Re: Pls help:delete missing in multi-master environment
by Gavin Henry
ST Wong (ITSC) wrote:
> Hi,
>
> Just upgraded to 2.4.10. Seems the problem persists. The problem can
> be simulated by running copies of perl script to add/delete the same set
> of users simultaneously, e.g.
>
> add a001 - a100 &
> delete a001 - a100 &
>
> or
>
> add a100 - a100 &
> add a100 - a100 &
>
> There is no problem if multiple threads of add/delete are running, when
> operating on different sets of users. Thanks.
>
Can you please file an ITS with all your details etc.
Thanks.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
15 years, 3 months
Don't proxy search references
by Andrew Graham
Hi All,
When using the meta backend to amalgamate many ldap servers, is there
an option I can set to stop openldap from propagating search references
sent from the targets?
Thanks in advance!
Best Regards,
Andrew Graham
Andrew Graham
AgustaWestland UK
andrew.graham(a)agustawestland.com
15 years, 3 months
does slapadd create a corrupt ldap-database?
by openldap
hi every
upgrading to fedora 9, which comes with openldap-servers-2.4.8-3.fc9.i386
using sleepycat as backend db.
from the last backup i took the slapcat of the ldap database for new
creation on the fedora 9 server.
./slapadd -c -l slapcat.file.ldif
/etc/init.d/ldap start
first connections to the ldap-server were successful, searches also.
then, i locally used the ldap-server for pam-ldap by changing the server
uri in /etc/ldap.conf accordingly.
and as far as pam-ldap is concerned, nothing worked as expected.
it took me 6 hours to find out that the index in the ldap database for
the attribute uidNumber had not been created.
i stopped slapd
./slapindex -c
i restarted slapd.
now, pam-ldap works as expected.
suomi
15 years, 3 months
SIGSEGV in slapd (ad.c) on Solaris 10
by Duncan Brannen
I'm still seeing SIGSEGVs regularly on the busier of our ldap servers (800K connections/day, 20-20K search ops per connection).
What I can't get is a reproducible case. It happens far more often on the busier server and not at all on the least loaded servers. It's only happening under SPARC, using the debian install on x86 hardware seems stable. Any pointers for getting a reproducible case, and what should I be trying to get out of the core files above the basic trace below? (Parse the logfiles with perl and replay?)
If anyone else is using a recent 2.3.x or 2.4 build on Solaris, can they tell me if my build environment is sane before I try upgrading to 2.4.10?
Cheers,
Duncan
DB_CONFIG
#
set_cachesize 0 209715200 1
set_lg_dir /trans_logs
set_lg_regionmax 262144
set_lg_bsize 2097152
set_lg_max 16777216
set_tmp_dir /tmp
set_flags DB_LOG_AUTOREMOVE
---
Build Environment
LDFLAGS=-R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/sfw/lib
CPPFLAGS=-I/usr/local/include -I/usr/local/ssl/include -I/usr/sfw/include
LD=/usr/ccs/bin/ld -R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib
setenv PATH "/usr/ccs/bin/:/usr/bin:/bin:/usr/sbin:/opt/local/bin:/usr/sfw/bin:/usr/local/bin"
setenv LDFLAGS "-R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/sfw/lib"
setenv CPPFLAGS "-I/usr/local/include -I/usr/local/ssl/include -I/usr/sfw/include"
setenv LD "/usr/ccs/bin/ld -R/usr/sfw/lib:/usr/local/ssl/lib:/usr/local/lib"
---
Configured with
./configure --disable-ipv6 --with-cyrus-sasl --with-tls --enable-dynamic
--enable-slapd --enable-modules --enable-spasswd --enable-rewrite
--enable-rlookups --enable-wrappers --enable-hdb --enable-monitor
--disable-shell --disable-sql --enable-overlays=mod --enable-crypt
---
Compiled with gcc 3.4.3, I've tried Sun Studio as well but experienced
similar crashes.
dbx gives me the following output
For information about new features see `help changes'
To remove this message, put `dbxenv suppress_startup_message 7.4' in
your .dbxrc
Reading slapd
core file header read successfully
Reading ld.so.1
Reading libldap_r-2.4.so.2.0.4
Reading liblber-2.4.so.2.0.4
Reading libltdl.so.3.1.5
Reading libdb-4.6.so
Reading librt.so.1
Reading libpthread.so.1
Reading libicuuc.so.2
Reading libicudata.so.2
Reading libsasl2.so.2.0.22
Reading libdl.so.1
Reading libssl.so.0.9.8
Reading libcrypto.so.0.9.8
Reading libresolv.so.2
Reading libgen.so.1
Reading libnsl.so.1
Reading libsocket.so.1
Reading libc.so.1
Reading libgcc_s.so.1
Reading libgcc_s.so.1
Reading libaio.so.1
Reading libmd5.so.1
Reading libm.so.2
Reading libCrun.so.1
Reading libc_psr.so.1
Reading libgssapiv2.so.2.0.22
Reading libgssapi.so.4.0.0
Reading libkrb5.so.17.4.0
Reading libasn1.so.6.1.0
Reading libroken.so.16.1.0
Reading libcom_err.so.1.1.3
Reading libncurses.so.5.4
Reading libdoor.so.1
Reading libscf.so.1
Reading libuutil.so.1
Reading libmd5_psr.so.1
Reading libmp.so.2
Reading liblogin.so.2.0.22
Reading libplain.so.2.0.22
Reading syncprov-2.4.so.2.0.4
t@1 (l@1) terminated by signal KILL (Killed)
0xfe4bd61c: __lwp_wait+0x0008: bcc,a,pt %icc,__lwp_wait+0x18 !
0xfe4bd62c
Current function is slapd_daemon
2644 ldap_pvt_thread_join( listener_tid, (void *)NULL );
(dbx) threads
> t@1 a l@1 ?() LWP suspended in __lwp_wait()
t@3 a l@3 slapd_daemon_task() LWP suspended in __pollsys()
t@4 a l@4 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
t@5 a l@5 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
t@6 a l@6 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
t@7 a l@7 ldap_int_thread_pool_wrapper() LWP suspended in
ch_malloc()
t@8 a l@8 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
t@9 a l@9 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
t@10 a l@10 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
t@11 a l@11 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
t@12 a l@12 ldap_int_thread_pool_wrapper() sleep on 0x1dad38
in __lwp_park()
o t@13 a l@13 ldap_int_thread_pool_wrapper() signal SIGSEGV in
is_ad_subtype()
(dbx) thread t@13
t@13 (l@13) stopped in is_ad_subtype at line 489 in file "ad.c"
489 for ( a = sub->ad_type; a; a=a->sat_sup ) {
(dbx) where
current thread: t@13
=>[1] is_ad_subtype(sub = (nil), super = 0x1f81b0), line 489 in "ad.c"
[2] attrs_find(a = 0x499014, desc = 0x1f81b0), line 647 in "attr.c"
[3] test_ava_filter(op = 0x6645a90, e = 0x25738c, ava = 0x9eddee4,
type = 163), line 615 in "filterentry.c"
[4] test_filter(op = 0x6645a90, e = 0x25738c, f = 0x9eddf04), line 98
in "filterentry.c"
[5] hdb_search(op = 0x6645a90, rs = 0xe87ffcb8), line 845 in "search.c"
[6] overlay_op_walk(op = 0x6645a90, rs = 0xe87ffcb8, which = 32768, oi
= 0x15c540, on = 0x8000), line 653 in "backover.c"
[7] over_op_func(op = 0x6645a90, rs = 0xe87ffcb8, which = op_search),
line 705 in "backover.c"
[8] fe_op_search(op = 0x6645a90, rs = 0xe87ffcb8), line 368 in "search.c"
[9] do_search(op = 0x6645a90, rs = 0xe87ffcb8), line 217 in "search.c"
[10] connection_operation(ctx = 0xe87ffe08, arg_v = 0x6645a90), line
1084 in "connection.c"
[11] connection_read_thread(ctx = 0xe87ffe08, argv = 0xe), line 1211
in "connection.c"
[12] ldap_int_thread_pool_wrapper(xpool = 0x1dad18), line 625 in "tpool.c"
(dbx) lsit
lsit: not found
(dbx) list
489 for ( a = sub->ad_type; a; a=a->sat_sup ) {
490 if ( a == super->ad_type ) break;
491 }
492 if( !a ) {
493 return 0;
494 }
495
496 /* ensure sub does support all flags of super */
497 lr = sub->ad_tags.bv_len ? SLAP_DESC_TAG_RANGE : 0;
498 if(( super->ad_flags & ( sub->ad_flags | lr )) !=
super->ad_flags ) {
(dbx) print *a
dbx: reference through nil pointer
(dbx) quit
--
The University of St Andrews is a charity registered in Scotland : No SC013532
15 years, 3 months
Re: can syncrepl do this?
by Michael Ströder
Stefano,
please stay on the mailing list.
Stefano Zanmarchi wrote:
> On Fri, Jun 6, 2008 at 7:04 PM, Michael Ströder <michael(a)stroeder.com> wrote:
>> Stefano Zanmarchi wrote:
>>> I need to replicate in my local openldap server all the entries in a
>>> given subtree of a
>>> remote openldap server, but the two DITs differ.
>>> That means I'd like to replicate all entries under
>>> "dc=people,dc=A,dc=it" (remote server)
>>> to "dc=employees,dc=B,dc=it" (local server).
>>>
>>> Can syncrepl do that? Or is there another way to obtain this?
>> Some setup with slapo-rwm comes to mind.
> so I believe this means syncrepl can't map a DIT fragment onto a DIT fragment
> with a different suffix.
Yes. But since syncrepl works with search requests one could try to map
things with slapo-rwm. But note that it can get tricky. I didn't try
that myself.
Maybe it would be easier to consolidate name spaces. You could also
replicate the original name space and then map search requests at your
local server to the name spaces wanted.
Ciao, Michael.
15 years, 3 months
StartTLS with a host alias
by Robert Minsk
My cert on my LDAP server contains multiple commonName entries.
> openssl x509 -noout -in s014-ldap-cert.pem -subject
subject= /C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com
The LDAP server FQHN is s014.cgi.foobar.com and has aliases of ldap1.cgi.foobar.com and s14.cgi.foobar.com. All hostname resolution is done with our internal DNS servers and they all have the correct FQHN and aliases.
On my secondary mirror LDAP server I have syncrepl setup to use the hostname alias ldap1.cgi.foobar.com
syncrepl ... provider=ldap://ldap1.cgi.foobar.com starttls=critical ...
and that works fine.
When I have my ldap.conf with:
URI ldap://s014.cgi.foobar.com
the command "ldapsearch -x -ZZ" works just fine.
When I change my ldap.conf to:
URI ldap://ldap1.cgi.foobar.com
the command "ldapsearch -x -ZZ" returns
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate.
It seems the openldap library is only checking the first CN in the certificate and not all the others. Is there any way to have it check the other CN entries in the cert?
15 years, 3 months
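An added example, not part of the original post and not OpenLDAP's code: a small Python model of the mismatch described above, comparing a check that looks at a single CN (the behaviour the poster suspects) with a strict check that uses subjectAltName dNSName entries. The SAN list is constructed for illustration, since the post shows only the certificate subject, and the function names are hypothetical.

```python
import re

# Subject string as printed by the openssl command in the post above.
SUBJECT = ("/C=US/ST=California/O=FooBar/CN=s014.cgi.foobar.com"
           "/CN=ldap1.cgi.foobar.com/CN=s14.cgi.foobar.com")

# Constructed: dNSName entries a reissued certificate could carry.
SAN_DNS = ["s014.cgi.foobar.com", "ldap1.cgi.foobar.com", "s14.cgi.foobar.com"]


def subject_cns(oneline):
    """Return the CN values, in order, from an OpenSSL one-line subject."""
    pairs = re.findall(r"/([A-Za-z]+)=([^/]*)", oneline)
    return [value for key, value in pairs if key == "CN"]


def name_matches(pattern, host):
    """Case-insensitive DNS comparison; '*' may replace only the leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards that would cover a whole top-level domain.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def first_cn_only(host, subject):
    """Model of the suspected behaviour: compare one CN and ignore the rest."""
    cns = subject_cns(subject)
    return bool(cns) and name_matches(cns[0], host)


def san_preferred(host, subject, san_dns=()):
    """Strict model (as in RFC 6125): if dNSName entries exist, only they count."""
    if san_dns:
        return any(name_matches(name, host) for name in san_dns)
    return first_cn_only(host, subject)


if __name__ == "__main__":
    for host in ("s014.cgi.foobar.com", "ldap1.cgi.foobar.com"):
        print(host, "CN-only:", first_cn_only(host, SUBJECT),
              "with SAN:", san_preferred(host, SUBJECT, SAN_DNS))
```

Under the strict model a certificate that carries any dNSName entries is matched on those alone, so the canonical host name has to be listed there along with the aliases.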
Re: can syncrepl do this?
by Michael Ströder
Stefano Zanmarchi wrote:
> Hi,
> I need to replicate in my local openldap server all the entries in a
> given subtree of a
> remote openldap server, but the two DITs differ.
> That means I'd like to replicate all entries under
> "dc=people,dc=A,dc=it" (remote server)
> to "dc=employees,dc=B,dc=it" (local server).
>
> Can syncrepl do that? Or is there another way to obtain this?
Some setup with slapo-rwm comes to mind.
Ciao, Michael.
15 years, 3 months
using slapo-pcache with an empty attr list
by Toby Blake
Hi all,
I'm doing a bit of playing with slapo-pcache and have it working
fairly well (particularly once I realised that an individual attr can
live in only one proxyattrset).
However, there's one bit that I can't get working - is there any way
to define a template that will match a search which doesn't provide an
attr list?
i.e. I can see quite a few searches (presumably from amd) of the
following form (spacing and formatting changed by me to make it more
readable):
Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1
SRCH base="dc=inf,dc=ed,dc=ac,dc=uk" scope=2 deref=0
filter="(&(objectClass=amdmap)(amdmapName=home)(amdmapKey=root))"
Jul 23 14:54:16 host1 slapd[26671]: query template of incoming query =
(&(objectClass=)(amdmapName=)(amdmapKey=))
Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT ANSWERABLE
Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT CACHEABLE
Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SEARCH RESULT tag=101
err=0 nentries=0 text=
Note that there's no 'SRCH attr=' line.
I've tried proxyattrset of the following forms...
proxyattrset 1 *
proxyattrset 1
(both of which crash slapd)
And also
proxyattrset 1 <full list of attrs returned when none specified>
.... but this didn't work either.
Thanks in advance for any advice,
Cheers
Toby Blake
School of Informatics
University of Edinburgh
15 years, 3 months
OpenLDAP as proxy for another LDAP-Server [Virus checked]
by ems@Sparkassen-Informatik.de
Hello,
in the mailing list's archive is a lot of stuff about OpenLDAP as proxy
for another LDAP-Server using the ldap/meta backend, but I didn't find an
answer to my question (it's possible that I don't see the wood for the
trees).
I've the following problem:
Our OpenLDAP gets a request which contains a User-ID and Password from
an LDAP-Client. Our OpenLDAP propagates the authentication (User-ID,
Password) of the request to another LDAP-Server using the ldap/meta
backend. If the authentication is o.k. our OpenLDAP contributes the
remaining attributes (tel. number, surname etc.) and gives them back to
the requester.
I need as a response of a request an interaction of two LDAP-Servers. From
the other LDAP-Server the authentication and if successful from our
LDAP-Server the attributes.
Is there a fair chance to get a solution using the ldap/meta backend?
Thanks in advance for your efforts
Klaus
15 years, 3 months
Use wildcard on ipHostNumber and gidNumber attribute
by Thibaut VdK
Hello,
I'm using OpenLDAP 2.3.3 (debian etch package).
I'm trying to use a wildcard in a ldapsearch like this :
ldapsearch -x -W -D "cn=admin,dc=planetb,dc=fr" "ipHostNumber=10.10.*"
This search return any results. I know that I can't use a wildcard on a
ipHostNumber attribute because it doesn't have SUBSTR MatchingRules. So I try
to change my nis.schema like this :
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
DESC 'IP address'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
But, the search always return any results.
I would like to know how to force substr search on this attribute! Is it
possible? And is it possible on attribute "gidNumber" too?
Thanks !
Thibaut Vdk.
(Sorry for my english)
15 years, 3 months