We seem to be getting errors every night a couple minutes after
logrotate rotates our logs and sends a SIGHUP to syslog-ng (to force
Jul 11 04:02:46 csenet slapd: daemon: 1024 beyond descriptor table size 1024
Nothing is touching our slapd process (i.e., same process over
This seems only to happen on our master LDAP server. We're using
slurpd for replication to our two slave servers.
This morning, something apparently corrupted our directory, which
apparently got replicated to our slaves; we restored the db from the
nightly dump (made from slapcat on another replica) and LDAP seems
We can't see anything in the logs that would lend a clue as to what
might be going on. Any suggestions as to where I should start looking?
We're running RHEL 4 with all updates applied, using RH's openldap
Looking back in the logs, it seems that the syslog message above
occurs for a couple minutes after syslog-ng is restarted, and then
stops occurring until the next time syslog-ng is restarted, but it's
apparently been happening for quite a while. Today is the first time
we've had corruption (or otherwise total failure) of the LDAP
Any suggestions or help will be greatly appreciated.
Gregory K. Ruiz-Ade
Sr. Systems Administrator
Computer Science and Engineering
University of California, San Diego
Office: EBU3b 1216
Phone: (858) 822-2625
I installed OpenLDAP 2.2.29 on a Win2003 SP2 server that is already an
AD DC (so that might be the problem).
When I start the service, I get the following error message:
service-specific error 16.
If I run sc query openldap-slapd, I get:
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1066 (0x42a)
SERVICE_EXIT_CODE : 16 (0x10)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
It does work fine on WinXP though. So I think there is a conflict with AD.
Is there a way to change the port that OpenLDAP uses?
If not, I'll just demote the server instead.
I am using OpenLDAP 2.3 as a proxy cache to our primary eDirectory LDAP
Server. The proxy is working but in order to optimize the cache, I need
to specify the search queries and attributes to index in slapd.conf. Is
there an easy way to log what queries are being run and how often?
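With slapd's "stats" log level (loglevel 256) every search is logged as a SRCH line carrying the base, scope and filter, followed by a "SRCH attr=" line listing the requested attributes. The script below is an added example, not code from the post or from OpenLDAP: it runs over a constructed sample of such syslog lines (host, DNs and values are made up), pairs the two lines by conn/op, replaces assertion values so that searches differing only in the value collapse into one template, and counts how often each template/attribute-set/scope combination occurs. That is the input one needs to decide which attributes to index and which templates a proxy cache should hold.

```python
import re
from collections import Counter

# Constructed sample of slapd "stats" (loglevel 256) lines as syslog records them;
# the host, DNs and values are invented for this example.
SAMPLE_LOG = """\
Jul 19 10:00:01 proxy1 slapd[2201]: conn=12 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"
Jul 19 10:00:01 proxy1 slapd[2201]: conn=12 op=1 SRCH attr=mail cn
Jul 19 10:00:01 proxy1 slapd[2201]: conn=12 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 19 10:00:02 proxy1 slapd[2201]: conn=13 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=asmith)"
Jul 19 10:00:02 proxy1 slapd[2201]: conn=13 op=1 SRCH attr=cn mail
Jul 19 10:00:03 proxy1 slapd[2201]: conn=14 op=2 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=0 filter="(&(objectClass=posixGroup)(memberUid=jdoe))"
Jul 19 10:00:03 proxy1 slapd[2201]: conn=14 op=2 SRCH attr=cn gidNumber
Jul 19 10:00:04 proxy1 slapd[2201]: conn=15 op=0 BIND dn="cn=proxy,dc=example,dc=com" method=128
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="(.*)"$')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')
# one assertion inside a filter: "(attr=value)", "(attr~=value)", "(attr>=value)" ...
VALUE_RE = re.compile(r'\(([^()=~<>]+)(=|~=|<=|>=)[^()]*\)')


def template(filt):
    """Drop assertion values: (uid=jdoe) -> (uid=), so equal-shaped searches merge."""
    return VALUE_RE.sub(lambda m: "(%s%s)" % (m.group(1), m.group(2)), filt)


def summarize(log_text):
    """Count (filter template, sorted attribute list, scope) over the log lines."""
    pending = {}          # (conn, op) -> (base, scope, template) awaiting its attr line
    counts = Counter()
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            pending[(conn, op)] = (base, scope, template(filt))
            continue
        m = ATTR_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            base, scope, tmpl = pending.pop((m.group(1), m.group(2)))
            attrs = " ".join(sorted(m.group(3).split()))
            counts[(tmpl, attrs, scope)] += 1
    # searches whose attr line never appeared (no attributes requested, or lost)
    for base, scope, tmpl in pending.values():
        counts[(tmpl, "", scope)] += 1
    return counts


def report(counts, limit=10):
    """Most frequent search shapes first, one line each."""
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ["%d %s attrs=[%s] scope=%s" % (n, tmpl, attrs, scope)
            for (tmpl, attrs, scope), n in rows[:limit]]


if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG)):
        print(row)
```

On a real proxy, feed the script the syslog file that receives slapd's messages instead of SAMPLE_LOG; the attribute names that appear most often in templates are the candidates for index directives, and the template/attribute pairs are what the proxy cache templates need to cover.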
We are running openldap 2.3.30 on Fedora Core 6. Everything seems
to be working fine since we started it up in February. However, I
have noticed that in /var/lib/ldap there are a lot of log.00000x
files incrementing from 1 through 58 so far and they are all the same
size of 5242880 bits. Can someone explain to me what the role of
these log files is and if there is anything I should do to keep the
directory clean over time? Should I just ignore them or is there
maintenance or something that is recommended for cleaning up these
log files over time? Is openldap dependent upon all of them for any reason?
-rw------- 1 ldap ldap 5242880 Apr 18 18:56 log.0000000053
-rw------- 1 ldap ldap 5242880 Apr 30 07:38 log.0000000054
-rw------- 1 ldap ldap 5242880 Jun 5 11:26 log.0000000055
-rw------- 1 ldap ldap 5242880 Jun 8 13:30 log.0000000056
-rw------- 1 ldap ldap 5242880 Jul 18 12:07 log.0000000057
-rw------- 1 ldap ldap 5242880 Jul 19 11:45 log.0000000058
Also, are there any other ldap maintenance tasks that one might
recommend doing periodically to keep the ldap databases running
efficiently and reliably? Note we are using Berkeley database in case
that matters (*.bdb).
Network Engineer - Beloit College
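The log.NNNNNNNNNN files are Berkeley DB transaction logs: the library writes them in fixed-size pieces and keeps each one until a checkpoint has made it unnecessary, after which it is only removed if DB_CONFIG contains "set_flags DB_LOG_AUTOREMOVE" or someone runs db_archive (which lists logs that are no longer needed, and deletes them with -d). The newest log is always in use and must never be removed by hand. The function below is an added example, not part of the post or of OpenLDAP: pointed at a database directory it counts the logs, sums their size, checks DB_CONFIG for the autoremove flag and returns the advice a practitioner would give.

```python
import os
import re

LOG_NAME = re.compile(r"log\.\d{10}")   # Berkeley DB transaction log file names


def read_db_config_flags(db_dir):
    """Return the set of flag names given on set_flags lines in DB_CONFIG."""
    flags = set()
    cfg = os.path.join(db_dir, "DB_CONFIG")
    if os.path.isfile(cfg):
        with open(cfg) as fh:
            for line in fh:
                parts = line.split()
                if len(parts) >= 2 and parts[0] == "set_flags":
                    flags.update(parts[1:])
    return flags


def bdb_log_report(db_dir):
    """Summarise the transaction logs in db_dir and say what, if anything, to change."""
    logs = sorted(f for f in os.listdir(db_dir) if LOG_NAME.fullmatch(f))
    total = sum(os.path.getsize(os.path.join(db_dir, f)) for f in logs)
    flags = read_db_config_flags(db_dir)
    report = {
        "log_count": len(logs),
        "log_bytes": total,
        "oldest": logs[0] if logs else None,
        "newest": logs[-1] if logs else None,   # in use: never delete this one
        "autoremove": "DB_LOG_AUTOREMOVE" in flags,
        "advice": [],
    }
    if logs and not report["autoremove"]:
        report["advice"].append(
            "logs are never removed automatically: add 'set_flags DB_LOG_AUTOREMOVE' "
            "to DB_CONFIG (the environment must be re-opened for it to take effect), "
            "or let 'db_archive -d' remove the ones no longer needed after a checkpoint")
    if len(logs) > 1:
        report["advice"].append(
            "keep only the dump from slapcat plus the logs db_archive -l still lists "
            "when taking backups; older logs are dead weight")
    return report


if __name__ == "__main__":
    import sys
    for key, value in bdb_log_report(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print("%-11s %s" % (key, value))
```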
I have an OpenLDAP version 2.2 on an ldbm database under Unix with 2500 users.
I'm aware upgrading is an option but it is not clear whether it would
resolve my issue as stated below.
A search query returns a subset of the expected results.
I reindexed the data and there was no change in the results returned.
An update action to a user id not visible in the initial query becomes
visible in subsequent queries.
After an export of the data (slapcat) and import (slapadd) to an empty data
store, the same query as above returns the expected results.
After a period of time further queries return only a subset of the expected
Please find below the slapd.conf and database size
index objectClass eq
index cn eq
index uid eq,sub
index sn eq
index groups eq
#user limitations -1 no limit
Please find my database files
-rw------- 1 openldap system 143360 Jul 19 21:09 cn.dbb
-rw------- 1 openldap system 589824 Jul 19 14:34 dn2id.dbb
-rw------- 1 openldap system 61440 Jul 19 21:09 groups.dbb
-rw------- 1 openldap system 1368064 Jul 19 21:09 id2entry.dbb
-rw------- 1 openldap system 8192 Jul 19 13:57 nextid.dbb
-rw------- 1 openldap system 40960 Jul 19 21:09 objectClass.dbb
-rw------- 1 openldap system 114688 Jul 19 21:09 sn.dbb
-rw------- 1 openldap system 970752 Jul 19 21:09 uid.dbb
Any assistance would be greatly appreciated.
I'm trying to add a group with 2 users to LDAP, but I'm running into
problems. When I add my group and then search for it, it shows a
userPassword, and garbles the memberUid of the first user I added to the
group. Any ideas?
ldapadd -D "cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w txxxxxxxx -x -v -f
ldap_initialize( <DEFAULT> )
adding new entry
ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "cn=testgroup,ou=Group,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w tical123 -x
# extended LDIF
# base <cn=testgroup,ou=Group,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# testgroup, Group, gomer.mdah.state.ms.us
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
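LDIF (RFC 2849) stores an attribute value exactly as it appears after "attr: ", so whitespace left at the end of a memberUid line, or the CR that a DOS-edited file carries on every line, becomes part of the value and shows up looking garbled; values that are not "safe" (leading space, ':' or '<', non-ASCII or control characters) must instead be written base64-encoded after "attr:: ". The code below is an added example rather than anything from the post: it builds a posixGroup entry with the encoding rule applied (names, gid and base DN are constructed for the example) and lints an LDIF text for the three mistakes that most often produce such symptoms before the file is handed to ldapadd.

```python
import base64


def needs_base64(value):
    """RFC 2849: a value that is not a SAFE-STRING must be base64-encoded;
    values ending in a space should be, so that the space is not lost."""
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\r\n\x00" for ch in value)


def ldif_line(attr, value):
    """One attribute line, base64-encoded (double colon) only when required."""
    if needs_base64(value):
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def build_group_ldif(cn, gid_number, member_uids, base_dn):
    """posixGroup entry under ou=Group,<base_dn>. Member names are emitted
    verbatim, so stray whitespace is made visible (encoded) rather than hidden."""
    lines = [ldif_line("dn", "cn=%s,ou=Group,%s" % (cn, base_dn)),
             "objectClass: top",
             "objectClass: posixGroup",
             ldif_line("cn", cn),
             ldif_line("gidNumber", str(gid_number))]
    lines.extend(ldif_line("memberUid", uid) for uid in member_uids)
    return "\n".join(lines) + "\n"


def lint_ldif(text):
    """Return (line_no, problem) pairs for the usual sources of mangled values."""
    problems = []
    for n, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):
            problems.append((n, "CR line ending"))       # file edited on Windows
            line = line[:-1]
        if line != line.rstrip(" \t"):
            problems.append((n, "trailing whitespace"))  # becomes part of the value
        if line and line[0] not in " #" and ":" not in line:
            problems.append((n, "missing ':' separator"))  # not a continuation either
    return problems


if __name__ == "__main__":
    # constructed sample: the second member name carries a trailing space
    sample = build_group_ldif("testgroup", 5000, ["jdoe", "asmith "], "dc=example,dc=com")
    print(sample)
    print(lint_ldif("dn: cn=g,dc=example,dc=com\nmemberUid: jdoe \r\nmemberUid bob\n"))
```

Run lint_ldif over the file given to ldapadd -f; a clean file with a value that still comes back wrong from ldapsearch points at the entry already in the directory rather than at the LDIF.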
I am using openldap with a bdb database. I'd like to extract the mail addresses
from the bdb database.
I have found mail.bdb, but it is a binary file. Could anyone
suggest how I can extract the mail addresses from the bdb database?
I have a request from a customer about 2 replication architectures and I
would like to know if it's possible to implement them:
1 - Master Server -> "hub" Server -> Slave Server
2 - Server1 <-> Server2 <-> Server 3
Another question:
Is replication with slurpd or SyncREPL supported over a WAN? Are
there any restrictions?
I am a newbie in OpenLDAP. Presently I am running OpenLDAP as the
authentication backend of a Postfix+IMAP email server.
How can I take a backup and maintain the LDAP database? What are the
I'd like to place the associated commands in cron jobs.
Please enlighten me. Thanks
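A backup that cron can run is slapcat writing the whole directory as LDIF, which slapadd can load again into an empty database. The script below is an added example, not code from the post or from OpenLDAP, and it assumes slapcat is on the PATH and that the job runs as the user that owns the database files. Because the dump contains every userPassword hash, the file is created with mode 0600 and never overwritten; a failed or empty dump is deleted rather than kept, and only the newest `keep` dumps are retained.

```python
import glob
import gzip
import os
import shutil
import subprocess
import time


def count_entries(path):
    """Number of entries in a gzip'd LDIF dump (each entry starts with a dn: line)."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return sum(1 for line in fh if line.startswith("dn:"))


def prune_old_dumps(dest_dir, keep):
    """Delete all but the newest `keep` dumps; the names sort by their timestamp."""
    dumps = sorted(glob.glob(os.path.join(dest_dir, "ldap-*.ldif.gz")))
    for old in dumps[:-keep]:
        os.unlink(old)


def backup_ldap(dest_dir, slapcat_cmd=("slapcat",), keep=14, now=None):
    """Dump the directory into dest_dir/ldap-<UTC stamp>.ldif.gz and return its path.
    `slapcat_cmd` is the command to run (hypothetical parameter, so a test can
    substitute its own); `now` overrides the clock for deterministic names."""
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    path = os.path.join(dest_dir, "ldap-%s.ldif.gz" % stamp)
    # O_EXCL: never clobber an existing dump; 0600: hashes are not world-readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    raw = os.fdopen(fd, "wb")
    try:
        with raw, gzip.GzipFile(fileobj=raw, mode="wb") as out:
            proc = subprocess.Popen(list(slapcat_cmd), stdout=subprocess.PIPE)
            shutil.copyfileobj(proc.stdout, out)   # stream, do not buffer the whole DIT
            rc = proc.wait()
        if rc != 0:
            raise RuntimeError("%s exited with status %d" % (slapcat_cmd[0], rc))
        if count_entries(path) == 0:
            raise RuntimeError("dump contains no entries")
    except Exception:
        os.unlink(path)     # leave no partial or empty dump behind
        raise
    prune_old_dumps(dest_dir, keep)
    return path


if __name__ == "__main__":
    import sys
    print(backup_ldap(sys.argv[1] if len(sys.argv) > 1 else "/var/backups/ldap"))
```

A crontab line such as "30 2 * * * /usr/local/bin/ldap-backup.py /var/backups/ldap" runs it nightly; restoring means stopping slapd, emptying the database directory and loading the LDIF with slapadd.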
I want to force clients to use TLS except on the IPv4 loopback interface.
As suggested by Aaron, I have the following ACL as the very first one
# first, make sure TLS or localhost
access to *
by tls_ssf=1 none break
by peername.ip="127.0.0.1" none break
by * none
followed by my "real" ACLs.
Everything is working as expected but I've just noticed that I can
bind to the server with my rootdn in cleartext.
Is this expected? Is there a way to prevent this?