openldap-technical May 2009

openldap-technical@openldap.org

58 participants
48 discussions

database size
by Marcel Berteler 14 May '09

14 May '09

Our current database size is 7GB and we are wondering how big we can grow until we run into LDAP / BDB constrains. Are there others on the list that have extremely large databases? Any pointers to ensure we can grow our DB even further without issues? Marcel

3 2

openldap, proxy, round robin?
by Nathan Lager 14 May '09

14 May '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I am attempting to setup an openldap proxy, which i'd like to connect to a number of openldap directories in a round-robin fashion. There are currently 2 ldap servers, with a round-robin DNS hostname pointing to them. I setup openldap to proxy to this hostname, but it seems that when i actually connect to the proxy, it picks one of the addresses, and holds on to it. If it gets the second server on its first connection, it then continues to use that server. Is there a way to make openldap connect to each server? Whether it uses the round robin hostname or not is irrelevant. Two methods I can think of would be to somehow keep slapd from caching the dns name. Or if I can specify each server separately in the slapd.conf on the proxy. Thanks! - -- - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nathan Lager System Administrator 11 Pardee Hall Lafayette College, Easton, PA 18042 610-330-5907 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoLLmsACgkQsZqG4IN3sumf4gCeJ3tOzX5Mk8ddbgvkg7TASbUH d9MAn3U+B8uYIj6eQy+yAHitV9Cqij/K =gFcb -----END PGP SIGNATURE-----

2 2

Re: Deleting hundreds of Entry under a OU
by Michael Ströder 11 May '09

11 May '09

Daniel, please keep responses on the list so others can comment and learn as well. Daniel Spannbauer wrote: > > Michael Ströder schrieb: >> Daniel Spannbauer wrote: >>> Hello, >>> >>> I have to deleted abount 500 Entrys under a OU in my LDAP-Tree cause I >>> have to change the objectClass from "account" to "inetorgPerson". >>> Can I do this with ldapdelete? I always used that tool only to delete >>> one entry. >> Yes. But you have to provide a file with a list of the DNs of the >> entries to be deleted. >> >> $ ldapdelete -h >> usage: ldapdelete [options] [dn]... >> dn: list of DNs to delete. If not given, it will be readed from stdin >> or from the file specified with "-f file". >> >> (You could also use some of the GUI LDAP clients for that. E.g. my >> web2ldap supports recursive deletion of all entries below an entry.) > > Thats a posibility. But the ldap-Entries are genarated by a Script. So I > have to delete it also by this script. So a gui is not the solution that > I prefer. In this case I'd prefer to use a full-featured scripting language with a decent LDAP module to do the job. You have more control in the case of an error than with invoking command-line tools from a shell script. Ciao, Michael.

1 0

Deleting hundreds of Entry under a OU
by Daniel Spannbauer 11 May '09

11 May '09

Hello, I have to deleted abount 500 Entrys under a OU in my LDAP-Tree cause I have to change the objectClass from "account" to "inetorgPerson". Can I do this with ldapdelete? I always used that tool only to delete one entry. Regards Daniel -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email ds(a)marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München

2 2

OpenLDAP server and OS X clients
by Arne Schmitz 11 May '09

11 May '09

Hi! We are running an OpenLDAP server on Debian Stable. It works very well so far, using more than 20 Linux clients. However, we now also have got a couple of Mac clients that are supposed to use the server. I have set the Mac clients (OS X 10.5.6) to use our LDAP server, using the Directory Utility. That utility is set to use a RFC 2307 server, with our LDAP's IP and the correct base name. After that I can "sudo su" to any LDAP user, also call "id" for any LDAP user, log in via SSH + key to LDAP user, but NOT authenticate via password. I.e. interactive logins or password based SSH logins are NOT possible. It seems the password authentication against LDAP is not working. What I find in /var/log/secure.log is the following: May 6 17:46:38 mymac authorizationhost[70401]: Failed to authenticate user MyLDAPUser (tDirStatus: -14090). Any ideas what might be going wrong here? Where should I look? Cheers, Arne -- Dipl.-Inform. Arne Schmitz Phone +49 (0)241 80-21817 Computer Graphics Group Fax +49 (0)241 80-22899 RWTH Aachen University http://www.rwth-graphics.de Ahornstrasse 55, 52074 Aachen, Germany

2 3

LDIF, userCertificate; and missing "binary" option
by Erwann ABALEA 07 May '09

07 May '09

Hello, Hoping it's the right list to ask for it. I'm facing a "cross-recommendations" problem. Here it is. I'm downloading an LDIF containing some inetOrgPerson and cRLDistributionPoint entries, in order to have a replication site to develop on. Those entries have userCertificate or certificateRevocationList , but not stored with the "binary" option (only the "::" indicating it's Base64-encoded). When trying to import this file with ldapadd on my directory, it failed, telling me that those attributes need to be transfered with the binary option. Right. I'm searching RFCs 2252 and 2256 (and their replacement as well), and find that effectively, those attributes *MUST* be transfered as binary ones. I told the directory maintainer that the LDIF wasn't correct according to these RFCs, and he replied that it was correct regarding RFC2849, which is the only one defining the LDIF format. Finally, that's right. And this RFC doesn't tell anything about certificates or binary option. And I can't find an obvious link between RFC2849 and RFC2252/2256. I know I can just do a 'sed s/userCertificate::/userCertificate;binary::/' of the file, but modifying something defined to be a standard for interchange doesn't seem to be a good solution. Do you have some ideas? Regards. -- Erwann.

2 1

OpenLDAP multi master replication
by Bujji S 07 May '09

07 May '09

Hi, i have openldap(2.4.9) installed in ubuntu 8.04 server. i want to create a multi master set up with two such servers(2 or more than 2) first i tried to follow http://www.openldap.org/doc/admin24/replication.htmlto form n-way master setup. but in starting only i got a problem saying database(dc=mytest,dc=com) is not configured to hold "cn=config" then i tried setting up cn=config using http://www.zytrax.com/books/ldap/ch6/slapd-config.html but that doesn't help me meaning even after configuring that cn=config as he mentioned in the site i got the same error so i removed everything(slapd.d) what i did earlier so now i have slapd.conf in both of my servers finally i found one more link http://itsecureadmin.com/wiki/index.php/OpenLDAP_Multi-Master_Replication that displays sample config file so i followed that you can check the slapd.conf below so now i set up the same configuration in the second server too. after writing these slapd.conf i just restared slapd on both servers. for the first time when i add some data the first server it got replicated on the other server only when restart slapd on second server. that is fine. when i tried to add some other data on second server its not getting replicated on the other server even if i restart slapd. after that wherever i add data not getting replicated adding locally only. what could be the problem. plz check my slapd.conf file and suggetst me how to do multi master replication on ubuntu 8.04 server. so my slapd.conf is below. # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel none # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_hdb moduleload ppolicy.la moduleload syncprov.la moduleload back_monitor.la # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 ####################################################################### # Specific Backend Directives for hdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend hdb ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> database config rootdn "cn=admin,cn=config" rootpw admin123 database monitor rootdn cn=monitor rootpw admin123 ####################################################################### # Specific Directives for database #1, of type hdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database hdb # The base of your directory in database #1 suffix "dc=mytest,dc=com" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. rootdn "cn=admin,dc=mytest,dc=com" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" serverid 3 ldap://192.168.7.88:389 serverid 4 ldap://192.168.7.89:389 cachesize 1000 checkpoint 256 5 syncrepl rid=003 provider=ldap://192.168.7.88:389 binddn="cn=admin,dc=mytest,dc=com" bindmethod=simple credentials=admin123 searchbase="dc=mytest,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 syncrepl rid=004 provider=ldap://192.168.7.89:389 binddn="cn=admin,dc=mytest,dc=com" bindmethod=simple credentials=admin123 searchbase="dc=mytest,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 mirrormode true overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 # The dbconfig settings are used to generate a DB_CONFIG file the first # time slapd starts. They do NOT override existing an existing DB_CONFIG # file. You should therefore change these settings in DB_CONFIG directly # or remove DB_CONFIG and restart slapd for changes to take effect. # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 for more # information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index objectClass eq index cn,mail,surname,givenname eq # Save the time that the entry gets modified, for database #1 lastmod on # Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30 # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=mytest,dc=com" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=mytest,dc=com" write by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=mytest,dc=com" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be hdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" --------------------------------------------------------------------- so now i set up the same configuration in the second server too. after writing these slapd.conf i just restared slapd on both servers. for the first time when i add some data the first server it got replicated on the other server only when restart slapd on second server. that is fine. when i tried to add some other data on second server its not getting replicated on the other server even if i restart slapd. after that wherever i add data not getting replicated adding locally only. what could be the problem. plz check my slapd.conf file and suggetst me how to do multi master replication on ubuntu 8.04 server. Thanks Visu

2 1

ldap users in local groups
by Justin Lintz 06 May '09

06 May '09

Hi, I'm running into an interesting problem in that when I try to add more than one ldap account to a local group, both users of that group no longer show membership in that group when running "groups" or "id". If I just add one of the users to the group, it works without a problem. I apologize if this is not the correct list of this issue. Does anyone have any ideas on what may be causing this? - Justin Lintz

3 2

Occasional corrupt DN in be_add logs under 2.4.16
by Sean Burford 06 May '09

06 May '09

Hi, As an interim measure while deploying 2.4.16 I am canarying 2.3.43 on a replication provider. As a result the current replication path is: master (2.3.39) -> provider (2.3.43) -> replica (2.4.16) The master will be upgraded in short order once the 2.3.43 canary is successful. I've been seeing occasional corrupt DNs in some be_add log lines on the 2.4.16 replica: May 5 09:35:46 host slapd[31817]: syncrepl_message_to_op: rid=100 be_add <90>Y1 ntry,ou=subtree,dc=example,dc=com (0) I've modified the DN in this log line. The missing text is "cn=l" in this example. The original DN was 65 characters long. I have performed the following search against each host with the following results. It shows that the entry replicated fine but capitalisation of the DN differs (which may be a red herring since I was already aware that DN capitalisation differed across servers): $ ldapsearch -x -b cn=lntry,ou=subtree,dc=example,dc=com -s base dn master: dn is cn=lntry,ou=Subtree,dc=example,dc=com provider: dn is cn=lntry,ou=subtree,dc=example,dc=com replica: dn is cn=lntry,ou=Subtree,dc=example,dc=com slapcat shows no problems with the entry on the 2.4.16 host. Since the database looks fine I wonder if this is just a logging issue. Should this Debug statement in syncrepl.c actually use op->ora_e->e_name.bv_val or some other attribute? rc = op->o_bd->be_add( op, &rs ); Debug( LDAP_DEBUG_SYNC, "syncrepl_message_to_op: %s be_add %s (%d)\n", si->si_ridtxt, op->o_req_dn.bv_val, rc ); With the exception of si->si_rid becoming si->si_ridtxt (and %d->%s) this Debug statement has not changed since 2.3. -- Thanks, Sean Burford

3 5

slapd-meta and paged results control
by Lajos Boróczki 06 May '09

06 May '09

Hi, I'm trying to set up an openldap proxy server using slapd-meta. Everything worked so far, but after the backend database grew bigger and bigger, searches with a fixed page size started to give strange results. Tracing the problem led me to the following: If I set a page size of 300 in my ldapsearch (where localhost:3890 is my slapd running slapd-meta): ldapsearch -x -W -D "CN=admin,DC=example,DC=org" -E pr=300 -H "ldap://localhost:3890/" -b "dc=a,dc=example,dc=org" "(objectClass=inetOrgPerson)" uid I get at most 300 results and the paging information is lost on the way. If I set 300 to 1000 I get all of the results, because I have ~500 entries. Doing an ldapsearch to the backand servers: ldapsearch -x -W -D "CN=admin,DC=example,DC=org" -E pr=300 -H "ldap:// dc1.a.example.org/" "dc=a,dc=example,dc=org" "(objectClass=user)" userPrincipalName I get 300 results and a prompt to press enter, after pressing some enters I can get every entries. My backends are Active directories... :( Thanks for your help, Lajos Config: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/ad_attr.schema include /etc/ldap/schema/ad_class.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 8 modulepath /usr/lib/ldap moduleload back_meta moduleload back_ldap moduleload rwm moduleload pcache moduleload back_bdb sizelimit 1000 tool-threads 1 database meta suffix "dc=example,dc=org" norefs yes rebind-as-user yes chase-referrals no uri "ldap://dc1.example.org/dc=example,dc=org" "ldap:// dc2.example.org/" uri "ldap://dc1.a.example.org/dc=a,dc=example,dc=org" "ldap:// dc2.a.example.org/" uri "ldap://dc1.b.example.org/dc=b,dc=example,dc=org" "ldap:// dc2.b.example.org/" overlay rwm rwm-rewriteEngine on rwm-map attribute uid userPrincipalName rwm-map objectclass inetOrgPerson user

4 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2009