RE: (ITS#7434) idassert-bind fails after restarting slapd
by blance3459@hotmail.com
Okay, trying again with Thunderbird since Hotmail is determined only to send
in HTML format...
Quanah,
Trying to post a reply using my Hotmail account. Sorry for the
unreadable output previously posted. I'm almost embarrassed to say I've
been involved in IT for over 15 years and never used a mailing list before.
Anyhow, I did download the source packages and compiled them. However,
the semester was winding down and I was under a lot of pressure to have
something completed before the end of finals week so my professor could
assign me a grade for the work I had done. I reverted back to my
previous version to get some stuff written. Not to mention, my
algorithms professor was kicking my butt too. Will I ever "really" need
an FFT in the real world? lol
The more I looked at what I was trying to accomplish, I realized I was
attacking the problem all wrong. What I was being asked to do was
something more like configuring my two slapd servers to act more like
Active Directory global catalog servers. GC's utilize MM instead of
single master replication so I scrapped the SM replication design in
favor of MM. Once this was done, I no longer needed the chaining
overlay or proxy auth. I now have MM replication of both cn=config and
my directory data (with delta) working and my Kerberos KDC's are happy.
One thing I did find was that configuring MM replication made me learn a
little more about how to "properly" name/configure an overlay with the
syncprov and accesslog modules by digging into the test scripts. I had
some issues with sync state on the consumers, but I found a post you
made to someone else a few years back that solved my delta replication
issue by configuring a syncprov overlay on the accesslog db. Not sure
I remember seeing that in the Admin Guide.
Looking back at the original post I noticed the chain overlay I had
configured was dn:
olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config.
Knowing what I know now, I'm not 100% sure that was
correct. Shouldn't that overlay have been in either config database of
my directory or ldap backend database for the chain rather than a
"frontend"? Just a thought I've been kicking around in my head.
Either way, I have my ldap config working. We can either close this
issue if you'd like or leave it open and I'll attempt to confirm my
theory on the overlay not being properly located when I get a chance.
Completely your choice.
But I do have a couple questions on my MM replication of cn=config if
you want to take them. First, does it make sense or is it possible to
do delta replication on cn=config? The data "on the wire" seems like it
would be much smaller and less frequent than directory data so perhaps
it's not as beneficial? Secondly, I am using a simple bind with this
replication agreement (versus sasl/gssapi and tls for my directory
data). When configuring limits and acl's for replication of my dit, I
created a groupofnames (cn=replicators, ou=groups, dc=example,dc=net)
that has each ldap server as a member. My thought process was that this
made the solution a bit more scalable. As ldap servers were added to
the topology, they could be added to the group of names and
automatically be given the correct permissions and limits. Likewise, as
servers are decommissioned, they could easily be removed by deleting them
from the group and directory. Can I use this same group of names in
cn=config replication by creating a similar limit and acl using this
group of names? Since I am handling the formatting of the gssapi uid in
cn=config (maybe a mistake if I ever wanted to be able to handle
multiple directories/domains), can I use the gssapi authentication of
hosts in dc=example,dc=net? Seems I should be able to since it appears
that when the authorization occurs in the database, the bind id is
assumed to be already authenticated and accepted as presented with no
further authentication taking place. I'm thinking that so long as that
uid is formatted into a dn listed in an acl, the matching access is
applied? Am I way off base in my thinking? Now that I have a rough
workable solution I'm just trying to pretty it up a bit and make the
design more efficient and scalable.
Thanks
Barry
10 years, 10 months
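As an added example, not Barry's own configuration or anything posted in this thread, here is a cn=config LDIF for the arrangement he describes: an accesslog database carrying its own syncprov overlay for delta-syncrepl, the accesslog overlay and mirror-mode syncrepl on the data database, and read access plus unlimited size/time limits granted through the cn=replicators groupOfNames. Database ordering, directory paths, the replication id and the provider hostname are assumptions.

```ldif
# Assumed layout: {1}mdb is the accesslog db, {2}mdb holds dc=example,dc=net.
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=accesslog
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# The change log records every write: only the replicator group may read it,
# and a consumer replaying a backlog must not be cut off by size/time limits.
olcAccess: to *
  by group/groupOfNames/member.exact="cn=replicators,ou=groups,dc=example,dc=net" read
  by * none
olcLimits: group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=net"
  size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

# syncprov on the accesslog database: delta-syncrepl consumers sync from here.
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# Data database: mirror-mode peer that consumes the other server's accesslog
# over a GSSAPI bind (rid and provider hostname are placeholders).
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap/data
olcSuffix: dc=example,dc=net
olcLimits: group/groupOfNames/member="cn=replicators,ou=groups,dc=example,dc=net"
  size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
olcMirrorMode: TRUE
olcSyncrepl: rid=001 provider=ldap://master.example.net
  bindmethod=sasl saslmech=GSSAPI searchbase="dc=example,dc=net"
  type=refreshAndPersist retry="60 +" syncdata=accesslog
  logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"

# accesslog overlay: log successful writes to cn=accesslog, purge after 7 days.
dn: olcOverlay=accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

# syncprov on the data database too, so a consumer that has fallen behind
# the accesslog retention window can fall back to a full refresh.
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
```

Each peer carries the mirror image of the olcSyncrepl value (pointing at the other server), and the group ACL only works once the GSSAPI identity of each server maps to a DN that is a member of cn=replicators.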
ITS#7434
by blance3459@hotmail.com
10 years, 10 months
Re: (ITS#7406) Search with scope for newer entries don't work
by quanah@zimbra.com
--On Monday, October 01, 2012 10:20 AM +0200 Andrea Stefanello
<a.stefanello(a)mclink.eu> wrote:
> Thanks,
>
> my 2 mirror (Master-Master) servers say:
>
> ebuild U ] net-nds/openldap-2.4.30::gentoo [2.4.23-r1::MC-link-NOC]
>
> Upgrading to 2.4.30 doesn't cause problems, is that correct?
>
> Can I upgrade quietly or do I have to do some pre-operations?
You should be able to upgrade in place w/o issue. I would suggest OpenLDAP
2.4.33 instead of 2.4.30 though.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
10 years, 10 months
RE: (ITS#7434) idassert-bind fails after restarting slapd
by quanah@zimbra.com
--On Tuesday, December 04, 2012 4:37 PM +0000 blance3459(a)hotmail.com wrote:
> Quanah,
>
> I finally got back around to working on this over the last couple of
> days. Where I'm at with my project is: I have two servers (virtual
> machines), named master and replica, with slapd configured with my
> directory information and single-master replication between them.
> I created a Kerberos realm and various principals in open ldap.
> Replication access is authenticated using sasl/gssapi with the slapd
> principal, ldap/replica.example.net.
> k5start has been added to system startup to build the credential cache
> for slapd.
Hi Barry,
Two things: Please use an email client that can create emails that are
readable, instead of whatever it is you're doing now. ;)
Second, you never answered about trying a current release of OpenLDAP. I
pointed out two bits that may have resulted in your situation being fixed.
Thanks,
Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
10 years, 10 months
Re: (ITS#7487) memberof & mirrormode with delta-syncrepl crashing when using dynamic configuration
by masarati@aero.polimi.it
>> > slapd: memberof.c:1465: memberof_res_modify: Assertion `0' failed.
>>
>> If you have the core file handy, or if you can quickly reproduce the
>> problem, could you print the value of ml->sml_mod, i.e. from within gdb:
>>
>> (to see the backtrace)
>> $ bt
>> (where <x> is the number of the frame of function memberof_res_modify)
>> $ f <x>
>> (to see the value)
>> $ print ml->sml_mod
>
> (gdb) bt
> #0 0x00000032b04328a5 in raise () from /lib64/libc.so.6
> #1 0x00000032b0434085 in abort () from /lib64/libc.so.6
> #2 0x00000032b042ba1e in __assert_fail_base () from /lib64/libc.so.6
> #3 0x00000032b042bae0 in __assert_fail () from /lib64/libc.so.6
> #4 0x00000000004fc989 in memberof_res_modify (op=0x7fffebffe330,
> rs=<value optimized out>) at memberof.c:1465
> #5 0x000000000042f91e in slap_response_play (op=0x7fffebffe330,
> rs=0x7fffebffd620) at result.c:507
> #6 0x00000000004304a9 in send_ldap_response (op=0x7fffebffe330,
> rs=0x7fffebffd620) at result.c:582
> #7 0x000000000043119c in slap_send_ldap_result (op=0x7fffebffe330,
> rs=0x7fffebffd620) at result.c:860
> #8 0x00000000004b4035 in mdb_modify (op=0x7fffebffe330,
> rs=0x7fffebffd620) at modify.c:656
> #9 0x00000000004845a7 in overlay_op_walk (op=0x7fffebffe330,
> rs=0x7fffebffd620, which=op_modify, oi=0x963b20, on=0x0) at
> backover.c:671
> #10 0x0000000000484f87 in over_op_func (op=0x7fffebffe330, rs=<value
> optimized out>, which=<value optimized out>) at backover.c:723
> #11 0x000000000047738d in syncrepl_message_to_op (si=0x9636f0,
> op=0x7fffebffe330, msg=<value optimized out>) at syncrepl.c:2318
> #12 0x000000000047b1bf in do_syncrep2 (op=0x7fffebffe330, si=0x9636f0)
> at syncrepl.c:986
> #13 0x00000000004809c2 in do_syncrepl (ctx=<value optimized out>,
> arg=0x963ee0) at syncrepl.c:1523
> #14 0x00000000004210e1 in connection_read_thread (ctx=0x7fffebffeab0,
> argv=<value optimized out>) at connection.c:1288
> #15 0x00000000005230a0 in ldap_int_thread_pool_wrapper
> (xpool=0x8b7640) at tpool.c:688
> #16 0x00000032b0807851 in start_thread () from /lib64/libpthread.so.0
> #17 0x00000032b04e811d in clone () from /lib64/libc.so.6
> (gdb) f 4
> #4 0x00000000004fc989 in memberof_res_modify (op=0x7fffebffe330,
> rs=<value optimized out>) at memberof.c:1465
> 1465 assert( 0 );
> (gdb) print ml->sml_mod
> $1 = {sm_desc = 0x9640f0, sm_values = 0x7fffe00009b0, sm_nvalues =
> 0x7fffe00009d0, sm_numvals = 1, sm_op = 4097, sm_flags = 0, sm_type =
> {bv_len = 48,
> bv_val = 0x70756f72673d6e63 <Address 0x70756f72673d6e63 out of
> bounds>}}
> (gdb)
Indeed, sm_op == SLAP_MOD_SOFTDEL, as I inferred from syncrepl code,
thanks for the feedback. Internal special modification types should be
handled now in HEAD code. Could you pull it from git and test, please?
Instructions here <http://www.openldap.org/software/repo.html>.
Thanks, p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
10 years, 10 months