openldap-software April 2008

openldap-software@openldap.org

77 participants
72 discussions

attribute size limit?
by manu＠netbsd.org 25 Apr '08

25 Apr '08

Hello I don't find this in the documentation: is it possible to enforce a byte limit on an attribute or an object? jpegPhoto seems to be able to absorb huge amount of data. I had a bad experience with users uploading huge pictures, causing LDAP queries in some applications to timeout before getting a result, and later causing a simultaneous crash of all LDAP replicas because of resource shortage. I am looking for a way to keep this mess from hapening again. -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

6 12

Fail to write in slave during replication
by Jacky Wu 25 Apr '08

25 Apr '08

Dear all, I set up my replication using syncrepl in 2.3.38. The setting is slave ***************************************************************** syncrepl rid=123 provider=ldap://master:389 type=refreshOnly interval=00:00:00:20 searchbase="dc=mycompany,dc=com" schemachecking=on updatedn="uid=repl_writer,dc=mycompany,dc=com" bindmethod=simple binddn="uid=repl_reader,dc=mycompany,dc=com" credentials=secret updateref ldap://master:389 access to * by dn.exact="uid=repl_writer,dc=mycompany,dc=com" write by dn.exact="uid=repl_reader,dc=mycompany,dc=com" read **************************************************************** master: **************************************************************** overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 access to * by dn.exact="uid=repl_writer,dc=mycompany,dc=com" write by dn.exact="uid=repl_reader,dc=mycompany,dc=com" read **************************************************************** Problem 1: When I add following user in master: **************************************************************** dn: uid=testuser,dc=mycompany,dc=com objectclass: inetorgperson uid: testuser cn: cn sn: sn *userpassword: secret* **************************************************************** *The userpassword does not replicate to slave. *The following is the replicated result in slave. **************************************************************** # testuser, mycompany.com dn: uid=testuser,dc=mycompany,dc=com objectClass: inetOrgPerson uid: testuser cn: cn sn: sn **************************************************************** Problem 2: Since the userpassword is missing in the entry, I want to add it in slave by manual. ldapmodify -x -D "cn=admin,dc=mycompany,dc=com" -w secret -f /tmp/userpassword.ldif The /tmp/userpassword.ldif is **************************************************************** dn: uid=testuser,dc=mycompany,dc=com changetype: modify add: userPassword userPassword: *NewSecret* **************************************************************** The following is the running result: **************************************************************** modifying entry "uid=testuser,dc=mycompany,dc=com" ldapmodify: Referral (10) referrals: ldap://master:389/uid=testuser,dc=mycompany,dc=com<ldap://master:389/uid=repl_reader,dc=ufreight,dc=com> **************************************************************** Even though the result shows that it will update master by referral, the userpassword in master does not change, and the testuser in slave still do not have attribute userpassword. After studying the replication configuration, and trying to search the mailist archive, I still do not know how to solve the problem. Thank you. Best regards, Jacky -- John 3:16 For God so loved the world, that He gave His only begotten Son, that whoever believes in Him shall not perish, but have eternal life. http://www.hkccc.org/flash2.htm

5 13

Openldap 2.4 and the cn=config directory
by Mike Johnston 25 Apr '08

25 Apr '08

Hi, I used -f & -F options to build my cn=config from my slapd.conf file. Everything works however, I see a directory tree created and I got the impression from the Openldap 2.4 admin manual first page Chap 5 "the new style uses a slapd backend database to store the config". I assumed it meant a bdb/hdb backend database not an actual disk directory tree. Can it use a hdb/bdb for the cn=config store? TIA, Mike --------------------------------- Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.

4 5

Problems on " Mass Entry Import / Delete " under N-Way Multi-Master enviorment
by Data Leung 24 Apr '08

24 Apr '08

Dear All , I face a problem as below environment. a.) 4 x Openldap 2.4.8 which's config as N-Way Multi-Master. b.) 4 x XEN Guest host Server running CentOS 5.1 & DB-4.6.21 c.) 4 x XEN Server running time sync every 5 min. d.) Each of the Openldap Database stored information such as: 1. Postfix e-mail account / aliases config 2. Pam-LDAP account entry 3. E-mail Address Book e.) All LDAP Server under the same Local Area Network Config file which's N-Ray Multi-Master related. /usr/local/etc/openldap/slapd.conf For Host A = serverID1 = HOSTA.TEST.COM For Host B = serverID2 = HOSTB.TEST.COM For Host C = serverID3 = HOSTC.TEST.COM For Host D = serverID4 = HOSTD.TEST.COM Below is my case details. 1. There is no problems when I add / remove e-mail related information entry one by one. Each openldap Server could replicate information ( Add / Remove entry ) in short. 2. There is no problems when I add / remove PAM-LDAP login related infomation entry one by one. Each openldap Server could replicate information ( Add / Remove entry ) in short. 3. Thee is no problems when I add / remove e-mail address book entry one by one. each Openldap Server could replicate information ( Add / Remove entry ) in short. Problems I found: 1. When I try to " mass import " E-mail address book from a LDIF file ( 200K LDIF entry which's include 1800 x cn entry ) on HOSTA , HOSTB / HOSTC / HOSTD only able to replicate around 600 ~ 1300 OR some times it could related all the 1800 entry of address book OR the openldap will shown as segment fault and services stop by itself. 2. If HOST A / B / C / D have 1800 LDAP Address book entry under ou=AddressBook,dc=test,dc=com , then I try to delete those 1800 entry. Host A could deleted those 1800 entry in short. But Host B / C / D can't replicate the entry that I delete on HOSTA by itself. That's mean my N-Ray Multi-Master config can't 100% replicate itself database to the other database IF i " MASS INPORT " or " MASS DELETE " entry. Question: a) Is that normal for this case ? b) I'm by using slapd.conf to STARTUP the slapd. And I also try to make use of -F /usr/local/etc/openldap/slapd.d to STARTUP the slapd. Both didn't have different, just want to know. If I am looking for N-Ray Multi-Master. By using slapd.conf OR slapd.d should be the best choice ? c) What kind of log i should provide in this mail list could help for you all , and get help to debug my case ? -d 256 OR -d 1024 while I startup the slapd ? Many thanks for your create help , since N-Ray Multi-Master is new for me , so looking forward all of your help. And looking forward all of your reply. Thanks Below is by DB_CONFIG on HOSTA / HOSTB / HOSTC / HOSTD ======================================================== # one 0.25 GB cache set_cachesize 0 268435456 1 # Data Directory #set_data_dir db # Transaction Log settings set_lg_regionmax 262144 set_lg_bsize 2097152 #set_lg_dir logs ========================================================== Config Symantec which's N-Ray Multi-Master Related. =================================================== HOSTA: serverID1 mirrormode on syncrepl rid=2 provider=ldap://HOSTB.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=3 provider=ldap://HOSTC.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=4 provider=ldap://HOSTD.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" =================================================== HOSTB: serverID2 mirrormode on syncrepl rid=1 provider=ldap://HOSTA.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=3 provider=ldap://HOSTC.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=4 provider=ldap://HOSTD.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" ==================================================== HOSTC: serverID3 mirrormode on syncrepl rid=1 provider=ldap://HOSTA.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=2 provider=ldap://HOSTB.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=4 provider=ldap://HOSTD.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" ============================================ HOSTD: serverID4 mirrormode on syncrepl rid=1 provider=ldap://HOSTA.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=2 provider=ldap://HOSTB.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" syncrepl rid=3 provider=ldap://HOSTC.TEST.COM bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret searchbase="dc=test,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" ===================================================== _________________________________________________________________ Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy! http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.aspx…

2 1

A question about log messages
by Ryan Steele 24 Apr '08

24 Apr '08

Hey folks, While researching another problem, I noticed that even on successful searches (e.g., entries returned that match the filters I set), I see the following in the logs: Apr 23 12:45:11 ldapmaster slapd[30294]: send_ldap_result: err=0 matched="" text="" It almost looks to me like it's saying didn't match anything, when in fact it does return entries. I tried looking through the man pages for an explanation, but didn't find one. If anyone could point me to said documentation, or explain how the above message is supposed to be interpreted given the context of the situation, I'd be much obliged. Thanks, Ryan

3 3

Can't allocate region- LDAP crashed.
by Sumith Narayanan 22 Apr '08

22 Apr '08

Hi All, openLDAP crashed with the below error when I fired a search. BDB version : 4.4.2 with 5 patches. OpenLDAP version : 2.3.39 == bdb_search: 510868 does not match filter slapd(5596,0x180d000) malloc: *** vm_allocate(size=8421376) failed (error code=3) slapd(5596,0x180d000) malloc: *** error: can't allocate region slapd(5596,0x180d000) malloc: *** set a breakpoint in szone_error to debug bdb(ou=groups,o=root): malloc: Cannot allocate memory: 1048 slapd(5596,0x180d000) malloc: *** vm_allocate(size=8421376) failed (error code=3) slapd(5596,0x180d000) malloc: *** error: can't allocate region slapd(5596,0x180d000) malloc: *** set a breakpoint in szone_error to debug ch_calloc of 1 elems of 832 bytes failed ch_malloc.c:107: failed assertion `0' Abort trap === Any pointers how to fix this ? Thanks, Sumith.

1 0

2.3.39 --> 2.4.7 : replication: null_callback : error code 0x10
by Bas van der Vlies 22 Apr '08

22 Apr '08

I have read the thread in the archive, but could not find an answer: - http://www.openldap.org/lists/openldap-software/200801/msg00126.html We use debian etch. We 1 producer (openldap 2.3.39) and 3 consumers (openldap 2.4.7). Apr 21 07:59:59 slave3 slapd[3123]: null_callback : error code 0x10 Apr 21 07:59:59 slave3 slapd[3123]: syncrepl_updateCookie: rid=101 be_modify failed (16) Apr 21 07:59:59 slave3 slapd[3123]: do_syncrepl: rid=101 retrying (9 retries left) -- -- ******************************************************************** * * * Bas van der Vlies e-mail: basv(a)sara.nl * * SARA - Academic Computing Services phone: +31 20 592 8012 * * Kruislaan 415 fax: +31 20 6683167 * * 1098 SJ Amsterdam * * * ********************************************************************

3 3

Confusion over MIT/Heimdal compatibility
by Dominic Hargreaves 21 Apr '08

21 Apr '08

Hello, I'm in the process of deploying an OpenLDAP cluster with a (simple) syncrepl configuration, using Kerberos GSSAPI authentication between the slaves and master. In testing this has worked fine; however the original ticket expires the connection fails without the client noticing. This has already been discussed at the thread ending with http://www.openldap.org/lists/openldap-software/200608/msg00342.html so I'm not asking for a rehash of that. However I am puzzled by the discrepancy between the statement "As mentioned on this list numerous times, do *not* use MIT kerberos with OpenLDAP. Bad things happen. Use Heimdal Kerberos." and the advice given at http://www.openldap.org/doc/admin24/install.html#{{TERM[expand]Kerberos}} which suggests (or at least implies) that MIT kerberos is usable with OpenLDAP. Is anything likely to change in this regard? Having looked into the issue it does seem that fixing this with MIT kerberos would require (at a minimum) changing the SASL library, and any such change would be a hack, since it doesn't look to the untrained eye like SASL provides a mechanism for getting information about connection lifetimes. However, I do think it could be made clearer in the docs that MIT kerberos is not suitable for use with OpenLDAP. [sidenote: I will be taking some of this up with the Debian cyrus-sasl2 maintainers too, as they do not seem to support Heimdal gssapi any more] Thanks, Dominic. -- Dominic Hargreaves, Systems Development and Support Team Computing Services, University of Oxford

6 10

unable to get syncrepl to work
by Adam Williams 18 Apr '08

18 Apr '08

I have a master ldap server named roark, and a slave ldap server named archives3 and both are running openldap 2.3.39. In roark's /etc/openldap/slapd.conf I added: index entryUUID,entryCSN eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 lastmod on and in archives3's slapd.conf I added: cachesize 100000 idlcachesize 300000 checkpoint 1024 5 syncrepl rid=1 provider=ldap://roark.mdah.state.ms.us:389 type=refreshandPersist retry="60 +" searchbase="dc=mdah,dc=state,dc=ms,dc=us" filter="(objectClass=*)" scope=sub attrs="*,+" schemachecking=off bindmethod=simple binddn= "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" credentials={SSHA}xxxxxxxxxxxxxxx and then loaded a slapcat yesterday into archives3's ldap with slapadd, and started ldap on archives3. Now I just added a user on roark's openldap with ldapadd, and it added the user fine, i can log in as them, and the timestamp on /var/lib/ldap files is current, however, on archives3, the timestamp on the files is still from yesterday. why hasn't archives3's ldap updated itself with the new user that was added? [root@roark ldap]# date Fri Apr 18 11:39:03 CDT 2008 [root@roark ldap]# ls -ltr total 5660 drwxr-xr-x 2 root root 4096 2008-02-22 11:55 rpmorig -rw------- 1 ldap ldap 8192 2008-04-13 21:51 sambaDomainName.bdb -rw------- 1 ldap ldap 8192 2008-04-13 22:14 memberUid.bdb -rw-r----- 1 root root 769 2008-04-14 11:08 DB_CONFIG -rw------- 1 ldap ldap 49152 2008-04-16 12:11 displayName.bdb -rw------- 1 ldap ldap 102400 2008-04-17 00:00 sambaSID.bdb -rw------- 1 ldap ldap 24576 2008-04-17 11:32 __db.006 -rw------- 1 ldap ldap 557056 2008-04-17 11:32 __db.005 -rw------- 1 ldap ldap 98304 2008-04-17 11:32 __db.004 -rw------- 1 ldap ldap 270336 2008-04-17 11:32 __db.003 -rw------- 1 ldap ldap 368640 2008-04-17 11:32 __db.002 -rw------- 1 ldap ldap 24576 2008-04-17 11:32 __db.001 -rw------- 1 ldap ldap 10485760 2008-04-18 11:28 log.0000000001 -rw------- 1 ldap ldap 8192 2008-04-18 11:30 uidNumber.bdb -rw------- 1 ldap ldap 53248 2008-04-18 11:30 uid.bdb -rw------- 1 ldap ldap 53248 2008-04-18 11:30 sn.bdb -rw------- 1 ldap ldap 36864 2008-04-18 11:30 objectClass.bdb -rw------- 1 ldap ldap 8192 2008-04-18 11:30 gidNumber.bdb -rw------- 1 ldap ldap 8192 2008-04-18 11:30 entryUUID.bdb -rw------- 1 ldap ldap 8192 2008-04-18 11:30 entryCSN.bdb -rw------- 1 ldap ldap 57344 2008-04-18 11:30 dn2id.bdb -rw------- 1 ldap ldap 77824 2008-04-18 11:30 cn.bdb -rw------- 1 ldap ldap 311296 2008-04-18 11:31 id2entry.bdb -rw-r--r-- 1 ldap ldap 4096 2008-04-18 11:32 alock [root@archives3 ldap]# date Fri Apr 18 11:39:32 CDT 2008 [root@archives3 ldap]# ls -ltr total 4232 -rw------- 1 ldap ldap 24576 2008-04-17 11:45 __db.006 -rw------- 1 ldap ldap 557056 2008-04-17 11:45 __db.005 -rw------- 1 ldap ldap 98304 2008-04-17 11:45 __db.004 -rw------- 1 ldap ldap 270336 2008-04-17 11:45 __db.003 -rw------- 1 ldap ldap 368640 2008-04-17 11:45 __db.002 -rw------- 1 ldap ldap 24576 2008-04-17 11:45 __db.001 -rw------- 1 ldap ldap 8192 2008-04-17 12:25 uidNumber.bdb -rw------- 1 ldap ldap 57344 2008-04-17 12:25 uid.bdb -rw------- 1 ldap ldap 53248 2008-04-17 12:25 sn.bdb -rw------- 1 ldap ldap 110592 2008-04-17 12:25 sambaSID.bdb -rw------- 1 ldap ldap 8192 2008-04-17 12:25 sambaDomainName.bdb -rw------- 1 ldap ldap 36864 2008-04-17 12:25 objectClass.bdb -rw------- 1 ldap ldap 8192 2008-04-17 12:25 memberUid.bdb -rw------- 1 ldap ldap 262144 2008-04-17 12:25 id2entry.bdb -rw------- 1 ldap ldap 8192 2008-04-17 12:25 gidNumber.bdb -rw------- 1 ldap ldap 49152 2008-04-17 12:25 dn2id.bdb -rw------- 1 ldap ldap 49152 2008-04-17 12:25 displayName.bdb -rw------- 1 ldap ldap 69632 2008-04-17 12:25 cn.bdb -rw------- 1 ldap ldap 10485760 2008-04-17 12:32 log.0000000001 -rw-r--r-- 1 ldap ldap 4096 2008-04-17 12:33 alock

2 2

Where can I get the detailed meaning of OpenLDAP's Error Code?
by jjj＠sjtu.org 18 Apr '08

18 Apr '08

Hello all, Now I am running OpenLdap and get one error code from syslog. But I have no any references about the detailed meaning of OpenLdap's error code. Where can I get the detailed meaning of OpenLDAP's Error Code? Thank you in advance. JJ

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2008