November 2010 - openldap-technical

by Frank Bonnet

Hello I'm facing a cosmetic problem with email aliases. Some users has aliases for their email adresses some has not. For example a professor named Jean Dupont has two valid email adresses : dupontj(a)domain.tld ( which is unixlogin(a)domain.tld ) j.dupont(a)domain.tld ( which is the alias that point to duponj(a)domain.tld ) Students have only one email adress of the form : unixlogin(a)domain.tld In many applications we use LDAP to fetch the user's email address and other data. The problem is sometime we get unixlogin(a)domain.tld and sometime we get emailalias(a)domain.tld I would like to do the following : if a user has an alias of the form emailalias(a)domain.tld then display it first Is it possible to reorder my LDAP database to do so ? Thanks a lot !

12 years, 4 months

3
4
0 / 0

Abou 'make test'

by su heng

Hi All, I encountered an error when I was installing openLDAP. I mean 'make test' It gave me a message at the end of the output message: ... ... No race errors found after 10 iterations Found 2 errors >>>>>> Exiting with a false success status for now >>>>> ./scripts/test058-syncrepl-asymmetric completed OK for hdb. make[2]: Leaving directory `/home/suheng/Downloads/openldap-2.4.23/tests' make[1]: Leaving directory `/home/suheng/Downloads/openldap-2.4.23/tests' He said I had 2 errors encountered, however, I couldn't locate where the error is. Although I can install it, I worried about if it works fine. So, How can I locate the error location when I do 'make test'? Thanks & Best Regards, Su Heng

12 years, 4 months

2
2
0 / 0

Configuring the chain overlay with cn=config

by Jaap Winius

Hi folks, My old chain configuration in slapd.conf works fine and looks like this: ################################################# moduleload back_ldap overlay chain chain-uri ldap://ldaps.example.com:389/ chain-rebind-as-user TRUE chain-idassert-bind bindmethod=simple binddn="cn=ldaps2,dc=example,dc=com" credentials=bilineatus mode=self chain-return-error TRUE ################################################# (Debian lenny, slapd v2.4.11-1) Some research has led me to believe that the proper cn=config equivalent in LDIF format would start like this: ################################################# dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: {1}back_ldap dn: olcOverlay={0}chain,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain ################################################# (Debian squeeze, slapd v2.4.23-6) Does that look correct? If so, could someone please explain how to translate the other chain overlay directives I've used as well? I've tried translating the old configuration with slaptest, but it seems to ignore the existing chain configuration completely -- not even the back_ldap module gets loaded as a result. I've also tried searching the schema for them with this command: ~# ldapsearch -LLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config \ -s base | grep -A 2 -i chain However, the list of candidates that I've found with it seems incomplete: slapd.conf chain overlay directive => cn=config equivalent attribute ---------------------------------------------------------------------- chain-cache-uri => olcChainCacheURI chain-chaining => olcChainingBehavior chain-idassert-bind => ?? chain-max-depth => olcChainMaxReferralDepth chain-rebind-as-user => ?? chain-return-error => olcChainReturnError chain-uri => ?? ?? => olcChainConfig ?? => olcChainDatabase Can anyone fill in what's missing? Thanks, Jaap

12 years, 4 months

1
1
0 / 0

Syncprov checkpoint and sessionlog with cn=config

by Jaap Winius

Hi folks, When configuring a sync provider with cn=config, it was not too difficult to figure out how to load the syncprov module and create the entry for its overlay, but it is unclear how to configure two associated statements that appear as follows when using slapd.conf: syncprov-checkpoint 100 10 syncprov-sessionlog 100 Can anyone say how this might be accomplished? Thanks, Jaap

12 years, 4 months

4
8
0 / 0

Syncrepl filtering

by Bram Cymet

Hi, I would like to control what gets replicated to my ldap slaves. How would I specify what I don't want to be replicated? Is this even possible or do I have to create a filter that finds everything that I want to send down? Thanks, -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. Cell: 613-608-9752

12 years, 4 months

2
2
0 / 0

Accesslog overlay to get IP from user connection

by Alberto Frontera

Hello this is my scenario: - Centos 5.2 - ldap 2.420 - Mysql 5.07 Ldap is used to authenticate users from Ubuntu systems. We want to storage some info from the connections: - date - IP I can see this info on ldap logs, but i want to save this info on a ldap DB (mysql backend if possible). Actually i have configured accesslog overlay, but i think this info is not registered or i can not see it. :p The question is: is access overlay the tool to register this info? (i think the answer is no) ... and if it is not, how can i do this? I need some advice on this. Thx

12 years, 4 months

2
1
0 / 0

Re: unable to perform authenticated binds

by Tim Dunphy

Hey guys, And sorry to Quanah for the type-o. ;) At any rate thanks for the ldapsearch. It did return a ton of information on the attributes defined in my schema: [root@ldap2 ~]# ldapsearch -x -h ldap.acadaca.net -s base -b "cn=subschema" + | more # extended LDIF # # LDAPv3 # base <cn=subschema> with scope baseObject # filter: (objectclass=*) # requesting: + # # Subschema dn: cn=Subschema structuralObjectClass: subentry createTimestamp: 20101105183240Z modifyTimestamp: 20101105183240Z ldapSyntaxes: ( 1.3.6.1.1.16.1 DESC 'UUID' ) ldapSyntaxes: ( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' ) ldapSyntaxes: ( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Netgroup Triple' ) ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' ) ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' ) ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' X-BIN ARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' ) ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' ) ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' ) However, nothing shows up under the search regarding sudoRole. [root@ldap ldif]# ldapsearch -x -h ldap.acadaca.net -s base -b "cn=subschema" | grep sudoRole [root@ldap ldif]# This is curious to me as the sudoers.schema file (which has sudoRole defined) is most definitely entered correctly into my slapd.conf file. # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema inlcude /etc/openldap/schema/sudoers.schema include /etc/openldap/schema/openldap.schema I checked the modes and permissions on sudoers.schema: [root@ldap ~]# ls -l /etc/openldap/schema/sudoers.schema -r--r--r-- 1 ldap ldap 1655 Nov 4 18:38 /etc/openldap/schema/sudoers.schema But when I try to add this LDIF entry to my directory: # defaults, sudoers, Services, acadaca.net dn: cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here I am still getting this error: [root@ldap ldif]# ldapadd -h ldap.acadaca.net -a -W -x -D "cn=Manager,dc=acadaca,dc=net" -f /home/tim/txt/ldif/acadaca2.ldif Enter LDAP Password: adding new entry "cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net" ldapadd: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax And these errors in the logs: Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on: Nov 5 15:00:33 ldap slapd[4429]: Nov 5 15:00:33 ldap slapd[4429]: slap_listener_activate(7): Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 busy Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: >>> slap_listener(ldap:///) Nov 5 15:00:33 ldap slapd[4429]: daemon: listen=7, new connection on 12 Nov 5 15:00:33 ldap slapd[4429]: daemon: added 12r (active) listener=(nil) Nov 5 15:00:33 ldap slapd[4429]: conn=5 fd=12 ACCEPT from IP=75.101.129.124:55873 (IP=0.0.0.0:389) Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on 2 descriptors Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on: Nov 5 15:00:33 ldap slapd[4429]: 12r Nov 5 15:00:33 ldap slapd[4429]: Nov 5 15:00:33 ldap slapd[4429]: daemon: read active on 12 Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: connection_get(12) Nov 5 15:00:33 ldap slapd[4429]: connection_get(12): got connid=5 Nov 5 15:00:33 ldap slapd[4429]: connection_read(12): checking for input on id=5 Nov 5 15:00:33 ldap slapd[4429]: do_bind Nov 5 15:00:33 ldap slapd[4429]: >>> dnPrettyNormal: <cn=Manager,dc=acadaca,dc=net> Nov 5 15:00:33 ldap slapd[4429]: <<< dnPrettyNormal: <cn=Manager,dc=acadaca,dc=net>, <cn=manager,dc=acadaca,dc=net> Nov 5 15:00:33 ldap slapd[4429]: do_bind: version=3 dn="cn=Manager,dc=acadaca,dc=net" method=128 Nov 5 15:00:33 ldap slapd[4429]: conn=5 op=0 BIND dn="cn=Manager,dc=acadaca,dc=net" method=128 Nov 5 15:00:33 ldap slapd[4429]: ==> bdb_bind: dn: cn=Manager,dc=acadaca,dc=net Nov 5 15:00:33 ldap slapd[4429]: conn=5 op=0 BIND dn="cn=Manager,dc=acadaca,dc=net" mech=SIMPLE ssf=0 Nov 5 15:00:33 ldap slapd[4429]: do_bind: v3 bind: "cn=Manager,dc=acadaca,dc=net" to "cn=Manager,dc=acadaca,dc=net" Nov 5 15:00:33 ldap slapd[4429]: send_ldap_result: conn=5 op=0 p=3 Nov 5 15:00:33 ldap slapd[4429]: send_ldap_result: err=0 matched="" text="" Nov 5 15:00:33 ldap slapd[4429]: send_ldap_response: msgid=1 tag=97 err=0 Nov 5 15:00:33 ldap slapd[4429]: conn=5 op=0 RESULT tag=97 err=0 text= Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on: Nov 5 15:00:33 ldap slapd[4429]: Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on: Nov 5 15:00:33 ldap slapd[4429]: 12r Nov 5 15:00:33 ldap slapd[4429]: Nov 5 15:00:33 ldap slapd[4429]: daemon: read active on 12 Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: connection_get(12) Nov 5 15:00:33 ldap slapd[4429]: connection_get(12): got connid=5 Nov 5 15:00:33 ldap slapd[4429]: connection_read(12): checking for input on id=5 Nov 5 15:00:33 ldap slapd[4429]: do_add Nov 5 15:00:33 ldap slapd[4429]: >>> dnPrettyNormal: <cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net> Nov 5 15:00:33 ldap slapd[4429]: <<< dnPrettyNormal: <cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net>, <cn=defaults,ou=sudoers,ou=services,dc=acadaca,dc=net> Nov 5 15:00:33 ldap slapd[4429]: do_add: dn (cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net) Nov 5 15:00:33 ldap slapd[4429]: conn=5 op=1 ADD dn="cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net" Nov 5 15:00:33 ldap slapd[4429]: send_ldap_result: conn=5 op=1 p=3 Nov 5 15:00:33 ldap slapd[4429]: send_ldap_result: err=21 matched="" text="objectClass: value #1 invalid per syntax" Nov 5 15:00:33 ldap slapd[4429]: send_ldap_response: msgid=2 tag=105 err=21 Nov 5 15:00:33 ldap slapd[4429]: conn=5 op=1 RESULT tag=105 err=21 text=objectClass: value #1 invalid per syntax Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on: Nov 5 15:00:33 ldap slapd[4429]: Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on: Nov 5 15:00:33 ldap slapd[4429]: 12r Nov 5 15:00:33 ldap slapd[4429]: Nov 5 15:00:33 ldap slapd[4429]: daemon: read active on 12 Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: connection_get(12) Nov 5 15:00:33 ldap slapd[4429]: connection_get(12): got connid=5 Nov 5 15:00:33 ldap slapd[4429]: connection_read(12): checking for input on id=5 Nov 5 15:00:33 ldap slapd[4429]: ber_get_next on fd 12 failed errno=0 (Success) Nov 5 15:00:33 ldap slapd[4429]: connection_read(12): input error=-2 id=5, closing. Nov 5 15:00:33 ldap slapd[4429]: connection_closing: readying conn=5 sd=12 for close Nov 5 15:00:33 ldap slapd[4429]: connection_close: deferring conn=5 sd=-1 Nov 5 15:00:33 ldap slapd[4429]: do_unbind Nov 5 15:00:33 ldap slapd[4429]: conn=5 op=2 UNBIND Nov 5 15:00:33 ldap slapd[4429]: connection_resched: attempting closing conn=5 sd=12 Nov 5 15:00:33 ldap slapd[4429]: connection_close: conn=5 sd=-1 Nov 5 15:00:33 ldap slapd[4429]: daemon: removing 12 Nov 5 15:00:33 ldap slapd[4429]: conn=5 fd=12 closed Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor Nov 5 15:00:33 ldap slapd[4429]: daemon: activity on: Nov 5 15:00:33 ldap slapd[4429]: Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Nov 5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8 active_threads=0 tvp=NULL And as mentioned this exact schema configuration is working fine under OpenLDAP 2.4 under FreeBSD and behaving as you saw under OpenLDAP 2.3 CentOS 5.4 And everything looks correct to me. Any further ideas on why this isn't working? Thanks! On Thu, Nov 4, 2010 at 6:03 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, November 04, 2010 5:47 PM -0400 Tim Dunphy > <bluethundr(a)gmail.com> wrote: > >> however when I do a search for sudoRole it doesn't seem to show up >> >> [root@ldap openldap]# ldapsearch -b '' -s base '(objectclass=*)' >> sudoRole -x -W -D "cn=Manager,dc=acadaca,dc=net" > > That is not a valid search of the cn=subschema entry. I would note you fail > to offer a -h or -H option, so who knows what LDAP server it is talking to. > > ldapsearch -x -h zre-ldap001 -s base -b "cn=subschema" + > > for example, searches the subschema entry on my system. > > > And my name has only one "n" in it. > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9 Share and enjoy!!

12 years, 4 months

2
1
0 / 0

Re: Issue with OpenLDAP shared libraries complie on AIX 6.1 using IBM xL Compiler

by Peter Lambrechtsen

On Wed, Nov 3, 2010 at 4:28 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > Examine config.log to see why it failed. > As per what I get in the config.log configure:8474: checking if cc_r -qlanglvl=extc89 static flag works configure:8502: result: yes configure:8570: checking for cc_r -qlanglvl=extc89 option to produce PIC configure:8774: result: configure:8841: checking if cc_r -qlanglvl=extc89 supports -c -o file.o configure:8862: cc_r -qlanglvl=extc89 -c -I/opt/openldap/include -I/opt/openldap/include -o out/conftest2.o conftest.c >&5 configure:8866: $? = 0 configure:8888: result: yes configure:8914: checking whether the cc_r -qlanglvl=extc89 linker (/usr/ccs/bin/ld) supports shared libraries configure:9790: result: no --- Any way to get a more verbose output from what it's trying to do?? configure:9861: checking dynamic linker characteristics configure:10415: result: no configure:10419: checking how to hardcode library paths into programs configure:10444: result: unsupported configure:10458: checking whether stripping libraries is possible configure:10479: result: no configure:10586: checking for shl_load configure:10642: cc_r -qlanglvl=extc89 -o conftest -I/opt/openldap/include -I/opt/openldap/include -L/opt/openldap/lib conftest.c >&5 ld: 0711-317 ERROR: Undefined symbol: .shl_load -- I think this is the prolbem, shl_load, looks like I may need another include or figure out why it's complaining. ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information. configure:10648: $? = 8 configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME "" | #define PACKAGE_TARNAME "" | #define PACKAGE_VERSION "" | #define PACKAGE_STRING "" | #define PACKAGE_BUGREPORT "" | #define OPENLDAP_PACKAGE "OpenLDAP" | #define OPENLDAP_VERSION "2.4.23" | #define LDAP_VENDOR_VERSION 20423 | #define LDAP_VENDOR_VERSION_MAJOR 2 | #define LDAP_VENDOR_VERSION_MINOR 4 | #define LDAP_VENDOR_VERSION_PATCH 23 | #define HAVE_MKVERSION 1 | #define STDC_HEADERS 1 | #define HAVE_SYS_TYPES_H 1 | #define HAVE_SYS_STAT_H 1 | #define HAVE_STDLIB_H 1 | #define HAVE_STRING_H 1 | #define HAVE_MEMORY_H 1 | #define HAVE_STRINGS_H 1 | #define HAVE_INTTYPES_H 1 | #define HAVE_STDINT_H 1 | #define HAVE_UNISTD_H 1 | #define HAVE_DLFCN_H 1 | /* end confdefs.h. */ | /* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load. | For example, HP-UX 11i <limits.h> declares gettimeofday. */ | #define shl_load innocuous_shl_load | | /* System header to define __stub macros and hopefully few prototypes, | which can conflict with char shl_load (); below. | Prefer <limits.h> to <assert.h> if __STDC__ is defined, since | <limits.h> exists even on freestanding compilers. */ | | #ifdef __STDC__ | # include <limits.h> | #else | # include <assert.h> | #endif | | #undef shl_load | | /* Override any GCC internal prototype to avoid an error. | Use char because int might match the return type of a GCC | builtin and then its argument prototype would still apply. */ | #ifdef __cplusplus | extern "C" | #endif | char shl_load (); | /* The GNU C library defines this for functions which it implements | to always fail with ENOSYS. Some functions are actually named | something starting with __ and the normal name is an alias. */ | #if defined __stub_shl_load || defined __stub___shl_load | choke me | #endif | | int | main () | { | return shl_load (); | ; | return 0; | } configure:10665: result: no configure:10670: checking for shl_load in -ldld configure:10705: cc_r -qlanglvl=extc89 -o conftest -I/opt/openldap/include -I/opt/openldap/include -L/opt/openldap/lib conftest.c -ldld >&5 ld: 0706-006 Cannot find or open library file: -l dld ld:open(): No such file or directory configure:10711: $? = 255 configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME "" | #define PACKAGE_TARNAME "" | #define PACKAGE_VERSION "" | #define PACKAGE_STRING "" | #define PACKAGE_BUGREPORT "" | #define OPENLDAP_PACKAGE "OpenLDAP" | #define OPENLDAP_VERSION "2.4.23" | #define LDAP_VENDOR_VERSION 20423 | #define LDAP_VENDOR_VERSION_MAJOR 2 | #define LDAP_VENDOR_VERSION_MINOR 4 | #define LDAP_VENDOR_VERSION_PATCH 23 | #define HAVE_MKVERSION 1 | #define STDC_HEADERS 1 | #define HAVE_SYS_TYPES_H 1 | #define HAVE_SYS_STAT_H 1 | #define HAVE_STDLIB_H 1 | #define HAVE_STRING_H 1 | #define HAVE_MEMORY_H 1 | #define HAVE_STRINGS_H 1 | #define HAVE_INTTYPES_H 1 | #define HAVE_STDINT_H 1 | #define HAVE_UNISTD_H 1 | #define HAVE_DLFCN_H 1 | /* end confdefs.h. */ | | /* Override any GCC internal prototype to avoid an error. | Use char because int might match the return type of a GCC | builtin and then its argument prototype would still apply. */ | #ifdef __cplusplus | extern "C" | #endif | char shl_load (); | int | main () | { | return shl_load (); | ; | return 0; | } configure:10729: result: no configure:10734: checking for dlopen configure:10790: cc_r -qlanglvl=extc89 -o conftest -I/opt/openldap/include -I/opt/openldap/include -L/opt/openldap/lib conftest.c >&5 configure:10796: $? = 0 configure:10813: result: yes configure:11046: checking whether a program can dlopen itself configure:11118: cc_r -qlanglvl=extc89 -o conftest -I/opt/openldap/include -I/opt/openldap/include -DHAVE_DLFCN_H -L/opt/openldap/lib conftest.c >&5 configure:11121: $? = 0 configure:11139: result: no configure:11260: checking if libtool supports shared libraries configure:11262: result: no configure:11265: checking whether to build shared libraries configure:11286: result: no configure:11289: checking whether to build static libraries configure:11293: result: yes Also found something similar for Samba: http://samba.2283325.n4.nabble.com/Failing-to-make-Samba-3-5-4-on-AIX-5-3... So going to do more digging, or suggestions are welcome ;)

12 years, 4 months

3
4
0 / 0

loglevel question / problem

by Aaron Bennett

Hi, I have two reasonably identical Ubuntu Server 10.04 boxes running OpenLdap 2.4.21. ( I say reasonable identical because one is a master and the other pulls via syncrepl ). The master box is sending copious amount of query log info to syslog -- it looks like it's logging every search and connection. The other box looks like it's only logging syncrepl information to the debug facility. What I can't figure out is how this is happening. When I started, neither machine had olcLogLevel entries in cn=config.ldif ; I have since added olcLogLevel: none (no effect) and even olcLogLevel: 0 to the master, restarting slapd each time. I've verified that it's not getting any "-d" switch on startup, both by looking at the SLAPD_OPTIONS in /etc/default/slapd and with ps -ax (which shows /usr/sbin/slapd -h ldaps:/// ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d). Here's sample syslog output from the master: Nov 5 07:48:06 nyx slapd[5100]: conn=1008 op=1357 SRCH attr=mailRoutingAddress Nov 5 07:48:06 nyx slapd[5100]: conn=1008 op=1357 SEARCH RESULT tag=101 err=0 nentries=0 text= Nov 5 07:48:06 nyx slapd[5100]: conn=1008 op=1358 SRCH base="dc=clarku,dc=edu" scope=2 deref=0 filter="(|(mail=@clarku.edu)(mailAlternateAddress=@clarku.edu))" Nov 5 07:48:06 nyx slapd[5100]: conn=1008 op=1358 SRCH attr=mailRoutingAddress Nov 5 07:48:06 nyx slapd[5100]: conn=1008 op=1358 SEARCH RESULT tag=101 err=0 nentries=1 text= Nov 5 07:48:06 nyx slapd[5100]: conn=1007 op=10647 SRCH base="dc=clarku,dc=edu" scope=2 deref=0 filter="(|(mail=clarku.edu)(mailAlternateAddress=clarku.edu))" And here's sample from the slave: Nov 5 07:54:21 erebus slapd[7913]: syncrepl_entry: rid=001 be_modify uid=dgoldman,ou=Users,dc=clarku,dc=edu (0) Nov 5 07:54:21 erebus slapd[7913]: slap_queue_csn: queing 0x7f730550e7e0 20101105115421.300608Z#000000#000#000000 Nov 5 07:54:21 erebus slapd[7913]: slap_graduate_commit_csn: removing 0x7f730407f560 20101105115421.300608Z#000000#000#000000 Nov 5 07:54:21 erebus slapd[7913]: do_syncrep2: rid=001 cookie=rid=001,csn=20101105115421.483388Z#000000#000#000000 Nov 5 07:54:21 erebus slapd[7913]: syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) Is there some other place that this information could be living? Thanks, Aaron Bennett Clark University ITS

12 years, 4 months

1
0
0 / 0

openldap 2.4.2[13] socket close bug ?

by Arjan Filius

Hello openldap ml, while researching more or less regular xen/centos/openldap crash situation, i ran into a situation which i think is a (openldap) bug. Tested with self compiled/packed openldap 2.4.21 and 2.4.23 on centos 5.2 64 bits The most easy way to explain and test (for me) is: 1) Set threads to 2 in slapd.conf 2) Start a ldap search query which takes some time (say longer then a minute or so) ps: local or remote ldapsearch doesn't matter ps: i used ldapsearch and a "slowcat" to simulate 3) start a second ldap search querry as with 2) 4) Try to start a third ldapsearch query, which you may notice would connect (tcp backlog), but not yet handled by slapd. Normally when the first ldapsearch session would stop, the third session will be handled by slapd, which works just fine as expected, no need to test that now. >From now on you have some slightly different situations, which i will number 5a ....) 5a) while those first 2 sessions are still running, and session 3 is waiting, lets kill session 1 or 2, and here it happens: -slapd won't log the killed session, and the third session isn't going to handled. -The third session is going to be handled as soon as the second session finishes in a normal way. 5b) while those first 2 sessions are still running, and session 3 is waiting, kill all ldap search querries (press ^C within your ldapsearch for example) , and here it happens: -slapd won't log died sessions -new ldapsearch sessions are accepted by the backlog buffer, but are never going to be accepted by the slapd process. -when stopping slapd it complains about closing already died sessions/socket. So it looks like killed sessions, are not quite handled correctly within slapd, and i noticed as soon there is one session which finishes in a normal way, it will also clear and free the killed sessions. The other way arond, when killing all sessions, you've a denial of service, and no session will ever be cleared. Please confirm or deny, feedback welcome. Regards, -- Arjan Filius iafilius(a)xs4all.nl

12 years, 4 months

1
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2010