difficulties to stop slapd

2011-04-20 Thread LALOT Dominique
Hello,

Our OpenLDAP sometimes takes a long time to stop, and the init script fails to stop it.

Apr 20 09:10:47 ldap1 slapd[15105]: daemon: shutdown requested and
initiated.
Apr 20 09:10:47 ldap1 slapd[15105]: slapd shutdown: *waiting for 0
operations/tasks to finish*
Apr 20 09:*12:46 *ldap1 slapd[15105]: slapd stopped.

It took 2 minutes to stop, so the init script failed and a restart is not
safe. An automatic update on Ubuntu once left slapd in a strange state, and the
cause was that long wait for 0 tasks to finish. Normally, zero means
immediate. Here it took two minutes!
We have 5 glued BDB databases. Is it due to the BDB close for these
databases? Is there a way to make things more reliable?


OpenLDAP: slapd 2.4.23 (Mar 30 2011 16:20:41) $ ^Ibuildd@crested
:/build/buildd/openldap-2.4.23/debian/build/servers/slapd
Description:Ubuntu 10.10
2.6.35-27-server #48-Ubuntu SMP Tue Feb 22 21:53:16 UTC 2011 x86_64
GNU/Linux
libdb-4.8.so

Thanks

Dom

-- 
Dominique LALOT
Systems and Network Engineer
http://annuaire.univmed.fr/showuser.php?uid=lalot


Re: difficulties to stop slapd

2011-04-20 Thread Buchan Milne
On Wednesday, 20 April 2011 09:28:26 LALOT Dominique wrote:
 Hello,
 
 Our OpenLDAP sometimes takes a long time to stop, and the init script fails to stop it.
 
 Apr 20 09:10:47 ldap1 slapd[15105]: daemon: shutdown requested and
 initiated.
 Apr 20 09:10:47 ldap1 slapd[15105]: slapd shutdown: *waiting for 0
 operations/tasks to finish*
 Apr 20 09:*12:46 *ldap1 slapd[15105]: slapd stopped.
 
 It took 2 minutes to stop, so the init script failed

Then the init script is partly at fault.

 and a restart is not
 safe. An automatic update on Ubuntu once left slapd in a strange state, and the
 cause was that long wait for 0 tasks to finish. Normally, zero means
 immediate. Here it took two minutes!
 We have 5 glued BDB databases. Is it due to the BDB close for these
 databases? Is there a way to make things more reliable?

Supply your slapd configuration. It could be that you aren't checkpointing 
frequently enough.

Regards,
Buchan
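
Buchan's checkpointing hint as a slapd.conf fragment, added here as an example (not from the thread). With back-bdb/back-hdb the checkpoint directive sets how often the BDB transaction log is flushed into the database files, and slapd runs a forced checkpoint when it closes each BDB database at shutdown, so the longer it has been since the previous checkpoint, the more work that close has to do. The suffix and directory below are placeholders; each of the five glued databases needs its own checkpoint line.

```text
# slapd.conf fragment (added example, not from the thread). Assumes a
# back-hdb database; suffix and directory are placeholders.
database        hdb
suffix          "dc=example,dc=org"
directory       /var/lib/ldap/example

# Write a checkpoint every 1024 KB of transaction log or every 15 minutes,
# whichever comes first. Without this, everything logged since the last
# checkpoint is flushed by the forced checkpoint at shutdown, which is the
# gap between "waiting for 0 operations/tasks" and "slapd stopped".
checkpoint      1024 15
```

In cn=config the same setting is the olcDbCheckpoint attribute on the olcDatabase={n}hdb,cn=config entry (for example `olcDbCheckpoint: 1024 15`). The "waiting for 0 operations/tasks to finish" line still appears with a checkpoint in place; what should shrink is the delay before "slapd stopped".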



Re: userCertificate

2011-04-20 Thread Leonardo
Hello,

I am sorry if I didn't manage to explain my problem; I'm going to try again.
I work for a Brazilian government company. We have a project to
authenticate about 65,000 users on OpenLDAP using digital certificates. All
users will have a smartcard.
I am storing the user certificate in the userCertificate attribute of
OpenLDAP, but I don't need to read it as it was stored; I need to read some
fields of the stored certificate as ASCII. Is that possible?

Thanks for your help.

Leonardo dos Santos Dourado.

2011/4/20 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com

 Hi!

 Well, you are pretty much answering the question yourself.  You read
 the certificate field, just as any other field! userCertificate: just
 read its content!

 Now, maybe we are not really understanding what your problem is, so,
 please, be a little more specific: what are you trying to do? and why
 isn't it working?

 Ildefonso Camargo

 On Tue, Apr 19, 2011 at 10:51 AM, Leonardo
 eng.leonardo.dour...@gmail.com wrote:
  I would like to know if it is possible to read a certificate field directly
  from OpenLDAP. This certificate is stored in OpenLDAP; its attribute on
  OpenLDAP is userCertificate.
 



Installation openLDAP in Debian

2011-04-20 Thread D. R. Paudel
Hi,
I tried to install OpenLDAP on my Debian 6.0.1 Squeeze, but I ran into a problem:
there is no slapd.conf inside the /etc/ldap/ directory. Is there any easy
process for installation and configuration for beginners?

regards,
-- 
Dambar Raj Paudel
(Wireless Technology - Researcher)
WAKHOK University, Wakkanai, Japan
Skype: drpaudel


Re: userCertificate

2011-04-20 Thread Erwann ABALEA
OpenLDAP won't parse the certificate for you. Unless you define your own
attributes and populate them with certificate fields when the certificate
is inserted, then no, you won't be able to just query your directory and
retrieve certificate fields.
On 20 Apr 2011 13:47, Leonardo eng.leonardo.dour...@gmail.com wrote:
 Hello,

 I am sorry if I didn't manage to explain my problem; I'm going to try again.
 I work for a Brazilian government company. We have a project to
 authenticate about 65,000 users on OpenLDAP using digital certificates. All
 users will have a smartcard.
 I am storing the user certificate in the userCertificate attribute of
 OpenLDAP, but I don't need to read it as it was stored; I need to read some
 fields of the stored certificate as ASCII. Is that possible?

 Thanks for your help.

 Leonardo dos Santos Dourado.

 2011/4/20 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com

 Hi!

 Well, you are pretty much answering the question yourself. You read
 the certificate field, just as any other field! userCertificate: just
 read its content!

 Now, maybe we are not really understanding what your problem is, so,
 please, be a little more specific: what are you trying to do? and why
 isn't it working?

 Ildefonso Camargo

 On Tue, Apr 19, 2011 at 10:51 AM, Leonardo
 eng.leonardo.dour...@gmail.com wrote:
  I would like to know if it is possible to read a certificate field directly
  from OpenLDAP. This certificate is stored in OpenLDAP; its attribute on
  OpenLDAP is userCertificate.
 

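What Erwann describes in practice: the script that loads the certificates has to decode the DER blob itself, pull out the fields that need to be searchable, and write them into attributes of its own next to userCertificate;binary. The Python below is an added example, not code from the thread or from OpenLDAP. It contains a small DER reader that extracts the serial number and the subject commonName and emits the LDIF a loader would apply; the attribute names myCertSerial and myCertSubjectCN are hypothetical and would need a matching schema definition on the server, and the certificate it runs on is a constructed, unsigned certificate-shaped blob built inline for the demonstration.

```python
"""Pull searchable fields out of a DER certificate before it goes into LDAP.

slapd stores userCertificate;binary as an opaque DER blob and never looks
inside it, so the ingestion script has to extract the fields it wants and
write them into separate attributes of its own. Added example, not code from
the thread. The attribute names myCertSerial and myCertSubjectCN are
hypothetical and would need a matching schema definition on the server.
"""
import base64

OID_CN = bytes([0x55, 0x04, 0x03])  # id-at-commonName, 2.5.4.3


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        out.append((tag, inner))
    return out


def cert_fields(der_cert):
    """Return {'serial': int, 'cn': str} from a DER-encoded X.509 certificate."""
    tag, cert, _ = der_read(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs = der_children(cert)[0]          # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    parts = der_children(tbs)
    if parts[0][0] == 0xA0:                        # [0] EXPLICIT version is optional
        parts = parts[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    serial = int.from_bytes(parts[0][1], "big", signed=True)
    cn = None
    for _, rdn in der_children(parts[4][1]):       # subject: SEQUENCE OF SET OF ATV
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_CN:
                cn = val.decode("utf-8")
    return {"serial": serial, "cn": cn}


def to_ldif(dn, der_cert):
    """LDIF change record storing the blob plus the extracted, searchable fields."""
    f = cert_fields(der_cert)
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userCertificate;binary",
        "userCertificate;binary:: " + base64.b64encode(der_cert).decode("ascii"),
        "-",
        "replace: myCertSerial",                   # hypothetical custom attribute
        f"myCertSerial: {f['serial']}",
        "-",
        "replace: myCertSubjectCN",                # hypothetical custom attribute
        f"myCertSubjectCN: {f['cn']}",
        "",
    ])


# --- constructed test input: a certificate-shaped DER blob, not a real cert ---

def der(tag, content):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        head = bytes([tag, n])
    elif n < 0x100:
        head = bytes([tag, 0x81, n])
    else:
        head = bytes([tag, 0x82, n >> 8, n & 0xFF])
    return head + content


def sample_cert():
    """Unsigned, certificate-shaped DER with serial 300 and CN 'Example User'."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, b"Example User"))))
    sha256_rsa = der(0x30, der(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))
    validity = der(0x30, der(0x17, b"110420000000Z") + der(0x17, b"120420000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x2c")
              + sha256_rsa + name + validity + name + der(0x30, b""))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))


if __name__ == "__main__":
    print(to_ldif("uid=example,ou=people,dc=example,dc=org", sample_cert()))
```

A real loader would read the DER from the smartcard export or from an existing userCertificate;binary value, verify the chain before trusting any field, and apply the LDIF with ldapmodify. Keeping the extracted fields in their own attributes is what lets you index and search on them; the blob itself stays opaque to slapd.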


Simple LDAP to LDAP Integration

2011-04-20 Thread Alejandro Imass
Hello,

I am seeking a simple integration between OpenLDAP and MS AD. The DIT
structures are completely different, but the POSIX UIDs are the same.
The integration is very simple, because all we need to do is update the
corresponding UID in AD whenever an entry changes in OpenLDAP (i.e.
OpenLDAP is the master here).

I thought it would be easy to use the overlays for this, but after
careful examination it is not what we need. All we need for the moment
is to capture the entry write event in OpenLDAP and run an external
subroutine/program/lib that connects to the AD and does the changes
there. We already have the second part developed in Perl, that is, we
have a Perl program that connects to AD and changes whatever we want.
We now need to pass this program the data that have changed in
OpenLDAP. We could turn the Perl program into an LDAP server as well
so we could maybe use the overlays, so in this case, the Perl program
would receive the LDAP, and translate that to AD. The other option is
to use SLAPI and capture the change event and use that to connect to
AD, maybe spawning a daemonized process in Perl in order not to hang
OpenLDAP waiting for AD.

Anyway, if anyone can give us a hand as to how to approach this and
what the best alternatives are for doing this integration, that would be great.
We would gladly publish this OpenLDAP to AD integration as open source.
Or if anyone happens to know if this already exists (but needs to be
flexible because we need to translate from one DIT structure to the
other with different schemas on each).

Thanks!
Alex



Re: Installation openLDAP in Debian

2011-04-20 Thread Quanah Gibson-Mount
--On Wednesday, April 20, 2011 6:51 PM +0900 D. R.   Paudel 
rajme...@gmail.com wrote:



Hi,
I tried to install OpenLDAP on my Debian 6.0.1 Squeeze, but I ran into a problem:
there is no slapd.conf inside the /etc/ldap/ directory. Is there any easy
process for installation and configuration for beginners?


Modern OpenLDAP does not use slapd.conf.  Please read the OpenLDAP Admin 
guide.


--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration



Re: Installation openLDAP in Debian

2011-04-20 Thread Jose Ildefonso Camargo Tolosa
Hi!

It no longer uses slapd.conf by default; it uses cn=config, which is in
/etc/ldap/slapd.d/.

Debian will leave you with a working directory (even though not
optimal, you will be able to use it).

If you can be more specific about what you want to do, just let us know!
If you are used to configuring with slapd.conf, you can actually use
that configuration too, or you can convert your slapd.conf
configuration into cn=config with slaptest (check the docs!).

Ildefonso Camargo

On Wed, Apr 20, 2011 at 5:21 AM, D. R.   Paudel rajme...@gmail.com wrote:
 Hi,
 I tried to install OpenLDAP on my Debian 6.0.1 Squeeze, but I ran into a problem:
 there is no slapd.conf inside the /etc/ldap/ directory. Is there any easy
 process for installation and configuration for beginners?

 regards,
 --
 Dambar Raj Paudel
 (Wireless Technology - Researcher)
 WAKHOK University, Wakkanai, Japan
 Skype: drpaudel




Re: Installation openLDAP in Debian

2011-04-20 Thread Jose Ildefonso Camargo Tolosa
On Wed, Apr 20, 2011 at 10:53 AM, Quanah Gibson-Mount qua...@zimbra.com wrote:
 --On Wednesday, April 20, 2011 6:51 PM +0900 D. R.   Paudel
 rajme...@gmail.com wrote:

 Hi,
 I tried to install OpenLDAP on my Debian 6.0.1 Squeeze, but I ran into a problem:
 there is no slapd.conf inside the /etc/ldap/ directory. Is there any easy
 process for installation and configuration for beginners?

 Modern OpenLDAP does not use slapd.conf.  Please read the OpenLDAP Admin
 guide.

Quanah: actually, the documentation is not yet complete for cn=config; I
had to convert my slapd.conf to cn=config using slaptest in
order to find out how to do in cn=config what I had in slapd.conf.

Ildefonso



 --Quanah

 --

 Quanah Gibson-Mount
 Sr. Member of Technical Staff
 Zimbra, Inc
 A Division of VMware, Inc.
 
 Zimbra ::  the leader in open source messaging and collaboration





Re: Simple LDAP to LDAP Integration

2011-04-20 Thread Bill MacAllister



--On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass 
a...@p2ee.org wrote:


Hello,

I am seeking a simple integration between OpenLDAP and MS AD. The DIT
structures are completely different but the Posix UIDs are the same.
The integration is very simple because all we need to do is update the
corresponding UID in AD whenever an entry changes in OpenLDAP (i.e.
OpenLDAP is the master here).

I thought it would be easy to use the overlays for this, but after
careful examination it is not what we need. All we need for the moment
is to capture the entry write event in OpenLDAP and run an external
subroutine/program/lib that connects to the AD and does the changes
there. We already have the second part developed in Perl, that is, we
have a Perl program that connects to AD and changes whatever we want.
We now need to pass this program the data that have changed in
OpenLDAP. We could turn the Perl program into an LDAP server as well
so we could maybe use the overlays, so in this case, the Perl program
would receive the LDAP, and translate that to AD. The other option is
to use SLAPI and capture the change event and use that to connect to
AD, maybe spawning a daemonized process in Perl in order not to hang
OpenLDAP waiting for AD.

Anyway, if anyone can give us a hand as to how to approach this and
what the best alternatives are for doing this integration, that would be great.
We would gladly publish this OpenLDAP to AD integration as OpenSource.
Or if anyone happens to know if this already exists (but needs to be
flexible because we need to translate from one DIT structure to the
other with different schemas on each).

Thanks!
Alex


One way to do this is to configure your OpenLDAP server to generate an
accesslog.  Then you read the accesslog looking for any changes and
apply the changes to your downstream datastore, whatever it is.  We do
this using Perl and Net::LDAPapi.  I can provide an example if you are
interested.

Bill

--

Bill MacAllister
Infrastructure Delivery Group, Stanford University



Name forms with slapo-constraint

2011-04-20 Thread Michael Ströder
HI!

I tried to use slapo-constraint on entryDN when adding new entries.
Kind of poor man's name forms...

constraint_attribute
  entryDN
  regex mail=[^,],departmentNumber=[0-9]+,O=MyOrg
  restrict=ldap:///O=MyOrg??sub?(objectClass=inetOrgPerson)

But looking at the trace log, it seems this is not evaluated at all; probably
entryDN is not present in the added entry and not yet generated.

Any hints whether that might work?

Ciao, Michael.




proxy Auth and authzto

2011-04-20 Thread LALOT Dominique
Hello,

I tried some configuration in order to get proxyAuth working. I would like
to know if it's restricted to SASL. We use PLAIN LOGIN over TLS in order to
work with all auth methods, SSO and so on.
Could you confirm?

Thanks

Dom

-- 
Dominique LALOT
Systems and Network Engineer
http://annuaire.univmed.fr/showuser.php?uid=lalot


Re: proxy Auth and authzto

2011-04-20 Thread Dan White

On 20/04/11 19:21 +0200, LALOT Dominique wrote:

Hello,

I tried some configuration in order to get proxyAuth working. I would like
to know if it's restricted to SASL. We use PLAIN LOGIN over TLS in order to
work with all auth methods, SSO and so on.
Could you confirm?


As far as I know, proxyAuth is restricted to SASL.

SASL PLAIN supports proxy authentication, but SASL LOGIN does not (if
that's what you're referring to). See pluginviewer/saslpluginviewer for a
list of mechanisms which support proxy authentication (look for the
PROXY_AUTHENTICATION flag).

--
Dan White
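
Why PLAIN can carry a proxy request and LOGIN cannot, as an added example (not code from the thread or from Cyrus SASL/OpenLDAP): the RFC 4616 PLAIN message has a third field, the authorization identity, in front of the credentials, so the client can authenticate as one identity and ask to act as another; LOGIN has no such field. The block below builds and parses that message and then applies an authzTo-style policy to decide whether the proxy is allowed. The lookup table from authcid to DN stands in for slapd's authz-regexp mapping, the policy only handles the dn.exact: and dn.regex: forms of authzTo values (u: and ldap:/// are not handled), and the identities and DNs are constructed.

```python
"""SASL PLAIN proxy authorization, end to end, on constructed data.

PLAIN = [authzid] NUL authcid NUL password (RFC 4616). The client proves it is
`authcid` and asks to act as `authzid`; the server then checks its authzTo
(or authzFrom) rules before granting that. Added example, not code from the
thread. AUTHC_DN stands in for slapd's authz-regexp mapping, and only the
dn.exact: and dn.regex: rule forms are evaluated here.
"""
import re

# Constructed sample data.
AUTHC_DN = {"proxysvc": "cn=proxysvc,ou=services,dc=example,dc=org",
            "jdoe": "uid=jdoe,ou=people,dc=example,dc=org"}
AUTHZ_TO = {"cn=proxysvc,ou=services,dc=example,dc=org":
            ["dn.regex:^uid=[^,]+,ou=people,dc=example,dc=org$"]}


def plain_message(authcid, password, authzid=""):
    """Build the PLAIN message; an empty authzid means 'no proxy requested'."""
    for part in (authzid, authcid, password):
        if "\x00" in part:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    return f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")


def parse_plain(message):
    """Split a PLAIN message into its three fields (authzid None when absent)."""
    parts = message.decode("utf-8").split("\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, password = parts
    return {"authzid": authzid or None, "authcid": authcid, "password": password}


def resolve_authzid(authzid):
    """slapd accepts 'dn:<dn>' or 'u:<user>' authzids; only dn: is handled here."""
    if authzid.lower().startswith("dn:"):
        return authzid[3:]
    raise ValueError("only dn: authorization identities are handled in this example")


def may_proxy(authc_dn, requested_dn, authz_to):
    """Evaluate the authzTo-style rules granted to authc_dn against requested_dn."""
    for rule in authz_to.get(authc_dn, []):
        kind, _, pattern = rule.partition(":")
        if kind == "dn.exact" and pattern == requested_dn:
            return True
        if kind == "dn.regex" and re.match(pattern, requested_dn):
            return True
    return False                                   # default deny


def proxy_decision(message, authc_dn_of, authz_to):
    """Return the DN the bind ends up acting as, or raise if the proxy is refused."""
    m = parse_plain(message)
    authc_dn = authc_dn_of[m["authcid"]]
    if m["authzid"] is None:
        return authc_dn                            # plain bind, no proxy
    target = resolve_authzid(m["authzid"])
    if not may_proxy(authc_dn, target, authz_to):
        raise PermissionError(f"{authc_dn} may not act as {target}")
    return target


if __name__ == "__main__":
    msg = plain_message("proxysvc", "s3cret", "dn:uid=jdoe,ou=people,dc=example,dc=org")
    print(proxy_decision(msg, AUTHC_DN, AUTHZ_TO))
```

The default-deny in may_proxy is the point of the exercise: a service account that can authenticate is not automatically allowed to impersonate anyone, and the authzTo rule is what scopes it to the people subtree. Because the whole message travels in clear inside the SASL exchange, PLAIN only makes sense under TLS, which is what the original post already does.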



Re: Simple LDAP to LDAP Integration

2011-04-20 Thread Alejandro Imass
On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister w...@stanford.edu wrote:


 --On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass
 a...@p2ee.org wrote:

 Hello,

[...]

 One way to do this is to configure your OpenLDAP server to generate an
 accesslog.  Then you read the accesslog looking for any changes and
 apply the changes to your downstream datastore, whatever it is.  We do
 this using Perl and Net::LDAPapi.  I can provide an example if you are
 interested.


Hi Bill, thank you *very* much for your prompt reply.
One question (actually 2) though, before I ask for the trouble of
providing an example: do you get the clear text password in the
accesslog? Is the log in LDIF format? It's not that I really need
clear text, but I need to compute the corresponding password hashes
for MS-AD. Are you able to change the password fields as well, or
are you just copying the hashes from one to the other? How does this
work with the accesslog method?

Again many thanks because I really feel that this could be a practical
KISS way of integrating this.

Thanks!!!
Alex



 Bill

 --

 Bill MacAllister
 Infrastructure Delivery Group, Stanford University





Re: Installation openLDAP in Debian

2011-04-20 Thread Simone Piccardi

On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote:

Hi!

it no longer uses slapd.conf by default, it uses cn=config .  It is on
/etc/ldap/slapd.d/

Debian will leave you with a working directory (even though not
optimal, you will be able to use it).

If you can be more specific on what you want to do, just let us know!
If you are used to configure with slapd.conf, you can actually use
that configuration too, or you can convert your slapd.conf
configuration into cn=config with slaptest (check the docs!).

Ildefonso Camargo


That's the way I'm using it. And I suggest that anyone not needing to 
modify configurations on the fly use it that way.

Because, apart from the missing documentation, I found it difficult having to 
deal with the obscure attribute names and the complex directory 
structure (and the not so self-explanatory file names used under it) that I 
found in /etc/ldap/slapd.d/.

I understand the need for cn=config, but for the moment I don't need 
it. Having a file with a simple syntax that I can read and modify 
instead of a tree of LDIF files is far more convenient for me. So I hope 
that slapd.conf will remain supported.


Simone
--
Simone Piccardi                                 Truelite Srl
picca...@truelite.it (email/jabber)             Via Monferrato, 6
Tel. +39-347-1032433                            50142 Firenze
http://www.truelite.it  Tel. +39-055-7879597    Fax. +39-055-736



Re: Installation openLDAP in Debian

2011-04-20 Thread LALOT Dominique
Hello,

It's so easy to use a single slapd.conf text file: edit it with vi, then
restart. Rsync the included parts of slapd.conf between servers. You don't need an
LDAP browser to see it, and you can add comments easily. All my colleagues are still
working with it. I would change my opinion if there was a maintained official
web interface to administer the server.
You should put up a Doodle poll to ask OpenLDAP admins:

Are you using slapd.d?
Are you using SASL?
Are you using Kerberos?
Are you using multi-master mode?

Maybe you will be surprised, maybe I will...

Dom

PS: anyway, I would like to thank the developers for their good job. Don't
take my opinions as regrets about using OpenLDAP. I have been a happy OpenLDAP
user since 2001.

2011/4/20 Jose Ildefonso Camargo Tolosa ildefonso.cama...@gmail.com

 On Wed, Apr 20, 2011 at 10:53 AM, Quanah Gibson-Mount qua...@zimbra.com
 wrote:
  --On Wednesday, April 20, 2011 6:51 PM +0900 D. R.   Paudel
  rajme...@gmail.com wrote:
 
  Hi,
  I tried to install OpenLDAP on my Debian 6.0.1 Squeeze, but I ran into a problem:
  there is no slapd.conf inside the /etc/ldap/ directory. Is there any easy
  process for installation and configuration for beginners?
 
  Modern OpenLDAP does not use slapd.conf.  Please read the OpenLDAP Admin
  guide.

 Quanah: actually, the documentation is not yet complete for cn=config; I
 had to convert my slapd.conf to cn=config using slaptest in
 order to find out how to do in cn=config what I had in slapd.conf.

 Ildefonso


 
  --Quanah
 
  --
 
  Quanah Gibson-Mount
  Sr. Member of Technical Staff
  Zimbra, Inc
  A Division of VMware, Inc.
  
  Zimbra ::  the leader in open source messaging and collaboration
 
 




-- 
Dominique LALOT
Systems and Network Engineer
http://annuaire.univmed.fr/showuser.php?uid=lalot


Re: Installation openLDAP in Debian

2011-04-20 Thread Quanah Gibson-Mount


On Apr 20, 2011, at 11:04 AM, Simone Piccardi picca...@truelite.it wrote:

 On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote:
 Hi!
 
 it no longer uses slapd.conf by default, it uses cn=config .  It is on
 /etc/ldap/slapd.d/
 
 Debian will leave you with a working directory (even though not
 optimal, you will be able to use it).
 
 If you can be more specific on what you want to do, just let us know!
 If you are used to configure with slapd.conf, you can actually use
 that configuration too, or you can convert your slapd.conf
 configuration into cn=config with slaptest (check the docs!).
 
 Ildefonso Camargo
 
 That's the way I'm using it. And I suggest that anyone not needing to modify 
 configurations on the fly use it that way.
 
 Because, apart from the missing documentation, I found it difficult having to deal 
 with the obscure attribute names and the complex directory structure (and the 
 not so self-explanatory file names used under it) that I found in 
 /etc/ldap/slapd.d/.
 
 I understand the need for cn=config, but for the moment I don't need it. 
 Having a file with a simple syntax that I can read and modify instead of a 
 tree of LDIF files is far more convenient for me. So I hope that slapd.conf 
 will remain supported.

It will not remain supported. I highly advise getting used to the new 
configuration. It may take a little time but it is far superior and quite 
frankly not that difficult.

Remember too that you are free to help contribute documentation.

--Quanah



Re: Installation openLDAP in Debian

2011-04-20 Thread Howard Chu

Simone Piccardi wrote:

On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote:

Hi!

it no longer uses slapd.conf by default, it uses cn=config .  It is on
/etc/ldap/slapd.d/

Debian will leave you with a working directory (even though not
optimal, you will be able to use it).

If you can be more specific on what you want to do, just let us know!
If you are used to configure with slapd.conf, you can actually use
that configuration too, or you can convert your slapd.conf
configuration into cn=config with slaptest (check the docs!).

Ildefonso Camargo


That's the way I'm using it. And I suggest that anyone not needing to
modify configurations on the fly use it that way.

Because, apart from the missing documentation, I found it difficult having to
deal with the obscure attribute names and the complex directory
structure (and the not so self-explanatory file names used under it) that I
found in /etc/ldap/slapd.d/.

I understand the need for cn=config, but for the moment I don't need
it. Having a file with a simple syntax that I can read and modify
instead of a tree of LDIF files is far more convenient for me. So I hope
that slapd.conf will remain supported.


The tree of files is not meant for you to ever look at or modify directly. 
Just use slapcat or ldapsearch. If you know anything about LDAP at all this is 
MUCH easier than editing flat text files, since you can use any LDAP tool 
(commandline or GUI) to do all the administration.


If you think the tree structure is confusing, then you obviously have not read 
the Admin Guide, which clearly outlines the structure.


http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Layout

If you don't read the documentation you have only yourself to blame for being 
confused.

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: Simple LDAP to LDAP Integration

2011-04-20 Thread Howard Chu

Alejandro Imass wrote:

Hello,

I am seeking a simple integration between OpenLDAP and MS AD. The DIT
structures are completely different but the Posix UIDs are the same.
The integration is very simple because all we need to do is update the
corresponding UID in AD whenever an entry changes in OpenLDAP (i.e.
OpenLDAP is the master here).

I thought it would be easy to use the overlays for this, but after
careful examination it is not what we need. All we need for the moment
is to capture the entry write event in OpenLDAP and run an external
subroutine/program/lib that connects to the AD and does the changes
there. We already have the second part developed in Perl, that is, we
have a Perl program that connects to AD and changes whatever we want.
We now need to pass this program the data that have changed in
OpenLDAP. We could turn the Perl program into an LDAP server as well
so we could maybe use the overlays, so in this case, the Perl program
would receive the LDAP, and translate that to AD. The other option is
to use SLAPI and capture the change event and use that to connect to
AD, maybe spawning a daemonized process in Perl in order not to hang
OpenLDAP waiting for AD.

Anyway, if anyone can give us a hand as to how to approach this and
what the best alternatives are for doing this integration, that would be great.
We would gladly publish this OpenLDAP to AD integration as OpenSource.
Or if anyone happens to know if this already exists (but needs to be
flexible because we need to translate from one DIT structure to the
other with different schemas on each).


I would interface your perl script to back-sock running as an overlay on the 
main OpenLDAP database.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
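
Howard's back-sock suggestion as a slapd.conf fragment, added here as an example (not from the thread or from the OpenLDAP sources); the suffix, directory and socket path are placeholders. In overlay mode slapd writes each selected operation to the Unix socket and waits for the listener's answer, which is what wires the external program into the write path.

```text
# slapd.conf fragment (added example, not from the thread). Assumes a hdb
# database and an external listener already bound to the socket path.
database        hdb
suffix          "dc=example,dc=org"
directory       /var/lib/ldap/example

overlay         sock
socketpath      /var/run/ldap-to-ad.sock
# Forward only write operations to the listener; reads stay inside slapd.
sockops         add modify modrdn delete
# Pass the bound DN with each request so the listener can skip changes
# made by the replication identity instead of echoing them back.
extensions      binddn
```

The listener reads one request per operation (the operation name, `dn:` and the change lines, terminated by a blank line) and must answer with `CONTINUE` followed by a blank line to let slapd carry on with the operation itself, or with `RESULT` and a `code:` line to answer the client on slapd's behalf. The call is synchronous, so a slow AD round trip in the listener delays the LDAP client; that is the "hang OpenLDAP waiting for AD" concern from the original post, and the reason to have the listener queue the AD work and return CONTINUE immediately rather than performing the AD update inline.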



Re: Simple LDAP to LDAP Integration

2011-04-20 Thread Alejandro Imass
On Wed, Apr 20, 2011 at 3:24 PM, Howard Chu h...@symas.com wrote:
 Alejandro Imass wrote:

 Hello,

[...]

 I would interface your perl script to back-sock running as an overlay on the
 main OpenLDAP database.


Thanks!

I will look at slapd-sock and see if I can get it working!

Thanks again,

--
Alejandro Imass



Re: Simple LDAP to LDAP Integration

2011-04-20 Thread Bill MacAllister



--On Wednesday, April 20, 2011 01:59:18 PM -0400 Alejandro Imass 
a...@p2ee.org wrote:


On Wed, Apr 20, 2011 at 12:39 PM, Bill MacAllister w...@stanford.edu wrote:



--On Wednesday, April 20, 2011 10:23:20 AM -0400 Alejandro Imass
a...@p2ee.org wrote:


Hello,


[...]


One way to do this is to configure your OpenLDAP server to generate an
accesslog.  Then you read the accesslog looking for any changes and
apply the changes to your downstream datastore, whatever it is.  We do
this using Perl and Net::LDAPapi.  I can provide an example if you are
interested.



Hi Bill, thank you *very* much for your prompt reply.
One question (actually 2) though, before I ask for the trouble of
providing an example: do you get the clear text password in the
accesslog? Is the log in LDIF format? It's not that I really need
clear text, but I need to compute the corresponding password hashes
for MS-AD. Are you able to change the password fields as well, or
are you just copying the hashes from one to the other? How does this
work with the accesslog method?


We don't store passwords in the directory.  Central authentication at
Stanford is provided by Kerberos.

You can think of the accesslog as just another backend database.  You
get information out of it by doing LDAP queries with your tool of
choice.  If you store passwords in the directory as hashes then when
you query the accesslog the value that is returned will be the hash
that is stored in the directory.

Bill


Again many thanks because I really feel that this could be a practical
KISS way of integrating this.

Thanks!!!
Alex



--

Bill MacAllister
Infrastructure Delivery Group, Stanford University
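
The accesslog approach Bill outlines in both of his replies, as an added example (not the Stanford code he mentions, and not the Perl program Alejandro already has): a poller that reads the accesslog like any other backend, keeps a cursor on reqStart so nothing is replayed twice, drops failed operations and the attributes slapd maintains itself, and turns the rest into jobs keyed on the shared POSIX uid for the AD-side program to consume. It assumes slapo-accesslog is configured with `logops writes` on the main database and that the records come from an ldapsearch against the accesslog suffix; the LDIF below is a constructed sample in the attribute layout slapo-accesslog(5) documents. Note how userPassword is filtered out: as Bill says, what the accesslog holds is the stored hash, which is of no use to AD.

```python
"""Turn slapo-accesslog records into update jobs for a downstream directory.

Added example, not the Stanford code Bill refers to. It assumes
slapo-accesslog is configured with `logops writes` on the main database and
that the records come from an ldapsearch against the accesslog suffix; the
LDIF below is a constructed sample in the attribute layout slapo-accesslog(5)
documents (reqStart, reqType, reqDN, reqResult, reqMod with a +/-/=/# suffix).
"""
import base64
import re

SAMPLE_ACCESSLOG = """\
dn: reqStart=20110420091047.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20110420091047.000001Z
reqType: modify
reqAuthzID: cn=admin,dc=example,dc=org
reqDN: uid=jdoe,ou=people,dc=example,dc=org
reqResult: 0
reqMod: mail:= jdoe@example.org
reqMod: userPassword:= {SSHA}c2FtcGxlLWhhc2gtbm90LXJlYWw=
reqMod: entryCSN:= 20110420091047.000001Z#000000#000#000000
reqMod: modifiersName:= cn=admin,dc=example,dc=org
reqMod: modifyTimestamp:= 20110420091047Z

dn: reqStart=20110420091130.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20110420091130.000001Z
reqType: modify
reqDN: uid=asmith,ou=people,dc=example,dc=org
reqResult: 50
reqMod: mail:= asmith@example.org

dn: reqStart=20110420091210.000001Z,cn=accesslog
objectClass: auditDelete
reqStart: 20110420091210.000001Z
reqType: delete
reqDN: uid=oldacct,ou=people,dc=example,dc=org
reqResult: 0
"""

# Maintained by slapd itself; never replay them into another directory.
OPERATIONAL = {"entryCSN", "entryUUID", "modifiersName", "modifyTimestamp",
               "creatorsName", "createTimestamp"}
# The accesslog only ever holds the stored hash, which AD cannot use: drop it.
SECRET = {"userPassword"}
OPS = {"+": "add", "-": "delete", "=": "replace", "#": "increment"}


def parse_ldif(text):
    """Parse an LDIF dump into a list of {attr: [values]} dicts."""
    records, cur, last = [], {}, None
    for line in text.splitlines():
        if not line:                                  # blank line ends a record
            if cur:
                records.append(cur)
            cur, last = {}, None
        elif line.startswith(" "):                    # folded continuation line
            cur[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            if value.startswith(":"):                 # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr, []).append(value.strip())
            last = attr
    if cur:
        records.append(cur)
    return records


def parse_reqmod(value):
    """'mail:= x' -> ('mail', 'replace', 'x'), per the reqMod syntax."""
    m = re.match(r"^([^:]+):([+\-=#]) ?(.*)$", value)
    if not m:
        raise ValueError(f"unrecognised reqMod value: {value!r}")
    return m.group(1), OPS[m.group(2)], m.group(3)


def changes_since(ldif_text, cursor=""):
    """Return (jobs, new_cursor): successful write ops with reqStart > cursor."""
    jobs, newest = [], cursor
    for rec in sorted(parse_ldif(ldif_text), key=lambda r: r["reqStart"][0]):
        start = rec["reqStart"][0]
        if start <= cursor or rec.get("reqResult", [""])[0] != "0":
            continue                                  # already replayed, or it failed
        if rec["reqType"][0] not in ("add", "modify", "delete"):
            continue
        uid = re.match(r"uid=([^,]+)", rec["reqDN"][0])  # the shared POSIX uid
        job = {"type": rec["reqType"][0], "dn": rec["reqDN"][0],
               "uid": uid.group(1) if uid else None, "changes": {}}
        for mod in rec.get("reqMod", []):
            attr, op, val = parse_reqmod(mod)
            if attr in OPERATIONAL or attr in SECRET:
                continue
            change = job["changes"].setdefault(attr, {"op": op, "values": []})
            if val:
                change["values"].append(val)
        jobs.append(job)
        newest = max(newest, start)
    return jobs, newest


if __name__ == "__main__":
    for job in changes_since(SAMPLE_ACCESSLOG)[0]:
        print(job)                                   # hand each to the AD-side program
```

In production the cursor is persisted between runs and the search is `(reqStart>=<cursor>)` against the accesslog suffix rather than a full dump, and the accesslog's own `logpurge` setting bounds how far back a restarted poller can catch up. Because the poller runs outside slapd, a slow or unreachable AD never blocks LDAP clients, which is the trade-off against the overlay approach.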




Re: Installation openLDAP in Debian

2011-04-20 Thread Jose Ildefonso Camargo Tolosa
Resending on-list.

On Wed, Apr 20, 2011 at 1:33 PM, Simone Piccardi picca...@truelite.it wrote:
 On 20/04/2011 17:42, Jose Ildefonso Camargo Tolosa wrote:

 Modern OpenLDAP does not use slapd.conf.  Please read the OpenLDAP Admin
 guide.

 Quanah: actually, the documentation is not yet complete for cn=config; I
 had to convert my slapd.conf to cn=config using slaptest in
 order to find out how to do in cn=config what I had in slapd.conf.

 Ildefonso

 That's the way I'm using it. And I suggest that anyone not needing to modify
 configurations on the fly use it that way.

 Because, apart from the missing documentation, I found it difficult having to deal
 with the obscure attribute names and the complex directory structure (and
 the not so self-explanatory file names used under it) that I found in
 /etc/ldap/slapd.d/.

Well, I actually got used to cn=config pretty quickly; nevertheless, I
still find it easier to understand and modify the slapd.conf file than
the directory structure under slapd.d... it is definitely more complex
(and I don't think it is easier to modify using an LDAP administration
tool).

The cn=config replication suggested in the docs becomes useless when
you need to use TLS because, AFAIK, we don't have a way of having
different TLS parameters for each replica (and, in a multi-master
setup, you will likely have different servers, with different names,
and thus different SSL certificates).


 I understand the need for cn=config, but for the moment I don't need it.
 Having a file with a simple syntax that I can read and modify instead of a
 tree of LDIF files is far more convenient for me. So I hope that slapd.conf
 will remain supported.

+1, we shouldn't drop slapd.conf file.


 Simone
 --
 Simone Piccardi                                 Truelite Srl
 picca...@truelite.it (email/jabber)             Via Monferrato, 6
 Tel. +39-347-1032433                            50142 Firenze
 http://www.truelite.it  Tel. +39-055-7879597    Fax. +39-055-736




Re: Installation openLDAP in Debian

2011-04-20 Thread Jose Ildefonso Camargo Tolosa
On Wed, Apr 20, 2011 at 2:53 PM, Howard Chu h...@symas.com wrote:
 Simone Piccardi wrote:

 On 20/04/2011 17:30, Jose Ildefonso Camargo Tolosa wrote:

 Hi!

 it no longer uses slapd.conf by default, it uses cn=config .  It is on
 /etc/ldap/slapd.d/

 Debian will leave you with a working directory (even though not
 optimal, you will be able to use it).

 If you can be more specific on what you want to do, just let us know!
 If you are used to configure with slapd.conf, you can actually use
 that configuration too, or you can convert your slapd.conf
 configuration into cn=config with slaptest (check the docs!).

 Ildefonso Camargo

 That's the way I'm using it. And I suggest that anyone not needing to
 modify configurations on the fly use it that way.

 Because, apart from the missing documentation, I found it difficult having to
 deal with the obscure attribute names and the complex directory
 structure (and the not so self-explanatory file names used under it) that I
 found in /etc/ldap/slapd.d/.

 I understand the need for cn=config, but for the moment I don't need
 it. Having a file with a simple syntax that I can read and modify
 instead of a tree of LDIF files is far more convenient for me. So I hope
 that slapd.conf will remain supported.

 The tree of files is not meant for you to ever look at or modify directly.
 Just use slapcat or ldapsearch. If you know anything about LDAP at all this
 is MUCH easier than editing flat text files, since you can use any LDAP tool
 (commandline or GUI) to do all the administration.

I don't find it complex to directly modify the files; actually, I find it
easier than having to write an LDIF modification script every time I
need to apply a change! I just go ahead and edit the corresponding
LDIF file in slapd.d.


 If you think the tree structure is confusing, then you obviously have not
 read the Admin Guide, which clearly outlines the structure.

It is not confusing; I actually find it very logical, but it is more
complex than a single file.  But that was discussed long ago on the
list: let's face it, a single plain text file is always simpler than
any more formatted file, and you will always have someone complaining
about it.

Now, if there was a graphical LDAP administration tool that handled
the configuration, there would be a lot of happy people, and writing
that tool (even by creating a template for existing tools) is now
possible thanks to cn=config; it was not that easy with the old slapd.conf
file.


 http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Layout

 If you don't read the documentation you have only yourself to blame for
 being confused.

Yeah, that page is incomplete when compared to:

http://www.openldap.org/doc/admin24/slapdconfig.html

The cn=config directives page is missing the access control part, which you can get at:

http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration

Not a big deal, but it took me a while to realize that the
documentation was no longer in the same place as for slapd.conf.

Ildefonso Camargo
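
The slapd.conf-to-cn=config mapping this thread keeps circling, written out once for the access control case Ildefonso says is documented separately; added example, not from the thread or from the OpenLDAP docs. It assumes the data database is olcDatabase={1}hdb,cn=config and that the Debian default of root administering cn=config over ldapi:/// with SASL EXTERNAL is in place; the DNs are placeholders.

```ldif
# cn=config equivalent of a slapd.conf ACL (added example, not from the
# thread). Assumes the data database is olcDatabase={1}hdb,cn=config; confirm
# the index with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
# A whole slapd.conf can be converted in one go with:
#   slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
#
# slapd.conf form:
#   access to attrs=userPassword
#       by self write
#       by anonymous auth
#       by * none
#   access to *
#       by self write
#       by users read
#       by * none
#
# The same rules as an LDIF change to the live configuration, applied with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none
```

The {0}/{1} prefixes are the ordering the X-ORDERED attribute keeps, so the first matching rule wins exactly as in slapd.conf; `replace: olcAccess` swaps the complete list, which is the safer form to script because an `add:` of a single rule lands wherever the next free index is.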



Re: Installation openLDAP in Debian

2011-04-20 Thread Howard Chu

Jose Ildefonso Camargo Tolosa wrote:

Resending on-list.



Well, I actually got used to cn=config pretty quickly; nevertheless, I
still find it easier to understand and modify the slapd.conf file than
the directory structure under slapd.d... it is definitely more complex
(and I don't think it is easier to modify using an LDAP administration
tool).


The directory structure under slapd.d is private/internal to slapd.

Forget it is even there. As far as you're concerned, it does not even exist.

The only thing you should ever look at is the LDAP DIT, whether returned by 
slapcat, ldapsearch, or your LDAP GUI browser of choice.



The cn=config replication suggested in the docs becomes useless when
you need to use TLS because, AFAIK, we don't have a way of having
different TLS parameters for each replica (and, in a multi-master
setup, you will likely have different servers, with different names,
and thus different SSL certificates).


Actually no, every syncrepl directive can have its own unique set of TLS 
parameters. And anyway, usually all of the servers communicating with each 
other at a site will have the same security requirements and thus the same TLS 
parameters. The actual certificates might be different, but since they 
(currently) live in the filesystem there's no need to reflect that difference 
in the slapd configuration. E.g., every server can point to 
/etc/ssl/my-server-cert.pem and that file can be unique to each server.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: Installation openLDAP in Debian

2011-04-20 Thread Dan White

On 20/04/11 16:01 -0430, Jose Ildefonso Camargo Tolosa wrote:

On Wed, Apr 20, 2011 at 2:53 PM, Howard Chu h...@symas.com wrote:

I don't find it complex to directly modify the files; actually, I find it
easier than having to write an ldif modification script every time I
need to apply a change! I just go ahead and edit the corresponding
ldif file in slapd.d


If you think the tree structure is confusing, then you obviously have not
read the Admin Guide, which clearly outlines the structure.


It is not confusing, I actually find it very logical, but it is more
complex than a single file.  But that was discussed long ago on the
list: let's face it, a single plain text file is always simpler than
any more formatted file, and you will always have someone complaining
about it.

Now, if there was a graphical LDAP administration tool that handled
the configuration, there would be a lot of happy people, and writing
that tool (even by creating a template for existing tools) is now
possible thanks to cn=config; it was not that easy with the old slapd.conf
file.


I've found ldapedit/ldiff, from:

http://www.aput.net/~jheiss/krbldap/tools/

to be indispensable in my own efforts to learn the new config backend.

E.g.:

LDAPBASE='cn=config' ./ldapedit objectClass=*

opens up the entire config data within an editor (based on your EDITOR
environment variable), and then performs the necessary ldap modifications
for you after you save and exit.

It does not properly handle changes to some of the more complex multi-line
entries, such as the schema definitions.

--
Dan White



Re: Installation openLDAP in Debian

2011-04-20 Thread Jose Ildefonso Camargo Tolosa
On Wed, Apr 20, 2011 at 4:18 PM, Howard Chu h...@symas.com wrote:
 Jose Ildefonso Camargo Tolosa wrote:

 On Wed, Apr 20, 2011 at 2:53 PM, Howard Chu h...@symas.com wrote:

 The tree of files is not meant for you to ever look at or modify
 directly.
 Just use slapcat or ldapsearch. If you know anything about LDAP at all
 this
 is MUCH easier than editing flat text files, since you can use any LDAP
 tool
 (commandline or GUI) to do all the administration.

 I don't find it complex to directly modify the files; actually, I find it
 easier than having to write an ldif modification script every time I
 need to apply a change! I just go ahead and edit the corresponding
 ldif file in slapd.d

 You are editing the backing store of a slapd internal database. If slapd is
 running while you're doing this, you will probably corrupt the database.
 Even if slapd is not running, you'll probably corrupt the database.

Ok, I'll fall for this: how in the world can I corrupt a text (ldif)
file? I have done that for quite some time, and I have never had a
single issue with it.  Of course, I need to restart slapd to make it
use my changes, but it is not a big deal in my environment (for other
environments, you can use ldapmodify (or similar) and make changes on
the fly).

Btw, how does OpenLDAP currently handle it when you make a really bad
change to an openldap parameter via ldapmodify?  If I edit the ldif files
(in slapd.d), I can actually use slaptest to validate them before I
restart the daemon.



Re: Installation openLDAP in Debian

2011-04-20 Thread Jose Ildefonso Camargo Tolosa
On Wed, Apr 20, 2011 at 4:34 PM, Dan White dwh...@olp.net wrote:
 On 20/04/11 16:01 -0430, Jose Ildefonso Camargo Tolosa wrote:

 Now, if there was a graphical LDAP administration tool that handled
 the configuration: there would be a lot of happy people, and writing
 that tool (even by creating a template for existing tools) is now
 possible thanks to cn=config, it was not that easy with old slapd.conf
 file.

 I've found ldapedit/ldiff, from:

 http://www.aput.net/~jheiss/krbldap/tools/

 to be indispensable in my own efforts to learn the new config backend.

 E.g.:

 LDAPBASE='cn=config' ./ldapedit objectClass=*

 opens up the entire config data within an editor (based on your EDITOR
 environment variable), and then performs the necessary ldap modifications
 for you after you save and exit.

 It does not properly handle changes to some of the more complex multi-line
 entries, such as the schema definitions.

All of this actually gives me an idea: if I use slapcat, create a
copy, edit the copy, and then use ldapdiff to get a modification
script, that could be simpler than writing the modification ldifs
every time I need to make a change.
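The slapcat-copy-edit-diff idea above, carried through as an added example (Python, written for this thread; it is not the ldapdiff tool from the link above nor any OpenLDAP code): parse two LDIF dumps and emit the ldapmodify change records that turn the first into the second. The cn=config excerpt is constructed; base64 (::) values are compared as-is, not decoded.

```python
# Added example, not the thread's ldapdiff tool: diff two slapcat dumps of cn=config
# and emit the LDIF change records that turn one into the other (ldapmodify input).

def parse_ldif(text):
    """Return {dn: {attr: [tails]}}; a tail is the text after the attribute name
    (': value', kept verbatim, so a stray trailing space shows up as a change)."""
    lines = []
    for raw in text.splitlines():            # join folded continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = {}
    for block in "\n".join(lines).split("\n\n"):   # entries are blank-line separated
        dn, attrs = None, {}
        for ln in block.split("\n"):
            if not ln or ln.startswith("#"): continue
            key, sep, rest = ln.partition(":")   # '::' base64 values stay encoded
            if key == "dn":
                dn = rest.strip()
            else:
                attrs.setdefault(key, []).append(sep + rest)
        if dn is not None: entries[dn] = attrs
    return entries

def ldif_diff(old, new):
    """LDIF change records (ldapmodify input) that turn `old` into `new`."""
    out = []
    for dn in old:
        if dn not in new:
            out += [f"dn: {dn}", "changetype: delete", ""]
    for dn, attrs in new.items():
        if dn not in old:
            out += [f"dn: {dn}", "changetype: add"] + [k + t for k, ts in attrs.items() for t in ts] + [""]
            continue
        mods = []
        for k in sorted(set(old[dn]) | set(attrs)):   # removed, added or changed attrs
            if k not in attrs:
                mods += [f"delete: {k}", "-"]
            elif k not in old[dn]:
                mods += [f"add: {k}"] + [k + t for t in attrs[k]] + ["-"]
            elif old[dn][k] != attrs[k]:
                mods += [f"replace: {k}"] + [k + t for t in attrs[k]] + ["-"]
        if mods:
            out += [f"dn: {dn}", "changetype: modify"] + mods + [""]
    return "\n".join(out)

# Constructed slapcat-style excerpt (not a real server's config) and an edited copy of it.
OLD = ("dn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcLogLevel: none\n\n"
       "dn: olcDatabase={1}hdb,cn=config\nobjectClass: olcHdbConfig\nolcSuffix: dc=example,dc=com\n")
NEW = OLD.replace("olcLogLevel: none", "olcLogLevel: stats sync") + "olcDbIndex: objectClass eq\n"
```

Feeding `ldif_diff(parse_ldif(OLD), parse_ldif(NEW))` to ldapmodify against cn=config keeps every change on the path slapd validates, instead of hand-editing slapd.d.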



Re: Installation openLDAP in Debian

2011-04-20 Thread Quanah Gibson-Mount



--On April 20, 2011 9:17:36 PM -0430 Jose Ildefonso Camargo Tolosa 
ildefonso.cama...@gmail.com wrote:



Btw, how does OpenLDAP currently handle it when you make a really bad
change to an openldap parameter via ldapmodify?  If I edit the ldif files
(in slapd.d), I can actually use slaptest to validate them before I
restart the daemon.


Modify operations made by ldapmodify go through much stricter testing than 
anything the slap* tools do.  This is the case for all ldap* vs slap* 
operations.


--Quanah


--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



Re: new entry lost on multi-master setup (two scenarios)

2011-04-20 Thread Jose Ildefonso Camargo Tolosa
Ok, then... either I'm missing something obvious, or no one has any
idea on this...  Should I create a bug report based on my findings
here?

Thanks!

Ildefonso Camargo

On Tue, Apr 19, 2011 at 2:12 PM, Jose Ildefonso Camargo Tolosa
ildefonso.cama...@gmail.com wrote:
 Greetings,

 Any comments on this? can anybody help me verify this possible bug?

 Ildefonso.

 On Sun, Apr 17, 2011 at 2:24 PM, Jose Ildefonso Camargo Tolosa
 ildefonso.cama...@gmail.com wrote:
 Greetings,

 At first, I was going to create a bug report, but decided to send to
 list first.  I tried this with both: 2.4.23 (Debian package), and
 2.4.25, compiled from source, bdb 4.8.

 After a couple of entries just disappeared on one multi-master setup I
 had, I decided to further investigate, and found this (there are two
 cases, for the same procedure):

 1. Configure two LDAP servers in multi-master setup.
 2. Make sure they replicate correctly (of course).
 3. Shutdown one of the two ldap servers.
 4. Create a new entry (say, ou1) on the LDAP server that is left up.
 5. Shutdown the last LDAP server.
 6. Start the *other* LDAP server, the one where you didn't create the entry.
 7. Create another entry, say: ou2, so that both servers have a new
 entry that is *not* on the other server.
 8. Shutdown the LDAP server (both servers down now).
 9. Start both LDAP servers.

 Result (case 1): one of the two newly created entries is missing on
 *one* of the servers, and only one of the entries is missing on the
 other server.

 Result (case 2): one entry is missing on *both* servers.

 Both servers have NTP and the same timezone (ie, time is synchronized).

 I'm *not* replicating cn=config (I shouldn't, because I have different
 SSL certificates on each server).  Now, more details:

 slapd with -d 16384 gives me this on the server that misses both
 entries; on this server I created the entry dn
 ou=ou2,dc=st-andes,dc=com (and the server decided to delete it!, and,
 for some reason, it didn't detect the new ou1 entry created on the
 other server):

 http://www.st-andes.com/openldap/case1/log-server2-case1.txt

 The other server (the one that kept one entry and lost the other): on
 this server I created the entry ou=ou1,dc=st-andes,dc=com, and it says
 it was changed by peer:

 http://www.st-andes.com/openldap/case1/log-server1-case1.txt

 Now, I'm seeing here that it is using 000 server id... but on the
 cn=config.ldif I have:

 olcServerID: 1 ldap://ldap.ildetech.com:389/
 olcServerID: 2 ldap://ldap2.ildetech.com:389/

 And the syncrepl:

 olcSyncRepl: rid=001 provider=ldap://ldap.ildetech.com:389
 binddn=cn=admin,dc=st-andes,dc=com bindmethod=simple
 credentials=secret searchbase=dc=st-andes,dc=com
 type=refreshAndPersist retry=3 5 5 + timeout=7 starttls=critical
 olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389
 binddn=cn=admin,dc=st-andes,dc=com bindmethod=simple
 credentials=secret searchbase=dc=st-andes,dc=com
 type=refreshAndPersist retry=3 5 5 + timeout=7 starttls=critical
 olcMirrorMode: TRUE

 And, as you can see on the command line, I have the URL specified in
 the -h parameter, but it seems to be ignoring it!  Or, should I
 specify the *whole* urls that I put in the -h parameter?
 (ldap://ldap2.ildetech.com:389 ldap://127.0.0.1:389/ ldaps:///
 ldapi:///)

 So, I decided to change the config:

 On server 1 (kirara):

 olcServerID: 1

 and

 olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389
 binddn=cn=admin,dc=st-andes,dc=com bindmethod=simple
 credentials=secret searchbase=dc=st-andes,dc=com
 type=refreshAndPersist retry=3 5 5 + timeout=7 starttls=critical
 olcMirrorMode: TRUE

 On server 2 (happy):

 olcServerID: 2

 and

 olcSyncRepl: rid=002 provider=ldap://ldap2.ildetech.com:389
 binddn=cn=admin,dc=st-andes,dc=com bindmethod=simple
 credentials=secret searchbase=dc=st-andes,dc=com
 type=refreshAndPersist retry=3 5 5 + timeout=7 starttls=critical
 olcMirrorMode: TRUE

 With this new setup, and following the same procedure, I get one
 missing entry on *both* servers (at least the servers get to a consistent
 state), but I still have a missing entry.  The logs for this setup:

 Server 2 (ID 2, where I created entry: ou2 while the other server was
 down), this server decided, wrongly, to delete entry ou2:

 http://www.st-andes.com/openldap/case2/log-server2-case2.txt

 And the other server (where I created ou1):

 http://www.st-andes.com/openldap/case2/log-server1-case2.txt

 This one never saw the other entry, ou2.

 For both cases, the syncprov module was with default configuration:

 dn: olcOverlay={0}syncprov
 objectClass: olcOverlayConfig
 objectClass: olcSyncProvConfig
 olcOverlay: {0}syncprov
 structuralObjectClass: olcSyncProvConfig
 entryUUID: 24354488-e5bf-102f-9e6a-ad3cba95f7f1
 creatorsName: cn=config
 createTimestamp: 20110318152128Z
 entryCSN: 20110318152128.935227Z#00#000#00
 modifiersName: cn=config
 modifyTimestamp: 20110318152128Z

 What do you think?

 Thanks in advance!

 
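The "it is using 000 server id" observation above, as an added check (Python, written for this thread; not OpenLDAP code): slapd selects its serverID by matching each olcServerID URL against the listener URLs given with -h. This example assumes that match is an exact string comparison, so the trailing slash on the olcServerID URLs versus the slash-less -h URL would leave the server at SID 0; it also parses entryCSN values to read back which SID a change was stamped with. The olcServerID and -h values come from the thread; the CSN values are constructed.

```python
# Added example (not OpenLDAP code): work out which serverID a mirror-mode slapd
# will stamp into its CSNs.  Assumption: the olcServerID URL must equal one of
# the -h listener URLs exactly (so "host:389/" does not match "host:389"); when
# nothing matches, slapd keeps serverID 0 and writes carry SID 000.
import re

# entryCSN layout: YYYYmmddHHMMSS.uuuuuuZ#count(6 hex)#sid(3 hex)#mod(6 hex)
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

def parse_csn(csn):
    """Split an entryCSN into its fields; 'sid' is the originating serverID."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"malformed CSN: {csn}")
    t, us, count, sid, mod = m.groups()
    return {"time": t, "usec": int(us), "count": int(count, 16),
            "sid": int(sid, 16), "mod": int(mod, 16)}

def effective_serverid(olc_serverid_values, listener_urls):
    """serverID slapd would adopt: a bare 'olcServerID: N' applies as-is, a
    'N url' form only when url exactly equals a listener URL; otherwise 0."""
    for value in olc_serverid_values:
        parts = value.split(None, 1)
        if len(parts) == 1:
            return int(parts[0])
        sid, url = int(parts[0]), parts[1].strip()
        if url in listener_urls:
            return sid
    return 0

def diagnose(olc_serverid_values, listener_urls, sample_csn):
    """Compare the SID slapd would use with the SID found in an entryCSN."""
    expected = effective_serverid(olc_serverid_values, listener_urls)
    seen = parse_csn(sample_csn)["sid"]
    if expected == 0:
        return "no olcServerID URL matches a listener URL: writes will carry SID 000"
    if seen != expected:
        return f"CSN carries SID {seen:03x} but this server should stamp {expected:03x}"
    return f"SID {expected:03x} consistent"

# From the thread: olcServerID URLs end in '/', the -h listener URL does not.
SERVER_IDS = ["1 ldap://ldap.ildetech.com:389/", "2 ldap://ldap2.ildetech.com:389/"]
LISTENERS = ["ldap://ldap2.ildetech.com:389", "ldap://127.0.0.1:389/", "ldaps:///", "ldapi:///"]
SAMPLE_CSN = "20110417182400.123456Z#000000#000#000000"   # constructed, SID 000
```

Once the URL strings agree (or a bare `olcServerID: 2` is used per server, as in the second configuration above), the CSNs on each server should carry that server's own SID, which is what makes conflict resolution between the two mirrors meaningful.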

Re: new entry lost on multi-master setup (two scenarios)

2011-04-20 Thread Quanah Gibson-Mount



--On April 20, 2011 11:40:32 PM -0430 Jose Ildefonso Camargo Tolosa 
ildefonso.cama...@gmail.com wrote:



Ok, then... either I'm missing something obvious, or no one has any
idea on this...  Should I create a bug report based on my findings
here?


That's probably the best course of action.

--Quanah


--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration



Re: Installation openLDAP in Debian

2011-04-20 Thread Howard Chu

Jose Ildefonso Camargo Tolosa wrote:

On Wed, Apr 20, 2011 at 4:18 PM, Howard Chu h...@symas.com wrote:

Jose Ildefonso Camargo Tolosa wrote:


On Wed, Apr 20, 2011 at 2:53 PM, Howard Chu h...@symas.com wrote:


The tree of files is not meant for you to ever look at or modify
directly.
Just use slapcat or ldapsearch. If you know anything about LDAP at all
this
is MUCH easier than editing flat text files, since you can use any LDAP
tool
(commandline or GUI) to do all the administration.


I don't find it complex to directly modify the files; actually, I find it
easier than having to write an ldif modification script every time I
need to apply a change! I just go ahead and edit the corresponding
ldif file in slapd.d


You are editing the backing store of a slapd internal database. If slapd is
running while you're doing this, you will probably corrupt the database.
Even if slapd is not running, you'll probably corrupt the database.


Ok, I'll fall for this: how in the world can I corrupt a text (ldif)
file? I have done that for quite some time, and I have never had a
single issue with it.  Of course, I need to restart slapd to make it
use my changes, but it is not a big deal in my environment (for other
environments, you can use ldapmodify (or similar) and make changes on
the fly).


There are many possibilities. The most obvious is leaving random whitespace at 
the end of a line, which frequently trips up people who manually edit flat 
text files. I won't go into the other possibilities because frankly, it's an 
internal implementation detail and not worth mentioning. Suffice to say, if 
you're not going to take the word of the programmer who designed and 
implemented all of this that editing by hand is prone to corruption, then we 
have nothing further to discuss.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: new entry lost on multi-master setup (two scenarios)

2011-04-20 Thread Howard Chu

Quanah Gibson-Mount wrote:



--On April 20, 2011 11:40:32 PM -0430 Jose Ildefonso Camargo Tolosa
ildefonso.cama...@gmail.com  wrote:


Ok, then... either:I'm missing something obvious, or no one have any
idea on this...  Should I create a bug report based on my findings
here?


That's probably the best course of action.


With a small self-contained example to reproduce the problem. The description 
posted thus far has been full of inconsistencies.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/