Wednesday, December 3. 2008
Hi All,
Here's the 16th tip in the "OpenLDAP Quick Tips" series (as requested by Bronius Motekaitis):
"You want to audit OpenLDAP for changes: who modified what at what times?":
Apart from normal logging via syslog, there are two options for this: file-based audit logging, or LDAP-based (in-directory) logging into a second database.
For file-based logging, see Audit Logging and the related man page slapo-auditlog:
The Audit Logging overlay can be used to record all changes on a given backend database to a specified log file. Changes are logged as standard LDIF, with an additional comment header giving the timestamp of the change and the identity of the user making the change.
For in-directory logging, see Access Logging and the related man page slapo-accesslog:
The Access Logging overlay can be used to record all accesses to a given backend database on another database. This allows all of the activity on a given database to be reviewed using arbitrary LDAP queries, instead of just logging to local flat text files.
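The man page text above says what slapo-auditlog writes; the script below is an added example (not from this post and not part of OpenLDAP) that reads the file named by the overlay's "auditlog <filename>" directive and answers the tip's question: who modified what, and when. It assumes the comment-header layout documented in slapo-auditlog(5), "# <op> <unix-time> <suffix> <modifiersName>", optionally followed by "conn=<id>" in newer releases. The audit log embedded in it is constructed; the DNs, values and timestamps are made up.

```python
import re
import time
from collections import namedtuple

# Constructed sample of what slapo-auditlog writes to the file named by its
# "auditlog <filename>" directive. The comment header layout follows the
# slapo-auditlog(5) man page ("# <op> <unix-time> <suffix> <modifiersName>");
# newer releases append " conn=<id>", which the parser tolerates. DNs, values
# and timestamps are made up.
SAMPLE_AUDITLOG = """\
# add 1228262400 dc=example,dc=com cn=admin,dc=example,dc=com
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
# end add 1228262400

# modify 1228266000 dc=example,dc=com uid=jdoe,ou=People,dc=example,dc=com conn=17
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}CONSTRUCTED-PLACEHOLDER
-
replace: entryCSN
entryCSN: 20081203010000.000000Z#000000#000#000000
-
# end modify 1228266000

# delete 1228269600 dc=example,dc=com cn=admin,dc=example,dc=com conn=21
dn: uid=olduser,ou=People,dc=example,dc=com
changetype: delete
# end delete 1228269600
"""

HEADER = re.compile(
    r'^# (add|modify|delete|modrdn) (\d+) (\S+) (\S+)(?: conn=(\d+))?$')

AuditRecord = namedtuple('AuditRecord',
                         'op timestamp suffix modifier conn dn attrs')


def parse_auditlog(text):
    """Return one AuditRecord per change block in slapo-auditlog output."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            op, ts, suffix, who, conn = m.groups()
            current = {'op': op, 'timestamp': int(ts), 'suffix': suffix,
                       'modifier': who, 'conn': int(conn) if conn else None,
                       'dn': None, 'attrs': []}
            continue
        if current is None:
            continue                       # text outside any change block
        if line.startswith('# end '):
            records.append(AuditRecord(**current))
            current = None
        elif line.startswith('dn: '):
            current['dn'] = line[4:]
        elif line in ('-', '') or line.startswith('#'):
            continue
        elif ':' in line:
            attr, value = line.split(':', 1)
            if attr == 'changetype':
                continue
            if current['op'] == 'modify':
                # add:/replace:/delete: lines name the attribute being changed
                if attr in ('add', 'replace', 'delete'):
                    current['attrs'].append(value.strip())
            elif attr not in current['attrs']:
                current['attrs'].append(attr)
    return records


def who_changed_what(records):
    """(modifier, operation, target DN, UTC time) for every change: the
    tip's question answered in one tuple per entry."""
    return [(r.modifier, r.op, r.dn,
             time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime(r.timestamp)))
            for r in records]


def changes_by_modifier(records):
    """How many changes each identity made."""
    counts = {}
    for r in records:
        counts[r.modifier] = counts.get(r.modifier, 0) + 1
    return counts


def changes_touching(records, attribute):
    """Changes whose change set includes a given attribute, e.g. userPassword."""
    return [r for r in records if attribute in r.attrs]


if __name__ == '__main__':
    for row in who_changed_what(parse_auditlog(SAMPLE_AUDITLOG)):
        print('%s %s %s by %s' % (row[3], row[1], row[2], row[0]))
```

Point parse_auditlog at the real file's contents and the same three helpers work unchanged; changes_touching(records, 'userPassword') is the quick way to list every password reset and who performed it.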
Thanks,
Gavin.
If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.
P.S. For direct access to this section, you can click OpenLDAP Quick Tips.
Tuesday, December 2. 2008
Hi All,
Here's the 15th tip in the "OpenLDAP Quick Tips" series:
"You want to change your OpenLDAP loglevel to get more information, but can't take your directory server offline":
If you've been following the OpenLDAP Quick Tips series, you will have already read Switch to the dynamic config backend (cn=config) and will now have a live slapd dynamic backend configured. If not, go back and read it over.
Continue reading "OpenLDAP Quick Tips: Change loglevels on the fly!"
Monday, December 1. 2008
Hi All,
Here's the 14th tip in the "OpenLDAP Quick Tips" series and today it comes from "Pablo Chamorro":
"You want to analyse your OpenLDAP logfile":
There are various ways to do this by hand, but the community has already done the work for you and written the OpenLDAP Logfile analysis utility:
ldap-stats.pl is a Perl program that can be used to analyze and report on OpenLDAP logfiles. The available reports include: operations (e.g., Connect, Bind, Unbind) performed per host, unindexed searches, attributes requested, search filters used, total operations per server, and operation breakdowns by day, hour and month.
A short sample output would look like:
Continue reading "OpenLDAP Quick Tips: OpenLDAP Logfile analysis"
Friday, November 28. 2008
Hi All,
Here's my 13th tip in the "OpenLDAP Quick Tips" series:
"You have a question, but you're sure someone has been there before":
That's what our FAQ-O-Matic is for!
Search it, browse it and check the common areas:
- Installation
- Configuration
- Integration
- Maintenance
- Common Errors
- When all else fails...
When all else fails, join our mailing lists.
Thanks,
Gavin.
Thursday, November 27. 2008
Hi All,
Here's my 12th tip in the "OpenLDAP Quick Tips" series:
"You want to switch slapd from slapd.conf to the configuration backend":
The config backend is backward compatible with the older slapd.conf(5) file but provides the ability to change the configuration dynamically at runtime. If slapd is run with only a slapd.conf file dynamic changes will be allowed but they will not persist across a server restart. Dynamic changes are only saved when slapd is running from a slapd.d configuration directory.
The following should be getting you very excited:
provides the ability to change the configuration dynamically at runtime.
Continue reading "OpenLDAP Quick Tips: Switch to the dynamic config backend (cn=config)"
Dear All,
I'd like to get some examples written up for:
http://www.openldap.org/doc/admin24/appendix-deployments.html
If anyone is interested and allowed to share some information, I'd
love to hear from you.
The more strange the setup the better!
Many thanks,
Gavin.
P.S. This has also been sent to the openldap-technical@openldap.org mailing list, so if you are a subscriber please reply to that email. Thanks.
Wednesday, November 26. 2008
Hi All,
Here's my 11th tip in the "OpenLDAP Quick Tips" series:
"You want to make sure you have the correct indices configured for the best performance":
It's easy to discover when you do not have the correct indices set by checking your LDAP log. If you see something similar to:
Continue reading "OpenLDAP Quick Tips: Check your indices"
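Tip 14 (the ldap-stats.pl reports: operations per host, unindexed searches, filters used) and tip 11 (spotting missing indices in the log) both come down to reading slapd's stats-level log. The script below is an added example, written here and not taken from this blog, from ldap-stats.pl or from OpenLDAP, that produces a small version of those reports and turns every "not indexed" message into the slapd.conf "index" line that would cure it. The log lines embedded in it are constructed in the shape slapd writes via syslog at the default "stats" loglevel; hosts, DNs and connection numbers are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed slapd log lines in the shape produced by the default "stats"
# loglevel via syslog (hosts, DNs and connection numbers are made up). The
# "not indexed" line is what slapd prints when a filter hits an unindexed
# attribute, which is what the "Check your indices" tip tells you to look for.
SAMPLE_LOG = """\
Dec  1 10:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:40001 (IP=0.0.0.0:389)
Dec  1 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Dec  1 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Dec  1 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
Dec  1 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 SRCH attr=cn mail
Dec  1 10:00:02 ldap1 slapd[1234]: <= bdb_equality_candidates: (uid) not indexed
Dec  1 10:00:02 ldap1 slapd[1234]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec  1 10:00:03 ldap1 slapd[1234]: conn=1000 op=2 UNBIND
Dec  1 10:00:03 ldap1 slapd[1234]: conn=1000 fd=12 closed
Dec  1 10:00:05 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.0.2.20:40002 (IP=0.0.0.0:389)
Dec  1 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128
Dec  1 10:00:05 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Dec  1 10:00:06 ldap1 slapd[1234]: conn=1001 op=1 UNBIND
Dec  1 10:00:06 ldap1 slapd[1234]: conn=1001 fd=13 closed
"""

ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
OPERATION = re.compile(
    r'conn=(\d+) op=(\d+) (BIND|UNBIND|SRCH|ADD|MOD|MODRDN|DEL|CMP|EXT)\b(.*)')
BIND_RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
BIND_DN = re.compile(r'dn="([^"]*)"')
FILTER = re.compile(r'filter="([^"]*)"')
NOT_INDEXED = re.compile(r'<= [a-z]+_([a-z]+)_candidates: \((\w+)\) not indexed')


def analyse(lines):
    """Summarise slapd stats-level log lines: operations per client host,
    search filters used, unindexed attribute lookups and failed binds."""
    conn_host = {}                       # conn id -> client IP
    ops_per_host = defaultdict(Counter)
    filters = Counter()
    unindexed = Counter()                # (attribute, candidate type) -> hits
    failed_binds = Counter()             # bind DN -> failures
    pending_bind = {}                    # (conn, op) -> DN awaiting RESULT
    for line in lines:
        m = ACCEPT.search(line)
        if m:
            conn_host[m.group(1)] = m.group(2)
            continue
        m = NOT_INDEXED.search(line)
        if m:
            unindexed[(m.group(2), m.group(1))] += 1
            continue
        m = BIND_RESULT.search(line)
        if m:
            dn = pending_bind.pop((m.group(1), m.group(2)), None)
            if m.group(3) != '0' and dn is not None:
                failed_binds[dn] += 1
            continue
        m = OPERATION.search(line)
        if not m:
            continue
        conn, opnum, op, rest = m.groups()
        if op == 'SRCH' and 'filter=' not in rest:
            continue                     # "SRCH attr=..." continuation line
        if op == 'BIND' and 'dn=' not in rest:
            continue                     # "BIND authcid=..." SASL continuation
        ops_per_host[conn_host.get(conn, 'unknown')][op] += 1
        if op == 'SRCH':
            filters[FILTER.search(rest).group(1)] += 1
        elif op == 'BIND':
            pending_bind[(conn, opnum)] = BIND_DN.search(rest).group(1)
    return {
        'ops_per_host': {h: dict(c) for h, c in ops_per_host.items()},
        'filters': dict(filters),
        'unindexed': dict(unindexed),
        'failed_binds': dict(failed_binds),
    }


INDEX_KEYWORD = {'equality': 'eq', 'substring': 'sub',
                 'presence': 'pres', 'approx': 'approx'}


def index_hints(report):
    """Turn the unindexed hits into the slapd.conf "index" lines that would
    silence them (one line per attribute, index types sorted)."""
    by_attr = defaultdict(set)
    for attr, kind in report['unindexed']:
        by_attr[attr].add(INDEX_KEYWORD.get(kind, kind))
    return ['index %s %s' % (attr, ','.join(sorted(kinds)))
            for attr, kinds in sorted(by_attr.items())]


if __name__ == '__main__':
    report = analyse(SAMPLE_LOG.splitlines())
    for host, ops in sorted(report['ops_per_host'].items()):
        print(host, ops)
    print('unindexed:', report['unindexed'])
    print('\n'.join(index_hints(report)))
```

Feed it the real log with analyse(open('/var/log/slapd.log').readlines()) (path assumed; use wherever your syslog sends slapd). The failed_binds counter is not one of ldap-stats.pl's reports but falls out of the same parse and is worth watching alongside the unindexed searches.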
Tuesday, November 25. 2008
Hi All,
Here's my 10th tip in the "OpenLDAP Quick Tips" series:
"You want to stay up to date with the latest version of OpenLDAP to benefit from bug fixes":
There's never been a better time to upgrade to the 2.4 series. It's actually very easy. If there haven't been any significant core changes between releases (excluding a 2.3.x to 2.4.x upgrade), then you can easily just install a new version on top of the existing one and restart.
If there has been a Berkeley DB change or any form of data storage change (indexing etc.), then you should follow these steps:
1. Stop the current server when convenient
2. slapcat the current data out
3. Clear out the current data directory (/usr/local/var/openldap-data/) leaving DB_CONFIG in place
4. Perform the software upgrades
5. slapadd the exported data back into the directory
6. Start the server
It is recommended to do the above anyway, just to be safe, as you can always start fresh from the exported data.
Obviously this doesn't cater for any complicated deployments like MirrorMode or N-Way Multi-Master, but should you need advice or help, you can use either commercial support or community support... or contact Suretec.
Thanks,
Gavin.
Monday, November 24. 2008
Hi All,
Here's my 9th tip in the "OpenLDAP Quick Tips" series:
"You want to edit data in your directory server, but only have command line access":
When you want to quickly edit some data and don't want to use the ldap* command line tools that come with OpenLDAP, why not grab ldapvi:
ldapvi is an interactive LDAP client for Unix terminals. Using it, you can update LDAP entries with a text editor.
Think of it as vipw(1) for LDAP.
Thanks,
Gavin.
Friday, November 21. 2008
Hi All,
Here's my 8th tip in the "OpenLDAP Quick Tips" series:
"You want to create your own LDAP Schema for your directory server":
The golden rule:
Under no circumstances should you hijack name space belonging to others!
When you want to extend or create one yourself, get your own OID or PEN using the Private Enterprise Number (PEN) Request Template.
It takes around 2 weeks; you will then always be listed on the PRIVATE ENTERPRISE NUMBERS page (handy if you forget the number), and your namespace will never clash with anyone else's.
Anyone in the LDAP field who is worth their salt should be listed; we are (Suretec Systems Ltd.).
Thanks,
Gavin.
Thursday, November 20. 2008
Hi All,
Here's my 7th tip in the "OpenLDAP Quick Tips" series:
"You want to check your Access Control Lists configured in your directory server":
Continue reading "OpenLDAP Quick Tips: Testing your Access Control Lists (ACLs)"
Wednesday, November 19. 2008
Hi All,
Here's my 6th tip in the "OpenLDAP Quick Tips" series:
"You want to encrypt the passwords that are stored in your directory server":
Previously we covered slaptest, so the next one we will cover in the slap* set of command line tools is slappasswd.
To create an encrypted password for the password "testing", we do:
CODE: [root@suretec ~]# slappasswd
New password:
Re-enter new password:
{SSHA}4Q/jfwS2oPJtQDq7bmHozKOWkgDJNLEb
The default is the SSHA scheme, which is the recommended one. You can also generate a random password with the -g option:
CODE: [ghenry@suretec ~]$ /usr/local/sbin/slappasswd -g
t5e7xEJE
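To show what slappasswd's {SSHA} value actually contains, here is an added example, written for this page and not taken from the post or from OpenLDAP. {SSHA} is a salted SHA-1 hash: base64 of the 20-byte SHA-1 digest of password followed by salt, with the salt appended (slappasswd uses a 4-byte random salt, which is why its 32-character output decodes to 24 bytes). The verify function is the check slapd performs on a simple bind against a userPassword stored this way; the generate_password function mimics -g only in spirit (its alphabet and length are my choice, not OpenLDAP's).

```python
import base64
import hashlib
import hmac
import os
import secrets
import string

SALT_SIZE = 4          # slappasswd's default random salt length
DIGEST_SIZE = 20       # SHA-1 digest length


def ssha_hash(password, salt=None):
    """Build a {SSHA} userPassword value: base64(SHA1(password || salt) || salt).
    This is the scheme slappasswd emits by default; the random salt is why
    running it twice on the same password gives two different values."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value, as slapd
    does when checking a simple bind. Returns True/False; raises on other
    schemes, so a caller never silently treats {MD5} or cleartext as a match."""
    if not stored.startswith('{SSHA}'):
        raise ValueError('not a {SSHA} value: %r' % stored[:10])
    raw = base64.b64decode(stored[len('{SSHA}'):])
    if len(raw) <= DIGEST_SIZE:
        raise ValueError('{SSHA} value too short to contain a salt')
    digest, salt = raw[:DIGEST_SIZE], raw[DIGEST_SIZE:]
    candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(candidate, digest)    # constant-time compare


def generate_password(length=8):
    """Random password from letters and digits, in the spirit of slappasswd -g
    (alphabet and length are this example's choice, not OpenLDAP's)."""
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(length))


if __name__ == '__main__':
    value = ssha_hash('testing')
    print(value)
    print(ssha_verify('testing', value), ssha_verify('wrong', value))
    # the value slappasswd printed in the tip can be checked the same way:
    print(ssha_verify('testing', '{SSHA}4Q/jfwS2oPJtQDq7bmHozKOWkgDJNLEb'))
    print(generate_password())
```

The point worth keeping in mind from the code: the salt is stored in the clear inside the value, so it adds nothing to the secrecy of one password; it only stops identical passwords from producing identical userPassword values and defeats precomputed tables across accounts.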
Thanks,
Gavin.
Tuesday, November 18. 2008
Hi All,
Here's my 5th tip in the "OpenLDAP Quick Tips" series:
"You are not sure what LDAP attributes to choose and what LDAP ObjectClasses they belong to":
The online LDAP Schema Viewer resource is great for quickly browsing what belongs to what.
You can of course use the LDAP Schema browser of any decent LDAP GUI.
Thanks,
Gavin.
Monday, November 17. 2008
Hi All,
Here's my fourth tip in the "OpenLDAP Quick Tips" series:
"You want to test your configuration for your directory server":
The OpenLDAP Software Suite comes with many great command line tools which we will cover in the OpenLDAP Quick Tips series. The first one you should always use is slaptest:
CODE: [root@suretec src]# /usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf
config file testing succeeded
The above means our configuration is all good. If we are using dynamic configuration, we would use -F. For more information, always use the -d flag which we will cover in another tip.
For some errors like below, it's obvious what's wrong:
CODE: [root@suretec src]# /usr/local/sbin/slaptest -f /usr/local/etc/openldap/slapd.conf
could not stat config file "/usr/local/etc/openldap/schema/suretec.schema": No such file or directory (2)
slaptest: bad configuration file!
Thanks,
Gavin.