RE: Multi-Master, referrals, and chaining

2010-03-25 Thread Clowser, Jeff
I'd probably set it up a little differently. Something like this (very general/generic): 2 of your 6 servers as suppliers/masters, accepting writes. If you are using a load balancer, set it up so that you have a vip that always goes to one of these servers (the "primary" supplier), and directs t

RE: slapd consumer deletes entries

2009-09-21 Thread Clowser, Jeff
> This is due to a common mistake of using "attrs=*", which removes the operational attributes that syncrepl uses to track changes. I really wish I knew where people got this from, because 99.99% of the time you do not want to use this value. You should not specify the attr

RE: performance issue behind a load balancer 2.3.32

2009-07-24 Thread Clowser, Jeff
> When behind the F5 in the LDAP server logs all connections appear to come from the F5's IP

This strikes me as odd. Load balancers (including the F5) typically preserve the client IP... The most common case I've seen of this is when the load balancer is proxying a request vs rerouting it to

RE: performance issue behind a load balancer 2.3.32

2009-07-21 Thread Clowser, Jeff
> We've certainly seen that F5 load balancers cause problems just like you're seeing when used with LDAP. They just slow things down way too much to be worthwhile.

Do you have any facts/numbers to back this up? I've never seen F5's slow things down noticeably. The most common problem loa

RE: performance issue behind a load balancer 2.3.32

2009-07-21 Thread Clowser, Jeff
> Why bother with the load balancer? I am curious, I am sure there is a reason, but it isn't making a lot of sense to me. You can either do round robin dns, or just pass out the 3 read server addy's to the clients for failover (and change the order for real poor man's load balancing.)

T

RE: password policy - alternate lockout mechanism

2009-07-17 Thread Clowser, Jeff
> Clowser, Jeff wrote:
>> - Consider this example - the place I run into this most often is our Internet proxies, which are password protected. There are many apps a user uses that connects through the proxy (which in turn auths against

RE: password policy - alternate lockout mechanism

2009-07-16 Thread Clowser, Jeff
> Aravind Gottipati wrote:
>> On Sun, Jul 12, 2009 at 10:53 PM, Howard Chu wrote:
>>> Fix the real problem, not just the symptom. The approach you're pushing for is just putting a bandaid on a problem, not fixing it. This may be how other folks handle their software design proble

RE: Multimaster question

2009-06-24 Thread Clowser, Jeff
> On Wednesday 24 June 2009 07:00:06 Dieter Kluenter wrote:
>> "Clowser, Jeff" writes:
>>> I want to set up a cluster of ldap servers. In that cluster, I want:
>>>
>>> - One primary supplier server
>>> - One h

RE: Multimaster question

2009-06-24 Thread Clowser, Jeff
>> I want to set up a cluster of ldap servers. In that cluster, I want:
>>
>> - One primary supplier server
>> - One hot standby supplier server
>> - N read only consumer replicas.
>> - a load balancer that directs all writes to the primary master if it's up, or the standby i

Multimaster question

2009-06-23 Thread Clowser, Jeff
I want to set up a cluster of ldap servers. In that cluster, I want:

- One primary supplier server
- One hot standby supplier server
- N read only consumer replicas.
- a load balancer that directs all writes to the primary master if it's up, or the standby if it's down.

However, I want operati

RE: slapd 2.4.13: ppolicy_use_lockout not working as expected

2009-01-30 Thread Clowser, Jeff
> I can for example expire passwords, reset them or use the password history feature, but I can't figure out how to get an "account locked" message instead of "invalid credentials" when a user fails to log in more than 5 times.

That's by intention (or should be). You never want to differenti

RE: password policy - alternate lockout mechanism

2009-01-29 Thread Clowser, Jeff
At this point, I'm playing devil's advocate a bit. I'm not 100% sure I'm sold on this myself, but it's definitely an attempt to deal with a problem I face daily, so I'm continuing this to fully explore the idea.

>> Also, I am not sure how this will be any greater security risk than the curre

RE: password policy - alternate lockout mechanism

2009-01-28 Thread Clowser, Jeff
>> Also, I am not sure how this will be any greater security risk than the current system of storing a SSHA hash of the current password within LDAP? We could store similar hashes of all the passwords tried (up to pwdMaxFailure) and compare against that?
>
> I'm wondering if that's even nec

RE: password policy - alternate lockout mechanism

2009-01-27 Thread Clowser, Jeff
Kurt Zeilenga wrote:
> On Jan 27, 2009, at 12:14 PM, Clowser, Jeff wrote:
>
>> That would be nice, but I can't help but think (without having thought it out in detail) that there would be a gotcha to this - performance issue, security vulnerabi

RE: password policy - alternate lockout mechanism

2009-01-27 Thread Clowser, Jeff
Aravind Gottipatu wrote:
> On Tue, Jan 27, 2009 at 9:28 AM, Howard Chu wrote:
>> What makes you think a legitimate user who forgot their password won't try multiple times with different passwords? I.e., what makes you think you can distinguish a cracker from a legit user this way?
>>
> True,

RE: dynlist how to

2008-01-15 Thread Clowser, Jeff (Contractor)
>> I'm really missing something: you configure slapo-dynlist with
>>
>> overlay dynlist
>> dynlist-attrset groupOfURLs memberURL member
>>
>> this means that the entryDN (i.e. the DN) of each entry matching the search URI should be added to the group entry as "member" (the last arg to the dy

RE: Active/Active servers

2007-12-10 Thread Clowser, Jeff (Contractor)
>> What are you trying to accomplish?
>>
> Add high availability to my master servers, avoiding replication.

Why avoid replication? Multimastering is not necessarily bad, if done right. If you have two masters, but always write to one, with the other as a hot standby, you have the high avai

RE: Active/Active servers

2007-12-06 Thread Clowser, Jeff (Contractor)
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:openldap-software->[EMAIL PROTECTED] rg] On Behalf Of John Madden
> Sent: Thursday, December 06, 2007 1:39 PM
> To: Howard Chu
> Cc: Buchan Milne; openldap-software@openldap.org; Taymour A. El Erian
> Subject: Re: Active/Active servers
>
>> I

RE: Active/Active servers

2007-12-06 Thread Clowser, Jeff (Contractor)
> Howard Chu wrote:
>> Aaron Richton wrote:
>> Multimaster support is present in OpenLDAP 2.4.
>
> That's not quite the complete answer though. He's also talking about two servers sharing the same storage. In general, that is not supported in BerkeleyDB and is certainly not supported by back-bdb

RE: syncrepl - ldap_start_tls failed (-11)

2007-12-06 Thread Clowser, Jeff (Contractor)
What did you use when you generated your certificate? Important thing is that they match.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cristian Laufer
Sent: Thursday, December 06, 2007 9:50 AM
To: Quanah Gibson-Mount; openldap-software@openldap.org
S

RE: ppolicy + slapcat = ldif vulnerability?

2007-12-04 Thread Clowser, Jeff (Contractor)
> I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.
>
> I have set up so a default ppolicy such that 3 old passwords are stored in a user's pwdHistory attribute.
>
> When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks t

RE: restrict rootdn binds by connection source IP address?

2007-11-19 Thread Clowser, Jeff (Contractor)
I believe you can just not create a rootdn (or not define a password for it? Or maybe define a password like {crypt}*NOLOGIN* (or an md5/sha/ssha equivalent) that can't be used (not a valid hash)?), so you effectively disable the rootdn, but create a normal account that has full access to everythi

RE: Supported RFC's and "features"

2007-11-16 Thread Clowser, Jeff (Contractor)
> From: Hallvard Breien Furuseth [mailto:[EMAIL PROTECTED]
> Are you interested in non-RFC features in OpenLDAP that Sun does not have? First you say yes, then no.
>
> Also, are you interested in clients? The library? Otherwise don't say just "OpenLDAP", since that's both server, libraries and c

RE: Supported RFC's and "features"

2007-11-16 Thread Clowser, Jeff (Contractor)
> Howard Chu <[EMAIL PROTECTED]> writes:
>> I suppose we need to update our published roadmap. I don't consider SSS or VLV to be particularly important or well-designed features. In fact OpenLDAP has an RFC-compliant implementation of SSS which is a pure no-op; this is perfectly compliant

RE: Supported RFC's and "features"

2007-11-16 Thread Clowser, Jeff (Contractor)
>> I see one valuable use for SSS - guaranteed search return order. Regardless of the sort algorithm, knowing that searches will always return entries in the same order allows for easy comparison, merge sorts, or differentials with another list - as is necessary during the reconciliatio

RE: Inserting ACLs in CN=config

2007-11-16 Thread Clowser, Jeff (Contractor)
>>> from reading the AdminGuide and a quick search through the FAQ-o-Matic I couldn't gather how I'd insert a new ACL between the existing rules 2 and 3...
>>
>> Reread section 5.3.6 of the Admin Guide. This has been documented for more than a year.
>
> I took my time to read that secti

RE: Supported RFC's and "features"

2007-11-16 Thread Clowser, Jeff (Contractor)
> Clowser, Jeff (Contractor) wrote:
>>
>> Unknown:
>
> I guess "unknown" means you couldn't determine the status of support in slapd.

Correct - means _I_ couldn't find it in the faq, admin guide, or man pages (doesn't mean it wasn't ther

RE: Invalid DN syntax (34)

2007-11-15 Thread Clowser, Jeff (Contractor)
Looks like the trailing " (quotes) on the dn in your ldif file.

> why if i want to add user to base i have error: ldap_add: Invalid DN syntax (34) , i can't find where can be problem :/ , somebody know which mistake i do ?
> ...
> // tester.ldif //
> dn: cn=test_5,ou=stud,dc=aaa,dc=ws,dc=com" //

RE: Supported RFC's and "features"

2007-11-15 Thread Clowser, Jeff (Contractor)
>> Unknown features:
>> - Per user resource limits (sizelimit, timelimit, idletimeout, etc). I think Howard Chu said OpenLDAP has some of this, but I haven't seen any reference to it or how to use it in the docs (does this functionality exist, and if so, is there any documentation?)
>
> man

Supported RFC's and "features"

2007-11-15 Thread Clowser, Jeff (Contractor)
I'm currently doing a review to see how OpenLDAP compares, *feature wise* ATM, to other directory servers and specifically to the Sun DS - i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. For brevity, I haven't included all the potenti

RE: no such object (32)

2007-11-15 Thread Clowser, Jeff (Contractor)
Your search was for "cn=NextFreeUnixId...", but then tried to update "cn=NextFreeUnixIdPool...". Is the "Pool" on the end supposed to be there - does THAT entry exist (that's not what you searched for)?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] g] On Behalf Of

RE: Replication questions (was: Mirror Mode)

2007-11-15 Thread Clowser, Jeff (Contractor)
>> I suppose the *real* solution is to use the multi-mastering capability in 2.4 to keep it in sync, but use it as if it's mirror mode (i.e. all writes to a single master, with the second as a hot standby), with the MM conflict resolution kicking in if needed because someone wrote to the

RE: Mirror Mode

2007-11-13 Thread Clowser, Jeff (Contractor)
> Howard Chu wrote:
>> When a network partition occurs, there are a number of cases where synchronization may still fail. I.e., we don't yet support attribute-level conflict resolution, so if multiple changes are made to the same entry, even if they are non-conflicting from a logical stand

Mirror Mode

2007-11-09 Thread Clowser, Jeff (Contractor)
I have a question about mirror mode, and how it's different from "multimaster". In servers like Sun or Red Hat's directory server, a simplified description of what they term multimaster is that more than one server can accept writes simultaneously, and it will then propagate all changes to other s

RE: LDAP provisioning error.

2007-11-06 Thread Clowser, Jeff (Contractor)
Just as a refresher, here are your logs from a previous post (had to go back and look em up):

Nov 2 11:15:07 pen slapd[18902]: conn=8 op=0 BIND dn="cn=Manager,dc=ncl,dc=ac,dc=uk" method=128
Nov 2 11:15:07 pen slapd[18902]: conn=8 op=0 BIND dn="cn=Manager,dc=ncl,dc=ac,dc=uk" mech=SIMPLE ssf=0
Nov

RE: case sensitive dn

2007-10-26 Thread Clowser, Jeff (Contractor)
That's because ou=SOMETHING,o=SOMETHING and ou=something,o=something are equivalent DNs. In general, that's just plain a bad idea to design a tree where you have dn's that are identical other than case (assuming it's even possible), for the exact case you are running into. But... my guess would

RE: Problems with initial install of OpenLDAP

2007-10-17 Thread Clowser, Jeff (Contractor)
In slapd.com, you have:

Suffix "dc=ggw,dc=nws,dc=noaa"

So your server is not defined to know anything above that. By attempting to add the "dc=nws,dc=noaa" entry, you are effectively trying to add something your server is not configured to serve. Try removing that from your ldif file (or make th