openldap-technical December 2008

openldap-technical@openldap.org

58 participants
71 discussions

Versioning entries in the DIT
by Lorenzo Pastrana 21 Dec '08

21 Dec '08

Hi, List I'm planning to store some 'versioned' data into an ldap directory, and trying not to reinvent the wheel ... if anybody has any good resource to share on the subject I'll be glad to hear. Thanks in advance, LP Lorenzo Pastrana - Happy End Vision -------------------------- Design web Conception multimédia Communication visuelle et édition -------------------------- Tél. : 01 42 47 83 09 Fax : 01 47 70 70 19 E-mail : lorenzo.pastrana(a)happyend.fr

3 6

handling forward-only links, DN+Binary and DN+String
by Andrew Bartlett 19 Dec '08

19 Dec '08

Having thought I got to the bottom of extended DN behaviour, I've come across more challenges, that I would like thoughts on. Handling renames of one-way links: OpenLDAP already does this, but Samba needs some help here (as we try to infer the rename from the presence of backlinks, but for one-way links, how should we know we are being linked to?) Handling of DN+Binary and DN+String one-way links. For example, wellKnownObjects: B:32:22b70c67d56e4efb91e9300fca3dc1aa:CN=ForeignSecurityPrincipals,DC=samba,DC=org This is a 'DN+Binary' syntax attribute (for resolving well known GUIDs into a DN), and must therefore follow when the well known target renames. MS-ADTS 3.1.1.1.6 specifies the behaviour. The challenge I see here is that I really do need an additional syntax in OpenLDAP. If I map this to just a binary string (as I do now), then the rename will not follow though. If I map it to a DN (as I had tried in the past), then the syntax is invalid. Is it entirely unreasonable to add an additional syntax? This is a bit of a 'hit and run' question, as I won't be able to carry on the discussion during Christmas/New Year, but any thoughts would be most welcome. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

1 0

In memory cache or bdb performance degradation when upgrading from openldap v2.3.27 to v2.4.11 ?
by Chiles, Michael 19 Dec '08

19 Dec '08

Openldap Technical folk, We have inherited an openldap farm that was deployed using openldap v2.3.27. We have been testing a newly compiled v2.4.11 with same compile flags as a possible replacement due to some replication errors we have seen, but have discovered other bigger problems with the new instance. We believe the issue may be related to in memory cache not working as expected, or that 2.4.11 does not use the hdb backend as efficiently as before. Can anyone confirm a negative performance difference between these versions, or an issue with cache? We are seeing major significant differences in the db_stat output with orders of magnitude difference in the number of attempted reads against the backend cache. I assume these are unsual and that in memory entry cache would normally prevent this traffic from reach the bdb cache. I assume we simply have something wrong in configuration, but I don't see an obvious explanation. If anyone has a moment to review, we would appreciate your feedback. Here is the process we followed, with supporting config info: We have a SLAMD benchmark test based on a real world use case where 400 clients make a "near" simultaneous connection to the directory and execute a search like the following: ldapsearch -h server1 -x - b "ou=myou,dc=mydc,dc=com" "objectclass=*" There are nearly 70,000 objects in this ou with 5 attributes each ( 3 of which are objectclass ), and nearly 210,000 objects in the entire directory. We have an objectclass index. 2.4.11 tests were performed on instances compiled on SLES9.3 64bit, 4 way dual core procs, 16GB RAM, using hoard memory manager, bdb 4.6, and cyrus-sasl-2.1.22 . 2.3.27 tests were performaned on SLES9.3 64bit, 2 way single core proc, 8GB RAM, using standard memory manager, and standard bdb ( 4.2 ). On the v2.3.27 instances, we see all 400 clients get a connection, and get their results. On the new v2.4.11 instance, we see around 150-175 clients get a connection, and the rest get a failure that they cannot reach the server. After more benchmarking, tcpdump, and loglevel -1 we know that the client traffic is getting to the box, but the openldap listener thread does not pick up the connection. We also see high numbers of processes waiting in the CPU run queue. Reducing the number of objects in the directory to 100 results in successful connections to all 400 clients, which lead us to believe the issue might be due to differences in read performance between the instances. The same DB_CONFIG was used in both cases, and the slapd.conf was the same, with some minor tweaks due to slightly different cache configuration options between the versions. Please see the DB_CONFIG and the hdb backend stanza from the slapd.conf file included below. We then did some basic single query tests of both instances and looked at the logs with loglevel -1 and the db_stat output. What we saw was a major difference between both instances on the db_stat results. As mentioned in the summary above, we don't have a good explanation for the difference, although it is significant, and reliable across multiple iterations of test. Please see the db_stat differences shown below. Also seems very unusual that the initial db cache stats would be so high on the new version. slapd.conf: 2.4.11 hdb stanza ( also tested these with the same cache numbers as below 2.3.27 instance with no difference. We reduced these to reasonable levels as old version config seemed overkill ): database hdb directory /local/mnt/ldap.2.4.11/cache-data threads 32 suffix "dc=mydc,dc=com" rootdn <<snip>> rootpw <<snip>> cachesize 500000 dncachesize 1000000 idlcachesize 30000000 sizelimit 10000000 loglevel stats sync dirtyread include /opt/ldap/indexes/my.indexes 2.3.27 hdb stanza database hdb directory /local/mnt/ldap/cache-data threads 32 suffix " dc=mydc,dc=com " rootdn <<snip>> rootpw <<snip>> cachesize 20971520 dbcachesize 20971520 ( not a typo - this one is "dBcachesize. The other is dNcachesize ) idlcachesize 20971520 sizelimit 10000000 loglevel stats sync dirtyread include /opt/ldap/indexes/my.indexes DB_config ( Same for both instances ): set_cachesize 1 1048576000 12 set_flags DB_LOG_AUTOREMOVE set_lg_bsize 2097512 set_lg_dir /local/mnt/ldap/cache-data ( this value points to correct directory in both instances ) set_flags DB_TXN_NOSYNC set_lg_regionmax 500000 set_lk_max_locks 30000 set_lk_max_lockers 30000 set_lk_max_objects 30000 set_tmp_dir /dev/shm After startup with no client test ( previous database instance was completely deleted and recreated using slapadd ), here are the db_stat -m output. I excluded some of the index db info for brevity: Version 2.4.11 1GB 1000MB Total cache size 12 Number of caches 12 Maximum number of caches 168MB 688KB Pool individual cache size 0 Maximum memory-mapped file size 0 Maximum open file descriptors 0 Maximum sequential buffer writes 0 Sleep after writing maximum sequential buffers 0 Requested pages mapped into the process' address space 15M Requested pages found in the cache (99%) 24 Requested pages not found in the cache 9225 Pages created in the cache 24 Pages read into the cache 9244 Pages written from the cache to the backing file 0 Clean pages forced from the cache 0 Dirty pages forced from the cache 0 Dirty pages written by trickle-sync thread 9247 Current total page count 9247 Current clean page count 0 Current dirty page count 393252 Number of hash buckets used for page location 14M Total number of times hash chains searched for a page (14773760) 9 The longest hash chain searched for a page 14M Total number of hash chain entries checked for page (14764487) 0 The number of hash bucket locks that required waiting (0%) 0 The maximum number of times any hash bucket lock was waited for (0%) 0 The number of region locks that required waiting (0%) 0 The number of buffers frozen 0 The number of buffers thawed 0 The number of frozen buffers freed 9309 The number of page allocations 0 The number of hash buckets examined during allocations 0 The maximum number of hash buckets examined for an allocation 0 The number of pages examined during allocations 0 The max number of pages examined for an allocation 0 Threads waited on page I/O Pool File: dn2id.bdb 4096 Page size 0 Requested pages mapped into the process' address space 1005002 Requested pages found in the cache (99%) 2 Requested pages not found in the cache 3062 Pages created in the cache 2 Pages read into the cache 3064 Pages written from the cache to the backing file Pool File: id2entry.bdb 16384 Page size 0 Requested pages mapped into the process' address space 419925 Requested pages found in the cache (99%) 2 Requested pages not found in the cache 2967 Pages created in the cache 2 Pages read into the cache 2969 Pages written from the cache to the backing file Version 2.3.27 1GB 1000MB Total cache size. 12 Number of caches. 168MB 688KB Pool individual cache size. 0 Requested pages mapped into the process' address space. 22738 Requested pages found in the cache (99%). 285 Requested pages not found in the cache. 0 Pages created in the cache. 285 Pages read into the cache. 0 Pages written from the cache to the backing file. 0 Clean pages forced from the cache. 0 Dirty pages forced from the cache. 0 Dirty pages written by trickle-sync thread. 285 Current total page count. 285 Current clean page count. 0 Current dirty page count. 393252 Number of hash buckets used for page location. 23308 Total number of times hash chains searched for a page. 12 The longest hash chain searched for a page. 22738 Total number of hash buckets examined for page location. 46616 The number of hash bucket locks granted without waiting. 0 The number of hash bucket locks granted after waiting. 0 The maximum number of times any hash bucket lock was waited for. 641 The number of region locks granted without waiting. 0 The number of region locks granted after waiting. 297 The number of page allocations. 0 The number of hash buckets examined during allocations 0 The max number of hash buckets examined for an allocation 0 The number of pages examined during allocations 0 The max number of pages examined for an allocation Pool File: dn2id.bdb 4096 Page size. 0 Requested pages mapped into the process' address space. 13076 Requested pages found in the cache (99%). 132 Requested pages not found in the cache. 0 Pages created in the cache. 132 Pages read into the cache. 0 Pages written from the cache to the backing file. Pool File: id2entry.bdb 16384 Page size. 0 Requested pages mapped into the process' address space. 9659 Requested pages found in the cache (99%). 138 Requested pages not found in the cache. 0 Pages created in the cache. 138 Pages read into the cache. 0 Pages written from the cache to the backing file. After 1 client query: Version 2.4.11 1GB 1000MB Total cache size 12 Number of caches 12 Maximum number of caches 168MB 688KB Pool individual cache size 0 Maximum memory-mapped file size 0 Maximum open file descriptors 0 Maximum sequential buffer writes 0 Sleep after writing maximum sequential buffers 0 Requested pages mapped into the process' address space 15M Requested pages found in the cache (99%) 24 Requested pages not found in the cache 9244 Pages created in the cache 24 Pages read into the cache 9263 Pages written from the cache to the backing file 0 Clean pages forced from the cache 0 Dirty pages forced from the cache 0 Dirty pages written by trickle-sync thread 9266 Current total page count 9266 Current clean page count 0 Current dirty page count 393252 Number of hash buckets used for page location 14M Total number of times hash chains searched for a page (14753673) 9 The longest hash chain searched for a page 14M Total number of hash chain entries checked for page (14744381) 0 The number of hash bucket locks that required waiting (0%) 0 The maximum number of times any hash bucket lock was waited for (0%) 0 The number of region locks that required waiting (0%) 0 The number of buffers frozen 0 The number of buffers thawed 0 The number of frozen buffers freed 9328 The number of page allocations 0 The number of hash buckets examined during allocations 0 The maximum number of hash buckets examined for an allocation 0 The number of pages examined during allocations 0 The max number of pages examined for an allocation 0 Threads waited on page I/O Pool File: dn2id.bdb 4096 Page size 0 Requested pages mapped into the process' address space 997746 Requested pages found in the cache (99%) 2 Requested pages not found in the cache 3062 Pages created in the cache 2 Pages read into the cache 3064 Pages written from the cache to the backing file Pool File: id2entry.bdb 16384 Page size 0 Requested pages mapped into the process' address space 410855 Requested pages found in the cache (99%) 2 Requested pages not found in the cache 2967 Pages created in the cache 2 Pages read into the cache 2969 Pages written from the cache to the backing file Version 2.3.27 1GB 1000MB Total cache size. 12 Number of caches. 168MB 688KB Pool individual cache size. 0 Requested pages mapped into the process' address space. 299222 Requested pages found in the cache (98%). 7144 Requested pages not found in the cache. 0 Pages created in the cache. 7144 Pages read into the cache. 0 Pages written from the cache to the backing file. 0 Clean pages forced from the cache. 0 Dirty pages forced from the cache. 0 Dirty pages written by trickle-sync thread. 7144 Current total page count. 7144 Current clean page count. 0 Current dirty page count. 393252 Number of hash buckets used for page location. 313510 Total number of times hash chains searched for a page. 23 The longest hash chain searched for a page. 300752 Total number of hash buckets examined for page location. 627020 The number of hash bucket locks granted without waiting. 0 The number of hash bucket locks granted after waiting. 0 The maximum number of times any hash bucket lock was waited for. 14400 The number of region locks granted without waiting. 0 The number of region locks granted after waiting. 7164 The number of page allocations. 0 The number of hash buckets examined during allocations 0 The max number of hash buckets examined for an allocation 0 The number of pages examined during allocations 0 The max number of pages examined for an allocation Pool File: dn2id.bdb 4096 Page size. 0 Requested pages mapped into the process' address space. 173225 Requested pages found in the cache (98%). 3233 Requested pages not found in the cache. 0 Pages created in the cache. 3233 Pages read into the cache. 0 Pages written from the cache to the backing file. Pool File: id2entry.bdb 16384 Page size. 0 Requested pages mapped into the process' address space. 125990 Requested pages found in the cache (97%). 3888 Requested pages not found in the cache. 0 Pages created in the cache. 3888 Pages read into the cache. 0 Pages written from the cache to the backing file. ########################## Thanks! -Michael

1 0

how to solve invalid structural object class chain
by owen nirvana 19 Dec '08

19 Dec '08

I try to a entry like this: cn = .. ,dc=..,dc=..,dc=..,dc=.. cn = .. objectClass: person objectClass: inetOrgPerson objectClass: organizatinoalRole objectClass: device objectClass: pkiUser roleOccupant: ... employeeNumber : .. userCertificate;binary :: BASE64 Encode icSerilNumber: .. tel: ... fax: ... telex: .. log reports " invalid structural object class chain in organizatinoalRole/Person or organizatinoalRole/inetOrgPerson etc" I try many combination about the order of person ,inetOrgPerson and organizatinoalRole, and the same error was reported. thanks for help gtalk:freeespeech@gmail.com

3 2

Re: Re: N-Way Multi-Master replication - delete problem
by Adrien Futschik 19 Dec '08

19 Dec '08

Hy everyone, I have just tested the same procedure with OpenLDAP 2.4.13. The problem remains the same. Did I miss something ? Is this supposed to be like this ? I'm joining the modified script I'm using to setup both masters and the LDIF files I'm using to add and remove an entry (+ attributes). I did not use access-log, is this supposed to work with N-Way Multi-Master replication ? I thought it was only used in case of Delta Synchronization/Replication. Adrien ======================================== Message date : Dec 18 2008, 02:24 PM From : "Miguel Jinez" <miguel.jinez(a)gmail.com> To : adrien.futschik(a)atosorigin.com Copy to : openldap-technical(a)openldap.org Subject : Re: N-Way Multi-Master replication - delete problem Maybe in openLdap 2.4.13 it would be solved. I had that problem, and I fixed it using accesslog, but it makes you lose performance.... 2008/12/18 Adrien Futschik <adrien.futschik(a)atosorigin.com> > I'm testing N-Way Multi-Master replication with OpenLDAP 2.411. > > I have setup 2 Masters (m1 & m2) starting form test050-syncrepl-multimaster > and modifying it. > > Every thing seems to work fine except deleting entries. > > Let me explain. > case 1 : > . When I add an entry on m1 it is successfully replicated on m2. > . When I try to delete this entry on m1, it is successfully removed from > m1, but not replicated on m2. > . When, I try to delete this entry on m2, it is successfully removed from > m2 & m1. > > case 2 : > . When I add an entry on m2 it is successfully replicated on m1. > . When I try to delete this entry on m2, it is successfully removed from > m2, but not replicated on m1. > . When, I try to delete this entry on m1, it is successfully removed from > m1 & m2. > > I don't have the same problem when I delete an attribute or update an > entry. Is this normal ? > > Adrien Futschik > Adrien Futschik

2 1

'Has A' vs 'Is A'
by Lorenzo Pastrana 19 Dec '08

19 Dec '08

Hi list, Me again ... I've got to compose some objects by inheritance of parent classes (Is A), I'm now on the point of building the actual object tree and I was wondering what is the preferred mechanism for aggregation (Has A) and controlling children types ... can I do this in the schema ? Thanks, LP. Lorenzo Pastrana - Happy End Vision -------------------------- Design web Conception multimédia Communication visuelle et édition -------------------------- Tél. : 01 42 47 83 09 Fax : 01 47 70 70 19 E-mail : lorenzo.pastrana(a)happyend.fr

1 0

Workflow / tools / practice working on a new shema : reload to cn=config or editing cn=config in place ?
by Lorenzo Pastrana 19 Dec '08

19 Dec '08

Hi, list Still a genuine noob.. ;P I'm working on a brand new shema to store my app's data .. What do you guys use to do when working on a 'new' directory ? a) work on a shema file / restart server b) work on a shema file / reload to cn=config c) edit cn=config / a) could be ok .. a little brutal but ... b) sounds tedious c) what tool do you use ? Thx. LP Lorenzo Pastrana - Happy End Vision -------------------------- Design web Conception multimédia Communication visuelle et édition -------------------------- Tél. : 01 42 47 83 09 Fax : 01 47 70 70 19 E-mail : lorenzo.pastrana(a)happyend.fr

5 8

how to solve invalid structural object class chain
by owen nirvana 18 Dec '08

18 Dec '08

1 0

Unix id command and Openldap
by okossuth＠antel.com.uy 18 Dec '08

18 Dec '08

Hi Does the id command works with a system using OPENLDAP authentication ? I have implemented a server with openldap 2.4 and several clients use this system to authenticate users, and works fine except that when I do a "id user" on a client it only gives me the information of the primary group which the user belongs to and not of the suplementary groups that he is also a member of in the LDAP server... any ideas?? Saludos, Oskar Kossuth Administrador UNIX ANTEL Telecomunicaciones El presente correo y cualquier posible archivo adjunto está dirigido únicamente al destinatario del mensaje y contiene información que puede ser confidencial. Si Ud. no es el destinatario correcto por favor notifique al remitente respondiendo anexando este mensaje y elimine inmediatamente el e-mail y los posibles archivos adjuntos al mismo de su sistema. Está prohibida cualquier utilización, difusión o copia de este e-mail por cualquier persona o entidad que no sean las específicas destinatarias del mensaje. ANTEL no acepta ninguna responsabilidad con respecto a cualquier comunicación que haya sido emitida incumpliendo nuestra Política de Seguridad de la Información. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . This e-mail and any attachment is confidential and is intended solely for the addressee(s). If you are not intended recipient please inform the sender immediately, answering this e-mail and delete it as well as the attached files. Any use, circulation or copy of this e-mail by any person or entity that is not the specific addressee(s) is prohibited. ANTEL is not responsible for any communication emitted without respecting our Information Security Policy.

4 9

Solaris 10 LDAP Password issue
by John Gee 18 Dec '08

18 Dec '08

Hello Community, i have a problem with Solaris 10 LDAP password encryption to a OpenLDAP Server. When setting a inital Password with ldapadd login works fine, after the user changed inital Password on a Solaris-Station with 'passwd -r ldap' Solaris commited it with 'password successfully changed for john'. But the user cant login with the new Password. 1) Setting initial Password with ldapadd (Password: 8ASdhXY!Xy) version: 1 dn: uid=john,ou=people,ou=unix,o=kleinfeld,c=ch userPassword: {MD5}khVDRrTSYMHjTw7V6VEZwg== 2) User Login and change password with 'passwd -r ldap' (Password: 9DnxSF!dKS) version: 1 dn: uid=john,ou=people,ou=unix,o=kleinfeld,c=ch userPassword: {crypt}0vUAwIdPR4X2E Has someone a idea whats going wrong? I cant track down this problem. --( nsswitch.conf )--- passwd: compat passwd_compat: files ldap group: files ldap shadow_compat files ldap --( pam.conf )--- login auth sufficient pam_unix_auth.so.1 login auth required pam_ldap.so.1 rlogin auth sufficient pam_unix_auth.so.1 rlogin auth required pam_ldap.so.1 other auth sufficient pam_unix_auth.so.1 other auth required pam_ldap.so.1 --( /etc/security/policy.conf )--- CRYPT_ALGORITHMS_ALLOW=1,2a,md5 CRYPT_DEFAULT=__unix__ Regards John

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2008