We have OpenLDAP 2.3 running on Linux. It is set up in SASL mode authenticating
against multiple ADs. Everything works fine there, which is our Production env.
We recently installed a new instance of OpenLDAP 2.4.23 running on RedHat Linux 6
in our Dev and QA env. Then, we moved the slapd.conf and slapd-meta.conf file to
the new instance, and created the required users.
When we run testsaslauthd, we are successfully able to authenticate against the
appropriate AD that the user is under.
testsaslauthd -u ravi@SONEPAR -p secret - WORKS
ldapsearch -x -D uid=ravi,ou=People,ou=company,dc=inside,dc=devserver,dc=com -w secret
results in: ldap_bind: Invalid credentials (49)
But when we do an ldapsearch or connect using LDAP Browser, the user is not able
to get authenticated. We are not able to bind to the OpenLDAP by using the same credentials.
I get an Invalid credentials err 49, which indicates either that the credentials are incorrect,
which in this case they are not, or that the bind info is incorrect.
It seems as though the user is not able to bind to OpenLDAP 2.4, or it does not know how
to. When I change the password from {SASL}ralthuru@SONEPAR to plain text, say "secret", it works fine.
Here is the log output from the same user authentication in OpenLDAP 2.3 and OpenLDAP 2.4:
SUCCESS - QA 2.4 - testsaslauthd -u ralthuru@SONEPAR -p secret
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:44500 (IP=127.0.0.1:391)
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" method=128
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 RESULT tag=97 err=0 text=
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))"
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH attr=dn
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND anonymous mech=implicit ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" method=128
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 RESULT tag=97 err=0 text=
SUCCESS - QA 2.4 - login as cn=Manager/Password1 from LDAP Browser
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from IP=10.108.138.66:64931 (IP=0.0.0.0:389)
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 op=1 UNBIND
Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 fd=12 closed
FAIL - QA 2.4 - login as uid=ralthuru/Sonepar123 from LDAP Browser
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 closed
SUCCESS - PRODUCTION 2.3 - testsaslauthd -u ralthuru@SONEPAR -p secret
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND anonymous mech=implicit ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 RESULT tag=97 err=0 text=
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH attr=dn
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND anonymous mech=implicit ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 RESULT tag=97 err=0 text=
SUCCESS - PRODUCTION 2.3 - login as uid=ralthuru/secret from LDAP Browser
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 fd=15 ACCEPT from IP=10.108.138.66:54298 (IP=0.0.0.0:389)
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND anonymous mech=implicit ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH attr=dn
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND anonymous mech=implicit ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 text=
Feb 3 10:44:47 pavfldapp01 slapd[4806]: conn=50825 op=1 UNBIND
SUCCESS - PRODUCTION 2.3 - LDAP Search command as uid=ralthuru/secret
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 ACCEPT from IP=10.199.204.205:44578 (IP=0.0.0.0:389)
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND anonymous mech=implicit ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH attr=dn
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND anonymous mech=implicit ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SRCH base="dc=inside,dc=sonepar-us,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=2 UNBIND
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 closed
Here is the ldap.conf
URI ldap://10.99.19.179
BASE dc=inside,dc=sdusadevl,dc=com
TLS_REQCERT never
Here is the slapd.conf, only the relevant info:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/schema_extension.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
loglevel 256
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=inside,dc=sdusadevl,dc=com"
rootdn "cn=Manager,dc=inside,dc=sdusadevl,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw xyz123
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index uniqueMember eq,pres
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
# adding to ignore error for slaptest
cachesize 2000
sasl-host localhost
sasl-secprops none
----------------------
Here is the slapd-meta.conf containing the AD where the user ralthuru is authenticating to:
uri ldap://sdusa-dc-01.sdusadevl.com:3268/ou=SONEPAR,dc=local
lastmod off
suffixmassage "ou=SONEPAR,dc=local" "dc=sdusadevl,dc=com"
idassert-bind bindmethod=simple
binddn="CN=Vignette\\, Service Account,OU=Vignette Service,OU=Vignette,OU=Enterpise Systems,DC=sdusadevl,DC=com"
credentials="hiddenpassword"
mode=none
flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=local"
I have searched across many forums, compared the set up on the OpenLDAP 2.3 and
OpenLDAP 2.4 instances and cannot find any differences.
Any suggestions on how to resolve this are appreciated!
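The log excerpts above are the only visibility slapd gives into a {SASL} pass-through bind: the client's simple bind on one connection, and, when slapd hands the password to saslauthd, a second burst of activity in which saslauthd binds as its search DN (cn=Manager,dc=local in these excerpts), searches for the user and binds as the entry it found. The script below is an added example, not code from the original post. It parses slapd stats-log lines (loglevel 256), pairs every BIND with its RESULT, counts err=49 failures per client and bind DN, and for each client bind reports whether a saslauthd lookup was logged within a short window. It assumes saslauthd's LDAP module binds as a fixed search DN, as the excerpts show; the sample lines are copied from the QA 2.4 failure and the production 2.3 success above.

```python
"""Correlate slapd stats-log (loglevel 256) BIND and RESULT lines per connection.

Added example for the thread above, not code from the original post. Assumes that
saslauthd's LDAP module binds to slapd as a fixed search DN (cn=Manager,dc=local in
the excerpts) before binding as the located user, as the successful pass-throughs show.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[(?P<pid>\d+)\]: '
    r'conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT_RE = re.compile(r'^fd=\d+ ACCEPT from IP=(?P<ip>[0-9A-Fa-f.:]+):\d+')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" (?P<kind>method|mech)=')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')  # tag 97 = BindResponse


def _ts(text):
    # Syslog timestamps carry no year; every line is assumed to come from the same year.
    return datetime.strptime(re.sub(r'\s+', ' ', text), '%b %d %H:%M:%S')


def parse_binds(lines):
    """Return one record per completed bind, in RESULT order."""
    client_ip = {}   # (pid, conn) -> peer IP from the ACCEPT line, if that line was seen
    pending = {}     # (pid, conn, op) -> bind record still waiting for its RESULT
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, rest = (m['pid'], m['conn']), m['rest']
        a = ACCEPT_RE.match(rest)
        if a:
            client_ip[key] = a['ip']
            continue
        b = BIND_RE.match(rest)
        if b:
            rec = pending.setdefault(key + (b['op'],), {
                'pid': m['pid'], 'conn': m['conn'], 'op': int(b['op']),
                'ip': client_ip.get(key), 'dn': b['dn'], 'ts': _ts(m['ts']),
                'err': None, 'mech_logged': False})
            # In the excerpts the 'BIND dn=... mech=SIMPLE' line appears only for binds
            # that went on to succeed; the failed simple bind logged just 'method=128'.
            if b['kind'] == 'mech':
                rec['mech_logged'] = True
            continue
        r = RESULT_RE.match(rest)
        if r:
            rec = pending.pop(key + (r['op'],), None)
            if rec is not None:
                rec['err'] = int(r['err'])
                records.append(rec)
    return records


def failed_bind_counts(records):
    """err=49 (invalidCredentials) per (client IP, bind DN): a seed for a brute-force alert."""
    counts = defaultdict(int)
    for r in records:
        if r['err'] == 49:
            counts[(r['ip'], r['dn'])] += 1
    return dict(counts)


def triage(records, search_dn, window=timedelta(seconds=2)):
    """Classify each client bind: ok / rejected after a saslauthd lookup / no lookup logged.

    Connections that bound as `search_dn` are saslauthd's own (they also carry the
    follow-up bind as the located AD user), so they are left out of the client list.
    """
    sasl_conns = {(r['pid'], r['conn']) for r in records if r['dn'] == search_dn}
    lookups = [r['ts'] for r in records if r['dn'] == search_dn]
    out = []
    for r in records:
        if (r['pid'], r['conn']) in sasl_conns:
            continue
        if r['err'] == 0:
            verdict = 'ok'
        elif any(abs(t - r['ts']) <= window for t in lookups):
            verdict = 'rejected after saslauthd lookup'
        else:
            verdict = 'no saslauthd LDAP lookup logged'
        out.append((r['ip'], r['dn'], r['err'], verdict))
    return out


# Sample input: the QA 2.4 failure and the production 2.3 success copied from the excerpts above.
SAMPLE_LOG = r"""
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 fd=15 ACCEPT from IP=10.108.138.66:54298 (IP=0.0.0.0:389)
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND anonymous mech=implicit ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 text=
Feb 3 10:44:47 pavfldapp01 slapd[4806]: conn=50825 op=1 UNBIND
"""

if __name__ == '__main__':
    recs = parse_binds(SAMPLE_LOG.splitlines())
    for ip, dn, err, verdict in triage(recs, 'cn=Manager,dc=local'):
        print(f'{str(ip):<15} err={err:<3} {verdict:<32} {dn}')
    print('failed binds:', failed_bind_counts(recs))
```

Run against a full stats log, the distinction the triage draws is the useful one: a failed bind that is accompanied by a saslauthd bind and search means the password was refused by the back-end, while a failed bind with no such activity means slapd never completed the pass-through, which points at the slapd side (the {SASL} scheme, the Cyrus SASL configuration slapd reads, or its access to the saslauthd socket) rather than at the AD. The same parser feeds failed_bind_counts, which is the starting point for alerting on repeated err=49 results from one client.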
Hi,
For weeks I have been reading about OpenLDAP, in the mailing lists, etc. Basically I have Samba with LDAP and I need a GUI to administer the users (I can use smbldap-tools and a shell, but some of the administrators cannot). I installed phpldapadmin, and I can log in with the user "Administrator", but I cannot change, remove or add any user or anything. I have read about people that have similar configurations to mine and solved this problem. Besides the user interface everything seems to work fine: the machines are logged on to the domain, and the Samba server is a PDC.
As far as I understand I need to create an ACL in /etc/openldap/slapd.conf for the group that is going to administer, and the problem is that I am trying to grant permissions to the group "Domain Admins", and Domain Admins is more like a Samba group. So far I can figure out why the stuff I try is not working, but I don't know how to fix it. It has to do with the objectClass.
One of my ideas was to create an extra group, just for administrators, called something like bofhs. I used this as a reference:
http://www.openldap.org/faq/data/cache/52.html
dn: cn=bofhs,dc=mydomain,dc=com,dc=ec
cn: bofhs
objectClass: groupOfNames
member: cn=administrator,dc=mydomain,dc=com,dc=ec
Can I add something to the "Domain Admins" group so they can change data?
But I had problems creating this group; it didn't work. In some examples they use ou=Group; I don't understand what the ou does.
Here is a sample of a backup of the ldap db,
dn: dc=mydomain,dc=com,dc=ec
objectClass: dcObject
objectClass: organization
o: Company
dc: mydomain
structuralObjectClass: organization
entryUUID: 9c8201ce-ccc9-102f-9758-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210326Z
entryCSN: 20110214210326Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210326Z
dn: cn=Manager,dc=mydomain,dc=com,dc=ec
objectClass: organizationalRole
cn: Manager
structuralObjectClass: organizationalRole
entryUUID: 9c82917a-ccc9-102f-9759-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210326Z
entryCSN: 20110214210326Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210326Z
dn: ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit
entryUUID: b071f8b0-ccc9-102f-975a-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Group
structuralObjectClass: organizationalUnit
entryUUID: b0727074-ccc9-102f-975b-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: ou=Computers,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: b072cd3a-ccc9-102f-975c-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000002#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: ou=Idmap,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: b07343a0-ccc9-102f-975d-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000003#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec
cn: Administrator
sn: Administrator
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\IESS\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\IESS\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-512
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: b0739f26-ccc9-102f-975e-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
sambaLMPassword: 71DAB35FA93A2AB817306D272A9441BB
sambaAcctFlags: [U]
sambaNTPassword: AB9EA058E462D1881CD7AAC70FC462F2
sambaPwdLastSet: 1305237753
sambaPwdMustChange: 1309125753
userPassword:: e1NTSEF9Mnl6SUJjNTZEN1AxaW5oVmhFaE05dWtLNE1CdGR6Tkw=
shadowLastChange: 15106
shadowMax: 45
entryCSN: 20110512220224Z#000001#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110512220224Z
dn: uid=nobody,ou=People,dc=mydomain,dc=com,dc=ec
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\IESS\nobody
sambaHomeDrive: H:
sambaProfilePath: \\IESS\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: b07615da-ccc9-102f-975f-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000005#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Domain Admins,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: b0769776-ccc9-102f-9760-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000006#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Domain Users,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: b07735b4-ccc9-102f-9761-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
memberUid: user1
memberUid: user2
memberUid: user3
entryCSN: 20110511142120Z#000002#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110511142120Z
dn: cn=Domain Guests,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: b077a364-ccc9-102f-9762-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000008#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Domain Computers,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: b0781966-ccc9-102f-9763-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#000009#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Administrators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: b07892b0-ccc9-102f-9764-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000a#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Account Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
structuralObjectClass: posixGroup
entryUUID: b07907c2-ccc9-102f-9765-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000b#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Print Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: b079790a-ccc9-102f-9766-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000c#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Backup Operators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: b079eab6-ccc9-102f-9767-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000d#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: cn=Replicators,ou=Group,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: b07a6950-ccc9-102f-9768-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
entryCSN: 20110214210400Z#00000e#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210400Z
dn: sambaDomainName=IESS,dc=mydomain,dc=com,dc=ec
structuralObjectClass: sambaDomain
entryUUID: b07ad228-ccc9-102f-9769-316f6ec95723
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210400Z
sambaPwdHistoryLength: 0
sambaLockoutThreshold: 0
sambaMaxPwdAge: -1
gidNumber: 1000
uidNumber: 1000
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-2323392562-1448967901-2038806033
sambaNextRid: 1000
sambaDomainName: IESS
entryCSN: 20110512220215Z#000000#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110512220215Z
dn: uid=user1,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user1
sn: user1
givenName: user1
uid: user1
uidNumber: 1002
gidNumber: 513
homeDirectory: /home/user1
loginShell: /bin/false
gecos: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: e660228a-ccc9-102f-9447-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210530Z
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: rloor
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3004
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaNTPassword: XXX
sambaLogonScript: logon.bat
sambaHomePath: \\IESS\user1
sambaHomeDrive: H:
entryCSN: 20110214210530Z#000006#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210530Z
dn: uid=user2,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user2
sn: user2
givenName: user2
uid: user2
uidNumber: 1003
gidNumber: 513
homeDirectory: /home/user2
loginShell: /bin/false
gecos: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: e692c104-ccc9-102f-9448-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210530Z
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: user2
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3006
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaNTPassword: XXX
sambaLogonScript: logon.bat
sambaHomePath: \\IESS\user2
sambaHomeDrive: H:
entryCSN: 20110214210530Z#00000b#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110214210530Z
dn: uid=user3,ou=People,dc=mydomain,dc=com,dc=ec
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: user3
sn: user3
givenName: user3
uid: user3
uidNumber: 1204
gidNumber: 513
homeDirectory: /home/user3
loginShell: /bin/false
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: e6c4c500-ccc9-102f-9449-ffc7e9a6c1f6
creatorsName: cn=Manager,dc=mydomain,dc=com,dc=ec
createTimestamp: 20110214210531Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: user3
sambaSID: S-1-5-21-2323392562-1448967901-2038806033-3008
sambaPrimaryGroupSID: S-1-5-21-2323392562-1448967901-2038806033-513
sambaLogonScript: logon.bat
sambaHomePath: \\IESS\user3
sambaHomeDrive: H:
sambaLMPassword: 57D26D340E8A2411AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 79715183CF6136D501018FF3F5C381E4
sambaPwdLastSet: 1297878031
sambaPwdMustChange: 1301766031
userPassword:: e1NTSEF9MXQ3dHJoWUxRT05hUnFuQWQ0N3A5QTAwQUNkR05tZGg=
shadowLastChange: 15021
shadowMax: 45
entryCSN: 20110216174031Z#000003#00#000000
modifiersName: cn=Manager,dc=mydomain,dc=com,dc=ec
modifyTimestamp: 20110216174031Z
And here is my slapd.conf. I erased the ACLs I created to test most of it; none worked.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#access to *
# by self write
# by users read
# by anonymous auth
#access to attrs=userpassword
# by self =xw
# by anonymous auth by anonymous auth
#access to *
# by self write
# by users read
access to attrs=userpassword by self write by anonymous auth by * none
access to * by self write by users read by anonymous read by * none
access to * by uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec write
#access to dn.regex = "ou = personal_addressbook or =(.+),, dc = korrigan, dc = org"
#by dn.regex="cn=$1,ou=Users,dc=korrigan,dc=org" write by dn.regex = "cn = $ 1, ou = Users, dc = korrigan, dc = org" write
#by dn="cn=admin,dc=korrigan,dc=org" write by dn = "cn = admin, dc = korrigan, dc = org" write
#by * none by * none
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=mydomain,dc=com,dc=ec"
rootdn "cn=Manager,dc=mydomain,dc=com,dc=ec"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
# Extras para ser servidor master de ldap
loglevel 256
Sorry for the long email.
JDC
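The ACL section of the slapd.conf above has three properties that together explain why the delegated admin never gets write access, and they are worth seeing side by side with a corrected version. First, slapd evaluates "access to" clauses in order and stops at the first <what> that matches the entry; "access to * by self write by users read by anonymous read by * none" matches every entry, so the Administrator clause after it is never consulted. Second, "by uid=Administrator,..." is not a valid <who>; a DN has to be written as dn.exact="...". Third, a group clause needs a DN-valued member attribute: the Samba groups in the dump are posixGroup entries whose memberUid values are plain uid strings, so "by group=..." cannot resolve "Domain Admins", which is why a separate groupOfNames for admins (the bofhs idea) is the simplest route. The fragment below is an added example, not the poster's configuration; it assumes the suffix and ou=Group from the dump and a new entry cn=bofhs,ou=Group,dc=mydomain,dc=com,dc=ec of objectClass groupOfNames whose member values are the DNs of the admin users.

```conf
# Added example (not the poster's slapd.conf): ACLs that delegate write access to
# uid=Administrator and to the members of a groupOfNames "cn=bofhs" under ou=Group.
# Assumed entry: dn: cn=bofhs,ou=Group,dc=mydomain,dc=com,dc=ec, objectClass groupOfNames,
# member: uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec (one member: per admin).
# group.exact= defaults to objectClass groupOfNames / attribute member.

# Password-equivalent attributes first: the Samba NT/LM hashes are as sensitive as
# userPassword and must never be readable by ordinary or anonymous binds.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" write
    by group.exact="cn=bofhs,ou=Group,dc=mydomain,dc=com,dc=ec" write
    by self write
    by anonymous auth
    by * none

# Everything else: admins and the bofhs group write, owners edit their own entry,
# authenticated users read. "by anonymous read" is kept from the poster's policy
# so that anonymous NSS/Samba lookups keep working; drop it if they bind.
access to *
    by dn.exact="uid=Administrator,ou=People,dc=mydomain,dc=com,dc=ec" write
    by group.exact="cn=bofhs,ou=Group,dc=mydomain,dc=com,dc=ec" write
    by self write
    by users read
    by anonymous read
    by * none
```

Before restarting slapd, the policy can be checked offline with slapacl, which evaluates the ACLs in slapd.conf for a given requester against a given entry without any client involved, for example: slapacl -f /etc/openldap/slapd.conf -D "uid=user1,ou=People,dc=mydomain,dc=com,dc=ec" -b "uid=user2,ou=People,dc=mydomain,dc=com,dc=ec" "sn/write", which prints whether write access to sn is ALLOWED or DENIED. Run it once for a bofhs member and once for a plain user to confirm that the first gets write and the second does not; the rootdn (cn=Manager) bypasses ACLs entirely, so testing as Manager proves nothing.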
Where did you read that those were needed anyway? If it was the admin
guide then I need to fix it ;-)
Gavin.
On 23/12/2008, Pat Riehecky <prieheck(a)iwu.edu> wrote:
> On Tue, 2008-12-23 at 15:55 +0000, Gavin Henry wrote:
>> Try dropping nopresent and reloadhint relating to ITS5669. You only
>> need these two syncprov settings on an accesslog db.
>>
>> Gavin.
>
> Thanks, that did the job!
>
> Pat
>
>>
>> On 23/12/2008, Pat Riehecky <prieheck(a)iwu.edu> wrote:
>> > On Tue, 2008-12-23 at 11:45 +0000, Gavin Henry wrote:
>> >> Can you post your config somewhere?
>> >
>> >
>> > allow bind_v2
>> >
>> > include /etc/ldap/schema/core.schema
>> > include /etc/ldap/schema/cosine.schema
>> > include /etc/ldap/schema/nis.schema
>> > include /etc/ldap/schema/inetorgperson.schema
>> > include /etc/ldap/schema/samba.schema
>> > include /etc/ldap/schema/eduperson-200412.schema
>> > include /etc/ldap/schema/hdb.schema
>> > include /etc/ldap/schema/IWU.schema
>> >
>> > pidfile /var/run/slapd/slapd.pid
>> > argsfile /var/run/slapd/slapd.args
>> >
>> > modulepath /usr/lib/ldap
>> > moduleload back_hdb
>> > moduleload back_monitor
>> > moduleload memberof
>> > moduleload syncprov
>> > moduleload smbk5pwd
>> >
>> > tool-threads 2
>> > sizelimit 500
>> > idletimeout 7200
>> >
>> > TLSCACertificateFile /etc/ldap/ssl/IWU.crt
>> > TLSCertificateFile /etc/ldap/ssl/ldap.iwu.edu.crt
>> > TLSCertificateKeyFile /etc/ldap/ssl/ldap.iwu.edu.key
>> > TLSVerifyClient allow
>> >
>> > localSSF 160
>> > security ssf=1 update_ssf=128 simple_bind=112
>> > sasl-secprops noanonymous
>> >
>> > access to dn.base="" by * read
>> > access to dn.base="cn=Subschema" by * read
>> >
>> > backend hdb
>> > database hdb
>> >
>> > overlay memberof
>> > overlay smbk5pwd
>> > overlay syncprov
>> >
>> > smbk5pwd-enable samba
>> > smbk5pwd-enable krb5
>> > smbk5pwd-must-change 0
>> >
>> > syncprov-checkpoint 100 10
>> > syncprov-sessionlog 200
>> > syncprov-nopresent TRUE
>> > syncprov-reloadhint TRUE
>> >
>> > suffix "dc=iwu,dc=edu"
>> >
>> > rootdn "cn=admin,dc=iwu,dc=edu"
>> > rootpw {redacted}
>> >
>> > authz-regexp "uidNumber=0\\\
>> > +gidNumber=.*,cn=peercred,cn=external,cn=auth"
>> > "cn=ldapi,dc=iwu,dc=edu"
>> > authz-regexp "gidNumber=.*\\\
>> > +uidNumber=0,cn=peercred,cn=external,cn=auth"
>> > "cn=ldapi,dc=iwu,dc=edu"
>> >
>> > authz-regexp "uid=(.+),cn=.+,cn=auth" "uid=$1,ou=People,dc=iwu,dc=edu"
>> >
>> > directory "/var/lib/ldap/"
>> >
>> > dbconfig set_cachesize 0 62914560 0
>> > dbconfig set_lk_max_objects 1500
>> > dbconfig set_lk_max_locks 1500
>> > dbconfig set_lk_max_lockers 1500
>> >
>> > # Make sure to do a nightly slapcat
>> > dbconfig set_flags DB_LOG_AUTOREMOVE
>> >
>> > index objectClass eq,pres
>> > index default eq,sub,pres
>> > index mail eq,sub,pres
>> > index sn eq,sub,pres
>> > index cn eq,sub,pres
>> > index displayName eq,sub,pres
>> > index gecos eq,sub,pres
>> > index uid eq,sub,pres
>> > index memberUid eq,sub,pres
>> > index uidNumber eq,pres
>> > index gidNumber eq,pres
>> > index entryCSN eq,pres
>> > index entryUUID eq,pres
>> > index uniqueMember eq,pres
>> > index userPassword eq,pres
>> > index krb5PrincipalName eq,pres
>> > index krb5PrincipalRealm eq,pres
>> > index sambaDomainName eq,pres
>> > index sambaSID eq,pres
>> > index sambaPrimaryGroupSID eq,pres
>> > index sambaSIDList eq,pres
>> >
>> > lastmod on
>> >
>> > checkpoint 256 15
>> >
>> > password-hash {SSHA}
>> >
>> > limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> > limits dn.exact="cn=ldapi,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> > limits dn.exact="cn=sambaadmin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> > limits dn.exact="cn=mirror,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> > limits dn.exact="cn=freeradius,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >
>> > access to dn.sub="dc=iwu,dc=edu"
>> > by dn.exact="cn=ldapi,dc=iwu,dc=edu" write
>> > by dn.exact="cn=sambaadmin,dc=iwu,dc=edu" write
>> > by dn.exact="cn=mirror,dc=iwu,dc=edu" read
>> > by dn.exact="cn=freeradius,dc=iwu,dc=edu" read
>> > by * break
>> >
>> > access to dn.sub="dc=iwu,dc=edu"
>> > attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,krb5Key
>> > by anonymous auth
>> > by self write
>> > by dn.exact="cn=passwordmanager,dc=iwu,dc=edu" write
>> > by users auth
>> > by * break
>> >
>> > access to dn.exact="cn=ldapi,dc=iwu,dc=edu" by * none
>> > access to dn.exact="cn=sambaadmin,dc=iwu,dc=edu" by * none
>> > access to dn.exact="cn=mirror,dc=iwu,dc=edu" by * none
>> > access to dn.exact="cn=freeradius,dc=iwu,dc=edu" by * none
>> > access to dn.exact="cn=passwordmanager,dc=iwu,dc=edu" by * none
>> > access to dn.exact="cn=admin,dc=iwu,dc=edu" by * none
>> >
>> > access to dn.regex="uid=.*\$,ou=People,dc=iwu,dc=edu" by self read by * none
>> > access to dn.sub="ou=Computers,dc=iwu,dc=edu" by self read by * none
>> > access to dn.sub="ou=Idmap,dc=iwu,dc=edu" by self read by * none
>> > access to dn.exact="sambaDomainName=IWU.EDU,dc=iwu,dc=edu" by self read by * none
>> > access to dn.exact="uid=Administrator,ou=People,dc=iwu,dc=edu" by self read by * none
>> > access to dn.exact="uid=root,ou=People,dc=iwu,dc=edu" by self read by * none
>> >
>> > access to dn.regex="krb5PrincipalName=.*@IWU.EDU,ou=People,dc=iwu,dc=edu" by self read by * none
>> >
>> > access to dn.sub="dc=iwu,dc=edu"
>> > attrs=telephoneNumber,mobileTelephoneNumber,homePostalAddress,streetAddress,physicalDeliveryOfficeName,roomNumber,preferredLanguage,localityName,postOfficeBox,postalCode,stateOrProvinceName
>> > by self write
>> > by users read
>> > by anonymous none
>> > by * break
>> >
>> > access to dn.sub="dc=iwu,dc=edu"
>> > attrs=krb5PrincipalName,krb5MaxLife,krb5MaxRenew,krb5KDCFlags,krb5KeyVersionNumber
>> > by self read
>> > by anonymous none
>> > by * break
>> >
>> > access to dn.sub="dc=iwu,dc=edu"
>> > attrs=sambaPrimaryGroupSID,sambaSID,sambaAlgorithmicRidBase,sambaNextRid
>> > by * none
>> >
>> > access to dn.sub="dc=iwu,dc=edu"
>> > attrs=sambaPwdCanChange,sambaLogonTime,sambaLogoffTime,sambaAcctFlags,sambaPasswordHistory,sambaPwdLastSet,sambaGroupType,sambaPwdMustChange,sambaKickoffTime,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange,sambaLockoutObservationWindow,sambaLockoutDuration,sambaMinPwdAge,sambaMaxPwdAge,sambaLogonToChgPwd,sambaPwdHistoryLength,sambaMinPwdLength
>> > by self read
>> > by anonymous none
>> > by * break
>> >
>> > access to dn.sub="dc=iwu,dc=edu" by * read
>> >
>> > serverID 1
>> >
>> > syncrepl rid=2
>> > provider=ldap://ldap2.iwu.edu/
>> > schemachecking=off
>> > searchbase="dc=iwu,dc=edu"
>> > scope=sub
>> > type=refreshAndPersist
>> > binddn="cn=mirror,dc=iwu,dc=edu"
>> > credentials={redacted}
>> > bindmethod=simple
>> > starttls=yes
>> > tls_cert=/etc/ldap/ssl/ldap.iwu.edu.crt
>> > tls_key=/etc/ldap/ssl/ldap.iwu.edu.key
>> > tls_cacert=/etc/ldap/ssl/IWU.crt
>> > tls_reqcert=try
>> > interval=00:00:00:30
>> > retry="15 +"
>> > timeout=1
>> > timelimit=unlimited
>> > sizelimit=unlimited
>> >
>> > mirrormode on
>> >
>> > ###############################
>> > database monitor
>> > limits dn.exact="cn=admin,dc=iwu,dc=edu" size.hard=unlimited time.hard=unlimited size.soft=unlimited time.soft=unlimited
>> >
>> > access to dn.exact="cn=Monitor"
>> > by dn.exact="cn=admin,dc=iwu,dc=edu" read
>> > by * none
>> >
>> > access to dn.subtree="cn=Monitor"
>> > by dn.exact="cn=admin,dc=iwu,dc=edu" read
>> > by * none
>> >
>> >
>> >>
>> >> On 22/12/2008, Pat Riehecky <prieheck(a)iwu.edu> wrote:
>> >> > Here is the quick and dirty what I am trying to do:
>> >> >
>> >> > ldap1 and ldap2 are supposed to be in MultiMaster. They are time synced
>> >> > to pool.ntp.org and each other (if they drift I would rather they sorta
>> >> > drift together, but pool should be keeping that in check).
>> >> >
>> >> > Right now I am just beating them up to see how 2.4.13 performs. (So far
>> >> > VERY well, minus this little problem)
>> >> >
>> >> > I have a rather small ldif (41 entries) that just won't sync (I'm
>> >> > starting small). Debug gives me
>> >> >
>> >> > ber_scanf fmt (m}) ber:
>> >> > ber_dump: buf=0xb806f120 ptr=0xb806f137 end=0xb806f175 len=62
>> >> > 0000: 00 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30 .<rid=001,sid=00
>> >> > 0010: 32 2c 63 73 6e 3d 32 30 30 38 31 32 32 32 31 37 2,csn=2008122217
>> >> > 0020: 34 37 32 31 2e 38 35 35 39 30 34 5a 23 30 30 30 4721.855904Z#000
>> >> > 0030: 30 30 30 23 30 30 31 23 30 30 30 30 30 30 000#001#000000
>> >> > do_syncrep2: cookie=rid=001,sid=002,csn=20081222174721.855904Z#000000#001#000000
>> >> > do_syncrep2: rid=001 CSN too old, ignoring 20081222174721.855904Z#000000#001#000000
>> >> > ldap_msgfree
>> >> >
>> >> > I am not exactly sure how it got to be "too old." The ldif I am
>> >> > importing is not the result of a slapcat or anything that would preserve
>> >> > the CSN or UUID attributes (not that syncrepl uses UUID). I am loading
>> >> > one single file with ldapadd which, in my understanding, sets up the CSN
>> >> > and wouldn't let me import one anyway.
>> >> >
>> >> > Each server has no entries until I load the one, so there shouldn't be
>> >> > any weird stale CSNs causing this. They are "sync'ed" almost instantly
>> >> > after the one system is loaded - I just don't have everything.
>> >> >
>> >> > After a sync:
>> >> > ldap1 - slapcat |grep dn: |wc -l = 41
>> >> > ldap2 - slapcat |grep dn: |wc -l = 18
>> >> >
>> >> > Right now I can get them in sync with a slapcat/slapadd, but when they go
>> >> > into production I won't be able to say for certain which one is
>> >> > authoritative. That is the purpose of multi-master....
>> >> >
>> >> > OpenLDAP 2.4.13, built by me (passed all tests) on Ubuntu Linux 32 bit
>> >> >
>> >> > Any ideas as to what I can do to stop this from happening?
>> >> >
>> >> > Pat
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >
>> >
>>
>
>
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
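An added example for the "CSN too old, ignoring" message in the quoted trace (example code written for this page, not from anyone in the thread and not part of OpenLDAP): in mirrormode each provider holds one contextCSN per serverID, and as I understand the syncrepl consumer's check it drops an incoming change whose CSN is not newer than its own contextCSN for the same sid. The script parses the CSN format, reads the contextCSN lines that an ldapsearch of the suffix returns, reproduces that check, and reports per sid which of two providers is behind. The two LDIF results are constructed (the sid=001 value is the CSN from the trace, the rest is invented); the ldapsearch command in the comment, the hostnames and the function names are this example's assumptions.

```python
"""Compare the contextCSN state of two mirrormode providers (added example).

Each provider keeps one contextCSN per serverID (the #sid# field of a CSN).
A syncrepl consumer ignores an incoming change whose CSN is not newer than
its own contextCSN for the same sid, which is what "CSN too old, ignoring"
reports. CSN fields are fixed width, so CSNs order correctly as plain strings.
"""
import re
from datetime import datetime, timezone

CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def parse_csn(csn):
    """Split a CSN into its fields; 'sid' is the serverID that made the change."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    stamp, micros, count, sid, mod = m.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=int(micros))
    return {"time": when, "count": int(count, 16), "sid": int(sid, 16),
            "mod": int(mod, 16), "raw": csn}


def context_csns(ldif):
    """{sid: csn} from the contextCSN lines of an 'ldapsearch -s base contextCSN' result."""
    out = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            csn = line.split(":", 1)[1].strip()
            out[parse_csn(csn)["sid"]] = csn
    return out


def is_too_old(incoming_csn, local_ldif):
    """True when a consumer holding local_ldif would log 'CSN too old' for incoming_csn."""
    sid = parse_csn(incoming_csn)["sid"]
    local = context_csns(local_ldif).get(sid)
    return local is not None and incoming_csn <= local


def compare_providers(name_a, ldif_a, name_b, ldif_b):
    """Per-sid verdict: 'in sync', '<name> is behind ...' or '<name> has no contextCSN ...'."""
    a, b = context_csns(ldif_a), context_csns(ldif_b)
    report = []
    for sid in sorted(set(a) | set(b)):
        ca, cb = a.get(sid), b.get(sid)
        if ca is None or cb is None:
            missing = name_a if ca is None else name_b
            report.append((sid, "%s has no contextCSN for sid %03x" % (missing, sid)))
        elif ca == cb:
            report.append((sid, "in sync"))
        else:
            behind = name_a if ca < cb else name_b
            report.append((sid, "%s is behind for sid %03x" % (behind, sid)))
    return report


# Constructed sample results of (assumed command, run against each provider)
#   ldapsearch -x -H ldap://ldap1.iwu.edu/ -b dc=iwu,dc=edu -s base contextCSN
# The sid=001 value on ldap1 is the CSN from the debug trace in the thread;
# the other values are invented to show one server lagging on one sid.
LDAP1 = """\
dn: dc=iwu,dc=edu
contextCSN: 20081222174721.855904Z#000000#001#000000
contextCSN: 20081222174650.120000Z#000000#002#000000
"""
LDAP2 = """\
dn: dc=iwu,dc=edu
contextCSN: 20081222174210.004511Z#000000#001#000000
contextCSN: 20081222174650.120000Z#000000#002#000000
"""

if __name__ == "__main__":
    for sid, verdict in compare_providers("ldap1", LDAP1, "ldap2", LDAP2):
        print("sid %03x: %s" % (sid, verdict))
```

With the constructed data ldap2 is behind for sid 001 and the two agree on sid 002; replaying the traced CSN against ldap1's own state is "too old" (it already holds that exact CSN), against ldap2's state it is not. Because CSNs carry the provider's clock, the same comparison is where unsynchronised time between the two masters shows up, which is why the thread's remark about NTP matters.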