I was wondering if there was an overlay that worked somewhat like the slapo-accesslog overlay, but instead of logging the information to another OpenLDAP database, I'd like the data to be written to a CSV file or something similar. Does such a beast exist?
Baskin School of Engineering
UC Santa Cruz
How do I control access to operational attributes, in this case
memberOf by the eponymous overlay? While I can put an index on
'memberOf' I can't seem to use it in an <attrlist> as part of an ACL:
unknown attr "memberOf" in to clause
(This is on 2.4.22 with all default settings for the memberof overlay
and on a syncrepl consumer. The Changelog up to 2.4.25 does not show
relevant issues from ITS, AFAICT.)
Neither the slapd.access man page, the FAQ nor the admin guide were of help wrt
controlling access to operational attributes (but I may have
(I also tried giving access to the 'entry' pseudo attribute, which
didn't change the behaviour).
How then are people controlling access to group memberships as
provided by the memberof overlay?
>> cachesize 500000
>> ###### DB_CONFIG
>> set_cachesize 2 0 1
>> set_flags DB_TXN_NOSYNC
>> set_lg_bsize 5097152
>> set_lg_max 50485760
> You never state the size of your database (how many dns), or the disk size of your database (du -c -h *.bdb), so there is no way to tell if these settings are in any way valid.
Thanks for getting back to me, I'm new here :) - here is some more data:
Approximately 450,000 dns - about 200+/- are groups, the rest are users.
> I don't see a checkpoint setting for slapd.conf/cn=config, and I don't see an idlcachesize setting.
I added those as well, no noticeable change in performance:
checkpoint 10000 15
> Also, you are definitely not using "dynamic" groups in the OpenLDAP sense of the word, although they would probably perform significantly better for you.
Yes, I understand that - that's why I put it in quotes. I looked into
using OpenLDAP dynamic lists, but I think I'm limited by the fact that
some of our systems requiring these groups need to do searches off of
it based on the dynamic membership (and from what I can tell, it's not
possible to use it that way), i.e. they need to search for
(uniquemember=cn=xxxx,cn=users,...) on my group section of the tree.
I'll openly admit some of the values I have been picking for caching
and checkpoint are somewhat arbitrary. I've been trying many
different values and have yet to settle on any that work well. I'll
gladly try any recommendations.
Thanks again, I appreciate your response.
I've been searching for information for about 2 days on how to convert a SunOne 5.2 ldif file to allow it for use with OpenLDAP 2.3.43. I'm trying to add the 99user.ldif file, which has our schema extension. When I try to do an ldapadd, I receive syntax errors:
ldapadd -x -f 99user_new.ldif -D "cn=Directory Manager,o=xxxxx,c=xxxxx" -W
adding new entry "cn=schema"
ldapadd: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
I have already made a few syntax changes:
attributeTypes to attributetype
objectClasses to objectclass
But still I'm receiving errors.
I'm sure other people must have done something similar, but I've not been able to find anything. So, I would really appreciate some assistance.
Database Administrator (Oracle, SQL Server, Postgres)
Duke University's Fuqua School of Business<http://www.fuqua.duke.edu/>
100 Fuqua Drive, Box 90120, Durham, NC 27708-0120 USA
Tel +1.919.381.7625 | Fax +1.919.684.8620
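An added example, not code from the post above or from OpenLDAP. A Sun ONE 99user.ldif is an LDIF record for the cn=schema entry whose attributeTypes:/objectClasses: values carry the site schema; OpenLDAP 2.3 does not take schema by ldapadd to cn=schema at all (its cn=Subschema entry is generated from the schema files slapd.conf pulls in with include), so the file has to be turned into attributetype/objectclass directives and included. The converter below unfolds the LDIF, emits attribute types before the object classes that use them (slapd rejects a MUST/MAY naming an attribute it has not seen yet), leaves X-ORIGIN extensions alone, and reports which referenced attributes are not defined in the file and therefore must come from an earlier include such as core.schema. The sample input, its OID arc 1.3.6.1.4.1.99999 and the example* names are constructed placeholders.

```python
"""Convert a Sun ONE 5.x 99user.ldif (an LDIF record for cn=schema whose
attributeTypes:/objectClasses: values hold the site schema) into an
OpenLDAP 2.3 schema file: 'attributetype'/'objectclass' directives that
slapd.conf loads with 'include'.  Added example, not code from the post or
from OpenLDAP; the sample input, its OID arc and names are constructed."""
import base64
import re
import sys

# Constructed sample in Sun DS style; continuation lines start with one
# space (RFC 2849 folding) and that space is not part of the value.
SAMPLE_99USER = """\
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleCourseCode' DESC 'course
  code' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleBoxNumber' SYNTAX 1.3.6.1.
 4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top AUXILIARY
  MUST cn MAY ( exampleCourseCode $ exampleBoxNumber ) X-ORIGIN 'user defined' )
"""


def unfold_ldif(text):
    """Join folded lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_records(text):
    """Yield each record as a list of (attr, value); '::' values are base64."""
    record = []
    for line in unfold_ldif(text):
        if not line.strip():
            if record:
                yield record
                record = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record.append((attr.strip(), value.strip()))
    if record:
        yield record


_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
_LIST_RE = {kw: re.compile(r"\b%s\s+(?:\(\s*([^)]*)\)|([^\s()]+))" % kw)
            for kw in ("MUST", "MAY")}


def schema_names(definition):
    """NAME 'x' or NAME ( 'x' 'y' ) -> ['x', 'y']."""
    m = _NAME_RE.search(definition)
    if not m:
        return []
    return [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))


def attr_list(definition, keyword):
    """MUST/MAY list of an object class, e.g. MAY ( a $ b ) -> ['a', 'b']."""
    m = _LIST_RE[keyword].search(definition)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in body.split("$") if t.strip()]


def convert_sun_schema(ldif_text):
    """Return (schema text for slapd.conf, sorted attribute names the object
    classes reference but this file does not define).  Attribute types go
    first: slapd rejects a MUST/MAY naming an attribute it has not seen."""
    directives, defined, referenced = [], set(), set()
    for record in parse_ldif_records(ldif_text):
        dn = next((v for a, v in record if a.lower() == "dn"), "")
        if dn.lower() != "cn=schema":
            continue
        for ldif_attr, directive in (("attributetypes", "attributetype"),
                                     ("objectclasses", "objectclass")):
            for attr, value in record:
                if attr.lower() != ldif_attr:
                    continue
                definition = " ".join(value.split())   # normalise folded whitespace
                directives.append("%s %s" % (directive, definition))
                if directive == "attributetype":
                    defined.update(n.lower() for n in schema_names(definition))
                else:
                    for kw in ("MUST", "MAY"):
                        referenced.update(n.lower() for n in attr_list(definition, kw))
    return "\n".join(directives) + "\n", sorted(referenced - defined)


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_99USER
    conf, external = convert_sun_schema(src)
    sys.stdout.write(conf)
    if external:
        sys.stderr.write("needs an earlier include defining: %s\n" % ", ".join(external))
```

Run it as `python convert_sun_schema.py 99user.ldif > local.schema`, put `include /etc/openldap/schema/local.schema` in slapd.conf after the includes that define the attributes it reports on stderr (for the sample, `cn` from core.schema), and check the result with `slaptest -f slapd.conf` before restarting slapd.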
Hi All -
We are currently attempting to migrate from a commercial LDAP server to
OpenLDAP. Luckily our data is pretty standard, and the migration itself
will be simple. I am having issues with our groups that programmatically
have large numbers of adds and deletes done to their member lists. This
transaction happens when a user logs into our website (the login mechanism
compares their current groups with what they should have (from an external
DB query) and makes the necessary adjustments). Other applications then use
these groups for permissions.
We are using the basic uniquemember within a groupOfUniqueNames.
Uniquemember is indexed with equality. When the groups are small,
performance is quite good - but once the groups begin growing, the adds and
deletes of the members really start suffering (greater than 2 - 3 seconds
per person). The reads still seem good. On our existing LDAP store, we see
response times of less than a second for this same transaction. We have
about 175 groups, that range in size from 10 members to 50,000 members.
Most of the groups are around 1,000 members. I can go into more detail of
the exact sizes if needed.
I have a very basic configuration right now for testing. I've messed around
with different transaction log settings, different caching settings and even
played with DB_TXN_NOSYNC. DB_TXN_NOSYNC definitely helped, but its still
not great. Can anyone recommend any settings that might help me improve the
Thanks in advance!
My environment and settings:
HP blade server, 8 cores @ 2.67Ghz, Redhat 5.3, OpenLDAP 2.4.25, Berkeley
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
index objectClass eq
index uniquemember eq
index cn pres,eq,sub
set_cachesize 2 0 1
I would like to know how I can tune my LDAP (openldap 2.4.23 on RHEL5.4
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP COMMAND
13480 root 25 0 1378m 18m 4296 S 25.9 0.5 7241:07 1.3g slapd
I already read the page http://www.openldap.org/faq/data/cache/1075.html
(e.g. the number of hash buckets), but I do not have all the information
needed to calculate the size.
[root@xxxxxxx openldap-data]# du -h .
My BDB database takes only 43M.
The accesslog takes 62M.
How can I reduce memory (swap) usage and CPU usage (sometimes I see 134%)?
Stéphane PURNELLE Systems and Network Administrator
IT Department, Corman S.A. Tel : 00 32 (0)87/342467
we use 2.4.19 on RedHat 6.0, 64-Bit, Kernel 2.6.32
When I renamed a node with Apache Directory Studio (e.g.
cn=mynode,ou=Groups,dc=mydomain,dc=de) the OpenLDAP server crashed.
slapd: segfault at 7fd1a9171fb0 ip 00007fd1c47a830f sp
00007fd1a9171fb0 error 6 in slapd[7fd1c46f5000+1f7000]
When I restart then the change was successful.
In the past I had a similar error on a self-compiled 2.4.23 on a CentOS 5.5,
64-Bit, Kernel 2.6.18:
slapd: segfault at 0000000043a3bed8 rip 000000000047d77f
rsp 0000000043a3bed0 error 6
Because of our company policy we prefer to use version from the official
repository of our linux distribution. So we change from self compiled 2.4.23
in an old linux to RedHat 6.0 with the "official" OpenLDAP.
I have tried to rename a node with ldapmodify, to rule out an error in Apache
Directory Studio, but I do not understand how.
Perhaps someone has a hint.
Is it possible that this is an error which is fixed in 2.4.25?
Thanks for any hints.
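The rename the post above wants to reproduce without the GUI is an LDAP modrdn, which ldapmodify performs from an RFC 2849 change record (`changetype: modrdn`). The following is an added example, not code from the post or from OpenLDAP: it builds that record, base64-encodes any value that is not an RFC 2849 SAFE-STRING (a `dc=de` tree can easily carry umlauts in a cn) and folds long lines the way ldapmodify expects. The DNs are the placeholders from the post plus a constructed umlaut example.

```python
"""Build the RFC 2849 change record that renames an entry, i.e. what to
feed ldapmodify to do the rename a GUI such as Apache Directory Studio
does.  Added example, not code from the post; the DNs are the
placeholders from the post plus a constructed umlaut example."""
import base64


def is_safe_string(value):
    """RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with
    space, ':' or '<'; values ending in a space should also be base64."""
    if not value:
        return True
    if value[0] in " :<" or value.endswith(" "):
        return False
    return all(1 <= ord(c) < 0x80 and c not in "\r\n" for c in value)


def fold(line, width=76):
    """Fold a long line; continuation lines begin with a single space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when the value is not a SAFE-STRING."""
    if is_safe_string(value):
        return fold("%s: %s" % (attr, value))
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return fold("%s:: %s" % (attr, encoded))


def ldif_value(line):
    """Decode one (unfolded) LDIF line back to its value."""
    attr, _, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()


def modrdn_record(dn, newrdn, deleteoldrdn=True, newsuperior=None):
    """Change record renaming `dn` to `newrdn` (and moving it under
    `newsuperior` if given).  deleteoldrdn=1 drops the old RDN value from
    the entry; 0 keeps it as an extra attribute value."""
    lines = [ldif_line("dn", dn), "changetype: modrdn",
             ldif_line("newrdn", newrdn),
             "deleteoldrdn: %d" % (1 if deleteoldrdn else 0)]
    if newsuperior is not None:
        lines.append(ldif_line("newsuperior", newsuperior))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save the output as rename.ldif and apply it with:
    #   ldapmodify -x -H ldap://localhost -D <binddn> -W -f rename.ldif
    print(modrdn_record("cn=mynode,ou=Groups,dc=mydomain,dc=de", "cn=newnode"), end="")
    print(modrdn_record("cn=mynode,ou=Groups,dc=mydomain,dc=de", "cn=Gruppe Ä"), end="")
```

With `-d -1` (or `loglevel stats` on the server) the same record applied by ldapmodify shows whether the crash follows the modrdn operation itself or something the GUI does around it.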
Is there a way to achieve what the subject says? For example, we can
imagine users like:
And the group that I wish the users should be able to join using
What I wish to achieve is to let a user write to this DN only the
memberOf attribute, containing only their own DN. Moreover, the
user has to be able to remove this entry from this group if they
wish, using ldapmodify again.
Thank you very much for your help in advance,
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
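An added slapd.conf ACL fragment, not from the post above, for the "join or leave a group, but only with your own DN" case. It assumes a hypothetical group cn=joinable,ou=Groups,dc=example,dc=com of objectClass groupOfNames, whose membership attribute is member; for a groupOfUniqueNames use attrs=uniqueMember,entry instead. The selfwrite level is write access restricted to values equal to the requester's own DN, and the entry pseudo-attribute is listed alongside it as in the group example in slapd.access(5). If the memberof overlay is loaded, memberOf on the user entry is derived by the overlay from these changes to member; it is not the attribute the user writes.

```conf
# Added example (not from the post): one group any bound user may join or
# leave, but only by adding or removing their own DN.  Hypothetical group DN.
# selfwrite = write limited to values equal to the requester's DN.
# Keep this rule above any broader "access to *" rule: the first <what>
# clause that matches the target is the only one that applies.
access to dn.exact="cn=joinable,ou=Groups,dc=example,dc=com" attrs=member,entry
        by users selfwrite
        by * read
```

Test it as an ordinary user with `ldapmodify -x -D "uid=alice,ou=People,dc=example,dc=com" -W`, once adding `member: uid=alice,...` (should succeed) and once adding another user's DN (should fail with insufficient access); `slapacl -f slapd.conf -D <userdn> -b <groupdn> member` lets you check the decision without a running server.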