Openldap out of memory problem
by jsianes@andaluciajunta.es
Hello, I have a problem in a production environment using OpenLDAP 2.2.13. The
problem is that, even after setting a reduced cachesize for the Berkeley backend, my
OpenLDAP server starts to consume more and more memory until all RAM is
exhausted, causing the server to stop running (and sometimes backend corruption). I
have followed the indications included in the faq-o-matic to calculate an accurate
cache size for the BDB backend (8MB), but the problem is not solved. At the
beginning, OpenLDAP starts with little memory (as the configuration indicates), but
later more and more memory is consumed by the process. Here is the information
about my LDAP server and service so that you can give a solution. Basically, I want
my slapd process not to consume all physical memory.
Server:
- RAM: 1GB
- Swap: 1GB
Openldap:
- version: 2.2.13
- sizelimit: 5000
Backend:
- Type: bdb
- checkpoint: 512 30
- cachesize: 5000
DB_CONFIG:
- Cache (8MB): set_cachesize 0 8388608 1
- Other options:
set_lg_regionmax 262144
set_lg_bsize 2097152
set_lg_dir /var/lib/ldap/logs
set_lg_max 52428800
set_flags DB_LOG_AUTOREMOVE
- dn2id.bdb size: 177MB
- id2entry.bdb size: 555MB
Top information:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP COMMAND
12547 ldap 19 0 509m 139m 13m S 1.3 13.9 9:30.32 369m slapd
If I execute pmap on the slapd PID, a lot of RAM is used by 'anon' pieces
of memory. Any comments will be much appreciated. Thanks.
16 years, 3 months
Help needed for problems in building OpenLDAP 2.3.33 in Suse linux - reg.
by Aviator LDap
Dear Friends,
fetch.c: In function ‘ldif_open_url’:
fetch.c:52: warning: assignment discards qualifiers from pointer target type
ar: creating liblutil.a
ucdata.c: In function ‘_uccase_lookup’:
ucdata.c:411: warning: assignment discards qualifiers from pointer target type
ar: creating liblunicode.a
/usr/lib64/gcc/x86_64-suse-linux/4.1.0/../../../../x86_64-suse-linux/bin/ld: /usr/local/ssl/lib/libssl.a(s3_pkt.o): relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
/usr/local/ssl/lib/libssl.a: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[2]: *** [libldap.la] Error 1
make[1]: *** [all-common] Error 1
make: *** [all-common] Error 1
I am running into this problem while trying to build OpenLDAP 2.3.33 on
SUSE Linux.
Could anybody help me?
regards,
dinesh V
16 years, 3 months
using both syncrepl and slurp
by Nicolas Boullis
Hi,
I'm currently using an old LDAP infrastructure, mostly using openldap
2.2.3 from Debian Sarge, with slurp-based replication.
I'm willing to switch to something newer, using openldap 2.3.30 from
Debian Etch, with syncrepl-based replication.
Since I won't be able to update all the replicas in one shot, I will
have to keep some slurp replicas around.
So I thought I would use a master server with openldap 2.3.30 which
serves as a syncrepl provider, a few (new) syncrepl replicas, a "relay"
that acts both as a syncrepl replica and as a slurpd master, and my old
slurp replicas.
The "relay" is configured like this:
(...)
replogfile /var/lib/ldap/slapd.replog
(...)
backend bdb
(...)
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
(...)
replica host=slurp-replica.example.com:389
        tls=yes
        suffix="dc=example,dc=com"
        binddn="cn=replica,dc=example,dc=com"
        credentials=XXXXXXXX
        bindmethod=simple
(...)
syncrepl rid=124
        provider=ldap://master.example.com
        type=refreshAndPersist
        interval=00:01:00:00
        searchbase="dc=example,dc=com"
        sizelimit=unlimited
        bindmethod=simple
        binddn="cn=syncrepl,dc=example,dc=com"
        credentials=XXXXXXXX
        starttls=critical
Changes to the master server are correctly replicated to the relay, but
no /var/lib/ldap/slapd.replog is generated, so slurpd does nothing. If I
remove the syncrepl section and add a rootpw, then changes done locally
lead to a /var/lib/ldap/slapd.replog file, as expected.
Is it possible for a LDAP server to serve both as a syncrepl replica and
a slurpd server?
Cheers,
Nicolas Boullis
16 years, 3 months
how to use slapo-refint (or why it doesn't work?)
by Zhang Weiwu
I wish to use slapo-refint on attribute contactPerson
attributetype ( 1.3.6.1.4.1.2787.100.1.1.1 NAME 'contactPerson'
        DESC 'DN of the company representative'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
The man page for slapo-refint is pretty simple, only suggesting adding
refint_attributes in slapd.conf so I did (I added it just below "index"
directive).
It doesn't work for two of my openldap 2.3.30-r2 installations, one
using bdb, one using hdb.
It's my first time using slapo-refint so I am not sure what correct
behavior it should be. I've listed my operation for experimenting the
new feature as follows (please criticize). Thanks a lot in advance!
zhangweiwu@joe:~> ldapsearch -H ldap://emerson/ -x -D uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W -b uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de objectClass=* contactPerson
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de> with scope subtree
# filter: objectClass=*
# requesting: contactPerson
#
# Drr, contacts, china, ahk.de
dn: uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de
contactPerson: cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de
# Reiner Schmid, Drr, contacts, china, ahk.de
dn: cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de
# search result
search: 2
result: 0 Success
zhangweiwu@joe:~> ldapmodrdn -H ldap://emerson/ -x -D uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W 'cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de' 'cn=Reiner Schtid'
Enter LDAP Password:
zhangweiwu@joe:~> ldapsearch -H ldap://emerson/ -x -D uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W -b uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de objectClass=* contactPerson
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de> with scope subtree
# filter: objectClass=*
# requesting: contactPerson
#
# Drr, contacts, china, ahk.de
dn: uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de
contactPerson: cn=Reiner Schmid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de
# Reiner Schtid, Drr, contacts, china, ahk.de
dn: cn=Reiner Schtid,uid=Drr,ou=contacts,ou=china,dc=ahk,dc=de
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
--
Zhang Weiwu
Real Softservice
http://www.realss.com
+86 592 2091112
16 years, 3 months
[Push based Syncrepl on 2.3.36] Mapping contextCSN/entryCSN
by Gavin Henry
Dear all,
I'm trying to do an example for replacing slurpd on 2.3.36 for
back-porting to the 2.3 Admin Guide (will do 2.4 later, as that will be
easy), i.e. Push based Syncrepl.
I have a consumer hooked up to a provider with refreshAndPersist,
configured inside a back-ldap to push out to another slapd instance.
How do I map the contextCSN/entryCSN to a suitable remote attribute, or
store contextCSN/entryCSN locally?
slapo-rwm?
I'm obviously hitting "contextCSN: no user modification allowed" and
"entryCSN: no user modification allowed" starting up.
Thanks,
Gavin.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
16 years, 3 months
Setting up user accounts with ppolicy attributes
by Jack Emmerichs
I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I
think I have the policies set up correctly in the LDAP database using the
following ppolicy.ldif file:
dn: ou=policies, dc=my-domain,dc=com
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=my-domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 30 day password limit (2592000 seconds) with an even longer expire warning for testing.
pwdExpireWarning: 2592001
pwdMaxAge: 2592000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 6
pwdAllowUserChange: TRUE
# Items not currently used.
pwdMinAge: 0
pwdGraceAuthnLimit: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
and the following entries in the slapd.conf file:
# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com"
However, I'm having trouble creating user accounts.
Looking at the OpenLDAP documentation and the ppolicy.schema file, it
appears that I need to include objectClass: pwdPolicy as an auxiliary class
(along with posixAccount, which is the basic user account class), and then
include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory,
etc. The ppolicy.schema file indicates that the format in the ldif file
should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex, and
the doc indicates that if this attribute is missing, OpenLDAP will not
support password history processing, so it sounds like I need to get these
attributes into the account structure.
Trouble is, if I try to include such values I either get an import failure
without error messages, an error that says "no user modification allowed"
(even when I'm adding an account), or an indication that I'm using an
invalid format.
Does anyone have an example LDIF file that shows how to set up a user
account to track ppolicy processing? I have the feeling I'm missing
something really obvious here, but I absolutely don't see it yet.
Thanks for any help that anyone can provide.
JFE.
16 years, 3 months
Unable to locate TLS libs - help needed
by Aviator LDap
Hi Friends,
I am struggling with a very basic error. While running the configure script
of OpenLDAP 2.3.33, I am getting the following Warning message
configure: WARNING: Could not locate TLS/SSL package
configure: WARNING: TLS data protection not supported!
Can anybody help me to locate what could be going wrong? I am executing the
script in SUSE Linux.
I am totally stuck with this.
Any kind of help is hugely appreciated.
regards,
dinesh V
16 years, 3 months
Dynamic Indexing through cn=config
by Arunachalam Parthasarathy
Hello,
I used bdb as a backend.
Started slapd with: ./slapd -h "ldap://<ip>:<port>" -F /etc/openldap/slapd.d/ -f /etc/openldap/slapd.conf
Step 1: I added indexing on an attribute (sn) in the cn=config sub-tree.
Step 2: If I search through the tree (cn=config), the added entry is not
reflected.
To check, I added entries; they were not indexed on the added attribute (sn.bdb
is not getting generated in the bdb directory).
Step 3: When I try to add the same entry as in Step 1 one more time, it says
the entry already exists.
Step 4: Now when I search the cn=config tree, I am able to see the sn index
entry in olcDbIndex.
Now I added entries, and they were getting indexed on the added attribute (sn.bdb
is generated in the bdb directory).
Please tell me why this is happening.
Thanks a lot in advance,
Arunachalam.
16 years, 3 months
could not parse entry
by Daniel Guerrero
Dear list participants,
I'm using OpenLDAP Software version 2.2.26. When I attempt to load an
entry, slapadd errors with the message "slapadd: could not parse entry
(line=11)". The input file is only 10 lines long. What does this message
indicate? How do I obtain more detailed error information from slapadd(8)?
Kindly Regards,
Daniel.
16 years, 3 months
Problem with ldapmodify: Internal (implementation specific) error (80)
by openldap.lists@frei-family.ch
haven't found a solution in Mailing list archive and fix-lists of
2.3.35/2.3.36
Environment
===========
- OpenLDAP 2.3.34 on Solaris 8 with BDB 4.5.20.NC-p2
- current status (retrieved using ldapsearch -x -D
"cn=manager,cn=config" -w password -H "ldap://hostname:port" -b
"cn=config"):
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: ou=log
olcAccess: {0}to * by dn.base="cn=manager,cn=config" write by * read
olcRootDN: cn=manager,ou=log
olcDbDirectory: /var/malbec/mdch/mdch-accesslog-data
olcDbConfig: {0}set_cachesize 0 1280000 0
olcDbConfig: {1}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {2}set_lg_dir /var/malbec/mdch/mdch-accesslog-logs
olcDbIndex: objectClass eq
olcDbIndex: reqStart eq
olcDbIndex: reqAuthzID eq
What I'm trying to do
=====================
I'm trying to apply an ldif file having the following content (only
four lines):
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcDbCheckpoint
olcDbCheckpoint: 100000 30
with the following command:
ldapmodify -x -D "cn=manager,cn=config" -w password -H ldap://hostname:port -f configure_db_checkpointing.ldif
Problem, Symptoms
=================
- Desired entry is not being added
- In the console I get the following error message:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Internal (implementation specific) error (80)
- In the ldap.log I get the following related entries:
Jun 25 16:43:39 c004503 slapd[3058]: [ID 848112 local4.debug] conn=5515 fd=19 ACCEPT from IP=xyz:xyz (IP=0.0.0.0:port)
Jun 25 16:43:39 c004503 slapd[3058]: [ID 215403 local4.debug] conn=5515 op=0 BIND dn="cn=manager,cn=config" method=128
Jun 25 16:43:39 c004503 slapd[3058]: [ID 600343 local4.debug] conn=5515 op=0 BIND dn="cn=manager,cn=config" mech=SIMPLE ssf=0
Jun 25 16:43:39 c004503 slapd[3058]: [ID 588225 local4.debug] conn=5515 op=0 RESULT tag=97 err=0 text=
Jun 25 16:43:39 c004503 slapd[3058]: [ID 249368 local4.debug] conn=5515 op=1 MOD dn="olcDatabase={2}hdb,cn=config"
Jun 25 16:43:39 c004503 slapd[3058]: [ID 396994 local4.debug] conn=5515 op=1 MOD attr=olcDbCheckpoint
Jun 25 16:43:39 c004503 slapd[3058]: [ID 699942 local4.debug] No structuralObjectClass for entry (olcDatabase={2}hdb,cn=config)
Jun 25 16:43:39 c004503 slapd[3058]: [ID 588225 local4.debug] conn=5515 op=1 RESULT tag=103 err=80 text=
Jun 25 16:43:39 c004503 slapd[3058]: [ID 218904 local4.debug] conn=5515 op=2 UNBIND
Jun 25 16:43:39 c004503 slapd[3058]: [ID 952275 local4.debug] conn=5515 fd=19 closed
Questions
=========
- Has anyone come across this behaviour ?
- Any hints / suggestions / tips ?
Thanks
Christoph
16 years, 3 months
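A slapd log excerpt like the one in the post above can be read mechanically. The following Python code is an added example, not part of the original post: it groups slapd log lines by conn/op, reports operations whose RESULT has a non-zero err, and flags simple binds logged with ssf=0. The sample log is constructed from the excerpt with a placeholder host name and client address, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the excerpt in the post; the host name and
# client address are placeholders.
SAMPLE_LOG = """\
Jun 25 16:43:39 host1 slapd[3058]: [ID 848112 local4.debug] conn=5515 fd=19 ACCEPT from IP=192.0.2.7:51000 (IP=0.0.0.0:389)
Jun 25 16:43:39 host1 slapd[3058]: [ID 215403 local4.debug] conn=5515 op=0 BIND dn="cn=manager,cn=config" method=128
Jun 25 16:43:39 host1 slapd[3058]: [ID 600343 local4.debug] conn=5515 op=0 BIND dn="cn=manager,cn=config" mech=SIMPLE ssf=0
Jun 25 16:43:39 host1 slapd[3058]: [ID 588225 local4.debug] conn=5515 op=0 RESULT tag=97 err=0 text=
Jun 25 16:43:39 host1 slapd[3058]: [ID 249368 local4.debug] conn=5515 op=1 MOD dn="olcDatabase={2}hdb,cn=config"
Jun 25 16:43:39 host1 slapd[3058]: [ID 396994 local4.debug] conn=5515 op=1 MOD attr=olcDbCheckpoint
Jun 25 16:43:39 host1 slapd[3058]: [ID 699942 local4.debug] No structuralObjectClass for entry (olcDatabase={2}hdb,cn=config)
Jun 25 16:43:39 host1 slapd[3058]: [ID 588225 local4.debug] conn=5515 op=1 RESULT tag=103 err=80 text=
"""

LINE = re.compile(r"slapd\[\d+\]: (?:\[ID \d+ \S+\] )?(.*)$")
OP = re.compile(r"conn=(\d+) op=(\d+) (\w+)\s*(.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse(log):
    """Group slapd log lines into one record per (conn, op)."""
    ops, last = {}, None
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        body = m.group(1)
        o = OP.match(body)
        if not o:
            # Diagnostic without conn=/op=: attach it to the latest operation
            # seen (a heuristic; on a busy server other threads interleave).
            if last and not body.startswith("conn="):
                ops[last]["notes"].append(body)
            continue
        key = (int(o.group(1)), int(o.group(2)))
        rec = ops.setdefault(key, {"type": None, "notes": []})
        if o.group(3) != "RESULT":
            rec["type"] = o.group(3)
        for k, v in KV.findall(o.group(4)):
            rec[k] = v.strip('"')
        last = key
    return ops

def failed_ops(ops):
    return {k: r for k, r in ops.items() if r.get("err", "0") != "0"}

def cleartext_simple_binds(ops):
    # ssf=0 means no TLS or SASL security layer protected the bind.
    return [k for k, r in ops.items()
            if r["type"] == "BIND" and r.get("mech") == "SIMPLE" and r.get("ssf") == "0"]
```

On the sample, the failed operation is the MOD on `olcDatabase={2}hdb,cn=config` with err=80 and the attached "No structuralObjectClass" diagnostic, and the bind as `cn=manager,cn=config` is reported as a simple bind with ssf=0.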