openldap-software May 2009

openldap-software@openldap.org

41 participants
44 discussions

Questions about the Monitor Backend
by Thierry Lacoste 10 May '09

10 May '09

Hello, I have recently upgraded from 2.3.24 to 2.4.16. I find two points confusing in the "Monitor Backend" section of the B annex "Upgrading from 2.3.x" in the admin guide (http://www.openldap.org/doc/admin24/appendix-upgrading.html#Monitor%20Backe… ). First my slapd happily starts even when I have no rootdn in my "database monitor" section. Second the example of the admin guide reads: database monitor rootdn cn=monitor rootpw change_me Is it on purpose that the rootdn equals the hadcoded suffix of the monitor database? In the "Monitor" section of the admin guide, the example reads: database monitor rootdn "cn=monitoring,cn=Monitor" rootpw monitoring The choice of the rootdn seems much more intuitive but then it seems a bit weird to not use it in the ACL below: access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write by users read by * none Can someone please post his monitor configuration? Regards, Thierry

4 7

Re: back-sql Varchar2 Primary Key Support
by deckrider＠gmail.com 08 May '09

08 May '09

Pierangelo Masarati wrote: > > King, Leon C wrote: > > > > Hi all, > > > > Is there a way to wrap oracle functions to where clauses passed > > into back-sql? I have a non-numeric primary key value of my > > users' table which in some cases is preceeded by a '0'. None of > > the data mapped via the ldap_entries.keyval and my table are > > being retrieve when I execute an ldap search. If I remove the > > preceeding '0' the values are retrieved. > > Manually edit servers/slapd/back-sql/back-sql.h and #define > BACKSQL_ARBITRARY_KEY (it's #undef'd right now). This allows to use > arbitrary keys (treated as strings) instead of integers. Note: it's not > very well tested, and performances obviously may decrease (lots of > mallocs/frees, more demanding comparisons and so).\ I need this also, but get a compile time error: servers/slapd/back-sql/search.c:2420: error: invalid operands to binary << (have ‘struct berval’ and ‘int’)

2 2

strange behavior of openldap: missing record in ldapsearch
by Zhang Weiwu 07 May '09

07 May '09

First there is a record with value that fits (businessCategory=C16.1*), verified in STEP 1, second, searching with '(businessCategory=C16.1*)' couldn't find it, demonstrated in STEP2. ===== STEP 1 ===== $ ldapsearch -xD uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W -b ou=contacts,ou=china,dc=ahk,dc=de '(o=Homag Machinery * Co., Ltd.)' dn businessCategory # extended LDIF # # LDAPv3 # base <ou=contacts,ou=china,dc=ahk,dc=de> with scope subtree # filter: (o=Homag Machinery * Co., Ltd.) # requesting: dn businessCategory # # SH0180, contacts, china, ahk.de dn: uid=SH0180,ou=contacts,ou=china,dc=ahk,dc=de businessCategory: C16.10 Sawmilling and planing of wood businessCategory;lang-zh:: QzE2LjEwIOmUr+acqOWPiuWIqOacqA== businessCategory;lang-de:: QzE2LjEwIFPDpGdlLSwgSG9iZWwtIHVuZCBIb2x6aW1wcsOkZ25 pZXJ3ZXJrZQ== # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ===== STEP 2 ===== $ ldapsearch -xD uid=supertuxadmin,ou=contacts,ou=china,dc=ahk,dc=de -W -b ou=contacts,ou=china,dc=ahk,dc=de '(businesscategory=C16.1*)' dn # extended LDIF # # LDAPv3 # base <ou=contacts,ou=china,dc=ahk,dc=de> with scope subtree # filter: (businesscategory=C16.1*) # requesting: dn # # German_Perfect_2, contacts, china, ahk.de dn: uid=German_Perfect_2,ou=contacts,ou=china,dc=ahk,dc=de # Keenmax, contacts, china, ahk.de dn: uid=Keenmax,ou=contacts,ou=china,dc=ahk,dc=de # SH1625, contacts, china, ahk.de dn: uid=SH1625,ou=contacts,ou=china,dc=ahk,dc=de # id6505, contacts, china, ahk.de dn: uid=id6505,ou=contacts,ou=china,dc=ahk,dc=de # Davidyang1981, contacts, china, ahk.de dn: uid=Davidyang1981,ou=contacts,ou=china,dc=ahk,dc=de # search result search: 2 result: 0 Success # numResponses: 6 # numEntries: 5 ======== FINISH ====== I expected to see uid=SH0180,ou=contacts,ou=china,dc=ahk,dc=de in the search result in step 2 but couldn't. Similiar problem happen on commonName as well, on both of our two installations, one is running 2.4.9 and the other 2.3.30. Both using hdb. It is totally confusing to me that I don't even know where to start look for the problem. Should I also attach full slapd.conf? Thanks for any input in advance. I am totally clueless now, even after running the installation for 3 years it's the first time see such frastrating situation. Thanks. Best regards Zhang Weiwu

3 3

Re: openldap2.4.16 and BDB4.7 not sync configured as provider/consumer
by Rodrigo Costa 07 May '09

07 May '09

Quanah, Thanks a lot! The replication is just fine after loading the LDIF with operational attributes. No overload in consumer to sync database now. Regards, Rodrigo. Quanah Gibson-Mount wrote: > --On Thursday, May 07, 2009 10:36 AM -0700 Rodrigo Costa > <rlvcosta(a)yahoo.com> wrote: > >> >> Quanah, >> >> My understanding is that attrs doesn't need to exist in config since by >> default all attributes are shared. > > I think that is what I said. You should not specify the attrs= line > in the syncrepl stanza on the replica, and just use the default. That > way, the entire database is replicated in full to the replica. > >> My original plan was to remove some tasks from the provider, like >> backup, running a slapcat in the consumer(slave). Based in the >> requirement to load the consumer(slave) using a master LDIF dump I'm not >> sure if this is really feasible. > > Why is it a requirement to use a master LDIF dump? I never said that. > What I said, is that you are required to have a fully formed LDIF file > to load LDAP servers that will be syncing (I.e., an LDIF file with the > operational attributes, vs a generated LDIF file from a program that > is missing them.). If you do a slapcat from an existing server, then > it should be fully formed. > >> My idea was : >> 1)Have a provider/consumer running; >> 2)Execute LDIF and binary backups in the consumer(slave) >> 3)In a case of problem in the master just let a HA SW move the master to >> slave and then load "old master" using the slave LDIF file(recovering >> procedure). >> >> Is this feasible? > > Yes, this is pretty standard procedure, minus the binary backups. You > could of course just set up mirror mode or multi-master, as well... > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

1 0

Re: openldap2.4.16 and BDB4.7 not sync configured as provider/consumer
by Rodrigo Costa 07 May '09

07 May '09

Quanah, My understanding is that attrs doesn't need to exist in config since by default all attributes are shared. My original plan was to remove some tasks from the provider, like backup, running a slapcat in the consumer(slave). Based in the requirement to load the consumer(slave) using a master LDIF dump I'm not sure if this is really feasible. My idea was : 1)Have a provider/consumer running; 2)Execute LDIF and binary backups in the consumer(slave) 3)In a case of problem in the master just let a HA SW move the master to slave and then load "old master" using the slave LDIF file(recovering procedure). Is this feasible? Could for replication purposes copy the binary bdb files from master to slave or vice-verse to recover system? Regards, Rodrigo. Regards, Rodrigo. Quanah Gibson-Mount wrote: > --On Wednesday, May 06, 2009 1:55 PM -0700 John Du <jjohndu(a)gmail.com> > wrote: > > >> Is it necessary to explicitly specify the '+' in slapd.conf to replicate >> operational attributes? >> > > You shouldn't specify the "attrs=" line in slapd.conf at all, unless > you only want to replicate a subset of attributes. The default is > usually all you want. But yes, if you plan on doing replication, and > want it to work, and you are going to specify the attrs= line, then > you better include "+" in there. > > --Quanah -- > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

2 1

Re: openldap2.4.16 and BDB4.7 not sync configured as provider/consumer
by Rodrigo Costa 07 May '09

07 May '09

Buchan, I made exactly what you said even using the -q flag in the slapadd command. So in summary I did : 1) Load the master DB using LDIF file through slapdd(-q flag and DB_CACHEZIZE to 1GB); 2) Load the slave DB using LDIF(same) file through slapdd(-q flag and DB_CACHEZIZE to 1GB); 3)Then have the slapd.conf files appropriately configured 4)Start master and then after some minutes start slave. So the slave is not starting blank but exactly loaded and in terms of data there isn't any difference between provider(master) and consumer(slave). I just see when the consumer slapd process start at slave machine(slapd started with -d 256 flag) the connection from the consumer to the provider slapd process. Then all behavior explained start to happen. Please see the provider and consumer configuration file attached. Something appears not being following the expect behavior. Also the memory consumed in the consumer is growing too fast and doesn't appear to really follow the caches directives. Regards, Rodrigo. Buchan Milne wrote: > On Sunday 03 May 2009 04:15:47 Rodrigo Costa wrote: > >> openldap software, >> >> Sometime ago I open the ITS#5860 about some memory cache limitations not >> being respected by config files. Even this issue was solved when I tried >> to configured openldap to use replication(syncrepl) the system never >> enter into sync and the behavior appears similar to the ITS#5860 bug. >> >> The system start to sync and in the provider(master) I see the query for >> the DB sync. But the consumer(slave) memory consumption start to grow >> very fast making me to constrain much more the dncachesize to a 1/10 of >> the size of the provider(master) where at least system doesn't crash at >> consumer. >> >> Since changes were done in the openldap 2.4.16 I download and made tests >> with this version. I get into the same behavior with consumer(slave) >> never getting in sync with provider(master). >> >> The behaviors are : >> >> 1) Consumer(slave) start query to the provider(master) DB; >> 2) Memory allocation and number of threads in the provider(master) start >> to increase as expected; >> 3) dncachesize directive into provider(master) controls as expected the >> maximum memory to be allocated by slapd process in provider(master); >> 4) Consumer(slave) consumer memory in a much faster pace. dncachesize >> configured to 1/10 of provider(master) to avoid memory allocation problems; >> 5) After sometime the consumer(slave) CPU usage maintains in 200%. >> Provider(master) stays with low CPU usage, around 1 to 3 %; >> 6) A new provisioning in provider(master) isn't propagated to >> consumer(slave); >> 7) Bases never get in sync and CPU usage in consumer still high. Queries >> to provider(master) are answer very fast and even multiple individual >> queries to consumer(slave) are also answer in reasonable time. >> >> It looks like could exist certain issue in the replication logic where >> some processing dead loop could be found by the replication >> consumer(slave) logic. >> >> The newest openldap version and Berkeley DB 4.7 with all patches were >> compiled in the platform running the code. >> >> Any idea about this behavior? >> > > I have seen behaviour like this when there was something preventing > synchronisation, and the comsumer would spawn more consumer threads, until the > box ran out of memory. I fixed the real issue, and haven't seen it since (and > haven't had time to try and reproduce it). > > However, on a large database, you may have better success by initialising the > consumer via 'slapadd' with an export from a provider, instead of using > syncrepl to do it. Since slapadd can run multiple threads (syncrepl only runs > one thread), and doesn't need to bother serving client requests, and can run > without transactions (see -q flag), it is much more efficient. > > Note that you could consider different tuning for import vs run-time, e.g. I > usually increase the BDB cache_size for imports with slapadd, and decrease it > for runtime. > > Regards, > Buchan > > > > >

5 7

Let "self" create new entries
by Wolfgang Lorenz 06 May '09

06 May '09

Hello, I'm quite new to LDAP and at the moment I'm really just playing around, and trying to learn how to configure and use OpenLDAP correctly. So I set up some kind of a small address directory, as could be used by my family to have a central place, where addresses can be stored, just to keep in contact. The setup looks like this: # reading out data as authenticated user access to dn.children="ou=people,dc=example,dc=org" by self write by users read access to dn.base="ou=people,dc=example,dc=org" by users read access to dn.base="dc=example,dc=org" by users read This seems to work, fine: I can log in, using my dn uid=wolfgang,ou=people,dc=example,dc=org and I can change my details, and view the details of the other uids. Then I thought, it would be nice to be able, to create my own address books within my "self" contact. Such as ou=adrbook01,uid=wolfgang,ou=people,dc=example,dc=org and have in there contacts, that can only be shown by me. All other users should be able to do the same thing, of course. So I tried to create the new ou=adrbook01 entry and got a "no write access to entry". As I understand it, I may only add and change attributes, that lie within my binddn. So, now my question is, how can I configure slapd to enable users, to build their own subtrees, without having to give a rule for every single uid, that lies within ou=people? Thanks in advance, Wolfgang

3 4

Re: openldap2.4.16 and BDB4.7 not sync configured as provider/consumer
by Rodrigo Costa 06 May '09

06 May '09

Quanah, This means I cannot use the same original LDIF file to load in parallel the master and slave at the same time. I need to load the master, then slapcat it and then finally load the slave to have a correct startup. Just confirming the procedure. Regards, Rodrigo. Quanah Gibson-Mount wrote: > --On Tuesday, May 05, 2009 6:50 PM -0700 Rodrigo Costa > <rlvcosta(a)yahoo.com> wrote: > >> Buchan, >> >> I made exactly what you said even using the -q flag in the slapadd >> command. So in summary I did : >> >> 1) Load the master DB using LDIF file through slapdd(-q flag and >> DB_CACHEZIZE to 1GB); >> 2) Load the slave DB using LDIF(same) file through slapdd(-q flag and >> DB_CACHEZIZE to 1GB); >> 3)Then have the slapd.conf files appropriately configured >> 4)Start master and then after some minutes start slave. > > Unless the LDIF was a valid export from a master, you should have > slapcat'd the master after step 1, and used that LDIF to load the > replica in step 2. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

2 1

Re: slapd-meta and paged results control
by Quanah Gibson-Mount 05 May '09

05 May '09

--On Tuesday, May 05, 2009 9:46 PM +0200 Lajos Boróczki <boroczki.lajos(a)gmail.com> wrote: > I forgot to include: 2.4.11 Please keep your replies on the list. I'd suggest you try a newer release of OpenLDAP (2.4.16 is the current stable release). --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

sync problem
by Leonardo Carneiro 05 May '09

05 May '09

Hi everyone, i'm no ldap expert at all. in fact i'm very noob. a few months ago i'd configured 2 ldap servers. they were set in 2 separated networks, and syncronized via a openvpn link. all was working ok when when about a month ago they stop syncing. the replogfile is empty. main server (piece of slapd.conf): replogfile /var/lib/ldap/openldap-master-replog replica host=192.168.0.2:389 binddn="cn=root,dc=dominio,dc=com,dc=br" bindmethod=simple credentials=[pass] secondary server (piece of slapd.conf) updatedn "cn=root,dc=dominio,dc=com,dc=br" updateref ldap://192.168.1.2:380 Sorry about my poor english, i'm from brasil. -- *Leonardo de Souza Carneiro* *Veltrac - Tecnologia em Logística.* lscarneiro(a)veltrac.com.br <mailto:lscarneiro@veltrac.com.br> http://www.veltrac.com.br <http://www.veltrac.com.br/> /Fone Com.: (43)2105-5600/ /Av. Higienópolis 1601 Ed. Eurocenter Sl. 803/ /Londrina- PR/ /Cep: 86015-010/ /Esta mensagem pode conter informação confidencial e/ou privilegiada./ /Se você recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o./ /This message may contain confidential and/or privileged information./ /If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message./

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software May 2009