openldap-technical June 2011

openldap-technical@openldap.org

80 participants
92 discussions

olcAccess problem
by Aurélien Lafranchise 07 Jun '11

07 Jun '11

Hi, On my olcDatabase={1}bdb,cn=config I added an ACL : {0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * auth I don't understand why I have to add by * auth to allow the two previous users to be logged in ? Thanks Aurélien Lafranchise | Consultant Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11 www.snype-consulting.com

2 2

Slapd 2.4 upgrade woes.
by ray klassen 06 Jun '11

06 Jun '11

I recently upgraded to debian squeeze and found that the slapd configuration had been completely revamped. It's now using the cn=config setup. I was authenticating against a locally replicated copy of my directory behind a firewall. I was using anonymous binding for my own purposes and I want to continue using it that way. I don't really want to enter into a prolonged discussion of why I shouldn't. I just want to know if there is a simple way of reconfiguring under the new regime so that it will work the same way it did before. Any Takers?

2 1

Novice problem
by Aurélien Lafranchise 06 Jun '11

06 Jun '11

Hi all, I am a very novice (less than a week) with OpenLDAP and I have some basics problems. First, I have the 2.4.25 version and I downloaded the Admin Guide as a documentation. I understood that the way to configure the server change from slapd.conf to cn=config and this change is not clear by reading the documention. My question is simple, how to create my own DIT without interfering with the default configuration ? The end goal of this server is to have a radius server interrogating the LDAP one to deliver IP address to a GGSN (GPRS équipement). Thanks for the help provided. Aurélien Lafranchise | Consultant Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11 www.snype-consulting.com

2 3

Re: Proper values for threads and tool-threads
by Mark 05 Jun '11

05 Jun '11

Does IIRC mean If I Remember Correctly? Each machine has 4 physical CPUs. Each CPU has 6 cores. ( http://ark.intel.com/Product.aspx?id=46491) So that's 24 real cores, correct?. So if I'm understanding you're suggestion: tool-threads = 24 threads <= 96 If I set threads above 32 I get the warning mentioned earlier (I assume YMMV means: Your Mileage May Vary). Should I be concerned? Thank you for replying on a weekend. On Sun, Jun 5, 2011 at 8:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Sunday, June 05, 2011 5:41 PM -0500 Mark <mah042(a)gmail.com> wrote: > > I'm setting up a new installation of OpenLDAP 2.4.25 on RHEL machines >> each with 128GB RAM and 4 Intel Xeon E7530 CPUs (6 cores each, each core >> supporting two threads). /proc/cpuinfo shows there are 48 processors. The >> backend hdb database will eventually have millions of records with >> thousands of concurrent readers and writers. Is there a good equation to >> use for determining a value for threads and tool-threads? I'd like to >> take advantage of the hardware available. I get a warning if I set >> threads higher than 32: >> >> olcThreads: value #0: warning, threads=48 larger than twice the default >> (2*16=32); YMMV. >> >> I shouldn't be slapcat'ing and slapadd'ing it very often, but like to set >> tool-threads to an appropriate value for the hardware. >> > > How many real cores do you have? > > Generally tool-threads should be set to that number. > > Generally threads should be set to no more than 4 threads per real core > IIRC (8 is generally good for 1 or 2 cores, 16 for 4 cores, etc). > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Proper values for threads and tool-threads
by Mark 05 Jun '11

05 Jun '11

I'm setting up a new installation of OpenLDAP 2.4.25 on RHEL machines each with 128GB RAM and 4 Intel Xeon E7530 CPUs (6 cores each, each core supporting two threads). /proc/cpuinfo shows there are 48 processors. The backend hdb database will eventually have millions of records with thousands of concurrent readers and writers. Is there a good equation to use for determining a value for threads and tool-threads? I'd like to take advantage of the hardware available. I get a warning if I set threads higher than 32: olcThreads: value #0: warning, threads=48 larger than twice the default (2*16=32); YMMV. I shouldn't be slapcat'ing and slapadd'ing it very often, but like to set tool-threads to an appropriate value for the hardware. Any suggestions? Thank you, Mark

2 1

when use overlay translucent error
by daydayeat 03 Jun '11

03 Jun '11

openldap-2.4.23 man slapo-translucent says: If neither translucent_local nor translucent_remote are specified, the default behavior is to search the remote database with the complete search filter. If only translucent_local is specified, searches will only be run on the local database. Likewise, if only translu- cent_remote is specified, searches will only be run on the remote database. In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client. but when i test： local proxy conf: ####################################################### # Primary database definitions ####################################################### ###################################################### #databse bdb ##################################################### database bdb suffix "dc=test,dc=com" rootdn "cn=Manager,dc=test,dc=com" rootpw "123456" directory /usr/local/ldap/var/openldap-data index objectClass eq ###################################################### #overlays ###################################################### overlay translucent #translucent_remote street #translucent_local street uri ldap://remote:388 lastmod off idassert-bind bindmethod=simple binddn="cn=Manager,dc=test,dc=com" ###################################################### remote conf: ####################################################### # Primary database definitions ####################################################### database bdb suffix "dc=test,dc=com" rootdn "cn=Manager,dc=ec,dc=com" rootpw "123456" directory "/usr/local/ldap1/var/openldap-data" index objectClass eq ####################################################### remote database have a entry: # 111, GF3, ec.com dn: o=111,o=GF3,dc=test,dc=com objectClass: organization o: 111 street: remote and in the local database change the street value: # 111, GF3, ec.com dn: o=111,o=GF3,dc=test,dc=com objectClass: organization o: 111 street: local then change the value "translucent_remote and translucent_local" in the local proxy conf。Do search in local: 1 set "translucent_local street" "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" the result is: # extended LDIF # # LDAPv3 # base <dc=test,dc=com> with scope subtree # filter: street=local # requesting: ALL # # 111, GF3, ec.com dn: o=111,o=GF3,dc=ec,dc=com objectClass: organization o: 111 street: local It is right. 2 set "translucent_remote street" "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" have no result. "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote" have no result why? 3 do not set any "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" have no result. "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote" have no result why?

2 1

Authenticate with smartcard or other certificate
by Thomas Gäbler 03 Jun '11

03 Jun '11

Hi @ all, is it possible, to authenticate with any kind of certificate (smartcard, softwaretoken, ...)? Now, I have the following solution: I have an additional attribute for the serialNumber of the certificate stored in the ldap-entry. If a user will auth with certificate, i search for all entries, where the serial-attribute match. for the matching entries i read the certificate from ldap and check the public key. but for an other implementation i need a possibility to auth directly with certificate. Any idea? Thanks for help! procilon IT-Solutions GmbH Leipziger Stra�e 110 04425 Taucha bei Leipzig tel: +49 34298 4878-10 fax: +49 34298 4878-11 www.procilon.de Sitz der Gesellschaft: Leipziger Stra�e 110, 04425 Taucha bei Leipzig Amtsgericht Leipzig HRB 18003 , Gesch�ftsf�hrer Steffen Scholz Diese E-Mail kann Betriebs- oder Gesch�ftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. Sollten Sie diese E-Mail irrt�mlich erhalten haben, ist Ihnen eine Kenntnisnahme des Inhalts, eine Vervielf�ltigung oder Weitergabe der E-Mail ausdr�cklich untersagt. Bitte benachrichtigen Sie uns und vernichten Sie die empfangene E-Mail. Vielen Dank. This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.

2 1

OpenLDAP search filters
by Anita Luca 03 Jun '11

03 Jun '11

Hello all, I need to replace the standard AD filters with OpenLDAP filters. Basically, I assume that what changes is the value of the property (e.g. objectType=user might become objectType=person or any other value, not sure what OpenLDAP works with). Below the queries on AD: User search filter: (objectClass=user) User attribute: sAMAccountName User browse filter: (|(objectClass=user)(objectClass=organizationalUnit)) Group search filter: (objectClass=group) Group attribute: member Group browse filter: (|(objectClass=group)(objectClass=organizationalUnit)) User member of attribute: memberOf OU search filter: (objectClass=organizationalUnit) Hope you can help with a suggestion, or at least a list of properties and values for objects, where I could search. Thanks, Anita Luca

3 3

ldapsearch and sambaAcctFlags
by Dennis Leeuw 03 Jun '11

03 Jun '11

Hi all, I am using SAMBA with OpenLDAP. And I wanted to find the computer trust accounts within the LDAP tree. These are identified by having the S type set in the sambaAcctFlags field. In LDIF format this looks like this: sambaAcctFlags: [S ] The initial search was: ldapsearch -x -LLL '(&(objectClass=device)(sambaAcctFlags=*S*))' dn This revealed nothing. Which I knew for sure is incorrect. To test I used: ldapsearch -x -LLL '(&(objectClass=device)(sambaAcctFlags=[S ]))' dn which returned the DNs of the trust accounts. Searching for: ldapsearch -x -LLL '(&(objectClass=device)(sambaSID=*1-5-21*))' dn also returned all DNs, so it is not a generic search filter problem. It seems to be related to [] and spaces. On the sambaAcctFlags search it doesn't matter if I replace [ and/or ] for * or the spaces for *, nothing is returned. The only working search is searching for the entire string. Am I doing something wrong? Or is this a bug in the search filter system? With kind regards, Dennis Leeuw

3 2

Strange hang scenario, resumes after idletimeout, but plenty of FDs available
by Kartik Subbarao 03 Jun '11

03 Jun '11

I'm running into the following scenario. Shortly after slapd gets bombarded by a burst of operations (from several different clients) on existing connections (well under the max number of connections, about 3000 out of 16384), it suddenly hangs. It's not responsive to any new connections, and doesn't process operations on existing connections. Load average is near zero during this time, so it's not doing anything. After 20 minutes (idletimeout), slapd frees several connections (maybe say 1000), and resumes working again as if nothing happened. The load pattern that gets it into this state happens every hour, almost on the hour (most likely associated with nslcd and cron jobs, which we're looking to mitigate elsewise). Another strange thing is that slapd will survive one instance's worth of bombardment without hanging, but the *next* hour will go into a hang state. Are there any resources other than file descriptors that are freed up during the idletimeout processing? Are there any other parameters that can be tuned besides idletimeout here? Could it possibly be a case of deadlock somewhere, something grabbing all the locks? Would things like set_lk_max_locks be relevant to investigate here? Any log level settings that might reveal more of what's happening here? Thanks for any suggestions on things to look at and try. -Kartik

4 12

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2011