accesslog contextcsn isn't always updated

2017-08-25 Thread btb
hi, i am seeing a symptom where the accesslog contextcsn is not always updated when a new entry is added to the accesslog. i have a test setup [config is below], with a content database using the accesslog and syncprov overlays, and an accesslog database using the syncprov overlay. for the

Re: mmr pair stops replicating: "consumer state is newer than provider"

2017-07-04 Thread btb
wow, that's a mess. So #000# is serverID 0, which would be for any entries prior to moving to MMR. The fact that you have different values for #000# on dsa1 accesslog vs the other 3 databases is disturbing. It would appear DSA1 is serverID 1, and its CSNs make sense:

Re: mmr pair stops replicating: "consumer state is newer than provider"

2017-06-29 Thread btb
On 6/29/17 11:15 AM, Quanah Gibson-Mount wrote: --On Thursday, June 29, 2017 2:12 AM -0400 btb <b...@bitrate.net> wrote: i see, thanks. i tested this, and did a modify on each, but didn't see replication resume. emulating the syncrepl connection with a manual search against each

Re: mmr pair stops replicating: "consumer state is newer than provider"

2017-06-28 Thread btb
On 6/27/17 4:55 PM, Quanah Gibson-Mount wrote: --On Tuesday, June 27, 2017 5:35 PM -0400 btb <b...@bitrate.net> wrote: On 6/27/17 10:27 AM, Quanah Gibson-Mount wrote: --On Tuesday, June 27, 2017 10:37 AM -0400 btb <b...@bitrate.net> wrote: i'm using 2.4.44 on freebsd, built from p

Re: mmr pair stops replicating: "consumer state is newer than provider"

2017-06-27 Thread btb
On 6/27/17 10:27 AM, Quanah Gibson-Mount wrote: --On Tuesday, June 27, 2017 10:37 AM -0400 btb <b...@bitrate.net> wrote: i'm using 2.4.44 on freebsd, built from ports. i can provide any config details etc - i just didn't want to inundate the post with guesses on detail that

mmr pair stops replicating: "consumer state is newer than provider"

2017-06-27 Thread btb
hi. i have two servers, in an mmr arrangement, using delta-syncrepl. on a couple of occasions, the servers have stopped replicating, and the following is logged: dsa1: Jun 27 06:13:29 ldap0 slapd[8699]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT Jun 27 06:13:29 ldap0 slapd[8699]:

Re: PROXIED attributeDescription "" inserted

2016-11-10 Thread btb
On Nov 10, 2016, at 20.47, Howard Chu wrote: > > b...@bitrate.net wrote: >> recently i noticed these entries in slapcat output: >> >>> slapcat -F '/var/lib/ldap/config' -b 'cn=config' -H >>> 'ldap:///cn=config??base' >> 5824aae9 PROXIED attributeDescription "OU" inserted. >>

PROXIED attributeDescription "" inserted

2016-11-10 Thread btb
recently i noticed these entries in slapcat output: > slapcat -F '/var/lib/ldap/config' -b 'cn=config' -H 'ldap:///cn=config??base' 5824aae9 PROXIED attributeDescription "OU" inserted. 5824aae9 PROXIED attributeDescription "DC" inserted. dn: cn=config objectClass: olcGlobal cn: config

Re: OpenLDAP server attack surface analysis shows UDP port 63515 in unknown state

2016-09-30 Thread btb
> On Sep 30, 2016, at 06.55, Michael Ströder wrote: > > Sreekanth Sukumaran wrote: >> >> Sorry, I missed to add subject in the last mail. Resending with subject. >> sorry >> about spamming the group >> >> Hi All, >> >> OpenLDAP version : 2.4.39 on windows >> Tool used

Re: openldap client cert validation

2016-08-06 Thread btb
> On Aug 06, 2016, at 12.14, Matwey V. Kornilov > wrote: > > After inspecting source code I've just found that TLS_KEY and TLS_CERT > are ignored if located in /etc/openldap/ldap.conf. > Why is it not written in man ldap.conf(5) explicitly? from ldap.conf(5):

Re: Removing olcAccess entry

2016-01-12 Thread btb
> On Jan 12, 2016, at 13.02, Katherine Faella wrote: > > For the life of me I can not figure out the syntax for performing this. Here > is my snippet of config.ldif: > > > dn: olcDatabase={1}hdb,cn=config > objectClass: olcDatabaseConfig > objectClass: olcHdbConfig >

Re: Human-friendly olcAccess management

2015-11-10 Thread btb
On Nov 10, 2015, at 00.49, Bogdan Rudas wrote: > > Hello all, > > I would like to start using olcAccess rules; is there a human-friendly editor > for those ACLs? > I can't even use line breaks in the ldif file to make my restrictions a bit more > readable! I strongly dislike

Re: slapcat command

2015-01-12 Thread btb
On 2015.01.12 03.17, Eileen(=^ω^=) wrote: Hi team! I face a question. When I use slapcat -l filename.ldif , the output file will include the createTimestamp、modifyTimestamp、entrycsn and entryUUID etc. These attributes mean the output file cannot be put back into the bdb database. output

Re: nssov not working after upgrading nss-pam-ldapd

2015-01-08 Thread btb
On Jan 07, 2015, at 10.56, Ryan Tandy r...@nardis.ca wrote: On Wed, Jan 07, 2015 at 08:26:12AM -0500, btb wrote: On 2015.01.06 23.54, Ryan Tandy wrote: The nslcd protocol changed from 0.8.x to 0.9.x. I'm working on a patch (nss done, pam still WIP) and hope to send it to the ITS soon

Re: nssov not working after upgrading nss-pam-ldapd

2015-01-07 Thread btb
On 2015.01.06 23.54, Ryan Tandy wrote: Hi, On Tue, Jan 06, 2015 at 11:11:03PM -0500, b...@bitrate.net wrote: i use the nss and pam stub libraries from nss-pam-ldapd [no nslcd] with nssov. i've just upgraded nss-pam-ldapd from 0.8.13 to 0.9.4. The nslcd protocol changed from 0.8.x to 0.9.x.

Re: back-sql deployment woes

2015-01-06 Thread btb
On Jan 06, 2015, at 16.00, Nick Atzert tlkg...@gmail.com wrote: It's pretty messy and convoluted IMO. That's with a fairly pedestrian view of the project. Considering it's (apparently) unmaintained I'd assume it's the same for development. The biggest issue I've been having is mostly with

nssov not working after upgrading nss-pam-ldapd

2015-01-06 Thread btb
i use the nss and pam stub libraries from nss-pam-ldapd [no nslcd] with nssov. i've just upgraded nss-pam-ldapd from 0.8.13 to 0.9.4. at the moment, i'm using openldap version 2.4.31. after upgrading nss-pam-ldapd, nss and pam stopped working with ldap, and i see this in slapd's debug log:

Re: Client doesn't send certificate for LDAPS

2014-03-08 Thread btb
On Mar 8, 2014, at 08.50, Joshua Schaeffer jschaeffer0...@gmail.com wrote: I'm in the process of setting up my slapd server to operate over LDAPS and having trouble when using a CA certificate (being my own certificate authority). I've been able to setup LDAPS when using a self-signed

Re: SETTING UP MONITOR

2014-01-15 Thread btb
On 2014.01.14 14.54, Michael Ströder wrote: Dieter Klünter wrote: Am Tue, 14 Jan 2014 11:06:34 -0500 schrieb Borresen, John - 0442 - MITLL john.borre...@ll.mit.edu: First, my apologies for adding you, Quanah, to the cc list. Over the last few weeks, my emails have not been getting

Re: ldapsearch limit of 500 entries

2013-12-13 Thread btb
On Dec 13, 2013, at 13.00, Clint Petty cpe...@luthresearch.com wrote: I know you are supposed to make changes through the command line, when using cn=config. no, you are supposed to make changes using the same methods you'd use for any other openldap database. that's via ldap operations, or

Re: slapo-nssov and authz2dn

2013-10-23 Thread btb
i'm hoping a bump might get this on someone's radar it previously missed. On Oct 19, 2013, at 20.10, b...@bitrate.net wrote: i'm experimenting with the authz2dn setting for olcnsspam: dn: olcOverlay={7}nssov,olcDatabase={2}mdb,cn=config objectClass: olcConfig objectClass: olcNssOvConfig

slapo-nssov and authz2dn

2013-10-19 Thread btb
i'm experimenting with the authz2dn setting for olcnsspam: dn: olcOverlay={7}nssov,olcDatabase={2}mdb,cn=config objectClass: olcConfig objectClass: olcNssOvConfig objectClass: olcOverlayConfig olcOverlay: {7}nssov olcNssMap: group uniquemember member olcNssPam: authz2dn hostservice

Re: sasl/plain with hashed password not working

2013-10-09 Thread btb
On Oct 8, 2013, at 09.56, Dan White dwh...@olp.net wrote: That was referring to auxprop. In newer versions ( 2.1.23) of Cyrus SASL there is an undocumented 'pwcheck_method: auxprop-hashed' which you can use to support hashed passwords, but I do not believe that slapd/ldapdb are supported. I

Re: sasl/plain with hashed password not working

2013-10-07 Thread btb
On Oct 2, 2013, at 09.44, Dan White dwh...@olp.net wrote: libsasl2, with default configuration, requires that the password be stored in cleartext, even for PLAIN. To support {ssha} in this scenario, I recommend you configure your SASL slapd.conf file to authenticate against saslauthd, which

Re: Openldap server with TLS not working

2013-10-03 Thread btb
On Oct 3, 2013, at 04.46, Dieter Klünter die...@dkluenter.de wrote: You are connecting to port 389, but s_client is not able to initiate a LDAP startTLS session (only SMTP and IMAP), so you have to connect ldaps and port 636. s_client does support starttls for other protocols aside from

Re: Openldap server with TLS not working

2013-10-03 Thread btb
-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of btb Sent: Wednesday, 2 October 2013 10:57 PM To: openldap-technical@openldap.org Subject: Re: Openldap server with TLS not working On 2013.10.02 07.29, Axel Grosse wrote: when I test on the server itself

Re: Openldap server with TLS not working

2013-10-03 Thread btb
On 2013.10.03 12.13, Michael Ströder wrote: b...@bitrate.net wrote: On Oct 2, 2013, at 11.47, Michael Ströder mich...@stroeder.com wrote: btb wrote: On 2013.10.02 07.29, Axel Grosse wrote: when I test on the server itself .. openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile

Re: Openldap server with TLS not working

2013-10-03 Thread btb
On Oct 3, 2013, at 17.46, Axel Grosse agro...@axway.com wrote: Hi all, Ben, Dieter, thank you for your help ... got it working on ldaps without TLS :-)) we can close that thread glad you had success. a note of pedantry - just because ldaps was used doesn't mean tls was not. those two

sasl/plain with hashed password not working

2013-10-02 Thread btb
i've enabled the plain sasl mech, and testing with ldapwhoami works, but only if the userpassword is left as plaintext. if hashing [ssha] is used, it fails. a simple bind succeeds. what am i doing wrong? ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w ''

Re: Openldap server with TLS not working

2013-10-02 Thread btb
On 2013.10.02 07.29, Axel Grosse wrote: when I test on the server itself .. openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt CONNECTED(0003) 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: ldaps [port 636] is deprecated.

Re: Openldap server with TLS not working

2013-10-02 Thread btb
On Oct 2, 2013, at 11.47, Michael Ströder mich...@stroeder.com wrote: btb wrote: On 2013.10.02 07.29, Axel Grosse wrote: when I test on the server itself .. openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile ./ssl/VordelCA.crt CONNECTED(0003) 710:error:140790E5:SSL

Re: How to start slapd without slapd.conf?

2013-08-20 Thread btb
On 2013.08.20 03.17, Steppacher Ralf wrote: Ben, I re-read those sections. But they only describe how to convert a pre-existing slapd.conf file. So, to bootstrap slapd I created a minimal slapd.conf with just the config database and a rootdn/pw for it and converted that with slaptest. But I

Re: How to start slapd without slapd.conf?

2013-08-20 Thread btb
On 2013.08.20 07.59, Steppacher Ralf wrote: And how to use such a bootstrap LDIF? Starting slapd with -f pointing to the LDIF does not work. That is what I have been looking for and could not find. read man 5 slapd-config [this is referenced from section 5 of the admin guide]. specifically,

Re: How to start slapd without slapd.conf?

2013-08-19 Thread btb
On 2013.08.19 07.35, Steppacher Ralf wrote: Hello all, this is probably a really stupid question... But I cannot figure out how to start a freshly built slapd using only slapd-config configuration. please see section 5 [configuring slapd] of the administrator's guide. also see man 5

Re: How to correct delete objects from cn=config?

2013-08-19 Thread btb
On 2013.08.19 08.23, Ingo wrote: On 13.08.2013 19:02, btb wrote: On 2013.08.13 12.17, Quentin PETEL wrote: Hi, To modify the cn=config DIT you'll have to modify the files under /etc/ldap/slapd.d/cn=config where your config is stored. NO. do NOT do this, Why? read section 5

Re: How to correct delete objects from cn=config?

2013-08-13 Thread btb
On 2013.08.13 08.34, Robert Wolf wrote: Hello people, I would like to ask for correct and/or official way how to remove objects from cn=config. currently, the delete operation is not supported. this may change in a subsequent version. currently, use slapcat to generate an ldif, modify the

Re: How to correct delete objects from cn=config?

2013-08-13 Thread btb
On 2013.08.13 12.17, Quentin PETEL wrote: Hi, To modify the cn=config DIT you'll have to modify the files under /etc/ldap/slapd.d/cn=config where your config is stored. NO. do NOT do this, and please STOP telling other people to do this. -ben

Re: Post-clone Cleanup of Hostname on Version Query

2013-05-30 Thread btb
it really is a complete non issue which has zero actual impact on anything, but if it bothers your sense of style, build openldap on a computer that has a generic/neutral hostname. -ben On May 30, 2013, at 16.58, Quanah Gibson-Mount qua...@zimbra.com wrote: --On Thursday, May 30, 2013 8:25

Re: Understanding dynamic configuration

2013-01-20 Thread btb
On Jan 20, 2013, at 13.59, Ori Bani wrote: Hello, I'm struggling a little with understanding the dynamic configuration system (sorry, but wanted to say my vote is for file-based config; the way some of this config has been put into LDAP feels forced and unnecessarily convoluted).

Re: OpenLDAP-Client TLS

2012-11-16 Thread btb
On 2012.11.16 03.45, martin.heinzm...@belden.com wrote: Hi, i am trying to write my own client which connects to an active directory and searches for a user. So far it works, i call ldap_initialize, set version 3, ldap_simple_bind_s and then search the directory. Now i want the connection to be

Re: Nssov overlay in Ubuntu 12.04

2012-11-11 Thread btb
On Nov 11, 2012, at 18.21, Simone Scremin wrote: Frankly no. I was under the impression that my quoted example was what you need to activate the overlay. I tried to load the module as you suggested but I get a different error: have you read the README? it explicitly states: ...

Re: Nssov overlay in Ubuntu 12.04

2012-11-09 Thread btb
On Nov 09, 2012, at 14.14, Simone Scremin wrote: ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax have you loaded the nssov module? e.g.: dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModuleLoad: nssov olcModulePath:

trouble with slapo-pcache

2012-10-31 Thread btb
hi- i'm having a few different issues with slapo-pcache. i did a bit of searching in the its and did not find any items which seemed to match my symptoms. i'm using 2.4.31, on ubuntu 12.10. the first is that i seem to not be able to add, via ldapadd, additional olcPcacheTemplate attributes to

Re: new versions

2012-08-05 Thread btb
On Aug 05, 2012, at 08.07, Friedrich Locke wrote: Hi folks, i have noticed openldap keeps releasing new versions from time to time. I have not noticed changes in protocol specification. So why does openldap release new versions ? Isn't it mature enough yet ? I am asking cause i am used to

Re: Anyone using ejabberd with OpenLDAP?

2012-07-05 Thread btb
On 07/05/2012 06:18 PM, Gavin Henry wrote: HI all, Taking advantage of the technical list for once and the OpenLDAP related questions :-) Anyone messed with ejabberd and OpenLDAP? I'm looking for an XMPP server with the best LDAP support. ejabberd does auth, rosters and vcards but the ability

autogenerated/virtual attributes

2012-04-21 Thread btb
given an entry such as: dn=cn=abuse,ou=example.net,ou=mail,ou=groups,dc=example,dc=com objectclass=mailgroup cn=abuse member=uid=jdoe,ou=people,ou=accounts,dc=example,dc=com i'd like the entry to also include an attribute, generated automatically, based on the rdn of the entry and the

Re: autogenerated/virtual attributes

2012-04-21 Thread btb
On Apr 21, 2012, at 14.12, Michael Ströder wrote: I doubt that this is possible with slapo-rwm. thanks, i'd wondered this. But you could at least enforce that attribute values match according to what you've subscribed above with a set-based constraint to avoid having false user input in

Re: groups added to provider not replicating to consumer

2012-04-02 Thread btb
On Apr 02, 2012, at 14.34, Quanah Gibson-Mount wrote: A quick perusal of http://www.openldap.org/software/release/changes.html shows specifically that this was fixed in 2.4.26. ah, of course. you're right. admittedly, i sometimes forget to think about checking change logs - especially when

Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries

2012-03-22 Thread btb
On 2012.03.22 07.19, Nick Milas wrote: Cos with JXPlorer (as with standard tools) I see string-based and not number-based ordering, for example: yes, it is string based ordering.

Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries

2012-03-22 Thread btb
On 2012.03.22 07.45, Nick Milas wrote: Please tell me: How do you enter newlines in Apache Dir Studio? You simply type \n or you enter a particular key combination? i press the enter key on my keyboard Also, which ADS version are you using? currently, 2.0.0.v20120224. this behavior hasn't

Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries

2012-03-21 Thread btb
On Mar 21, 2012, at 22.00, Chris Hiestand wrote: On Mar 21, 2012, at 5:59 PM, David Arroyo wrote: What is the correct way to delete a database from olc? I get the feeling it is frowned upon, but I think you could: 1. slapcat -s 'cn=config' config.ldif 2. edit config.ldif 3. delete or

Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries

2012-03-20 Thread btb
On 2012.03.19 14.39, Chris Hiestand wrote: Editing via an ldap client is easy if you're just editing an attribute here and there, but because of the interacting nature of ACLs and schema elements, poor readability (no newlines) makes editing via an ldap client more difficult (a gui with smart