openldap-software April 2010

openldap-software@openldap.org

47 participants
48 discussions

Need help syncing with syncrepl 2.3
by L.B. 20 May '10

20 May '10

Hi; I've finally decided to make the move to syncrepl after much delay and procrastination. I've read the guide and also reviewed several howto's on the topic... It still isn't running correctly for me because it doesn't replicate a few new users I've added to the provider. Also I'm seeing the following issue over and over (every time it tries a sync on my 10m interval): ######### Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_del_nonpresent: rid 001 be_delete uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com (0) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_search (0) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 uid=airftp,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: syncrepl_entry: rid 001 be_add (0) Mar 5 20:25:19 admin-agis01 slapd2.3[6147]: do_syncrep2: rid 001 LDAP_RES_SEARCH_RESULT ######### My setup is RHEL4 with Buchan's RPMs (openldap2.3-servers-2.3.39-3.rhel4, etc.). I have a fairly simple setup, one provider and one consumer. Here is my provider config: ###################### include /usr/share/openldap2.3/schema/core.schema include /usr/share/openldap2.3/schema/cosine.schema include /usr/share/openldap2.3/schema/inetorgperson.schema include /usr/share/openldap2.3/schema/nis.schema include /usr/share/openldap2.3/schema/misc.schema include /usr/share/openldap2.3/schema/corba.schema include /usr/share/openldap2.3/schema/openldap.schema include /usr/share/openldap2.3/schema/ppolicy.schema include /usr/share/openldap2.3/schema/ldapns.schema access to * by dn.exact="cn=Replicator,dc=swa,dc=com" read by self read by * none break limits group="cn=Replicator,dc=swa,dc=com" size=unlimited time=unlimited access to * by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read by self read by * none break access to attrs=userPassword by self write by * auth pidfile /cluster/agis-ldap/ldap-master/var/run/slapd.pid argsfile /cluster/agis-ldap/ldap-master/var/run/slapd.args modulepath /usr/lib/openldap2.3 moduleload ppolicy.la moduleload syncprov.la TLSCertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem TLSCertificateKeyFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem TLSCACertificateFile /cluster/agis-ldap/ldap-master/etc/cacerts/ldap.pem loglevel 256 database bdb suffix "dc=swa,dc=com" rootdn "cn=Manager,dc=swa,dc=com" rootpw {SSHA}YADYADAYADA directory /cluster/agis-ldap/ldap-master/var/lib/ldap overlay ppolicy ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com" ppolicy_use_lockout overlay syncprov syncprov-checkpoint 1 10 syncprov-sessionlog 100 serverid 001 cachesize 100000 idlcachesize 100000 checkpoint 256 5 index objectClass eq index ou,cn,mail,givenname eq,subinitial index uidNumber,gidNumber,memberUid,loginShell eq index uid eq,subinitial index uniqueMember pres index entryCSN,entryUUID eq ###################### Here is my consumer config: ###################### include /usr/share/openldap2.3/schema/core.schema include /usr/share/openldap2.3/schema/cosine.schema include /usr/share/openldap2.3/schema/inetorgperson.schema include /usr/share/openldap2.3/schema/nis.schema include /usr/share/openldap2.3/schema/misc.schema include /usr/share/openldap2.3/schema/corba.schema include /usr/share/openldap2.3/schema/openldap.schema include /usr/share/openldap2.3/schema/ppolicy.schema include /usr/share/openldap2.3/schema/ldapns.schema access to * by dn.exact="uid=agis-ldap,ou=SystemUsers,ou=SystemAccounts,dc=swa,dc=com" read by self read by * none break access to attrs=userPassword by self write by * auth pidfile /cluster/agis-ldap/ldap-slave/var/run/slapd.pid argsfile /cluster/agis-ldap/ldap-slave/var/run/slapd.args modulepath /usr/lib/openldap2.3 moduleload ppolicy.la moduleload syncprov.la TLSCertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem TLSCertificateKeyFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem TLSCACertificateFile /cluster/agis-ldap/ldap-slave/etc/cacerts/ldap.pem loglevel sync database bdb suffix "dc=swa,dc=com" rootdn "cn=Manager,dc=swa,dc=com" rootpw {SSHA}YADYADAYADA directory /cluster/agis-ldap/ldap-slave/var/lib/ldap overlay ppolicy ppolicy_default "cn=swaPasswordPolicy,ou=Policies,dc=swa,dc=com" ppolicy_use_lockout cachesize 100000 idlcachesize 100000 checkpoint 256 5 index objectClass eq index ou,cn,mail,givenname eq,subinitial index uidNumber,gidNumber,memberUid,loginShell eq index uid eq,subinitial index uniqueMember pres index entryCSN,entryUUID eq syncrepl rid=001 provider=ldap://ldap-agis01.mascorp.com type=refreshOnly interval=00:00:10:00 retry="60 10 300 +" searchbase="dc=swa,dc=com" filter="(objectClass=*)" binddn="cn=Replicator,dc=swa,dc=com" bindmethod=simple credentials=yadayadayada schemachecking=off updateref ldap://ldap-agis01.mascorp.com/ ###################### Any help would be much appreciated! Thanks!! Rafael

3 2

syncrepl_del_nonpresent and syncrepl issues.
by Jorgen Lundman 13 May '10

13 May '10

openldap-2.3.41 db-4.2.52.NC-PLUS_5_PATCHES Solaris 10 x86 Layout: ldapmaster <-syncrepl-> ldapslave01/02/03/04 <-syncrepl-> data-clusters. It has come to light that we have some sync inconsistencies. At the moment, a customer domain that shows correct entries on ldapmaster, ldapslave02, ldapslave04 (and all servers syncing from them). But has incorrect, or rather missing, entries on ldapslave01 and ldapslave03. There are no differences between these hosts (they are in fact HDD clones) and config files are pushed from git, with only RID changed. The logs on ldapslave03 for one of the broken entries (in this case, ou=DNS). I have loglevel=sync on all servers: slaplog.20100407.gz:Mar 3 12:27:12 ldapslave03.unix slapd[27355]: [ID 561622 local4.debug] syncrepl_del_nonpresent: rid 329 be_delete DNSHostName=(a),DNSZoneName=example.com,ou=dns,$DC (66) slaplog.20100407.gz:Mar 3 12:27:12 ldapslave03.unix slapd[27355]: [ID 561622 local4.debug] syncrepl_del_nonpresent: rid 329 be_delete DNSZoneName=example.com,ou=dns,$DC (66) What is "syncrepl_del_nonpresent"? Is it something I should be worried about? If I count the number of entries with said error: ldapslave02: 42 ldapslave03: 7240 Which makes me wonder if it is a global problem for us, but is exaggerated on some servers. I notice that the provisioning log for that customer's domain has about 24 "+dns" and "-dns" entries in a row. Not entirely sure why the customer was changing their DNS back and forth so much, but perhaps it is related. Can it be that a "delete/create/delete" sequence of the same DN, sent to master, but which has not yet been pushed out to all slaves, may trigger this situation? Surely all replication is in strict time sequence though. Is there anything I can do presently? Any advise is most appreciated. Lund -- Jorgen Lundman | <lundman(a)lundman.net> Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work) Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell) Japan | +81 (0)3 -3375-1767 (home)

3 11

too many open files
by Hugo Monteiro 04 May '10

04 May '10

Hello list, Although the subject suggests a fairly know issue, i cannot seem to understand the cause. Log file presents Apr 22 12:57:36 proxyldap1 slapd[1511]: warning: cannot open /etc/hosts.allow: Too many open files Apr 22 12:57:36 proxyldap1 slapd[1511]: warning: cannot open /etc/hosts.deny: Too many open files , but proxyldap1:~# cat /proc/sys/fs/file-max 100000 proxyldap1:~# cat /proc/sys/fs/file-nr 1088 0 100000 proxyldap1:~# lsof -p `pidof slapd`| wc -l 460 proxyldap1:~# su -c "ulimit -n" openldap 8192 slapd is version 2.4.17-2 (Debian Unstable) and is running on a xen vm, using 64bit kernel 2.6.26-2-xen-amd64 in a Debian Lenny system. Have i overlooked any aspect? Thank you in advance, Hugo Monteiro. -- fct.unl.pt:~# cat .signature Hugo Monteiro Email : hugo.monteiro(a)fct.unl.pt Telefone : +351 212948300 Ext.15307 Web : http://hmonteiro.net Divisão de Informática Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa Quinta da Torre 2829-516 Caparica Portugal Telefone: +351 212948596 Fax: +351 212948548 www.fct.unl.pt apoio(a)fct.unl.pt fct.unl.pt:~# _

4 7

authz-regexp and invalid filters
by David Hawes 28 Apr '10

28 Apr '10

When using a search-based mapping for an authentication DN to a user's DN, certain characters, namely '(' and ')', will cause the mapping to fail. In order for the mapping to succeed, the characters need to be properly escaped so they pass str2filter(). Is there any reason that special characters used in authz-regexp filters should not be escaped when using search-based mappings? I am testing this with 2.4.21.

2 1

Seg faults with 2.4.22
by Michael Ströder 27 Apr '10

27 Apr '10

HI! I'm experiencing occasional seg faults with 2.4.22 while 2.4.21 worked without issues on the very same system (self-compiled BDB, SASL, OpenLDAP on RHEL 5 with separate prefix) with the very same configuration. I can't provide a stack trace since data on this system is private. I suspect that something's wrong with slapo-allowed and deactivated it. Have to observe that a little bit more since the problems seem to be not deterministic. Were some API changes done in 2.4.22 which are not propagated to slapo-allowed? Ciao, Michael.

2 1

Re: Exception handling!!!
by Pratima Shet 26 Apr '10

26 Apr '10

Ya, application is multi threaded, but only one thread will handle all ldap related operations. I am linking to "libldap" not "libldap_r". Crash happened only once. Am unabled to reproduce it. So, I dont have much information regarding the line in the library where it crashed exactly. Handle was not NULL, but it was corrupted. Is there any way, to check whether ldap handle is proper or valid apart from NULL check ? Regards, Pratima

2 1

working with Collect overlay (Openldap 2.4.17)
by Payasito Payasito 26 Apr '10

26 Apr '10

Hello, I'm following the slapo-collect man page but I must be missing something. For this database the collectinfo directive is pointing to "uid=template1,dc=test,dc=tld" dn and the "description" attribute as the collective one. database bdb suffix "dc=test,dc=tld" checkpoint 1024 5 cachesize 10000 rootdn "cn=root,dc=test,dc=tld" rootpw secret directory /var/lib/ldap-tests index objectClass eq access to * by * write overlay collect collectinfo "uid=template1,dc=test,dc=tld" description however, a search doesn't return the collect attribute for the result entries under "ou=people,dc=test,dc=tld" anyone knows how to resolve this problem? # ldapsearch -b "dc=test,dc=tld" -D "cn=root,dc=test,dc=tld" -w secret -LLL dn: dc=test,dc=tld objectClass: dcObject objectClass: organization dc: test o: edu dn: ou=people,dc=test,dc=tld objectClass: top objectClass: organizationalUnit ou: people dn: uid=a01,ou=people,dc=test,dc=tld objectClass: top objectClass: account uid: a01 dn: uid=a02,ou=people,dc=test,dc=tld objectClass: top objectClass: account uid: a02 dn: uid=a03,ou=people,dc=test,dc=tld objectClass: top objectClass: account uid: a03 dn: uid=template1,dc=test,dc=tld objectClass: top objectClass: account uid: template1 description: The quick brown fox jumps over the lazy dog

1 0

N-way multimaster replication problem
by Néher Márton 26 Apr '10

26 Apr '10

Hi, I have just set up openldap on two nodes (alpha, beta). I am using openldap for a passdb backend for samba. I followed this guide: http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master To a point, everything seems to work just fine, the cn=config replication works both ways. After deleting everything from my base, I run smbldap-populate on the node alpha. It creates the default users, groups pretty fine, but it failed to replicat to node beta. the log entries shows this on alpha: http://pastebin.com/Ykhvq4BY on the other node the log shows this on beta: http://pastebin.com/KNwgHQDW My configuration looks the following: cn=config: http://pastebin.com/mT5A4K5i olcDatabase={0}config,cn=config: http://pastebin.com/kwBNEaeV olcDatabase={0}hdb,cn=config: http://pastebin.com/FsPaKK90 I have the olcOverlay={0}syncprov,olcDatabase={0}config,cn=config and olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config set to olcOverlay: {0}syncprov I have nothing in slapd.conf Do you know where to search this problem? What other logs should i attach to figure it out? Have a nice day, Best Regards, Marton, Neher

3 5

ACL to deny deletes but allow entry creation.
by Aravind Gottipati 24 Apr '10

24 Apr '10

Hi, I am working on an application where we want to grant an admin account the privileges to create new entries, but prevent any further changes (or deletes) to the entry by the admin account. I have looked through the docs and the faqs for this, and I am pretty sure that this is not possible. The simile folks relate this with, is the ability to grant insert privileges to an account in mysql, but restrict selects, updates etc.. Before I tell the developers that this is not possible, I wanted to check with you folks first. Have Any of you encountered similar situations? How do others deal with cases like this? Thanks in advance, Aravind.

3 3

"Bad search filter"?
by Luis Neves 23 Apr '10

23 Apr '10

Hello, Can someone confirm this error please? Try to make a ldapsearch agains any attribute on a ldap directory with this filter please: 'Cart\xC3\xA3o' Iam geting "bad search filter' because of the '\x'. But I need this search working to be able to query a X.509 Certificate field. mod_authz_ldap is giving errors because of this Regards, Luis _________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. https://signup.live.com/signup.aspx?id=60969

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2010