Re: slapd high CPU usage
by Aaron Richton
Please keep replies on the list.
On Tue, 16 Oct 2007, Angie Cao wrote:
> The high CPU problem happens when the log level is not turned on (meaning
> "loglevel 0" is set in slapd.conf).
OK, so it's not (exclusively?) OpenLDAP logging that's causing your system
to go slow.
> Although CPU is running low right now (with slapd -d127), the message I saw is:
>
> => test_filter
> AND
> => test_filter_and
> => test_filter
> EQUALITY
> AND
> <= test_filter 5
> => test_filter
> AND
> => test_filter_and
> AND
> => test_filter_and
> => test_filter
> EQUALITY
> <= test_filter 5
> <= test_filter_and 5
> <= test_filter 5
> bdb_search: 18222 does not match filter
>
> are all over the place.... Wondering if this might be related to
> the high CPU problem and what this indicates. (Googling around
> at the moment, hoping to find some hints.)
>
> Angie
>
As recommended, try and find a debug level that's more appropriate --
"stats" might be good. These searches that you're concerned about will
come up in a much easier-to-parse form:
conn=2 op=1 SRCH base="ou=Dynamic Lists,dc=example,dc=com" scope=2 deref=0 filter="(cn=dynamic list)"
conn=2 op=1 SRCH attr=*
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
If you find one of these that's slow (and yes, this might be as low-tech
as just noting that there's a large time between debug messages being
printed), then that might be a good place to start looking. This data also
gives you enough that you can (more or less) replicate the search with
ldapsearch(1). If you can do that yourself (instead of waiting for clients
to beat slapd up) and find options that gun the CPU, you're a lot closer
to fixing the issue...
15 years, 11 months
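The reply above suggests watching "stats"-level lines for a large gap between a search and its result, then replaying that search with ldapsearch(1). The Python script below, added here as an editor's example rather than anything from the thread or from OpenLDAP itself, does both mechanically: it pairs each SRCH line with its SEARCH RESULT by conn/op, measures the gap, and prints an equivalent ldapsearch command for every search over a threshold. It assumes the lines carry syslog timestamps (the stats lines quoted above have none), so resolution is one second and only multi-second searches stand out; the sample log, hostname, pid, DNs and timings are constructed.

```python
import re
import shlex
from datetime import datetime

# Constructed sample of "loglevel stats" output as syslog records it. Host, pid,
# DNs and timings are made up; the line shapes match slapd 2.3 stats logging.
SAMPLE_LOG = """\
Oct 16 17:32:59 ldapserver slapd[3127]: conn=2 op=1 SRCH base="ou=Dynamic Lists,dc=example,dc=com" scope=2 deref=0 filter="(cn=dynamic list)"
Oct 16 17:32:59 ldapserver slapd[3127]: conn=2 op=1 SRCH attr=*
Oct 16 17:32:59 ldapserver slapd[3127]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 16 17:33:01 ldapserver slapd[3127]: conn=3 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=*))"
Oct 16 17:33:01 ldapserver slapd[3127]: conn=3 op=0 SRCH attr=uid uidNumber
Oct 16 17:33:09 ldapserver slapd[3127]: conn=3 op=0 SEARCH RESULT tag=101 err=0 nentries=4020 text=
Oct 16 17:33:10 ldapserver slapd[3127]: conn=3 op=1 UNBIND
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[\d+\]: (?P<msg>.*)$')
SRCH_RE = re.compile(
    r'^conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=(?P<deref>\d) filter="(?P<filter>.*)"$')
ATTR_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH attr=(?P<attrs>.*)$')
RESULT_RE = re.compile(
    r'^conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ err=(?P<err>\d+) '
    r'nentries=(?P<nentries>\d+)')

SCOPE_NAMES = {0: "base", 1: "one", 2: "sub", 3: "children"}
DEREF_NAMES = {0: "never", 1: "search", 2: "find", 3: "always"}


def parse_stats_log(text):
    """Pair each SRCH line with its SEARCH RESULT by (conn, op) and return the
    completed searches with their wall-clock duration in whole seconds.
    Syslog timestamps carry no year, so a log spanning New Year (or Feb 29)
    would need a real year supplied; that is ignored here."""
    pending = {}
    completed = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        msg = m.group("msg")
        s = SRCH_RE.match(msg)
        if s:
            key = (int(s.group("conn")), int(s.group("op")))
            pending[key] = {
                "conn": key[0], "op": key[1], "started": ts,
                "base": s.group("base"), "scope": int(s.group("scope")),
                "deref": int(s.group("deref")), "filter": s.group("filter"),
                "attrs": [],
            }
            continue
        a = ATTR_RE.match(msg)
        if a:
            key = (int(a.group("conn")), int(a.group("op")))
            if key in pending:
                pending[key]["attrs"] = a.group("attrs").split()
            continue
        r = RESULT_RE.match(msg)
        if r:
            key = (int(r.group("conn")), int(r.group("op")))
            rec = pending.pop(key, None)
            if rec is None:          # result for a search we never saw start
                continue
            rec["err"] = int(r.group("err"))
            rec["nentries"] = int(r.group("nentries"))
            rec["seconds"] = int((ts - rec.pop("started")).total_seconds())
            completed.append(rec)
    return completed


def slow_searches(records, threshold_seconds):
    """Searches whose SRCH-to-RESULT gap is at least the threshold."""
    return [r for r in records if r["seconds"] >= threshold_seconds]


def ldapsearch_command(rec, host="ldap://localhost"):
    """Rebuild the search as an ldapsearch(1) invocation so it can be replayed
    by hand. Uses simple anonymous auth (-x); add -D/-w if the original bind
    was authenticated. 'attr=*' means all user attributes, i.e. the default."""
    parts = ["ldapsearch", "-x", "-H", host,
             "-b", rec["base"],
             "-s", SCOPE_NAMES[rec["scope"]],
             "-a", DEREF_NAMES[rec["deref"]],
             rec["filter"]]
    if rec["attrs"] and rec["attrs"] != ["*"]:
        parts.extend(rec["attrs"])
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    for rec in slow_searches(parse_stats_log(SAMPLE_LOG), threshold_seconds=5):
        print("%ds conn=%d op=%d err=%d nentries=%d"
              % (rec["seconds"], rec["conn"], rec["op"], rec["err"], rec["nentries"]))
        print("  replay: " + ldapsearch_command(rec, host="ldap://ldapserver"))
```

Feed it a real syslog extract by passing the file contents to parse_stats_log(); the one-second resolution is exactly the "large time between debug messages" heuristic from the reply, and the reproduced searches are read-only, so replaying them against the server is safe.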
sasl message with ldap
by Sean
I am trying to authenticate via sasl and I get the following error:
esrv:~# ldapsearch -U gino -Y digest-md5 -h 72.44.44.33 -b dc=test,dc=net 'uid=test'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
esrv:~#
My sasl database has the following users:
test@esrv: userPassword
gino@esrv: userPassword
Can someone point me in the right direction here? This error is
boggling me.
sc
15 years, 11 months
slapd high CPU usage
by Angie Cao
Hi,
I am using the default openldap-server-2.3.27-5 that comes with Red Hat 5 and
I am using the syncrepl method to replicate with the master LDAP server. The
replication itself worked well; it was able to replicate a large
database. But I have a severe problem: the slapd process spikes to high
CPU every few seconds. User time is about 85%. The whole server gets
very, very slow.
I turned slapd to debug level -1 and grepped for errors. The only errors I got were:
-----------
Oct 16 17:32:59 ldapserver slapd[3127]: => access_allowed: backend default search access granted to "(anonymous)"
Oct 16 17:32:59 ldapserver slapd[3127]: <= test_filter 5
Oct 16 17:32:59 ldapserver slapd[3127]: <= test_filter_and 5
Oct 16 17:32:59 ldapserver slapd[3127]: <= test_filter 5
Oct 16 17:32:59 ldapserver slapd[3127]: bdb_search: 10555 does not match filter
Oct 16 17:32:56 ldapserver slapd[3127]: ber_get_next on fd 24 failed errno=0 (Success)
Oct 16 17:32:59 ldapserver slapd[3127]: connection_read(24): input error=-2 id=14, closing.
Oct 16 17:35:24 ldapserver slapd[3127]: connection_read(17): input error=-2 id=32, closing.
Oct 16 17:35:29 ldapserver slapd[3127]: connection_read(18): input error=-2 id=36, closing.
Oct 16 17:35:32 ldapserver slapd[3127]: connection_read(18): input error=-2 id=37, closing.
----------
(I do not know if this is related to the high CPU usage); there were no
particular messages in /var/log/message. I have a 3.2GHz CPU and 2G of
memory on this server.
Has anybody had a similar problem before? Can anyone advise what can
be done in order to troubleshoot further?
Thanks.
Angie
15 years, 11 months
Accessing ld_error field of LDAP structure
by Laurent Birtz
Hello,
I am currently debugging some weird SASL login failures on Active
Directory. I am using the function ldap_sasl_bind_s() to perform the SASL
negotiations. I know that ldap_sasl_bind_s() calls
ldap_parse_sasl_bind_result() which sets the ld_error field of the 'LDAP'
connection structure to the error string returned by the AD server when a
login failure occurs. The content of this string is invaluable to debug
the login issues. Yet, there seems to be no way to access the content of
the ld_error field without bypassing the public interface of the openldap
library.
Is there any other way to access the error string returned by the server?
Also, has someone ever encountered a situation where half of the users of
an AD server can authenticate using SASL and the other half trigger an
"invalid credentials" error? All those accounts are valid & working, and
simple binds can be made without errors.
Thank you,
Laurent Birtz
15 years, 11 months
slapd still allows bind but returns no data
by Josh M. Hurd
I have been fighting with this issue for a couple months now and I
really need a solution.
I have 2 openldap servers recently upgraded to 2.3.38 with a brand
new rebuilt bdb from an LDIF dump.
The 2 servers sit behind a load balancer (read-only) and provide
basic authentication for about 300 linux servers.
There's not much traffic on them but those who need access need access.
The problem is they stop returning data, slapd is still running
otherwise seems ok.
You can still bind to them using rootdn with no issues.
I found an old thread describing a similar problem that suggested an
upgrade which I did.
I was using 2.2.13 now upgraded to 2.3.38
My level of knowledge of OpenLDAP is probably just above novice so I
don't have a good base for troubleshooting.
This is causing HUGE disruption and needs to be fixed immediately so
any and all help is much appreciated.
I turned on debug logging (-s 1) this morning so should have a bit of
data to share with you if need be.
Thanks,
Josh
15 years, 11 months
Could not parse line... slapadd
by Naufal Sheikh
Hi,
I am trying to import an LDIF file which I created using slapcat on another
server. Now when I try to use slapadd to import the LDIF file into my new
server, I am getting an error for the last line in the LDIF file, i.e. could
not parse entry line:1333...
The entry on that line is something about "Timestamp". Previously during
the trial I did get the "could not parse entry" error, but I figured out that those
were because of the whitespace (empty lines) in the LDIF file, so I removed
all of those, but now it is the last line which is not getting parsed by
slapadd. I tried having one white space (one empty line) after the last line
and with no empty line, ending the file at the last line, but to no
avail.
Can anyone please point me in the right direction?
Thanks & Regards
Naufal
15 years, 11 months
OpenLDAP's backend for performance and high reliability
by Tommy Pham
Hi everyone,
I'm trying to convert from an MS-based platform to *nix/Linux, specifically FreeBSD. I have a few questions and concerns about OpenLDAP's backend for performance and high reliability.
I have no problems setting OpenLDAP 2.3.38 to run with BDB 4.4.20.4 inside a FreeBSD (6.2 RELEASE) jail, using the core, cosine, and inetorgperson schemas. Using the Quick-Start guide at openldap.org's website, I managed to create the layout of OUs, CNs, etc. to my needs using phpLDAPadmin after adding the base ldif file via the command line:
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example
After thinking about the robustness of OpenLDAP due to its BDB backend, I tried to convert over to back-sql and use MySQL 5.0.45 for its backend. The SQL account is granted full permissions, including reference, to the specified database. The tables are populated using the sample sql files
- testdb_create.sql
- backsql_create.sql
- testdb_metadata.sql
Then I tried to add the same base ldif file via command line and get this error:
ldapadd: Server is unwilling to perform (53)
additional info: operation not permitted within namingContext
and all of my problems begin, even though the unixODBC connection is working properly, despite its not logging to a file via syslog (not a big concern ATM). After a few days of frustration, research on documentation, and log analyzing, am I wrong to conclude, after reading the contents of the sql files and this snip from the log:
...
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=include{0}"
config_build_entry: "cn=include{1}"
config_build_entry: "cn=include{2}"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
WARNING: No dynamic config support for database sql.
config_build_entry: "olcDatabase={1}sql"
backend_startup_one: starting "dc=sointe,dc=net"
==>backsql_db_open(): testing RDBMS connection
backsql_db_open(): concat func not specified (use "concat_pattern" directive in slapd.conf)
backsql_db_open(): subtree search SQL condition not specified (use "subtree_cond" directive in slapd.conf)
backsql_db_open(): setting "ldap_entries.dn LIKE CONCAT('%',?)" as default
backsql_db_open(): setting "ldap_entries.dn=?" as default
backsql_db_open(): objectclass mapping SQL statement not specified (use "oc_query" directive in slapd.conf)
backsql_db_open(): setting "SELECT id,name,keytbl,keycol,create_proc,delete_proc,expect_return FROM ldap_oc_mappings" by default
...
that for me to use any RDBMS for OpenLDAP's back-sql, I have to set up all the tables, functions and/or stored procedures, and insert all of those appropriately as data into the 4 tables:
- ldap_attr_mappings
- ldap_entries
- ldap_entry_objclasses
- ldap_oc_mappings
before I can add the base ldif file via command line and use phpLDAPadmin to build & maintain it? What happens when I need to change directory layout/structure because my needs change? Is it feasible?
Here are a few case studies scenario where I see issues:
A) Small company
This can be accomplished with OpenLDAP and the database servers on the same box. If the need requires more, OpenLDAP and the database server on separate boxes. (This scenario can also be accomplished using BDB for backend.)
A - 1) Small company grows (still 1 site)
OpenLDAP becomes its own box if it's not already and acts as master. Add more OpenLDAP box(es) to proxy requests while the master handles updates/additions. The database server is then reconfigured to be clustered. All OpenLDAP servers connect to the database cluster. (Alternatives? Still possible with OpenLDAP+back-bdb in master/slave replication? What about performance and high reliability?)
A - 2) Company grows and expand to multi-site
HQ (is the above scenario A - 1) and each site will have its own OpenLDAP and database (as in scenario A) depending on the requirements of each site and the data connection to HQ. (Alternatives? Still possible with OpenLDAP+back-bdb in master/slave replication? What about performance and high reliability?)
B) Enterprise ( or company in scenario A - 2 grows even more)
HQ will be setup as in scenario A - 1 but with more servers, both OpenLDAP and databases. Each site will be setup as in scenario A or A - 1 depending upon the requirement and function of each site.
C) What happens (to performance and reliability) when the total entries in OpenLDAP reach 250,000? 1 million? or 1 billion (most likely to happen in scenario B)? Will it "shrug its shoulders as if nothing happened" and still function?
Based on the above scenarios, should I invest the time to create all the tables, functions/stored procedures, and insert them as data into the 4 core tables as mentioned above? I guess there could be workarounds for all the scenarios except scenario C. Or should I go elsewhere for my directory service/server, like OpenDS or Sun's Directory Server?
Thanks,
Tommy
15 years, 11 months
multi valued otherMailbox
by Dieter Kluenter
Hi,
for particular reasons entries have to have a multi valued otherMailbox
attribute, something like
dn: cn=foo bar,ou=some ou
objectclass: inetorgPerson
objectclass: extensibleObject
...
otherMailbox: SMTP$joe@example.com
otherMailbox: smtp$foo@bar.com
Adding the second attribute value, I get error 18, inappropriate
matching. Is this intended behaviour or is this a bug?
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
15 years, 11 months
Best multi-password password changing setup
by Buchan Milne
(This email has been sitting in my drafts folder for a week ... if it seems
incomplete, it was because I didn't want to wait till next week Tuesday when
I am finally back in the office).
I'm trying to complete a system which allows authentication by a number of
means, for example:
-Wifi authentication with WPA2 with MSCHAPv2 to FreeRADIUS against
sambaNTPassword attribute in OpenLDAP
-Samba domain
-Kerberos with keys stored in OpenLDAP
-Some hardware devices which read userPassword and compare the hash
At the same time, I would like password policies applied, including:
-Password expiry by default (but exempt some accounts from password expiry)
-Password history checking
-Password strength rules (at minimum length, preferably enforce variation of
character types)
It seems that Heimdal currently doesn't have password history support, and the
password expiry available is quite limited (e.g. global via
[kadmin]password_lifetime). However, Heimdal respects the sambaPwdMustChange
attribute.
MIT has password history support, and support for multiple password expiry
policies, but password history is not available with the LDAP backend (and I
don't see mention of whether the password policies can be stored in LDAP
either).
Password changes via Heimdal will:
-Change the password in the krb5key attributes
-Change the password in sambaNTPassword
-update krb5PasswordEnd
-update sambaPwdMustChange (but not sambaPwdLastSet)
-not change the password in userPassword
-not update pwdChangedTime
-not update passwords in pwdHistory
Password changes via OpenLDAP (exop) with ppolicy and smbk5pwd overlays will:
-Change the password in the krb5Key attributes
-Change the password in the userPassword attribute
-Change the password in the sambaNTPassword and sambaLMPassword attributes
-update pwdChangedTime
-update sambaPwdLastSet (but not sambaPwdMustChange)
-update passwords in pwdHistory
-Not update krb5PasswordEnd
I would prefer not to rely on password changing via samba, since most users
don't really know anything about samba (so, I'll probably have samba set up
for 'ldap passwd sync = only').
So, are there any solutions to this problem? Or will one of ppolicy or
smbk5pwd need to be updated to take the other into account?
Regards,
Buchan
15 years, 11 months
encrypt password by md5 twice?
by Zhang Weiwu
Dear everyone
I am planning to migrate an Intranet info system to authenticate with
OpenLDAP, so more of our business can be done with the same login. The
old system uses its own SQL table to store user information; no
problem, I can write a script to convert it to LDIF format. But md5 was
used to encrypt user passwords, and the developer of that system knows
md5 is cracked, so he encrypted the md5 hash with the md5 method again.
clear text password --> md5 hash --> md5 hash of the md5 hash
My question:
1. Have you ever heard of this solution to avoid md5 cracking? As I
cannot reach the original system author, I wonder how this idea
came to be (e.g. why not use SHA).
2. Does it work? (Is an md5-hashed md5 hash much safer, with no side effects?)
3. Now, how can we migrate this system to use OpenLDAP? AFAIK
OpenLDAP has no direct support for such a hash. There are a lot of
users of the system and there will be problems if the migration is
done and everyone's password is reset.
Thanks in advance!
--
Real Softservice
Huateng Tower, Unit 1788
Jia 302 3rd area of Jinsong, Chao Yang
Tel: +86 (10) 8773 0650 ext 603
Mobile: 135 9950 2413
http://www.realss.com
15 years, 11 months
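The post above asks whether the nested MD5 scheme is safer and how accounts using it can be moved to OpenLDAP. The Python script below is an editor's example, not code from the post or from OpenLDAP: it builds and verifies the RFC 2307 userPassword forms slapd checks natively ({MD5}, {SMD5}, {SHA}, {SSHA}), reproduces the legacy double-MD5 value on the assumption (not stated in the post) that the inner digest was kept as lowercase hex, and shows a verify-then-rehash step that an application sitting in front of the directory could run at a user's next successful login to replace the legacy value with an {SSHA} one. The security point it makes concrete for question 2 is that the nested scheme has no salt, so two users with the same password get the same stored value, while {SSHA} does not; the constant {MD5} value for "secret" is the one slappasswd produces. The function names and the upgrade pattern are the editor's, not an OpenLDAP feature.

```python
import base64
import hashlib
import hmac
import os

# (hashlib name, digest length, salted?) for the schemes slapd verifies natively.
_SCHEMES = {"MD5": ("md5", 16, False), "SMD5": ("md5", 16, True),
            "SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True)}


def legacy_double_md5(password):
    """The old system's scheme as the post describes it: MD5 of the MD5 hash.
    Assumption: the inner digest is the 32-character lowercase hex string most
    web code stores, so the outer MD5 runs over that ASCII text. Note that
    nothing here is salted; the output depends on the password alone."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


def _digest(algo, password, salt):
    """digest(password || salt) || salt, or a bare digest when salt is None."""
    data = password.encode("utf-8")
    if salt is None:
        return hashlib.new(algo, data).digest()
    return hashlib.new(algo, data + salt).digest() + salt


def encode_userpassword(password, scheme="SSHA", salt=None):
    """Produce a {SCHEME}base64(digest [|| salt]) value, the form slappasswd
    emits and slapd verifies on simple bind. A fresh random salt is drawn for
    the salted schemes unless one is supplied (verification supplies it)."""
    scheme = scheme.upper()
    algo, _, salted = _SCHEMES[scheme]
    if salted and salt is None:
        salt = os.urandom(4)
    if not salted:
        salt = None
    return "{%s}%s" % (scheme, base64.b64encode(_digest(algo, password, salt)).decode("ascii"))


def verify_userpassword(stored, password):
    """Check a clear-text password against a {SCHEME}... value. The salt is
    recovered from the stored value; comparison is constant-time."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a scheme-prefixed userPassword value")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        raise ValueError("scheme %s is not one slapd verifies natively" % scheme)
    algo, digest_len, salted = _SCHEMES[scheme]
    raw = base64.b64decode(b64)
    salt = raw[digest_len:] if salted else None
    return hmac.compare_digest(_digest(algo, password, salt), raw)


def upgrade_at_login(legacy_hash, supplied_password):
    """Editor's migration pattern (not an OpenLDAP feature): an application
    that still holds the legacy double-MD5 value checks the password the user
    just typed against it and, on success, returns the {SSHA} value to write
    into userPassword so slapd can verify the account directly from then on.
    Returns None on mismatch, so the caller leaves the account untouched."""
    if not hmac.compare_digest(legacy_double_md5(supplied_password), legacy_hash):
        return None
    return encode_userpassword(supplied_password, "SSHA")


if __name__ == "__main__":
    # Constructed demonstration values; "s3cret" is not anyone's real password.
    old = legacy_double_md5("s3cret")
    print("legacy value is identical for two users sharing a password:",
          old == legacy_double_md5("s3cret"))
    a, b = encode_userpassword("s3cret", "SSHA"), encode_userpassword("s3cret", "SSHA")
    print("{SSHA} values for the same password differ:", a != b)
    print("rehashed on login:", upgrade_at_login(old, "s3cret"))
```

Accounts that never log in again are the residue of this pattern; a practitioner would schedule a forced reset for those after a migration window rather than carrying the unsalted value indefinitely.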