slapd will not start with inetorgperson
by Tim Dunphy
hello list!!
I am building an ldap server on freebsd 8.1.
For some reason, if I include the inetorgperson schema in my slapd.conf,
slapd will not start.
Here is the listing in slapd.conf:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/inetorgpreson.schema
I do not know why this is the case as I can ls the file:
[root@LBSD2:/usr/local/etc/openldap] #ls -l /usr/local/etc/openldap/schema/inetorgperson.schema
-r--r--r-- 1 root wheel 6360 Feb 21 03:13 /usr/local/etc/openldap/schema/inetorgperson.schema
If I comment out the inetorg schema slapd starts.
And it looks like the ownership and permissions are the same as they
are on the schema that is currently working:
[root@LBSD2:/usr/local/etc/openldap] #ls -l /usr/local/etc/openldap/schema/core.schema
-r--r--r-- 1 root wheel 20583 Feb 21 03:13 /usr/local/etc/openldap/schema/core.schema
Boy would I love to get this working again! :)
thanks for your help!
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
12 years, 7 months
Re: ldap auth does not works after openldap upgrade
by Andrew Findlay
On Tue, Feb 15, 2011 at 04:04:57PM -0200, Leonardo Carneiro wrote:
> Hmm, still did not work.
>
> If I do a ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br' and the
> password, the search goes OK. If I do not specify it, it asks me for a SASL/MD5
> authentication and fails, and just asks for a password. If I include a '-x'
> parameter, it also does not work:
>
> chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br"
> '(objectclass=*)' -LLL -x
> ldap_initialize( ldap://192.168.0.2 )
> filter: (objectclass=*)
> requesting: All userApplication attributes
> No such object (32)
You always need the -x flag. (You can only leave it out if
you supply SASL credentials, and that is a complexity we do
not need right now).
It seems that anon users still cannot see the suffix entry
at all.
Try adding this line just under your 'lastmod off' line:
access to * by * read
Make sure that you restart the slapd process after doing
this. Then try the search:
ldapsearch -x -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)'
If you still get nothing, set SLAPD_OPTIONS="-d 128" in
/etc/default/slapd and restart the server. It should not go
into the background, and should produce some output on the
screen. DO NOT REBOOT with this setting in place.
Now retry just the search above, and post the debug output
along with the new state of the slapd config file.
Remove the "-d 128" again.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
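An added example, not part of Andrew's reply, showing how that read rule fits into a slapd.conf access list once you also want to keep password hashes away from anonymous readers; it assumes the thread's suffix dc=dominio,dc=com,dc=br and a slapd.conf-style configuration (rule order and the implicit trailing deny are standard slapd ACL behaviour).

```conf
# Added example, not the reply's text. slapd evaluates "access to"
# directives in order and stops at the first whose target matches the
# entry and attribute, and every access list ends with an implicit
# "access to * by * none". The attribute-level rule therefore has to
# come before the catch-all read rule suggested in the reply.

# userPassword: the entry owner may change it, anonymous clients may
# only use it to authenticate a simple bind (auth), nobody else reads it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The line from the reply: every other attribute of every entry,
# including the suffix entry dc=dominio,dc=com,dc=br, is readable
# without binding, which is what the anonymous ldapsearch -x needs.
access to *
        by * read
```

Restart slapd after editing, then repeat the `ldapsearch -x` from the reply; the suffix entry should now be returned while a request for userPassword comes back empty for an anonymous client.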
Slapd Security based on port
by Chris Jackson
Is it possible to prevent anonymous and unauthenticated binds to ldaps:// 636 but allow them on ldap:// 389?
I want to allow staff to query my ldaps:// outside of my network while requiring them to login to do so but allow anyone to bind (anonymous, unauthenticated, or authenticated) internally on ldaps//: 389.
I know:
Anonymous bind can be disabled by "disallow bind_anon", and the Unauthenticated bind mechanism is disabled by default. But if I use "disallow bind_anon" it stops it on both ports. I want to stop it just on ldaps://.
Chris Jackson
Ldap with GroupOfUniqueNames + PosixGroups
by Alejandro Gándara Álvarez
Hi list,
I'm using slapd 2.4.11-1+lenny1. Until now I have been using posixGroup as the
objectclass for my groups; now we need to integrate LDAP with a new
application which requires groupOfUniqueNames as the objectclass.
My question is, can I have mixed groups? I mean, a group with two objectclasses,
posixGroup and groupOfUniqueNames.
I've tried, but I always get errors because of a conflict between the two
objectclasses. And I can't delete the posixGroup objectclass because I need it to
integrate with Samba and other services.
Could someone point me in the right direction?
Thanks for all
Alejandro Gándara
Re: threads and concurrency
by Omer Faruk SEN
Hi,
This system has 32 GB of RAM; additionally, the OS is RHEL 5, and this
system has 16 cores. I see new threads are created as the load increases,
and I have re-checked my system and the thread count is now 28. So I think
at most 32 threads is fine for me.
Regards.
On Sun, Feb 20, 2011 at 5:03 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Saturday, February 19, 2011 6:32 PM -0800 Howard Chu <hyc(a)symas.com>
> wrote:
>
>> Omer Faruk SEN wrote:
>>>
>>> Hi ,
>>>
>>> I have an ldap server (openldap-2.4.23); in slapd.conf I set
>>>
>>> concurrency 8192
>>> threads 256
>
>> Keep in mind that each thread uses a thread stack of 4MB on 32 bit
>> systems, 8MB on 64 bit systems. So you're looking at 1-2GB of RAM
>> dedicated to the threads with a setting like this. Make sure you don't
>> configure more threads than you have RAM for...
>
> I would add that your threads setting is likely a rather insane value unless
> you have 256*4 cores (1024 core box). You generally don't need to set the
> threads value higher than 8 or 16.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
threads and concurrency
by Omer Faruk SEN
Hi ,
I have an ldap server (openldap-2.4.23); in slapd.conf I set
concurrency 8192
threads 256
but when I do top -b -H -d 2 -p 25560 I always see 8 threads (it shows
9 slapd instances), not more, even if I instruct it to create 256 threads.
Is there anything that I miss?
Additionally, what is the relation of threads and concurrency? Is
there any calculation method that I must obey?
Regards.
Mapping user names from multiple attributes
by Jaap Winius
Hi folks,
My site has user accounts defined in Kerberos and LDAP. User IDs,
group IDs, given names and surnames are stored in LDAP using the
person schema object. E.g., for uid=jwinius, these are:
cn: Jaap
sn: Winius
However, I recently noticed that if I send email from a random host,
the name included with the source email address is just "Jaap" when I
would like it to be "Jaap Winius". I suspect libnss_ldap is responsible.
Is there an easy way to change how these names are mapped, so that
user names would be composed of cn + space + sn?
Thanks,
Jaap
undefined reference to `ldap_int_tls_impl' (tls2.c) ?
by Elle Y Suzuki
make is exiting with several "undefined reference to
'ldap_int_tls_impl'" error messages:
./.libs/libldap.a(tls2.o): In function `ldap_pvt_tls_ctx_free':
/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:79:
undefined reference to `ldap_int_tls_impl'
./.libs/libldap.a(tls2.o): In function `tls_init':
/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:163:
undefined reference to `ldap_int_tls_impl'
/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:163:
undefined reference to `ldap_int_tls_impl'
/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:168:
undefined reference to `ldap_int_tls_impl'
./.libs/libldap.a(tls2.o): In function `ldap_pvt_tls_check_hostname':
/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:494:
undefined reference to `ldap_int_tls_impl'
./.libs/libldap.a(tls2.o):/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:860:
more undefined references to `ldap_int_tls_impl' follow
collect2: ld returned 1 exit status
make[2]: *** [apitest] Error 1
make[2]: Leaving directory
`/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory
`/home/vmplanet/Downloads/openldap-2.4.24/libraries'
make: *** [all-common] Error 1
what is the proper way to fix this so that i might successfully make?
BACKGROUND
i am attempting to set up and install openldap 2.4.24 on a virtual
kubuntu on windows xp.
'configure' and 'make depend' appear to run successfully.
i execute the following steps:
export CPPFLAGS="-I/usr/include/nss -I/usr/include/nspr -I/usr/local/BerkeleyDB.5.0/include"
export LDFLAGS="-L/usr/lib/nss -L/usr/local/BerkeleyDB.5.0/lib"
export LD_LIBRARY_PATH="/home/vmplanet/Downloads/db-5.0.32/build_unix/.libs"
configure --enable-shell=yes --without-threads
make depend
(in case you're wondering why back-shell, i've included details in a
previous thread, http://tinyurl.com/4flbgh4. note that in that thread,
i successfully installed openldap directly on windows, but had questions
about successfully testing back-shell -- and still do.)
going back to the errors above, i note in which files this
'ldap_int_tls_impl' appears with a grep:
./libraries/libldap_r/tls2.c:40:static tls_impl *tls_imp =
&ldap_int_tls_impl;
./libraries/libldap_r/tls_g.c:1095:tls_impl ldap_int_tls_impl = {
./libraries/libldap_r/tls_o.c:1253:tls_impl ldap_int_tls_impl = {
./libraries/libldap_r/tls_m.c:3040:tls_impl ldap_int_tls_impl = {
./libraries/libldap/tls2.c:40:static tls_impl *tls_imp = &ldap_int_tls_impl;
./libraries/libldap/tls_g.c:1095:tls_impl ldap_int_tls_impl = {
./libraries/libldap/ldap-tls.h:75:extern tls_impl ldap_int_tls_impl;
Binary file ./libraries/libldap/.libs/libldap-2.4.so.2.6.0 matches
Binary file ./libraries/libldap/.libs/libldap.so matches
Binary file ./libraries/libldap/.libs/tls2.o matches
Binary file ./libraries/libldap/.libs/libldap-2.4.so.2 matches
Binary file ./libraries/libldap/.libs/libldap.a matches
Binary file ./libraries/libldap/tls2.o matches
./libraries/libldap/tls_o.c:1253:tls_impl ldap_int_tls_impl = {
./libraries/libldap/tls_m.c:3040:tls_impl ldap_int_tls_impl = {
ldap_int_tls_impl appears (defined) in the fellow tls* files above. is
this then an indication that tls2.c is not communicating or 'linked' to
its fellow tls* files or ?
the output from 'make depend' appears to show that mkdep traversed the
libldap and libldap_r subdirectories and successfully constructed the
necessary sets of include file dependencies.
admittedly, i am not altogether that familiar with (the intricacies of)
the compile/make process.
please advise; thanks in advance.
Syncrepl in openldap 2.3.43
by Michael Starling
I've been using slurpd for quite some time now with fairly good results; however, I wanted to take advantage of the newer features in syncrepl, specifically the ability to have the slave push to the master.
I was able to set this up in relatively short order using the example provided in http://www.openldap.org/doc/admin23/syncrepl.html
I start up my slave server and it does indeed grab all the database information from my master; however, I can no longer write to my master server. What am I missing from the documentation?
If I try to add a simple ldif file it fails with the following error:
[root@myserver backups]# ldapadd -f replicator-policy.ldif -x -D cn=root,dc=somedomain,dc=somedomain -W
Enter LDAP Password:
adding new entry "cn=replicate,ou=policies,dc=somedomain,dc=somedomain"
ldapadd: Server is unwilling to perform (53)
additional info: shadow context; no update referral
If I add an updateref to my slave slapd.conf pointing back to my master server the error changes to this:
[root@myserver backups]# ldapadd -f replicator-policy.ldif -x -D cn=root,dc=somedomain,dc=somedomain -W
Enter LDAP Password:
adding new entry "cn=replicate,ou=policies,dc=somedomain,dc=somedomain"
ldapadd: Referral (10)
referrals:
ldap://myserver.aa.bb.cc:389/cn=replicate,ou=policies,dc=somedomain,dc=somedomain
Master syncrepl config
#Syncrepl
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Slave syncrepl config
#SYNCREPL SETTINGS
syncrepl rid=357
provider=ldap://myserver.aa.bb.cc:389
type=refreshAndPersist
retry="60 10 300 +"
searchbase="dc=somedomain,dc=somedomain"
attrs="*,+"
bindmethod=simple
binddn="uid=replicator,ou=people,dc=somedomain,dc=somedomain"
credentials=replicatorpassword
BDB performance issue
by Amol Kulkarni
Hi All,
I'm a newbie with bdb, and I have a server not performing well: OpenLDAP shows high CPU usage and the server's iowait is high. So I got the stats from bdb, but I'm not sure what to make of them. With the help of Google I could see that the basic parameters like requested pages and locks are OK. But there are other parameters which are suspect.
The output of db_stat -c is as follows:
196 Last allocated locker ID
0x7fffffff Current maximum unused locker ID
9 Number of lock modes
1000 Maximum number of locks possible
1000 Maximum number of lockers possible
1000 Maximum number of lock objects possible
25 Number of current locks
758 Maximum number of locks at any one time
163 Number of current lockers
167 Maximum number of lockers at any one time
25 Number of current lock objects
394 Maximum number of lock objects at any one time
3609M Total number of locks requested (3609996536)
3609M Total number of locks released (3609996497)
0 Total number of locks upgraded
50 Total number of locks downgraded
3054935 Lock requests not available due to conflicts, for which we waited
0 Lock requests not available due to conflicts, for which we did not wait
14 Number of deadlocks
0 Lock timeout value
0 Number of locks that have timed out
0 Transaction timeout value
0 Number of transactions that have timed out
712KB The size of the lock region
187M The number of region locks that required waiting (56%)
The output of db_stat -m is (which looks OK to me):
1GB 869MB 672KB Total cache size
1 Number of caches
1 Maximum number of caches
1GB 869MB 672KB Pool individual cache size
0 Maximum memory-mapped file size
0 Maximum open file descriptors
0 Maximum sequential buffer writes
0 Sleep after writing maximum sequential buffers
0 Requested pages mapped into the process' address space
1535M Requested pages found in the cache (99%)
247743 Requested pages not found in the cache
5517 Pages created in the cache
247743 Pages read into the cache
3491659 Pages written from the cache to the backing file
0 Clean pages forced from the cache
0 Dirty pages forced from the cache
0 Dirty pages written by trickle-sync thread
253260 Current total page count
253253 Current clean page count
7 Current dirty page count
262147 Number of hash buckets used for page location
1535M Total number of times hash chains searched for a page (1535296125)
4 The longest hash chain searched for a page
1245M Total number of hash chain entries checked for page (1245967353)
31M The number of hash bucket locks that required waiting (0%)
30M The maximum number of times any hash bucket lock was waited for (1%)
13566 The number of region locks that required waiting (4%)
0 The number of buffers frozen
0 The number of buffers thawed
0 The number of frozen buffers freed
Are the lines in red really problems or just side effects? How do I go about it?
Thanks and Regards,
Amol.
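As an added example that is not from the thread, a small Python check that parses the db_stat -c output quoted above and reports how close the peak lock, locker and lock-object counts came to their configured maximums and what share of all lock requests had to wait on a conflict; the sample string is constructed from the lines in the post, and the label strings and regex are assumptions about db_stat's "value description (exact)" line layout.

```python
import re

# Constructed sample (added example, not the poster's full output): the
# db_stat -c lines from the post that the checks below rely on.
DB_STAT_C = """\
1000 Maximum number of locks possible
1000 Maximum number of lockers possible
1000 Maximum number of lock objects possible
758 Maximum number of locks at any one time
167 Maximum number of lockers at any one time
394 Maximum number of lock objects at any one time
3609M Total number of locks requested (3609996536)
3054935 Lock requests not available due to conflicts, for which we waited
14 Number of deadlocks
"""

# count, optional K/M/G (or KB/MB/GB for sizes), label, optional exact figure
LINE = re.compile(r"^\s*(\d+)([KMG]?B?)\s+(.*?)(?:\s+\((\d+)\))?\s*$")
SCALE = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def parse_db_stat(text):
    """Map each db_stat label to an integer count. Abbreviated counts such
    as '3609M' use the exact figure db_stat prints in parentheses when it
    is there; byte-size lines (e.g. '712KB The size of ...') are skipped."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(2).endswith("B"):
            continue
        digits, suffix, label, exact = m.groups()
        stats[label] = int(exact) if exact else int(digits) * SCALE[suffix]
    return stats

def lock_report(stats):
    """Peak usage as a percentage of each configured lock-table limit, and
    the share of all lock requests that had to wait on a conflict."""
    def pct(num, den, digits=1):
        return round(100.0 * stats[num] / stats[den], digits)
    return {
        "peak_locks_pct": pct("Maximum number of locks at any one time",
                              "Maximum number of locks possible"),
        "peak_lockers_pct": pct("Maximum number of lockers at any one time",
                                "Maximum number of lockers possible"),
        "peak_objects_pct": pct("Maximum number of lock objects at any one time",
                                "Maximum number of lock objects possible"),
        "waited_pct": pct("Lock requests not available due to conflicts, for which we waited",
                          "Total number of locks requested", digits=3),
        "deadlocks": stats["Number of deadlocks"],
    }
```

On the posted numbers the peak lock count reached 75.8% of the 1000-lock limit while only about 0.085% of lock requests had to wait, so the report separates headroom against set_lk_max-style limits from contention.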