Re: Issue with index in OpenLDAP?
by External Mathieu DEDECKER (CAMPUS)
I will read the man page in order to have more information about the
command.
I tried to reindex all the indexes of the database with the slapindex
command, but I always get the same behaviour:
Request1: cardnumber=2098001010034 (less than 1sec)
Request2: cardnumber=2090389917486 (nearly 20 sec).
The other .bdb files' sizes have been updated, but my "cardnumber.bdb" still
has the same size.
Regards,
Mathieu
2012/1/4 Quanah Gibson-Mount <quanah(a)zimbra.com>
> Hi Mathieu,
>
> If you read the slapindex man page, it is possible to just recreate a
> specific index file (for situations like this), rather than generating all
> of them.
>
> --Quanah
>
>
> --On Wednesday, January 04, 2012 10:39 AM +0100 "External Mathieu DEDECKER
> (CAMPUS)" <external.z02mdebe(a)oxylane.com> wrote:
>
> Hello Quanah,
>>
>> First I would like to thank you for your answer.
>>
>> Indeed, I also think that the "cardnumber" index is somehow corrupted.
>> Its size is too small in comparison to the other indexes.
>>
>> We removed all existing indexes and used slapindex to re-create them all.
>>
>> It's ongoing.
>>
>> I will keep you informed about the solution.
>>
>> Best Regards,
>>
>> Mathieu
>>
>>
>> 2012/1/3 Quanah Gibson-Mount <quanah(a)zimbra.com>
>>
>>
>> --On Friday, December 23, 2011 11:27 AM +0100 "External Mathieu DEDECKER
>> (CAMPUS)" <external.z02mdebe(a)oxylane.com> wrote:
>>
>>
>> Hi @All,
>>
>> We are having a performance problem with our OpenLDAP.
>>
>> We think that we face a problem with the index of the database, and we
>> think that the problem can be resolved by tuning the config (but not
>> sure).
>>
>> We would like to be sure that our configuration is correct, in order to
>> confirm if we are on a wrong track or not.
>>
>> [Description]
>>
>> We have an attribute (cardNumber) which is indexed.
>>
>> When we request the indexed attribute (cardNumber) with an LDAP Client
>> (Ldapbrowser), we have either fast or very long response times.
>>
>> For the long response time, the CPU of the server hits 100%.
>>
>> For example:
>>
>> Request1: cardnumber=2098001010034 (less than 1sec)
>> Request2: cardnumber=2090389917486 (nearly 20 sec).
>>
>> By checking the hit ratio of the attribute, we can see that cache is
>> correctly used (97%).
>>
>>
>> It sounds like you added an index to cardnumber after there was already
>> data for cardnumber in your database, and didn't run slapindex for that
>> attribute. Alternatively, your cardnumber.bdb file is corrupted.
>>
>> --Quanah
>>
>>
>> --
>>
>> Quanah Gibson-Mount
>> Sr. Member of Technical Staff
>> Zimbra, Inc
>> A Division of VMware, Inc.
>> --------------------
>> Zimbra :: the leader in open source messaging and collaboration
>>
>>
>>
11 years, 10 months
TLS issue (again)
by Olivier
I had to renew my openssl certificates and now my ldap tls negotiation
doesn't work anymore:
$ ldapsearch -ZZ -D uid=guillard,ou=staff,ou=people,dc=example,dc=fr
-W uid=guillard -h ldap2.th3.example.fr
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Unknown code ___f 20
Here are the server configuration relevant directives :
olcTLSCACertificateFile /etc/openldap/cacerts/CA.crt
olcTLSCertificateFile /etc/openldap/cacerts/server.crt
olcTLSCertificateKeyFile /etc/openldap/cacerts/server.key
olcTLSCipherSuite HIGH
(see at the very end of this mail: these certificates are correct since I have
successfully performed openssl connection tests).
and here are the logs collected on the server side when receiving the ldapsearch
request:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
>>> slap_listener(ldap://ldap2.th3.example.fr:389)
daemon: listen=7, new connection on 15
daemon: added 15r (active) listener=(nil)
conn=1003 fd=15 ACCEPT from IP=10.10.86.93:41013 (IP=10.1.92.25:389)
daemon: activity on 2 descriptors
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1003
connection_read(15): checking for input on id=1003
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x7f272017aa70 ptr=0x7f272017aa70 end=0x7f272017aa8d len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
op tag 0x77, time 1325683329
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=1003 op=0 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f272017aa70 ptr=0x7f272017aa73 end=0x7f272017aa8d len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
conn=1003 op=0 STARTTLS
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush2: 14 bytes to sd 15
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
conn=1003 op=0 RESULT oid= err=0 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1003
connection_read(15): checking for input on id=1003
tls_read: want=3, got=3
0000: 80 3a 01 .:.
tls_read: want=57, got=57
0000: 03 01 00 21 00 00 00 10 00 00 35 00 00 04 00 00 ...!......5.....
0010: 05 00 00 2f 00 00 0a 00 00 09 00 00 64 00 00 62 .../........d..b
0020: 00 00 03 00 00 06 00 00 ff 70 1e 75 15 46 04 b3 .........p.u.F..
0030: 16 ed d1 87 1c 77 58 06 48 .....wX.H
tls_write: want=2157, written=2157
0000: 16 03 01 08 68 02 00 00 4d 03 01 4f 04 52 81 3c ....h...M..O.R.<
0010: c6 b8 b6 8a d8 4a 75 83 a7 fc 09 13 2c c8 d4 d4 .....Ju.....,...
0020: ce e7 12 73 80 bc 42 f6 f2 05 de 20 6c db 35 d1 ...s..B.... l.5.
0030: e0 2b bb 93 a4 c2 8c 82 df 51 58 0a 93 e6 c9 ff .+.......QX.....
0040: 10 0d 92 08 6c 96 3e f8 92 aa d8 83 00 35 00 00 ....l.>......5..
0050: 05 ff 01 00 01 00 0b 00 06 d3 00 06 d0 00 02 e3 ................
0060: 30 82 02 df 30 82 01 c7 02 09 00 a6 1d 1f 28 63 0...0.........(c
0070: 5e 6a 57 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 ^jW0...*.H......
0080: 05 00 30 81 87 31 0b 30 09 06 03 55 04 06 13 02 ..0..1.0...U....
0090: 66 72 31 0f 30 0d 06 03 55 04 08 0c 06 66 72 61 fr1.0...U....fra
00a0: 6e 63 65 31 11 30 0f 06 03 55 04 07 0c 08 6d 6f nce1.0...U....mo
00b0: 6e 74 69 67 6e 79 31 0e 30 0c 06 03 55 04 0a 0c ntigny1.0...U...
00c0: 05 61 66 6e 69 63 31 0d 30 0b 06 03 55 04 0b 0c .example1.0...U...
00d0: 04 6c 64 61 70 31 0d 30 0b 06 03 55 04 03 0c 04 .ldap1.0...U....
00e0: 6c 64 61 70 31 26 30 24 06 09 2a 86 48 86 f7 0d ldap1&0$..*.H...
00f0: 01 09 01 16 17 6f 6c 69 76 69 65 72 2e 67 75 69 .....olivier.gui
0100: 6c 6c 61 72 64 40 6e 69 63 2e 66 72 30 1e 17 0d llard(a)example.fr0...
0110: 31 31 31 32 32 39 31 35 33 39 35 38 5a 17 0d 32 111229153958Z..2
0120: 31 30 37 32 39 31 35 33 39 35 38 5a 30 81 a2 31 10729153958Z0..1
0130: 0b 30 09 06 03 55 04 06 13 02 66 72 31 0f 30 0d .0...U....fr1.0.
0140: 06 03 55 04 08 0c 06 66 72 61 6e 63 65 31 11 30 ..U....france1.0
0150: 0f 06 03 55 04 07 0c 08 6d 6f 6e 74 69 67 6e 79 ...U....myplace
0160: 31 0e 30 0c 06 03 55 04 0a 0c 05 61 66 6e 69 63 1.0...U....example
0170: 31 0d 30 0b 06 03 55 04 0b 0c 04 6c 64 61 70 31 1.0...U....ldap1
0180: 28 30 26 06 03 55 04 03 0c 1f 6c 64 61 70 32 2e (0&..U....ldap2.
0190: 64 61 74 61 62 61 73 65 2e 70 72 69 76 65 2e 74 t
01a0: 68 33 2e 6e 69 63 2e 66 72 31 26 30 24 06 09 2a h3.example.fr1&0$..*
01b0: 86 48 86 f7 0d 01 09 01 16 17 4f 6c 69 76 69 65 .H........Olivie
01c0: 72 2e 47 75 69 6c 6c 61 72 64 40 6e 69 63 2e 66 r.Guillard(a)example.f
01d0: 72 30 5c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 r0\0...*.H......
01e0: 05 00 03 4b 00 30 48 02 41 00 bf 72 68 cc 54 9d ...K.0H.A..rh.T.
01f0: 10 d3 8b c0 4a 1b 5c 90 d6 03 7a 41 5e 05 6f 8d ....J.\...zA^.o.
0200: cc 2d 61 31 7b 94 0f c2 f7 c1 51 8a 4f d5 59 89 .-a1{.....Q.O.Y.
0210: 51 79 87 3f fa c3 5f af 30 8c 87 f8 ca be bb 0b Qy.?.._.0.......
0220: 28 8c d5 4a 3a 73 b5 a9 e3 d9 02 03 01 00 01 30 (..J:s.........0
0230: 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 82 ...*.H..........
0240: 01 01 00 c0 3c 2a 0a d4 af 13 24 b5 2a 2b e3 cd ....<*....$.*+..
0250: 0f 57 f6 86 99 e1 ae ba d7 b2 87 4e 02 a6 d6 a3 .W.........N....
0260: 7d 9f 7b 89 03 61 ac b6 40 9e 93 ca 8d 3a d4 95 }.{..a..@....:..
0270: 7a 48 e2 9a 01 2f ed 3d 2b c3 96 41 c0 58 39 cf zH.../.=+..A.X9.
0280: 52 a2 db 08 78 85 c4 85 17 08 d8 11 62 60 8e d0 R...x.......b`..
0290: b5 61 71 fe 83 d5 94 9d f2 42 1d b5 56 bd fa 67 .aq......B..V..g
02a0: db 8e bf 09 af ef e3 b0 c8 0a f1 38 8b bf 59 75 ...........8..Yu
02b0: 6a 21 01 c0 0b 8c cf 87 20 d2 2f d9 89 a0 37 11 j!...... ./...7.
02c0: a0 62 6a a1 32 4b ff e4 cf 30 4c 8f 8e ef d2 51 .bj.2K...0L....Q
02d0: ec cc d1 fc 21 43 58 5e 09 40 8b bf ca bb fc 4f ....!CX^.@.....O
02e0: d1 d4 e9 cf 80 8f b1 af 72 d0 ff c1 d7 52 f3 4b ........r....R.K
02f0: e3 85 69 ef e9 36 6e 4d 54 13 d2 bd 3b 93 ad ed ..i..6nMT...;...
0300: 6e 36 cc 4f e6 b9 c5 01 1e 86 c8 88 aa de a6 7b n6.O...........{
0310: c1 99 9a 3f c5 69 9e af e0 94 6e ba 51 5b ec 2a ...?.i....n.Q[.*
0320: 2c aa 09 ff 4a 27 15 96 ad 9f b0 5c f0 c4 9c 34 ,...J'.....\...4
0330: 53 32 03 1c d4 e2 dd b8 96 88 d2 5d b2 c6 e1 5e S2.........]...^
0340: 32 ba 81 00 03 e7 30 82 03 e3 30 82 02 cb a0 03 2.....0...0.....
0350: 02 01 02 02 09 00 a1 67 1e 44 66 c6 f6 59 30 0d .......g.Df..Y0.
0360: 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 87 ..*.H........0..
0370: 31 0b 30 09 06 03 55 04 06 13 02 66 72 31 0f 30 1.0...U....fr1.0
0380: 0d 06 03 55 04 08 0c 06 66 72 61 6e 63 65 31 11 ...U....france1.
0390: 30 0f 06 03 55 04 07 0c 08 6d 6f 6e 74 69 67 6e 0...U....montign
03a0: 79 31 0e 30 0c 06 03 55 04 0a 0c 05 61 66 6e 69 y1.0...U....afni
03b0: 63 31 0d 30 0b 06 03 55 04 0b 0c 04 6c 64 61 70 c1.0...U....ldap
03c0: 31 0d 30 0b 06 03 55 04 03 0c 04 6c 64 61 70 31 1.0...U....ldap1
03d0: 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01 16 17 &0$..*.H........
03e0: 6f 6c 69 76 69 65 72 2e 67 75 69 6c 6c 61 72 64 olivier.guillard
03f0: 40 6e 69 63 2e 66 72 30 1e 17 0d 31 31 31 32 32 @example.fr0...11122
0400: 39 31 34 31 33 35 35 5a 17 0d 33 31 31 32 32 34 9141355Z..311224
0410: 31 34 31 33 35 35 5a 30 81 87 31 0b 30 09 06 03 141355Z0..1.0...
0420: 55 04 06 13 02 66 72 31 0f 30 0d 06 03 55 04 08 U....fr1.0...U..
0430: 0c 06 66 72 61 6e 63 65 31 11 30 0f 06 03 55 04 ..france1.0...U.
0440: 07 0c 08 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c 06 ...myplace1.0..
0450: 03 55 04 0a 0c 05 61 66 6e 69 63 31 0d 30 0b 06 .U....example1.0..
0460: 03 55 04 0b 0c 04 6c 64 61 70 31 0d 30 0b 06 03 .U....ldap1.0...
0470: 55 04 03 0c 04 6c 64 61 70 31 26 30 24 06 09 2a U....ldap1&0$..*
0480: 86 48 86 f7 0d 01 09 01 16 17 6f 6c 69 76 69 65 .H........olivie
0490: 72 2e 67 75 69 6c 6c 61 72 64 40 6e 69 63 2e 66 r.guillard(a)example.f
04a0: 72 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 r0.."0...*.H....
04b0: 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 .........0......
04c0: 01 00 c8 90 e1 61 d2 28 38 aa 35 a9 21 5b f7 2b .....a.(8.5.![.+
04d0: f2 ed 04 5c 73 03 c5 f8 f9 97 5a 53 3b 39 bf aa ...\s.....ZS;9..
04e0: 20 b8 45 c1 92 2e 27 ea bf b1 78 57 f9 41 a3 b3 .E...'...xW.A..
04f0: 23 11 fc 8d 79 ea 21 a9 01 c0 ce 01 27 e6 0f a6 #...y.!.....'...
0500: 13 8d 12 5c 72 bf ba 60 41 71 76 94 99 da 43 f7 ...\r..`Aqv...C.
0510: e0 f9 b4 2f e7 25 7c 36 4f e9 4f dc 18 26 a9 7c .../.%|6O.O..&.|
0520: ad 98 2a 9c 91 16 76 41 31 1e 5d dd 81 2a b9 38 ..*...vA1.]..*.8
0530: ec 91 5c 91 11 03 fb 14 7d 59 d5 49 6d 32 42 c7 ..\.....}Y.Im2B.
0540: 66 73 58 b0 fb 02 b4 a0 4d 3e e3 3c ab ff 8c 42 fsX.....M>.<...B
0550: 83 51 b5 51 b7 19 71 61 f8 39 5c b7 8d 1a 70 97 .Q.Q..qa.9\...p.
0560: 69 5d e6 47 9e 7e ae ec 5c 7c be 73 7b d0 df df i].G.~..\|.s{...
0570: a7 53 6d a8 d3 d3 f6 7e e6 2f 13 3e c5 80 e6 f2 .Sm....~./.>....
0580: fe 2a cc d4 1e 4d 3d 6a bc b0 a9 fa a5 51 12 31 .*...M=j.....Q.1
0590: 0e 41 2d 7a 8a 52 de 66 bd 3b 0c ef fa 9b fe 82 .A-z.R.f.;......
05a0: df ad 1c 7f d9 53 4b c0 db fe f3 e6 b9 3d ea 5d .....SK......=.]
05b0: 66 7f fb 14 41 b5 0a e7 70 11 4e 5d 80 69 04 bd f...A...p.N].i..
05c0: 9e 97 02 03 01 00 01 a3 50 30 4e 30 1d 06 03 55 ........P0N0...U
05d0: 1d 0e 04 16 04 14 24 05 af 2a 63 a4 0b 0f ae a4 ......$..*c.....
05e0: e2 2c e9 13 40 5a 8b d7 a4 41 30 1f 06 03 55 1d .,..@Z...A0...U.
05f0: 23 04 18 30 16 80 14 24 05 af 2a 63 a4 0b 0f ae #..0...$..*c....
0600: a4 e2 2c e9 13 40 5a 8b d7 a4 41 30 0c 06 03 55 ..,..@Z...A0...U
0610: 1d 13 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 ....0....0...*.H
0620: 86 f7 0d 01 01 05 05 00 03 82 01 01 00 57 2d 0a .............W-.
0630: d5 88 d0 98 2b 9e f9 d7 bc e6 82 08 65 25 d9 65 ....+.......e%.e
0640: 84 98 e3 da a3 36 a1 6f 40 3b d0 d8 16 3d 48 06 .....6.o@;...=H.
0650: 6c ee 99 fd b6 4c f3 3b 10 50 bb 71 97 6e 4d e0 l....L.;.P.q.nM.
0660: 77 48 57 5b db d1 e6 ca c8 80 79 d0 f5 17 94 5d wHW[......y....]
0670: 11 93 07 74 8b 5c 4b b1 ad 45 1f 5a 2c d9 6e e8 ...t.\K..E.Z,.n.
0680: d4 7a e4 99 e7 ba 86 36 93 1d 4c 0e 9b 13 4d ef .z.....6..L...M.
0690: 25 72 7b ae b0 f1 95 c0 17 dc 4a c0 ed 04 b5 54 %r{.......J....T
06a0: 98 90 47 2f dc f0 1c 5a ca b0 2e 0d ee 58 14 e8 ..G/...Z.....X..
06b0: 2c d0 cd a8 d9 2c ae 2f 65 81 89 70 af f9 d8 01 ,....,./e..p....
06c0: 1b 14 ae 63 1d 90 af 3d 29 71 7d 74 4a e8 7a e5 ...c...=)q}tJ.z.
06d0: ed a0 fb 9b ce 1d 5a e2 82 7e c4 bc 97 88 e7 06 ......Z..~......
06e0: 66 86 77 23 85 29 2c b1 28 72 8c af a5 51 96 b1 f.w#.),.(r...Q..
06f0: d5 dc 51 62 bd 2d e6 8f 4c 22 24 4e e1 c6 a3 64 ..Qb.-..L"$N...d
0700: 40 fc e9 d8 6d b1 48 d8 80 10 3a 6a bc 35 06 d9 @...m.H...:j.5..
0710: 4c e8 4c e6 66 82 9d fd a9 a2 9f 3e 13 37 c0 52 L.L.f......>.7.R
0720: 3f c3 15 e1 3e 9c 05 67 b2 11 0d 38 a4 0d 00 01 ?...>..g...8....
0730: 38 02 01 02 01 33 00 8a 30 81 87 31 0b 30 09 06 8....3..0..1.0..
0740: 03 55 04 06 13 02 66 72 31 0f 30 0d 06 03 55 04 .U....fr1.0...U.
0750: 08 0c 06 66 72 61 6e 63 65 31 11 30 0f 06 03 55 ...france1.0...U
0760: 04 07 0c 08 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c ....myplace1.0.
0770: 06 03 55 04 0a 0c 05 61 66 6e 69 63 31 0d 30 0b ..U....example1.0.
0780: 06 03 55 04 0b 0c 04 6c 64 61 70 31 0d 30 0b 06 ..U....ldap1.0..
0790: 03 55 04 03 0c 04 6c 64 61 70 31 26 30 24 06 09 .U....ldap1&0$..
07a0: 2a 86 48 86 f7 0d 01 09 01 16 17 6f 6c 69 76 69 *.H........olivi
07b0: 65 72 2e 67 75 69 6c 6c 61 72 64 40 6e 69 63 2e er.guillard@example.
07c0: 66 72 00 a5 30 81 a2 31 0b 30 09 06 03 55 04 06 fr..0..1.0...U..
07d0: 13 02 66 72 31 0f 30 0d 06 03 55 04 08 0c 06 66 ..fr1.0...U....f
07e0: 72 61 6e 63 65 31 11 30 0f 06 03 55 04 07 0c 08 rance1.0...U....
07f0: 6d 6f 6e 74 69 67 6e 79 31 0e 30 0c 06 03 55 04 myplace1.0...U.
0800: 0a 0c 05 61 66 6e 69 63 31 0d 30 0b 06 03 55 04 ...example1.0...U.
0810: 0b 0c 04 6c 64 61 70 31 28 30 26 06 03 55 04 03 ...ldap1(0&..U..
0820: 0c 1f 6c 64 61 70 32 2e 64 61 74 61 62 61 73 65 ..ldap2.
0830: 2e 70 72 69 76 65 2e 74 68 33 2e 6e 69 63 2e 66 .th3.example.fr
0840: 72 31 26 30 24 06 09 2a 86 48 86 f7 0d 01 09 01 1&0$..*.H.......
0850: 16 17 4f 6c 69 76 69 65 72 2e 47 75 69 6c 6c 61 .Olivier.Guilla
0860: 72 64 40 6e 69 63 2e 66 72 0e 00 00 00 rd(a)example.fr....
tls_read: want=5 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1003
connection_read(15): checking for input on id=1003
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS: error: accept - force handshake failure: errno 11 - moznss error -12195
TLS: can't accept: TLS error -12195:Unknown code ___P 93.
connection_read(15): TLS accept failure error=-1 id=1003, closing
connection_closing: readying conn=1003 sd=15 for close
connection_close: conn=1003 sd=15
daemon: removing 15
conn=1003 fd=15 closed (TLS negotiation failure)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
^Cdaemon: shutdown requested and initiated.
daemon: closing 7
connection_closing: readying conn=1000 sd=13 for close
connection_close: conn=1000 sd=13
daemon: removing 13
conn=1000 fd=13 closed (slapd shutdown)
As far as I can see it doesn't look like
[root@ldap2 cacerts]# openssl s_server -accept 5555 -key
/etc/openldap/cacerts/server.key -cert
/etc/openldap/cacerts/server.crt -state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMBBAIAOQQABDB88nXC0TcyHgrQcZ+51a/16Nw874VzV1cEEkOMwfSy
VCIJ8jOiylXmk2gHkAK7y6OhBgIETwRP56IEAgIBLKQGBAQBAAAAqwMEAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AES256-SHA:CAMELLIA256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is DHE-RSA-AES256-SHA
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED
ACCEPT
[guillard@fouine ~]$ openssl s_client -CAfile
/etc/openldap/cacerts/CA.crt -connect ldap2.th3.example.fr:5555
CONNECTED(00000003)
depth=1 C = fr, ST = france, L = myplace, O = example, OU = ldap, CN =
ldap, emailAddress = olivier.guillard(a)example.fr
verify return:1
depth=0 C = fr, ST = france, L = myplace, O = example, OU = ldap, CN =
ldap2.th3.example.fr, emailAddress = Olivier.Guillard(a)example.fr
verify return:1
---
Certificate chain
0 s:/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap2.th3.example.fr/emailAddress=Olivier.Guillard@example.fr
i:/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap/emailAddress=olivier.guillard@example.fr
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap2.th3.example.fr/emailAddress=Olivier.Guillard(a)example.fr
issuer=/C=fr/ST=france/L=myplace/O=example/OU=ldap/CN=ldap/emailAddress=olivier.guillard(a)example.fr
---
No client certificate CA names sent
---
SSL handshake has read 1265 bytes and written 247 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: DBCDE5CD6EB4D7FF8C38DD1557CA90EDBEDDCB27600CFA4D1FD9D58388A11EBE
Session-ID-ctx:
Master-Key:
7CF275C2D137321E0AD0719FB9D5AFF5E8DC3CEF857357570412438CC1F4B2542209F233A2CA55E69368079002BBCBA3
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - c2 bb 20 23 85 0a cf b0-bc b2 6d cd 4b d2 32 0e .. #......m.K.2.
0010 - 6f 51 29 7f 3a 44 c3 95-76 c2 c6 23 e5 8d 98 3c oQ).:D..v..#...<
0020 - 7a b9 eb 6b 8e d1 c5 c4-57 74 26 34 4c db ec fe z..k....Wt&4L...
0030 - a9 3b 77 12 fb 74 67 fb-57 f1 8f 2a 71 d3 a6 ae .;w..tg.W..*q...
0040 - 17 48 9e bf 7d 94 1f c3-d4 02 6e 7f 27 07 f4 d6 .H..}.....n.'...
0050 - 98 6f 24 6c f9 63 b7 4c-cd ce d8 85 e5 be 3e fd .o$l.c.L......>.
0060 - 65 a2 1b 36 cc 26 76 3b-d3 f6 cf e1 f9 a7 c3 c2 e..6.&v;........
0070 - 2f fe 8f 3c 7c d1 0f 58-43 be d7 a5 64 69 04 91 /..<|..XC...di..
0080 - cb 68 08 82 fe 8d 9d 4e-1b 0f 96 27 59 5e d8 76 .h.....N...'Y^.v
0090 - be 44 01 6d 53 2e 9e 67-22 07 35 d1 6f a4 80 e1 .D.mS..g".5.o...
Compression: 1 (zlib compression)
Start Time: 1325682663
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
^C
11 years, 10 months
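Reading the trace above: the two `tls_read` chunks just before the failure are one TLS record, `15 03 01 00 02` followed by `02 30`, that is an alert record (type 0x15), level 2 (fatal), description 48 = unknown_ca. It is the client refusing the issuer of the server certificate, not the server failing on its own key. The NSS error codes in the log say the same thing: -8172 on the client is SEC_ERROR_UNTRUSTED_ISSUER (the issuer was found in the client's store but is not marked trusted), and -12195 on the server is SSL_ERROR_UNKNOWN_CA_ALERT; the "Unknown code ___f 20" and "___P 93" strings are those two codes' offsets from the NSS error bases, printed because libldap could not map them to text. The `openssl s_client` test on port 5555 passes because it is given `-CAfile` explicitly; the MozNSS-based libldap on the client reads its own trust store (TLS_CACERT / TLS_CACERTDIR in the client's ldap.conf) instead, and that is where a renewed CA most often fails to arrive. The script below is an added example, not part of the original post: it decodes the alert bytes from the log and re-checks the renewed certificates from both ends. The host and file paths are the ones from the post; where the client's copy of the CA lives is an assumption.

```sh
#!/bin/sh
# Decode the alert the client sent in the slapd trace and re-check the renewed
# certificates from both ends. Added example, not part of the original post.
# SERVER/CA/CERT are the values from the post; the client CA path is assumed.
set -eu

SERVER=${SERVER:-ldap2.th3.example.fr}
CA=${CA:-/etc/openldap/cacerts/CA.crt}
CERT=${CERT:-/etc/openldap/cacerts/server.crt}

# TLS AlertDescription values (RFC 5246, section 7.2).
alert_name() {
    case "$1" in
        0)  echo close_notify ;;          10) echo unexpected_message ;;
        20) echo bad_record_mac ;;        40) echo handshake_failure ;;
        42) echo bad_certificate ;;       43) echo unsupported_certificate ;;
        44) echo certificate_revoked ;;   45) echo certificate_expired ;;
        46) echo certificate_unknown ;;   47) echo illegal_parameter ;;
        48) echo unknown_ca ;;            49) echo access_denied ;;
        50) echo decode_error ;;          51) echo decrypt_error ;;
        70) echo protocol_version ;;      71) echo insufficient_security ;;
        80) echo internal_error ;;        *)  echo "unknown($1)" ;;
    esac
}

# decode_tls_alert "15 03 01 00 02 02 30"
# Record header: ContentType 0x15 (alert), version 03 01 (TLS 1.0), length 2.
# Body: AlertLevel (1 warning, 2 fatal) and AlertDescription.
decode_tls_alert() {
    set -- $1                       # split the hex bytes into $1..$n
    [ "$1" = "15" ] || { echo "not an alert record (type 0x$1)"; return 1; }
    [ $# -ge 7 ]    || { echo "truncated alert record"; return 1; }
    level=$((0x$6)); desc=$((0x$7))
    case "$level" in 1) lv=warning ;; 2) lv=fatal ;; *) lv="level$level" ;; esac
    echo "$lv $(alert_name "$desc") ($desc)"
}

# 1. Server side: does server.crt chain to CA.crt, and how strong is its key?
#    The s_client output says "Server public key is 512 bit"; a 512-bit RSA
#    key is factorable and must be regenerated at 2048 bits or more.
check_server_cert() {
    openssl verify -CAfile "$CA" "$CERT"
    openssl x509 -in "$CERT" -noout -subject -issuer -dates
    openssl x509 -in "$CERT" -noout -text | grep -E 'Public-Key|Modulus \('
}

# 2. Client side: unknown_ca is the CLIENT rejecting the server's issuer, so
#    the CA that signed the renewed server.crt must be in the store the
#    client's libldap reads (TLS_CACERT / TLS_CACERTDIR in ldap.conf or
#    ~/.ldaprc; LDAPTLS_CACERT overrides it for one run). Retry StartTLS with
#    the renewed CA passed explicitly: if this works, the client config is stale.
retry_starttls() {
    LDAPTLS_CACERT=$1 ldapsearch -ZZ -x -H "ldap://$SERVER" -b '' -s base -d 1 \
        namingContexts
}

# Usage:
#   decode_tls_alert "15 03 01 00 02 02 30"    # -> fatal unknown_ca (48)
#   check_server_cert
#   retry_starttls /path/to/renewed/CA.crt     # path is an assumption
```

If `retry_starttls` succeeds with the renewed CA but the plain `ldapsearch -ZZ` still fails, the fix is on the client: update the file or NSS certificate directory that TLS_CACERT / TLS_CACERTDIR points to. The 512-bit server key is a separate problem from the trust failure and should be replaced while the certificates are being reissued anyway.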
Re: slapd-ldap as proxy to active directory
by Juan Miscaro
On 14 December 2011 17:44, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, December 14, 2011 3:40 PM -0500 Juan Miscaro
> <jmiscaro(a)gmail.com> wrote:
>> I would like to use the slapd-ldap backend as a proxy to Active
>> Directory (Windows Server 2008 R2).
>>
>> Firstly, AD can be queried directly:
> Does your local OpenLDAP have a schema file that defines the AD attributes
> you are using?
No. I read that since OpenLDAP 2.3 this was not necessary (I'm
running 2.4.25 on Ubuntu 11.10). I got my project from a tutorial [1]
where this all worked.
[1]: http://is.gd/dqM1Ts (see section "Using OpenLDAP 2.3 to Pass
Unknown Schema" on page 2)
--
/jm
11 years, 10 months
Re: Issue with index in OpenLDAP?
by Quanah Gibson-Mount
Hi Mathieu,
If you read the slapindex man page, it is possible to just recreate a
specific index file (for situations like this), rather than generating all
of them.
--Quanah
--On Wednesday, January 04, 2012 10:39 AM +0100 "External Mathieu DEDECKER
(CAMPUS)" <external.z02mdebe(a)oxylane.com> wrote:
> Hello Quanah,
>
> First I would like to thank you for your answer.
>
> Indeed, I also think that the "cardnumber" index is somehow corrupted.
> Its size is too small in comparison to the other indexes.
>
> We removed all existing indexes and used slapindex to re-create them all.
>
> It's ongoing.
>
> I will keep you informed about the solution.
>
> Best Regards,
>
> Mathieu
>
>
> 2012/1/3 Quanah Gibson-Mount <quanah(a)zimbra.com>
>
>
> --On Friday, December 23, 2011 11:27 AM +0100 "External Mathieu DEDECKER
> (CAMPUS)" <external.z02mdebe(a)oxylane.com> wrote:
>
>
> Hi @All,
>
> We are having a performance problem with our OpenLDAP.
>
> We think that we face a problem with the index of the database, and we
> think that the problem can be resolved by tuning the config (but not
> sure).
>
> We would like to be sure that our configuration is correct, in order to
> confirm if we are on a wrong track or not.
>
> [Description]
>
> We have an attribute (cardNumber) which is indexed.
>
> When we request the indexed attribute (cardNumber) with an LDAP Client
> (Ldapbrowser), we have either fast or very long response times.
>
> For the long response time, the CPU of the server hits 100%.
>
> For example:
>
> Request1: cardnumber=2098001010034 (less than 1sec)
> Request2: cardnumber=2090389917486 (nearly 20 sec).
>
> By checking the hit ratio of the attribute, we can see that cache is
> correctly used (97%).
>
>
> It sounds like you added an index to cardnumber after there was already
> data for cardnumber in your database, and didn't run slapindex for that
> attribute. Alternatively, your cardnumber.bdb file is corrupted.
>
> --Quanah
>
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 10 months
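Quanah's advice in a runnable form, as an added example that is not code from the thread: the script rebuilds only the named attribute's index with slapindex, runs it as the slapd user with slapd stopped, and compares the size of the .bdb file before and after, which is exactly the check that flags the unchanged cardnumber.bdb reported earlier in the thread. It also dumps the olcDbIndex configuration first, because a filter such as (cardNumber=2090389917486) can only use an equality ("eq") index; if the attribute is not listed there, slapindex has nothing to rebuild. The cn=config directory, suffix, database directory and service user are assumptions for a RHEL-style install, not values from the thread.

```sh
#!/bin/sh
# Rebuild ONE attribute index of a back-bdb/back-hdb database with slapindex
# and check that the index file really changed. Added example, not code from
# the thread. Paths, suffix and the service user are assumptions for a
# RHEL-style cn=config install; adjust them to the host.
set -eu

CONFDIR=${CONFDIR:-/etc/openldap/slapd.d}   # -F: cn=config directory
SUFFIX=${SUFFIX:-dc=example,dc=com}         # -b: which database to touch
DBDIR=${DBDIR:-/var/lib/ldap}               # olcDbDirectory of that database
LDAP_USER=${LDAP_USER:-ldap}                # user slapd runs as

# back-bdb/hdb keeps one file per indexed attribute, <attribute>.bdb, named
# after the attribute as defined in the schema (the thread's cardnumber.bdb).
index_file() {
    printf '%s/%s.bdb\n' "$DBDIR" "$1"
}

# The slapindex invocation: naming attributes on the command line restricts
# the rebuild to those indexes instead of regenerating all of them. -q skips
# the consistency checks, which is acceptable right after a clean slapd stop.
slapindex_cmd() {
    printf 'slapindex -F %s -b %s -q %s\n' "$CONFDIR" "$SUFFIX" "$*"
}

# Sanity check before rebuilding: is the attribute indexed at all, and with
# "eq"? An equality filter cannot use a pres/sub-only index.
show_index_config() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
        "(olcSuffix=$SUFFIX)" olcDbIndex
}

reindex_attr() {
    attr=$1
    file=$(index_file "$attr")

    # slapindex must never run against a database slapd currently has open.
    if pgrep -x slapd >/dev/null; then
        echo "stop slapd first (service slapd stop)" >&2
        return 1
    fi

    before=$( [ -f "$file" ] && wc -c <"$file" || echo 0 )
    # Run as the slapd user so the rebuilt .bdb files are not owned by root;
    # root-owned index files are a classic reason slapd fails to start later.
    su -s /bin/sh "$LDAP_USER" -c "$(slapindex_cmd "$attr")"
    after=$(wc -c <"$file")

    echo "$file: $before -> $after bytes"
    # The symptom from the thread: an unchanged size after a rebuild means the
    # index was not written (wrong -b/-F, or the attribute is not in olcDbIndex).
    [ "$after" != "$before" ] || echo "warning: index file size did not change" >&2
}

# Compare the fast and slow lookups from the thread once slapd is back up;
# both should now complete in well under a second.
time_lookup() {
    time ldapsearch -LLL -x -H ldap://localhost -b "$SUFFIX" "(cardNumber=$1)" dn
}

# Usage (as root, with slapd stopped):
#   show_index_config
#   reindex_attr cardNumber
#   service slapd start
#   time_lookup 2098001010034; time_lookup 2090389917486
```

The equality-vs-full-scan distinction is what the 100% CPU in the original report points at: without a usable index entry, slapd has to walk all 2.5 million entries for the slow card numbers, while the fast ones are being answered from the index.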
Re: Issue with index in OpenLDAP?
by External Mathieu DEDECKER (CAMPUS)
Hello Quanah,
First I would like to thank you for your answer.
Indeed, I also think that the "cardnumber" index is somehow corrupted. Its
size is too small in comparison to the other indexes.
We removed all existing indexes and used slapindex to re-create them all.
It's ongoing.
I will keep you informed about the solution.
Best Regards,
Mathieu
2012/1/3 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Friday, December 23, 2011 11:27 AM +0100 "External Mathieu DEDECKER
> (CAMPUS)" <external.z02mdebe(a)oxylane.com> wrote:
>
> Hi @All,
>>
>> We are having a performance problem with our OpenLDAP.
>>
>> We think that we face a problem with the index of the database, and we
>> think that the problem can be resolved by tuning the config (but not
>> sure).
>>
>> We would like to be sure that our configuration is correct, in order to
>> confirm if we are on a wrong track or not.
>>
>> [Description]
>>
>> We have an attribute (cardNumber) which is indexed.
>>
>> When we request the indexed attribute (cardNumber) with an LDAP Client
>> (Ldapbrowser), we have either fast or very long response times.
>>
>> For the long response time, the CPU of the server hits 100%.
>>
>> For example:
>>
>> Request1: cardnumber=2098001010034 (less than 1sec)
>> Request2: cardnumber=2090389917486 (nearly 20 sec).
>>
>> By checking the hit ratio of the attribute, we can see that cache is
>> correctly used (97%).
>>
>
> It sounds like you added an index to cardnumber after there was already
> data for cardnumber in your database, and didn't run slapindex for that
> attribute. Alternatively, your cardnumber.bdb file is corrupted.
>
> --Quanah
>
11 years, 10 months
Issue with index in OpenLDAP?
by External Mathieu DEDECKER (CAMPUS)
Hi @All,
We are having a performance problem with our OpenLDAP.
We think that we face a problem with the index of the database, and we
think that the problem can be resolved by tuning the config (but not sure).
We would like to be sure that our configuration is correct, in order to
confirm if we are on a wrong track or not.
*[Description]*
We have an attribute (cardNumber) which is indexed.
When we request the indexed attribute (cardNumber) with an LDAP Client
(Ldapbrowser), we have either fast or very long response times.
For the long response time, the CPU of the server hits 100%.
*For example*:
Request1: cardnumber=2098001010034 (less than 1sec)
Request2: cardnumber=2090389917486 (nearly 20 sec).
By checking the hit ratio of the attribute, we can see that cache is
correctly used (97%).
*[Details]*
- We are running on a RedHat VM with 4 processors and 24 GB RAM.
- The version of the OpenLDAP is 2.4.16.
- We have 2 500 000 accounts.
*[Attachment]*
- *201111223_os.txt* -> information about OS and Hardware.
- *openldap_version.txt* -> information about the version of
OpenLDAP.
- *20111220_stats.txt* -> information about index and perf.
- *olcDatabase={1}hdb.ldif.txt * -> information about hdb config.
Do not hesitate if you need some more information.
Thank you for your help (:
Mathieu
11 years, 11 months
Syncrepl problem
by Bram Cymet
Hi,
I have a syncrepl setup that I thought was working fine because whenever
I would change an attribute in an entry the changes would be reflected
in slave.
Recently I noticed that if I remove an entry or add a new entry, that
will not get synced.
Any idea what would be going on?
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
11 years, 11 months
suggestion regarding updating server and clients
by Götz Reinicke
Hi,
we do run an Red Hat EL 6.x server with the openldap package from Red
Hat currently version 2.4.19-15.el6_0.2. The ldap is used by our mail
and fileserver for authentication.
The last time I updated I had a big problem with the daemon crashing
after some time.
That problem should be solved now in the recent version 2.4.23-20.el6.
My question:
Could I 'mix' the installed version for now, meaning leave the ldap
clients at the current installed version .19 and only update the server
first to version .23 or should / do I have to update all systems to the
same version?
Thanks for any suggestions and best regards, Götz
--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke(a)filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered with the Amtsgericht Stuttgart, HRB 205016
Chairman of the Supervisory Board:
Jürgen Walter MdL
State Secretary in the Ministry of Science,
Research and the Arts of Baden-Württemberg
Managing Director:
Prof. Thomas Schadt
11 years, 11 months
Merging LDAP DB's
by Alex Samad - Yieldbroker
Hi
I would like to merge data from 2 LDAP DB's into 1.
So I have windows 2008R2 AD which has all of our corporate users in there, with passwords. I would like to create another ldap DB for all the non-Windows users.
The aim is to use this LDAP db as a userid/password repo for our product.
So for example, if my AD naming is
ad.com, so that the base
DN is dc=ad,dc=com,
I would like to create an openldap server (say abc.local) on a server and attach another DB as, say, dc=ldap,dc=ad,dc=com
So server abc.local I would setup 2 DB definitions
1) for a local db with base dn dc=ldap,dc=ad,dc=com
2) for a proxy (? Is this the best way or rewrite / proxy ?) with base dn dc=ad,dc=com
Now if I make a ldapsearch using -H abc.local and a base dn of dc=ad,dc=com, will it include information from both DB's ?
All I want to be able to do, is to authenticate people against LDAP but my information need to come from both sources.
I don't want to have to pay a CAL for each user I am going to add and I don't want to have two places to store my company's userids/passwords.
Thanks
Alex
11 years, 11 months
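One way to lay out what Alex describes, as an added example that is not code from the thread: in slapd.conf the local database carries the `subordinate` directive, which makes slapd glue it under the database whose suffix is its superior, here the back-ldap proxy for dc=ad,dc=com. A search based at dc=ad,dc=com is then answered from the local database and from AD together, while binds for DNs under dc=ad,dc=com that are not local are forwarded to AD, so AD keeps checking those passwords and nothing is copied into OpenLDAP. Hostnames, directories, the rootdn and the ACLs are assumptions; hdb is the backend the 2.4 releases of that period used.

```conf
# slapd.conf on abc.local (added example, not from the thread). Assumed: the AD
# domain controller is reachable as dc01.ad.com, local data lives in
# /var/lib/ldap/local, and the local rootdn is cn=admin,dc=ldap,dc=ad,dc=com.
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# 1) Local (non-Windows) users. A subordinate database is declared BEFORE the
#    database it is glued into, and its suffix must sit below the superior's.
database    hdb
suffix      "dc=ldap,dc=ad,dc=com"
rootdn      "cn=admin,dc=ldap,dc=ad,dc=com"
rootpw      {SSHA}replace-with-slappasswd-output
directory   /var/lib/ldap/local
index       objectClass,uid eq
subordinate
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none

# 2) The rest of dc=ad,dc=com is proxied to Active Directory. Because of the
#    subordinate above, a search with base dc=ad,dc=com is run against the
#    local database and forwarded to AD, and the two result sets are merged.
database    ldap
suffix      "dc=ad,dc=com"
uri         "ldap://dc01.ad.com/"
chase-referrals no          # AD hands out referrals (DomainDnsZones etc.)
# Simple binds from clients are forwarded to AD with the client's own DN and
# password. AD refuses anonymous searches, so clients must either bind with
# an AD identity or the proxy needs a service account via idassert-bind
# (see slapd-ldap(5)); a CAL question for that account is one for Microsoft.
```

Two checks worth running after restart: `ldapsearch -x -H ldap://abc.local -b dc=ad,dc=com -s one dn` should list both the AD top-level containers and `dc=ldap,dc=ad,dc=com`, and a bind as a local user and as an AD user (`ldapwhoami -x -H ldap://abc.local -D <dn> -W`) should each succeed against the right backend. Use ldaps:// or StartTLS on the proxy leg; otherwise the forwarded AD passwords cross the network in clear.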
openldap ssl/tls not getting started
by Jayavant Patil
Hi,
I am using openldap-2.4.19-4.fc12.x86_64 on a fedora 12 machine. I want
to start slapd with ssl/tls enabled. I have followed all the necessary
steps as specified in the admin guide but slapd still does not start
in ssl/tls mode. Whenever I do ldapsearch with the -ZZ option, it shows can't
contact LDAP server (-1).
Can anybody tell me the detailed steps and settings so that I can
match them against the steps I followed?
Server file names are as follows:
/etc/openldap/slapd.conf
/etc/openldap/ldap.conf
/etc/ldap.conf
/etc/nsswitch.conf
Client file names are as follows:
/etc/openldap/ldap.conf
/etc/ldap.conf
/etc/nsswitch.conf
--
Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.
11 years, 11 months