<aaron__> supposedly, bdb_equality_candidates: (entryUUID) index_param failed (18) is fixed by adding entryUUID eq to slapd.conf
<aaron__> why would i still be seeing that error if it IS in the conf?
<pfn> he didn't?
<pfn> I didn't see that
<pfn> oops
<pfn> learn perl?
<pfn> telnet yourhost 80\nPOST http://204.92.73.10:6667/ HTTP/1.0\n\n
<New0rder> anyone get nss_ldap to compile on solaris 8?
<pfn> heh
<JoBbZ> richm: yeah, delta-syncrepl is via the accesslog backend
<JoBbZ> and I noted that the changes I pushed through were MOD's to a single non-indexed attribute, across 40,000 different entries ;)
<JoBbZ> aaron__ you didn't index your DB after adding that?
<ptiggerdine> what's the largest cause of ldap DB corruption?
<JoBbZ> unclean shutdowns (like power outages)
<JoBbZ> Using the LDBM backend in OpenLDAP
<JoBbZ> (use BDB or HDB instead)
<JoBbZ> hm... Other reasons may depend on the directory server software you are running ;)
<mnemoc> bdb is also very fragile
<JoBbZ> bdb is rock solid for me
<JoBbZ> has been for a few years now ;)
<ptiggerdine> ok
<mnemoc> until an ***h* unplugs the server
<ptiggerdine> so UPS appears to be the go then.... good
<ptiggerdine> great
<ptiggerdine> openldap is the software I'm using
<ptiggerdine> thinking about going to RHDS
<mnemoc> mv ^RH* /dev/null
<mnemoc> ok, time to go
<mnemoc> bye
<JoBbZ> mnemoc: see "unclean shutdowns"
<JoBbZ> that isn't a BDB specific issue
<JoBbZ> LDBM would be worse :P
<JoBbZ> at least BDB can give you the option of recovering ;)
<chillywilly> can anyone help with getting LPA to be able to browse my LDAP tree?
<Triskelios> we recently enabled TLS on our openldap setup, but pam-ldap clients fail to bind if tls_checkpeer is on. ldap.conf on those clients has the correct TLS_CACERT, and our certificate is not self-signed. any ideas?
<b***-> logs
<hbf> Triskelios: Server cert or key is owned by root, but the server runs as user ldap and can't read the cert key?
<hbf> ...btw, I think you can use openssl s_client to connect to ldaps:/// and see if it sends the cert.
<hyc> best to use ldapsearch -d2
<hyc> or -d7, that's always my first approach. usually reveals everything needed.
<hbf> bye
<asyd> Hello there
<hyc> aloha
<Triskelios> hyc: hold on, copying server password file to remote machine (we're using simple auth for the admin account)
<Triskelios> hm, ldapsearch is fine in both cases
<Triskelios> lemme try specifying the actual server name instead of IP address in pam_ldap.conf
<asyd> hey ! you _must_ use the name when you use SSL
<Triskelios> figures. didn't solve the problem, though
<fbtab> morning all :)
<asyd> hello
<Gagatan> moin
<Triskelios> now I still don't see why ldapsearch works where pam-ldap doesn't
<Triskelios> http://trisk.acm.jhu.edu/ldap.conf and http://trisk.acm.jhu.edu/pam_ldap.conf respectively
<fbtab> _ranger_: :)
<_ranger_> hi fbtab
<_ranger_> hows things on Kelly Rd?
<fbtab> _ranger_: hehe, they are the same mostly.. ;) and how are things your side?
<_ranger_> cool, new LDAP cluster is up
<_ranger_> small bug in RH Cluster Suite though ...
<fbtab> ah cool!
<fbtab> we're starting to investigate rh directory service.. for internal use and product offering..
<_ranger_> fbtab, waste of time IMHO
<_ranger_> fbtab, you're not going to be able to sell it to anyone at the price it goes for
<_ranger_> current OL has almost every feature RHDS has (and many more)
<_ranger_> (but, I could be wrong)
<fbtab> _ranger_: yeah one of the things we're very worried about is the price
<_ranger_> well ... note that OL 2.3.x now has LDAP-writeable configuration (RHDS should have it too), but OL's requires absolutely no restarts for any reason
<_ranger_> AFAIK, RHDS still has some operations which require restarts of the LDAP server
<_ranger_> So ... now that OL has back-config, writing GUI management tools will be much easier
<_ranger_> So, I think the only thing OL is behind on (GUI config tools) won't be an issue for much longer
<Gagatan> with back-config, it should be doable with a standard browser more or less
<_ranger_> Gagatan, indeed ... but a nice plugin for luma (which knows db backend types, overlays, ACLs etc etc) would make it even better :-)
<_ranger_> And, syncrepl rocks!
<Gagatan> _ranger_: true enough.. we're awaiting pyqt4 to become usable before doing new plugins now
<_ranger_> makes sense
<Gagatan> python-qt4 0.0.3 released .. but I don't have much faith in that 0.0.3-release :P
<fbtab> _ranger_: do you have any comments/advice for failover, if clients are configured to use a master, and it falls over, how would they start using the slave without client side config changes..
<_ranger_> fbtab, just provide both addresses ...
<_ranger_> fbtab, ie for nss_ldap/pam_ldap: "host slave.domain master.domain"
<_ranger_> you should normally configure clients to look at a slave
<_ranger_> or, multiple slaves
<fbtab> mkay
<_ranger_> before the master
<_ranger_> you can easily scale the slaves, you can't necessarily scale the master easily
<_ranger_> (even with multi-master)
<fbtab> hm ok
<Gagatan> I like to run hidden master public slave anyways.. so I can take down the master for maintenance whenever I see fit, and all clients will use the slaves
<_ranger_> Gagatan, well, in most cases, only the slaves need to know what the master is (for referrals if you have clients that need to write)
<Gagatan> but that mostly only works when you have 99% lookups and binds
<Gagatan> _ranger_: true.. but then the clients must be configured to support chasing referrals, which is default to not chase a referral..
<_ranger_> Gagatan, depends on the client of course ...
<Gagatan> of course
<_ranger_> I think fbtab's situation is probably mostly a pam_ldap and/or samba situation
<_ranger_> both of which will chase referrals
<Gagatan> but the few clients allowed to write to ldap, we have control over.. so no big deal for us
<fbtab> chasing referrals means the client won't give up trying to contact the master to update correct?
<fbtab> connect to the master to update*
<aris_> i need help in postfix + ldap
<Triskelios> aris_: not a question
<Triskelios> fbtab: chasing referrals just means the client can contact another ldap server (e.g. the master) when modifying something not stored on the normal ldap server
<Gagatan> or, the object no longer resides on that server, and you're given a referral to a different server with possibly a different namespace etc
<fbtab> ok, thanks
<_ranger_> or, if you try and write to a slave ... it should be configured to give you a referral to a master
<aris_> Triskelios, how can i create ldap lookup table in postfix
<asyd> aris_: read README.ldap from postfix's upstream
<Triskelios> hyc: wb. regarding my problem, ldapsearch works fine, but pam-ldap still fails
<hyc> if you're using a recent version of pam_ldap you can also set debug flags in its ldap.conf
<hyc> and get the same info that the command line tools debug prints
<Triskelios> ok, I'll check
<Triskelios> are you hyc@symes, btw?
<hyc> symas yes
<Gagatan> howard :)
<Triskelios> er yeah =x
<hyc> howdy Gagatan
<Triskelios> cool. your name turned up several times when we were investigating a threading issue with slapd
<_ranger_> Triskelios, hyc's name always turns up re OpenLDAP ...
<hyc> lol
<Gagatan> hehe
<hyc> Just as long as it's not "that @#$@!!@# hyc ..."
<Gagatan> its always fun to do a search on your own name at google.. "what can be associated to me this month"
<_ranger_> hyc, if you've got a minute or two ... are there any issues with using a suffix of "" (with a number of subordinates of course)?
<hyc> _ranger_ that is supposed to all work now
<Gagatan> this week's top-list: sailing, ldap, debian and my personal site
<_ranger_> hyc, yeah my config is working ... but I'm not using back-config yet ...
<_ranger_> thanks
<hyc> np
<Gagatan> can you have empty suffixes now? and put "dc=com", "dc=net" etc inside that database?
<hyc> technically you always could
<hyc> but there were some bugs in back-bdb related to that
<hyc> should all be ok now
<Gagatan> ok.. good.. maybe I can throw this piece of crap oracle ldap out of the building
<Gagatan> its in 2.3.11 or what version?
<hyc> yes, certainly in 2.3, was fixed some time back in 2.2
<_ranger_> Gagatan, that's actually what I've done
<Gagatan> you don't remember which version in 2.2. do you? maybe we already run that version
<hyc> no, don't remember. grubbing thru cvs now...
<Gagatan> _ranger_: all those bloody oracle-apps binding as "cn=orcladmin" all over the place
<_ranger_> ahhh
<_ranger_> I'm trying to clean up our disparate naming contexts
<Gagatan> if it even binds as "cn=orcladmin" .. perhaps its even just "orcladmin"... oracle is teh crack
<_ranger_> one ISP we have has two naming contexts (something like cn=mail,ou=fakesuffix and ou=radius,o=isp,c=za), the other has something like dc=isp,dc=co,dc=za,dc=fakesuffix
<hyc> hm, empty suffix, ITS#3063, fixed June 2004
<_ranger_> so .. I'm merging them all into something that looks half decent (dc-naming everywhere), with meta backends until we fix client configuration
<_ranger_> and, dropping all the fake suffixes
<hyc> yeah, I remember looking at Oracle's so-called LDAP server. ... ugh
<_ranger_> I still need to look at RHDS and see what it's really like
<hyc> I s'pose I do too ;)
<_ranger_> We have some integration vendors who only "certify" Sun JDS ...
<hyc> the last thing I touched in that lineage was SunOne 5.2
<_ranger_> reckon RHDS would be less painful ... but I'd prefer to stick with OL
<hyc> Strangely enough, it seems that 5.2 is still the current version, after all these years....