olcAccess problem
by Aurélien Lafranchise
Hi,
On my olcDatabase={1}bdb,cn=config I added an ACL:
{0}to * by dn="cn=user1,dc=truc" write by dn="cn=user2,dc=mbqt" read by * auth
I don't understand why I have to add "by * auth" to allow the two previous
users to log in?
Thanks
Aurélien Lafranchise | Consultant
Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11
www.snype-consulting.com
11 years, 9 months
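The following is an added illustration (not code from the post or from OpenLDAP) of the two evaluation rules that explain the question: slapd tries the "by" clauses in order and the first one whose subject matches decides, and a list with no matching clause behaves as an implicit trailing "by * none". A simple bind is evaluated before the connection has an identity, so the "auth" check on userPassword is made for an anonymous subject, which neither dn= clause matches. The model assumes exact-DN matching only; the DNs are the ones from the post.

```python
# Toy model of slapd access-control evaluation (an added illustration, not
# OpenLDAP code). Two rules are modelled: the "by" clauses are tried in order
# and the first one whose subject matches decides, and a list with no matching
# clause behaves as an implicit "by * none". A simple bind runs before the
# client has an identity, so slapd checks "auth" access to userPassword for
# an *anonymous* subject, not for the DN that is trying to bind.

# Access levels in increasing order, as in slapd.access(5): each level
# implies all the levels to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def grants(level, wanted):
    """True if privilege 'level' includes the requested privilege 'wanted'."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


def evaluate(by_clauses, bound_dn, wanted):
    """Decide a request under one ACL.

    by_clauses: list of (who, level); 'who' is an exact DN, "*", "anonymous"
    or "users". bound_dn is the requester's DN, or None when anonymous.
    """
    for who, level in by_clauses:
        if who == "*":
            matched = True
        elif who == "anonymous":
            matched = bound_dn is None
        elif who == "users":
            matched = bound_dn is not None
        else:
            matched = bound_dn is not None and bound_dn.lower() == who.lower()
        if matched:
            return grants(level, wanted)  # first matching clause decides
    return False  # no clause matched: implicit trailing "by * none"


# The ACL from the post, once with and once without the trailing "by * auth".
USER1, USER2 = "cn=user1,dc=truc", "cn=user2,dc=mbqt"
WITH_AUTH = [(USER1, "write"), (USER2, "read"), ("*", "auth")]
WITHOUT_AUTH = [(USER1, "write"), (USER2, "read")]


def can_bind(by_clauses, dn):
    """Simple bind as 'dn': the userPassword check runs while the connection
    is still anonymous, so the subject passed to evaluate() is None, not dn."""
    return evaluate(by_clauses, None, "auth")


def can_write_after_bind(by_clauses, dn):
    """Once bound, the requester's own DN is matched against the clauses."""
    return evaluate(by_clauses, dn, "write")


if __name__ == "__main__":
    for label, acl in (("with 'by * auth'", WITH_AUTH), ("without it", WITHOUT_AUTH)):
        print(f"{label:18} bind as user1: {can_bind(acl, USER1)}  "
              f"user1 write: {can_write_after_bind(acl, USER1)}")
```

Run as-is it shows that without the trailing clause the anonymous bind falls off the end of the list and is denied, while with it the bind succeeds and user1 still gets write access afterwards because the dn= clause is matched once the connection is bound. "auth" is the lowest level that allows a value to be used in a bind, so anonymous clients get nothing else from it.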
Slapd 2.4 upgrade woes.
by ray klassen
I recently upgraded to debian squeeze and found that the slapd configuration
had been completely revamped. It's now using the cn=config setup. I was authenticating against a locally
replicated copy of my directory behind a firewall. I was using anonymous binding for my own purposes and I want to continue using it that way. I don't really want to enter into a prolonged discussion of why I
shouldn't. I just want to know if there is a simple way of reconfiguring under the new regime so that it will work the same way it did before.
Any Takers?
11 years, 9 months
Novice problem
by Aurélien Lafranchise
Hi all,
I am very much a novice (less than a week) with OpenLDAP and I have some basic
problems.
First, I have the 2.4.25 version and I downloaded the Admin Guide as
documentation.
I understood that the way to configure the server changed from slapd.conf to
cn=config, and this change is not clear from reading the documentation.
My question is simple: how do I create my own DIT without interfering with the
default configuration?
The end goal of this server is to have a RADIUS server interrogating the
LDAP one to deliver IP addresses to a GGSN (GPRS equipment).
Thanks for the help provided.
Aurélien Lafranchise | Consultant
Tél. : +33 (0)1 75 43 55 12 | Fax : +33 (0)1 75 43 55 11
www.snype-consulting.com
11 years, 9 months
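Both the question above (a DIT of one's own next to the packaged configuration) and the earlier one about keeping anonymous binds under cn=config come down to adding a second olcDatabase entry with its own ACLs. The script below is an added example, not code from either post or from the OpenLDAP project: it emits that LDIF, encoding values as RFC 2849 requires (base64 for values that start with a space, ':' or '<' or contain non-ASCII bytes, and folding of lines over 76 columns). The suffix, directory and password are placeholders; the function names are mine.

```python
# Added example (not from the posts or the OpenLDAP project): emit the LDIF that
# adds a second database under cn=config, leaving the packaged default database
# alone. Value encoding follows RFC 2849: a value that starts with a space,
# ':' or '<', or contains non-printable or non-ASCII bytes, is written base64
# as "attr:: ...", and lines longer than 76 columns are folded with a leading
# space. The suffix, directory and password are placeholders to replace.
import base64

LDIF_WIDTH = 76


def ldif_value(attr, value):
    """Return one LDIF attribute line, base64-encoded and folded as required."""
    data = value.encode("utf-8")
    safe = all(32 <= b < 127 for b in data) and data[:1] not in (b" ", b":", b"<")
    if safe:
        line = f"{attr}: {value}"
    else:
        line = f"{attr}:: {base64.b64encode(data).decode('ascii')}"
    # Folding: the first physical line may be 76 columns; continuation lines
    # carry one leading space and are therefore one character shorter.
    out, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:
        out.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return "\n".join(out)


def database_ldif(suffix, directory, rootpw_hash, index=2, anonymous_read=True):
    """LDIF for olcDatabase={index}bdb, a bdb backend like the one in the posts.

    rootpw_hash should be the output of slappasswd (an {SSHA} value), not a
    cleartext password. The ACLs keep userPassword usable only for binding
    ("auth") and writable by its owner; everything else is readable by
    authenticated users and, with anonymous_read=True, by anonymous clients.
    """
    rootdn = "cn=Manager," + suffix
    acl_password = "{0}to attrs=userPassword by self write by * auth"
    everyone = "read" if anonymous_read else "none"
    acl_rest = f"{{1}}to * by self write by users read by * {everyone}"
    lines = [
        "# second database; the existing olcDatabase={1}bdb is left untouched",
        ldif_value("dn", f"olcDatabase={{{index}}}bdb,cn=config"),
        "objectClass: olcDatabaseConfig",
        "objectClass: olcBdbConfig",
        ldif_value("olcDatabase", f"{{{index}}}bdb"),
        ldif_value("olcSuffix", suffix),
        ldif_value("olcRootDN", rootdn),
        ldif_value("olcRootPW", rootpw_hash),
        ldif_value("olcDbDirectory", directory),  # must exist, owned by the slapd user
        "olcDbIndex: objectClass eq",
        ldif_value("olcAccess", acl_password),
        ldif_value("olcAccess", acl_rest),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder values; replace them before loading the file.
    print(database_ldif("dc=example,dc=org", "/var/lib/ldap/example",
                        "{SSHA}replace-with-slappasswd-output"))
```

Save the output to a file and load it with ldapadd -Y EXTERNAL -H ldapi:/// -f new-db.ldif as root (Debian's packaged cn=config lets the local root user administer it over SASL EXTERNAL); ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase lists the result. For the anonymous-bind question: slapd accepts anonymous binds unless olcDisallows: bind_anon or olcRequires: authc is set in the global or frontend configuration, so it is the database's olcAccess entries, as generated here, that decide what an anonymous client may read.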
Re: Proper values for threads and tool-threads
by Mark
Does IIRC mean If I Remember Correctly?
Each machine has 4 physical CPUs. Each CPU has 6 cores. (
http://ark.intel.com/Product.aspx?id=46491) So that's 24 real cores,
correct? So if I'm understanding your suggestion:
tool-threads = 24
threads <= 96
If I set threads above 32 I get the warning mentioned earlier (I assume YMMV
means: Your Mileage May Vary). Should I be concerned?
Thank you for replying on a weekend.
On Sun, Jun 5, 2011 at 8:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Sunday, June 05, 2011 5:41 PM -0500 Mark <mah042(a)gmail.com> wrote:
>
>> I'm setting up a new installation of OpenLDAP 2.4.25 on RHEL machines
>> each with 128GB RAM and 4 Intel Xeon E7530 CPUs (6 cores each, each core
>> supporting two threads). /proc/cpuinfo shows there are 48 processors. The
>> backend hdb database will eventually have millions of records with
>> thousands of concurrent readers and writers. Is there a good equation to
>> use for determining a value for threads and tool-threads? I'd like to
>> take advantage of the hardware available. I get a warning if I set
>> threads higher than 32:
>>
>> olcThreads: value #0: warning, threads=48 larger than twice the default
>> (2*16=32); YMMV.
>>
>> I shouldn't be slapcat'ing and slapadd'ing it very often, but like to set
>> tool-threads to an appropriate value for the hardware.
>>
>
> How many real cores do you have?
>
> Generally tool-threads should be set to that number.
>
> Generally threads should be set to no more than 4 threads per real core
> IIRC (8 is generally good for 1 or 2 cores, 16 for 4 cores, etc).
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 9 months
Proper values for threads and tool-threads
by Mark
I'm setting up a new installation of OpenLDAP 2.4.25 on RHEL machines each
with 128GB RAM and 4 Intel Xeon E7530 CPUs (6 cores each, each core
supporting two threads). /proc/cpuinfo shows there are 48 processors. The
backend hdb database will eventually have millions of records with thousands
of concurrent readers and writers. Is there a good equation to use for
determining a value for threads and tool-threads? I'd like to take advantage
of the hardware available. I get a warning if I set threads higher than 32:
olcThreads: value #0: warning, threads=48 larger than twice the default
(2*16=32); YMMV.
I shouldn't be slapcat'ing and slapadd'ing it very often, but like to set
tool-threads to an appropriate value for the hardware.
Any suggestions?
Thank you,
Mark
11 years, 9 months
when use overlay translucent error
by daydayeat
openldap-2.4.23
man slapo-translucent says:
If neither translucent_local nor translucent_remote are specified, the default behavior is
to search the remote database with the complete search filter. If only translucent_local is
specified, searches will only be run on the local database. Likewise, if only translu-
cent_remote is specified, searches will only be run on the remote database. In any case,
both the local and remote entries corresponding to a search result will be merged before
being returned to the client.
but when I test:
local proxy conf:
#######################################################
# Primary database definitions
#######################################################
######################################################
#database bdb
#####################################################
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw "123456"
directory /usr/local/ldap/var/openldap-data
index objectClass eq
######################################################
#overlays
######################################################
overlay translucent
#translucent_remote street
#translucent_local street
uri ldap://remote:388
lastmod off
idassert-bind bindmethod=simple
binddn="cn=Manager,dc=test,dc=com"
######################################################
remote conf:
#######################################################
# Primary database definitions
#######################################################
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=ec,dc=com"
rootpw "123456"
directory "/usr/local/ldap1/var/openldap-data"
index objectClass eq
#######################################################
The remote database has an entry:
# 111, GF3, ec.com
dn: o=111,o=GF3,dc=test,dc=com
objectClass: organization
o: 111
street: remote
and in the local database change the street value:
# 111, GF3, ec.com
dn: o=111,o=GF3,dc=test,dc=com
objectClass: organization
o: 111
street: local
Then I change the values of translucent_remote and translucent_local in the local proxy conf and search on the local server:
1. Set "translucent_local street"
ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local
The result is:
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: street=local
# requesting: ALL
#
# 111, GF3, ec.com
dn: o=111,o=GF3,dc=ec,dc=com
objectClass: organization
o: 111
street: local
That is correct.
2. Set "translucent_remote street"
ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local
No result.
ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote
No result.
Why?
3. Set neither
ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local
No result.
ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote
No result.
Why?
11 years, 9 months
Authenticate with smartcard or other certificate
by Thomas Gäbler
Hi @ all,
Is it possible to authenticate with any kind of certificate (smartcard,
software token, ...)?
Now, I have the following solution:
I have an additional attribute for the serialNumber of the certificate
stored in the LDAP entry.
If a user wants to authenticate with a certificate, I search for all entries where the
serial attribute matches.
For the matching entries I read the certificate from LDAP and check the
public key.
But for another implementation I need a way to authenticate directly with a
certificate.
Any idea?
Thanks for help!
procilon IT-Solutions GmbH
Leipziger Straße 110
04425 Taucha bei Leipzig
tel: +49 34298 4878-10
fax: +49 34298 4878-11
www.procilon.de
Registered office: Leipziger Straße 110, 04425 Taucha bei Leipzig
Leipzig District Court HRB 18003, Managing Director Steffen Scholz
This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential
information. If you have received this e-mail in error, you are hereby notified that any review,
copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy
the original transmittal. Thank you for your cooperation.
11 years, 9 months
OpenLDAP search filters
by Anita Luca
Hello all,
I need to replace the standard AD filters with OpenLDAP filters. Basically, I assume that what changes is the value of the property (e.g. objectType=user might become objectType=person or any other value, not sure what OpenLDAP works with).
Below are the queries on AD:
User search filter: (objectClass=user)
User attribute: sAMAccountName
User browse filter: (|(objectClass=user)(objectClass=organizationalUnit))
Group search filter: (objectClass=group)
Group attribute: member
Group browse filter: (|(objectClass=group)(objectClass=organizationalUnit))
User member of attribute: memberOf
OU search filter: (objectClass=organizationalUnit)
Hope you can help with a suggestion, or at least a list of properties and values for objects, where I could search.
Thanks,
Anita Luca
11 years, 9 months
ldapsearch and sambaAcctFlags
by Dennis Leeuw
Hi all,
I am using SAMBA with OpenLDAP. And I wanted to find the computer trust
accounts within the LDAP tree. These are identified by having the S type
set in the sambaAcctFlags field. In LDIF format this looks like this:
sambaAcctFlags: [S ]
The initial search was:
ldapsearch -x -LLL '(&(objectClass=device)(sambaAcctFlags=*S*))' dn
This revealed nothing, which I knew for sure was incorrect. To test I used:
ldapsearch -x -LLL '(&(objectClass=device)(sambaAcctFlags=[S ]))' dn
which returned the DNs of the trust accounts. Searching for:
ldapsearch -x -LLL '(&(objectClass=device)(sambaSID=*1-5-21*))' dn
also returned all DNs, so it is not a generic search filter problem. It
seems to be related to [] and spaces. On the sambaAcctFlags search it
doesn't matter if I replace [ and/or ] with * or the spaces with *;
nothing is returned. The only working search is searching for the entire
string.
Am I doing something wrong? Or is this a bug in the search filter system?
With kind regards,
Dennis Leeuw
11 years, 9 months
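The three posts above (the certificate serial lookup, the AD-to-OpenLDAP filter mapping, and the sambaAcctFlags search) all build search filters from attribute values, so here is one added example, not code from any of the posts, that constructs them with RFC 4515 escaping. Only '*', '(', ')', '\' and NUL are escaped in an assertion value; '[', ']' and spaces are sent literally, which is why the working sambaAcctFlags search is an equality assertion on the whole value, while a bare '*' in the value is exactly what turns it into a substring filter. Escaping also keeps a value read from a certificate or typed into a login form from changing the shape of the filter. "certSerial" is an assumed attribute name standing in for the poster's serial-number attribute, and the function names are mine.

```python
# Added example (not code from the posts): build LDAP search filters with
# RFC 4515 escaping. Only five characters need escaping inside an assertion
# value: '*', '(', ')', '\' and NUL, each written as a backslash and two hex
# digits. Everything else, '[' ']' and spaces included, is sent literally, so
# the working sambaAcctFlags search is an equality assertion on the whole
# value, and a bare '*' in a value is what turns it into a substring filter.
# 'certSerial' is an assumed attribute name for the poster's serial attribute.

_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\0": "\\00"}


def escape(value):
    """Escape one assertion value for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in str(value))


def eq(attr, value):
    """Equality filter; the value is always escaped, whatever it contains."""
    return f"({attr}={escape(value)})"


def present(attr):
    return f"({attr}=*)"  # presence test: this '*' is deliberate and unescaped


def substring(attr, *, start="", contains=(), end=""):
    """Substring filter start*piece*...*end. The pieces are escaped, the '*'
    separators are not. It only matches if the attribute type defines a
    SUBSTR matching rule; without one the filter evaluates as Undefined."""
    parts = [escape(start)] + [escape(p) for p in contains] + [escape(end)]
    return f"({attr}=" + "*".join(parts) + ")"


def and_(*filters):
    return "(&" + "".join(filters) + ")"


def or_(*filters):
    return "(|" + "".join(filters) + ")"


# Filters from the posts, built from parts instead of pasted strings.
def trust_account_filter(flags="[S ]"):
    """Exact match on the sambaAcctFlags value shown in the post."""
    return and_(eq("objectClass", "device"), eq("sambaAcctFlags", flags))


def certificate_serial_filter(serial_hex):
    """Look up the entry holding a given certificate serial (assumed attribute)."""
    return eq("certSerial", serial_hex)


def browse_filter(entry_class):
    """Counterpart of the AD browse filters: the object class plus OUs."""
    return or_(eq("objectClass", entry_class), eq("objectClass", "organizationalUnit"))


if __name__ == "__main__":
    print(trust_account_filter())
    print(substring("sambaAcctFlags", contains=("S",)))  # what *S* really sends
    print(certificate_serial_filter("0a1b2c"))
    print(eq("uid", "*"), "vs", present("uid"))          # escaped vs presence
    print(browse_filter("inetOrgPerson"))
```

For the AD mapping question, the classes a stock OpenLDAP schema offers in place of AD's are inetOrgPerson (with uid as the login attribute) and groupOfNames (with member), and organizationalUnit is the same in both; there is no built-in memberOf attribute in OpenLDAP, it is only maintained when the memberof overlay is loaded. Whatever the class names, pass the values through eq() rather than pasting them into the filter string.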
Strange hang scenario, resumes after idletimeout, but plenty of FDs available
by Kartik Subbarao
I'm running into the following scenario. Shortly after slapd gets
bombarded by a burst of operations (from several different clients) on
existing connections (well under the max number of connections, about
3000 out of 16384), it suddenly hangs. It's not responsive to any new
connections, and doesn't process operations on existing connections.
Load average is near zero during this time, so it's not doing anything.
After 20 minutes (idletimeout), slapd frees several connections (maybe
say 1000), and resumes working again as if nothing happened.
The load pattern that gets it into this state happens every hour, almost
on the hour (most likely associated with nslcd and cron jobs, which
we're looking to mitigate elsewise). Another strange thing is that slapd
will survive one instance's worth of bombardment without hanging, but
the *next* hour will go into a hang state.
Are there any resources other than file descriptors that are freed up
during the idletimeout processing? Are there any other parameters that
can be tuned besides idletimeout here? Could it possibly be a case of
deadlock somewhere, something grabbing all the locks? Would things like
set_lk_max_locks be relevant to investigate here? Any log level settings
that might reveal more of what's happening here?
Thanks for any suggestions on things to look at and try.
-Kartik
11 years, 9 months