openldap-software May 2008

openldap-software@openldap.org

64 participants
55 discussions

Dynamic view
by Anders 30 May '08

30 May '08

Hello. We are using OpenLDAP for user authentication. Now we want to reuse the data for internal address books. My problem is that not all records should be shown in the address books. Just as an example, I might want to hide all records that have (active=FALSE). Adding the search constraint to every e-mail client is not suitable, as the constraints will probably change over time. I imagine having a virtual DN for address books, containing dynamic data filtered according to my configuration. From reading the documentation, it seems that an overlay would be the thing to use for this, but I have been unable to find a suitable overlay. Does one exist? Or should I approach this differently? Thanks, Anders.

4 3

Re: smbk5pwd crash for missing symbol
by Guillaume Rousse 30 May '08

30 May '08

Love Hörnquist Åstrand a écrit : > > 28 maj 2008 kl. 02.57 skrev Guillaume Rousse: > >> + hdb_entry_set_pw_change_time(context, &ent, 0); >> + >> + if (krb5_config_get_bool_default(context, NULL, FALSE, >> + "kadmin", "save-password", NULL)) { >> + ret = hdb_entry_set_password(context, >> + context->db, &ent, qpw->rs_new.bv_val); >> + if (ret != 0) >> + break; >> + } > > As Howard said, you can drop this part. It needs to be done diffrenlty > with the hdb backend. > > Other then that the patch looks fine. I changed it, everything works OK now. Thanks to both of you. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62

2 1

slapd service terminates unexpectedly
by Kyle Blaney 29 May '08

29 May '08

I'm looking for help because our slapd service occasionally terminates unexpectedly on Windows. I know that Windows isn't the ideal platform and we're moving everything to Linux eventually but we need to put up with Windows for a short while longer. Our configuration is OpenLDAP 2.3.39 with BDB 4.4.20 (although we've also seen the same problem in OpenLDAP 2.3.38 and 2.3.41) built using MinGW/MSYS. The problem is not readily reproducible but it has been seen on many different systems. I don't have any further details because we've set the service's recovery options to automatically restart the service when it terminates unexpectedly. All reports indicate that the service is not doing anything in particular when it unexpectedly terminates. For exampe, it's not being heavily accessed. In fact, it often stops when it's not being accessed at all. It runs perfectly well for hours or days and then just stops before being automatically restarted. The only indication that it even stops is an error logged in the Windows Event Viewer by the Service Control Manager that says "The slapd service terminated unexpectedly. This has happened 1 time(s)". Are there any specific logging options I should turn on so that I can provide more details as to what the service is doing just before it terminates? Is this likely to have the same root cause as ITS#5469 (Assertion failure causes slapd crash): http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5469;selectid=5 469? Kyle Blaney Software Engineer, System Management Nortel Networks

2 1

Limit slapd memory usage on Windows?
by Kyle Blaney 29 May '08

29 May '08

Is there a way to limit slapd's memory usage on Windows? I ask because we want to use OpenLDAP on memory-constrained systems. We're having performance problems that occur when other applications start and they need the memory used by slapd. A lot of page-swapping occurs and performance suffers as a result. I've tried to set a very small cachesize in slapd.conf and a very small cache size in DB_CONFIG. However, those settings only decrease the initial memory usage by slapd. When I add a single entry, slapd's memory usage increases from 66 MB to 110 MB. When I add 100 more entries, slap's memory usage increases to 276 MB. Even when I disable all indexes, the memory usage is still similar. (The memory usage numbers I state are the combination of slapd's private bytes and virtual bytes as reported by the Windows Performance tool.) Is there some way to tell slapd not to use more than X MB of memory even if it's available in order to avoid future page swaps? Note that I'm running OpenLDAP 2.3.39 with BDB 4.4.20 on Windows XP Professional with Service Pack 2. --- Kyle Blaney Software Engineer, System Management Nortel Networks

2 2

Re: Pls help:delete missing in multi-master environment
by ST Wong (ITSC) 29 May '08

29 May '08

Right, I added redundant lines. Will test again after removing them. Thanks for your help. ST Wong (ITSC) wrote: Hi all, I set up a 2 server multi-master environment using OpenLDAP 2.4.9 + BerkeleyDB 4.6 on CentOS 5.1. Make test and simple load test on add/mod/del are okay. However, seems some records are not replicated in delete phrase when there are lot of simultaneous delete operations (e.g. 10 threads spawned from 2 clients to add/del 100 users in each threads). I'm newbie to syncrepl and have no idea about the problem are scanning debug output. My slapd.conf syncrepl section follows: #master overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 #consumer syncrepl rid=001 provider=ldaps://192.168.28.69 starttls=yes tls_reqcert=never tls_cacert=/etc/CA/cacert.pem type=refreshAndPersist retry="5 + 5 +" searchbase="dc=mydomain,dc=hk" schemachecking=off bindmethod=simple binddn="cn=replicator,ou=People,dc=mydomain,dc=edu" credentials=secret Would anyone pls help? Sorry for the newbie question. Thanks a lot. /st wong Why are you running StartTSL on an ldaps server? -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

2 2

Re: TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
by Dieter Kluenter 28 May '08

28 May '08

"Arkady Shoyhet" <Arkady.Shoyhet(a)aladdin.com> writes: > OK ,folks,it is really not simple… > > HELP ME PLEASE… [...] > TLS trace: SSL_accept:error in SSLv2/v3 read client hello A > TLS: can't accept. > > TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol > s23_srvr.c:562 > > connection_read(11): TLS accept failure error=-1 id=1, closing > > connection_closing: readying conn=1 sd=11 for close > > connection_close: conn=1 sd=11 > > WHY ??? What I am missing ? one question mark should be sufficient. something is wrong either with your certificate or with your TLS configuration in slapd.conf and ldap.conf, please post the relevant parts. how did you create the certificates? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

3 2

TLS with HPUX problem
by Adam Leach 28 May '08

28 May '08

Hi, I'm having an issue with and LDAP-UX client and I'm hoping to shed some light on this problem. I'm running OpenLDAP 2.3.39 on RHEL4 and my linux clients connect fine with TLS. My HPUX clients however are having problems. Here is what my slapd says when ran with a -d 255: 11daemon: activity on 1 descriptor daemon: activity on: >>> slap_listener(ldaps:///) daemon: listen=8, new connection on 17 daemon: added 17r (active) listener=(nil) daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 17r daemon: read active on 17 connection_get(17) connection_get(17): got connid=39 connection_read(17): checking for input on id=39 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 30 1d 02 01 01 77 18 80 16 31 2e 0....w...1. TLS trace: SSL_accept:error in SSLv2/v3 read client hello A TLS: can't accept. TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol s23_srvr.c:580 connection_read(17): TLS accept failure error=-1 id=39, closing connection_closing: readying conn=39 sd=17 for close connection_close: conn=39 sd=17 daemon: removing 17 I'm not sure if it's using a different version of SSL or what. Please help as this is the final step before deploying OpenLDAP on my system. Thanks -- Adam Leach BS Computer/Electrical Engineering West Virginia University System Administrator - Raytheon (304)677-4455

3 4

Re: smbk5pwd crash for missing symbol
by Guillaume Rousse 28 May '08

28 May '08

Love Hörnquist Åstrand a écrit : > > 27 maj 2008 kl. 02.18 skrev Guillaume Rousse: > >> I tried this approach (patch attached). >> >> Converting _kadm5_free_keys to hdb_free_keys is trivial, as the former >> is just a wrapper over the second. >> >> However, converting _kadm5_set_keys to hdb_generate_key_set_password >> is much more difficult. I first tried to inline all code from >> _kadm5_set_keys in smbk5pwd.c. However, gcc complains about "request >> for member ‘context’ in something not a structure or union" because it >> doesn't have any clue about the nature of kadm_context, which is a >> void ponter for smbk5pwd. Trying to cast it as a kadm5_server_context >> pointer fails, as this seems also to be a private heimdal structure... >> >> Given my lack of C knowledge, I'm a bit stuck there. > > You can use the krb5_contex that is global in the module, just change > the code to use context instead of kadm5_context. Slightly better but I still can't access its members: smbk5pwd.c:416: error: dereferencing pointer to incomplete type According to my understanding, kadm_context type is a pointer to an internally-defined krb5_context_data structure. Inlining private function is not straightforward, especially for dumb C programmers :) Updated patch attached. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62 --- smbk5pwd.c~ 2008-02-12 00:34:15.000000000 +0100 +++ smbk5pwd.c 2008-05-28 11:05:18.000000000 +0200 @@ -368,6 +368,8 @@ struct berval *keys; int kvno, i; Attribute *a; + Key *local_keys; + size_t local_num_keys; if ( !SMBK5PWD_DO_KRB5( pi ) ) break; @@ -396,7 +398,26 @@ op->o_log_prefix, e->e_name.bv_val, 0 ); } - ret = _kadm5_set_keys(kadm_context, &ent, qpw->rs_new.bv_val); + /* _kadm5_set_keys is a private function, inline its code here */ + ret = hdb_generate_key_set_password(context, ent.principal, + qpw->rs_new.bv_val, &local_keys, &local_num_keys); + if (ret != 0) + break; + + hdb_free_keys(context, ent.keys.len, ent.keys.val); + ent.keys.val = local_keys; + ent.keys.len = local_num_keys; + + hdb_entry_set_pw_change_time(context, &ent, 0); + + if (krb5_config_get_bool_default(context, NULL, FALSE, + "kadmin", "save-password", NULL)) { + ret = hdb_entry_set_password(context, + context->db, &ent, qpw->rs_new.bv_val); + if (ret != 0) + break; + } + hdb_seal_keys(context, db, &ent); krb5_free_principal( context, ent.principal ); @@ -415,7 +436,7 @@ } BER_BVZERO( &keys[i] ); - _kadm5_free_keys(kadm_context, ent.keys.len, ent.keys.val); + hdb_free_keys(context, ent.keys.len, ent.keys.val); if ( i != ent.keys.len ) { ber_bvarray_free( keys );

2 2

smbk5pwd crash for missing symbol
by Guillaume Rousse 28 May '08

28 May '08

Hello list(s). I'm having a crash as soon as I attempt to change my password when smbk5pwd is activating. strace shows an unresolved symbol in smbk5pwd.so: _kadm5_free_keys Heimdal source code shows this function is defined in libkadm5srv.so (/usr/lib/libkadm5srv.so.8.0.1) for heimdal 1.1. But this seems to be a private symbol, as objdump -T doesn't list it. Looking at heimdal Makefile.am, it seems a special configuration file is used (lib/krb5/version-script.map) to filter exported symbols, if linker support the use of -Wl,--version-script option. I couldn't find any description of this option. Is this possible smbk5pwd author would have by mistake used a private function, only working because he build heimdal on a host whose linker doesn't support --version-script option ? I'm using heimdal 1.1 and openldap 2.4.8 on mandriva linux. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62

2 2

Performance summary
by Howard Chu 27 May '08

27 May '08

For the performance-minded, I wrote an article on OpenLDAP for Linux-Magazin's Performance and Tuning book, which was just published. You can download the Table of Contents here: http://www.linux-magazin.de/technical_review/ltr08_performance_und_tuning The article summarizes some of the tuning work we've done from ~2005 to the current 2.4 release. (Despite the German publisher, I wrote the article in English.) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software May 2008