openldap-technical April 2011

openldap-technical@openldap.org

97 participants
98 discussions

slapo-accesslog
by Tim Gustafson 12 Apr '11

12 Apr '11

Hi, I was wondering if there was an overlay that worked somewhat like the slapo-accesslog overlay, but instead of logging the information to another OpenLDAP database, I'd like the data to be written to a CSV file or something similar. Does such a beast exist? Tim Gustafson Baskin School of Engineering UC Santa Cruz tjg(a)soe.ucsc.edu 831-459-5354

3 6

Optimization help
by Chris Jackson 12 Apr '11

12 Apr '11

What can I do to maximize the performance of my setup? System has 16gb of ram. OpenLDAP 2.4.19-15 Import LDIF is 4,611,156 bytes. Backend is BDB. du -c -h *.bdb 6.5M cn.bdb 8.0K displayName.bdb 1.9M dn2id.bdb 3.3M givenName.bdb 17M id2entry.bdb 5.6M mail.bdb 740K objectClass.bdb 7.5M ou.bdb 3.2M sn.bdb 3.4M uid.bdb 8.0K uidNumber.bdb 48M total Portion of slapd.conf: database bdb checkpoint 1024 15 ##threads 8 cachesize 100000 idlcachesize 300000 ***no dncachesize (default infinite) Current DB_CONFIG: # one 0.25 GB cache ##set_cachesize 0 268435456 1 set_cachesize 1 0 1 # Data Directory #set_data_dir db # Transaction Log settings set_lg_regionmax 262144 set_lg_bsize 2097152 #set_lg_dir logs

2 2

access control for opattrs (memberof overlay)
by Peter Schober 12 Apr '11

12 Apr '11

How do I control access to operational attributes, in this case memberOf by the eponymous overlay? While I can put an index on 'memberOf' I can't seem to use it in an <attrlist> as part of an ACL: unknown attr "memberOf" in to clause (This is on 2.4.22 with all default settings for the memberof overlay and on a syncrepl consumer. The Changelog up to 2.4.25 does not show relevant issues from ITS, AFAICT.) Neither the slapd.access man page, FAQ or admin guide were of help wrt controlling access to operational attributes (but I may have overlooked something). (I also tried giving access to the 'entry' pseudo attribute, which didn't change the behaviour). How then are people controlling access to group memberships as provided by the memberof overlay? cheers, -peter

2 2

Re: Large "dynamic" groups and performance
by Al 11 Apr '11

11 Apr '11

>> cachesize 500000 > >> ###### DB_CONFIG > >> set_cachesize 2 0 1 >> set_flags DB_TXN_NOSYNC >> set_lg_bsize 5097152 >> set_lg_max 50485760 > > > You never state the size of your database (how many dns), or the disk size of your database (du -c -h *.bdb), so there is no way to tell if these settings are in any way valid. Thanks for getting back to me, I'm new here :) - here is some more data: Approximately 450,000 dns - about 200+/- are groups, the rest are users. du output: 163M cn.bdb 92M dn2id.bdb 415M id2entry.bdb 3.7M objectClass.bdb 16M uid.bdb 16M uniqueMember.bdb 703M total > I don't see a checkpoint setting for slapd.conf/cn=config, and I don't see an idlcachesize setting. I added those as well, no noticeable change in performance: cachesize 500000 idlcachesize 500000 checkpoint 10000 15 > Also, you are definitely not using "dynamic" groups in the OpenLDAP sense of the word, although they would probably perform significantly better for you. Yes, I understand that - thats why I put it in quotes. I looked into using OpenLDAP dynamic lists, but I think I'm limited by the fact that some of our systems requiring these groups need to do searchs off of it based on the dynamic membership (and from what I can tell, its not possible to use it that way), ie they need to search for (uniquemember=cn=xxxx,cn=users,...) on my group section of the tree. I'll openly admit some of the values I have been picking for caching and checkpoint are somewhat arbitrary. I've been trying many different values and have yet to settle on any that work well. I'll gladly try any recommendations. Thanks again, I appreciate your response. Al

3 2

Question about conversion from SunOne to OpenLDAP
by Elizabeth Good 11 Apr '11

11 Apr '11

Hello, I've been searching for information for about 2 days on how to convert a SunOne 5.2 ldif file to allow it for use with OpenLDAP 2.3.43. I'm trying to add the 99user.ldif file, which has our schema extension. When I try to do an ldapadd, I receive syntax errors: ldapadd -x -f 99user_new.ldif -D "cn=Directory Manager,o=xxxxx,c=xxxxx" -W adding new entry "cn=schema" ldapadd: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax I have already made a few syntax changes: attributeTypes to attributetype objectClasses to objectclass But still I'm receiving errors. I'm sure other people must have done something similar, but I've not been able to find anything. So, I would really appreciate some assistance. Thanks, --Beth [cid:image001.gif@01CBF853.69250940]<http://www.fuqua.duke.edu/>Beth Good Database Administrator (Oracle, SQL Server, Postgres) Duke University's Fuqua School of Business<http://www.fuqua.duke.edu/> 100 Fuqua Drive, Box 90120, Durham, NC 27708-0120 USA Tel +1.919.381.7625 | Fax +1.919.684.8620 Watch our video at www.fuqua.duke.edu/wakeup<http://www.fuqua.duke.edu/wakeup>

2 1

Large "dynamic" groups and performance
by Al 11 Apr '11

11 Apr '11

Hi All - We are currently attempting to migrate from a commercial LDAP server to OpenLDAP. Luckily our data is pretty standard, and the migration itself will be simple. I am having issues with our groups that programatically have large numbers of adds and deletes done to its member list. This transaction happens when a user logs into our website (the login mechanism compares their current groups with what they should have (from an external DB query) and makes the necessary adjustments). Other applications then use these groups for permissions. We are using the basic uniquemember within a groupOfUniqueNames. Uniquemember is indexed with equality. When the groups are small, performance is quite good - but once the groups begin growing, the adds and deletes of the members really starts suffering ( greater than 2 - 3 seconds per person). The reads still seem good. On our existing LDAP store, we see response times of less than a second for this same transaction. We have about 175 groups, that range in size from 10 members to 50,000 members. Most of the groups are around 1,000 members. I can go into more detail of the exact sizes if needed. I have a very basic configuration right now for testing. I've messed around with different transaction log settings, different caching settings and even played with DB_TXN_NOSYNC. DB_TXN_NOSYNC definitely helped, but its still not great. Can anyone recommend any settings that might help me improve the performance? Thanks in advance! My environment and settings: HP blade server, 8 cores @ 2.67Ghz, Redhat 5.3, OpenLDAP 2.4.25, Berkeley 5.1.25: ###### slapd.conf include /mypath/etc/openldap/schema/core.schema pidfile /mypath/var/run/slapd.pid argsfile /mypath/var/run/slapd.args access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to * by self write by users read by anonymous auth database bdb suffix "dc=my,dc=domain,dc=com" rootdn "cn=Manager,dc=my,dc=domain,dc=com" cachesize 500000 rootpw my_pass directory /mypath/var/openldap-data index objectClass eq index uniquemember eq index cn pres,eq,sub ###### DB_CONFIG set_cachesize 2 0 1 set_flags DB_TXN_NOSYNC set_lg_bsize 5097152 set_lg_max 50485760

2 1

pcache crashes after 2.4.25 upgrade; complains of unclean shutdowns and missing DB_CONFIGs after every restart
by Tyler Gates 11 Apr '11

11 Apr '11

After upgrading from 2.4.24 to 2.4.25 my pcache overlay using hdb backend first failed to start with messages complaining about a missing suffix. Now that I've added one I'm getting the following message: hdb_db_open: database "dc=example,dc=com": unclean shutdown detected; attempting recovery. hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (14).#012Expect poor performance for suffix "dc=example,dc=com". slapd starting bdb(dc=example,dc=com): PANIC: fatal region error detected; run recovery last message repeated 3 times But DB_CONFIG does exist and has proper permissions and the unclean shutdown message repeats after every restart. I've never had to add the suffix to the pcache backend database before and the documentation examples (http://www.openldap.org/doc/admin24/proxycache.html) never mention it either. Is this a misconfiguration or do I need to file a bug? PCACHE OVERLAY: dn: olcOverlay={0}pcache objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: {0}pcache olcPcache: hdb 100000 3 1000 100 olcPcacheAttrset: 0 uid userPassword uidNumber gidNumber cn homeDirectory logi nShell gecos description memberUid uniqueMember objectClass olcPcacheAttrset: 1 cn automountInformation olcPcacheAttrset: 2 cn mail olcPcacheTemplate: "(|(cn=)(mail=)(sn=))" 2 7200 0 0 0 olcPcacheTemplate: "(&(objectClass=)(|(cn=)(cn=)(cn=)))" 1 3600 600 0 0 olcPcacheTemplate: "(&(objectClass=)(|(cn=)(cn=)))" 1 3600 600 0 0 olcPcacheTemplate: "(&(objectClass=)(|(cn=)(gidNumber=)))" 1 3600 600 0 0 olcPcacheTemplate: "(&(objectClass=)(gidNumber=))" 0 1800 0 0 0 olcPcacheTemplate: "(&(objectClass=)(uidNumber=))" 0 1800 0 0 0 olcPcacheTemplate: "(&(objectClass=)(uniqueMember=))" 0 1800 900 0 0 olcPcacheTemplate: "(&(objectClass=)(memberUid=))" 0 1800 900 0 0 olcPcacheTemplate: "(objectClass=)" 0 1800 0 0 0 olcPcacheTemplate: "(&(objectClass=))" 0 1800 0 0 0 olcPcacheTemplate: "(&(objectClass=)(cn=))" 0 1800 0 0 0 olcPcacheTemplate: "(&(objectClass=)(uid=))" 0 1800 0 0 0 olcPcacheTemplate: "(&(objectClass=)(|(memberUid=)(uniqueMember=)))" 0 1800 0 0 0 olcPcachePosition: tail olcPcacheMaxQueries: 10000 olcPcachePersist: FALSE olcPcacheValidate: FALSE olcPcacheOffline: FALSE HDB backend: dn: olcDatabase={0}hdb objectClass: olcHdbConfig objectClass: olcPcacheDatabase olcDatabase: {0}hdb olcDbDirectory: /var/lib/ldap olcDbCacheSize: 1000 olcDbNoSync: FALSE olcDbDirtyRead: FALSE olcDbIDLcacheSize: 3000 olcDbLinearIndex: FALSE olcDbMode: 0600 olcDbSearchStack: 16 olcDbShmKey: 0 olcDbCacheFree: 1 olcDbDNcacheSize: 0 createTimestamp: 20110225174535Z olcDbConfig: {0}set_cachesize 0 10485760 1 olcDbConfig: {1}set_lg_regionmax 262144 olcDbConfig: {2}set_lg_bsize 2097152 olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE olcDbConfig: {4}set_lg_max 10485760 olcDbIndex: objectClass eq olcDbIndex: cn eq,subinitial olcDbIndex: uid eq,subinitial olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: userPassword eq olcDbIndex: description eq olcDbIndex: loginShell eq olcDbIndex: homeDirectory eq olcDbIndex: memberUid eq olcDbIndex: gecos eq olcDbIndex: automountInformation eq olcDbIndex: uniqueMember eq olcDbIndex: mail eq,subinitial olcDbIndex: sn eq,subinitial olcDbIndex: givenName eq,subinitial olcDbIndex: member eq olcDbIndex: nisMapName eq olcDbIndex: pcacheQueryID eq olcSuffix: dc=example,dc=com

3 4

help needed for tuning my openldap
by Stéphane PURNELLE 11 Apr '11

11 Apr '11

Hi all, I would like to know how I can tunning my ldap (openldap 2.4.23 on RHEL5.4 64-bits) installation: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP COMMAND 13480 root 25 0 1378m 18m 4296 S 25.9 0.5 7241:07 1.3g slapd I already read the page http://www.openldap.org/faq/data/cache/1075.html (ex: Number of hash buckets ), but I not have all informations for calculate the size. [root@xxxxxxx openldap-data]# du -h . 43M . My BDB database take only 43M The accesslog take : 62M . How can I reduce memory (swap) usage and CPU usage (sometimes I see 134%) Thank you Stéphane Purnelle ----------------------------------- Stéphane PURNELLE Admin. Systèmes et Réseaux Service Informatique Corman S.A. Tel : 00 32 (0)87/342467

2 5

Renaming of node cause a segfault crash
by Peter Schütt 11 Apr '11

11 Apr '11

Hallo, we use 2.4.19 on RedHat 6.0, 64-Bit, Kernel 2.6.32 When I renamed a node with Apache Directory Studio (e.G. cn=mynode,ou=Groups,dc=mydomain,dc=de) the OpenLDAP-Server crashed. dmesg: slapd[13129]: segfault at 7fd1a9171fb0 ip 00007fd1c47a830f sp 00007fd1a9171fb0 error 6 in slapd[7fd1c46f5000+1f7000] When I restart then the change was successful. In the PastI had a similar error on a self compiled 2.4.23 on a CentOS 5.5, 64-Bit, Kernel 2.6.18: slapd[14668]: segfault at 0000000043a3bed8 rip 000000000047d77f rsp 0000000043a3bed0 error 6 Because of our company policy we prefer to use version from the official repository of our linux distribution. So we change from self compiled 2.4.23 in an old linux to RedHat 6.0 with the "official" OpenLDAP. I try to rename a node by ldapModify to exclude an error in Apache Directory Studio but I do not understand how. Perhaps someone has a hint. Is it possible this an error which is fixed in 2.4.25? Thanks for any hints. Ciao Peter Schütt

2 1

acls for a user to join/leave a group.
by George Mamalakis 11 Apr '11

11 Apr '11

Hello everybody, Is there a way to achieve what the subject says? For example, we can imagine users like: uid=user,ou=people,dc=example,dc=com And the group that I wish the users should be able to join using ldapmodify is: cn=group,dc=example,dc=com. What I wish to achieve is to let a user write in this dn, only the memberOf attribute, by containing only their specific dn. Moreover, the user will have to be able to remove this entry from this group if they wish, using ldapmodify again. Thank you very much for your help in advance, mamalos -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379

2 3

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2011