memberOf attribute indexing
by George Holbert
Hello,
For a bdb-backend server that utilizes slapo-memberof and services
searches filtered on memberOf,
is it beneficial to configure indexes for the memberOf attribute?
In other words, is memberOf stored pretty much like any other attribute,
or is it computed dynamically on every search (making it "un-indexable")?
Thank you for your time!
-- George
12 years, 6 months
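As an added configuration example (the editor's illustration, not from the thread): slapo-memberof writes memberOf values into the member entries whenever a group changes, so the attribute is stored in the database like any other rather than computed per search, and an equality index on it serves memberOf-filtered searches the same way an index on member does. The suffix, directory and group object class below are placeholders.

```conf
# Added example, not from the thread. Suffix and paths are placeholders.
database bdb
suffix "dc=example,dc=com"
directory /var/lib/ldap

# memberOf is maintained inside the member entries by the overlay
# (stored, not computed per search), so an equality index on it helps
# filters such as (memberOf=cn=admins,ou=groups,dc=example,dc=com).
index objectClass eq
index member,uniqueMember eq
index memberOf eq

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true
```

Two caveats a practitioner will hit: memberOf is defined as an operational attribute, so ldapsearch returns it only when asked for by name or with "+"; and, as with any index added after the data was loaded, existing entries are not covered until slapindex has been run with slapd stopped. Entries that were already group members before the overlay was enabled carry no memberOf at all until the groups are re-added.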
finding the max value of an attribute
by openldap
Hi everyone,
when searching values in the LDAP directory, it has certainly occurred to
everybody to have to find the maximum value of an attribute, e.g. when
defining a new user in the directory you might specify one more than the
maximum value of all uidNumber attributes as the new user's uidNumber.
I was looking at RFC 2254 and 4515, but could not find anything obvious.
Is there a way to find the maximum value of an attribute, and possibly
the DN to whom it belongs, using only ldapsearch (no perl or php
programming)?
Or did I just overlook something obvious?
Any hint is very much appreciated. Thank you very much.
suomi
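An added example, not part of the post above: LDAP has no server-side MAX(), so the closest thing to "find the largest uidNumber with only ldapsearch" is to ask for every uidNumber and reduce the result in the shell. The helpers below post-process LDIF as ldapsearch -LLL prints it, including folded continuation lines; the sample directory data, the floor value of 1000 and the attribute being single-valued are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original post. LDAP has no server-side
# MAX(); the best a client can do is ask for every uidNumber and reduce
# the result locally. These helpers post-process LDIF from ldapsearch -LLL.
# Assumptions: uidNumber is single-valued and returned in clear (not
# base64 "::") form, which holds for the nis.schema definition.

# Print "<largest uidNumber> <dn that holds it>" for LDIF on stdin.
# Handles LDIF continuation lines (a leading space joins to the line above).
max_uidnumber() {
    awk '
        function handle(line,   v) {
            if (line ~ /^dn: /) {
                dn = substr(line, 5)
            } else if (line ~ /^uidNumber: /) {
                v = substr(line, 12) + 0
                if (!seen || v > best) { best = v; bestdn = dn; seen = 1 }
            }
        }
        /^ /  { cur = cur substr($0, 2); next }     # continuation line
              { if (cur != "") handle(cur); cur = $0 }
        END   { if (cur != "") handle(cur); if (seen) print best " " bestdn }
    '
}

# max+1, or a floor of 1000 (assumed site policy) when no uidNumber exists.
# Caveat: this is a read-then-write with no lock. Two admins running it at
# the same time get the same number, so make the server enforce uniqueness
# (e.g. slapo-unique on uidNumber) instead of trusting this answer.
next_uid() {
    max_uidnumber | awk '{ print $1 + 1; found = 1 } END { if (!found) print 1000 }'
}

# Constructed sample in the shape ldapsearch -LLL prints; carol's dn is
# folded over two lines the way LDIF wraps long values.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uidNumber: 1001

dn: uid=bob,ou=people,dc=example,dc=com
uidNumber: 1250

dn: uid=carol,ou=people,dc=example,dc=
 com
uidNumber: 1500

dn: uid=dave,ou=people,dc=example,dc=com
uidNumber: 1499
EOF
}

# Against a live directory the pipeline is:
#   ldapsearch -LLL -x -b "dc=example,dc=com" "(uidNumber=*)" uidNumber | max_uidnumber
sample_ldif | max_uidnumber   # 1500 uid=carol,ou=people,dc=example,dc=com
```

The comment in next_uid is the part worth keeping: "max+1" read from a search is a race between everyone who runs it, so the directory itself should reject a duplicate uidNumber (slapo-unique does that) rather than relying on the client to have seen the latest value.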
Log files building up with large group
by Steve Smith
Hi,
I have directory with a group with ~220,000 users in it. This group is
frequently updated (several times an hour). This appears to be causing
the BDB transaction logs to grow very large; over the course of a day
they grow to about 36GB. These all appear to be active; neither
'slapd_db_archive -d' nor DB_LOG_AUTOREMOVE has any effect.
Is there anything that can be done about this or is this an unavoidable
side-effect of the transaction system?
Thanks,
Steve
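An added configuration example, not from the thread, on the one back-bdb setting that decides whether old log files can ever be removed: BDB lets db_archive -d or DB_LOG_AUTOREMOVE delete a log file only once it is older than the last checkpoint and no open transaction refers to it, and slapd writes checkpoints only when told to. Suffix, paths and the checkpoint interval are placeholders.

```conf
# Added example, not from the thread; suffix, paths and sizes are placeholders.

# --- slapd.conf, inside the bdb database section ---
database bdb
suffix "dc=example,dc=com"
directory /var/lib/ldap
# Write a checkpoint after every 1024 KB of log data or every 15 minutes,
# whichever comes first. Without a checkpoint directive every log file
# stays "active", and neither db_archive -d nor DB_LOG_AUTOREMOVE is
# allowed to remove anything.
checkpoint 1024 15

# --- DB_CONFIG, in the directory named above ---
# Remove log files as soon as crash recovery no longer needs them. This
# gives up catastrophic recovery from the logs alone, so keep slapcat or
# filesystem backups.
set_flags DB_LOG_AUTOREMOVE
```

This bounds how long old log files linger; it does not shrink what each modification writes. Every change to a 220,000-member group rewrites that entry and its index slots through the transaction log, so the per-update volume stays large however often checkpoints run.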
Query regarding the Transaction Management support in OpenLDAP
by kumar.nitin@wipro.com
Hi,
This is a query regarding the Transaction Management support in
OpenLDAP. We are planning to use OpenLDAP in our project, with
bdb as the back-end.
We have explored many things in OpenLDAP but couldn't find whether
Transaction Management (commit, rollback in case of failure) is possible
in OpenLDAP.
If it is possible please let us know how we can configure it.
If you need more information, please let me know.
With Regards,
Nitin Kumar
+91-9999499757
www.wipro.com
ppolicy+syncrpl: pwd* attributes lost
by Chris G. Sellers
I have n-way multimaster replication set up. It works great.
I have slapo_ppolicy set up; it works too.
The problem I appear to have is that whichever server does the
password change, the pwd* attributes are set, and then removed from
the other server.
So, if I do a password change on server1, the record for user A on
server1 shows pwdChangedTime.
The record for user A on server2 shows the modificationTime but the
pwdChangedTime is deleted.
The same goes if I use server2 and look at server1.
At first, I thought it may be due to the clear_hash setting, but that
didn't seem to make an impact. Any ideas? I know I must have
something missing but I'm just not seeing it.
---
password-hash {SSHA}
###########################################################################
database bdb
suffix "dc=nitle,dc=org"
rootdn "cn=MASTERUSER,dc=nitle,dc=org"
rootpw {SSHA}WAYTOOSECRETFORYOU
directory /home/ldap/openldap/var/openldap-data
serverID 1
limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited
syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999
         binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple
         credentials=OOOOOHHHH searchbase="dc=nitle,dc=org"
         type=refreshAndPersist scope=sub
         interval=00:00:00:10 retry="15 5 300 +" timeout=1
         schemachecking=off starttls=yes
         attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"
# syncdata=accesslog
syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999
         binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple
         credentials=OOOOOHHHH searchbase="dc=nitle,dc=org"
         type=refreshAndPersist schemachecking=off scope=sub
         interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes
         attrs="*,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry"
# syncdata=accesslog
overlay syncprov
mirrormode true
## INDICES TO MAINTAIN
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
## PASSWORD POLICY OVERLAY ##
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org"
ppolicy_hash_cleartext
# ppolicy_use_lockout
++++++++++++++++++++++++++++++++++++++
Chris G. Sellers | Internet Engineer | NITLE
734.661.2318 | chris.sellers(a)nitle.org
Jabber: csellers(a)nitle.org | AIM: imthewherd
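An added example, not part of the post and not a conclusion the thread reaches: the stanzas above give syncrepl an explicit attrs= list, and a consumer replicates only the attributes that list names. ppolicy's state attributes (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdHistory, pwdReset, pwdGraceUseTime) are operational, so "*" does not include them; any entry the consumer rewrites from such a list arrives without them. Whether that is what is happening here is the editor's reading. The default of "*,+" (all user attributes plus all operational attributes) avoids the question; hosts, rid values and credentials below are placeholders.

```conf
# Added example, not the original configuration. Hostnames, ports,
# credentials and rid values are placeholders.
#
# attrs="*,+" replicates every user attribute and every operational
# attribute, which covers pwdChangedTime, pwdFailureTime,
# pwdAccountLockedTime, pwdHistory and the rest of the ppolicy state.
syncrepl rid=010
         provider=ldap://ldap1.example.com:389
         binddn="cn=mirroruser,ou=ou,dc=example,dc=com"
         bindmethod=simple
         credentials=secret
         searchbase="dc=example,dc=com"
         type=refreshAndPersist
         retry="15 5 300 +"
         starttls=critical
         attrs="*,+"
```

The security angle is why this matters beyond a missing timestamp: if pwdFailureTime and pwdAccountLockedTime do not replicate, a lockout enforced on one master is invisible on the other, and a password-guessing client that spreads its attempts across both replicas never trips the policy. starttls=critical (rather than yes) makes the consumer refuse to continue without TLS instead of silently falling back to a cleartext bind.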
Re: slapd replication (push based)
by Gavin Henry
> Yes, it's really messy.
Thanks, I know.
> actually my desperate need for this made me overcome my laziness.
> i compiled the slapd from source, run the tests, immediately after the
> test045 copied the slapd.1. ...slapd.3.conf files. this made me
> understand what is really going on there.
>
> my understanding is that i need to run two instances of slapd on master
> (master + proxy) proxy is pulling down changes from master and stores
> them in its backend (ldap backend pointing to slave server) all the
> rest is question of acl's.
>
> can you correct me please, if i'm wrong.
> trying to implement it right now.
You can do it in one slapd configuration/instance.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
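What the quoted design and the reply describe, written out as an added illustrative configuration (the editor's, not the thread's and not the test045 files): one slapd holds both the provider database and a back-ldap database for the same suffix whose uri points at the slave; a syncrepl consumer attached to that back-ldap database pulls every change from the local provider and back-ldap writes it through to the slave. Names, ports and credentials are placeholders, and the exact set of directives is this example's assumption.

```conf
# Added example, not from the thread. All names, ports and secrets are
# placeholders.

# 1) The real master data, exposed to consumers through syncprov.
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap/master
overlay syncprov
syncprov-checkpoint 100 10

# 2) A proxy database for the same suffix. It answers no client queries
#    (hidden + restrict all); its only job is to carry the syncrepl
#    consumer whose writes back-ldap forwards to the slave.
database ldap
hidden on
suffix "dc=example,dc=com"
rootdn "cn=slapd-ldap"
uri ldap://slave.example.com:389/
restrict all
# Identity back-ldap uses on the slave for operations run as this
# database's rootdn, which is how the consumer's writes are forwarded.
acl-bind bindmethod=simple
         binddn="cn=replicator,dc=example,dc=com"
         credentials=secret
syncrepl rid=001
         provider=ldap://localhost:389/
         binddn="cn=Manager,dc=example,dc=com"
         bindmethod=simple
         credentials=secret
         searchbase="dc=example,dc=com"
         attrs="*,+"
         type=refreshAndPersist
         retry="5 5 300 5"
```

Two points for anyone deploying this: the acl-bind identity is what actually writes to the slave, so give it a dedicated DN with write access on the slave rather than reusing the slave's rootdn, and remember that both sets of credentials sit in slapd.conf, which therefore needs the same file permissions you would give a key file.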
Problem using PLAIN SASLMechanism
by Steffen Gruner
Hi,
I have to configure a second LDAP server to store a big directory.
This server should use our primary LDAP server to check the logins.
Here is my problem:
>ldapsearch -Y PLAIN -W -D uid=root,o=yyy,c=com -b "o=yyy,c=com" -s base supportedSASLMechanisms -d1 -O maxssf=0
ldap_create
Enter LDAP Password:
ldap_sasl_interactive_bind_s: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_int_sasl_open: host=grunix
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
I have read that I have to use PLAIN because saslauthd can't use other
mechanisms; is that right? The other mechanisms don't work either :-(
Here is the result of the sasl test application:
> testsaslauthd -s ldap -u root -p yyy -f /var/run/saslauthd/mux
0: OK "Success."
And here is my configuration:
/usr/lib/sasl2/slapd.conf:
mech_list: PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 EXTERNAL
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
log_level: 7
Here is my /etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
security ssf=0
sasl-host 127.0.0.1
sasl-realm YYY.COM
sasl-secprops none
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
database bdb
suffix o=yyy,c=com
rootdn cn=admin,o=yyy,c=com
rootpw secret
directory /var/lib/openldap-data
index objectClass eq
access to dn.subtree="o=yyy,c=com"
by * read
I have entered "{SASL}root" into the userPassword attribute to forward
the password to SASL.
versions:
openldap 2.4.10
cyrus-sasl 2.1.22
Does anyone have an idea what is happening?
regards, Steffen
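An added configuration example, not the poster's file and not a fix for the -6 error: it shows the transport-protection lines of the same slapd.conf beside their posted form. With PLAIN, the password travels in the bind itself, so the "security ssf=0" and "sasl-secprops none" in the post leave it readable on the wire; the tightened form makes slapd insist on TLS first. Certificate paths are placeholders.

```conf
# Added example, not the poster's slapd.conf, and not a fix for the -6
# error above; it only shows the transport-protection lines. Certificate
# paths are placeholders.

# As posted: no minimum protection, so a PLAIN bind (or a simple bind
# that reaches {SASL}root pass-through) carries the password in clear.
#security ssf=0
#sasl-secprops none

# Tightened: operations on a connection whose security strength factor
# is below 128 are refused, so a bind is only accepted after StartTLS or
# over ldaps://. simple_bind=128 applies the same floor to userPassword
# binds, which is the path {SASL}root pass-through authentication uses.
TLSCertificateFile /etc/openldap/slapd.crt
TLSCertificateKeyFile /etc/openldap/slapd.key
security ssf=128 simple_bind=128
```

On the client side this means adding -ZZ (StartTLS, fail if it cannot be negotiated) or an ldaps:// URI to the ldapsearch command. The -O maxssf=0 already in the posted command only tells the SASL layer not to negotiate its own security layer, which is fine once TLS carries the session.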
2.4.10 slow when deleting member from large group
by Andrew Findlay
I have a server with 20,000 account entries and one group that
has 10,000 members. Deleting members from that group is very slow
on OpenLDAP 2.4.10, though adding goes at a reasonable speed.
Here is the test operation:
-----------------------------------------------------------------------
dn: uniqueIdentifier=tenK,ou=groups,uniqueIdentifier=o_000000,dc=orgs,dc=dir,dc=example,dc=com
changetype: modify
delete: member
member: uniqueIdentifier=a_004996,ou=accounts,uniqueIdentifier=o_000006,dc=orgs,dc=dir,dc=example,dc=com
-
add: member
member: uniqueIdentifier=a_999999,ou=accounts,uniqueIdentifier=o_000005,dc=orgs,dc=dir,dc=example,dc=com
-----------------------------------------------------------------------
On 2.3.42 that takes about 1s with the caches warm, but on 2.4.10
it takes almost 9s, most of which is CPU time.
The test machine has 2GB of memory and the DB_CONFIG looks like this
for BDB:
-----------------------------------------------------------------------
# memory cache size
# gigabytes bytes number-of-regions
#
set_cachesize 0 150000000 1
# Logbuffer size
# bytes
#
set_lg_bsize 2097152
# Remove the roll-forward transaction logs automatically
# This reduces the space used by the database but it also reduces
# the disaster-recovery options.
set_flags DB_LOG_AUTOREMOVE
-----------------------------------------------------------------------
There is no disk activity during most of the 9s, with a large burst
of writes at the end.
There have been various discussions about *adding* members to large
groups in the past, but the problems appeared to have been solved in recent
versions.
The problem is certainly related to indexing, as if I remove indexing
from the 'member' attribute I get times of about 0.3s on 2.4.10.
(Note: overall times are measured by timing an ldapmodify script, so
not very accurate below 0.5s)
Does anyone know why this operation should have got slower from 2.3.x
to 2.4.x ?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
ldapmodify problems
by Jason Gerfen
I am having a problem with the following command:
ldapmodify -n -v -h DOMAIN -D "CN=DOMAINADMIN" -w DOMAINADMINPASS -f
.UID2SID/modify-06.19.2008-mclame.ldif
I am not sure why this is, but if anyone could give me some pointers on
the ldapmodify command I would appreciate it.
The contents of modify-06.19.2008-mclame.ldif:
dn: CN=mclame mclame,CN=Users,DC=domain,DC=com
changetype: modify
modify: dn cn msSFUName unixHomeDirectory msSFUHomeDirectory uidNumber gidNumber loginShell
dn: CN=mclame,CN=Users,DC=domain,DC=com
cn: mclame
cn: mclame
msSFUName: mclame
unixHomeDirectory: /home/mclame
msSFUHomeDirectory: /home/mclame
uidNumber: 100002
gidNumber: 514
loginShell: /bin/false
The user currently has the following attributes:
# mclame mclame, Users, domain.com
dn: CN=mclame mclame,CN=Users,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: mclame mclame
sn: mclame
givenName: mclame
distinguishedName: CN=mclame mclame,CN=Users,DC=domain,DC=com
instanceType: 4
whenCreated: 20080619140016.0Z
whenChanged: 20080619180607.0Z
displayName: mclame mclame
uSNCreated: 4241241
uSNChanged: 4244208
name: mclame mclame
objectGUID:: uPoBsrLWmkyZZnEepncVoQ==
userAccountControl: 66048
badPwdCount: 2
codePage: 0
countryCode: 0
badPasswordTime: 128583575598392739
pwdLastSet: 128583576167656250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAL7j9qjJ2TgWHykd9b7YBAA==
accountExpires: 9223372036854775807
sAMAccountName: mclame
sAMAccountType: 805306368
userPrincipalName: mclame(a)domain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
msSFUName: mclame
--
Jas
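An added example, not the poster's file: LDIF change records do not have a "modify:" keyword. A changetype: modify record lists one add/replace/delete block per attribute, separated by lines containing a single "-", and it cannot change the entry's DN at all; renaming the entry (the posted file tries to turn CN=mclame mclame into CN=mclame) is a separate changetype: modrdn record. The values below are copied from the post; whether the AD schema accepts them on this object is an assumption of the example.

```ldif
# Added example, not the poster's file. Attribute values are taken from
# the post; accepting them is up to the target schema.
dn: CN=mclame mclame,CN=Users,DC=domain,DC=com
changetype: modify
replace: msSFUName
msSFUName: mclame
-
replace: unixHomeDirectory
unixHomeDirectory: /home/mclame
-
replace: msSFUHomeDirectory
msSFUHomeDirectory: /home/mclame
-
replace: uidNumber
uidNumber: 100002
-
replace: gidNumber
gidNumber: 514
-
replace: loginShell
loginShell: /bin/false

# Changing the RDN (and so the DN) is its own operation.
dn: CN=mclame mclame,CN=Users,DC=domain,DC=com
changetype: modrdn
newrdn: CN=mclame
deleteoldrdn: 1
```

Two notes on the command line in the post: -n makes ldapmodify a dry run, so even a correct file changes nothing until it is dropped; and -w puts the admin password in the process arguments, where any local user can read it with ps. -W (prompt) or -y with a password file readable only by you avoids that.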
nested groups
by Grzegorz Marszałek
Hello!
How do I implement nested groups in openldap? I mean server-side. I'd
like to just query a group and find out all of its members,
including those in nested groups.
Thanks in advance for help!
---
Grzegorz Marszałek
graf0(a)post.pl