openldap-software March 2008

openldap-software@openldap.org

65 participants
66 discussions

Supported RFC's and "features"
by Clowser, Jeff (Contractor) 13 Jul '09

13 Jul '09

I'm currently doing a review to see how OpenLDAP compares, *feature wise* ATM, to other directory servers and specifically to the Sun DS - i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. For brevity, I haven't included all the potentially useful features of OpenLDAP, but have just focused on those associated with 1) RFC compliance (of which Sun may or may not meet) and 2) features to match the Sun DS (which it would be replacing). So far, here's what I have for OpenLDAP: RFC 4510 (which includes 4511-4519). There was recent discussion on the list around this, such that in some cases, not everything that changed from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been updated in OpenLDAP, but I think those issues are fairly minor. The following additional RFC's are supported in OpenLDAP: - RFC 2247 and RFC 3088 - RFC 2696 simple paged results - RFC 2849 ldif - RFC 3062 password mod op - RFC 3296 named referals, manageDSAit - RFC 3673 All Op attrs + feature - RFC 3687 Component matching rules - RFC 3866 Languange tag and range - RFC 3876 matched values control - RFC 4370 proxy auth - RFC 4522 binary encoding - RFC 4523 x.509 cert schema - RFC 4524 COSINE schema - RFC 4525 Mod-increment - RFC 4526 Absolute true/false filters - RFC 4527 pre/post read control - RFC 4528 assertion control - RFC 4529 request attrs by objectclass - RFC 4530 entryUUID - RFC 4532 whoamI - RFC 4533 Content Sync op (replication) RFC's NOT supported are: - RFC 2589 dds Seems with 2.4, this has gone from experimental to production quality? - RFC 2891 server side sorting - RFC 3671 collective attributes - RFC 3928 LCUP mainly for updating cached addressbooks, etc - not replication between servers - RFC 3384 looks like just reqs for replication, not an actual replication protocol - RFC 4533 is used instead Unknown: - RFC 3672 (subentries) - RFC 3698 and 3727 (additional matching rules) - RFC 3909 LDAP Cancel operation - RFC 5020 entryDN operational attribute (There are some other, often obscure, LDAP related RFC's that I didn't include, but this seems to be the major/useful ones) Other features not supported: - VLV browse indexes (per http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an RFC, but supported by Sun and MS directories, and used by things like Outlook and Solaris. Other supported features: - dyngroup/dynlist/memberof overlay (A much more useful feature than Sun's groupOfURLs "dynamic" group and "roles" mechanism) - ppolicy overlay (matches Sun DS 5.x reasonably close, but is account lockout replicated to all servers? Sun DS 6.x claims to) - refint overlay (similar to Sun's referential integrity plugin) - unique overlay (similar to Sun's uniqueness plugin) - audit and accesslog overlays, syslog logging - much more useful/complete than Sun's access/audit/error logs. - live acl changes via LDAP Unknown features: - Per user resource limits (sizelimit, timelimit, idletimeout, etc). I think Howard Chu said OpenLDAP has some of this, but I haven't seen any reference to it or how to use it in the docs (does this functionality exist, and if so, is there any documentation?) - Tracking of last login (i.e. last successful ldap authentication) Is this still fairly accurate? The ones that are really problematic are the lack of: - VLV Browse indexes - RFC 2891 (server side sorting) - per user/entry resources limits (if they don't exist) Are there any unofficial updates/patches/overlays/plans for any of this functionality? Thanks, - Jeff

11 29

using slapo-pcache with an empty attr list
by Toby Blake 05 Jun '08

05 Jun '08

Hi all, I'm doing a bit of playing with slapo-pcache and have it working fairly well (particularly once I realised that an individual attr can live in only one proxyattrset). However, there's one bit that I can't get working - is there any way to define a template that will match a search which doesn't provide an attr list? i.e. I can see quite a few searches (presumably from amd) of the following form (spacing and formatting changed by me to make it more readable): Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SRCH base="dc=inf,dc=ed,dc=ac,dc=uk" scope=2 deref=0 filter="(&(objectClass=amdmap)(amdmapName=home)(amdmapKey=root))" Jul 23 14:54:16 host1 slapd[26671]: query template of incoming query = (&(objectClass=)(amdmapName=)(amdmapKey=)) Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT ANSWERABLE Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT CACHEABLE Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Note that there's no 'SRCH attr=' line. I've tried proxyattrset of the following forms... proxyattrset 1 * proxyattrset 1 (both of which crash slapd) And also proxyattrset 1 <full list of attrs returned when none specified> .... but this didn't work either. Thanks in advance for any advice, Cheers Toby Blake School of Informatics University of Edinburgh

3 8

syncrepl with accesslog database
by John Morrissey 17 Apr '08

17 Apr '08

I'm trying to replicate (with syncrepl) the bdb database generated by the accesslog overlay. This is with 2.3.41 on both provider and consumer. slapd complains: do_syncrep2: rid 002 got empty syncUUID do_syncrepl: rid 002 retrying (29 retries left) Sure enough, the entry for my accesslog database's suffix doesn't have an entryUUID: dn: cn=log objectClass: auditContainer cn: log structuralObjectClass: auditContainer contextCSN: 20080313163024Z#000000#00#000000 lastmod is not explicitly enabled for this database, but slapd.conf(5) says the default is on. I'm reasonably sure I didn't specify 'lastmod off' for that database at the time it would have been created. Given that my consumers are using delta-syncrepl (hence the accesslog), is there any reason I can't/shouldn't replicate the accesslog itself, too? john -- John Morrissey _o /\ ---- __o jwm(a)horde.net _-< \_ / \ ---- < \, www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__

3 6

restricting slapd memory consumption
by Ralf Narozny 14 Apr '08

14 Apr '08

Hi, I'm wondering, how I could restrict the memory usage of the slapd process. We got a quite large amount of data (23 million entries) in our login ldap. Since we are still using OpenLDAP 2.0 and of course want to migrate now, I added our data into an OpenLDAP 2.3.37 (this version will be updated soon). The problem I stumble over is that while inserting the data with ldapadd (mainly to check the performance we have to expect in the future), the amount of memory the slapd uses endlessly grows. The slapd process uses 11GB of memory after the insert has finished. We are using the BDB backend which is currently configured to use 4GB of shared memory. Machine: Linux masterldap 2.6.21.5 #1 SMP Mon Jul 2 13:54:33 CEST 2007 x86_64 GNU/Linux, with 2 Dual-Core AMD Opteron(tm) Processor 2218 and 16GB of RAM. slapd.conf (converted to cn=config format): include /usr/local/our/ldap/etc/openldap/schema/core.schema include /usr/local/our/ldap/etc/openldap/schema/our.schema pidfile /usr/local/our/ldap/var/ldap/run/slapd.pid argsfile /usr/local/our/ldap/var/ldap/run/slapd.args # Load dynamic backend modules: modulepath /usr/local/our/ldap/lib moduleload back_bdb.la access to * by * write loglevel 0 sizelimit 10000 timelimit 3600 cachesize 1000000 tool-threads 2 # backend definition backend bdb database config rootdn "cn=root,cn=config" rootpw {SSHA}*** ####################################################################### # BDB database definitions ####################################################################### # first database definition & config directives database bdb directory /usr/local/our/ldap/var/ldap/openldap-data/ replogfile /usr/local/our/ldap/log/replica.log suffix "o=our" rootdn "cn=root,o=our" rootpw {SSHA}*** index cid eq index cn eq,sub index objectClass eq index folderName eq index locked eq DB_CONFIG: set_flags DB_LOG_AUTOREMOVE set_cachesize 4 0 2 set_lg_max 524288000 set_lg_regionmax 512000 set_lg_bsize 268435456

7 17

slapd crashes due to assertion failure
by John Morrissey 10 Apr '08

10 Apr '08

We recently upgraded from 2.3.30 to 2.3.41. Ever since, slapd has died about once a week due to an assertion failure. A backtrace is below, but I forgot to disable optimization in the build, so there's been some inlining. The only assertions in connection_close() are: assert( connections != NULL ); assert( c != NULL ); [...] assert( c->c_struct_state == SLAP_C_USED ); assert( c->c_conn_state == SLAP_C_CLOSING ); I'm not sure if this gives enough to go on, but I've rebuilt with optimization disabled and have a debugger attached for the next time it fails. Program received signal SIGABRT, Aborted. [Switching to Thread -1884128336 (LWP 26138)] 0xb7b98947 in raise () from /lib/tls/libc.so.6 #0 0xb7b98947 in raise () from /lib/tls/libc.so.6 #1 0xb7b9a0c9 in abort () from /lib/tls/libc.so.6 #2 0xb7b9205f in __assert_fail () from /lib/tls/libc.so.6 #3 0x0806d052 in connection_close (c=<value optimized out>) at /var/jwm/openldap/servers/slapd/connection.c:680 #4 0x0806d67d in connection_operation (ctx=0x8fb272c8, arg_v=0x993a830) at /var/jwm/openldap/servers/slapd/connection.c:1722 #5 0xb7f14e7f in ldap_int_thread_pool_wrapper (xpool=0x814d358) at /var/jwm/openldap/libraries/libldap_r/tpool.c:478 #6 0xb7ca70bd in start_thread () from /lib/tls/libpthread.so.0 #7 0xb7c3c01e in clone () from /lib/tls/libc.so.6 john -- John Morrissey _o /\ ---- __o jwm(a)horde.net _-< \_ / \ ---- < \, www.horde.net/ __(_)/_(_)________/ \_______(_) /_(_)__

3 5

Problems with openLDAP 2.3
by xjol0265 07 Apr '08

07 Apr '08

We currently use RedHat Enterprise Server 4 and openLDAP 2.2.13 to provide a directory service to Mozilla Thunderbird email clients on our internal network. The information is actually stored in a MySQL Contact Database, so we use back_sql with the necessary translation databases. We are upgrading our servers to RedHat 5.1, and in the process trying to migrate to openLDAP 2.3.27 (the latest version that RH provides). The application does not work in this release. In fact, if a Thunderbird user tries to do a directory search as before, openLDAP fails. When it fails, it does not write anything to the log explaining why. The databases, ldap.conf, slapd.conf and odbc.ini are identical in both cases. I have used an LDAP browser to eliminate some of the variables and do some simple testing to help isolate the problem. What I have found is: - One-level searches work in both releases - Sub-Tree searches work in 2.2.13 and fail in 2.3.27 (causing openLDAP to terminate) I am not familiar with the code, so I can't be very helpful there, but I did notice the following from the logs: - One-level search: The details of the log entries are somewhat different for the two releases, but the SELECT DISTINCT statements that actually pick entries from the DB are the same - Sub-Tree search: The SELECT DISTINCT statements are NOT the same. In both cases, testing was done with a base DN like: ou=Unit2,dc=company,dc=com Users use a base DN like this to isolate their directory entries to a particular company Unit. In 2.2.13, the result is: Mar 21 17:30:12 apps slapd[11205]: ==>backsql_oc_get_candidates(): oc="organizationalUnit" Mar 21 17:30:12 apps slapd[11205]: ==>backsql_srch_query() Mar 21 17:30:12 apps slapd[11205]: ==>backsql_process_filter() Mar 21 17:30:12 apps slapd[11205]: <==backsql_process_filter() succeeded Mar 21 17:30:12 apps slapd[11205]: <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND ldap_entries.dn LIKE ? AND 1=1 Mar 21 17:30:12 apps slapd[11205]: Constructed query: SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND ldap_entries.dn LIKE ? AND 1=1 Mar 21 17:30:12 apps slapd[11205]: id: '2' Mar 21 17:30:12 apps slapd[11205]: (sub)dn: "%ou=Unit2,dc=company,dc=com" Mar 21 17:30:12 apps slapd[11205]: backsql_oc_get_candidates(): added entry id=2, keyval=3 dn="ou=Unit2,dc=company,dc=com" Mar 21 17:30:12 apps slapd[11205]: <==backsql_oc_get_candidates(): 1 In 2.3.27, the result is: Mar 21 17:33:38 db slapd[7350]: ==>backsql_oc_get_candidates(): oc="organizationalUnit" Mar 21 17:33:38 db slapd[7350]: ==>backsql_srch_query() Mar 21 17:33:38 db slapd[7350]: ==>backsql_process_filter() Mar 21 17:33:38 db slapd[7350]: <==backsql_process_filter() succeeded Mar 21 17:33:38 db slapd[7350]: <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND 3=3 Mar 21 17:33:38 db slapd[7350]: Constructed query: SELECT DISTINCT ldap_entries.id,ou.id,'organizationalUnit' AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,ou WHERE ou.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND 3=3 Mar 21 17:33:38 db slapd[7350]: id: '2' Mar 21 17:33:38 db slapd[7350]: >>> dnPrettyNormal: <ou=Unit1,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: <<< dnPrettyNormal: <ou=Unit1,dc=company,dc=com>, <ou=unit1,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: backsql_oc_get_candidates(): added entry id=1, keyval=1 dn="ou=Unit1,dc=company,dc=com" Mar 21 17:33:38 db slapd[7350]: >>> dnPrettyNormal: <ou=Unit2,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: <<< dnPrettyNormal: <ou=Unit2,dc=company,dc=com>, <ou=unit2,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: backsql_oc_get_candidates(): added entry id=2, keyval=3 dn="ou=Unit2,dc=company,dc=com" Mar 21 17:33:38 db slapd[7350]: >>> dnPrettyNormal: <ou=Unit3,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: <<< dnPrettyNormal: <ou=Unit3,dc=company,dc=com>, <ou=unit3,dc=company,dc=com> Mar 21 17:33:38 db slapd[7350]: backsql_oc_get_candidates(): added entry id=3, keyval=4 dn="ou=Unit3,dc=company,dc=com" Mar 21 17:33:38 db slapd[7350]: <==backsql_oc_get_candidates(): 3 In 2.2.13, openLDAP isolated the ou to the specific one requested, while in 2.3.27, openLDAP is not testing for a specific ou and instead is getting all of them. I would appreciate any help anyone can give to solve this issue. If more information is needed, please let me know.

5 8

userCertificate:certificateExactMatch: problem
by networm＠mail15.com 02 Apr '08

02 Apr '08

Hi! I use OpenLdap 2.39. I need to find the certificate with sn 61a430c600000000000c and issuer email adm(a)test.com, but then i try this search: (userCertificate:certificateExactMatch:=61a430c600000000000c$email=adm@test.com), OpenLdap prints this error: filter=(?=undefined). I have understood that sn should be in dec form, but converting hex->dec not helped. How correctly convert sn in dec?

2 4

Checking the database.....
by Padmavathi Dt 31 Mar '08

31 Mar '08

Dear List, Can anyone please tell me how to check which database is being used by our openLDAP?Please di Also please advice me whether we can use the openldap packages that come along with O.S. Because I have seen people advicing not to use openLDAP RPms that come with O.S Waiting for help..... Warm Regards, Padmavathi. =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 4

Doubt regarding slave OpenLDAP version?????
by Padmavathi Dt 31 Mar '08

31 Mar '08

Hii List, In the starting of our project we have installed openldap-2.4.7.It was working fine.But due to incompatibility with some other application,we have installed 2.2.13 according to documentation of that application.We used the same "bdb" (berkeley db-4.6.21) as recommended by the README of earlier one ( openldap-2.4.7) .It worked fine.... We have a working slapd of openldap-2.2.13..Now we are planning to implement replication on similar machine(Red Hat Linux). My doubt is about the version of slave LDAP.Should it be the same as Master? If so we already have the openldap-2.2.13 rpms installed on our target machine.So can we use them? What about the version of "bdb" to be installed on the slave.Should it match with the master? I am really new to all these things so please dont get annoyed at my questions........... Also please guide me where I can get the Admin guide for this version as I have the one for openLDAP-2.4.7 I am eagerly waiting for a response.........Loads of Thanx in advance. Regards, Padma.. Padmavathi =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

3 2

Slapd Not getting started after changing the "directory" value in slapd.conf!!!!!!!
by Padmavathi Dt 31 Mar '08

31 Mar '08

Hii List, I have changed the value of " directory" directive under database section of my slapd.conf file of openldap-2.2.13 (/var/lib/ldap) to the one previously used by our openldap-2.4.7(/usr/local/var/openldap-data). My berkeley db version is 4.6.21... I am not sure if the machine has some other versions of berkeley db already installed.(rpm -qa|grep berkeleydb* has not returned any value) The error when i start slapd is:( A part) /usr/sbin/slapd -d127 -h "ldap:///" slapd startup: initiated. bdb_db_open: dc=bsnl,dc=com bdb_db_open: dbenv_open(/usr/local/var/openldap-data) bdb(dc=bsnl,dc=com): Program version 4.2 doesn't match environment version bdb_db_open: dbenv_open failed: Invalid argument (22) backend_startup: bi_db_open(0) failed! (22) slapd shutdown: initiated ====> bdb_cache_release_all bdb(dc=bsnl,dc=com): DB_ENV->lock_id_free interface requires an environment conf igured for the locking subsystem slapd shutdown: freeing system resources. bdb(dc=bsnl,dc=com): txn_checkpoint interface requires an environment configured for the transaction subsystem bdb_db_destroy: txn_checkpoint failed: Invalid argument (22) slapd stopped. connections_destroy: nothing to destroy. Anyone please help me as soon as possible..... Thanx in advance Regards, Padmavathi Devi T =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software March 2008