2:23 p.m.
Hello,
I have some basic experience interacting with & troubleshooting OpenLDAP as well as
389-ds, but I don't have a whole lot of experience setting them up or configuring an
OpenLDAP server.
My goal is to setup replication from a Primary inside a trusted network outwards to a
Replica that is in an untrusted network, without allowing the replica any direct access to
the primary, due to firewall flows and network requirements. This is true even for the
initial connection, so a simple RefreshAndPersist configuration won't work.
I have read that it is possible to setup a push-based replication using a proxy, such
that:
- The proxy gets installed as a "hidden" database onto the same server as the
primary
- The proxy sets up replication with the primary using RefreshAndPersist
- The proxy is then able to push the data out of the replica
I have skimmed over, and re-read, a lot of portions from this
document: https://www.openldap.org/doc/admin24/replication.html
I have also followed this basic guide to setup a Primary with replication
capability: https://ubuntu.com/server/docs/service-ldap-replication
What I'm having trouble with, is finding a useful guide that will walk me through the
process to setup and configure the proxy as I've described above.
Questions:
- Based on my requirements above, will the proxy with syncrepl meet my needs?
- If I put the proxy onto the same server as the primary, then due to firewall flows,
the replica will not have any access to the primary. All communication will need to be
initiated outbound
- If I put the proxy into the same network as the replica, well.... that won't work
either, for the same reason
- The following URL from the OpenLDAP docs provides some example
configs: https://www.openldap.org/doc/admin24/replication.html#Syncrepl%20Proxy
- If I'm reading everything correctly, though, the "new" /
"accepted" / "preferred" way to configure the ldap server is to use
the `ldapadd`, `ldapmodify`, and related commands. My confusion and question here is....
should I try to configure all of this by editing the old slapd.conf file as the
openldap.org docs provide examples, or is there a way to do this using the ldapmodify
& related commands?
- If I can / should do this from the command line... are there any guides or tutorials
that will take me step-by-step through the process as I try to build this in a lab
environment?
Thanks in advance,
David
Sent with ProtonMail Secure Email.
7:23 p.m.
David White wrote:
Hello,
I have some basic experience interacting with & troubleshooting OpenLDAP as well as
389-ds, but I don't have a whole lot of experience setting them up or
configuring an OpenLDAP server.
My goal is to setup replication from a Primary inside a trusted network outwards to a
Replica that is in an untrusted network, without allowing the replica any
direct access to the primary, due to firewall flows and network requirements. This is
true even for the initial connection, so a simple RefreshAndPersist
configuration won't work.
I have read that it is possible to setup a push-based replication using a proxy, such
that:
* The proxy gets installed as a "hidden" database onto the same server as the
primary
* The proxy sets up replication with the primary using RefreshAndPersist
* The proxy is then able to push the data out of the replica
I have skimmed over, and re-read, a lot of portions from this
document: https://www.openldap.org/doc/admin24/replication.html
I have also followed this basic guide to setup a Primary with replication
capability: https://ubuntu.com/server/docs/service-ldap-replication
What I'm having trouble with, is finding a useful guide that will walk me through the
process to setup and configure the proxy as I've described above.
A working example is in test045 of the test suite. You can simply convert the slapd.conf
files to LDIF format from there.
Questions:
* Based on my requirements above, will the proxy with syncrepl meet my needs?
o If I put the proxy onto the same server as the primary, then due to firewall
flows, the replica will not have any access to the primary. All
communication will need to be initiated outbound
o If I put the proxy into the same network as the replica, well.... that won't
work either, for the same reason
* The following URL from the OpenLDAP docs provides some example
configs: https://www.openldap.org/doc/admin24/replication.html#Syncrepl%20Proxy
o If I'm reading everything correctly, though, the "new" /
"accepted" / "preferred" way to configure the ldap server is to use
the `ldapadd`,
`ldapmodify`, and related commands. My confusion and question here is.... should
I try to configure all of this by editing the old slapd.conf file as
the openldap.org docs provide examples, or is there a way to do this using the
ldapmodify & related commands?
o If I can / should do this from the command line... are there any guides or
tutorials that will take me step-by-step through the process as I try to
build this in a lab environment?
Thanks in advance,
David
Sent with ProtonMail <https://protonmail.com/> Secure Email.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7:32 a.m.
Thank you for your response and for nudging me towards the test scripts. Shortly after
your email, I had to deal with an emergency, so am only now circling back around to this.
I currently have the "ldap-utils" package installed from the base Ubuntu
repositories on Ubuntu 20.04. This is version 2.4.49 of openldap.
I then downloaded the source code for openldap-2.5.9, and have figured out how to run
"make test" to run all of the test scripts.
Unfortunately, the test045 script keeps failing because it says that the necessary backend
isn't even available, which is really confusing to me, because I've ensured that
back-mdb is enabled.
See below for output of `slapcat` as well as the modules enabled. Why is the test045
script telling me that the "LDAP backend not available, test skipped" when
back-mdb and syncprov are both clearly available? Am I missing something else?
root@davidw-ldap-provider-with-proxy:~/source/openldap-2.5.9/tests# slapcat
dn: dc=ma,dc=us,dc=test,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: ma.us.test.com
dc: ma
structuralObjectClass: organization
entryUUID: 3ed370ee-e7c5-103b-8925-e9568cf98aa1
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202140944Z
entryCSN: 20211202140944.954584Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202140944Z
contextCSN: 20211202160434.733327Z#000000#000#000000
dn: cn=admin,dc=ma,dc=us,dc=test,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: REDACTED
structuralObjectClass: organizationalRole
entryUUID: 3ee5958a-e7c5-103b-8926-e9568cf98aa1
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202140945Z
entryCSN: 20211202140945.073555Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202140945Z
dn: cn=replicate,dc=ma,dc=us,dc=test,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Replication User
userPassword:: REDACTED
structuralObjectClass: organizationalRole
cn: replicate
entryUUID: 327948be-e7cf-103b-93fa-e17a6939fd39
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202152059Z
entryCSN: 20211202152059.198404Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202152059Z
root@davidw-ldap-provider-with-proxy:~/source/openldap-2.5.9/tests# slapcat -n 0 | grep
olcModuleLoad
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}syncprov
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, December 1st, 2021 at 10:23 PM, Howard Chu <hyc(a)symas.com> wrote:
David White wrote:
> Hello,
>
> I have some basic experience interacting with &
troubleshooting OpenLDAP as well as 389-ds, but I don't have a whole lot of experience
setting them up or
>
> configuring an OpenLDAP server.
>
> My goal is to setup replication from a Primary inside a trusted
network outwards to a Replica that is in an untrusted network, without allowing the
replica any
>
> direct access to the primary, due to firewall flows and network
requirements. This is true even for the initial connection, so a simple RefreshAndPersist
>
> configuration won't work.
>
> I have read that it is possible to setup a push-based
replication using a proxy, such that:
>
> - The proxy gets installed as a "hidden" database
onto the same server as the primary
> - The proxy sets up replication with the primary using RefreshAndPersist
> - The proxy is then able to push the data out of the replica
>
> I have skimmed over, and re-read, a lot of portions from this
document: https://www.openldap.org/doc/admin24/replication.html
>
> I have also followed this basic guide to setup a Primary with
replication capability: https://ubuntu.com/server/docs/service-ldap-replication
>
> What I'm having trouble with, is finding a useful guide that
will walk me through the process to setup and configure the proxy as I've described
above.
A working example is in test045 of the test suite. You can simply
convert the slapd.conf files to LDIF format from there.
> Questions:
>
> - Based on my requirements above, will the proxy with syncrepl
meet my needs?
>
> o If I put the proxy onto the same server as the primary,
then due to firewall flows, the replica will not have any access to the primary. All
>
> communication will need to be initiated outbound
>
> o If I put the proxy into the same network as the replica,
well.... that won't work either, for the same reason
>
> - The following URL from the OpenLDAP docs provides some
example configs: https://www.openldap.org/doc/admin24/replication.html#Syncrepl Proxy
>
> o If I'm reading everything correctly, though, the
"new" / "accepted" / "preferred" way to configure the ldap
server is to use the `ldapadd`,
>
> `ldapmodify`, and related commands. My confusion and
question here is.... should I try to configure all of this by editing the old slapd.conf
file as
>
> the openldap.org docs provide examples, or is there a way to
do this using the ldapmodify & related commands?
>
> o If I can / should do this from the command line... are
there any guides or tutorials that will take me step-by-step through the process as I try
to
>
> build this in a lab environment?
>
>
> > Thanks in advance,
>
> > David
>
> Sent with ProtonMail https://protonmail.com/ Secure Email.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9:23 a.m.
I tried removing the Ubuntu packages, and just building everything from source, so as to
make sure the test scripts are the same version as the running server. That said, I'm
still banging my head against the wall, and was never able to get the server running from
source nearly as well configured as the Ubuntu packages.
I am now re-attempting using v2.4 from the Ubuntu packages.
Question: Do I need the pcache module?
I'm still trying to figure out why the test scripts are simply refusing to even run
the test045 test, due to "backend not available".
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, December 26th, 2021 at 6:17 PM, David White <dmwhite823(a)protonmail.com>
wrote:
> > > - The following URL from the OpenLDAP docs provides some example configs:
https://www.openldap.org/doc/admin24/replication.html#Syncrepl Proxy
> > > Thanks in advance,
> > > David
> > > Sent with ProtonMail https://protonmail.com/ Secure Email.
> > --
> > -- Howard Chu
> > CTO, Symas Corp. http://www.symas.com
> > Director, Highland Sun http://highlandsun.com/hyc/
Thank you for your response and for nudging me towards the test
scripts. Shortly after your email, I had to deal with an emergency, so am only now
circling back around to this.
I currently have the "ldap-utils" package installed from
the base Ubuntu repositories on Ubuntu 20.04. This is version 2.4.49 of openldap.
I then downloaded the source code for openldap-2.5.9, and have
figured out how to run "make test" to run all of the test scripts.
Unfortunately, the test045 script keeps failing because it says that
the necessary backend isn't even available, which is really confusing to me, because
I've ensured that back-mdb is enabled.
See below for output of `slapcat` as well as the modules enabled. Why
is the test045 script telling me that the "LDAP backend not available, test
skipped" when back-mdb and syncprov are both clearly available? Am I missing
something else?
root@davidw-ldap-provider-with-proxy:~/source/openldap-2.5.9/tests#
slapcat
dn: dc=ma,dc=us,dc=test,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: ma
structuralObjectClass: organization
entryUUID: 3ed370ee-e7c5-103b-8925-e9568cf98aa1
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202140944Z
entryCSN: 20211202140944.954584Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202140944Z
contextCSN: 20211202160434.733327Z#000000#000#000000
dn: cn=admin,dc=ma,dc=us,dc=test,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: REDACTED
structuralObjectClass: organizationalRole
entryUUID: 3ee5958a-e7c5-103b-8926-e9568cf98aa1
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202140945Z
entryCSN: 20211202140945.073555Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202140945Z
dn: cn=replicate,dc=ma,dc=us,dc=test,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Replication User
userPassword:: REDACTED
structuralObjectClass: organizationalRole
cn: replicate
entryUUID: 327948be-e7cf-103b-93fa-e17a6939fd39
creatorsName: cn=admin,dc=ma,dc=us,dc=test,dc=com
createTimestamp: 20211202152059Z
entryCSN: 20211202152059.198404Z#000000#000#000000
modifiersName: cn=admin,dc=ma,dc=us,dc=test,dc=com
modifyTimestamp: 20211202152059Z
root@davidw-ldap-provider-with-proxy:~/source/openldap-2.5.9/tests#
slapcat -n 0 | grep olcModuleLoad
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}syncprov
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, December 1st, 2021 at 10:23 PM, Howard Chu
hyc(a)symas.com wrote:
> David White wrote:
> > Hello,
> > I have some basic experience interacting with &
troubleshooting OpenLDAP as well as 389-ds, but I don't have a whole lot of experience
setting them up or
> > configuring an OpenLDAP server.
> > My goal is to setup replication from a Primary inside a
trusted network outwards to a Replica that is in an untrusted network, without allowing
the replica any
> > direct access to the primary, due to firewall flows and
network requirements. This is true even for the initial connection, so a simple
RefreshAndPersist
> > configuration won't work.
> > I have read that it is possible to setup a push-based
replication using a proxy, such that:
> > - The proxy gets installed as a "hidden"
database onto the same server as the primary
> > - The proxy sets up replication with the primary using RefreshAndPersist
> > - The proxy is then able to push the data out of the replica
> > I have skimmed over, and re-read, a lot of portions from
this document: https://www.openldap.org/doc/admin24/replication.html
> > I have also followed this basic guide to setup a Primary
with replication capability: https://ubuntu.com/server/docs/service-ldap-replication
> > What I'm having trouble with, is finding a useful guide
that will walk me through the process to setup and configure the proxy as I've
described above.
> A working example is in test045 of the test suite. You can
simply convert the slapd.conf files to LDIF format from there.
> > Questions:
> > - Based on my requirements above, will the proxy with
syncrepl meet my needs?
> > o If I put the proxy onto the same server as the
primary, then due to firewall flows, the replica will not have any access to the primary.
All
> >
> > communication will need to be initiated outbound
> >
> > o If I put the proxy into the same network as the
replica, well.... that won't work either, for the same reason
> >
> > o If I'm reading everything correctly, though, the
"new" / "accepted" / "preferred" way to configure the ldap
server is to use the `ldapadd`,
> >
> > `ldapmodify`, and related commands. My confusion and
question here is.... should I try to configure all of this by editing the old slapd.conf
file as
> >
> > the openldap.org docs provide examples, or is there a
way to do this using the ldapmodify & related commands?
> >
> > o If I can / should do this from the command line...
are there any guides or tutorials that will take me step-by-step through the process as I
try to
> >
> > build this in a lab environment?
> >
> Chief Architect, OpenLDAP http://www.openldap.org/project/
8:46 a.m.
--On Thursday, December 23, 2021 3:32 PM +0000 David White
<dmwhite823(a)protonmail.com> wrote:
Thank you for your response and for nudging me towards the test
scripts.
Shortly after your email, I had to deal with an emergency, so am only now
circling back around to this.
I currently have the "ldap-utils" package installed from the base Ubuntu
repositories on Ubuntu 20.04. This is version 2.4.49 of openldap.
I then downloaded the source code for openldap-2.5.9, and have figured
out how to run "make test" to run all of the test scripts.
Unfortunately, the test045 script keeps failing because it says that the
necessary backend isn't even available, which is really confusing to me,
because I've ensured that back-mdb is enabled.
See below for output of `slapcat` as well as the modules enabled. Why is
the test045 script telling me that the "LDAP backend not available, test
skipped" when back-mdb and syncprov are both clearly available? Am I
missing something else?
The "ldap backend" is back-ldap. back-ldap is required to do proxied
syncreplication.
I'd suggest ignoring the Ubuntu packages entirely and using the free 2.5 or
2.6 packages provided by Symas for Ubuntu.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3:43 a.m.
Thank you, Quanah.
Is the recommendation to go with v2.5 or 2.6 because of limited features in v2.4 for what
I'm trying to do? My concern is that we have several OpenLDAP servers, and we need to
maintain the servers going forward. Obviously we can recompile, but that just adds
complexity to our company's infrastructure that is already handled by a distributed
team, and if at all possible, we'd prefer to use distro-provided packages.
That said, if there's a good reason that v2.4 won't be as easy to configure to do
what I need it to do, then I think I can sell my boss on the idea. We just need to have a
good patching plan in place going forward for these systems.
I did realize that back-ldap is required. I made a silly mistake, and was trying to load a
completely different module in slapd.conf (question and my own answer at
https://serverfault.com/questions/1088505/openldap-push-replication-via-p...
on the topic).
However, as I mentioned before, I'd really like to figure out how to build this system
using ldif instead of the old .conf format. All of the guides I've been able to find
thus far seem to reference the old .conf format, and only refer to basic proxy setups -- I
still haven't been able to find any clear instructions on how to setup an overlay on
the same system, with a push-based configurations.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 3rd, 2022 at 11:46 AM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
--On Thursday, December 23, 2021 3:32 PM +0000 David White
dmwhite823(a)protonmail.com wrote:
> Thank you for your response and for nudging me towards the test
scripts.
>
> Shortly after your email, I had to deal with an emergency, so am
only now
>
> circling back around to this.
>
> I currently have the "ldap-utils" package installed
from the base Ubuntu
>
> repositories on Ubuntu 20.04. This is version 2.4.49 of
openldap.
>
> I then downloaded the source code for openldap-2.5.9, and have
figured
>
> out how to run "make test" to run all of the test
scripts.
>
> Unfortunately, the test045 script keeps failing because it says
that the
>
> necessary backend isn't even available, which is really
confusing to me,
>
> because I've ensured that back-mdb is enabled.
>
> See below for output of `slapcat` as well as the modules
enabled. Why is
>
> the test045 script telling me that the "LDAP backend not
available, test
>
> skipped" when back-mdb and syncprov are both clearly
available? Am I
>
> missing something else?
The "ldap backend" is back-ldap. back-ldap is required to
do proxied
syncreplication.
I'd suggest ignoring the Ubuntu packages entirely and using the
free 2.5 or
2.6 packages provided by Symas for Ubuntu.
Regards,
Quanah
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by
OpenLDAP:
8:49 a.m.
This is starting to make more sense.
I found the OpenLDAP v2.6 repos that are provided by Symas at repo.symas.com, and I was
able to install it for Ubuntu 20.04.
Unfortunately, it now appears that I can't use "slapcat". I just installed
`ldap-utils` again from the base Ubuntu repositories (I couldn't find ldap-utils in
the Symas repos), so I can now run "ldapsearch" again, but am currently
troubleshooting with some search results that may or may not just be my fault and
inexperience using this software. I'll keep digging.
But to confirm, is it OK to use the Ubuntu "ldap-utils" package along side the
Symas-provided ldap server packages?
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 6:43 AM, David White <dmwhite823(a)protonmail.com>
wrote:
Thank you, Quanah.
Is the recommendation to go with v2.5 or 2.6 because of limited
features in v2.4 for what I'm trying to do? My concern is that we have several
OpenLDAP servers, and we need to maintain the servers going forward. Obviously we can
recompile, but that just adds complexity to our company's infrastructure that is
already handled by a distributed team, and if at all possible, we'd prefer to use
distro-provided packages.
That said, if there's a good reason that v2.4 won't be as
easy to configure to do what I need it to do, then I think I can sell my boss on the idea.
We just need to have a good patching plan in place going forward for these systems.
I did realize that back-ldap is required. I made a silly mistake, and
was trying to load a completely different module in slapd.conf (question and my own answer
at
https://serverfault.com/questions/1088505/openldap-push-replication-via-p...
on the topic).
However, as I mentioned before, I'd really like to figure out how
to build this system using ldif instead of the old .conf format. All of the guides
I've been able to find thus far seem to reference the old .conf format, and only refer
to basic proxy setups -- I still haven't been able to find any clear instructions on
how to setup an overlay on the same system, with a push-based configurations.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 3rd, 2022 at 11:46 AM, Quanah Gibson-Mount
quanah(a)symas.com wrote:
> --On Thursday, December 23, 2021 3:32 PM +0000 David White
>
> dmwhite823(a)protonmail.com wrote:
>
> > Thank you for your response and for nudging me towards the
test scripts.
> >
> > Shortly after your email, I had to deal with an emergency,
so am only now
> >
> > circling back around to this.
> >
> > I currently have the "ldap-utils" package
installed from the base Ubuntu
> >
> > repositories on Ubuntu 20.04. This is version 2.4.49 of
openldap.
> >
> > I then downloaded the source code for openldap-2.5.9, and
have figured
> >
> > out how to run "make test" to run all of the test
scripts.
> >
> > Unfortunately, the test045 script keeps failing because it
says that the
> >
> > necessary backend isn't even available, which is really
confusing to me,
> >
> > because I've ensured that back-mdb is enabled.
> >
> > See below for output of `slapcat` as well as the modules
enabled. Why is
> >
> > the test045 script telling me that the "LDAP backend
not available, test
> >
> > skipped" when back-mdb and syncprov are both clearly
available? Am I
> >
> > missing something else?
>
> The "ldap backend" is back-ldap. back-ldap is required
to do proxied
>
> syncreplication.
>
> I'd suggest ignoring the Ubuntu packages entirely and using
the free 2.5 or
>
> 2.6 packages provided by Symas for Ubuntu.
>
> Regards,
>
> Quanah
>
> Quanah Gibson-Mount
>
> Product Architect
>
> Symas Corporation
>
> Packaged, certified, and supported LDAP solutions powered by
OpenLDAP:
>
9:25 a.m.
--On Tuesday, January 4, 2022 4:49 PM +0000 David White
<dmwhite823(a)protonmail.com> wrote:
This is starting to make more sense.
I found the OpenLDAP v2.6 repos that are provided by Symas at
repo.symas.com, and I was able to install it for Ubuntu 20.04.
Unfortunately, it now appears that I can't use "slapcat". I just
installed `ldap-utils` again from the base Ubuntu repositories (I
couldn't find ldap-utils in the Symas repos), so I can now run
"ldapsearch" again, but am currently troubleshooting with some search
results that may or may not just be my fault and inexperience using this
software. I'll keep digging.
But to confirm, is it OK to use the Ubuntu "ldap-utils" package along
side the Symas-provided ldap server packages?
I suggest reading the documentation at <https://repo.symas.com/soldap/>
that explicitly lists which Symas packages contain what.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
9:55 a.m.
--On Tuesday, January 4, 2022 9:25 AM -0800 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
--On Tuesday, January 4, 2022 4:49 PM +0000 David White
<dmwhite823(a)protonmail.com> wrote:
> This is starting to make more sense.
> I found the OpenLDAP v2.6 repos that are provided by Symas at
> repo.symas.com, and I was able to install it for Ubuntu 20.04.
>
> Unfortunately, it now appears that I can't use "slapcat".
I'm also not quite sure what you mean by this. You can absolutely use
slapcat, but it needs to be the 2.6 version of slapcat that is a part of
the Symas packages, and not the 2.4 version from Ubuntu.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
12:04 p.m.
Thank you. I just ran "find /opt/symas -name 'slapcat'" and realized
that the binary does indeed exist. A simple `ln -s` into /usr/local/sbin did the trick.
I'm learning!
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 12:55 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
--On Tuesday, January 4, 2022 9:25 AM -0800 Quanah Gibson-Mount
quanah(a)symas.com wrote:
> --On Tuesday, January 4, 2022 4:49 PM +0000 David White
>
> dmwhite823(a)protonmail.com wrote:
>
> > This is starting to make more sense.
> >
> > I found the OpenLDAP v2.6 repos that are provided by Symas
at
> >
> > repo.symas.com, and I was able to install it for Ubuntu
20.04.
> >
> > Unfortunately, it now appears that I can't use
"slapcat".
I'm also not quite sure what you mean by this. You can absolutely
use
slapcat, but it needs to be the 2.6 version of slapcat that is a part
of
the Symas packages, and not the 2.4 version from Ubuntu.
--Quanah
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by
OpenLDAP:
12:12 p.m.
--On Tuesday, January 4, 2022 8:04 PM +0000 David White
<dmwhite823(a)protonmail.com> wrote:
Thank you. I just ran "find /opt/symas -name
'slapcat'" and realized that
the binary does indeed exist. A simple `ln -s` into /usr/local/sbin did
the trick.
I'm learning!
Better solution would be to adjust your PATH variable to include the symas
paths. But the Symas packages actually already do that, too... You just
have to log out/in to regenerate your shell env to pick them up.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
12:56 p.m.
Next question, and if this is veering off topic, or there is documentation somewhere that
I haven't found yet, I can try to go that route.
I have most of my cn=config rebuilt on Symas v2.6 that was originally in Ubuntu v2.4, but
for some reason, slapcat can't see it (I assumed that cn=config would be represented
with `-n 0`). Slapcat can only see my "real" database (which is represented with
'-n 1`). My permissions are still a little bit wonky though, because right now (on
v2.6), every time I run ldapsearch to get something out of the `cn=config` database, I
have to specify the following parameters for it to work: `-W -D "cn=config"
I can, for example, view the `cn=config` ACL that I have setup for a certain user:
root@ldap-provider:~# ldapsearch -H ldap:/// -LLL -b cn=config
'(olcSuffix=dc=example,dc=com)' olcAccess -W -D "cn=config"
Enter LDAP Password:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact="cn=replicate,dc=example,dc=com
m" read by * break
What am I missing here?
root@ldap-provider:~# slapcat -b cn=config
slapcat: could not open database.
root@ldap-provider:~# slapcat -n0
slapcat: could not open database.
root@ldap-provider:~# ldapsearch -H ldap:/// -x -s base -b "" + -LLL
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=example,dc=com
{snip}
root@ldap-provider:~# slapcat -n1 | grep "dn:"
dn: dc=example,dc=com
dn: dc=us,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: ou=Groups,dc=example,dc=com
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 3:12 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
--On Tuesday, January 4, 2022 8:04 PM +0000 David White
dmwhite823(a)protonmail.com wrote:
> Thank you. I just ran "find /opt/symas -name
'slapcat'" and realized that
>
> the binary does indeed exist. A simple `ln -s` into
/usr/local/sbin did
>
> the trick.
>
> I'm learning!
Better solution would be to adjust your PATH variable to include the
symas
paths. But the Symas packages actually already do that, too... You
just
have to log out/in to regenerate your shell env to pick them up.
--Quanah
1:01 p.m.
--On Tuesday, January 4, 2022 8:56 PM +0000 David White
<dmwhite823(a)protonmail.com> wrote:
Next question, and if this is veering off topic, or there is
documentation somewhere that I haven't found yet, I can try to go that
route.
I have most of my cn=config rebuilt on Symas v2.6 that was originally in
Ubuntu v2.4, but for some reason, slapcat can't see it (I assumed that
cn=config would be represented with `-n 0`). Slapcat can only see my
"real" database (which is represented with '-n 1`). My permissions are
still a little bit wonky though, because right now (on v2.6), every time
I run ldapsearch to get something out of the `cn=config` database, I have
to specify the following parameters for it to work: `-W -D "cn=config"
I've no idea what you've done, so really hard to say. I don't know what
parameters your slapd is running with, if it's even using a cn=config db
with the new binaries, etc.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1:30 p.m.
I'll keep digging, and will try not to veer off topic here. Thank you.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 4th, 2022 at 4:01 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
--On Tuesday, January 4, 2022 8:56 PM +0000 David White
dmwhite823(a)protonmail.com wrote:
> Next question, and if this is veering off topic, or there is
>
> documentation somewhere that I haven't found yet, I can try
to go that
>
> route.
>
> I have most of my cn=config rebuilt on Symas v2.6 that was
originally in
>
> Ubuntu v2.4, but for some reason, slapcat can't see it (I
assumed that
>
> cn=config would be represented with `-n 0`). Slapcat can only
see my
>
> "real" database (which is represented with '-n
1`). My permissions are still a little bit wonky though, because right now (on v2.6),
every time I run ldapsearch to get something out of the` cn=config`database, I have to
specify the following parameters for it to work:`-W -D "cn=config"
I've no idea what you've done, so really hard to say. I
don't know what
parameters your slapd is running with, if it's even using a
cn=config db
with the new binaries, etc.
--Quanah
11:21 p.m.
New subject: Antw: [EXT] Re: Guide to setup syncrepl with proxy‑based push config
>> David White <dmwhite823(a)protonmail.com> schrieb am
04.01.2022 um 21:56 in
Nachricht
<M4XIZ-Tt1gRAAT3xioaiNB_MDhGxw1LmqgiO5qOQz0CC5xphpB5h8UF6r2Qv-N641tn_xtdpBYIr75s
gdjXz_qGO40G1uvowznggQOeink=(a)protonmail.com>:
...
root@ldap-provider:~# slapcat -b cn=config
slapcat: could not open database.
root@ldap-provider:~# slapcat -n0
slapcat: could not open database.
Did you try the -v or -d option to get more info?
...
Regards,
Ulrich
3:55 a.m.
New subject: Antw: [EXT] Re: Guide to setup syncrepl with proxy‑based push config
That certainly gives me more information, but I still don't see anything in stdout
related to cn=config. Thank you for the suggestion.
Prior to starting the slapd daemon on v2.6, I did the following:
root@ldap-provider:~# history | grep slaptest | grep symas
1880 /opt/symas/sbin/slaptest -f /opt/symas/etc/openldap/slapd.conf -F
/var/symas/openldap-data/slapd.d/
By doing this, I thought I had created the cn=config database / converted from slapd.conf.
Perhaps I'm an idiot and cn=config doesn't actually exist, and all of my config
settings are being directly read from slapd.conf? But that still doesn't explain to me
why I can see the ACL that I (thought I) built into cn=config. I do see in the below
stdout that all of the modules, for example, are being loaded from slapd.conf. If I try to
move that .conf file out of the way, slapd refuses to start. I'm sure that I'm
still missing something obvious. I'll keep reading.
The following stdout is edited for brevity. When we get down to the bottom at #
id=00000001, that's coming from the -n1 database.
root@ldap-provider:~# slapcat -d -1 -v
slapcat init: initiated tool.
slap_sasl_init: initialized!
reading config file /opt/symas/etc/openldap/slapd.conf
/opt/symas/etc/openldap/slapd.conf: line 18 (include
/opt/symas/etc/openldap/schema/core.schema)
reading config file /opt/symas/etc/openldap/schema/core.schema
{snip}
reading config file /opt/symas/etc/openldap/schema/cosine.schema
{snip}
/opt/symas/etc/openldap/slapd.conf: line 21 (modulepath /opt/symas/lib/openldap)
/opt/symas/etc/openldap/slapd.conf: line 22 (moduleload back_mdb.la)
loaded module back_mdb.la
mdb_back_initialize: initialize MDB backend
mdb_back_initialize: LMDB 0.9.29: (March 16, 2021)
module back_mdb.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 23 (moduleload back_ldap.la)
loaded module back_ldap.la
module back_ldap.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 24 (moduleload syncprov.la)
loaded module syncprov.la
module syncprov.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 25 (moduleload pcache.la)
loaded module pcache.la
module pcache.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 26 (moduleload ppolicy.la)
loaded module ppolicy.la
module ppolicy.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 27 (moduleload memberof.la)
loaded module memberof.la
module memberof.la: null module registered
/opt/symas/etc/openldap/slapd.conf: line 29 (database mdb)
mdb_db_init: Initializing mdb database
/opt/symas/etc/openldap/slapd.conf: line 30 (suffix "dc=example,dc=com")
{snip}
slapcat startup: initiated.
backend_startup_one: starting "dc=example,dc=com"
mdb_db_open: "dc=example,dc=com"
mdb_db_open: database "dc=example,dc=com":
dbenv_open(/var/symas/openldap-data).
mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
=> mdb_entry_decode:
<= mdb_entry_decode
# id=00000001
{snip}
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, January 5th, 2022 at 2:21 AM, Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> > > David White dmwhite823(a)protonmail.com schrieb am
04.01.2022 um 21:56 in
Nachricht
<M4XIZ-Tt1gRAAT3xioaiNB_MDhGxw1LmqgiO5qOQz0CC5xphpB5h8UF6r2Qv-N641tn_xtdpBYIr75s
gdjXz_qGO40G1uvowznggQOeink=(a)protonmail.com>:
...
> root@ldap-provider:~# slapcat -b cn=config
>
> slapcat: could not open database.
>
> root@ldap-provider:~# slapcat -n0
>
> slapcat: could not open database.
Did you try the -v or -d option to get more info?
...
Regards,
Ulrich
451
days inactive
486
days old
openldap-technical@openldap.org
15 comments
4 participants
participants (4)
-
David White -
Howard Chu -
Quanah Gibson-Mount -
Ulrich Windl