openldap-technical August 2010

openldap-technical@openldap.org

83 participants
85 discussions

Unknown objectClass in search filter alters the filter?
by Marius Flage 24 Aug '10

24 Aug '10

Hi! How does OpenLDAP behave when it encounters a search filter with an unknown objectClass? From what I've been able to gather, it translates the search filter into (?objectClass=value), thus yielding the rest of the search invalid. What can I do about this? Either just pass the search as it is, or remove it altogether? The reason I'm asking about this is that I'm setting up OpenLDAP as a proxy for Active Directory. After months of researching I've discovered that the problem lays exactly here - OpenLDAP alters the search filter for object classes it knows nothing about. Example: (| (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfNames) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfUniqueNames) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=accessGroup) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=univentionGroup) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) ) Yields no entries. I've looked at the syslog (loglevel = 256) and I see that the last two clauses have been "translated" into "?objectClass=accessGroup" and "?objectClass=univentionGroup". But if I then remove the last two clauses, like so... (| (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfNames) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfUniqueNames) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) ) ... then I get the entries I want back. Problem here is that I'm unable to alter the search filter, since this is generated by a 3rd-party app that I can't change, so I need to fix my OpenLDAP to let this stuff pass through. Any idea? - Marius

3 5

Translating back_ldap config to cn=config format
by Mark J. Reed 24 Aug '10

24 Aug '10

To your mailing list welcome. I here am new... I'm trying to configure an LDAP backend, but the man page is still slapd.conf-style, and the mappings to cn=config I've tried aren't working. For instance, to supply the backend LDAP URL, the man page lists: uri <ldapurl> so I tried this: olcURI: ldap://foo.bar/ and got Aug 24 13:30:36 bottom slapd[2265]: UNKNOWN attributeDescription "OLCURI" inserted. Maybe I'm just missing the objectClass that defines those attributes, but I don't know what that would be. I just have olcDatabaseConfig; I tried olcLdapConfig, but that wasn't recognized as a legal class name. Where can I find the config schema? Any help, pointers to someplace this is actually documented, etc. appreciated. Thanks! -- Mark J. Reed <markjreed(a)gmail.com>

1 1

Re: Openldap2.4.16 performance issue
by William E Jojo 24 Aug '10

24 Aug '10

----- Original Message ----- > From: "Dieter Kluenter" <dieter(a)dkluenter.de> > To: openldap-technical(a)openldap.org > Sent: Saturday, August 21, 2010 3:07:04 AM > Subject: Re: Openldap2.4.16 performance issue > "Singh, Devender (GE Capital, consultant)" <Devender.Singh2(a)ge.com> > writes: > > > Hi Dieter, > > > > Please find the below details: > > > > 1. hardware related > > > > - type of storage - Simply SATA had disk attached. > > > > - raid level, if any- No RAID > > > > - file system of disk(s)- ext3 on LVm > > > > - type of network, 100MB, 1G, 10G > > > > > > > > 2. is this host running on a virtual machine or on bare metal. > > > > - if virtual machine, -Yes, OS installed on VM > > > > -- what type ---Don’t know > > There is nothing suspicious, except for the virtual machine. Your > really should carefully check layout and configuration of this VM, do > not use virtual disks. > Hi Dieter, Could you kindly explain what this means? I've been all over the inter-webs and I'm not finding anything concrete about OpenLDAP and VM's or Databases and VM's in general. The closest I came was about some database latency studies and some VMware propaganda. We are about to launch a master and two replicas (utilizing delta-syncrepl) running in Ubuntu 10.04 on a VMware VSphere ESXi 4.0 cluster with four IBM x3650-M2's (2 Quad Nahalem and 64GB memory each) with virtual disks carved from NFS mounts to all of the VSphere servers in the cluster to facilitate HA and FT - by the VMware book. (BTW, I took one of Howard's old posts to heart and we are following the Ubuntu playbook and we have purchased Canonical 24x7 support/maintenance. :-) ) We have had no problems with this environment in development and get better results than on bare metal with or without RAID. I know that it is recommended that the logs live on another "disk" from the database and RAID is frowned upon, but I have difficulty with a few points: 1) Separate, unprotected disks seems illogical. The last log and the BDB files are necessary to start BDB in slapd, correct? So, if you lose either disk, you're in trouble. Backups are ok, but daily seems too long a time. Seeing as we process new user accounts every 15 minutes, this would not be ideal for us. 2) RAID-1 I can understand having an issue on writes. But what about LUNs in FC from a NetApp 3140? Virtual disks on NFS in VMware? Both of these are in the best practices of both VMware and NetApp documentation. 3) 13-disk 7200RPM SATA RAID-DP (NetApp) is far faster than a single disk, dual diak or RAID-1, so why wouldn't you use SAN/NAS storage? I seriously want to understand the VM concern as it pertains to OpenLDAP. I think more and more people are doing this very thing and will benefit from this discussion. Our database is 86K+ DN's averaging about 40 attributes each. We've tuned the HDB cache to 768MB in a shared memory segment and the pertinent master slapd.conf file shows: shm_key 100 cachesize 200000 idlcachesize 600000 dncachesize 400000 checkpoint 1024 15 . . . # main database . . . index objectClass eq index cn eq,sub index sn eq,sub index gn eq,sub index mail eq,sub index uid eq,sub index displayname sub,eq index memberUid eq,sub index uidNumber eq index gidNumber eq index sambaSID eq index sambaSIDlist eq index sambaDomainName eq index sambaPrimaryGroupSID eq index sambaGroupType eq index entryCSN eq index entryUUID eq index default sub,eq Replicas have identical indexes and shared memory usage. Basically, just running database population tests with full checking turned on, I get the following results: Ubuntu 10.04.1 on all with OpenLDAP 2.4.21/BDB 4.7.25 (all generate 200-10MB log files): IBM x3550 2-quad 5450 16GB, RAID-1 15K 73GB 3.0Gb/s SAS, 86K DN's - 30 minutes IBM x3550 2-quad 5450 16GB, Single 15K 73GB 3.0Gb/s SAS, 86K DN's - 28 minutes IBM x3550 2-quad 5450 16GB, 2-single 15K 73GB (db and logs on separate disks) 3.0Gb/s SAS, 86K DN's - 28 minutes VMware guest 2-vCPU, 3GB memory, 100GB virtual disk on VMware NFS mount of 13-1TB 7200RPM SATA disks in NetApp 3140 - 4 minutes. We can replicate to another VM in 9 minutes and two VMs simultaneously to the same 13-disk aggregate in 13 minutes. Aside from VM clock skew problems, I don't see the benefit of Bare Metal and I'm feeling pretty dumb at the moment. Any insight from you, Quanah and/or Howard is humbly accepted and appreciated - I am here to learn. :-) Thank you, Bill > -Dieter > > -- Dieter Klünter | Systemberatung > sip: 7770535(a)sipgate.de > http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6

4 5

Setting up anonymous access for certain objects and attributes ...
by Christopher Koeber 23 Aug '10

23 Aug '10

Hello, I am trying to set up anonymous binding where systems can only see certain objects and subtrees. In addition, I want to have limits on the attributes that can be seen on those objects. Below is my config file but so far only the manager CN can bind. What else do I need to do? Thanks. slapd.conf: ------------------------------------------------------------------------- # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/sendmail.schema include /etc/openldap/schema/postfix.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/lib64/openldap/openldap # moduleload back_sock.so # moduleload back_shell.so # moduleload back_relay.so # moduleload back_perl.so # moduleload back_passwd.so # moduleload back_null.so # moduleload back_monitor.so # moduleload back_meta.so # moduleload back_ldap.so # moduleload back_dnssrv.so moduleload back_hdb.so # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read # ################################################### # # --- # # Directory Service Access Policy # ################################################### # # Allow folks to read basic attributes from everyone access to dn.subtree="dc=domain,dc=com" attr=displayName,givenName,employeeNumber,mail by anonymous read # ################################################### # # End Security Setup. # ################################################### # access to * by self write by users read by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### database hdb suffix "dc=domain,dc=com" # <kbyte> <min> checkpoint 32 30 rootdn "cn=Manager,dc=domain,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw --- # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/openldap-data # Indices to maintain index objectClass eq ------------------------------------------------------------------------- Regards, Christopher Koeber

1 0

Syncrepl REFRESH_PRESENT leads to glue nodes on branch nodes in the tree on the consumer
by Robert Hanson 23 Aug '10

23 Aug '10

Hi. Using 2.4.23, and bdb 4.2.52. I have two nodes, A and B. When I start up the nodes (in either order), B performs a REFRESH_PRESENT phase. In this phase, it executes syncrepl_del_nonpresent(). This identifies a number of nodes that it thinks need to be deleted, and deletes them. Since many of the nodes are non-leaf nodes, instead of deleting them it replaces them with glue nodes. My question is: should I post this as a bug for tracking purposes? What information exactly should I post as a followup to this email so that someone can help me with this issue? I can provide slapcat output for both nodes, and slapd.conf files for both nodes. Where should I post these?

1 0

Re: replication from child to Parent domain
by owen nirvana 23 Aug '10

23 Aug '10

parent is customer """ suffix "dc=SCNCA,dc=ROOTCA" rootdn "cn=admin,dc=SCNCA,dc=ROOTCA" rootpw secret checkpoint 512 30 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 ServerID 000 syncrepl rid=001 provider=ldap://${SON_LDAP_ADDRESS}:${SON_LDAP_PORT} type=refreshOnly # five minutes, you should do syncrepl once a day in practice interval=00:01:00:00 searchbase="${SON_BASE}" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="${SON_ADMIN}" credentials=${SON_PASSWD} retry="5 5 300 +" mirrormode on """ son is provider """ suffix "dc=sonCA,dc=SCNCA,dc=ROOTCA" rootdn "cn=admin,dc=sonCA,dc=SCNCA,dc=ROOTCA" rootpw secret checkpoint 512 30 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 ServerID 001 """ and son's log is """ <<< dnPrettyNormal: <dc=sonca,dc=scnca,dc=rootca>, <dc=sonca,dc=scnca,dc=rootca> SRCH "dc=sonca,dc=scnca,dc=rootca" 2 0 0 0 0 ber_scanf fmt (m) ber: ber_dump: buf=010E1060 ptr=010E109C end=010E1136 len=154 0000: 87 0b 6f 62 6a 65 63 74 43 6c 61 73 73 30 06 04 ..objectClass0.. 0010: 01 2a 04 01 2b a0 81 82 30 62 04 18 31 2e 33 2e .*..+...0b..1.3. 0020: 36 2e 31 2e 34 2e 31 2e 34 32 30 33 2e 31 2e 39 6.1.4.1.4203.1.9 0030: 2e 31 2e 31 04 46 30 44 0a 01 01 04 3c 72 69 64 .1.1.F0D....<rid 0040: 3d 30 30 31 2c 73 69 64 3d 30 30 30 2c 63 73 6e =001,sid=000,csn 0050: 3d 32 30 31 30 30 38 31 33 30 37 34 38 34 36 2e =20100813074846. 0060: 34 35 37 32 37 39 5a 23 30 30 30 30 30 30 23 30 457279Z#000000#0 0070: 30 30 23 30 30 30 30 30 30 01 01 ff 30 1c 04 17 00#000000...0... 0080: 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 37 33 2.16.840.1.11373 0090: 30 2e 33 2e 34 2e 32 01 01 ff 0.3.4.2... filter: (objectClass=*) ber_scanf fmt ({M}}) ber: ber_dump: buf=010E1060 ptr=010E10A9 end=010E1136 len=141 0000: 00 06 04 01 2a 04 01 2b a0 81 82 30 62 04 18 31 ....*..+...0b..1 0010: 2e 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 30 33 2e .3.6.1.4.1.4203. 0020: 31 2e 39 2e 31 2e 31 04 46 30 44 0a 01 01 04 3c 1.9.1.1.F0D....< 0030: 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30 30 2c rid=001,sid=000, 0040: 63 73 6e 3d 32 30 31 30 30 38 31 33 30 37 34 38 csn=201008130748 0050: 34 36 2e 34 35 37 32 37 39 5a 23 30 30 30 30 30 46.457279Z#00000 0060: 30 23 30 30 30 23 30 30 30 30 30 30 01 01 ff 30 0#000#000000...0 0070: 1c 04 17 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 ...2.16.840.1.11 0080: 33 37 33 30 2e 33 2e 34 2e 32 01 01 ff 3730.3.4.2... => get_ctrls ber_scanf fmt ({m) ber: ber_dump: buf=010E1060 ptr=010E10B4 end=010E1136 len=130 0000: 30 62 04 18 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 0b..1.3.6.1.4.1. 0010: 34 32 30 33 2e 31 2e 39 2e 31 2e 31 04 46 30 44 4203.1.9.1.1.F0D 0020: 0a 01 01 04 3c 72 69 64 3d 30 30 31 2c 73 69 64 ....<rid=001,sid 0030: 3d 30 30 30 2c 63 73 6e 3d 32 30 31 30 30 38 31 =000,csn=2010081 0040: 33 30 37 34 38 34 36 2e 34 35 37 32 37 39 5a 23 3074846.457279Z# 0050: 30 30 30 30 30 30 23 30 30 30 23 30 30 30 30 30 000000#000#00000 0060: 30 01 01 ff 30 1c 04 17 32 2e 31 36 2e 38 34 30 0...0...2.16.840 0070: 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32 01 .1.113730.3.4.2. 0080: 01 ff .. ber_scanf fmt (m) ber: ber_dump: buf=010E1060 ptr=010E10D0 end=010E1136 len=102 0000: 00 46 30 44 0a 01 01 04 3c 72 69 64 3d 30 30 31 .F0D....<rid=001 0010: 2c 73 69 64 3d 30 30 30 2c 63 73 6e 3d 32 30 31 ,sid=000,csn=201 0020: 30 30 38 31 33 30 37 34 38 34 36 2e 34 35 37 32 00813074846.4572 0030: 37 39 5a 23 30 30 30 30 30 30 23 30 30 30 23 30 79Z#000000#000#0 0040: 30 30 30 30 30 01 01 ff 30 1c 04 17 32 2e 31 36 00000...0...2.16 0050: 2e 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e .840.1.113730.3. 0060: 34 2e 32 01 01 ff 4.2... => get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical) ber_scanf fmt ({i) ber: ber_dump: buf=010E10D2 ptr=010E10D2 end=010E1118 len=70 0000: 30 44 0a 01 01 04 3c 72 69 64 3d 30 30 31 2c 73 0D....<rid=001,s 0010: 69 64 3d 30 30 30 2c 63 73 6e 3d 32 30 31 30 30 id=000,csn=20100 0020: 38 31 33 30 37 34 38 34 36 2e 34 35 37 32 37 39 813074846.457279 0030: 5a 23 30 30 30 30 30 30 23 30 30 30 23 30 30 30 Z#000000#000#000 0040: 30 30 30 01 01 ff 000... ber_scanf fmt (m) ber: ber_dump: buf=010E10D2 ptr=010E10D7 end=010E1118 len=65 0000: 04 3c 72 69 64 3d 30 30 31 2c 73 69 64 3d 30 30 .<rid=001,sid=00 0010: 30 2c 63 73 6e 3d 32 30 31 30 30 38 31 33 30 37 0,csn=2010081307 0020: 34 38 34 36 2e 34 35 37 32 37 39 5a 23 30 30 30 4846.457279Z#000 0030: 30 30 30 23 30 30 30 23 30 30 30 30 30 30 01 01 000#000#000000.. 0040: ff . ber_scanf fmt (b) ber: ber_dump: buf=010E10D2 ptr=010E1115 end=010E1118 len=3 0000: 00 01 ff ... ber_scanf fmt (}) ber: ber_dump: buf=010E10D2 ptr=010E1118 end=010E1118 len=0 ber_scanf fmt ({m) ber: ber_dump: buf=010E1060 ptr=010E1118 end=010E1136 len=30 0000: 00 1c 04 17 32 2e 31 36 2e 38 34 30 2e 31 2e 31 ....2.16.840.1.1 0010: 31 33 37 33 30 2e 33 2e 34 2e 32 01 01 ff 13730.3.4.2... ber_scanf fmt (b) ber: ber_dump: buf=010E1060 ptr=010E1133 end=010E1136 len=3 0000: 00 01 ff ... => get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical) <= get_ctrls: n=2 rc=0 err="" attrs: * + send_ldap_result: conn=1001 op=1 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=2 tag=101 err=0 ber_flush2: 14 bytes to sd 2984 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........ ldap_write: want=14, written=14 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........ daemon: activity on 5 descriptors daemon: activity on: 4r daemon: read activity on 4 daemon: WSselect: listen=2 active_threads=0 tvp=zero connection_get(4) daemon: WSselect: listen=3 active_threads=0 tvp=zero connection_get(4): got connid=1001 connection_read(4): checking for input on id=1001 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 03 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=013E5460 ptr=013E5460 end=013E5465 len=5 0000: 02 01 03 42 00 ...B. op tag 0x42, time 1282112561 ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 4 failed errno=0 (unknown WSA error) connection_read(4): input error=-2 id=1001, closing. connection_closing: readying conn=1001 sd=4 for close daemon: activity on 1 descriptor connection_close: deferring conn=1001 sd=4 daemon: waked daemon: WSselect: listen=2 active_threads=0 tvp=zero conn=1001 op=2 do_unbind daemon: WSselect: listen=3 active_threads=0 tvp=zero connection_resched: attempting closing conn=1001 sd=4 connection_close: conn=1001 sd=4 daemon: removing 4 """ gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com> On Mon, Aug 16, 2010 at 10:54 PM, Marc Patermann < hans.moser(a)ofd-z.niedersachsen.de> wrote: > Off list: > > owen nirvana schrieb am 16.08.2010 16:08 Uhr: > > However, the method of different search for different node is not > effective. > > > > In my configuration of parent CA, > > ''" > > syncrepl rid=001 > > ... > > searchbase = "dc=sonCA,dc=parentCA,dc=rootCA" > > ... > > """ > Did you try my first glue with multiple databases? > > > I believe the reason is the two nodes have not the same DIT. > What did you mean by that? > your tree from dc=sonCA,dc=parenCA,dc=rootCA will be replicated beyond > dc=parenCA,dc=rootCA if you configure it in the right way. > > > Maybe syncrepl could not support it. > You better try one of the approaches und post the consumer and provider > config and replication logs to the list (and maybe some data) > > Marc >

2 1

Openldap2.4.16 performance issue
by Singh, Devender (GE Capital, consultant) 21 Aug '10

21 Aug '10

Hi All, I need help for openldap slapd 200% cpu utilization issue. I have configured three openldap servers(2 Masters and 1 Slave). I have configure PEN load balancer for failover setup on 2 master openldap servers.It means application server first of all hit the loadbalancer port and than PEN LB will forwad that request to Master 1 or 2 openldap server. Hardware configuration on all boxes: OS: RHEL5(x86_64) RAM: 2GB Number of CPU: 2(Intel(R) Xeon(R)2.00GHz) Number of BDB databases: 2 Databse1: Number of users : 830000 Number of dns: 830000 Database2: Number of users: 2000 Number of dns: 800000 My Application1 using Databse1 and Application2 using Databse2. Application2 just authenticating the users and store last 10 password history only, It means Application1 is not using openldap too much. In Application2(90% dependent on openldap) every user have 1000+ sub leafs entries. when I want to do major changes(number of leafs write) into this, it.s got hanged and got socket closed error in application logs and CPU utilization goes 200% and RAM 52%. My DB_CONFIG file is below: # $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.3.2.4 2007/12/18 11:53:27 ghenry Exp $ # Example DB_CONFIG file for use with slapd(8) BDB/HDB databases. # # See the Oracle Berkeley DB documentation # <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/d b_config.html <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/d b_config.html> > # for detail description of DB_CONFIG syntax and semantics. # # Hints can also be found in the OpenLDAP Software FAQ # <http://www.openldap.org/faq/index.cgi?file=2 <http://www.openldap.org/faq/index.cgi?file=2> > # in particular: # <http://www.openldap.org/faq/index.cgi?file=1075 <http://www.openldap.org/faq/index.cgi?file=1075> > # Note: most DB_CONFIG settings will take effect only upon rebuilding # the DB environment. # one 0.25 GB cache set_cachesize 0 268435456 1 # Data Directory #set_data_dir db # Transaction Log settings set_lg_regionmax 262144 set_lg_bsize 2097152 #set_lg_dir logs # Note: special DB_CONFIG flags are no longer needed for "quick" # slapadd(8) or slapindex(8) access (see their -q option). Please help me here that what I need to do for better performance. Thanks in advance. My contact number is +919650477441 Thanks & Regards, Devender Singh Senior Unix Administrator, (SOA Support Team) ________________________________________________________________________ ________________________________________________ SDG Software India Pvt. Ltd A-10, Sector 2, Noida 201301, U.P, India M: +91-9910024231 O: +91.120.401.4000 F: +91.120.401.4020 website : www.sdgc.com <http://www.sdgc.com/> ________________________________________________________________________ ________________________________________________ Please Note: The e-mail content is intended for the sole use of the intended recipient/s and may contain material that is CONFIDENTIAL AND PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or distribution or forwarding of any or all of the contents in this message is STRICTLY PROHIBITED. If you have erroneously received this message, please delete it immediately and notify the sender. Before opening any attachments please check them for viruses and defects.

11 32

Re: How to check LDAP replication status?
by Gavin Henry 20 Aug '10

20 Aug '10

On 22/07/10 13:55, Paul Harvey wrote: > On 07/22/2010 02:34 PM, Priyesh Potdar wrote: >> Hi, >> >> Check out this link: >> http://docs.hp.com/en/5991-7504/ar01s08.html >> >> Refer to the section: >> Monitoring the Replication Status >> >> Hope this helps... >> >> On Thu, 2010-07-22 at 07:17 -0500, Proskurin Kirill wrote: >> >>> On 22/07/10 15:40, Priyesh Potdar wrote: >>> >>>> Hi, >>>> >>>> Two things you can do: >>>> 1) Check the replog file, if the data is getting pushed to slave from >>>> there or not. >>>> >>> As I understand it is deprecated and only used with Slurpd? >>> >>> I fogot to say - I use LDAP 2.4.11+ with Syncrepl. >>> >>> >>>> 2) Issue an ldapsearch command on the slave servers to check a newly >>>> updated data. >>>> >>> I don`t know what data is changing _now_ so what to search? >>> >>> >> > Precisely what i was after, thanks. > > Is there any way to manually create a hidden entry, in a similar style > to the contextCSN, or would this require the an overlay to be written? That's what the contextCSN is for. Just ldapsearch for it and if they match, they are up to date: http://blog.suretecsystems.com/archives/146-OpenLDAP-Quick-Tips-Checking-th… I really need to start those "Quick Tips" up again! If anyone wants to contribute some? -- Kind Regards, Gavin Henry. OpenLDAP Engineering Team. E ghenry(a)OpenLDAP.org Community developed LDAP software. http://www.openldap.org/project/

3 2

Syncrepl: Reliable method to ask a server for its own URL
by Torsten Schlabach (Tascel eG) 20 Aug '10

20 Aug '10

Hi all! I do have a multi-master replication setup. So I do have an olcServerID attribute with multiple values, for example: dn: cn=config olcServerID: 1 ldap://ldapserver1.some.tld/ olcServerID: 2 ldap://ldapserver2.some.tld/ olcServerID: 3 ldap://ldapserver3.some.tld/ I understand that the meaning of this is: Each server will pick the attribute value which matches its own URL to determine the actual ServerID to be used in contextCSN generation, right? So if the server listening to ldap://ldapserver2.some.tld/ will come up, it will pick the attribute value "2 ldap://ldapserver2.some.tld/" and thus decide that its serverID is 2 in this case. I also understand that this mechanism has been created to allow the cn=config database to be replicated across all servers which are part of the cluster. Now obviously, if I made a mistake here, for example I make a typo: dn: cn=config olcServerID: 1 ldap://ldapserver1.some.tld/ olcServerID: 2 ldap://ldapsrever2.some.tld/ olcServerID: 3 ldap://ldapserver3.some.tld/ the server ldap://ldapserver2.some.tld/ will not find its entry and thus its serverID will default to 0, right? And I guess this will lead to results of the sychronization which are not what I expect. Of course I can carefully watch the config to guess what the effective ServerID *should* be. But would there be any way to actually query the server for what it thinks its ID is? I tried ldapsearch -x -D 'cn=admin,cn=config' -w XXXX -b '' -s base olcServerID but this also just gives me: # config dn: cn=config olcServerID: 1 ldap://192.168.5.11:389/ olcServerID: 2 ldap://192.168.5.12:389/ olcServerID: 3 ldap://192.168.9.2:389/ in my case. I guess I may have to query -b "", right? Any hints are welcome. I hope I was able to make my question clear. Regards, Torsten

2 1

pass-through authentication
by Brent Bice 20 Aug '10

20 Aug '10

I tried to send this yesterday but didn't see it come back from the list (and didn't see any replies). So I'll try once more. Apologies if anyone gets this twice. I've been trying to get Pass-Through authentication to work using a userPassword attribute of the form {SASL}username@realm. Is there a way to tell slapd what pathspec to use to talk to saslauthd? (I'm guessing maybe it's using one path but saslauthd is using a different one for the socket file) I've got saslauthd running ok and can authenticate using testsaslauthd so I'm fairly sure saslauthd is configured right and working. And I've got openldap compiled with --enable-spasswd option so it ought to support the SASL pass-through option, right? I ran saslauthd with debugging on so I can see every auth request and whether it succeeds or fails and I can see it when testsaslauth connects and succeeds. But when I try to bind to slapd using the DN whose userPassword is {SASL}bbice@ldap the authentication to slapd fails and saslauthd doesn't show any authentication attempt at all. It's as if it's not even trying (or can't find) saslauthd. I ran slapd with the -d 255 option and saved the output to a file. Here's all the lines containing the string sasl: >>> dnPretty: <cn=SASL> => ldap_bv2dn(cn=SASL,0) <= ldap_bv2dn(cn=SASL)=0 <= ldap_dn2bv(cn=SASL)=0 <<< dnPretty: <cn=SASL> >>> dnNormalize: <cn=SASL> <<< dnNormalize: <cn=sasl> ldap_sasl_bind_s ldap_sasl_bind SASL Canonicalize [conn=1000]: authcid="bbice@ldap" SASL Canonicalize [conn=1000]: authcid="bbice@ldap" SASL Canonicalize [conn=1001]: authcid="bbice@ldap" SASL Canonicalize [conn=1001]: authcid="bbice@ldap" So if I'm reading that right, slapd does see that it's supposed to hand off the authentication to saslauthd and it has picked out the username and realm. But it doesn't seem to be connecting to or using saslauthd. Any ideas? What am I missing here? Brent Bice bbice(a)sgi.com

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2010