--bcaec520e733d305e204a4aefc06 Content-Type: text/plain; charset=ISO-8859-1
Do you think this could be related to: http://www.openldap.org/its/index.cgi?findid=6864 I've been having similar issues with MemberOf and Accesslog overlays used together. In your fix, is the memberof overlay enabled on your consumer nodes? -Yuri On Wed, Jun 1, 2011 at 1:00 PM, <[email protected]> wrote: > This is a multi-part message in MIME format. > --------------050703040907090602090901 > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > Content-Transfer-Encoding: 7bit > > I figured I would share a workaround that I'm currently using for this > issue which may be of help to others. I've disabled the memberOf overlay > in slapd, and use an external script to populate memberOf on the master > server, which then replicates to the consumer servers. I currently run > this every 5 minutes from cron as follows: > > memberof.pl --ldap > > Regards, > > -Kartik > > --------------050703040907090602090901 > Content-Type: application/x-perl; > name="memberof.pl" > Content-Transfer-Encoding: 7bit > Content-Disposition: attachment; > filename="memberof.pl" > > #! /usr/bin/perl > > # Implements memberOf reverse mapping attributes -- workaround for when > # memberOf overlay isn't available > > use Net::LDAP; > use Net::LDAP::LDIF; > use Authen::SASL; > use Fcntl qw(LOCK_EX LOCK_NB); > use Getopt::Long; > > use strict; > > my $basedn = "dc=example,dc=com"; > > my @attrs = qw(member manager); > # Note -- this filter properly excludes dynamic groupOfURLs groups > my $attrfilter = '(|' . join("", map { "($_=*)" } @attrs) . ')'; > my %revattrs = (member => 'memberOf', manager => 'directReports'); > my %fwattrs = reverse %revattrs; > my $revattrfilter = '(|' . join("", map { "($_=*)" } values %revattrs) . > ')'; > my (%entries, %reventries); > > # Prevent multiple instances from running at the same time > open(LOCKFH, $0); flock(LOCKFH, LOCK_EX|LOCK_NB) or exit 1; > > my ($generate_ldif, $update_ldap); > GetOptions('ldif' => \$generate_ldif, 'ldap' => \$update_ldap); > > my $ldifout = Net::LDAP::LDIF->new('-', 'w'); > $ldifout->{change} = 1; > my $ldap = Net::LDAP->new('ldapi://') or die "ldapi: $@\n"; > my $sasl = Authen::SASL->new(mechanism => 'EXTERNAL'); > my $sasl_client = $sasl->client_new('ldap', 'localhost'); > $ldap->bind(undef, sasl => $sasl_client); > > # Build %entries and %reventries maps > my $mesg = $ldap->search(base => $basedn, > filter => $attrfilter, > attrs => \@attrs); > $mesg->code && die($mesg->error . "\n"); > foreach my $entry ($mesg->all_entries) {$entries{lc $entry->dn} = $entry } > > $mesg = $ldap->search(base => $basedn, > filter => $revattrfilter, > attrs => [values > %revattrs]); > $mesg->code && die($mesg->error . "\n"); > foreach my $entry ($mesg->all_entries) { $reventries{lc $entry->dn} = > $entry } > > # Go through and generate updates for the reverse mapping attributes > my ($dn, $entry); > while (($dn, $entry) = each %entries) { > foreach my $attr (@attrs) { > my $revattr = $revattrs{$attr}; > foreach my $val ($entry->get_value($attr)) { > $val = lc $val; > if (!$reventries{$val}) { > $reventries{$val} = Net::LDAP::Entry->new; > $reventries{$val}->dn($val); > $reventries{$val}->changetype('modify'); > } > $reventries{$val}->add($revattr => $entry->dn) > unless grep({ lc $_ eq $dn } > > $reventries{$val}->get_value($revattr)); > } > } > } > while (($dn, $entry) = each %reventries) { > foreach my $revattr (values %revattrs) { > foreach my $val ($entry->get_value($revattr)) { > $val = lc $val; > $reventries{$dn}->delete($revattr => $val) > if !exists($entries{$val}) > || !grep({ lc $_ eq $dn } > > $entries{$val}->get_value($fwattrs{$revattr})); > > } > } > if ($entry->changes) { > $ldifout->write_entry($entry) if $generate_ldif; > if ($update_ldap) { > my $modmesg = $entry->update($ldap); > $modmesg->code && die("LDAP: " .$modmesg->error . > "\n"); > } > } > } > > --------------050703040907090602090901-- > > > --bcaec520e733d305e204a4aefc06 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Do you think this could be related to: <a href=3D"http://www.openldap.org/i= ts/index.cgi?findid=3D6864">http://www.openldap.org/its/index.cgi?findid=3D= 6864</a>=A0 <br><br>I've been having similar issues with MemberOf and A= ccesslog overlays used together.<br> <br><br>In your fix, is the memberof overlay enabled on your consumer nodes= ?<br><br>-Yuri<br><br><div class=3D"gmail_quote">On Wed, Jun 1, 2011 at 1:0= 0 PM, <span dir=3D"ltr"><<a href=3D"mailto:[email protected]";>subba= [email protected]</a>></span> wrote:<br> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= x #ccc solid;padding-left:1ex;">This is a multi-part message in MIME format= .<br> --------------050703040907090602090901<br> Content-Type: text/plain; charset=3DISO-8859-1; format=3Dflowed<br> Content-Transfer-Encoding: 7bit<br> <br> I figured I would share a workaround that I'm currently using for this<= br> issue which may be of help to others. I've disabled the memberOf overla= y<br> in slapd, and use an external script to populate memberOf on the master<br> server, which then replicates to the consumer servers. I currently run<br> this every 5 minutes from cron as follows:<br> <br> <a href=3D"http://memberof.pl"; target=3D"_blank">memberof.pl</a> --ldap<br> <br> Regards,<br> <br> =A0 =A0 =A0 =A0-Kartik<br> <br> --------------050703040907090602090901<br> Content-Type: application/x-perl;<br> =A0name=3D"<a href=3D"http://memberof.pl"; target=3D"_blank">memberof.p= l</a>"<br> Content-Transfer-Encoding: 7bit<br> Content-Disposition: attachment;<br> =A0filename=3D"<a href=3D"http://memberof.pl"; target=3D"_blank">member= of.pl</a>"<br> <br> #! /usr/bin/perl<br> <br> # Implements memberOf reverse mapping attributes -- workaround for when<br> # memberOf overlay isn't available<br> <br> use Net::LDAP;<br> use Net::LDAP::LDIF;<br> use Authen::SASL;<br> use Fcntl qw(LOCK_EX LOCK_NB);<br> use Getopt::Long;<br> <br> use strict;<br> <br> my $basedn =3D "dc=3Dexample,dc=3Dcom";<br> <br> my @attrs =3D qw(member manager);<br> # Note -- this filter properly excludes dynamic groupOfURLs groups<br> my $attrfilter =3D '(|' . join("", map { "($_=3D*)&q= uot; } @attrs) . ')';<br> my %revattrs =3D (member =3D> 'memberOf', manager =3D> 'd= irectReports');<br> my %fwattrs =3D reverse %revattrs;<br> my $revattrfilter =3D '(|' . join("", map { "($_=3D*= )" } values %revattrs) . ')';<br> my (%entries, %reventries);<br> <br> # Prevent multiple instances from running at the same time<br> open(LOCKFH, $0); flock(LOCKFH, LOCK_EX|LOCK_NB) or exit 1;<br> <br> my ($generate_ldif, $update_ldap);<br> GetOptions('ldif' =3D> \$generate_ldif, 'ldap' =3D> \= $update_ldap);<br> <br> my $ldifout =3D Net::LDAP::LDIF->new('-', 'w');<br> $ldifout->{change} =3D 1;<br> my $ldap =3D Net::LDAP->new('ldapi://') or die "ldapi: $@\n= ";<br> my $sasl =3D Authen::SASL->new(mechanism =3D> 'EXTERNAL');<br= > my $sasl_client =3D $sasl->client_new('ldap', 'localhost'= ;);<br> $ldap->bind(undef, sasl =3D> $sasl_client);<br> <br> # Build %entries and %reventries maps<br> my $mesg =3D $ldap->search(base =3D> $basedn,<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 filter =3D> $attrfilter,<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 attrs =3D> \@attrs);<br> $mesg->code && die($mesg->error . "\n");<br> foreach my $entry ($mesg->all_entries) {$entries{lc $entry->dn} =3D $= entry }<br> <br> $mesg =3D $ldap->search(base =3D> $basedn,<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 filter =3D> $revattrfilter,<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 attrs =3D> [values %revattrs]);<br> $mesg->code && die($mesg->error . "\n");<br> foreach my $entry ($mesg->all_entries) { $reventries{lc $entry->dn} = =3D $entry }<br> <br> # Go through and generate updates for the reverse mapping attributes<br> my ($dn, $entry);<br> while (($dn, $entry) =3D each %entries) {<br> =A0 =A0 =A0 =A0foreach my $attr (@attrs) {<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0my $revattr =3D $revattrs{$attr};<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0foreach my $val ($entry->get_value($attr= )) {<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$val =3D lc $val;<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if (!$reventries{$val}) {<b= r> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$reventries= {$val} =3D Net::LDAP::Entry->new;<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$reventries= {$val}->dn($val);<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$reventries= {$val}->changetype('modify');<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0}<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$reventries{$val}->add($= revattr =3D> $entry->dn)<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0unless grep= ({ lc $_ eq $dn }<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$reventries{$val}->get_value($rev= attr));<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0}<br> =A0 =A0 =A0 =A0}<br> }<br> while (($dn, $entry) =3D each %reventries) {<br> =A0 =A0 =A0 =A0foreach my $revattr (values %revattrs) {<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0foreach my $val ($entry->get_value($reva= ttr)) {<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$val =3D lc $val;<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$reventries{$dn}->delete= ($revattr =3D> $val)<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if !exists(= $entries{$val})<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0|| !grep({ = lc $_ eq $dn }<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 =A0 $entries{$val}->get_value($fwattrs{$revattr}));<= br> <br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0}<br> =A0 =A0 =A0 =A0}<br> =A0 =A0 =A0 =A0if ($entry->changes) {<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$ldifout->write_entry($entry) if $genera= te_ldif;<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0if ($update_ldap) {<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0my $modmesg =3D $entry->= update($ldap);<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$modmesg->code &&= ; die("LDAP: " .$modmesg->error . =A0"\n");<br> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0}<br> =A0 =A0 =A0 =A0}<br> }<br> <br> --------------050703040907090602090901--<br> <br> <br> </blockquote></div><br> --bcaec520e733d305e204a4aefc06--
