Re: adding VLV support to OpenLDAP 2.4.31

2014-12-09 Thread Igor Shmukler
Hello,
I want to thank everyone who reads this mailing list and especially
those who provided advice, which helped me to finally configure my
server.
You are amazing.
Thank you



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Howard Chu

Igor Shmukler wrote:

> Oops. The module is loaded. My bad. Forgot sudo. I just need to figure
> out how to connect to the server.
> When I use ~$ ldapsearch -h 81.91.108.76 -D "cn=admin, dc=test,dc=com"
> -W -b dc=test,dc=com -E vlv=1/1:1
> I get an error: VLV control requires server side sort control


There's nothing wrong with the server. You just need to specify a sort 
control, as required by the VLV specification.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
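
Added example (not code from this thread or from the OpenLDAP project): the two request controls a VLV search has to carry, BER-encoded in Python, with a client-side check that refuses to send VLV without a sort key. The function names are hypothetical; the VLV option syntax follows the vlv=1/1:1 form used above, and with ldapsearch the sort control is supplied by an additional -E sss=<attr> extension.

```python
# Added example: build the server-side-sort and VLV request controls by hand.
SSS_OID = "1.2.840.113556.1.4.473"   # server-side sort request (RFC 2891)
VLV_OID = "2.16.840.1.113730.3.4.9"  # virtual list view request


def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def sort_control_value(keys):
    """keys: list of (attribute, reverse). SortKeyList ::= SEQUENCE OF SEQUENCE."""
    items = b""
    for attr, reverse in keys:
        key = tlv(0x04, attr.encode("ascii"))      # attributeType
        if reverse:
            key += tlv(0x81, b"\xff")              # reverseOrder [1] BOOLEAN TRUE
        items += tlv(0x30, key)
    return tlv(0x30, items)


def vlv_control_value(before, after, offset=None, count=0, value=None):
    """Target is either byOffset [0] {offset, contentCount} or greaterThanOrEqual [1]."""
    if value is not None:
        target = tlv(0x81, value)
    else:
        target = tlv(0xA0, ber_int(offset) + ber_int(count))
    return tlv(0x30, ber_int(before) + ber_int(after) + target)


def parse_vlv_option(opt):
    """Parse '<before>/<after>:<value>' or '<before>/<after>/<offset>/<count>'."""
    head, sep, value = opt.partition(":")
    parts = [int(p) for p in head.split("/")]
    if sep:
        if len(parts) != 2:
            raise ValueError("expected <before>/<after>:<value>")
        return {"before": parts[0], "after": parts[1], "value": value.encode()}
    if len(parts) != 4:
        raise ValueError("expected <before>/<after>/<offset>/<count>")
    return {"before": parts[0], "after": parts[1],
            "offset": parts[2], "count": parts[3]}


def build_controls(vlv_opt, sort_keys):
    """Return [(oid, criticality, value)] with the sort control ahead of VLV.

    Criticality False is a choice made for this example.
    """
    if not sort_keys:
        # Same condition the server reported in the message above.
        raise ValueError("VLV control requires server side sort control")
    return [
        (SSS_OID, False, sort_control_value(sort_keys)),
        (VLV_OID, False, vlv_control_value(**parse_vlv_option(vlv_opt))),
    ]


if __name__ == "__main__":
    for oid, critical, value in build_controls("1/1:1", [("cn", False)]):
        print(oid, critical, value.hex())
```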



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Igor Shmukler
Oops. The module is loaded. My bad. Forgot sudo. I just need to figure
out how to connect to the server.
When I use ~$ ldapsearch -h 81.91.108.76 -D "cn=admin, dc=test,dc=com"
-W -b dc=test,dc=com -E vlv=1/1:1
I get an error: VLV control requires server side sort control

On Thu, Nov 13, 2014 at 4:23 PM, Igor Shmukler  wrote:
> Hello,
>
> Well, I sort of jumped the gun on worked. The script worked fine. No
> errors. However, the sssvlv is unable. I did lsof and the module is
> not loaded. Just in case, I restarted slapd(8), but that did not help.
>
> What can this mean? How does one go about this?
>
> Sincerely,
>
> Igor Shmukler
>
>
> On Thu, Nov 13, 2014 at 4:10 PM, Igor Shmukler  
> wrote:
>> Hello Feri,
>>
>> Yes. This worked. Thank you. I cannot even express how grateful I am
>> for your help. Well, everyone's really. Yet, you actually managed to
>> solve my problem.
>> You are the man.
>>
>> Thank you again,
>>
>> Igor Shmukler
>>
>>
>> On Thu, Nov 13, 2014 at 4:07 PM, Ferenc Wagner  wrote:
>>> Igor Shmukler  writes:
>>>
>>>> reinstalled Ubuntu from scratch I personally installed and configured
>>>> OpenLDAP server. I was able to add users and groups. Yet, I am again
>>>> unable to add sssvlv support.
>>>> [...]
>>>> As per Marc's suggestion, I am attaching the output of slapcat(8).
>>>> [...]
>>>> My sssvlv.ldif is below:
>>>> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
>>>> objectClass: olcSssVlvConfig
>>>> olcOverlay: sssvlv
>>>> olcSssVlvMax: 10
>>>> olcSssVlvMaxKeys: 5
>>>
>>> Write this into sssvlv.ldif:
>>>
>>> dn: cn=module{0}, cn=config
>>> changetype: modify
>>> add: olcModuleLoad
>>> olcModuleLoad: sssvlv.la
>>>
>>> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
>>> changetype: add
>>> objectClass: olcSssVlvConfig
>>> olcSssVlvMax: 10
>>> olcSssVlvMaxKeys: 5
>>>
>>> Then load it into a running slapd as root:
>>>
>>> # ldapmodify -Y external -H ldapi:/// -f sssvlv.ldif
>>>
>>> No need to touch passwords or anything else.
>>> --
>>> Good luck,
>>> Feri.



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Igor Shmukler
Hello,

Well, I sort of jumped the gun on worked. The script worked fine. No
errors. However, the sssvlv is unable. I did lsof and the module is
not loaded. Just in case, I restarted slapd(8), but that did not help.

What can this mean? How does one go about this?

Sincerely,

Igor Shmukler


On Thu, Nov 13, 2014 at 4:10 PM, Igor Shmukler  wrote:
> Hello Feri,
>
> Yes. This worked. Thank you. I cannot even express how grateful I am
> for your help. Well, everyone's really. Yet, you actually managed to
> solve my problem.
> You are the man.
>
> Thank you again,
>
> Igor Shmukler
>
>
> On Thu, Nov 13, 2014 at 4:07 PM, Ferenc Wagner  wrote:
>> Igor Shmukler  writes:
>>
>>> reinstalled Ubuntu from scratch I personally installed and configured
>>> OpenLDAP server. I was able to add users and groups. Yet, I am again
>>> unable to add sssvlv support.
>>> [...]
>>> As per Marc's suggestion, I am attaching the output of slapcat(8).
>>> [...]
>>> My sssvlv.ldif is below:
>>> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
>>> objectClass: olcSssVlvConfig
>>> olcOverlay: sssvlv
>>> olcSssVlvMax: 10
>>> olcSssVlvMaxKeys: 5
>>
>> Write this into sssvlv.ldif:
>>
>> dn: cn=module{0}, cn=config
>> changetype: modify
>> add: olcModuleLoad
>> olcModuleLoad: sssvlv.la
>>
>> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
>> changetype: add
>> objectClass: olcSssVlvConfig
>> olcSssVlvMax: 10
>> olcSssVlvMaxKeys: 5
>>
>> Then load it into a running slapd as root:
>>
>> # ldapmodify -Y external -H ldapi:/// -f sssvlv.ldif
>>
>> No need to touch passwords or anything else.
>> --
>> Good luck,
>> Feri.



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Igor Shmukler
Hello Feri,

Yes. This worked. Thank you. I cannot even express how grateful I am
for your help. Well, everyone's really. Yet, you actually managed to
solve my problem.
You are the man.

Thank you again,

Igor Shmukler


On Thu, Nov 13, 2014 at 4:07 PM, Ferenc Wagner  wrote:
> Igor Shmukler  writes:
>
>> reinstalled Ubuntu from scratch I personally installed and configured
>> OpenLDAP server. I was able to add users and groups. Yet, I am again
>> unable to add sssvlv support.
>> [...]
>> As per Marc's suggestion, I am attaching the output of slapcat(8).
>> [...]
>> My sssvlv.ldif is below:
>> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
>> objectClass: olcSssVlvConfig
>> olcOverlay: sssvlv
>> olcSssVlvMax: 10
>> olcSssVlvMaxKeys: 5
>
> Write this into sssvlv.ldif:
>
> dn: cn=module{0}, cn=config
> changetype: modify
> add: olcModuleLoad
> olcModuleLoad: sssvlv.la
>
> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
> changetype: add
> objectClass: olcSssVlvConfig
> olcSssVlvMax: 10
> olcSssVlvMaxKeys: 5
>
> Then load it into a running slapd as root:
>
> # ldapmodify -Y external -H ldapi:/// -f sssvlv.ldif
>
> No need to touch passwords or anything else.
> --
> Good luck,
> Feri.



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Ferenc Wagner
Igor Shmukler  writes:

> reinstalled Ubuntu from scratch I personally installed and configured
> OpenLDAP server. I was able to add users and groups. Yet, I am again
> unable to add sssvlv support.
> [...]
> As per Marc's suggestion, I am attaching the output of slapcat(8).
> [...]
> My sssvlv.ldif is below:
> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
> objectClass: olcSssVlvConfig
> olcOverlay: sssvlv
> olcSssVlvMax: 10
> olcSssVlvMaxKeys: 5

Write this into sssvlv.ldif:

dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: sssvlv.la

dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcSssVlvConfig
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5

Then load it into a running slapd as root:

# ldapmodify -Y external -H ldapi:/// -f sssvlv.ldif

No need to touch passwords or anything else.
-- 
Good luck,
Feri.



RE: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Chris Card


Hi Igor
> I have a question regarding the line:
> olcRootPW: secret
>
> Should secret be used literally (as in secret), or do I put a password
> hash there?
>

If you put "secret" in there, then the password is "secret", but you can put a 
password hash generated with slappasswd in there.
I was just trying to get you going ...

Chris 
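
Added example (not from any poster in this thread): what a salted {SSHA} value of the kind slappasswd produces looks like, how it is verified, and a scan of exported config LDIF that reports whether each olcRootPW is cleartext or hashed. The function names, the 4-byte salt default and the sample LDIF are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re


def ssha_hash(password, salt=None):
    """{SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # salt length is a choice made for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_rootpw(ldif_text):
    """Return [(dn, scheme)] for every olcRootPW; scheme is 'CLEARTEXT' if none."""
    text = re.sub(r"\r?\n ", "", ldif_text)     # unfold continuation lines
    findings, dn = [], None
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        key = name.strip().lower()
        if key == "dn":
            dn = value
        elif key == "olcrootpw":
            m = re.match(r"\{([A-Za-z0-9_-]+)\}", value)
            scheme = m.group(1).upper() if m else "CLEARTEXT"
            findings.append((dn, scheme))
    return findings


# Constructed sample: the first entry mirrors the "olcRootPW: secret" edit
# quoted above, the second carries a hashed value in base64 LDIF form.
SAMPLE_LDIF = (
    "dn: olcDatabase={0}config,cn=config\n"
    "olcRootDN: cn=config\n"
    "olcRootPW: secret\n"
    "\n"
    "dn: olcDatabase={1}hdb,cn=config\n"
    "olcRootDN: cn=admin,dc=test,dc=com\n"
    "olcRootPW:: "
    + base64.b64encode(
        ssha_hash("constructed-password", b"\x00\x01\x02\x03").encode("ascii")
    ).decode("ascii")
    + "\n"
)

if __name__ == "__main__":
    for dn, scheme in audit_rootpw(SAMPLE_LDIF):
        print(f"{dn}: {scheme}")
```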


Re: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Igor Shmukler
Hi Chris,

Thank you for your continued help. I appreciate it very much.

I have a question regarding the line:
olcRootPW: secret

Should secret be used literally (as in secret), or do I put a password
hash there?

Sincerely,

Igor Shmukler


On Thu, Nov 13, 2014 at 3:18 PM, Chris Card  wrote:
> Hi Igor,
>
> 
>> Date: Thu, 13 Nov 2014 14:45:23 +0200
>> Subject: Re: adding VLV support to OpenLDAP 2.4.31
>> From: igor.shmuk...@gmail.com
>> To: openldap-technical@openldap.org
>> CC: ctc...@hotmail.com; hans.mo...@ofd-z.niedersachsen.de; 
>> andrew.find...@skills-1st.co.uk
>>
>> Hello Andrew, Chris, Marc and everyone,
>>
>> Our system administrator accidentally blew the machine away, then
>> reinstalled Ubuntu from scratch. I personally installed and configured
>> OpenLDAP server. I was able to add users and groups. Yet, I am again
>> unable to add sssvlv support.
>>
>> If I run the script as cn=admin,dc=test,dc=com, I get the below error.
>> vq@vq-HVM-domU:~$ ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f sssvlv.ldif
>> Enter LDAP Password:
>> adding new entry "olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config"
>> ldap_add: Invalid syntax (21)
>> additional info: objectClass: value #0 invalid per syntax
>>
>> Running it as cn=config gives me another error:
>> vq@vq-HVM-domU:~$ ldapadd -x -D cn=config -W -f sssvlv.ldif
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>>
>> There is a change, though. I see "olcRootDN: cn=admin,dc=test,dc=com
>> and olcRootPW" when I do slapcat. I did not see those before.
>>
>> As per Marc's suggestion, I am attaching the output of slapcat(8).
>> While I learned a bit about OpenLDAP configuration, my "skills" are
>> clearly insufficient to figure out how to add sssvlv support.
>>
>> My sssvlv.ldif is below:
>> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
>> objectClass: olcSssVlvConfig
>> olcOverlay: sssvlv
>> olcSssVlvMax: 10
>> olcSssVlvMaxKeys: 5
>>
> Edit your slapcat output and find this part:
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>  ,cn=auth manage by * break
> structuralObjectClass: olcDatabaseConfig
> entryUUID: fb40d480-ff68-1033-8514-977390a9c614
> creatorsName: cn=config
> createTimestamp: 20141113101004Z
> entryCSN: 20141113101004.425496Z#00#000#00
> modifiersName: cn=config
> modifyTimestamp: 20141113101004Z
>
> Change it to
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
>  ,cn=auth manage by * break
> olcRootDN: cn=config
> olcRootPW: secret
> structuralObjectClass: olcDatabaseConfig
> entryUUID: fb40d480-ff68-1033-8514-977390a9c614
> creatorsName: cn=config
> createTimestamp: 20141113101004Z
> entryCSN: 20141113101004.425496Z#00#000#00
> modifiersName: cn=config
> modifyTimestamp: 20141113101004Z
>
> Stop slapd, and apply new config with
>
>    slapadd -F /slapd.d -l  -b cn=config
>
> Start slapd, and then you should be able to do
>
>    ldapadd -x -w secret -D cn=config -f sssvlv.ldif
>
> Chris
>
>



RE: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Chris Card
Hi Igor,


> Date: Thu, 13 Nov 2014 14:45:23 +0200
> Subject: Re: adding VLV support to OpenLDAP 2.4.31
> From: igor.shmuk...@gmail.com
> To: openldap-technical@openldap.org
> CC: ctc...@hotmail.com; hans.mo...@ofd-z.niedersachsen.de; 
> andrew.find...@skills-1st.co.uk
>
> Hello Andrew, Chris, Marc and everyone,
>
> Our system administrator accidentally blew the machine away, then
> reinstalled Ubuntu from scratch. I personally installed and configured
> OpenLDAP server. I was able to add users and groups. Yet, I am again
> unable to add sssvlv support.
>
> If I run the script as cn=admin,dc=test,dc=com, I get the below error.
> vq@vq-HVM-domU:~$ ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f sssvlv.ldif
> Enter LDAP Password:
> adding new entry "olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config"
> ldap_add: Invalid syntax (21)
> additional info: objectClass: value #0 invalid per syntax
>
> Running it as cn=config gives me another error:
> vq@vq-HVM-domU:~$ ldapadd -x -D cn=config -W -f sssvlv.ldif
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> There is a change, though. I see "olcRootDN: cn=admin,dc=test,dc=com
> and olcRootPW" when I do slapcat. I did not see those before.
>
> As per Marc's suggestion, I am attaching the output of slapcat(8).
> While I learned a bit about OpenLDAP configuration, my "skills" are
> clearly insufficient to figure out how to add sssvlv support.
>
> My sssvlv.ldif is below:
> dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
> objectClass: olcSssVlvConfig
> olcOverlay: sssvlv
> olcSssVlvMax: 10
> olcSssVlvMaxKeys: 5
>
Edit your slapcat output and find this part:

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: fb40d480-ff68-1033-8514-977390a9c614
creatorsName: cn=config
createTimestamp: 20141113101004Z
entryCSN: 20141113101004.425496Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20141113101004Z

Change it to

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcRootDN: cn=config
olcRootPW: secret
structuralObjectClass: olcDatabaseConfig
entryUUID: fb40d480-ff68-1033-8514-977390a9c614
creatorsName: cn=config
createTimestamp: 20141113101004Z
entryCSN: 20141113101004.425496Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20141113101004Z

Stop slapd, and apply new config with 

   slapadd -F /slapd.d -l  -b cn=config

Start slapd, and then you should be able to do

   ldapadd -x -w secret -D cn=config -f sssvlv.ldif

Chris

  


Re: adding VLV support to OpenLDAP 2.4.31

2014-11-13 Thread Igor Shmukler
Hello Andrew, Chris, Marc and everyone,

Our system administrator accidentally blew the machine away, then
reinstalled Ubuntu from scratch. I personally installed and configured
OpenLDAP server. I was able to add users and groups. Yet, I am again
unable to add sssvlv support.

If I run the script as cn=admin,dc=test,dc=com, I get the below error.
vq@vq-HVM-domU:~$ ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f sssvlv.ldif
Enter LDAP Password:
adding new entry "olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax

Running it as cn=config gives me another error:
vq@vq-HVM-domU:~$ ldapadd -x -D cn=config -W -f sssvlv.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

There is a change, though. I see "olcRootDN: cn=admin,dc=test,dc=com
and olcRootPW" when I do slapcat. I did not see those before.

As per Marc's suggestion, I am attaching the output of slapcat(8).
While I learned a bit about OpenLDAP configuration, my "skills" are
clearly insufficient to figure out how to add sssvlv support.

My sssvlv.ldif is below:
dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5

It was composed by Chris, as yours truly has no clue what needs to go there.

Please advise. I am totally stumbled.

Thank you,

Igor Shmukler

On Wed, Nov 12, 2014 at 7:41 PM, Quanah Gibson-Mount  wrote:
>
>
> --On November 12, 2014 at 6:23:53 PM +0100 Marc Patermann
>  wrote:
>
>
>> You can change the exported config or post it here, if you have not
>> before. This may tell you/us how to authorize to slapd with ldapadd to
>> modify the config online.
>
>
> Ubuntu already documents how to authorize to the config db, and I already
> provided a URL to the Ubuntu documentation.  Here's the link again:
>
> 
>
> which clearly provides an example of how to bind to the root database via
> ldapsearch (which can logically be extended to ldapmodify, ldapadd, etc).
>
>
> --Quanah
>
>
>
> --
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc
> 
> Zimbra ::  the leader in open source messaging and collaboration
>
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: fb40c3be-ff68-1033-8512-977390a9c614
creatorsName: cn=config
createTimestamp: 20141113101004Z
entryCSN: 20141113101004.424994Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20141113101004Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
structuralObjectClass: olcModuleList
entryUUID: fb416576-ff68-1033-851a-977390a9c614
creatorsName: cn=config
createTimestamp: 20141113101004Z
entryCSN: 20141113101004.429207Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20141113101004Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: fb40d9e4-ff68-1033-8515-977390a9c614
creatorsName: cn=config
createTimestamp: 20141113101004Z
entryCSN: 20141113101004.425634Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20141113101004Z

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: kno
 wledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
 1.15{32768} )
olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (f
 amily) name(s) for which the entity is known by' SUP name )
olcAttributeTypes: {2}( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial numb
 er of the entity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
olcAttributeTypes: {3}( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC2256: ISO-
 3166 country 2-letter code' SUP name SINGLE-VALUE )
olcAttributeTypes: {4}( 2.5.4.7 NAME ( 'l' 'localityName' ) DESC 'RFC2256: loc
 ality which this object resides in' SUP name )
olcAttributeTypes: {5}( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) DESC 'RFC2
 256: state or province which this object resides in' SUP name )
olcAttributeTypes: {6}( 2.5.4.9 NAME ( 'street' 'streetAddress' ) DESC 'RFC225
 6: street address of this object' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreS
 ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {7}( 2.5.4.10 NAME ( 'o' 'organizationName' ) DESC 'RFC2256
 : organization this object belongs to' SUP name )
olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
 RFC2256: organizational unit this object belongs to' SUP name )
olcAttributeTypes: {9}( 2.5.4.12 NAME 'title' DESC 'RFC2256: title associated 
 with the entity' SUP name )
olcAttributeTypes: {10}( 2.5.4.14 NAME 'searchGuide' DES

Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Quanah Gibson-Mount



--On November 12, 2014 at 6:23:53 PM +0100 Marc Patermann 
 wrote:




> You can change the exported config or post it here, if you have not
> before. This may tell you/us how to authorize to slapd with ldapadd to
> modify the config online.


Ubuntu already documents how to authorize to the config db, and I already 
provided a URL to the Ubuntu documentation.  Here's the link again:




which clearly provides an example of how to bind to the root database via 
ldapsearch (which can logically be extended to ldapmodify, ldapadd, etc).


--Quanah



--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration




Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Marc Patermann

Igor,

Igor Shmukler wrote (12.11.2014 11:36):

> I am guess making wild guesses...
> Could it be that I need to adjust the below line:
> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>
> Should I perhaps replace cn=config with dc=nodomain or something else?

No.

With slapd.d config instead of "old" slapd.conf, you now have (at least) 
two databases in slapd:

* your config database - which is always at cn=config - and
* your "data" database - which base that is under is totally up to you.

You can export the config with slapcat command, cn=config is probably 
the first database, so you use "-n 0".

(You should backup the other databases as well.)
You can change the exported config or post it here, if you have not 
before. This may tell you/us how to authorize to slapd with ldapadd to 
modify the config online.
You could import the cn=config database back with slapadd offline, but 
you might have to delete the existing database first. ldapadd is a bit 
more difficult to use but safer.


(This may have been a lot easier to explain with slapd.conf, but the 
times are changing ...)


Marc



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Hi Andrew,

I definitely could not care less which backend database is used. I
only asked about this to get VLV working. Currently, it does not.
I need to get on with my job, which is programming and not *nix
administration. Until Virtual List View is working, I cannot do that.

Sincerely,

Igor Shmukler

On Wed, Nov 12, 2014 at 1:11 PM, Andrew Findlay
 wrote:
> On Wed, Nov 12, 2014 at 12:41:46PM +0200, Igor Shmukler wrote:
>
>> I am also curious about another part of the olcDatabase parameter.
>> How do I know whether to use bdb or hdb? I don't care either way of
>> course. I just need my test server to work, so I could proceed with my
>> main duty - programming.
>
> For a test server it probably does not matter which database you use
> unless you need to load large amounts of data, or do unusual things
> like rename whole subtrees (bdb cannot do that).
>
> For a production server using current OpenLDAP code, mdb is the first
> choice. If you are forced to use older software then hdb may be safer.
>
> Andrew
> --
> ---
> | From Andrew Findlay, Skills 1st Ltd |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/+44 1628 782565 |
> ---



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Andrew Findlay
On Wed, Nov 12, 2014 at 12:41:46PM +0200, Igor Shmukler wrote:

> I am also curious about another part of the olcDatabase parameter.
> How do I know whether to use bdb or hdb? I don't care either way of
> course. I just need my test server to work, so I could proceed with my
> main duty - programming.

For a test server it probably does not matter which database you use
unless you need to load large amounts of data, or do unusual things
like rename whole subtrees (bdb cannot do that).

For a production server using current OpenLDAP code, mdb is the first
choice. If you are forced to use older software then hdb may be safer.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Hello,

I am also curious about another part of the olcDatabase parameter.
How do I know whether to use bdb or hdb? I don't care either way of
course. I just need my test server to work, so I could proceed with my
main duty - programming.

Sincerely,

Igor Shmukler


On Wed, Nov 12, 2014 at 12:36 PM, Igor Shmukler  wrote:
> Chris,
>
> I am guess making wild guesses...
> Could it be that I need to adjust the below line:
> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>
> Should I perhaps replace cn=config with dc=nodomain or something else?
>
> Thank you,
>
> Igor Shmukler
>
>
> On Wed, Nov 12, 2014 at 12:30 PM, Igor Shmukler  
> wrote:
>> Hello Chris,
>>
>> Yes, I am now sure that slapd.d is being used. Last night, Andrew
>> explained how this can be checked.
>>
>> Sincerely,
>>
>> Igor Shmukler
>>
>> On Wed, Nov 12, 2014 at 12:28 PM, Chris Card  wrote:
>>>
>>>> vq@vq-HVM-domU:~$ ldapsearch -x -w Vq0106%% -D "cn=admin,dc=nodomain"
>>>> -b cn=config
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base  with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 32 No such object
>>>>
>>>> # numResponses: 1
>>>>
>>>> vq@vq-HVM-domU:~$ cat /usr/share/slapd/sssvlv.ldif
>>>> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>>>> objectClass: olcSssVlvConfig
>>>> olcOverlay: sssvlv
>>>> olcSssVlvMax: 10
>>>> olcSssVlvMaxKeys: 5
>>>>
>>>> In order to actually get the search working, I use base dc=nodomain
>>>>
>>>> It is not my choice. I inherited the server and the configuration. Nor
>>>> do I know much about OpenLDAP configuration. I am a programmer and my
>>>> job is [among other things] hacking the client piece. Unfortunately,
>>>> there is nobody else [better] qualified to configure the server.
>>>> Hence, I am filling in for an administrator.
>>>>
>>>> The "ldapsearch -x -w SECRET -D "cn=admin,dc=nodomain" -b dc=nodomain"
>>>> version works fine and I do in fact get results.
>>>>
>>> Are you sure that slapd is using the slapd.d configuration, rather than the 
>>> old-style slapd.conf?
>>> If slapd.d is being used, then slapd should be running with -F 
>>> /slap.d, if not then it will be
>>> running with -f /slapd.conf.
>>>
>>> Chris



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Chris,

I am guess making wild guesses...
Could it be that I need to adjust the below line:
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config

Should I perhaps replace cn=config with dc=nodomain or something else?

Thank you,

Igor Shmukler


On Wed, Nov 12, 2014 at 12:30 PM, Igor Shmukler  wrote:
> Hello Chris,
>
> Yes, I am now sure that slapd.d is being used. Last night, Andrew
> explained how this can be checked.
>
> Sincerely,
>
> Igor Shmukler
>
> On Wed, Nov 12, 2014 at 12:28 PM, Chris Card  wrote:
>>
>>> vq@vq-HVM-domU:~$ ldapsearch -x -w Vq0106%% -D "cn=admin,dc=nodomain"
>>> -b cn=config
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base  with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 32 No such object
>>>
>>> # numResponses: 1
>>>
>>> vq@vq-HVM-domU:~$ cat /usr/share/slapd/sssvlv.ldif
>>> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>>> objectClass: olcSssVlvConfig
>>> olcOverlay: sssvlv
>>> olcSssVlvMax: 10
>>> olcSssVlvMaxKeys: 5
>>>
>>> In order to actually get the search working, I use base dc=nodomain
>>>
>>> It is not my choice. I inherited the server and the configuration. Nor
>>> do I know much about OpenLDAP configuration. I am a programmer and my
>>> job is [among other things] hacking the client piece. Unfortunately,
>>> there is nobody else [better] qualified to configure the server.
>>> Hence, I am filling in for an administrator.
>>>
>>> The "ldapsearch -x -w SECRET -D "cn=admin,dc=nodomain" -b dc=nodomain"
>>> version works fine and I do in fact get results.
>>>
>> Are you sure that slapd is using the slapd.d configuration, rather than the 
>> old-style slapd.conf?
>> If slapd.d is being used, then slapd should be running with -F /slap.d, 
>> if not then it will be
>> running with -f /slapd.conf.
>>
>> Chris



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Hello Chris,

Yes, I am now sure that slapd.d is being used. Last night, Andrew
explained how this can be checked.

Sincerely,

Igor Shmukler

On Wed, Nov 12, 2014 at 12:28 PM, Chris Card  wrote:
>
>> vq@vq-HVM-domU:~$ ldapsearch -x -w Vq0106%% -D "cn=admin,dc=nodomain"
>> -b cn=config
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 32 No such object
>>
>> # numResponses: 1
>>
>> vq@vq-HVM-domU:~$ cat /usr/share/slapd/sssvlv.ldif
>> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>> objectClass: olcSssVlvConfig
>> olcOverlay: sssvlv
>> olcSssVlvMax: 10
>> olcSssVlvMaxKeys: 5
>>
>> In order to actually get the search working, I use base dc=nodomain
>>
>> It is not my choice. I inherited the server and the configuration. Nor
>> do I know much about OpenLDAP configuration. I am a programmer and my
>> job is [among other things] hacking the client piece. Unfortunately,
>> there is nobody else [better] qualified to configure the server.
>> Hence, I am filling in for an administrator.
>>
>> The "ldapsearch -x -w SECRET -D "cn=admin,dc=nodomain" -b dc=nodomain"
>> version works fine and I do in fact get results.
>>
> Are you sure that slapd is using the slapd.d configuration, rather than the 
> old-style slapd.conf?
> If slapd.d is being used, then slapd should be running with -F /slap.d, 
> if not then it will be
> running with -f /slapd.conf.
>
> Chris



RE: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Chris Card

> vq@vq-HVM-domU:~$ ldapsearch -x -w Vq0106%% -D "cn=admin,dc=nodomain"
> -b cn=config
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> vq@vq-HVM-domU:~$ cat /usr/share/slapd/sssvlv.ldif
> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
> objectClass: olcSssVlvConfig
> olcOverlay: sssvlv
> olcSssVlvMax: 10
> olcSssVlvMaxKeys: 5
>
> In order to actually get the search working, I use base dc=nodomain
>
> It is not my choice. I inherited the server and the configuration. Nor
> do I know much about OpenLDAP configuration. I am a programmer and my
> job is [among other things] hacking the client piece. Unfortunately,
> there is nobody else [better] qualified to configure the server.
> Hence, I am filling in for an administrator.
>
> The "ldapsearch -x -w SECRET -D "cn=admin,dc=nodomain" -b dc=nodomain"
> version works fine and I do in fact get results.
>
Are you sure that slapd is using the slapd.d configuration, rather than the 
old-style slapd.conf?
If slapd.d is being used, then slapd should be running with -F /slap.d, if 
not then it will be 
running with -f /slapd.conf.

Chris 


Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Hi Chris,

vq@vq-HVM-domU:~$ ldapsearch -x -w Vq0106%% -D "cn=admin,dc=nodomain"
-b cn=config
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

vq@vq-HVM-domU:~$ cat /usr/share/slapd/sssvlv.ldif
dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5

In order to actually get the search working, I use base dc=nodomain

It is not my choice. I inherited the server and the configuration. Nor
do I know much about OpenLDAP configuration. I am a programmer and my
job is [among other things] hacking the client piece. Unfortunately,
there is nobody else [better] qualified to configure the server.
Hence, I am filling in for an administrator.

The "ldapsearch -x -w SECRET -D "cn=admin,dc=nodomain" -b dc=nodomain"
version works fine and I do in fact get results.

Sincerely,

Igor Shmukler

On Wed, Nov 12, 2014 at 11:47 AM, Chris Card  wrote:
>
>
>
>> Hi Chris,
>>
>> Sorry to bother you again.
>>
>>> ldapadd -x -w  -D cn=config -f 
>>
>> -D cn=config was giving me an authentication error. I used
>> credentials, which work for ldapsearch and got a syntax error.
>>
>> vq@vq-HVM-domU:~$ ldapadd -x -w SECRET -D "cn=admin, dc=nodomain" -f
>> /usr/share/slapd/sssvlv.ldif
>> ldap_add: Invalid syntax (21)
>> additional info: objectClass: value #0 invalid per syntax
>>
> Is cn=admin,dc=nodomain the rootdn for the cn=config directory?
>
> Does
>
> ldapsearch -x -w SECRET -D "cn=admin,dc=nodomain" -b cn=config
>
> work?
>
> What are the contents of sssvlv.ldif? (it's possible I made a typo, it was 
> untested)
>
> Chris
>
>



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Andrew Findlay
On Wed, Nov 12, 2014 at 01:02:36AM +0200, Igor Shmukler wrote:

> Interestingly, lsof does have the following entry:
> slapd   13310 openldap  memREG  202,126872 409681
> /usr/lib/ldap/sssvlv-2.4.so.2.8.3
> 
> Hence, it seems that sssvlv is loaded. At the same time, ldapsearch is
> telling me "VLV control requires server side sort control"

It would appear that the sssvlv *module* has loaded, but you still have to 
apply the overlay to the database that you want it to work on.

> Does this mean like Quanah said that my OpenLDAP from Ubuntu server is broken?

Not necessarily. Many people on this list dislike the way that some
of the major Linux distros build OpenLDAP and the old versions of
OpenLDAP that they use, so the default setup tends to get described as
'broken'. Quanah was also referring to the fact that you had hand-edited
a file under /etc/ldap/slapd.d/cn=config - that is a very risky thing
to do and you may have caused problems that way.

In this case I think it more likely that you just need to add the overlay
to the database.

On Wed, Nov 12, 2014 at 08:38:14AM +, Chris Card wrote:

> Date: Wed, 12 Nov 2014 08:38:14 +
> From: Chris Card 
> 
> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
> objectClass: olcSssVlvConfig
> olcOverlay: sssvlv
> olcSssVlvMax: 10
> olcSssVlvMaxKeys: 5
> 
> something like 
> 
> ldapadd -x -w  -D cn=config -f 

As Chris says, ldapadd (or slapadd if the server is down) is the right
way to modify a config of this type. The exact LDIF required will
depend on your database setup: Chris has assumed that you want the
overlay on the first non-config database and that it is a bdb.
If your setup is different then the DN will have to change.

Note also that bdb is deprecated. If you continue to use the binaries
shipped with Ubuntu then you should at least consider swapping to hdb.
Ideally you should build the latest OpenLDAP from source and use mdb.
Changing to a different database type requires dumping all data to LDIF
text files and re-loading it in the new database, so this is not something
to be undertaken until you are more familiar with OpenLDAP.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                +44 1628 782565 |
---
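
Added example (not part of any message in this thread, and not OpenLDAP project code): a shell check for the situation described in the message above, where the sssvlv module is loaded but the overlay has not been applied to a database. It reads an LDIF dump of cn=config on stdin; the function names and the sample entries (an hdb database with suffix dc=nodomain) are constructed for illustration.

```shell
#!/bin/sh
# Reads an LDIF dump of cn=config on stdin and reports whether the sssvlv
# module is loaded and which databases have the overlay applied.
sssvlv_status() {
    awk '
    function strip_index(v) { sub(/^[{]-?[0-9]+[}]/, "", v); return v }
    function flush(   parent) {
        if (dn == "") return
        if (overlay) {   # an overlay entry sits directly below its database
            parent = dn; sub(/^[^,]*,/, "", parent)
            applied[tolower(parent)] = 1
        }
        if (suffix != "") { ndb++; dbdn[ndb] = dn; dbsuffix[ndb] = suffix }
        dn = ""; suffix = ""; overlay = 0
    }
    function handle(l,   i, attr, val, base) {
        if (l == "") { flush(); return }   # a blank line ends an entry
        i = index(l, ": ")
        if (i == 0) return
        attr = tolower(substr(l, 1, i - 1)); val = substr(l, i + 2)
        if (attr == "dn") dn = val
        else if (attr == "olcsuffix") suffix = val
        else if (attr == "olcoverlay" && strip_index(val) == "sssvlv") overlay = 1
        else if (attr == "olcmoduleload") {
            base = strip_index(val); sub(/^.*\//, "", base)
            if (base == "sssvlv" || base == "sssvlv.la" || base == "sssvlv.so") module = 1
        }
    }
    /^ / { line = line substr($0, 2); next }   # LDIF folding: join continuations
    { handle(line); line = $0 }
    END {
        handle(line); flush()
        print "module " (module ? "loaded" : "missing")
        for (i = 1; i <= ndb; i++) {
            state = (tolower(dbdn[i]) in applied) ? "yes" : "no"
            print "database " dbdn[i] " suffix=" dbsuffix[i] " overlay=" state
        }
    }'
}

# Constructed sample in the shape of a cn=config search result for a server
# in the state the thread describes: module loaded, no overlay entry yet.
sample_config() {
    cat <<'EOF'
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}sssvlv.la

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config

dn: olcDatabase={1}hdb,cn=config
olcDatabase: {1}hdb
olcSuffix: dc=nodomain
EOF
}

# Constructed overlay entry as it would appear after a successful ldapadd;
# the DN is folded on purpose to exercise LDIF line continuation.
sample_overlay() {
    cat <<'EOF'

dn: olcOverlay={0}sssvlv,olcDatabase={1}hdb,
 cn=config
objectClass: olcSssVlvConfig
olcOverlay: {0}sssvlv
EOF
}

sample_config | sssvlv_status
```

On a live server, pipe the output of an ldapsearch run with -LLL -b cn=config into sssvlv_status. The database DN it prints is the one the overlay entry's DN has to end with, which matters when the database is not the {1}bdb assumed in the LDIF above.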



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Hi Chris,

Sorry to bother you again.

> ldapadd -x -w  -D cn=config -f 

-D cn=config was giving me an authentication error. I used
credentials, which work for ldapsearch and got a syntax error.

vq@vq-HVM-domU:~$ ldapadd -x -w SECRET -D "cn=admin, dc=nodomain" -f
/usr/share/slapd/sssvlv.ldif
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax

Please advise.

Thank you,

Igor Shmukler



RE: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Chris Card
>>>>> It is clear from the man slapo-sssvlv(5) page that when slapd.conf is
>>>>> being used, the options should appear after the overlay directive.
>>>>> Even I got this. Where those options should go when cn=config is used?
>>>>> I do not understand it from the man page. Is this something to be
>>>>> specified using ldapmodify?
>>>>
>>>> You need to use ldapadd with ldif like this:
>>>>
>>>> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>>>> objectClass: olcSssVlvConfig
>>>> olcOverlay: sssvlv
>>>> olcSssVlvMax: 10
>>>> olcSssVlvMaxKeys: 5
>>>>
>>>> something like
>>>>
>>>> ldapadd -x -w  -D cn=config -f 

>>>
>>> Thank you Chris,
>>>
>>> This is exactly what I needed.
>>> Should I put the ldif file into the
>>> /etc/ldap/slapd.d/cn=config/cn=schema directory or
>>> /etc/ldap/slapd.d/cn\=config/ directory? What is the recommended
>>> place?
>>> [I see that -D is to specify binddn, yet I am not sure whether LDIF
>>> should go there. Sorry for being stupid.]
>>>
>> Don't update anything under /etc/ldap/slapd.d/cn\=config by hand!
>>
>> The configuration is held in an LDAP directory with suffix cn=config, and
>> you add stuff to it in exactly the same way as any other LDAP directory,
>> using ldapadd, ldapmodify etc.
>>
>> The fact that you can see files under /etc/ldap/slapd.d/cn=config is just
>> an artifact of the implementation of the cn=config db in openldap, and I
>> believe it is planned to change the implementation in the future.
>>
>
> Where should I put the ldif file, then?
>
It doesn't matter where, it's just a source file. The ldapadd utility will send
the ldif to the LDAP server, and the LDAP server will update the cn=config
directory.

Chris 


Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Where should I put the ldif file, then?

On Wed, Nov 12, 2014 at 10:53 AM, Chris Card  wrote:
>
>
>
>>
>> On Wed, Nov 12, 2014 at 10:38 AM, Chris Card  wrote:
>>>
>>>> It is clear from the man slapo-sssvlv(5) page that when slapd.conf is
>>>> being used, the options should appear after the overlay directive.
>>>> Even I got this. Where those options should go when cn=config is used?
>>>> I do not understand it from the man page. Is this something to be
>>>> specified using ldapmodify?
>>>
>>> You need to use ldapadd with ldif like this:
>>>
>>> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>>> objectClass: olcSssVlvConfig
>>> olcOverlay: sssvlv
>>> olcSssVlvMax: 10
>>> olcSssVlvMaxKeys: 5
>>>
>>> something like
>>>
>>> ldapadd -x -w  -D cn=config -f 
>>>
>>
>> Thank you Chris,
>>
>> This is exactly what I needed.
>> Should I put the ldif file into the
>> /etc/ldap/slapd.d/cn=config/cn=schema directory or
>> /etc/ldap/slapd.d/cn\=config/ directory? What is the recommended
>> place?
>> [I see that -D is to specify binddn, yet I am not sure whether LDIF
>> should go there. Sorry for being stupid.]
>>
> Don't update anything under /etc/ldap/slapd.d/cn\=config by hand!
>
> The configuration is held in an LDAP directory with suffix cn=config, and
> you add stuff to it in exactly the same way as any other LDAP directory,
> using ldapadd, ldapmodify etc.
>
> The fact that you can see files under /etc/ldap/slapd.d/cn=config is just
> an artifact of the implementation of the cn=config db in openldap, and I
> believe it is planned to change the implementation in the future.
>
> Chris
>
>



RE: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Chris Card



>
> On Wed, Nov 12, 2014 at 10:38 AM, Chris Card  wrote:
>>
>>> It is clear from the man slapo-sssvlv(5) page that when slapd.conf is
>>> being used, the options should appear after the overlay directive.
>>> Even I got this. Where those options should go when cn=config is used?
>>> I do not understand it from the man page. Is this something to be
>>> specified using ldapmodify?
>>
>> You need to use ldapadd with ldif like this:
>>
>> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
>> objectClass: olcSssVlvConfig
>> olcOverlay: sssvlv
>> olcSssVlvMax: 10
>> olcSssVlvMaxKeys: 5
>>
>> something like
>>
>> ldapadd -x -w  -D cn=config -f 
>>
>
> Thank you Chris,
>
> This is exactly what I needed.
> Should I put the ldif file into the
> /etc/ldap/slapd.d/cn=config/cn=schema directory or
> /etc/ldap/slapd.d/cn\=config/ directory? What is the recommended
> place?
> [I see that -D is to specify binddn, yet I am not sure whether LDIF
> should go there. Sorry for being stupid.]
>
Don't update anything under /etc/ldap/slapd.d/cn\=config by hand!

The configuration is held in an LDAP directory with suffix cn=config, and
you add stuff to it in exactly the same way as any other LDAP directory, 
using ldapadd, ldapmodify etc.

The fact that you can see files under /etc/ldap/slapd.d/cn=config is just
an artifact of the implementation of the cn=config db in openldap, and I believe
it is planned to change the implementation in the future.

Chris

  


Re: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Igor Shmukler
Thank you Chris,

This is exactly what I needed.
Should I put the ldif file into the
/etc/ldap/slapd.d/cn=config/cn=schema directory or
/etc/ldap/slapd.d/cn\=config/ directory? What is the recommended
place?
[I see that -D is to specify binddn, yet I am not sure whether LDIF
should go there. Sorry for being stupid.]

Sincerely,

Igor Shmukler

On Wed, Nov 12, 2014 at 10:38 AM, Chris Card  wrote:
> Hi Igor
>
>> It is clear from the man slapo-sssvlv(5) page that when slapd.conf is
>> being used, the options should appear after the overlay directive.
>> Even I got this. Where those options should go when cn=config is used?
>> I do not understand it from the man page. Is this something to be
>> specified using ldapmodify?
>
> You need to use ldapadd with ldif like this:
>
> dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
> objectClass: olcSssVlvConfig
> olcOverlay: sssvlv
> olcSssVlvMax: 10
> olcSssVlvMaxKeys: 5
>
> something like
>
> ldapadd -x -w  -D cn=config -f 
>
> Chris



RE: adding VLV support to OpenLDAP 2.4.31

2014-11-12 Thread Chris Card
Hi Igor

> It is clear from the man slapo-sssvlv(5) page that when slapd.conf is
> being used, the options should appear after the overlay directive.
> Even I got this. Where those options should go when cn=config is used?
> I do not understand it from the man page. Is this something to be
> specified using ldapmodify?

You need to use ldapadd with ldif like this:

dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5

something like 

ldapadd -x -w  -D cn=config -f 

Chris 


Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Igor Shmukler
Hello Dieter,

Thank you for your input.

> It seems you have not configured sssvlv, read man slapo-sssvlv(5) and
> https://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09

I glanced through the IETF document, and see nothing concerning the
OpenLDAP SSSVLV configuration. Please advise what section contains
relevant information.

The slapo-sssvlv(5) man page indeed covers configuration. I see only
three (3) values there: sssvlv-max, sssvlv-maxkeys and
sssvlv-maxperconn. According to the same man page, there is a default
for each of those. I assumed this means that if the value is not
specified, the default is used.
Is this wrong?

Further, I understand that the man page must be clear and I probably
read it incorrectly, yet...
It is clear from the man slapo-sssvlv(5) page that when slapd.conf is
being used, the options should appear after the overlay directive.
Even I got this. Where those options should go when cn=config is used?
I do not understand it from the man page. Is this something to be
specified using ldapmodify?

Please advise.

Sincerely,

Igor Shmukler



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Dieter Klünter
On Wed, 12 Nov 2014 01:02:36 +0200
Igor Shmukler wrote:

> Interestingly, lsof does have the following entry:
> slapd   13310 openldap  memREG  202,126872 409681
> /usr/lib/ldap/sssvlv-2.4.so.2.8.3
> 
> Hence, it seems that sssvlv is loaded. At the same time, ldapsearch is
> telling me "VLV control requires server side sort control"

It seems you have not configured sssvlv, read man slapo-sssvlv(5) and
https://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09

-Dieter


> Does this mean like Quanah said that my OpenLDAP from Ubuntu server
> is broken?
> 
> On Wed, Nov 12, 2014 at 1:00 AM, Quanah Gibson-Mount
>  wrote:
> >
> >
> > --On November 12, 2014 at 12:47:10 AM +0200 Igor Shmukler
> >  wrote:
> >
> >> Thank you Andrew and Quanah. I appreciate your help.
> >>
> >> I manually added "olcModuleLoad: {1}sssvlv.la" to the
> >> /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did
> >> not do anything. I will re-read the manuals and resume.
> >
> >
> > Those are database files.  If you directly modify them, you may
> > completely corrupt/destroy your installation.  You should be using
> > ldapmodify, etc, to update the configuration database.
> >
> >
> > --Quanah
> >
> > --
> > Quanah Gibson-Mount
> > Platform Architect
> > Zimbra, Inc
> > 
> > Zimbra ::  the leader in open source messaging and collaboration
> >
> 



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Igor Shmukler
Interestingly, lsof does have the following entry:
slapd   13310 openldap  memREG  202,126872 409681
/usr/lib/ldap/sssvlv-2.4.so.2.8.3

Hence, it seems that sssvlv is loaded. At the same time, ldapsearch is
telling me "VLV control requires server side sort control"

Does this mean like Quanah said that my OpenLDAP from Ubuntu server is broken?

On Wed, Nov 12, 2014 at 1:00 AM, Quanah Gibson-Mount  wrote:
>
>
> --On November 12, 2014 at 12:47:10 AM +0200 Igor Shmukler
>  wrote:
>
>> Thank you Andrew and Quanah. I appreciate your help.
>>
>> I manually added "olcModuleLoad: {1}sssvlv.la" to the
>> /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did
>> not do anything. I will re-read the manuals and resume.
>
>
> Those are database files.  If you directly modify them, you may completely
> corrupt/destroy your installation.  You should be using ldapmodify, etc, to
> update the configuration database.
>
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc
> 
> Zimbra ::  the leader in open source messaging and collaboration
>



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Quanah Gibson-Mount



--On November 12, 2014 at 12:47:10 AM +0200 Igor Shmukler 
 wrote:



> Thank you Andrew and Quanah. I appreciate your help.
>
> I manually added "olcModuleLoad: {1}sssvlv.la" to the
> /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did
> not do anything. I will re-read the manuals and resume.


Those are database files.  If you directly modify them, you may completely 
corrupt/destroy your installation.  You should be using ldapmodify, etc, to 
update the configuration database.


--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration




Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Igor Shmukler
Thank you Andrew and Quanah. I appreciate your help.

I manually added "olcModuleLoad: {1}sssvlv.la" to the
/etc/ldap/slapd.d/cn=config/cn=module{0}.ldif file. For now, it did
not do anything. I will re-read the manuals and resume.

It is almost 1 AM in my timezone. To be continued tomorrow.

On Wed, Nov 12, 2014 at 12:41 AM, Andrew Findlay
 wrote:
> On Tue, Nov 11, 2014 at 11:48:59PM +0200, Igor Shmukler wrote:
>
>> Thank you for your answer. I spent quite a lot of time reading various
>> man pages including the one for slapd.conf(5), of course.
>> As I mentioned, there is no slapd-config on my system. [How] is it
>> possible that system is configured cn=config without it?
>
> slapd-config is a manual page, not an executable.
>
> man slapd-config
> Describes the LDAP/LDIF configuration method
>
> man slapd.conf
> Describes the flat text-file configuration method
>
> Both methods configure the same things, so those pages are quite
> similar. The keywords / attribute names are different though, so
> make sure you read the right one for the method you are using.
>
>> Is there a way to determine whether slapd.conf is used and where the
>> daemon is trying to find it, short of doing a system call trace?
>
> Use 'ps ax | grep slap' to see whether there are any command-line options
> applied to the slapd process. If there are, look them up in 'man slapd'
> taking particular note of the -f and -F options. If those options are not
> present then the daemon will use the default config database (see slapd-config
> above) or, failing that, will use the default config file (see slapd.conf
> above).
>
> Each of those manual pages starts with a note of exactly where the
> default database or config file will be found on your system.
>
>> Also, is there a command to list loadable modules in use?
>
> 'lsof -p ' perhaps :-)
>
> Modules can be backends or overlays. I cannot think of a single command
> that finds all loaded slapd modules. You can find what backends and
> overlays are available/active by browsing under cn=monitor. Similarly
> you could search under cn=config to find what the config says *should*
> be loaded.
>
> Andrew
> --
> ---
> | From Andrew Findlay, Skills 1st Ltd |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/                +44 1628 782565 |
> ---



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Andrew Findlay
On Tue, Nov 11, 2014 at 11:48:59PM +0200, Igor Shmukler wrote:

> Thank you for your answer. I spent quite a lot of time reading various
> man pages including the one for slapd.conf(5), of course.
> As I mentioned, there is no slapd-config on my system. [How] is it
> possible that system is configured cn=config without it?

slapd-config is a manual page, not an executable.

man slapd-config
Describes the LDAP/LDIF configuration method

man slapd.conf
Describes the flat text-file configuration method

Both methods configure the same things, so those pages are quite
similar. The keywords / attribute names are different though, so
make sure you read the right one for the method you are using.

> Is there a way to determine whether slapd.conf is used and where the
> daemon is trying to find it, short of doing a system call trace?

Use 'ps ax | grep slap' to see whether there are any command-line options
applied to the slapd process. If there are, look them up in 'man slapd'
taking particular note of the -f and -F options. If those options are not
present then the daemon will use the default config database (see slapd-config
above) or, failing that, will use the default config file (see slapd.conf
above).

Each of those manual pages starts with a note of exactly where the
default database or config file will be found on your system.

> Also, is there a command to list loadable modules in use?

'lsof -p ' perhaps :-)

Modules can be backends or overlays. I cannot think of a single command
that finds all loaded slapd modules. You can find what backends and
overlays are available/active by browsing under cn=monitor. Similarly
you could search under cn=config to find what the config says *should*
be loaded.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                +44 1628 782565 |
---



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Quanah Gibson-Mount



--On November 11, 2014 at 11:48:59 PM +0200 Igor Shmukler 
 wrote:



> Thank you for your answer. I spent quite a lot of time reading various
> man pages including the one for slapd.conf(5), of course.
> As I mentioned, there is no slapd-config on my system. [How] is it
> possible that system is configured cn=config without it?
> Is there a way to determine whether slapd.conf is used and where the
> daemon is trying to find it, short of doing a system call trace?


How do you know there is no slapd-config database on your system?  That's 
what Ubuntu12 and later all use by default.  I'm fairly certain yours does 
too.  You can look at the startup script for slapd to see where it is 
pulling its config from possibly.  IIRC, Ubuntu stores it under 
/etc/ldap/slapd.d, and their documentation confirms that: 




--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration




Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Igor Shmukler
Hello,

> a) Do not use Ubuntu's utterly broken build of OpenLDAP, to start with. You
> may want to try the builds from the LTB project.
>
> b) Ubuntu no longer uses the deprecated slapd.conf.  It uses the cn=config
> database.  So your changes to the slapd.conf (included for reference, not
> use) are ignored.  You probably should read up on the slapd.config man page.

Thank you for your answer. I spent quite a lot of time reading various
man pages including the one for slapd.conf(5), of course.
As I mentioned, there is no slapd-config on my system. [How] is it
possible that system is configured cn=config without it?
Is there a way to determine whether slapd.conf is used and where the
daemon is trying to find it, short of doing a system call trace?

Also, is there a command to list loadable modules in use?

Sincerely,

Igor Shmukler



Re: adding VLV support to OpenLDAP 2.4.31

2014-11-11 Thread Quanah Gibson-Mount



--On November 11, 2014 at 11:05:26 PM +0200 Igor Shmukler 
 wrote:



> Hello,
>
> I apologize if I am posting to the wrong mailing list.
>
> I have a simple problem, which I am sure any OpenLDAP administrator
> can easily solve...
> I am not an administrator, however. Hence being unable to answer this
> trivial question presents a real problem. I am stuck. Any assistance
> would be greatly appreciated.
>
> I am trying to add Virtual List View support to an OpenLDAP server on
> hosted Ubuntu. The distro version is Ubuntu 14.04.1 LTS. The OpenLDAP
> server is already running. I receive responses to basic commands, but

a) Do not use Ubuntu's utterly broken build of OpenLDAP, to start with. 
You may want to try the builds from the LTB project.


b) Ubuntu no longer uses the deprecated slapd.conf.  It uses the cn=config 
database.  So your changes to the slapd.conf (included for reference, not 
use) are ignored.  You probably should read up on the slapd.config man page.


--Quanah


--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration