Syncrepl connections failing
by John Kane
I am having a problem with what appears (to me) to be 'stale' TCP
connections for syncrepl between the master and a pair of slaves. After
restarting all, I see changes on the master replicated to both slaves.
BUT, if I wait about 30 minutes or more, then make a change, the
replication fails (most of the time). netstat on the LDAP port shows the
connections still established, but queued packets at the master server.
After about 15 minutes, the master server drops the connection. An
overnight tcpdump on the master showed LDAP occasionally sending a
keep-alive, with 2 hrs between the keep-alive messages (these keep-alives
are inconsistent, though; some nights I see none).
I am running Red Hat EL5 and OpenLDAP 2.3.43 on all servers with no TLS
or SASL (in our integration/test facility).
I don't see anything in the documentation pertaining to keep-alives,
other than ITS#4708 for 2.3.38.
Here's the syncrepl for one slave:
syncrepl rid=004
        type=refreshAndPersist
        provider=ldap://172.24.1.191
        retry="30 10 300 3"
        searchbase="o=partner_x,dc=ourcompany-int,dc=net"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncRepl,o=partner_x,dc=ourcompany-int,dc=net"
        credentials="secret"
updateref ldap://172.24.1.191
The other slave's slapd.conf is identical except for rid=002.
On the master I have:
overlay syncprov
syncprov-checkpoint 100 30
syncprov-sessionlog 100
Note: The 2 slaves are running on blades in an IBM chassis, and the
master is on a 1U Linux server, just 'one hop' away. Prior to this,
when I had a master/slave pair running on the blades, syncrepl was
working fine for several months. It was not until I moved the master to
another server that the failures started.
Thanks in advance for any help or info.
John Kane
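An added example, not the poster's configuration: the same rid=004 consumer stanza with explicit TCP keepalives, plus the kernel-side equivalent. It assumes OpenLDAP 2.4, whose syncrepl keyword keepalive=idle:probes:interval does not exist in the 2.3.43 in the post; the sysctl names are the Linux kernel's and the numeric values are illustrative.

```conf
# Added example, not the poster's config: the rid=004 consumer stanza with
# explicit TCP keepalives. Requires OpenLDAP 2.4 (keepalive= is not a
# 2.3.43 keyword). idle:probes:interval means: start probing after 60 s of
# silence, give up after 5 unanswered probes 10 s apart, so a vanished
# provider is noticed in about 110 s and the "retry" schedule takes over.
syncrepl rid=004
        type=refreshAndPersist
        provider=ldap://172.24.1.191
        retry="30 10 300 3"
        searchbase="o=partner_x,dc=ourcompany-int,dc=net"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncRepl,o=partner_x,dc=ourcompany-int,dc=net"
        credentials="secret"
        keepalive=60:5:10
updateref ldap://172.24.1.191

# On a 2.3.x slapd only the kernel defaults apply to a SO_KEEPALIVE socket.
# Linux ships tcp_keepalive_time=7200 (two hours, which matches the spacing
# the overnight tcpdump saw) followed by 9 probes 75 s apart, so a half-open
# replication connection lingers for well over two hours. Host-wide values
# for /etc/sysctl.conf on both ends (these affect every TCP socket on the
# box, not only slapd):
#
#   net.ipv4.tcp_keepalive_time = 60
#   net.ipv4.tcp_keepalive_probes = 5
#   net.ipv4.tcp_keepalive_intvl = 10
```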
Help for special ACL needed
by Florian Götz
A warm "Hello" from Germany to the openldap-technical list!
I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
I need to write an ACL which allows a user to see his own entry (objectClass
built on inetOrgPerson) and nothing else.
I know that this isn't the intended use of the LDAP system, but our manager
wants it that way.
I tried something like this:
access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry
        by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write
        by users none
but I just get a message about invalid credentials.
The command used was:
ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
Running
ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1
with the rootdn account shows the information, but if the uid of user1 is
used for binding it fails.
Does anyone have an idea how to implement these restrictions?
Additionally, not all attributes should be listed to the user, only a few
that are important for him. My idea was to use an ACL like the above to be
sure the user only gets access to his object, and then add a second ACL
below it that restricts access to the important attributes.
Best regards
Florian Götz
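An added example, not the poster's ACLs, of one way to express "a user sees only his own entry, and only a few attributes of it". It assumes users sit directly under ou=Users,dc=justushere,dc=de (as in the poster's regex) and that uid, cn and mail are the permitted attributes; the attribute list is a placeholder to adjust.

```conf
# Added example, not the poster's ACLs. Assumes users sit directly under
# ou=Users,dc=justushere,dc=de and that uid, cn and mail are the few
# attributes the user may see. slapd evaluates rules top down; the first
# "access to" whose target matches decides, with an implicit "by * none".

# 1. A simple bind is performed by the anonymous session, which needs
#    "auth" on userPassword. The posted ACL only covered attrs=entry, so
#    the bind fell through to the implicit deny and slapd reported
#    "invalid credentials" rather than anything about ACLs.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. ldapsearch without -b starts at the suffix from ldap.conf; the bound
#    user needs "search" on that base entry to begin a subtree search.
#    Entries below the base are still governed by the later rules.
access to dn.base="dc=justushere,dc=de" attrs=entry
        by users search
        by * none

# 3. The user's own entry: only the listed attributes plus the "entry"
#    pseudo-attribute. "by self" needs no $1 back-reference and can never
#    match another user's entry. uid is listed because a filter such as
#    (uid=user1) is only evaluated on attributes the requester may search.
access to dn.onelevel="ou=users,dc=justushere,dc=de" attrs=entry,uid,cn,mail
        by self read
        by * none

# 4. Everything else is invisible to every bound or anonymous user. The
#    rootdn (cn=admin) bypasses ACLs entirely, which is why the admin
#    search in the post succeeded while the user's did not.
access to *
        by * none
```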
slapd + gssapi/heimdal: using false realm in principal
by Friedemann Stoyan
Hello,
I am struggling with a Debian GNU/Linux (Lenny) system and
* slapd 2.4.11-1
* heimdal-kdc 1.2.dfsg.1-2.1
* libsasl2-modules-gssapi-heimdal 2.1.22.dfsg1-23
With this configuration:
/etc/ldap/slapd.conf:
# Kerberos Configuration
sasl-host kerberos.lab.swapon.de
sasl-realm LAB.SWAPON.DE
# Mapping Kerberos Authentication Identities
authz-regexp
        uid=([^,]*),cn=lab.swapon.de,cn=gssapi,cn=auth
        ldap:///ou=people,dc=lab,dc=swapon,dc=de??one?(&(uid=$1)(objectClass=person))
/etc/ldap/sasl2/slapd.conf:
mech_list: GSSAPI
log_level: 7
Then I get a Kerberos ticket and start ldapsearch:
$ ldapsearch -H ldaps://ldap.lab.swapon.de/
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
The slapd logfile isn't very helpful:
slapd[11480]: conn=2 fd=14 ACCEPT from IP=[2001:6f8:12ec:11::389:fefe]:60487 (IP=[2001:6f8:12ec:11::389:fefe]:636)
slapd[11480]: conn=2 fd=14 TLS established tls_ssf=128 ssf=128
slapd[11480]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[11480]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
slapd[11480]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[11480]: conn=2 op=1 BIND dn="" method=163
slapd[11480]: SASL [conn=2] Failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 op=1 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)
slapd[11480]: conn=2 fd=14 closed (connection lost)
The KDCs logfile is more interesting:
Authentication Server Request from slapd (successful):
14:37:13 AS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE
14:37:13 Client sent patypes: encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp, encrypted-timestamp
14:37:13 Looking for PKINIT pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 Looking for ENC-TS pa-data -- host/reliant.lab.swapon.de@LAB.SWAPON.DE
14:37:13 ENC-TS Pre-authentication succeeded -- host/reliant.lab.swapon.de@LAB.SWAPON.DE using aes256-cts-hmac-sha1-96
14:37:13 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
14:37:13 Using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
14:37:13 AS-REQ authtime: 2009-04-27T14:37:13 starttime: unset endtime: 2009-04-28T00:37:13 renew till: unset
14:37:13 sending 670 bytes to IPv6:2001:6f8:12ec:11::88:fefe
Ticket Granting Server Request from slapd (fails):
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for digest/LAB@LAB.SWAPON.DE [canonicalize]
14:37:13 Searching referral for LAB
14:37:13 Server not found in database: digest/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 TGS-REQ host/reliant.lab.swapon.de@LAB.SWAPON.DE from IPv6:2001:6f8:12ec:11::88:fefe for krbtgt/LAB@LAB.SWAPON.DE
14:37:13 Server not found in database: krbtgt/LAB@LAB.SWAPON.DE: No such entry in the database
14:37:13 Failed building TGS-REP to IPv6:2001:6f8:12ec:11::88:fefe
14:37:13 sending 107 bytes to IPv6:2001:6f8:12ec:11::88:fefe
It's clear why this TGS-REQ is failing: the realm "LAB" in the principal
"krbtgt/LAB@LAB.SWAPON.DE" doesn't exist. Correct would be:
"krbtgt/LAB.SWAPON.DE@LAB.SWAPON.DE".
At present I have no clue how to fix this. Good ideas would be
appreciated.
Regards
Friedemann
RE: CSN Too Old potential Bug
by Victor Andres Sina Sotomayor
Hi all,
I was reading this post in the openldap-technical forum.
I am in the process of installing a full authentication service here using
Samba and OpenLDAP. My PDC and BDC are LDAP-based servers and are in
different locations, connected through a router, so a full master LDAP is
needed in each of these two locations.
I have two LDAP servers in mirror mode (in virtual machines, using
VMware); these two servers are time synchronized using the same time server.
When I update an LDAP entry on one server, the data replicates fine, but when
I use the other, I get the following error in my logs:
Apr 29 11:50:15 srvped2master slapd[7377]: do_syncrep2: cookie=rid=002,sid=002,csn=20090429165015.624045Z#000000#001#000000
Apr 29 11:50:15 srvped2master slapd[7377]: do_syncrep2: rid=002 CSN too old, ignoring 20090429165015.624045Z#000000#001#000000
Time is very difficult to keep in sync when virtual machines are in
use, and OpenLDAP servers are extremely sensitive to time lag.
Apparently this is a bug in OpenLDAP 2.4.11 and will be fixed in 2.4.16:
http://www.openldap.org/lists/openldap-bugs/200903/msg00202.html
Has anyone been able to solve the problem?
I'm using Debian Lenny.
srvped2master:/etc/ldap# apt-cache policy slapd
slapd:
Installed: 2.4.11-1
Candidate: 2.4.11-1
Version table:
*** 2.4.11-1 0
500 http://ftp.us.debian.org lenny/main Packages
100 /var/lib/dpkg/status
This is my slapd.conf:
#################
serverID 1
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 16384
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=avhlima,dc=edu,dc=pe"
rootdn "cn=admin,dc=avhlima,dc=edu,dc=pe"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
syncrepl rid=001
        provider=ldap://192.168.4.8
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=avhlima,dc=edu,dc=pe"
        attrs="*,+"
        bindmethod=simple
        binddn="cn=admin,dc=avhlima,dc=edu,dc=pe"
        credentials=XXXXXXXXXXXX
mirrormode on
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
lastmod on
checkpoint 512 30
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,shadowLastChange
        by dn="cn=admin,dc=avhlima,dc=edu,dc=pe" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=avhlima,dc=edu,dc=pe" write
        by * read
##########################
The only differences between the servers are:
serverID 2
syncrepl rid=002
provider=ldap://192.168.3.8
Thanx 4 your time
Victor
openldap on windows
by singularity suse
How do I get OpenLDAP running on my Windows XP machine? I edited the conf
file, but it doesn't work.
Thanks
Ldap error: Logging region out of memory; you may need to increase its size
by vaibhav lokhande
Hi all,
I am new to the world of LDAP. The following is info about my LDAP:
openldap-2.4.11-1.3.el5
openldap-servers-2.4.11-1.3.el5
nss_ldap-253-3
compat-openldap-2.4.11_2.3.27-1.3.el5
openldap-clients-2.4.11-1.3.el5
php-ldap-5.1.6-5.el5
openldap-devel-2.4.11-1.3.el5
And I'm getting this error on the slapcat command:
bdb(o=******_ldap): Logging region out of memory; you may need to increase its size
bdb_db_open: database "o=******_ldap": db_open(/var/lib/ldap/id2entry.bdb) failed: Cannot allocate memory (12).
backend_startup_one: bi_db_open failed! (12)
Can anyone please guide me to solve this issue? Other things are working
fine.
But I am still getting this error.
Regards
Vaibhav
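An added example, not from the post: a DB_CONFIG for the bdb environment directory named in the error (/var/lib/ldap), addressing the message's own hint about the logging region. The parameter names are Berkeley DB's; the byte values are illustrative and sized for a small directory.

```conf
# Added example, not the poster's file: /var/lib/ldap/DB_CONFIG for the
# "Logging region out of memory" failure. Values are illustrative.

# Shared-memory cache for the environment: 0 GB + 256 MB, one segment.
set_cachesize 0 268435456 1

# The message comes from Berkeley DB's log subsystem. Its region stores
# the names of every database file registered with the environment, and
# OpenLDAP opens one .bdb file per index, so with many indexes the
# default (roughly 60 KB) runs out and db_open fails with ENOMEM (12),
# exactly the sequence in the slapcat output. 1 MB leaves ample headroom.
set_lg_regionmax 1048576

# In-memory log buffer and maximum size of a single log file.
set_lg_bsize 2097152
set_lg_max 10485760

# Lock table sizes (counts, not bytes); these are the next limits a
# heavily indexed database tends to hit.
set_lk_max_objects 1500
set_lk_max_locks 1500
set_lk_max_lockers 1500

# Region sizes are fixed when the environment is created, so the change
# only takes effect after the existing environment is torn down: stop
# slapd, run db_recover (Berkeley DB utilities) in /var/lib/ldap, then
# re-run slapcat or start slapd.
```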
Adapt memberof overlay for host attribute
by Vince Rafale
Hi list,
I would like to know whether anybody has succeeded in using the memberof
overlay for other attributes.
I would like a user entry (specifically the host attribute) to be
populated when a user is added to a posixGroup. Let's say this
posixGroup contains a "hostOfGroup" attribute.
Is it feasible? Or do I need to code my own overlay for that purpose?
If writing an overlay is not needed, is there an easier way to do that?
Thanks.
Regards,
Vince
getting distinguishedName as a distinct attribute in search result
by Erik De Zeeuw
Hello,
We need to get a line with "distinguishedName: <dn>" in our search
results, in order for a specific software to work with our LDAP setup.
I tried to play around with rwm-map and rewrite, but could not find a
solution to get this working.
To be clear, I would like to get this as a search result:
dn: uid=myuser,ou=people,dc=my,dc=suffix
givenName: My User
... other attributes ...
distinguishedName: uid=myuser,ou=people,dc=my,dc=suffix
... other attributes ...
I know this might not be standard, and it indeed looks quite stupid as
we already get the dn: line, but this seems to be the way it works when
using Active Directory, and software we bought just waits for this to work.
Thanks for any constructive answer that will popup :)
Segfault during Auth Benchmark request
by SAGNIMORTE Thomas (CAMPUS)
Hi,
I am working on building and benchmarking OpenLDAP v2.4.16 for a directory
with a large number of entries (current test: 2,000,000, but the final
objective is 10,000,000 users).
I use SLAMD to test authentication in order to evaluate the maximum number
of authentications I can do on my server. So I try to do 5
authentications per 5 ms for 5 min.
My OpenLDAP 2.4.16 is installed on an x86 two-core 2.8 GHz server with 4 GB
of memory.
I set a 3 GB cache in DB_CONFIG and I have looked a lot at how to configure
slapd properly.
Is this normal because I have reached system limits, or can I change some
parameters to optimize slapd performance?
Does anyone have figures about slapd performance with a directory of this
size on standard servers?
Regards,
---
Thomas