openldap-software March 2008

openldap-software@openldap.org

65 participants
66 discussions

Supported RFC's and "features"
by Clowser, Jeff (Contractor) 13 Jul '09

13 Jul '09

I'm currently doing a review to see how OpenLDAP compares, *feature wise* ATM, to other directory servers and specifically to the Sun DS - i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. For brevity, I haven't included all the potentially useful features of OpenLDAP, but have just focused on those associated with 1) RFC compliance (of which Sun may or may not meet) and 2) features to match the Sun DS (which it would be replacing). … [View More] So far, here's what I have for OpenLDAP: RFC 4510 (which includes 4511-4519). There was recent discussion on the list around this, such that in some cases, not everything that changed from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been updated in OpenLDAP, but I think those issues are fairly minor. The following additional RFC's are supported in OpenLDAP: - RFC 2247 and RFC 3088 - RFC 2696 simple paged results - RFC 2849 ldif - RFC 3062 password mod op - RFC 3296 named referals, manageDSAit - RFC 3673 All Op attrs + feature - RFC 3687 Component matching rules - RFC 3866 Languange tag and range - RFC 3876 matched values control - RFC 4370 proxy auth - RFC 4522 binary encoding - RFC 4523 x.509 cert schema - RFC 4524 COSINE schema - RFC 4525 Mod-increment - RFC 4526 Absolute true/false filters - RFC 4527 pre/post read control - RFC 4528 assertion control - RFC 4529 request attrs by objectclass - RFC 4530 entryUUID - RFC 4532 whoamI - RFC 4533 Content Sync op (replication) RFC's NOT supported are: - RFC 2589 dds Seems with 2.4, this has gone from experimental to production quality? - RFC 2891 server side sorting - RFC 3671 collective attributes - RFC 3928 LCUP mainly for updating cached addressbooks, etc - not replication between servers - RFC 3384 looks like just reqs for replication, not an actual replication protocol - RFC 4533 is used instead Unknown: - RFC 3672 (subentries) - RFC 3698 and 3727 (additional matching rules) - RFC 3909 LDAP Cancel operation - RFC 5020 entryDN operational attribute (There are some other, often obscure, LDAP related RFC's that I didn't include, but this seems to be the major/useful ones) Other features not supported: - VLV browse indexes (per http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an RFC, but supported by Sun and MS directories, and used by things like Outlook and Solaris. Other supported features: - dyngroup/dynlist/memberof overlay (A much more useful feature than Sun's groupOfURLs "dynamic" group and "roles" mechanism) - ppolicy overlay (matches Sun DS 5.x reasonably close, but is account lockout replicated to all servers? Sun DS 6.x claims to) - refint overlay (similar to Sun's referential integrity plugin) - unique overlay (similar to Sun's uniqueness plugin) - audit and accesslog overlays, syslog logging - much more useful/complete than Sun's access/audit/error logs. - live acl changes via LDAP Unknown features: - Per user resource limits (sizelimit, timelimit, idletimeout, etc). I think Howard Chu said OpenLDAP has some of this, but I haven't seen any reference to it or how to use it in the docs (does this functionality exist, and if so, is there any documentation?) - Tracking of last login (i.e. last successful ldap authentication) Is this still fairly accurate? The ones that are really problematic are the lack of: - VLV Browse indexes - RFC 2891 (server side sorting) - per user/entry resources limits (if they don't exist) Are there any unofficial updates/patches/overlays/plans for any of this functionality? Thanks, - Jeff [View Less]

11 29

using slapo-pcache with an empty attr list
by Toby Blake 05 Jun '08

05 Jun '08

Hi all, I'm doing a bit of playing with slapo-pcache and have it working fairly well (particularly once I realised that an individual attr can live in only one proxyattrset). However, there's one bit that I can't get working - is there any way to define a template that will match a search which doesn't provide an attr list? i.e. I can see quite a few searches (presumably from amd) of the following form (spacing and formatting changed by me to make it more readable): Jul 23 14:54:16 host1 … [View More]

3 8

syncrepl with accesslog database
by John Morrissey 17 Apr '08

17 Apr '08

I'm trying to replicate (with syncrepl) the bdb database generated by the accesslog overlay. This is with 2.3.41 on both provider and consumer. slapd complains: do_syncrep2: rid 002 got empty syncUUID do_syncrepl: rid 002 retrying (29 retries left) Sure enough, the entry for my accesslog database's suffix doesn't have an entryUUID: dn: cn=log objectClass: auditContainer cn: log structuralObjectClass: auditContainer contextCSN: 20080313163024Z#000000#00#000000 lastmod is not explicitly … [View More]

3 6

restricting slapd memory consumption
by Ralf Narozny 14 Apr '08

14 Apr '08

Hi, I'm wondering, how I could restrict the memory usage of the slapd process. We got a quite large amount of data (23 million entries) in our login ldap. Since we are still using OpenLDAP 2.0 and of course want to migrate now, I added our data into an OpenLDAP 2.3.37 (this version will be updated soon). The problem I stumble over is that while inserting the data with ldapadd (mainly to check the performance we have to expect in the future), the amount of memory the slapd uses endlessly … [View More]

7 17

slapd crashes due to assertion failure
by John Morrissey 10 Apr '08

10 Apr '08

We recently upgraded from 2.3.30 to 2.3.41. Ever since, slapd has died about once a week due to an assertion failure. A backtrace is below, but I forgot to disable optimization in the build, so there's been some inlining. The only assertions in connection_close() are: assert( connections != NULL ); assert( c != NULL ); [...] assert( c->c_struct_state == SLAP_C_USED ); assert( c->c_conn_state == SLAP_C_CLOSING ); I'm not sure if this gives enough to go on, but I've … [View More]

3 5

Problems with openLDAP 2.3
by xjol0265 07 Apr '08

07 Apr '08

We currently use RedHat Enterprise Server 4 and openLDAP 2.2.13 to provide a directory service to Mozilla Thunderbird email clients on our internal network. The information is actually stored in a MySQL Contact Database, so we use back_sql with the necessary translation databases. We are upgrading our servers to RedHat 5.1, and in the process trying to migrate to openLDAP 2.3.27 (the latest version that RH provides). The application does not work in this release. In fact, if a Thunderbird … [View More] user tries to do a directory search as before, openLDAP fails. When it fails, it does not write anything to the log explaining why. The databases, ldap.conf, slapd.conf and odbc.ini are identical in both cases. I have used an LDAP browser to eliminate some of the variables and do some simple testing to help isolate the problem. What I have found is: - One-level searches work in both releases - Sub-Tree searches work in 2.2.13 and fail in 2.3.27 (causing openLDAP to terminate) I am not familiar with the code, so I can't be very helpful there, but I did notice the following from the logs: - One-level search: The details of the log entries are somewhat different for the two releases, but the SELECT DISTINCT statements that actually pick entries from the DB are the same - Sub-Tree search: The SELECT DISTINCT statements are NOT the same. In both cases, testing was done with a base DN like: ou=Unit2,dc=company,dc=com Users use a base DN like this to isolate their directory entries to a particular company Unit. In 2.2.13, the result is: Mar 21 17:30:12 apps slapd[11205]: ==>backsql_oc_get_candidates(): oc="organizationalUnit" Mar 21 17:30:12 apps slapd[11205]: ==>backsql_srch_query() Mar 21 17:30:12 apps slapd[11205]: ==>backsql_process_filter() Mar 21 17:30:12 apps slapd[11205]: <==backsql_process_filter() succeeded Mar 21 17:30:12 apps slapd[11205]: <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND ldap_entries.dn LIKE ? AND 1=1 Mar 21 17:30:12 apps slapd[11205]: Constructed query: SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND ldap_entries.dn LIKE ? AND 1=1 Mar 21 17:30:12 apps slapd[11205]: id: '2' Mar 21 17:30:12 apps slapd[11205]: (sub)dn: "%ou=Unit2,dc=company,dc=com" Mar 21 17:30:12 apps slapd[11205]: backsql_oc_get_candidates(): added entry id=2, keyval=3 dn="ou=Unit2,dc=company,dc=com" Mar 21 17:30:12 apps slapd[11205]: <==backsql_oc_get_candidates(): 1 In 2.3.27, the result is: Mar 21 17:33:38 db slapd[7350]: ==>backsql_oc_get_candidates(): oc="organizationalUnit" Mar 21 17:33:38 db slapd[7350]: ==>backsql_srch_query() Mar 21 17:33:38 db slapd[7350]: ==>backsql_process_filter() Mar 21 17:33:38 db slapd[7350]: <==backsql_process_filter() succeeded Mar 21 17:33:38 db slapd[7350]: <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND 3=3 Mar 21 17:33:38 db slapd[7350]: Constructed query: SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND 3=3 Mar 21 17:33:38 db slapd[7350]: id: '2' Mar 21 17:33:38 db slapd[7350]: >>> dnPrettyNormal: <ou=Unit1,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: <<< dnPrettyNormal: <ou=Unit1,dc=company,dc=com>, <ou=unit1,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: backsql_oc_get_candidates(): added entry id=1, keyval=1 dn="ou=Unit1,dc=company,dc=com" Mar 21 17:33:38 db slapd[7350]: >>> dnPrettyNormal: <ou=Unit2,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: <<< dnPrettyNormal: <ou=Unit2,dc=company,dc=com>, <ou=unit2,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: backsql_oc_get_candidates(): added entry id=2, keyval=3 dn="ou=Unit2,dc=company,dc=com" Mar 21 17:33:38 db slapd[7350]: >>> dnPrettyNormal: <ou=Unit3,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: <<< dnPrettyNormal: <ou=Unit3,dc=company,dc=com>, <ou=unit3,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: backsql_oc_get_candidates(): added entry id=3, keyval=4 dn="ou=Unit3,dc=company,dc=com" Mar 21 17:33:38 db slapd[7350]: <==backsql_oc_get_candidates(): 3 In 2.2.13, openLDAP isolated the ou to the specific one requested, while in 2.3.27, openLDAP is not testing for a specific ou and instead is getting all of them. I would appreciate any help anyone can give to solve this issue. If more information is needed, please let me know. [View Less]

5 8

userCertificate:certificateExactMatch: problem
by networm＠mail15.com 02 Apr '08

02 Apr '08

Hi! I use OpenLdap 2.39. I need to find the certificate with sn 61a430c600000000000c and issuer email adm(a)test.com, but then i try this search: (userCertificate:certificateExactMatch:=61a430c600000000000c$email=adm@test.com), OpenLdap prints this error: filter=(?=undefined). I have understood that sn should be in dec form, but converting hex->dec not helped. How correctly convert sn in dec?

2 4

Checking the database.....
by Padmavathi Dt 31 Mar '08

31 Mar '08

Dear List, Can anyone please tell me how to check which database is being used by our openLDAP?Please di Also please advice me whether we can use the openldap packages that come along with O.S. Because I have seen people advicing not to use openLDAP RPms that come with O.S Waiting for help..... Warm Regards, Padmavathi. =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you … [View More]

5 4

Doubt regarding slave OpenLDAP version?????
by Padmavathi Dt 31 Mar '08

31 Mar '08

Hii List, In the starting of our project we have installed openldap-2.4.7.It was working fine.But due to incompatibility with some other application,we have installed 2.2.13 according to documentation of that application.We used the same "bdb" (berkeley db-4.6.21) as recommended by the README of earlier one ( openldap-2.4.7) .It worked fine.... We have a working slapd of openldap-2.2.13..Now we are planning to implement replication … [View More]

3 2

Slapd Not getting started after changing the "directory" value in slapd.conf!!!!!!!
by Padmavathi Dt 31 Mar '08

31 Mar '08

Hii List, I have changed the value of " directory" directive under database section of my slapd.conf file of openldap-2.2.13 (/var/lib/ldap) to the one previously used by our openldap-2.4.7(/usr/local/var/openldap-data). My berkeley db version is 4.6.21... I am not sure if the machine has some other versions of berkeley db already installed.(rpm -qa|grep berkeleydb* has not returned any value) The error when i start slapd is:( A part) /usr/sbin/slapd -d127 -h "ldap:///" slapd startup: … [View More]

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software March 2008