I'm currently doing a review to see how OpenLDAP compares, *feature
wise* ATM, to other directory servers and specifically to the Sun DS -
i.e. to get a definitive list of features it's missing that Sun has and
what it has that Sun doesn't have, etc. For brevity, I haven't included
all the potentially useful features of OpenLDAP, but have just focused
on those associated with 1) RFC compliance (which Sun may or may not
meet) and 2) features to match the Sun DS (which it would be replacing).
So far, here's what I have for OpenLDAP:
RFC 4510 (which includes 4511-4519). There was recent discussion on the
list around this, such that in some cases, not everything that changed
from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been
updated in OpenLDAP, but I think those issues are fairly minor.
The following additional RFCs are supported in OpenLDAP:
- RFC 2247 and RFC 3088
- RFC 2696 simple paged results
- RFC 2849 ldif
- RFC 3062 password mod op
- RFC 3296 named referrals, manageDSAit
- RFC 3673 All Op attrs + feature
- RFC 3687 Component matching rules
- RFC 3866 Language tags and ranges
- RFC 3876 matched values control
- RFC 4370 proxy auth
- RFC 4522 binary encoding
- RFC 4523 x.509 cert schema
- RFC 4524 COSINE schema
- RFC 4525 Mod-increment
- RFC 4526 Absolute true/false filters
- RFC 4527 pre/post read control
- RFC 4528 assertion control
- RFC 4529 request attrs by objectclass
- RFC 4530 entryUUID
- RFC 4532 whoamI
- RFC 4533 Content Sync op (replication)
RFCs NOT supported are:
- RFC 2589 dds Seems with 2.4, this has gone from experimental to
- RFC 2891 server side sorting
- RFC 3671 collective attributes
- RFC 3928 LCUP mainly for updating cached addressbooks, etc - not
replication between servers
- RFC 3384 looks like just reqs for replication, not an actual
replication protocol - RFC 4533 is used instead
- RFC 3672 (subentries)
- RFC 3698 and 3727 (additional matching rules)
- RFC 3909 LDAP Cancel operation
- RFC 5020 entryDN operational attribute
(There are some other, often obscure, LDAP-related RFCs that I didn't
include, but these seem to be the major/useful ones)
Other features not supported:
- VLV browse indexes (per
http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an
RFC, but supported by Sun and MS directories, and used by things like
Outlook and Solaris.
Other supported features:
- dyngroup/dynlist/memberof overlay (A much more useful feature than
Sun's groupOfURLs "dynamic" group and "roles" mechanism)
- ppolicy overlay (matches Sun DS 5.x reasonably close, but is account
lockout replicated to all servers? Sun DS 6.x claims to)
- refint overlay (similar to Sun's referential integrity plugin)
- unique overlay (similar to Sun's uniqueness plugin)
- audit and accesslog overlays, syslog logging - much more
useful/complete than Sun's access/audit/error logs.
- live acl changes via LDAP
- Per user resource limits (sizelimit, timelimit, idletimeout, etc). I
think Howard Chu said OpenLDAP has some of this, but I haven't seen any
reference to it or how to use it in the docs (does this functionality
exist, and if so, is there any documentation?)
- Tracking of last login (i.e. last successful ldap authentication)
Is this still fairly accurate?
The ones that are really problematic are the lack of:
- VLV Browse indexes
- RFC 2891 (server side sorting)
- per user/entry resources limits (if they don't exist)
Are there any unofficial updates/patches/overlays/plans for any of this
I'm doing a bit of playing with slapo-pcache and have it working
fairly well (particularly once I realised that an individual attr can
live in only one proxyattrset).
However, there's one bit that I can't get working - is there any way
to define a template that will match a search which doesn't provide an
i.e. I can see quite a few searches (presumably from amd) of the
following form (spacing and formatting changed by me to make it more
Jul 23 14:54:16 host1 slapd: conn=49 op=1
SRCH base="dc=inf,dc=ed,dc=ac,dc=uk" scope=2 deref=0
Jul 23 14:54:16 host1 slapd: query template of incoming query =
Jul 23 14:54:16 host1 slapd: QUERY NOT ANSWERABLE
Jul 23 14:54:16 host1 slapd: QUERY NOT CACHEABLE
Jul 23 14:54:16 host1 slapd: conn=49 op=1 SEARCH RESULT tag=101
err=0 nentries=0 text=
Note that there's no 'SRCH attr=' line.
I've tried proxyattrset of the following forms...
proxyattrset 1 *
(both of which crash slapd)
proxyattrset 1 <full list of attrs returned when none specified>
.... but this didn't work either.
Thanks in advance for any advice,
School of Informatics
University of Edinburgh
We are currently running OpenLDAP 2.2.13 with a bdb-4.2.52 backend as it
comes with RHEL4. We have about 50,000 CNs, each having about 5-10
attributes with a length of no longer than 100 characters. So our
dataset is not very big.
We have a lot of concurrent reads since our LDAP provides the data for
incoming and pop3/imap servers. But we have only about 100 changes/adds
a day, not more.
Yesterday we had the second bdb problem in our 1-year LDAP setup. The
problem is that we cannot really detect the crash, since LDAP queries
just hang, but they neither time out nor does OpenLDAP crash. We just
notice the mailserver issues and have to track them down to OpenLDAP and
bdb. As with last time, we had to shut down OpenLDAP and recover bdb.
Fortunately we have been able to recover the data directory both times
using db_recover. But in fact, we want to have a backend that doesn't
crash twice a year. And as our setup is growing and we want to start
with replication, we want a backend that we can trust.
I read through the backend documentation of OpenLDAP, and Berkeley DB is
praised as very fast and efficient. Amazing that Berkeley DB is not
called stable anywhere in the documentation. And from my experience, bdb
is not stable. Whenever you hear about bdb, you hear about it because a
database went corrupt. bdb is just a key/value database that seems to
work fine as long as it is read-only. Different projects, e.g. Subversion,
have turned away from bdb and use a different backend.
Often they use SQLite. Since SQLite handles complete table layouts, it
would also be possible to create one table with two columns (key and
value as in bdb). SQLite is also supposed to be transactional.
But why is OpenLDAP sticking with bdb? Does bdb have any other important
features that SQLite doesn't have? Benchmark issues? Replication?
I have to admit that I'm not using the latest releases of bdb. But I've
been using and watching bdb for years and I can hardly believe that it
has become stable in the latest release.
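The failure mode described in this post (slapd keeps accepting connections while queries hang, so nothing times out and nothing crashes) is invisible to a plain TCP port check. Below is an added example, not from the original thread, of a minimal probe that hand-encodes an anonymous LDAP simple bind (BER per RFC 4511), sends it with a hard deadline, and reports "hung" when the server accepts the connection but never answers. Host, port and timeout values are illustrative assumptions.

```python
"""Minimal LDAP liveness probe with a hard deadline.

Added example for the thread above (not OpenLDAP code). It distinguishes a
server that answers a bind ('ok'), one that accepts TCP but never replies
('hung') and one whose port is closed ('refused'). Host/port/timeout are
assumptions; point it at your own slapd.
"""
import socket


def _ber_len(n: int) -> bytes:
    # BER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_anon_bind(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.
    msg_id must be below 128 for this one-byte INTEGER encoding."""
    bind_req = _tlv(0x60,                    # [APPLICATION 0] BindRequest
                    _tlv(0x02, b"\x03")      # version INTEGER 3
                    + _tlv(0x04, b"")        # name: empty DN (anonymous)
                    + _tlv(0x80, b""))       # authentication: simple, empty
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind_req)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_bind_result_code(data: bytes) -> int:
    """resultCode of a BindResponse, or -1 if data is not a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        return -1
    _, _msgid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                          # [APPLICATION 1] BindResponse
        return -1
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:                          # ENUMERATED resultCode
        return -1
    return int.from_bytes(code, "big")


def probe(host: str = "127.0.0.1", port: int = 389, timeout: float = 5.0) -> str:
    """'ok' if the bind is answered within `timeout`, 'hung' if the server
    accepts the connection but stays silent, 'refused' if the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_anon_bind())
            data = s.recv(4096)              # a BindResponse fits in one read
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "hung"
    except OSError as e:
        return f"error: {e}"
    if not data:
        return "error: connection closed without a reply"
    code = parse_bind_result_code(data)
    return "ok" if code == 0 else f"error: resultCode {code}"


if __name__ == "__main__":
    import sys
    status = probe()
    print(status)
    sys.exit(0 if status == "ok" else 1)
```

Run it from cron or a monitoring agent against each replica; a non-zero exit on "hung" is the signal this poster was missing, and it fires long before the mail servers start failing. Anonymous bind is used so the probe needs no credentials and nothing secret ends up in a monitoring config.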
I want to set up a local LDAP server that will add my local entries to
the master server.
The config is this one:
A central server that is replicated to my "ldap_relay" server (I have
access to the configuration of this server). This one replicates from a
central LDAP (I have no access to this one) via classical syncrepl. So I
can read my ldap_relay but I can't add my own attributes. I try several
* I've tried to set up multimaster replication between ldap_relay and a
local LDAP server (ldap1). In this config I can update users and add my
own attributes, but if someone is deleted from the central LDAP, he is
deleted from the "ldap_relay" server and not deleted in the ldap1 server
* I've tried to use the translucent overlay between ldap_relay and ldap1 but
the problem is that it's not possible to search local entries with
* I read the config from Oren Laadan (
This seems to be what I need, but I don't really understand how to
If someone can help me to set up this solution with my servers.
Thanks in advance.
I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also CVS
RE24). I'm making use of authz-regexp to map user entries when they do a
SASL Bind with DIGEST-MD5. Also some ACLs are in effect. This together
used to work on 2.3.x with the existing ACLs.
With 2.4.7 this no longer worked. The user wasn't found. In the ACL
debug log I've noticed that access to the search root database entry
(suffix) is requested. When I explicitly grant auth access to this entry
it works. But why is that needed? Was this an intended change?
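To make the mapping this post relies on concrete, here is an added example (not from the original post and not OpenLDAP source) that emulates the authz-regexp step: the SASL authentication DN slapd forms for a DIGEST-MD5 bind, uid=<user>,cn=<mech>,cn=auth (or uid=<user>,cn=<realm>,cn=<mech>,cn=auth with a realm), is matched against slapd.conf rules in order and rewritten to either a DN or an LDAP URL that slapd then searches. The rules, suffix and user names are illustrative, and the toy assumes the DN is already normalized to lowercase; it covers only the regex rewrite, not the search or the ACL check that follows it.

```python
"""Emulate slapd's authz-regexp rewriting of a SASL authentication DN.

Added example, not OpenLDAP code. Rules are (match, replace) pairs in
slapd.conf order; like slapd, the first matching rule wins, so put the
most specific rule first. slapd uses POSIX extended regexes with $N
back-references; Python's re module handles these patterns the same way.
"""
import re

# Illustrative rules for an assumed suffix dc=example,dc=com.
AUTHZ_REGEXP_RULES = [
    # Specific identity first: a direct DN rewrite, no search needed.
    (r"^uid=admin,cn=[^,]+,cn=auth$",
     r"cn=Manager,dc=example,dc=com"),
    # Realm-qualified form: uid=<user>,cn=<realm>,cn=digest-md5,cn=auth
    (r"^uid=([^,]+),cn=example\.com,cn=digest-md5,cn=auth$",
     r"ldap:///dc=example,dc=com??sub?(&(uid=$1)(objectClass=inetOrgPerson))"),
    # Plain form: uid=<user>,cn=digest-md5,cn=auth
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
     r"ldap:///dc=example,dc=com??sub?(uid=$1)"),
]


def sasl_authc_dn(user: str, mech: str, realm: str = "") -> str:
    """Authentication DN slapd derives from a SASL bind (lowercased here
    as a stand-in for slapd's DN normalization)."""
    realm_part = f"cn={realm}," if realm else ""
    return f"uid={user},{realm_part}cn={mech},cn=auth".lower()


def apply_authz_regexp(authc_dn: str, rules=AUTHZ_REGEXP_RULES):
    """Return ('dn', value) or ('url', value) for the first matching rule,
    or None when nothing matches (slapd then keeps the authc DN itself)."""
    for match, replace in rules:
        m = re.match(match, authc_dn)
        if not m:
            continue
        # Translate slapd's $1..$9 back-references into Python's \1..\9.
        result = m.expand(re.sub(r"\$(\d)", r"\\\1", replace))
        kind = "url" if result.startswith("ldap:///") else "dn"
        return kind, result
    return None


def parse_ldap_url(url: str) -> dict:
    """Split ldap:///base?attrs?scope?filter (RFC 4516) into its parts,
    applying the RFC defaults (scope base, filter (objectClass=*))."""
    rest = url[len("ldap:///"):]
    base, attrs, scope, filt = (rest.split("?") + [""] * 4)[:4]
    return {
        "base": base,
        "attrs": attrs,
        "scope": scope or "base",
        "filter": filt or "(objectClass=*)",
    }


if __name__ == "__main__":
    for dn in (sasl_authc_dn("jdoe", "DIGEST-MD5"),
               sasl_authc_dn("jdoe", "DIGEST-MD5", realm="example.com"),
               sasl_authc_dn("admin", "DIGEST-MD5")):
        mapped = apply_authz_regexp(dn)
        print(dn, "->", mapped)
        if mapped and mapped[0] == "url":
            print("   search:", parse_ldap_url(mapped[1]))
```

The URL form is what makes ACLs matter: slapd has to run that search before the bind identity exists, so whatever access the search needs (the post found auth access on the suffix entry in 2.4) has to be granted to the still-unauthenticated client. A rule that maps straight to a DN avoids the search altogether.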
I have two openldap 2.4 servers, one a sync provider to the other. The
Provider always seems to get about 8 seconds behind the consumer. I do
run ntpd on both. Would this time difference cause the consumer not to
If I restart the consumer, it will pull updates until it becomes synced.
It will even pull updates for a few minutes. Then it will no longer
sync until I restart it.
Here is some pertinent info:
retry="5 5 300 +"
syncprov-checkpoint 25 5
I have an LDAP installation with almost 100 users in it, and now I've
realised I need to change the structural objectClass, because I need some
attributes I don't have and my current objectClass won't allow me to have
these attributes (or that's what I think). Now my objects are accounts and I
need them to be organizationalPerson, so I can have telephone info, and a
picture, and some other things.
Is there a way I can make this change without having to create all the users
again? It's not so much about the time I'd have to waste, but that I
don't know the users' passwords, so I would have to ask them to enter their
password again, and I think they would kill me if I asked them to do so.
So if you know a way to just create new accounts and then import the
passwords from the old ones, that'll work for me too.
Thanks a lot!
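The structural objectClass of an existing entry cannot be changed with an LDAP modify (RFC 4512 forbids it), so the usual route is export, rewrite, reimport: slapcat the database, change the class in the LDIF, slapadd the result into an empty database. Because slapcat writes the stored userPassword hashes, they carry over untouched and nobody has to re-enter a password. The script below is an added example, not from the original thread; its sample LDIF and hash strings are constructed, and the placeholder cn/sn values it fills in (required by person) are derived from uid only so that slapadd accepts the entries, to be replaced with real names afterwards.

```python
"""Rewrite the structural objectClass of entries in an LDIF export.

Added example for the thread above (not OpenLDAP code). Assumed flow:
    slapcat -l old.ldif                      # with slapd stopped
    python3 convert_class.py old.ldif > new.ldif
    slapadd -l new.ldif                      # into an empty database
userPassword values (including base64 '::' lines) are copied byte-for-byte,
so the stored hashes survive the conversion.
"""
import sys

OLD_STRUCTURAL = "account"
# inetOrgPerson and its superior chain; person MUST have cn and sn.
NEW_CLASSES = ["person", "organizationalPerson", "inetOrgPerson"]


def parse_ldif(text: str):
    """Minimal LDIF reader: a list of entries, each a list of
    (attr, separator, raw_value) triples in file order. Continuation lines
    are unfolded; separator is ':' (plain), '::' (base64) or ':<' (URL).
    Values are kept verbatim so nothing (hashes included) is re-encoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            sep, value = "::", rest[1:].strip()
        elif rest.startswith("<"):
            sep, value = ":<", rest[1:].strip()
        else:
            sep, value = ":", rest.strip()
        current.append((attr, sep, value))
    if current:
        entries.append(current)
    return entries


def to_ldif(entries) -> str:
    return "\n".join("\n".join(f"{a}{s} {v}" for a, s, v in e) + "\n" for e in entries)


def convert_entry(entry):
    """Replace objectClass 'account' with the inetOrgPerson chain, keep every
    other attribute (auxiliary classes such as posixAccount, userPassword,
    uidNumber, ...) and add placeholder cn/sn where missing.
    Returns (new_entry, changed)."""
    classes = {v.lower() for a, _, v in entry if a.lower() == "objectclass"}
    if OLD_STRUCTURAL not in classes:
        return entry, False
    present = {a.lower() for a, _, _ in entry}
    uid = next((v for a, _, v in entry if a.lower() == "uid"), None)
    out = []
    for a, s, v in entry:
        if a.lower() == "objectclass" and v.lower() == OLD_STRUCTURAL:
            out.extend(("objectClass", ":", c) for c in NEW_CLASSES
                       if c.lower() not in classes)
        else:
            out.append((a, s, v))
    # person MUST ( sn $ cn ): fill from uid so slapadd accepts the entry.
    # These are placeholders; replace them with real names afterwards.
    for required in ("cn", "sn"):
        if required not in present and uid is not None:
            out.append((required, ":", uid))
    return out, True


def convert_ldif(text: str):
    """Return (new_ldif_text, number_of_entries_changed)."""
    converted, changed = [], 0
    for entry in parse_ldif(text):
        new, did = convert_entry(entry)
        converted.append(new)
        changed += did
    return to_ldif(converted), changed


# Constructed sample export; the hash strings are made up, not real digests.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: jdoe
cn: John Doe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
userPassword:: e1NTSEF9Y29uc3RydWN0ZWRoYXNoMQ==

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: account
uid: asmith
userPassword: {SSHA}constructedhash2
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    new_text, n = convert_ldif(src)
    sys.stdout.write(new_text)
    print(f"# {n} entries converted", file=sys.stderr)
```

Run slapadd against the new file with slapd stopped and keep the old export until the new database has been checked (a test bind with a known account is enough to confirm the hashes survived). Entries that already carry inetOrgPerson are left alone, so the script can be re-run safely.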
I'm running 2.3.39 and using ppolicy to enforce our password policy.
Got an LDIF file:
description: OpenLDAP ppolicy to implement NPG2810-like restrictions
When I try to slapadd it, I get an error indicating it doesn't like
sudo sbin/slapadd -l ldifs/6_policies.ldif
str2entry: invalid value for attributeType pwdAttribute #0 (syntax
slapadd: could not parse entry (line=51)
The ppolicy.schema file says:
# This holds the name of the attribute to which the password policy is
# applied. For example, the password policy may be applied to the
# userPassword attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
And my slapd.conf includes ppolicy.schema in addition to core.schema,
cosine.schema, and inetorgperson.schema.
Oddly, replacing the "userPassword" value with a random number, like
"42" or "3.14159" causes no error.
I cannot find userPassword defined in any of the schemas, though it is
commented out in core.schema. If I uncomment it from core.schema it
complains that it's a dupe:
sbin/slapadd -l ldifs/6_policies.ldif
schema/core.schema: line 244: Duplicate attributeType: "2.5.4.35"
slapadd: bad configuration file!
What am I missing?
Nik Svoboda wrote:
> In the case that it is useful, here is what I am seeing. This picture
> is taken from gq. The symptom that lead me to look for this was that no
> partial-matches were being returned from LDAP searches, even when
> explicitly specified in the search.
The screenshot isn't that useful. You should rather post the
commands you invoked when searching and no results were returned.
Probably together with your slapd.conf (indexing config) and LDIF
of your data.
> I am not sending this to the entire list to avoid creating a very
> large traffic amount.
Cc:-ed openldap-software list again. Please let's stay there.