The Admin Guide still has not been updated with all of the relevant changes,
so here are some notes on new features in the 2.4 release... I believe all of
the manpages are up to date, so you can get specifics from them.
More complete cn=config functionality:
There is a new slapd-config(5) manpage for the cn=config backend.
the original design called for auto-renaming of config entries when you
insert or delete entries with ordered names, but that was not implemented in
2.3. It is now in 2.4. This means, e.g., if you have
and you want to add a new subordinate, now you can:
this will insert a new BDB database in slot 1 and bump all following
databases down one, so the original BDB database will now be named
In 2.3 you were only able to add new schema elements, not delete or
modify existing elements. In 2.4 you can modify schema at will. (Except for
the hardcoded system schema, of course.)
More sophisticated syncrepl configurations:
the original implementation of syncrepl in OpenLDAP 2.2 was intended to
support multiple consumers within the same database, but that feature never
worked and was removed from OpenLDAP 2.3. I.e., you could only configure a
single consumer in any database.
In 2.4 you can configure multiple consumers in a single database. The
configuration possibilities here are quite complex and numerous. You can
configure consumers over arbitrary subtrees of a database (disjoint or
overlapping). Any portion of the database may in turn be provided to other
consumers using the syncprov overlay. The syncprov overlay works with any
number of consumers over a single database or over arbitrarily many glued
As a consequence of the work to support multiple consumer contexts, the
syncrepl system now supports full N-way multimaster replication with
entry-level conflict resolution. There are some important constraints, of
course: In order to maintain consistent results across all servers, you must
maintain tightly synchronized clocks across all participating servers (e.g.,
you must use NTP on all servers). The entryCSNs used for replication now
record timestamps with microsecond resolution, instead of just seconds. The
delta-syncrepl code has not been updated to support multimaster usage yet,
that will come later in the 2.4 cycle.
On a related note, syncrepl was explicitly disabled on cn=config in 2.3.
It is now fully supported in 2.4; you can use syncrepl to replicate an entire
server configuration from one server to arbitrarily many other servers. It's
possible to clone an entire running slapd using just a small (less than 10
lines) seed configuration, or you can just replicate the schema subtrees,
etc. Tests 049 and 050 in the test suite provide working examples of these
In 2.3 you could configure syncrepl as a full push-mode replicator by
using it in conjunction with a back-ldap pointed at the target server. But
because the back-ldap database needs to have a suffix corresponding to the
target's suffix, you could only configure one instance per slapd.
In 2.4 you can define a database to be "hidden" which means that its
suffix is ignored when checking for name collisions, and the database will
never be used to answer requests received by the frontend. Using this hidden
database feature allows you to configure multiple databases with the same
suffix, allowing you to set up multiple back-ldap instances for pushing
replication of a single database to multiple targets. There may be other uses
for hidden databases as well (e.g., using a syncrepl consumer to maintain a
*local* mirror of a database on a separate filesystem).
More extensive TLS configuration control:
In 2.3, the TLS configuration in slapd was only used by the slapd
listeners. For outbound connections used by e.g. back-ldap or syncrepl their
TLS parameters came from the system's ldap.conf file.
In 2.4 all of these sessions inherit their settings from the main slapd
configuration but settings can be individually overridden on a
per-config-item basis. This is particularly helpful if you use
certificate-based authentication and need to use a different client
certificate for different destinations.
Various performance enhancements:
Too many to list. Some notable changes - ldapadd used to be a couple of
orders of magnitude slower than "slapadd -q". It's now at worst only about
half the speed of slapadd -q. A few weeks ago I did some comparisons of all
the 2.x OpenLDAP releases; the results are in the slides from my SCALE
presentation and you can find a copy here:
That compared 2.0.27, 2.1.30, 2.2.30, 2.3.33, and HEAD (as of a couple
weeks ago). Toward the latter end of the "Cached Search Performance" chart it
gets hard to see the difference because the runtimes are so small, but the
new code is about 25% faster than 2.3, which was about 20% faster than 2.2,
which was about 100% faster than 2.1, which was about 100% faster than 2.0,
in that particular search scenario. That test basically searched a 1.3GB DB
of 380836 entries (all in the slapd entry cache) in under 1 second. i.e., on
a 2.4GHz CPU with DDR400 ECC/Registered RAM we can search over 500 thousand
entries per second. The search was on an unindexed attribute using a filter
that would not match any entry, forcing slapd to examine every entry in the
DB, testing the filter for a match.
Essentially the slapd entry cache in back-bdb/back-hdb is so efficient
the search processing time is almost invisible; the runtime is limited only
by the memory bandwidth of the machine. (The search data rate corresponds to
about 3.5GB/sec; the memory bandwidth on the machine is only about 4GB/sec
due to ECC and register latency.)
I think it goes without saying that no other Directory Server in the world is
this fast or this efficient. Couple that with the scalability, manageability,
flexibility, and just the sheer know-how behind this software, and nothing
else is even remotely comparable.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
I have container in my tree 'ou=cyrus,ou=mail,o=domain' and I need check
'uniqueMember' attribute -- user can be membered only in one group.
Also, for 'ou=web,ou=groups,o=domain' with same types of objects, as
'ou=cyrus,ou=mail,o=domain' user can be membered in several groups, but
I need uniques check for 'gidNumber' inside 'ou=groups,o=domain'.
I need something:
uidNumber mail mailLocalAddress
I'm using openldap 2.3.35
Is it possible with this version or, may be, with 2.4.x?
When I started adding some entries to openldap server (2.3.36), suddenly my
system powered off,
When I started my sytem after rebooting, my slapd with BDB as backend , is
unable to recover , I am getting an error as below, Please say , what am I
backend_startup_one: starting "dc=huawei,dc=com"
bdb(dc=huawei,dc=com): file id2entry.bdb (meta pgno = 0) has LSN
bdb(dc=huawei,dc=com): end of log is 
unexpected file type or format
failed: Invalid argument (22)
bdb(dc=huawei,dc=com): Unknown locker ID: 0
backend_startup_one: bi_db_open failed! (22)
slapd shutdown: initiated
bdb_db_close: alock_close failed
slapd destroy: freeing system resources.
connections_destroy: nothing to destroy.
This e-mail and attachments contain confidential information from HUAWEI,
which is intended only for the person or entity whose address is listed
above. Any use of the information contained herein in any way (including,
but not limited to, total or partial disclosure, reproduction, or
dissemination) by persons other than the intended recipient's) is
prohibited. If you receive this e-mail in error, please notify the sender by
phone or email immediately and delete it!
I was wondering if there was a way to automatically disable an account that
hasn't been logged into for a period of time? We use OpenLDAP to give
entitlements for our email system and we would love a way to automatically
shutdown accounts that haven't been authenticated to in X days. Thanks for
any help with this.
Can I use open-ldap as a translation layer for queries with a ldap client
with minimal configuration potential?
Right now the client (which cannot be trivially modified), can use LDAP
authentication, sort-of. What it does, is it takes your user name, and
assignes it to the 'uid' attribute, and then tacks on whatever string is in
the config to form a distinguished name. For example, if I used 'stapleton'
as my username and the config had 'ou=People,dc=domain,dc=tld', it would
query for 'uid=stapleton,ou=People,dc=dmain,dc=tld'. Unfortunately, people
usernames are everything before the '@' sign in their email, and this is not
their uid. The uid is a number, that is used nowhere else. The standard
process that we use is to take their user name and perform an ldap query to
get the uid from the email, and then use the uid to verify if the user is
pulls up my information
Now, if I want to get my uid, I'd do this:
The client, as described cannot do that, if a user attempts to use what they
expect their user name to be, it will send:
Neither of which will authenticate. Is there a way to make OpenLDAP provide
a middle layer to handle this?
We have accesslog feature turned on for several months. It's very useful
for us to identify who have modified what (only edit access is logged).
The new requirement is to search for all entries that have modified
I don't know how to do (and failed after many experiments). It's very
easy to identify whether or not a given user have modified herself by
ldapsearch ... '(&(reqDN=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn)(reqAuthzID=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn))'
But I need to do this search 4000 times to locate all entries who have
modified themselves. I wish I can work smarter using something like
ldapsearch ... '(&(reqDN=\(.*\))(reqAuthzID=\1))'
Certainly this doesn't work but you get the idea. Is there a solution?
Thanks a lot in advance! Would you please kindly use "reply all" to
reply this message so that my colleague on the 'cc' can be enlightened
+86 592 2091112
I have been reading the docs, looking for a way to acheive referential
integrity as it is done in RDBMS.
For instance, if I want to constraint the value of atribute title to a
set of value, so that any modification to a value not in the list would
be denied. Let's say the set of legal values could be stored in the
directory, ad objects of a dedicated class;
How can it be done? slapo-refint is not about denying changes,
slapo-constraint can only enforce regex matching.. Is there anything
else I missed?
I have a problem using back-sql and entries with multiple object classes:
If I add the entry:
I get in the logs of slapd complains that attr uidNumber in objectClass person
is undefined. That's right, but the object has the additional class
posixAccount, which has the attribute.
When I look in the logs, I see that the table ldap_entry_objectclasses gets
inserted the auxiliary class posixAccount AFTER it tries to set the attribute
uidNumber. So ist clear that it doen't find the attribute.
The tables in the database are constructed similar to the objectclasses.