nested dyn groups (planned?)
by Christoph Kaminski
Hi all...
I know it is not possible to use nested dynamic groups (dyn group
inside dyn group via labeledURI attribute), but is it planned for a
release in the future?
--
Greetz
11 years, 2 months
How to turn on LDAP_DEVEL flag?
by Коновалов Андрей Александрович
I want to test component matching support in OpenLDAP 2.4.24, but it is masked by LDAP_DEVEL flag, which is turned on only when LDAP_VENDOR_VERSION=0. So... could you tell me please, how to turn on LDAP_DEVEL directly in a proper way?
11 years, 2 months
OpenLDAP reports busy and hangs
by Frank Budde
Hi,
with OpenLDAP 2.4.22 on Solaris 10 we discovered the following situation:
from time to time the slapd log file contains the message
"daemon: select: listen=7 busy"
while ldap continues to operate normally.
After 7 days of operation suddenly ldap does not respond any more and keeps printing "daemon: select: listen=7 busy".
Log file shows:
daemon: select: listen=7 busy
daemon: listen=7, new connection on 30
daemon: activity on 1 descriptor
daemon: waked
daemon: added 30r (active) listener=0
conn=5656 fd=30 ACCEPT from IP=192.168.200.131:40993 (IP=192.168.200.16:9929)
daemon: select: listen=7 active_threads=1 tvp=zero
daemon: activity on 2 descriptors
daemon: waked
daemon: select: listen=7 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 30r
daemon: read activity on 30
daemon: select: listen=7 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: waked
conn=5656 op=0 BIND dn="cn=ldapadmin,dc=abc,dc=com" method=128
daemon: select: listen=7 active_threads=1 tvp=zero
conn=5656 op=0 BIND dn="cn=ldapadmin,dc=abc,dc=com" mech=SIMPLE ssf=0
conn=5656 op=0 RESULT tag=97 err=0 text=
daemon: activity on 1 descriptor
daemon: activity on: 30r
daemon: read activity on 30
daemon: select: listen=7 active_threads=1 tvp=zero
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=7 active_threads=1 tvp=zero
conn=5656 op=1 SRCH base="ou=users,dc=abc,dc=com" scope=1 deref=3 filter="(uid=abcservice-prd)"
daemon: activity on 1 descriptor
daemon: select: listen=7 busy
daemon: select: listen=7 busy
daemon: select: listen=7 busy
daemon: select: listen=7 busy
slapd.conf contains
gentlehup on
idletimeout 15
conn_max_pending 10
conn_max_pending_auth 30
My question: How can the problem be solved or reproduced?
The problem comes up in production environment and I need to reproduce it in test environment. How can this be done?
(If the problem can be reproduced with 2.4.22 I will try it with ldap 2.4.24.)
Thanks for any help,
/Frank
11 years, 2 months
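Added example, not part of the original post or of OpenLDAP: a small log check that separates the two situations described above, an isolated "busy" line followed by normal activity versus a log that ends in an unbroken run of "busy" lines. The sample log excerpts are constructed from the lines quoted in the post, and the threshold of 3 is an assumption to be tuned to the local logging rate.

```python
import re

# Matches the listener message quoted in the post, with or without a syslog prefix.
BUSY_RE = re.compile(r"daemon: select: listen=(\d+) busy\s*$")

def busy_runs(lines):
    """Return (listener_fd, run_length, first_line_no) for every run of
    consecutive 'busy' lines on the same listener. Blank lines are ignored."""
    lines = [l for l in lines if l.strip()]
    runs, current = [], None          # current = [fd, length, start]
    for no, line in enumerate(lines, start=1):
        m = BUSY_RE.search(line)
        fd = int(m.group(1)) if m else None
        if current and fd == current[0]:
            current[1] += 1           # same listener, run continues
            continue
        if current:
            runs.append(tuple(current))
            current = None
        if fd is not None:
            current = [fd, 1, no]     # a new run starts here
    if current:
        runs.append(tuple(current))
    return runs

def looks_hung(lines, threshold=3):
    """True when the log ends in a run of at least `threshold` busy lines,
    i.e. nothing else was logged after the listener went busy."""
    lines = [l for l in lines if l.strip()]
    runs = busy_runs(lines)
    if not runs:
        return False
    _fd, length, start = runs[-1]
    return start + length - 1 == len(lines) and length >= threshold

# Constructed sample: one busy line, then slapd keeps serving connections.
TRANSIENT_LOG = """\
daemon: select: listen=7 busy
daemon: listen=7, new connection on 30
conn=5656 op=1 SRCH base="ou=users,dc=abc,dc=com" scope=1 deref=3 filter="(uid=abcservice-prd)"
daemon: activity on 1 descriptor
""".splitlines()

# Constructed sample: the same lines followed by the unbroken busy run.
HUNG_LOG = TRANSIENT_LOG + ["daemon: select: listen=7 busy"] * 4

if __name__ == "__main__":
    print(busy_runs(HUNG_LOG), looks_hung(HUNG_LOG), looks_hung(TRANSIENT_LOG))
```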
"hidden" attributes in openldap?
by George Mamalakis
Hi everybody,
I hope I am sending this email to the correct mailing list, if not
please excuse me.
I am trying to find a way to hide/unhide attributes on my DIT
(openldap-2.4.21) and I cannot find a way to do this. What I mean by
hide/unhide is that I want specific attributes to be listed with
ldapsearch only if the owner of the records agrees. I did not find any
feature that does this "automatically", so I tried to implement it
through acls. I created a group called i.e. "cn=publish
mail,ou=Groups,dc=example,dc=com" where people wishing to disclose their
emails are members of this group. On the acl statement I couldn't find a
way to restrict my acl based on "conditional attributes".
Is there a way to support such a behavior (maybe through an additional
overlay, or oclAccess, etc)?
If someone knows an answer I would be delighted to know so.
Thank you all for your time in advance,
mamalos
PS. I have submitted a similar question to an "ldap programmers" forum,
because I thought that openldap lists don't support such questions.
Nevertheless, I found analogous questions being asked on this list by
googling, so I thought I should give it a try.
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
11 years, 2 months
Undefined reference to ber_* with 2.4.24
by frank.offermanns@caseris.de
Hello,
I am able to compile OpenLDAP 2.4.23 with Berkeley DB 4.8.30 with MSYS and
windows with configure params:
configure --prefix=/mingw --enable-acceslog --with-tls
But if I try to compile OpenLDAP 2.4.24 I get several undefined references
to ber_* functions when liblutil is built.
Did I miss a change in the way to build OpenLDAP 2.4.24?
Best regards,
Frank Offermanns
11 years, 2 months
PANIC: bdb fatal region
by ldap@mm.st
I am rebuilding our aging pre 2.2 openldap servers that ran ldbm
backend and slurpd. We ran this setup without any issues for many
years.
The new setup is:
RH5
openldap 2.3.43 (Stock RH)
bdb backend 4.4.20 (Stock RH)
Entries in db- about 1820
LDIF file is about 1.2M
Memory- Master 4GB Slave 2GB (will add two more slaves)
Database section of slapd.conf:
database bdb
suffix "o=example.com"
rootdn "cn=root,o=example.com"
rootpw {SSHA} .....
cachesize 1900
checkpoint 512 30
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid,uniqueMember eq
index cn,mail,surname,givenname eq,subinitial
DB_CONFIG:
set_cachesize 0 4153344 1
set_lk_max_objects 1500
set_lk_max_locks 1500
set_lk_max_lockers 1500
set_lg_regionmax 1048576
set_lg_bsize 32768
set_lg_max 131072
set_lg_dir /var/lib/ldap
set_flags DB_LOG_AUTOREMOVE
This new setup appeared to work great for the last 10 days or so. I was
able to authenticate clients, add records etc. Running slapd_db_stat -m
and slapd_db_stat -c seem to indicate everything was ok. Before I put
this setup into production, I got slurpd to function. Then decided to
disable slurpd to use syncrepl in refreshonly mode. This also seemed to
work fine. I'm not sure if the replication started this or not, but
wanted to include all the events that led up to this. I have started to
get:
bdb(o=example.com): PANIC: fatal region error detected; run recovery
On both servers at different times. During this time slapd continues to
run which seems to confuse clients that try to use it and they will not
try the other server that is listed in ldap.conf. To recover I did:
service ldap stop, slapd_db_recover -h /var/lib/ldap, service ldap
start.
I then commented all the replication stuff out in the slapd.conf and
restarted ldap. It will run for a while (varies 5 minutes - ?) then I
get the same errors and clients are unable to authenticate. On one of
the servers I deleted all the files (except DB_CONFIG) and did a
slapadd of a ldif file that I generated every night (without stopping
slapd). Same results once I started slapd again. I have enabled debug
for slapd and have not seen anything different, I attached gdb to the
running slapd and no errors are noted. I even copied a backup copy of
slapd.conf prior to the replication settings (even though they are
commented out) thinking that maybe something in there was causing it..
Then after several recoveries as described above the systems seem to be
working again. One has not generated the error for over 5.5 hours
the other has not had any problems for 2 hours. For some reason after
that period when the errors showed up for a while, things seem to be
working again, at least for now.
I'm nervous about putting this into production until I can get this to
function properly without these issues. During the 10 day period with
everything working good, the slave would occasionally (rarely) get the
error and I would do a recovery, but we thought this was due to possible
hardware problems. Now I'm not so sure.
I have a monitor script that runs slapd_db_stat -m and -c every 5
minutes and nothing seems wrong there, as far as I can tell. I'm hoping
someone can help me determine possible causes or things to look at.
11 years, 2 months
Re: syncrepl consumer with several providers, is it working?
by LALOT Dominique
Hi Quanah,
OK, that's not so easy to migrate large infrastructures, but if you don't
see other problems (about our setup), we will migrate our providers to the
same version. I'm surprised, replication should be stable for years and in
the real world you can't have all your servers at the same level. We are
lucky that we can do that, sometimes, it's not possible.
Thanks
Dom
2011/3/16 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Wednesday, March 16, 2011 4:13 PM +0100 LALOT Dominique <
> dom.lalot(a)gmail.com> wrote:
>
> Hello,
>>
>> I'm a little bit worried about that mail and the fact that our setup is
>> getting out of sync sometimes.
>> http://www.openldap.org/lists/openldap-software/200505/msg00324.html
>>
>> versions: the providers are all 2.4. The consumer is 2.4.23, some
>> providers 2.4.21 one 2.4.11
>>
>
> Running multiple different versions on your master is a great way to ensure
> things will not work properly. I don't know why you are surprised at having
> problems.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
Dominique LALOT
Ingénieur Systèmes et Réseaux
http://annuaire.univmed.fr/showuser.php?uid=lalot
11 years, 2 months
multi-master and consumers
by Troy Knabe
I have a couple of master ldap servers and several consumer ldap servers. Can I set it up so that both masters sync to the consumers? That way if I lose a master, my consumers would all still be updated?
Thanks
-Troy
11 years, 2 months