Re: Re : OpenLDAP 2.4 - Problem with rewrite overlay
KISTER RAPHAEL wrote:
> Hello,
>
> Thank you for your response. I tried to test the config file without the microsoft.schema, but I still have the problem. If I delete all the rwm-map lines, OpenLDAP has a good configuration file and starts fine. The microsoft.schema is the file I found in the OpenLDAP source (I just put in this file the user objectclass, the sAMAccountName attribute and all the user class attributes). When I try to start OpenLDAP, I get the same error. I am attaching the result in the openldap_start.txt file.

Please keep replies in CC to the list.

I see your problem, it's when you restart the server using the in-directory configuration. I couldn't investigate things further right now; please file an ITS: http://www.openldap.org/its/

p.
Re: Re : OpenLDAP 2.4 - Problem with rewrite overlay
Please keep replies on the list.

--Quanah

--On Friday, December 18, 2009 2:36 AM -0800 KISTER RAPHAEL <kr...@yahoo.com> wrote:

> Hello,
>
> My command to test the configuration is:
>
>   su - openldap -c /opt/openldap/sbin/slaptest -v -u -F /opt/donnees/etc/openldap/slapd.d/
>
> If I use this command line, I don't get any error or warning:
>
>   su - openldap -c /opt/openldap/sbin/slaptest -v -u -f /opt/donnees/etc/openldap/slapd.conf -F /opt/donnees/etc/openldap/slapd.d/
>
> But when I want to start my OpenLDAP server, I get the same error. I am attaching the result of the start command.
>
> modulepath is commented out because all my modules are included in OpenLDAP. I tried to use modulepath and moduleload, but I still have the error.
>
> Best regards,
> Raphael KISTER
>
> ----- Original Message -----
> From: Quanah Gibson-Mount <qua...@zimbra.com>
> To: KISTER RAPHAEL <kr...@yahoo.com>; openldap-technical@openldap.org
> Sent: Wed 16 December 2009, 20:14:13
> Subject: Re: OpenLDAP 2.4 - Problem with rewrite overlay
>
> --On Wednesday, December 16, 2009 8:07 AM -0800 KISTER RAPHAEL <kr...@yahoo.com> wrote:
>
>> Hello,
>>
>> I have to configure an OpenLDAP directory that stores some information about users and groups and that is a proxy to Active Directory. To do this, I configured two suffixes on my OpenLDAP server: the first one is to store information about users and groups and the second is for the Active Directory proxy (the second suffix is embedded in the first one). To configure the Active Directory proxy, I use an ldap backend with the rwm overlay to rewrite some attributes and objectclasses. When I test my configuration with the slaptest binary, I get this error:
>>
>>   config error processing olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config: olcRwmMap handler exited with 1
>>   slaptest: bad configuration directory!
>
> What is your exact slaptest command? Why is modulepath commented out in your slapd.conf?
>
> --Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
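The thread never shows what a configuration of this shape looks like, so here is an added slapd.conf example of the layout Raphael describes: a local database for users and groups, with a subordinate back-ldap database glued beneath it that proxies Active Directory through slapo-rwm. This is not his configuration and not code from the OpenLDAP project; the hosts, DNs, the proxy service account, the schema path and the mapped names are all assumptions. slapd resolves the names on rwm-map lines against the schema it has loaded, so `user` and `sAMAccountName` need a schema file that defines them, which is what a file like his microsoft.schema provides.

```conf
# Added example, not the poster's configuration. All DNs, hosts and
# credentials are placeholders.
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
# assumed: defines the AD 'user' object class and sAMAccountName so that
# the rwm-map lines below resolve both of their names in the local schema
include   /etc/openldap/schema/microsoft.schema

# Only needed when back-ldap and rwm are built as modules:
#modulepath  /usr/lib/openldap
#moduleload  back_ldap.la
#moduleload  rwm.la

#
# 1) Active Directory proxy, glued beneath dc=example,dc=com.
#    A subordinate database is declared before its superior.
#
database        ldap
suffix          "dc=ad,dc=example,dc=com"
subordinate
uri             "ldap://dc1.corp.example.com/"
# StartTLS toward AD before the service account binds (assumes the AD
# certificate chain is trusted by the client-side TLS settings).
tls             start
# The proxy's own service account in AD. mode=none means no proxyAuthz
# control is sent, so every forwarded query runs with this account's AD
# rights: keep it read-only in AD. Its password sits here in clear text,
# so slapd.conf (and slapd.d after conversion) must be readable only by
# the slapd user.
idassert-bind   bindmethod=simple
                binddn="CN=ldapproxy,CN=Users,DC=corp,DC=example,DC=com"
                credentials="proxy-secret"
                mode=none
                flags=prescriptive
# Only these local identities may use the service account; because of
# flags=prescriptive anyone else, anonymous included, is refused rather
# than forwarded to AD without it. Assumes local users live under ou=people.
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

overlay         rwm
rwm-rewriteEngine on
# Virtual naming context on this server (the suffix above) -> real AD context.
rwm-suffixmassage "DC=corp,DC=example,DC=com"
# rwm-map <kind> <local name> <foreign name>: filters and requested
# attributes are rewritten to the AD names on the way out, results come
# back with the local names.
rwm-map objectclass inetOrgPerson user
rwm-map attribute   uid           sAMAccountName
# Wildcard map: attributes with no explicit map of their own pass
# through unchanged.
rwm-map attribute   *             *

#
# 2) Local users and groups (the superior database).
#
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass eq
index           uid eq
```

Check it the way Raphael does: `slaptest -u -f slapd.conf` for a syntax check, then `-F slapd.d` to convert, and then compare an `ldapsearch` under `dc=ad,dc=example,dc=com` against the proxy with the same search issued directly to AD, to confirm that both the filter (`uid=` becoming `sAMAccountName=`) and the returned attribute names are mapped. If you want clients to see only the mapped attributes rather than everything the service account can read, slapo-rwm(5) documents the other wildcard forms of rwm-map; verify the effect with an ldapsearch before relying on it.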
Syncrepl and rootdn
Hi all,

This question has to do with syncrepl and the use of the rootdn option in slapd.conf. My understanding is that on a provider server (where writes are possible), it is not necessary to use the rootdn option in slapd.conf. Instead it is enough to have an account that only exists in the directory, with ACLs that give it the same unrestricted access. This works fine for me.

On syncrepl consumers a rootdn in the local slapd.conf is apparently required (according to the man page for slapd.conf). Why is this, and does it make a difference what the name of the account is? For example, should it be the same as the binddn for syncrepl? For that matter, should rootpw also be set, and should it then be the same as the credentials value used for syncrepl?

Thanks,

Jaap

PS -- I'm using OpenLDAP 2.4.11-1 on Debian lenny.
Re: Syncrepl and rootdn
Dieter Kluenter wrote:
> Jaap Winius <jwin...@umrk.nl> writes:
>
>> Hi all,
>>
>> This question has to do with syncrepl and the use of the rootdn option in slapd.conf. My understanding is that on a provider server (where writes are possible), it is not necessary to use the rootdn option in slapd.conf. Instead it is enough to have an account that only exists in the directory, with ACLs that give it the same unrestricted access. This works fine for me.
>
> Any database requires a rootdn but not a rootpw. If no rootdn is defined in slapd.conf it defaults to cn=manager,$suffix, AFAIK.

No, and no. The only database that has a rootdn by default is back-config. Your question should be what is the function of rootdn?

>> On syncrepl consumers a rootdn in the local slapd.conf is apparently required (according to the man page for slapd.conf). Why is this, and

Because the consumer needs to be able to store anything it receives, regardless of ACLs.

>> does it make a difference what the name of the account is?

No.

>> For example, should it be the same as the binddn for syncrepl?

No.

>> For that matter, should rootpw also be set,

No, that's not required.

>> and should it then be the same as the credentials value used for syncrepl?

No. The binddn within syncrepl has to have read access to the provider database and this should not be the rootdn of the provider; the rootdn of the consumer manages the consumer database only.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
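Howard's answers translate into two slapd.conf fragments. The following is an added example, not Jaap's setup and not taken from the thread or from the OpenLDAP project; hosts, DNs and passwords are placeholders. The provider has no rootdn at all, an admin entry whose power comes purely from ACLs, and a separate read-only replication identity; the consumer has a rootdn that exists nowhere as an entry, no rootpw, and a syncrepl binddn that is unrelated to it.

```conf
#
# PROVIDER (slapd.conf). No rootdn: an ordinary entry carries the admin
# role through ACLs, as Jaap describes. Replication is served to one
# dedicated read-only identity, cn=replicator, which is NOT an admin.
#
database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass eq
# syncrepl searches on these; keep them indexed
index           entryCSN  eq
index           entryUUID eq

overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# The replication account must be able to read every attribute it is
# expected to replicate, userPassword included; the admin account is just
# an entry with write access. Store both accounts' passwords hashed
# (slappasswd), never in clear.
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by dn.exact="cn=admin,dc=example,dc=com"      write
        by self      write
        by anonymous auth
        by *         none
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by dn.exact="cn=admin,dc=example,dc=com"      write
        by users     read
        by *         none

# A full refresh walks the entire database; lift the size and time limits
# for the replication identity only, not for everyone.
limits dn.exact="cn=replicator,dc=example,dc=com"
        size=unlimited time=unlimited

#
# CONSUMER (slapd.conf). The rootdn is required here: syncrepl applies
# whatever the provider sends under this identity, bypassing the local
# ACLs. It is only a name: no entry needs to exist for it, and it has no
# relation to cn=replicator or to any account on the provider.
#
database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
rootdn          "cn=syncrepl-consumer,dc=example,dc=com"
# no rootpw: nothing ever has to bind as the rootdn, so leave it unbindable
index           objectClass eq
index           entryCSN  eq
index           entryUUID eq

syncrepl rid=001
        provider=ldap://provider.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=replicator-secret
        starttls=critical
# clients that try to write to this copy are referred to the provider
updateref       ldap://provider.example.com

# Local ACLs only govern what clients may read from this copy; they have
# no effect on what syncrepl stores.
access to attrs=userPassword
        by anonymous auth
        by *         none
access to *
        by users     read
        by *         none
```

The replication account's password is stored in clear in the consumer's slapd.conf, and on the provider that account can read every userPassword hash, so keep the file owned by the slapd user with mode 0600. The reason Howard gives for not reusing the provider's rootdn as binddn is the blast radius: had binddn been a provider rootdn, a leaked consumer configuration would hand out full write access to the master instead of read access to a copy. `starttls=critical` assumes the provider is set up for TLS; without it the credentials and the whole replicated database cross the network in clear.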