openldap-technical September 2008

openldap-technical@openldap.org

54 participants
58 discussions

Chage for LDAP
by Gustavo Mendes de Carvalho 13 Sep '08

13 Sep '08

Hi All, Is there any tool for LDAP that works like chage, to inform when I changed my password, when will expire, and so on. I am using Openldap 2.3.39 with ppolicy. Thanks --- Gustavo Mendes de Carvalho email: gmcarvalho(a)gmail.com

1 0

Re: Help: Slow LDAP search with high %iowait
by Victor 12 Sep '08

12 Sep '08

Would you folks mind sharing some thoughts/ideas on this? Thanks a lot! --- On Mon, 9/8/08, Victor <victorfuman(a)yahoo.com> wrote: > From: Victor <victorfuman(a)yahoo.com> > Subject: Help: Slow LDAP search with high %iowait > To: openldap-technical(a)openldap.org > Date: Monday, September 8, 2008, 5:35 PM > Hi , > > I did quite a bit reading and research before I send email > to this list for help. If I have missed some basic concepts > here, please execuse my ignorance. Thanks for your help and > time in advance. > > 1. Summary > The initial search in my prototyping with OpenLDAP (slapd + > BDB) seemed to be slow. What is the reason and How could I > fix it? > > 2. Configuration > 2.1 Environment > Linux CentOS, 1 hard disk (therefore unfortunately the BDB > transaction logs and database files are written to the same > disk), 120GB disk space (80% unused), 1GB RAM, reserved for > this prototyping, OpenLDAP 2.3.39 with default BDB > installation > > 2.2 slapd.conf (modified trivially for discussion > purpose) > # global configuration > loglevel 0 > > # BDB > database bdb > suffix "dc=test,dc=dummy,dc=com" > rootdn > "cn=Manager,dc=test,dc=dummy,dc=com" > # Cleartext passwords, especially for the rootdn, should > # be avoid. See slappasswd(8) and slapd.conf(5) for > details. > # Use of strong authentication encouraged. > rootpw secret > # The database directory MUST exist prior to running slapd > AND > # should only be accessible by the slapd and slap tools. > # Mode 700 recommended. > directory /usr/local/var/openldap-data > #Other DB configuration > idlcachesize 60000 > cachesize 20000 > # Indices to maintain > # the indexes are to support search in first name, last > name and email for both exact match and wild cards in the > end > index objectClass eq > index gn pres,eq,sub > index sn pres,eq,sub > index mail pres,eq,sub > > 2.3 DB_CONFIG (for BDB) > set_cachesize 0 52428800 1 > set_lg_bsize 2097512 > set_flags DB_LOG_AUTOREMOVE > set_lg_regionmax 262144 > > 2.4 Data setup > 2 million records (users with gn, sn, email, mobile, street > address, etc. in the BDB; all records are indexed using the > index in the above slapd.conf; grouped by the first > character of lastName. For example, > dn: ou=Z,dc=test,dc=dummy,dc=com > objectclass: organizationalUnit > ou: Z > > Sample LDIF entry: > #Directory Entry > dn: > uid=ABCDEFGHIJKLMNOPQRSTUVWXYZ123459,ou=F,dc=test,dc=dummy,dc=com > objectclass: top > objectclass: person > objectclass: organizationalPerson > objectclass: inetOrgPerson > uid: ABCDEFGHIJKLMNOPQRSTUVWXYZ123459 > ...... (details omitted) > > 3. Symptom/Problem > > It was very slow in the first (fresh) search if I searched > by wildcard firstname only like "Larry*" (which > returned 478 entries/users). The response time was generally > higher than 5 seconds Depending the count of records found, > the response time might exceed 20 or even 50 seconds. During > the search, the "iostat" result showed +95% > %iowait, await was much higher that svctm, the device %util > was over 96%. Here is the "iostat" output: > > Time: 10:51:34 AM > avg-cpu: %user %nice %sys %iowait %idle > 3.10 0.00 1.40 95.50 0.00 > > Device: rrqm/s wrqm/s r/s w/s rsec/s wsec/s > rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util > hda 0.00 2.90 64.94 65.33 1322.68 580.22 > 661.34 290.11 14.61 51.99 343.51 7.44 96.92 > dm-0 0.00 0.00 64.94 72.53 1322.68 580.22 > 661.34 290.11 13.84 55.44 330.62 7.06 96.99 > dm-1 0.00 0.00 0.00 0.00 0.00 0.00 > 0.00 0.00 0.00 0.00 0.00 0.00 0.00 > > > However, The subsequent search (using the exact search > criteria) is much faster (within 200ms). I believe it is > because of the cache. > > I did a "db_stat -m" check and saw +90% cache hit > rate (I guess it is normal?). The detailed output is in the > attachment. > > 4. Questions > The "iostat" output showed obvious I/O > bottleneck. Assuming I can't upgrade my hardware (for > example, adding another disk specifically for writing > transaction logs to), assuming I won't set a limit to > the max number of entried returned, is there anything else I > can do (typically BDB/slapd tuning or configuration) to make > the fresh/first search much faster (say within 2 seconds for > the worst case)? Did I do anything wrong? Please advise. > > Thanks a lot! > > Vic

3 5

CREATE LDAP REPLICA
by LITLE TUX 12 Sep '08

12 Sep '08

Hi i install openldap in servers and create replica but is not runin perfectly My entry in ldap server: MASTER SERVER: replogfile /var/log/replica/replica.log replica host=hostname_slave.domain.com:389 binddn="cn=Administrator,dc=domain,dc=com" bindmethod=simple credentials=123456 tls=none ################################################## ###################### SLAVE SERVER: updatedn "cn=Administrator,dc=domain,dc=com" updateref ldap://hostname_master.domain.com In my /etc/hosts configure any hostnames... The file replica.log is empty and not create replica. I execute normaly /etc/init.d/slurpd start only master server. Is necessary running slurod daemon is slave server? Exist other configuration to slapd.conf? My slapd.conf is same in master and slave except lines reference the replica. Thanks for your helps..... Best

1 0

pwd* Attributes and replication
by Eyal Marantenboim 12 Sep '08

12 Sep '08

Hi, We have 1 master and 1 secondary servers (version 2.4.11) using ppolicy. When a user tries to bind with incorrect credential, the master server gets populated with pwdFailureTime attribute. After 4 times of entering wrong credentials, pwdAccountLockedTime is added to that user. Our problem is that the secondary server (using syncrepl) is not replicating the pwd* values. I've noticed that neither entryCSN nor contextCSN are being updated (on the master) when pwdFailureTime is added to the user (I'm not sure if it should actually change). But, when we change any other attribute (userPassword, etc) on the master, that does change entryCSN, and all pwd* attributes do get updated in the seconday server. appreciate your help. Thanks!

1 0

Re: Reentrant library question.
by William Jojo 12 Sep '08

12 Sep '08

---- Original message ---- >Date: Thu, 11 Sep 2008 14:55:14 +0100 >From: Duncan Gibb <Duncan.Gibb(a)SiriusIT.co.uk> >Subject: Re: Reentrant library question. >To: William Jojo <w.jojo(a)hvcc.edu> >Cc: openldap-technical(a)openldap.org > >William Jojo wrote: > >WJ> I manage a set of packages [..] for AIX 5.3 and 6.1. > >WJ> Is it safe to [..] > >WJ> libldap.so -> libldap_r.so > >Disclaimer: I do not speak AIX. > That's ok, I do. :-) :-) >The Debian Linux OpenLDAP packages have been doing this since 2.4.7. >We've deployed these and not come across any serious problems (said he, >about to roll out a 2.4.11 backport...). > Sounds wonderful! Thanks a bunch! Cheers, Bill > >Cheers > > >Duncan > >-- >Duncan Gibb, Technical Architect >Sirius Corporation - The Open Source Experts >http://www.siriusit.co.uk/ >Tel: +44 870 608 0063 || +44 7977 441 515

1 0

Reentrant library question.
by William Jojo 11 Sep '08

11 Sep '08

I manage a set of packages under the name pWare for AIX 5.3 and 6.1. I am upgrading the core OpenLDAP from 2.3.38 to 2.4.11 and wanted to do something IBM does with libc. They link libc.a -> libc_r.a Is it safe to do the same in OpenLDAP such that: libldap.so -> libldap_r.so ? Then I rebuild any packages that depended on 2.3 for 2.4. Cheers, Bill

3 3

LDAP log analysis
by Praveen Kumar 11 Sep '08

11 Sep '08

Hi, I am using LDAP server for authentication, where i am successful in making an user to log in into a machine after authentication from ldap server. Now i want to see at the server side at what time the user asked for authentication and was successfully authenticated. In other words how can the log about any authentication request and successful reply to that can be seen for each request made to the server. Regards

2 1

[Solved] AW: Re: AW: Re: AW: Re: SASL bind with Kerberos: (was: Simple binds with SASL/GSSAPI (Resource temporarily unavailable))
by Hauke Coltzau 10 Sep '08

10 Sep '08

Hi all, Wow, it seems to be done ;-) To put it in a nutshell: - apt-get purge MIT-Kerberos* - apt-get install Heimdal* - tried and failed, tried and failed, ... - apt-get purge heimdal*, cyrus*, openldap* - apt-get libssl-dev and libdb dev packages - got cyrus, openldap and heimdal tarballs - configured, compiled, tested, failed, configured, compiled, tested, failed, conf.......... ...... ...... ... --- ... ... --- ... configured, compiled, succeeded! - Followed well known configuration instructions Voila! ldapsearch -Y GSSAPI works ldaps works (without client verification, did not solve that yet, server verification works fine) login with kerberos authentication works (with proxy ticket for the machine, this way I avoid having PLAIN username/password send to slapd) su, id, etc. works Seems, as if doing it by hand is still the best way ;-) Thanks again for your help, Hauke ----- Ursprüngliche Mail ----- Von: "Quanah Gibson-Mount" <quanah(a)zimbra.com> An: "Hauke Coltzau" <hauke.coltzau(a)FernUni-Hagen.de> CC: openldap-software(a)openldap.org Gesendet: Montag, 8. September 2008 21:44:16 GMT +01:00 Amsterdam/Berlin/Bern/Rom/Stockholm/Wien Betreff: Re: AW: Re: AW: Re: SASL bind with Kerberos: (was: Simple binds with SASL/GSSAPI (Resource temporarily unavailable)) --On Monday, September 08, 2008 9:26 PM +0200 Hauke Coltzau <hauke.coltzau(a)FernUni-Hagen.de> wrote: > ii libsasl2-modules-gssapi-mit 2.1.22.dfsg1-18ubuntu2 \\ > Cyrus SASL - pluggable authentication module I would highly recommend using Heimdal on the master side. But that's up to you. ;) > - In the first approach, the user already has a TGT and asks the KDC for > a "ldap/fqdn@REALM-ticket"? This is done by ldapsearch, not by slapd? > Hence, slapd "only" needs access to its keytab to be able to decrypt the > clients messages? I believe that is correct, yes. At Stanford, I had to point slapd at the keytab in a shell script, but I believe that was because I was using SASL/GSSAPI to do replication as well. It's been a while. ;) > - And in the second one, the user provides username and password (plain), > slapd converts the username into a principle (user@REALM) and forwards > this to saslauthd? So this should be secured via TLS? You can try securing it via startTLS, but nothing blocks a user from still doing it in the clear, unfortunately (i.e., you can reject the non-secured bind, but they'll have already sent their credentials, so anyone sniffing would be able to get them). > There used to be a well-known howto for all this at > http://www.bayour.com/LDAPv3-HOWTO.html but the site is offline for some > days now. This howto is completely wrong, and the various folks have asked the author to take it down for years. I'm glad to hear it is not accessible. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration --

2 1

syncrepl - Base DN is not within the database naming context.
by Brad T Waldorf 10 Sep '08

10 Sep '08

Sorry in advance if i'm missed something obvious (which is what the text of this error makes me think), but i've spent 2 days on this and could use another set of eyes. I hit the error in the subject when trying to set up basic refreshAndPersist replication with 2 separate BDB databases defined and populated. The error happens on only 1 of the databases (replication works fine on the other.) (slapd.conf for Master....) include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=exampleb1,dc=com" rootdn "cn=kingb1,dc=exampleb1,dc=com" rootpw password directory /usr/local/var/openldap-data/bdb1 index objectClass,sn,mail,street,pager eq database bdb suffix "o=baseballs" rootdn "cn=admin,o=baseballs" rootpw password directory /usr/local/var/openldap-data/bdb2 index objectClass,sn,mail,street,pager eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 database monitor (slapd.conf for Slave...) include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=exampleb1,dc=com" rootdn "cn=kingb1,dc=exampleb1,dc=com" rootpw password directory /usr/local/var/openldap-data/bdb1 index objectClass,sn,mail,street,pager eq database bdb suffix "o=baseballs" rootdn "cn=admin,o=baseballs" rootpw password directory /usr/local/var/openldap-data/bdb2 index objectClass,sn,mail,street,pager eq syncrepl rid=492 provider=ldap://9.00.00.000:389 type=refreshAndPersist retry="120 +" searchbase="dc=exampleb1,dc=com" bindmethod=simple binddn="cn=kingb1,dc=exampleb1,dc=com" credentials=password database monitor I get the Master up and populated before starting the Slave. When i start the Slave, i get the error. Here's the output with -d 256... (line 38 is the end of the syncrepl chunk... the "credentials=password" line) OpenLDAP 2.4.6 Standalone LDAP Server (slapd)/test/slapd_multibackendsS.conf: li ne 38: Base DN "dc=exampleb1,dc=com" is not within the database naming context.+ CSMP0097I 22.50.28 CPU-C SS-BSS SSU-HPN IS-01 failed to add syncinfo+ CSMP0097I 22.50.28 CPU-C SS-BSS SSU-HPN IS-01 slapd stopped.+ CSMP0097I 22.50.28 CPU-C SS-BSS SSU-HPN IS-01 connections_destroy: nothing to destroy.+ If i modify the syncrepl statement in the slave to replicate the other database, replication of "o=baseballs" works... syncrepl rid=493 provider=ldap://9.00.00.000:389 type=refreshAndPersist retry="120 +" searchbase="o=baseballs" bindmethod=simple binddn="cn=admin,o=baseballs" credentials=password The data in "dc=exampleb1,dc=com" is straight from the output of the MakeLDIF utility. I've added/searched/modified it a bunch before trying this particular replication scenario. So... how stupid am i?? Do you see anything i'm missing? Thanks for your help...

3 4

Openldap force replication
by Govind c 10 Sep '08

10 Sep '08

Hi, Is there a way to force the replication between Master and the slave?. The number of objects and entries are the same in both master and slave,however the some fields don`t have the same content (eg : last login time)Wondering if there is way to keep both in sync in terms of content and objects/entries. Cheers CG

3 6

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2008