openldap-technical September 2010

openldap-technical@openldap.org

111 participants
113 discussions

Samba 3.5.5 with ldap backend crash slapd 2.4.23 !!!
by Frank Bonnet 30 Sep '10

30 Sep '10

Hello We use here Openldap 2.4.23 server running on a FreeBSD 8.1 server compiled on the server from the FreeBSD ports. It runs well since weeks. We also use a Samba server 3.5.2 with ldap backend on a Linux Debian Lenny server compiled from source on the server, everything was running well ... Last Monday I decided to upgrade the Samba server to the latest "Stable" release ( 3.5.5 ) then the nightmare begins ... Few minutes after I restart ( reboot the server ) the samba server the slapd daemon violently crashed. After few restart it was still the same : slapd works well if samba is stopped , Linux clients can authenticate without problem, if I start samba daemons , windows clients begin to connect and after few seconds slapd crash ... Any infos welcome ! Thanks

3 4

rfc2307bis and samba woes
by Victor Mataré 29 Sep '10

29 Sep '10

Hi list, Has anybody else gone through this posixGroup vs. groupOfNames pain? I mean, what kind of a design accident is this? Samba 3.4 seems unable to deal with rfc2307bis (which makes posixGroup auxiliary). I'll definitely talk to the samba list on this, too, but maybe somebody can tell me what the status of the rfc2307bis mess is, anyway. Looks to me like this whole issue has been rotting at the ietf for like 10 years and nobody seems to care about it. Except openSuSE, who allegedly use it by default. No idea how they made samba work with it, though. In my naïve mind the patch should be almost trivial (just use groupOfNames as structuralObjectClass and add a dummy member), but I suspect it's not in vanilla samba because of the vague status of rfc2307bis. So... any insight on this whole rfc2307bis scenario is highly appreciated. Thanks a lot in advance.

2 3

Too many executing vs syncrepl
by Jorgen Lundman 29 Sep '10

29 Sep '10

Hello list, So we are in the middle of a major upgrade of our OpenLDAP software, so it is a bit unfortunate that I have to track down issues at the same time. os: Solaris 10u8 x86 old: openldap-2.3.41 db-4.2.52.NC-PLUS_5_PATCHES new: openldap-2.4.23 db-4.8.30.NC We noticed that syncrepl stopped on pop01, pop03 and pop06 yesterday and fell behind. The only hints in slaplog was: Sep 28 11:23:09 pop06.unix slapd[29027]: [ID 968320 local4.debug] do_syncrep2: L DAP_RES_INTERMEDIATE - NEW_COOKIE Sep 28 11:24:44 pop06.unix slapd[29027]: [ID 763815 local4.debug] connection_inp ut: conn=123099 deferring operation: too many executing Sep 28 11:24:44 pop06.unix slapd[29027]: [ID 763815 local4.debug] connection_inp ut: conn=123099 deferring operation: pending operations Sep 28 11:24:48 pop06.unix last message repeated 72 times and there were no more syncrepl messages until we restarted slapd, 2 hours later. I wonder if the syncrepl connection received "too many executing". Is that possible? Can we make it so sync connections get higher priority as it were. In this case, it is new-ldap syncrepl to old-ldap for loopback lookups (dovecot). Now, I would guess that getting "too many executing" is undesirable. Googling around it seems that what happens is that; one connection has more than half of the connection-pool operations already, and gets deferred. What does "one connection" mean? From one IP (all connections are over loopback, except for syncrepl), or is it operations from one-tcp-stream? Or it some other kind of cookie, like rid? Can I get slapd to tell me which connection it actually means? Having looked at the sources, it does not seem to have that ability, but I could always add our own prints. At least to get the IP of the requester. (I tried "conns" in LogLevel, but it prints all select() calls, and is unfortunately unrealistic to run on live servers. Currently I have 'stats' running.) Or rather than hacking at the sources, should I invest in getting the overlay "monitor" to run? Would it show why we receive "too many executing". I have also noticed a considerable performance drop when moving from old version to new version, and not entirely sure if that is something we can do something about. Following this email is the juicy parts of slapd on most of our slaves/loopback slapd. -- Jorgen Lundman | <lundman(a)lundman.net> Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work) Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell) Japan | +81 (0)3 -3375-1767 (home) loglevel sync stats access to * by dn.base="cn=replicator,dc=company,dc=jp" read by * break access to attrs=userPassword by self write by anonymous auth by * none access to * by self write by dn="cn=admin,dc=company,dc=jp" write by peername.ip=172.20.12.6 none by peername.ip=172.20.12.16 none by peername.ip=172.20.12.26 none by peername.ip=172.20.12.36 none by peername.ip=172.20.12.46 none by peername.ip=172.20.12.56 none by peername.ip=172.20.12.66 none by peername.ip=172.20.12.76 none by * read password-hash {CRYPT} database hdb suffix "dc=company,dc=jp" rootdn "cn=admin,dc=company,dc=jp" directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq ##index uid pres,eq index uid eq index uidNumber eq index mail eq index mailAlternateAddress pres,eq index deliveryMode eq index accountStatus eq index gecos eq index radiusGroupName eq index o pres,eq index entryCSN,entryUUID eq index gidNumber eq index DNSType eq index DNSIPAddr eq index DNSData eq index DNSHostName eq checkpoint 128 15 cachesize 5000 idlcachesize 15000 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 dbconfig set_lk_detect DB_LOCK_DEFAULT dbconfig set_lg_max 52428800 dbconfig set_cachesize 4 0 1 dbconfig set_flags db_log_autoremove dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 # rid is last octet of IP, plus 256. syncrepl rid=279 provider=ldap://172.20.12.163 type=refreshAndPersist interval=00:00:00:30 searchbase="dc=company,dc=jp" filter="(objectClass=*)" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=admin,dc=company,dc=jp" credentials="<secret>" retry="60 10 300 +" updateref ldap://172.20.12.163

2 3

Re: Searched Attr=1.1
by Marco Pizzoli 29 Sep '10

29 Sep '10

Hi Quanah, you're right. Those weren't my configuration but only an indication of the order in which those "groups" of directives appear in my slapd.conf config file. This is my exact fragment of configuration which involves overlays: BEGIN ------------------------------------ overlay ppolicy ppolicy_default "cn=default,ou=Policies,dc=lan,dc=mycorp.it" ppolicy_use_lockout ppolicy_hash_cleartext ppolicy_forward_updates overlay syncprov syncprov-checkpoint 50 10 syncprov-sessionlog 150 overlay auditlog auditlog /srv/logs/ldap/ldap03_audit.log overlay accesslog logdb cn=log03,dc=mycorp.it logops all logold (objectclass=inetOrgPerson) logpurge 7+00:00 04:00 logsuccess FALSE overlay sssvlv sssvlv-max 4 sssvlv-maxkeys 5 overlay memberof memberof-group-oc groupOfNames memberof-member-ad member memberof-memberof-ad memberOf memberof-dn cn=Manager,dc=lan,dc=mycorp.it memberof-dangling ignore memberof-dangling-error 80 memberof-refint TRUE END ------------------------------------ I use dynamic modules. I can give more details if necessary. Thanks again Marco On Tue, Sep 28, 2010 at 5:24 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, September 28, 2010 2:37 PM +0200 Marco Pizzoli < > marco.pizzoli(a)gmail.com> wrote: > > Today I tried to change the order of overlays inclusion and I had the >> same problem. >> If the module was not loaded, I couldn't save that data in the accesslog >> db. >> >> Someone could suggest a possible solution or an alternative trial? >> > > Do you use static or dynamic modules? > > Your directives are not in OpenLDAP's loading format, so if that's a direct > copy from your slapd.conf/cn=config db, then none of those statements makes > sense. > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

2 1

Re: id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor, ou=People, dc=muncc, dc
by Bjørn Ruberg 29 Sep '10

29 Sep '10

On 09/29/2010 09:06 AM, Cole wrote: > Thank you for pointing me in that direction. Switching ldapi to ldap > fixed the problem. No problem, glad to help. You obviously still have a lot to learn about using mailing lists, though. 1) Don̈́'t top post. 2) Reply to the list, not to individuals. http://www.freebsd.org/doc/en/articles/mailing-list-faq/etiquette.html is a good place to start. -- Bjørn

1 0

28 Sep '10

Hi, Please reply to the list. On 09/28/2010 08:55 PM, Cole wrote: > Sorry about the config files. I've attached them. These files are > exactly them same on the server and the client, according to diff. If the config files are identical while you have OpenLDAP running on one system and not on the other, I would assume some differences between the files would be useful. Anyways, from your config files, you need to learn how to use ldapi:// in your libnss-ldap.conf file. Good luck :-) -- Bjørn

1 0

OpenLDAP and Radius and Cisco attributes
by Francois Gelinas 28 Sep '10

28 Sep '10

Full_Name: Francois Gelinas Version: 2.3.27 OS: RedHat Enterprise Linux 5 URL: Submission from: (NULL) (216.252.95.98) I'm lookling for a Cisco LDAP Schema for Radius, i need to pass Cisco propriatary attributes back to my radius server and i want to store them into ldap. Here's the list of cisco attributes i am talking about: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_ for_windows/4.2.1/User_Guide/A_RADAtr.html I could try to create one myself but how can i get the number to create the entry (like this in pureftpd.schema) attributetype ( 1.3.6.1.4.1.6981.11.3.1 NAME 'FTPQuotaFiles' Francois Gelinas Directeur Technique - IT Manager Colba.Net Inc. 6465 Route Trans-canadienne Ville St-Laurent (Québec), H4T 1S3 Tél: (514) 856-3500 ext. 2236 Tél: (888) 477-7189 ext. 2236 Fax: (514) 856-9506 email: francois.gelinas(a)colba.net

3 3

Ldapsearch not working.
by karthik kumar 28 Sep '10

28 Sep '10

Hi, There are a few entries in the LDAP, its not showing-up in ldapsearch. But I could see the entry in the dump (ldif) file.. I ve compared with some other entries also. Some of them are showing up in the ldapsearch and some are not. Any ideas please ..How do I start debugging this ? Please advice if you need more information. Thanks Karthik

2 3

Searched Attr=1.1
by Marco Pizzoli 28 Sep '10

28 Sep '10

Hi list, I found some entries in my OL logs about searches for attribute "1.1". I've seen that the requester is the user used for the replication (syncrepl). Can anyone explain to me what this kind of attribute is this? *conn=0 op=3 SRCH attr=1.1 * Thanks in advance Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

5 8

Replication process slapd 2.4.23 (value #* provided more than once)
by Nicolas Greneche 28 Sep '10

28 Sep '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I tried to setup replication on two ldap servers : a master and a slave. The master is configured like this (slapd.conf) : database hdb suffix "dc=test,dc=fr" rootdn "cn=root,dc=test,dc=fr" [...] overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 The slave is configured like this (slapd.conf). I tried to make a very simple setup : syncrepl rid=001 provider=ldap://my-master:389/ searchbase="dc=test,dc=fr" bindmethod=simple binddn="cn=root,dc=test,dc=fr" credentials=password type=refreshAndPersist retry="5 +" When I restart my slave I got this error in logfiles : Sep 24 11:08:37 kyo slapd[2296]: syncrepl_message_to_entry: rid=001 mods check (postalAddress: value #0 provided more than once) And replication stops. Master and slaves are installed from debian squeeze packages : root@kyo:/var/lib/ldap# slapd -V @(#) $OpenLDAP: slapd 2.4.23 (Sep 13 2010 07:04:08) $ @borges:/home/devel/openldap/trunk/debian/build/servers/slapd libbdb version is 4.8.30. Replication works well with a 2.3.20 slave, so i think i missed something on 2.4.23 slave configuration. Thanks for your help, - -- Nicolas Greneche - RSSI et Sysadmin Centre de Ressources Informatiques (CRI) Doctorant au sein du projet SDS - www.sds-project.fr Mail : nicolas.greneche_(at)_univ-orleans.fr GPG : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5FEBD0EF Universite d'Orleans Web : http://blog.garnett.fr Batiment 3IA - 2e etage Tel : 02 38 49 25 26 6 rue Leonard de Vinci BP 6102 45061 ORLEANS Cedex 2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyccGoACgkQTx/Y+1/r0O/gzgCfVb5pl0aH5tjhJkf3uDRjgVVr 9fIAniXYZboWSQuBPFcQBa4KNXU7ZXEJ =L9D2 -----END PGP SIGNATURE-----

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2010