openldap-technical January 2010

openldap-technical@openldap.org

56 participants
66 discussions

Re: Error 53 applying syncrepl LDIF
by Hung Luu 29 Jan '10

29 Jan '10

On Fri, Jan 29, 2010 at 3:06 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Friday, January 29, 2010 2:39 PM -0700 Hung Luu <hung.n.luu(a)gmail.com> > wrote: > > Are you able to get it to work with ldapadd as well? I'm getting a >> segmentation fault using ldapmodify (installed as part of >> openldap-clients.x86_64 rpm 2.3.43-3.el5). >> > > I would suggest you use a 2.4 version of ldapmodify and/or ldapadd. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > This is interesting -- if I apply the hdb LDIF _before_ the config LDIF then ldapadd has no complaints. Reversing the order of my entries in the LDIF so the olcSyncrepl attribute is added to the hdb backend first did the trick. dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcSyncrepl olcSyncrepl: rid=001 provider="ldap://provider:389" type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=ldap,ou=services, dc=example,dc=com" credentials=secret dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncrepl olcSyncrepl: rid=000 provider="ldap://provider:389" type=refreshAndPersist retry="5 5 300 +" searchbase="cn=config" attrs="*,+" bindmethod=simple binddn="cn=ldap,ou=services,dc=example,dc=com" credentials=secret I will try to find 2.4 versions of ldapadd and ldapmodify. Thanks, Hung

1 0

Re: Error 53 applying syncrepl LDIF
by Hung Luu 29 Jan '10

29 Jan '10

On Fri, Jan 29, 2010 at 2:16 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Friday, January 29, 2010 1:56 PM -0700 Hung Luu <hung.n.luu(a)gmail.com> > wrote: > > Hello all, >> >> In a syncrepl setup, I understand that the syncrepl specification is >> defined on the consumer server. I understand this to mean that I should >> apply my LDIF (that adds the olcSyncrepl attribute to my config and hdb >> backends) on the consumer server. However, ldapadd was only successful in >> configuring my config backend for syncrepl, which is defined first in the >> LDIF, and failed with LDAP error 53 when attempting to add the >> olcSyncrepl attribute to my hdb backend; additional error info: "shadow >> context; no update referral." >> >> Is this because the olcSyncrepl attribute added to my config backend >> already established my consumer server as a replica and hence subsequent >> writes to the consumer server will not be accepted? >> >> Ideally, I wanted to add the syncrepl configuration in my slapd.conf and >> then convert it to cn=config; however, this doesn't appear to work with >> 2.4.21 because the slaptest added a uri="" to the olcSyncrepl attribute >> that running slapd complained of an invalid URL for olcSyncrepl. This is >> not an issue in 2.4.20. >> >> Anyway, what's the right way for me to configure syncrepl on my 2.4.21 >> consumer server for both the config and hdb backends? >> > > It works for me with 2.4.21: > > dn: olcDatabase={2}hdb,cn=config > changetype: modify > add: olcSyncrepl > olcSyncrepl: rid=100 provider=${ldap_master_url} bindmethod=si > mple timeout=0 network-timeout=0 binddn=uid=zmreplica,cn=admins,cn=zimbra c > redentials=${ldap_replication_password} starttls=critical > filter="(objectclass=*)" searchbase="" > logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" > logbase=cn=access > log scope=sub schemachecking=off type=refreshAndPersist retry="60 +" > syncdat > a=accesslog tls_cacertdir=/opt/zimbra/conf/ca > > is the LDIF I use to ldapmodify my entry. > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > Are you able to get it to work with ldapadd as well? I'm getting a segmentation fault using ldapmodify (installed as part of openldap-clients.x86_64 rpm 2.3.43-3.el5). Here's my LDIF file: dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncrepl olcSyncrepl: rid=000 provider="ldap://provider:389" type=refreshAndPersist retry="5 5 300 +" searchbase="cn=config" attrs="*,+" bindmethod=simple binddn="cn=ldap,ou=services,dc=example,dc=com" credentials=secret dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcSyncrepl olcSyncrepl: rid=001 provider="ldap://provider:389" type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=ldap,ou=services,dc=example,dc=com" credentials=secret Something else that I tried that seems to get syncrepl working on 2.4.21 is to use a slapd.d converted from a 2.4.20 slapd.conf, but I'm a little uneasy about it. Thanks, Hung.

2 1

Error 53 applying syncrepl LDIF
by Hung Luu 29 Jan '10

29 Jan '10

Hello all, In a syncrepl setup, I understand that the syncrepl specification is defined on the consumer server. I understand this to mean that I should apply my LDIF (that adds the olcSyncrepl attribute to my config and hdb backends) on the consumer server. However, ldapadd was only successful in configuring my config backend for syncrepl, which is defined first in the LDIF, and failed with LDAP error 53 when attempting to add the olcSyncrepl attribute to my hdb backend; additional error info: "shadow context; no update referral." Is this because the olcSyncrepl attribute added to my config backend already established my consumer server as a replica and hence subsequent writes to the consumer server will not be accepted? Ideally, I wanted to add the syncrepl configuration in my slapd.conf and then convert it to cn=config; however, this doesn't appear to work with 2.4.21 because the slaptest added a uri="" to the olcSyncrepl attribute that running slapd complained of an invalid URL for olcSyncrepl. This is not an issue in 2.4.20. Anyway, what's the right way for me to configure syncrepl on my 2.4.21 consumer server for both the config and hdb backends? Thanks, Hung.

2 1

All of slapd's configuration options can be changed on the fly?
by Hung Luu 28 Jan '10

28 Jan '10

Hello all, I am just experimenting with applying LDIF to the dynamic config backend and see what configuration directives I'm allowed to modify. I've tried deleting an olcModuleLoad attribute and replacing the olcModulePath attribute with a new value; both times resulted in an LDAP error code 80. >From the 2.4 Admin Guide on configuration slapd: "The LDAP configuration engine allows all of slapd's configuration options to be changed on the fly, generally without requiring a server restart for the changes to take effect." There is also a note that says: "Some of the backends and of the distributed overlays do not support runtime configuration yet. In those cases, the old style slapd.conf file must be used." Is there a list of slapd configuration directives that are allowed (or not allowed) to be changed dynamically at runtime? Thanks, Hung

2 1

Re: performance on Solaris
by Stefano Zanmarchi 28 Jan '10

28 Jan '10

Thank you very much Quanah, you sound very encouraging. Does anyone knows how OpenLDAP performs on Sun Solaris (10) on Sun's hardware (sparc cpus)? Some more data to complete the picture. - OpenLDAP 2.4.16 + Berkeley BDB 4.7 + back-bdb - 800.000 entries occupy 880MB (log excluded), and a typical entry would just be: dn: uid=657321(a)myunit.myorg.org, ou=people,dc=myorg,dc=org objectClass: account objectClass: simpleSecurityObject uid: 657321(a)myunit.myorg.org userPassword: whatever - The "working set" is around 25% (i.e. most of the bind/updates will be done on the same 200.000 entries) Given these numbers, I thought 500MB be enough, do you agree? Thanks a lot, Stefano On Wed, Jan 27, 2010 at 7:32 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Wednesday, January 27, 2010 7:06 PM +0100 Stefano Zanmarchi < > zanmarchi(a)gmail.com> wrote: > > Hi, >> I need to set up a LDAP production server with 800.000 entries. >> Performance and stability are >> my main concern, I expect around 250 binds and 50 ldapupdate/insert per >> minute. >> The machine is a SunFire6900 with 8 sparc US-IV+ CPUs and I'd like to >> dedicate around 500MB >> of ram to OpenLdap (more, if necessary). The OS is SunSolaris 10. >> >> >> I'd like to know if OpenLdap is sincerely a good choice with these >> numbers, and if anyone can >> share his on-the-field experience with so many users. >> > > 250 binds/minute and 50 updates/minute is a very low number of each. You > fail to state what version of OpenLDAP you plan on using, or which backend > (sql, bdb, hdb, etc) so it's hard to give you anything concrete. Assuming > you'd be using OpenLDAP 2.4.21 + Berkeley BDB 4.8 with either back-bdb or > back-hdb, you should be fine. I would note however any testing I've ever > done using Solaris as the OS has been significantly slower than Linux > running on the same hardware. > > If you have 800,000 entries, your main concern is definitely going to be > the RAM. 500MB is unlikely to cut it, but it depends on the size of your > entries. You may need upwards of 16GB of RAM depending again on how large > your DB actually is. > > I.e., you fail to provide the data necessary to give you a conclusive > answer. > > --Quanah > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 2

help needed
by Piyush Joshi 28 Jan '10

28 Jan '10

Dear All, Is there any option to dump the ldap data in ldif format without base64 encoded value mainly for password field .... -- Regards ****************************** Piyush Joshi System administrator 9415414376 ****************************** "Ability is what you're capable of doing. Motivation determines what you do. Attitude determines how well you do it"

2 1

olcSyncrepl invalid URL - OpenLDAP 2.4.21
by Hung Luu 27 Jan '10

27 Jan '10

Hello everyone, Has anyone experienced the "<olcSyncrepl> invalid URL" error from starting up a consumer slapd? I've tried configuring the provider setting for the syncrepl directive as a domain name and IP address but neither works. Thanks in advance for your help. Here's the error from slapd: *olcSyncrepl: value #0: <olcSyncrepl> invalid URL config error processing olcDatabase={1}hdb,cn=config: <olcSyncrepl> invalid URL* Here's my consumer slapd.conf: include /opt/openldap-2.4.21/etc/openldap/schema/core.schema include /opt/openldap-2.4.21/etc/openldap/schema/cosine.schema include /opt/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema pidfile /opt/openldap-2.4.21/var/run/slapd.pid argsfile /opt/openldap-2.4.21/var/run/slapd.args modulepath /opt/openldap-2.4.21/libexec/openldap moduleload back_hdb.la # Overlay for reverse group membership moduleload memberof.la loglevel 16383 # Global database directives overlay memberof memberof-group-oc groupOfNames memberof-member-ad member memberof-memberof-ad memberOf memberof-dangling error memberof-refint TRUE # Enable cn=config changes from LDAP browser database config rootdn "cn=admin,cn=config" rootpw secret database hdb suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw secret directory /opt/openldap-2.4.21/var/openldap-data/example-com # Indices to maintain index default eq index cn,uid,member index entryCSN,entryUUID eq index objectClass eq # Other BDB/HDB directives cachesize 10000 checkpoint 1024 10 # Replication syncrepl rid=000 provider=*ldap://192.168.56.3:389* type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=secret

1 3

performance on Solaris
by Stefano Zanmarchi 27 Jan '10

27 Jan '10

Hi, I need to set up a LDAP production server with 800.000 entries. Performance and stability are my main concern, I expect around 250 binds and 50 ldapupdate/insert per minute. The machine is a SunFire6900 with 8 sparc US-IV+ CPUs and I'd like to dedicate around 500MB of ram to OpenLdap (more, if necessary). The OS is SunSolaris 10. I'd like to know if OpenLdap is sincerely a good choice with these numbers, and if anyone can share his on-the-field experience with so many users. Thank you very much, Stefano

2 1

Re: (ITS#6453) OpenLDAP memory leak on LDAP_TIMEOUT
by alin vasile 27 Jan '10

27 Jan '10

We found out that this call : ldap_msgfree(res); does not get executed because the LDAPMessage is NULL (res is null) in case the timeout is on the client side. There is any other way to clean it?

1 0

Load difference from 2.4.20 to 2.4.21
by Peter Mogensen 27 Jan '10

27 Jan '10

Hi, I've recently upgrade slapd from 2.4.20 to 2.4.21 and I'm a little surprised to see how huge a difference in load this made. With 2.4.20 idle-time for the machine was around 80%, now it's around 60%. I/O-wait time has also increased, but seems to fluctuate less now. Are there any know reason for large load differences from 2.4.20 to 2.4.21 ? /Peter

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2010