dynlist overlay and ldapsearch
by ben thielsen
hi-
i'm using the dynlist overlay and am not getting back the search results i expected. i'm using 2.4.11 courtesy of debian.
here is my overlay config:
>ldapsearch -xWLLLD 'cn=admin,cn=config' -b 'cn=config' "(objectclass=olcdynamiclist)"
dn: olcOverlay={5}dynlist,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {5}dynlist
olcDLattrSet: {0}groupOfNames memberURL member
olcDLattrSet: {1}mailGroup labeledURI
here is the entry in question:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' -s base -b 'cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net'
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
objectClass: mailGroup
objectClass: top
objectClass: extensibleObject
cn: abuse
member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail
,dc=groundnoise,dc=net
labeledURI: ldap:///ou=domains,ou=mail,dc=groundnoise,dc=net?host?sub?(objectC
lass=mailDomain)
host: phone.dipswitch.net
host: luna.mpls.mn.us
host: groundnoise.net
host: thielsen.org
host: sjva1991.org
host: dipswitch.net
host: bitrate.net
searched for another way:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))' host
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
host: phone.dipswitch.net
host: luna.mpls.mn.us
host: groundnoise.net
host: thielsen.org
host: sjva1991.org
host: dipswitch.net
host: bitrate.net
however, the results from this search are missing that entry:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=dipswitch.net)' dn
dn: host=dipswitch.net,ou=domains,ou=mail,dc=groundnoise,dc=net
or another search:
ldapsearch -xvWD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(host=*))' host
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: (&(objectclass=mailgroup)(host=*))
requesting: host
# extended LDIF
#
# LDAPv3
# base <dc=groundnoise, dc=net> (default) with scope subtree
# filter: (&(objectclass=mailgroup)(host=*))
# requesting: host
#
# search result
search: 2
result: 0 Success
# numResponses: 1
if i remove the labeledURI attribute and populate with static entries, things appear to work as expected:
here's the entry:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))'
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
objectClass: mailGroup
objectClass: top
objectClass: extensibleObject
cn: abuse
member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail
,dc=groundnoise,dc=net
host: foo
host: bar
host: com
host: net
host: org
and a search:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=foo)' dn
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groun
dnoise,dc=net
what am i doing wrong?
thanks
-ben
13 years, 4 months
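The following is an added model of what the dynlist overlay does with a labeledURI, written for this thread; it is not code from the post and not OpenLDAP's own overlay. It parses the RFC 4516 URL form that olcDLattrSet/labeledURI carry (ldap:///base?attrs?scope?filter), expands the group entry against a constructed in-memory directory shaped like the posted entries, and keeps the two steps separate: the search filter is evaluated over stored attributes, and expansion is applied only to the entries being returned. That ordering reproduces the posted results (the group is found by cn, while (host=dipswitch.net) returns only the mailDomain entry); whether a given release also evaluates filters over expanded attributes is something to confirm in that release's dynlist(5) page. The filter evaluator handles only a single equality or presence assertion, and DNs are assumed to contain no escaped commas.

```python
"""Model of dynlist-style expansion of a labeledURI (added example, not OpenLDAP code)."""
import re
from urllib.parse import unquote, urlsplit

GROUP_DN = "cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net"
GROUP_URL = "ldap:///ou=domains,ou=mail,dc=groundnoise,dc=net?host?sub?(objectClass=mailDomain)"

# Constructed sample directory: dn -> {attribute name in lower case: [values]}.
DIRECTORY = {
    "ou=domains,ou=mail,dc=groundnoise,dc=net": {"objectclass": ["organizationalUnit"], "ou": ["domains"]},
    "host=dipswitch.net,ou=domains,ou=mail,dc=groundnoise,dc=net": {"objectclass": ["mailDomain"], "host": ["dipswitch.net"]},
    "host=bitrate.net,ou=domains,ou=mail,dc=groundnoise,dc=net": {"objectclass": ["mailDomain"], "host": ["bitrate.net"]},
    GROUP_DN: {"objectclass": ["mailGroup", "top", "extensibleObject"], "cn": ["abuse"], "labeleduri": [GROUP_URL]},
}


def parse_ldap_url(url):
    """Split an RFC 4516 URL into base, attribute list, scope and filter."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    fields = parts.query.split("?") + ["", "", ""]  # attrs ? scope ? filter, all optional
    scope = (fields[1] or "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError("unsupported scope %r" % fields[1])
    return {
        "base": unquote(parts.path.lstrip("/")),
        "attrs": [a for a in unquote(fields[0]).split(",") if a],
        "scope": scope,
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


def in_scope(dn, base, scope):
    """Scope test on string DNs (assumes no escaped commas in the DNs)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn != base and dn.split(",", 1)[-1] == base
    return dn == base or dn.endswith("," + base)


def matches(entry, filt):
    """Evaluate one (attr=value) or (attr=*) assertion, case-insensitively."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=([^)]*)\)", filt)
    if not m:
        raise ValueError("only single (attr=value) filters are modelled: %r" % filt)
    attr, value = m.group(1).lower(), m.group(2)
    if value == "*":
        return attr in entry
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(directory, base, scope, filt):
    """Filter evaluation over stored attributes only, as the backend itself does."""
    return [dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(e, filt)]


def expand_dynlist(directory, dn, uri_attr="labeleduri"):
    """Return a copy of one entry with every URL in uri_attr expanded: the URL's
    attribute list is read from each entry the URL selects and merged in."""
    entry = {k: list(v) for k, v in directory[dn].items()}
    for url in entry.get(uri_attr, []):
        u = parse_ldap_url(url)
        for target_dn in search(directory, u["base"], u["scope"], u["filter"]):
            for attr in u["attrs"]:
                for v in directory[target_dn].get(attr.lower(), []):
                    values = entry.setdefault(attr.lower(), [])
                    if v not in values:
                        values.append(v)
    return entry


def search_with_dynlist(directory, base, scope, filt):
    """Filter first, then expand only the entries being returned."""
    return {dn: expand_dynlist(directory, dn) for dn in search(directory, base, scope, filt)}


if __name__ == "__main__":
    base = "dc=groundnoise,dc=net"
    for dn, e in search_with_dynlist(DIRECTORY, base, "sub", "(cn=abuse)").items():
        print(dn, "->", e.get("host"))
    print("(host=dipswitch.net) ->", search(DIRECTORY, base, "sub", "(host=dipswitch.net)"))
```

Run stand-alone it prints the expanded host list for the group when searched by cn, and only the host= entry for a filter on host, which is the asymmetry the post describes.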
Re: solaris compile options
by Brett @Google
i am using CFLAGS="-fast -xtarget=ultraT1 -xarch=sparcvis2 -xcode=pic32 -g
-xs -O"
one set of solaris docs i read implied that -xarch=sparcvis2 was equivalent
to -xarch=v9 (which used to trigger 64 bit), but looking at the sun studio
12 compiler options, the more specific versions of -xarch (ie. other than
-xarch=v9 or v9a or v9b) may no longer imply that the 64 bit memory model
should be used, so maybe i need to add a -m64 to the above?
(compiling on a Sun T2000, with a homogeneous build / execute environment, so
favouring speed over cpu compatibility is ok)
On Thu, Mar 12, 2009 at 1:31 AM, Aaron Richton <richton(a)nbcs.rutgers.edu> wrote:
> On Wed, 11 Mar 2009, Brett @Google wrote:
>
> /data/openldap/backups/ldap_090302.ldif: Value too large for defined data
>> type
>>
>
> man lfcompile, and/or switch to 64-bit binaries?
>
13 years, 4 months
Assertion failure in ldapsearch
by Guillaume Rousse
This server is frozen, and ldapsearch crashes:
[root@etoile main]# ldapsearch -x
ldapsearch: error.c:272: ldap_parse_result: Assertion `r != ((void *)0)'
failed.
Abandon
This is openldap 2.4.15 client, with this specific configuration:
TLS_CACERTDIR /etc/pki/tls/rootcerts
TLS_REQCERT demand
NETWORK_TIMEOUT 2
TIMEOUT 2
TIMELIMIT 2
On my own host, with 2.4.17 and no configuration, the client just hangs
indefinitely.
I'm attaching the network capture.
--
BOFH excuse #229:
wrong polarity of neutron flow
13 years, 9 months
openldap configuration error
by Jittinan Suwanrueangsri
Hi
I have configured openldap 2.4.16 with the following options:
env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure --enable-bdb=mod
--enable-hdb=mod --enable-ldap=mod --enable-monitor=mod
--enable-spasswd=yes --enable-modules=yes --enable-wrappers=yes
--enable-overlays=mod --with-cyrus-sasl --with-tls=openssl
--enable-dynacl=yes --enable-crypt=yes --enable-lmpasswd=yes
After running the make test command there is an error as shown below:
>>>>> Starting test018-syncreplication-persist ...
running defines.sh
Starting producer slapd on TCP/IP port 9011...
Using ldapsearch to check that producer slapd is running...
Using ldapadd to create the context prefix entry in the producer...
Starting consumer slapd on TCP/IP port 9014...
Using ldapsearch to check that consumer slapd is running...
Using ldapadd to populate the producer directory...
Waiting 7 seconds for syncrepl to receive changes...
Stopping the provider, sleeping 10 seconds and restarting it...
Using ldapsearch to check that producer slapd is running...
Waiting 7 seconds for consumer to reconnect...
Using ldapmodify to modify producer directory...
Using ldappasswd to change some passwords...
Waiting 7 seconds for syncrepl to receive changes...
Stopping consumer to test recovery...
Modifying more entries on the producer...
Restarting consumer...
Waiting 7 seconds for syncrepl to receive changes...
Try updating the consumer slapd...
ldapmodify failed (255)!
>>>>> ./scripts/test018-syncreplication-persist failed (exit 255)
make[2]: *** [bdb-mod] Error 255
make[2]: Leaving directory `/home/jittinans/openldap-2.4.16/tests'
make[1]: *** [test] Error 2
make[1]: Leaving directory `/home/jittinans/openldap-2.4.16/tests'
make: *** [test] Error 2
but after that I changed to not build the backends as modules:
env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure --enable-bdb=yes
--enable-hdb=yes --enable-ldap=yes --enable-monitor=yes
--enable-spasswd=yes --enable-modules=yes --enable-wrappers=yes
--enable-overlays=mod --with-cyrus-sasl --with-tls=openssl
--enable-dynacl=yes --enable-crypt=yes --enable-lmpasswd=yes
It works correctly. Why?
13 years, 9 months
Problems with boolean in schema
by Rodrigo Costa
Dear openldap community,
I'm using a boolean entry in my DB, and when I try to load it using an
LDIF file I receive an error message.
The attribute definition is:
###############################
# ATTRIBUTES FOR INTERCEPTION
# ---------------------------------------------------------------------------
###############################
#
# isinterception
#
# tells if the admin user is authorised to manage the interception flag
# of the user subscriptions
#
Attributetype ( 1.3.6.1.4.1.6287.300.1.112 NAME 'isinterception'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
Which I double-checked in RFC 2252, where I have the definition:
6.4. Boolean
( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )
Values in this syntax are encoded according to the following BNF:
boolean = "TRUE" / "FALSE"
Boolean values have an encoding of "TRUE" if they are logically true,
and have an encoding of "FALSE" otherwise.
My LDIF file has the entry (with traces during load):
=> str2entry: "dn:
loginname=protectedaccess,ou=ADMINUSERS,ou=PROFILECONF,ou=INDEXES,o=domain,c=fr
objectclass: adminuser
objectclass: interception
loginname: protectedaccess
loginpasswd: {CRYPT}inRf5tBzmUVog
profileidlist: 100,101,102,103,104,105,106,107
sitelist: brtldpvip
mailboxgroup: 255
isinterception : TRUE
interceptprefix : 88
interceptsecretcode : 1234
interceptprofileid : 104
"
>>> dnPrettyNormal:
<loginname=protectedaccess,ou=ADMINUSERS,ou=PROFILECONF,ou=INDEXES,o=domain,c=fr>
<<< dnPrettyNormal:
<loginname=protectedaccess,ou=ADMINUSERS,ou=PROFILECONF,ou=INDEXES,o=domain,c=fr>,
<loginname=protectedaccess,ou=adminusers,ou=profileconf,ou=indexes,o=domain,c=fr>
<= str2entry: str2ad(isinterception): AttributeDescription contains
inappropriate characters
slapadd: could not parse entry (line=590)
=> str2entry: "dn:
loginname=webccuser1,ou=ADMINUSERS,ou=PROFILECONF,ou=INDEXES,o=domain,c=fr
objectclass: adminuser
loginname: webccuser1
loginpasswd: {CRYPT}ajc0hX/PgdoZM
profileidlist: 100,101,102,103,105,106,107
sitelist: brtldpvip
mailboxgroup: 255
See the error above: "AttributeDescription contains inappropriate characters".
The attribute isinterception has all letters in uppercase as expected,
and I also checked for non-printing characters but I do not see anything
there. This file loads in openldap 2.3 without any problems, but I could
not load it without this message in 2.4.x.
Do you have any idea about what it could be?
Regards,
Rodrigo.
13 years, 9 months
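An added checker for the two rules the post quotes, written for this thread rather than taken from the post or from slapd's own str2entry: it encodes the RFC 4512 AttributeDescription grammar (a keystring or numeric OID, optionally followed by ";option" parts) as a regular expression, applies the RFC 2252 section 6.4 Boolean BNF ("TRUE" / "FALSE") to attributes declared with that syntax, and runs both over LDIF lines constructed after the posted record (the password hash is left out). The description is taken exactly as written up to the first colon, since that is the string the server is asked to validate; base64 ("::") values are decoded, while URL ("<") values are not handled.

```python
"""LDIF attribute-line checks per RFC 4512 and RFC 2252 6.4 (added example, not slapd code)."""
import base64
import re

# RFC 4512: attributedescription = ( keystring / numericoid ) *( ";" option )
#   keystring = ALPHA *( ALPHA / DIGIT / HYPHEN ); option = 1*( ALPHA / DIGIT / HYPHEN )
ATTR_DESC_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)(?:;[A-Za-z0-9-]+)*$")
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9.;-]")
# RFC 2252 section 6.4: boolean = "TRUE" / "FALSE"
BOOLEAN_VALUES = ("TRUE", "FALSE")


def split_ldif_line(line):
    """Split 'desc: value' (or 'desc:: base64') at the first colon, keeping the
    description exactly as written, including any whitespace before the colon."""
    if ":" not in line:
        raise ValueError("not an attribute line: %r" % line)
    desc, rest = line.split(":", 1)
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.lstrip(" ")  # whitespace after the colon is not part of the value
    return desc, value


def check_attribute_line(line, boolean_attrs=()):
    """Return (ok, message) for one LDIF attribute line."""
    desc, value = split_ldif_line(line)
    if not ATTR_DESC_RE.match(desc):
        bad = sorted({c for c in desc if not ALLOWED_CHARS.match(c)})
        return False, "AttributeDescription %r contains inappropriate characters %r" % (desc, bad)
    declared_boolean = {a.lower() for a in boolean_attrs}
    if desc.split(";")[0].lower() in declared_boolean and value not in BOOLEAN_VALUES:
        return False, "Boolean attribute %r: value %r is not TRUE or FALSE" % (desc, value)
    return True, "ok"


def check_entry(lines, boolean_attrs=()):
    """Check every attribute line of one LDIF record; return (line number, message) failures."""
    failures = []
    for number, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        ok, message = check_attribute_line(line, boolean_attrs)
        if not ok:
            failures.append((number, message))
    return failures


# Constructed after the posted record; the space before the colon is kept on purpose.
SAMPLE_ENTRY = [
    "dn: loginname=protectedaccess,ou=ADMINUSERS,ou=PROFILECONF,ou=INDEXES,o=domain,c=fr",
    "objectclass: adminuser",
    "objectclass: interception",
    "loginname: protectedaccess",
    "profileidlist: 100,101,102,103,104,105,106,107",
    "sitelist: brtldpvip",
    "mailboxgroup: 255",
    "isinterception : TRUE",
    "interceptprefix : 88",
    "interceptsecretcode : 1234",
    "interceptprofileid : 104",
]

if __name__ == "__main__":
    for number, message in check_entry(SAMPLE_ENTRY, boolean_attrs=["isinterception"]):
        print("line %d: %s" % (number, message))
```

Running it lists each line whose description fails the grammar together with the offending characters, which makes a whitespace problem visible in a way a plain grep for non-printing characters does not.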
Deletion of 2000 records on master causes complete resync on Shadow
by Serge Dubrouski
Hello -
In our infrastructure we have one master and 2 shadow OpenLDAP 2.4.13
servers with a db-4.6.21 backend database. The directory contains about
110000 records. Today we had to delete about 2000 records on the
master, and that caused a complete refresh on the shadows. I mean the shadows
started to delete all records in their databases. In the log files it
started with these messages appearing:
Aug 27 14:59:40 berlin slapd[4138]: do_syncrep2: rid=011
LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Aug 27 14:59:40 berlin slapd[4138]: do_syncrep2:
cookie=rid=011,csn=20090827205939.642722Z#000000#000#000000
Then it started deleting records:
Aug 27 14:59:45 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011
be_delete cn=,,,,,
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011
be_delete cn=.....
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011
be_delete cn=.....
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011
be_delete cn=....
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011
be_delete cn=....
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011
be_delete cn=...
And it deleted records for the whole directory
and then started putting them back. Does anybody know if this is
expected behavior?
--
Serge Dubrouski.
13 years, 9 months
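An added detector for the pattern this thread shows in the consumer log (a SYNC_ID_SET message followed by a run of syncrepl_del_nonpresent / be_delete lines); it is written here as a log-pipeline check and is not code from the post or from OpenLDAP. It parses slapd syslog lines, splits the syncrepl cookie's CSN into its fields (assumed layout: UTC time with microseconds, then #count#sid#mod in hex), and raises one alert per rid whose non-present deletes reach a threshold inside a sliding window, keeping the alert open while the burst continues. The sample lines are constructed after the posted ones with placeholder DNs; the year is supplied by the caller because syslog timestamps carry none.

```python
"""Syncrepl delete-burst detection over slapd syslog lines (added example, not OpenLDAP code)."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RID_RE = re.compile(r"rid=(\d+)")
# Assumed CSN layout: YYYYmmddHHMMSS.ffffffZ#count#sid#mod (hex fields)
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def parse_csn(csn):
    """Split a syncrepl CSN into its timestamp and numeric fields."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    t = m.group(1)
    when = datetime(int(t[0:4]), int(t[4:6]), int(t[6:8]), int(t[8:10]),
                    int(t[10:12]), int(t[12:14]), int(m.group(2)))
    return {"time": when, "count": int(m.group(3), 16), "sid": int(m.group(4), 16), "mod": int(m.group(5), 16)}


def parse_line(line, year=2009):
    """Classify one slapd syslog line; returns None for lines that are not slapd's."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    rid = RID_RE.search(msg)
    rec = {"time": datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S"),
           "host": m.group("host"), "rid": rid.group(1) if rid else None, "msg": msg, "event": "other"}
    if "syncrepl_del_nonpresent" in msg and "be_delete" in msg:
        rec["event"] = "del_nonpresent"
        rec["dn"] = msg.split("be_delete", 1)[1].strip()
    elif "SYNC_ID_SET" in msg:
        rec["event"] = "id_set"  # consumer got the present-entry list; deletes of absent entries may follow
    elif "csn=" in msg:
        rec["event"] = "cookie"
        rec["csn"] = parse_csn(msg.split("csn=", 1)[1].strip())
    return rec


def detect_delete_bursts(lines, threshold=5, window=timedelta(seconds=60), year=2009):
    """One alert per rid whose del_nonpresent deletes reach `threshold` within `window`."""
    alerts, open_alerts, runs, phase, cookie = [], {}, {}, {}, {}
    for rec in filter(None, (parse_line(l, year) for l in lines)):
        rid = rec["rid"]
        if rec["event"] == "id_set":
            phase[rid] = "SYNC_ID_SET"
        elif rec["event"] == "cookie":
            cookie[rid] = rec["csn"]
        elif rec["event"] == "del_nonpresent":
            run = runs.setdefault(rid, [])
            run.append(rec["time"])
            while rec["time"] - run[0] > window:  # drop deletes that fell out of the window
                run.pop(0)
            if len(run) < threshold:
                open_alerts.pop(rid, None)
            elif rid in open_alerts:
                open_alerts[rid]["deletes"] += 1
                open_alerts[rid]["last"] = rec["time"]
            else:
                open_alerts[rid] = {"rid": rid, "host": rec["host"], "phase": phase.get(rid, "unknown"),
                                    "cookie": cookie.get(rid), "deletes": len(run),
                                    "first": run[0], "last": rec["time"]}
                alerts.append(open_alerts[rid])
    return alerts


# Constructed after the posted log; DNs replaced by placeholders.
SAMPLE_LOG = """\
Aug 27 14:59:40 berlin slapd[4138]: do_syncrep2: rid=011 LDAP_RES_INTERMEDIATE - SYNC_ID_SET
Aug 27 14:59:40 berlin slapd[4138]: do_syncrep2: cookie=rid=011,csn=20090827205939.642722Z#000000#000#000000
Aug 27 14:59:45 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011 be_delete cn=user0001,ou=people,dc=example,dc=com
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011 be_delete cn=user0002,ou=people,dc=example,dc=com
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011 be_delete cn=user0003,ou=people,dc=example,dc=com
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011 be_delete cn=user0004,ou=people,dc=example,dc=com
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011 be_delete cn=user0005,ou=people,dc=example,dc=com
Aug 27 14:59:46 berlin slapd[4138]: syncrepl_del_nonpresent: rid=011 be_delete cn=user0006,ou=people,dc=example,dc=com
""".splitlines()

if __name__ == "__main__":
    for alert in detect_delete_bursts(SAMPLE_LOG):
        print("%(host)s rid=%(rid)s: %(deletes)d non-present deletes after %(phase)s between %(first)s and %(last)s" % alert)
```

The threshold and window are the tuning knobs: set them from the normal delete rate of the directory so that a handful of legitimate deletions does not page anyone, while a whole-directory purge like the one in the post does.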
openldap 2.4.11 multi-master replication fails and overlay stacking order
by Alan Evans
I have two issues.
1. Multi-master replication does not seem to work reliably for me, changes
on master1 often do not get replicated to master2 or vice versa.
One thing I think is a bit weird is that I have to use "mirrormode on", but
reading the documentation, mirrormode is not really multi-master; it's basically master
with failover. All writes should go to one master, but I want true
multi-master where writes can go to either master at any time.
If I remove "mirrormode on" I get "unwilling to perform" or update referrals
when trying to write to my masters. Should I be using mirrormode for
multi-master replication?
2. I am not sure my overlays are ordered in the best way and wonder if this
misordering is a part of the replication problems I am seeing.
Can anyone offer any suggestions as to what I might have wrong for
multi-master replication or for the proper stacking order of my overlays?
I am using openldap 2.4.11 and I am configuring everything with slapd.conf.
I am trying to update to 2.4.16 but I need a reliable RPM for it. It is
company policy that the build tools do not go on production servers so I
must find an RPM or build an RPM on our build box.
--- Begin master1 slapd.conf ---
...globals, schema and such...
password-hash {SSHA}
ServerID 1
# access.conf contains all access statements which get rsynced
# to all master and slave ldap servers
include /etc/openldap/access.conf
authz-policy both
sizelimit unlimited
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index member,uniqueMember,memberOf eq,pres
index entryCSN,entryUUID eq
overlay accesslog
logdb cn=log
logops writes session
logpurge 7+00:00 1+00:00
overlay ppolicy
ppolicy_default cn=ppolicy_default,ou=policies,dc=example,dc=com
ppolicy_use_lockout true
syncrepl rid=001
    provider=ldap://master2/
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=secret
    searchbase="dc=example,dc=com"
    schemachecking=off
    type=refreshAndPersist
    starttls=yes
    tls_reqcert=never
    retry="60 5 600 +"
overlay syncprov
syncprov-checkpoint 100 10
mirrormode on
overlay unique
unique_uri "ldap:///o=*,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"
unique_uri "ldap:///o=*,dc=example,dc=com?uidNumber?sub?(objectClass=posixAccount)"
unique_uri "ldap:///o=*,dc=example,dc=com?cn?sub?(objectClass=posixGroup)"
overlay dynlist
dynlist-attrset posixGroup memberURL memberUid:uid
overlay memberof
memberof-refint TRUE
memberof-dangling error
--- End master1 slapd.conf ---
Master2 slapd.conf is identical except for being ServerID 2 and its syncrepl
provider is master1.
13 years, 9 months
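To reason about the stacking question in this thread, here is an added slapd.conf reader that reports the overlay stack per database; it is not the post's code and not part of OpenLDAP. The order it reports follows the overlay directive in slapd.conf(5): overlays are pushed onto a stack over the database, so an operation passes through them in the reverse of the order they were configured, and the database itself receives control last. Directives that follow an "overlay" line are attributed to that overlay by position only, which is a simplification of how slapd resolves keywords (it is also why the syncrepl stanza, placed between ppolicy and syncprov in the posted file, shows up under ppolicy here). The sample configuration is constructed after the posted one, with the secrets replaced by placeholders and the syncrepl continuation lines indented.

```python
"""Overlay stack report for a slapd.conf (added example, not OpenLDAP code)."""
import shlex


def parse_slapd_conf(text):
    """Return {"globals": [(name, args)], "databases": [{type, directives, overlays}]}."""
    logical = []  # continuation lines (leading whitespace) are joined to the previous directive
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    conf = {"globals": [], "databases": []}
    target, db = conf["globals"], None
    for line in logical:
        parts = shlex.split(line)  # honours the double-quoted values slapd.conf uses
        name, args = parts[0].lower(), parts[1:]
        if name == "database":
            db = {"type": args[0], "overlays": [], "directives": []}
            conf["databases"].append(db)
            target = db["directives"]
        elif name == "overlay" and db is not None:
            overlay = {"name": args[0], "directives": []}
            db["overlays"].append(overlay)
            target = overlay["directives"]  # position-based attribution (simplification)
        else:
            target.append((name, args))
    return conf


def configured_order(db):
    """Overlay names in the order they appear in the file."""
    return [o["name"] for o in db["overlays"]]


def invocation_order(db):
    """Order in which an operation passes through the overlays before reaching the backend."""
    return list(reversed(configured_order(db)))


def directive(section, name):
    """Argument list of the first directive called `name` in a database or overlay section."""
    for key, args in section["directives"]:
        if key == name.lower():
            return args
    return None


# Constructed after the posted master1 slapd.conf; secrets replaced by placeholders.
SAMPLE_CONF = """\
password-hash {SSHA}
ServerID 1
include /etc/openldap/access.conf
authz-policy both
sizelimit unlimited

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw PLACEHOLDER-NOT-A-REAL-PASSWORD
directory /var/lib/ldap
index objectClass eq,pres
index entryCSN,entryUUID eq
overlay accesslog
logdb cn=log
logops writes session
logpurge 7+00:00 1+00:00
overlay ppolicy
ppolicy_default cn=ppolicy_default,ou=policies,dc=example,dc=com
ppolicy_use_lockout true
syncrepl rid=001
    provider=ldap://master2/
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=PLACEHOLDER
    searchbase="dc=example,dc=com"
    type=refreshAndPersist
    retry="60 5 600 +"
overlay syncprov
syncprov-checkpoint 100 10
mirrormode on
overlay unique
unique_uri "ldap:///o=*,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"
overlay dynlist
dynlist-attrset posixGroup memberURL memberUid:uid
overlay memberof
memberof-refint TRUE
memberof-dangling error
"""

if __name__ == "__main__":
    for db in parse_slapd_conf(SAMPLE_CONF)["databases"]:
        print("database %s suffix %s" % (db["type"], directive(db, "suffix")))
        print("  configured:", " -> ".join(configured_order(db)))
        print("  invoked:   ", " -> ".join(invocation_order(db)), "-> backend")
```

Seeing the invoked order next to the configured one is the point: with the posted layout, memberof and dynlist see a write before syncprov does, and accesslog sees it last, just before the bdb backend.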
cache configuration constraints question
by Rodrigo Costa
openldap community,
I would like your comments on some cache configuration. I'm sending my
slapd.conf attached, for full information about my system.
Since I have some memory constraints, I needed to limit memory use with the cache
configuration in the slapd.conf file.
#Cache values
#cachesize 10000
cachesize 20000
dncachesize 3000000
#dncachesize 400000
#idlcachesize 10000
idlcachesize 30000
#cachefree 10
cachefree 10000
Since I was initially testing using only ldapsearch through the whole DB,
a dncachesize of 3,000,000 was controlling the use of memory correctly.
Then, using the same cache constraints in slapd.conf, I created a jmeter
script with a csv file that individually searches for each entry in the
DB. This would be understood as individual ldapsearch calls with individual
entry searches, different from one ldapsearch for all entries in the DB.
But to my surprise the memory was consumed much faster, and when around
500K entries had been searched, much less than the full ldapsearch with the
3,000,000 cache, I already had the same memory consumption. In this way
I had a crash in slapd since the memory was all allocated.
I would like your help to understand these memory constraint
configurations and why the memory consumption behavior was so different in
these 2 cases.
In summary:
Case 1: Search the full DB using a single ldapsearch (ldapsearch
<parameters> filter=* )
Case 2: Multiple searches for all entries in the DB, like multiple
ldapsearch calls (ldapsearch <parameters> filter=<unique DB>)
Is there any difference between these two cases based on the cache limitation?
Maybe I have some incorrect understanding about cache configuration.
Best Regards,
Rodrigo.
13 years, 9 months
[Openldap 2.4.16] Is it possible to force synchronization: files log.xxxx not treated after a crash
by Lepoutre Lionel
Hello,
I am using openldap 2.4.16 in a multi-master configuration mode (2 servers
on a linux system - LFS).
My problem is that some data are not synchronised on one of my servers, and I
have some "log.xxxx" files in my var/openldap-data/ directory.
I think it is normal, as these files are the synchronisation files and are
not removed until the synchronisation is validated (in my DB_CONFIG I have
set the parameter:
set_flags DB_LOG_AUTOREMOVE).
The replication is working at the moment (I have made some tests), but I
know that the ldap process has crashed, as I found these logs:
Aug 20 10:08:40 bpldap02s kernel: slapd[19783]: segfault at 0 ip 080926f3 sp ad5a03a0 error 4 in slapd[8048000+1b9000]
But I was on holidays while it happened, so I don't have more information on
how it happened.
Is there something I can do to force the files to be treated? I have read
some articles about "slurpd" but I am not sure it can be used with my
version.
For the moment I only see the solution "slapcat -> ldapadd" to synchronize
both instances, but if you have any other solution...
Thank you for your help.
Lionel
13 years, 9 months