Chage for LDAP
by Gustavo Mendes de Carvalho
Hi All,
Is there any tool for LDAP that works like chage, to tell me when I changed
my password, when it will expire, and so on.
I am using Openldap 2.3.39 with ppolicy.
Thanks
---
Gustavo Mendes de Carvalho
email: gmcarvalho(a)gmail.com
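The attributes chage reads from /etc/shadow have ppolicy counterparts in the entry (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime) and in the pwdPolicy entry it points at (pwdMaxAge, pwdExpireWarning, pwdMaxFailure). The script below is an added example by the editor, not code from the post or from OpenLDAP: it parses the LDIF an ldapsearch with "+" (operational attributes) would return for the user and for the policy, and derives the chage-style fields. The two LDIF samples, the DNs and the policy values are constructed assumptions.

```python
"""chage-style report built from OpenLDAP ppolicy attributes.

Added example, not from the original post or from OpenLDAP. Input is the
LDIF that an ldapsearch of the user (with operational attributes, "+")
and of the pwdPolicy entry named in pwdPolicySubentry would return. The
LDIF below is constructed sample data: the DNs, timestamps and policy
values are assumptions, not real directory output.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: user entry with the ppolicy operational attributes.
USER_LDIF = """\
dn: uid=gustavo,ou=people,dc=example,dc=com
uid: gustavo
pwdChangedTime: 20080801120000Z
pwdFailureTime: 20080910080000.123456Z
pwdFailureTime: 20080910080130.654321Z
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
"""

# Constructed sample: the policy the entry points at (90-day max age,
# 14-day warning window, lockout after 4 failures).
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdMaxFailure: 4
pwdLockout: TRUE
"""


def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}.
    Continuation lines (leading space) are unfolded as RFC 2849 requires."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def gtime(value):
    """Parse a UTC GeneralizedTime; ppolicy may append fractional seconds
    (20080910080000.123456Z), which are dropped here."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_status(user, policy, now):
    """Derive the fields chage(1) prints. A pwdMaxAge of 0 (or none) means
    the password never expires; without pwdChangedTime, ageing is not tracked."""
    changed = gtime(user["pwdchangedtime"][0]) if "pwdchangedtime" in user else None
    max_age = int(policy.get("pwdmaxage", ["0"])[0])
    warn = int(policy.get("pwdexpirewarning", ["0"])[0])
    max_fail = int(policy.get("pwdmaxfailure", ["0"])[0])
    expires = changed + timedelta(seconds=max_age) if changed and max_age else None
    failures = len(user.get("pwdfailuretime", []))
    return {
        "last_change": changed.date().isoformat() if changed else None,
        "expires": expires.date().isoformat() if expires else "never",
        "days_left": (expires - now).days if expires else None,
        "expired": bool(expires and now >= expires),
        "in_warning": bool(expires and expires - timedelta(seconds=warn) <= now < expires),
        "locked": "pwdaccountlockedtime" in user,
        "failures": failures,
        "failures_to_lockout": max(max_fail - failures, 0) if max_fail else None,
    }


def report(user_ldif, policy_ldif, now_gtime):
    """Parse both entries and return the status dict; 'now' is passed as a
    GeneralizedTime string so the result is reproducible."""
    return password_status(parse_ldif(user_ldif), parse_ldif(policy_ldif), gtime(now_gtime))


if __name__ == "__main__":
    # Against a live directory, substitute datetime.now(timezone.utc) for the
    # fixed timestamp and the two ldapsearch outputs for the samples.
    for key, value in report(USER_LDIF, POLICY_LDIF, "20080911120000Z").items():
        print(f"{key:>20}: {value}")
```

Note that pwdFailureTime and pwdAccountLockedTime are operational attributes, so the search must request them explicitly ("+" or by name), and the reading user needs read access to them in the ACLs.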
Re: Help: Slow LDAP search with high %iowait
by Victor
Would you folks mind sharing some thoughts/ideas on this? Thanks a lot!
--- On Mon, 9/8/08, Victor <victorfuman(a)yahoo.com> wrote:
> From: Victor <victorfuman(a)yahoo.com>
> Subject: Help: Slow LDAP search with high %iowait
> To: openldap-technical(a)openldap.org
> Date: Monday, September 8, 2008, 5:35 PM
> Hi ,
>
> I did quite a bit of reading and research before I sent email
> to this list for help. If I have missed some basic concepts
> here, please excuse my ignorance. Thanks for your help and
> time in advance.
>
> 1. Summary
> The initial search in my prototyping with OpenLDAP (slapd +
> BDB) seemed to be slow. What is the reason and how could I
> fix it?
>
> 2. Configuration
> 2.1 Environment
> Linux CentOS, 1 hard disk (therefore unfortunately the BDB
> transaction logs and database files are written to the same
> disk), 120GB disk space (80% unused), 1GB RAM, reserved for
> this prototyping, OpenLDAP 2.3.39 with default BDB
> installation
>
> 2.2 slapd.conf (modified trivially for discussion
> purpose)
> # global configuration
> loglevel 0
>
> # BDB
> database bdb
> suffix "dc=test,dc=dummy,dc=com"
> rootdn "cn=Manager,dc=test,dc=dummy,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw secret
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /usr/local/var/openldap-data
> #Other DB configuration
> idlcachesize 60000
> cachesize 20000
> # Indices to maintain
> # the indexes are to support search in first name, last
> name and email for both exact match and wild cards in the
> end
> index objectClass eq
> index gn pres,eq,sub
> index sn pres,eq,sub
> index mail pres,eq,sub
>
> 2.3 DB_CONFIG (for BDB)
> set_cachesize 0 52428800 1
> set_lg_bsize 2097512
> set_flags DB_LOG_AUTOREMOVE
> set_lg_regionmax 262144
>
> 2.4 Data setup
> 2 million records (users with gn, sn, email, mobile, street
> address, etc. in the BDB; all records are indexed using the
> index in the above slapd.conf; grouped by the first
> character of lastName. For example,
> dn: ou=Z,dc=test,dc=dummy,dc=com
> objectclass: organizationalUnit
> ou: Z
>
> Sample LDIF entry:
> #Directory Entry
> dn: uid=ABCDEFGHIJKLMNOPQRSTUVWXYZ123459,ou=F,dc=test,dc=dummy,dc=com
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> uid: ABCDEFGHIJKLMNOPQRSTUVWXYZ123459
> ...... (details omitted)
>
> 3. Symptom/Problem
>
> It was very slow in the first (fresh) search if I searched
> by wildcard firstname only, like "Larry*" (which
> returned 478 entries/users). The response time was generally
> higher than 5 seconds. Depending on the count of records found,
> the response time might exceed 20 or even 50 seconds. During
> the search, the "iostat" result showed +95%
> %iowait, await was much higher than svctm, and the device %util
> was over 96%. Here is the "iostat" output:
>
> Time: 10:51:34 AM
> avg-cpu: %user %nice %sys %iowait %idle
> 3.10 0.00 1.40 95.50 0.00
>
> Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util
> hda 0.00 2.90 64.94 65.33 1322.68 580.22 661.34 290.11 14.61 51.99 343.51 7.44 96.92
> dm-0 0.00 0.00 64.94 72.53 1322.68 580.22 661.34 290.11 13.84 55.44 330.62 7.06 96.99
> dm-1 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
>
>
> However, the subsequent search (using the exact same search
> criteria) is much faster (within 200ms). I believe it is
> because of the cache.
>
> I did a "db_stat -m" check and saw +90% cache hit
> rate (I guess it is normal?). The detailed output is in the
> attachment.
>
> 4. Questions
> The "iostat" output showed an obvious I/O
> bottleneck. Assuming I can't upgrade my hardware (for
> example, adding another disk specifically for writing
> transaction logs to), and assuming I won't set a limit to
> the max number of entries returned, is there anything else I
> can do (typically BDB/slapd tuning or configuration) to make
> the fresh/first search much faster (say within 2 seconds for
> the worst case)? Did I do anything wrong? Please advise.
>
> Thanks a lot!
>
> Vic
CREATE LDAP REPLICA
by LITLE TUX
Hi, I installed OpenLDAP on my servers and created a replica, but it is not running
perfectly.
My entry in ldap server:
MASTER SERVER:
replogfile /var/log/replica/replica.log
replica host=hostname_slave.domain.com:389
binddn="cn=Administrator,dc=domain,dc=com"
bindmethod=simple
credentials=123456
tls=none
########################################################################
SLAVE SERVER:
updatedn "cn=Administrator,dc=domain,dc=com"
updateref ldap://hostname_master.domain.com
In my /etc/hosts I configured all the hostnames...
The file replica.log is empty and the replica is not created.
I normally execute /etc/init.d/slurpd start only on the master server.
Is it necessary to run the slurpd daemon on the slave server?
Is there other configuration for slapd.conf?
My slapd.conf is same in master and slave except lines reference the
replica.
Thanks for your helps.....
Best
pwd* Attributes and replication
by Eyal Marantenboim
Hi,
We have 1 master and 1 secondary server (version 2.4.11) using ppolicy.
When a user tries to bind with incorrect credentials, the master server gets populated with the pwdFailureTime attribute.
After entering wrong credentials 4 times, pwdAccountLockedTime is added to that user.
Our problem is that the secondary server (using syncrepl) is not replicating the pwd* values.
I've noticed that neither entryCSN nor contextCSN is being updated (on the master) when pwdFailureTime is added to the user (I'm not sure if it should actually change).
But when we change any other attribute (userPassword, etc.) on the master, that does change entryCSN, and all pwd* attributes do get updated on the secondary server.
I appreciate your help.
Thanks!
Re: Reentrant library question.
by William Jojo
---- Original message ----
>Date: Thu, 11 Sep 2008 14:55:14 +0100
>From: Duncan Gibb <Duncan.Gibb(a)SiriusIT.co.uk>
>Subject: Re: Reentrant library question.
>To: William Jojo <w.jojo(a)hvcc.edu>
>Cc: openldap-technical(a)openldap.org
>
>William Jojo wrote:
>
>WJ> I manage a set of packages [..] for AIX 5.3 and 6.1.
>
>WJ> Is it safe to [..]
>
>WJ> libldap.so -> libldap_r.so
>
>Disclaimer: I do not speak AIX.
>
That's ok, I do. :-) :-)
>The Debian Linux OpenLDAP packages have been doing this since 2.4.7.
>We've deployed these and not come across any serious problems (said he,
>about to roll out a 2.4.11 backport...).
>
Sounds wonderful! Thanks a bunch!
Cheers,
Bill
>
>Cheers
>
>
>Duncan
>
>--
>Duncan Gibb, Technical Architect
>Sirius Corporation - The Open Source Experts
>http://www.siriusit.co.uk/
>Tel: +44 870 608 0063 || +44 7977 441 515
Reentrant library question.
by William Jojo
I manage a set of packages under the name pWare for AIX 5.3 and 6.1.
I am upgrading the core OpenLDAP from 2.3.38 to 2.4.11 and wanted to do something IBM does with libc. They link libc.a -> libc_r.a
Is it safe to do the same in OpenLDAP such that:
libldap.so -> libldap_r.so
? Then I rebuild any packages that depended on 2.3 for 2.4.
Cheers,
Bill
LDAP log analysis
by Praveen Kumar
Hi,
I am using an LDAP server for authentication, and I have succeeded in making
a user log in to a machine after authentication from the LDAP server.
Now I want to see on the server side at what time the user asked for
authentication and was successfully authenticated.
In other words, how can the log of any authentication request, and the
successful reply to it, be seen for each request made to the server?
Regards
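With slapd's "stats" logging (loglevel 256, the default) every bind shows up in syslog as a BIND line carrying conn=, op= and the DN, followed by a RESULT line with the same conn= and op= numbers (tag=97 is the bind response, err=0 success, err=49 invalid credentials); the client address is on the connection's ACCEPT line. The script below is an added example by the editor, not code from the post or from OpenLDAP: it joins those lines into one record per bind and then summarises failures per DN and binds whose ssf=0, i.e. password sent without TLS or SASL protection. The log lines are a constructed sample; the host name, DNs and addresses are assumptions.

```python
"""Correlate slapd "stats" log lines (loglevel 256) into per-bind events.

Added example, not from the original post or from OpenLDAP. slapd logs a
bind as a BIND line (conn=, op=, dn=, method=) followed by a RESULT line
(tag=97 is the bind response; err=0 success, err=49 invalid credentials)
with the same conn= and op= numbers, plus a second BIND line with mech=
and ssf= on success; the client address is on the connection's ACCEPT
line. The log below is a constructed sample in syslog format; the host,
DNs and addresses are assumptions.
"""
import re
from collections import Counter

# Constructed sample: one successful bind from 10.0.0.5, then a failed and
# a successful bind for bob on a second connection from 10.0.0.9.
SAMPLE_LOG = """\
Sep 11 10:15:02 ldap1 slapd[1234]: conn=1001 fd=14 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Sep 11 10:15:02 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Sep 11 10:15:02 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 11 10:15:02 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 11 10:15:03 ldap1 slapd[1234]: conn=1001 op=1 UNBIND
Sep 11 10:15:03 ldap1 slapd[1234]: conn=1001 fd=14 closed
Sep 11 10:16:40 ldap1 slapd[1234]: conn=1002 fd=15 ACCEPT from IP=10.0.0.9:40112 (IP=0.0.0.0:389)
Sep 11 10:16:40 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Sep 11 10:16:40 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Sep 11 10:16:44 ldap1 slapd[1234]: conn=1002 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Sep 11 10:16:44 ldap1 slapd[1234]: conn=1002 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 11 10:16:44 ldap1 slapd[1234]: conn=1002 op=1 RESULT tag=97 err=0 text=
Sep 11 10:16:45 ldap1 slapd[1234]: conn=1002 fd=15 closed
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: (?P<msg>conn=.*)$")
ACCEPT = re.compile(r"^conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>\[[^\]]+\]|[^:\s]+):\d+")
BIND = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
                  r"(?: method=(?P<method>\d+))?(?: mech=(?P<mech>\S+))?"
                  r"(?: sasl_ssf=\d+)?(?: ssf=(?P<ssf>\d+))?")
RESULT = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")

ERR_NAMES = {0: "success", 14: "saslBindInProgress", 48: "inappropriateAuthentication",
             49: "invalidCredentials", 53: "unwillingToPerform"}


def parse_bind_events(log_text):
    """Return one dict per completed bind, in the order their RESULT lines appear."""
    clients = {}   # conn -> client IP, from the ACCEPT line
    pending = {}   # (conn, op) -> bind still waiting for its RESULT
    events = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        a = ACCEPT.match(msg)
        if a:
            clients[a.group("conn")] = a.group("ip")
            continue
        b = BIND.match(msg)
        if b:
            key = (b.group("conn"), b.group("op"))
            ev = pending.setdefault(key, {
                "time": ts, "conn": key[0], "client": clients.get(key[0], "?"),
                "dn": b.group("dn") or "<anonymous>", "mech": None, "ssf": None, "err": None})
            if b.group("mech"):            # second BIND line, logged once authenticated
                ev["mech"] = b.group("mech")
                ev["ssf"] = int(b.group("ssf")) if b.group("ssf") else None
                if b.group("dn"):          # SASL binds reveal the mapped DN only here
                    ev["dn"] = b.group("dn")
            continue
        r = RESULT.match(msg)
        if r:
            ev = pending.pop((r.group("conn"), r.group("op")), None)
            if ev is not None:
                ev["err"] = int(r.group("err"))
                ev["result"] = ERR_NAMES.get(ev["err"], f"err={ev['err']}")
                events.append(ev)
    return events


def failures_by_dn(events):
    """Count failed binds per DN (SASL intermediate steps, err=14, are not failures)."""
    return dict(Counter(e["dn"] for e in events if e["err"] not in (0, 14)))


def cleartext_binds(events):
    """Successful binds with ssf=0: no TLS and no SASL protection, so the
    password crossed the network in the clear."""
    return [e for e in events if e["err"] == 0 and e["ssf"] == 0]


if __name__ == "__main__":
    events = parse_bind_events(SAMPLE_LOG)
    for e in events:
        print(f'{e["time"]} {e["client"]:>10} {e["result"]:<20} {e["dn"]}')
    print("failed binds per DN:", failures_by_dn(events))
    print("cleartext binds:", [e["dn"] for e in cleartext_binds(events)])
```

On a live server, feed it the slapd lines from syslog (loglevel 256 must be on, and syslog must keep the LOCAL4 facility slapd logs to). The ssf=0 list is the one worth alerting on: those are exactly the simple binds a sniffer on the path could have read.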
[Solved] AW: Re: AW: Re: AW: Re: SASL bind with Kerberos: (was: Simple binds with SASL/GSSAPI (Resource temporarily unavailable))
by Hauke Coltzau
Hi all,
Wow, it seems to be done ;-)
To put it in a nutshell:
- apt-get purge MIT-Kerberos*
- apt-get install Heimdal*
- tried and failed, tried and failed, ...
- apt-get purge heimdal*, cyrus*, openldap*
- apt-get libssl-dev and libdb dev packages
- got cyrus, openldap and heimdal tarballs
- configured, compiled, tested, failed, configured, compiled,
tested, failed, conf.......... ...... ......
... --- ... ... --- ...
configured, compiled, succeeded!
- Followed well known configuration instructions
Voila!
ldapsearch -Y GSSAPI works
ldaps works
(without client verification, did not solve that yet,
server verification works fine)
login with kerberos authentication works
(with proxy ticket for the machine, this way I
avoid having a PLAIN username/password sent to slapd)
su, id, etc. works
It seems as if doing it by hand is still the best way ;-)
Thanks again for your help,
Hauke
----- Original Message -----
From: "Quanah Gibson-Mount" <quanah(a)zimbra.com>
To: "Hauke Coltzau" <hauke.coltzau(a)FernUni-Hagen.de>
CC: openldap-software(a)openldap.org
Sent: Monday, 8 September 2008 21:44:16 GMT +01:00 Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
Subject: Re: AW: Re: AW: Re: SASL bind with Kerberos: (was: Simple binds with SASL/GSSAPI (Resource temporarily unavailable))
--On Monday, September 08, 2008 9:26 PM +0200 Hauke Coltzau
<hauke.coltzau(a)FernUni-Hagen.de> wrote:
> ii libsasl2-modules-gssapi-mit 2.1.22.dfsg1-18ubuntu2 \\
> Cyrus SASL - pluggable authentication module
I would highly recommend using Heimdal on the master side. But that's up
to you. ;)
> - In the first approach, the user already has a TGT and asks the KDC for
> a "ldap/fqdn@REALM-ticket"? This is done by ldapsearch, not by slapd?
> Hence, slapd "only" needs access to its keytab to be able to decrypt the
> clients messages?
I believe that is correct, yes. At Stanford, I had to point slapd at the
keytab in a shell script, but I believe that was because I was using
SASL/GSSAPI to do replication as well. It's been a while. ;)
> - And in the second one, the user provides username and password (plain),
> slapd converts the username into a principle (user@REALM) and forwards
> this to saslauthd? So this should be secured via TLS?
You can try securing it via startTLS, but nothing blocks a user from still
doing it in the clear, unfortunately (i.e., you can reject the non-secured
bind, but they'll have already sent their credentials, so anyone sniffing
would be able to get them).
> There used to be a well-known howto for all this at
> http://www.bayour.com/LDAPv3-HOWTO.html but the site is offline for some
> days now.
This howto is completely wrong, and the various folks have asked the author
to take it down for years. I'm glad to hear it is not accessible.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
--
syncrepl - Base DN is not within the database naming context.
by Brad T Waldorf
Sorry in advance if I've missed something obvious (which is what the text of
this error makes me think), but I've spent 2 days on this and could use
another set of eyes. I hit the error in the subject when trying to set up
basic refreshAndPersist replication with 2 separate BDB databases defined
and populated. The error happens on only 1 of the databases (replication
works fine on the other.)
(slapd.conf for Master....)
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=exampleb1,dc=com"
rootdn "cn=kingb1,dc=exampleb1,dc=com"
rootpw password
directory /usr/local/var/openldap-data/bdb1
index objectClass,sn,mail,street,pager eq
database bdb
suffix "o=baseballs"
rootdn "cn=admin,o=baseballs"
rootpw password
directory /usr/local/var/openldap-data/bdb2
index objectClass,sn,mail,street,pager eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
database monitor
(slapd.conf for Slave...)
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=exampleb1,dc=com"
rootdn "cn=kingb1,dc=exampleb1,dc=com"
rootpw password
directory /usr/local/var/openldap-data/bdb1
index objectClass,sn,mail,street,pager eq
database bdb
suffix "o=baseballs"
rootdn "cn=admin,o=baseballs"
rootpw password
directory /usr/local/var/openldap-data/bdb2
index objectClass,sn,mail,street,pager eq
syncrepl rid=492
provider=ldap://9.00.00.000:389
type=refreshAndPersist
retry="120 +"
searchbase="dc=exampleb1,dc=com"
bindmethod=simple
binddn="cn=kingb1,dc=exampleb1,dc=com"
credentials=password
database monitor
I get the Master up and populated before starting the Slave. When I start
the Slave, I get the error. Here's the output with -d 256... (line 38 is
the end of the syncrepl chunk... the "credentials=password" line)
OpenLDAP 2.4.6 Standalone LDAP Server
(slapd)/test/slapd_multibackendsS.conf: line 38: Base DN "dc=exampleb1,dc=com" is not within the database naming context.+
CSMP0097I 22.50.28 CPU-C SS-BSS SSU-HPN IS-01
failed to add syncinfo+
CSMP0097I 22.50.28 CPU-C SS-BSS SSU-HPN IS-01
slapd stopped.+
CSMP0097I 22.50.28 CPU-C SS-BSS SSU-HPN IS-01
connections_destroy: nothing to destroy.+
If i modify the syncrepl statement in the slave to replicate the other
database, replication of "o=baseballs" works...
syncrepl rid=493
provider=ldap://9.00.00.000:389
type=refreshAndPersist
retry="120 +"
searchbase="o=baseballs"
bindmethod=simple
binddn="cn=admin,o=baseballs"
credentials=password
The data in "dc=exampleb1,dc=com" is straight from the output of the
MakeLDIF utility. I've added/searched/modified it a bunch before trying
this particular replication scenario.
So... how stupid am I?? Do you see anything I'm missing?
Thanks for your help...
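In slapd.conf a directive belongs to the most recent "database" line above it, so the check slapd is performing at startup is "does this syncrepl's searchbase lie under the suffix of the database section it sits in". The script below is an added example by the editor, not code from the post or from OpenLDAP: it parses the database sections of a slapd.conf (including folded continuation lines), applies that check to every syncrepl directive, and names the database that does contain the searchbase. The config is a constructed copy of the slave layout in the post, with an assumed provider host; the DN comparison is simplified (RDNs split on commas, compared case-insensitively, no escaping).

```python
"""Check that every syncrepl searchbase lies under the suffix of the
database section it is written in.

Added example, not from the original post or from OpenLDAP. In slapd.conf a
directive belongs to the most recent "database" line above it, so a syncrepl
placed after "database bdb / suffix o=baseballs" with a searchbase of
dc=exampleb1,dc=com is rejected at startup with "Base DN ... is not within
the database naming context". The config below is a constructed copy of the
poster's slave layout (the provider host is an assumption); the DN comparison
is simplified: RDNs split on commas, compared case-insensitively, no escaping.
"""
import re

SAMPLE_SLAPD_CONF = """\
database bdb
suffix "dc=exampleb1,dc=com"
rootdn "cn=kingb1,dc=exampleb1,dc=com"
directory /usr/local/var/openldap-data/bdb1

database bdb
suffix "o=baseballs"
rootdn "cn=admin,o=baseballs"
directory /usr/local/var/openldap-data/bdb2
syncrepl rid=492
    provider=ldap://provider.example.com:389
    type=refreshAndPersist
    retry="120 +"
    searchbase="dc=exampleb1,dc=com"
    bindmethod=simple
    binddn="cn=kingb1,dc=exampleb1,dc=com"
    credentials=password

database monitor
"""

# name=value or name="quoted value" pairs of a syncrepl directive
SYNCREPL_ARG = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def unfold(text):
    """Apply slapd.conf line folding: a line that starts with whitespace
    continues the previous directive; blank and comment lines are dropped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_syncrepl(args):
    """Turn the argument string of a syncrepl directive into a dict."""
    return {k.lower(): v.strip('"') for k, v in SYNCREPL_ARG.findall(args)}


def parse_databases(text):
    """Return the database sections in file order with their suffix and
    any syncrepl directives found inside them."""
    dbs = []
    for line in unfold(text):
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "database":
            dbs.append({"type": rest.strip(), "suffix": None, "syncrepl": []})
        elif key == "suffix" and dbs:
            dbs[-1]["suffix"] = rest.strip().strip('"')
        elif key == "syncrepl" and dbs:
            dbs[-1]["syncrepl"].append(parse_syncrepl(rest))
    return dbs


def norm_dn(dn):
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_within(dn, suffix):
    """True if dn equals suffix or is below it (an empty suffix holds everything)."""
    d, s = norm_dn(dn), norm_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def check_syncrepl(text):
    """One problem record per syncrepl whose searchbase is outside its own
    database's suffix, naming the database that does contain it, if any."""
    dbs = parse_databases(text)
    problems = []
    for db in dbs:
        for sr in db["syncrepl"]:
            base = sr.get("searchbase", "")
            if db["suffix"] is not None and dn_within(base, db["suffix"]):
                continue
            owner = next((d["suffix"] for d in dbs
                          if d["suffix"] is not None and dn_within(base, d["suffix"])), None)
            problems.append({"rid": sr.get("rid"), "searchbase": base,
                             "database_suffix": db["suffix"], "belongs_to": owner})
    return problems


if __name__ == "__main__":
    for p in check_syncrepl(SAMPLE_SLAPD_CONF):
        print(f'rid={p["rid"]}: searchbase {p["searchbase"]} is not under '
              f'{p["database_suffix"]}; move the directive into the '
              f'{p["belongs_to"]} database section')
```

Run against the sample it reports rid=492 as sitting in the o=baseballs section while its searchbase belongs to dc=exampleb1,dc=com; with searchbase o=baseballs (the rid=493 variant from the post) it reports nothing, which matches the behaviour the post describes. Each database that is to be replicated needs its own syncrepl directive inside its own section, and the provider needs the syncprov overlay in each of those sections too.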
Openldap force replication
by Govind c
Hi,
Is there a way to force the replication between the master and the slave? The number of objects and entries are the same in both master and slave; however, some fields don't have the same content (e.g. last login time). Wondering if there is a way to keep both in sync in terms of content and objects/entries.
Cheers
CG
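Both this post and the earlier "pwd* Attributes and replication" post come down to how syncrepl decides what to send: the consumer presents a cookie with the contextCSN it has already seen, and the provider returns entries whose entryCSN is newer than that value for the same server ID. An attribute written without bumping entryCSN is therefore invisible to an incremental refresh, and a consumer whose contextCSN matches the provider's looks "in sync" even when such attributes differ. The script below is an added example by the editor, not code from either post or from OpenLDAP: it parses 2.4-style CSNs, compares them, and models the provider's selection for a normal refresh and for a refresh with a cookie that carries no CSN (the full-refresh case). The entries, cookie and DNs are constructed assumptions.

```python
"""Compare OpenLDAP CSNs and model which entries a syncrepl refresh sends.

Added example, not from either post or from OpenLDAP. A 2.4 CSN has the
form 20080911120000.000000Z#000000#001#000000 (UTC time with microseconds,
change count, server ID, modifier number; 2.3 used a two-digit server ID
and no microseconds). The consumer's cookie carries the contextCSN value(s)
it has already seen, and on refresh the provider returns entries whose
entryCSN is newer than the cookie's CSN for the same server ID. The
entries and cookie below are constructed; the DNs are assumptions.
"""
import re

CSN_RE = re.compile(
    r"^(?P<ts>\d{14})(?:\.(?P<usec>\d{6}))?Z"
    r"#(?P<count>[0-9a-fA-F]{6})#(?P<sid>[0-9a-fA-F]{2,3})#(?P<mod>[0-9a-fA-F]{6})$")

# Constructed provider-side entries: bob's password was changed after the
# consumer's cookie (a normal modify, new entryCSN); carol accumulated
# pwdFailureTime values without her entryCSN moving, which is the situation
# described in the pwd* post; alice is untouched.
PROVIDER_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "entryCSN": "20080910090000.000000Z#000000#001#000000"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "entryCSN": "20080912083000.000000Z#000000#001#000000"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "entryCSN": "20080901120000.000000Z#000000#001#000000",
     "pwdFailureTime": ["20080912100000.000000Z", "20080912100100.000000Z"]},
]
CONSUMER_COOKIE = "rid=001,csn=20080911120000.000000Z#000000#001#000000"


def parse_csn(csn):
    """Split a CSN into its server ID and a sortable key (time, usec, count, mod)."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    return {"sid": int(m.group("sid"), 16),
            "key": (m.group("ts"), m.group("usec") or "000000",
                    int(m.group("count"), 16), int(m.group("mod"), 16))}


def csn_newer(a, b):
    """True if CSN a is strictly newer than CSN b."""
    return parse_csn(a)["key"] > parse_csn(b)["key"]


def cookie_csns(cookie):
    """Parse 'rid=001,csn=<csn>[;<csn>...]' into {server ID: csn}; a cookie
    without csn= (first start, or a consumer whose state was cleared) yields {}."""
    for part in cookie.split(","):
        name, _, value = part.partition("=")
        if name == "csn":
            return {parse_csn(c)["sid"]: c for c in value.split(";") if c}
    return {}


def entries_to_send(entries, cookie):
    """Model of the provider's refresh selection: send an entry if its
    entryCSN is newer than the cookie's CSN for that server ID, or if the
    cookie carries no CSN for that server ID at all."""
    seen = cookie_csns(cookie)
    sent = []
    for e in entries:
        sid = parse_csn(e["entryCSN"])["sid"]
        last = seen.get(sid)
        if last is None or csn_newer(e["entryCSN"], last):
            sent.append(e["dn"])
    return sent


def context_in_sync(provider_context_csn, consumer_context_csn):
    """The usual health check: compare contextCSN on both sides. Equal values
    mean syncrepl has nothing more to send, even if an attribute written
    without bumping entryCSN still differs between the two servers."""
    return parse_csn(provider_context_csn)["key"] == parse_csn(consumer_context_csn)["key"]


if __name__ == "__main__":
    print("normal refresh sends:", entries_to_send(PROVIDER_ENTRIES, CONSUMER_COOKIE))
    # A consumer that starts without a CSN in its cookie gets every entry,
    # which is the blunt way to bring a drifted replica back into line.
    print("refresh with empty cookie sends:", entries_to_send(PROVIDER_ENTRIES, "rid=001"))
```

The model shows why carol's pwdFailureTime values never reach the consumer until some other modify moves her entryCSN, and why comparing contextCSN on master and slave (the normal way to tell whether replication is current) cannot detect that kind of drift.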