Re: Filesystem & backend options for embedded openldap
by Bruce Edge
On Sat, Dec 18, 2010 at 12:19 AM, Peter Lambrechtsen
<plambrechtsen(a)gmail.com> wrote:
> Why don't you use SQLite instead??? It's pretty rock solid backend database.
>
> Unless your client side only wants to talk LDAP.
Hi,
Thanks for the response. One of the reasons for ldap is that it
handles all the authentication for a lot of the packages we're using
out of the box so it was a natural progression to extend it to handle
the other data we need as well.
The only problems, it appears, is how to make it more failsafe on the back end.
-Bruce
>
> On Sat, Dec 18, 2010 at 6:48 AM, Bruce Edge <bruce.edge(a)gmail.com> wrote:
>>
>> Perhaps a bit more detail...
>> During testing our developers frequently hang the target machines.
>> This usually results in a corrupted ldap database even though no write
>> activity was present on the box since long before the crash.
>>
>> What ldap config tuning options are required to get slapd to sync the
>> backend to a state where power loss / kernel crashes do not corrupt
>> the data?
>>
>> Thanks
>>
>> -Bruce
>>
>> On Wed, Dec 15, 2010 at 10:25 AM, Bruce Edge <bruce.edge(a)gmail.com> wrote:
>> > I'm working on an embedded system for which I would like to use
>> > openldap as the means of config storage.
>> > I've spent a lot of time RTFM'ing and still feel that there is a lot
>> > that is escaping me as far as the optimal configuration.
>> >
>> > If the primary goal is data safety and zero human intervention, what
>> > would be the optimal combination of file system / backend storage /
>> > and config options?
>> >
>> > I would like to never have to manually recover a database and have it
>> > gracefully recover from power failures. Speed is not an issue as it's
>> > very low traffic. Integrity is everything.
>> > Its target storage is a USB flash device. Are there any special
>> > considerations WRT flash storage and ldap?
>> >
>> > Thanks in advance.
>> >
>> > -Bruce
>> >
>
>
10 years, 4 months
Filesystem & backend options for embedded openldap
by Bruce Edge
I'm working on an embedded system for which I would like to use
openldap as the means of config storage.
I've spent a lot of time RTFM'ing and still feel that there is a lot
that is escaping me as far as the optimal configuration.
If the primary goal is data safety and zero human intervention, what
would be the optimal combination of file system / backend storage /
and config options?
I would like to never have to manually recover a database and have it
gracefully recover from power failures. Speed is not an issue as it's
very low traffic. Integrity is everything.
Its target storage is a USB flash device. Are there any special
considerations WRT flash storage and ldap?
Thanks in advance.
-Bruce
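As an added example (not from this thread and not OpenLDAP's own code): a small Python linter for the back-bdb/back-hdb settings that trade crash safety for write speed. It parses a slapd.conf and the database's DB_CONFIG and flags `dbnosync`, a `DB_TXN_NOSYNC` or `DB_TXN_WRITE_NOSYNC` flag (from either file), a missing `checkpoint` directive, and `DB_LOG_AUTOREMOVE`. The two sample configurations it scans are constructed; the function names and the severity labels are this example's own.

```python
"""Lint slapd.conf + DB_CONFIG for back-bdb/back-hdb settings that let a
power loss or kernel crash lose or corrupt committed data (added example)."""

# Constructed sample: a database tuned for speed at the expense of durability.
UNSAFE_SLAPD_CONF = """\
database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
dbnosync
dbconfig        set_flags DB_LOG_AUTOREMOVE
"""
UNSAFE_DB_CONFIG = """\
set_cachesize   0 2097152 0
set_flags       DB_TXN_WRITE_NOSYNC
"""

# Constructed sample: the same database with durability-preserving settings.
SAFE_SLAPD_CONF = """\
database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
# checkpoint after 64 KB of log data or 5 minutes, whichever comes first
checkpoint      64 5
"""
SAFE_DB_CONFIG = """\
set_cachesize   0 2097152 0
set_lg_regionmax 262144
"""

NOSYNC_FLAGS = {"DB_TXN_NOSYNC", "DB_TXN_WRITE_NOSYNC"}


def parse_conf(text):
    """Yield (directive, args) pairs. Skips comments/blank lines and joins
    slapd.conf continuation lines (a line starting with whitespace)."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    for line in joined:
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def lint_durability(slapd_conf, db_config):
    """Return a list of (severity, message) findings for every bdb/hdb
    database section in slapd_conf, taking DB_CONFIG flags into account."""
    findings = []
    databases = []
    for directive, args in parse_conf(slapd_conf):
        if directive == "database":
            databases.append({"type": args.lower(), "dbnosync": False,
                              "checkpoint": None, "dbconfig": []})
        elif databases:
            cur = databases[-1]
            if directive == "dbnosync":            # bare directive enables it
                cur["dbnosync"] = args.lower() not in ("off", "false", "no")
            elif directive == "checkpoint":
                cur["checkpoint"] = args
            elif directive == "dbconfig":          # inline DB_CONFIG lines
                cur["dbconfig"].append(args)

    # Flags from the on-disk DB_CONFIG apply to the whole BDB environment.
    env_flags = set()
    for directive, args in parse_conf(db_config):
        if directive == "set_flags":
            env_flags.update(args.upper().split())

    for n, db in enumerate(databases, 1):
        if db["type"] not in ("bdb", "hdb"):
            continue
        label = "database %d (%s)" % (n, db["type"])
        flags = set(env_flags)
        for line in db["dbconfig"]:
            parts = line.split()
            if parts and parts[0].lower() == "set_flags":
                flags.update(p.upper() for p in parts[1:])
        if db["dbnosync"]:
            findings.append(("high", label + ": dbnosync set; the transaction "
                             "log is not flushed to disk on commit, so a crash "
                             "loses or corrupts recent writes"))
        for flag in sorted(flags & NOSYNC_FLAGS):
            findings.append(("high", "%s: %s disables synchronous log flushes "
                             "on commit" % (label, flag)))
        if db["checkpoint"] is None:
            findings.append(("medium", label + ": no checkpoint directive; "
                             "recovery must replay the whole log and no log "
                             "file ever becomes removable"))
        if "DB_LOG_AUTOREMOVE" in flags:
            findings.append(("info", label + ": DB_LOG_AUTOREMOVE deletes "
                             "archived logs, defeating catastrophic recovery "
                             "from a backup"))
    return findings


if __name__ == "__main__":
    for sev, msg in lint_durability(UNSAFE_SLAPD_CONF, UNSAFE_DB_CONFIG):
        print("[%s] %s" % (sev, msg))
```

Run it against the real files with `lint_durability(open("slapd.conf").read(), open("/var/lib/ldap/DB_CONFIG").read())`; a clean result means slapd will fsync the log on every commit, which is the setting a low-traffic, integrity-first deployment wants regardless of the filesystem underneath.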
syncrep and memberof
by Yuri Bank
Are there any known issues with these two overlays when used together? I'm
curious what the suggested configuration would be in a single Provider +
many Consumer setup. Should the memberof overlay be enabled on the consumer
nodes or just the provider? I've noticed that when I add new users to the
database, all users under that OU will be refreshed and at which time I lose
the memberof attribute for SOME of the users, on only 1 or 2 of the consumer
nodes. It seems like a bug, but I wonder if there is any way to get around
this. I was thinking of trying delta-sync replication.
can't contact the LDAP server
by kibirango moses
hullo everybody
I have tested the SLAPD server and it is giving me the output below
root@mailbackup:/etc/openldap# ldapsearch -x -W -D
'cn=Manager,dc=mak,dc=ac,dc=ug' -b "" -s base
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
How can i contact the LDAP server?
Thanx
TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
by Martin Jungowski
Hi everybody,
I'm trying to run OpenLDAP 2.2.13 on a CentOS 4.8 box with TLS/SSL
enabled. Certificate should be ok (fqdn set as common name!), self-signed
since I can't copy a cacert file to all clients that will one day have to
connect to the server (among others a few iPhones).
"openssl x509 -in slapd.pem -noout -text" returns the correct contents
of the certificate, "openssl s_client -connect localhost:636 -showcerts"
works too (although it does hang at the end right after "---" which I
guess is normal.. haven't left it running for 300 seconds yet). However,
whenever trying to connect to my LDAP server through port 636 I get the
above error message. The full message when performing "ldapsearch -x -h
localhost:636 -b dc=home" (no difference if I replace localhost with the
fqdn):
> daemon: activity on 1 descriptors
> daemon: new connection on 10
> daemon: added 10r
> daemon: activity on:
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: activity on: 10r
> daemon: read activity on 10
> connection_get(10): got connid=7
> connection_read(10): checking for input on id=7
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:error in SSLv2/v3 read client hello A
> TLS: can't accept.
> TLS: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol s23_srvr.c:580
> connection_read(10): TLS accept error error=-1 id=7, closing
> connection_closing: readying conn=7 sd=10 for close
> connection_close: conn=7 sd=10
> daemon: removing 10
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptors
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
Same error message when trying to connect with jxplorer or Thunderbird.
Any ideas what else I could try? I've tried various ways of creating a
certificate, including both the CentOS recommended "make slapd.pem" in /
usr/share/ssl/certs and the "openssl" way but neither made any
difference. They all resulted in the exact same error pattern. Frankly,
I'm out of ideas.
Thanks in advance,
Martin
--
Rieke Computersysteme GmbH
Hellerholz 5
D-82061 Neuried
Email: martin[at]rhm[dot]de
using of db_stat
by Steeg Carson
Hello,
can I really use db_stat with id2entry.bdb and dn2id.bdb without concern and
impact of production (speed of ldap) to investigate the database statistic?
- Is db_stat usable on a online database without any danger
- If I use db_stat online, which impact I have to expect?
Thanks for help!
posixAccount Object creation failing in 2.4.23 with ndb backend
by Nathanael Anderson
after I include the nis schema in slapd.conf and try to create a user
with the new attributes, I receive this error:
ndb_oc_create: CREATE TABLE posixAccount failed, Can't create table
'OpenLDAP.posixAccount' (errno: 157) (1005)
ndb_back_add: ndb_entry_put_data failed (80) Tuple did not exist(626)
This seems like a ndb backend issue. I have lots of free space in my
OpenLDAP ndb backend database for more tables and rows.
mysql> select * from memoryusage;
+---------+--------------+---------+------------+------------+-------------+
| node_id | memory_type  | used    | used_pages | total      | total_pages |
+---------+--------------+---------+------------+------------+-------------+
|       3 | Data memory  | 2457600 |         75 | 1073741824 |        2768 |
|       3 | Index memory |  475136 |         58 |  268697600 |       32800 |
|       4 | Data memory  | 2457600 |         75 | 1073741824 |       32768 |
|       4 | Index memory |  475136 |         58 |  268697600 |       32800 |
+---------+--------------+---------+------------+------------+-------------+
4 rows in set (0.00 sec)
and manual table creation works fine.
mysql> create table person2 (sn varchar(128)) engine=ndbcluster;
Query OK, 0 rows affected (0.06 sec)
mysql> drop table person2;
Query OK, 0 rows affected (0.03 sec)
any ideas?
Nathanael
BDB File Size...
by Rowley, Mathew
I recently deleted about 25k entries in a specific OU. Since, the memory usage of the slapd process has consistently stayed at 70%-75% cpu usage:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
29911 openldap 18 0 12.6g 10g 4.1g S 0 69.6 1003:25 slapd
I have also noticed that the DB files have stayed the same size - specifically one is 4gigs:
-rw------- 1 openldap openldap 4.0G Nov 30 21:18 __db.003
On a slave to this box, the file size is drastically lower:
-rw------- 1 openldap openldap 321M Dec 16 05:02 __db.003
I am assuming that the reason the CPU and memory usage is so high is due to trying to keep the entire directory structure in memory.
Is this normal behavior? Is there a way to purge the database files?
One other thing that happened was the slaves that are syncing to this server did not update the OU described above.
Any help would be great. Thanks.
enabling monitoring of database
by kibirango moses
I have installed openldap and on testing the output below is given. How can I
configure the monitor database? I thought it is enabled by --enable-monitor
root@mailbackup:/# slaptest -v -f /etc/openldap/slapd.conf
bdb_monitor_db_open: monitoring disabled; configure monitor database to
enable
config file testing succeeded
Installation command :
./configure --sysconfdir=/etc --with-cyrus-sasl --with-threads --with-tls
--with-yielding-select --with-mp --enable-slapd --enable-slurpd
--enable-cleartext --enable-bdb --enable-ldap --enable-monitor --enable-perl
--enable-sql --enable-syslog --enable-spasswd
failing to "make test" in openldap installation
by kibirango moses
Hullo everyone
I am installing Openldap but I am failing to test and below are my
installation commands:
env CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include
-I/usr/local/ssl/include/openssl" \
LDFLAGS="-L/usr/local/BerkeleyDB.5.1/lib -L/usr/local/ssl/lib" \
./configure --sysconfdir=/etc --with-cyrus-sasl --with-threads --with-tls
--with-yielding-select --with-mp --enable-slapd --enable-slurpd
--enable-cleartext --enable-bdb --enable-ldap --enable-monitor --enable-perl
--enable-sql --enable-syslog --enable-spasswd
make test has the following errors at the end
Initiating LDAP tests for BDB...
Could not locate slapd(8)
make[2]: *** [bdb-yes] Error 1
make[2]: Leaving directory `/usr/local/src/openldap-2.4.23/tests'
make[1]: *** [test] Error 2
make[1]: Leaving directory `/usr/local/src/openldap-2.4.23/tests'
make: *** [test] Error 2
*root@mailbackup:/usr/local/src/openldap-2.4.23#*
Anybody to help me go over this?
Thanx