slapo-accesslog
by Tim Gustafson
Hi,
I was wondering if there was an overlay that worked somewhat like the slapo-accesslog overlay, but instead of logging the information to another OpenLDAP database, I'd like the data to be written to a CSV file or something similar. Does such a beast exist?
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
11 years, 1 month
Optimization help
by Chris Jackson
What can I do to maximize the performance of my setup? System has 16gb of ram.
OpenLDAP 2.4.19-15
Import LDIF is 4,611,156 bytes. Backend is BDB.
du -c -h *.bdb
6.5M cn.bdb
8.0K displayName.bdb
1.9M dn2id.bdb
3.3M givenName.bdb
17M id2entry.bdb
5.6M mail.bdb
740K objectClass.bdb
7.5M ou.bdb
3.2M sn.bdb
3.4M uid.bdb
8.0K uidNumber.bdb
48M total
Portion of slapd.conf:
database bdb
checkpoint 1024 15
##threads 8
cachesize 100000
idlcachesize 300000
***no dncachesize (default infinite)
Current DB_CONFIG:
# one 0.25 GB cache
##set_cachesize 0 268435456 1
set_cachesize 1 0 1
# Data Directory
#set_data_dir db
# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
#set_lg_dir logs
11 years, 1 month
access control for opattrs (memberof overlay)
by Peter Schober
How do I control access to operational attributes, in this case
memberOf by the eponymous overlay? While I can put an index on
'memberOf' I can't seem to use it in an <attrlist> as part of an ACL:
unknown attr "memberOf" in to clause
(This is on 2.4.22 with all default settings for the memberof overlay
and on a syncrepl consumer. The Changelog up to 2.4.25 does not show
relevant issues from ITS, AFAICT.)
Neither the slapd.access man page, FAQ or admin guide were of help wrt
controlling access to operational attributes (but I may have
overlooked something).
(I also tried giving access to the 'entry' pseudo attribute, which
didn't change the behaviour).
How then are people controlling access to group memberships as
provided by the memberof overlay?
cheers,
-peter
11 years, 1 month
Re: Large "dynamic" groups and performance
by Al
>> cachesize 500000
>
>> ###### DB_CONFIG
>
>> set_cachesize 2 0 1
>> set_flags DB_TXN_NOSYNC
>> set_lg_bsize 5097152
>> set_lg_max 50485760
>
>
> You never state the size of your database (how many dns), or the disk size of your database (du -c -h *.bdb), so there is no way to tell if these settings are in any way valid.
Thanks for getting back to me, I'm new here :) - here is some more data:
Approximately 450,000 dns - about 200+/- are groups, the rest are users.
du output:
163M cn.bdb
92M dn2id.bdb
415M id2entry.bdb
3.7M objectClass.bdb
16M uid.bdb
16M uniqueMember.bdb
703M total
> I don't see a checkpoint setting for slapd.conf/cn=config, and I don't see an idlcachesize setting.
I added those as well, no noticeable change in performance:
cachesize 500000
idlcachesize 500000
checkpoint 10000 15
> Also, you are definitely not using "dynamic" groups in the OpenLDAP sense of the word, although they would probably perform significantly better for you.
Yes, I understand that - that's why I put it in quotes. I looked into
using OpenLDAP dynamic lists, but I think I'm limited by the fact that
some of our systems requiring these groups need to do searches off of
it based on the dynamic membership (and from what I can tell, it's not
possible to use it that way), i.e. they need to search for
(uniquemember=cn=xxxx,cn=users,...) on my group section of the tree.
I'll openly admit some of the values I have been picking for caching
and checkpoint are somewhat arbitrary. I've been trying many
different values and have yet to settle on any that work well. I'll
gladly try any recommendations.
Thanks again, I appreciate your response.
Al
11 years, 1 month
Question about conversion from SunOne to OpenLDAP
by Elizabeth Good
Hello,
I've been searching for information for about 2 days on how to convert a SunOne 5.2 ldif file to allow it for use with OpenLDAP 2.3.43. I'm trying to add the 99user.ldif file, which has our schema extension. When I try to do an ldapadd, I receive syntax errors:
ldapadd -x -f 99user_new.ldif -D "cn=Directory Manager,o=xxxxx,c=xxxxx" -W
adding new entry "cn=schema"
ldapadd: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
I have already made a few syntax changes:
attributeTypes to attributetype
objectClasses to objectclass
But still I'm receiving errors.
I'm sure other people must have done something similar, but I've not been able to find anything. So, I would really appreciate some assistance.
Thanks,
--Beth
Beth Good
Database Administrator (Oracle, SQL Server, Postgres)
Duke University's Fuqua School of Business (http://www.fuqua.duke.edu/)
100 Fuqua Drive, Box 90120, Durham, NC 27708-0120 USA
Tel +1.919.381.7625 | Fax +1.919.684.8620
Watch our video at http://www.fuqua.duke.edu/wakeup
11 years, 1 month
Large "dynamic" groups and performance
by Al
Hi All -
We are currently attempting to migrate from a commercial LDAP server to
OpenLDAP. Luckily our data is pretty standard, and the migration itself
will be simple. I am having issues with our groups that programmatically
have large numbers of adds and deletes done to their member lists. This
transaction happens when a user logs into our website (the login mechanism
compares their current groups with what they should have (from an external
DB query) and makes the necessary adjustments). Other applications then use
these groups for permissions.
We are using the basic uniquemember within a groupOfUniqueNames.
Uniquemember is indexed with equality. When the groups are small,
performance is quite good - but once the groups begin growing, the adds and
deletes of the members really start suffering (greater than 2 - 3 seconds
per person). The reads still seem good. On our existing LDAP store, we see
response times of less than a second for this same transaction. We have
about 175 groups that range in size from 10 members to 50,000 members.
Most of the groups are around 1,000 members. I can go into more detail of
the exact sizes if needed.
I have a very basic configuration right now for testing. I've messed around
with different transaction log settings, different caching settings and even
played with DB_TXN_NOSYNC. DB_TXN_NOSYNC definitely helped, but it's still
not great. Can anyone recommend any settings that might help me improve the
performance?
Thanks in advance!
My environment and settings:
HP blade server, 8 cores @ 2.67 GHz, Red Hat 5.3, OpenLDAP 2.4.25, Berkeley
DB 5.1.25:
###### slapd.conf
include /mypath/etc/openldap/schema/core.schema
pidfile /mypath/var/run/slapd.pid
argsfile /mypath/var/run/slapd.args
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
database bdb
suffix "dc=my,dc=domain,dc=com"
rootdn "cn=Manager,dc=my,dc=domain,dc=com"
cachesize 500000
rootpw my_pass
directory /mypath/var/openldap-data
index objectClass eq
index uniquemember eq
index cn pres,eq,sub
###### DB_CONFIG
set_cachesize 2 0 1
set_flags DB_TXN_NOSYNC
set_lg_bsize 5097152
set_lg_max 50485760
11 years, 1 month
pcache crashes after 2.4.25 upgrade; complains of unclean shutdowns and missing DB_CONFIGs after every restart
by Tyler Gates
After upgrading from 2.4.24 to 2.4.25 my pcache overlay using hdb
backend first failed to start with messages complaining about a
missing suffix. Now that I've added one I'm getting the following
message:
hdb_db_open: database "dc=example,dc=com": unclean shutdown detected;
attempting recovery.
hdb_db_open: warning - no DB_CONFIG file found in directory
/var/lib/ldap: (14).#012Expect poor performance for suffix
"dc=example,dc=com".
slapd starting
bdb(dc=example,dc=com): PANIC: fatal region error detected; run recovery
last message repeated 3 times
But DB_CONFIG does exist and has proper permissions and the unclean
shutdown message repeats after every restart. I've never had to add
the suffix to the pcache backend database before and the documentation
examples (http://www.openldap.org/doc/admin24/proxycache.html) never
mention it either.
Is this a misconfiguration or do I need to file a bug?
PCACHE OVERLAY:
dn: olcOverlay={0}pcache
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
olcOverlay: {0}pcache
olcPcache: hdb 100000 3 1000 100
olcPcacheAttrset: 0 uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description memberUid uniqueMember objectClass
olcPcacheAttrset: 1 cn automountInformation
olcPcacheAttrset: 2 cn mail
olcPcacheTemplate: "(|(cn=)(mail=)(sn=))" 2 7200 0 0 0
olcPcacheTemplate: "(&(objectClass=)(|(cn=)(cn=)(cn=)))" 1 3600 600 0 0
olcPcacheTemplate: "(&(objectClass=)(|(cn=)(cn=)))" 1 3600 600 0 0
olcPcacheTemplate: "(&(objectClass=)(|(cn=)(gidNumber=)))" 1 3600 600 0 0
olcPcacheTemplate: "(&(objectClass=)(gidNumber=))" 0 1800 0 0 0
olcPcacheTemplate: "(&(objectClass=)(uidNumber=))" 0 1800 0 0 0
olcPcacheTemplate: "(&(objectClass=)(uniqueMember=))" 0 1800 900 0 0
olcPcacheTemplate: "(&(objectClass=)(memberUid=))" 0 1800 900 0 0
olcPcacheTemplate: "(objectClass=)" 0 1800 0 0 0
olcPcacheTemplate: "(&(objectClass=))" 0 1800 0 0 0
olcPcacheTemplate: "(&(objectClass=)(cn=))" 0 1800 0 0 0
olcPcacheTemplate: "(&(objectClass=)(uid=))" 0 1800 0 0 0
olcPcacheTemplate: "(&(objectClass=)(|(memberUid=)(uniqueMember=)))" 0 1800 0 0 0
olcPcachePosition: tail
olcPcacheMaxQueries: 10000
olcPcachePersist: FALSE
olcPcacheValidate: FALSE
olcPcacheOffline: FALSE
HDB backend:
dn: olcDatabase={0}hdb
objectClass: olcHdbConfig
objectClass: olcPcacheDatabase
olcDatabase: {0}hdb
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 3000
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
createTimestamp: 20110225174535Z
olcDbConfig: {0}set_cachesize 0 10485760 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {4}set_lg_max 10485760
olcDbIndex: objectClass eq
olcDbIndex: cn eq,subinitial
olcDbIndex: uid eq,subinitial
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: userPassword eq
olcDbIndex: description eq
olcDbIndex: loginShell eq
olcDbIndex: homeDirectory eq
olcDbIndex: memberUid eq
olcDbIndex: gecos eq
olcDbIndex: automountInformation eq
olcDbIndex: uniqueMember eq
olcDbIndex: mail eq,subinitial
olcDbIndex: sn eq,subinitial
olcDbIndex: givenName eq,subinitial
olcDbIndex: member eq
olcDbIndex: nisMapName eq
olcDbIndex: pcacheQueryID eq
olcSuffix: dc=example,dc=com
11 years, 1 month
help needed for tuning my openldap
by Stéphane PURNELLE
Hi all,
I would like to know how I can tune my LDAP (openldap 2.4.23 on RHEL5.4
64-bit) installation:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP COMMAND
13480 root 25 0 1378m 18m 4296 S 25.9 0.5 7241:07 1.3g slapd
I already read the page http://www.openldap.org/faq/data/cache/1075.html
(e.g. "Number of hash buckets"), but I do not have all the information needed to
calculate the size.
[root@xxxxxxx openldap-data]# du -h .
43M .
My BDB database takes only 43M.
The accesslog takes 62M.
How can I reduce memory (swap) usage and CPU usage (sometimes I see 134%)?
Thank you
Stéphane Purnelle
-----------------------------------
Stéphane PURNELLE Admin. Systèmes et Réseaux
Service Informatique Corman S.A. Tel : 00 32 (0)87/342467
11 years, 1 month
Renaming of node cause a segfault crash
by Peter Schütt
Hello,
We use 2.4.19 on Red Hat 6.0, 64-bit, kernel 2.6.32.
When I renamed a node with Apache Directory Studio (e.g.
cn=mynode,ou=Groups,dc=mydomain,dc=de) the OpenLDAP server crashed.
dmesg:
slapd[13129]: segfault at 7fd1a9171fb0 ip 00007fd1c47a830f sp
00007fd1a9171fb0 error 6 in slapd[7fd1c46f5000+1f7000]
When I restarted, the change had been applied successfully.
In the past I had a similar error on a self-compiled 2.4.23 on CentOS 5.5,
64-bit, kernel 2.6.18:
slapd[14668]: segfault at 0000000043a3bed8 rip 000000000047d77f
rsp 0000000043a3bed0 error 6
Because of our company policy we prefer to use versions from the official
repository of our Linux distribution. So we changed from the self-compiled 2.4.23
on an old Linux to Red Hat 6.0 with the "official" OpenLDAP.
I tried to rename a node with ldapmodify to rule out an error in Apache Directory
Studio, but I do not understand how.
Perhaps someone has a hint.
Is it possible that this is an error which is fixed in 2.4.25?
Thanks for any hints.
Ciao
Peter Schütt
11 years, 1 month
acls for a user to join/leave a group.
by George Mamalakis
Hello everybody,
Is there a way to achieve what the subject says? For example, we can
imagine users like:
uid=user,ou=people,dc=example,dc=com
And the group that I wish the users should be able to join using
ldapmodify is:
cn=group,dc=example,dc=com.
What I wish to achieve is to let a user write, in this DN, only the
memberOf attribute, and only with their own specific DN as the value. Moreover, the
user will have to be able to remove this entry from this group if they
wish, using ldapmodify again.
Thank you very much for your help in advance,
mamalos
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
11 years, 1 month
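An ACL that grants the join/leave self-service asked about above, as an added example that is not part of the original post or of OpenLDAP's own documentation. It assumes slapd.conf syntax and the DNs from the question, and that the group is a groupOfNames whose membership attribute is member (memberOf is what the memberof overlay writes onto the user's entry; for a groupOfUniqueNames use uniqueMember instead).

```conf
# Added example, not from the post. Assumed DNs: cn=group,dc=example,dc=com
# (the group) and uid=...,ou=people,dc=example,dc=com (the users).
# slapd evaluates ACLs first-match, so these two directives must come
# before any catch-all "access to *" directive.

# A modify is only accepted with write access to the "entry" pseudo-attribute
# of the target; grant that to authenticated users for this one group only.
# Write on "entry" would also be needed to delete or rename the group, but
# those additionally need write on the parent's "children", not granted here.
access to dn.exact="cn=group,dc=example,dc=com" attrs=entry
    by users write
    by * read

# "selfwrite" lets an authenticated user add or delete a member value only
# when that value is their own DN; every other value stays read-only for them.
access to dn.exact="cn=group,dc=example,dc=com" attrs=member
    by users selfwrite
    by * read
```

A user then joins with ldapmodify by adding `member: uid=user,ou=people,dc=example,dc=com` to cn=group,dc=example,dc=com and leaves by deleting that same value; an attempt to add or remove any other DN is refused with insufficient access.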