Develop Reference

Migrate data from one openldap to another one

I try to do a migration from one ldap (Ubuntu) to another one (CentOS)
From actual server I do an export of database and values:
slapcat -n 0 -l slapd.conf
slapcat -n 1 -l slapd.ldif
At the other one I try to load data but I get this error:
[root#oldap01 tmp]# slapadd -f slapd.ldif
5e442f2b slapd.ldif: line 1: unknown directive <dn:> outside backend info and database definitions.
slapadd: bad configuration file!
slapd.ldif start by:
dn:
objectClass: top
objectClass: dcObject
objectClass: organization
o: no-domain
dc: no-domain
structuralObjectClass: organization
There's any way to create manually the OU,CN,... and then import the values?
Thanks in advance

how to re-enable anonymous login in openldap

I have recently installed openldap 2.4.42 and disabled anonymous login using the following content in ldif file.
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
I can even see access to dn.base="" by * read in slapd.conf file
Now, I have a application(wordpress blog) which is trying to connect to LDAP server using anonymous login and failing because of that reason. I tried few options but none of them are working. Can someone help me out on how to re-enable the LDAP anonymous login.
Thanks in advance

What type of configuration are you using ? slapd.conf or slapd.d/ folder ? You cannot use both at the same time.
Drop added olcDisallows & olcRequires configuration if you use slapd.d/ folder configuration.
Or
delete countrepart settings from slapd.conf file (disallow & require) if you use slapd.conf configuration file.
To delete what you said you added to activate this behavior, ie with an LDIF file for example:
dn: cn=config
changetype: modify
delete: olcDisallows
olcDisallows: bind_anon
-
dn: cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
-
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
You should also verify that targeted anonymous access is allowed by database ACLs (olcAccess parameter)

OpenLDAP AccessLogs out of hand

I've got over 150 GB of logs in /var/lib/ldap/accesslog and for some reason they won't rotate out or purge old logs. I'm not sure what I'm missing.
I'm using HDB.
I'm using an OLC setup, so I have no slapd.conf file.
My Slapd version is 2.4.31-1+nmu2ubuntu8.2
My AccessLog overlay is configured with:
dn: olcOverlay={1}accesslog
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {1}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 7+00:00 1+00:00
olcAccessLogSuccess: TRUE
...
Unfortunately I still have log files dated from November of 2014, which is probably when this server was upgraded to Ubuntu 14.04 LTS and the LDAP services were re-initialized from a backup LDIF file.
I've tried creating a DB_CONFIG file in the accesslog directory containing the following:
set_flags DB_LOG_AUTOREMOVE
to no avail.

So apparently the "set_flags DB_LOG_AUTOREMOVE" didn't kick in until I restarted the slapd service. As soon as I did the old logs were purged out.

OpenLDAP - Multi Master Configuration

I have to configure two OpenLDAP nodes in multi-master mode.
I've also integrated them with our corporate Active Directory, and the integration seems to work, after some verification.
Even if the log say the replication is working fine, I verified that an entity added to one node didn't replicate on the other.
This is my slapd.conf is shown below. The only difference between the two slapd.conf is serverID
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/microsoft.minimal.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm
moduleload syncprov
moduleload accesslog
### Logging ###################################################################
logfile /var/log/slapd/slapd.log
loglevel sync
# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Allow v2 binding for legacy clients #########################################
allow bind_v2
### Database local ############################################################
database bdb
suffix "dc=farm,dc=it"
rootdn "cn=manager,dc=farm,dc=it"
rootpw {SSHA}B29rxKxtjTN8JJIppPGJt7ahvUPhd1pa
directory /var/lib/ldap
# Indexes for this back end
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uid eq,pres,sub
access to attrs=userPassword
by self =xw
by dn.exact="cn=manager,dc=farm,dc=it"
by dn.exact="cn=replica,dc=farm,dc=it"
by anonymous auth
by * none
access to *
by anonymous auth
by self write
by dn.exact="cn=replica,dc=farm,dc=it" read
by users read
by * none
# Replica #####################################################################
#Define the server ID.
serverID 2
# Replication configuration, only things you may have to change here are provider, binddn, credentials and searchbase.
syncrepl rid=001
provider=ldap://almldap01.farm.it:389
binddn="cn=replica,dc=farm,dc=it"
bindmethod=simple
credentials="3L3jkKZcSb5anj8ReCi3ZDWnbv9HNeB8"
searchbase="dc=farm,dc=it"
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
#Rest replication configuration goes to end of the file.
mirrormode TRUE
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 1000 60
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://corp.farm.group:389"
suffix "dc=corp,dc=farm,dc=group"
idassert-bind bindmethod=simple
mode=none
binddn="CN=WfLdapBind,OU=Users,OU=WebFarm,DC=corp,DC=farm,DC=group"
credentials="djW5l5hvTPcMcLvV"
idassert-authzFrom "*"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map objectClass posixAccount person

The syncrepl rid and provider should also be different in each case. rid should be unique, and provider should point to the other OpenLDAP master.

OpenLdap - change/modify not working

I am on OpenLdap and trying to modify an entry via an LDIF with slapadd command.
#LDIF
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: MyPassWord
But I am getting below error....
54a0fc8e <= str2entry: str2ad(changetype): attribute type undefined
Why changetype is not taken by slapadd command?
Also when I manually try to change the password on ldap browser I get following on the
logs
#!RESULT ERROR
#!CONNECTION ldap://<MY_MACHINENAME>:389
#!DATE 2014-12-29T10:14:16.930
#!ERROR [LDAP: error code 8 - modifications require authentication]
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: S2l0ZXNGbHk=
LDAP: error code 8 - modifications require authentication? Which Authenication is required?

An ldif file like this (containing changetype entries) should be used with ldapadd, not slapadd.