Re: VRF support in openldap

2023-01-11 Thread Howard Chu
tisha...@gmail.com wrote:
> Hi Howard,
> 
> Sorry for the confusion. I meant virtual routing and forwarding (VRF), wherein 
> we will have to bind the socket to a particular vrf-id when connecting to the 
> ldap-server.

In Linux you must explicitly bind a socket to a VRF, as documented here:

https://docs.kernel.org/networking/vrf.html

After you've bound your socket, you can give it to libldap with ldap_init_fd() 
and then use it normally thereafter.
> 
> Thanks,
> Smitha
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: dynlist vs memberof performance issues

2023-01-11 Thread Paul B. Henson
On Tue, Jan 10, 2023 at 01:41:58PM +0100, Ondřej Kuzník wrote:

> The latest manpage update should make it clearer how dynamic *lists*
> differ from dynamic *groups*. And yes, no need to change config for
> groups.

Cool, thank you both for the clarification.

> If you can give the current 2.5/2.6 branch a go, or if you decide to
> wait until we get a call for testing out, feedback is always welcome.

Will do, thanks again...


Re: Queries regarding Openldap migration from 2.4.51 to 2.6.2

2023-01-11 Thread Quanah Gibson-Mount
--On Wednesday, January 11, 2023 5:33 AM + "Nagesh Nikavade (EXT-NSB)" wrote:

> Hi Team,
>
> We are migrating openldap from 2.4.51 to 2.6.2 and we have the following
> queries
>
>   • What is the End of life date for 2.4.x series?

It has already reached EOL from the project perspective.

>   • OpenLdap 2.6.x doesn't have BDB Data base Support but has MDB,
> but in our existing machines where 2.4.51 is installed. Our data is
> populated in ".BDB" files. So is there is any guide where and how our
> data will be migrated from .BDB format to .MDB format ?

back-bdb was deprecated many years ago, and back-mdb has been the supported 
backend in OpenLDAP 2.4 for years.  I would advise migrating your current 
deployment to back-mdb under OpenLDAP 2.4 prior to working on the OpenLDAP 
2.6 upgrade.  The general process would be:

1. export the current database(s) to ldif using slapcat
2. update the configuration to use back-mdb instead of back-bdb/hdb
3. import the LDIF file using slapadd

>   • There is a utility db_verify which verifies .BDB files which is
> not working for .MDB files. What is utility to verify .MDB data files?

back-mdb doesn't require such a utility.

Regards,
Quanah


RE: Queries regarding Openldap migration from 2.4.51 to 2.6.2

2023-01-11 Thread Christopher Paul
Hi Nagesh,


  1.  Your 2.4.x won't be supported here.
  2.  See slapcat and slapadd to dump and reload your DB from BDB to MDB
  3.  See "mdb_stat/dump/copy/load"



Chris Paul | Rex Consulting | https://www.rexconsulting.net


Re: Queries regarding Openldap migration from 2.4.51 to 2.6.2

2023-01-11 Thread Howard Chu
Nagesh Nikavade (EXT-NSB) wrote:
> Hi Team,
> 
>  
> 
> We are migrating openldap from 2.4.51 to 2.6.2 and we have  the following 
> queries
> 
>  
> 
>  1. What is the End of life date for 2.4.x series?

September 2021. 
https://lists.openldap.org/hyperkitty/list/openldap-annou...@openldap.org/thread/5RJ3FXOE2C3UGJSHOV4AIR4DXEPPWD6P/

>  2. OpenLdap 2.6.x doesn’t have BDB Data base Support but has MDB, but in our 
> existing machines where 2.4.51 is installed. Our data is populated in “.BDB”
> files. So is there is any guide where and how our data will be migrated 
> from .*BDB format* to *.MDB format *?

Same as for any other upgrade. slapcat / slapadd. Read the Admin Guide.

>  3. There is a utility *db_verify* which verifies  *.BDB *files which is not 
> working for *.MDB files. *What is utility to *verify .MDB data files?*

There is no such utility. LMDB is corruption proof.

-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
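The slapcat / reconfigure / slapadd procedure from Quanah's reply and Howard's answer above, together with a post-migration check in place of the db_verify the original poster asked about, as an added shell example. This is not code from the thread or from the OpenLDAP project. It assumes a slapd.conf-style configuration at /etc/openldap/slapd.conf with the BDB database as database number 1, slapd stopped and running as user "ldap", an export path under /var/backups, and a 10 GiB back-mdb maxsize; every one of those is a placeholder to adjust. Only the bdb-only directives named in slapd-bdb(5)/slapd-hdb(5) are dropped; everything back-mdb also understands passes through unchanged. The convert_conf function has no side effects and is exercised by the built-in check against a constructed sample config.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project): migrate one
# slapd.conf-style database from back-bdb/back-hdb to back-mdb on the same
# 2.4 install, then check that the reload round-trips. All paths, the
# database number, the service user and the maxsize are assumed placeholders.
# Run as root with slapd stopped: slapcat/slapadd touch the files directly.
set -eu

SLAPD_CONF=${SLAPD_CONF:-/etc/openldap/slapd.conf}
DB_NUM=${DB_NUM:-1}                       # first "database" in slapd.conf is -n 1
LDAP_USER=${LDAP_USER:-ldap}
BACKUP=${BACKUP:-/var/backups/db${DB_NUM}-bdb-export.ldif}
MDB_MAXSIZE=${MDB_MAXSIZE:-10737418240}   # 10 GiB map size (assumed); must exceed final DB size

# Rewrite the bdb/hdb section for back-mdb: "database bdb|hdb" becomes
# "database mdb", directives only the BDB backends accept are dropped, the
# shared ones (directory, suffix, rootdn, index, checkpoint, dbnosync, mode,
# searchstack) pass through, and maxsize is inserted after "directory".
convert_conf() {   # stdin: old slapd.conf, stdout: converted config
    awk -v maxsize="$MDB_MAXSIZE" '
        $1 == "database" && ($2 == "bdb" || $2 == "hdb") { print "database mdb"; in_db = 1; next }
        $1 == "database" { in_db = 0 }
        in_db && $1 ~ /^(cachesize|cachefree|dbconfig|dirtyread|dncachesize|idlcachesize|linearindex|lockdetect|shm_key)$/ { next }
        in_db && $1 == "directory" { print; print "maxsize " maxsize; next }
        { print }
    '
}

db_directory() {   # print the "directory" of database DB_NUM in the current config
    awk -v n="$DB_NUM" '$1 == "database" { i++ }
        i == n && $1 == "directory" { gsub(/"/, "", $2); print $2; exit }' "$SLAPD_CONF"
}

# There is no db_verify for LMDB. Instead, confirm that the new database
# exports to the same LDIF that was loaded and that the environment opens.
verify() {
    slapcat -f "$SLAPD_CONF" -n "$DB_NUM" -l "$BACKUP.mdb"
    if diff -q "$BACKUP" "$BACKUP.mdb" > /dev/null; then
        echo "back-mdb export matches the BDB export"
    else
        echo "exports differ, inspect with: diff $BACKUP $BACKUP.mdb" >&2
        return 1
    fi
    mdb_stat -e "$1"    # from the LMDB tools (lmdb-utils on Debian/Ubuntu)
}

migrate() {
    dir=$(db_directory)
    [ -n "$dir" ] || { echo "no directory directive for database $DB_NUM" >&2; return 1; }

    # 1. export the current database (slapd must be stopped)
    slapcat -f "$SLAPD_CONF" -n "$DB_NUM" -l "$BACKUP"

    # 2. move the BDB files aside (kept for rollback; refuses to overwrite an
    #    earlier copy) and switch the backend in the config
    mkdir "$dir.bdb" && find "$dir" -maxdepth 1 -type f -exec mv {} "$dir.bdb/" \;
    cp -p "$SLAPD_CONF" "$SLAPD_CONF.bdb"
    convert_conf < "$SLAPD_CONF.bdb" > "$SLAPD_CONF"
    slaptest -u -f "$SLAPD_CONF"        # sanity-check the rewritten config

    # 3. reload into back-mdb and hand the files to the slapd user
    slapadd -f "$SLAPD_CONF" -n "$DB_NUM" -l "$BACKUP"
    chown -R "$LDAP_USER:$LDAP_USER" "$dir"
    verify "$dir"
}

sample_bdb_conf() {   # constructed input for check_conversion, not a real file
    cat <<'EOF'
include /etc/openldap/schema/core.schema
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /var/lib/ldap
cachesize 100000
idlcachesize 300000
dbconfig set_cachesize 0 268435456 1
checkpoint 1024 15
index objectClass eq
database monitor
EOF
}

check_conversion() {   # 0 if convert_conf behaves as described above
    out=$(sample_bdb_conf | convert_conf)
    printf '%s\n' "$out" | grep -q '^database mdb$' &&
    printf '%s\n' "$out" | grep -q '^maxsize ' &&
    printf '%s\n' "$out" | grep -q '^checkpoint 1024 15$' &&
    printf '%s\n' "$out" | grep -q '^index objectClass eq$' &&
    printf '%s\n' "$out" | grep -q '^database monitor$' &&
    ! printf '%s\n' "$out" | grep -qE '^(cachesize|idlcachesize|dbconfig)'
}

case "${1:-}" in
    check) check_conversion && echo "convert_conf OK" ;;
    run)   migrate ;;
    *)     echo "usage: $0 check|run" >&2 ;;
esac
```

Run it with `check` first to see what convert_conf does to the sample, then with `run` on the real host. Keep the `.bdb` directory and the two LDIF exports until the diff in verify() is clean and slapd has been started against the new backend; a non-empty diff is the point at which to stop and read the Admin Guide's upgrade section rather than proceed to 2.6.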


Re: VRF support in openldap

2023-01-11 Thread tishamol
Hi Howard,

Sorry for the confusion. I meant virtual routing and forwarding (VRF), wherein 
we will have to bind the socket to a particular vrf-id when connecting to the 
ldap-server.

Thanks,
Smitha


Queries regarding Openldap migration from 2.4.51 to 2.6.2

2023-01-11 Thread Nagesh Nikavade (EXT-NSB)
Hi Team,

We are migrating openldap from 2.4.51 to 2.6.2 and we have  the following 
queries


  1.  What is the End of life date for 2.4.x series?
  2.  OpenLdap 2.6.x doesn't have BDB Data base Support but has MDB, but in our 
existing machines where 2.4.51 is installed. Our data is populated in ".BDB" 
files. So is there is any guide where and how our data will be migrated from 
.BDB format to .MDB format ?
  3.  There is a utility db_verify which verifies  .BDB files which is not 
working for .MDB files. What is utility to verify .MDB data files?

Best Regards,
Nagesh



Re: VRF support in openldap

2023-01-11 Thread Howard Chu
tisha...@gmail.com wrote:
> Hi,
> 
> I would like to know whether there is any support for passing a vrf-id to the openldap
> library?

VRF in OpenLDAP means ValueReturnFilter, which has been supported for years. 
Look at the ldapsearch(1) manpage,
or read the ldapsearch source code.
> 
> Thanks,
> Smitha
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: newer TLS clients (> 3.0?) can't connect to OpenLDAP's TLS with SSSD

2023-01-11 Thread Shawn McKinney


> On Jan 10, 2023, at 1:25 AM, Jarett  wrote:
> 
> I have actually read this post before, and it describes the problem I’m 
> having exactly, but the purported fix does not work for me. My SSSD 
> configuration file contains “ldap_tls_reqcert = never,” “ldap_tls_cacert = 
> (certificate path for ca)” and “ldap_tls_cert = (certificate path for 
> server).”
>  
> Ulrich: I actually don’t even remember what SANs or CNs are in the 
> certificate, but it shouldn’t matter as we have reqcert set to never. Too, if 
> I turn verification off in SSSD entirely with “certificate_verification = 
> no_verification,” I have the exact same problem. (We really could not care 
> less about TLS security on this particular network, but SSSD simply will not 
> work without at least nominally connecting over TLS/SSL.)
>  

SSSD uses the openldap client config on a particular machine. So, you can 
sidestep SSSD by issuing command line operations from the same machine to 
troubleshoot: ldapsearch, ldapwhoami, ...

It's almost always something wrong with the CA cert, e.g. can't find it, 
doesn't match the server, etc. Meaning, the TLS params in the ldap.conf file.

—
Shawn
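Shawn's suggestion of taking SSSD out of the loop and reproducing the failure with the OpenLDAP command-line tools, as an added shell example that is not from the thread. Host, port and CA path are placeholders; the ldap.conf location is whichever one your libldap was built with (/etc/openldap/ldap.conf on Red Hat-style systems, /etc/ldap/ldap.conf on Debian), and the LDAPTLS_* environment variables override its TLS_* directives for one invocation. The verify_status helper is exercised offline against a constructed s_client transcript.

```shell
#!/bin/sh
# Added example (not from the thread): check the server's TLS setup with the
# same libldap SSSD uses, then look at what the server actually presents.
# HOST, PORT and CAFILE are placeholders; nothing here is site-specific.
HOST=${HOST:-ldap.example.net}
PORT=${PORT:-636}                                   # ldaps; see starttls_probe for 389
CAFILE=${CAFILE:-/etc/openldap/certs/ca.crt}

# Same library and config file as SSSD, minus SSSD. -d 1 makes libldap log
# the TLS handshake; pass "never" as $1 to mimic ldap_tls_reqcert = never.
ldap_probe() {
    LDAPTLS_CACERT=$CAFILE LDAPTLS_REQCERT=${1:-demand} \
        ldapwhoami -x -H "ldaps://$HOST:$PORT" -d 1 2>&1 | grep -iE 'TLS|certificate|error' || true
}

# StartTLS variant: -ZZ fails the operation if StartTLS does not succeed.
starttls_probe() {
    LDAPTLS_CACERT=$CAFILE LDAPTLS_REQCERT=${1:-demand} \
        ldapwhoami -x -ZZ -H "ldap://$HOST:389" -d 1 2>&1 | grep -iE 'TLS|certificate|error' || true
}

# What the server sends, independent of libldap: the chain, the verify
# result against CAFILE, and the names the client will try to match.
server_cert() {
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" \
        -CAfile "$CAFILE" -showcerts </dev/null 2>/dev/null
}
cert_names() {   # -ext needs OpenSSL 1.1.1 or newer
    server_cert | openssl x509 -noout -subject -dates -ext subjectAltName
}

# Reduce an s_client transcript to "<code> <reason>" from its
# "Verify return code: N (reason)" line; 0 means CAFILE validated the chain.
verify_status() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (\(.*\))/\1 \2/p' | head -n 1
}

constructed_transcript() {   # a cut-down s_client transcript, constructed for the demo
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = ldap.example.net
verify error:num=21:unable to verify the first certificate
---
    Verify return code: 21 (unable to verify the first certificate)
---
EOF
}

check_server() {   # live check: prints the verify status, returns 0 only on code 0
    status=$(server_cert | verify_status)
    echo "verify: ${status:-no TLS handshake completed}"
    [ "${status%% *}" = "0" ]
}

case "${1:-}" in
    demo)  constructed_transcript | verify_status ;;
    probe) ldap_probe demand; echo "--- with reqcert=never ---"; ldap_probe never; cert_names; check_server ;;
    *)     echo "usage: $0 demo|probe" >&2 ;;
esac
```

Read the two ldap_probe runs against each other: if the `demand` run fails on a certificate message and the `never` run gets through, it is the CA/name mismatch Shawn describes and cert_names shows which side is wrong; if both fail the same way, the handshake itself is not completing, and s_client's own error output (run server_cert without the `2>/dev/null`) is where to look next.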