[gentoo-server] ldap multiple dc rootdn?

[gentoo-server] ldap multiple dc rootdn?

[Chris S]

Hi all,

Starting to play with LDAP :D and having an issue where it doesn't like 
my fqdn.
(openldap 2.2.26)

In short I would like to know if I can have multiple dc for my rootdn? 
(it appears I'm limited to 2).

I want to use dc=au because I'm in Australia, ie:
dc=domain,dc=net,dc=au

I can setup ldap using that domain and search it

*Code:*
cephas # ldapsearch -D "cn=Manager,dc=domain,dc=net,dc=au" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1


but when I use the migration tools and create the base.ldif, importing 
it fails

*Code:*
cephas # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f 
/tmp/base.ldif
Enter LDAP Password:
adding new entry "dc=net,dc=au"
ldap_add: Server is unwilling to perform (53)
       additional info: no global superior knowledge


also, phpldapadmin refuses to create it, with the same error.

Setting the system up with just dc=domain,dc=net works perfectly

Is there something special I have to do?

I can create my rootdn as dc=net,dc=au and then create another dc under 
that dc=domain, but this is quite ugly and I was hoping I could get all 
three on the one. if there is no solution I guess I could create the 
base as dc=au, then subs dc=net and dc=domain.

Is there something special I have to do?

Cheers,
Chris
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Chris S]

any ideas?

-c

Chris S wrote:

> Hi all,
>
> Starting to play with LDAP :D and having an issue where it doesn't 
> like my fqdn.
> (openldap 2.2.26)
>
> In short I would like to know if I can have multiple dc for my rootdn? 
> (it appears I'm limited to 2).
>
> I want to use dc=au because I'm in Australia, ie:
> dc=domain,dc=net,dc=au
>
> I can setup ldap using that domain and search it
>
> *Code:*
> cephas # ldapsearch -D "cn=Manager,dc=domain,dc=net,dc=au" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> # search result
> search: 2
> result: 32 No such object
> # numResponses: 1
>
>
> but when I use the migration tools and create the base.ldif, importing 
> it fails
>
> *Code:*
> cephas # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f 
> /tmp/base.ldif
> Enter LDAP Password:
> adding new entry "dc=net,dc=au"
> ldap_add: Server is unwilling to perform (53)
>       additional info: no global superior knowledge
>
>
> also, phpldapadmin refuses to create it, with the same error.
>
> Setting the system up with just dc=domain,dc=net works perfectly
>
> Is there something special I have to do?
>
> I can create my rootdn as dc=net,dc=au and then create another dc 
> under that dc=domain, but this is quite ugly and I was hoping I could 
> get all three on the one. if there is no solution I guess I could 
> create the base as dc=au, then subs dc=net and dc=domain.
>
> Is there something special I have to do?
>
> Cheers,
> Chris

-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Paul Kölle]

Chris S wrote:

>> *Code:*
>> cephas # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f
>> /tmp/base.ldif
>> Enter LDAP Password:
>> adding new entry "dc=net,dc=au"
>> ldap_add: Server is unwilling to perform (53)
>>       additional info: no global superior knowledge
try the -b switch

ldapadd -x -b "dc=domain,dc=net,dc=au" -D "cn=yadda yadda..." -W -f
/tmp/base.ldif

cheers
 Paul

-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Chris S]

Paul Kölle wrote:

>Chris S wrote:
>
>  
>
>>>*Code:*
>>>cephas # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f
>>>/tmp/base.ldif
>>>Enter LDAP Password:
>>>adding new entry "dc=net,dc=au"
>>>ldap_add: Server is unwilling to perform (53)
>>>      additional info: no global superior knowledge
>>>      
>>>
>try the -b switch
>
>ldapadd -x -b "dc=domain,dc=net,dc=au" -D "cn=yadda yadda..." -W -f
>/tmp/base.ldif
>
>cheers
> Paul
>  
>
thank you very much! I will give this a try.
-c
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Chris S]

Paul Kölle wrote:

>Chris S wrote:
>
>  
>
>>>*Code:*
>>>cephas # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f
>>>/tmp/base.ldif
>>>Enter LDAP Password:
>>>adding new entry "dc=net,dc=au"
>>>ldap_add: Server is unwilling to perform (53)
>>>      additional info: no global superior knowledge
>>>      
>>>
>try the -b switch
>
>ldapadd -x -b "dc=domain,dc=net,dc=au" -D "cn=yadda yadda..." -W -f
>/tmp/base.ldif
>  
>
howdy,
When I try to pass that option, it shows the help section. "man ldapadd" 
shows no such option.
I am using openldap 2.2.26. Perhaps this options has been removed now? 
Is there something else I can try?

cheers

>cheers
> Paul
>
>  
>
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Paul Kölle]

Chris S wrote:
> Paul Kölle wrote:
>> try the -b switch
>>
>> ldapadd -x -b "dc=domain,dc=net,dc=au" -D "cn=yadda yadda..." -W -f
>> /tmp/base.ldif
>>  
>>
> howdy,
> When I try to pass that option, it shows the help section. "man ldapadd"
> shows no such option.
> I am using openldap 2.2.26. Perhaps this options has been removed now?
> Is there something else I can try?
Sorry, -b is ldapsearch only. You need to tell the client about your new
base in /etc/openldap/ldap.conf (this is for the openldap client tools).

base=dc=domain,dc=net,dc=au

And of course have a "database" section with the correct "suffix" in
slapd.conf.

cheers
 Paul

-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Chris S]

Paul Kölle wrote:

>Sorry, -b is ldapsearch only. You need to tell the client about your new
>base in /etc/openldap/ldap.conf (this is for the openldap client tools).
>
>base=dc=domain,dc=net,dc=au
>
>And of course have a "database" section with the correct "suffix" in
>slapd.conf.
>
>cheers
> Paul
>  
>
Hi Paul, this takes me back to the original problem.
ldapsearch works fine with*out* -b if I set the base to 
dc=domain,dc=net,dc=au
The problem is that i just can't create the base when it has all three.
I can create dc=net,dc=au base, then create dc=domain under that. And 
then set the base to dc=domain,dc=net,dc=au I can search and add just 
fine.. it's just creating the base with all three that fails.

cheers
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Paul Kölle]

Chris S wrote:
> Hi Paul, this takes me back to the original problem.
> ldapsearch works fine with*out* -b if I set the base to
> dc=domain,dc=net,dc=au
> The problem is that i just can't create the base when it has all three.
> I can create dc=net,dc=au base, then create dc=domain under that. And
> then set the base to dc=domain,dc=net,dc=au I can search and add just
> fine.. it's just creating the base with all three that fails.
please post the ldif containing the entries for you intended base, I'll
give it a shot.

cheers
 Paul
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Chris S]

Paul Kölle wrote:

> please post the ldif containing the entries for you intended base, I'll
>
>give it a shot.
>  
>
Hi Paul,
Sorry for the delay.. been super busy.

As previously mentioned, it's the base that I can't create with 3 dc 
levels, however I can get around it by creating base level of two, then 
adding the third dc, then switching the base back to 3 levels (although 
this doesn't "feel" clean). All the same, here's my configuration. Any 
pointers, slaps around the head appreciated.

openldap 2.2.26 emerged and configured

searching is successful:

*code*
dually # ldapsearch -D "cn=Manager,dc=domain,dc=net,dc=au" -W -x
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
*/code*

here is my base.ldif:

*code*
dn: dc=net,dc=au
dc: net
objectClass: top
objectClass: domain

dn: dc=domain,dc=net,dc=au
dc: domain
objectClass: top
objectClass: domain
*/code*

when I try and insert it:

*code*
dually / # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f 
/tmp/base.ldif -x
Enter LDAP Password:
adding new entry "dc=net,dc=au"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge
*/code*

and if I try with:

*code*
dn: dc=au
dc: au
objectClass: top
objectClass: domain

dn: dc=net,dc=au
dc: net
objectClass: top
objectClass: domain

dn: dc=domain,dc=net,dc=au
dc: domain
objectClass: top
objectClass: domain
*/code*

I get:

*code*
dually / # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f 
/tmp/base2.ldif -x
Enter LDAP Password:
adding new entry "dc=au"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge
*/code*

awaiting slap over the head!

Cheers,
Chris

>cheers
> Paul
>  
>
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Paul Kölle]

Chris S wrote:
> Paul Kölle wrote:
> 
>> please post the ldif containing the entries for you intended base, I'll
>>
>> give it a shot.
>>  
>>
> Hi Paul,
> Sorry for the delay.. been super busy.
> 
> As previously mentioned, it's the base that I can't create with 3 dc
> levels, however I can get around it by creating base level of two, then
> adding the third dc, then switching the base back to 3 levels (although
> this doesn't "feel" clean). All the same, here's my configuration. Any
> pointers, slaps around the head appreciated.
> 
> openldap 2.2.26 emerged and configured
> 
> searching is successful:
> 
> *code*
> dually # ldapsearch -D "cn=Manager,dc=domain,dc=net,dc=au" -W -x
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 32 No such object
> 
> # numResponses: 1
Again, this is NOT a successful search, there are no results.


> */code*
> 
> here is my base.ldif:
> 
> *code*
> dn: dc=net,dc=au
^^^^^^^^^^^^^^^^^^

> when I try and insert it:
> 
> *code*
> dually / # ldapadd -D "cn=Manager,dc=domain,dc=net,dc=au" -W -f
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> /tmp/base.ldif -x
> Enter LDAP Password:
> adding new entry "dc=net,dc=au"
> ldap_add: Server is unwilling to perform (53)
>        additional info: no global superior knowledge
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>From your ldapadd line, I assume you have in slapd.conf:

database bdb
suffix dc=domain,dc=net,dc=au

The thing you probably missed: You don't need to and you are not allowed
to add entries *below* the "suffix" from slapd.conf as it could be
another suffix. If you try to add something like: "dn: dc=net,dc=au"
slapd searches for *immediate parents* (here: dc=au) to that entry,
either in the directory or for a "suffix" line in slapd.conf (remember,
its a tree). If it couldn't find one you get the "no global superior
knowledge" error or an "already exists" if the enty is already there.

Solution:

ldif

dn: dc=domain,dc=net,dc=au
dc=domain
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: domain.net.au

dn: ou=users,dc=domain,dc=net,dc=au
ou: users
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: domain.net.au

end ldif

slapd.conf

database bdb
suffix dc=domain,dc=net,dc=au
rootdn cn=manager,dc=domain,dc=net,dc=au
rootpw not24get

directory /var/lib/openldap-data
index objectClass eq

end slapd.conf

of course this is just the configuration for that backend, you'll need
more info in slapd.conf for your server to run properly.


cheers
 Paul



-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Chris S]

Paul Kölle wrote:

>Again, this is NOT a successful search, there are no results.
>
>  
>
Interesting, I thought it was successful because it didnt fail, and 
naturally there *is* nothing in my database because I can't even create 
the base dn..

> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>  
>
>>From your ldapadd line, I assume you have in slapd.conf:
>
>database bdb
>suffix dc=domain,dc=net,dc=au
>  
>
yes, exactly

>The thing you probably missed: You don't need to and you are not allowed
>to add entries *below* the "suffix" from slapd.conf as it could be
>another suffix. If you try to add something like: "dn: dc=net,dc=au"
>slapd searches for *immediate parents* (here: dc=au) to that entry,
>either in the directory or for a "suffix" line in slapd.conf (remember,
>its a tree). If it couldn't find one you get the "no global superior
>knowledge" error or an "already exists" if the enty is already there.
>  
>
ok

>Solution:
>
>ldif
>
>dn: dc=domain,dc=net,dc=au
>dc=domain
>objectClass: top
>objectClass: dcObject
>objectClass: domain
>objectClass: domainRelatedObject
>associatedDomain: domain.net.au
>
>dn: ou=users,dc=domain,dc=net,dc=au
>ou: users
>objectClass: top
>objectClass: organizationalUnit
>objectClass: domainRelatedObject
>associatedDomain: domain.net.au
>
>end ldif
>  
>
this gives me:

cephas ~ # ldapadd -D "cn=manager,dc=domain,dc=net,dc=au" -W -f base.ldif -x
Enter LDAP Password:
ldapadd: invalid format (line 2) entry: "dc=domain,dc=net,dc=au"

>slapd.conf
>
>database bdb
>suffix dc=domain,dc=net,dc=au
>rootdn cn=manager,dc=domain,dc=net,dc=au
>rootpw not24get
>
>directory /var/lib/openldap-data
>index objectClass eq
>
>end slapd.conf
>  
>
I copied what you suggested and started slapd. see error above.

>of course this is just the configuration for that backend, you'll need
>more info in slapd.conf for your server to run properly.
>
>
>cheers
> Paul
>  
>
any ideas? I don't want to make this a huge email, but here are my 
relavant configs:

*cephas ~ # sed -e 's/#.*//;/^\s*$/d' "$@" /etc/openldap/slapd.conf*
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
database bdb
suffix dc=domain,dc=net,dc=au
rootdn cn=manager,dc=domain,dc=net,dc=au
rootpw not24get
directory /var/lib/openldap-data
index objectClass eq

*cephas ~ # sed -e 's/#.*//;/^\s*$/d' "$@" /etc/openldap/ldap.conf*
BASE         dc=domain, dc=net, dc=au
URI          ldaps://localhost:636/
TLS_REQCERT  allow

*cephas ~ # cat base.ldif*
dn: dc=domain,dc=net,dc=au
dc=domain
objectClass: top
objectClass: dcObject
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: domain.net.au

dn: ou=users,dc=domain,dc=net,dc=au
ou: users
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: domain.net.au


Thank you for your time.

>
>
>  
>
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Paul Kölle]

Chris S wrote:
[snipp]
> Paul Kölle wrote:
[snapp]
>>
>> ldif
>>
>> dn: dc=domain,dc=net,dc=au
>> dc=domain
>> objectClass: top
>> objectClass: dcObject
>> objectClass: domain
>> objectClass: domainRelatedObject
>> associatedDomain: domain.net.au
>>
>> dn: ou=users,dc=domain,dc=net,dc=au
>> ou: users
>> objectClass: top
>> objectClass: organizationalUnit
>> objectClass: domainRelatedObject
>> associatedDomain: domain.net.au
>>
>> end ldif
>>  
>>
> this gives me:
> 
> cephas ~ # ldapadd -D "cn=manager,dc=domain,dc=net,dc=au" -W -f
> base.ldif -x
> Enter LDAP Password:
> ldapadd: invalid format (line 2) entry: "dc=domain,dc=net,dc=au"
typo in my post, line 2 should read (of course) "dc: domain"

[snipp]
> *cephas ~ # sed -e 's/#.*//;/^\s*$/d' "$@" /etc/openldap/ldap.conf*
> BASE         dc=domain, dc=net, dc=au
                       ^^^^^^^^^^^^^^^^
leave out the spaces

cheers
 Paul

-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] ldap multiple dc rootdn?

[Chris S]

Paul Kölle wrote:

> typo in my post, line 2 should read (of course) "dc: domain"

oh yes, of course ;) thank you that seems to have made it all work! :O

>[snipp]
>  
>
>>*cephas ~ # sed -e 's/#.*//;/^\s*$/d' "$@" /etc/openldap/ldap.conf*
>>BASE         dc=domain, dc=net, dc=au
>>    
>>
>                       ^^^^^^^^^^^^^^^^
>leave out the spaces
>  
>
it seems to work with the spaces (the default gentoo config file had 
spaces, so I left them there!).

>cheers
> Paul
>
>  
>
Thank you very much for your time and effort in helping me, it is very 
much appreciated.
I am trying to set the new server up with ldap instead of mysql, so it's 
all a little new to me.

Cheers,
Chris
-- 
gentoo-server@gentoo.org mailing list

[gentoo-server] which ldap database

[Chris S]

Would people mind offering advice as to which database type I should use 
with openldap?
The machine will be a web, email, etc server. Dual Opteron 246 with 4gb 
ram, 4 x 300gb sata drives in hardware raid 5.

I am trying to get openldap to be the central authentication system for 
sftp and courier, hold aliases etc for postfix, as well as dns entries 
through bind, and if I can get mod_cfg_ldap to work then also vhosts for 
apache2.

Many thanks,
Chris
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] which ldap database

[Paul Kölle]

Chris S wrote:
> Would people mind offering advice as to which database type I should use
> with openldap?
use bdb, it's the recommended backend from the openldap folks. If your
database is huge and/or your server busy go to the openldap.org site and
read in the faq-o-matic entries about DB_CONFIG. Or go to sleepycat.com.

cheers
 Paul
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] which ldap database

[Chris S]

Paul Kölle wrote:

> use bdb, it's the recommended backend from the openldap folks. If your
>
>database is huge and/or your server busy go to the openldap.org site and
>read in the faq-o-matic entries about DB_CONFIG. Or go to sleepycat.com.
>  
>
thanks again Paul :)
-c

>cheers
> Paul
>  
>
-- 
gentoo-server@gentoo.org mailing list

[gentoo-server] VRRP Replacement

[Kirk Hoganson]

I'm looking for a good alternative to VRRP for linux.  I need something 
that can simultaneously handle the failover of multiple interfaces in 
the even that one of them fails.  I have looked at UCARP, but it does 
not gracefully handle this scenario, as it is designed around a single 
interface.  Has anyone used an open source implementation that they 
would recommend?  I have a system with interfaces on multiple subnets 
that must be rapidly switched to a backup in the even of system failure.

--Kirk
-- 
gentoo-server@gentoo.org mailing list