On Wed, Nov 26, 2008 at 12:04 PM, Atom Powers <[EMAIL PROTECTED]> wrote:
> On Wed, Nov 26, 2008 at 8:12 AM, Gilbert Wilson <[EMAIL PROTECTED]>
> wrote:
>>
>> Essentially, what is happening is that user accounts will "disappear"
>> from workgroup manager and dscl[1]. Accounts that have maintained a
>> persistent connection will continue to be authenticated. But, accounts
>> that are not authenticated will be unable to authenticate. The
>> Directory Administrator account, for example, cannot authenticate at
>> these times. If I restart slapd, all the missing accounts that had
>> persistent connections will no longer be able to authenticate.
>
> Sounds like your indexes may be bad, or becoming bad for some reason or
> another.
> Restarting slapd, rebuilding, etc. generally does not rebuild the indexes if
> I recall. Take a look at 'slapindex'.

I did try shutting down slapd and running slapindex, but it's possible
that I screwed it up. I'll look at this in more detail.

>>
>> A restore from backup is the only way to fix it. However, I suspect
>> that there is malformed data lurking somewhere in the OpenLDAP system.
>> The backups all have this malformed data. Thus, it doesn't take very
>> much for the system to get corrupted again. A hard shutdown does it
>> every time, and a minor upgrade to the OS did it, too.
>
> If there is malformed data in your backup, then the import should report
> that in the logs. Unless, perhaps, it is part of an encode64 attribute. And,
> if I recall, Apple's Open Directory uses these quite a bit. (Which is the
> primary reason I don't use OpenDirectory.)

While trolling around in the guts I did notice the base64 encoded
attributes. Highly annoying.

>>
>> Has anyone else had this kind of persistent corruption of their LDAP
>> system? What was causing it? How did you find it?
>
> I've been running OpenLdap for a few years, and the only "persistent
> corruption" I've seen is when the indexes aren't current. This generally
> causes one or more accounts or attributes to "disappear" from the server
> until the indexes are rebuilt. But I've only had this problem after making
> changes to my schema and reloading the server.

This is very helpful. I'll reexamine reindexing again to see if I
overlooked it or did it wrong. It also gives me another term/problem to
research in more detail. If you've had the problem, others have had the
problem, and it sounds like that is the problem I'm having.

Gil
