ldapsearch with delay (on the same machine over TLS/SSL only)
by Pavel Lisy
Hello
I've found one problem
I have latest openldap release 2.4.3 (but it is similar on former
versions too).
There is small delay (1-2s) on beginning when I query ldap server from
the same machine over TLS or SSL. Without SSL is no delay.
Is it bug or is it normal? How can I debug it more?
QUERY with delay:
from ldap1 to ldap1 (the same machine)
[root@ldap1 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
QUERY without delay:
from ldap1 to ldap1 (the same machine without TLS)
[root@ldap1 ~]# ldapsearch24 -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
from ldap1 to ldap2
[root@ldap1 ~]# ldapsearch24 -Z -h ldap2.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
from ldap2 to ldap1
[root@ldap2 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
I think my DNS/hosts settings are correct
My testing environment:
servers:
ldap1.ldapnet.tmapy.cz
ldap2.ldapnet.tmapy.cz
ldap3.ldapnet.tmapy.cz
from ldap1 config: slapd.conf
TLSCACertificateFile /etc/pki/tls/cacert.pem
TLSCertificateFile /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap1.ldapnet.tmapy.cz-key.pem
[root@ldap1 ~]# hostname
ldap1.ldapnet.tmapy.cz
[root@ldap1 ~]# grep ldap1 /etc/hosts
192.168.241.10 ldap1.ldapnet.tmapy.cz
[root@ldap1 ~]# ifconfig eth0
eth0 inet adr:192.168.241.10 Všesměr:192.168.241.255 Maska:255.255.255.0
[root@ldap1 ~]# grep ldap1 /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
Subject: C=CS, ST=Kraj kralovehradecky, O=T-MAPY spol. s r.o.,OU=ldapnet, CN=ldap1.ldapnet.tmapy.cz
Pavel Lisy
--
Pavel Lisy <pali(a)tmapy.cz>
11 years, 10 months
Re: syncrepl partial copy
by FRLinux
On Tue, Dec 8, 2009 at 6:58 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> What you are probably really after is the "limits" directive, so that you
> only set these things to unlimited for your replication user, not every
> user.
You are right, i stand corrected.
Steph
11 years, 10 months
syncrepl partial copy
by FRLinux
Hello,
I am now facing a new issue which could well be due to me but I need
to be sure. I have set a new slave running 2.4.17 on Debian whilst the
master is a 2.3.43 running on FreeBSD 6.4. I have observed a similar
behavior on a slave running 2.3.43 also on FreeBSD.
That behavior is that when you start an empty database, syncrepl
starts copying the content but usually stops after a while (ie. copies
only part of the database but far from all objects).
Is it recommended to slapcat the objects when setting up a new slave
or is syncrepl able to do that by itself?
This is my syncrepl rules:
syncrepl rid=124 \
provider=ldaps://masterldap.example.com:636 \
type=refreshAndPersist \
searchbase="dc=example,dc=com" \
scope=sub \
filter="(objectClass=*)" \
attrs="*" \
schemachecking=off \
tls_cacert=/etc/ldap/cert/cacert.pem \
binddn="cn=ldaprep,dc=example,dc=com" \
credentials=xxxxxx
Cheers,
Steph
11 years, 10 months
SASL OTP and syncrepl
by manu@netbsd.org
Hello
When using SASL OTP, the one time password sequence number is stored in
a cmusaslsecretOTP attribute. On every successful authentication, it
should be decreased.
That works fine until used with a syncrepl setup: authenticating to a
replica may cause its local cmusaslsecretOTP, but this change will be
overriden by the value from the master.
As a result, I see sometime the sequence number decreasing just after a
succeeded authentication, but that does not last very long. Soon or
later, the older value is restored.
How is it supposed to work? As far as I understand, there needs to be
some code for the replica to send the update to the master. Is the code
missing, or do I have a configuration problem that prevent it from
working? Or do I hit a bug?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
11 years, 10 months
back-sock and Proxy Authz or SASL Authz-Name
by Michael Ströder
HI!
We a currently testing a custom OpenLDAP setup where specific modify requests
are handled via back-sock (redirected via slapo-rwm) by a handler implemented
in Python. These modify requests are checked and then passed to the real
database backend (back-hdb) on behalf of the user bound to slapd. This works
by looking at the line (binddn: ) passed to the handler by back-sock.
But now there's requirement for proxy authorization. The web application binds
via SASL bind DIGEST-MD5 and explicitly sets the authzid in the SASL bind
request which is mapped via authz-regexp to an authz-DN. This setup seems to
work (tested with commandline-tool ldapwhoami -X authzid) but the authz-DN is
not passed to the back-sock handler. binddn: still contains the bind-DN of the
web application.
Is this feasible at all? If not which parts of back-sock would have to be
patched to make that work?
Ciao, Michael.
11 years, 10 months
adding x-hidden denied
by Dieter Kluenter
Hi,
I am trying to add x-hidden to the olcAttributeOptions attribute type
but I always get error 80,
:~> ldapadd -D cn=config -w xxx -H ldap://localhost
dn: cn=config
changetype: modify
add: olcAttributeOptions
olcAttributeOptions: x-hidden
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: <olcAttributeOptions> handler exited with 1
:~> ldapadd -D cn=config -w xxx -H ldap://localhost
dn: cn=config
changetype: modify
replace: olcAttributeOptions
olcAttributeOptions: x-hidden lang-
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Any idea how to add this attribute value? Or is x-hidden not
supported?
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
11 years, 10 months
how to set an optimal cachesize into openldap
by fida aljounaidi
Hello
My openldap server is always crashed with segmentation fault exit.
exemple slapd[6814]: segfault at 8 rip 4af0f2 rsp 451c0530 error 4
I want to tune this server by putting a better cachesize.
The size of the openldap database into system is 125 MB
The siize of id2entry file is about 22M
The size of db2intery file is 6,7M
I read on the Administration openldap guide that i can execute db_stat -m to
look on the cachesize used by slapd.
This size is increasing every hour.
In the morning it was on about 240 M on the evening, it increase until 400 M
What does it mean and how to deal with that
Thanks
11 years, 10 months
Re: Syncrepl: 3 simple questions
by samk@twinix.com
See Thread at: http://www.techienuggets.com/Detail?tx=106135 Posted on behalf of a User
Hi,everybody
Actually, in 2.4.11 I have ?critical Extension? response with ldap_sync_init API. However with same the source code, it is functional in 2. 3.27 and 2.4.18 . all the waiters are configured in the same way.
Have you solved this trouble?
Thanks a lot
Jack
In Response To:
Hi!
What I would like to understand:
1. How do I query a master for the cookie?
2. How do I query a slave for the coolie?
3. How do I query the master in a human readable format for all changes
based on a cookie which I present?
My apologies if these questions should have been answered by reading the
documentation; I did not find it there, unfortunately.
I am sure someone who is a bit more into this can just reply with three
simple ldadpsearch statemenets.
Regards,
Torsten
11 years, 10 months
openldap 2.4.16 crash
by fida aljounaidi
Hi
Slapd process crash every day.
We have activeted debug level at 256. this lets us see this log before the
crash
conn=2 op=1 SRCH base="dc=domain,dc=com" scope=2 deref=2
filter="(&(memberUid=000678)"
slapd[13011]: conn=2 op=1 SRCH attr=cn
slapd[13011]: conn=2 op=1 SRCH attr=cn
slapd[13011]: conn=2 op=1 SRCH attr=cn
slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text=
slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text=
slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text=
slapd[13011]: conn=2 fd=16 closed (connection lost)
slapd[13011]: conn=2 fd=16 closed (connection lost)
slapd[13011]: conn=2 fd=16 closed (connection lost)
We put th idletimeout to 60 s to close properly idle connexions. But this
does not provide any change.
does anybody have an idea about that ?
how to fix that ?
Thanks a lot
11 years, 10 months
