openldap-software March 2007

openldap-software@openldap.org

68 participants
83 discussions

OpenLDAP 2.4
by Howard Chu 08 Nov '07

08 Nov '07

The Admin Guide still has not been updated with all of the relevant changes, so here are some notes on new features in the 2.4 release... I believe all of the manpages are up to date, so you can get specifics from them. More complete cn=config functionality: There is a new slapd-config(5) manpage for the cn=config backend. the original design called for auto-renaming of config entries when you insert or delete entries with ordered names, but that was not implemented in 2.3. It is now in 2.4. This means, e.g., if you have olcDatabase={1}bdb,cn=config olcSuffix: dc=example,dc=com and you want to add a new subordinate, now you can: ldapadd olcDatabase={1}bdb,cn=config olcSuffix: dc=foo,dc=example,dc=com this will insert a new BDB database in slot 1 and bump all following databases down one, so the original BDB database will now be named olcDatabase={2}bdb,cn=config olcSuffix: dc=example,dc=com In 2.3 you were only able to add new schema elements, not delete or modify existing elements. In 2.4 you can modify schema at will. (Except for the hardcoded system schema, of course.) More sophisticated syncrepl configurations: the original implementation of syncrepl in OpenLDAP 2.2 was intended to support multiple consumers within the same database, but that feature never worked and was removed from OpenLDAP 2.3. I.e., you could only configure a single consumer in any database. In 2.4 you can configure multiple consumers in a single database. The configuration possibilities here are quite complex and numerous. You can configure consumers over arbitrary subtrees of a database (disjoint or overlapping). Any portion of the database may in turn be provided to other consumers using the syncprov overlay. The syncprov overlay works with any number of consumers over a single database or over arbitrarily many glued databases. As a consequence of the work to support multiple consumer contexts, the syncrepl system now supports full N-way multimaster replication with entry-level conflict resolution. There are some important constraints, of course: In order to maintain consistent results across all servers, you must maintain tightly synchronized clocks across all participating servers (e.g., you must use NTP on all servers). The entryCSNs used for replication now record timestamps with microsecond resolution, instead of just seconds. The delta-syncrepl code has not been updated to support multimaster usage yet, that will come later in the 2.4 cycle. On a related note, syncrepl was explicitly disabled on cn=config in 2.3. It is now fully supported in 2.4; you can use syncrepl to replicate an entire server configuration from one server to arbitrarily many other servers. It's possible to clone an entire running slapd using just a small (less than 10 lines) seed configuration, or you can just replicate the schema subtrees, etc. Tests 049 and 050 in the test suite provide working examples of these capabilities. In 2.3 you could configure syncrepl as a full push-mode replicator by using it in conjunction with a back-ldap pointed at the target server. But because the back-ldap database needs to have a suffix corresponding to the target's suffix, you could only configure one instance per slapd. In 2.4 you can define a database to be "hidden" which means that its suffix is ignored when checking for name collisions, and the database will never be used to answer requests received by the frontend. Using this hidden database feature allows you to configure multiple databases with the same suffix, allowing you to set up multiple back-ldap instances for pushing replication of a single database to multiple targets. There may be other uses for hidden databases as well (e.g., using a syncrepl consumer to maintain a *local* mirror of a database on a separate filesystem). More extensive TLS configuration control: In 2.3, the TLS configuration in slapd was only used by the slapd listeners. For outbound connections used by e.g. back-ldap or syncrepl their TLS parameters came from the system's ldap.conf file. In 2.4 all of these sessions inherit their settings from the main slapd configuration but settings can be individually overridden on a per-config-item basis. This is particularly helpful if you use certificate-based authentication and need to use a different client certificate for different destinations. Various performance enhancements: Too many to list. Some notable changes - ldapadd used to be a couple of orders of magnitude slower than "slapadd -q". It's now at worst only about half the speed of slapadd -q. A few weeks ago I did some comparisons of all the 2.x OpenLDAP releases; the results are in the slides from my SCALE presentation and you can find a copy here: http://www.highlandsun.com/hyc/scale2007.pdf That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD (as of a couple weeks ago). Toward the latter end of the "Cached Search Performance" chart it gets hard to see the difference because the runtimes are so small, but the new code is about 25% faster than 2.3, which was about 20% faster than 2.2, which was about 100% faster than 2.1, which was about 100% faster than 2.0, in that particular search scenario. That test basically searched a 1.3GB DB of 380836 entries (all in the slapd entry cache) in under 1 second. i.e., on a 2.4GHz CPU with DDR400 ECC/Registered RAM we can search over 500 thousand entries per second. The search was on an unindexed attribute using a filter that would not match any entry, forcing slapd to examine every entry in the DB, testing the filter for a match. Essentially the slapd entry cache in back-bdb/back-hdb is so efficient the search processing time is almost invisible; the runtime is limited only by the memory bandwidth of the machine. (The search data rate corresponds to about 3.5GB/sec; the memory bandwidth on the machine is only about 4GB/sec due to ECC and register latency.) I think it goes without saying that no other Directory Server in the world is this fast or this efficient. Couple that with the scalability, manageability, flexibility, and just the sheer know-how behind this software, and nothing else is even remotely comparable. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

7 12

LDAP authenticaton against PAM how-to
by manu＠netbsd.org 27 Apr '07

27 Apr '07

Hi I banged my head on OpenLDAP -> SASL -> PAM for two days. The status of the documentation is really horrible. Until someone eventually fix that, here is for future reference what I had to do (the NetBSD system parts are out of topic, but I added them for the sake of completeness) Configuration: NetBSD-3.1 OpenLDAP-2.3.27 from NetBSD's pkgsrc Cyrus-SASL-2.1.22 from NetBSD's pkgsrc 1) Install the software 1.1 Fix pkgsrc a bug In /usr/pkgsrc/databases/openlda-server/options.mk, change --with-spasswd into --enable-spasswd 1.2 Install the following packages: Set build options for pkgsrc: in /etc/mk.conf: PKG_RCD_SCRIPTS=YES PKG_OPTIONS.openldap-client+=sasl PKG_OPTIONS.openldap-server+=sasl PKG_OPTIONS.cyrus-saslauthd+=pam 1.3 Install the following packages: database/openldap security/cyrus-sasl security/saslauthd security/cy2-plain 1.4 Fix another pkgsrc bug: cd /usr/pkgsrc/database/openldap-server/ cd work/openldap-2.3.27/libraries/libldap_r make && make install 2) Configure PAM Create /etc/pam.ldap and populate it with your PAM configuration 3) Configure SASL 3.1 Enable saslauthd, by adding this to /etc/rc.conf: saslauthd=YES saslauthd_flags="-a pam 3.2 Then start it: /etc/rc.d/saslauthd start 3.3 Configure the SASL library for slapd, by creating /usr/pkg/lib/sasl2/slapd.conf, with the following content: pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux 3.4 Check SASL functionnality testsaslauthd -s ldap -u login -p password Make sure a wrong password really fails... 4) Configure OpenLDAP (the nasty part) 4.1 Enable PLAIN mechanism (disabled by default) in /usr/pkg/etc/openldap/slapd.conf, by adding: sasl-secprops none You don't need sasl-regex or authz-regex. 4.2 Enable TLS: Generate TLS certificate, and add certificate, key and CA to /usr/pkg/etc/openldap/slapd.conf: TLSCertificateFile /etc/openssl/certs/botin.crt TLSCertificateKeyFile /etc/openssl/private/botin.key TLSCACertificateFile /etc/openssl/certs/ca.crt 4.3 Populate the directory, make sure that user cn=jdoe,dc=example,dc=net has this: userPassword: {SASL}jdoe 4.4 Enable slapd, by adding to /etc/rc.conf: slapd=YES 4.5 Start slapd: /etc/rc.d/slapd start 4.6 Check that slapd will accept PLAIN SASL authentication: ldapsearch -x -b "" -s base supportedSASLMechanisms You should get: supportedSASLMechanisms: PLAIN 4.7 Configure the LDAP client, in /usr/pkg/etc/openldap/ldap.conf: BASE dc=example,dc=net TLS_CACERT /etc/openssl/certs/ca.crt SASL_MECH PLAIN SASL_SECPROPS none 4.8 Check that the whole thing works: ldapsearch -x -WZD cn=jdoe,dc=example,dc=net Don't forget to make sure a wrong password fails... NB1: saslauthd logs in /var/log/authlog, the error messages are useful NB2: slapd logs in /var/log/slapd.conf, the error messages are usually meaningless, especially for ACL and SASL troubles. NB3: Make sure your DN is right. I spent a lot of time running tests with an invalid DN (ie: dc=jdoe instead of cn=jdoe) -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

13 30

slapd crashing "randomly?"
by daniel＠ncsu.edu 12 Apr '07

12 Apr '07

Hi folk, I want to start this message by saying, what I'm about to describe is completely vague and I don't expect to get a solution response. ;) Basically, I'm out of ideas and am looking for some suggestions as to how to debug the issue I'm running into. Starting about half a year ago, slapd started "just dieing" out of the blue. Not a think in the logs shows up to indicate what might have caused it. The last query that I see in the logs before a crash always seems to be nothing special. I don't even see a core dump being generated yet, but then that may just be because I don't have the proper setup to get a core dump at this time. We were running the last 2.2 and upgraded to the latest release of 2.3 to make sure it wasn't an "old version" issue. Unfortunately, slapd still dies a fair amount on us. It appears to be fairly unpredictable. I've seen it crash within 1 minute of starting up slapd (then a subsequent startup 'takes' just fine). I've seen it crash when there were a number of network issues going on. I've seen it crash out of the blue when nothing appeared to be going on. I don't really have the drive space to turn on max debug logging 24/7 until the problem occurs. We're thinking about setting up something to watch all of the network traffic going to one of the boxes until it dies. (assuming we can find something with the resources to do that) That all said... since I have nothing solid to present, do you all have any suggestions of what would be the best way to track down what's going on? I'm literally out of ideas unless my berkeley db config is somehow causing the problem or something like that. I apologize for the vagueness. =/ Any ideas/suggestions? Daniel

5 11

Different output with ldapsearch
by Amos Castelli 11 Apr '07

11 Apr '07

Hi all, can anybody tell me if the following is a bug or is a normal behavior? $ ldapsearch -x -H ldap://ldap.ex.com -b ou=People,dc=ex,dc=com |grep zhiling $ ldapsearch -x -H ldap://ldap.ex.com -b ou=People,dc=ex,dc=com "(uid=zhiling)" # extended LDIF # # LDAPv3 # base <ou=People,dc=ex,dc=com> with scope subtree # filter: (uid=zhiling) # requesting: ALL # # zhiling, People, ex.com dn: uid=zhiling,ou=People,dc=ex,dc=com uid: zhiling cn: Uela Zhiling objectClass: account objectClass: posixAccount objectClass: top loginShell: /usr/local/bin/bash uidNumber: 20893 gidNumber: 30484 homeDirectory: /users/zhiling gecos: Uela Zhiling, DCS # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 why I don't get any match with the grep command? ldap server version: 2.3.34 Thanks in advance, AMos

6 9

slurpd from a
by Alec Thomas 06 Apr '07

06 Apr '07

Hi, I have a similar situation to the one mentioned here: http://www.openldap.org/lists/openldap-software/200607/msg00024.html I was wondering if somebody could clarify why this behaviour is intentional? Alec -- Evolution: Taking care of those too stupid to take care of themselves.

5 7

err=52
by jerrrry＠voila.fr 02 Apr '07

02 Apr '07

Hi all, i'm using openldap 2.2.13 as a proxy to an other ldap server. it works and after few days, authentications doesn't work any more. and i have an error 52 in my ldap log: ar 29 17:51:13 guardsdef1 slapd[23444]: conn=4 op=5 SRCH base="ou=personnes,o=st" scope=2 deref=3 filter="(&(objectClass=*)(uid=n588t67))" Mar 29 17:51:13 guardsdef1 slapd[23444]: conn=4 op=5 SRCH attr=uid Mar 29 17:51:13 guardsdef1 slapd[23444]: conn=4 op=5 SEARCH RESULT tag=101 err=52 nentries=0 text= Mar 29 17:51:13 guardsdef1 slapd[23444]: conn=4 op=5 SEARCH RESULT tag=101 err=52 nentries=0 text= this error means: LDAP_UNAVAILABLE: Indicates that the LDAP server cannot process the client's bind request, usually because it is shutting down. my slapd conf: database ldap suffix o=sg uri ldaps://ldap.s45ame.iioup.soen Do you have any idea why open ldap "is shutting down" ? thank you for your help Thomas

5 5

OpenLDAP SPEC File
by Josh Miller 01 Apr '07

01 Apr '07

Anybody have a good recent SPEC file for OpenLDAP on RHEL4 that you wouldn't mind posting? (This is for building RPMs for anybody who doesn't recognize a SPEC file.) Thanks, -- Joshua M. Miller - RHCE,VCP

5 8

Paged results and Solaris
by Aaron Richton 01 Apr '07

01 Apr '07

Some users of Solaris may use LDAP clients based on the library /usr/lib/libsldap.so.1. One such example is the Sun-provided /usr/lib/nss_ldap.so.1. These clients have historically been at best partially compatible with OpenLDAP, for various reasons. While there has been a lot of good progress towards standards compliance (or at least standards accommodation), paged results have had a long-standing bug. The results cookie was improperly handed by libsldap, causing any results in excess of the page size (1,000 in the case of libsladp) to be lost. Rutgers has significantly more than 1,000 entries, and brought this through Sun support channels. Patches were released for Solaris 9 last week, which fix this issue 6278068 native ldap client: simple page mode broken in S9 and S10 I note this to openldap-software for users considering migration to OpenLDAP slapd(8) who may have experienced this behavior and falsely attributed it to OpenLDAP software. When properly patched, I can attest that Solaris nss and OpenLDAP work "out of the box" together.

6 7

authzTo for user not copied by syncrepl - problem
by tomasz 01 Apr '07

01 Apr '07

hi, my problem about it is slave server is not copied attr authzTo from master server my slapd.conf include: access to attrs=userPassword,authzTo,entry,children by dn.exact="cn=replicant,ou=people,dc=the,dc=net" write by self read by group.base="cn=ldapadmin,ou=people,dc=thebunker,dc=net" read by anonymous auth by * and syncrepl rid=1 provider=ldap://test.the.net:389/ type=refreshAndPersist interval=00:00:01:00 searchbase="dc=the,dc=net" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off updatedn="cn=replicant,ou=people,dc=the,dc=net" bindmethod=sasl saslmech=digest-md5 realm=the.net retry=1,5,30,+ credentials=xxxx authcid="replicant" but it is not doing copy of attr: authzTo from master server master server slapd.conf include access to attrs=userPassword,authzTo,entry,children by self write by group.exact="cn=ldapadmin,ou=people,dc=the,dc=net" write by dn.exact="cn=replicant,ou=people,dc=the,dc=net" read by anonymous auth by * and idea how to sort it? cheers -- bEsT rEgArDs | "Confidence is what you have before you tomasz dereszynski | understand the problem." -- Woody Allen TD840-RIPE |

3 6

authzTo/From
by tomasz 30 Mar '07

30 Mar '07

hi, my problem about it is raplicant is not copied attr authzTo from master server my slapd.conf include: access to attrs=userPassword,authzTo,entry,children by dn.exact="cn=replicant,ou=people,dc=the,dc=net" write by self read by group.base="cn=ldapadmin,ou=people,dc=thebunker,dc=net" read by anonymous auth by * and syncrepl rid=1 provider=ldap://test.the.net:389/ type=refreshAndPersist interval=00:00:01:00 searchbase="dc=the,dc=net" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off updatedn="cn=replicant,ou=people,dc=the,dc=net" bindmethod=sasl saslmech=digest-md5 realm=the.net retry=1,5,30,+ credentials=xxxx authcid="replicant" but it is not doing copy of attr: authzTo from master server master server slapd.conf include access to attrs=userPassword,authzTo,entry,children by self write by group.exact="cn=ldapadmin,ou=people,dc=the,dc=net" write by dn.exact="cn=replicant,ou=people,dc=the,dc=net" read by anonymous auth by * and idea how to sort it? cheers -- bEsT rEgArDs | "Confidence is what you have before you tomasz dereszynski | understand the problem." -- Woody Allen TD840-RIPE |

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software March 2007