[Fedora-directory-users] FD sync with NT4?
by Glenn
So I have a successful Windows Sync agreement set up between Fedora DS and
Active Directory, but I'm having difficulty setting up a sync agreement with
an NT4 domain. I'm at the point where I've entered the NT server info in the
agreement form. When I click Next, I get an error message:
"Unable to contact Active Directory server. Continue?"
I think this means I've entered something wrong in the form, and I'm hoping
someone can narrow down the possible things that can be entered in the form.
For instance, Windows Domain Name. The example given in the documentation
is "example.com". However, NT domains do not conform to DNS standards. Will
it work if I enter the NT domain name, e.g., "example"? If not, is there a
workaround?
The next item is Windows Subtree. This field gets filled in automatically
with "cn=Users,dc=example" using the example above. Again, can Windows Sync
use this NT domain name, or does it require a DNS name?
For Domain Controller Host, what is expected? If I put in the host name
alone, I get the error message. If I put in the fully qualified DNS host
name, the application locks up and must be terminated with Task Manager (I'm
using the console on a Windows XP machine).
Bind As seems to expect an LDAP distinguished name. How can I translate the
NT replication user name into LDAP terminology, i.e., what in NT corresponds
with cn, ou, dn, etc.?
Thanks for any ideas. -G.
16 years, 8 months
[Fedora-directory-users] Managing openLDAP et Active Directory users via Fedora DS
by Julien Garet
Hi,
I am currently looking for a solution which allows me to manage
both Windows users in Active Directory and Unix users in OpenLDAP, and
users in the two worlds. In fact, we have software plugged into an OpenLDAP
server, and we need some functionality offered by AD for extensive Windows
users. It seems Fedora Directory Server will match the
requirements. But I have a couple of questions on what can be done.
- I have seen that AD user and group sync is possible; are
passwords also synced? (Will a user changing their password in Windows
also have it changed in OpenLDAP?)
- Does Directory Server fill in the Kerberos part of AD? (We have
CIFS mounts to be done by Windows users.)
- Is it possible to replicate the FDS base with a simple OpenLDAP server
(with syncrepl)?
In fact, I realize I do not yet understand well what FDS is in depth
and what it is able to perform, and I'd be very happy if someone explained it to me a
little further.
Julien GARET
INRIA Futurs,
Moyens Informatiques
16 years, 8 months
[Fedora-directory-users] Failover and SSL
by Rubin
Hi all!
I'm trying to figure out how to handle high availability in
combination with SSL. I have SSL working for both client and
server-to-server connections. The problem is that I would like to
give a client only one IP/FQDN for the LDAP server, like
ldap.example.com, and manage failover to a second LDAP multi-master
machine by bringing up that IP or switching the DNS entry of the
FQDN to whichever server is designated as active at that moment.
The problem lies in the fact that the certificate on the client
has a DN that has to match the hostname to be contacted (i.e.
ldap.example.com), but I don't want to have identical certificates
on the LDAP servers (if the DN does not match the hostname to be contacted,
the connection will fail, verified with openssl).
So how can you have a client contact ldap.example.com with SSL enabled
while having the ability to switch ldap.example.com between two machines
without doing something evil like having identical certificates for
both LDAP servers? How are others handling these things?
The reason I want to do failover this way has to do with wanting
to avoid the possibility of conflicts when having the
ability to write to 2 masters at the same time.
Thanks for any pointers and/or eyeopeners!
Grtz,
Rubin.
16 years, 8 months
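The matching rule Rubin describes is what makes the question hard, so here is an added example (not code from the thread or from Fedora DS) that models how a TLS client compares a server certificate against the name it dialled. It shows one answer to the question: each server keeps its own key pair and its own certificate, and the shared service name ldap.example.com is simply listed as an extra dNSName in each certificate's Subject Alternative Name. The host names, the `ServerCert` type and the certificate contents below are constructed for the example.

```python
# Added example (not from the original thread): model of how a TLS client
# matches a server certificate against the hostname it dialled, and why a
# shared service name placed in the Subject Alternative Name of each
# server's own certificate lets ldap.example.com fail over between two
# machines without copying one certificate to both.
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Only the fields that matter for hostname matching (constructed)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is honoured
    only as the whole leftmost label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    # '*' may not match an empty label, and it never spans a dot
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: ServerCert, hostname: str) -> bool:
    """Verifiers consult the SAN dNSName list; the subject CN is only a
    fallback when the certificate carries no dNSName entries at all."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(dns_name_matches(n, hostname) for n in names)


def failover_ready(certs: dict, service_name: str) -> dict:
    """For each server, report whether a client that dials service_name
    would accept that server's certificate."""
    return {host: cert_matches_hostname(c, service_name)
            for host, c in certs.items()}


# Constructed certificates for the two multi-master machines. Each keeps its
# own key pair and its own host name; both also list the shared service name.
CERTS_WITH_SAN = {
    "ldap1.example.com": ServerCert("ldap1.example.com",
                                    ["ldap1.example.com", "ldap.example.com"]),
    "ldap2.example.com": ServerCert("ldap2.example.com",
                                    ["ldap2.example.com", "ldap.example.com"]),
}

# The situation described in the post: each certificate names only its own host.
CERTS_CN_ONLY = {
    "ldap1.example.com": ServerCert("ldap1.example.com"),
    "ldap2.example.com": ServerCert("ldap2.example.com"),
}

if __name__ == "__main__":
    print("per-host certs, SAN includes service name:",
          failover_ready(CERTS_WITH_SAN, "ldap.example.com"))
    print("per-host certs, own name only:",
          failover_ready(CERTS_CN_ONLY, "ldap.example.com"))
```

With the service name in each certificate's SAN, the client still pins the connection to ldap.example.com and still rejects any certificate that does not carry that name, while each server's private key stays on that server alone. The issuing CA has to be willing to sign the shared name into both certificates, which is a policy decision to make explicitly rather than by copying key material between hosts.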
[Fedora-directory-users] LDAP Server Crashed - Now Read-Only
by Greg Copeland
My LDAP server crashed while I was adding a user. After getting it
restarted, the database is now read-only. Where/how do I change the
database back to read/write mode? I've had to do this once before but
it's been a very long time and I no longer remember where it is at.
Help.
Best Regards,
Greg Copeland
16 years, 8 months
[Fedora-directory-users] rpm -e behavior
by Noriko Hosoi
Hello, fedora-directory-users list;
We are working on the setup and clean-up code in the next version:
(please see also
http://directory.fedoraproject.org/wiki/New_Setup_Design). I'd like to
have your thoughts on the behavior when you run "rpm -e fedora-ds". The
previous version cleaned up all the binaries and instances but the
certificate and key dbs.
# ls alias
secmod.db slapd-ID-key3.db slapd-ID-cert8.db
Do we want to leave them untouched on the next version, as well? How
about other files such as ldif files or backup files? Or do we want to
remove all the fedora-ds related files?
Your input would be greatly appreciated.
--noriko
16 years, 8 months
[Fedora-directory-users] 64-bit PassSync?
by Josh Kelley
Is a 64-bit version of the Windows PassSync program available
anywhere? If not, are there currently any plans to provide a 64-bit
version?
Thank you.
Josh Kelley
16 years, 8 months
Re: [Fedora-directory-users] Performance
by Howard Chu
> Date: Mon, 16 Jul 2007 10:12:57 -0400
> From: "Vampire D" <vampired(a)gmail.com>
> I heard it from Cisco when working with them on a project as they claims it
> has a hard time keeping up under a heavy load.
In my experience, the Cisco folks don't have a clue what they're talking about.
We recently had a customer come to us asking why OpenLDAP doesn't support
LDAPv3 (it does; it has since 2000), saying their Cisco product wasn't able to
Bind to OpenLDAP. Cisco of course claimed they were supporting LDAPv3 correctly
and that the OpenLDAP server was defective, but we asked the customer for a
network trace and they saw that the Cisco product was actually sending an
LDAPv2 Bind request. Your mileage may vary of course, but it's best to take
anything Cisco says about LDAP with a large helping of salt.
> On 7/16/07, Norman Gaywood <ngaywood(a)une.edu.au> wrote:
>>
>> On 7/13/07, Vampire D <vampired(a)gmail.com> wrote:
>>> As I understand it, OpenLDAP doesn't perform all that well under a high
>>> load. How does FDS perform in comparison to other LDAP implementations
>>> like OpenLDAP and Sun?
>>
>> Interesting. Where did you get the information that OpenLDAP does not
>> perform under load? I was always under the impression that OpenLDAP
>> was the fastest and most scalable LDAP server around. For example:
>>
>> http://www.symas.com/benchmark-auth.shtml
>>
>> I recall reading another benchmark somewhere comparing it with FDS but
>> can't find it at the moment.
>>
>> --
>> Norman Gaywood, Systems Administrator
>> University of New England, Armidale,
>> NSW 2351, Australia
>>
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
16 years, 8 months
Re: [Fedora-directory-users] Performance
by Howard Chu
> Date: Tue, 17 Jul 2007 11:35:26 +1000
> From: Norman Gaywood <ngaywood(a)une.edu.au>
>> Norman Gaywood wrote:
>>> perform under load? I was always under the impression that OpenLDAP
>>> was the fastest and most scalable LDAP server around. For example:
>>>
>>> http://www.symas.com/benchmark-auth.shtml
>>>
>>> I recall reading another benchmark somewhere comparing it with FDS but
>>> can't find it at the moment.
>>
>> That looks to be a read-only test. What happens when you throw some
>> updates at it? And are there any benchmarks for FDS running in
>> multi-master mode with update activity?
>
> Yes it was a read-only test. But then that's the main application of
> LDAP servers. Are there applications that require high LDAP write
> performance?
>
> I found the other benchmark paper here:
>
> http://highlandsun.com/hyc/SambaXP.pdf
>
> It includes figures for FDS. A summary can be found here:
>
> http://www.mail-archive.com/ldap@umich.edu/msg01151.html
>
> According to that paper, OpenLDAP pretty much blows away everyone else
> in performance and scalability. Nothing else is even close.
>
> Of course it is a benchmark. I'm sure someone will find some flaws :-)
Since everything in the code and benchmark tool set are freely available, you
can easily conduct tests on your own using your actual data. That's the best
way to get relevant results. But I'll note that on an earlier benchmark we
conducted, with a >150 million entry database at over 1 terabyte on disk,
OpenLDAP 2.3.21 was able to sustain over 4800 modifies per second concurrently
with 16000 reads per second, and full delta-syncrepl replication. (Without
writes, we were hitting 28000 reads per second, so there is definitely a
noticeable cost for writes.) Granted this was a large server with 480GB of RAM
and multiple strings of RAID storage, so I/O throughput wasn't a really huge
problem. I.e., our write rate at 150M entries (4800/sec) is still higher than
anyone else's fastest read rate at 10M entries, and their performance only gets
worse if you can even stand how long it takes to load a bigger DB.
At the time we ran this test (over a year ago now) we used an SGI Altix for the
server, since Itanium systems were pretty much the only hardware that supported
a single system image with so much RAM. Today I think you could outfit a Sun
Ultrasparc with the equivalent amount of RAM. It would be interesting to rerun
this test to see how Sparc performs against Itanium.
> Date: Mon, 16 Jul 2007 20:24:51 -0600
> From: David Boreham <david_list(a)boreham.org>
> Norman Gaywood wrote:
>> Yes it was a read-only test. But then that's the main application of
>> LDAP servers. Are there applications that require high LDAP write
>> performance?
>>
> It's pretty easy to achieve performance in excess of most applications'
> requirements for reads, but write performance is typically much lower
> (due to the need to maintain the WAL with many indices, usually).
> Replication makes the situation worse because the replication changelog
> also has to be written, reducing the available I/O resources for primary
> database writes. So in any given real-world application, it's often the
> write capacity that determines overall system capacity.
Yes, eventually hardware becomes the limiting factor (disk throughput in this
case) but most software in the world today is written so inefficiently that
you'll never see the true hardware limits. That tends to come from people
writing code with the mindset "it's OK to use inefficient algorithms, CPUs will
always get faster." Of course, we see that CPUs have now stopped getting
faster, at least in the single-threaded sense, and the real cost of that
inefficiency (in raw electricity as well as simple hardware provisioning cost)
is hitting home. We've spent a lot of effort trimming the fat from OpenLDAP,
deleting most of the original junk code and rewriting it extensively. As a
result, you rarely see anything but actual hardware limits in its performance,
and a single OpenLDAP installation can often support the load of 3-10 times as
many other products on identical hardware. It pays to sweat the small stuff.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
16 years, 8 months
[Fedora-directory-users] FDS Console on Windows
by Vampire D
Has anyone used the FDS console on Windows before? If so, how?
--
"Do the actors on Unsolved Mysteries ever get arrested because they look
just like the criminal they are playing?"
Christopher
16 years, 8 months
[Fedora-directory-users] how to search using attributes of the parent nodes
by Sergey Ivanov
Hi,
I'm looking for a way to create a search filter which can filter by
specifying attributes not only on the destination object, but also on its
parents in the directory tree.
Namely, I have mail aliases for virtual domains stored in the LDAP tree.
I have ou=mailAliases, and under it ou=<first.domain>,
ou=<second.domain> and so on.
Each of the domains has entries cn=<aliasName> of class mailGroup, with
attributes of mgrpRFC822MailMember holding the expansion for these aliases.
Things become complicated because each domain has different
representations. I can store them in the ou attributes of the domain's entry.
Can I search with a filter requesting an entry with cn=<local part of e-mail>
which belongs to a parent having ou=<domain part of email> in its
attributes?
So far I understand that I can't, and the only way to do it is to
create copies of these subtrees with DNs for each representation of the
domain name.
--
Sergey Ivanov.
16 years, 8 months
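Sergey's reading is right for a single search: an LDAP filter is evaluated only against the attributes of the candidate entry itself, not against its parents. The usual alternative to duplicating subtrees is two searches: first find the domain's ou entry by matching any of its ou values, then search one level beneath that entry for cn=<local part>. The following is an added example, not code from the thread, written as a pure-Python model so it runs without a directory server: it builds the two filters with RFC 4515 escaping (both halves of an e-mail address are untrusted input to a filter, so the escaping is the security-relevant part) and then evaluates the same plan against a constructed in-memory tree. The suffix ou=mailAliases,dc=example,dc=com, the domain names, the alias members and all function names are assumptions for the example.

```python
# Added example (not from the original thread): a pure-Python model of the
# two-step lookup that LDAP needs here, since a filter can only test the
# attributes of the entries being returned, never those of their parents.
# Step 1 finds the domain's ou entry by matching any of its ou values
# (the "different representations"); step 2 searches beneath that entry
# for cn=<local part>. The escaping helper matters because both pieces of
# the e-mail address are attacker-influenced input to a search filter.

BASE_DN = "ou=mailAliases,dc=example,dc=com"   # assumed suffix, not from the post


def escape_filter_value(value: str) -> str:
    """RFC 4515: encode the characters that would change a filter's structure."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def split_address(address: str) -> tuple:
    """Split local@domain; reject anything without both halves."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local@domain: %r" % address)
    return local, domain


def plan_two_step_search(address: str, base: str = BASE_DN) -> tuple:
    """Return the two searches a client would issue: (base, scope, filter)
    for the parent ou, and the filter to run one level under each match."""
    local, domain = split_address(address)
    step1 = (base, "onelevel",
             "(&(objectClass=organizationalUnit)(ou=%s))" % escape_filter_value(domain))
    step2_filter = "(&(objectClass=mailGroup)(cn=%s))" % escape_filter_value(local)
    return step1, step2_filter


# Constructed in-memory tree mirroring the layout in the post. The first
# domain's ou entry carries two spellings of the domain in its ou attribute.
DIRECTORY = {
    "ou=first.example.org," + BASE_DN: {
        "objectClass": ["organizationalUnit"],
        "ou": ["first.example.org", "first.org"]},
    "cn=postmaster,ou=first.example.org," + BASE_DN: {
        "objectClass": ["mailGroup"], "cn": ["postmaster"],
        "mgrpRFC822MailMember": ["alice@first.example.org"]},
    "ou=second.example.org," + BASE_DN: {
        "objectClass": ["organizationalUnit"], "ou": ["second.example.org"]},
    "cn=postmaster,ou=second.example.org," + BASE_DN: {
        "objectClass": ["mailGroup"], "cn": ["postmaster"],
        "mgrpRFC822MailMember": ["bob@second.example.org", "carol@second.example.org"]},
}


def _has_value(attrs: dict, name: str, wanted: str) -> bool:
    """Case-insensitive attribute value match, as LDAP does for these types."""
    return wanted.lower() in (v.lower() for v in attrs.get(name, []))


def _one_level_children(directory: dict, parent: str) -> list:
    """Entries directly beneath parent. Assumes no escaped commas in RDN
    values, so the comma count gives the depth."""
    depth = parent.count(",") + 1
    return [dn for dn in directory
            if dn.lower().endswith("," + parent.lower()) and dn.count(",") == depth]


def resolve_alias(directory: dict, address: str, base: str = BASE_DN) -> list:
    """Evaluate the two-step plan against the in-memory tree and return the
    alias expansion (mgrpRFC822MailMember values) for the address."""
    local, domain = split_address(address)
    members = []
    for parent in _one_level_children(directory, base):
        attrs = directory[parent]
        if not (_has_value(attrs, "objectClass", "organizationalUnit")
                and _has_value(attrs, "ou", domain)):
            continue
        for child in _one_level_children(directory, parent):
            cattrs = directory[child]
            if _has_value(cattrs, "objectClass", "mailGroup") and _has_value(cattrs, "cn", local):
                members.extend(cattrs.get("mgrpRFC822MailMember", []))
    return members


if __name__ == "__main__":
    print(plan_two_step_search("post(master)*@first.org"))
    print(resolve_alias(DIRECTORY, "postmaster@first.org"))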