openldap-bugs December 2007

openldap-bugs@openldap.org

45 participants
166 discussions

(ITS#5278) doc contribution - set examples - recursive groups
by andreas＠mandriva.com.br 13 Dec '07

13 Dec '07

Full_Name: Andreas Hasenack Version: 2.4.6 OS: Linux URL: http://users.mandriva.com.br/~andreas/ldap-doc/doc-set-examples/set-recursi… Submission from: (NULL) (200.140.247.99) Please find at http://users.mandriva.com.br/~andreas/ldap-doc/doc-set-examples/set-recursi… a documentation contribution giving set examples. So far, it has one example (recursive groups) and I will expand it to include more examples in the future. It is not in the form of a patch because I'm not sure in the guide where it would fit in, considering that the ACL part is duplicated (cn=config and slapd.conf) and will probably be changed. These files are derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Andreas Hasenack <andreas(a)mandriva.com.br>. These modifications are not subject to any license of Mandriva. I, Andreas Hasenack, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.

1 0

Re: (ITS#5274) add search to online docs
by h.b.furuseth＠usit.uio.no 13 Dec '07

13 Dec '07

kurt(a)OpenLDAP.org writes: > There are lots of existing ways of searching an admin guide. > > First, most web search engines can be told to localize their search to > a set of pages. For instance: > http://www.google.com/search?q=site:www.openldap.org/doc/admin24+rwm Not everyone knows how to do that. And in some cases such a Google search gives a better interface than a browser search, since it can show all resulsts together, with some context. The HTML seems easy enough - I derived this from a "search within results" form in a Google search: <form action="http://www.google.com/search"> <input type=hidden name=q value="site:openldap.org/doc/admin24"> <input type=text name=as_q size=31 maxlength=256 value=""> <input type=submit name=btnG VALUE="Search Admin Guide"> </form> I don't know how easy it is to auto-insert it in the Guide though. (Could easily be put as a third column in the /doc/index.html table I imagine.) -- Regards, Hallvard

1 0

Re: (ITS#5274) add search to online docs
by kurt＠OpenLDAP.org 13 Dec '07

13 Dec '07

On Dec 12, 2007, at 12:02 PM, craig5(a)pobox.com wrote: > Full_Name: Craig Sebenik > Version: 2.3.35 > OS: CentOS 4.5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (209.220.152.66) > > > It would be helpful if the admin documentation on the OpenLDAP web > pages had > some way to search. There are lots of existing ways of searching an admin guide. First, most web search engines can be told to localize their search to a set of pages. For instance: http://www.google.com/search?q=site:www.openldap.org/doc/admin24+rwm Second, the guide is available as a readily searchable single HTML document. Third, the guide is available as readily searchable PDF document. > > > http://www.openldap.org/doc/admin24/ > > IMO, it would be fantastic if there was a simple search box on each > page and an > "advanced search page" with more options. Use your browsers built-in search functions to search any single page, and if they aren't advanced enough for you, try a different browser. > However, a simple search box on just > the main page would be a great start. See above suggestions. Lastly, such things are easier said than done. I simply don't see sufficient value here to warrant expending the significant resources it would take to design, implement, test, and deploy a solution fulfilling this request. -- Kurt

1 0

Re: (ITS#5274) add search to online docs
by ghenry＠OpenLDAP.org 13 Dec '07

13 Dec '07

craig5(a)pobox.com wrote: > Full_Name: Craig Sebenik > Version: 2.3.35 > OS: CentOS 4.5 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (209.220.152.66) > > > It would be helpful if the admin documentation on the OpenLDAP web pages had > some way to search. > > http://www.openldap.org/doc/admin24/ > > IMO, it would be fantastic if there was a simple search box on each page and an > "advanced search page" with more options. However, a simple search box on just > the main page would be a great start. > > Maybe htdig or similar, or a custom Google link? -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

1 0

(ITS#5277) Feature request: Impose SSL/TLS for some addresses/interfaces
by michele.codutti＠uniud.it 13 Dec '07

13 Dec '07

Full_Name: Michele Codutti Version: 2.3 OS: Linux/Debian URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (158.110.7.132) Recently I need to implement a clustered system of OpenLDAP with syncrepl replication method. Every node has two interfaces: one public (let's say eth0) and one connected to a private subnet (let's say eth1). What I want is to impose only SSL/TLS connection on eth0 and unencrypted connection on eth1. I want this because is useless to encrypt syncrepl traffic through the private (dedicated and secured) subnet. I haven't found any directive that do what I want. At last I've implemented a solution suggested by Pierangelo Masaratti. I imposed TLS/SSL by these ACL's: access to * by sockurl="ldap://$PUBLIC_NAME" ssf=128 break by sockurl="ldap://$PUBLIC_NAME" stop by sockurl="ldaps://$PUBLIC_NAME" ssf=128 break by sockurl="ldaps://$PUBLIC_NAME" stop by * break Pierangelo also suggested me to write an ITS to ask for a specific directive to do this more naturaly. So here I'm. Could it be done?

1 0

(ITS#5236) core.ldif differs from core.schema
by hyc＠symas.com 12 Dec '07

12 Dec '07

Michael Ströder wrote: > HI! > > following up on this because some older schema files reference > 'countryName' (and worked with RE23). > > Howard Chu wrote: >> I'm puzzled why RFC4519 drops the 'countryName' alias for this type >> from the RFC2256 definition. > > Me too... > > How to deal with that (except changing the schema files of other vendors)? After chatting with Kurt, we confirmed that there was no reason to drop the alias from our schema files, so I've restored it. (Implementations are allowed to recognize multiple names for the same attribute. Since slapd still only generates the canonical name in its output, we are still conformant.) -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5261) Samba4 can 'hang' OpenLDAP slapd
by hyc＠symas.com 12 Dec '07

12 Dec '07

Andrew Bartlett wrote: > On Tue, 2007-12-11 at 14:22 -0800, Howard Chu wrote: >> Andrew Bartlett wrote: >>> I wonder if there is a known issue with db 4.6 and OpenLDAP, as Fedora's >>> OpenLDAP seems to include it's own libslapd_db-4.4.so (it has a >>> slapd_db_stat to match, for 4.4). >> I think they packaged that to avoid using BDB 4.3 which was known to be >> broken. I've been using OpenLDAP with BDB 4.6.1 thru 4.6.3, and 4.6.18 thru >> 4.6.21 without any trouble. > > Where there any further clues on my deadlock in the db_stat output? I've just built Samba4 from svn and tried to run this test, but it fails much earlier on my AMD64 system. It looks like your ldbsearch client is generating an invalid request, perhaps it's not 64-bit aware. In st/dc/private/ldap/logs I see: >>> slap_listener(ldapi://%2Fhome%2Fsoftware%2FSAMBA_4_0%2Fsource%2Fst%2Fdc%2Fprivate%2Fldap%2Fldapi) daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: listen=7, new connection on 20 daemon: activity on 1 descriptor daemon: activity on: 20r daemon: read active on 20 daemon: added 20r (active) listener=(nil) daemon: epoll: listen=7 active_threads=0 tvp=NULL connection_get(20) connection_get(20): got connid=0 connection_read(20): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 80 04 00 0a 01 00 0a 01 ........ ber_get_next on fd 20 failed errno=34 (Numerical result out of range) connection_read(20): input error=-2 id=0, closing. All LDAP requests should begin with 0x30, the BER Sequence tag. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#5275) Poor LDAP performance when we reach 1000 connections
by hyc＠symas.com 12 Dec '07

12 Dec '07

The ITS is for tracking actual bugs. There is no evidence of anything other than a misconfiguration issue here. Use the OpenLDAP-software mailing list for questions about how to use the software. This ITS will be closed. hodson.chris(a)orbital.com wrote: > Full_Name: Chris Hodson > Version: 2.3.32 > OS: Red Hat EL 4 Rel 4 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (198.207.0.5) > > > We're using a Red Hat EL 4 release 4 box to run openLDAP version 2.3.32. > Every night we find ourselves reaching 1000+ (netstat | grep ldap | wc -l) > connections to our LDAP server and have found the only resolution to restart the > LDAP service daily. When we get to 1000+ connections performance takes a huge > hit and no one is able to login to any box utilizing LDAP. This server consists > of 2 dual core Opeterons with 8 GBs of memory, so its not a hardware performance > issue. > We're able to duplicate this issue on a RHEL 4 release 5 box also when we reach > 1000+ connections using the same config files. Is there a setting that needs > adjusting so connections timeout or some other config file misconfiguration? > > > Any help would be much appreciated. > Thank you. > > > . > -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#5276) include handler broken
by quanah＠zimbra.com 12 Dec '07

12 Dec '07

Full_Name: Quanah Gibson-Mount Version: 2.3.39 OS: Linux 2.6 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (66.92.25.194) In discussions with a fellow on IRC, it looks like the include handler has some serious problems. For example with this slapd.conf, we get: #ucdata-path "/opt/zimbra/openldap/ucdata" include "/opt/zimbra/openldap/etc/openldap/schema/core.schema" include "/opt/zimbra/openldap/etc/openldap/schema/cosine.schema" include "/opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema" include "/opt/zimbra/openldap/etc/openldap/schema/amavisd.schema" include "/opt/zimbra/openldap/etc/openldap/schema/zimbra.schema" include "/opt/zimbra/lib/conf/zimbra-ext.schema" threads 8 pidfile "/opt/zimbra/openldap/var/run/slapd.pid" argsfile "/opt/zimbra/openldap/var/run/slapd.args" TLSCertificateFile /opt/zimbra/conf/slapd.crt TLSCertificateKeyFile /opt/zimbra/conf/slapd.key TLSVerifyClient never loglevel 32768 # Load dynamic backend modules: modulepath /opt/zimbra/openldap/libexec/openldap moduleload back_bdb.la moduleload back_monitor.la moduleload syncprov.la moduleload accesslog.la <acl lines snipped> database config rootpw {SSHA}+wKEnqbcbxssdGDKx1LeNsoL90Ha2Lzx database monitor rootdn "cn=config" access to dn.children="cn=monitor" by dn.children="cn=admins,cn=zimbra" read include /opt/zimbra/conf/bdb-conf include /opt/zimbra/conf/syncrepl-conf bdb-conf is: database bdb suffix "" rootdn "cn=config" cachesize 10000 idlcachesize 10000 checkpoint 64 5 directory "/opt/zimbra/openldap-data" index objectClass eq sizelimit unlimited timelimit unlimited And we can see it is clearly processed, so why is the syncrepl line getting tagged to the monitor backend? line 47 (index entryCSN eq) index entryCSN 0x0004 line 48 (sizelimit unlimited) line 49 (timelimit unlimited) line 154 (include /opt/zimbra/conf/syncrepl-conf) reading config file /opt/zimbra/conf/syncrepl-conf line 13 (syncrepl ***) /opt/zimbra/conf/syncrepl-conf: line 13: database monitor does not support operations required for syncrepl /opt/zimbra/conf/slapd.conf: line 154: <include> handler exited with 1! Another example of this problem can be seen at: http://pastebin.com/d16e9b905

1 0

Re: (ITS#5275) Poor LDAP performance when we reach 1000 connections
by quanah＠zimbra.com 12 Dec '07

12 Dec '07

So fix your file descriptors. --Quanah --On December 12, 2007 11:02:51 PM +0000 hodson.chris(a)orbital.com wrote: > Full_Name: Chris Hodson > Version: 2.3.32 > OS: Red Hat EL 4 Rel 4 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (198.207.0.5) > > > We're using a Red Hat EL 4 release 4 box to run openLDAP version 2.3.32. > Every night we find ourselves reaching 1000+ (netstat | grep ldap | wc > -l) connections to our LDAP server and have found the only resolution to > restart the LDAP service daily. When we get to 1000+ connections > performance takes a huge hit and no one is able to login to any box > utilizing LDAP. This server consists of 2 dual core Opeterons with 8 GBs > of memory, so its not a hardware performance issue. > We're able to duplicate this issue on a RHEL 4 release 5 box also when we > reach 1000+ connections using the same config files. Is there a setting > that needs adjusting so connections timeout or some other config file > misconfiguration? > > > Any help would be much appreciated. > Thank you. > > -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

← Newer
1
...
5
6
7
8
9
10
11
...
17
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs December 2007