Re: Problem with SSL/TLS on CentOS 7 after upgrading to 2.4.59

2021-10-21 Thread Nick Milas
On 21/10/2021 6:39 PM, Nick Milas wrote: From the journal, some excerpts (it is very long): My fault: I copied parts from the journal before the restart :( Here is the actual log after restart: Oct 21 18:31:28 ldap.noa.gr systemd[1]: slapd.service start operation timed out. Terminating

Re: Problem with SSL/TLS on CentOS 7 after upgrading to 2.4.59

2021-10-21 Thread Nick Milas
Thank you for the reply: Here it is: # ldapwhoami -H ldaps://ldap.noa.gr:636 -x -d -1 ldap_url_parse_ext(ldaps://ldap.noa.gr:636) ldap_create ldap_url_parse_ext(ldaps://ldap.noa.gr:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connec

Problem with SSL/TLS on CentOS 7 after upgrading to 2.4.59

2021-10-21 Thread Nick Milas
Hello, Our main OpenLDAP Server (running on CentOS 7) has been working fine with 2.4.58. Since yesterday, after a (minor, see at the end) OS upgrade which included an update to LTB Openldap 2.4.59, SSL clients see: # ldapwhoami -H ldaps://ldap.noa.gr:636 -x ldap_sasl_bind(SIMPLE): Can't con

Replication between 2.4.x 2.5.x versions

2021-06-02 Thread Nick Milas
Hello, We are running a (small) number of OpenLDAP instances with v2.4.58. There is a single master and 4 syncrepl consumers (all on CentOS 7 boxes), all running with back-mdb. We are planning our migration from 2.4 to 2.5.x My question: Would it be OK if we migrate our master server to 2.5

Re: Updating schema in cn=config

2021-05-18 Thread Nick Milas
On 18/5/2021 1:55 AM, Michael Ströder wrote: Missing space after SUBSTR? On 18/5/2021 1:57 AM, Howard Chu wrote: Yes, but there is only one attribute value #2 in the attribute. Pay attention to what the error message tells you. You were both right, thank you. Turns out that all trailing

Updating schema in cn=config

2021-05-17 Thread Nick Milas
Hello, We are using PowerDNS with LDAP Backend. At some point the backend schema changed so in order to upgrade we need to change the schema loaded in OpenLDAP. Unfortunately, something seems to be going wrong in the process. What I did: First, I converted the new schema to ldif by creating

Re: Syncprov shows issue with entry

2021-01-22 Thread Nick Milas
On 18/1/2021 6:27 PM, Quanah Gibson-Mount wrote: Nothing in the log snippet provided shows an issue. What leads you to believe an issue has been encountered? Hi Quanah, Thanks for the reply, I can't tell whether it was an issue or not (for example, I could call it a phenomenon), but I fo

Syncprov shows issue with entry

2021-01-16 Thread Nick Milas
Hello, I would like to ask you for your guidance regarding the following. We have an openldap (v2.4.56) master server syncing with three other openldap slaves. The master seems being unable to complete successfully syncing a particular entry and it keeps trying for ever. Logs follow. I hav

Best practices in storing user device data

2020-06-13 Thread Nick Milas
Hello everyone, In our (non-profit, research) organization we are already using OpenLDAP for many years, storing people data and dns records (LDAP-based DNS server). We are now looking into how we could organize our LDAP DIT in order to store device data (descriptions, MAC addresses, IP Addre

Re: Syncrepl losing connection

2017-03-07 Thread Nick Milas
On 2/3/2017 5:59 PM, Quanah Gibson-Mount wrote: If setting this resolves your problem, then you have something in your network monitoring and severing connections. I used (as I have noted): keepalive=20:100:2 on one consumer and: keepalive=120:10:30 on the other (which is closer to y

Re: Syncrepl losing connection

2017-03-02 Thread Nick Milas
On 2/3/2017 12:17 AM, Quanah Gibson-Mount wrote: Have you tried setting the "keepalive" parameter in your syncrepl configs? Thank you Quanah, I just added (to syncrepl config): keepalive=20:100:2 Any suggestions on the selected values? What are the default ones? (I haven't found them i

Syncrepl losing connection

2017-02-28 Thread Nick Milas
Hello, I have recently installed two syncrepl consumers using 2.4.44 on CentOS 7 using LTB rpm packages. I am almost daily facing issues with consumers losing connection to the master. I always have to restart the consumer in order to re-establish connection. Note 1: These two consumers ha

Re: Script for mass updates

2017-02-02 Thread Nick Milas
On 2/2/2017 8:11 AM, Jephte Clain wrote: just a little follow-up: - this is quick and dirty. it assumes cn is monovalued which may not be true in your DIT - I assume you just wanted a quick script for a oneshot. if you want a script that you can regularly run to "fix" your database, you shoul

Script for mass updates

2017-02-01 Thread Nick Milas
Hello, Does anyone have a ready-made script (e.g. bash) that would do the following: Loop on all entries in the ou=people branch where ou <> "system" { If attribute DisplayName does not exist{ Set DisplayName to the value of attribute cn } } I could do it with a bit of work, but i

Re: looking for a graphic tool for openldap

2016-03-20 Thread Nick Milas
On 20/3/2016 3:55 PM, Michael Ströder wrote: Language sub-types (RFC 3866) are tricky to handle in a schema-aware LDAP client. For which attributes are you using this? We are using language tags (lang-el-gr, lang-en-us) for: cn, o, ou, title, sn phpLDAPadmin handles them well up to v1.1

Re: looking for a graphic tool for openldap

2016-03-20 Thread Nick Milas
On 19/3/2016 1:44 AM, Uwe Werler wrote: http://pegacat.com/jxplorer/ +1 Lightweight, reliable and powerful. Handles well both cn=config and DIT. The developer is very helpful too. phpLDAPadmin is also fine (as a web-based GUI), but practically not maintained any more since many years.

Re: Is Openldap a Authorization or Authentication system?

2015-08-10 Thread Nick Milas
On 10/8/2015 2:16 PM, Kaushal Shriyan wrote: I am not sure if I understand the difference between Authorization and Authentication. Does Openldap support both or it supports or configured as Authorization or Authentication server? I will appreciate if somebody can help me understand with some

Re: adding a custom attribute

2014-12-02 Thread Nick Milas
On 2/12/2014 11:12 PM, Igor Shmukler wrote: Do I create a new schema file for my new attribute as in ${new_attribute}.schema and another for the new object using this new attribute? See also: http://www.openldap.org/devel/admin/schema.html We have done it in this way: Got a registered OID fro

Re: OpenLDAP incroyable!

2014-11-30 Thread Nick Milas
On 30/11/2014 5:30 PM, brendan kearney wrote: I have fallen in love with phpLdapAdmin. We are using phpLDAPAdmin on a daily basis as well, but not for cn=config (only for the DIT). Unfortunately, phpLDAPAdmin has a very slow development process, if it has not stalled completely; last relea

Re: OpenLDAP incroyable!

2014-11-30 Thread Nick Milas
On 30/11/2014 7:55 AM, Da Rock wrote: Sorry to butt in, but the apache studio works with openldap too? I was under the impression it was just for ApacheDS. If it works with openldap I might give it a shot as it has been rather sticky with the other tools I've tried. ApacheDS works, but I ha

Re: Antw: Cannot add to mdb

2014-11-26 Thread Nick Milas
On 26/11/2014 11:41 AM, Da Rock wrote: How would I get a core dump, as well? That sounds like it might be more useful. See for example: http://www.openldap.org/lists/openldap-technical/20/msg00243.html Nick

Re: what happened to the openldap toolbox project?

2014-08-15 Thread Nick Milas
On 15/8/2014 1:20 PM, Miroslaw Baran wrote: Dear all, I don't want to sound too alarmistic, but it seems that the LTB project has disappeared from the 'net sometime this week. Would you happen to know what happened, what's going on (and perhaps if some help with the infrastructure is needed)?

Re: Create Distribution List

2014-08-12 Thread Nick Milas
On 12/8/2014 12:23 PM, Jerry wrote: I will have to give that a try I suppose. It is a shame that there is not a "native" way of accomplishing the creation of a distribution list like the MS Outlook address book affords. Actually, many MUAs such as claws-mail have this feature embedded into their

Re: Converting from slapd.d back to slapd.conf

2014-03-28 Thread Nick Milas
On 28/3/2014 3:59 PM, Christian Kratzer wrote: Ordering is already implemented. Thanks Christian for your feedback, but, as of v2.4.39 (which I am running), I can't confirm correct ACL ordering. As explained in the thread I provided, ordering (of ACL rule numbers) is string-based and not nu

Re: Converting from slapd.d back to slapd.conf

2014-03-28 Thread Nick Milas
On 28/3/2014 1:25 PM, Christian Kratzer wrote: I consider cn=config superior once you get your head wrapped around it. On 28/3/2014 12:53 PM, Simone Piccardi wrote: - I can put comments on it Christian, Please allow me to intervene in the thread to say that your comments are very valid,

Changing cert paths may cause openldap to stop

2014-03-27 Thread Nick Milas
Hi, On 2.4.39 (CentOS 5.10 x86_64), I found that if I attempt to change certificate values but there is an error in a path, openldap stops. I would expect this should be avoided. Openldap should reject the modification and not stop. Running the modification below, it hangs; we press Ctrl-C

Re: two entries, the same attribute

2014-03-15 Thread Nick Milas
On 13/3/2014 11:58 PM, Nick Milas wrote: On 13/3/2014 9:42 PM, Friedrich Locke wrote: i am planning to use openldap to build my email infrastructure. What happens is two users (two entries) hold the same email address ? ... Since you are now starting this design, you may want to read

Re: Planning migration to mdb

2014-03-14 Thread Nick Milas
On 14/3/2014 3:08 PM, Howard Chu wrote: Read the schema definition of the olcHdbConfig objectclass, and compare it to the definition of the olcMdbConfig objectclass. Delete anything that isn't present in the olcMdbConfig objectclass. The schema has everything you need to know. Use it. Than

Planning migration to mdb

2014-03-14 Thread Nick Milas
Hi, We have a running openldap installation (2.4.39) - a single master - with cn=config and hdb backend. So, config has the branches: I know we must slapcat our data and slapadd it in mdb afterwards. The question is: what changes should be done in the config DIT (and how) so that the config

Re: two entries, the same attribute

2014-03-13 Thread Nick Milas
On 13/3/2014 9:42 PM, Friedrich Locke wrote: i am planning to use openldap to build my email infrastructure. What happens is two users (two entries) hold the same email address ? In our setup all users have unique mail addresses / mailboxes. In such cases, we create a dummy user (we call it

Re: ldapsearch limit of 500 entries

2013-12-14 Thread Nick Milas
On 14/12/2013 1:05 PM, Michael Ströder wrote: AFAICT slapd.conf will at least be available in all OpenLDAP releases 2.4.x. Maybe even in 2.5 if I understood Howard correctly at LDAPcon 2013. There *are* very good reasons to use slapd.conf - especially when beginning to develop your slapd config

Re: OpenLDAP 2.4.36 slapd crash with "assertion failed" message

2013-08-29 Thread Nick Milas
On 29/8/2013 12:42 PM, "POISSON Frédéric" wrote: The server shutdown when i add this entry and with slapd option "-d 255" i have : slapd: result.c:813: slap_send_ldap_result: Assertion `!((rs->sr_err)<0)' failed. /etc/init.d/slapd: line 285: 5461 Aborted $SLAPD_BIN -h "$SLAPD_SERVICES" $SLAPD_

Re: OpenLDAP 2.4.36 available

2013-08-22 Thread Nick Milas
On 21/8/2013 9:40 PM, Quanah Gibson-Mount wrote: You mean ? Exactly! I think it is important to include the notice in the change log: http://www.openldap.org/software/release/changes.html ! These announcements are not re

Re: OpenLDAP 2.4.36 available

2013-08-21 Thread Nick Milas
On 21/8/2013 4:33 PM, Howard Chu wrote: slapd prints a message to this effect if it is needed. Hmm. That would probably be too late... The administrator should know beforehand to plan upgrade(s). Is there a way to know beforehand? Thanks, Nick

Re: OpenLDAP 2.4.36 available

2013-08-21 Thread Nick Milas
On 21/8/2013 11:48 AM, Clément OUDOT wrote: LTB project RPMs for OpenLDAP 2.4.36 are available: http://tools.ltb-project.org/news/40 I also created a yum repository to ease the installation: http://ltb-project.org/wiki/documentation/openldap-rpm#yum_repository Thanks Clement for your effo

Re: attribute to store system mailbox value

2013-08-19 Thread Nick Milas
On 19/8/2013 6:20 PM, Zeus Panchenko wrote: may somebody to recommend the attribute to store path to system mailbox, among attributes of schema files shipped with openldap, "system mailbox" is the path to mbox format file or maildir directory where MDA (depends on MDA configuration) stores rece

Re: How to correct delete objects from cn=config?

2013-08-19 Thread Nick Milas
On 19/8/2013 3:23 PM, Ingo wrote: To modify the cn=config DIT you'll have to modify the files under /etc/ldap/slapd.d/cn=config where your config is stored. NO. do NOT do this, Why? Directly manipulating cn=config files will result in a CRC Error and will render your configuration usel

MAC and Network Asset Inventory on LDAP

2013-08-12 Thread Nick Milas
Hello, We are planning on using FreeRadius for MAC-auth based on MAC addresses (to be) stored on our OpenLDAP (in parallel to 802.1x using our ldap-stored users). With that opportunity we would be aiming at starting a comprehensive network asset inventory. So, I would like to ask people to s

Re: Reduce the influence of ldap server trouble

2013-04-26 Thread Nick Milas
On 26/4/2013 12:50 PM, Yuki Takase wrote: When I can't use a ldap server because of hardware or network trouble, I want to reduce the influence of ldap client. I changed the following configuration of ldap.conf. You can setup your software to try a number of ldap servers in turn (I guess it i

Re: How to improve performance with MDB backend?

2013-04-19 Thread Nick Milas
On 18/4/2013 6:16 PM, Quanah Gibson-Mount wrote: For me, MDB writes are a minimum of 65 times faster than writes with BDB/HDB, even when BDB/HDB use an SHM key. Can you please share your compilation options (or spec file, if applicable) and test setup complete configuration so interested peo

Re: How to improve performance with MDB backend?

2013-04-19 Thread Nick Milas
On 19/4/2013 2:00 PM, Chris Card wrote: I tried reducing the maxsize, but it made no difference to the performance. So I'm still at the point where writes to BDB are roughly 4 times faster than writes to MDB. Any more suggestions? Could it be possibly related to the OS / filesystem used? Plea

Re: How to use LDAP to get user information from MySql database?

2013-04-04 Thread Nick Milas
On 4/4/2013 1:57 PM, Benin Technologies wrote: you have to use back-sql I guess you could also use http://lsc-project.org/wiki/ for an indirect interaction. Nick

Re: Crash with syncrepl refreshAndPersist and database ldap

2013-03-20 Thread Nick Milas
On 20/3/2013 10:51 AM, Raffael Sahli wrote: So what could that be? Maybe a config problem or a bug? Please post configs, OS details, BDB details, pertinent log entries, and full backtrace of the crashed process. Nick

Re: OpenLDAP slave-master synchronization problem

2013-03-01 Thread Nick Milas
On 1/3/2013 5:00 AM, Tian Zhiying wrote: > I using "openldap-2.3.43" version now. It has not been supported ? > What to go upgrade? In the beginning, I use "yum" method to install . Read: http://www.mail-archive.com/openldap-technical@openldap.org/msg11414.html http://www.openldap.org/lists/openl

Re: does openldap/hdb support transactions ?

2013-02-17 Thread Nick Milas
On 17/2/2013 12:27 PM, Benin Technologies wrote: does OpenLDAP support transactions ? No, it does not. I see this is scheduled for v2.5 (see: http://www.openldap.org/software/roadmap.html) and it is unknown when v2.5 will be published. I don't even know if there is already any work in prog

Re: Problem with too many concurrent LDAP requests (Postfix+LDAP)

2013-02-09 Thread Nick Milas
On 9/2/2013 9:11 PM, Denis BUCHER (lists) wrote: * I don't even know if I'm using proxy:ldap ? My postfix config is : o virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf o virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf o virtual_mailbox_maps = ldap:/etc/post

Re: Problem with too many concurrent LDAP requests (Postfix+LDAP)

2013-01-18 Thread Nick Milas
On 18/1/2013 12:07 PM, Denis BUCHER (lists) wrote: It looks like slapd server is overwhelmed with too many requests at the same time, which makes postfix getting timeouts. On the postfix side hopefully it's only a "temporary lookup failure" but I want to correct that problem. I would sugges

Re: setting rootpw for cn=monitor

2013-01-11 Thread Nick Milas
On 11/1/2013 11:58 AM, Chris Card wrote: where can I download a tar.gz file for RE24? Simply take a snapshot from here: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=shortlog;h=refs/heads/OPENLDAP_REL_ENG_2_4 This is a direct link for the snapshot: http://www.openldap.org/devel

Re: LDAP tool box

2012-12-03 Thread Nick Milas
On 14/11/2012 11:24 PM, Jignesh Patel wrote: Ok I just subscribed to the group. Now I have bunch of questions. * How is LDAP tool box project different then openLDAP? * Does this project supports HDB(not BDB) database? * Does LTB has any utility like http://phpldapadmin.sourceforge.ne

Re: Problem converting slapd.conf to cn=config format

2012-10-04 Thread Nick Milas
On 4/10/2012 1:18 AM, Patrick Lists wrote: Seems the Fedora one carries a ton of patches while the ltb one is vanilla. Out of curiosity, coz I am using LTB OpenLDAP RPMs on many CentOS 5/6 machines: What kind of patches are available in Fedora builds which are not available in LTB? LTB, as

Re: Openldap overloading

2012-09-28 Thread Nick Milas
On 28/9/2012 5:14 PM, Howard Chu wrote: But still, I see no cachesize configuration in it. That might help. Hmm, I guess you mean (in DB_CONFIG): set_cachesize 0 262144000 (I figured out that 25 MB would be fine in our case.) I should also probably add (coz it's missing) i

Re: Openldap overloading

2012-09-28 Thread Nick Milas
On 28/9/2012 5:08 PM, Clément OUDOT wrote: try to set sortvals parameter like this: sortvals uniqueMember Thank you for the suggestion. Does this apply to dynamic list attributes too? For example, in: dn: cn=allstaff,ou=Aliases,dc=example,dc=com cn: allstaff objectClass: nisMailAlias obje

Openldap overloading

2012-09-28 Thread Nick Milas
Hi, I am running a v2.4.31 consumer on CentOS 5.8 to serve user accounts (and aliases) on a Postfix mail server running locally. It has been running for a long time without problems. Today, after a user sent (on 14:53:39) a mass mail (through a group alias, implemented using ldap dynlist), P

Re: Glueing together backend databases - meta, glue or chain?

2012-07-18 Thread Nick Milas
On 18/7/2012 6:47 PM, Francois Gnu wrote: Can you put the link of the Howard's post, please? I believe he meant this post: http://www.openldap.org/lists/openldap-technical/201004/msg00035.html which was referred-to recently in this thread: http://www.openldap.org/lists/openldap-technical/2

Re: syncrepl and attribute order

2012-07-18 Thread Nick Milas
On 17/7/2012 9:04 PM, Evgeniy Kosov wrote: The issue I'm facing as stated above is regarding the syncrepl and attribute order. What version of Openldap are you using on provider and consumers? What backends are you using? Which versions thereof? Nick

Re: Cannot remove LDAP entry ...

2012-07-03 Thread Nick Milas
On 3/7/2012 6:00 PM, Frank Bonnet wrote: I have a problem removing ONE ( and only ONE !!! ) entry in my directory server Is the db correctly indexed? Or may the db be corrupt? I would use "slapd_db_recover" (if needed) and "slapindex"; Then try again. Good luck, Nick

Re: Replication and acl: moddn operation problem.

2012-06-20 Thread Nick Milas
On 20/6/2012 3:10 PM, Konstantin Menshikov wrote: Please, show your replication setup at which it works correctly. OK, here is an example test setup: DN: ou=TestBranch1,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: TestBranch1 DN: dc=hostx,ou=TestBranch1,dc=example,

Re: OLC Configuration on RHEL6

2012-06-11 Thread Nick Milas
On 11/6/2012 8:59 PM, Quanah Gibson-Mount wrote: Most ldap browsers also do not understand cn=config. Apache Directory Studio would be an exception. JXplorer works fine! Nick

Re: Syncrepl replication does not work always

2012-06-07 Thread Nick Milas
On 7/6/2012 6:08 PM, Efstathios Xagoraris wrote: I have a working OpenLDAP setup ( 2.3.43 - Centos 5.8 RPM ) with a Master LDAP and consumers worldwide across datacenters. I also monitor if directories from Consumers are in Sync with the master. Consumers sometimes fail to communicate with maste

Re: attrs=@objectClassName affects objectClass attribute

2012-06-06 Thread Nick Milas
On 6/6/2012 9:03 PM, Quanah Gibson-Mount wrote: Discussed with Howard. That is how the standard track RFCs define those objectClasses, but in general, you don't want to do this with your custom AUX objectClasses. Really the RFC defined oc's should be fixed via another RFC, but fat chance of th

Re: attrs=@objectClassName affects objectClass attribute

2012-06-06 Thread Nick Milas
On 6/6/2012 6:36 PM, Howard Chu wrote: Don't inherit from top. In my case, removing top ObjectClass from an entry does not change behavior. Here is the entry, after removing top: DN: uid=tester,ou=people,dc=example,dc=com objectClass: person objectClass: organizationalPerson objectClass: ine

attrs=@objectClassName affects objectClass attribute

2012-06-06 Thread Nick Milas
I am facing the following problem (with v2.4.31 on CentOS 5.8). I am using a - recently added - custom schema with one AUX objectclass and 3 optional attrs; I am trying to use an ACL of the form: access to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities by group/groupO

Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)

2012-06-06 Thread Nick Milas
On 6/6/2012 2:19 PM, Howard Chu wrote: Obscure? Are those ACL statements in slapd.conf or aren't they? Do backslashes in slapd.conf need to be escaped or don't they? It's not like it says "backslashes must escaped except on alternate Tuesdays." Thanks for the humor. [ I guess I had success w

Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)

2012-06-06 Thread Nick Milas
On 5/6/2012 9:58 PM, Howard Chu wrote: What you've posted is expected behavior. The single backslashes were parsed by the slapd.conf parser. To actually get them into the regex you need to escape those backslashes as well. This is already documented in slapd.conf(5) and in the Admin Guide.

Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission 2)

2012-06-05 Thread Nick Milas
On 5/6/2012 5:51 PM, Nick Milas wrote: becomes: olcAccess: {xx}to dn.regex="^dc=\b\d{1,3}\.\d{1,3}\.\d{1,3}\b\.in-addr\.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames In the end, I might manage to send the *actual* converted regex :( : access to dn.regex="^d

Re: slaptest conversion of acl regex'es drops backslashes (correct resubmission)

2012-06-05 Thread Nick Milas
On 5/6/2012 5:51 PM, Nick Milas wrote: becomes: olcAccess: {xx}to dn.regex="^dc=\b\d{1,3}\.\d{1,3}\.\d{1,3}\b\.in-addr\.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames Sorry, I copied the wrong string. I re-send: For example: access to dn.regex="^dc=\b\d{1,

slaptest conversion of acl regex's drops backslashes

2012-06-05 Thread Nick Milas
Hi, I used slaptest to convert a set of ACLs from standard to dynamic format using slaptest. I noticed that backslashes (used to escape characters) in regexes are silently dropped after conversion. For example: access to dn.regex="^dc=\b\d{1,3}\.\d{1,3}\.\d{1,3}\b\.in-addr\.arpa,ou=dns,d

Re: ACL control with break

2012-06-04 Thread Nick Milas
On 27/5/2012 10:25 PM, Nick Milas wrote: For example, you could set up an ACL with a filter clause and answer your own question about whether that affects the attrs matched. OK, I'll do it. I owe an answer on this; I have done the required research and found that if we use an ACL o

Re: Syncrepl partial replication based on attribute problem

2012-06-02 Thread Nick Milas
On 2/6/2012 11:18 AM, Nick Milas wrote: In other words, syncprov does not produce messages based on the differences between the results of standard ldapsearch'es? And if it does not, shouldn't it? My tests (with v2.4.31 on both provider and consumer) show that syncrepl (refresh

Re: Syncrepl partial replication based on attribute problem

2012-06-02 Thread Nick Milas
On 1/6/2012 4:38 AM, Howard Chu wrote: Visibility changes due to ACL rules are not detected. syncprov only checks an entry against the search parameters of the original sync search operation, i.e., the base, scope, and filter. If an entry matches these params before the modification, and no lo

Re: Replication and acl: moddn operation problem.

2012-06-01 Thread Nick Milas
On 25/5/2012 4:56 PM, Konstantin Menshikov wrote: When i move object in forbidden by ACL subtree, then no information about this modification goes to the replica server I don't know if you have followed a recent thread, but according to Howard Chu: (quote) "Visibility changes due to ACL ru

Re: Syncrepl partial replication based on attribute problem

2012-06-01 Thread Nick Milas
On 1/6/2012 8:54 AM, Jeffrey Crawford wrote: Are you saying that syncprov looks at the account that is bound and sends deletes if a record would become invisible after a modification? I understand the opposite: syncprov will only send add/delete message based on base/scope/filter and not on A

Re: Very quick pointer

2012-05-30 Thread Nick Milas
On 29/5/2012 7:42 PM, Michael Ströder wrote: There's a SLAPI plugin for 389 DS which supports MIT Kerberos. A C programmer might be able to adapt this as an OpenLDAP overlay (similar to OpenLDAP's slapo-smbk5pwd). Sorry, couldn't one use the SLAPI plugin as is in OpenLDAP, since SLAPI support

Re: Replication and acl: moddn operation problem.

2012-05-29 Thread Nick Milas
On 29/5/2012 9:01 AM, Konstantin Menshikov wrote: somebody? anybody? I would say: if you can use test servers with 2.4.31 and BDB >= 4.6.21, then you could try to reproduce by doing some experiments (moving to branch visible by consumer binddn, moving to branch not visible by consumer) and

Re: ACL control with break

2012-05-27 Thread Nick Milas
On 27/5/2012 6:33 AM, Philip Guenther wrote: @extensibleObject covers *EVERYTHING*, including the pseudo-attrs entry and children. Then, the first example at: http://www.openldap.org/faq/data/cache/1140.html is a bit deceptive, or it just aims in emphasizing the entry pseudo-attr, by specifyi

Re: ACL control with break

2012-05-26 Thread Nick Milas
On 25/5/2012 6:59 PM, Nick Milas wrote: You mean that if we use a statement without an "attrs=" clause, then it affects children and entry pseudo-attributes as well? And what if there is a filter specified too (still without an "attrs=" clause)? From some researc

Re: question on syncprov

2012-05-25 Thread Nick Milas
On 25/5/2012 10:20 PM, Steve Reveliotty wrote: I'm hoping I just missed something in the configuration, and that 2.4.23-20.el6.x86_6 (which looks to be the latest in RedHat's repo), will work, rather than build 2.4.31 from source. We use Puppet to manage as much as possible, and while we do h

Re: question on syncprov

2012-05-25 Thread Nick Milas
On 25/5/2012 9:15 PM, Steve Reveliotty wrote: I'm trying to migrate from OpenLDAP 2.3.43-12.el5_6.7 to OpenLDAP 2.4.23-20.el6.x86_6. Can't tell you about the specific issue, but, as has been discussed numerous times in this list, avoid using the distro-provided RPMs, esp. if you are using re

Re: ACL control with break

2012-05-25 Thread Nick Milas
On 25/5/2012 6:44 PM, Philip Guenther wrote: Because that's a popular style of ACL processing logic to use for those attributes. As you note, this is done in "most cases", i.e., not all, so obviously there is nothing in the software that requires it. I'm not sure why the ACLs for entry and childr

Re: Replication and acl: moddn operation problem.

2012-05-25 Thread Nick Milas
On 25/5/2012 4:56 PM, Konstantin Menshikov wrote: I have replication setup . What version of OpenLDAP are you running on the provider and on the consumer? Nick

Re: ACL control with break

2012-05-25 Thread Nick Milas
On 25/5/2012 2:37 PM, Andrew Findlay wrote: No. From slapd.access(5): Access control checking stops at the first match of the and clause, unless otherwise dictated by the clause. In the example above, the first access statement does not have a clause for dn.exac

Re: ACL control with break

2012-05-25 Thread Nick Milas
On 25/5/2012 2:37 PM, Andrew Findlay wrote: In the example above, the first access statement does not have a clause for dn.exact="cn=The Update DN,dc=example,dc=com" so it uses the default, which is 'stop'. Fine. Thank you Andrew, I see. Control clauses are on a per--clause basis. Note t

ACL control with break

2012-05-25 Thread Nick Milas
At slapd.access we read (about the control keywords): One useful application is to easily grant write privileges to an updatedn that is different from the rootdn. In this case, since the updatedn needs write access to (almost) all data, one can use access to * by dn.exact

dn.exact vs dn.base

2012-05-24 Thread Nick Milas
I was wondering whether there is any difference between dn.exact and dn.base constructs. For example, theoretically (according to the documentation) we can use either: access to dn.base="ou=system,dc=example,dc=com" by dn.exact="uid=userx,ou=people,dc=example,dc=com" write or: access to

Re: Monitoring 2.3.43?

2012-05-24 Thread Nick Milas
On 24/5/2012 12:13 PM, Turbo Fredriksson wrote: But in the meantime, is there any way to know/figure out if the master and its slave(s) are in sync? This was discussed only yesterday! Supposing you are replicating the full DIT: slapcat both ends, use the ldifsort utility to sort the output

Re: Migrating from slapd 2.3 to 2.4

2012-05-23 Thread Nick Milas
On 23/5/2012 10:38 PM, harry.j...@arcor.de wrote: so the final search is: ldapsearch -xMMLLL 'cn=111' '*' structuralObjectClass entryUUID creatorsName createTimestamp entryCSN modifiersName modifyTimestamp 2>/dev/null The used switches MM and LLL are important. So now we have a way to partia

Re: checking replica dbs for consistency

2012-05-23 Thread Nick Milas
On 23/5/2012 5:51 PM, Charles T. Brooks wrote: > but I managed to read !! Charles, Thank you for your thoughts. I agree with you. There can/should be a number of consumers fully replicating the DIT so that they can be promoted to masters whenever needed. However, we do have and want so

Re: Migrating from slapd 2.3 to 2.4

2012-05-23 Thread Nick Milas
On 23/5/2012 5:35 PM, Howard Chu wrote: RTFM. slapcat(8) can be told to dump only a portion of the database, if desired. I know we can specify filters. However there is a huge difference between specifying a filter and replicating based on ACLs (see below more on this). Possibly. There ar

Re: checking replica dbs for consistency

2012-05-23 Thread Nick Milas
On 23/5/2012 4:39 PM, Charles T. Brooks wrote: I use slapcat to dump the databases to LDIF files, sort to normalize the ordering, and diff to check for differences. Thank you,

Re: Migrating from slapd 2.3 to 2.4

2012-05-23 Thread Nick Milas
On 23/5/2012 6:11 AM, Quanah Gibson-Mount wrote: I would generally expect a replica to export the database in the same order as the master. But in general, yes, you compare the LDIF generated by the master and the replica. If the replica is out of order in relation to the master, you can use

Re: Migrating from slapd 2.3 to 2.4

2012-05-22 Thread Nick Milas
On 22/5/2012 7:48 PM, Quanah Gibson-Mount wrote: man slapcat Thank you Quanah, You mean slapcat both ends and diff the two ldif files? I am afraid I don't understand. If so, are the two output files expected to have exported entries in the same sequence? Can you please be more detailed?

Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries

2012-05-22 Thread Nick Milas
On 19/3/2012 8:57 PM, Quanah Gibson-Mount wrote: Part 2: Deleting entries in cn=config Quanah Gibson-Mount has said entry deletes are coming in 2.5, is that still the plan? The Roadmap page isn't specific. You can optionally enable this at build time in OpenLDAP 2.4.30 for testing. As it is

Re: Migrating from slapd 2.3 to 2.4

2012-05-22 Thread Nick Milas
On 21/5/2012 11:39 PM, Quanah Gibson-Mount wrote: Then you have either been extremely lucky, or you aren't doing routine comparisons of the validity of your replicated data By the way, is there a tool or a suggested way to do routine comparisons of the validity of replicated data (using syncr

Re: Fwd: Root cause: Strange OpenLdap performace issue

2012-05-22 Thread Nick Milas
On 22/5/2012 11:43 AM, Michele Mase' wrote: Tx again 4 the support. The links are Good, it's a good start point. (I've built tons of packages from early 1999, I don't have any time to follow directly the building/testing stage of ldap cause of lack of time, I'll ask my boss to find somebody el

Re: Fwd: Root cause: Strange OpenLdap performace issue

2012-05-22 Thread Nick Milas
On 22/5/2012 10:23 AM, Michele Mase' wrote: Sorry, I didn't understand. Which should be better compile/build options? Michele MAsè From experience, I recommend using ready-made RPMs (or building from SRPMs) rather than building from source. This way you can upgrade at will and fully control

Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries

2012-05-22 Thread Nick Milas
On 19/5/2012 6:56 PM, Nick Milas wrote: Additionally, we are always waiting for the implementation of one (or, even better, multiple) olcAccess comments per olcAccess value (numbered identically as olcAccess values, so they can always be synced/coupled with them), i.e.: olcAccess

Re: Migrating from slapd 2.3 to 2.4

2012-05-21 Thread Nick Milas
On 21/5/2012 7:44 PM, Nick Milas wrote: Are you sure? Mine were migrated fine. They lie in the {0}config (i.e. in the config root) branch. Sorry, they lie in the config branch, not in the {0}config branch. Here is my config root branch: DN: cn=config objectClass: olcGlobal cn: config

Re: Migrating from slapd 2.3 to 2.4

2012-05-21 Thread Nick Milas
On 21/5/2012 5:11 PM, Bobby Krupczak wrote: I then got slapd to run with olc. However, none of my TLS settings transferred to the olc config. Are you sure? Mine were migrated fine. They lie in the {0}config (i.e. in the config root) branch. Nick

Re: Migrating from slapd 2.3 to 2.4

2012-05-21 Thread Nick Milas
On 20/5/2012 8:31 PM, Bobby Krupczak wrote: Is this an appropriate approach that will work? Am I missing something? slapcat the old dit. slapadd later in the new (correctly configured) ldap server, before starting it (no need to use an ldap browser to import data). I saw via google whe

Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries

2012-05-19 Thread Nick Milas
On 19/5/2012 5:35 PM, Michael Ströder wrote: I think now it's the time to start looking at LDIF processing module in your favourite scripting language. I cannot imagine any other sane way. I guess you are right. In any case, I prefer to have the primitive data (I mean olcAccess attr values) i
