Re: Fwd: Root cause: Strange OpenLdap performance issue
by Michele Mase'
Is it really bad? Is it buggy? Since Red Hat has its own LDAP 389 dir. server, I suppose they don't care about OpenLDAP, do they?
Michele Masè
On Mon, May 21, 2012 at 6:33 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Sunday, May 20, 2012 2:13 PM +0200 Michele Mase' <michele.mase(a)gmail.com> wrote:
>
>> Tx for the suggestion! We plan to migrate where possible to rhel6, that
>> has included the 2.4.x openldap (and the possibility of hot adding ram
>> and cpu in VM env). We have already tested a multi-master conf. that
>> works fine.
>>
>
> Using the OpenLDAP included with RHEL6 is a terrible idea. If you want to
> use OpenLDAP as a server, then build it yourself, or use packages from any
> of the numerous other sites that will build it out for you, so that you can
> stay current. Distro packages are in general only for using the client
> libraries.
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 6 months
Migrating from slapd 2.3 to 2.4
by Bobby Krupczak
Hi!
I'm finally updating my file/ldap server and am struggling with
converting my 2.3 slapd.conf file to 2.4 ldif format.
My plan to upgrade was:
- dump my old ldap db to a single ldif file
- convert slapd.conf using slaptest
- connect to slapd using an ldap browser and import my old db via the ldif file I created
Is this an appropriate approach that will work? Am I missing
something?
I ran the slaptest program on my old slapd.conf file and generated a
slew of configs under slapd.d.
However, I'm now running into an error when I try to start slapd.
slapd[4320]: config error processing cn={1}core,cn=schema,cn=config:
olcAttributeTypes: Duplicate attributeType: "2.5.4.2"
slaptest: bad configuration file!
systemd[1]: PID file /var/run/slapd.pid not readable (yet?) after start.
I saw via google where the attribute is duplicated but I never could
find how to edit/modify the configs to remove the duplicate entry.
Any ideas how to remove this duplicate entry?
Thanks,
Bobby
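The slaptest error above names an OID ("2.5.4.2") but not which generated schema entries define it. The following is an added example, not from the post or the OpenLDAP project: it unfolds the LDIF files slaptest writes under slapd.d (the `/etc/openldap/slapd.d/cn=config/cn=schema` path and the sample entries are assumptions) and reports every attributeType OID that appears in more than one olcAttributeTypes value, with the files involved.

```python
import re
from collections import defaultdict
from pathlib import Path

# Leading OID of a schema definition, e.g. "( 2.5.4.2 NAME ..." -> 2.5.4.2
OID_RE = re.compile(r"^\(\s*([0-9.]+)")


def unfold_ldif(text):
    """Join LDIF continuation lines (a wrapped line starts with one space)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def attribute_oids(ldif_text):
    """Return [(oid, definition)] for every olcAttributeTypes value."""
    found = []
    for line in unfold_ldif(ldif_text):
        if line.startswith("olcAttributeTypes:"):
            # drop the X-ORDERED {n} prefix before looking for the OID
            value = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())
            m = OID_RE.match(value)
            if m:
                found.append((m.group(1), value))
    return found


def find_duplicates(files):
    """files: iterable of (name, ldif_text) -> {oid: [(name, definition), ...]}
    for every OID defined in more than one olcAttributeTypes value."""
    seen = defaultdict(list)
    for name, text in files:
        for oid, definition in attribute_oids(text):
            seen[oid].append((name, definition))
    return {oid: defs for oid, defs in seen.items() if len(defs) > 1}


def scan_schema_dir(schema_dir="/etc/openldap/slapd.d/cn=config/cn=schema"):
    paths = sorted(Path(schema_dir).glob("*.ldif"))  # assumed slapd.d layout
    return find_duplicates((p.name, p.read_text()) for p in paths)


# Constructed sample: two entries both define 2.5.4.2 (the OID in the error above);
# the "local" entry and the 1.3.6.1.4.1.99999.1 OID are made up for illustration.
SAMPLE_FILES = [
    ("cn={1}core.ldif", "dn: cn={1}core,cn=schema,cn=config\n"
     "olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: kno\n"
     " wledge information' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"),
    ("cn={9}local.ldif", "dn: cn={9}local,cn=schema,cn=config\n"
     "olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
     "olcAttributeTypes: {1}( 1.3.6.1.4.1.99999.1 NAME 'localAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"),
]
```

Run `scan_schema_dir()` against a real slapd.d to see which two files carry the same OID; the definition text tells you which one is the stray copy.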
11 years, 6 months
RE: Migrating from slapd 2.3 to 2.4
by Quanah Gibson-Mount
--On Monday, May 21, 2012 5:18 PM -0400 "Charles T. Brooks"
<brooksct(a)hbcs.org> wrote:
> I prefer testing and solid evidence rather than trusting to luck. And
> I'm well aware of OpenSSL/NSS issues. But I think our architectures are
> based on different assumptions, Quanah.
>
> I don't use syncrepl. I use slurpd, and I run it without incident for
> years at a time. I am currently feeding OL 2.4 systems (Red Hat 6.2)
> and 2.3 systems (Red Hat 5.x) from a master 2.3 system without issues,
> all using Red Hat packages. Slurpd is more bandwidth efficient than
> syncrepl, and I do not have any of the problems syncrepl was designed to
> solve, so using syncrepl would be a regression for me. I already have
> the ability to sync any or all replicas in minutes if needed, and all my
> applications implement LDAP failover at the client, so I can bring down
> any server any time I wish. Syncrepl offers me nothing. Cn=config
> offers less; it does not yet have all the functions of slapd.conf
> (although I am running it on the 2.4 nodes) and it puts a master
> password in the database, a password which previously was not LDAP
> accessible.
Then your usage vastly differs from the norm, and should not in any way,
shape, or form, be used as a platform for giving advice to people who are
freshly deploying OpenLDAP.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 6 months
size of bdb database, master vs replica
by jehan procaccia
hello
I use syncrepl between my master and replicas
I am surprised by the apparent size of my database (~4000 people entries with jpegphotos of ~10KB each).
on the master I have
# du -sk *.bdb | sort -n
172 gidNumber.bdb
188 uidNumber.bdb
332 memberUid.bdb
772 ou.bdb
812 modifyTimestamp.bdb
1020 givenName.bdb
1204 uid.bdb
1368 dn2id.bdb
1620 sn.bdb
1908 IntEPersInetServ.bdb
2068 objectClass.bdb
2804 eduPersonOrgUnitDN.bdb
2828 eduPersonPrimaryOrgUnitDN.bdb
3064 cn.bdb
3368 schacUserStatus.bdb
6784 mail.bdb
195412 id2entry.bdb
Plus BDB
# du -sk __db* | sort -n
12 __db.001
12 __db.006
464 __db.005
548 __db.004
67540 __db.002
205072 __db.003
but these are shared memory and don't matter, I suppose!?
On the replica I have
# du -sk *.bdb | sort -n
8 cn.bdb
8 dn2id.bdb
8 eduPersonOrgUnitDN.bdb
8 eduPersonPrimaryOrgUnitDN.bdb
8 entryCSN.bdb
8 entryUUID.bdb
8 gidNumber.bdb
8 givenName.bdb
8 IntEPersInetServ.bdb
8 mail.bdb
8 memberUid.bdb
8 modifyTimestamp.bdb
8 objectClass.bdb
8 ou.bdb
8 schacUserStatus.bdb
8 sn.bdb
8 uid.bdb
8 uidNumber.bdb
32 id2entry.bdb
# du -sk __* | sort -n
12 __db.001
12 __db.006
380 __db.005
740 __db.004
7060 __db.002
53860 __db.003
So the sizes of the files are very different, why?
4000 objects with at least 3000 jpegphotos of 10K each seem to fit in a
32K id2entry.bdb, but why then on the master is it at 195412K
id2entry.bdb!?
Thanks.
11 years, 6 months
Re: Fwd: Root cause: Strange OpenLdap performance issue
by Michele Mase'
Tx! We plan to upgrade the system, so we'll use openldap2.4.x. We have more
than 1500 servers and about 50% of them are linux, we must use rhel rpms
(due to our datacenter roles, all the servers should be identical). The
worst thing was that testing with the same db without the index files, all
the results of the query are almost immediate. I'm unable to reproduce the
problem in test environment.
Regards
Michele Masè
On Tue, May 15, 2012 at 6:24 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, May 15, 2012 2:55 PM +0200 Michele Mase' <michele.mase(a)gmail.com> wrote:
>
>> Anyone???????
>>
>>
> OpenLDAP 2.3 has not been supported for several years. Since it stopped
> development, there have been hundreds, if not over a thousand, bug fixes
> and improvements. Furthermore, I'm going to guess that you are running
> RH's build of OpenLDAP 2.3, which was even further behind than the last
> release of OpenLDAP 2.3. Given the information you provided, I would guess
> that there is some bug in the version of BDB that OpenLDAP was linked to
> that caused the error. I would note that at one point RH was linking
> OpenLDAP against BDB version 4.3, despite the fact OpenLDAP's configure
> script explicitly disabled such linking because BDB 4.3 was known to have
> serious issues. If your 2.3 OpenLDAP is linked to BDB 4.3 that could well
> be the cause of your issue.
>
> Beyond that, trying to investigate any further is a waste of everyone's
> time. Upgrade to a modern supported version of OpenLDAP, and build your
> own packages, don't rely on distribution packages.
>
> <http://www.openldap.org/faq/data/cache/1456.html>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 6 months
Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries
by Chris Hiestand
Part 1: Readability
I know you veterans are probably sick to death of us late-comers asking
questions about cn=config. I understand but please hear me out because I feel
I have done due diligence; but I still have some concerns with the transition.
Workflow has been discussed before, but I suspect it hasn't been fleshed out
because the switch from editing schema and ACLs in flat files to LDAP entries
reduces readability. I have no problem using cn=config for most configuration
attributes, but it gets a lot less user friendly when the value is, what used
to be in slapd.conf, a multi-line string. But I could just be missing something.
Your help is appreciated.
Attached are some screenshots of editing ACLs and a custom schema via 3 methods:
1. cn=config via ldap client (i.e. apache directory studio)
2. cn=config via ldif
3. old style slapd.conf
Look at the pictures and pick which method you'd like to use to edit
ACLs or a schema:
http://snl.salk.edu/~chiestand/openldap/ACLs-via-ldap.png
http://snl.salk.edu/~chiestand/openldap/ACLs-via-ldif.png
http://snl.salk.edu/~chiestand/openldap/ACLs-via-slapd.conf.png
http://snl.salk.edu/~chiestand/openldap/schema-via-ldap.png
http://snl.salk.edu/~chiestand/openldap/schema-via-ldif.png
http://snl.salk.edu/~chiestand/openldap/schema-via-slapd.conf.png
I think the choice is clearly old style slapd.conf. Otherwise you miss
comments and ordering (until Howard Chu's X-ORDERED ldap extension is implemented),
and unlimited whitespace to substantially improve readability.
The LDIF files are a mess because of the way words are split unpredictably by new
lines. You can't use a simple search and replace with any hope of it working.
Readability would be vastly improved with new lines before keywords (e.g. to, filter, attrs ...)
but I don't think it's possible to have ldapsearch output this way.
Editing via an ldap client is easy if you're just editing an
attribute here and there, but because of the interacting nature of ACLs and schema
elements, poor readability (no newlines) makes editing via an ldap client more difficult
(a gui with smart sorting and syntax highlighting could make it better).
Am I just missing workflow techniques or key concepts that improve readability?
Or is your advice to just suck it up and get used to it?
Part 2: Deleting entries in cn=config
Quanah Gibson-Mount has said entry deletes are coming in 2.5, is that still
the plan? The Roadmap page isn't specific.
What about whole schema deletes? From a sysadmin perspective, I should be able
to add, modify, or delete anything from the configuration. For QA reasons, you
want to have the exact configuration you want; not the configuration you
want plus legacy boogers.
I understand if this isn't trivial to achieve from the developer perspective.
Granted I don't have the whole picture here, but I'd argue that it's worth it.
Lastly, I thank everyone who contributes to OpenLDAP.
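One workflow for the readability problem described above, as an added example (not from the post or the OpenLDAP project): take a single-line olcAccess value as an LDAP client shows it, expand it into the one-clause-per-line layout of slapd.conf for review and editing, then collapse the edited text (comments and whitespace stripped) back into one value for ldapmodify. The tokenizer keeps double-quoted spans intact so DNs and filters containing spaces do not split; the sample ACL is constructed.

```python
import re

# A token is a run of non-space text in which double-quoted spans may contain
# spaces, so dn.subtree="ou=people,dc=example,dc=com" and filter="(...)" stay whole.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
INDEX_RE = re.compile(r"\{(\d+)\}(.*)", re.S)


def split_olc_access(value):
    """Return (x_ordered_index, [clauses]) for one olcAccess value."""
    m = INDEX_RE.match(value)
    index, body = (int(m.group(1)), m.group(2)) if m else (None, value)
    clauses, current = [], []
    for tok in TOKEN_RE.findall(body):
        # a new clause starts at each "by", "filter=" or "attrs=" keyword
        if current and (tok == "by" or tok.startswith(("filter=", "attrs="))):
            clauses.append(" ".join(current))
            current = []
        current.append(tok)
    if current:
        clauses.append(" ".join(current))
    return index, clauses


def expand_olc_access(value, indent="    "):
    """slapd.conf-style layout: one clause per line, X-ORDERED index kept as a comment."""
    index, clauses = split_olc_access(value)
    head = "" if index is None else f"# olcAccess {{{index}}}\n"
    return head + clauses[0] + "".join("\n" + indent + c for c in clauses[1:])


def collapse_olc_access(text):
    """Inverse of expand: drop comments and blank lines, rejoin into one LDIF value."""
    index, parts = None, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"#\s*olcAccess\s*\{(\d+)\}", line)
        if m:
            index = int(m.group(1))
        elif line and not line.startswith("#"):
            parts.append(line)
    value = " ".join(parts)
    return value if index is None else f"{{{index}}}{value}"


# Constructed sample value, as an LDAP client would display it (one line, no breaks).
SAMPLE = ('{1}to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=sales)" '
          'attrs="userPassword,mail" '
          'by group.exact="cn=salesAdmins,ou=Groups,dc=example,dc=com" write '
          'by self read by * none')
```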
11 years, 6 months
OLC version of plugin directive
by Joseph L. Casale
I am trying to adapt a plugin preoperation|postoperation setup from an older slapd.conf
to my current OLC based config. I can not seem to find any applicable olc based directives
that accomplish the same, anyone have a pointer?
Thanks!
jlc
11 years, 6 months
SSL client cert authc problems with OpenLDAP client and OpenDJ server
by Michael Ströder
Hi!
(cross-posted since OpenLDAP and OpenDJ are involved)
I have some SSL client cert authc problems with an OpenLDAP 2.4.23 LDAP client
(dynamically linked to OpenSSL 0.9.8e on RHEL 5.6) and OpenDJ 2.4.5 running
under control of Java 1.6.0_31. I cross-checked all the cert and trust stuff
several times. It seems to be correct. Unfortunately we're stuck with 2.4.23
in this setup because of OpenLDAP's ITS#6997.
(I manually obfuscated parameters and log lines herein.)
At first glance OpenLDAP's ldapwhoami seems to work correctly with the first
OpenDJ replica:
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://master1.example.com -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: cn=ldapclient,o=example,c=DE
SASL SSF: 0
dn:cn=ldapclient,ou=Users,cn=example
But in OpenDJ's access-log file there's written:
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND REQ conn=15 op=0 msgID=1 type=SASL mechanism=EXTERNAL dn=""
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] EXTENDED REQ conn=15 op=1 msgID=2 name="Who Am I?" oid="1.3.6.1.4.1.4203.1.11.3"
[18/May/2012:16:52:00 +0200] EXTENDED RES conn=15 op=1 msgID=2 result=0 additionalInfo="authzID="dn:cn=ldapclient,ou=Users,cn=example"" etime=1
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
The attempt to do the same on another OpenDJ replica fails completely (no
differences in TLS configuration - checked cn=config for potential differences
with diff):
$ LDAPTLS_CERT=ldap-client.crt LDAPTLS_KEY=client.key ldapwhoami -H ldaps://consumer1.example.com -Y EXTERNAL
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
In OpenDJ's access-log file there's written:
[18/May/2012:16:52:38 +0200] CONNECT conn=6 from=x.x.x.x:61841 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
[18/May/2012:16:53:06 +0200] CONNECT conn=7 from=x.x.x.x:61842 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:53:07 +0200] DISCONNECT conn=7 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
Any clue what's going on here?
Ciao, Michael.
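The two replicas show different failure shapes in the OpenDJ access log: on the first the client authenticates and completes Who Am I? before the server logs the missing close_notify, on the second the TLS handshake itself never completes. The following is an added triage script, not from the post or from OpenDJ: it groups access-log records by conn id and classifies each connection so the two patterns can be told apart across a large log; the sample records are constructed to match the format quoted above.

```python
import re
from collections import defaultdict

RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<op>CONNECT|DISCONNECT|BIND REQ|BIND RES|"
    r"EXTENDED REQ|EXTENDED RES)\s+conn=(?P<conn>\d+)(?P<rest>.*)$")
# msg is the last field, so a greedy match to the final quote tolerates apostrophes in it
FIELD_RES = {"result": r"result=(\d+)", "reason": r'reason="([^"]*)"',
             "authDN": r'authDN="([^"]*)"', "msg": r'msg="(.*)"'}


def parse_record(line):
    """Return {ts, op, conn[, result, reason, authDN, msg]} or None for other lines."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["conn"] = int(rec["conn"])
    for key, pat in FIELD_RES.items():
        f = re.search(pat, rest)
        if f:
            rec[key] = f.group(1)
    return rec


def triage(lines):
    """conn id -> handshake-failed | truncated-after-auth | authenticated | no-auth."""
    conns = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            conns[rec["conn"]].append(rec)
    verdicts = {}
    for conn, recs in conns.items():
        authenticated = any(r["op"] == "BIND RES" and r.get("result") == "0" for r in recs)
        msg = " ".join(r.get("msg", "") for r in recs if r["op"] == "DISCONNECT")
        if "SSLHandshakeException" in msg:
            verdicts[conn] = "handshake-failed"      # TLS never came up (second replica)
        elif "close_notify" in msg and authenticated:
            verdicts[conn] = "truncated-after-auth"  # bind worked, client closed abruptly
        else:
            verdicts[conn] = "authenticated" if authenticated else "no-auth"
    return verdicts


# Constructed sample modelled on the records quoted above (addresses obfuscated).
SAMPLE_LOG = """\
[18/May/2012:16:52:00 +0200] CONNECT conn=15 from=x.x.x.x:33358 to=x.x.x.x:63677 protocol=LDAPS
[18/May/2012:16:52:00 +0200] BIND RES conn=15 op=0 msgID=1 result=0 authDN="cn=ldapclient,o=example,c=DE" etime=0
[18/May/2012:16:52:00 +0200] DISCONNECT conn=15 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?"
[18/May/2012:16:52:38 +0200] DISCONNECT conn=6 reason="Protocol Error" msg="The client sent a request to the Directory Server that could not be properly decoded as an LDAP message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem"
""".splitlines()
```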
11 years, 6 months
slapadd -S defaulting to 0
by Mark
Why does the '-S' option on slapadd default to 0 instead of the
(olc)ServerID value currently being used? (according to the manpage)
Thank you,
Mark
11 years, 6 months
ACL syntax with wildcards
by Nick Milas
Hi,
We would like to use ACL statements of the form (used for illustration
purposes):
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=xxxxx)" attrs="someAttrs"
by group.exact="cn=xxxxxAdmins,ou=Groups,dc=example,dc=com" write
by group.exact="cn=allAdmins,ou=Groups,dc=example,dc=com" read
by self read
where xxxxx is some string.
In essence, we assign people entries to various administrative groups,
depending on the value of the ou attribute of the entry.
Of course we can write many statements, one per ou value / admin group,
but it would be much more concise to use just one statement using wildcards.
Could someone please suggest if and how the above can be written
correctly, using e.g. regex?
I appreciate any suggestions.
Thanks,
Nick
11 years, 6 months