ACL processing performance
by Christian Manal
Hi,
I've got a question regarding ACLs and their processing performance.
I use the NIS schema to store user information and the like in
OpenLDAP (using the maps passwd, group, services, ethers, hosts,
automount stuff etc.) plus the samba schema plus some self-defined stuff.
I have ACLs defined for some special attributes, like userPassword, and
for each OU (People, Groups, ...).
If I start multiple searches without a filter (so everything accessible
will be displayed) anonymously or with some user, I can get the CPU load
of my servers up to 80-90%. It's definitely the ACLs, since I have no
problems when using the rootDN or if I reduce the ACLs.
What I'd like to know now is what is so damn expensive in my ACLs and
how I could reduce the cost without lessening the access restrictions...
OpenLDAP version is 2.4.17 using back-hdb with BDB 4.4 from the opencsw
repository on Solaris 10 (SunOS 5.10 Generic_139556-08). There are
around 30k entries in my database. I have one master and four slaves
using delta-syncrepl for replication.
Configuration files can be found here:
http://www.informatik.uni-bremen.de/~moenoel/ldap/
Thanks in advance.
Regards,
Christian Manal
14 years, 4 months
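An added example, not from this thread or from any post on this page: a small evaluator of slapd-style access directives, fed the ACL set quoted in the master slapd.conf of the slurpd thread further down this page and run over constructed sample entries. It shows what an unfiltered search costs in ACL terms: every attribute of every candidate entry is checked, so a dn.regex clause that sits first in a directive is evaluated once per entry and attribute. The matching rules (unanchored case-insensitive regex, string-equality self check, implicit 'by * none') are approximations of slapd's, not its code.

```python
import re
# ACL set copied from the master slapd.conf in the slurpd post on this page.
ACLS = """\
access to attrs=loginShell
  by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
  by self write
  by * read
access to attrs=employeeNumber
  by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
  by self read
  by * none
access to *
  by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
  by * read
"""
# Constructed sample entries (not from the page): (dn, attribute names).
ATTRS = ["uid", "cn", "loginShell", "employeeNumber"]
ENTRIES = [("uid=%s,ou=people,dc=test,dc=domain" % u, ATTRS)
           for u in ("ppham4", "alice", "bob")]

def parse_acls(text):
    """Parse 'access to <what>' directives into (what, [(who, level), ...])."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access to "):
            acls.append((line[len("access to "):], []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            acls[-1][1].append((who, level))
    return acls

def what_matches(what, attr):
    """'*' matches any attribute; 'attrs=a,b' matches the listed names."""
    return what == "*" or (what.startswith("attrs=")
                           and attr.lower() in what[6:].lower().split(","))

def who_matches(who, bound_dn, target_dn, stats):
    """Evaluate one 'by' clause (approximation of slapd's matching rules)."""
    if who == "*":
        return True
    if who == "self":
        return bound_dn != "" and bound_dn.lower() == target_dn.lower()
    if who.startswith("dn.regex="):
        stats["regex_evals"] += 1  # one regex match per entry/attribute checked
        return re.search(who[len('dn.regex="'):-1], bound_dn, re.I) is not None
    raise ValueError("unsupported clause: " + who)

def access_level(acls, bound_dn, target_dn, attr, stats):
    """First matching directive wins; first matching 'by' inside it gives the level."""
    for what, bys in acls:
        if what_matches(what, attr):
            for who, level in bys:
                if who_matches(who, bound_dn, target_dn, stats):
                    return level
            return "none"  # no 'by' matched: slapd's implicit 'by * none'
    return "none"  # unreached here: the page's ACL sets all end in 'access to *'

def visible_attrs(acls, bound_dn, entries):
    """Simulate an unfiltered search: returns (dn -> readable attrs, regex evals)."""
    stats = {"regex_evals": 0}
    result = {dn: [a for a in attrs if access_level(acls, bound_dn, dn, a, stats)
                   in ("read", "write")] for dn, attrs in entries}
    return result, stats["regex_evals"]
```

With three entries of four attributes, every identity (anonymous, a plain user, an /admin principal) triggers twelve regex evaluations for this one search; at 30k entries the count scales the same way.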
Use of syncprov overlay in slave
by rommel@buxit.nl
I am wondering whether it is possible to use the syncprov overlay in the
slave database?
The configuration at hand consists of two masters in mirror mode and
n replicas in syncrepl mode. The client application connects to one of
the replicas and attempts to use the SyncControl to monitor the replica
for changes.
Both the masters and the replicas have been configured with 'overlay syncprov'.
When the client application connects to one of the masters and a change
is made in the other master, the application gets notified about the
change through the SyncControl.
However, when I connect the client application to one of the replicas and
make a change in one of the masters, the client does not get notified
about the change.
When I look into the replica database directly, the change made on the
master is visible though.
So I'm wondering: is it possible to use the syncprov overlay in the slave
database? And what would be the correct configuration to achieve this?
The version of openldap I'm using is 2.4.13.
Any help is appreciated.
/Rob
14 years, 4 months
openldap and saslauthd
by Olivier Nicole
Hi,
I have problems getting saslauthd to work with my openldap server:
- saslauthd binds/authenticates if I connect to the non-SSL port
ldap://ldap.cs.ait.ac.th/
- saslauthd fails to bind/authenticate if I connect to the SSL port
ldaps://ldap.cs.ait.ac.th/
Jul 23 12:02:00 ldap slapd[41289]: conn=22 fd=19 ACCEPT from IP=192.41.170.50:62502 (IP=192.41.170.6:636)
Jul 23 12:02:00 ldap slapd[41289]: connection_closing: readying conn=22 sd=19 for close
Jul 23 12:02:00 ldap slapd[41289]: connection_close: conn=22 sd=-1
Jul 23 12:02:00 ldap slapd[41289]: conn=22 fd=19 closed (TLS negotiation failure)
I really don't know where to look.
TIA,
Olivier
14 years, 4 months
Help with slurpd referral error
by phamp008@yahoo.com
Hi,
I am new to the Openldap + Kerberos project. I am setting up slurpd from ldap1 (master) to ldap2 (replica). I am hoping someone can give me some suggestions to troubleshoot this. I ran into this error when slurpd attempts to add a new DN to ldap2.
This is the error when I run slurpd -d 4:
begin replication thread for ldap2.test.domain:389
Initializing session to ldap2.test.domain:389
request done: ld 0x9b27778 msgid 1
bind to ldap2.test.domain as host/krbmaster.test.domain(a)TEST.DOMAIN via GSSAPI (SASL)
request done: ld 0x9b27778 msgid 2
request done: ld 0x9b27778 msgid 3
request done: ld 0x9b27778 msgid 4
replica ldap2.test.domain:389 - add dn "uid=ppham4,ou=people,dc=test,dc=domain"
request done: ld 0x9b27778 msgid 5
Error: ldap_add_s failed adding DN "uid=ppham4,ou=people,dc=test,dc=domain": Referral
Error: ldap operation failed, data written to "/var/lib/ldap/replica/ldap2.test.domain:389.rej
Here's the slapd.conf on ldap1(master)
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
disallow bind_simple
#security tls=1
#require authc
# Create a replication log in /var/lib/ldap for use by slurpd.
# REPLICA: Comment this out on the replicas
replogfile /var/lib/ldap/master-slapd.replog
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd1-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd1.key
sasl-secprops noanonymous,noplain,noactive
# Map SASL authentication DNs to LDAP DNs
# This leaves "username/admin" principals untouched
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain
# This should be a ^ plus, not a star, but slapd won't accept it
# REPLICA:
# On replica servers replace the first line of each section below (the
# line that allows /admin principals to write to things) with the
# following line (allowing the primary server to write instead). Thus
# admins can make changes on the primary server, and the primary
# server can push changes to the replicas.
#by dn.exact="uid=host/foo.example.com,cn=GSSAPI,cn=auth" write
# Users with /admin principals can change anything
# Users can change their shell, anyone else can see it
access to attrs=loginShell
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by self write
by * read
# Only the user can see their employeeNumber
access to attrs=employeeNumber
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by self read
by * none
# Default read access for everything else
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by * read
sizelimit 5000
threads 8
loglevel 256
# Allow LDAPv2 for Mozilla's address book
#allow bind_v2
database bdb
suffix "dc=test,dc=domain"
cachesize 10000
checkpoint 256 15
# Uncomment these only for the initial load, then comment them back
# out and restart slapd.
rootdn "cn=Manager,dc=test,dc=domain"
rootpw Secret!
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# REPLICA: Comment this out on replicas
replica host=ldap2.test.domain:389 tls=critical
bindmethod=sasl saslmech=GSSAPI
authcId=host/krbmaster.test.domain(a)TEST.DOMAIN
Here's the copy of my slapd.conf on replica ldap2 server:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#referral ldap://root.openldap.org
#pidfile /var/run/slapd.pid
#argsfile /var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
# REPLICA: Comment this out on the replicas
#replogfile /var/lib/ldap/master-slapd.replog
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateFile /etc/openldap/slapd1-cert.pem
TLSCertificateKeyFile /etc/openldap/slapd1.key
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=test,dc=domain
access to attrs=loginShell
by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
by self write
by * read
# Only the user can see their employeeNumber
access to attrs=employeeNumber
by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
by self read
by * none
# Default read access for everything else
access to *
by dn.exact="uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth" write
sizelimit 5000
threads 8
idletimeout 14400
loglevel 256
# Allow LDAPv2 for Mozilla's address book
allow bind_v2
database bdb
suffix "dc=test,dc=domain"
# Increase the size of slapd's entry cache. Note that this is a
cachesize 10000
checkpoint 256 15
# Uncomment these only for the initial load, then comment them back
# out and restart slapd.
rootdn "cn=Manager,dc=test,dc=domain"
rootpw Secret!
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# The purpose of the updatedn is to tell slapd not to send the updateref
# if that DN tries to make changes. Any other user which attempts to
# submit a change will be refered to the master LDAP server found in
# updateref.
# REPLICA: Uncomment these on replicas
updatedn "uid=host/krbmaster.test.domain"
updateref ldaps://ldap1.test.domain/
Greatly appreciate any help.
Thanks
Phil
14 years, 4 months
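An added checker, not from this thread: it applies the sasl-regexp rule from the configs above to the GSSAPI identity slurpd reports binding with, then compares the mapped DN with the replica's updatedn, since, as the comment in the replica's slapd.conf says, any writer other than updatedn is sent the updateref referral. The authorization DN form is the one the page's own ACL comments use; the start-anchored regex match and the simple DN normalisation are approximations of slapd's behaviour, not its code.

```python
import re

# Values copied from the slurpd post on this page: the sasl-regexp mapping rule,
# the replica's updatedn, and the GSSAPI identity slurpd reports binding with.
SASL_REGEXP_RULES = [("uid=([^/]*),cn=GSSAPI,cn=auth",
                      "uid=$1,ou=people,dc=test,dc=domain")]
REPLICA_UPDATEDN = "uid=host/krbmaster.test.domain"
SLURPD_AUTHZ_DN = "uid=host/krbmaster.test.domain,cn=GSSAPI,cn=auth"

def normalize_dn(dn):
    """Rough stand-in for slapd's DN normalisation (assumption): lowercase and
    no whitespace around the comma separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def map_sasl_dn(authz_dn, rules):
    """Apply sasl-regexp rules: the first rule whose regex matches rewrites the
    DN, substituting $1..$9 from the capture groups; no match leaves the DN
    untouched. Assumes a start-anchored, case-insensitive match, which is an
    approximation of slapd's regex handling."""
    for pattern, replacement in rules:
        m = re.match(pattern, authz_dn, re.I)
        if m is not None:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authz_dn

def replica_would_refer(bound_authz_dn, updatedn, rules):
    """True if a write from this identity is answered with the updateref
    referral, i.e. the mapped bind DN differs from the configured updatedn."""
    effective = map_sasl_dn(bound_authz_dn, rules)
    return normalize_dn(effective) != normalize_dn(updatedn)

if __name__ == "__main__":
    for dn in (SLURPD_AUTHZ_DN, "uid=ppham4,cn=GSSAPI,cn=auth",
               "uid=ppham4/admin,cn=GSSAPI,cn=auth"):
        print(dn, "->", map_sasl_dn(dn, SASL_REGEXP_RULES))
    print("slurpd write referred:",
          replica_would_refer(SLURPD_AUTHZ_DN, REPLICA_UPDATEDN, SASL_REGEXP_RULES))
    print("with the full auth DN as updatedn:",
          replica_would_refer(SLURPD_AUTHZ_DN, SLURPD_AUTHZ_DN, SASL_REGEXP_RULES))
```

The host/ principal contains a slash, so the `[^/]*` rule leaves it unmapped, exactly as the "leaves username/admin principals untouched" comment intends for admin principals; the check then reports whether the unmapped DN and the updatedn agree.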
error in SSLv3 read client certificate
by Jittinan Suwanrueangsri
Dear all
After I execute the command " ldapsearch -x -W -D
'cn=admin,dc=example,dc=com' -ZZ '(uid=david)' " I get the following log
portion (debug at level 1):
slapd starting
slap_listener_activate(8):
>>> slap_listener(ldap:///)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
conn=0 op=0 do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 13
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN, error=49 id=0
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 44 contents:
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=admin,dc=example,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=example,dc=com>,
<cn=admin,dc=example,dc=com>
do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128
do_bind: v3 bind: "cn=admin,dc=example,dc=com" to
"cn=admin,dc=example,dc=com"
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=0
ber_flush2: 14 bytes to sd 13
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 55 contents:
ber_get_next
conn=0 op=2 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=example,dc=com>
<<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> hdb_search
bdb_dn2entry("dc=example,dc=com")
=> hdb_dn2id("dc=example,dc=com")
<= hdb_dn2id: got id=0x1
entry_decode: ""
<= entry_decode()
search_candidates: base="dc=example,dc=com" (0x00000001) scope=2
=> hdb_dn2idl("dc=example,dc=com")
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (uid)
<= bdb_equality_candidates: (uid) not indexed
bdb_search_candidates: id=-1 first=1 last=11
hdb_search: 1 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 2 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 3 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 4 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 5 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 6 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 7 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 8 does not match filter
entry_decode: ""
<= entry_decode()
hdb_search: 9 does not match filter
entry_decode: ""
<= entry_decode()
=> send_search_entry: conn 0 dn="uid=david,ou=Users,dc=example,dc=com"
ber_flush2: 199 bytes to sd 13
<= send_search_entry: conn 0 exit.
entry_decode: ""
<= entry_decode()
hdb_search: 11 does not match filter
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_flush2: 14 bytes to sd 13
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Success)
conn=0 op=3 do_unbind
connection_close: conn=0 sd=13
TLS trace: SSL3 alert write:warning:close notify
What causes these errors? What do these errors mean?
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_read(13): unable to get TLS client DN, error=49 id=0
How can I fix these problems?
Thank you
Jittinan Suwanrueangsri
14 years, 4 months
adding/modifying local attributes with translucent overlay
by Hart, Brian R.
Hey everyone -
I have an openldap server set up using the translucent overlay and pulling entries from a remote ldap server (running Fedora DS). I seem to have gotten the translucent overlay configured correctly, as I can perform searches and obtain entries from the remote ldap server by way of the local one. I can even add local attributes for users and groups in the local server and perform searches and obtain the results with the local attributes. However, when I try to change or modify anything that has been stored in the local ldap server I either get 'ldapadd: already exists (68)' or 'ldapmodify: no such object (32)'.
I'm using openldap 2.4.16 on RHEL5. When I'm trying to make these changes I'm using an ldif file just like I did when I added the attributes to begin with. I've tried just modifying the ldif file and re-adding it as if it didn't already exist, and I've tried writing the ldif as if it was for a modify, with a changetype: modify line in the file.
If I need to post the configuration file I can; I just thought I'd hold off on putting all of that here if it wasn't necessary. I hope somebody can help - thanks in advance!
Sincerely,
Brian Hart
14 years, 4 months
slow search and connection problem
by mukim pathan
Hi,
I am using openldap 2.4.16 with bdb 4.5. I am doing searches in the database using
Java. When I do a search for the first time, it connects and gives a
response in 4-5 milliseconds. But then it takes around 100-150ms per
search. I don't know what might be the problem. I searched online for this
but could not find any solution. Following are my ldap configuration files.
slapd.conf :
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/xxx.schema
allow bind_v2
concurrency 3
threads 3
database bdb
suffix "dc=xxx,dc=com"
rootdn "cn=Manager,dc=xxx,dc=com"
rootpw xxx
directory /usr/local/var/openldap-data
index objectClass eq
index attr1 eq
index attr2 eq
index attr3 eq
checkpoint 1024 60
cachesize 1000000
DBCONFIG:
set_cachesize 2 268435456 1
set_lg_dir /opt2/logs
set_data_dir /opt2/db
set_flags DB_LOG_AUTOREMOVE
Please help me with any improvements I must make to get fast search results.
Regards,
Mukim Pathan
14 years, 4 months
LdapErr: DSID-0C090627 with translucent proxy and AD
by Petteri Heinonen
Hello list, I've been trying to set up a translucent proxy to display a modified version of our Active Directory (Server 2003) to Linux clients. The ultimate goal is to be able to transparently add UID, default shell etc. parameters missing in AD by default. Usage of Services for Unix is not possible this time because of "company policies". The config file is like this:
# Default realm
sasl-realm company.com
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 504
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload accesslog
moduleload translucent
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
backend hdb
database hdb
# The base of your directory in database #1
suffix "dc=company,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=admin,dc=company,dc=com"
rootpw {SSHA}blaablaa
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod off
overlay translucent
uri ldap://ad1.company.com:389
acl-bind binddn="CN=ldapuser,OU=tools,DC=company,DC=com" credentials="verysecure"
Now, if I do a search with the rootdn cn=admin,dc=company,dc=com, the proxy binds to AD as ldapuser and the search is successful. But if I use a user existing in AD only, for example like this:
ldapsearch -x -W -D "CN=Some User,OU=Users,DC=company,DC=com" -b "CN=Some User,OU=Users,DC=company,DC=com"
I get:
# extended LDIF
#
# LDAPv3
# base <CN=Some User,OU=Users,DC=company,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
I monitored the traffic using Wireshark, and from there I can see that the bind is actually successful. What fails is the search request after that:
0.000361 10.65.31.26 -> 10.65.26.34 LDAP bindRequest(1) "cn=Some User,ou=Users,dc=company,dc=com" simple
0.002285 10.65.26.34 -> 10.65.31.26 LDAP bindResponse(1) success
0.002297 10.65.31.26 -> 10.65.26.34 TCP 43898 > ldap [ACK] Seq=79 Ack=23 Win=5888 Len=0 TSV=67497094 TSER=69277767
0.003840 10.65.31.26 -> 10.65.26.34 LDAP searchRequest(4) "Some User,ou=Users,dc=company,dc=com" wholeSubtree
0.004067 10.65.26.34 -> 10.65.31.26 LDAP searchResDone(4) operationsError (00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece)
OpenLDAP version is the one with Debian Lenny: slapd/lenny uptodate 2.4.11-1
Any suggestions on how to continue? Is this some AD-related quirk or possibly a problem related to how OpenLDAP does binding?
Regards, Petteri Heinonen
14 years, 4 months
Fwd: OpenLdap manual howto available
by Gavin Henry
Will take a look too.
---------- Forwarded message ----------
From: Lukasz Szybalski <szybalski(a)gmail.com>
Date: Mon, 20 Jul 2009 11:45:15 -0500
Subject: OpenLdap manual howto available
To: Debian User List <debian-user(a)lists.debian.org>
Just an FYI.
I'm working on an openldap howto for Debian.
http://lucasmanual.com/mywiki/OpenLdap
This manual shows how to set up openldap and gives a workaround for some
of the known bugs that prevent openldap from being reconfigured and
the migration tools from finishing migration. Setting up openldap is
fairly easy, but without the few key instructions that I've listed it's
almost impossible for a new user to finish.
It took me 2 weeks, but after reading the above OpenLdap Manual howto you will
set up an ldap server in as little as 10 minutes.
Enjoy. (More content coming as days go by)
Contents
1. OpenLDAP
1. What is required
2. Install
3. Authentication
4. Connect to openldap
5. Simple addressbook
1. Thunderbird
2. Outlook
2. Linux integration with LDAP
1. libnss-ldap
1. migrationtools
2. libpam
3. Troubleshooting
1. result: 32 No such object
4. References
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
14 years, 4 months
Suggestion for 2 domains samba+ldap and Windows AD
by Alberto Moreno
Hi people.
I want to know if this is possible.
I have right now 3 domains in my network.
Dom A = Samba 3.0.33 Gentoo + LDAP. This serves a domain of 10
users at location 1.
Dom B = Windows 2003 AD serving 8 users at location 2.
Dom C = WinNT + samba as client serving most of the users (35) at location 2.
As you can see, the NT is the busiest. I need to remove that
domain; it is in the same location as "Dom B". My path is to move all the
users from "Dom C" to "Dom B"; most of the machines are Windows boxes.
This is easy; the only issue I was having before was my 2 samba boxes,
which I could not make part of "Dom B", but last week I
made that possible, so I can make this move.
Well, the main reason for this email is that, after I remove the
NT server, at location 2 I would just have a Windows 2k3 AD domain
working, and on the other site (location 1) I would have a domain running
samba+ldap.
Right now, if I'm at location 1 I cannot see location 2, the "Dom
B" (Win 2k3), and the same thing happens at location 2.
Is there a way to make this possible? Can a domain with samba+ldap
see a domain with Win 2k3? Is it possible to share users?
I was thinking of setting up another server at location 2 with samba+ldap
and syncing users, but I would still have the users of the Win 2k3 domain...?
Hope this is clear; if someone has some experience here it will be
appreciated, thanks for your time!!!
P.S. my samba servers at location 2 are CentOS 5.x Samba 3.0.33.
--
Living the dream...
14 years, 4 months