Z
contextCSN: 20211202160434.733327Z#000000#000#000000

dn: cn=admin,dc=ma,dc=us,dc=test,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: REDACTED
structuralObjectClass: organizationalRole
entryUUID: 3ee5958a-e7c5-103b-8926-e9568cf98aa1
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202140945Z
entryCSN: 20211202140945.073555Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202140945Z

dn: cn=replicate,dc=ma,dc=us,dc=test,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Replication User
userPassword:: REDACTED
structuralObjectClass: organizationalRole
cn: replicate
entryUUID: 327948be-e7cf-103b-93fa-e17a6939fd39
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202152059Z
entryCSN: 20211202152059.198404Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202152059Z

root@davidw-ldap-provider-with-proxy:~/source/openldap-2.5.9/tests# slapcat -n 0 | grep olcModuleLoad
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}syncprov
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, December 1st, 2021 at 10:23 PM, Howard Chu hyc@symas.com wrote:
A working example is in test045 of the test suite. You can simply convert the slapd.conf files to LDIF format from there.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
I tried removing the Ubuntu packages, and just building everything from source, so as to make sure the test scripts are the same version as the running server. That said, I'm still banging my head against the wall, and was never able to get the server running from source nearly as well configured as the Ubuntu packages.
I am now re-attempting using v2.4 from the Ubuntu packages.
Question: Do I need the pcache module?
I'm still trying to figure out why the test scripts are simply refusing to even run the test045 test, due to "backend not available".
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, December 26th, 2021 at 6:17 PM, David White dmwhite823@protonmail.com wrote:
--On Thursday, December 23, 2021 3:32 PM +0000 David White dmwhite823@protonmail.com wrote:
See below for output of `slapcat` as well as the modules enabled. Why is the test045 script telling me that the "LDAP backend not available, test skipped" when back-mdb and syncprov are both clearly available? Am I missing something else?
The "ldap backend" is back-ldap. back-ldap is required to do proxied syncreplication.
I'd suggest ignoring the Ubuntu packages entirely and using the free 2.5 or 2.6 packages provided by Symas for Ubuntu.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Thank you, Quanah.
Is the recommendation to go with v2.5 or 2.6 because of limited features in v2.4 for what I'm trying to do? My concern is that we have several OpenLDAP servers, and we need to maintain the servers going forward. Obviously we can recompile, but that just adds complexity to our company's infrastructure that is already handled by a distributed team, and if at all possible, we'd prefer to use distro-provided packages.
That said, if there's a good reason that v2.4 won't be as easy to configure to do what I need it to do, then I think I can sell my boss on the idea. We just need to have a good patching plan in place going forward for these systems.
I did realize that back-ldap is required. I made a silly mistake, and was trying to load a completely different module in slapd.conf (question and my own answer at https://serverfault.com/questions/1088505/openldap-push-replication-via-prox... on the topic).
However, as I mentioned before, I'd really like to figure out how to build this system using ldif instead of the old .conf format. All of the guides I've been able to find thus far seem to reference the old .conf format, and only refer to basic proxy setups -- I still haven't been able to find any clear instructions on how to setup an overlay on the same system, with a push-based configuration.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 3rd, 2022 at 11:46 AM, Quanah Gibson-Mount quanah@symas.com wrote:
This is starting to make more sense. I found the OpenLDAP v2.6 repos that are provided by Symas at repo.symas.com, and I was able to install it for Ubuntu 20.04.
Unfortunately, it now appears that I can't use "slapcat". I just installed `ldap-utils` again from the base Ubuntu repositories (I couldn't find ldap-utils in the Symas repos), so I can now run "ldapsearch" again, but am currently troubleshooting with some search results that may or may not just be my fault and inexperience using this software. I'll keep digging.
But to confirm, is it OK to use the Ubuntu "ldap-utils" package alongside the Symas-provided ldap server packages?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 6:43 AM, David White dmwhite823@protonmail.com wrote:
--On Tuesday, January 4, 2022 4:49 PM +0000 David White dmwhite823@protonmail.com wrote:
But to confirm, is it OK to use the Ubuntu "ldap-utils" package along side the Symas-provided ldap server packages?
I suggest reading the documentation at https://repo.symas.com/soldap/ that explicitly lists which Symas packages contain what.
--Quanah
--On Tuesday, January 4, 2022 4:49 PM +0000 David White dmwhite823@protonmail.com wrote:
Unfortunately, it now appears that I can't use "slapcat".
I'm also not quite sure what you mean by this. You can absolutely use slapcat, but it needs to be the 2.6 version of slapcat that is a part of the Symas packages, and not the 2.4 version from Ubuntu.
--Quanah
Thank you. I just ran "find /opt/symas -name 'slapcat'" and realized that the binary does indeed exist. A simple `ln -s` into /usr/local/sbin did the trick.
I'm learning!
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 12:55 PM, Quanah Gibson-Mount quanah@symas.com wrote:
--On Tuesday, January 4, 2022 8:04 PM +0000 David White dmwhite823@protonmail.com wrote:
Thank you. I just ran "find /opt/symas -name 'slapcat'" and realized that the binary does indeed exist. A simple `ln -s` into /usr/local/sbin did the trick.
Better solution would be to adjust your PATH variable to include the symas paths. But the Symas packages actually already do that, too... You just have to log out/in to regenerate your shell env to pick them up.
--Quanah
Next question, and if this is veering off topic, or there is documentation somewhere that I haven't found yet, I can try to go that route.
I have most of my cn=config rebuilt on Symas v2.6 that was originally in Ubuntu v2.4, but for some reason, slapcat can't see it (I assumed that cn=config would be represented with `-n 0`). Slapcat can only see my "real" database (which is represented with `-n 1`). My permissions are still a little bit wonky though, because right now (on v2.6), every time I run ldapsearch to get something out of the `cn=config` database, I have to specify the following parameters for it to work: `-W -D "cn=config"`
I can, for example, view the `cn=config` ACL that I have setup for a certain user:
root@ldap-provider:~# ldapsearch -H ldap:/// -LLL -b cn=config '(olcSuffix=dc=example,dc=com)' olcAccess -W -D "cn=config"
Enter LDAP Password:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact="cn=replicate,dc=example,dc=com m" read by * break
What am I missing here?
root@ldap-provider:~# slapcat -b cn=config
slapcat: could not open database.

root@ldap-provider:~# slapcat -n0
slapcat: could not open database.

root@ldap-provider:~# ldapsearch -H ldap:/// -x -s base -b "" + -LLL
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=example,dc=com
{snip}

root@ldap-provider:~# slapcat -n1 | grep "dn:"
dn: dc=example,dc=com
dn: dc=us,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: ou=Groups,dc=example,dc=com
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 3:12 PM, Quanah Gibson-Mount quanah@symas.com wrote:
--On Tuesday, January 4, 2022 8:56 PM +0000 David White dmwhite823@protonmail.com wrote:
I have most of my cn=config rebuilt on Symas v2.6 that was originally in Ubuntu v2.4, but for some reason, slapcat can't see it (I assumed that cn=config would be represented with `-n 0`). Slapcat can only see my "real" database (which is represented with '-n 1`). My permissions are still a little bit wonky though, because right now (on v2.6), every time I run ldapsearch to get something out of the `cn=config` database, I have to specify the following parameters for it to work: `-W -D "cn=config"
I've no idea what you've done, so really hard to say. I don't know what parameters your slapd is running with, if it's even using a cn=config db with the new binaries, etc.
--Quanah
I'll keep digging, and will try not to veer off topic here. Thank you.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 4:01 PM, Quanah Gibson-Mount quanah@symas.com wrote:
David White dmwhite823@protonmail.com wrote on 04.01.2022 at 21:56 in
message <M4XIZ-Tt1gRAAT3xioaiNB_MDhGxw1LmqgiO5qOQz0CC5xphpB5h8UF6r2Qv-N641tn_xtdpBYIr75sgdjXz_qGO40G1uvowznggQOeink=@protonmail.com>:
...
root@ldap-provider:~# slapcat -b cn=config
slapcat: could not open database.
root@ldap-provider:~# slapcat -n0
slapcat: could not open database.
Did you try the -v or -d option to get more info?
...
Regards, Ulrich
That certainly gives me more information, but I still don't see anything in stdout related to cn=config. Thank you for the suggestion.
Prior to starting the slapd daemon on v2.6, I did the following:
root@ldap-provider:~# history | grep slaptest | grep symas
 1880  /opt/symas/sbin/slaptest -f /opt/symas/etc/openldap/slapd.conf -F /var/symas/openldap-data/slapd.d/
By doing this, I thought I had created the cn=config database / converted from slapd.conf. Perhaps I'm an idiot and cn=config doesn't actually exist, and all of my config settings are being directly read from slapd.conf? But that still doesn't explain to me why I can see the ACL that I (thought I) built into cn=config. I do see in the below stdout that all of the modules, for example, are being loaded from slapd.conf. If I try to move that .conf file out of the way, slapd refuses to start. I'm sure that I'm still missing something obvious. I'll keep reading.
The following stdout is edited for brevity. When we get down to the bottom at # id=00000001, that's coming from the -n1 database.
root@ldap-provider:~# slapcat -d -1 -v
slapcat init: initiated tool.
slap_sasl_init: initialized!
reading config file /opt/symas/etc/openldap/slapd.conf
/opt/symas/etc/openldap/slapd.conf: line 18 (include /opt/symas/etc/openldap/schema/core.schema)
reading config file /opt/symas/etc/openldap/schema/core.schema
{snip}
reading config file /opt/symas/etc/openldap/schema/cosine.schema
{snip}
/opt/symas/etc/openldap/slapd.conf: line 21 (modulepath /opt/symas/lib/openldap)
/opt/symas/etc/openldap/slapd.conf: line 22 (moduleload back_mdb.la)
loaded module back_mdb.la
mdb_back_initialize: initialize MDB backend
mdb_back_initialize: LMDB 0.9.29: (March 16, 2021)
module back_mdb.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 23 (moduleload back_ldap.la)
loaded module back_ldap.la
module back_ldap.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 24 (moduleload syncprov.la)
loaded module syncprov.la
module syncprov.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 25 (moduleload pcache.la)
loaded module pcache.la
module pcache.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 26 (moduleload ppolicy.la)
loaded module ppolicy.la
module ppolicy.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 27 (moduleload memberof.la)
loaded module memberof.la
module memberof.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 29 (database mdb)
mdb_db_init: Initializing mdb database
/opt/symas/etc/openldap/slapd.conf: line 30 (suffix "dc=example,dc=com")
{snip}
slapcat startup: initiated.
backend_startup_one: starting "dc=example,dc=com"
mdb_db_open: "dc=example,dc=com"
mdb_db_open: database "dc=example,dc=com": dbenv_open(/var/symas/openldap-data).
mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
=> mdb_entry_decode:
<= mdb_entry_decode
# id=00000001
{snip}
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, January 5th, 2022 at 2:21 AM, Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
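An added example, not code from the thread or from OpenLDAP: a small shell helper that applies the -f/-F precedence documented in slapd(8) to a slapd, slapcat or slaptest command line, so you can see up front whether the tool will read slapd.conf (no cn=config database, hence "could not open database" for -n 0) or a cn=config directory. The default paths are assumptions for a Symas install; the sample invocations are constructed from the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Precedence per slapd(8), observed by slapd
# and all slap tools:
#   -f and -F  : slapd.conf is converted into the -F directory (a one-off step)
#   -F only    : cn=config in that directory is read
#   -f only    : only slapd.conf is read; no cn=config database exists for -n 0
#   neither    : the default config directory if it exists, else default slapd.conf
# Assumed defaults for a Symas build; adjust to your installation.
DEFAULT_DIR=/opt/symas/etc/openldap/slapd.d
DEFAULT_CONF=/opt/symas/etc/openldap/slapd.conf

# config_source [options...]  -> prints "convert <conf> <dir>",
#   "cn=config <dir>" or "slapd.conf <conf>"
config_source() {
    conf=""; dir=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -f) conf="$2"; shift ;;       # -f <file>
            -F) dir="$2"; shift ;;        # -F <dir>
            -f*) conf="${1#-f}" ;;        # -f<file>
            -F*) dir="${1#-F}" ;;         # -F<dir>
        esac                              # -n, -b, -d, -v ... are irrelevant here
        shift
    done
    if [ -n "$conf" ] && [ -n "$dir" ]; then
        echo "convert $conf ${dir%/}"
    elif [ -n "$dir" ]; then
        echo "cn=config ${dir%/}"
    elif [ -n "$conf" ]; then
        echo "slapd.conf $conf"
    elif [ -d "$DEFAULT_DIR" ]; then
        echo "cn=config $DEFAULT_DIR"
    else
        echo "slapd.conf $DEFAULT_CONF"
    fi
}

# Constructed inputs mirroring the thread: the conversion run once with slaptest,
# the bare "slapcat -n0" (falls back to slapd.conf when the default directory is
# absent), and the invocation that actually reads the converted cn=config.
config_source -f /opt/symas/etc/openldap/slapd.conf -F /var/symas/openldap-data/slapd.d/
config_source -n0
config_source -F /var/symas/openldap-data/slapd.d -n 0
```

The same rule applies to the running daemon: a slapd started with -f and no -F serves slapd.conf only, so modifications sent to cn=config are not what the server reads at startup.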
openldap-technical@openldap.org