To enable shared memory, do I just do this?
In DB_CONFIG: set_shm_key 1
And
Put the slapd conf: olcDbShmKey to 1
And rebuild the bdb database in /var/lib/ldap/
I have a default (centos6) DB_CONFIG setup.
==
set_cachesize 0 268435456 1
set_lg_regionmax
The filesystem is already mounted with noatime (but it is a VMware
guest with an IDE drive; this still needs to be fixed).
I read the slapd-bdb man page and now understand that slapd's config
complements the DB_CONFIG file. But with this olcDbShmKey set to
1 (removed it from DB_CONFIG), I am
> >>
> >> I removed the syncrepl from an ldap server. Now I am getting errors when
> >> deleting entries
> >>
> >> ldap_modify: Server is unwilling to perform (53)
> >> additional info: shadow context; no update referral
> >>
> >>
> >> I also tried adding this, but does not change anything.
> >> a) Some config changes still require a server restart.
> >>
> >> b) It sounds like it has no updateRef line configured? If this server is
> >> no longer a write node, why are you sending writes to it?
> >>
> >
> > I was trying to remove the slave, make it standalone and remove some
> >
I removed the syncrepl from an ldap server. Now I am getting errors when
deleting entries
ldap_modify: Server is unwilling to perform (53)
additional info: shadow context; no update referral
I also tried adding this, but does not change anything.
dn: olcDatabase={0}config,cn=config
>
> I removed the syncrepl from an ldap server. Now I am getting errors when
> deleting entries
>
> ldap_modify: Server is unwilling to perform (53)
> additional info: shadow context; no update referral
>
>
> I also tried adding this, but does not change anything.
>
> dn:
/openldap/slapd.d/cn=config/olcDatabase={2}monitor.ldif:olcReadOnly: FALSE
/etc/openldap/slapd.d/cn=config.ldif:olcReadOnly: FALSE
> OlcReadOnly=FALSE ?
>
>
> Sent from my iPad
>
>
> On Aug 29, 2023, at 3:25 PM, Marc wrote:
>
>
>
>
> I re
>
> Ok, thank you. I got some error logging and it said:
>
> Oct 12 19:24:07 openldap2 slapd[1713088]: slap_client_connect:
> URI=ldaps://openldap.plmail.de/ DN="uid=replica,dc=plmail,dc=de"
> ldap_sasl_bind_s failed (-1)
> Oct 12 19:24:07 openldap2 slapd[1713088]: do_syncrepl: rid=001 rc -1
>
>
> > If I enable this module, does it mean that this slapd stops receiving
> > updates from the master?
>
> No, it's perfectly fine to run syncprov on consumers as well.
>
I guess such messages are related to my ldap not allowing updates, no?
Which is what I want for this one.
"Server is
>
>
>
> >
> > > If I enable this module, does it mean that this slapd stops receiving
> > > updates from the master?
> >
> > No, it's perfectly fine to run syncprov on consumers as well.
> >
>
> I guess such messages are related to my ldap not allowing updates,
> no? Which I want for
> I'm currently experimenting with (MIT) Kerberos and got to the point where
> I need to add the Kerberos definitions to
> LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.)
>
> First question: is this the correct schema file or should I use the
Anyone have experience with openldap and dyndb from bind?
I am getting this:
critical extension is not recognized: unable to start SyncRepl session: is RFC
4533 supported by LDAP
I just loaded the module, and had a slightly different response
error: LDAP error: Critical extension is unavailable: critical control
unavailable in context: unable to start SyncRepl session: is RFC 4533 supported
by LDAP server?
So I added this config
dn:
db-
> ldap/tree/debian/tests/dyndb-ldap?h=applied/ubuntu/devel
>
> On Wed, Sep 20, 2023 at 7:02 PM Marc wrote:
> >
> > Anyone have experience with openldap and dyndb from bind?
> >
> > I am getting this:
> >
> > critical extension is not recognized: unable to start SyncRepl session:
> is RFC 4533 supported by LDAP
> I am trying to create an OpenLDAP master/slave solution with syncrepl,
> but I have not been successful so far.
>
> I followed the suggestions of this site, with another sync password:
>
> https://www.itzgeek.com/how-tos/linux/configure-openldap-master-slave-replication.html
>
> One thing
olcAccess: {0} to dn.exact=""
by * read
olcAccess: {1} to dn.exact="cn=Subschema"
by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange
by ssf=256 self read
by ssf=256 anonymous auth
by * none break
...
olcAccess: {7} to dn.subtree="xx" filter=(objectClass=posixAccount)
>
> >
> > olcAccess: {0} to dn.exact=""
> > by * read
> > olcAccess: {1} to dn.exact="cn=Subschema"
> > by * read
>
>
> The above 2 acls generally go on the frontend DB.
>
hmmm, I have everything on {-1}frontend
>
> > olcAccess: {2} to attrs=userPassword,shadowLastChange
> > by ssf=256
> 2
>
> On 8/27/23 19:01, Marc wrote:
> >>> olcAccess: {2} to attrs=userPassword,shadowLastChange
> >>> by ssf=256 self read
> >>> by ssf=256 anonymous auth
> >>> by * none break
>
> I think the problem is this rul
I have a ldapsearch that returns this object
sendmailMTAClassName: w
sendmailMTAClassValue: xxx
sendmailMTAClassValue: yyy
sendmailMTAClassValue: zzz
objectClass: sendmailMTA
objectClass: sendmailMTAClass
I thought I could strengthen the acl by just appending a filter to it,
but if I add these
>
> > I am updating my ldap container and migrating from el7 to alpine. While
> > running some test queries I noticed that the new 2.6 alpine probably has
> > different defaults; I am getting "Size limit exceeded (4)". However, this
> > does not show in the ldap error log.
>
> That's not an
Is it possible to specify something like allow access to all attributes -
userPassword?
ns if you say "filter=(&(objectClass=*))"
> ?
>
>
> Sean.
>
>
> On 1/08/2023 10:34 pm, Marc wrote:
>
> I have a ldapsearch that returns this object
>
> sendmailMTAClassName: w
> sendmailMTAClassValue: xxx
> sendmailM
I am updating my ldap container and migrating from el7 to alpine. While running
some test queries I noticed that the new 2.6 alpine probably has different
defaults; I am getting "Size limit exceeded (4)". However, this does not show in
the ldap error log.
What would be good loglevel config to
>
> First I apologize for posting a non-technical question / follow up to
> this list, however I can speak for the high value add that having
> official support for OpenLDAP that the Symas team offers. Like most
> folks on this list, we have a great deal of in house expertise on many
> software
>
> Inspired by the proprietary server at ldap.dnssek.info, I'd like to make
> a slapd plugin that, when queried for a particular email address, finds
> the OpenPGP keys and S/MIME certificates by doing DNS lookups (possibly
> aided by DANE), and then serves them back to the requestor.
>
I have ~11 ACLs that could use more attention, limiting access to what is
required (to mta, system, cron). They are working, but I would like to have an
expert look at them. I think someone with experience could tune some things
better. Anyone interested?
if you say "filter=(&(objectClass=*))" ?
Sean.
On 1/08/2023 10:34 pm, Marc wrote:
I have a ldapsearch that returns this object
sendmailMTAClassName: w
sendmailMTAClassValue: xxx
sendmailMTAClassValue: yyy
sendmailMTAClassValue: zzz
objectClass: sendmailMTA
obje
>
> > I have a ldapsearch that returns this object
> >
> > sendmailMTAClassName: w
> > sendmailMTAClassValue: xxx
> > sendmailMTAClassValue: yyy
> > sendmailMTAClassValue: zzz
> > objectClass: sendmailMTA
> > objectClass: sendmailMTAClass
> >
> > I thought I could strengthen the acl by just
Anyone else getting ~20 messages?
> -Original Message-
> Sent: Friday, 19 January 2024 04:19
> T
> There is a long list of considerations/preparation needed when running
> OpenLDAP in a container setup (we use Nomad). From memory:
> - use the HA proxy protocol, now supported in 2.5/2.6 so you see
> client IPs
>
Is it not enough to just have multiple tasks with
I am doing some basic testing with ldap with this command.
ldclt \
-a 400 \
-H ldap://x.x.x.x: \
-e bindeach,bindonly,close \
-D "uid=test,dc=me,dc=local" \
-w yy \
-n 1
I was testing this on two container test environments. Both are running with
~500MB, 1 core.
> I am doing some basic testing with ldap with this command.
>
> ldclt \
> -a 400 \
> -H ldap://x.x.x.x: \
> -e bindeach,bindonly,close \
> -D "uid=test,dc=me,dc=local" \
> -w yy \
> -n 1
>
> I was testing this on two container test environments. Both are running
> > I am testing a bit with binds. With consecutive binds with the same
> test account I always get 'result not in cache'. How can I get this in
> cache?
> >
> > access_allowed: result not in cache (userPassword)
> >
> > 6628dba5.0659c27a 0x7ff072843b38 conn=1023 op=0 BIND
>
I am testing a bit with binds. With consecutive binds with the same test
account I always get 'result not in cache'. How can I get this in cache?
access_allowed: result not in cache (userPassword)
6628dba5.0659c27a 0x7ff072843b38 conn=1023 op=0 BIND
dn="uid=test,dc=me,dc=local" method=128
>
> > > I am testing a bit with binds. With consecutive binds with the same
> > test account I always get 'result not in cache'. How can I get this in
> > cache?
> > >
> > > access_allowed: result not in cache (userPassword)
> > >
> > > 6628dba5.0659c27a 0x7ff072843b38 conn=1023 op=0 BIND
> >
>
> >
> > > I am doing some basic testing with ldap with this command.
> > >
> > > ldclt \
> > > -a 400 \
> > > -H ldap://x.x.x.x: \
> > > -e bindeach,bindonly,close \
> > > -D "uid=test,dc=me,dc=local" \
> > > -w yy \
> > > -n 1
> > >
> > > I was testing this on
>
> > I am doing some basic testing with ldap with this command.
> >
> > ldclt \
> > -a 400 \
> > -H ldap://x.x.x.x: \
> > -e bindeach,bindonly,close \
> > -D "uid=test,dc=me,dc=local" \
> > -w yy \
> > -n 1
> >
> > I was testing this on two container test
> >
> > > > I am testing a bit with binds. With consecutive binds with the same
> > > > test account I always get 'result not in cache'. How can I get this in
> > > > cache?
> > > >
> > > > access_allowed: result not in cache (userPassword)
> > > >
> > > > 6628dba5.0659c27a 0x7ff072843b38
>
> > Am just testing with an alpine linux container and an ldap db with ~10
> > entries, almost nothing. Yet when I look in top res memory is 700MB. So I
> > assume everything is already cached, but I don't really get then this
> > logging. I don't even get why 700MB is being used, my data is
Anyone know if this file is still working in el9? Looks like if I put
SLAPD_URLS it is not read.
/etc/sysconfig/slapd
variable. The
> file /etc/sysconfig/slapd doesn't exist.
>
> On 21.05.2024 at 00:10 Marc wrote:
> >>> Anyone know if this file is still working in el9? Looks like if I put
> >> SLAPD_URLS it is not read.
> >>>
> >>> /etc/sysconfi
>
> > I don't really get what is wrong with how it was:
> >
> > "As I mentioned already, use systemd drop-in file (see `man 5
> > systemd.unit` for more details). Or use `systemctl edit --full
> > slapd.service`."
>
>
> As previously mentioned, you will need to ask RedHat their reasoning.
>
>
> How to set up replication in openldap 2.6.7
> Please let me know
:) You have to give the manuals a try. You also have to decide what replication
type you choose. I still have the old one
add: olcSyncrepl
olcSyncrepl: {0}rid=..
> > Anyone know if this file is still working in el9? Looks like if I put
> SLAPD_URLS it is not read.
> >
> > /etc/sysconfig/slapd
> >
> That's a question for Red Hat. No one on the OpenLDAP Project has
> anything to do with that.
>
Yes I already reported it (I think) don't even know where to
that separated.
My question is whether I can link or combine some users from ou=people
to ou=radar, so that I don't have to create the user a second time?
regards marc
mj romero wrote on 01.06.2010 07:56:
I don't understand what happens. Any help is very useful to me.
What about any log data?
Marc
://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
AuthLDAPUrl Directive
Description: URL specifying the LDAP search parameters
Syntax: AuthLDAPUrl url
Context: directory, .htaccess
So, I think not outside of the directory context.
Marc
.
This is ldap bind.
Marc
a bit more in detail.
Marc
Isaac,
Isaac Hailperin wrote on 27.08.2010 12:49:
On 08/27/2010 11:12 AM, Marc Patermann wrote:
Isaac Hailperin wrote on 25.08.2010 17:44:
I was wondering whether there is a way to replicate more than one
branch. I tried to replicate two branches using two syncrepl sections
:
openssl rsa -in key.pem -out keyout.pem
Marc
built-in multiline text editor rather than the
default inline editor. This allows for some formatting, making things a
bit more readable.
Can you please explain a bit more in detail how you did that?
Thanks!
Marc
be the problem? Thanks for the help in advance,
You did not provide any details
- on how to use ldapsearch and
- about the server and client side config
Marc
ben,
ben thielsen wrote on 08.09.2010 23:42:
On Sep 01, 2010, at 10.14, Marc Patermann wrote:
b...@bitrate.net wrote on 31.08.2010 16:47:
some ldap clients/browsers support different editors for
different types of data. For example, in my case, I use Apache
Directory Studio
mech_list: plain
in slapd.conf in /usr/local/sasl2 to tell slapd to just offer PLAIN?
Marc
open an ITS requesting this as an enhancement (or a bug fix, it's a
matter of taste).
Is there any yet or do I have to do it?
Marc
Is there something, I did wrong?
Marc
Hi again,
Marc Patermann wrote on 26.11.2010 11:36:
Pierangelo Masarati wrote on 25.03.2008 18:52:
LALOT Dominique wrote:
I'm testing memberof overlay and I'd like to get it working properly
for a database migration
My tests showed me that it's working when adding members
!
Is this a configuration error on my side?
Provider is 2.4.23, consumer is 2.4.20.
Marc
Hi,
Dieter Kluenter wrote on 01.12.2010 19:27:
Marc Patermann hans.mo...@ofd-z.niedersachsen.de writes:
on the provider server there are 3 databases glued together with
one sync provider in the top level database:
...
overlay glue
overlay syncprov
syncprov-checkpoint 100 10
syncprov
fd:0a 795716
/usr/lib64/sasl2/libcrammd5.so.2.0.22
7f3eed3cd000-7f3eed5cd000 ---p 4000 fd:0a 795716
Without the -q switch it is running happily till the end.
Marc
Benjamin,
Benjamin Griese wrote on 06.12.2010 16:55:
Just for typo correction, SLES 11 SP1 is using 2.4.20, so no
misunderstandings come up.
Oh, ya, right, it's a typo.
Thanks!
Marc
Quanah,
Quanah Gibson-Mount wrote on 08.12.2010 18:51:
--On Wednesday, December 08, 2010 6:36 PM +0100 Marc Patermann
hans.mo...@ofd-z.niedersachsen.de wrote:
Marc Patermann wrote on 06.12.2010 16:40:
what could the following possibly be?
When I do a
# slapadd -q -v -c -l
Hi,
masar...@aero.polimi.it wrote on 08.12.2010 18:53:
Marc Patermann wrote on 06.12.2010 16:40:
what could the following possibly be?
When I do a
# slapadd -q -v -c -l dump.ldif
to a SLES 11 SP1 (openldap 2.3.20)
I get this after a few 1000 entries:
I have a fresh install
Howard,
Howard Chu wrote on 08.12.2010 18:55:
Marc Patermann wrote:
Marc Patermann wrote on 06.12.2010 16:40:
what could the following possibly be?
This looks like something valgrind ought to be able to diagnose.
I'll check if there is a package for this, but
http
Pierangelo,
Pierangelo Masarati wrote on 09.12.2010 10:19:
Marc Patermann wrote:
masar...@aero.polimi.it wrote on 08.12.2010 18:53:
Marc Patermann wrote on 06.12.2010 16:40:
what could the following possibly be?
When I do a
# slapadd -q -v -c -l dump.ldif
to a SLES 11 SP1
Howard,
Howard Chu wrote on 08.12.2010 18:55:
Marc Patermann wrote:
Marc Patermann wrote on 06.12.2010 16:40:
what could the following possibly be?
This looks like something valgrind ought to be able to diagnose.
OK, I installed valgrind.
Do I just start
# valgrind slapadd -q
Ralf,
Ralf Haferkamp wrote on 15.12.2010 13:13:
On Friday 10 December 2010, 09:46:06 Marc Patermann wrote:
Howard Chu wrote on 09.12.2010 18:21:
Marc Patermann wrote:
Marc Patermann wrote on 09.12.2010 11:40:
Howard Chu wrote on 08.12.2010 18:55:
Marc Patermann
a lot
here, if I'm right ...
Marc
instead?
Marc
/attribute/uid.html
the syntax of uid is Directory String which does not limit you either.
Your application using uid may or may not have stricter rules than that...
Marc
Vinay,
Vinay Kalkoti wrote on 23.02.2011 11:39:
On Wed, Feb 23, 2011 at 2:37 PM, Marc Patermann
hans.mo...@ofd-z.niedersachsen.de wrote:
Vinay Kalkoti wrote on 23.02.2011 09:10:
I wanted to know which complex characters can be included in a
UID attribute.
I have
=com
rootdn cn=admin,dc=example,dc=com
? Where cn=admin,dc=example,dc=com is a valid object you can bind to.
You cannot have rootpw here, because the password can only be set
if the rootdn is within the namingContext (suffix) of the database.
man slapd.conf
Marc
.
The downside is that activating the overlay has no effect on existing
groups, because the memberof overlay has not seen any changes on these
groups.
Marc
=baseDN.
All others do a search for attribute under base and bind in a second step
with the found DN value.
I don't know about Confluence.
Marc
Hi,
Michael Ströder wrote on 01.04.2011 08:35:
Yes, 3rd LDAPcon 2011 is organized by DAASI, October 10 – 11 in Heidelberg,
Germany.
see http://www.ldapcon.org
Great!
Marc
object.
I tried to create another backend above this one (using the subordinate
keyword) in order to host this root node, but slapd always complains about
the fact that the suffix is defined twice.
This will not work.
Marc
try, but is the overlay initialised before the acl or after in
your config?
Marc
Oliver,
Olivier wrote on 18.04.2011 16:50:
OR
SHOULD I EDIT DIRECTLY FILES IN SLAPD.D AND DEFINITIVELY
REMOVE THE SLAPD.CONF FILE ?
you do _not_ edit files under slapd.d. You modify the cn=config backend
(which in most cases is stored in slapd.d) with ldap.
Marc
not
respond. In that case, the URI list is internally rearranged,
by moving unavailable URIs to the end, so that further connection
attempts occur with respect to the last URI that succeeded.
Or is this not, what you mean?
Marc
and Unique Identifier)' SUP top STRUCTURAL MUST ( cn )
MAY (
businessCategory $ seeAlso $ owner $ ou $ o $ description $
uniqueMember ) )
Any ideas? I'm new to OpenLDAP and usually try to avoid changing
standard schema elements so I may be missing something simple.
Thanks!
Marc
Hello OpenLDAP Users,
I set up an openldap instance as described at
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html.
It seems that the objectclass olcOverlayConfig is missing; where can I
find that objectclass?
Is there a complete manual available which describes how to
for a
openldap-to-active-directory-proxy including attribute mapping?
Regards
Marc
On 16.07.2011 13:16, Marc Schöchlin wrote:
Hello OpenLDAP Users,
I set up an openldap instance as described at
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html.
It seems that the Objectclass
see the connecting IP is in the log
file from long, long ago.
But i.e. netstat may be your friend, but it does not see any differences
between sync and normal ldap connections.
Marc
is the gdb output.
http://pastebin.com/6y83ZjqX
I tried to create a core dump, but I could not get it to work.
I used this howto. The top example works, I get a core file for user
ldap. With slapd it is not.
Why does slapd crash here?
Marc
Marc Patermann wrote on 15.08.2011 15:00:
I tried to create a core dump, but I could not get it to work.
I used this howto. The top example works, I get a core file for user
ldap. With slapd it is not.
sorry, I forgot the link:
http://www.unix.com/security/55651-how-set-coredump-suse-10
Howard,
Howard Chu wrote on 15.08.2011 23:20:
Marc Patermann wrote:
Why does slapd crash here?
This looks like the same trace as ITS#6892, but that was already
patched/fixed in 2.4.26.
# rpm -qa openldap2
openldap2-2.4.26-143.1
(the Ralf Haferkamp SLES rpms)
Need a bit more info
Howard,
Howard Chu wrote on 15.08.2011 23:20:
Marc Patermann wrote:
Why does slapd crash here?
This looks like the same trace as ITS#6892, but that was already
patched/fixed in 2.4.26. Need a bit more info from the crash. E.g.
print *ss
print *ss->s_op
Is this, what you
Howard Chu wrote on 15.08.2011 23:20:
Marc Patermann wrote:
Why does slapd crash here?
This looks like the same trace as ITS#6892, but that was already
patched/fixed in 2.4.26. Need a bit more info from the crash. E.g.
print *ss
print *ss->s_op
(gdb) print *ss
No symbol ss
, it is considered a continuation of
the previous line. No physical line should be over 2000 bytes long.
Blank lines and comment lines beginning with a `#' character are
ignored. Note: continuation lines are unwrapped before comment
processing is applied.
- man slapd.conf
Marc
will not accept any normal LDAP connections
# but just connections over ldaps or ldapi. Setting this to no does only
# make sense when either OPENLDAP_START_LDAPS or OPENLDAP_START_LDAPI is set
# yes.
#
OPENLDAP_START_LDAP=yes
Marc
ldap://server3:389/dc=suffix3,dc=com
Marc
for the
corresponding DN first and bind with this later.
Every other application which only uses auth with the rdn (by combining
the rdn with the given base into a DN) is very poorly designed and should
be avoided. (IMHO)
Marc
Nick,
Nick Milas wrote (18.10.2011 08:07):
# Load dynamic backend modules:
modulepath /usr/local/openldap/lib64
could it be that you have to load some modules here?
Look at the directory for what is in there.
Marc
to replicate the subtree and not for
the other.
I think, this may work.
Marc
backend and add a script checking for changes.
http://www.openldap.org/doc/admin24/backends.html
http://linux.die.net/man/5/slapd-perl
Marc
be manageable on a
low-load box)?
you should enable core dumping on your server
http://www.openldap.org/lists/openldap-technical/201108/msg00161.html
You can then load the core dump on a separate debugging system.
Marc
are not like
they /should to/ nearly zero, nice.
Marc
for anonymous access you
decided to take a bind user
cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de.
So all the rights above have to be granted to this user.
Marc