openldap-software December 2009

openldap-software@openldap.org

28 participants
29 discussions

ldapsearch with delay (on the same machine over TLS/SSL only)
by Pavel Lisy 08 Dec '09

08 Dec '09

Hello I've found one problem I have latest openldap release 2.4.3 (but it is similar on former versions too). There is small delay (1-2s) on beginning when I query ldap server from the same machine over TLS or SSL. Without SSL is no delay. Is it bug or is it normal? How can I debug it more? QUERY with delay: from ldap1 to ldap1 (the same machine) [root@ldap1 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d QUERY without delay: from ldap1 to ldap1 (the same machine without TLS) [root@ldap1 ~]# ldapsearch24 -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d from ldap1 to ldap2 [root@ldap1 ~]# ldapsearch24 -Z -h ldap2.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d from ldap2 to ldap1 [root@ldap2 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d I think my DNS/hosts settings are correct My testing environment: servers: ldap1.ldapnet.tmapy.cz ldap2.ldapnet.tmapy.cz ldap3.ldapnet.tmapy.cz from ldap1 config: slapd.conf TLSCACertificateFile /etc/pki/tls/cacert.pem TLSCertificateFile /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem TLSCertificateKeyFile /etc/pki/tls/private/ldap1.ldapnet.tmapy.cz-key.pem [root@ldap1 ~]# hostname ldap1.ldapnet.tmapy.cz [root@ldap1 ~]# grep ldap1 /etc/hosts 192.168.241.10 ldap1.ldapnet.tmapy.cz [root@ldap1 ~]# ifconfig eth0 eth0 inet adr:192.168.241.10 Všesměr:192.168.241.255 Maska:255.255.255.0 [root@ldap1 ~]# grep ldap1 /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem Subject: C=CS, ST=Kraj kralovehradecky, O=T-MAPY spol. s r.o.,OU=ldapnet, CN=ldap1.ldapnet.tmapy.cz Pavel Lisy -- Pavel Lisy <pali(a)tmapy.cz>

2 1

Re: syncrepl partial copy
by FRLinux 08 Dec '09

08 Dec '09

On Tue, Dec 8, 2009 at 6:58 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > What you are probably really after is the "limits" directive, so that you > only set these things to unlimited for your replication user, not every > user. You are right, i stand corrected. Steph

1 0

syncrepl partial copy
by FRLinux 08 Dec '09

08 Dec '09

Hello, I am now facing a new issue which could well be due to me but I need to be sure. I have set a new slave running 2.4.17 on Debian whilst the master is a 2.3.43 running on FreeBSD 6.4. I have observed a similar behavior on a slave running 2.3.43 also on FreeBSD. That behavior is that when you start an empty database, syncrepl starts copying the content but usually stops after a while (ie. copies only part of the database but far from all objects). Is it recommended to slapcat the objects when setting up a new slave or is syncrepl able to do that by itself? This is my syncrepl rules: syncrepl rid=124 \ provider=ldaps://masterldap.example.com:636 \ type=refreshAndPersist \ searchbase="dc=example,dc=com" \ scope=sub \ filter="(objectClass=*)" \ attrs="*" \ schemachecking=off \ tls_cacert=/etc/ldap/cert/cacert.pem \ binddn="cn=ldaprep,dc=example,dc=com" \ credentials=xxxxxx Cheers, Steph

5 5

SASL OTP and syncrepl
by manu＠netbsd.org 08 Dec '09

08 Dec '09

Hello When using SASL OTP, the one time password sequence number is stored in a cmusaslsecretOTP attribute. On every successful authentication, it should be decreased. That works fine until used with a syncrepl setup: authenticating to a replica may cause its local cmusaslsecretOTP, but this change will be overriden by the value from the master. As a result, I see sometime the sequence number decreasing just after a succeeded authentication, but that does not last very long. Soon or later, the older value is restored. How is it supposed to work? As far as I understand, there needs to be some code for the replica to send the update to the master. Is the code missing, or do I have a configuration problem that prevent it from working? Or do I hit a bug? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

5 7

back-sock and Proxy Authz or SASL Authz-Name
by Michael Ströder 05 Dec '09

05 Dec '09

HI! We a currently testing a custom OpenLDAP setup where specific modify requests are handled via back-sock (redirected via slapo-rwm) by a handler implemented in Python. These modify requests are checked and then passed to the real database backend (back-hdb) on behalf of the user bound to slapd. This works by looking at the line (binddn: ) passed to the handler by back-sock. But now there's requirement for proxy authorization. The web application binds via SASL bind DIGEST-MD5 and explicitly sets the authzid in the SASL bind request which is mapped via authz-regexp to an authz-DN. This setup seems to work (tested with commandline-tool ldapwhoami -X authzid) but the authz-DN is not passed to the back-sock handler. binddn: still contains the bind-DN of the web application. Is this feasible at all? If not which parts of back-sock would have to be patched to make that work? Ciao, Michael.

2 1

adding x-hidden denied
by Dieter Kluenter 04 Dec '09

04 Dec '09

Hi, I am trying to add x-hidden to the olcAttributeOptions attribute type but I always get error 80, :~> ldapadd -D cn=config -w xxx -H ldap://localhost dn: cn=config changetype: modify add: olcAttributeOptions olcAttributeOptions: x-hidden modifying entry "cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcAttributeOptions> handler exited with 1 :~> ldapadd -D cn=config -w xxx -H ldap://localhost dn: cn=config changetype: modify replace: olcAttributeOptions olcAttributeOptions: x-hidden lang- modifying entry "cn=config" ldap_modify: Other (e.g., implementation specific) error (80) Any idea how to add this attribute value? Or is x-hidden not supported? -Dieter -- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:8EF7B6C6 53°37'09,95"N 10°08'02,42"E

1 0

how to set an optimal cachesize into openldap
by fida aljounaidi 02 Dec '09

02 Dec '09

Hello My openldap server is always crashed with segmentation fault exit. exemple slapd[6814]: segfault at 8 rip 4af0f2 rsp 451c0530 error 4 I want to tune this server by putting a better cachesize. The size of the openldap database into system is 125 MB The siize of id2entry file is about 22M The size of db2intery file is 6,7M I read on the Administration openldap guide that i can execute db_stat -m to look on the cachesize used by slapd. This size is increasing every hour. In the morning it was on about 240 M on the evening, it increase until 400 M What does it mean and how to deal with that Thanks

1 0

Re: Syncrepl: 3 simple questions
by samk＠twinix.com 02 Dec '09

02 Dec '09

See Thread at: http://www.techienuggets.com/Detail?tx=106135 Posted on behalf of a User Hi,everybody Actually, in 2.4.11 I have ?critical Extension? response with ldap_sync_init API. However with same the source code, it is functional in 2. 3.27 and 2.4.18 . all the waiters are configured in the same way. Have you solved this trouble? Thanks a lot Jack In Response To: Hi! What I would like to understand: 1. How do I query a master for the cookie? 2. How do I query a slave for the coolie? 3. How do I query the master in a human readable format for all changes based on a cookie which I present? My apologies if these questions should have been answered by reading the documentation; I did not find it there, unfortunately. I am sure someone who is a bit more into this can just reply with three simple ldadpsearch statemenets. Regards, Torsten

1 0

openldap 2.4.16 crash
by fida aljounaidi 01 Dec '09

01 Dec '09

Hi Slapd process crash every day. We have activeted debug level at 256. this lets us see this log before the crash conn=2 op=1 SRCH base="dc=domain,dc=com" scope=2 deref=2 filter="(&(memberUid=000678)" slapd[13011]: conn=2 op=1 SRCH attr=cn slapd[13011]: conn=2 op=1 SRCH attr=cn slapd[13011]: conn=2 op=1 SRCH attr=cn slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text= slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text= slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text= slapd[13011]: conn=2 fd=16 closed (connection lost) slapd[13011]: conn=2 fd=16 closed (connection lost) slapd[13011]: conn=2 fd=16 closed (connection lost) We put th idletimeout to 60 s to close properly idle connexions. But this does not provide any change. does anybody have an idea about that ? how to fix that ? Thanks a lot

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2009