openldap-software June 2008

openldap-software@openldap.org

62 participants
64 discussions

memberOf attribute indexing
by George Holbert 30 Jun '08

30 Jun '08

Hello, For a bdb-backend server that utilizes slapo-memberof and services searches filtered on memberOf, is it beneficial to configure indexes for the memberOf attribute? In other words, is memberOf stored pretty much like any other attribute, or is it computed dynamically on every search (making it "un-indexable")? Thank you for your time! -- George

2 3

finding the max value of an attribute
by openldap 28 Jun '08

28 Jun '08

Hi every when searching values in the LDAP directory, it certainly has occured to everybody to have to find the maximum value of an attribute. e.g. when defining a new user in the directory you might specify one more than the maximum value of all uidNumber attributes as the new user's uidNumber. i was looking at RFC 2254 and 4515, but could not find anything obvious. is there a way to find the maximum value of an attribute and possibly the DN to whom it belongs only using ldap-search (no perl or php prgramming)? or did i just oversee something obvious? any hint is very much appreciated. thank you very much. suomi

2 1

Log files building up with large group
by Steve Smith 27 Jun '08

27 Jun '08

Hi, I have directory with a group with ~220,000 users in it. This group is frequently updated (several times an hour). This appears to be causing the BDB transaction logs to grow very large; over the course of a day they grow to about 36GB. These all appear to be active; neither 'slapd_db_archive -d' or DB_LOG_AUTOREMOVE has any effect. Is there anything that can be done about this or is this an unavoidable side-effect of the transaction system? Thanks, Steve

3 5

Query regarding the Transaction Management support in OpenLDAP
by kumar.nitin＠wipro.com 27 Jun '08

27 Jun '08

Hi, This is the query regarding the Transaction Management support in OpenLDAP. We are planning to use OpenLDAP in our project. We are using bdb as back-end. We have explored so many things in OpenLDAP but couldn't find whether Transaction Management (commit, rollback in case of failure) is possible in OpenLDAP. If it is possible please let us know how we can configure it. If you need more information, please let me know. With Regards, Nitin Kumar +91-9999499757 Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

1 0

ppolicy+syncrpl: pwd* attributes lost
by Chris G. Sellers 26 Jun '08

26 Jun '08

I have n-way multimaster replication setup. Works great. I have slapo_ppolicy setup, it too works. the problem I appear to have is that whichever server does the password change, the pwd* attributes are set, and then removed from the other server. So, if I do a password change on server1, the record for user A on server1 shows pwdChangedTime The record for user A on server2 shows the modificationTime but the pwdChangedTime is deleted The same goes if I use server2 and look at server1. At first, I thought it may be due to the clear_hash setting, but that didn't seem to make an impact. Any ideas? I know I must have something missing but I'm just not seeing it. --- password-hash {SSHA} ########################################################################### database bdb suffix "dc=nitle,dc=org" rootdn "cn=MASTERUSER,dc=nitle,dc=org" rootpw {SSHA}WAYTOOSECRETFORYOU directory /home/ldap/openldap/var/openldap-data serverID 1 limits dn.exact="cn=mirroruser,ou=ou,dc=nitle,dc=org" size=unlimited time=unlimited syncrepl rid=010 provider=ldap://ldapserveronoe.nitle.org:999999999 binddn="cn=mirroruser,ou=ou,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 schemachecking=off starttls=yes attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog syncrepl rid=011 provider=ldap://ldapserverTwo.nitle.org:999999999 binddn="cn=ldap`1,dc=nitle,dc=org" bindmethod=simple credentials=OOOOOHHHH searchbase="dc=nitle,dc=org" type=refreshAndPersist schemachecking=off scope=sub interval=00:00:00:10 retry="15 5 300 +" timeout=1 starttls=yes attrs = "*,structuralObjectClass ,entryUUID ,entryCSN ,creatorsName ,createTimestamp,modifiersName,modifyTimestamp,pwdPolicySubentry" # syncdata=accesslog overlay syncprov mirrormode true ## INDICES TO MAINTAIN index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq ## PASSWORD POLICY OVERLAY ## overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=nitle,dc=org" ppolicy_hash_cleartext # ppolicy_use_lockout ++++++++++++++++++++++++++++++++++++++ Chris G. Sellers | Internet Engineer | NITLE 734.661.2318 | chris.sellers(a)nitle.org Jabber: csellers(a)nitle.org | AIM: imthewherd

5 7

Re: slapd replication (push based)
by Gavin Henry 26 Jun '08

26 Jun '08

> Yes, it's really messy. Thanks, I know. > actually my desperate need for this made me overcome my laziness. > i compiled the slapd from source, run the tests, immediately after the > test045 copied the slapd.1. ...slapd.3.conf files. this made me > understand what is really going on there. > > my understanding is that i need to run two instances of slapd on master > (master + proxy) proxy is pulling down changes from master and stores > them in it's backend (ldap backend pointing to slave server) all the > rest is question of acl's. > > can you correct me please, if i'm wrong. > trying to implement it right now. You can do it in one slapd configuration/instance. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

1 0

Problem using PLAIN SASLMechanism
by Steffen Gruner 26 Jun '08

26 Jun '08

Hi, I have to configure an second LDAP Server to store an big directory. This server should use our primary LDAP server to check the logins. Here My Problem: >ldapsearch -Y PLAIN -W -D uid=root,o=yyy,c=com -b "o=yyy,c=com" -s base supportedSASLMechanisms -d1 -O maxssf=0 ldap_create Enter LDAP Password: ldap_sasl_interactive_bind_s: user selected: PLAIN ldap_int_sasl_bind: PLAIN ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 127.0.0.1:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_int_sasl_open: host=grunix ldap_err2string ldap_sasl_interactive_bind_s: Unknown authentication method (-6) I have read I have to use PLAIN because of saslauthd can't use other mechanisms, is that right? The other mechanisms don't work also :-( Here the result of the sasl test application: > testsaslauthd -s ldap -u root -p yyy -f /var/run/saslauthd/mux 0: OK "Success." And here my configuration: /usr/lib/sasl2/slapd.conf: mech_list: PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 EXTERNAL pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux log_level: 7 Here my /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args security ssf=0 sasl-host 127.0.0.1 sasl-realm YYY.COM sasl-secprops none access to dn.base="" by * read access to dn.base="cn=Subschema" by * read database bdb suffix o=yyy,c=com rootdn cn=admin,o=yyy,c=com rootpw secret directory /var/lib/openldap-data index objectClass eq access to dn.subtree="o=yyy,c=com" by * read I have entered "{SASL}root" to the userPassword attribute to forward the password to SASL. versions: openldap 2.4.10 cyrus-sasl 2.1.22 Has anyone an Idea what happens? regards, Steffen

2 1

2.4.10 slow when deleting member from large group
by Andrew Findlay 25 Jun '08

25 Jun '08

I have a server with 20,000 account entries and one group that has 10,000 members. Deleting members from that group is very slow on OpenLDAP 2.4.10, though adding goes at a reasonable speed. Here is the test operation: ----------------------------------------------------------------------- dn: uniqueIdentifier=tenK,ou=groups,uniqueIdentifier=o_000000,dc=orgs,dc=dir,dc=example,dc=com changetype: modify delete: member member: uniqueIdentifier=a_004996,ou=accounts,uniqueIdentifier=o_000006,dc=orgs,dc=dir,dc=example,dc=com - add: member member: uniqueIdentifier=a_999999,ou=accounts,uniqueIdentifier=o_000005,dc=orgs,dc=dir,dc=example,dc=com ----------------------------------------------------------------------- On 2.3.42 that takes about 1s with the caches warm, but on 2.4.10 it takes almost 9s, most of which is CPU time. The test machine has 2GB of memory and the DB_CONFIG looks like this for BDB: ----------------------------------------------------------------------- # memory cache size # gigabytes bytes number-of-regions # set_cachesize 0 150000000 1 # Logbuffer size # bytes # set_lg_bsize 2097152 # Remove the roll-forward transaction logs automatically # This reduces the space used by the database but it also reduces # the disaster-recovery options. set_flags DB_LOG_AUTOREMOVE ----------------------------------------------------------------------- There is no disk activity during most of the 9s, with a large burst of writes at the end. There have been various discussions about *adding* members to large groups in the past, but the problems appeared to have been solved in recent versions. The problem is certainly related to indexing, as if I remove indexing from the 'member' attribute I get times of about 0.3s on 2.4.10. (Note: overall times are measured by timing an ldapmodify script, so not very accurate below 0.5s) Does anyone know why this operation should have got slower from 2.3.x to 2.4.x ? Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

3 4

ldapmodify problems
by Jason Gerfen 24 Jun '08

24 Jun '08

I am having a problem with the following command: ldapmodify -n -v -h DOMAIN -D "CN=DOMAINADMIN" -w DOMAINADMINPASS -f .UID2SID/modify-06.19.2008-mclame.ldif I am not sure why this is but if anyone could give me some pointers on the ldapmodify command I would appreciate it. The contents of the modify-06.19.2008-mclame.ldif dn: CN=mclame mclame,CN=Users,DC=domain,DC=com changetype: modify modify: dn cn msSFUName unixHomeDirectory msSFUHomeDirectory uidNumber gidNumber loginShell dn: CN=mclame,CN=Users,DC=domain,DC=com cn: mclame cn: mclame msSFUName: mclame unixHomeDirectory: /home/mclame msSFUHomeDirectory: /home/mclame uidNumber: 100002 gidNumber: 514 loginShell: /bin/false The user currently has the following attributes: # mclame mclame, Users, domain.com dn: CN=mclame mclame,CN=Users,DC=domain,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: mclame mclame sn: mclame givenName: mclame distinguishedName: CN=mclame mclame,CN=Users,DC=domain,DC=com instanceType: 4 whenCreated: 20080619140016.0Z whenChanged: 20080619180607.0Z displayName: mclame mclame uSNCreated: 4241241 uSNChanged: 4244208 name: mclame mclame objectGUID:: uPoBsrLWmkyZZnEepncVoQ== userAccountControl: 66048 badPwdCount: 2 codePage: 0 countryCode: 0 badPasswordTime: 128583575598392739 pwdLastSet: 128583576167656250 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAL7j9qjJ2TgWHykd9b7YBAA== accountExpires: 9223372036854775807 sAMAccountName: mclame sAMAccountType: 805306368 userPrincipalName: mclame(a)domain.com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com msSFUName: mclame -- Jas

4 5

nested groups
by Grzegorz Marszałek 23 Jun '08

23 Jun '08

Hello! How to implement nested groups in openldap? I mean - server side. I'd like to just to query group and find out all of it's members, including those in nested groups. Thanks in advance for help! --- Grzegorz Marszałek graf0(a)post.pl

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2008