
Re: Ldap ppolicy schema entries

On Tuesday 12 February 2008 11:47:46 Aravind Arjunan wrote:

(it is really inconvenient replying to this mail, because you wrote it in 
HTML format, and Outlook's text version when you write in HTML contains extra 
line breaks ...).

> * Am still facing issue while configuring ldap in master slave for
> replication.
> am using openldap 2.2 version.

I would upgrade to 2.3 ...

> OS: RHEL 4.0

You may want to consider:

> And am trying to configure master slave replication thro slurpd method.
> i had configured my master slapd.conf and slave slave slapd.conf.
> similarly i configured master and slave ldap.conf.
> After that i stopped the service in master and slave by

If you are using the bdb backend (which you are), there is no need to stop 
slapd to run slapcat.

> [root@server ~]# service ldap stop
> Stopping slapd: [ OK ]
> Stopping slurpd: [ OK ]
> [root@server ~]#
> similarly in slave also.
> then i copied the database manually using slapcat
> [root@server openldap]# slapcat -b "dc=example,dc=com" -v -l
> example.com.ldif
> # id=00000001
> # id=00000003
> [root@server openldap]# scp example.com.ldif root@
> :/var/lib/ldap/example.com/
> root@'s password:
> example.com.ldif 100% 747 0.7KB/s 00:00
> [root@server openldap]#
> In slave :
> [root@slave openldap]# slapadd -b "dc=example,dc=com" -v -l
> example.com.ldif
> added: "dc=example,dc=com" (00000001)
> added: "cn=Manager,dc=example,dc=com" (00000002)
> [root@slave openldap]#
> but when i create a user in ldapmaster and check that user in slave,i was
> not able to found.
> there was no log in replogfile.
> [root@server ~]# useradd test
> [root@server ~]# passwd test
> Changing password for user test.
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updated successfully.

I don't know what you are testing here, but the useradd command typically (and 
specifically on RHEL4) doesn't create users anywhere but in local files. The 
luseradd tool (from libuser) can create users in LDAP, but smbldap-tools (and 
other similar tools) have useradd-compatible commands that do (and support 
samba-related attributes etc.).

You should maybe use an ldap utility (e.g. ldapadd, ldapmodify) to generate 
changes which you test for replication.

> master slapd.conf

> replica uri=ldap://=
> suffix="dc=example,dc=com"
> binddn="cn=syncuser,dc=example,dc=com"
> bindmethod=simple credentials=hcllch

This should all be one statement, either on one line, or multiple lines, where 
all but the first have leading spaces as line continuations. Since you didn't 
compose in plain text, I am not sure if this is a problem in your 
configuration file, or with your copy/paste ...

I haven't looked at the rest of your slapd.conf files in detail, but besides 
this, they look mostly ok for now.

> Master ldap.conf

Which ldap.conf ? /etc/ldap.conf, or /etc/openldap/ldap.conf ? It looks like a 
mix of the two.

> # LDAP Defaults
> #
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> #DEREF never
> host
> base dc=example,dc=com
> binddn cn=Manager,dc=example,dc=com
> bindpw password
> bind_policy soft
> pam_password expo

These last 4 are specific to nss_ldap/pam_ldap, and as such belong 
in /etc/ldap.conf, not /etc/openldap/ldap.conf. I would avoid using your 
rootdn in a clear-text config file. You should use a proxy user with limited 
access (it just needs to be able to search for a user and retrieve specific 
attributes, which in most cases you would allow all authenticated users to 
access anyway).
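Two of the points above (the replica statement that must be one directive with whitespace-led continuation lines, and the rootdn appearing as binddn in a clear-text nss_ldap/pam_ldap config) can be checked mechanically. The following is an added example written for this reply; it is not code from the original mail, from OpenLDAP, or from the poster. The host name and the password in the sample files are constructed, and the rootdn value is assumed to be the cn=Manager DN that appears in the quoted ldap.conf.

```python
"""Continuation-aware check of a slapd.conf replica statement and of the
binddn used in a pam_ldap/nss_ldap-style /etc/ldap.conf (added example).

slapd.conf(5) treats a line that starts with whitespace as a continuation of
the previous directive. A replica statement whose suffix=, binddn= or
credentials= parts begin in column 1 is parsed as several unrelated
directives, so the replica is incomplete and nothing is replicated.
"""

# Assumed rootdn, taken from the binddn in the quoted ldap.conf.
ROOTDN = "cn=Manager,dc=example,dc=com"

# Constructed sample: replica block with the keyword=value parts starting in
# column 1 (i.e. NOT continuation lines). Host and password are placeholders.
BROKEN_SLAPD_CONF = """\
replica uri=ldap://slave.example.com
suffix="dc=example,dc=com"
binddn="cn=syncuser,dc=example,dc=com"
bindmethod=simple credentials=secret
"""

# Constructed sample: the same statement with indented continuation lines.
FIXED_SLAPD_CONF = """\
replica uri=ldap://slave.example.com
        suffix="dc=example,dc=com"
        binddn="cn=syncuser,dc=example,dc=com"
        bindmethod=simple credentials=secret
"""

# Constructed sample of a pam_ldap/nss_ldap /etc/ldap.conf that binds as rootdn.
BAD_LDAP_CONF = """\
host ldap.example.com
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw password
bind_policy soft
pam_password exop
"""

REPLICA_KEYS = ("uri", "suffix", "binddn", "bindmethod", "credentials")


def parse_slapd_conf(text):
    """Return a list of (directive, argument_string) tuples, joining
    whitespace-led continuation lines onto the preceding directive the way
    slapd does. Blank lines and '#' comment lines are skipped."""
    statements = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and statements:
            directive, args = statements[-1]
            statements[-1] = (directive, (args + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        statements.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return statements


def check_replica(text):
    """Return a list of problems with the replica statement(s) in text."""
    problems = []
    stmts = parse_slapd_conf(text)
    replicas = [args for d, args in stmts if d == "replica"]
    if not replicas:
        problems.append("no replica directive found")
    for args in replicas:
        present = {tok.split("=", 1)[0] for tok in args.split()}
        for key in REPLICA_KEYS:
            if key not in present:
                problems.append("replica statement lacks %s=" % key)
    # A 'directive' such as suffix="dc=example,dc=com" is really a replica
    # fragment that lost its leading whitespace.
    for d, _args in stmts:
        if d != "replica" and d.startswith(tuple(k + "=" for k in REPLICA_KEYS)):
            problems.append("stray replica fragment parsed as directive: " + d)
    return problems


def normalize_dn(dn):
    """Crude DN comparison: case-insensitive, spaces after commas ignored."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def ldap_conf_binds_as_rootdn(text, rootdn):
    """True if the client-side ldap.conf uses the directory rootdn as binddn,
    i.e. the rootdn password sits in a clear-text file on every client."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "binddn":
            return normalize_dn(parts[1]) == normalize_dn(rootdn)
    return False


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SLAPD_CONF), ("fixed", FIXED_SLAPD_CONF)):
        print(name, check_replica(conf) or "ok")
    print("ldap.conf binds as rootdn:", ldap_conf_binds_as_rootdn(BAD_LDAP_CONF, ROOTDN))
```

Run against the broken sample the checker reports the missing suffix=, binddn=, bindmethod= and credentials= parts and the three stray fragments; the indented version parses as a single complete replica statement. The binddn check is the one to run on /etc/ldap.conf before rolling it out to clients: a positive result means the rootdn password is in a world-readable file, which is exactly what a limited proxy user avoids.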