openldap-software December 2006

openldap-software@openldap.org

60 participants
65 discussions

Question about OpenLDAP
by Mark Hennessy 12 Dec '06

12 Dec '06

I have a user who tries to connect from an IP x.x.x.31, but they keep getting rejected. The ACL is using IPs to allow anonymous read-only connections. I have a client at another host that's also in the ACL by IP which is set to use an anonymous connection and that works. What should I be looking for with this client that's not working? Also, I built OpenLDAP without SASL on purpose. This is serving a simple database that could potentially have lots of reads and no writes from a couple of trusted hosts. Any help in this matter would be greatly appreciated! This is OpenLDAP from FreeBSD ports built supposedly without SASL. Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389) Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137 Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed -- Mark Hennessy

2 5

Re: Cannot get "logpurge" to work
by Tony Earnshaw 12 Dec '06

12 Dec '06

Dave Horsfall wrote: >> Our format in slapd.conf is slightly different from yours: >> logpurge 02:00:00 24:00 > > Not according to the manual page... The above would say to purge entries > older than 2 hours, and to scan every 24 hours; was that your intention? Yes, the entries aren't worth much to us once they've done their job, any querying by us is done immediately after an update (which even for a modification for many hundreds of modifications happens like greased lightning over all slaves) and such a modification produces thousands of these records, since there's one record for each attribute. Leaving them for 24 hours is OK nad I really want an immediate delete. That's what our original shell script did. I'd seriously suggest you go ahead with delta-syncrepl and have a look at chaining referrals from slave servers; they're two facilities in the latest 2.3 that are worth gold to us, in any event. --Tonni -- Tonni Earnshaw tonni @ barlaeus.nl

1 0

Re: Cannot get "logpurge" to work
by Quanah Gibson-Mount 11 Dec '06

11 Dec '06

--On Tuesday, December 12, 2006 10:19 AM +1100 Dave Horsfall <daveh(a)ci.com.au> wrote: > On Sun, 10 Dec 2006, Quanah Gibson-Mount wrote: > >> Well, it works perfectly for me... >> My syntax is a bit different than yours though: > > For all intents and purposes they are identical; define the accesslog > first, then associate it with a directory. > > Here's a bigger extract; I didn't really want to clutter things up: > ># ># The accesslog database. ># > database bdb > suffix cn=log > rootdn cn=root > directory /var/tmp/slapd.accesslog > index objectClass,reqStart eq > ># ># Play with "auditlog". ># > overlay auditlog > auditlog /var/tmp/slapd.auditlog Are you confusing auditlog and accesslog? They are two entirely different things. I'm not sure they mix well, either... --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

2 1

translucent and syncprov overlay together?
by Karsten Künne 11 Dec '06

11 Dec '06

Hi, is there a way to use the translucent and the syncprov overlay together on one database? I always get "syncprov_db_open: invalid config, lastmod must be enabled" if I try. I have "lastmod on" in my config but apparently the translucent overlay or the implicit back-ldap backend it loads sets it to off which the syncprov overlay doesn't like. What I want to do is to replicate the local override entries to another server with a similar translucent configuration. I don't want to replicate the entries pulled in via the translucent overlay, of course. Karsten.

1 0

Re: Cannot get "logpurge" to work
by Howard Chu 11 Dec '06

11 Dec '06

Dave Horsfall wrote: > On Sun, 10 Dec 2006, Quanah Gibson-Mount wrote: > >>> Nope; still not purging, even with a 5-minute scan. >> Well, it works perfectly for me... >> >> My syntax is a bit different than yours though: > > [...] > >> In your example configuration, you didn't show the overlay bit being >> inside another database definition, but I assume it is... > > Yes, it is, and it took a while to work that one out; talk about > economical documentation :-) The overlay keyword is documented in slapd.conf(5) under the General Database Options. The first sentence of this section states: Options in this section only apply to the configuration file section for the database in which they are defined. The documentation for the overlay keyword begins: Add the specified overlay to this database. I would think it's clear from these statements that overlay configurations are only valid on specific databases. Why use a thousand words to say the same thing over and over again? Why write any documentation at all when the existing documents are so obviously being ignored? -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

1 0

Re: Cannot get "logpurge" to work
by Quanah Gibson-Mount 11 Dec '06

11 Dec '06

--On Monday, December 11, 2006 1:28 PM +1100 Dave Horsfall <daveh(a)ci.com.au> wrote: > OpenLDAP 2.3.27 There are known bugs with logpurge in that version, I'd advise upgrading. Get 2.3.30. ;) --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

2 1

Re: Cannot get "logpurge" to work
by Quanah Gibson-Mount 10 Dec '06

10 Dec '06

--On Monday, December 11, 2006 3:20 PM +1100 Dave Horsfall <daveh(a)ci.com.au> wrote: > On Mon, 11 Dec 2006, Dave Horsfall wrote: > >> > There are known bugs with logpurge in that version, I'd advise >> > upgrading. Get 2.3.30. ;) >> >> Thanks; I've been waiting for 2.3.30 to be marked as STABLE, but I >> haven't seen any issues with it lately. > > Nope; still not purging, even with a 5-minute scan. Well, it works perfectly for me... My syntax is a bit different than yours though: ####################################################################### # accesslog database definitions ####################################################################### database hdb suffix cn=accesslog directory /var/lib/ldap/accesslog rootdn cn=accesslog index default eq index entryCSN index objectClass index reqEnd index reqResult index reqStart .... ####################################################################### # stanford.edu database definitions ####################################################################### database hdb suffix "dc=stanford,dc=edu" rootdn "cn=manager,dc=stanford,dc=edu" .... overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logpurge 07+00:00 01+00:00 In your example configuration, you didn't show the overlay bit being inside another database definition, but I assume it is... --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: Cannot get "logpurge" to work
by Tony Earnshaw 10 Dec '06

10 Dec '06

Dave Horsfall wrote: > OpenLDAP 2.3.27 > > I've just started playing with "accesslog" (and "auditlog"). I have the > following configuration: > > database bdb > suffix cn=log > rootdn cn=root > directory /var/tmp/slapd.accesslog > index objectClass,reqStart eq > > ... > > overlay accesslog > logdb cn=log > logops all > # Scan every hour, delete more than 1 hour > logpurge 01:00 01:00 FWIW we're running 2.3.30 on RHAS4 with delta-syncrepl from a master to 3 slaves. We had issues with logpurge before about 2.3.25, so I wrote a small shell script to purge the entries at midnight, in anticipation of the problem being fixed in the end. Around 2.3.27 I noticed that the script wasn't outputting, but the entries were getting purged anyway, so logpurge was working. Our format in slapd.conf is slightly different from yours: logpurge 02:00:00 24:00 After a mass update, the logfiles in the changelog directory get huge, so when it's working, you'd best keep an eye on these. Best, --Tonni -- Tonni Earnshaw tonni @ barlaeus.nl

1 0

Solaris 10 and openldap - help needed.
by Robert Bannocks 08 Dec '06

08 Dec '06

Hi all, I have a number of issues with OpenLDAP on solaris 10. These are mostly to do with Samba, however, boiling the problem down I have tried to simplify things. I have openldap-2.3.27 configured with this configure line and compiled with gcc version ./configure --prefix=/usr/local/opt/openldap/openldap-2.3.27 --enable-crypt --enable-ldap --enable-slapd=no --enable-shared=no I have tried to compile the following simple program: $ more ldaptest.c #include <ldap.h> main() { char *ldapname="Dn=this is a long DN"; char *result; result=ldap_dn2ad_canonical( ldapname ); } With the command line /usr/sfw/bin/gcc -I/usr/local/opt//openldap/openldap-2.3.27/include -L/usr/local/opt/openldap/openldap-2.3.27/lib/libldap.a -L/usr/local/opt/openldap-2.3.27/lib/liblber.a ldaptest.c This gives this error: Undefined first referenced symbol in file ldap_dn2ad_canonical /var/tmp//ccKJLi7T.o ld: fatal: Symbol referencing errors. No output written to a.out collect2: ld returned 1 exit status looking as the libraries: $ /usr/ccs/bin/nm /usr/local/opt/openldap/openldap-2.3.27/lib/libldap.a | grep ldap_dn2ad_canonical [57] | 3116| 120|FUNC |GLOB |0 |1 |ldap_dn2ad_canonical However when I compile against the dynamic libraries compilation works. /usr/sfw/bin/gcc -I/usr/local/opt/openldap/openldap-2.3.27/include -L/usr/local/opt/openldap/openldap-2.3.27/lib -lldap -llber ldaptest.c I am at the limit of my understanding. Can anyone help. Regards Rob

7 11

slapd responds very slowly when cpu has 100% usage (but actually low load)
by Antonis Christofides 08 Dec '06

08 Dec '06

Hi, At the almost idle Dual Core machine which runs slapd, I run: nice sh -c 'while true; do true; done' & nice sh -c 'while true; do true; done' & (i.e. I'm running this twice). Then each of the two CPUs always has some job to do, so both CPUs have 100% usage, but this is "nice". Then, slapd takes too long to respond to queries. It may take 10 or 20 seconds. If I kill or stop one of the two dummy processes, it replies instantly. If I continue both dummy processes, it's back to 10 or 20 seconds. Needless to say all machine resources seem ok; low disk usage, lots of spare memory; and slapd is not niced. If it's not something immediately obvious, could you help me debug it? I've run slapd with various "-d" options but it gives me results that I have trouble understanding. The OS is Debian 3.1 (Sarge), with a 2.6.12 SMP Linux kernel. -- Antonis Christofides +30-2107722840 (work) +30-2106521785 (home) +30-6979924665 (mobile)

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2006