Re: Best way to merge two local DITs vs empty search base suffix
Where is it documented how the conf file slapd.conf file is processed?

I've read the documentation, more than once, and still don't know.

I suspect this whole 'order thing' is pretty darn important (outside of access config).

Seriously, please me at it.

Thanks,
- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jac...@apollogrp.edu

- Original Message -
From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org
To: guy.baconni...@swisscom.com; openldap-technical@openldap.org
Sent: Sun Jun 13 20:20:07 2010
Subject: Re: Best way to merge two local DITs vs empty search base suffix

--On Sunday, June 13, 2010 12:17 PM +0200 guy.baconni...@swisscom.com wrote:

> Hello,
>
> We want to update our old OpenLDAP server from 2.1.x to 2.4.x but
> the current configuration does not use a regular suffix (o=foo,c=bar
> nor dc=foo,dc=bar) but uses an empty suffix ("").
>
> We want to move away from empty suffix as we cannot use cn=monitor
> or any additional suffixes as they can not bind when a suffix is in
> use in a hdb database :

You can do this just fine. I do it in all my installs. You simply need to declare them in the right order. I.e., you must declare monitor, etc before the empty suffix.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration

This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Re: Best way to merge two local DITs vs empty search base suffix
--On Monday, June 14, 2010 7:51 AM -0700 Chris Jacobs chris.jac...@apollogrp.edu wrote:

> Where is it documented how the conf file slapd.conf file is processed?
>
> I've read the documentation, more than once, and still don't know.
>
> I suspect this whole 'order thing' is pretty darn important (outside
> of access config).
>
> Seriously, please me at it.

The slapd configuration is broken up into parts. This is well described in the slapd.conf(5) man page:

    The slapd.conf file consists of a series of global configuration
    options that apply to slapd as a whole (including all backends),
    followed by zero or more database backend definitions that contain
    information specific to a backend instance. The configuration
    options are case-insensitive; their value, on a case by case basis,
    may be case-sensitive.

The global section is covered in the main slapd.conf/cn=config man pages. It is even clearly titled so as GLOBAL CONFIGURATION OPTIONS in the man page itself.

The slapd.conf/cn=config man pages also cover the general database options that apply to all backends (or as otherwise noted in that section).

Options specific to a given backend are clearly documented in the man pages for that backend, such as back-hdb, back-bdb, etc. This is also clearly detailed in the slapd.conf/cn=config man pages:

    DATABASE-SPECIFIC OPTIONS
        Each database may allow specific configuration options; they are
        documented separately in the backends' manual pages. See the
        slapd.backends(5) manual page for an overview of available
        backends.

In any case, it all looks pretty clear to me.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Best way to merge two local DITs vs empty search base suffix
Chris Jacobs wrote:
> Where is it documented how the conf file slapd.conf file is processed?
>
> I've read the documentation, more than once, and still don't know.
>
> I suspect this whole 'order thing' is pretty darn important (outside
> of access config).

slapd.conf(5):

    suffix <dn suffix>
        Specify the DN suffix of queries that will be passed to this
        backend database. Multiple suffix lines can be given and at
        least one is required for each database definition. If the
        suffix of one database is inside that of another, the database
        with the inner suffix must come first in the configuration file.

> Seriously, please me at it.
>
> Thanks,
> - chris
>
> Chris Jacobs, Systems Administrator
> Apollo Group | Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
> email: chris.jac...@apollogrp.edu
>
> - Original Message -
> From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org
> To: guy.baconni...@swisscom.com; openldap-technical@openldap.org
> Sent: Sun Jun 13 20:20:07 2010
> Subject: Re: Best way to merge two local DITs vs empty search base suffix
>
> --On Sunday, June 13, 2010 12:17 PM +0200 guy.baconni...@swisscom.com wrote:
>
> > Hello,
> >
> > We want to update our old OpenLDAP server from 2.1.x to 2.4.x but
> > the current configuration does not use a regular suffix (o=foo,c=bar
> > nor dc=foo,dc=bar) but uses an empty suffix ("").
> >
> > We want to move away from empty suffix as we cannot use cn=monitor
> > or any additional suffixes as they can not bind when a suffix is in
> > use in a hdb database :
>
> You can do this just fine. I do it in all my installs. You simply need
> to declare them in the right order. I.e., you must declare monitor, etc
> before the empty suffix.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
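
Added example (not part of the thread and not OpenLDAP project code): a Python check for the ordering rule quoted from slapd.conf(5) above, run over two constructed slapd.conf fragments that reuse the thread's suffix names. The function names, the simplified DN normalisation and the table of built-in cn=monitor / cn=config suffixes are assumptions of this example.

```python
import shlex

# Backends whose suffix is fixed, so slapd.conf carries no suffix line for them.
IMPLICIT_SUFFIX = {"monitor": "cn=monitor", "config": "cn=config"}

def norm_dn(dn):
    # Simplified normalisation (assumption: no escaped commas in suffixes).
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn.strip() else ""

def is_inside(inner, outer):
    # The empty suffix "" contains every other suffix.
    return inner != outer and (outer == "" or inner.endswith("," + outer))

def parse_databases(text):
    """Return [(line number, backend, [suffixes])] in declaration order."""
    dbs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw[:1].isspace():          # continuation line: not needed here
            continue
        tokens = shlex.split(raw, comments=True)
        if len(tokens) < 2:
            continue
        key = tokens[0].lower()
        if key == "database":
            backend = tokens[1].lower()
            fixed = IMPLICIT_SUFFIX.get(backend)
            dbs.append((lineno, backend, [fixed] if fixed else []))
        elif key == "suffix" and dbs:
            dbs[-1][2].append(norm_dn(tokens[1]))
    return dbs

def ordering_violations(text):
    """(outer line, outer suffix, inner line, inner suffix) for each misordered pair."""
    dbs = parse_databases(text)
    return [(la, outer, lb, inner)
            for i, (la, _, sa) in enumerate(dbs)
            for lb, _, sb in dbs[i + 1:]
            for outer in sa for inner in sb
            if is_inside(inner, outer)]

# Constructed samples using the thread's suffix names.
BAD = 'database hdb\nsuffix ""\ndatabase monitor\ndatabase hdb\nsuffix "o=test1"\n'
GOOD = ('database monitor\ndatabase hdb\nsuffix "o=test1"\n'
        'database hdb\nsuffix "o=test2"\ndatabase hdb\nsuffix ""\n')

if __name__ == "__main__":
    for name, conf in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, ordering_violations(conf))
```

The reported line numbers are those of the "database" lines, so each tuple names the declaration that has to move below the other.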
Best way to merge two local DITs vs empty search base suffix
Hello,

We want to update our old OpenLDAP server from 2.1.x to 2.4.x but the current configuration does not use a regular suffix (o=foo,c=bar nor dc=foo,dc=bar) but uses an empty suffix ("").

We want to move away from empty suffix as we cannot use cn=monitor or any additional suffixes as they can not bind when a suffix is in use in a hdb database :

    suffix namingContext o=... already served by a preceding hdb database serving namingContext

We still have some old applications which are using empty search base and query implicitly the union of o=A and o=B stored within the same ldbm database.

To maintain the backward compatibility we did a meta backend to merge the two local DITs under suffix "".

The side effect of meta backend with ldap://localhost is the increase of the number of opened TCP connections to slapd which are eating thread connections for nothing. The number of threads in use is linked to the number of suffixmassage used in meta backend (2 in our case).

We want to try to avoid increasing by two the number of threads in use to maintain the backward compatibility.

Do you know an alternative way to merge two local DITs without using meta backend ?

Can we use relay/ldap backend with rwm overlay instead of using meta backend ?

    database meta
    suffix ""
    uri ldap://localhost/o=test1;
    suffixmassage o=test1 o=test1
    uri ldap://localhost/o=test2;
    suffixmassage o=test2 o=test2

Thank you for your help.

Best Regards,
Guy Baconniere.

CURRENT CONFIG (slapd 2.1.x)

    suffix ""
    database ldbm
    rootdn cn=manager
    directory /var/lib/ldap
    # o=test1, o=test2, cn=manager are stored within the same ldbm database

CURRENT LDAPSEARCH (slapd 2.1.x)

    ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
    dn: o=test1
    dn: o=test2
    dn: cn=manager

TEST CONFIG WITH BACKWARD COMPATIBILITY (slapd 2.4.x)

    database hdb
    suffix o=test1
    rootdn cn=admin,dc=test3,dc=com
    directory /var/lib/ldap/test1

    database hdb
    suffix o=test2
    rootdn cn=admin,dc=test3,dc=com
    directory /var/lib/ldap/test2

    database hdb
    suffix dc=test3,dc=com
    rootdn cn=admin,dc=test3,dc=com
    directory /var/lib/ldap/dc=test3,dc=com

    database relay
    suffix cn=manager
    overlay rwm
    rwm-rewriteEngine on
    rwm-suffixmassage cn=manager cn=manager,o=admin
    rwm-normalize-mapped-attrs yes

    database meta
    suffix ""
    uri ldap://localhost/o=test1;
    suffixmassage o=test1 o=test1
    uri ldap://localhost/o=test2;
    suffixmassage o=test2 o=test2

LDAPSEARCH WITHOUT META BACKEND (slapd 2.4.x)

    ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
    No such object (32)

LDAPSEARCH WITH META BACKEND (slapd 2.4.x)

    ldapsearch -LLL -h localhost -p 389 -x -b '' -s one '(objectclass=*)' '1.1'
    dn: o=test1
    dn: o=test2

OPENLDAP LOGS SHOWING THE LOCAL CONNECTIONS OF META BACKEND

    slapd[29622]: conn=11 fd=37 ACCEPT from IP=127.0.0.1:33680 (IP=0.0.0.0:389)
    slapd[29622]: conn=11 op=0 BIND dn= method=128
    slapd[29622]: conn=11 op=0 RESULT tag=97 err=0 text=
    slapd[29622]: conn=11 op=1 SRCH base= scope=1 deref=0 filter=(objectClass=*)
    slapd[29622]: conn=11 op=1 SRCH attr=1.1
    slapd[29622]: conn=8 op=3 SRCH base=o=test1 scope=0 deref=0 filter=(objectClass=*)
    slapd[29622]: conn=8 op=3 SRCH attr=1.1
    slapd[29622]: conn=8 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
    slapd[29622]: conn=9 op=3 SRCH base=o=test2 scope=0 deref=0 filter=(objectClass=*)
    slapd[29622]: conn=9 op=3 SRCH attr=1.1
    slapd[29622]: conn=9 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
    slapd[29622]: conn=11 op=1 SEARCH RESULT tag=101 err=0 nentries=2 text=
    slapd[29622]: conn=11 op=2 UNBIND
    slapd[29622]: conn=11 fd=37 closed
Re: Best way to merge two local DITs vs empty search base suffix
--On Sunday, June 13, 2010 12:17 PM +0200 guy.baconni...@swisscom.com wrote:

> Hello,
>
> We want to update our old OpenLDAP server from 2.1.x to 2.4.x but
> the current configuration does not use a regular suffix (o=foo,c=bar
> nor dc=foo,dc=bar) but uses an empty suffix ("").
>
> We want to move away from empty suffix as we cannot use cn=monitor
> or any additional suffixes as they can not bind when a suffix is in
> use in a hdb database :

You can do this just fine. I do it in all my installs. You simply need to declare them in the right order. I.e., you must declare monitor, etc before the empty suffix.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration