attribute size limit?
by manu@netbsd.org
Hello
I don't find this in the documentation: is it possible to enforce a byte
limit on an attribute or an object?
jpegPhoto seems to be able to absorb huge amounts of data. I had a bad
experience with users uploading huge pictures, causing LDAP queries in
some applications to timeout before getting a result, and later causing
a simultaneous crash of all LDAP replicas because of resource shortage.
I am looking for a way to keep this mess from happening again.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
15 years, 1 month
Fail to write in slave during replication
by Jacky Wu
Dear all,
I set up my replication using syncrepl in 2.3.38. The settings are:
slave:
*****************************************************************
syncrepl rid=123
provider=ldap://master:389
type=refreshOnly
interval=00:00:00:20
searchbase="dc=mycompany,dc=com"
schemachecking=on
updatedn="uid=repl_writer,dc=mycompany,dc=com"
bindmethod=simple
binddn="uid=repl_reader,dc=mycompany,dc=com"
credentials=secret
updateref ldap://master:389
access to *
by dn.exact="uid=repl_writer,dc=mycompany,dc=com" write
by dn.exact="uid=repl_reader,dc=mycompany,dc=com" read
****************************************************************
master:
****************************************************************
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
access to *
by dn.exact="uid=repl_writer,dc=mycompany,dc=com" write
by dn.exact="uid=repl_reader,dc=mycompany,dc=com" read
****************************************************************
Problem 1:
When I add following user in master:
****************************************************************
dn: uid=testuser,dc=mycompany,dc=com
objectclass: inetorgperson
uid: testuser
cn: cn
sn: sn
userpassword: secret
****************************************************************
The userpassword does not replicate to the slave. The following is the
replicated result in the slave.
****************************************************************
# testuser, mycompany.com
dn: uid=testuser,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: testuser
cn: cn
sn: sn
****************************************************************
Problem 2:
Since the userpassword is missing in the entry, I want to add it to the slave
manually.
ldapmodify -x -D "cn=admin,dc=mycompany,dc=com" -w secret -f
/tmp/userpassword.ldif
The /tmp/userpassword.ldif is
****************************************************************
dn: uid=testuser,dc=mycompany,dc=com
changetype: modify
add: userPassword
userPassword: NewSecret
****************************************************************
The following is the running result:
****************************************************************
modifying entry "uid=testuser,dc=mycompany,dc=com"
ldapmodify: Referral (10)
referrals:
ldap://master:389/uid=testuser,dc=mycompany,dc=com
****************************************************************
Even though the result shows that it will update the master by referral, the
userpassword in the master does not change, and the testuser in the slave still
does not have the attribute userpassword.
After studying the replication configuration, and trying to search the
mailing list archive, I still do not know how to solve the problem.
Thank you.
Best regards,
Jacky
--
John 3:16 For God so loved the world, that He gave His only begotten Son,
that whoever believes in Him shall not perish, but have eternal life.
http://www.hkccc.org/flash2.htm
15 years, 1 month
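The two questions above (a byte limit on jpegPhoto, and a userPassword that never arrives on the consumer) can both be checked offline against LDIF exports. The following Python is an added example, not code from either poster or from the OpenLDAP project: it parses LDIF (folded continuation lines and base64 `::` values), flags attribute values above a byte limit so oversized photos can be rejected or cleaned before they reach the directory, and diffs a provider export against a consumer export to list the attributes and entries the consumer lacks. The two LDIF documents are constructed sample data; the DNs are placeholders.

```python
"""Offline checks over LDIF exports: flag oversized attribute values and
report what a consumer export lacks compared with the provider export."""
import base64


def fold(logical_line, width=76):
    """Fold one logical LDIF line the way ldapsearch output does
    (continuation lines start with a single space)."""
    parts = [logical_line[:width]]
    for i in range(width, len(logical_line), width - 1):
        parts.append(" " + logical_line[i:i + width - 1])
    return "\n".join(parts)


# Constructed sample data (not taken from the list posts): a synthetic
# 6000-byte "photo" stands in for a large upload.
PHOTO = b"\xff\xd8" * 3000
PHOTO_LINE = fold("jpegPhoto:: " + base64.b64encode(PHOTO).decode("ascii"))

PROVIDER_LDIF = f"""\
dn: uid=testuser,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: testuser
cn: cn
sn: sn
userPassword: secret
{PHOTO_LINE}

dn: uid=other,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: other
cn: other
sn: other
"""

# The consumer copy lacks userPassword on testuser and the whole second entry.
CONSUMER_LDIF = f"""\
# testuser, mycompany.com
dn: uid=testuser,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: testuser
cn: cn
sn: sn
{PHOTO_LINE}
"""


def parse_ldif(text):
    """Return {dn: {attr_lower: [bytes, ...]}}; handles folded lines,
    '::' base64 values, comments and anything before the first dn line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold a continuation line
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode("utf-8")
        if name.lower() == "dn":
            current = (data.decode("utf-8"), {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(data)
    return entries


def oversized_values(entries, limit_bytes, attrs=None):
    """(dn, attr, size) for every value above limit_bytes; attrs=None checks
    every attribute, otherwise only the named (lowercase) ones."""
    hits = []
    for dn, attr_map in entries.items():
        for name, values in attr_map.items():
            if attrs is not None and name not in attrs:
                continue
            for value in values:
                if len(value) > limit_bytes:
                    hits.append((dn, name, len(value)))
    return hits


def missing_on_consumer(provider, consumer):
    """{dn: [attr, ...]} for attributes the consumer lacks; a value of None
    means the whole entry is absent on the consumer."""
    report = {}
    for dn, attr_map in provider.items():
        if dn not in consumer:
            report[dn] = None
        else:
            gone = sorted(a for a in attr_map if a not in consumer[dn])
            if gone:
                report[dn] = gone
    return report


if __name__ == "__main__":
    prov, cons = parse_ldif(PROVIDER_LDIF), parse_ldif(CONSUMER_LDIF)
    for dn, attr, size in oversized_values(prov, limit_bytes=4096):
        print(f"OVERSIZED {dn} {attr} {size} bytes")
    for dn, gone in missing_on_consumer(prov, cons).items():
        print(f"MISSING   {dn}: {'entire entry' if gone is None else ', '.join(gone)}")
```

For a real pair of servers, feed `parse_ldif` the slapcat output of the provider and of the consumer; a hit in `missing_on_consumer` on a single attribute (rather than a whole entry) usually points at the access rule under which the replication identity reads the provider, since an attribute it cannot read is never sent.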
Openldap 2.4 and the cn=config directory
by Mike Johnston
Hi,
I used the -f & -F options to build my cn=config from my slapd.conf file. Everything works; however, I see a directory tree created, and I got the impression from the OpenLDAP 2.4 admin manual, first page of Chap 5 ("the new style uses a slapd backend database to store the config"), that it meant a bdb/hdb backend database, not an actual disk directory tree. Can it use hdb/bdb for the cn=config store?
TIA,
Mike
15 years, 1 month
Problems on "Mass Entry Import / Delete" under N-Way Multi-Master environment
by Data Leung
Dear All ,
I face a problem in the environment below.
a.) 4 x OpenLDAP 2.4.8 which are configured as N-Way Multi-Master.
b.) 4 x XEN guest host servers running CentOS 5.1 & DB-4.6.21
c.) 4 x XEN servers running time sync every 5 min.
d.) Each of the Openldap Database stored information such as:
1. Postfix e-mail account / aliases config
2. Pam-LDAP account entry
3. E-mail Address Book
e.) All LDAP Server under the same Local Area Network
Config file which is N-Way Multi-Master related:
/usr/local/etc/openldap/slapd.conf
For Host A = serverID1 = HOSTA.TEST.COM
For Host B = serverID2 = HOSTB.TEST.COM
For Host C = serverID3 = HOSTC.TEST.COM
For Host D = serverID4 = HOSTD.TEST.COM
Below is my case details.
1. There are no problems when I add / remove e-mail related
information entries one by one. Each OpenLDAP server can replicate
the information (Add / Remove entry) in short.
2. There are no problems when I add / remove PAM-LDAP login related
information entries one by one. Each OpenLDAP server can replicate
the information (Add / Remove entry) in short.
3. There are no problems when I add / remove e-mail address book entries
one by one. Each OpenLDAP server can replicate the information (Add /
Remove entry) in short.
Problems I found:
1. When I try to "mass import" the e-mail address book from an LDIF file
(200K LDIF entry, which includes 1800 x cn entries) on HOSTA, HOSTB /
HOSTC / HOSTD are only able to replicate around 600 ~ 1300, OR sometimes
they replicate all 1800 entries of the address book, OR OpenLDAP
shows a segmentation fault and the service stops by itself.
2. If HOST A / B / C / D have 1800 LDAP address book entries under
ou=AddressBook,dc=test,dc=com, and then I try to delete those 1800 entries,
Host A can delete those 1800 entries in short. But Host B / C / D
can't replicate the entries that I deleted on HOSTA by themselves.
That means my N-Way Multi-Master config can't 100% replicate its
database to the other databases IF I "MASS IMPORT" or "MASS DELETE"
entries.
Question:
a) Is that normal for this case?
b) I'm using slapd.conf to start up slapd. I also tried using
-F /usr/local/etc/openldap/slapd.d to start up slapd. Both
made no difference; I just want to know: if I am looking for N-Way
Multi-Master, is using slapd.conf OR slapd.d the best choice?
c) What kind of log should I provide to this mailing list that could help you all, and get help to debug my case?
-d 256 OR -d 1024 while I start up slapd?
Many thanks for your great help; since N-Way Multi-Master is new for me, I'm looking forward to all of your help.
And looking forward to all of your replies.
Thanks
Below is by DB_CONFIG on HOSTA / HOSTB / HOSTC / HOSTD
========================================================
# one 0.25 GB cache
set_cachesize 0 268435456 1
# Data Directory
#set_data_dir db
# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs
==========================================================
Config Symantec which is N-Way Multi-Master related.
===================================================
HOSTA:
serverID1
mirrormode on
syncrepl rid=2
provider=ldap://HOSTB.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=3
provider=ldap://HOSTC.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=4
provider=ldap://HOSTD.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
===================================================
HOSTB:
serverID2
mirrormode on
syncrepl rid=1
provider=ldap://HOSTA.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=3
provider=ldap://HOSTC.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=4
provider=ldap://HOSTD.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
====================================================
HOSTC:
serverID3
mirrormode on
syncrepl rid=1
provider=ldap://HOSTA.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=2
provider=ldap://HOSTB.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=4
provider=ldap://HOSTD.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
============================================
HOSTD:
serverID4
mirrormode on
syncrepl rid=1
provider=ldap://HOSTA.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=2
provider=ldap://HOSTB.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
syncrepl rid=3
provider=ldap://HOSTC.TEST.COM
bindmethod=simple
binddn="cn=manager,dc=test,dc=com"
credentials=secret
searchbase="dc=test,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
=====================================================
15 years, 1 month
A question about log messages
by Ryan Steele
Hey folks,
While researching another problem, I noticed that even on successful
searches (e.g., entries returned that match the filters I set), I see
the following in the logs:
Apr 23 12:45:11 ldapmaster slapd[30294]: send_ldap_result: err=0 matched="" text=""
It almost looks to me like it's saying it didn't match anything, when in
fact it does return entries. I tried looking through the man pages for
an explanation, but didn't find one. If anyone could point me to said
documentation, or explain how the above message is supposed to be
interpreted given the context of the situation, I'd be much obliged.
Thanks,
Ryan
15 years, 1 month
Can't allocate region- LDAP crashed.
by Sumith Narayanan
Hi All,
openLDAP crashed with the below error when I fired a search.
BDB version : 4.4.2 with 5 patches.
OpenLDAP version : 2.3.39
==
bdb_search: 510868 does not match filter
slapd(5596,0x180d000) malloc: *** vm_allocate(size=8421376) failed (error
code=3)
slapd(5596,0x180d000) malloc: *** error: can't allocate region
slapd(5596,0x180d000) malloc: *** set a breakpoint in szone_error to debug
bdb(ou=groups,o=root): malloc: Cannot allocate memory: 1048
slapd(5596,0x180d000) malloc: *** vm_allocate(size=8421376) failed (error
code=3)
slapd(5596,0x180d000) malloc: *** error: can't allocate region
slapd(5596,0x180d000) malloc: *** set a breakpoint in szone_error to debug
ch_calloc of 1 elems of 832 bytes failed
ch_malloc.c:107: failed assertion `0'
Abort trap
===
Any pointers on how to fix this?
Thanks, Sumith.
15 years, 1 month
2.3.39 --> 2.4.7 : replication: null_callback : error code 0x10
by Bas van der Vlies
I have read the thread in the archive, but could not find an answer:
- http://www.openldap.org/lists/openldap-software/200801/msg00126.html
We use debian etch. We have 1 producer (openldap 2.3.39) and 3 consumers
(openldap 2.4.7).
Apr 21 07:59:59 slave3 slapd[3123]: null_callback : error code 0x10
Apr 21 07:59:59 slave3 slapd[3123]: syncrepl_updateCookie: rid=101 be_modify failed (16)
Apr 21 07:59:59 slave3 slapd[3123]: do_syncrepl: rid=101 retrying (9 retries left)
--
********************************************************************
* *
* Bas van der Vlies e-mail: basv(a)sara.nl *
* SARA - Academic Computing Services phone: +31 20 592 8012 *
* Kruislaan 415 fax: +31 20 6683167 *
* 1098 SJ Amsterdam *
* *
********************************************************************
15 years, 1 month
Confusion over MIT/Heimdal compatibility
by Dominic Hargreaves
Hello,
I'm in the process of deploying an OpenLDAP cluster with a (simple)
syncrepl configuration, using Kerberos GSSAPI authentication between the
slaves and master. In testing this has worked fine; however, once the original
ticket expires the connection fails without the client noticing. This
has already been discussed at the thread ending with
http://www.openldap.org/lists/openldap-software/200608/msg00342.html
so I'm not asking for a rehash of that. However I am puzzled by the
discrepancy between the statement "As mentioned on this list numerous
times, do *not* use MIT kerberos with OpenLDAP. Bad things happen. Use
Heimdal Kerberos." and the advice given at
http://www.openldap.org/doc/admin24/install.html#{{TERM[expand]Kerberos}}
which suggests (or at least implies) that MIT kerberos is usable with
OpenLDAP.
Is anything likely to change in this regard? Having looked into the
issue it does seem that fixing this with MIT kerberos would require (at
a minimum) changing the SASL library, and any such change would be a
hack, since it doesn't look to the untrained eye like SASL provides a
mechanism for getting information about connection lifetimes.
However, I do think it could be made clearer in the docs that MIT
kerberos is not suitable for use with OpenLDAP.
[sidenote: I will be taking some of this up with the Debian cyrus-sasl2
maintainers too, as they do not seem to support Heimdal gssapi any more]
Thanks,
Dominic.
--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford
15 years, 1 month
unable to get syncrepl to work
by Adam Williams
I have a master ldap server named roark, and a slave ldap server named
archives3 and both are running openldap 2.3.39. In roark's
/etc/openldap/slapd.conf I added:
index entryUUID,entryCSN eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
lastmod on
and in archives3's slapd.conf I added:
cachesize 100000
idlcachesize 300000
checkpoint 1024 5
syncrepl rid=1
provider=ldap://roark.mdah.state.ms.us:389
type=refreshandPersist
retry="60 +"
searchbase="dc=mdah,dc=state,dc=ms,dc=us"
filter="(objectClass=*)"
scope=sub
attrs="*,+"
schemachecking=off
bindmethod=simple
binddn= "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us"
credentials={SSHA}xxxxxxxxxxxxxxx
and then loaded a slapcat from yesterday into archives3's ldap with slapadd,
and started ldap on archives3. Now I just added a user on roark's
openldap with ldapadd, and it added the user fine, I can log in as them,
and the timestamp on /var/lib/ldap files is current; however, on
archives3, the timestamp on the files is still from yesterday. Why
hasn't archives3's ldap updated itself with the new user that was added?
[root@roark ldap]# date
Fri Apr 18 11:39:03 CDT 2008
[root@roark ldap]# ls -ltr
total 5660
drwxr-xr-x 2 root root 4096 2008-02-22 11:55 rpmorig
-rw------- 1 ldap ldap 8192 2008-04-13 21:51 sambaDomainName.bdb
-rw------- 1 ldap ldap 8192 2008-04-13 22:14 memberUid.bdb
-rw-r----- 1 root root 769 2008-04-14 11:08 DB_CONFIG
-rw------- 1 ldap ldap 49152 2008-04-16 12:11 displayName.bdb
-rw------- 1 ldap ldap 102400 2008-04-17 00:00 sambaSID.bdb
-rw------- 1 ldap ldap 24576 2008-04-17 11:32 __db.006
-rw------- 1 ldap ldap 557056 2008-04-17 11:32 __db.005
-rw------- 1 ldap ldap 98304 2008-04-17 11:32 __db.004
-rw------- 1 ldap ldap 270336 2008-04-17 11:32 __db.003
-rw------- 1 ldap ldap 368640 2008-04-17 11:32 __db.002
-rw------- 1 ldap ldap 24576 2008-04-17 11:32 __db.001
-rw------- 1 ldap ldap 10485760 2008-04-18 11:28 log.0000000001
-rw------- 1 ldap ldap 8192 2008-04-18 11:30 uidNumber.bdb
-rw------- 1 ldap ldap 53248 2008-04-18 11:30 uid.bdb
-rw------- 1 ldap ldap 53248 2008-04-18 11:30 sn.bdb
-rw------- 1 ldap ldap 36864 2008-04-18 11:30 objectClass.bdb
-rw------- 1 ldap ldap 8192 2008-04-18 11:30 gidNumber.bdb
-rw------- 1 ldap ldap 8192 2008-04-18 11:30 entryUUID.bdb
-rw------- 1 ldap ldap 8192 2008-04-18 11:30 entryCSN.bdb
-rw------- 1 ldap ldap 57344 2008-04-18 11:30 dn2id.bdb
-rw------- 1 ldap ldap 77824 2008-04-18 11:30 cn.bdb
-rw------- 1 ldap ldap 311296 2008-04-18 11:31 id2entry.bdb
-rw-r--r-- 1 ldap ldap 4096 2008-04-18 11:32 alock
[root@archives3 ldap]# date
Fri Apr 18 11:39:32 CDT 2008
[root@archives3 ldap]# ls -ltr
total 4232
-rw------- 1 ldap ldap 24576 2008-04-17 11:45 __db.006
-rw------- 1 ldap ldap 557056 2008-04-17 11:45 __db.005
-rw------- 1 ldap ldap 98304 2008-04-17 11:45 __db.004
-rw------- 1 ldap ldap 270336 2008-04-17 11:45 __db.003
-rw------- 1 ldap ldap 368640 2008-04-17 11:45 __db.002
-rw------- 1 ldap ldap 24576 2008-04-17 11:45 __db.001
-rw------- 1 ldap ldap 8192 2008-04-17 12:25 uidNumber.bdb
-rw------- 1 ldap ldap 57344 2008-04-17 12:25 uid.bdb
-rw------- 1 ldap ldap 53248 2008-04-17 12:25 sn.bdb
-rw------- 1 ldap ldap 110592 2008-04-17 12:25 sambaSID.bdb
-rw------- 1 ldap ldap 8192 2008-04-17 12:25 sambaDomainName.bdb
-rw------- 1 ldap ldap 36864 2008-04-17 12:25 objectClass.bdb
-rw------- 1 ldap ldap 8192 2008-04-17 12:25 memberUid.bdb
-rw------- 1 ldap ldap 262144 2008-04-17 12:25 id2entry.bdb
-rw------- 1 ldap ldap 8192 2008-04-17 12:25 gidNumber.bdb
-rw------- 1 ldap ldap 49152 2008-04-17 12:25 dn2id.bdb
-rw------- 1 ldap ldap 49152 2008-04-17 12:25 displayName.bdb
-rw------- 1 ldap ldap 69632 2008-04-17 12:25 cn.bdb
-rw------- 1 ldap ldap 10485760 2008-04-17 12:32 log.0000000001
-rw-r--r-- 1 ldap ldap 4096 2008-04-17 12:33 alock
15 years, 1 month
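The N-Way Multi-Master post and the syncrepl post above both hinge on details of the syncrepl stanza: the rids, the provider URLs, how the bind credentials are given, and whether every `key=value` pair actually parses as one token. The following Python is an added example, not code from either poster or from the OpenLDAP project: it reads slapd.conf text, joins continuation lines, splits each syncrepl directive the way a shell would, and reports duplicate rids, a provider URL that names the local host, tokens that are not `keyword=value` (which is what a space after `binddn=` produces), a credentials value that looks like a stored password hash rather than the cleartext bind password, and unknown `type=` values. The sample configuration is constructed and its hostnames are placeholders; the keyword list covers common syncrepl keywords from slapd.conf(5), not every one.

```python
"""Lint the syncrepl stanzas of a slapd.conf text: duplicate rids, a provider
that is the local host, mis-tokenized key=value pairs, credentials pasted as
a hash, and unknown type= values."""
import shlex
from urllib.parse import urlsplit

# Common syncrepl keywords from slapd.conf(5); anything else is reported.
KNOWN = {"rid", "provider", "searchbase", "type", "interval", "retry", "filter",
         "scope", "attrs", "exattrs", "schemachecking", "bindmethod", "binddn",
         "saslmech", "authcid", "authzid", "credentials", "realm", "starttls",
         "tls_cacert", "tls_reqcert", "network-timeout", "timeout", "sizelimit",
         "timelimit", "logbase", "logfilter", "syncdata"}
VALID_TYPES = {"refreshonly", "refreshandpersist"}


def directives(conf_text):
    """Yield (keyword, rest) per directive: continuation lines (leading
    whitespace) are joined, comments and blank lines dropped."""
    joined = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    for line in joined:
        keyword, _, rest = line.partition(" ")
        yield keyword.lower(), rest.strip()


def parse_syncrepl(rest):
    """Split 'rid=1 provider=... ' into ({key: value}, [token problems])."""
    opts, problems = {}, []
    for tok in shlex.split(rest):
        key, eq, val = tok.partition("=")
        key = key.lower()
        if not eq or key not in KNOWN:
            problems.append(f"unexpected token {tok!r} (unknown keyword, or a space "
                            "after '=' split the previous value off)")
            continue
        if val == "":
            problems.append(f"{key}= has an empty value")
        opts[key] = val
    return opts, problems


def lint(conf_text, local_hostname):
    """Return human-readable findings for conf_text, assumed to be the
    slapd.conf of local_hostname."""
    findings, rids, mirrormode, has_serverid = [], {}, False, False
    for keyword, rest in directives(conf_text):
        mirrormode |= keyword == "mirrormode" and rest.lower() == "on"
        has_serverid |= keyword == "serverid"
        if keyword != "syncrepl":
            continue
        opts, problems = parse_syncrepl(rest)
        rid = opts.get("rid")
        tag = f"rid={rid}" if rid is not None else "syncrepl without rid"
        findings.extend(f"{tag}: {p}" for p in problems)
        findings.extend(f"{tag}: missing required {k}=" for k in
                        ("rid", "provider", "searchbase") if k not in opts)
        if rid is not None:
            if rid in rids:
                findings.append(f"{tag}: duplicate rid, already used for {rids[rid]}")
            else:
                rids[rid] = opts.get("provider", "?")
        provider = opts.get("provider", "")
        if provider and (urlsplit(provider).hostname or "").lower() == local_hostname.lower():
            findings.append(f"{tag}: provider {provider} is this host itself")
        type_ = opts.get("type", "")
        if type_ and type_.lower() not in VALID_TYPES:
            findings.append(f"{tag}: unknown type={type_!r}")
        cred = opts.get("credentials", "")
        if cred.startswith("{") and "}" in cred:
            findings.append(f"{tag}: credentials= looks like a stored password hash; "
                            "simple bind needs the cleartext password")
    if mirrormode and not has_serverid:
        findings.append("mirrormode on but no serverID directive")
    return findings


# Constructed sample (placeholder hosts): HOSTA's file with a copy/paste slip
# (rid reused, provider is HOSTA itself) and a stanza where a space after
# 'binddn=' splits the value off and a password hash was pasted as credentials.
SAMPLE_CONF = """\
serverID 1
mirrormode on
syncrepl rid=2
  provider=ldap://HOSTB.TEST.COM
  bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret
  searchbase="dc=test,dc=com" type=refreshAndPersist retry="60 +"
syncrepl rid=2
  provider=ldap://HOSTA.TEST.COM
  bindmethod=simple binddn="cn=manager,dc=test,dc=com" credentials=secret
  searchbase="dc=test,dc=com" type=refreshAndPersist retry="60 +"
syncrepl rid=3
  provider=ldap://roark.example.test:389
  type=refreshandPersist retry="60 +" schemachecking=off
  searchbase="dc=example,dc=test" bindmethod=simple
  binddn= "cn=Manager,dc=example,dc=test"
  credentials={SSHA}xxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, "HOSTA.TEST.COM"):
        print(finding)
```

The `type=` check deliberately compares case-insensitively so that it only reports values outside the two documented ones; the hash check is a heuristic on the `{SCHEME}` prefix that stored password hashes carry, which is never what a simple bind should send.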
Where can I get the detailed meaning of OpenLDAP's Error Code?
by jjj@sjtu.org
Hello all,
Now I am running OpenLDAP and got one error code from syslog.
But I have no references about the detailed meaning of OpenLDAP's error codes.
Where can I get the detailed meaning of OpenLDAP's error codes?
Thank you in advance.
JJ
15 years, 1 month
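Three posts above ask what a logged result code means (`send_ldap_result: err=0 matched="" text=""`, `null_callback : error code 0x10`, and the general question about OpenLDAP error codes). The numbers are LDAP resultCode values from RFC 4511: err=0 is success; `matched` is the matchedDN field, which is filled for outcomes such as noSuchObject and is empty on success, so an empty value says nothing about how many entries were returned; and 0x10 is 16, noSuchAttribute. At the stats log level the returned-entry count appears as the `nentries=` field of the SEARCH RESULT line. The following Python is an added example, not from any poster or from the OpenLDAP project: it maps those numbers to their names and pulls host, pid, code and nentries out of syslog-style slapd lines. The sample lines are constructed after the ones quoted in the posts.

```python
"""Decode the LDAP result codes that slapd writes into its log lines (and that
the ldap* tools print on failure) and pull the per-operation fields out of
stats-level lines."""
import re
from collections import Counter

# Result code names from RFC 4511 (a subset).
RESULT_CODES = {
    0: "success", 1: "operationsError", 2: "protocolError",
    3: "timeLimitExceeded", 4: "sizeLimitExceeded", 7: "authMethodNotSupported",
    8: "strongerAuthRequired", 10: "referral", 11: "adminLimitExceeded",
    16: "noSuchAttribute", 17: "undefinedAttributeType", 19: "constraintViolation",
    20: "attributeOrValueExists", 21: "invalidAttributeSyntax", 32: "noSuchObject",
    34: "invalidDNSyntax", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights", 51: "busy",
    52: "unavailable", 53: "unwillingToPerform", 64: "namingViolation",
    65: "objectClassViolation", 66: "notAllowedOnNonLeaf", 68: "entryAlreadyExists",
    80: "other",
}

SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) "
                    r"slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Ways a result code shows up; the last pattern matches client output such as
# "ldapmodify: Referral (10)".
CODE_PATTERNS = [
    re.compile(r"\berr=(?P<num>\d+)"),
    re.compile(r"\bfailed \((?P<num>\d+)\)"),
    re.compile(r"\berror code (?P<num>0x[0-9A-Fa-f]+|\d+)"),
    re.compile(r"\((?P<num>\d+)\)\s*$"),
]


def decode_result(text):
    """Return (code, name) for the first result code found in text, else None."""
    for pattern in CODE_PATTERNS:
        m = pattern.search(text)
        if m:
            num = m.group("num")
            code = int(num, 16) if num.lower().startswith("0x") else int(num)
            return code, RESULT_CODES.get(code, "unknown")
    return None


def parse_line(line):
    """Split a syslog-style slapd line into host/pid/message and decode the
    result code and the nentries= count when present."""
    m = SYSLOG.match(line)
    rec = {"host": m.group("host") if m else None,
           "pid": int(m.group("pid")) if m else None,
           "msg": m.group("msg") if m else line}
    result = decode_result(rec["msg"])
    if result:
        rec["code"], rec["name"] = result
    n = re.search(r"\bnentries=(\d+)", rec["msg"])
    if n:
        rec["nentries"] = int(n.group(1))
    return rec


def count_by_name(lines):
    """Histogram of result-code names over the lines that carry one."""
    return Counter(rec["name"] for rec in map(parse_line, lines) if "name" in rec)


# Constructed sample lines modelled on the ones quoted in the posts; the
# stats-level SEARCH RESULT lines are added to show the nentries= field.
SAMPLE_LOG = [
    'Apr 23 12:45:11 ldapmaster slapd[30294]: send_ldap_result: err=0 matched="" text=""',
    'Apr 23 12:45:11 ldapmaster slapd[30294]: conn=1003 op=2 SEARCH RESULT tag=101 err=0 nentries=4 text=',
    'Apr 21 07:59:59 slave3 slapd[3123]: null_callback : error code 0x10',
    'Apr 21 07:59:59 slave3 slapd[3123]: syncrepl_updateCookie: rid=101 be_modify failed (16)',
    'Apr 21 07:59:59 slave3 slapd[3123]: do_syncrepl: rid=101 retrying (9 retries left)',
    'Apr 23 12:50:02 ldapmaster slapd[30294]: conn=1007 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=',
    'ldapmodify: Referral (10)',
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG):
        print(rec.get("code"), rec.get("name"), rec.get("nentries"), "|", rec["msg"])
    print(dict(count_by_name(SAMPLE_LOG)))
```

A sudden rise of one name in `count_by_name` over a rolling window (invalidCredentials from a single client, or noSuchAttribute from a consumer's syncrepl thread as in the 2.3.39 to 2.4.7 post) is the kind of signal worth alerting on, which is why the names rather than the raw numbers are what the histogram keys on.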