openldap-technical February 2011

openldap-technical@openldap.org

96 participants
102 discussions

slapd will not start with inetorgperson
by Tim Dunphy 20 Feb '11

20 Feb '11

hello list!! I am building an ldap server on freebsd 8.1. For some reason if I include the inetorgperson schema in my slapd.conf slapd will not start here is the listing in slapd.conf # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/inetorgpreson.schema I do not know why this is the case as I can ls the file: [root@LBSD2:/usr/local/etc/openldap] #ls -l /usr/local/etc/openldap/schema/inetorgperson.schema -r--r--r-- 1 root wheel 6360 Feb 21 03:13 /usr/local/etc/openldap/schema/inetorgperson.schema If I comment out the inetorg schema slapd starts. And it looks like the ownership and permissions are the same as they are on the schema that is currently working: [root@LBSD2:/usr/local/etc/openldap] #ls -l /usr/local/etc/openldap/schema/core.schema -r--r--r-- 1 root wheel 20583 Feb 21 03:13 /usr/local/etc/openldap/schema/core.schema Boy would I love to get this working again! :) thanks for your help! -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

3 2

Re: ldap auth does not works after openldap upgrade
by Andrew Findlay 20 Feb '11

20 Feb '11

On Tue, Feb 15, 2011 at 04:04:57PM -0200, Leonardo Carneiro wrote: > Hmm, still did not worked. > > If i do a ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br" and the > password, the search goes ok. if i do not specify, is asks me for a sasl/md5 > authentication and fails, and just asks for a password. if i include a '-x' > parameter, also does not work: > > chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" > '(objectclass=*)' -LLL -x > ldap_initialize( ldap://192.168.0.2 ) > filter: (objectclass=*) > requesting: All userApplication attributes > No such object (32) You always need the -x flag. (You can only leave it out if you supply SASL credentials, and that is a complexity we do not need right now). It seems that anon users still cannot see the suffix entry at all. Try adding this line just under your 'lastmod off' line: access to * by * read Make sure that you restart the slapd process after doing this. Then try the search: ldapsearch -x -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)' If you still get nothing, set SLAPD_OPTIONS="-d 128" in /etc/default/slapd and restart the server. It should not go into the background, and should produce some output on the screen. DO NOT REBOOT with this setting in place. Now retry just the search above, and post the debug output along with the new state of the slapd config file. Remove the "-d 128" again. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

8 30

Slapd Security based on port
by Chris Jackson 20 Feb '11

20 Feb '11

Is it possible to prevent anonymous and unauthenticated binds to ldaps:// 636 but allow them on ldap:// 389? I want to allow staff to query my ldaps:// outside of my network while requiring them to login to do so but allow anyone to bind (anonymous, unauthenticated, or authenticated) internally on ldaps//: 389. I know: Anonymous bind can be disabled by "disallow bind_anon" and Unauthenticated bind mechanism is disabled by default. But if I use "disallow bind_anon it stops in on both ports. I want to stop it just on ldaps://. Chris Jackson

8 13

Ldap with GroupOfUniqueNames + PosixGroups
by Alejandro Gándara Álvarez 20 Feb '11

20 Feb '11

Hi list, I´m using slapd 2.4.11-1+lenny1, until now I was being using posixgroup as objectclass for my groups, now we need to integrate ldap with a new application which requires GroupofUniquesnames as objectclass. My question is, can I have mix groups?. I mean, a group with two objectclass as posixgroup and GroupofUniquenames. I´ve tried but I always get errors because of conflict with both objectclass. And I cant delete posixgroup objectclass because I need it to integrate with samba and other services. Could someone head me to the right way? Thanks for all Alejandro Gándara

3 5

Re: threads and concurrency
by Omer Faruk SEN 19 Feb '11

19 Feb '11

Hi, This system has 32 GB of RAM additionally OS is RHEL 5. And this system is 16 core. I see new threads are created as the load increases and I have re-checked my system and thread count is now 28. So I think at most 32 threads is fine for me Regards. On Sun, Feb 20, 2011 at 5:03 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Saturday, February 19, 2011 6:32 PM -0800 Howard Chu <hyc(a)symas.com> > wrote: > >> Omer Faruk SEN wrote: >>> >>> Hi , >>> >>> I have and ldap server (openldap-2.4.23 ) in slapd.conf I set >>> >>> concurrency 8192 >>> threads 256 > >> Keep in mind that each thread uses a thread stack of 4MB on 32 bit >> systems, 8MB on 64 bit systems. So you're looking at 1-2GB of RAM >> dedicated to the threads with a setting like this. Make sure you don't >> configure more threads than you have RAM for... > > I would add that your threads setting is likely a rather insane value unless > you have 256*4 cores (1024 core box). You generally don't need to set the > threads value higher than 8 or 16. > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

threads and concurrency
by Omer Faruk SEN 19 Feb '11

19 Feb '11

Hi , I have and ldap server (openldap-2.4.23 ) in slapd.conf I set concurrency 8192 threads 256 but when I do top -b -H -d 2 -p 25560 I always see 8 threads ( show 9 slapd instances) not more even if I instruct to create 256 threads. Is there anything that I miss? Additionally what is the releation of threads and concurrency. Is there any calculation method that I must obey? Regards.

3 2

Mapping user names from multiple attributes
by Jaap Winius 19 Feb '11

19 Feb '11

Hi folks, My site has user accounts defined in Kerberos and LDAP. User IDs, group IDs, given names and surnames are stored in LDAP using the person schema object E.g. for uid=jwinius, these are: cn: Jaap sn: Winius However, I recently noticed that if I send email from a random host, the name included with the source email address is just "Jaap" when I would like it to be "Jaap Winius". I suspect libnss_ldap is responsible. Is there an easy way to change how these names are mapped, so that user names would be composed of cn + space + sn? Thanks, Jaap

2 1

undefined reference to `ldap_int_tls_impl' (tls2.c) ?
by Elle Y Suzuki 18 Feb '11

18 Feb '11

make is exiting with several "undefined reference to 'ldap_int_tls_impl'" error messages: ./.libs/libldap.a(tls2.o): In function `ldap_pvt_tls_ctx_free': /home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:79: undefined reference to `ldap_int_tls_impl' ./.libs/libldap.a(tls2.o): In function `tls_init': /home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:163: undefined reference to `ldap_int_tls_impl' /home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:163: undefined reference to `ldap_int_tls_impl' /home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:168: undefined reference to `ldap_int_tls_impl' ./.libs/libldap.a(tls2.o): In function `ldap_pvt_tls_check_hostname': /home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:494: undefined reference to `ldap_int_tls_impl' ./.libs/libldap.a(tls2.o):/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap/tls2.c:860: more undefined references to `ldap_int_tls_impl' follow collect2: ld returned 1 exit status make[2]: *** [apitest] Error 1 make[2]: Leaving directory `/home/vmplanet/Downloads/openldap-2.4.24/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/home/vmplanet/Downloads/openldap-2.4.24/libraries' make: *** [all-common] Error 1 what is the proper way to fix this so that i might successfully make? BACKGROUND i am attempting to set up and install openldap 2.4.24 on a virtual kubuntu on windows xp. 'configure' and 'make depend' appear to run successfully. i execute the following steps: export CPPFLAGS="-I/usr/include/nss -I/usr/include/nspr -I/usr/local/BerkeleyDB.5.0/include" export LDFLAGS="-L/usr/lib/nss -L/usr/local/BerkeleyDB.5.0/lib" export LD_LIBRARY_PATH="/home/vmplanet/Downloads/db-5.0.32/build_unix/.libs" configure --enable-shell=yes --without-threads make depend (in case you're wondering why back-shell, i've included details in a previous thread, http://tinyurl.com/4flbgh4. note that in that thread, i successfully installed openldap directly on windows, but had questions about successfully testing back-shell -- and still do.) going back to the errors above, i note in which files this 'ldap_int_tls_impl' appears with a grep: ./libraries/libldap_r/tls2.c:40:static tls_impl *tls_imp = &ldap_int_tls_impl; ./libraries/libldap_r/tls_g.c:1095:tls_impl ldap_int_tls_impl = { ./libraries/libldap_r/tls_o.c:1253:tls_impl ldap_int_tls_impl = { ./libraries/libldap_r/tls_m.c:3040:tls_impl ldap_int_tls_impl = { ./libraries/libldap/tls2.c:40:static tls_impl *tls_imp = &ldap_int_tls_impl; ./libraries/libldap/tls_g.c:1095:tls_impl ldap_int_tls_impl = { ./libraries/libldap/ldap-tls.h:75:extern tls_impl ldap_int_tls_impl; Binary file ./libraries/libldap/.libs/libldap-2.4.so.2.6.0 matches Binary file ./libraries/libldap/.libs/libldap.so matches Binary file ./libraries/libldap/.libs/tls2.o matches Binary file ./libraries/libldap/.libs/libldap-2.4.so.2 matches Binary file ./libraries/libldap/.libs/libldap.a matches Binary file ./libraries/libldap/tls2.o matches ./libraries/libldap/tls_o.c:1253:tls_impl ldap_int_tls_impl = { ./libraries/libldap/tls_m.c:3040:tls_impl ldap_int_tls_impl = { ldap_int_tls_impl appears (defined) in the fellow tls* files above. is this then an indication that tls2.c is not communicating or 'linked' to its fellow tls* files or ? the output from 'make depend' appears to show that mkdep traversed the libldap and libldap_r subdirectories and successfully constructed the necessary sets of include file dependencies. admittedly, i am not altogether that familiar with (the intricacies of) the compile/make process. please advise; thanks in advance.

2 1

Syncrepl in openldap 2.3.43
by Michael Starling 18 Feb '11

18 Feb '11

I've been using slurpd for quite some time now with fairly good results however I wanted to take advantage of the newer features in syncrepl. Specifically the ability to have the slave push to the master. I was able to set this up in relative short order using the example provided in http://www.openldap.org/doc/admin23/syncrepl.html I start up my slave server and it does indeed grab all the database information from my master, however I can no longer write to my master server. What am i missing from the documentation? If I try to add a simple ldif file it fails with the following error: [root@myserver backups]# ldapadd -f replicator-policy.ldif -x -D cn=root,dc=somedomain,dc=somedomain -W Enter LDAP Password: adding new entry "cn=replicate,ou=policies,dc=somedomain,dc=somedomain" ldapadd: Server is unwilling to perform (53) additional info: shadow context; no update referral If I add an updateref to my slave slapd.conf pointing back to my master server the error changes to this: [root@myserver backups]# ldapadd -f replicator-policy.ldif -x -D cn=root,dc=somedomain,dc=somedomain -W Enter LDAP Password: adding new entry "cn=replicate,ou=policies,dc=somedomain,dc=somedomain" ldapadd: Referral (10) referrals: ldap://myserver.aa.bb.cc:389/cn=replicate,ou=policies,dc=somedomain,dc=somedomain Master syncrepl config #Syncrepl overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 Slave syncrepl config #SYNCREPL SETTINGS syncrepl rid=357 provider=ldap://myserver.aa.bb.cc:389 type=refreshAndPersist retry="60 10 300 +" searchbase="dc=somedomain,dc=somedomain" attrs="*,+" bindmethod=simple binddn="uid=replicator,ou=people,dc=somedomain,dc=somedomain" credentials=replicatorpassword

3 5

BDB performance issue
by Amol Kulkarni 18 Feb '11

18 Feb '11

Hi All, I'm a newbie with bdb - and I have a server not performing well - openldap shows high cpu usage and iowait of server is high. So I got stats of bdb but I'm not sure what to make out of it. With help of google I could see that the basic parameters like requested pages and locks are ok. But there are other parameters which are suspect. The output of db_stat -c is as follows : 196 Last allocated locker ID 0x7fffffff Current maximum unused locker ID 9 Number of lock modes 1000 Maximum number of locks possible 1000 Maximum number of lockers possible 1000 Maximum number of lock objects possible 25 Number of current locks 758 Maximum number of locks at any one time 163 Number of current lockers 167 Maximum number of lockers at any one time 25 Number of current lock objects 394 Maximum number of lock objects at any one time 3609M Total number of locks requested (3609996536) 3609M Total number of locks released (3609996497) 0 Total number of locks upgraded 50 Total number of locks downgraded 3054935 Lock requests not available due to conflicts, for which we waited 0 Lock requests not available due to conflicts, for which we did not wait 14 Number of deadlocks 0 Lock timeout value 0 Number of locks that have timed out 0 Transaction timeout value 0 Number of transactions that have timed out 712KB The size of the lock region 187M The number of region locks that required waiting (56%) The output of dbstat -m is ( which looks ok to me ) 1GB 869MB 672KB Total cache size 1 Number of caches 1 Maximum number of caches 1GB 869MB 672KB Pool individual cache size 0 Maximum memory-mapped file size 0 Maximum open file descriptors 0 Maximum sequential buffer writes 0 Sleep after writing maximum sequential buffers 0 Requested pages mapped into the process' address space 1535M Requested pages found in the cache (99%) 247743 Requested pages not found in the cache 5517 Pages created in the cache 247743 Pages read into the cache 3491659 Pages written from the cache to the backing file 0 Clean pages forced from the cache 0 Dirty pages forced from the cache 0 Dirty pages written by trickle-sync thread 253260 Current total page count 253253 Current clean page count 7 Current dirty page count 262147 Number of hash buckets used for page location 1535M Total number of times hash chains searched for a page (1535296125) 4 The longest hash chain searched for a page 1245M Total number of hash chain entries checked for page (1245967353) 31M The number of hash bucket locks that required waiting (0%) 30M The maximum number of times any hash bucket lock was waited for (1%) 13566 The number of region locks that required waiting (4%) 0 The number of buffers frozen 0 The number of buffers thawed 0 The number of frozen buffers freed Are the lines in red really prbs or just side effects ? How do I go abt it ? Thanks and Regards, Amol.

2 1

← Newer
1
2
3
4
5
6
7
...
11
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2011