Re: el9 bind ip address
Hi,

in RedHat 7 the file /usr/lib/systemd/system/slapd.service contains:

ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS

In RedHat 9 the file /usr/lib/systemd/system/slapd.service contains:

ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"

So the URLs are directly configured there and not via a variable. The file /etc/sysconfig/slapd doesn't exist.

On 21.05.2024 at 00:10, Marc wrote:

Anyone know if this file is still working in el9? Looks like if I put SLAPD_URLS it is not read. /etc/sysconfig/slapd

That's a question for Red Hat. No one on the OpenLDAP Project has anything to do with that.

Yes, I already reported it (I think); I don't even know where to report for el9 at this bugzilla. Just wondering if I was crazy or others noticed the same.

-- 
Kind regards,
Dirk Kastens
Universitaet Osnabrueck, Rechenzentrum (Computer Center)
Nelson-Mandela-Str. 4, 49076 Osnabrueck, Germany
Tel.: +49-541-969-2347, FAX: -2470
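Since the EL9 unit hard-codes the listener list, the supported way to bind slapd to one address is a systemd drop-in that resets ExecStart rather than editing the file under /usr/lib. The script below is an added example, not something from the thread or from Red Hat; the address 192.0.2.10 and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): on EL9 the listener URLs are
# hard-coded in the packaged unit, so bind slapd to a specific address with a
# systemd drop-in instead of editing /usr/lib/systemd/system/slapd.service.
# The address 192.0.2.10 and the drop-in file name listen.conf are assumptions.

# Write the drop-in. $1 = listen address, $2 = directory for the drop-in
# (defaults to the real location under /etc/systemd/system).
write_slapd_dropin() {
    addr="$1"
    dir="${2:-/etc/systemd/system/slapd.service.d}"
    mkdir -p "$dir"
    # The empty ExecStart= clears the packaged command line; without it systemd
    # rejects a second ExecStart for a non-oneshot service.
    cat > "$dir/listen.conf" <<EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/slapd -u ldap -h "ldap://$addr/ ldaps://$addr/ ldapi:///"
EOF
}

# Return the URL list the drop-in hands to slapd -h, for review before reload.
dropin_urls() {
    sed -n 's/^ExecStart=.* -h "\(.*\)"$/\1/p' "$1/listen.conf"
}

if [ "${1:-}" = "apply" ]; then
    write_slapd_dropin "${2:-192.0.2.10}"
    systemctl daemon-reload
    systemctl restart slapd
    # Confirm the effective command line and the bound sockets.
    systemctl show -p ExecStart slapd
    ss -ltnp | grep -E ':(389|636) '
fi
```

Run it as root with `apply <address>`; ldapi:/// is kept so local tools and SASL/EXTERNAL over the socket keep working, and `systemctl show -p ExecStart slapd` is the quick way to prove the drop-in won over the packaged unit.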
dds overlay on mirrored master
Hi,

I'm running a mirrored master server and several read-only replicas. Now I want to deal with dynamic objects, so I enabled the dds overlay. Because the config is mirrored, the dds-state is TRUE on both master servers. In my syncrepl statement I set schemachecking=off and exattrs=entryTtl,entryExpireTimestamp. The replication of dynamic objects is working.

My question is: will there be a conflict when both master servers are trying to delete expired objects at the same time? What's the best way to configure the dds overlay on a mirrored master?

Thanks in advance.

Dirk
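The thread does not answer the question. What a practitioner can do with the setup described is observe it: because entryExpireTimestamp is excluded from syncrepl by exattrs, each master computes expiry on its own, so listing the dynamic objects on both sides and diffing shows whether they agree. The script below is an added example, not part of Dirk's post; the host names, base DN and bind credentials are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list the dynamicObject entries on each
# mirrored master with their entryExpireTimestamp and report entries that are
# present or timed differently on the two sides. BASE, BINDDN and BINDPW are
# assumptions; ldapsearch is expected to be able to reach both masters.

BASE="${BASE:-dc=example,dc=com}"

# Print "dn<TAB>entryExpireTimestamp" for every dynamicObject on server $1.
# entryExpireTimestamp is operational, so it has to be requested explicitly.
# Base64-encoded DNs ("dn::") are not decoded here.
dynamic_objects() {
    ldapsearch -LLL -o ldif-wrap=no -H "ldap://$1/" -x -D "$BINDDN" -w "$BINDPW" \
        -b "$BASE" '(objectClass=dynamicObject)' entryExpireTimestamp |
    awk -F': ' '
        $1 == "dn"                   { dn = $2 }
        $1 == "entryExpireTimestamp" { print dn "\t" $2 }
    ' | sort
}

# Compare the two masters. Lines marked < are only on / differ on the first,
# > on the second. Returns 0 when both lists are identical.
compare_masters() {
    t1=$(mktemp); t2=$(mktemp)
    dynamic_objects "$1" > "$t1"
    dynamic_objects "$2" > "$t2"
    diff "$t1" "$t2"; rc=$?
    rm -f "$t1" "$t2"
    return $rc
}

if [ "${1:-}" = "run" ]; then
    compare_masters "${2:?first master}" "${3:?second master}" && echo "masters agree"
fi
```

A differing timestamp for the same DN means the two masters will not expire that entry at the same moment, which is exactly the window the question is about; an entry on one side only shows one master has already deleted it.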
Re: How to move from hdb to mdb
Hi,

Do you know a good policy for incremental backup? I mean I only have 1 user now, but in the future it will really get bigger and I hate to dump the whole database every night.

Why not? I'm dumping our directory with 70.000 entries using slapcat every night in less than a minute.

Dirk
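A nightly full dump along the lines Dirk describes, as an added example (not from the thread): slapcat to a timestamped file, compress and verify it, and rotate old copies. The backup directory, database number and retention period are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): nightly full dump with slapcat, compressed,
# integrity-checked and rotated. BACKUP_DIR, the database number and KEEP_DAYS
# are assumptions. slapcat reads the database files directly, so run it as the
# user owning them (ldap on EL) or as root; the dump contains password hashes,
# so the directory and files are created with a 077 umask.

BACKUP_DIR="${BACKUP_DIR:-/var/backups/ldap}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Dump database $1 (its index in cn=config, default 1) to a timestamped,
# gzip-compressed LDIF. Prints the path of the finished file.
dump_db() {
    dbnum="${1:-1}"
    umask 077
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/slapcat-$(date +%Y%m%d-%H%M%S).ldif.gz"
    # Work under a temporary name so an aborted run never leaves a truncated
    # file under the final name.
    slapcat -n "$dbnum" -l "$out.part" || return 1
    gzip -9 "$out.part" || return 1
    gzip -t "$out.part.gz" || return 1
    mv "$out.part.gz" "$out" || return 1
    printf '%s\n' "$out"
}

# Count entries in a dump: every entry in slapcat output starts with "dn:".
entry_count() {
    gzip -dc "$1" | grep -c '^dn:'
}

# Remove dumps older than KEEP_DAYS.
rotate() {
    find "$BACKUP_DIR" -name 'slapcat-*.ldif.gz' -type f -mtime +"$KEEP_DAYS" -delete
}

if [ "${1:-}" = "run" ]; then
    f=$(dump_db "${2:-1}") || exit 1
    echo "$f: $(entry_count "$f") entries"
    rotate
fi
```

Logging the entry count each night is the cheap sanity check: a dump that is suddenly much smaller than yesterday's is the first sign that something went wrong before you need the backup.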
Re: slapd-meta
Hi,

does the admin account exist on the meta directory server and does it have the correct access rights?

ldapsearch -D "cn=admin,dc=server1,dc=" -w XXX -p 389 -h ldap.server0. -b "ou=users,dc=server1,dc=" -s sub "(uid=john)"

Dirk
Re: slapd-meta
Hi,

dn: olcDatabase={3}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {3}meta
olcSuffix: dc=loc1,dc=root
olcSuffix: dc=loc2,dc=root
olcSuffix: dc=loc3,dc=root

I've never used the meta backend, but the above doesn't look valid to me (multiple suffixes). The man page shows a single suffix, with URI directives for additional representations of the DB.

Indeed, you can only have one olcSuffix. This is the suffix under which your source URIs will be presented.

I'm running a meta backend with the following configuration: I have two source servers, first and second. Both have a subtree ou=people,dc=mydomain. The trees are combined on the meta server under the new suffix ou=newsuffix,dc=mydomain as ou=apeople and ou=bpeople.

dn: olcDatabase={1}meta,cn=config
olcDatabase: {1}meta
olcSuffix: ou=newsuffix,dc=mydomain
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig

dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config
olcDbURI: "ldap://first.source.server/ou=apeople,ou=newsuffix,dc=mydomain";
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbRewrite: {0}suffixmassage "ou=apeople,ou=newsuffix,dc=mydomain" "ou=people,dc=mydomain"
olcDbIDAssertBind: mode=none flags=override,prescriptive,proxy-authz-critical bindmethod=simple binddn="cn=myadmin" credentials="secret" starttls=yes tls_cert="/etc/openldap/certs/mycert.pem" tls_key="/etc/openldap/certs/mycert.key" tls_cacert="/etc/openldap/cacerts/cacerts.pem" tls_cacertdir="/etc/openldap/cacerts" tls_reqcert=demand

dn: olcMetaSub={1}uri,olcDatabase={1}meta,cn=config
olcDbURI: "ldap://second.source.server/ou=bpeople,ou=newsuffix,dc=mydomain";
objectClass: olcMetaTargetConfig
olcMetaSub: {1}uri
olcDbRewrite: {0}suffixmassage "ou=bpeople,ou=newsuffix,dc=mydomain" "ou=people,dc=mydomain"
olcDbIDAssertBind: mode=none flags=override,prescriptive,proxy-authz-critical bindmethod=simple binddn="cn=myadmin" credentials="secret" starttls=yes tls_cert="/etc/openldap/certs/mycert.pem" tls_key="/etc/openldap/certs/mycert.key" tls_cacert="/etc/openldap/cacerts/cacerts.pem" tls_cacertdir="/etc/openldap/cacerts" tls_reqcert=demand

Hope this helps.

Dirk
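A check for the mapping the configuration above sets up, added here as an example that is not part of the thread: the same uid is searched once through the proxy below each massaged branch and once directly at the source below ou=people,dc=mydomain, and the counts must match. The proxy host name, the uid and the bind credentials are assumptions; the suffix and branch names are the ones from the posted config.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the meta backend presents
# each source server's ou=people under its own branch of ou=newsuffix,dc=mydomain.
# META (the proxy URI), BINDDN/BINDPW and the uid are assumptions.

META="${META:-ldap://meta.server/}"

# Number of entries with uid $3 below base $2 on server $1 ("1.1" requests no
# attributes, only DNs). Prints 0 when nothing is found or the search fails.
count_uid() {
    ldapsearch -LLL -x -H "$1" -D "$BINDDN" -w "$BINDPW" -b "$2" "(uid=$3)" 1.1 |
        grep -c '^dn:' || :
}

# Compare branch $1 seen through the proxy with source server $2 for uid $3.
# The suffixmassage rewrite is what makes the two bases refer to the same data.
check_branch() {
    via_meta=$(count_uid "$META" "$1,ou=newsuffix,dc=mydomain" "$3")
    direct=$(count_uid "$2" "ou=people,dc=mydomain" "$3")
    if [ "$via_meta" -eq "$direct" ] && [ "$direct" -gt 0 ]; then
        echo "$1: ok ($direct entry via proxy and source)"
        return 0
    fi
    echo "$1: MISMATCH proxy=$via_meta source=$direct"
    return 1
}

if [ "${1:-}" = "run" ]; then
    uid="${2:?uid to look up}"
    rc=0
    check_branch ou=apeople ldap://first.source.server/ "$uid" || rc=1
    check_branch ou=bpeople ldap://second.source.server/ "$uid" || rc=1
    exit $rc
fi
```

A proxy count of 0 with a source count above 0 is the symptom the earlier reply in this thread asks about: the bind identity is fine at the source but either does not exist on the meta server or lacks read access there.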
Re: DB_LOG_AUTOREMOVE fails to suppress the log files
Hi,

I am running the same package version openldap-2.4.40-6.el6_7.x86_64 as you do. I've double-checked /etc/openldap/slapd.d//olcDatabase={2}bdb.ldif; olcDbCheckpoint: 1024 15 has already been defined in that file, and I did restart slapd, but the log files are still growing. What else could I still be missing?

How big is your db? I've set the logsize to 100 MB and only the last two files are kept.

Install the db4-utils and run the command db_archive. This will show you the logfiles that are no longer used. "db_archive -d" will delete the unused logfiles. But this should be done by slapd automatically.

Dirk
Re: DB_LOG_AUTOREMOVE fails to suppress the log files
Hi,

I am running openldap servers 2.4.40 with bdb on CentOS 6

1) Do not use the broken build from RHEL. See the LTB project or the Symas builds, as noted on this list numerous times for current OpenLDAP builds.

I'm running openldap-2.4.40-6.el6_7.x86_64 on Scientific Linux 6.7. Autoremove works as expected. As Quanah asked: did you define a checkpoint?

Regards,
Dirk
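Both of Dirk's replies in this thread come down to two checks: is a checkpoint configured on the bdb database, and does db_archive think any log files are unused. The script below puts them together as an added example (not from the thread); the database index, the database directory and access to cn=config over ldapi:/// are assumptions, and db_archive comes from db4-utils as mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread): check the bdb checkpoint setting in
# cn=config and list transaction logs that BDB no longer needs. DBDIR, the
# olcDatabase index and root access over ldapi:/// are assumptions.

DBDIR="${DBDIR:-/var/lib/ldap}"

# Print the olcDbCheckpoint value ("<kbyte> <min>") of olcDatabase={$1}bdb, or
# nothing if it is unset. BDB only treats a log file as archivable once a
# checkpoint newer than the transactions in it exists; without a checkpoint
# directive slapd never writes one, so DB_LOG_AUTOREMOVE has nothing to remove.
checkpoint_setting() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// \
        -b "olcDatabase={$1}bdb,cn=config" -s base olcDbCheckpoint |
    sed -n 's/^olcDbCheckpoint: //p'
}

# Log files db_archive reports as no longer in use; "db_archive -d" would
# delete exactly these.
unused_logs() {
    db_archive -h "$DBDIR"
}

# Summarise both checks. Returns 0 only if a checkpoint is set and no stale
# log files remain, which is the state autoremove should keep you in.
report() {
    idx="${1:-2}"
    cp=$(checkpoint_setting "$idx")
    if [ -z "$cp" ]; then
        echo "olcDatabase={$idx}bdb: no olcDbCheckpoint set; logs will never be archived"
        return 1
    fi
    echo "olcDatabase={$idx}bdb: checkpoint $cp"
    n=$(unused_logs | wc -l)
    echo "$n unused log file(s) in $DBDIR"
    [ "$n" -eq 0 ]
}

if [ "${1:-}" = "run" ]; then
    report "${2:-2}"
fi
```

If the checkpoint is set and db_archive still lists files, the leftover logs predate the checkpoint directive and a one-off `db_archive -d -h /var/lib/ldap` (with slapd stopped, or at least quiescent) clears them; if it keeps listing new files afterwards, autoremove itself is not working in that build.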
Re: SASL/EXTERNAL not available
Hi Frank,

if you want SASL to work, you need to have the cyrus-sasl libraries installed. And slapd has to be compiled with SASL support:

# rpm -qa | grep sasl
cyrus-sasl-lib-2.1.23-8.el6.x86_64
cyrus-sasl-2.1.23-8.el6.x86_64
cyrus-sasl-plain-2.1.23-8.el6.x86_64
# ldd /usr/sbin/slapd
...
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x7f8152dbb000)
...

I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use client-side certificates via the SASL/EXTERNAL mechanism. I have successfully configured server-side certs with TLS and was wanting to expand my configuration on the client side. If I set the TLSClientVerify to "allow" or "try" and attempt to use "-Y EXTERNAL", I get the following message:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL (-4): no mechanism available:

If I do a search on the DSE, I get the following available methods:

dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN

I know that other people are using this but nobody (here at work) knows why my particular configuration is getting this error. Can anyone help me figure this out?

Regards,
Dirk Kastens
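The two checks Dirk lists, followed by the client-certificate bind itself, as an added example that is not part of the thread. One detail worth knowing when reading the root DSE output quoted above: slapd only advertises EXTERNAL on a connection that already carries an external identity (a verified TLS client certificate, or peer credentials on ldapi://), so a plain anonymous root-DSE query will never show it. The server-side directive that asks the client for a certificate is TLSVerifyClient (try, allow or demand). The server URI and the certificate paths below are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check that slapd links libsasl2, read
# the SASL mechanisms the server offers on a TLS connection that presents a
# client certificate, and bind with SASL/EXTERNAL. SERVER, CLIENT_CERT and
# CLIENT_KEY are assumptions.

SERVER="${SERVER:-ldap://ldap.example.com/}"
CLIENT_CERT="${CLIENT_CERT:-/etc/openldap/certs/client.pem}"
CLIENT_KEY="${CLIENT_KEY:-/etc/openldap/certs/client.key}"

# 1. Is the slapd binary linked against the Cyrus SASL library?
slapd_has_sasl() {
    ldd /usr/sbin/slapd | grep -q 'libsasl2\.so'
}

# 2. Mechanisms advertised on a StartTLS (-ZZ) connection that presents the
#    client certificate. EXTERNAL is listed only when the server verified a
#    client certificate on this connection, so TLSVerifyClient must not be
#    "never" and the issuing CA must be in the server's TLSCACertificateFile.
sasl_mechs() {
    LDAPTLS_CERT="$CLIENT_CERT" LDAPTLS_KEY="$CLIENT_KEY" \
    ldapsearch -LLL -x -ZZ -H "$SERVER" -b '' -s base supportedSASLMechanisms |
    sed -n 's/^supportedSASLMechanisms: //p'
}

# 3. True if EXTERNAL is among them.
has_external() {
    sasl_mechs | grep -qx EXTERNAL
}

# 4. Bind with the certificate; the output is the DN slapd derived from the
#    certificate subject (or an authz-regexp mapping of it).
whoami_external() {
    LDAPTLS_CERT="$CLIENT_CERT" LDAPTLS_KEY="$CLIENT_KEY" \
    ldapwhoami -ZZ -Y EXTERNAL -H "$SERVER"
}

if [ "${1:-}" = "run" ]; then
    slapd_has_sasl || { echo "slapd is not linked against libsasl2"; exit 1; }
    has_external || { echo "server does not offer EXTERNAL on this connection:"; sasl_mechs; exit 1; }
    whoami_external
fi
```

If step 3 fails while the certificate is valid, the usual causes are the server not requesting a certificate (TLSVerifyClient never) or the CA not being trusted by slapd, both of which are visible in the slapd log at loglevel -1 during the handshake.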
Re: Antw: Re: external authentication source
Hi Ulrich,

Thanks for the hint, but I fail to use it: First it seems I cannot use it in olcSecurity (as I can use update_ssf), and then I fail to set it at the database level.

It's a global option. Just set it as an attribute of cn=config.

dn: cn=config
olcLocalSSF: 256

Then use ldapsearch without TLS. This should work.

Regards,
Dirk
Re: Antw: Re: external authentication source
Hi,

So this does not answer my question of how to cover the ldapi:// URI. Or maybe there's an easier way to override the "confidentiality required" for ldapi://?

You failed to read the essential part of my message, namely: "ldapwhoami -Y EXTERNAL -H ldapi://" (For a normal ldap: connection I have no problems with the settings)

Have a look at the global option localSSF (or olcLocalSSF). Set this to the value that is required for your slapd, for example 256.

Regards,
Dirk
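The change from both of Dirk's replies, applied and checked end to end, as an added example that is not part of the thread: the LDIF sets olcLocalSSF on cn=config so that a connection over ldapi:// is credited with that SSF and passes a "confidentiality required" check without TLS, and the ldapwhoami from the thread is the test. The value 256 is the one suggested above; the socket URI is the package default and an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): set the global olcLocalSSF on cn=config
# over ldapi://, read it back, and bind with SASL/EXTERNAL over the socket.
# SOCK_URI is an assumption; run as root so the peer credentials map to the
# DN the default cn=config ACL on EL grants manage access to.

SOCK_URI="${SOCK_URI:-ldapi:///}"

# LDIF that sets the global localSSF. Kept in a function so it can be printed
# and reviewed before it is applied. olcLocalSSF is a global option, so the
# target is cn=config itself, not a database entry.
local_ssf_ldif() {   # $1 = ssf value, e.g. 256
    printf 'dn: cn=config\nchangetype: modify\nreplace: olcLocalSSF\nolcLocalSSF: %s\n' "$1"
}

# Apply it over the socket with SASL/EXTERNAL (peer uid/gid of the caller).
set_local_ssf() {
    local_ssf_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H "$SOCK_URI"
}

# Current value, or empty if it was never set.
get_local_ssf() {
    ldapsearch -LLL -Q -Y EXTERNAL -H "$SOCK_URI" -b cn=config -s base olcLocalSSF |
    sed -n 's/^olcLocalSSF: //p'
}

# The check from the thread: an EXTERNAL bind over ldapi:// without TLS. With
# olcSecurity ssf=256 in place this fails before the change and succeeds after.
whoami_ldapi() {
    ldapwhoami -Q -Y EXTERNAL -H "$SOCK_URI"
}

if [ "${1:-}" = "apply" ]; then
    set_local_ssf "${2:-256}"
    echo "olcLocalSSF is now $(get_local_ssf)"
    whoami_ldapi
fi
```

localSSF only asserts a strength for local sockets; it does not encrypt anything, so it should match the protection the socket actually has (file-system permissions on the socket path, typically restricted to root and the ldap user) rather than simply the largest number that makes the ACL pass.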