Question about OpenLDAP
by Mark Hennessy
I have a user who tries to connect from an IP x.x.x.31, but they keep getting
rejected. The ACL is using IPs to allow anonymous read-only connections. I
have a client at another host that's also in the ACL by IP which is set to
use an anonymous connection and that works. What should I be looking for
with this client that's not working? Also, I built OpenLDAP without SASL on
purpose. This is serving a simple database that could potentially have lots
of reads and no writes from a couple of trusted hosts. Any help in this
matter would be greatly appreciated!
This is OpenLDAP from FreeBSD ports built supposedly without SASL.
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389)
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
--
Mark Hennessy
16 years, 1 month
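An added example, not part of Mark's post and not OpenLDAP code: a small Python parser for slapd "stats" log lines that pairs each BIND with its RESULT on the same connection and reports the failed ones with the client address, the bind method and the LDAP result code. The method table (128 = simple, 163 = sasl) and the resultCode names follow LDAPv3; the sample log is the post's own lines joined back onto single lines, and the function and dictionary names are my own. On that input it reports one failed bind on conn=28 from x.x.x.31 with err=7 (authMethodNotSupported): the client attempted a bind with a method tag slapd does not recognize, rather than the simple anonymous bind (method=128 with an empty DN) that the other, working, client would send, and that rejection happens at the bind itself, before any IP-based ACL is consulted.

```python
import re

# Added example: parse slapd "stats" loglevel lines, tie each BIND to its
# RESULT on the same connection, and report the ones that failed.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) (?P<rest>.*)$'
)
ACCEPT_RE = re.compile(r'^fd=\d+ ACCEPT from IP=(?P<ip>[^:\s]+):(?P<port>\d+)')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
# tag=97 is the BindResponse; "SEARCH RESULT tag=101" lines do not match this.
BIND_RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+) text=(?P<text>.*)$')

# BIND method values as slapd logs them (decimal value of the BER tag of the
# AuthenticationChoice): 128 = simple, 163 = sasl. Anything else is not a
# method slapd knows, which is what err=7 in the post reports.
BIND_METHODS = {128: "simple", 163: "sasl"}

# LDAP resultCode values that commonly appear on bind responses.
RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}


def describe_method(code, dn):
    """Human-readable bind method; an empty DN with simple bind is anonymous."""
    name = BIND_METHODS.get(code, "unrecognized-method-tag-%d" % code)
    if code == 128 and dn == "":
        name += " (anonymous)"
    return name


def failed_binds(lines):
    """Return one dict per BIND whose RESULT carried a non-zero err."""
    client_ip = {}   # conn id -> peer address from the ACCEPT line
    pending = {}     # (conn, op) -> (dn, method) for BINDs awaiting a RESULT
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, rest = int(m["conn"]), m["rest"]
        a = ACCEPT_RE.match(rest)
        if a:
            client_ip[conn] = a["ip"]
            continue
        b = BIND_RE.match(rest)
        if b:
            pending[(conn, int(b["op"]))] = (b["dn"], int(b["method"]))
            continue
        r = BIND_RESULT_RE.match(rest)
        if r and (conn, int(r["op"])) in pending:
            dn, method = pending.pop((conn, int(r["op"])))
            err = int(r["err"])
            if err != 0:
                failures.append({
                    "conn": conn,
                    "client_ip": client_ip.get(conn, "?"),
                    "dn": dn,
                    "method": describe_method(method, dn),
                    "err": err,
                    "result": RESULT_CODES.get(err, "resultCode-%d" % err),
                    "text": r["text"],
                })
    return failures


# The lines from the post, joined back onto single lines.
SAMPLE_LOG = """\
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389)
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
""".splitlines()

if __name__ == "__main__":
    for failure in failed_binds(SAMPLE_LOG):
        print(failure)
```

Run over a whole syslog extract, the same function gives a per-client list of failed binds, which is the quickest way to tell an ACL problem (err=50 after a successful bind) from a protocol-level one like this (err=7 on the bind itself).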
Re: Cannot get "logpurge" to work
by Tony Earnshaw
Dave Horsfall wrote:
>> Our format in slapd.conf is slightly different from yours:
>> logpurge 02:00:00 24:00
>
> Not according to the manual page... The above would say to purge entries
> older than 2 hours, and to scan every 24 hours; was that your intention?
Yes, the entries aren't worth much to us once they've done their job,
any querying by us is done immediately after an update (which even for a
modification for many hundreds of modifications happens like greased
lightning over all slaves) and such a modification produces thousands of
these records, since there's one record for each attribute. Leaving them
for 24 hours is OK and I really want an immediate delete. That's what
our original shell script did.
I'd seriously suggest you go ahead with delta-syncrepl and have a look
at chaining referrals from slave servers; they're two facilities in the
latest 2.3 that are worth gold to us, in any event.
--Tonni
--
Tonni Earnshaw
tonni @ barlaeus.nl
16 years, 1 month
Re: Cannot get "logpurge" to work
by Quanah Gibson-Mount
--On Tuesday, December 12, 2006 10:19 AM +1100 Dave Horsfall
<daveh(a)ci.com.au> wrote:
> On Sun, 10 Dec 2006, Quanah Gibson-Mount wrote:
>
>> Well, it works perfectly for me...
>> My syntax is a bit different than yours though:
>
> For all intents and purposes they are identical; define the accesslog
> first, then associate it with a directory.
>
> Here's a bigger extract; I didn't really want to clutter things up:
>
>#
># The accesslog database.
>#
> database bdb
> suffix cn=log
> rootdn cn=root
> directory /var/tmp/slapd.accesslog
> index objectClass,reqStart eq
>
>#
># Play with "auditlog".
>#
> overlay auditlog
> auditlog /var/tmp/slapd.auditlog
Are you confusing auditlog and accesslog? They are two entirely different
things. I'm not sure they mix well, either...
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
16 years, 1 month
translucent and syncprov overlay together?
by Karsten Künne
Hi,
is there a way to use the translucent and the syncprov overlay together on one
database? I always get "syncprov_db_open: invalid config, lastmod must be
enabled" if I try. I have "lastmod on" in my config but apparently the
translucent overlay or the implicit back-ldap backend it loads sets it to off
which the syncprov overlay doesn't like.
What I want to do is to replicate the local override entries to another server
with a similar translucent configuration. I don't want to replicate the
entries pulled in via the translucent overlay, of course.
Karsten.
16 years, 1 month
Re: Cannot get "logpurge" to work
by Howard Chu
Dave Horsfall wrote:
> On Sun, 10 Dec 2006, Quanah Gibson-Mount wrote:
>
>>> Nope; still not purging, even with a 5-minute scan.
>> Well, it works perfectly for me...
>>
>> My syntax is a bit different than yours though:
>
> [...]
>
>> In your example configuration, you didn't show the overlay bit being
>> inside another database definition, but I assume it is...
>
> Yes, it is, and it took a while to work that one out; talk about
> economical documentation :-)
The overlay keyword is documented in slapd.conf(5) under the General
Database Options. The first sentence of this section states:
Options in this section only apply to the configuration file
section for the database in which they are defined.
The documentation for the overlay keyword begins:
Add the specified overlay to this database.
I would think it's clear from these statements that overlay
configurations are only valid on specific databases.
Why use a thousand words to say the same thing over and over again? Why
write any documentation at all when the existing documents are so
obviously being ignored?
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
16 years, 1 month
Re: Cannot get "logpurge" to work
by Quanah Gibson-Mount
--On Monday, December 11, 2006 1:28 PM +1100 Dave Horsfall
<daveh(a)ci.com.au> wrote:
> OpenLDAP 2.3.27
There are known bugs with logpurge in that version, I'd advise upgrading.
Get 2.3.30. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
16 years, 1 month
Re: Cannot get "logpurge" to work
by Quanah Gibson-Mount
--On Monday, December 11, 2006 3:20 PM +1100 Dave Horsfall
<daveh(a)ci.com.au> wrote:
> On Mon, 11 Dec 2006, Dave Horsfall wrote:
>
>> > There are known bugs with logpurge in that version, I'd advise
>> > upgrading. Get 2.3.30. ;)
>>
>> Thanks; I've been waiting for 2.3.30 to be marked as STABLE, but I
>> haven't seen any issues with it lately.
>
> Nope; still not purging, even with a 5-minute scan.
Well, it works perfectly for me...
My syntax is a bit different than yours though:
#######################################################################
# accesslog database definitions
#######################################################################
database hdb
suffix cn=accesslog
directory /var/lib/ldap/accesslog
rootdn cn=accesslog
index default eq
index entryCSN
index objectClass
index reqEnd
index reqResult
index reqStart
....
#######################################################################
# stanford.edu database definitions
#######################################################################
database hdb
suffix "dc=stanford,dc=edu"
rootdn "cn=manager,dc=stanford,dc=edu"
....
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
In your example configuration, you didn't show the overlay bit being inside
another database definition, but I assume it is...
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
16 years, 2 months
Re: Cannot get "logpurge" to work
by Tony Earnshaw
Dave Horsfall wrote:
> OpenLDAP 2.3.27
>
> I've just started playing with "accesslog" (and "auditlog"). I have the
> following configuration:
>
> database bdb
> suffix cn=log
> rootdn cn=root
> directory /var/tmp/slapd.accesslog
> index objectClass,reqStart eq
>
> ...
>
> overlay accesslog
> logdb cn=log
> logops all
> # Scan every hour, delete more than 1 hour
> logpurge 01:00 01:00
FWIW we're running 2.3.30 on RHAS4 with delta-syncrepl from a master to
3 slaves. We had issues with logpurge before about 2.3.25, so I wrote a
small shell script to purge the entries at midnight, in anticipation of
the problem being fixed in the end. Around 2.3.27 I noticed that the
script wasn't outputting, but the entries were getting purged anyway, so
logpurge was working.
Our format in slapd.conf is slightly different from yours:
logpurge 02:00:00 24:00
After a mass update, the logfiles in the changelog directory get huge,
so when it's working, you'd best keep an eye on these.
Best,
--Tonni
--
Tonni Earnshaw
tonni @ barlaeus.nl
16 years, 2 months
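An added example for the three logpurge settings quoted in this thread ("02:00:00 24:00", "07+00:00 01+00:00" and "01:00 01:00"); it is not code from the thread or from OpenLDAP. It is a Python parser for the [ddd+]hh:mm[:ss] form that slapo-accesslog(5) uses for both logpurge arguments, plus the worst-case retention that follows from age + interval. Hours are deliberately not range-checked so that "24:00" reads as 24 hours, as in the thread. Function and dictionary names are my own.

```python
import re

# Added example: parser for the slapo-accesslog "logpurge <age> <interval>"
# directive. Both values use the [ddd+]hh:mm[:ss] form.
TIMESPEC_RE = re.compile(
    r'^(?:(?P<days>\d+)\+)?(?P<hours>\d+):(?P<minutes>\d{1,2})(?::(?P<seconds>\d{1,2}))?$'
)


def is_valid_timespec(spec):
    """True if spec has the [ddd+]hh:mm[:ss] shape with sane minutes/seconds."""
    m = TIMESPEC_RE.match(spec)
    if not m:
        return False
    return int(m["minutes"]) <= 59 and int(m["seconds"] or 0) <= 59


def parse_timespec(spec):
    """Convert a [ddd+]hh:mm[:ss] string to a number of seconds."""
    if not is_valid_timespec(spec):
        raise ValueError("bad time spec %r (want [ddd+]hh:mm[:ss])" % spec)
    m = TIMESPEC_RE.match(spec)
    days = int(m["days"] or 0)
    hours = int(m["hours"])          # not capped, so "24:00" is 24 hours
    minutes = int(m["minutes"])
    seconds = int(m["seconds"] or 0)
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_logpurge(directive):
    """Return (age_seconds, interval_seconds) for a 'logpurge <age> <interval>' line."""
    parts = directive.split()
    if len(parts) != 3 or parts[0].lower() != "logpurge":
        raise ValueError("not a logpurge directive: %r" % directive)
    return parse_timespec(parts[1]), parse_timespec(parts[2])


def worst_case_retention(age, interval):
    """Longest an accesslog entry can survive: it passes <age> just after a
    scan ran and is only removed by the next scan, <interval> later."""
    return age + interval


# The three settings quoted in the thread (constructed lookup, keyed by poster).
THREAD_SETTINGS = {
    "tonni": "logpurge 02:00:00 24:00",
    "quanah": "logpurge 07+00:00 01+00:00",
    "dave": "logpurge 01:00 01:00",
}


def summarize(settings=THREAD_SETTINGS):
    """Age, scan interval and worst-case retention (all in seconds) per setting."""
    out = {}
    for who, directive in settings.items():
        age, interval = parse_logpurge(directive)
        out[who] = {
            "age": age,
            "interval": interval,
            "worst_case": worst_case_retention(age, interval),
        }
    return out


if __name__ == "__main__":
    for who, info in summarize().items():
        print("%-7s age=%6dh interval=%4dh worst case=%4dh" % (
            who, info["age"] // 3600, info["interval"] // 3600, info["worst_case"] // 3600))
```

The worst-case figure is the one to size the accesslog database for: with "02:00:00 24:00" an entry can sit for up to 26 hours, with "07+00:00 01+00:00" for up to 8 days, which is why a mass update can leave the log files large even when purging is working.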
Solaris 10 and openldap - help needed.
by Robert Bannocks
Hi all,
I have a number of issues with OpenLDAP on solaris 10. These are mostly
to do with Samba, however, boiling the problem down I have tried to
simplify things.
I have openldap-2.3.27 configured with this configure line and compiled
with gcc version
./configure --prefix=/usr/local/opt/openldap/openldap-2.3.27
--enable-crypt --enable-ldap --enable-slapd=no --enable-shared=no
I have tried to compile the following simple program:
$ more ldaptest.c
#include <stdio.h>
#include <ldap.h>
int main(void)
{
    char *ldapname = "Dn=this is a long DN";
    char *result;
    /* ldap_dn2ad_canonical() returns a malloc'd string, or NULL on a bad DN */
    result = ldap_dn2ad_canonical(ldapname);
    if (result != NULL) {
        printf("%s\n", result);
        ldap_memfree(result);
    }
    return 0;
}
With the command line
/usr/sfw/bin/gcc -I/usr/local/opt//openldap/openldap-2.3.27/include -L/usr/local/opt/openldap/openldap-2.3.27/lib/libldap.a -L/usr/local/opt/openldap-2.3.27/lib/liblber.a ldaptest.c
This gives this error:
Undefined first referenced
symbol in file
ldap_dn2ad_canonical /var/tmp//ccKJLi7T.o
ld: fatal: Symbol referencing errors. No output written to a.out
collect2: ld returned 1 exit status
Looking at the libraries:
$ /usr/ccs/bin/nm /usr/local/opt/openldap/openldap-2.3.27/lib/libldap.a | grep ldap_dn2ad_canonical
[57] | 3116| 120|FUNC |GLOB |0 |1 |ldap_dn2ad_canonical
However when I compile against the dynamic libraries compilation works.
/usr/sfw/bin/gcc -I/usr/local/opt/openldap/openldap-2.3.27/include -L/usr/local/opt/openldap/openldap-2.3.27/lib -lldap -llber ldaptest.c
I am at the limit of my understanding. Can anyone help?
Regards
Rob
16 years, 2 months
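An added example, not from Rob's post: a Python check for the linker mistake visible in the failing command line. -L only adds a search directory for -l<name> lookups and never links a file by itself, so "-L.../libldap.a" with no "-lldap" links no library at all, which is why the symbol stays undefined even though nm shows it in the archive (the dynamic build works because it uses -L<dir> -lldap -llber). The helper also rewrites such arguments into plain archive paths, which ld links directly, keeping libldap ahead of liblber as static linking requires. The function names and the isfile/isdir hooks are my own; the sample argument list in the usage block mirrors the post's command.

```python
import os

# Added example: spot "-L<file>" in a gcc/ld argument list. -L expects a
# directory; a file there is never linked, so the -l lookups (if any) fail
# and, with no -l at all, nothing from the library gets linked.


def _l_paths(args):
    """Yield (path, indices) for every -L argument, attached or separate."""
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-L" and i + 1 < len(args):
            yield args[i + 1], (i, i + 1)
            i += 2
        elif a.startswith("-L") and len(a) > 2:
            yield a[2:], (i,)
            i += 1
        else:
            i += 1


def check_link_args(args, isfile=os.path.isfile, isdir=os.path.isdir):
    """Return a list of problem strings; empty means the -L usage looks sane.
    isfile/isdir are injectable so the check can run against a fake tree."""
    problems = []
    used = set()
    for path, idx in _l_paths(args):
        used.update(idx)
        if isfile(path):
            problems.append("-L%s names a file; -L expects a directory" % path)
        elif not isdir(path):
            problems.append("-L%s: no such directory" % path)
    # Something must actually name a library: -l<name>, or an archive/.so path
    # given as a plain argument (the -L paths themselves do not count).
    links_something = any(
        a.startswith("-l") or a.endswith((".a", ".so"))
        for i, a in enumerate(args) if i not in used
    )
    if used and not links_something:
        problems.append("-L given but nothing to link: add -l<name> or name the archive directly")
    return problems


def rewrite_static(args):
    """Turn each -L<path>.a into a plain archive argument, which ld links
    directly. Argument order is preserved: a static libldap must come before
    liblber because libldap references symbols that liblber provides."""
    drop, replace = set(), {}
    for path, idx in _l_paths(args):
        if path.endswith(".a"):
            replace[idx[0]] = path
            drop.update(idx[1:])
    return [replace.get(i, a) for i, a in enumerate(args) if i not in drop]


if __name__ == "__main__":
    # Mirrors the failing command from the post (paths as given there).
    post_args = [
        "-I/usr/local/opt//openldap/openldap-2.3.27/include",
        "-L/usr/local/opt/openldap/openldap-2.3.27/lib/libldap.a",
        "-L/usr/local/opt/openldap-2.3.27/lib/liblber.a",
        "ldaptest.c",
    ]
    for p in check_link_args(post_args):
        print("problem:", p)
    print("static link:", " ".join(["/usr/sfw/bin/gcc"] + rewrite_static(post_args)))
```

Note that the two -L paths in the post also differ (one has "/opt/openldap/openldap-2.3.27", the other "/opt/openldap-2.3.27"), so the rewritten liblber path must be checked against the real install prefix before use.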
slapd responds very slowly when cpu has 100% usage (but actually low load)
by Antonis Christofides
Hi,
At the almost idle Dual Core machine which runs slapd, I run:
nice sh -c 'while true; do true; done' &
nice sh -c 'while true; do true; done' &
(i.e. I'm running this twice). Then each of the two CPUs always has
some job to do, so both CPUs have 100% usage, but this is "nice".
Then, slapd takes too long to respond to queries. It may take 10 or
20 seconds. If I kill or stop one of the two dummy processes, it
replies instantly. If I continue both dummy processes, it's back to
10 or 20 seconds. Needless to say all machine resources seem ok; low
disk usage, lots of spare memory; and slapd is not niced.
If it's not something immediately obvious, could you help me debug it?
I've run slapd with various "-d" options but it gives me results that
I have trouble understanding.
The OS is Debian 3.1 (Sarge), with a 2.6.12 SMP Linux kernel.
--
Antonis Christofides
+30-2107722840 (work)
+30-2106521785 (home)
+30-6979924665 (mobile)
16 years, 2 months