Re: Error 53 applying syncrepl LDIF
by Hung Luu
On Fri, Jan 29, 2010 at 3:06 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, January 29, 2010 2:39 PM -0700 Hung Luu <hung.n.luu(a)gmail.com>
> wrote:
>
>> Are you able to get it to work with ldapadd as well? I'm getting a
>> segmentation fault using ldapmodify (installed as part of
>> openldap-clients.x86_64 rpm 2.3.43-3.el5).
>>
>
> I would suggest you use a 2.4 version of ldapmodify and/or ldapadd.
>
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
This is interesting -- if I apply the hdb LDIF _before_ the config LDIF then
ldapadd has no complaints. Reversing the order of my entries in the LDIF so
the olcSyncrepl attribute is added to the hdb backend first did the trick.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider="ldap://provider:389" type=refreshAndPersist
  retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+"
  bindmethod=simple binddn="cn=ldap,ou=services, dc=example,dc=com"
  credentials=secret

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=000 provider="ldap://provider:389" type=refreshAndPersist
  retry="5 5 300 +" searchbase="cn=config" attrs="*,+" bindmethod=simple
  binddn="cn=ldap,ou=services,dc=example,dc=com" credentials=secret
I will try to find 2.4 versions of ldapadd and ldapmodify.
Thanks,
Hung
12 years, 12 months
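An added example, not code from the thread: a Python helper that reorders an LDIF so the cn=config database record is applied last (the order reported to work in the message above) and flags olcSyncrepl values that do a simple bind with neither ldaps:// nor starttls, where the replication password crosses the network in cleartext. The sample LDIF is constructed and all function names are hypothetical.

```python
import re

# Constructed sample modelled on the thread's LDIF (config record listed first).
SAMPLE = """\
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=000 provider="ldap://provider:389" type=refreshAndPersist
  retry="5 5 300 +" searchbase="cn=config" bindmethod=simple
  binddn="cn=ldap,ou=services,dc=example,dc=com" credentials=secret

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider="ldap://provider:389" type=refreshAndPersist
  starttls=critical searchbase="dc=example,dc=com" bindmethod=simple
  binddn="cn=ldap,ou=services,dc=example,dc=com" credentials=secret
"""

def records(ldif):
    """Unfold LDIF continuation lines (newline + one space), split on blank lines."""
    unfolded = re.sub(r"\n ", "", ldif)
    return [r.strip().splitlines() for r in re.split(r"\n\s*\n", unfolded) if r.strip()]

def dn_of(rec):
    return rec[0].split(":", 1)[1].strip()

def config_db_last(recs):
    """Stable reorder: the cn=config database record goes after every other record."""
    is_cfg = lambda r: bool(re.fullmatch(r"olcDatabase=(\{\d+\})?config,cn=config", dn_of(r), re.I))
    return sorted(recs, key=is_cfg)

def cleartext_binds(recs):
    """DNs whose olcSyncrepl does a simple bind with neither ldaps:// nor starttls."""
    hits = []
    for rec in recs:
        for line in rec:
            if line.lower().startswith("olcsyncrepl:"):
                kv = {k.lower(): v.strip('"') for k, v in
                      re.findall(r'([\w-]+)=("[^"]*"|\S+)', line.split(":", 1)[1])}
                tls = kv.get("provider", "").lower().startswith("ldaps://") or "starttls" in kv
                if kv.get("bindmethod") == "simple" and not tls:
                    hits.append(dn_of(rec))
    return hits

def to_ldif(recs):
    return "\n\n".join("\n".join(r) for r in recs) + "\n"

if __name__ == "__main__":
    ordered = config_db_last(records(SAMPLE))
    print(to_ldif(ordered))
    print("simple bind without TLS:", cleartext_binds(ordered))
```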
Re: Error 53 applying syncrepl LDIF
by Hung Luu
On Fri, Jan 29, 2010 at 2:16 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, January 29, 2010 1:56 PM -0700 Hung Luu <hung.n.luu(a)gmail.com>
> wrote:
>
>> Hello all,
>>
>> In a syncrepl setup, I understand that the syncrepl specification is
>> defined on the consumer server. I understand this to mean that I should
>> apply my LDIF (that adds the olcSyncrepl attribute to my config and hdb
>> backends) on the consumer server. However, ldapadd was only successful in
>> configuring my config backend for syncrepl, which is defined first in the
>> LDIF, and failed with LDAP error 53 when attempting to add the
>> olcSyncrepl attribute to my hdb backend; additional error info: "shadow
>> context; no update referral."
>>
>> Is this because the olcSyncrepl attribute added to my config backend
>> already established my consumer server as a replica and hence subsequent
>> writes to the consumer server will not be accepted?
>>
>> Ideally, I wanted to add the syncrepl configuration in my slapd.conf and
>> then convert it to cn=config; however, this doesn't appear to work with
>> 2.4.21 because the slaptest added a uri="" to the olcSyncrepl attribute
>> that running slapd complained of an invalid URL for olcSyncrepl. This is
>> not an issue in 2.4.20.
>>
>> Anyway, what's the right way for me to configure syncrepl on my 2.4.21
>> consumer server for both the config and hdb backends?
>>
>
> It works for me with 2.4.21:
>
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcSyncrepl
> olcSyncrepl: rid=100 provider=${ldap_master_url} bindmethod=simple
>   timeout=0 network-timeout=0 binddn=uid=zmreplica,cn=admins,cn=zimbra
>   credentials=${ldap_replication_password} starttls=critical
>   filter="(objectclass=*)" searchbase=""
>   logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
>   logbase=cn=accesslog scope=sub schemachecking=off
>   type=refreshAndPersist retry="60 +" syncdata=accesslog
>   tls_cacertdir=/opt/zimbra/conf/ca
>
> is the LDIF I use to ldapmodify my entry.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
Are you able to get it to work with ldapadd as well? I'm getting a
segmentation fault using ldapmodify (installed as part of
openldap-clients.x86_64 rpm 2.3.43-3.el5).
Here's my LDIF file:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=000 provider="ldap://provider:389" type=refreshAndPersist
  retry="5 5 300 +" searchbase="cn=config" attrs="*,+" bindmethod=simple
  binddn="cn=ldap,ou=services,dc=example,dc=com" credentials=secret

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001 provider="ldap://provider:389" type=refreshAndPersist
  retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+"
  bindmethod=simple binddn="cn=ldap,ou=services,dc=example,dc=com"
  credentials=secret
Something else that I tried that seems to get syncrepl working on 2.4.21 is
to use a slapd.d converted from a 2.4.20 slapd.conf, but I'm a little uneasy
about it.
Thanks,
Hung.
12 years, 12 months
Error 53 applying syncrepl LDIF
by Hung Luu
Hello all,
In a syncrepl setup, I understand that the syncrepl specification is defined
on the consumer server. I understand this to mean that I should apply my
LDIF (that adds the olcSyncrepl attribute to my config and hdb backends) on
the consumer server. However, ldapadd was only successful in configuring my
config backend for syncrepl, which is defined first in the LDIF, and failed
with LDAP error 53 when attempting to add the olcSyncrepl attribute to my
hdb backend; additional error info: "shadow context; no update referral."
Is this because the olcSyncrepl attribute added to my config backend already
established my consumer server as a replica and hence subsequent writes to
the consumer server will not be accepted?
Ideally, I wanted to add the syncrepl configuration in my slapd.conf and
then convert it to cn=config; however, this doesn't appear to work with
2.4.21 because the slaptest added a uri="" to the olcSyncrepl attribute that
running slapd complained of an invalid URL for olcSyncrepl. This is not an
issue in 2.4.20.
Anyway, what's the right way for me to configure syncrepl on my 2.4.21
consumer server for both the config and hdb backends?
Thanks,
Hung.
12 years, 12 months
All of slapd's configuration options can be changed on the fly?
by Hung Luu
Hello all,
I am just experimenting with applying LDIF to the dynamic config backend and
see what configuration directives I'm allowed to modify.
I've tried deleting an olcModuleLoad attribute and replacing the
olcModulePath attribute with a new value; both times resulted in an LDAP
error code 80.
From the 2.4 Admin Guide on configuring slapd: "The LDAP configuration
engine allows all of slapd's configuration options to be changed on the fly,
generally without requiring a server restart for the changes to take
effect." There is also a note that says: "Some of the backends and of the
distributed overlays do not support runtime configuration yet. In those
cases, the old style slapd.conf file must be used."
Is there a list of slapd configuration directives that are allowed (or not
allowed) to be changed dynamically at runtime?
Thanks,
Hung
12 years, 12 months
Re: performance on Solaris
by Stefano Zanmarchi
Thank you very much Quanah, you sound very encouraging.
Does anyone know how OpenLDAP performs on Sun Solaris (10) on Sun's
hardware (sparc cpus)?
Some more data to complete the picture.
- OpenLDAP 2.4.16 + Berkeley BDB 4.7 + back-bdb
- 800.000 entries occupy 880MB (log excluded), and a typical entry would
just be:
dn: uid=657321(a)myunit.myorg.org,ou=people,dc=myorg,dc=org
objectClass: account
objectClass: simpleSecurityObject
uid: 657321(a)myunit.myorg.org
userPassword: whatever
- The "working set" is around 25% (i.e. most of the bind/updates will be
done on the same 200.000 entries)
Given these numbers, I thought 500MB would be enough, do you agree?
Thanks a lot,
Stefano
On Wed, Jan 27, 2010 at 7:32 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, January 27, 2010 7:06 PM +0100 Stefano Zanmarchi <
> zanmarchi(a)gmail.com> wrote:
>
>> Hi,
>> I need to set up a LDAP production server with 800.000 entries.
>> Performance and stability are
>> my main concern, I expect around 250 binds and 50 ldapupdate/insert per
>> minute.
>> The machine is a SunFire6900 with 8 sparc US-IV+ CPUs and I'd like to
>> dedicate around 500MB
>> of ram to OpenLdap (more, if necessary). The OS is SunSolaris 10.
>>
>>
>> I'd like to know if OpenLdap is sincerely a good choice with these
>> numbers, and if anyone can
>> share his on-the-field experience with so many users.
>>
>
> 250 binds/minute and 50 updates/minute is a very low number of each. You
> fail to state what version of OpenLDAP you plan on using, or which backend
> (sql, bdb, hdb, etc) so it's hard to give you anything concrete. Assuming
> you'd be using OpenLDAP 2.4.21 + Berkeley BDB 4.8 with either back-bdb or
> back-hdb, you should be fine. I would note however any testing I've ever
> done using Solaris as the OS has been significantly slower than Linux
> running on the same hardware.
>
> If you have 800,000 entries, your main concern is definitely going to be
> the RAM. 500MB is unlikely to cut it, but it depends on the size of your
> entries. You may need upwards of 16GB of RAM depending again on how large
> your DB actually is.
>
> I.e., you fail to provide the data necessary to give you a conclusive
> answer.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
12 years, 12 months
help needed
by Piyush Joshi
Dear All,
Is there any option to dump the ldap data in ldif format
without base64 encoded value mainly for password field ....
--
Regards
******************************
Piyush Joshi
System administrator
9415414376
******************************
"Ability is what you're capable of doing. Motivation determines what you do.
Attitude determines how well you do it"
12 years, 12 months
olcSyncrepl invalid URL - OpenLDAP 2.4.21
by Hung Luu
Hello everyone,
Has anyone experienced the "<olcSyncrepl> invalid URL" error from starting
up a consumer slapd? I've tried configuring the provider setting for the
syncrepl directive as a domain name and IP address but neither works.
Thanks in advance for your help.
Here's the error from slapd:
*olcSyncrepl: value #0: <olcSyncrepl> invalid URL
config error processing olcDatabase={1}hdb,cn=config: <olcSyncrepl> invalid
URL*
Here's my consumer slapd.conf:
include /opt/openldap-2.4.21/etc/openldap/schema/core.schema
include /opt/openldap-2.4.21/etc/openldap/schema/cosine.schema
include /opt/openldap-2.4.21/etc/openldap/schema/inetorgperson.schema
pidfile /opt/openldap-2.4.21/var/run/slapd.pid
argsfile /opt/openldap-2.4.21/var/run/slapd.args
modulepath /opt/openldap-2.4.21/libexec/openldap
moduleload back_hdb.la
# Overlay for reverse group membership
moduleload memberof.la
loglevel 16383
# Global database directives
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-dangling error
memberof-refint TRUE
# Enable cn=config changes from LDAP browser
database config
rootdn "cn=admin,cn=config"
rootpw secret
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw secret
directory /opt/openldap-2.4.21/var/openldap-data/example-com
# Indices to maintain
index default eq
index cn,uid,member
index entryCSN,entryUUID eq
index objectClass eq
# Other BDB/HDB directives
cachesize 10000
checkpoint 1024 10
# Replication
syncrepl rid=000
  provider=*ldap://192.168.56.3:389*
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  attrs="*,+"
  bindmethod=simple
  binddn="cn=admin,dc=example,dc=com"
  credentials=secret
12 years, 12 months
performance on Solaris
by Stefano Zanmarchi
Hi,
I need to set up a LDAP production server with 800.000 entries.
Performance and stability are
my main concern, I expect around 250 binds and 50 ldapupdate/insert per
minute.
The machine is a SunFire6900 with 8 sparc US-IV+ CPUs and I'd like to
dedicate around 500MB
of ram to OpenLdap (more, if necessary). The OS is SunSolaris 10.
I'd like to know if OpenLdap is sincerely a good choice with these numbers,
and if anyone can
share his on-the-field experience with so many users.
Thank you very much,
Stefano
12 years, 12 months
Re: (ITS#6453) OpenLDAP memory leak on LDAP_TIMEOUT
by alin vasile
We found out that this call:
ldap_msgfree(res);
does not get executed because the LDAPMessage is NULL (res is null) in case the timeout is on the client side.
Is there any other way to clean it?
12 years, 12 months
Load difference from 2.4.20 to 2.4.21
by Peter Mogensen
Hi,
I've recently upgraded slapd from 2.4.20 to 2.4.21 and I'm a little
surprised to see how huge a difference in load this made.
With 2.4.20 idle-time for the machine was around 80%, now it's around 60%.
I/O-wait time has also increased, but seems to fluctuate less now.
Is there any known reason for large load differences from 2.4.20 to 2.4.21?
/Peter
12 years, 12 months