Samba 3.5.5 with ldap backend crash slapd 2.4.23 !!!
by Frank Bonnet
Hello
We use OpenLDAP 2.4.23 here, running on a FreeBSD 8.1 server and
compiled on the server from the FreeBSD ports. It has run well for
weeks.
We also use a Samba 3.5.2 server with an ldap backend on a Linux
Debian Lenny server, compiled from source on the server; everything
was running well ...
Last Monday I decided to upgrade the Samba server to the latest "Stable"
release (3.5.5), and then the nightmare began ...
A few minutes after I restarted the Samba server (by rebooting the server),
the slapd daemon crashed violently.
After a few restarts it was still the same:
slapd works well if Samba is stopped, and Linux clients can authenticate
without problem; if I start the Samba daemons, Windows clients begin
to connect and after a few seconds slapd crashes ...
Any infos welcome !
Thanks
10 years, 6 months
rfc2307bis and samba woes
by Victor Mataré
Hi list,
Has anybody else gone through this posixGroup vs. groupOfNames pain? I mean,
what kind of a design accident is this? Samba 3.4 seems unable to deal with
rfc2307bis (which makes posixGroup auxiliary). I'll definitely talk to the
samba list on this, too, but maybe somebody can tell me what the status of the
rfc2307bis mess is, anyway. Looks to me like this whole issue has been rotting
at the ietf for like 10 years and nobody seems to care about it. Except
openSuSE, who allegedly use it by default. No idea how they made samba work
with it, though. In my naïve mind the patch should be almost trivial (just use
groupOfNames as structuralObjectClass and add a dummy member), but I suspect
it's not in vanilla samba because of the vague status of rfc2307bis. So... any
insight on this whole rfc2307bis scenario is highly appreciated.
Thanks a lot in advance.
Too many executing vs syncrepl
by Jorgen Lundman
Hello list,
So we are in the middle of a major upgrade of our OpenLDAP software, so it is a
bit unfortunate that I have to track down issues at the same time.
os: Solaris 10u8 x86
old: openldap-2.3.41 db-4.2.52.NC-PLUS_5_PATCHES
new: openldap-2.4.23 db-4.8.30.NC
We noticed that syncrepl stopped on pop01, pop03 and pop06 yesterday and fell
behind. The only hints in slaplog was:
Sep 28 11:23:09 pop06.unix slapd[29027]: [ID 968320 local4.debug] do_syncrep2: LDAP_RES_INTERMEDIATE - NEW_COOKIE
Sep 28 11:24:44 pop06.unix slapd[29027]: [ID 763815 local4.debug] connection_input: conn=123099 deferring operation: too many executing
Sep 28 11:24:44 pop06.unix slapd[29027]: [ID 763815 local4.debug] connection_input: conn=123099 deferring operation: pending operations
Sep 28 11:24:48 pop06.unix last message repeated 72 times
and there were no more syncrepl messages until we restarted slapd, 2 hours
later. I wonder if the syncrepl connection received "too many executing". Is
that possible? Can we make it so sync connections get higher priority as it
were. In this case, it is new-ldap syncrepl to old-ldap for loopback lookups
(dovecot).
Now, I would guess that getting "too many executing" is undesirable. Googling
around, it seems that what happens is that one connection already has more than
half of the connection-pool operations, and gets deferred.
What does "one connection" mean? From one IP (all connections are over loopback,
except for syncrepl), or is it operations from one TCP stream? Or is it some other
kind of cookie, like rid?
Can I get slapd to tell me which connection it actually means? Having looked at
the sources, it does not seem to have that ability, but I could always add our
own prints. At least to get the IP of the requester. (I tried "conns" in
LogLevel, but it prints all select() calls, and is unfortunately unrealistic to
run on live servers. Currently I have 'stats' running.)
Or, rather than hacking at the sources, should I invest in getting the overlay
"monitor" to run? Would it show why we receive "too many executing"?
I have also noticed a considerable performance drop when moving from old version
to new version, and not entirely sure if that is something we can do something
about.
Following this email are the juicy parts of slapd.conf on most of our slaves/loopback
slapds.
--
Jorgen Lundman | <lundman(a)lundman.net>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
loglevel sync stats
access to *
by dn.base="cn=replicator,dc=company,dc=jp" read
by * break
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by self write
by dn="cn=admin,dc=company,dc=jp" write
by peername.ip=172.20.12.6 none
by peername.ip=172.20.12.16 none
by peername.ip=172.20.12.26 none
by peername.ip=172.20.12.36 none
by peername.ip=172.20.12.46 none
by peername.ip=172.20.12.56 none
by peername.ip=172.20.12.66 none
by peername.ip=172.20.12.76 none
by * read
password-hash {CRYPT}
database hdb
suffix "dc=company,dc=jp"
rootdn "cn=admin,dc=company,dc=jp"
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
##index uid pres,eq
index uid eq
index uidNumber eq
index mail eq
index mailAlternateAddress pres,eq
index deliveryMode eq
index accountStatus eq
index gecos eq
index radiusGroupName eq
index o pres,eq
index entryCSN,entryUUID eq
index gidNumber eq
index DNSType eq
index DNSIPAddr eq
index DNSData eq
index DNSHostName eq
checkpoint 128 15
cachesize 5000
idlcachesize 15000
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
dbconfig set_lk_detect DB_LOCK_DEFAULT
dbconfig set_lg_max 52428800
dbconfig set_cachesize 4 0 1
dbconfig set_flags db_log_autoremove
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# rid is last octet of IP, plus 256.
syncrepl rid=279
provider=ldap://172.20.12.163
type=refreshAndPersist
interval=00:00:00:30
searchbase="dc=company,dc=jp"
filter="(objectClass=*)"
attrs="*,+"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=admin,dc=company,dc=jp"
credentials="<secret>"
retry="60 10 300 +"
updateref ldap://172.20.12.163
Re: Searched Attr=1.1
by Marco Pizzoli
Hi Quanah,
you're right. Those weren't my configuration but only an indication of the
order in which those "groups" of directives appear in my slapd.conf config
file.
This is my exact fragment of configuration which involves overlays:
BEGIN ------------------------------------
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=lan,dc=mycorp.it"
ppolicy_use_lockout
ppolicy_hash_cleartext
ppolicy_forward_updates
overlay syncprov
syncprov-checkpoint 50 10
syncprov-sessionlog 150
overlay auditlog
auditlog /srv/logs/ldap/ldap03_audit.log
overlay accesslog
logdb cn=log03,dc=mycorp.it
logops all
logold (objectclass=inetOrgPerson)
logpurge 7+00:00 04:00
logsuccess FALSE
overlay sssvlv
sssvlv-max 4
sssvlv-maxkeys 5
overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-dn cn=Manager,dc=lan,dc=mycorp.it
memberof-dangling ignore
memberof-dangling-error 80
memberof-refint TRUE
END ------------------------------------
I use dynamic modules.
I can give more details if necessary.
Thanks again
Marco
On Tue, Sep 28, 2010 at 5:24 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, September 28, 2010 2:37 PM +0200 Marco Pizzoli <
> marco.pizzoli(a)gmail.com> wrote:
>
>> Today I tried to change the order of overlays inclusion and I had the
>> same problem.
>> If the module was not loaded, I couldn't save that data in the accesslog
>> db.
>>
>> Someone could suggest a possible solution or an alternative trial?
>>
>
> Do you use static or dynamic modules?
>
> Your directives are not in OpenLDAP's loading format, so if that's a direct
> copy from your slapd.conf/cn=config db, then none of those statements makes
> sense.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
_________________________________________
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get back up.
Jim Morrison
Re: id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor, ou=People, dc=muncc, dc
by Bjørn Ruberg
On 09/29/2010 09:06 AM, Cole wrote:
> Thank you for pointing me in that direction. Switching ldapi to ldap
> fixed the problem.
No problem, glad to help. You obviously still have a lot to learn about
using mailing lists, though.
1) Don't top post.
2) Reply to the list, not to individuals.
http://www.freebsd.org/doc/en/articles/mailing-list-faq/etiquette.html
is a good place to start.
--
Bjørn
Re: id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor, ou=People, dc=muncc, dc
by Bjørn Ruberg
Hi,
Please reply to the list.
On 09/28/2010 08:55 PM, Cole wrote:
> Sorry about the config files. I've attached them. These files are
> exactly the same on the server and the client, according to diff.
If the config files are identical while you have OpenLDAP running on one
system and not on the other, I would assume some differences between the
files would be useful.
Anyways, from your config files, you need to learn how to use ldapi://
in your libnss-ldap.conf file.
Good luck :-)
--
Bjørn
OpenLDAP and Radius and Cisco attributes
by Francois Gelinas
Full_Name: Francois Gelinas
Version: 2.3.27
OS: RedHat Enterprise Linux 5
URL:
Submission from: (NULL) (216.252.95.98)
I'm looking for a Cisco LDAP schema for RADIUS; I need to pass Cisco
proprietary attributes back to my RADIUS server and I want to store them
in ldap.
Here's the list of Cisco attributes I am talking about:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_
for_windows/4.2.1/User_Guide/A_RADAtr.html
I could try to create one myself, but how can I get the number to create the
entry (like this one in pureftpd.schema)?
attributetype ( 1.3.6.1.4.1.6981.11.3.1 NAME 'FTPQuotaFiles'
Francois Gelinas
Directeur Technique - IT Manager
Colba.Net Inc.
6465 Route Trans-canadienne
Ville St-Laurent (Québec), H4T 1S3
Tél: (514) 856-3500 ext. 2236
Tél: (888) 477-7189 ext. 2236
Fax: (514) 856-9506
email: francois.gelinas(a)colba.net
Ldapsearch not working.
by karthik kumar
Hi,
There are a few entries in the LDAP directory that are not showing up in
ldapsearch, but I can see the entries in the dump (ldif) file. I have
compared them with some other entries as well: some of them show up in
ldapsearch and some do not. Any ideas, please? How do I start debugging
this?
Please advise if you need more information.
Thanks
Karthik
Searched Attr=1.1
by Marco Pizzoli
Hi list,
I found some entries in my OL logs about searches for attribute "1.1". I've
seen that the requester is the user used for replication (syncrepl).
Can anyone explain to me what kind of attribute this is?
conn=0 op=3 SRCH attr=1.1
Thanks in advance
Marco
--
_________________________________________
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get back up.
Jim Morrison
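Two of the posts above turn on reading slapd's own log: the "Too many executing vs syncrepl" post asks which connection the "deferring operation: too many executing" message refers to, and the "Searched Attr=1.1" post asks what a search for attribute "1.1" is. Both questions can be answered from the same log. The conn=N number in the deferral message is the same connection id that `loglevel stats` prints on the ACCEPT line (which carries the peer IP and port) and on the BIND line (which carries the bind DN), so correlating on conn=N identifies the requester without patching slapd. "1.1" is not an attribute at all: RFC 4511 (section 4.5.1.8) reserves the string "1.1" in a search's attribute list to mean "return no attributes", so a `SRCH attr=1.1` line is a search that wants only the DNs (and any requested controls) of the matching entries. The script below is an added example written for this page, not code from either poster or from the OpenLDAP project. It assumes the stats-line layout of slapd 2.4 (`conn=N fd=M ACCEPT from IP=host:port`, `conn=N op=M BIND dn="..."`) and the Solaris syslog wrapper quoted in the post; the sample log embedded in it is constructed, reusing the three lines from the post and adding invented ACCEPT/BIND/SRCH lines for two connections. It also handles the syslog "last message repeated N times" line, which otherwise hides 72 of the 73 deferrals in the sample.

```python
"""Correlate slapd 'deferring operation' and 'SRCH attr=1.1' log lines with the
peer address and bind DN recorded for the same conn=N under 'loglevel stats'."""
import re
from collections import Counter, defaultdict

# Constructed sample (not a live capture): the three lines quoted in the
# "Too many executing" post, preceded by invented 'loglevel stats' lines for a
# loopback client (conn=123099) and the syncrepl consumer (conn=123100).
SAMPLE_LOG = """\
Sep 28 11:24:40 pop06.unix slapd[29027]: [ID 123456 local4.debug] conn=123099 fd=42 ACCEPT from IP=127.0.0.1:51234 (IP=0.0.0.0:389)
Sep 28 11:24:40 pop06.unix slapd[29027]: [ID 123456 local4.debug] conn=123099 op=0 BIND dn="cn=dovecot,dc=company,dc=jp" method=128
Sep 28 11:24:41 pop06.unix slapd[29027]: [ID 123456 local4.debug] conn=123100 fd=43 ACCEPT from IP=172.20.12.163:38211 (IP=0.0.0.0:389)
Sep 28 11:24:41 pop06.unix slapd[29027]: [ID 123456 local4.debug] conn=123100 op=0 BIND dn="cn=replicator,dc=company,dc=jp" method=128
Sep 28 11:24:41 pop06.unix slapd[29027]: [ID 123456 local4.debug] conn=123100 op=1 SRCH base="dc=company,dc=jp" scope=2 deref=0 filter="(objectClass=*)"
Sep 28 11:24:41 pop06.unix slapd[29027]: [ID 123456 local4.debug] conn=123100 op=1 SRCH attr=1.1
Sep 28 11:24:44 pop06.unix slapd[29027]: [ID 763815 local4.debug] connection_input: conn=123099 deferring operation: too many executing
Sep 28 11:24:44 pop06.unix slapd[29027]: [ID 763815 local4.debug] connection_input: conn=123099 deferring operation: pending operations
Sep 28 11:24:48 pop06.unix last message repeated 72 times
"""

# Patterns for the slapd 2.4 stats lines this example relies on (assumed layout).
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) ')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
DEFER_RE = re.compile(r'conn=(\d+) deferring operation: (.+?)\s*$')
SRCH_ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.+?)\s*$')
REPEAT_RE = re.compile(r'last message repeated (\d+) times')


def summarize(log_text):
    """Walk the log once and index everything by connection id."""
    peer = {}                          # conn -> peer IP from the ACCEPT line
    bound = {}                         # conn -> last bind DN
    deferrals = defaultdict(Counter)   # conn -> reason -> count
    noattr_searches = []               # (conn, op) of searches asking for "1.1"
    prev_defer = None                  # (conn, reason) if the previous line was a deferral
    for line in log_text.splitlines():
        m = REPEAT_RE.search(line)
        if m:
            # syslog collapsed N repeats of the previous message; credit them
            # to that deferral, otherwise the count is off by a large factor.
            if prev_defer is not None:
                deferrals[prev_defer[0]][prev_defer[1]] += int(m.group(1))
            continue
        prev_defer = None
        if m := ACCEPT_RE.search(line):
            # IP=host:port; splitting on the last colon also copes with [v6]:port
            peer[int(m.group(1))] = m.group(2).rsplit(':', 1)[0]
        elif m := BIND_RE.search(line):
            bound[int(m.group(1))] = m.group(2)
        elif m := DEFER_RE.search(line):
            conn, reason = int(m.group(1)), m.group(2)
            deferrals[conn][reason] += 1
            prev_defer = (conn, reason)
        elif m := SRCH_ATTR_RE.search(line):
            # RFC 4511: an attribute list of exactly "1.1" means "no attributes"
            if m.group(3).split() == ['1.1']:
                noattr_searches.append((int(m.group(1)), int(m.group(2))))
    return {
        'peer': peer,
        'bound': bound,
        'deferrals': {c: dict(r) for c, r in deferrals.items()},
        'noattr_searches': noattr_searches,
    }


def hog_connections(summary, threshold):
    """Connection ids whose total deferrals reach the threshold, most first."""
    totals = {c: sum(r.values()) for c, r in summary['deferrals'].items()}
    return sorted((c for c, n in totals.items() if n >= threshold),
                  key=lambda c: totals[c], reverse=True)


def report(summary, threshold=1):
    """Human-readable lines naming who was behind each deferred connection."""
    lines = []
    for conn in hog_connections(summary, threshold):
        who = summary['peer'].get(conn, 'unknown peer')
        dn = summary['bound'].get(conn, 'no bind')
        reasons = ', '.join(f'{r} x{n}' for r, n in summary['deferrals'][conn].items())
        lines.append(f'conn={conn} from {who} bound as {dn}: {reasons}')
    for conn, op in summary['noattr_searches']:
        who = summary['peer'].get(conn, 'unknown peer')
        dn = summary['bound'].get(conn, 'no bind')
        lines.append(f'conn={conn} op={op} from {who} bound as {dn}: search requesting no attributes (1.1)')
    return lines


if __name__ == '__main__':
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run against a real log, the two `report` lines tell you the loopback client that hit the deferral (with its bind DN, which is more useful than a loopback IP) and that the `attr=1.1` searches come from the replicator's connection. The `threshold` argument of `hog_connections` is what you would alert on: a single "too many executing" is normal under load, while hundreds against one connection within a few seconds is the pattern the post describes.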
Replication process slapd 2.4.23 (value #* provided more than once)
by Nicolas Greneche
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I tried to setup replication on two ldap servers : a master and a slave.
The master is configured like this (slapd.conf) :
database hdb
suffix "dc=test,dc=fr"
rootdn "cn=root,dc=test,dc=fr"
[...]
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
The slave is configured like this (slapd.conf). I tried to make a very
simple setup :
syncrepl rid=001 provider=ldap://my-master:389/
searchbase="dc=test,dc=fr" bindmethod=simple
binddn="cn=root,dc=test,dc=fr" credentials=password
type=refreshAndPersist retry="5 +"
When I restart my slave I got this error in logfiles :
Sep 24 11:08:37 kyo slapd[2296]: syncrepl_message_to_entry: rid=001 mods
check (postalAddress: value #0 provided more than once)
And replication stops.
Master and slaves are installed from debian squeeze packages :
root@kyo:/var/lib/ldap# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Sep 13 2010 07:04:08) $
@borges:/home/devel/openldap/trunk/debian/build/servers/slapd
libbdb version is 4.8.30.
Replication works well with a 2.3.20 slave, so I think I missed
something in the 2.4.23 slave configuration.
Thanks for your help,
- --
Nicolas Greneche - RSSI et Sysadmin
Centre de Ressources Informatiques (CRI)
Doctorant au sein du projet SDS - www.sds-project.fr
Mail : nicolas.greneche_(at)_univ-orleans.fr
GPG : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5FEBD0EF
Universite d'Orleans Web : http://blog.garnett.fr
Batiment 3IA - 2e etage Tel : 02 38 49 25 26
6 rue Leonard de Vinci
BP 6102 45061 ORLEANS Cedex 2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkyccGoACgkQTx/Y+1/r0O/gzgCfVb5pl0aH5tjhJkf3uDRjgVVr
9fIAniXYZboWSQuBPFcQBa4KNXU7ZXEJ
=L9D2
-----END PGP SIGNATURE-----