ldapsearch with delay (on the same machine over TLS/SSL only)
by Pavel Lisy
Hello
I've found one problem.
I have the latest openldap release 2.4.3 (but it is similar on former
versions too).
There is a small delay (1-2s) at the beginning when I query the ldap server from
the same machine over TLS or SSL. Without SSL there is no delay.
Is it a bug or is it normal? How can I debug it more?
QUERY with delay:
from ldap1 to ldap1 (the same machine)
[root@ldap1 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
QUERY without delay:
from ldap1 to ldap1 (the same machine without TLS)
[root@ldap1 ~]# ldapsearch24 -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
from ldap1 to ldap2
[root@ldap1 ~]# ldapsearch24 -Z -h ldap2.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
from ldap2 to ldap1
[root@ldap2 ~]# ldapsearch24 -Z -h ldap1.ldapnet.tmapy.cz -x -s sub -D "cn=Manager,dc=tmapy,dc=cz" -b 'dc=tmapy,dc=cz' -w p*****d
I think my DNS/hosts settings are correct.
My testing environment:
servers:
ldap1.ldapnet.tmapy.cz
ldap2.ldapnet.tmapy.cz
ldap3.ldapnet.tmapy.cz
from ldap1 config: slapd.conf
TLSCACertificateFile /etc/pki/tls/cacert.pem
TLSCertificateFile /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
TLSCertificateKeyFile /etc/pki/tls/private/ldap1.ldapnet.tmapy.cz-key.pem
[root@ldap1 ~]# hostname
ldap1.ldapnet.tmapy.cz
[root@ldap1 ~]# grep ldap1 /etc/hosts
192.168.241.10 ldap1.ldapnet.tmapy.cz
[root@ldap1 ~]# ifconfig eth0
eth0 inet adr:192.168.241.10 Všesměr:192.168.241.255 Maska:255.255.255.0
[root@ldap1 ~]# grep ldap1 /etc/pki/tls/certs/ldap1.ldapnet.tmapy.cz-cert.pem
Subject: C=CS, ST=Kraj kralovehradecky, O=T-MAPY spol. s r.o.,OU=ldapnet, CN=ldap1.ldapnet.tmapy.cz
Pavel Lisy
--
Pavel Lisy <pali(a)tmapy.cz>
13 years, 1 month
Re: syncrepl partial copy
by FRLinux
On Tue, Dec 8, 2009 at 6:58 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> What you are probably really after is the "limits" directive, so that you
> only set these things to unlimited for your replication user, not every
> user.
You are right, I stand corrected.
Steph
13 years, 1 month
syncrepl partial copy
by FRLinux
Hello,
I am now facing a new issue which could well be due to me but I need
to be sure. I have set a new slave running 2.4.17 on Debian whilst the
master is a 2.3.43 running on FreeBSD 6.4. I have observed a similar
behavior on a slave running 2.3.43 also on FreeBSD.
That behavior is that when you start an empty database, syncrepl
starts copying the content but usually stops after a while (i.e. copies
only part of the database but far from all objects).
Is it recommended to slapcat the objects when setting up a new slave
or is syncrepl able to do that by itself?
These are my syncrepl rules:
syncrepl rid=124 \
provider=ldaps://masterldap.example.com:636 \
type=refreshAndPersist \
searchbase="dc=example,dc=com" \
scope=sub \
filter="(objectClass=*)" \
attrs="*" \
schemachecking=off \
tls_cacert=/etc/ldap/cert/cacert.pem \
binddn="cn=ldaprep,dc=example,dc=com" \
credentials=xxxxxx
Cheers,
Steph
13 years, 1 month
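The "limits" directive that the reply above points to, shown as an added slapd.conf fragment (not from the thread) for the provider side, masterldap.example.com, using the replication identity from the syncrepl block; it lifts the search limits only for that identity so the initial refresh is not cut short, while every other bound user keeps the defaults. The backend and the numeric defaults shown are assumptions.

```conf
# Added example for the provider's slapd.conf (inside its database section),
# not part of the original posts. Names come from the consumer's syncrepl block.

suffix   "dc=example,dc=com"

# Not this: raising the global limits lets every bound user pull the whole tree.
# sizelimit unlimited
# timelimit unlimited

# Keep the defaults for everyone else (500 entries / 3600 s are slapd's defaults)...
sizelimit 500
timelimit 3600

# ...and lift them only for the DN the consumer uses as syncrepl binddn=,
# so its refresh search is not truncated at 500 entries or timed out.
limits dn.exact="cn=ldaprep,dc=example,dc=com" \
       size.soft=unlimited size.hard=unlimited \
       time.soft=unlimited time.hard=unlimited
```

The consumer still needs an ACL granting cn=ldaprep read access to the replicated attributes; limits only remove the size and time ceilings.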
SASL OTP and syncrepl
by manu@netbsd.org
Hello
When using SASL OTP, the one time password sequence number is stored in
a cmusaslsecretOTP attribute. On every successful authentication, it
should be decreased.
That works fine until used with a syncrepl setup: authenticating to a
replica may cause its local cmusaslsecretOTP to change, but this change will be
overridden by the value from the master.
As a result, I sometimes see the sequence number decreasing just after a
successful authentication, but that does not last very long. Sooner or
later, the older value is restored.
How is it supposed to work? As far as I understand, there needs to be
some code for the replica to send the update to the master. Is the code
missing, or do I have a configuration problem that prevents it from
working? Or do I hit a bug?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
13 years, 1 month
back-sock and Proxy Authz or SASL Authz-Name
by Michael Ströder
Hi!
We are currently testing a custom OpenLDAP setup where specific modify requests
are handled via back-sock (redirected via slapo-rwm) by a handler implemented
in Python. These modify requests are checked and then passed to the real
database backend (back-hdb) on behalf of the user bound to slapd. This works
by looking at the line (binddn: ) passed to the handler by back-sock.
But now there's a requirement for proxy authorization. The web application binds
via SASL bind DIGEST-MD5 and explicitly sets the authzid in the SASL bind
request which is mapped via authz-regexp to an authz-DN. This setup seems to
work (tested with the command-line tool ldapwhoami -X authzid) but the authz-DN is
not passed to the back-sock handler. binddn: still contains the bind-DN of the
web application.
Is this feasible at all? If not, which parts of back-sock would have to be
patched to make that work?
Ciao, Michael.
13 years, 1 month
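A minimal handler for the request format the post describes, added here as an example and not the poster's code: it parses one back-sock MODIFY request (layout as documented in slapd-sock(5), including the binddn: line that the extensions directive adds), extracts the identity slapd reports, and answers with a RESULT block. The sample request and the allowed-identity policy are constructed; whether binddn: carries the authz-DN after a SASL proxy authorization is exactly the open question of the post and is not answered by this code.

```python
"""Added example (not the poster's handler): parse a back-sock MODIFY request.

Layout per slapd-sock(5): a verb line, "msgid:", the "binddn:"/"peername:"/
"ssf:"/"connid:" lines added by the "extensions" directive, "suffix:" lines,
"dn:", then LDIF-style changes separated by "-" and ended by a blank line.
"""
from dataclasses import dataclass, field


@dataclass
class SockModify:
    msgid: str
    binddn: str                 # identity slapd reports for this operation
    dn: str                     # target entry of the modify
    changes: list = field(default_factory=list)   # (op, attr, [values])


def parse_modify(text: str) -> SockModify:
    lines = text.rstrip("\n").split("\n")
    if lines[0] != "MODIFY":
        raise ValueError("not a MODIFY request: %r" % lines[0])
    hdr, i = {}, 1
    while not lines[i].startswith("dn: "):      # header lines before dn:
        key, _, val = lines[i].partition(": ")
        hdr[key] = val
        i += 1
    req = SockModify(hdr["msgid"], hdr.get("binddn", ""), lines[i][4:])
    i += 1
    while i < len(lines):                       # one change per "-" block
        op, _, attr = lines[i].partition(": ")
        vals, i = [], i + 1
        while i < len(lines) and lines[i] != "-":
            vals.append(lines[i].partition(": ")[2])
            i += 1
        req.changes.append((op, attr, vals))
        i += 1                                  # skip the "-" separator
    return req


def decide(req: SockModify, allowed_by) -> str:
    """Constructed policy: only listed identities may modify; reply per slapd-sock(5)."""
    code = 0 if req.binddn.lower() in allowed_by else 50   # 50 = insufficientAccessRights
    return "RESULT\nmsgid: %s\ncode: %d\n\n" % (req.msgid, code)


SAMPLE = (  # constructed request, as back-sock writes it with "extensions binddn"
    "MODIFY\nmsgid: 7\nbinddn: cn=webapp,dc=example,dc=com\n"
    "suffix: dc=example,dc=com\ndn: uid=alice,ou=people,dc=example,dc=com\n"
    "replace: mail\nmail: alice@example.com\n-\n\n"
)
```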
adding x-hidden denied
by Dieter Kluenter
Hi,
I am trying to add x-hidden to the olcAttributeOptions attribute type
but I always get error 80:
:~> ldapadd -D cn=config -w xxx -H ldap://localhost
dn: cn=config
changetype: modify
add: olcAttributeOptions
olcAttributeOptions: x-hidden
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: <olcAttributeOptions> handler exited with 1
:~> ldapadd -D cn=config -w xxx -H ldap://localhost
dn: cn=config
changetype: modify
replace: olcAttributeOptions
olcAttributeOptions: x-hidden lang-
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
Any idea how to add this attribute value? Or is x-hidden not
supported?
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
13 years, 1 month
how to set an optimal cachesize into openldap
by fida aljounaidi
Hello
My openldap server always crashes with a segmentation fault.
Example: slapd[6814]: segfault at 8 rip 4af0f2 rsp 451c0530 error 4
I want to tune this server by setting a better cachesize.
The size of the openldap database on the system is 125 MB.
The size of the id2entry file is about 22M.
The size of the db2intery file is 6,7M.
I read in the OpenLDAP Administration guide that I can execute db_stat -m to
look at the cachesize used by slapd.
This size is increasing every hour.
In the morning it was at about 240 M; in the evening, it increased to 400 M.
What does it mean and how to deal with that?
Thanks
13 years, 2 months
Re: Syncrepl: 3 simple questions
by samk@twinix.com
See Thread at: http://www.techienuggets.com/Detail?tx=106135 Posted on behalf of a User
Hi, everybody
Actually, in 2.4.11 I have a "critical Extension" response with the ldap_sync_init API. However, with the same source code, it is functional in 2.3.27 and 2.4.18. All the waiters are configured in the same way.
Have you solved this trouble?
Thanks a lot
Jack
In Response To:
Hi!
What I would like to understand:
1. How do I query a master for the cookie?
2. How do I query a slave for the cookie?
3. How do I query the master in a human readable format for all changes
based on a cookie which I present?
My apologies if these questions should have been answered by reading the
documentation; I did not find it there, unfortunately.
I am sure someone who is a bit more into this can just reply with three
simple ldapsearch statements.
Regards,
Torsten
13 years, 2 months
openldap 2.4.16 crash
by fida aljounaidi
Hi
Slapd process crash every day.
We have activated the debug level at 256. This lets us see this log before the
crash
conn=2 op=1 SRCH base="dc=domain,dc=com" scope=2 deref=2
filter="(&(memberUid=000678)"
slapd[13011]: conn=2 op=1 SRCH attr=cn
slapd[13011]: conn=2 op=1 SRCH attr=cn
slapd[13011]: conn=2 op=1 SRCH attr=cn
slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text=
slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text=
slapd[13011]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=30 text=
slapd[13011]: conn=2 fd=16 closed (connection lost)
slapd[13011]: conn=2 fd=16 closed (connection lost)
slapd[13011]: conn=2 fd=16 closed (connection lost)
We set the idletimeout to 60 s to properly close idle connections. But this
does not make any difference.
Does anybody have an idea about that?
How to fix that?
Thanks a lot
13 years, 2 months