eDirectory - openLDAP password synchronization with jdap

2012-01-16 Thread Martin Anastasov
Hi,

I'm trying to synchronize passwords from eDirectory to openLDAP using jdap.
The passwords in eDirectory are not stored in plain text, i.e. Secure Login
SSO is used (protocom-SSO-Entries in the LDIF file). Also present in the LDIF are
nDSPKIUserCertificateInfo and userCertificate.

Is it possible to do the synchronization?

Thanks in advance.


Regards,
Martin


Re: Heavy load problems

2012-01-16 Thread Angel L. Mateo

On 13/01/12 22:43, Philip Guenther wrote:

On Fri, 13 Jan 2012, Angel L. Mateo wrote:
...

The only difference between the old and the new farm is that the old
farm was replicating information with slurpd. The new one is a multimaster
configuration. The configuration of the replica is:

...

This configuration is in the 4 farm nodes. We have checked indexes and
both farms have the same.


You have the exact same indexes on your new syncrepl-based systems as you
did on your old slurpd-based systems?  If so, then you probably don't have
equality indexes on entryCSN and entryUUID, which will make syncrepl's
internal searches much slower and inefficient than they can be.

I have the same indexes as the old farm, plus indexes on entryCSN and
entryUUID.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337



Re: Heavy load problems

2012-01-16 Thread Angel L. Mateo

On 13/01/12 21:34, Quanah Gibson-Mount wrote:

--On Friday, January 13, 2012 10:55 AM +0100 Angel L. Mateo
ama...@um.es wrote:


Now we have migrated to two openldap (2.4.21, ubuntu lucid 64 bits)
farms. One with 4 nodes (xen vm with two cpu cores, Xeon E5450 3GHz, 2 GB
of RAM) for the authentication database, and another with 2 nodes (with the
same resources as the other) for the other database.



OpenLDAP 2.4.21 is over 2 years old. I would first suggest upgrading to
a current release, given the hundreds of bug fixes since then. If you
still see load issues, I highly advise reading over
http://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning.

I'd already followed the db tuning (but not the shared memory). I'll
take a look at this.



--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337



syncprov_db_open: invalid config, lastmod must be enabled

2012-01-16 Thread Angel L. Mateo

Hi,

I'm trying to configure the chain overlay in an ldap replica consumer. My
final purpose is that if this node receives an update, it directly tries
to make it in the provider node, instead of returning the referral. Is
that possible? I think so...


But I have a problem with the configuration. My config is

...
moduleload  back_ldap
moduleload  syncprov
...
database    hdb
suffix  dc=mysuffix
...
overlay syncprov

syncrepl   rid=31
   provider=ldap://provider
   binddn=replica user dn
   bindmethod=simple
   credentials=password
   searchbase=dc=mysuffix
   type=refreshAndPersist
   interval=00:00:00:10
   retry=5 5 300 +
   timeout=1

overlay chain
chain-max-depth 1
chain-return-error true

chain-uri ldap://provider
chain-rebind-as-user yes
chain-idassert-bind bindmethod=simple
binddn=replica user dn
credentials=password
starttls=no
mode=self

But when I test the configuration with slaptest, I get:

root@canis32:/etc/ldap# slaptest -f /etc/ldap/slapd.conf
syncprov_db_open: invalid config, lastmod must be enabled
backend_startup_one (type=hdb, suffix=mysuffix): bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)

and I can't run slapd. Any idea?

I'm running slapd 2.4.21 (ubuntu lucid package)

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337



Re: syncprov_db_open: invalid config, lastmod must be enabled

2012-01-16 Thread Dieter Klünter
On Mon, 16 Jan 2012 11:03:25 +0100,
Angel L. Mateo ama...@um.es wrote:

 Hi,
 
   I'm trying to configure the chain overlay in an ldap replica
 consumer. My final purpose is that if this node receives an update,
 it directly tries to make it in the provider node, instead of
 returning the referral. Is that possible? I think so...
 
   But I have a problem with the configuration. My config is
 
 ...
 moduleload  back_ldap
 moduleload  syncprov
 ...
 database  hdb
 suffix    dc=mysuffix
 ...
 overlay   syncprov
 
 syncrepl   rid=31
 provider=ldap://provider
 binddn=replica user dn
 bindmethod=simple
 credentials=password
 searchbase=dc=mysuffix
 type=refreshAndPersist
 interval=00:00:00:10
 retry=5 5 300 +
 timeout=1
 
 overlay   chain
 chain-max-depth 1
 chain-return-error true
 
 chain-uri ldap://provider
 chain-rebind-as-user yes
 chain-idassert-bind bindmethod=simple
  binddn=replica user dn
  credentials=password
  starttls=no
  mode=self
 
   But when I test the configuration with slaptest, I get:
 
 root@canis32:/etc/ldap# slaptest -f /etc/ldap/slapd.conf
 syncprov_db_open: invalid config, lastmod must be enabled
 backend_startup_one (type=hdb, suffix=mysuffix): bi_db_open
 failed! (-1) slap_startup failed (test would succeed using the -u
 switch)
 
   and I can't run slapd. Any idea?
 
   I'm running slapd 2.4.21 (ubuntu lucid package)
 

The chain overlay has to be configured in the global part, prior to any
database declaration.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95N
10°08'02,42E



Re: syncprov_db_open: invalid config, lastmod must be enabled

2012-01-16 Thread Angel L. Mateo
I have found the problem. It is that the chain configuration has to be put
before any backend configuration.


--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337



Extending smbk5pwd overlay

2012-01-16 Thread Clément OUDOT
Hello,

I am interested in extending the features of smbk5pwd overlay to
manage more password mechanisms:
* Digest MD5 for authentication (see
http://en.wikipedia.org/wiki/Digest_access_authentication): we will
have MD5(user:domain:password), with configuration for user attribute
to use and the domain string
* Active Directory password: will use the syntax of AD unicodePwd, in
order to sync the attribute into AD

Are you interested by adding these features in the current smbk5pwd
overlay or do you prefer that we create new overlay(s) for this?

Another question: would you accept an option on the smbk5pwd overlay
so it can be triggered by simple userPassword modifications instead of
only extended password modification operation?

Regards,

Clément OUDOT.



Re: Extending smbk5pwd overlay

2012-01-16 Thread Simone Piccardi

On 01/16/2012 02:43 PM, Clément OUDOT wrote:

Hello,

I am interested in extending the features of smbk5pwd overlay to
manage more password mechanisms:
* Digest MD5 for authentication (see
http://en.wikipedia.org/wiki/Digest_access_authentication): we will
have MD5(user:domain:password), with configuration for user attribute
to use and the domain string
* Active Directory password: will use the syntax of AD unicodePwd, in
order to sync the attribute into AD


What about shadowLastChange updating?

Simone
--
Simone Piccardi Truelite Srl
picca...@truelite.it (email/jabber) Via Monferrato, 6
Tel. +39-347-103243350142 Firenze
http://www.truelite.it  Tel. +39-055-7879597Fax. +39-055-736



Re: Extending smbk5pwd overlay

2012-01-16 Thread Felipe Augusto van de Wiel

On 16-01-2012 12:27, Simone Piccardi wrote:
 On 01/16/2012 02:43 PM, Clément OUDOT wrote:

 I am interested in extending the features of smbk5pwd overlay to
 manage more password mechanisms:
 * Digest MD5 for authentication (see
 http://en.wikipedia.org/wiki/Digest_access_authentication): we will
 have MD5(user:domain:password), with configuration for user attribute
 to use and the domain string
 * Active Directory password: will use the syntax of AD unicodePwd, in
 order to sync the attribute into AD

 What about shadowLastChange updating?

From what I can see here[1] the patch was merged (a while ago, back in
June 2011).


http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=d5920a42b142c32e9670da90e48d25a5dbc642f4


Kind regards,
-- 
Felipe Augusto van de Wiel felipe.w...@hpp.org.br
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1747



Re: syncprov_db_open: invalid config, lastmod must be enabled

2012-01-16 Thread Howard Chu

Dieter Klünter wrote:

On Mon, 16 Jan 2012 11:03:25 +0100,
Angel L. Mateo ama...@um.es wrote:


Hi,

I'm trying to configure the chain overlay in an ldap replica
consumer. My final purpose is that if this node receives an update,
it directly tries to make it in the provider node, instead of
returning the referral. Is that possible? I think so...

But I have a problem with the configuration. My config is

...
moduleload  back_ldap
moduleload  syncprov
...
database    hdb
suffix  dc=mysuffix
...
overlay syncprov

syncrepl   rid=31
 provider=ldap://provider
 binddn=replica user dn
 bindmethod=simple
 credentials=password
 searchbase=dc=mysuffix
 type=refreshAndPersist
 interval=00:00:00:10
 retry=5 5 300 +
 timeout=1

overlay chain
chain-max-depth 1
chain-return-error true

chain-uri ldap://provider
chain-rebind-as-user yes
chain-idassert-bind bindmethod=simple
  binddn=replica user dn
  credentials=password
  starttls=no
  mode=self

But when I test the configuration with slaptest, I get:

root@canis32:/etc/ldap# slaptest -f /etc/ldap/slapd.conf
syncprov_db_open: invalid config, lastmod must be enabled
backend_startup_one (type=hdb, suffix=mysuffix): bi_db_open
failed! (-1) slap_startup failed (test would succeed using the -u
switch)

and I can't run slapd. Any idea?

I'm running slapd 2.4.21 (ubuntu lucid package)



The chain overlay has to be configured in the global part, prior to any
database declaration.


That might be true, but the actual error here is that the syncprov overlay has 
been included even though there is no need for it.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



memberOf and glued databases

2012-01-16 Thread Marc Patermann

Hi,

short question first:
Is overlay memberOf supposed to work with glued databases in any direction?




I tried with 2.4.28 and get the following results:

slapd.conf with two databases

1. step
---
This is simple. MemberOf overlay only in one database 
ou=groups,ou=foo,ou=bar (subordinated).


database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...
overlay memberof
memberof-group-ac groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof

database bdb
suffix ou=bar
...


- created one inetOrgPerson object
  employeenumber=11,ou=groups,ou=foo,ou=bar
- created one group
  ou=2,ou=groups,ou=foo,ou=bar
  with
  member: employeenumber=11,ou=groups,ou=foo,ou=bar
=> memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and
   unset just fine.

=> no modifications in superior database ou=bar


2. step
---
overlay loaded in both databases

database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...
overlay memberof
memberof-group-ac groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof

database bdb
suffix ou=bar
...
overlay memberof
memberof-group-ac groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof


=> modifications in the subordinate database work as in step 1.

- created one inetOrgPerson object
  employeenumber=1,ou=bar
- created one group
  ou=1,ou=bar
  with
  member: employeenumber=1,ou=bar
=> memberOf in employeenumber=1,ou=bar is set and unset just fine.
   memberOf is working in the superior database.

- setting group ou=1,ou=bar
  member: employeenumber=11,ou=groups,ou=foo,ou=bar
=> memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and
   unset just fine.
   Changes in groups of superior databases work in subordinate
   databases!

- setting group ou=2,ou=groups,ou=foo,ou=bar
  member: employeenumber=1,ou=bar
=> does _not_ work:
   memberof_value_modify DN=employeenumber=1,ou=bar add memberOf
   =ou=2,ou=groups,ou=foo,ou=bar failed err=32
   Changes in groups of subordinate databases do not work in the
   superior database!

3. step
---
setting overlay glue explicitly and removing overlay memberof from the 
subordinate database:


database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...

database bdb
suffix ou=bar
...
overlay memberof
memberof-group-ac groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof

overlay glue


=> changes in the subordinate database are _not_ managed by the
   overlay.
=> changes in groups of superior databases work in subordinate
   databases and in the superior database!

3. step II
--
If glue is located in slapd.conf before memberof (which is IMHO wrong)
and a MOD on member in a group in the subordinate database is sent, slapd
segfaults!


4. step
---
setting overlay glue explicitly and overlay memberof in both databases:

database hdb
suffix ou=groups,ou=foo,ou=bar
subordinate
...
overlay memberof
memberof-group-ac groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof

database bdb
suffix ou=bar
...
overlay memberof
memberof-group-ac groupOfNames
memberof-member-ad member
memberof-memberof-ad memberof

overlay glue

=> like step 2

So the best I get is
- memberOf works in the database, where it is set
- memberOf works for group changes in superior database on members in
  subordinated databases
- memberOf does not work for group changes in subordinated databases to
  members in superior databases.

Is this the way it is supposed to work?

What I really wanted to achieve is to get memberOf to work between
databases (under glue) at the same level (like ou=1,ou=foo and
ou=2,ou=foo, both subordinate to ou=foo). But since my tests above
did not succeed, I did not try it.



Marc



Re: syncprov_db_open: invalid config, lastmod must be enabled

2012-01-16 Thread Angel L. Mateo

On 16/01/12 17:04, Howard Chu wrote:


The chain overlay has to be configured in the global part, prior to any
database declaration.


That might be true, but the actual error here is that the syncprov
overlay has been included even though there is no need for it.

If it is not necessary, how do I synchronize both ldap directories? I
think I need it. I have configured the chain overlay in the global part and the
problem has been fixed.




Re: How to enable monitoring in OpenLdap with cn=config Backend

2012-01-16 Thread Axel Birndt



On 15.01.2012 09:13, Dieter Klünter wrote:

I tried now to import the config from above with an LDIF file.

  abirndt@ubuntunb:~/tmp/openldap_2axels-company$ 0_ldapadd_sample.bash
  cn_Monitor.ldif
  Importing the following ldif-File(s):

  cn_Monitor.ldif

  Enter LDAP Password:
  adding new entry olcdatabase=monitor,cn=config
  ldap_add: Other (e.g., implementation specific) error (80)
additional info:olcDatabase  failed init

  But I got the failure as shown.

  Could you give me a hint what I could do?


Is the monitor module loaded at all?
If it is not provided as a module, run slapd -VVV to see whether it is
built in.


I put the -VVV option in /etc/default/slapd, but with this the
LDAP server won't start:


Put the -VVV into the variable SLAPD_OPTIONS:

# Additional options to pass to slapd
SLAPD_OPTIONS=-VVV -l LOCAL4


abirndt@ubuntunb:/etc/init.d$ sudo ./slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed:
@(#) $OpenLDAP: slapd 2.4.21 (Nov 14 2011 20:35:32) $

buildd@vernadsky:/build/buildd/openldap-2.4.21/debian/build/servers/slapd


If I put a space between the - and the VVV (=> - VVV) the LDAP server
starts, but I don't see any other behavior.


I only found the -vvv option for example with the ldapadd command:

sudo ldapadd -vvv



--


Regards, Axel

--



Re: How to enable monitoring in OpenLdap with cn=config Backend

2012-01-16 Thread Mauricio Tavares
On Mon, Jan 16, 2012 at 2:31 PM, Axel Birndt towerl...@gmx.de wrote:


 On 15.01.2012 09:13, Dieter Klünter wrote:

 I tried now to import the config from above with an LDIF file.
 
   abirndt@ubuntunb:~/tmp/openldap_2axels-company$ 0_ldapadd_sample.bash
   cn_Monitor.ldif
   Importing the following ldif-File(s):
 
   cn_Monitor.ldif
 
   Enter LDAP Password:
   adding new entry olcdatabase=monitor,cn=config
   ldap_add: Other (e.g., implementation specific) error (80)
        additional info:olcDatabase  failed init
 
   But I got the failure as shown.
 
   Could you give me a hint what I could do?
 

 Is the monitor module loaded at all?
 If it is not provided as a module, run slapd -VVV to see whether it is
 built in.


 I put the -VVV option in /etc/default/slapd, but with this the LDAP server
 won't start:

 Put the -VVV into the variable SLAPD_OPTIONS:

 # Additional options to pass to slapd
 SLAPD_OPTIONS=-VVV -l LOCAL4


 abirndt@ubuntunb:/etc/init.d$ sudo ./slapd restart
 Stopping OpenLDAP: slapd.
 Starting OpenLDAP: slapd - failed:
 @(#) $OpenLDAP: slapd 2.4.21 (Nov 14 2011 20:35:32) $

  buildd@vernadsky:/build/buildd/openldap-2.4.21/debian/build/servers/slapd


 If I put a space between the - and the VVV (=> - VVV) the LDAP server
 starts, but I don't see any other behavior.

 I only found the -vvv option for example with the ldapadd command:

 sudo ldapadd -vvv

  You probably also need something on these lines (take with a VW
worth of salt; I do a lot of typos):

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: monitor



 --


 Regards, Axel

 --




Re: How to enable monitoring in OpenLdap with cn=config Backend

2012-01-16 Thread Axel Birndt

Hi @All,

On 16.01.2012 21:06, Mauricio Tavares wrote:

  abirndt@ubuntunb:/etc/init.d$  sudo ./slapd restart
  Stopping OpenLDAP: slapd.
  Starting OpenLDAP: slapd - failed:
  @(#) $OpenLDAP: slapd 2.4.21 (Nov 14 2011 20:35:32) $

buildd@vernadsky:/build/buildd/openldap-2.4.21/debian/build/servers/slapd


  If I put a space between the - and the VVV (=> - VVV) the LDAP server
  starts, but I don't see any other behavior.

  I only found the -vvv option for example with the ldapadd command:

  sudo ldapadd -vvv


   You probably also need something on these lines (take with a VW
worth of salt; I do a lot of typos):

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: monitor





I'm a little bit confused...

I created a new ldif file:

#dn: olcdatabase=monitor,cn=config
objectclass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=monitor by users read
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: monitor

and added it with the following command:

ldapadd -H ldap://localhost -x -D cn=admin,cn=config -f 
cn_Monitor_modify.ldif -W


ldapadd: attributeDescription dn: (possible missing newline after line 
4, entry olcdatabase=monitor,cn=config?)

adding new entry olcdatabase=monitor,cn=config
ldap_add: Undefined attribute type (17)
additional info: dn: attribute type undefined

Is there the possibility of providing me a file in LDIF format which I
could import?


Of course I'm able to provide some more information. Could someone give
me some hints, what I could do?


A look inside the configuration gives me no more information. I used
ldapvi and phpldapadmin:


ldapvi -D cn=admin,cn=config -b cn=config

But there was no content with the new olcdatabase=monitor,cn=config...

--


Regards, Axel

--
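The two errors ldapadd printed above (a record that does not start with `dn:`, and a `dn:` line run into the preceding record) are structural LDIF mistakes that can be caught before anything touches cn=config. The checker below is an added example, not OpenLDAP code; both LDIF samples are constructed here, and the module name back_monitor is an assumption (a slapd with the monitor backend compiled in, as `slapd -VVV` would show, needs no olcModuleLoad record at all).

```python
"""Structural lint for an LDIF change file, reproducing what ldapadd reported on
the file above: the first record has no 'dn:' line (it was commented out) and a
second 'dn:' runs into the same record with no blank line between records.
Added example, not OpenLDAP code; both LDIF samples are constructed here, and the
module name back_monitor is an assumption."""
from typing import List, Tuple

Record = List[Tuple[str, str]]


def parse_ldif_records(text: str) -> List[Record]:
    """Split LDIF text into records of ordered (attribute, value) pairs.

    '#' lines are comments, a line starting with one space continues the
    previous value, a blank line ends the record, and '-' separates the
    changes of a modify record."""
    raw_records: List[List[str]] = []
    lines: List[str] = []
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if lines:
                raw_records.append(lines)
                lines = []
        elif line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    records: List[Record] = []
    for raw in raw_records:
        record: Record = []
        for line in raw:
            if line == "-":
                record.append(("-", ""))
                continue
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"not an attribute line: {line!r}")
            record.append((attr.strip(), value.strip()))
        records.append(record)
    return records


def lint_ldif(text: str) -> List[str]:
    """Return the structural problems ldapadd/ldapmodify would trip over."""
    problems: List[str] = []
    for n, record in enumerate(parse_ldif_records(text), 1):
        attrs = [a.lower() for a, _ in record]
        if attrs and attrs[0] == "version":   # optional 'version: 1' header
            attrs = attrs[1:]
        if not attrs or attrs[0] != "dn":
            problems.append(f"record {n}: must start with 'dn:' (commented out or missing?)")
        for i, attr in enumerate(attrs[1:], 2):
            if attr == "dn":
                problems.append(f"record {n}: 'dn:' at line {i} of the record; "
                                "a blank line must separate records")
    return problems


# Constructed copy of the file from the post above.
POSTED_LDIF = """\
#dn: olcdatabase=monitor,cn=config
objectclass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=monitor by users read
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: monitor
"""

# Two records, blank-line separated, for 'ldapadd -x -D cn=admin,cn=config -W -f'
# (ldapadd is ldapmodify -a: a record without changetype is an add).
CORRECTED_LDIF = """\
# 1. load the monitor backend (module name is an assumption; omit this record
#    when the backend is compiled in)
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor

# 2. the monitor database itself
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to dn.subtree="cn=monitor" by users read
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_LDIF), ("corrected", CORRECTED_LDIF)):
        print(name, lint_ldif(text) or "ok")
```

The second problem the linter reports lands on line 4 of the record, the same position ldapadd's "possible missing newline after line 4" pointed at; the fix is a blank line before each `dn:`, and the order matters too: the module must be loaded in an earlier record than the database that needs it.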



The problem of BINDDN/BINDPW in ldap.conf

2012-01-16 Thread Tianyin Xu
Hi, all,

I'm using Ubuntu 10.04 and LDAP 2.4.23. I'm having difficulty with the
basic binding.

I don't want to allow anonymous ldapsearch on the LDAP server so I specify
a dn and password for the bind. If I use the following parameters for
ldapsearch like

 ldapsearch -b dc=ucsd,dc=edu -D cn=admin,dc=ucsd,dc=edu -w 1234

This works quite fine. Then, I write the parameters into ldap.conf as
follows:

--- ldap.conf ---
BASE    dc=ucsd,dc=edu
BINDDN  cn=admin,dc=ucsd,dc=edu
BINDPW  12345
---

Then only BASE has effect. According to the ldap.conf manual, BINDDN is a
user-only attribute and needs to go in ~/.ldaprc; it doesn't mention
BINDPW at all.

But searching on the web, I found several cases that used binddn and
bindpw in ldap.conf and worked successfully. So I'm quite confused about
these two directives.

Could anyone explain a little bit to me on BINDDN and BINDPW?

Thanks a lot!!
Tianyin

-- 
Tianyin XU,
http://cseweb.ucsd.edu/~tixu/


Re: The problem of BINDDN/BINDPW in ldap.conf

2012-01-16 Thread Howard Chu

Tianyin Xu wrote:

Hi, all,

I'm using Ubuntu 10.04 and LDAP 2.4.23. I'm having difficulty with the basic
binding.

I don't want to allow anonymous ldapsearch on the LDAP server so I specify a
dn and password for the bind. If I use the following parameters for ldapsearch
like

  ldapsearch -b dc=ucsd,dc=edu -D cn=admin,dc=ucsd,dc=edu -w 1234

This works quite fine. Then, I write the parameters into ldap.conf as follows:

--- ldap.conf ---
BASE    dc=ucsd,dc=edu
BINDDN  cn=admin,dc=ucsd,dc=edu
BINDPW  12345
---

Then only BASE has effect. According to the ldap.conf manual, BINDDN is a
user-only attribute and needs to go in ~/.ldaprc; it doesn't mention BINDPW
at all.

But searching on the web, I found several cases that used binddn and
bindpw in ldap.conf and worked successfully. So I'm quite confused about these
two directives.


Those were not OpenLDAP's ldap.conf. BINDPW isn't mentioned in OpenLDAP 
documentation because it does not exist in OpenLDAP. Reading non-OpenLDAP 
documentation and attempting to apply it to OpenLDAP software is a pretty 
reliable means of confusing yourself.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: The problem of BINDDN/BINDPW in ldap.conf

2012-01-16 Thread Tianyin Xu
thx, Howard!

that makes sense!
but if bindpw is not an OpenLDAP directive, why is OpenLDAP so quiet about
accepting it? It should report the configuration errors in the conf file, right?
:P

btw, do you know what those configuration files using BINDPW are for?
actually I'm trying to reply the configuration error reported.

Best,
Tianyin



On Mon, Jan 16, 2012 at 5:42 PM, Howard Chu h...@symas.com wrote:

 Tianyin Xu wrote:

 Hi, all,

 I'm using Ubuntu 10.04 and LDAP 2.4.23. I'm having difficulty with the
 basic
 binding.

 I don't want to allow anonymous ldapsearch on the LDAP server so I
 specify a
 dn and password for the bind. If I use the following parameters for
 ldapsearch
 like

  ldapsearch -b dc=ucsd,dc=edu -D cn=admin,dc=ucsd,dc=edu -w
 1234

 This works quite fine. Then, I write the parameters into ldap.conf as
 follows:

 --- ldap.conf ---
 BASE    dc=ucsd,dc=edu
 BINDDN  cn=admin,dc=ucsd,dc=edu
 BINDPW  12345
 ---

 Then only BASE has effect. According to the ldap.conf manual, BINDDN is a
 user-only attribute and needs to go in ~/.ldaprc; it doesn't mention
 BINDPW
 at all.

 But searching on the web, I found several cases that used binddn and
 bindpw in ldap.conf and worked successfully. So I'm quite confused about
 these two directives.


 Those were not OpenLDAP's ldap.conf. BINDPW isn't mentioned in OpenLDAP
 documentation because it does not exist in OpenLDAP. Reading non-OpenLDAP
 documentation and attempting to apply it to OpenLDAP software is a pretty
 reliable means of confusing yourself.

 --
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/




-- 
Tianyin XU,
http://cseweb.ucsd.edu/~tixu/


Re: syncprov_db_open: invalid config, lastmod must be enabled

2012-01-16 Thread Dieter Klünter
On Mon, 16 Jan 2012 20:11:02 +0100,
Angel L. Mateo ama...@um.es wrote:

 On 16/01/12 17:04, Howard Chu wrote:
 
  The chain overlay has to be configured in the global part, prior
  to any database declaration.
 
  That might be true, but the actual error here is that the syncprov
  overlay has been included even though there is no need for it.
 
   If it is not necessary, how do I synchronize both ldap
 directories? I think I need it. I have configured the chain overlay in the
 global part and the problem has been fixed.

If you declare a database as provider (by calling the syncprov overlay)
this database accepts write operations, so there is no need for
chaining.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95N
10°08'02,42E
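The two configuration threads above ("Heavy load problems" and "syncprov_db_open") each came down to something a static check of slapd.conf can catch: equality indexes on entryCSN and entryUUID for syncrepl, the chain overlay declared in the global section before any `database`, syncprov's need for lastmod, and a consumer that loads syncprov although it chains its writes to another provider. The checker below is an added example, not OpenLDAP code; both configs are constructed, and the directives standing in for the poster's "..." (directory, the replica bind DN, updateref) are assumptions.

```python
"""Static checks on a slapd.conf for the points raised in the two threads
above. Added example, not OpenLDAP code; both configs are constructed and
the lines standing in for the poster's '...' are assumptions."""
from typing import Dict, List, Set, Tuple

Directive = Tuple[str, str]


def parse_slapd_conf(text: str) -> Tuple[List[Directive], List[Dict]]:
    """Return (global directives, database blocks) for a slapd.conf.

    A line starting with whitespace continues the previous directive, '#'
    comments and blank lines are dropped, and everything after a 'database'
    line belongs to that database until the next one."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    global_directives: List[Directive] = []
    databases: List[Dict] = []
    current = None
    for line in logical:
        parts = line.split(None, 1)
        keyword, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "database":
            current = {"type": args, "suffix": "", "directives": []}
            databases.append(current)
        elif current is None:
            global_directives.append((keyword, args))
        else:
            if keyword == "suffix":
                current["suffix"] = args.strip('"')
            current["directives"].append((keyword, args))
    return global_directives, databases


def eq_indexed_attributes(db: Dict) -> Set[str]:
    """Attributes with an equality index ('index a,b eq' or 'index a pres,eq')."""
    attrs: Set[str] = set()
    for keyword, args in db["directives"]:
        fields = args.split()
        if keyword == "index" and len(fields) >= 2 and "eq" in fields[1].lower().split(","):
            attrs.update(a.lower() for a in fields[0].split(","))
    return attrs


def check_config(text: str) -> List[str]:
    """Human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    global_directives, databases = parse_slapd_conf(text)
    global_overlays = {a.lower() for k, a in global_directives if k == "overlay"}
    for db in databases:
        where = f"database {db['type']} ({db['suffix'] or 'no suffix'})"
        directives = db["directives"]
        overlays = {a.lower() for k, a in directives if k == "overlay"}
        has_syncrepl = any(k == "syncrepl" for k, _ in directives)
        if "chain" in overlays:
            findings.append(f"{where}: 'overlay chain' belongs in the global section, "
                            "before the first 'database' directive")
        if "syncprov" in overlays:
            if any(k == "lastmod" and a.lower() == "off" for k, a in directives):
                findings.append(f"{where}: syncprov requires lastmod on "
                                "(slaptest: 'lastmod must be enabled')")
            if has_syncrepl and ("chain" in overlays or "chain" in global_overlays):
                findings.append(f"{where}: syncprov makes this database a provider that "
                                "accepts writes, so chaining updates elsewhere is unnecessary")
        if has_syncrepl or "syncprov" in overlays:
            missing = sorted({"entrycsn", "entryuuid"} - eq_indexed_attributes(db))
            if missing:
                findings.append(f"{where}: add 'index {','.join(missing)} eq'; "
                                "syncrepl's internal searches are slow without it")
    return findings


# Constructed after the consumer config posted in the thread ('...' filled in).
BROKEN_CONF = """\
moduleload  back_ldap
moduleload  syncprov

database    hdb
suffix      "dc=mysuffix"
directory   /var/lib/ldap
index       objectClass eq
overlay     syncprov
syncrepl    rid=31 provider=ldap://provider bindmethod=simple
            binddn="cn=replica,dc=mysuffix" credentials=password
            searchbase="dc=mysuffix" type=refreshAndPersist retry="5 5 300 +"
overlay     chain
chain-uri   ldap://provider
chain-idassert-bind bindmethod=simple binddn="cn=replica,dc=mysuffix"
            credentials=password mode=self
"""

# Same consumer with chain global, syncprov dropped, and the syncrepl indexes.
FIXED_CONF = """\
moduleload  back_ldap

overlay     chain
chain-uri   ldap://provider
chain-idassert-bind bindmethod=simple binddn="cn=replica,dc=mysuffix"
            credentials=password mode=self

database    hdb
suffix      "dc=mysuffix"
directory   /var/lib/ldap
index       objectClass eq
index       entryCSN,entryUUID eq
syncrepl    rid=31 provider=ldap://provider bindmethod=simple
            binddn="cn=replica,dc=mysuffix" credentials=password
            searchbase="dc=mysuffix" type=refreshAndPersist retry="5 5 300 +"
updateref   ldap://provider
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_config(conf) or "ok")
```

In the fixed variant the consumer still returns a referral for writes (updateref), and the global chain overlay is what follows that referral to the provider with the asserted identity; that is the behaviour the original poster was after, and it needs no syncprov on the consumer.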



Re: The problem of BINDDN/BINDPW in ldap.conf

2012-01-16 Thread Dieter Klünter
On Mon, 16 Jan 2012 17:59:52 -0800,
Tianyin Xu t...@cs.ucsd.edu wrote:

 thx, Howard!
 
 that makes sense!
 but if bindpw is not an OpenLDAP directive, why is OpenLDAP so quiet
 about accepting it? It should report the configuration errors in the conf
 file, right? :P
 
 btw, do you know what are those configuration files using BINDPW for?
 actually I'm trying to reply the configuration error reported.

It is most likely the configuration for nss_ldap, found
in /etc/ldap.conf, while OpenLDAP clients are configured
in /etc/openldap/ldap.conf.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95N
10°08'02,42E
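Since libldap accepts a file containing BINDPW without a word, the check has to be done by hand. The script below does it for the file posted in this thread, as an added example that is not OpenLDAP's own parser: it flags directives that belong to nss_ldap/pam_ldap's /etc/ldap.conf, and the user-only directives that the system-wide file does not honour. The directive sets are a subset of ldap.conf(5), and the sample files (including the hostname) are constructed.

```python
"""Checks an OpenLDAP ldap.conf for the two traps in this thread: BINDPW is not
an OpenLDAP directive (it comes from nss_ldap/pam_ldap's own /etc/ldap.conf)
and libldap ignores it without complaint, and BINDDN is a user-only option
that only takes effect in ~/.ldaprc, not in the system-wide file.
Added example, not OpenLDAP's parser; the directive sets are a subset of
ldap.conf(5) and the sample files are constructed."""
from typing import Dict, List, Set

# Subset of the directives ldap.conf(5) documents (assumption: extend as needed).
OPENLDAP_DIRECTIVES: Set[str] = {
    "URI", "BASE", "BINDDN", "DEREF", "HOST", "PORT", "NETWORK_TIMEOUT",
    "REFERRALS", "SIZELIMIT", "TIMELIMIT", "TIMEOUT", "SASL_MECH", "SASL_REALM",
    "SASL_AUTHCID", "SASL_AUTHZID", "SASL_SECPROPS", "SASL_NOCANON",
    "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT", "TLS_KEY", "TLS_CIPHER_SUITE",
    "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK", "TLS_CRLFILE",
}
# Marked "user-only" in ldap.conf(5): honoured in ~/.ldaprc, ignored in /etc.
USER_ONLY: Set[str] = {"BINDDN", "SASL_AUTHCID", "SASL_AUTHZID", "TLS_CERT", "TLS_KEY"}
# Look-alike directives that belong to other software's /etc/ldap.conf.
FOREIGN: Dict[str, str] = {
    "BINDPW": "nss_ldap/pam_ldap", "ROOTBINDDN": "nss_ldap/pam_ldap",
    "NSS_BASE_PASSWD": "nss_ldap", "PAM_PASSWORD": "pam_ldap",
}


def check_ldap_conf(text: str, system_wide: bool) -> List[str]:
    """Findings for one ldap.conf; system_wide=True for /etc/(open)ldap/ldap.conf,
    False for a per-user ~/.ldaprc."""
    findings: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0].upper()
        if keyword in FOREIGN:
            findings.append(f"line {n}: {keyword} is a {FOREIGN[keyword]} directive, "
                            "not OpenLDAP's; libldap ignores it silently")
        elif keyword not in OPENLDAP_DIRECTIVES:
            findings.append(f"line {n}: unknown directive {keyword} (ignored)")
        elif system_wide and keyword in USER_ONLY:
            findings.append(f"line {n}: {keyword} is user-only; it only takes effect "
                            "in ~/.ldaprc, not in the system-wide file")
    return findings


# Constructed from the post above: what was tried in the system-wide file.
POSTED_CONF = """\
BASE    dc=ucsd,dc=edu
BINDDN  cn=admin,dc=ucsd,dc=edu
BINDPW  12345
"""

# A system-wide file limited to what libldap honours; the bind identity is
# supplied per user (BINDDN in ~/.ldaprc, the password via 'ldapsearch -y file').
SYSTEM_CONF = """\
URI         ldap://ldap.example.org
BASE        dc=ucsd,dc=edu
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    print("system-wide:", check_ldap_conf(POSTED_CONF, system_wide=True))
    print("~/.ldaprc:  ", check_ldap_conf(POSTED_CONF, system_wide=False))
    print("cleaned:    ", check_ldap_conf(SYSTEM_CONF, system_wide=True) or "ok")
```

Run against the posted file as a system-wide config it reports both BINDDN and BINDPW; as a ~/.ldaprc only BINDPW remains, which matches what the original poster saw (only BASE took effect). The command line in the post keeps working either way because -D and -w never depend on the file; keeping the password out of a world-readable /etc file and passing it from a mode-600 file with -y is the safer equivalent.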