*Ldap issue*
I tried to search using the command below and I am getting the following error:
ldapsearch -x -H ldap://127.0.0.1:389/ -D "cn=manager,ou=system,o=example" -w secret
*error:*
ldap_bind: Invalid credentials (49)
*My slapd.conf contents are as below:*
database bdb
suffix o=example.com
rootdn cn=manager,ou=system,o=example.com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
#rootpw {SSHA}JvA5Ovk302pb39afL2yVk9VeAeMNCZAm
# rootpw {crypt}ijFYNcSNctBYg
#access to *
# by * write
access to dn.subtree="o=example.com"
        by dn="cn=ldaproot,ou=system,o=example.com" write
        by * auth
allow update_anon
access to * by anonymous read
# This allows the ldaproot to extract as much info as possible from the DB
limits dn.exact="cn=ldaproot,ou=system,o=example.com" size=unlimited
        time=unlimited
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# logging setting
loglevel none
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
Hello,
I don't clearly understand what you're trying to achieve?
There are two possible ways to do encrypted connections:
- with StartTLS via port 389 (ldap:// - non-encrypted connections are still
possible, if configured in your slapd config)
- with SSL/TLS via 639 (ldaps://)
You can disable/enable each way in your /etc/sysconfig/openldap file.
Please read this: http://www.openldap.org/faq/data/cache/185.html
Bye, Benjamin
On Sat, Aug 27, 2011 at 12:00, pradyumna dash <neomatrixgem(a)gmail.com> wrote:
> List,
>
> It would be great if someone can share doc on TLS with OpenLDAP
> configuration on SLES 11, I tried all the possible ways to make it happen
> but no luck.
>
> I tried with both yast2 and by CA.pl and openssl commands, but no luck.
> When I do netstat -lnap | grep ldap it shows both 636 and 389 ports listening
> on the hostname. When I check the logs, the destination port it shows
> is 389.
>
> But when I try ldapsearch -x -H ldaps://hostname, it's also showing me the
> ldap contents, don't know what's wrong. I also tried to open
> /etc/sysconfig/openldap
> and assigned the LDAP service to run on 127.0.0.1, but if I do so then it's
> not able to get the server.
>
> Please help.
>
> Regards,
> Neo
>
--
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is
to do -- Sartre | Do be do be do -- Sinatra
>> Hi all,
>>
>> Taking advantage of the technical list for once and the OpenLDAP
>> "related" questions :-)
>>
>> Anyone messed with ejabberd and OpenLDAP? I'm looking for an XMPP
>> server with the best LDAP support.
>>
>> ejabberd does auth, rosters and vcards but the ability to load a list
>> of hosts/domains from LDAP like you can do
>> with Exim etc. would rule.
>>
>> Any suggestions?
>
>
> I went through this exercise, albeit some time ago, and ultimately settled
> on openfire. Others I considered at the time were ejabberd, in.jabberd,
> jabberd2, openfire, prosody, and tigase. None had what I would call
> fantastic LDAP support, but openfire came reasonably close, and offered
> other benefits which outweighed the areas in which its LDAP implementation
> lacked. Most notably, there was only support for ldaps, no StartTLS. I
> don't recall any providing the ability to read hosts or domains from LDAP.
> prosody also seemed to have promise, but at the time, it was too early in
> its development stages to be used as a daily service.
>
Yeah, I think I've settled on ejabberd as I need multiple domains. Quite
surprised you can't load up hosts via an RDBMS or directory server.
--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk
Reformatted:
>>>>>On 03/17/2017 04:27 PM, info(a)gwarband.de wrote:
>>>>>> Hello guys,
>>>>>>
>>>>>> actually I'm trying to configure dovecot to access openldap for
>>>>>> password check.
>>>>>> All data links:
>>>>>>
>>>>>> https://gwarband.de/openldap/dovecot.log
Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=149.172.171.148, lip=188.68.37.50, session=<gcDtzHFKbwCVrKuU>
>>>>>> https://gwarband.de/openldap/dovecot-ldap.conf
uris = ldap://ldap.gwarband.de
dn = cn=T000000002,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter = (&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
>>>>>> https://gwarband.de/openldap/openldap.log
Mar 11 10:48:38 s1 slapd[26962]: conn=1001 fd=14 ACCEPT from IP=188.68.37.50:60814 (IP=188.68.37.50:389)
Mar 11 10:48:38 s1 slapd[26962]: conn=1001 op=0 STARTTLS
Mar 11 10:48:38 s1 slapd[26962]: conn=1002 fd=15 ACCEPT from IP=188.68.37.50:60815 (IP=188.68.37.50:389)
Mar 11 10:48:38 s1 slapd[26962]: conn=1002 op=0 STARTTLS
Mar 11 10:49:42 s1 slapd[26962]: connection_get(14): got connid=1001
Mar 11 10:49:42 s1 slapd[26962]: connection_read(14): checking for input on id=1001
Mar 11 10:49:42 s1 slapd[26962]: connection_read(14): TLS accept failure error=-1 id=1001, closing
Mar 11 10:49:42 s1 slapd[26962]: connection_get(15): got connid=1002
Mar 11 10:49:42 s1 slapd[26962]: connection_read(15): checking for input on id=1002
Mar 11 10:49:42 s1 slapd[26962]: connection_read(15): TLS accept failure error=-1 id=1002, closing
Mar 11 10:49:42 s1 slapd[26962]: conn=1001 fd=14 closed (TLS negotiation failure)
Mar 11 10:49:42 s1 slapd[26962]: conn=1002 fd=15 closed (TLS negotiation failure)
>>>>>> https://gwarband.de/openldap/trace.dump
It appears that the client is sending an unbind request after the server
sends a successful starttls response.
>>>>>> The bug reporting link from openldap:
>>>>>>
>>>>>> http://www.openldap.org/its/index.cgi/Incoming?id=8615
>>>>Am 2017-03-17 22:48, schrieb Tomas Habarta:
>>>>> been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over
>>>>> the unix socket on the same machine, but tried over inet with
>>>>> STARTTLS and it's working ok... I would suggest double-checking
>>>>> key/certs setup on OpenLDAP side; for the test I have used LE certs,
>>>>> utilizing following cn=config attributes:
>>>>>
>>>>> olcTLSCertificateKeyFile contains private key
>>>>> olcTLSCertificateFile contains certificate
>>>>> olcTLSCACertificateFile contains both certs (DST Root CA X3
>>>>> and Let's Encrypt Authority X3)
>>>>>
>>>>> and used the same CA file in Dovecot's tls_ca_cert_file
>>>>> Is ldapsearch working ok (-ZZ) and only Dovecot has
>>>>> troubles or ... ?
>>>On 03/18/2017 09:41 AM, info(a)gwarband.de wrote:
>>>> I have also installed LE certs. But nothing helps, I have
>>>> double-checked all certs. ldapsearch with -ZZ works, see:
>>>>
>>>> https://gwarband.de/openldap/ldapsearch.log
ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"
>>>> I have also uploaded the TLSCACertificateFile, maybe I have a failure
>>>> in the merge of the two files:
>>>>
>>>> https://gwarband.de/openldap/LetsEncrypt.crt
>>>>
>>>> And also I have uploaded my complete openldap configuration:
>>>>
>>>> https://gwarband.de/openldap/openldap.conf
# Certificate
TLSCACertificateFile /etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin 3.1
TLSVerifyClient never
>>>> All other components can work and communicate with my openldap
>>>> server. The components are postfix, openxchange, apache
>>>> (phpldapadmin). My installed software is:
>>>>
>>>> Debian 8
>>>> OpenLDAP 2.4.40
>>>> Dovecot 2.2.13
>>Am 2017-03-18 12:30, schrieb Tomas Habarta:
>>> Well, if ldapsearch works, try to replicate its settings for dovecot
>>> client. It's not obvious what settings ldapsearch uses, have a look
>>> at default client settings in /etc/openldap/ldap.conf, there may be
>>> something set a slightly different way. Also double check permissions
>>> for files used by dovecot, I mean mainly the file listed for
>>> tls_ca_cert_file as dovecot may not have an access for reading... I
>>> cannot see anything downright bad, just posted CA cert (which is ok,
>>> tested) is *.crt and your config mentions *.pem but I consider it's
>>> the same file. Finally, I would recommend to enable debug option for
>>> dovecot's client
>>>
>>> debug_level = -1 (which logs all available) in your dovecot-ldap.conf
>>>
>>> to see what the library reports and work further on that. You can
>>> compare with output from ldapsearch by adding -d-1 switch to it. Hard
>>> to tell more at the moment.
What are the contents of /etc/ldap/ldap.conf?
>On 03/18/2017 01:31 PM, info(a)gwarband.de wrote:
>> I've replicated the settings from ldapsearch to dovecot but no success.
>>
>> To the certificate:
>>
>> Yes it's a *.crt file but I have linked the *.pem file to it and
>> dovecot has read access to that file. I have enabled the debugging in
>> dovecot and have uploaded the output:
>>
>> https://gwarband.de/openldap/dovecot-connect.log
Mar 18 12:43:31 s1 dovecot: auth: Error: ldap_extended_operation_s
Mar 18 12:43:31 s1 dovecot: auth: Error: ldap_extended_operation
Mar 18 12:43:31 s1 dovecot: auth: Error: ldap_connect_to_host: TCP ldap.gwarband.de:389
Mar 18 12:43:31 s1 dovecot: auth: Error: connect success
Mar 18 12:43:31 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: Connect error
>>
>> And the other side with ldapsearch:
>>
>> https://gwarband.de/openldap/ldapsearch-connect.log
>>
>> I'm pretty sure that there is a problem with the SSL handshaking between
>> openldap and dovecot, but I can't find the source of the problem. One
>> of the steps in the SSL handshaking is not successful, but in the debugging
>> output I can't find any line with a hint to it.
Am 2017-03-18 14:01, schrieb Tomas Habarta:
> Increase log level on server side as well to see what the server says...
> You may remove anything in TLSCipherSuite for the purpose of testing
> too. Hopefully anyone knowing OpenLDAP internals could help you analyse
> it more deeply.
Your ldapsearch command should reference your ldap.conf config
(ldap.conf(5)), and your dovecot-ldap.conf (assuming that it uses libldap)
will also, but overwrite any settings using dovecot-ldap.conf. Compare any
differences.
Look for permissions problems. Run your ldapsearch command as the same user
dovecot runs under.
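The slapd log excerpt above shows both dovecot connections requesting STARTTLS and being closed 64 seconds later with "TLS negotiation failure", while ldapsearch -ZZ against the same server succeeds. As an added example that is not part of the thread, this parser groups slapd log lines by conn=, attaches the connection_read "TLS accept failure" lines to the same connection via their id=, and reports connections that asked for STARTTLS but were closed by the server for a TLS reason, together with how long they sat open. The sample input is the six conn= lines and two connection_read lines from the post plus a constructed successful connection (conn=1003) for contrast; year-less syslog timestamps are parsed only for deltas.

```python
import re
from datetime import datetime

# Constructed sample: the post's lines for conn=1001/1002 plus a made-up healthy conn=1003
SAMPLE_LOG = """\
Mar 11 10:48:38 s1 slapd[26962]: conn=1001 fd=14 ACCEPT from IP=188.68.37.50:60814 (IP=188.68.37.50:389)
Mar 11 10:48:38 s1 slapd[26962]: conn=1001 op=0 STARTTLS
Mar 11 10:48:38 s1 slapd[26962]: conn=1002 fd=15 ACCEPT from IP=188.68.37.50:60815 (IP=188.68.37.50:389)
Mar 11 10:48:38 s1 slapd[26962]: conn=1002 op=0 STARTTLS
Mar 11 10:49:42 s1 slapd[26962]: connection_read(14): TLS accept failure error=-1 id=1001, closing
Mar 11 10:49:42 s1 slapd[26962]: connection_read(15): TLS accept failure error=-1 id=1002, closing
Mar 11 10:49:42 s1 slapd[26962]: conn=1001 fd=14 closed (TLS negotiation failure)
Mar 11 10:49:42 s1 slapd[26962]: conn=1002 fd=15 closed (TLS negotiation failure)
Mar 11 10:50:01 s1 slapd[26962]: conn=1003 fd=16 ACCEPT from IP=127.0.0.1:41000 (IP=127.0.0.1:389)
Mar 11 10:50:01 s1 slapd[26962]: conn=1003 op=0 STARTTLS
Mar 11 10:50:01 s1 slapd[26962]: conn=1003 op=0 RESULT oid= err=0 text=
Mar 11 10:50:01 s1 slapd[26962]: conn=1003 op=1 BIND dn="cn=admin,dc=gwarband,dc=de" method=128
Mar 11 10:50:01 s1 slapd[26962]: conn=1003 op=1 RESULT tag=97 err=0 text=
Mar 11 10:50:02 s1 slapd[26962]: conn=1003 op=2 UNBIND
Mar 11 10:50:02 s1 slapd[26962]: conn=1003 fd=16 closed
"""

LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: (?P<rest>.*)$")
CONN = re.compile(r"^conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<peer>\S+) ")
OP = re.compile(r"^op=\d+ (?P<name>\S+)")
CLOSED = re.compile(r"^fd=\d+ closed(?: \((?P<reason>[^)]*)\))?$")
TLS_FAIL = re.compile(r"TLS accept failure error=(?P<err>-?\d+) id=(?P<conn>\d+)")


def new_conn():
    return {"peer": None, "opened": None, "ops": [], "closed": None, "reason": None, "tls_error": None}


def parse_slapd_log(lines):
    """Group slapd 'stats' log lines into one record per connection id."""
    conns = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # no year in syslog stamps; deltas only
        rest = m["rest"]
        f = TLS_FAIL.search(rest)
        if f:  # connection_read(..) lines carry id= rather than conn=
            conns.setdefault(f["conn"], new_conn())["tls_error"] = int(f["err"])
            continue
        c = CONN.match(rest)
        if not c:
            continue
        rec = conns.setdefault(c["conn"], new_conn())
        rest = c["rest"]
        a = ACCEPT.match(rest)
        if a:
            rec["peer"], rec["opened"] = a["peer"], ts
            continue
        o = OP.match(rest)
        if o:
            if o["name"] != "RESULT":  # keep the request names only
                rec["ops"].append(o["name"])
            continue
        k = CLOSED.match(rest)
        if k:
            rec["closed"], rec["reason"] = ts, k["reason"]
    return conns


def starttls_failures(conns):
    """Connections that asked for STARTTLS and were closed by the server for a TLS reason."""
    out = []
    for cid, c in sorted(conns.items()):
        if "STARTTLS" in c["ops"] and c["reason"] and "TLS" in c["reason"]:
            secs = (c["closed"] - c["opened"]).total_seconds() if c["opened"] else None
            out.append({"conn": cid, "peer": c["peer"], "seconds_open": secs,
                        "tls_error": c["tls_error"], "reason": c["reason"]})
    return out


if __name__ == "__main__":
    for f in starttls_failures(parse_slapd_log(SAMPLE_LOG.splitlines())):
        print(f)
```

Feed it `journalctl -u slapd` or the syslog file and compare the failing peer and timing against the client's own debug output; a connection that sends STARTTLS and then nothing until the server gives up looks different from one whose handshake is rejected immediately.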
Hi.
I have a replication setup.
Full replication of o=company, but the user for replication (uid=replica,ou=users,o=company) is limited by ACL.
Master configuration:
access to dn.subtree="ou=users,o=company" attrs=userPassword
        by anonymous auth
access to dn.base="o=company"
        by dn.exact="uid=replica,ou=users,o=company" read
access to dn.subtree="ou=dev,o=company"
        by dn.exact="uid=replica,ou=users,o=company" read
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "o=company"
rootdn "cn=ldapadm,o=company"
rootpw password
directory /var/db/openldap-data/o=company
overlay syncprov
Slave configuration:
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "o=company"
rootdn "cn=ldapadm,o=company"
rootpw password
directory /var/db/openldap-data/o=company
syncrepl rid=001
        provider=ldap://ro1.devel.ldap.company.ru:389
        type=refreshAndPersist
        retry="5 10 300 +"
        searchbase="o=company"
        scope=sub
        schemachecking=off
        starttls=critical
        bindmethod=simple
        tls_reqcert=never
        binddn="uid=replica,ou=users,o=company"
        credentials="password"
Replication works.
When I move an object into a subtree forbidden by ACL, no information about this modification goes to the replica server,
e.g. operation on master server:
dn: ou=groups2,ou=dev,o=company
changetype: moddn
newrdn: ou=groups2
deleteoldrdn: 1
newsuperior: ou=corp,o=company
This object is not deleted and contextCSN is not updated on the replica.
Is it expected behavior or not?
--
Konstantin Menshikov
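Konstantin's question is whether a moddn that carries an entry out of the subtree the replica identity may read should leave the consumer untouched. The thread does not answer it, so, as an added example that is not part of the post, here is a check a practitioner can run to spot exactly that drift: compare slapcat output from provider and consumer, restricted to the subtrees the replication identity can read, and compare the suffix entry's contextCSN. The two LDIF dumps are constructed to model the state after the moddn in the post (the entry now lives under ou=corp on the provider while the consumer still holds it under ou=dev); the LDIF reader handles continuation lines and base64 values but nothing more.

```python
import base64

# Constructed provider dump after the moddn from the post
MASTER_LDIF = """\
dn: o=company
objectClass: organization
o: company
contextCSN: 20170318120100.000000Z#000000#000#000000

dn: ou=dev,o=company
objectClass: organizationalUnit
ou: dev

dn: ou=corp,o=company
objectClass: organizationalUnit
ou: corp

dn: ou=groups2,ou=corp,o=company
objectClass: organizationalUnit
ou: groups2
"""

# Constructed consumer dump: the entry is still under ou=dev and the CSN was not advanced
REPLICA_LDIF = """\
dn: o=company
objectClass: organization
o: company
contextCSN: 20170318120000.000000Z#000000#000#000000

dn: ou=dev,o=company
objectClass: organizationalUnit
ou: dev

dn: ou=groups2,ou=dev,o=company
objectClass: organizationalUnit
ou: groups2
"""


def parse_ldif(text):
    """Minimal slapcat-style LDIF reader: {dn: {attr: [values]}} with DNs and attribute names lower-cased."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF continuation line
        else:
            unfolded.append(raw)
    entries, cur = {}, None
    for line in unfolded + [""]:
        if line == "":
            if cur is not None:
                entries[cur[0]] = cur[1]
                cur = None
            continue
        if line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        if val.startswith(":"):              # "attr:: base64"
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        else:
            val = val.strip()
        if key.lower() == "dn":
            cur = (val.lower(), {})
        elif cur is not None:
            cur[1].setdefault(key.lower(), []).append(val)
    return entries


def under(dn, subtree):
    return dn == subtree or dn.endswith("," + subtree)


def compare_replica(master, replica, suffix, visible_subtrees):
    """Report drift, restricted to the subtrees the replication identity may read on the provider."""
    def visible(dn):
        return any(under(dn, s) for s in visible_subtrees)
    m = {dn for dn in master if visible(dn)}
    r = {dn for dn in replica if visible(dn)}
    csn_m = master.get(suffix, {}).get("contextcsn", [])
    csn_r = replica.get(suffix, {}).get("contextcsn", [])
    return {
        "missing_on_replica": sorted(m - r),   # readable on the provider, absent on the consumer
        "stale_on_replica": sorted(r - m),     # present on the consumer, gone from the readable set
        "contextcsn_in_sync": csn_m == csn_r,
    }


if __name__ == "__main__":
    report = compare_replica(parse_ldif(MASTER_LDIF), parse_ldif(REPLICA_LDIF),
                             "o=company", ["ou=dev,o=company"])
    print(report)
```

With real data, produce the inputs with `slapcat -n 1` on both hosts (as the rootdn, so the provider side is complete) and pass the same subtrees the replica identity is granted read on; anything in stale_on_replica is content the consumer holds that the replication identity can no longer see on the provider.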
Comment below.
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Tuesday, June 25, 2013 12:27 PM
To: Rodney Simioni; openldap-technical(a)openldap.org
Subject: RE: openldap and MozNSS
--On Tuesday, June 25, 2013 11:40 AM -0400 Rodney Simioni <rodney.simioni(a)verio.net> wrote:
> I'm getting further, I went to http://ltb-project.org and downloaded a
> newer version of openldap. BTW, thank you, it's a nice site.
>
> But when I do a 'ldapsearch -d -1 -x -LLL -ZZ', I'm getting "
> unsupported extended operation"
>
> Does anybody have a clue?
I would advise you to specifically use -H <URI> so it is clear what you are connecting to and how. For example, -ZZ requests startTLS, but if you are using an ldaps:// URI, that makes no sense, because they are mutually exclusive.
[[Rod's comment]] I'm using '-H', I'm still getting 'unsupported extended operation', but thanks.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
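The distinction Benjamin draws earlier on this page (StartTLS on 389 versus ldaps on 636) and the "unsupported extended operation" Rod reports both come down to one LDAP extended operation. As an added example that is not part of either post, the block below encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) as the BER that ldapsearch -Z sends on a plain ldap:// connection, decodes the ExtendedResponse, and applies the client rule from ldapsearch(1): -Z proceeds without TLS if the operation fails, -ZZ aborts. Over ldaps:// the request is never sent, which is why Quanah calls the two mutually exclusive. The responses are constructed; the error text "unsupported extended operation" is the one quoted in the post, and pairing it with result code protocolError (2) is this example's assumption. Message IDs below 128 are assumed so they fit one BER byte.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element)."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName 1.3.6.1.4.1.1466.20037 } }."""
    name = tlv(0x80, STARTTLS_OID)    # requestName [0] LDAPOID, context-specific primitive
    exop = tlv(0x77, name)            # ExtendedRequest [APPLICATION 23], constructed
    return tlv(0x30, tlv(0x02, bytes([message_id])) + exop)   # message_id < 128 assumed


def extended_response(message_id, result, diag=b"", name=None):
    """Constructed server reply: resultCode, empty matchedDN, diagnosticMessage, optional responseName."""
    body = tlv(0x0A, bytes([result])) + tlv(0x04, b"") + tlv(0x04, diag)
    if name is not None:
        body += tlv(0x8A, name)       # responseName [10]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x78, body))   # [APPLICATION 24]


def parse_extended_response(msg):
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse, tag 0x%02x" % tag)
    _, rc, pos = read_tlv(op)             # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)   # matchedDN
    _, diag, pos = read_tlv(op, pos)      # diagnosticMessage
    name = None
    while pos < len(op):                  # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:
            name = val.decode("ascii")
    return {"id": int.from_bytes(mid, "big"), "result": int.from_bytes(rc, "big"),
            "diag": diag.decode("utf-8"), "name": name}


def starttls_outcome(response, require_success):
    """Client decision after the reply: -Z continues in cleartext on failure, -ZZ aborts."""
    r = parse_extended_response(response)
    if r["result"] == 0:
        return "tls"
    return "abort" if require_success else "cleartext"


if __name__ == "__main__":
    print(starttls_request(1).hex())
    failed = extended_response(1, 2, b"unsupported extended operation")
    print(parse_extended_response(failed), starttls_outcome(failed, require_success=True))
```

The bytes from starttls_request are what appears on the wire right after the TCP connect in a `ldapsearch -d -1 -ZZ -H ldap://host` trace; a server that answers with a non-zero resultCode here has no usable StartTLS, which is independent of whatever is listening on 636.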
Hello,
I have been trying to configure my slave LDAP servers to send changes to the master servers.
From what I have been able to understand from previous mailing lists and various Google searches, I need to configure an olcUpdateref on the slave and then add the chaining overlay (I think it should be on the olcDatabase{-1}frontend database from everything I have read; however, slaptest using the openldap-2.4.36 slapd-chain2.conf as the seed generates the overlay atop the declared database…)
Everything I have been trying results in a failure:
ldap_modify: Server is unwilling to perform (53)
additional info: operation restricted
I cannot for the life of me figure out what needs to be done to enable this.
Any help would be appreciated, my ldifs are included below.
-Russell J. Jancewicz
University of Connecticut
dn: olcDatabase={1}mdb,cn=config
…
olcUpdateref: ldap://master.example.com
…
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: FALSE
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://master.example.com"
olcDbStartTLS: start starttls=no
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,dc=example,dc=com" credentials="<SECRET>" keepalive=0:0:0
olcDbIDAssertAuthzFrom: *
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
>>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am 13.11.2013 um 19:07 in
Nachricht <58534BED9C430B31FE4F6B5E(a)[192.168.1.93]>:
> --On Wednesday, November 13, 2013 1:02 PM -0500 "Darouichi, Aziz"
> <adarouic(a)post03.curry.edu> wrote:
>
>> Is it necessary to upgrade? I have to take my case to Management...!!!!
>
> Well, that depends. Do you want syncrepl to work, or do you want it to not
> work? I strongly advise you to read the changelog for OpenLDAP so you can
> see the numerous fixes to syncrepl replication since 2.4.23 was released.
Let me comment that I run a multi-master configuration with openldap2-2.4.26-0.16.1 (SLES11 SP2) successfully. I haven't tested network outages, but I restarted individual servers, and there were no problems.
For the update: I contacted support, and they told me I'll have to demonstrate them how many $$ we would gain by using a later version. At that point I stopped arguing.
olcSyncrepl: {0}rid=1 provider="ldap://server.de/"
searchbase="cn=config" type="refreshAndPersist" retry="120 +" starttls=critical tls_reqcert=demand bindmethod="simple" binddn="uid=syncrepl,ou=system,dc=server,dc=de" credentials="youdontexpectittobehere,right?"
Regards,
Ulrich
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Architect - Server
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
Hi folks,
first of all thanks to all comments about my previous posts!
Finally I'm faced with hopefully the last authentication problem, and maybe
someone could tell me an answer or point me once more in the
right direction.
My consumer server should bind to the provider using SASL with the
saslmech EXTERNAL. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3)
I've changed the slapd.conf files on both servers:
consumer:
syncrepl ...
bindmethod=sasl
saslmech=EXTERNAL
starttls=yes
provider:
authz-regexp
        "dn=email=webmaster(a)filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de"
        "cn=replicator,dc=filmakademie,dc=de"
after restarting both servers I do get the error:
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such
file or directory
I've searched my docs and online howtos and found postings about "know
SASL before using OpenLDAP", but the SASL docs didn't help either.
Thanks for any help and best regards,
Götz
--
Götz Reinicke
IT-Koordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke(a)filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Eintragung Amtsgericht Stuttgart HRB 205016
Vorsitzende des Aufsichtsrats:
Prof. Dr. Claudia Hübner
Geschäftsführer:
Prof. Thomas Schadt
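Götz's authz-regexp maps a certificate subject to cn=replicator. slapd matches authz-regexp against the SASL authentication identity, which for EXTERNAL over TLS is the string "dn:" followed by the certificate subject in LDAP order, and substitutes $1..$9 from the match into the replacement. As an added example that is not part of the post, the block builds that identity from a constructed certificate subject carrying the same values Götz's pattern names and runs three rules against it: the pattern from the post as written (with "(a)" read back as "@"), an anchored form of it, and a constructed generic rule that derives the DN from the certificate's cn. The subject-to-identity conversion (lower-cased attribute names and values, most-specific RDN first) is this example's assumption about slapd's normalised form; confirm against `slapd -d` output on your own build. The sasldb2 error from the post is not modelled here.

```python
import re


def sasl_identity_from_subject(subject_rdns):
    """'dn:' + subject in LDAP order (most specific first), names and values lower-cased.
    subject_rdns is given in X.509 order, most general first. Normalisation is an assumption."""
    return "dn:" + ",".join(f"{a.lower()}={v.lower()}" for a, v in reversed(subject_rdns))


def authz_regexp(identity, rules):
    """First rule whose pattern matches wins; matching is unanchored and case-insensitive,
    as with regexec() in slapd, and $1..$9 in the replacement come from the match groups."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity, re.IGNORECASE)
        if m:
            return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)
    return None


# Pattern from the post, as written, with "(a)" read back as "@"
POSTED_RULE = (
    r"dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,"
    r"o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de",
    "cn=replicator,dc=filmakademie,dc=de",
)

# Constructed: the same subject, with the dn: prefix, anchors, and escaped dots
ANCHORED_RULE = (
    r"^dn:email=webmaster@filmakademie\.de,cn=ldap2\.filmakademie\.de,ou=it officenet,"
    r"o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de$",
    "cn=replicator,dc=filmakademie,dc=de",
)

# Constructed: any certificate with that issuer-controlled subject shape maps to a DN built
# from its cn; [^,]+ stops a crafted cn from injecting further RDNs into the resulting DN
GENERIC_RULE = (
    r"^dn:email=[^,]+,cn=([^,]+),ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
    r"l=ludwigbsburg,st=baden-wuerttemberg,c=de$",
    "cn=$1,ou=replicas,dc=filmakademie,dc=de",
)

# Constructed certificate subject in X.509 order, values taken from the post's pattern
CERT_SUBJECT = [("C", "DE"), ("ST", "Baden-Wuerttemberg"), ("L", "Ludwigbsburg"),
                ("O", "Filmakademie Baden-Wuerttemberg GmbH"), ("OU", "IT OfficeNet"),
                ("CN", "ldap2.filmakademie.de"), ("email", "webmaster@filmakademie.de")]


if __name__ == "__main__":
    ident = sasl_identity_from_subject(CERT_SUBJECT)
    print(ident)
    for label, rule in (("posted", POSTED_RULE), ("anchored", ANCHORED_RULE), ("generic", GENERIC_RULE)):
        print(label, "->", authz_regexp(ident, [rule]))
```

Paste the `dn:` line that slapd logs for the SASL identity into sasl_identity_from_subject's place and run your own authz-regexp through authz_regexp before restarting the provider; a rule that returns None here will also fail to map on the server, and with simple bind the replication credentials then never reach the replicator entry.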
Hi
We are planning a migration from openldap 2.4.20 (with bdb 4.8) to openldap
2.4.33 (bdb 5.1.29).
The number of users is 4 million, and we are about to go live within the next 10 days.
We are using a flat file for configuration.
Below are my slapd.conf and DB_CONFIG files:
include /apps/openldap/etc/openldap/schema/core.schema
include /apps/openldap/etc/openldap/schema/cosine.schema
include /apps/openldap/etc/openldap/schema/nis.schema
include /apps/openldap/etc/openldap/schema/inetorgperson.schema
include /apps/openldap/etc/openldap/schema/openldap.schema
include /apps/openldap/etc/openldap/schema/dyngroup.schema
include /apps/openldap/etc/openldap/schema/ppolicy.schema
include /apps/openldap/etc/openldap/schema/channelIdentifier.schema
include /apps/openldap/etc/openldap/schema/platform.schema
include /apps/openldap/etc/openldap/schema/extendedProfileKey.schema
include /apps/openldap/etc/openldap/schema/extendedProfileValue.schema
include /apps/openldap/etc/openldap/schema/behaviorKey.schema
include /apps/openldap/etc/openldap/schema/behaviorValue.schema
include /apps/openldap/etc/openldap/schema/questionAnswer.schema
include /apps/openldap/etc/openldap/schema/extendedTop.schema
include /apps/openldap/etc/openldap/schema/counter.schema
pidfile /apps/openldap/var/run/slapd.pid
argsfile /apps/openldap/var/run/slapd.args
logfile /apps/logs/ldap
loglevel 16640
database bdb
suffix "dc=ibm,dc=com"
access to attrs=userPassword
        by self write
        by anonymous auth
        by * break
access to *
        by group/groupOfUniqueNames/uniqueMember.exact="cn=VWrite,ou=businessUsersGroup,dc=ibm,dc=com" manage
        by group/groupOfUniqueNames/uniqueMember.exact="cn=VRead,ou=businessUsersGroup,dc=ibm,dc=com" read
        by * break
access to *
        by self write
        by anonymous auth
        by * read
rootdn "cn=Manager,dc=ibm,dc=com"
rootpw {SSHA}dXDFSQeFjSoa/A1HfJ3TAzYf8
################## SSL ##########################################
#
#TLSVerifyClient allow
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificateFile /apps/openldap/etc/openldap/cacerts/nascarcacert.pem
TLSCertificateFile /apps/openldap/etc/openldap/cacerts/sj.crt
TLSCertificateKeyFile /apps/openldap/etc/openldap/cacerts/sj.key
#
index entryCSN eq
index entryUUID eq
index mail,uid,postalCode,smail,channelType,channelValue,answer,behavName,objectclass,tokenID,type eq
index givenName,sn,city,question,behavValue,cn,extName sub
index displayName approx
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverid 3
syncrepl rid=111
        provider=ldap://mmprod04
        binddn="cn=Manager,dc=ibm,dc=com"
        bindmethod=simple
        starttls=yes
        tls_reqcert=allow
        credentials=G00gle#
        searchbase="dc=ibm,dc=com"
        type=refreshAndPersist
        retry="5 5 300 +"
        interval=00:00:00:10
syncrepl rid=222
        provider=ldap://mmprod05
        binddn="cn=Manager,dc=ibm,dc=com"
        bindmethod=simple
        starttls=yes
        tls_reqcert=allow
        credentials=G00gle#
        searchbase="dc=idm,dc=com"
        type=refreshAndPersist
        retry="5 5 300 +"
        interval=00:00:00:10
mirrormode TRUE
cachesize 100000
idlcachesize 300000
lastmod on
checkpoint 128 15
concurrency 100
directory /apps/openldap/var/openldap-data
overlay unique
unique_attributes mail
overlay ppolicy
ppolicy_default "cn=default,ou=pwdPolicy,dc=idm,dc=com"
ppolicy_use_lockout
DB_CONFIG
set_cachesize 0 4294967295 0
set_lg_regionmax 2048576
set_lg_max 20485760
set_lg_bsize 2097152
set_lk_max_locks 10000
set_lk_max_objects 5000
set_lk_max_lockers 5000
My queries are:
1. What should be taken care of (best practices)?
2. For data migration, will db_hotbackup work?
3. Can the same flat-file method be used? If not, what would be the way to go?
4. Anything else I should be aware of that is critical?
--
Thanks & Regards
Anil Beniwal
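Anil's first question asks for best practices before moving a 4-million-entry directory. The block below is an added example, not from the post: a small linter for the flat-file slapd.conf format that unfolds continuation lines and reports the settings a reviewer would query in a configuration like the one above: a cleartext rootpw (as in the first post on this page), syncrepl consumers with tls_reqcert=allow or never (the provider certificate is not verified), starttls=yes rather than critical (the consumer continues in cleartext if StartTLS fails), a searchbase outside the database suffix, and replication bound as the rootdn. The sample configuration is constructed after the posted one with the credential replaced; treating a missing tls_reqcert as demand follows the ldap.conf(5) default and is an assumption here.

```python
import shlex

# Constructed after the posted slapd.conf; credential replaced, unrelated directives dropped
SAMPLE_CONF = """\
database bdb
suffix "dc=ibm,dc=com"
rootdn "cn=Manager,dc=ibm,dc=com"
rootpw {SSHA}dXDFSQeFjSoa/A1HfJ3TAzYf8
overlay syncprov
syncrepl rid=111
        provider=ldap://mmprod04
        binddn="cn=Manager,dc=ibm,dc=com"
        bindmethod=simple
        starttls=yes
        tls_reqcert=allow
        credentials=secret
        searchbase="dc=ibm,dc=com"
        type=refreshAndPersist
        retry="5 5 300 +"
syncrepl rid=222
        provider=ldap://mmprod05
        binddn="cn=Manager,dc=ibm,dc=com"
        bindmethod=simple
        starttls=critical
        tls_reqcert=demand
        credentials=secret
        searchbase="dc=idm,dc=com"
        type=refreshAndPersist
mirrormode TRUE
directory /apps/openldap/var/openldap-data
"""


def unfold(text):
    """slapd.conf: a line starting with whitespace continues the previous directive; '#' starts a comment."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_slapd_conf(text):
    """Return (global_directives, databases); each database keeps its directives and parsed syncrepl blocks."""
    global_dirs, dbs, cur = {}, [], None
    for line in unfold(text):
        toks = shlex.split(line)          # strips the quotes around DNs and retry strings
        key, args = toks[0].lower(), toks[1:]
        if key == "database":
            cur = {"backend": args[0], "syncrepl": []}
            dbs.append(cur)
        elif key == "syncrepl" and cur is not None:
            cur["syncrepl"].append(dict(a.split("=", 1) for a in args if "=" in a))
        elif cur is not None:
            cur.setdefault(key, []).append(args)
        else:
            global_dirs.setdefault(key, []).append(args)
    return global_dirs, dbs


def under(dn, suffix):
    return dn == suffix or dn.endswith("," + suffix)


def lint(dbs):
    """Findings as (code, where) tuples."""
    findings = []
    for db in dbs:
        suffix = db.get("suffix", [[""]])[0][0].lower()
        rootdn = db.get("rootdn", [[""]])[0][0].lower()
        for args in db.get("rootpw", []):
            if not args[0].startswith("{"):            # no {SSHA}/{CRYPT}/... scheme prefix
                findings.append(("CLEARTEXT_ROOTPW", suffix))
        for sr in db["syncrepl"]:
            rid = sr.get("rid", "?")
            if sr.get("tls_reqcert", "demand").lower() in ("never", "allow"):
                findings.append(("PROVIDER_CERT_NOT_VERIFIED", rid))
            if sr.get("starttls", "no").lower() == "yes":   # 'critical' is the fail-closed value
                findings.append(("STARTTLS_NOT_CRITICAL", rid))
            base = sr.get("searchbase", "").lower()
            if suffix and base and not under(base, suffix):
                findings.append(("SEARCHBASE_OUTSIDE_SUFFIX", rid))
            if rootdn and sr.get("binddn", "").lower() == rootdn:
                findings.append(("REPLICATES_AS_ROOTDN", rid))
    return findings


if __name__ == "__main__":
    _, databases = parse_slapd_conf(SAMPLE_CONF)
    for code, where in lint(databases):
        print(f"{code:28s} {where}")
```

Run it against the real file before `slaptest`; it does not replace slaptest's syntax check, it only surfaces settings that slaptest accepts as valid but a security review would not.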