openldap-software June 2007

openldap-software@openldap.org

86 participants
106 discussions

OpenLDAP 2.4
by Howard Chu 08 Nov '07

08 Nov '07

The Admin Guide still has not been updated with all of the relevant changes, so here are some notes on new features in the 2.4 release... I believe all of the manpages are up to date, so you can get specifics from them. More complete cn=config functionality: There is a new slapd-config(5) manpage for the cn=config backend. the original design called for auto-renaming of config entries when you insert or delete entries with ordered names, but that was not implemented in 2.3. It is now in 2.4. This means, e.g., if you have olcDatabase={1}bdb,cn=config olcSuffix: dc=example,dc=com and you want to add a new subordinate, now you can: ldapadd olcDatabase={1}bdb,cn=config olcSuffix: dc=foo,dc=example,dc=com this will insert a new BDB database in slot 1 and bump all following databases down one, so the original BDB database will now be named olcDatabase={2}bdb,cn=config olcSuffix: dc=example,dc=com In 2.3 you were only able to add new schema elements, not delete or modify existing elements. In 2.4 you can modify schema at will. (Except for the hardcoded system schema, of course.) More sophisticated syncrepl configurations: the original implementation of syncrepl in OpenLDAP 2.2 was intended to support multiple consumers within the same database, but that feature never worked and was removed from OpenLDAP 2.3. I.e., you could only configure a single consumer in any database. In 2.4 you can configure multiple consumers in a single database. The configuration possibilities here are quite complex and numerous. You can configure consumers over arbitrary subtrees of a database (disjoint or overlapping). Any portion of the database may in turn be provided to other consumers using the syncprov overlay. The syncprov overlay works with any number of consumers over a single database or over arbitrarily many glued databases. As a consequence of the work to support multiple consumer contexts, the syncrepl system now supports full N-way multimaster replication with entry-level conflict resolution. There are some important constraints, of course: In order to maintain consistent results across all servers, you must maintain tightly synchronized clocks across all participating servers (e.g., you must use NTP on all servers). The entryCSNs used for replication now record timestamps with microsecond resolution, instead of just seconds. The delta-syncrepl code has not been updated to support multimaster usage yet, that will come later in the 2.4 cycle. On a related note, syncrepl was explicitly disabled on cn=config in 2.3. It is now fully supported in 2.4; you can use syncrepl to replicate an entire server configuration from one server to arbitrarily many other servers. It's possible to clone an entire running slapd using just a small (less than 10 lines) seed configuration, or you can just replicate the schema subtrees, etc. Tests 049 and 050 in the test suite provide working examples of these capabilities. In 2.3 you could configure syncrepl as a full push-mode replicator by using it in conjunction with a back-ldap pointed at the target server. But because the back-ldap database needs to have a suffix corresponding to the target's suffix, you could only configure one instance per slapd. In 2.4 you can define a database to be "hidden" which means that its suffix is ignored when checking for name collisions, and the database will never be used to answer requests received by the frontend. Using this hidden database feature allows you to configure multiple databases with the same suffix, allowing you to set up multiple back-ldap instances for pushing replication of a single database to multiple targets. There may be other uses for hidden databases as well (e.g., using a syncrepl consumer to maintain a *local* mirror of a database on a separate filesystem). More extensive TLS configuration control: In 2.3, the TLS configuration in slapd was only used by the slapd listeners. For outbound connections used by e.g. back-ldap or syncrepl their TLS parameters came from the system's ldap.conf file. In 2.4 all of these sessions inherit their settings from the main slapd configuration but settings can be individually overridden on a per-config-item basis. This is particularly helpful if you use certificate-based authentication and need to use a different client certificate for different destinations. Various performance enhancements: Too many to list. Some notable changes - ldapadd used to be a couple of orders of magnitude slower than "slapadd -q". It's now at worst only about half the speed of slapadd -q. A few weeks ago I did some comparisons of all the 2.x OpenLDAP releases; the results are in the slides from my SCALE presentation and you can find a copy here: http://www.highlandsun.com/hyc/scale2007.pdf That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD (as of a couple weeks ago). Toward the latter end of the "Cached Search Performance" chart it gets hard to see the difference because the runtimes are so small, but the new code is about 25% faster than 2.3, which was about 20% faster than 2.2, which was about 100% faster than 2.1, which was about 100% faster than 2.0, in that particular search scenario. That test basically searched a 1.3GB DB of 380836 entries (all in the slapd entry cache) in under 1 second. i.e., on a 2.4GHz CPU with DDR400 ECC/Registered RAM we can search over 500 thousand entries per second. The search was on an unindexed attribute using a filter that would not match any entry, forcing slapd to examine every entry in the DB, testing the filter for a match. Essentially the slapd entry cache in back-bdb/back-hdb is so efficient the search processing time is almost invisible; the runtime is limited only by the memory bandwidth of the machine. (The search data rate corresponds to about 3.5GB/sec; the memory bandwidth on the machine is only about 4GB/sec due to ECC and register latency.) I think it goes without saying that no other Directory Server in the world is this fast or this efficient. Couple that with the scalability, manageability, flexibility, and just the sheer know-how behind this software, and nothing else is even remotely comparable. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

7 12

slapo-unique. several unique_base with different unique_attributes sets
by Dmitriy Kirhlarov 02 Oct '07

02 Oct '07

Hi, list I have container in my tree 'ou=cyrus,ou=mail,o=domain' and I need check 'uniqueMember' attribute -- user can be membered only in one group. Also, for 'ou=web,ou=groups,o=domain' with same types of objects, as 'ou=cyrus,ou=mail,o=domain' user can be membered in several groups, but I need uniques check for 'gidNumber' inside 'ou=groups,o=domain'. I need something: unique_base ou=users,o=domain uidNumber mail mailLocalAddress unique_base ou=groups,o=domain gidNumber unique_base ou=cyrus,ou=mail,o=domain uniqueMember I'm using openldap 2.3.35 Is it possible with this version or, may be, with 2.4.x? WBR. Dmitriy

3 4

Recovery after system shutdown
by Arunachalam Parthasarathy 26 Jul '07

26 Jul '07

Hello, When I started adding some entries to openldap server (2.3.36), suddenly my system powered off, When I started my sytem after rebooting, my slapd with BDB as backend , is unable to recover , I am getting an error as below, Please say , what am I doing wrong Thanks, Arunachalam. config_build_entry: "olcDatabase={1}bdb" backend_startup_one: starting "dc=huawei,dc=com" bdb_db_open: dc=huawei,dc=com bdb_db_open: dbenv_open(/home/Arunachalam/Res/openldapdb_36) bdb(dc=huawei,dc=com): file id2entry.bdb (meta pgno = 0) has LSN [32][3600584]. bdb(dc=huawei,dc=com): end of log is [31][937891] bdb(dc=huawei,dc=com): /home/Arunachalam/Res/openldapdb_36/id2entry.bdb: unexpected file type or format bdb_db_open: db_open(/home/Arunachalam/Res/openldapdb_36/id2entry.bdb) failed: Invalid argument (22) ====> bdb_cache_release_all bdb(dc=huawei,dc=com): Unknown locker ID: 0 backend_startup_one: bi_db_open failed! (22) slapd shutdown: initiated ====> bdb_cache_release_all bdb_db_close: alock_close failed slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. **************************************************************************** **************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

3 4

Automatic Account Deactivation?
by Aharon Verno 13 Jul '07

13 Jul '07

I was wondering if there was a way to automatically disable an account that hasn't been logged into for a period of time? We use OpenLDAP to give entitlements for our email system and we would love a way to automatically shutdown accounts that haven't been authenticated to in X days. Thanks for any help with this.

4 5

using openldap as a translation layer.
by S James S Stapleton 12 Jul '07

12 Jul '07

Can I use open-ldap as a translation layer for queries with a ldap client with minimal configuration potential? Right now the client (which cannot be trivially modified), can use LDAP authentication, sort-of. What it does, is it takes your user name, and assignes it to the 'uid' attribute, and then tacks on whatever string is in the config to form a distinguished name. For example, if I used 'stapleton' as my username and the config had 'ou=People,dc=domain,dc=tld', it would query for 'uid=stapleton,ou=People,dc=dmain,dc=tld'. Unfortunately, people usernames are everything before the '@' sign in their email, and this is not their uid. The uid is a number, that is used nowhere else. The standard process that we use is to take their user name and perform an ldap query to get the uid from the email, and then use the uid to verify if the user is correct. Example: ldap://server:389/uid=441068,ou=People,dc=mydomain,dc=tld pulls up my information Now, if I want to get my uid, I'd do this: ldap://server:389/ou=People,dc=mydomain,dc=tld?uid?sub?(mail=stapleton@mydomain.tld) The client, as described cannot do that, if a user attempts to use what they expect their user name to be, it will send: uid=stapleton,ou=People,dc=mydomain,dc=tld or uid=stapleton(a)mydomain.tld,ou=People,dc=mydomain,dc=tld Neither of which will authenticate. Is there a way to make OpenLDAP provide a middle layer to handle this? Thank you, -Jim Stapleton

6 23

How to search for all entries that have modified themselves
by Zhang Weiwu 06 Jul '07

06 Jul '07

Dear all We have accesslog feature turned on for several months. It's very useful for us to identify who have modified what (only edit access is logged). The new requirement is to search for all entries that have modified themselves; I don't know how to do (and failed after many experiments). It's very easy to identify whether or not a given user have modified herself by doing: ldapsearch ... '(&(reqDN=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn)(reqAuthzID=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn))' But I need to do this search 4000 times to locate all entries who have modified themselves. I wish I can work smarter using something like ldapsearch ... '(&(reqDN=\(.*\))(reqAuthzID=\1))' Certainly this doesn't work but you get the idea. Is there a solution? Thanks a lot in advance! Would you please kindly use "reply all" to reply this message so that my colleague on the 'cc' can be enlightened too? -- Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112

2 1

how to delete entire base dn ?
by JOYDEEP 06 Jul '07

06 Jul '07

Hi, I am very much interested to know the deletion procedure of entire base dn as I am implemeting different types of ldif to learn thanks

2 2

retrieve referral hosts after ldap_modify_s()
by Bin Lu 06 Jul '07

06 Jul '07

Hi, Could somebody kindly tell me what is the API should I use to retrieve the referral hosts information when ldap_modify_s() returns LDAP_REFERRAL? Thanks, Wenwu

2 1

referential integrity
by manu＠netbsd.org 06 Jul '07

06 Jul '07

Hello I have been reading the docs, looking for a way to acheive referential integrity as it is done in RDBMS. For instance, if I want to constraint the value of atribute title to a set of value, so that any modification to a value not in the list would be denied. Let's say the set of legal values could be stored in the directory, ad objects of a dedicated class; How can it be done? slapo-refint is not about denying changes, slapo-constraint can only enforce regex matching.. Is there anything else I missed? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

5 8

back-sql and multiple objectclasses
by Wilhelm Meier 05 Jul '07

05 Jul '07

Hi, I have a problem using back-sql and entries with multiple object classes: If I add the entry: dn: cn=testuser2,dc=kmux,dc=de cn: testuser2 sn: test objectClass: top objectClass: person objectClass: posixAccount gidNumber: 514 uidNumber: 4711 uid: test2 homeDirectory: hh I get in the logs of slapd complains that attr uidNumber in objectClass person is undefined. That's right, but the object has the additional class posixAccount, which has the attribute. When I look in the logs, I see that the table ldap_entry_objectclasses gets inserted the auxiliary class posixAccount AFTER it tries to set the attribute uidNumber. So ist clear that it doen't find the attribute. The tables in the database are constructed similar to the objectclasses. Any hints? -- Wilhelm

3 8

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2007