openldap-software July 2007

openldap-software@openldap.org

108 participants
124 discussions

performance tuning
by Jason Peters 05 Jul '07

05 Jul '07

I am testing an OpenLDAP server with 3000 fake 'people' entries, but it does not perform as well as I would expect. I have added some tweaks based on my research of the documentation. Is there anything I am missing here? Is there any way to further tune this setup? I have written a script to test the directory. It is written in PHP using the standard LDAP libraries. Both the script, and the LDAP server are running on the same box. The script is calling the server via the public interface (not the loopback) using standard port 80. It basically does a search on a matching query. The search query was "sn=BE*". Below is the info for my setup: Linux Debian etch system OpenLDAP version: # /usr/sbin/slapd -V @(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 05:43:02) $ Here are my additions to the slapd.conf file (other than these, the file is essentially like the default): . . . . TLSCipherSuite HIGH TLSCACertificateFile /etc/ldap/demoCA/cacert.pem TLSCertificateFile /etc/ldap/newcert.pem TLSCertificateKeyFile /etc/ldap/newreq.pem TLS_REQCERT never ############################################### # Performance tweaks added by me -JLP index sn subinitial cachesize 100000 dbcachesize 1000000 # Tells openldap how many threads to use # more does not necessarily mean better performance unless you have multiple cpus threads 8 # Tells slapd to close connections that have been idle for 30 seconds or more. idletimeout 30 # Tells slapd to store the 20,000 most used IDL's frequented when accessing entries in memory. idlcachesize 20000 EOF tia, Jason

4 5

Windows OpenLDAP (slapd) startup error
by S James S Stapleton 05 Jul '07

05 Jul '07

I'm trying to look up this error, but cant find what it means. I'm using windows, and this is the error I find in the windows logs: The description for Event ID ( 1281 ) in Source ( openldap-slapd ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: The event log file is corrupt.. When I try to start the service, I specifically get: Windows could not start the OpenLDAP Directory Service on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 19. I am using the default slapd.conf and ldap.conf files. I received the LDAP schema from the original server that this is to be a pass-through for. The schema is in a set (read: horde) of plain text ldiff files from a Sun Directory Service server, and I suspect given what I have seen in google, there is an incompatibility in these files. I was wondering if anyone had any ideas for me on how to narrow down the location of the error in the horde of files? Any suggestions? Thank you, -Jim Stapleton

2 1

Lock is no longer valid / deferring operation
by Toby Blake 05 Jul '07

05 Jul '07

Hi all, For largely historical reasons we run slapd servers on most clients (this will probably change in the future - I'm just giving this information as background). We're seeing problems when some of these machines are busy, particularly, it seems, with memory intensive activity, although it's hard to substantiate as I generally only see the machines after they've broken. It's annoying as I can't reproduce these problems. We see quite a few problems with slapd getting into a state where it's deferring operations, for whatever reason - I think I understand these - these are when slapd basically says sorry, I'm too busy doing X, so I'll defer Y until I have time. Is this accurate? The second case I'm also seeing is bdb complaining about locks being no longer valid, e.g. slapd[3780]: bdb(dc=inf,dc=ed,dc=ac,dc=uk): DB_LOCK->lock_put: Lock is no longer valid slapd seems to keep going for the time being until getting into a state where it defers all binding operations and goes into some kind of spin where it sits at 99% cpu and has to be killed with a -9. I suppose I have a couple of questions about the "Lock is no longer valid" error.... - What causes it? - Is it something I can prevent by configuration changes (for instance, would increasing the numbers of locks, lockers and objects help?) We're running openldap 2.3.35 with ITS#4924 and ITS#4925 patches with a bdb backend running 4.2.52 with all 6 recommended patches. The only DBCONFIG settings we currently have are: dbconfig set_cachesize 0 67108864 1 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 2097152 Thanks in advance Toby Blake School of Informatics University of Edinburgh

4 11

Challenge With Access Control
by Brian Gaber 05 Jul '07

05 Jul '07

Hope someone can explain this to me. I am sure it is very trivial. I have a primary LDAP server (10.16.13.84), a replica LDAP server (10.16.13.85) and a few clients all with a 10.16.13.x address. Here is the access control I thought would work: access to * by self write by peername=10.16.13.84 write by peername=10.16.13.81 read by peername=10.16.13.82 read by peername=10.16.13.83 read by peername=10.16.13.85 read by peername=10.16.13.86 read Here is what does work: access to * by self write by peername.ip=10.16.13.84 write by * read By work I mean that when I am on the replica (10.16.13.85) and issue an ldapsearch to itself I get a 32 no such object with the top access, but I get the expected result with the bottom access. Brian Gaber

5 10

Sync Cached BDB data
by Arunachalam Parthasarathy 05 Jul '07

05 Jul '07

Hello, Is it possible to sync the cached bdb data to disk at regular interval ? Does openldap uses Db::Sync Api for this ? Please answer me in this regard Thanks in advance, Arunachalam. **************************************************************************** **************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

3 2

Problem with mysql backend
by Manuel Rodríguez Salgado 05 Jul '07

05 Jul '07

Hi, i have installed openldap with mysql backend. It work ok when my database use numeric keys in the table , but it not work when i use string keys. I can solve it ??? thanks

2 1

Re: Lock is no longer valid / deferring operation
by Gabriel Stein 04 Jul '07

04 Jul '07

And about your DBCONFIG? Is everything ok? Cheers. On 7/4/07, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > > --On Wednesday, July 04, 2007 8:40 PM +0100 Gavin Henry > <ghenry(a)suretecsystems.com> wrote: > > >> We're running openldap 2.3.35 with ITS#4924 and ITS#4925 patches with > >> a bdb backend running 4.2.52 with all 6 recommended patches. > > > > I hope you mean 5, as there are only 5 listed on the Oracle site. > > There are 6 recommended patches to BDB 4.2.52, 5 of which come from the > Oracle site. > > --Quanah > > > -- > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- /\ Gabriel Stein gabrielstein(a)gmail.com MSN: gabrielstein(a)hotmail.com Administrador de Redes - Network Administrador Linux User #223750 51-92796310 Porto Alegre - RS - Brasil

1 0

cmusaslsecretPLAIN attribute
by John Burian 04 Jul '07

04 Jul '07

I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and OpenSSL: OpenLDAP 2.3.27 Cyrus-SASL 2.1.22 OpenSSL 0.9.8b I've created a CA on the server, used that to sign a cert, and put the appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to trust the CA). If I run 'ldapwhoami: $ ldapwhoami SASL/PLAIN authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: Password verification failed and in the logs (appended below) I see text about an undefined attribute type 'cmusaslsecretPLAIN'. I've looked around for that string, and all the fixes I've seen seem to want to patch Cyrus-SASL. I'd like to stick with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I need to include, that defines that attribute? I'd also like to keep my auth information in LDAP, rather than have a separate SASL password database. My understanding is that the PLAIN authentication will be secured by the underlying SASL/TLS transport, is that correct? Thanks, John Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0) Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: * Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd) (stop) Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd) Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd) Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3 Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched="" text="" Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed

6 12

No such object error after converting from 2.0.27 to 2.3.32
by Brian Gaber 04 Jul '07

04 Jul '07

Took the slapcat output from version 2.0.27 (ldbm) to version 2.3.32 (bdm). Used /usr/local/bin/slapadd on 2.3.32 and am using Berkeley 4.5.20. The slapadd works fine. Then I issued chown ldap:ldap on the /var/lib/ldap-2.3.32 directory and files. Any type of ldapsearch results in a 32 no such object. The identical ldapsearch on the old ldap works fine. Search: /usr/local/bin/ldapsearch -h 10.16.13.85 -x -b o=pwgsc -s sub uid=gaberb Slapd.conf: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/fw1ng.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args allow bind_v2 #loglevel 296 sizelimit 500000 access to * by self write by peername=10.16.13.84 write by peername=10.16.13.81 read by peername=10.16.13.82 read by peername=10.16.13.83 read by peername=10.16.13.85 read by peername=10.16.13.86 read database bdb suffix "o=pwgsc" rootdn "cn=admin,o=pwgsc" rootpw {CRYPT}iWkhys7q1iVpM directory /var/lib/ldap-2.3.32 # Indices to maintain index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial # Master from which we should accept changes updatedn "cn=admin,o=pwgsc" updateref ldap://10.16.13.84 Log: do_bind: v3 anonymous bind daemon: activity on 1 descriptor daemon: activity on: 10r daemon: read activity on 10 connection_get(10) connection_get(10): got connid=0 connection_read(10): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 2d 02 01 02 63 28 04 0-...c(. ldap_read: want=39, got=39 0000: 07 6f 3d 70 77 67 73 63 0a 01 02 0a 01 00 02 01 .o=pwgsc........ 0010: 00 02 01 00 01 01 00 a3 0c 04 03 75 69 64 04 05 ...........uid.. 0020: 66 61 74 61 6d 30 00 fatam0. ber_get_next: tag 0x30 len 45 contents: ber_dump: buf=0x081ff3d8 ptr=0x081ff3d8 end=0x081ff405 len=45 0000: 02 01 02 63 28 04 07 6f 3d 70 77 67 73 63 0a 01 ...c(..o=pwgsc.. 0010: 02 0a 01 00 02 01 00 02 01 00 01 01 00 a3 0c 04 ................ 0020: 03 75 69 64 04 05 66 61 74 61 6d 30 00 .uid..fatam0. ber_get_next do_search ber_scanf fmt ({miiiib) ber: ldap_read: want=8 error=Resource temporarily unavailable ber_dump: buf=0x081ff3d8 ptr=0x081ff3db end=0x081ff405 len=42 0000: 63 28 04 07 6f 3d 70 77 67 73 63 0a 01 02 0a 01 c(..o=pwgsc..... 0010: 00 02 01 00 02 01 00 01 01 00 a3 0c 04 03 75 69 ..............ui 0020: 64 04 05 66 61 74 61 6d 30 00 d..fatam0. daemon: select: listen=6 active_threads=0 tvp=NULL >>> dnPrettyNormal: <o=pwgsc> => ldap_bv2dn(o=pwgsc,0) <= ldap_bv2dn(o=pwgsc)=0 => ldap_dn2bv(272) <= ldap_dn2bv(o=pwgsc)=0 => ldap_dn2bv(272) <= ldap_dn2bv(o=pwgsc)=0 <<< dnPrettyNormal: <o=pwgsc>, <o=pwgsc> SRCH "o=pwgsc" 2 0 0 0 0 begin get_filter EQUALITY ber_scanf fmt ({mm}) ber: ber_dump: buf=0x081ff3d8 ptr=0x081ff3f5 end=0x081ff405 len=16 0000: a3 0c 04 03 75 69 64 04 05 66 61 74 61 6d 30 00 ....uid..fatam0. end get_filter 0 filter: (uid=fatam) ber_scanf fmt ({M}}) ber: ber_dump: buf=0x081ff3d8 ptr=0x081ff403 end=0x081ff405 len=2 0000: 00 00 .. attrs: ==> limits_get: conn=0 op=1 dn="[anonymous]" => bdb_search bdb_dn2entry("o=pwgsc") => bdb_dn2id("o=pwgsc") <= bdb_dn2id: got id=0x00000001 send_ldap_result: conn=0 op=1 p=3 send_ldap_result: err=32 matched="" text="" send_ldap_response: msgid=2 tag=101 err=32 ber_flush: 14 bytes to sd 10 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... .... ldap_write: want=14, written=14 0000: 30 0c 02 01 02 65 07 0a 01 20 04 00 04 00 0....e... .... daemon: activity on 1 descriptor daemon: activity on: 10r daemon: read activity on 10 connection_get(10) connection_get(10): got connid=0 connection_read(10): checking for input on id=0 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 03 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0x082008e0 ptr=0x082008e0 end=0x082008e5 len=5 0000: 02 01 03 42 00 ...B. ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 10 failed errno=0 (Success) connection_read(10): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=10 for close do_unbind connection_close: deferring conn=0 sd=10 daemon: select: listen=6 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked connection_resched: attempting closing conn=0 sd=10 daemon: select: listen=6 active_threads=0 tvp=NULL connection_close: conn=0 sd=10 daemon: removing 10 daemon: shutdown requested and initiated. daemon: closing 6 slapd shutdown: waiting for 0 threads to terminate slapd shutdown: initiated ====> bdb_cache_release_all slapd destroy: freeing system resources. slapd stopped.

2 1

index_param failed
by JOYDEEP 03 Jul '07

03 Jul '07

Dear list, from the log I am getting these errors like ====================== <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (uidNumber) index_param failed (18) <= bdb_equality_candidates: (memberUid) index_param failed (18) <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (uid) index_param failed (18) <= bdb_equality_candidates: (uid) index_param failed (18) ================================== could any one tell me the possible reason behind it and how to fix it ? thanks

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software July 2007