openldap-software June 2007

openldap-software@openldap.org

86 participants
106 discussions

Openldap out of memory problem
by jsianes＠andaluciajunta.es 28 Jun '07

28 Jun '07

Hello, I have a problem in a production environment using Openldap 2.2.13. The problem is, even establishing a reduced cachesize for Berkeley backend, my openldap server starts to consume more and more memory until all RAM is exhausted, causing server stop running (and sometimes backend corruption). I have followed indications included in faq-o-matic to calculate an accurate cache size for BDB backend (8MB), but the problem doesn't solves. At beginning, openlaps starts with few memory (as configuration indicates) but later more and more memory is consumed by the process. Here is the information about my ldap server and service in order you can give a solution. I want that mi slapd process doesn't cosume all fisical memory, basically. Server: - RAM: 1GB - Swap: 1GB Openldap: - version: 2.2.13 - sizelimit: 5000 Backend: - Type: bdb - checkpoint: 512 30 - cachesize: 5000 DB_CONFIG: - Cache (8MB): set_cachesize 0 8388608 1 - Other options: set_lg_regionmax 262144 set_lg_bsize 2097152 set_lg_dir /var/lib/ldap/logs set_lg_max 52428800 set_flags DB_LOG_AUTOREMOVE - dn2id.bdb size: 177MB - id2entry.bdb size: 555MB Top information: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP COMMAND 12547 ldap 19 0 509m 139m 13m S 1.3 13.9 9:30.32 369m slapd If I execute a pmap over slapd PID, there is a lot of RAM used by 'anon' piece of memory. Any commentary will be very appreciated. Thanks.

4 4

Help needed for problems in building OpenLDAP 2.3.33 in Suse linux - reg.
by Aviator LDap 28 Jun '07

28 Jun '07

Dear Friends, fetch.c: In function â€˜ldif_open_urlâ€™: fetch.c:52: warning: assignment discards qualifiers from pointer target type ar: creating liblutil.a ucdata.c: In function â€˜_uccase_lookupâ€™: ucdata.c:411: warning: assignment discards qualifiers from pointer target type ar: creating liblunicode.a */usr/lib64/gcc/x86_64-suse-linux/4.1.0/../../../../x86_64-suse-linux/bin/ld: /usr/local/ssl/lib/libssl.a(s3_pkt.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC /usr/local/ssl/lib/libssl.a: could not read symbols: Bad value *collect2: ld returned 1 exit status make[2]: *** [libldap.la] Error 1 make[1]: *** [all-common] Error 1 make: *** [all-common] Error 1 I am running out with this problem while trying to build OpenLDAP2.3.33 on Suse linux. Could anybody help me? regards, dinesh V

2 1

using both syncrepl and slurp
by Nicolas Boullis 28 Jun '07

28 Jun '07

Hi, I'm currently using an old LDAP infrastructure, mostly using openldap 2.2.3 from Debian Sarge, with slurp-based replication. I'm willing to switch to something newer, using openldap 2.3.30 from Debian Etch, with syncrepl-based replication. Since I won't be able to update all the replicas in one shot, I will have to keep some slurp replicas around. So I thought I would use a master server with openldap 2.3.30 which serves as a syncrepl provider, a few (new) syncrepl replicas, a "relay" that acts both as a syncrepl replica and as a slurpd master, and my old slurp replicas. The "relay" is configured like this: (...) replogfile /var/lib/ldap/slapd.replog (...) backend bdb (...) database bdb suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" (...) replica host=slurp-replica.example.com:389 tls=yes suffix="dc=example,dc=com" binddn="cn=replica,dc=example,dc=com" credentials=XXXXXXXX bindmethod=simple (...) syncrepl rid=124 provider=ldap://master.example.com type=refreshAndPersist interval=00:01:00:00 searchbase="dc=example,dc=com" sizelimit=unlimited bindmethod=simple binddn="cn=syncrepl,dc=example,dc=com" credentials=XXXXXXXX starttls=critical Changes to the master server are correctly replicated to the relay, but no /var/lib/ldap/slapd.replog is generated, so slurpd does nothing. If I remove the syncrepl section and add a rootpw, then changes done locally lead to a /var/lib/ldap/slapd.replog file, as expected. Is it possible for a LDAP server to serve both as a syncrepl replica and a slurpd server? Cheers, Nicolas Boullis

1 1

how to use slapo-refint (or why it doesn't work?)
by Zhang Weiwu 27 Jun '07

27 Jun '07

I wish to use slapo-refint on attribute contactPerson attributetype ( 1.3.6.1.4.1.2787.100.1.1.1 NAME 'contactPerson' DESC 'DN of the company representative' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) The man page for slapo-refint is pretty simple, only suggesting adding refint_attributes in slapd.conf so I did (I added it just below "index" directive). It doesn't work for two of my openldap 2.3.30-r2 installations, one using bdb, one using hdb. It's my first time using slapo-refint so I am not sure what correct behavior it should be. I've listed my operation for experimenting the new feature as follows (please criticize). Thanks a lot in advance! zhangweiwu@joe:~> ldapsearch -H ldap://emerson/ -x -D uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W -b uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de objectClass=* contactPerson Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de> with scope subtree # filter: objectClass=* # requesting: contactPerson # # Drr, contacts, china, ahk.de dn: uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de contactPerson: cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de # Reiner Schmid, Drr, contacts, china, ahk.de dn: cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de # search result search: 2 result: 0 Success zhangweiwu@joe:~> ldapmodrdn -H ldap://emerson/ -x -D uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W 'cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de' 'cn=Reiner Schtid' Enter LDAP Password: zhangweiwu@joe:~> ldapsearch -H ldap://emerson/ -x -D uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W -b uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de objectClass=* contactPerson Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de> with scope subtree # filter: objectClass=* # requesting: contactPerson # # Drr, contacts, china, ahk.de dn: uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de contactPerson: cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de # Reiner Schtid, Drr, contacts, china, ahk.de dn: cn=Reiner Schtid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 -- Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112

2 1

[Push based Syncrepl on 2.3.36] Mapping contextCSN/entryCSN
by Gavin Henry 27 Jun '07

27 Jun '07

Dear all, I'm trying to do an example for replacing slurpd on 2.3.36 for back-porting to the 2.3 Admin Guide (will do 2.4 later, as that will be easy), i.e. Push based Syncrepl. I have a consumer hooked up to a provider with refreshAndPersist, configured inside a back-ldap to push out to another slapd instance. How do I map the contextCSN/entryCSN to a suitable remote attribute, or store contextCSN/entryCSN locally? slapo-rwm? I'm obviously hitting "contextCSN: no user modification allowed" and "entryCSN: no user modification allowed" starting up. Thanks, Gavin. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

1 0

Setting up user accounts with ppolicy attributes
by Jack Emmerichs 27 Jun '07

27 Jun '07

I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I think I have the policies set up correctly in the DLAP database using the following ppolicy.ldif file: dn: ou=policies, dc=my-domain,dc=com ou: policies objectClass: top objectClass: organizationalUnit dn: cn=default,ou=policies,dc=my-domain,dc=com objectClass: top objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: userPassword # 30 day password limit (2592000 seconds) with an even longer expire warning for testing. pwdExpireWarning: 2592001 pwdMaxAge: 2592000 pwdInHistory: 3 pwdCheckQuality: 1 pwdMinLength: 6 pwdAllowUserChange: TRUE # Items not currently used. pwdMinAge: 0 pwdGraceAuthnLimit: 0 pwdLockout: FALSE pwdLockoutDuration: 0 pwdMaxFailure: 0 pwdFailureCountInterval: 0 pwdMustChange: FALSE pwdSafeModify: FALSE and the following entries in the slapd.conf file: # password policy overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com" However, I'm having trouble creating user accounts. Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like: pwdChangedTime;pwd-userPassword: 20000103121520Z for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sound like I need to get these attributes into the account struture. Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format. Does anyone have an example LDIF file that shows how to set up a user account to track ppolicy processing? I have the feeling I'm missing something really obvious here, but I absolutely don't see it yet. Thanks for any help that anyone can provide. JFE. _________________________________________________________________ Hotmail to go? Get your Hotmail, news, sports and much more! http://mobile.msn.com

3 4

Unable to locat TLS libs - help needed
by Aviator LDap 27 Jun '07

27 Jun '07

Hi Friends, I am struggling with a very basic error. While running the configure script of OpenLDAP 2.3.33, I am getting the following Warning message *configure: WARNING: Could not locate TLS/SSL package configure: WARNING: TLS data protection not supported!* ** Can anybody help me to locat what could be going wrong. I am executing the script in Suse Linux. I am totally struck with this. Any kind of help is hugely appreciated. regards, dinesh V

4 3

Dynamic Indexing through cn=config
by Arunachalam Parthasarathy 26 Jun '07

26 Jun '07

Hello, I used bdb as a backend Started slapd with , ./slapd -h "ldap://<ip>:<port>" -F /etc/openldap/slapd.d/ -f /etc/openldap/slapd.conf" Step 1: I added indexing on a attribute (sn), in the cn=config sub-tree, Step 2: If I search through the tree (cn=config), the added entry is not reflected To Check, I added entries, it was not indexed on the added attribute (sn.bdb is not getting generated in bdb directory) Step 3: When I try to add one more time , the same entry as Step 1, it says , entry already exists Step 4: Now when I search cn=config tree, I am able to see the sn index entry in olCDbIndex Now I added entries, it was getting indexed on the added attribute (sn.bdb is generated in bdb directory) Please say why is this happening Thanks a lot in advance, Arunachalam. **************************************************************************** **************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

2 2

could not parse entry
by Daniel Guerrero 26 Jun '07

26 Jun '07

Dear list participants, I'm using OpenLDAP Software version 2.2.26. When I attempt to load an entry, slapadd errors with the message "slapadd: could not parse entry (line=11)". The input file is only 10 lines long. What does this message indicate? How do I obtain more detailed error information from slapadd(8)? Kindly Regards, Daniel.

3 2

Problem with ldapmodify: Internal (implementation specific) error (80)
by openldap.lists＠frei-family.ch 26 Jun '07

26 Jun '07

haven't found a solution in Mailing list archive and fix-lists of 2.3.35/2.3.36 Environment =========== - OpenLDAP 2.3.34 on Solaris 8 with BDB 4.5.20.NC-p2 - current status (retrieved using ldapsearch -x -D "cn=manager,cn=config" -w password -H "ldap://hostname:port" -b "cn=config"): # {2}hdb, config dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcSuffix: ou=log olcAccess: {0}to * by dn.base="cn=manager,cn=config" write by * read olcRootDN: cn=manager,ou=log olcDbDirectory: /var/malbec/mdch/mdch-accesslog-data olcDbConfig: {0}set_cachesize 0 1280000 0 olcDbConfig: {1}set_flags DB_LOG_AUTOREMOVE olcDbConfig: {2}set_lg_dir /var/malbec/mdch/mdch-accesslog-logs olcDbIndex: objectClass eq olcDbIndex: reqStart eq olcDbIndex: reqAuthzID eq What I'm trying to do ===================== I'm trying to apply an ldif file having the following content (only four lines): dn: olcDatabase={2}hdb,cn=config changetype: modify add: olcDbCheckpoint olcDbCheckpoint: 100000 30 with the following command: ldapmodify -x -D "cn=manager,cn=config" -w password -H ldap://hostname:port -f configure_db_checkpointing.ldif Problem, Symptoms ================= - Desired entry is not being added - In the console I get the following error message: modifying entry "olcDatabase={2}hdb,cn=config" ldap_modify: Internal (implementation specific) error (80) - In the ldap.log I get the following related entries: Jun 25 16:43:39 c004503 slapd[3058]: [ID 848112 local4.debug] conn=5515 fd=19 ACCEPT from IP=xyz:xyz (IP=0.0.0.0:port) Jun 25 16:43:39 c004503 slapd[3058]: [ID 215403 local4.debug] conn=5515 op=0 BIND dn="cn=manager,cn=config" method=128 Jun 25 16:43:39 c004503 slapd[3058]: [ID 600343 local4.debug] conn=5515 op=0 BIND dn="cn=manager,cn=config" mech=SIMPLE ssf=0 Jun 25 16:43:39 c004503 slapd[3058]: [ID 588225 local4.debug] conn=5515 op=0 RESULT tag=97 err=0 text= Jun 25 16:43:39 c004503 slapd[3058]: [ID 249368 local4.debug] conn=5515 op=1 MOD dn="olcDatabase={2}hdb,cn=config" Jun 25 16:43:39 c004503 slapd[3058]: [ID 396994 local4.debug] conn=5515 op=1 MOD attr=olcDbCheckpoint Jun 25 16:43:39 c004503 slapd[3058]: [ID 699942 local4.debug] No structuralObjectClass for entry (olcDatabase={2}hdb,cn=config) Jun 25 16:43:39 c004503 slapd[3058]: [ID 588225 local4.debug] conn=5515 op=1 RESULT tag=103 err=80 text= Jun 25 16:43:39 c004503 slapd[3058]: [ID 218904 local4.debug] conn=5515 op=2 UNBIND Jun 25 16:43:39 c004503 slapd[3058]: [ID 952275 local4.debug] conn=5515 fd=19 closed Questions ========= - Has anyone come across this behaviour ? - Any hints / suggestions / tips ? Thanks Christoph

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2007