openldap-software June 2008

openldap-software@openldap.org

62 participants
64 discussions

Re: Pls help:delete missing in multi-master environment
by Gavin Henry 10 Jun '08

10 Jun '08

ST Wong (ITSC) wrote: > Hi, > > Just upgraded to 2.4.10. Seems the problem persists. The problem can > be simulated by running copies of perl script to add/delete the same set > of users simultaneously, e.g. > > add a001 - a100 & > delete a001 - a100 & > > or > > add a100 - a100 & > add a100 - a100 & > > There is no problem if multiple threads of add/delete are running, when > operating on different sets of users. Thanks. > Can you please file an ITS with all your details etc. Thanks. -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

1 0

Don't proxy search references
by Andrew Graham 10 Jun '08

10 Jun '08

*** Before acting on this email or opening any attachment you are advised to read the disclaimer at the end of this email *** Hi All, When using the meta backend to amalgamate many ldap servers, is there an option I can set to stop openldap from propagating search references sent from the targets? Thanks is advance! Best Regards, Andrew Graham Andrew Graham AgustaWestland UK andrew.graham(a)agustawestland.com *** Disclaimer *** The information contained in this E-Mail and any subsequent correspondence may be subject to the Export Control Act (ECA) 2002. The content is private and is intended solely for the recipient(s). For those other than the recipient any disclosure, copying, distribution, or action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful. If received in error please return to sender immediately. Under the laws of England misuse of information that is subject to the ECA 2002, is a criminal offence. Westland Helicopters Ltd Lysander Road Yeovil BA20 2YB England Registered in England under No 604352

1 0

does slapadd create a corrupt ldap-database?
by openldap 09 Jun '08

09 Jun '08

hi every upgrading to fedora 9, which comes with penldap-servers-2.4.8-3.fc9.i386 using sleepycat as backend db. from the last backup i took the slapcat of the ldap database for new creation on the fedora 9 server. ./slapadd -c -l slapcat.file.ldif /etc/init.d/ldap start first connections to the ldap-server were successful, searches also. then, i locally used the ldap-server for pam-ldap by changing the server uri in /etc/ldap.conf accordingly. and as far as pam-ladp is concerned, nothing worked as expected. it took me 6 hours to find out that the index in the ldap database for the attribute uidNumber had not been created. i stopped slapd ./slapindex -c i restarted slapd. now, pam-ldap works as expected. suomi

2 1

SIGSEV in slapd (ad.c) on Solaris 10
by Duncan Brannen 09 Jun '08

09 Jun '08

I'm still seeing SIGSEV's regularly on the busier of our ldap servers (800K connections/day, 20-20K search ops per connection) What I can't get is a reproducible case. It happens far more often on the busier server and not at all on the least loaded servers. It's only happening under SPARC, using the debian install on x86 hardware seems stable. Any pointers for getting a reproducable case, and what should I be trying to get out of the core files above the basic trace below? (Parse the logfiles with perl and replay?) If anyone else is using a recent 2.3.x or 2.4 build on Solaris, can they tell me if my build environment is sane before I try upgrading to 2.4.10? Cheers, Duncan DB_CONFIG # set_cachesize 0 209715200 1 set_lg_dir /trans_logs set_lg_regionmax 262144 set_lg_bsize 2097152 set_lg_max 16777216 set_tmp_dir /tmp set_flags DB_LOG_AUTOREMOVE --- Build Environment LDFLAGS=-R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/sfw/lib CPPFLAGS=-I/usr/local/include -I/usr/local/ssl/include -I/usr/sfw/include LD=/usr/ccs/bin/ld -R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib setenv PATH "/usr/ccs/bin/:/usr/bin:/bin:/usr/sbin:/opt/local/bin:/usr/sfw/bin:/usr/local/bin" setenv LDFLAGS "-R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/sfw/lib" setenv CPPFLAGS "-I/usr/local/include -I/usr/local/ssl/include -I/usr/sfw/include" setenv LD "/usr/ccs/bin/ld -R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib" --- Configured with ./configure --disable-ipv6 --with-cyrus-sasl --with-tls --enable-dynamic --enable-slapd --enable-modules --enable-spasswd --enable-rewrite --enable-rlookups --enable-wrappers --enable-hdb --enable-monitor --disable-shell --disable-sql --enable-overlays=mod --enable-crypt --- Compiled with gcc 3.4.3, I've tried Sun Studio as well but experienced similar crashes. dbx gives me the following output For information about new features see `help changes' To remove this message, put `dbxenv suppress_startup_message 7.4' in your .dbxrc Reading slapd core file header read successfully Reading ld.so.1 Reading libldap_r-2.4.so.2.0.4 Reading liblber-2.4.so.2.0.4 Reading libltdl.so.3.1.5 Reading libdb-4.6.so Reading librt.so.1 Reading libpthread.so.1 Reading libicuuc.so.2 Reading libicudata.so.2 Reading libsasl2.so.2.0.22 Reading libdl.so.1 Reading libssl.so.0.9.8 Reading libcrypto.so.0.9.8 Reading libresolv.so.2 Reading libgen.so.1 Reading libnsl.so.1 Reading libsocket.so.1 Reading libc.so.1 Reading libgcc_s.so.1 Reading libgcc_s.so.1 Reading libaio.so.1 Reading libmd5.so.1 Reading libm.so.2 Reading libCrun.so.1 Reading libc_psr.so.1 Reading libgssapiv2.so.2.0.22 Reading libgssapi.so.4.0.0 Reading libkrb5.so.17.4.0 Reading libasn1.so.6.1.0 Reading libroken.so.16.1.0 Reading libcom_err.so.1.1.3 Reading libncurses.so.5.4 Reading libdoor.so.1 Reading libscf.so.1 Reading libuutil.so.1 Reading libmd5_psr.so.1 Reading libmp.so.2 Reading liblogin.so.2.0.22 Reading libplain.so.2.0.22 Reading syncprov-2.4.so.2.0.4 t@1 (l@1) terminated by signal KILL (Killed) 0xfe4bd61c: __lwp_wait+0x0008: bcc,a,pt %icc,__lwp_wait+0x18 ! 0xfe4bd62c Current function is slapd_daemon 2644 ldap_pvt_thread_join( listener_tid, (void *)NULL ); (dbx) threads > t@1 a l@1 ?() LWP suspended in __lwp_wait() t@3 a l@3 slapd_daemon_task() LWP suspended in __pollsys() t@4 a l@4 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() t@5 a l@5 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() t@6 a l@6 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() t@7 a l@7 ldap_int_thread_pool_wrapper() LWP suspended in ch_malloc() t@8 a l@8 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() t@9 a l@9 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() t@10 a l@10 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() t@11 a l@11 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() t@12 a l@12 ldap_int_thread_pool_wrapper() sleep on 0x1dad38 in __lwp_park() o t@13 a l@13 ldap_int_thread_pool_wrapper() signal SIGSEGV in is_ad_subtype() (dbx) thread t@13 t@13 (l@13) stopped in is_ad_subtype at line 489 in file "ad.c" 489 for ( a = sub->ad_type; a; a=a->sat_sup ) { (dbx) where current thread: t@13 =>[1] is_ad_subtype(sub = (nil), super = 0x1f81b0), line 489 in "ad.c" [2] attrs_find(a = 0x499014, desc = 0x1f81b0), line 647 in "attr.c" [3] test_ava_filter(op = 0x6645a90, e = 0x25738c, ava = 0x9eddee4, type = 163), line 615 in "filterentry.c" [4] test_filter(op = 0x6645a90, e = 0x25738c, f = 0x9eddf04), line 98 in "filterentry.c" [5] hdb_search(op = 0x6645a90, rs = 0xe87ffcb8), line 845 in "search.c" [6] overlay_op_walk(op = 0x6645a90, rs = 0xe87ffcb8, which = 32768, oi = 0x15c540, on = 0x8000), line 653 in "backover.c" [7] over_op_func(op = 0x6645a90, rs = 0xe87ffcb8, which = op_search), line 705 in "backover.c" [8] fe_op_search(op = 0x6645a90, rs = 0xe87ffcb8), line 368 in "search.c" [9] do_search(op = 0x6645a90, rs = 0xe87ffcb8), line 217 in "search.c" [10] connection_operation(ctx = 0xe87ffe08, arg_v = 0x6645a90), line 1084 in "connection.c" [11] connection_read_thread(ctx = 0xe87ffe08, argv = 0xe), line 1211 in "connection.c" [12] ldap_int_thread_pool_wrapper(xpool = 0x1dad18), line 625 in "tpool.c" (dbx) lsit lsit: not found (dbx) list 489 for ( a = sub->ad_type; a; a=a->sat_sup ) { 490 if ( a == super->ad_type ) break; 491 } 492 if( !a ) { 493 return 0; 494 } 495 496 /* ensure sub does support all flags of super */ 497 lr = sub->ad_tags.bv_len ? SLAP_DESC_TAG_RANGE : 0; 498 if(( super->ad_flags & ( sub->ad_flags | lr )) != super->ad_flags ) { (dbx) print *a dbx: reference through nil pointer (dbx) quit -- The University of St Andrews is a charity registered in Scotland : No SC013532

1 0

Re: can syncrepl do this?
by Michael Ströder 09 Jun '08

09 Jun '08

Stefano, please stay on the mailing list. Stefano Zanmarchi wrote: > On Fri, Jun 6, 2008 at 7:04 PM, Michael Ströder <michael(a)stroeder.com> wrote: >> Stefano Zanmarchi wrote: >>> I need to replicate in my local openldap server all the entries in a >>> given subtree of a >>> remote openldap server, but the two DITs differ. >>> That means I'd like to replicate all entries under >>> "dc=people,dc=A,dc=it" (remote server) >>> to "dc=employees,dc=B,dc=it" (local server). >>> >>> Can syncrepl do that? Or is there another way to obtain this? >> Some setup with slapo-rwm comes to mind. > so I believe this means syncrepl can't map a DIT fragment onto a DIT fragment > with a different suffix. Yes. But since syncrepl works with search requests one could try to map things with slapo-rwm. But note that it can get tricky. I didn't try that my self. Maybe it would be easier to consolidate name spaces. You could also replicate the original name space and then map search requests at your local server to the name spaces wanted. Ciao, Michael.

1 0

StartTLS with a host alias
by Robert Minsk 07 Jun '08

07 Jun '08

My cert on my LDAP server contains multiple commonName entries. > openssl x509 -noout -in s014-ldap-cert.pem -subject subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com The LDAP server FQHN is s014.cgi.foobar.com and has aliases of ldap1.cgi.foobar.com and s14.cgi.foobar.com. All hostname resolution is done with our internal DNS servers and they all have the correct FQHN and aliases. On my secondary mirror LDAP server I have syncrepl setup to use the hostname alias ldap1.cgi.foobar.com syncrepl ... provider=ldap://ldap1.cgi.foobar.com starttls=critical ... and that works fine. When I have my ldap.conf with: URI ldap://s014.cgi.foobar.com the command "ldapsearch -x -ZZ" works just fine. When I change my ldap.conf to: URI ldap://ldap1.cgi.foobar.com the command "ldapsearch -x -ZZ" returns ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate. It seems the openldap library is only checking the first CN in the certificate and not all the others. Is there any way to have it check the other CN entries in the cert?

3 4

Re: can syncrepl do this?
by Michael Ströder 06 Jun '08

06 Jun '08

Stefano Zanmarchi wrote: > Hi, > I need to replicate in my local openldap server all the entries in a > given subtree of a > remote openldap server, but the two DITs differ. > That means I'd like to replicate all entries under > "dc=people,dc=A,dc=it" (remote server) > to "dc=employees,dc=B,dc=it" (local server). > > Can syncrepl do that? Or is there another way to obtain this? Some setup with slapo-rwm comes to mind. Ciao, Michael.

1 0

using slapo-pcache with an empty attr list
by Toby Blake 05 Jun '08

05 Jun '08

Hi all, I'm doing a bit of playing with slapo-pcache and have it working fairly well (particularly once I realised that an individual attr can live in only one proxyattrset). However, there's one bit that I can't get working - is there any way to define a template that will match a search which doesn't provide an attr list? i.e. I can see quite a few searches (presumably from amd) of the following form (spacing and formatting changed by me to make it more readable): Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SRCH base="dc=inf,dc=ed,dc=ac,dc=uk" scope=2 deref=0 filter="(&(objectClass=amdmap)(amdmapName=home)(amdmapKey=root))" Jul 23 14:54:16 host1 slapd[26671]: query template of incoming query = (&(objectClass=)(amdmapName=)(amdmapKey=)) Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT ANSWERABLE Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT CACHEABLE Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Note that there's no 'SRCH attr=' line. I've tried proxyattrset of the following forms... proxyattrset 1 * proxyattrset 1 (both of which crash slapd) And also proxyattrset 1 <full list of attrs returned when none specified> .... but this didn't work either. Thanks in advance for any advice, Cheers Toby Blake School of Informatics University of Edinburgh

3 8

OpenLDAP as proxy for another LDAP-Server [Virus checked]
by ems＠Sparkassen-Informatik.de 03 Jun '08

03 Jun '08

Hello, in the mailing list's archive is a lot of stuff about OpenLDAP as proxy for another LDAP-Server using the ldap/meta backend, but I didn't find an answere of my question (it's possible that I don't see the wood for the trees). I've the following problem: Our OpenLDAP get's an request which contained a User-ID and Password from a LDAP-Client. Our OpenLDAP propagate the authentification (User-ID, Password) of the request to another LDAP-Server using the ldap/meta backend. If the authentification is o.k. our OpenLDAP contributes the reamining attributes (tel. number, surname etc.) and gives they back to the requester. I need as a response of a request an interaction of two LDAP-Server. From the other LDAP-Server the authentification and if successfull from our LDAP-Server the attributes. Is there a fair chance to get a solution using the ldap/meta backend. Thanks in advance for your efforts Klaus

6 9

Use wildcard on ipHostNumber and gidNumber attribute
by Thibaut VdK 03 Jun '08

03 Jun '08

Hello, I'm using OpenLDAP 2.3.3 (debian etch package). I'm trying to use a wildcard in a ldapsearch like this : ldapsearch -x -W -D "cn=admin,dc=planetb,dc=fr" "ipHostNumber=10.10.*" This search return any results. I know that I can't use a wildcard on a ipHostNumber attribut because it don't have SUBSTR MatchingRules. So i try to change my nis.scema like this : attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IP address' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) But, the seach always return any results. I would like know how to force substr search on this attribute ! It is possible ? And it is possible on attribute "gidNumber" too? Thanks ! Thibaut Vdk. (Sorry for my english)

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2008