How to extract all entries in hierarchical order from ldap? - ldap

I'm using ldapsearch to move a whole subtree from an existing (Novell eDirectory) server to a new OpenLDAP installation, but it seems that the tool is not extracting the entries in hierarchical order, such that cn=man,ou=org,o=company comes before ou=org,o=company in the output, breaking the following ldapmodify -a.
Am I doing something wrong? Is ldapsearch the right tool?
The origin server configuration can't be changed, nor can it be stopped for a cold dump.
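The ordering problem described in the question can be fixed after the fact, without touching the source server: parse the ldapsearch output as LDIF, then sort the entries by the number of RDN components in their DN, since a parent always has strictly fewer RDNs than any of its descendants. The script below is an added example, not code from the question or from any answer; its sample LDIF (the `build_sample_ldif` function, including a base64 `dn::` line and a folded line) is constructed here for demonstration, and the function names are this example's own.

```python
import base64
from typing import List


def build_sample_ldif() -> str:
    """Constructed sample of what ldapsearch might emit: a child entry
    (cn=man) appears before its parent (ou=org), one DN is base64
    encoded (dn::) because it contains a non-ASCII character, and one
    attribute value is folded across two lines as ldapsearch does."""
    b64_dn = base64.b64encode("ou=übersee,o=company".encode("utf-8")).decode("ascii")
    return (
        "# extended LDIF\n"
        "dn: cn=man,ou=org,o=company\n"
        "objectClass: inetOrgPerson\n"
        "cn: man\n"
        "sn: Man\n"
        "description: a long value that ldapsearch wrapped onto a second li\n"
        " ne\n"
        "\n"
        "dn: o=company\n"
        "objectClass: organization\n"
        "o: company\n"
        "\n"
        "dn: ou=org,o=company\n"
        "objectClass: organizationalUnit\n"
        "ou: org\n"
        "\n"
        f"dn:: {b64_dn}\n"
        "objectClass: organizationalUnit\n"
        "ou: übersee\n"
        "\n"
        "# search result\n"
        "search: 2\n"
        "result: 0 Success\n"
    )


def parse_ldif(text: str) -> List[List[str]]:
    """Split LDIF into entries (lists of unfolded attribute lines).
    Comment lines are dropped; a continuation line (leading space)
    is joined back onto the previous line."""
    entries: List[List[str]] = []
    current: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        entries.append(current)
    # Blocks without a dn (the "search:/result:" trailer) are not entries.
    return [e for e in entries if any(line.startswith("dn:") for line in e)]


def entry_dn(entry: List[str]) -> str:
    """Return the entry's DN, decoding the base64 form (dn::) if present."""
    for line in entry:
        if line.startswith("dn:: "):
            return base64.b64decode(line[5:]).decode("utf-8")
        if line.startswith("dn: "):
            return line[4:]
    raise ValueError("entry has no dn line")


def dn_depth(dn: str) -> int:
    """Number of RDN components; a backslash-escaped comma does not split."""
    depth, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            depth += 1
        i += 1
    return depth


def hierarchical_entries(text: str) -> List[List[str]]:
    """Order entries so every parent precedes its children: an entry with
    fewer RDNs can never be a descendant of one with more. Ties are broken
    by a case-insensitive DN comparison so the output is deterministic."""
    return sorted(parse_ldif(text),
                  key=lambda e: (dn_depth(entry_dn(e)), entry_dn(e).lower()))


def hierarchical_ldif(text: str) -> str:
    """Re-emit the entries as LDIF in hierarchical order, ready for ldapadd."""
    return "\n\n".join("\n".join(e) for e in hierarchical_entries(text)) + "\n"


if __name__ == "__main__":
    print(hierarchical_ldif(build_sample_ldif()))
```

Pipe the ldapsearch output through this (read from stdin instead of `build_sample_ldif()`) and feed the result to ldapmodify -a. Sorting only repairs the order: the export must still contain every ancestor of the subtree's entries, and operational or eDirectory-specific attributes that the OpenLDAP server refuses still have to be stripped before the add.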

Related

LDAP schema editing on the fly

Is it possible in any of the existing LDAP servers to edit a schema in one of the editors available? Like JXplorer, Apache Directory Studio, LDAP Admin?
I tried with OpenLDAP and all of the above tools (I run the server with the -F option), but it looks like it's not possible to modify the schema: add new attributes, add descriptions, etc.
I would be grateful if any of you have some experience with this.
Cheers
Some LDAP servers allow authorized users to change the schema by sending an LDAP modify operation affecting the so-called subschema subentry directly, but OpenLDAP does not.
In OpenLDAP you have two possible configuration methods:
Static file configuration, usually with schema files being simply included (aka slapd.conf), which requires slapd to be restarted to make configuration changes effective
Dynamic configuration backend back-config (aka cn=config), for which you can also define ACLs restricting access to your LDAP admins
The dynamic configuration method allows you to tweak the schema via LDAP, making it effective without a server restart. But you have to modify the multiple LDAP entries in the sub-tree cn=schema,cn=config, which you can do with any generic LDAP client.
Since schema descriptions usually reference other schema descriptions, the order is important. Standard LDAP does not define an order for entries beneath an entry or for attribute values. Therefore OpenLDAP implements an extension specified in draft-chu-ldap-xordered.

JXplorer doesn't show LDAP schema

I've got a problem with JXplorer and other LDAP browsers: they don't show the schema under the schema tab.
I use OpenLDAP 2.4. I'm using OLC, i.e. I'm running the slapd daemon with the -F option.
I can connect to cn=schema,cn=config and view/modify the schema there.
But I want to be able to see the schema in LDAP browsers like JXplorer.
What may I be doing wrong? Maybe I'm missing an important point here?
Thanks for any suggestions
It turned out to be a permissions case:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

Backing up a RIAK database data

I'm very new to RIAK. I have a cluster with 5 nodes and I want to backup the data on the cluster. I ran the following command to backup data.
[root@PCPRIAK33 local]# riak-admin backup localhost riak /var/local/temp all
However I am getting the following error.
Attempting to restart script through sudo -H -u riak
{"init terminating in do_boot",{{nocatch,{could_not_reach_node,localhost}},[{riak_kv_backup,ensure_connected,1,[{file,"src/riak_kv_backup.erl"},{line,171}]},{riak_kv_backup,backup,3,[{file,"src/riak_kv_backup.erl"},{line,40}]},{erl_eval,do_apply,6,[{file,"erl_eval.erl"},{line,572}]},{init,start_it,1,[]},{init,start_em,1,[]}]}}
init terminating in do_boot ()
Can you please help me out? :)
Thanks.
I'll answer your immediate question (how to use riak-admin backup) first, but see the comments on preferred methods of backing up, at the end.
The command is:
riak-admin backup <node name> <erlang cookie> <file name with path> all
The node name you can find in your riak vm.args file (look for the line that looks like -name riak@127.0.0.1). It'll be of the form riak@xx.xx.xx.xx with the IP address. So, on my local machine, a single node is named riak@127.0.0.1.
The erlang cookie is also found in the vm.args file; it will most likely be erlang.
The file name parameter should be a fully-qualified path to the actual file name (meaning, you can't give it just a directory name). The filename and extension are arbitrary. So, I would use something like cluster_backup.riak.
So, to put it all together, your backup command should look like:
riak-admin backup riak@<your node ip> riak /var/local/temp/cluster_backup.riak all
Now, having said all that, I don't recommend using the riak-admin backup and restore commands to back up your whole cluster, for several reasons. One, it stores every replica of every object. Meaning, if you're running with the default replica value of n=3, you will be storing 3 copies of each object in your backup file.
Two, the code invoked by that command is single-threaded and not connection pooled. So all in all, it's going to be SLOW to restore and back up.
Instead, I recommend one of the following approaches:
Take filesystem level snapshots of the data directories of each node. This is the approach currently recommended by Basho, and detailed here: http://docs.basho.com/riak/latest/ops/running/backups/
If you definitely want a "logical" backup (meaning, an export of the objects contained in the cluster), you can use an experimental standalone tool such as the Riak Data Migrator (but see the limitations in the Readme).
I recommend testing out / timing each of these approaches, to see which one is faster for your situation.

Can I change gerrit authentication type from openid to ldap?

We in our team are planning to use Gerrit. So, to get introduced, I set up a server, used OpenID for authentication and created some test users and test projects in it.
Now we are ready to use it. But we actually prefer LDAP for real use.
So, can I change my authentication system from OpenID to LDAP? What will happen to the current users then?
I want to clear test projects and changes. How can I do that?
Can I completely delete the existing Gerrit setup and initiate a fresh setup on the same machine? (I tried extracting the jar in a different folder, but I faced some problems with it.)
I am using Ubuntu 12.04 as my server.
Please help.
Delete the database (you're not using the H2 database anymore, but some MySQL or PostgreSQL server, aren't you?) plus the directory where Gerrit is running (the -d parameter, see docs). Additionally, remove the git repos, if you configured them to be located on a different path.
Then all your data is gone and you can start from scratch.

Ldap server for developer

I am developing a project that requires LDAP validation. But I don't have a developer/QA LDAP server.
Does a small LDAP server exist for Windows for testing/development?
I just want to validate an active account and detect whether it is blocked or not, so I don't want to install a whole domain to do that.
---never mind---
I tried a compiled OpenLDAP but I was unable to understand it. Simply, I don't get how to connect to it, how to create an account and how to validate; the LDAP client returned me some obfuscated error message. I tried several ways to do it and finally I gave up.
Finally, I installed a domain; it was absurdly easy to install (2008 R2), restart the server and that's it.
Anyway, thanks for the advice about OpenLDAP and AD LDS.
If you're on Windows and use Active Directory, have a look at Active Directory Lightweight Directory Services (AD LDS), an LDAP server you can install and use on your dev machine.
The open source LDAP server from OpenLDAP should give you what you need:
http://www.openldap.org/
Apache provides a directory server called "ApacheDS" (Apache Directory Server), and it provides a GUI management client called "Apache Directory Studio" which is based on Eclipse.
If you only want to test, this studio provides a built-in server for your tests, easy to link.
You can also install the studio directly in Eclipse using this update site: http://directory.apache.org/studio/update/2.x/
Active Directory works fine as an LDAP server and it's included in the Windows Server 2008 trial. See the answer to my question Testing LDAP Connections to Active Directory Server. I have it running in a KVM virtual machine on Linux and query it from an OpenLDAP based client.
Necromancing.
I've had the same problem.
OpenDS is very easy to get up and running, and doesn't require administrator rights.
You just need to download the ZIP file and run the installer.
The installer can populate the directory with test entries, too - if you want to see some example data.
That's exactly what you're looking for when wanting a simple dev test server.
Note:
OpenDS development has ceased, and it was forked into OpenDJ, a commercial project by ForgeRock.
While OpenDS still works on Java7, only OpenDJ will work with Java8.
However, OpenDJ is still FREE and OpenSource.
You can find the sourcecode here on Bitbucket
and you can grab it with git:
git clone https://stash.forgerock.org/scm/opendj/opendj.git
Forget OpenLDAP and AD-LDS; these are way too complicated for simple testing.
In addition, their user interface is horrible, and you need something that you can get up and running FAST, without admin rights, and have it populated with test data in a few minutes, not in a few weeks.
And ApacheDS will require administrator privileges, unfortunately (because it only works as a Windows service, and you can't start/stop those without being administrator).
So OpenDJ is the definite way to go.
Apache Directory Studio is a good client to browse, edit and import/export data via LDAP (LDIF).
However, despite Apache Directory Studio being written in Java, it adds a dependency on GTK, and only has binaries for x86/x64, which means it won't work on a Chromebook with an ARM processor, or on a Raspberry Pi.
But with the test entries added automagically in OpenDJ/OpenDS (if you choose the option), you don't even need that.
When in doubt, use a web based interface that "talks LDAP".
Try OpenDS it is very simple and requires only Java.
You could roll your own LDAP server for testing pretty easily using godap: https://github.com/bradleypeabody/godap
It's written in Go. It's very small and simple.
You would basically need to copy the server example out of godap_test.go and wire it up however you need.
Try simple-ldap-server
I know it's pretty late to answer this question, but this is for the reference of someone who runs into the same question.
I wrote a simple LDAP server (using ldapjs on Node.js) for authentication testing purposes. Please feel free to use it. It's easy to configure. It can support both LDAP/LDAPS protocols and just requires a JSON file including the user IDs you want to add (or it comes with a pre-included users JSON file, which you can use if you want).
The project is on github. (I'll add a docker image too)
Feel free to visit and use
Docker image
Simple Ldap Server Git
OpenLDAP. Ships with most Unixes and Linuxes. For Windows it is available from several sources:
Cygwin
http://www.userbooster.de
as the Silver (free) edition of the CDS product http://www.symas.com/cds.shtml. This is crippled compared to the Userbooster version, which is complete.
You can use a Docker container with Samba as a domain controller; here I show how to set one up in just a few minutes.
Basically you need to:
Create an image with this (read the post if you want to know why)
$ git clone https://github.com/padiazg/alpine-samba-ad-container.git
$ cd alpine-samba-ad-container
# replace your-user with your username
$ docker build -t your-user/alpine-samba-ad-container .
Create some folders and files to persist the container data
mkdir /tmp/krb-conf &&
mkdir /tmp/krb-data &&
mkdir /tmp/smb-conf &&
mkdir /tmp/smb-data &&
touch /tmp/krb-conf/krb5.conf
Run the container
docker run -d \
-e SAMBA_ADMIN_PASSWORD=a-secure-password \
-e SAMBA_DOMAIN=local \
-e SAMBA_REALM=local.your-domain.io \
-e LDAP_ALLOW_INSECURE=true \
--mount type=bind,source=/tmp/krb-conf/krb5.conf,target=/etc/krb5.conf \
--mount type=bind,source=/tmp/krb-data,target=/var/lib/krb5kdc \
--mount type=bind,source=/tmp/smb-conf,target=/etc/samba \
--mount type=bind,source=/tmp/smb-data,target=/var/lib/samba \
-p 389:389 \
--name smb4ad \
your-user/alpine-samba-ad-container
And now you are good to go