openldap-technical March 2011

openldap-technical@openldap.org

102 participants
107 discussions

Any consideration while designing schema
by sim123 17 Mar '11

17 Mar '11

Hi, I am in process of designing schema for my recent project with really basic skill set and found this article really interesting : http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/ldap-schema-… I am wondering what all things one should really keep in mind before putting LDAP schema together and in general what could cause potential overhead or considered BAD design ? Also would love to know if there is any other article/ book addressing my concerns. Thanks for the help and support.

3 4

nested dyn groups (planed?)
by Christoph Kaminski 17 Mar '11

17 Mar '11

Hi all... I know it is not possible to use nested dynamic groups (dyn group inside dyn group via labeledURI attribute) but it is planed for a release in the future? -- Greetz

1 0

How to turn on LDAP_DEVEL flag?
by Коновалов Андрей Але ксандрович 17 Mar '11

17 Mar '11

I want to test component matching support in OpenLDAP 2.4.24, but it is masked by LDAP_DEVEL flag, which is turned on only when LDAP_VENDOR_VERSION=0. So... could you tell me please, how to turn on LDAP_DEVEL directly in a proper way?

3 3

OpenLDAP reports busy and hangs
by Frank Budde 17 Mar '11

17 Mar '11

Hi, with OpenLDAP 2.4.22 on Solaris 10 we discovered following situation: from time to time the slapd log file contains message "daemon: select: listen=7 busy" while ldap continues to operate normally. After 7 days of operation suddenly ldap does not respond any more and keeps printing "daemon: select: listen=7 busy". Log file shows: daemon: select: listen=7 busy daemon: listen=7, new connection on 30 daemon: activity on 1 descriptor daemon: waked daemon: added 30r (active) listener=0 conn=5656 fd=30 ACCEPT from IP=192.168.200.131:40993 (IP=192.168.200.16:9929) daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 2 descriptors daemon: waked daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 30r daemon: read activity on 30 daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 1 descriptor daemon: waked conn=5656 op=0 BIND dn="cn=ldapadmin,dc=abc,dc=com" method=128 daemon: select: listen=7 active_threads=1 tvp=zero conn=5656 op=0 BIND dn="cn=ldapadmin,dc=abc,dc=com" mech=SIMPLE ssf=0 conn=5656 op=0 RESULT tag=97 err=0 text= daemon: activity on 1 descriptor daemon: activity on: 30r daemon: read activity on 30 daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 1 descriptor daemon: waked daemon: select: listen=7 active_threads=1 tvp=zero conn=5656 op=1 SRCH base="ou=users,dc=abc,dc=com" scope=1 deref=3 filter="(uid=abcservice-prd)" daemon: activity on 1 descriptor daemon: select: listen=7 busy daemon: select: listen=7 busy daemon: select: listen=7 busy daemon: select: listen=7 busy slapd.conf contains gentlehup on idletimeout 15 conn_max_pending 10 conn_max_pending_auth 30 My question: How can the problem be solved or reproduced? The problem comes up in production environment and I need to reproduce it in test environment. How can this be done? (If the problem can be reproduced with 2.4.22 I will try it with ldap 2.4.24.) Thanks for any help, /Frank -- Schon gehört? GMX hat einen genialen Phishing-Filter in die Toolbar eingebaut! http://www.gmx.net/de/go/toolbar

2 1

"hidden" attributes in openldap?
by George Mamalakis 17 Mar '11

17 Mar '11

Hi everybody, I hope I am sending this email to the correct mailing list, if not please excuse me. I am trying to find a way to hide/unhide attributes on my DIT (openldap-2.4.21) and I cannot find a way to do this. What I mean by hide/unhide is that I want specific attributes to be listed with ldapsearch only if the owner of the records agrees. I did not find any feature that does this "automatically", so I tried to implement it through acls. I created a group called i.e. "cn=publish mail,ou=Groups,dc=example,dc=com" where people wishing to disclose their emails are members of this group. On the acl statement I couldn't find a way to restrict my acl based on "conditional attributes". Is there a way to support such a behavior (maybe through an additional overlay, or oclAccess, etc)? If someone knows an answer I would be delighted to know so. Thank you all for your time in advance, mamalos PS. I have submitted a similar question to an "ldap programmers" forum, because I thought that openldap lists don't support such questions. Nevertheless, I found analogous questions being asked on this list by googling, so I thought I should give it a try. -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379

3 6

Undefined reference to ber_* with 2.4.24
by frank.offermanns＠caseris.de 17 Mar '11

17 Mar '11

Hello, I am able to compile OpenLDAP 2.4.23 with Berkeley DB 4.8.30 with MSYS and windows with configure params: configure --prefix=/mingw --enable-acceslog --with-tls But if I try to compile OpenLDAP 2.4.24 I get several undefined references to ber_* functions when liblutil is build. Did I miss a change in the way to build OpenLDAP 2.4.24? Best regards, Frank Offermanns

2 1

PANIC: bdb fatal region
by ldap＠mm.st 17 Mar '11

17 Mar '11

I am rebuilding our aging pre 2.2 openldap servers that ran ldbm backend and slurpd. We ran this setup without any issues for many years. The new setup is: RH5 openldap 2.3.43 (Stock RH) bdb backend 4.4.20 (Stock RH) Entries in db- about 1820 LDIF file is about 1.2M Memory- Master 4GB Slave 2GB (will add two more slaves) Database section of slapd.conf: database bdb suffix "o=example.com" rootdn "cn=root">cn=root">cn=root">cn=root,o=example.com" rootpw {SSHA} ..... cachesize 1900 checkpoint 512 30 directory /var/lib/ldap index objectClass,uid,uidNumber,gidNumber,memberUid,uniqueMember eq index cn,mail,surname,givenname eq,subinitial DB_CONFIG: set_cachesize 0 4153344 1 set_lk_max_objects 1500 set_lk_max_locks 1500 set_lk_max_lockers 1500 set_lg_regionmax 1048576 set_lg_bsize 32768 set_lg_max 131072 set_lg_dir /var/lib/ldap set_flags DB_LOG_AUTOREMOVE This new setup appeared to work great for the last 10 days or so. I was able to authenticate clients, add records etc. Running slapd_db_stat -m and slapd_db_stat -c seem to indicate everything was ok. Before I put this setup into production, I got slurpd to function. Then decided to disable slurpd to use syncrepl in refreshonly mode. This also seemed to work fine. I'm not sure if the replication started this or not, but wanted to include all the events that let up to this. I have started to get: bdb(o=example.com): PANIC: fatal region error detected; run recovery On both servers at different times. During this time slapd continues to run which seems to confuse clients that try to use it and they will not try the other server that is listed in ldap.conf. To recover I did: service ldap stop, slapd_db_recover -h /var/lib/ldap, service ldap start. I then commented all the replication stuff out in the slapd.conf and restarted ldap. It will run for a while (varies 5 minutes - ?) then I get the same errors and clients are unable to authenticate. On one of the servers I deleted all the files (except DB_CONFIG) and did a slapadd of a ldif file that I generated every night (without stopping slapd). Same results once I started slapd again. I have enabled debug for slapd and have not seen anything different, I attached gdb to the running slapd and no errors are noted. I even copied a backup copy of slapd.conf prior to the replication settings (even though they are commented out) thinking that maybe something in there was causing it.. Then after several recoveries as described above the systems seem to be working again. One has not generated the error for for over 5.5 hours the other has not had any problems for 2 hours. For some reason after that period when the errors showed up for a while, things seem to be working again, at least for now. I'm nervous about putting this into production until I can get this to function properly without these issues. During the 10 day period with everything working good, the slave would occasional (rarely) get the error and I would do a recovery, but we thought this was due to possible hardware problems. Now I'm not so sure. I have a monitor script that runs slapd_db_stat -m and -c every 5 minutes and nothing seems wrong there, I far as I can tell. I'm hoping someone can help me determine possible causes or things to look at.

3 2

Re: syncrepl consumer with several providers, is it working?
by LALOT Dominique 17 Mar '11

17 Mar '11

Hi Quanah, OK, that's not so easy to migrate large infrastructures, but if you don't see other problems (about our setup), we will migrate our providers to the same version. I'm surprised, replication should be stable for years and in the real world you can't have all your servers at the same level. We are lucky that we can do that, sometimes, it's not possible. Thanks Dom 2011/3/16 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Wednesday, March 16, 2011 4:13 PM +0100 LALOT Dominique < > dom.lalot(a)gmail.com> wrote: > > Hello, >> >> I'm a little bit worried about that mail and the fact that our setup is >> getting out of sync sometimes. >> http://www.openldap.org/lists/openldap-software/200505/msg00324.html >> >> versions: the providers are all 2.4. The consumer is 2.4.23, some >> providers 2.4.21 one 2.4.11 >> > > Running multiple different versions on your master is a great way to ensure > things will not work properly. I don't know why you are surprised at having > problems. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot

1 0

multi-master and consumers
by Troy Knabe 16 Mar '11

16 Mar '11

I have a couple of master ldap servers and several consumer ldap servers. Can I set it up so that both masters sync to the consumers? That way if I lose a master, my consumers would all still be updated? Thanks -Troy

2 1

Can system schema attribute matching rules be overwritten?
by LIM Chin Ho 15 Mar '11

15 Mar '11

Hi, Say for eg, the attribute cn, it is default to caseIgnoreMatch by openldap, can we overwrite it to caseExactMatch in our own schema? Or there is no way to do it. Thanks! Chinho

1 0

← Newer
1
...
4
5
6
7
8
9
10
11
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2011