openldap-software December 2006

openldap-software@openldap.org

60 participants
65 discussions

a small patch for back-sql
by Robert Brooks 20 Dec '06

20 Dec '06

Pierangelo, back-sql fails to compile with BACKSQL_TRACE defined, I think this is the correct fix. It also appears that objectClass searches fail (with mysql odbc) if there is no data in the ldap_entry_objclasses table. Just a simple dummy entry like this is enough to fix the problem. +----------+----------+ | entry_id | oc_name | +----------+----------+ | 0 | dcObject | +----------+----------+ Let me know if you'd like more information. I believe this is the issue noted here... http://www.openldap.org/lists/openldap-software/200508/msg00450.html Regards, Rob -- Robert Brooks, Network Manager, Cable & Wireless UK <robb(a)wtg.cw.com> http://wtg.cw.com/ Tel: +44 (0)20 7339 8600 Fax: +44 (0)20 7339 8601 - "What was your username again?" - BOFH -

2 1

Question about conn_max_pending configuration options
by TechnoSophos 20 Dec '06

20 Dec '06

On the conn_max_pending and conn_max_pending_auth params, what exactly is a "pending request"? Is this a request that slapd has not yet processed? For example, is a search request "pending" if slapd is in the process of evaluating it, but has not yet returned? Thanks, Matt

3 2

using jpegPhoto
by Roger Thomas 20 Dec '06

20 Dec '06

I came across the . Database Creation and Maintenance Tools at http://www.openldap.org/doc/admin23/dbtools.html which outlined 2 methods of storing jpegPhoto (towards the end of the documentation). One using base64 encode and the other using location indicated by URL: # Bjorn's Entry dn: cn=Bjorn J Jensen,dc=example,dc=com cn: Bjorn J Jensen cn: Bjorn Jensen objectClass: person sn: Jensen # Base64 encoded JPEG photo jpegPhoto:: /9j/4AAQSkZJRgABAAAAAQABAAD/2wBDABALD A4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQ ERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVG # Jennifer's Entry dn: cn=Jennifer J Jensen,dc=example,dc=com cn: Jennifer J Jensen cn: Jennifer Jensen objectClass: person sn: Jensen # JPEG photo from file jpegPhoto:< file:///path/to/file.jpeg Which is the recommended method? Please advise. -- roger --------------------------------------------------- Sign Up for free Email at http://ureg.home.net.my/ ---------------------------------------------------

4 3

Re: Question about conn_max_pending configuration options
by Howard Chu 20 Dec '06

20 Dec '06

TechnoSophos wrote: > Thanks. Your answer was more informative than I had hoped for. > > At what point will the server start denying service to incomming > connections? Or will it ever? It doesn't do so explicitly. When it runs out of descriptors, obviously it won't be able to handle any more connections. > > Does the timelimit (or limit) directive in slapd.conf apply to those > requests that are sitting there waiting to be handled? In other words, > is it possible for a request to time out before it has been handled? > In this case, I would guess that it would still sit in the queue until > a thread picks it up, in which case it would immediately return a > timelimit exceeded error. Is that right? No, the timelimit controls how long the request actually executes, so it is based on when the request starts executing. The time the request spends in various queues is not execution time. > Also, as long as I'm on the topic of threads, is there a convenient > way to calculate the cost of adding threads? If I want to double the > thread pool, how many additional reasources will this take? There are a number of large chunks of memory allocated per thread. First is the actual thread stack, which defaults to 1048576 * sizeof(pointer), so 4MB on a 32 bit machine and 8MB on a 64 bit machine. Also slapd allocates a 1MB slab per thread for per-operation temporary storage. The back-bdb/hdb backends also allocate a search stack per thread, for evaluating indexed filters. As documented in the slapd-bdb(5) manpage, this defaults to 8MB per thread. Those are the most obvious costs in the OpenLDAP code; the C library and whatever other libraries you're using (OpenSSL etc.) have their own per-thread overheads. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

1 0

proxying authentication
by sishkebab 19 Dec '06

19 Dec '06

Hi everyone, consider the following setup: * A central accounts OpenLDAP directory, where user credentials are stored, among others. * An LDAP enabled service using a separate OpenLDAP directory containing service related attributes for a subject of the user objects contained in the central directory. Is it possible to configure my servers so that users connecting to the service directory can authenticate using the credentials stored in the central directory, while the proccess stays transparent for the end user? I know that this may be achieved by replicating user credentials to the service directory, but it would be prefered if it was done without replication. So, is there any way doing it, either using some overlay or some means of proxy authentication? Thanks, Michalis

3 2

Still unable to configure glue and rwm overlay correctly
by Andrew Kay 18 Dec '06

18 Dec '06

Hi, I am attempting to configure OpenLDAP such that it acts as a subordinate to a Microsoft Active Directory server, and presents a unified directory tree to any applications. The directory tree I am aiming for is as follows: ou=XYZ, dc=xyz, dc=com Microsoft Active Directory ou=Extranet, ou=XYZ, dc=xyz, dc=com OpenLDAP bdb database (subordinate) I was previously having problems with the rewrite rules required to ensure that user and group objects within AD were transformed into inetOrgPerson and groupOfName objects that are being stored in the "ou=Extranet, ou=XYZ, dc=xyz, dc=com", thanks to Howard Chu's response I have altered my configuration file and the rewriting now only occurs to the directory entries stored within the AD portion. The database section of my configuration file is now as follows: database bdb suffix "ou=Extranet, ou=XYZ, dc=xyz, dc=com" rootdn "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq database ldap suffix "ou=XYZ, dc=xyz, dc=com" uri "ldap://dc1" acl-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" idassert-bind bindmethod=simple binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" credentials="secret" mode=none authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com" overlay rwm rwm-map objectclass inetOrgPerson user rwm-map objectclass groupOfNames group rwm-map attribute uid sAMAccountname rwm-map attribute cn name rwm-map attribute sn sn rwm-map attribute mail mail rwm-map attribute member member rwm-map attribute * overlay glue glue-sub "ou=Extranet, ou=XYZ, dc=xyz, dc=com" With the above configuration, while the rewrite only occurs to directory entries stored within the AD portion, the functionality I expected from the glue overlay no longer appears. If I perform a search with a base "ou=XYZ, dc=xyz, dc=com" entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory are not retrieved, unless I explicility set the search base to that portion. Obviously in order to unify the two databases I would wish entries from the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory to be included along with entries from the AD portion when the search base is "ou=XYZ, dc=xyz, dc=com". I am running OpenLDAP version 2.3.30. I'd greatly appreciate any help I could get in achieving the correct glue configuration. Andrew Below is an example showing how unless the search base is explicitly set to the "ou=Extranet, ou=XYZ, dc=xyz, dc=com" portion of the directory, the entries are not retrieved: extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (uid=john.smith) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(uid=john.smith)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=Extranet, ou=XYZ, dc=xyz, dc=com> with scope subtree # filter: (uid=john.smith) # requesting: ALL # # John Smith, Users, Extranet, XYZ, xyz.com dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com objectClass: inetOrgPerson cn: John Smith sn: Smith uid: john.smith userPassword:: am9obi5zbWl0aA== # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 extranet:~#

3 11

Re: ldapsearch performance debugging
by Howard Chu 18 Dec '06

18 Dec '06

Chris Hane wrote: > Howard, > > Thanks! The strace did it. It showed me that it was delaying on a > poll() event to our dns servers. Once I fixed that, all is working like > I expect. Glad to hear it. Please keep all replies on the mailing list, so that others can also see the resolution of the question. > > Thanks again, > Chris.... > > Howard Chu wrote: >> Chris Hane wrote: >>> When I execute the following command: >>> >>> ldapsearch -v -x -b "dc=abmas,dc=biz" -d 5 -h 127.0.0.1 >>> >>> there is a significant lag between hitting return and when I see the >>> debug output - 6-8 seconds. >>> >>> I'm pretty sure this is a configuration problem or network problem on >>> my end as this same command in a different environment executes >>> immediately. >>> >>> To help me isolate where the problem is, is there another method to >>> debug what ldapsearch is doing before I see the first lines listed in >>> the debug output with -d 5? Or is there another utility I could use >>> than ldapsearch? >> >> Try using strace and see what system calls get executed and where the >> delay is. Alternatively you could try running ldapsearch under gdb and >> interrupting it to get a stack trace from where the delay occurs. >> > -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

1 0

can't delete userPassword when ppolicy is used
by Andreas Hasenack 18 Dec '06

18 Dec '06

openldap-2.3.30 Not sure if this it intended or not, but it seems to be impossible to delete the userPassword attribute from an entry if the ppolicy overlay is loaded. I found this out when I accidentally added a userPassword attribute to a posixGroup entry and discovered I could no longer remove it: $ ldapmodify -x -D cn=manager,dc=example,dc=com -w secret dn: cn=ldapusers,ou=group,dc=example,dc=com changetype: modify delete: userpassword modifying entry "cn=ldapusers,ou=group,dc=example,dc=com" ldap_modify: Internal (implementation specific) error (80) additional info: Internal Error If I unload the ppolicy overlay, the operation succeeds. I have a default policy set which only specified the password attribute: $ ldapsearch -x -LLL -b "ou=Password Policies,dc=example,dc=com" dn: ou=Password Policies,dc=example,dc=com ou: Password Policies objectClass: organizationalUnit description: Container for OpenLDAP password policies dn: cn=default,ou=Password Policies,dc=example,dc=com cn: default objectClass: pwdPolicy objectClass: namedObject pwdAttribute: userPassword

1 0

ldapsearch performance debugging
by Chris Hane 17 Dec '06

17 Dec '06

When I execute the following command: ldapsearch -v -x -b "dc=abmas,dc=biz" -d 5 -h 127.0.0.1 there is a significant lag between hitting return and when I see the debug output - 6-8 seconds. I'm pretty sure this is a configuration problem or network problem on my end as this same command in a different environment executes immediately. To help me isolate where the problem is, is there another method to debug what ldapsearch is doing before I see the first lines listed in the debug output with -d 5? Or is there another utility I could use than ldapsearch? The debug out I see starts with and I want to try and figure out what it happening before this: [chane@samba ~]$ ldapsearch -v -x -b "dc=abmas,dc=biz" -d 5 -h 127.0.0.1 ldap_initialize( ldap://127.0.0.1 ) ldap_create ldap_url_parse_ext(ldap://127.0.0.1) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 127.0.0.1:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 </snip rest of output> Thanks, Chris....

2 1

Slapadd Problem
by Ted Johnson 15 Dec '06

15 Dec '06

Hi; I ran the following command: # slapadd -b dc=example,dc=com -l urls.ldif -f slapd.conf -d 1 Here is what I think is the relevant output: >>> dnPrettyNormal: <cn=log> <<< dnPrettyNormal: <cn=log>, <cn=log> >>> dnPrettyNormal: <uid=root,cn=log> <<< dnPrettyNormal: <uid=root,cn=log>, <uid=root,cn=log> bdb_db_init: Initializing BDB database >>> dnPrettyNormal: <dc=example,dc=com> <<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com> >>> dnPrettyNormal: <cn=admin,dc=example,dc=com> <<< dnPrettyNormal: <cn=admin,dc=example,dc=com>, <cn=admin,dc=example,dc=com> >>> dnPrettyNormal: <cn=log> <<< dnPrettyNormal: <cn=log>, <cn=log> ...and here is the complaint: slapadd: slap_init no backend for "dc=example,dc=com" Please advise. TIA, Ted ____________________________________________________________________________________ Cheap talk? Check out Yahoo! Messenger's low PC-to-Phone call rates. http://voice.yahoo.com

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2006