[2066] | 1 | # To set up a new LDAP server: |
---|
[861] | 2 | |
---|
[2066] | 3 | # Temporarily move away the existing slapd-scripts folder |
---|
| 4 | mv /etc/dirsrv/slapd-scripts{,.bak} |
---|
[1645] | 5 | |
---|
[2066] | 6 | # Setup directory server |
---|
| 7 | /usr/sbin/setup-ds.pl |
---|
| 8 | # - Choose a typical install |
---|
| 9 | # - Tell it to use the fedora-ds user and group |
---|
| 10 | # - Directory server identifier: scripts |
---|
| 11 | # - Suffix: dc=scripts,dc=mit,dc=edu |
---|
| 12 | # - Input directory manager password |
---|
| 13 | # (this can be found in ~/.ldapvirc) |
---|
| 14 | |
---|
| 15 | # Move the schema back |
---|
| 16 | cp -R /etc/dirsrv/slapd-scripts.bak/{.svn,*} /etc/dirsrv/slapd-scripts |
---|
| 17 | rm -Rf /etc/dirsrv/slapd-scripts.bak |
---|
| 18 | |
---|
| 19 | # Turn dirsrv off: |
---|
| 20 | systemctl stop dirsrv.service |
---|
| 21 | |
---|
| 22 | # Apply the following configuration changes. If you're editing |
---|
| 23 | # dse.ldif, you don't want dirsrv to be on, otherwise it will |
---|
| 24 | # overwrite your changes. [XXX: show how to do these changes with |
---|
| 25 | # dsconf, which is the "blessed" method, although it seems |
---|
| 26 | # dsconf only exists for Red Hat] |
---|
| 27 | |
---|
| 28 | vim /etc/dirsrv/slapd-scripts/dse.ldif |
---|
| 29 | <<<EOF |
---|
| 30 | |
---|
[1645] | 31 | # Inside cn=config. These changes definitely require a restart. |
---|
| 32 | nsslapd-ldapilisten: on |
---|
[1698] | 33 | nsslapd-syntaxcheck: off |
---|
[1645] | 34 | |
---|
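[2066] | 35 | # We need to turn off syntax checking because our schema is wrong and too |
---|
| 36 | # restrictive on some values. With it off, the server stops validating attribute values against their syntax on write, so this should get fixed in the schema. |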
---|
| 37 | |
---|
[1645] | 38 | # Add these blocks |
---|
| 39 | |
---|
| 40 | # mapname, mapping, sasl, config |
---|
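| 41 | # This is the most liberal mapping you can have for SASL: you can |
---|
| 42 | # basically add authentication for any given GSSAPI mechanism by |
---|
| 43 | # explicitly creating the UID for that SASL string. Because the regex below matches every SASL identity string, the uid= entries under ou=People are effectively the only allow-list of identities that can bind, so control who can create entries there. |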
---|
| 44 | dn: cn=mapname,cn=mapping,cn=sasl,cn=config |
---|
| 45 | objectClass: top |
---|
| 46 | objectClass: nsSaslMapping |
---|
| 47 | cn: mapname |
---|
| 48 | nsSaslMapRegexString: \(.*\) |
---|
| 49 | nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 50 | nsSaslMapFilterTemplate: (objectClass=posixAccount) |
---|
| 51 | |
---|
[2066] | 52 | EOF; |
---|
[861] | 53 | |
---|
[2066] | 54 | systemctl start dirsrv.service |
---|
| 55 | |
---|
| 56 | ldapvi -b cn=config |
---|
| 57 | # Add these indexes (8 of them): |
---|
| 58 | |
---|
| 59 | <<<EOF |
---|
| 60 | |
---|
[880] | 61 | add cn=apacheServerName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 62 | objectClass: top |
---|
| 63 | objectClass: nsIndex |
---|
| 64 | cn: apacheServerName |
---|
| 65 | nsSystemIndex: false |
---|
| 66 | nsIndexType: eq |
---|
| 67 | nsIndexType: pres |
---|
| 68 | |
---|
| 69 | add cn=apacheServerAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 70 | objectClass: top |
---|
| 71 | objectClass: nsIndex |
---|
| 72 | cn: apacheServerAlias |
---|
| 73 | nsSystemIndex: false |
---|
| 74 | nsIndexType: eq |
---|
| 75 | nsIndexType: pres |
---|
| 76 | |
---|
[1473] | 77 | add cn=scriptsVhostName, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 78 | objectClass: top |
---|
| 79 | objectClass: nsIndex |
---|
| 80 | cn: scriptsVhostName |
---|
| 81 | nsSystemIndex: false |
---|
| 82 | nsIndexType: eq |
---|
| 83 | nsIndexType: pres |
---|
[880] | 84 | |
---|
[1473] | 85 | add cn=scriptsVhostAlias, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 86 | objectClass: top |
---|
| 87 | objectClass: nsIndex |
---|
| 88 | cn: scriptsVhostAlias |
---|
| 89 | nsSystemIndex: false |
---|
| 90 | nsIndexType: eq |
---|
| 91 | nsIndexType: pres |
---|
| 92 | |
---|
[1532] | 93 | add cn=scriptsVhostAccount, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 94 | objectClass: top |
---|
| 95 | objectClass: nsIndex |
---|
| 96 | cn: scriptsVhostAccount |
---|
| 97 | nsSystemIndex: false |
---|
| 98 | nsIndexType: eq |
---|
| 99 | nsIndexType: pres |
---|
| 100 | |
---|
[1473] | 101 | add cn=memberuid, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 102 | objectClass: top |
---|
| 103 | objectClass: nsIndex |
---|
| 104 | cn: memberuid |
---|
| 105 | nsSystemIndex: false |
---|
| 106 | nsIndexType: eq |
---|
| 107 | nsIndexType: pres |
---|
| 108 | |
---|
| 109 | add cn=uidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 110 | objectClass: top |
---|
| 111 | objectClass: nsIndex |
---|
| 112 | cn: uidnumber |
---|
| 113 | nsSystemIndex: false |
---|
| 114 | nsIndexType: eq |
---|
| 115 | nsIndexType: pres |
---|
| 116 | |
---|
| 117 | add cn=gidnumber, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config |
---|
| 118 | objectClass: top |
---|
| 119 | objectClass: nsIndex |
---|
| 120 | cn: gidnumber |
---|
| 121 | nsSystemIndex: false |
---|
| 122 | nsIndexType: eq |
---|
| 123 | nsIndexType: pres |
---|
| 124 | |
---|
[2066] | 125 | EOF; |
---|
| 126 | |
---|
[1473] | 127 | - Build the indexes for all the fields: |
---|
| 128 | |
---|
| 129 | /usr/lib64/dirsrv/slapd-scripts/db2index.pl -D "cn=Directory Manager" -j /etc/signup-ldap-pw -n userRoot |
---|
| 130 | |
---|
[1645] | 131 | (/etc/signup-ldap-pw holds the LDAP root password; make sure it's |
---|
| 132 | chowned to signup and chmodded so that only its owner can read it. Also, make sure it doesn't |
---|
| 133 | have a trailing newline: ldapsearch -y uses the complete file contents as the password.) |
---|
| 134 | |
---|
[1473] | 135 | - Watch for the indexing operations to finish with this command: |
---|
| 136 | |
---|
| 137 | ldapsearch -x -y /etc/signup-ldap-pw -D 'cn=Directory Manager' -b cn=tasks,cn=config |
---|
| 138 | |
---|
[1645] | 139 | (look for nsTaskStatus) |
---|
| 140 | |
---|
| 141 | - Set up replication. |
---|
| 142 | |
---|
| 143 | We used to tell people to go execute |
---|
| 144 | http://directory.fedoraproject.org/sources/contrib/mmr.pl manually |
---|
| 145 | (manually because that script assumes only two masters and we have |
---|
| 146 | every one of our servers set up as a master.) However, those |
---|
| 147 | instructions are inaccurate, because we use GSSAPI, not SSL and |
---|
| 148 | because the initializing procedure is actually prone to a race |
---|
| 149 | condition. Here are some better instructions. |
---|
| 150 | |
---|
| 151 | LDAP replication is based around producers and consumers. Producers |
---|
| 152 | push changes in LDAP to consumers: these arrangements are called |
---|
| 153 | "replication agreements" and the producer will hold a |
---|
| 154 | nsDS5ReplicationAgreement object that represents this commitment, |
---|
| 155 | as well as some extra configuration to say who consumers will accept |
---|
| 156 | replication data from (a nsDS5Replica). |
---|
| 157 | |
---|
| 158 | The procedure, at a high level, is this: |
---|
| 159 | |
---|
| 160 | 1. Pick an arbitrary existing master. The current server will |
---|
| 161 | be configured as a slave to that master. Initialize a changelog, |
---|
| 162 | then request a replication to populate our server with |
---|
| 163 | information. |
---|
| 164 | |
---|
| 165 | M1 <---> M2 ---> S |
---|
| 166 | |
---|
| 167 | 2. Configure the new server to be replicated back. |
---|
| 168 | |
---|
| 169 | M1 <---> M2 <---> S |
---|
| 170 | |
---|
[1983] | 171 | 3. Set up the rest of the replication agreements. |
---|
[1645] | 172 | |
---|
| 173 | M1 <---> M2 |
---|
| 174 | ^ ^ |
---|
| 175 | | | |
---|
| 176 | +--> S <--+ |
---|
| 177 | |
---|
[1983] | 178 | 4. Push a change from every existing server (to the new server), and |
---|
| 179 | then a change from the new server to (all) the existing servers. |
---|
| 180 | In addition to merely testing that replication works, this will |
---|
| 181 | set up the servers' changelogs properly. |
---|
| 182 | |
---|
[1986] | 183 | If this step is not completed before any server's LDAP server |
---|
| 184 | shuts down, then the replication agreements will fall apart the |
---|
| 185 | next time a change is made. You may wish to intentionally reboot |
---|
| 186 | any servers that look like they want to crash _before_ beginning |
---|
| 187 | this process. |
---|
[1983] | 188 | |
---|
[1645] | 189 | Here's how you do it. |
---|
| 190 | |
---|
[2066] | 191 | NOTE: There's this spiffy new tool MMR hammer which automates some of |
---|
| 192 | this process. Check the "MMR Hammer" sections to see how. Install it |
---|
| 193 | here: https://github.com/ezyang/mmr-hammer |
---|
| 194 | |
---|
[1986] | 195 | 0. Tell -c scripts not to go off and reboot servers until you're |
---|
| 196 | done (or to get any rebooting done with first). |
---|
[1983] | 197 | |
---|
[1645] | 198 | 1. Pull open the replication part of the database. It's fairly empty |
---|
| 199 | right now. |
---|
| 200 | |
---|
[1680] | 201 | ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config |
---|
[1645] | 202 | |
---|
| 203 | 2. Configure the server $SLAVE (this server) to accept $MASTER |
---|
| 204 | replications by adding the following LDAP entries: |
---|
| 205 | |
---|
| 206 | add cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config |
---|
| 207 | objectClass: top |
---|
| 208 | objectClass: nsDS5Replica |
---|
| 209 | cn: replica |
---|
| 210 | nsDS5ReplicaId: $REPLICA_ID |
---|
| 211 | nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu |
---|
| 212 | nsDS5Flags: 1 |
---|
| 213 | nsDS5ReplicaBindDN: uid=ldap/bees-knees.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 214 | nsDS5ReplicaBindDN: uid=ldap/busy-beaver.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 215 | nsDS5ReplicaBindDN: uid=ldap/cats-whiskers.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 216 | nsDS5ReplicaBindDN: uid=ldap/pancake-bunny.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 217 | nsDS5ReplicaBindDN: uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 218 | nsDS5ReplicaBindDN: uid=ldap/real-mccoy.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
[1677] | 219 | nsDS5ReplicaBindDN: uid=ldap/better-mousetrap.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 220 | nsDS5ReplicaBindDN: uid=ldap/old-faithful.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
[1698] | 221 | nsDS5ReplicaBindDN: uid=ldap/shining-armor.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
[2066] | 222 | nsDS5ReplicaBindDN: uid=ldap/golden-egg.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
[1645] | 223 | nsds5ReplicaPurgeDelay: 604800 |
---|
| 224 | nsds5ReplicaLegacyConsumer: off |
---|
| 225 | nsDS5ReplicaType: 3 |
---|
| 226 | |
---|
| 227 | $REPLICA_ID is the scripts$N number (stella $HOSTNAME to find |
---|
| 228 | out.) You might wonder why we are binding to all servers; |
---|
| 229 | weren't we going to replicate from only one server? That is |
---|
| 230 | correct, however, simply binding won't mean we will receive |
---|
[1677] | 231 | updates; we have to set up $MASTER to send data to $SLAVE. |
---|
[1645] | 232 | |
---|
| 233 | 3. Although we allowed those uids to bind, that user information |
---|
| 234 | doesn't exist on $SLAVE yet. So you'll need to create the entry |
---|
| 235 | for just $MASTER. |
---|
| 236 | |
---|
[2066] | 237 | REMEMBER: You need to use FOO.mit.edu for the names! Otherwise you will get |
---|
| 238 | unauthorized errors. |
---|
| 239 | |
---|
[1645] | 240 | add uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 241 | uid: ldap/$MASTER |
---|
| 242 | objectClass: account |
---|
| 243 | objectClass: top |
---|
| 244 | |
---|
| 245 | 4. Though our $SLAVE will not be making changes to LDAP, we need to |
---|
| 246 | initialize the changelog because we intend to be able to do this |
---|
| 247 | later. |
---|
| 248 | |
---|
| 249 | add cn=changelog5,cn=config |
---|
| 250 | objectclass: top |
---|
| 251 | objectclass: extensibleObject |
---|
| 252 | cn: changelog5 |
---|
| 253 | nsslapd-changelogdir: /etc/dirsrv/slapd-scripts/changelogdb |
---|
| 254 | |
---|
| 255 | 5. Ok, now go to your $MASTER server that you picked (it should have |
---|
| 256 | been one of the hosts mentioned in nsDS5ReplicaBindDN) and tell |
---|
| 257 | it to replicate to $SLAVE. |
---|
| 258 | |
---|
[1680] | 259 | The last line of the entry below (nsDS5BeginReplicaRefresh: start) runs the replication. This is perhaps the most |
---|
| 260 | risky step of the process; see below for help debugging problems. |
---|
| 261 | |
---|
[2068] | 262 | MMR Hammer: |
---|
| 263 | mmr-hammer -h $MASTER init agreements $SLAVE |
---|
| 264 | mmr-hammer -h $MASTER update $SLAVE # XXX pick a better name |
---|
[1677] | 265 | |
---|
[2066] | 266 | ldapvi -b cn=\"dc=scripts,dc=mit,dc=edu\",cn=mapping\ tree,cn=config |
---|
| 267 | |
---|
[1645] | 268 | add cn="GSSAPI Replication to $SLAVE", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config |
---|
| 269 | objectClass: top |
---|
| 270 | objectClass: nsDS5ReplicationAgreement |
---|
| 271 | cn: "GSSAPI Replication to $SLAVE" |
---|
| 272 | cn: GSSAPI Replication to $SLAVE |
---|
| 273 | nsDS5ReplicaHost: $SLAVE |
---|
| 274 | nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu |
---|
| 275 | nsDS5ReplicaPort: 389 |
---|
| 276 | nsDS5ReplicaTransportInfo: LDAP |
---|
[1680] | 277 | nsDS5ReplicaBindDN: uid=ldap/$MASTER,ou=People,dc=scripts,dc=mit,dc=edu |
---|
[1645] | 278 | nsDS5ReplicaBindMethod: SASL/GSSAPI |
---|
| 279 | nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" |
---|
| 280 | nsDS5ReplicaTimeout: 120 |
---|
| 281 | nsDS5BeginReplicaRefresh: start |
---|
| 282 | |
---|
| 283 | 5. Check that the replication is running; the status will be stored |
---|
| 284 | in the object we've been mucking around with. |
---|
| 285 | |
---|
| 286 | If it fails with LDAP Error 49, check /var/log/dirsrv on $MASTER |
---|
| 287 | for more information. It might be because fedora-ds can't read |
---|
[2066] | 288 | /etc/dirsrv/keytab or because you set up the account on the SLAVE |
---|
| 289 | incorrectly. |
---|
[1645] | 290 | |
---|
| 291 | 6. Replicate in the other direction. On $MASTER, add $SLAVE |
---|
| 292 | as a nsDS5ReplicaBindDN in cn=replica,cn="dc=scripts,dc=mit,dc=edu",cn=mapping tree,cn=config |
---|
[2066] | 293 | Also, add an account for $SLAVE if it doesn't exist already. |
---|
[1645] | 294 | |
---|
| 295 | add uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 296 | uid: ldap/$SLAVE |
---|
| 297 | objectClass: account |
---|
| 298 | objectClass: top |
---|
| 299 | |
---|
| 300 | On $SLAVE, |
---|
| 301 | |
---|
[2066] | 302 | MMR Hammer: mmr-hammer -h $SLAVE init agreements $MASTER |
---|
| 303 | |
---|
[1645] | 304 | add cn="GSSAPI Replication to $MASTER", cn=replica, cn="dc=scripts,dc=mit,dc=edu", cn=mapping tree, cn=config |
---|
| 305 | objectClass: top |
---|
| 306 | objectClass: nsDS5ReplicationAgreement |
---|
| 307 | cn: "GSSAPI Replication to $MASTER" |
---|
| 308 | cn: GSSAPI Replication to $MASTER |
---|
| 309 | nsDS5ReplicaHost: $MASTER |
---|
| 310 | nsDS5ReplicaRoot: dc=scripts,dc=mit,dc=edu |
---|
| 311 | nsDS5ReplicaPort: 389 |
---|
| 312 | nsDS5ReplicaTransportInfo: LDAP |
---|
| 313 | nsDS5ReplicaBindDN: uid=ldap/$SLAVE,ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 314 | nsDS5ReplicaBindMethod: SASL/GSSAPI |
---|
| 315 | nsDS5ReplicaUpdateSchedule: "0000-2359 0123456" |
---|
| 316 | nsDS5ReplicaTimeout: 120 |
---|
| 317 | |
---|
| 318 | If you get a really scary internal server error, that might mean you |
---|
| 319 | forgot to initialize the changelog. Remove the replication |
---|
| 320 | agreement (you'll need to turn off dirsrv), add the changelog, and |
---|
| 321 | then try again. |
---|
| 322 | |
---|
[1983] | 323 | 7. Repeat step 6 to complete the graph of replications (i.e., from |
---|
| 324 | every other server to the new server, and from the new server to |
---|
| 325 | every other server). |
---|
| 326 | |
---|
| 327 | Note the only difference between steps 5 and 6 is the lack of |
---|
| 328 | nsDS5BeginReplicaRefresh: start. That only needs to be done once, to the |
---|
| 329 | new server. |
---|
| 330 | |
---|
[2066] | 331 | With MMR hammer, that's something like: |
---|
| 332 | |
---|
| 333 | for i in $SERVER_NAMES; do mmr-hammer -h $i init agreements $SERVER_NAMES; done |
---|
| 334 | |
---|
[1983] | 335 | 8. If at this point you look at the new server's changelog with |
---|
| 336 | cl-dump (preferably /mit/scripts/admin/cl-dump.pl, to not prompt you |
---|
| 337 | for a password), you won't see the servers you added in step 7. So, |
---|
| 338 | from each of those servers, make a change to some record so it gets |
---|
| 339 | propagated to the new server, and then one from the new server so it |
---|
| 340 | gets propagated to all the existing servers' changelogs. This is |
---|
| 341 | also good for making sure the replication agreements actually work. |
---|
| 342 | |
---|
[2066] | 343 | With MMR hammer, that's something like: |
---|
| 344 | |
---|
| 345 | for i in $SERVER_NAMES; do mmr-hammer -h $i test; sleep 20; done |
---|
| 346 | |
---|
[1672] | 347 | Troubleshooting |
---|
| 348 | =============== |
---|
| 349 | |
---|
[1677] | 350 | LDAP multimaster replication can fail in a number of colorful ways; |
---|
| 351 | combine that with GSSAPI authentication and it goes exponential. |
---|
| 352 | |
---|
| 353 | If authentication is failing with LDAP error 49, check if: |
---|
| 354 | |
---|
| 355 | * /etc/dirsrv/keytab exists |
---|
| 356 | * fedora-ds is able to read /etc/dirsrv/keytab |
---|
| 357 | * /etc/hosts has not been modified by Network Manager (you |
---|
| 358 | /did/ uninstall it, right? Right?) |
---|
| 359 | |
---|
[1672] | 360 | If the failure is local to a single master, usually you can recover |
---|
| 361 | by asking another master to refresh that master with: |
---|
| 362 | |
---|
| 363 | nsDS5BeginReplicaRefresh: start |
---|
| 364 | |
---|
| 365 | In practice, we've also had problems with this technique. Some of them |
---|
| 366 | include: |
---|
| 367 | |
---|
| 368 | * Something like https://bugzilla.redhat.com/show_bug.cgi?id=547503 |
---|
| 369 | on Fedora 11 ns-slapd, where replication is turned off to do the |
---|
| 370 | replication, but then it wedges and you need to forcibly kill the |
---|
| 371 | process. |
---|
| 372 | |
---|
| 373 | * Failed LDAP authentication because another master attempted to do |
---|
| 374 | an incremental update. |
---|
| 375 | |
---|
| 376 | * Repropagation of the error because the corrupt master thinks it still |
---|
| 377 | should push updates. |
---|
| 378 | |
---|
| 379 | So the extremely safe method to bring up a crashed master is as follows: |
---|
| 380 | |
---|
| 381 | 1. Disable all incoming and outgoing replication agreements by editing |
---|
| 382 | /etc/dirsrv/slapd-scripts/dse.ldif. You'll need to munge: |
---|
| 383 | |
---|
| 384 | nsDS5ReplicaBindDN in cn=replica,cn=dc\3Dscripts\2Cdc\3Dmit\2Cdc\3Dedu,cn=mapping tree,cn=config |
---|
| 385 | |
---|
| 386 | and all of the push agreements. Deleting them outright works, but |
---|
| 387 | means you'll have to reconstruct all of the agreements from scratch. |
---|
| 388 | |
---|
| 389 | 2. Bring up the server. |
---|
| 390 | |
---|
| 391 | 3. Accept incoming replication data from a single server. |
---|
| 392 | |
---|
| 393 | 4. Initiate a full update from that server. |
---|
| 394 | |
---|
| 395 | 5. Finish setting up replication as described above. |
---|
| 396 | |
---|
| 397 | If your database gets extremely fucked, other servers may not be able |
---|
| 398 | to authenticate because your authentication information has gone missing. |
---|
| 399 | In that case, the minimal set of entries you need is: |
---|
| 400 | |
---|
| 401 | add dc=scripts,dc=mit,dc=edu |
---|
| 402 | objectClass: top |
---|
| 403 | objectClass: domain |
---|
| 404 | dc: scripts |
---|
| 405 | |
---|
| 406 | add ou=People,dc=scripts,dc=mit,dc=edu |
---|
| 407 | objectClass: top |
---|
| 408 | objectClass: organizationalunit |
---|
| 409 | ou: People |
---|
| 410 | |
---|
[1677] | 411 | add uid=ldap/whole-enchilada.mit.edu,ou=People,dc=scripts,dc=mit,dc=edu |
---|
[1672] | 412 | objectClass: account |
---|
| 413 | objectClass: top |
---|
[1677] | 414 | uid: ldap/whole-enchilada.mit.edu |
---|