openldap-software October 2007

openldap-software@openldap.org

84 participants
107 discussions

Re: slapd high CPU usage
by Aaron Richton 17 Oct '07

17 Oct '07

Please keep replies on the list. On Tue, 16 Oct 2007, Angie Cao wrote: > The high CPU problem happens when log level was not turned on (means > "loglevel 0" being set in slapd.conf) OK, so it's not (exclusively?) OpenLDAP logging that's causing your system to go slow. > Although CPU is running low right now (with slapd -d127), the message I saw is : > > => test_filter > AND > => test_filter_and > => test_filter > EQUALITY > AND > <= test_filter 5 > => test_filter > AND > => test_filter_and > AND > => test_filter_and > => test_filter > EQUALITY > <= test_filter 5 > <= test_filter_and 5 > <= test_filter 5 > bdb_search: 18222 does not match filter > > are all over the place.... Wondering if this might be related with > the high CPU problem and what this indicates about. (googling around > at the moment and hopefully find the hints) > > Angie > As recommended, try and find a debug level that's more appropriate -- "stats" might be good. These searches that you're concerned about will come up in a much easier to parse form: conn=2 op=1 SRCH base="ou=Dynamic Lists,dc=example,dc=com" scope=2 deref=0 filter="(cn=dynamic list)" conn=2 op=1 SRCH attr=* conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= If you find one of these that's slow (and yes, this might be as low-tech as just noting that there's a large time between debug messages being printed), then that might be a good place to start looking. This data also gives you enough that you can (more or less) replicate the search with ldapsearch(1). If you can do that yourself (instead of waiting for clients to beat slapd up) and find options that gun the CPU, you're a lot closer to fixing the issue...

2 1

sasl message with ldap
by Sean 17 Oct '07

17 Oct '07

I am trying to authenticate via sasl and I get the following error: esrv:~# ldapsearch -U gino -Y digest-md5 -h 72.44.44.33 -b dc=test,dc=net 'uid=test' SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database esrv:~# My sasl database has the following users: test@esrv: userPassword gino@esrv: userPassword Can someone point me in the right direction here. This error is boggling me. sc

2 1

slapd high CPU usage
by Angie Cao 16 Oct '07

16 Oct '07

Hi, I am using default openldap-server-2.3.27-5 coming with red hat 5 and I am using syncrep method to replicate with master ldap server. The replication itself worked well, was able to replicate a large database. but I have a severe problem that slapd process spikes high CPU every few seconds. User time is about 85%. The whole server gets very very slow. I turned slapd to debug level -1 and grep for error. The only error i got was: ----------- -Oct 16 17:32:59 ldapserver slapd[3127]: => access_allowed: backend default search access granted to "(anonymous)" Oct 16 17:32:59 ldapserver slapd[3127]: <= test_filter 5 Oct 16 17:32:59 ldapserver slapd[3127]: <= test_filter_and 5 Oct 16 17:32:59 ldapserver slapd[3127]: <= test_filter 5 Oct 16 17:32:59 ldapserver slapd[3127]: bdb_search: 10555 does not match filter Oct 16 17:32:56 ldapserver slapd[3127]: ber_get_next on fd 24 failed errno=0 (Success) Oct 16 17:32:59 ldapserver slapd[3127]: connection_read(24): input error=-2 id=14, closing. Oct 16 17:35:24 ldapserver slapd[3127]: connection_read(17): input error=-2 id=32, closing. Oct 16 17:35:29 ldapserver slapd[3127]: connection_read(18): input error=-2 id=36, closing. Oct 16 17:35:32 ldapserver slapd[3127]: connection_read(18): input error=-2 id=37, closing. ---------- (I do not know if this is related with high CPU), there was no particular messages in /var/log/message. I have 3.2GHz CPU and 2G memory on this server. Has anybody had the similar problem before? Can anyone advice what can be done in order to troubleshoot further? Thanks. Angie

5 6

Accessing ld_error field of LDAP structure
by Laurent Birtz 16 Oct '07

16 Oct '07

Hello, I am currently debugging some weird SASL login failures on Active Directory. I am using the function ldap_sasl_bind_s() to perform the SASL negociations. I know that ldap_sasl_bind_s() calls ldap_parse_sasl_bind_result() which sets the ld_error field of the 'LDAP' connection structure to the error string returned by the AD server when a login failure occurs. The content of this string is invaluable to debug the login issues. Yet, there seems to be no way to access the content of the ld_error field without bypassing the public interface of the openldap library. Is there any other way to access the error string returned by the server? Also, has someone ever encountered a situation where half of the users of an AD server can authenticate using SASL and the other half trigger an "invalid credentials" error? All those accounts are valid & working, and simple binds can be made without errors. Thank you, Laurent Birtz

3 3

slapd still allows bind but returns no data
by Josh M. Hurd 16 Oct '07

16 Oct '07

I have been fighting with this issue for a couple months now and I really need a solution. I have 2 openldap servers recently upgraded to 2.3.38 with a brand new rebuilt bdb from an LDIF dump. The 2 servers sit behind a load balancer (read-only) and provide basic authentication for about 300 linux servers. There's not much traffic on them but those who need access need access. The problem is they stop returning data, slapd is still running otherwise seems ok. You can still bind to them using rootdn with no issues. I found an old thread describing a similar problem that suggested an upgrade which I did. I was using 2.2.13 now upgraded to 2.3.38 My level of knowledge of OpenLDAP is probably just above novice so I don't have a good base for trouble shooting. This is causing HUGE disruption and needs to be fixed immediately so any and all help is much appreciated. I turned on debug logging (-s 1) this morning so should have a bit of data to share with you if need be. Thanks, Josh

8 19

lCould not parse line... slapadd
by Naufal Sheikh 15 Oct '07

15 Oct '07

Hi, I am trying to import an ldiff file while I created using slapcat on another server. Now when I try to use slapadd to import the ldiff file to my new server, I am getting an error for a last line in the ldiff file i.e. could not parse entry line:1333... The entry on that line is something about "Timestamp" . Previously during the trial I did get the could not parse entry but I figured out that those were because of the whitespaces(emptylines) in the ldiff file, so I removed all of those, but now its is the last line which is not getting parsed by slapadd. I tried having one white space (one empty line) after the last line and with no empty line and ending the file at the last line, but to no avail. Can any one please point me to the right direction?? Thanks & Regards Naufal

5 12

OpenLDAP's backend for performance and high reliability
by Tommy Pham 15 Oct '07

15 Oct '07

Hi everyone, I'm trying to convert from MS based platform to *nix/Linux, specifically FreeBSD. I have a few questions and concerns about OpenLDAP's backend for performance and high reliability. I have no problems setting OpenLDAP 2.3.38 to run with BDB 4.4.20.4 inside FreeBSD's (6.2 RELEASE) jail, using core, cosine, and inetorgperson schemas. Using the Quick-Start guide at openldap.org's website, I manage to create the layout of OUs, CNs, etc. to my needs using phpLDAPadmin after adding the base ldif file via command line: dn: dc=example,dc=com objectclass: dcObject objectclass: organization o: Example Company dc: example After thinking about the robustness of OpenLDAP due to it's BDB backend, I tried to convert over to back-sql and use MySQL 5.0.45 for it's backend. The SQL account is granted with full permission, including reference, to the specified database. The tables are populated using sample sql files - testdb_create.sql - backsql_create.sql - testdb_metadata.sql Then I tried to add the same base ldif file via command line and get this error: ldapadd: Server is unwilling to perform (53) additional info: operation not permitted within namingContext and all of my problems begin even though the unixODBC connection is working properly, despite it's not logging to a file via syslog (not a big concern ATM). After a few days of frustration, research on documentation, and log analyzing, am I wrong to conclude after reading the contents of the sql files and this snip from log: ... slapd startup: initiated. backend_startup_one: starting "cn=config" config_back_db_open config_build_entry: "cn=config" config_build_entry: "cn=include{0}" config_build_entry: "cn=include{1}" config_build_entry: "cn=include{2}" config_build_entry: "cn=module{0}" config_build_entry: "cn=schema" config_build_entry: "cn={0}core" config_build_entry: "cn={1}cosine" config_build_entry: "cn={2}inetorgperson" config_build_entry: "olcDatabase={-1}frontend" config_build_entry: "olcDatabase={0}config" WARNING: No dynamic config support for database sql. config_build_entry: "olcDatabase={1}sql" backend_startup_one: starting "dc=sointe,dc=net" ==>backsql_db_open(): testing RDBMS connection backsql_db_open(): concat func not specified (use "concat_pattern" directive in slapd.conf) backsql_db_open(): subtree search SQL condition not specified (use "subtree_cond" directive in slapd.conf) backsql_db_open(): setting "ldap_entries.dn LIKE CONCAT('%',?)" as default backsql_db_open(): setting "ldap_entries.dn=?" as default backsql_db_open(): objectclass mapping SQL statement not specified (use "oc_query" directive in slapd.conf) backsql_db_open(): setting "SELECT id,name,keytbl,keycol,create_proc,delete_proc,expect_return FROM ldap_oc_mappings" by default ... to conclude for me to use any RDBMS for OpenLDAP's back-sql, I have to setup all the tables, functions and/or stored procedures, and insert all of those appropriately as data into the 4 tables: - ldap_attr_mappings - ldap_entries - ldap_entry_objclasses - ldap_oc_mappings before I can add the base ldif file via command line and use phpLDAPadmin to build & maintain it? What happens when I need to change directory layout/structure because my needs change? Is it feasible? Here are a few case studies scenario where I see issues: A) Small company This can be accomplished with OpenLDAP and the database servers on the same box. If the need requires more, OpenLDAP and the database server on separate boxes. (This scenario can also be accomplished using BDB for backend.) A - 1) Small company grows (still 1 site) OpenLDAP becomes it's own box if it's not already and act as master. Add more OpenLDAP box(es) for proxy requests while the master handles updates/additions. The database server is then reconfigured to be clustered. All OpenLDAP servers connect to the database cluster. (Alternatives? Still possible with OpenLDAP+back-bdb in master/slave replication? What about performance and high reliability?) A - 2) Company grows and expand to multi-site HQ (is the above scenario A - 1) and each site will have it's own OpenLDAP and database (as in scenario A) depending on requirements of each site and data connection to HQ. (Alternatives? Still possible with OpenLDAP+back-bdb in master/slave replication? What about performance and high reliability?) B) Enterprise ( or company in scenario A - 2 grows even more) HQ will be setup as in scenario A - 1 but with more servers, both OpenLDAP and databases. Each site will be setup as in scenario A or A - 1 depending upon the requirement and function of each site. C) What happens (to performance and reliability) when the total entries in OpenLDAP reaches 250,000? 1 million? or 1 billion (most likely to happen in scenario B)? Will it "shrugs it's shoulders as if nothing happens" and still function? Based on the above the scenarios, should I invest the time to create all the tables, functions/stored procedures, and insert them as data into the 4 core tables as mentioned above? I guess there could be work around for all the scenarios except scenario C. Or should I go elsewhere for my directory service/server like OpenDS or Sun's Directory Server? Thanks, Tommy

4 5

multi valued otherMailbox
by Dieter Kluenter 12 Oct '07

12 Oct '07

Hi, for particular reasons entries have to have a multi valued otherMailbox attribute, something like dn: cn=foo bar,ou=some ou objectclass: inetorgPerson objectclass: extensibleObject ... otherMailbox: SMTP$joe(a)example.com otherMailbox: smtp$foo(a)bar.com Adding the second attribute value I get error 18, inappropriate matching. Is this intended behaviour or is this a bug? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

3 7

Best multi-password password changing setup
by Buchan Milne 11 Oct '07

11 Oct '07

(This email has been sitting in my drafts folder for a week ... if it seems incomplete, it was because I didn't want to wait till next week Tuesday when I am finally back in the office). I'm trying to complete a system which allows authentication by a number of means, for example: -Wifi authentication with WPA2 with MSCHAPv2 to FreeRADIUS against sambaNTPassword attribute in OpenLDAP -Samba domain -Kerberos with keys stored in OpenLDAP -Some hardware devices which read userPassword and compare the hash At the same time, I would like password policies applied, including: -Password expiry by default (but exempt some accounts from password expiry) -Password history checking -Password strength rules (at minimum length, preferably enforce variation of character types) It seems that Heimdal currently doesn't have password history support, and the password expiry available is quite limited (e.g. global via [kadmin]password_lifetime). However, Heimdal respects the sambaPwdMustChange attribute MIT has password history support, and support for multiple password expiry policies, but password history is not available with the LDAP backend (and I don't see mention of whether the password policies can be stored in LDAP either). Password changes via Heimdal will: -Change the password in the krb5key attributes -Change the password in sambaNTPassword -update krb5PasswordEnd -update sambaPwdMustChange (but not sambaPwdLastSet) -not change the password in userPassword -not update pwdChangedTime -not update passwords in pwdHistory Password changes via OpenLDAP (exop) with ppolicy and smbk5pwd overlays will: -Change the password in the krb5Key attributes -Change the password in the userPassword attribute -Change the password in the sambaNTPassword and sambaLMPassword attributes -update pwdChangedTime -update sambaPwdLastSet (but not sambaPwdMustChange) -update passwords in pwdHistory -Not update krb5PasswordEnd I would prefer not to rely on password changing via samba, since most users don't really know anything about samba (so, I'll probably have samba setup for 'ldap passwd sync = only' So, are there any solutions to this problem ? Or, will one of ppolicy or smbk5pwd need to be updated to take the other into account. Regards, Buchan

4 6

encrypt password by md5 twice?
by Zhang Weiwu 11 Oct '07

11 Oct '07

Dear everyone I am planing to migrate an Intranet info system to authenticate with OpenLDAP, so more of our business can be done with the same login. The old system uses their own SQL table to store user information, no problem, I can write a script to convert to LDIF format. But md5 was used to encrypt user password, and the developer of that system knows md5 is cracked, so he encrypted the md5 hash with md5 method again. clear text password --> md5 hash --> md5 hash of the md5 hash My question: 1. Have you ever heard this solution to avoid md5 crack? Now as I cannot reach the original system author, I wonder how this idea come to be (e.g. why not using SHA). 2. Does it work? (is md5 hashed md5 hash much safer with no side-effect?) 3. Now, how we can migrate this system to use openldap. AFAIK openldap have no direct support for such hash. There are a lot of users of the system and there will be problems if migration is done and everyone's password is reset.. Thanks in advance! -- Real Softservice Huateng Tower, Unit 1788 Jia 302 3rd area of Jinsong, Chao Yang Tel: +86 (10) 8773 0650 ext 603 Mobile: 135 9950 2413 http://www.realss.com

5 4

← Newer
1
...
5
6
7
8
9
10
11
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2007