2-node MMR w/ delta-syncrepl setup, out of sync, best way to resync?
by Brandon Hume
I have a new MMR setup, "kil-ds-3" and "kil-ds-4". It turns out that I
was missing syncprov on the cn=accesslog tree, which the guys on IRC
helped me out with correcting (thanks again, JoBbZ!). But even though I
corrected that, and syncrepl is working great now, kil-ds-4 is not
discovering and replicating the ~15k changes made on kil-ds-3 while
syncing was broken, even when restarting the server.
Howard pointed me at the -c command line argument for slapd, and I've
given it a try with "slapd -c rid=002", as well as "slapd -c
rid=002,sin=2,csn=0", and neither one causes the server to do a full
resync, although the manpage says "-c rid=002" should be sufficient. Do
the rules for that change in a mirrormode setup? Is the only real fix
an "/etc/init.d/ldapd stop && rm -f ${DBDIR}/* && /etc/init.d/ldapd start"?
*Somewhat* related to that... we have an "updater" process that runs
through the directory and changes departmental affiliations,
organizational affiliations, entitlements, and so on. Most of the time
only a few dozen records get touched, but of course about three times a
year new students come in, more graduate, and so on... and on those
landmark days I might see tens of thousands of entries getting updated
in about 30 minutes.
With that kind of situation, what kind of value should I keep for
olcSpSessionLog (syncprov-sessionlog)? If, for example, I had one side
of the mirror down during this update process, would I lose any
replication or performance if the sessionlog overflowed (olcSpSessionLog
= 10000, and 25k changes are made)? I'm assuming the recovering node
would simply fall back to a "present phase" synchronization and
syncing'll just take a bit longer, and even then that will only happen
if > 10k entries are *deleted* as opposed to modified. Am I
understanding the process correctly?
11 years, 6 months
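A check that goes with the resync question above, as an added example that is not part of the original post: compare the contextCSN values the two providers hold. In a mirrormode/MMR setup each provider keeps one contextCSN per serverID (SID), and CSNs for the same SID are fixed-width strings that sort in change order, so the node whose CSN for a SID is smaller has not yet applied everything that originated on that SID. The serverIDs 1 and 2, the suffix dc=example,dc=com and the CSN values below are constructed to match the two-node setup; the real values come from `ldapsearch -x -H ldap://<host> -b <suffix> -s base contextCSN` on each node.

```python
"""Compare the contextCSN values of two syncrepl providers.

Added example, not code from the thread. Each provider keeps one
contextCSN per serverID (SID); for a given SID the CSN sorts lexically in
change order, so the node holding the smaller CSN is behind for that SID.
"""
import re

# timestamp#change-count#serverID#modifier-count, every field fixed width
CSN_RE = re.compile(
    r"^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")

# Constructed output of
#   ldapsearch -x -H ldap://kil-ds-3 -b dc=example,dc=com -s base contextCSN
# on each node; SIDs 1 and 2 are assumed for kil-ds-3 and kil-ds-4.
DS3_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20120504133157.956217Z#000000#001#000000
contextCSN: 20120504120000.000000Z#000000#002#000000
"""
DS4_LDIF = """\
dn: dc=example,dc=com
contextCSN: 20120503090000.000000Z#000000#001#000000
contextCSN: 20120504120000.000000Z#000000#002#000000
"""


def parse_csn(value):
    """Split a CSN into (timestamp, change count, serverID, modifier count)."""
    m = CSN_RE.match(value.strip())
    if not m:
        raise ValueError("malformed CSN: %r" % value)
    ts, count, sid, mod = m.groups()
    return ts, int(count, 16), int(sid, 16), int(mod, 16)


def context_csns(ldif_text):
    """Map serverID -> contextCSN from the LDIF that ldapsearch prints."""
    csns = {}
    for line in ldif_text.splitlines():
        if line.startswith("contextCSN:"):
            csn = line.split(":", 1)[1].strip()
            csns[parse_csn(csn)[2]] = csn
    return csns


def compare(name_a, ldif_a, name_b, ldif_b):
    """Return {serverID: verdict} for the two nodes' contextCSN sets."""
    a, b = context_csns(ldif_a), context_csns(ldif_b)
    verdict = {}
    for sid in sorted(set(a) | set(b)):
        ca, cb = a.get(sid), b.get(sid)
        if ca is None:
            verdict[sid] = "missing on %s" % name_a
        elif cb is None:
            verdict[sid] = "missing on %s" % name_b
        elif ca == cb:
            verdict[sid] = "in sync"
        elif ca < cb:  # lexical order is change order for one SID
            verdict[sid] = "%s is behind" % name_a
        else:
            verdict[sid] = "%s is behind" % name_b
    return verdict


if __name__ == "__main__":
    for sid, v in compare("kil-ds-3", DS3_LDIF, "kil-ds-4", DS4_LDIF).items():
        print("SID %03d: %s" % (sid, v))
```

If the verdict for the SID of the node that stayed up still says the other node is behind after a restart, the consumer side of that node has not refreshed from the point the cookie claims, which is the situation the -c experiments above are trying to force.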
RE: openldap to AD proxy
by Alex Samad - Yieldbroker
Still haven't been able to get this working. And can't find any way to turn on any debugging for ldap backend.
If anyone has done this if they could provide some feed back.
A
-----Original Message-----
From: Alex Samad - Yieldbroker
Sent: Friday, 4 May 2012 2:32 PM
To: 'openldap-technical(a)openldap.org'
Subject: openldap to AD proxy
Hi
I am still struggling with the my openldap to AD proxy connection.
I have successfully connected such that I can do a search when I bind to openldap with an AD dn, but I want to be able to do anon search and I want anon to map through to a dn I have created in AD which has read only rights.
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * read
olcReadOnly: TRUE
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcSizeLimit: 500
olcSuffix: dc=xyz,dc=com
olcDburi: "ldap://ldap. xyz.com "
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcdbaclbind: bindmethod=simple binddn="CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" credentials=":)" starttls=no
olcDbIDAssertBind: bindmethod=none binddn="CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" credentials=":)" starttls=no
I have a subordinate db at ou=external, DC= xyz,DC=com
I can do a
ldapsearch -x -D " CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" -b " DC= xyz,DC=com" -w :)
what I can't do is
ldapsearch -x -b " DC= xyz,DC=com"
I am thinking I want to map anon requests through to the readonly DN, but still leave it such that when people bind to openldap as themselves they bind to AD as themselves. How would I do that?
Thanks
Alex
11 years, 6 months
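An added example for the anonymous case, not from the thread: the cn=config change I would try, based on how slapd-ldap(5) describes identity assertion. The quoted olcDbIDAssertBind uses bindmethod=none, so for an anonymous client the proxy binds to AD anonymously, which AD does not allow by default. With bindmethod=simple and mode=none the proxy binds to AD as the readonly account and sends no proxyAuthz control (AD would reject one); without flags=override, assertion is not applied to connections this database authenticated itself, so users who bind through the proxy keep binding to AD as themselves via olcDbRebindAsUser. The account DN and the password are placeholders, and "dn:*" as the olcDbIDAssertAuthzFrom pattern meaning "every local identity, anonymous included" is an assumption to verify with ldapsearch -x against the proxy.

```ldif
# Added example, not the poster's config. Placeholder DN and password;
# the password lands in cn=config, so keep cn=config readable only by its admin DN.
dn: olcDatabase={3}ldap,cn=config
changetype: modify
replace: olcDbIDAssertBind
olcDbIDAssertBind: bindmethod=simple
  binddn="CN=ad readonly,OU=YB Services,OU=xyz,DC=xyz,DC=com"
  credentials="changeme"
  mode=none
  flags=non-prescriptive
  starttls=no
-
replace: olcDbIDAssertAuthzFrom
olcDbIDAssertAuthzFrom: dn:*
```

Apply it with ldapmodify against cn=config, then confirm that `ldapsearch -x -b "DC=xyz,DC=com"` returns entries while a bind with a real AD DN still fails on a wrong password (which shows the user bind is still proxied as that user rather than replaced by the readonly account).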
Re: slapadd hanging initializing mdb backend
by Mark
On Wed, May 2, 2012 at 3:37 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Monday, April 30, 2012 10:37 AM -0500 Mark <mah042(a)gmail.com> wrote:
>
> When I try to slapadd initial data into an empty mdb backend, the slapadd
>> hangs:
>>
>> $ /tmp/openldap-2.4.31/sbin/slapadd -w -S 1 -c -F
>> /tmp/openldap-2.4.31/etc/slapd.d -b dc=example,dc=com -l
>> /tmp/openldap-2.4.31/etc/initdb.ldif
>> _#################### 100.00% eta none elapsed
>> none fast!
>> (does not return to a shell prompt. I have to INT it.)
>>
>
> Caused by using -w, ITS#7225, currently fixed in git master.
>
Did you mean ITS#7255 ?
11 years, 6 months
Lock table is out of available locks
by Marc Patermann
Hi,
while extending an object by adding a lot of maildrop values, slapd
refused to MOD with err 80:
May 4 15:31:57 rzhs720 slapd[27004]: conn=1007 op=3 MOD
dn="ou=infogroup,ou=foo"
May 4 15:31:57 rzhs720 slapd[27004]: conn=1007 op=3 MOD
attr=objectClass ou cn mail member maildrop
May 4 15:31:57 rzhs720 slapd[27004]: slap_queue_csn: queing
0x7fd30c0c20f0 20120504133157.956217Z#000000#000#000000
May 4 15:31:57 rzhs720 slapd[27004]: bdb(ou=foo): Lock table is out of
available locks
May 4 15:31:57 rzhs720 slapd[27004]: => bdb_idl_insert_key: c_put id
failed: Cannot allocate memory (12)
May 4 15:31:57 rzhs720 slapd[27004]: conn=1007 op=3: attribute
"maildrop" index add failure
Adding the object with less maildrop entries is not a problem.
# db_stat -c -h /var/lib/ldap/main-data/
1834 Last allocated locker ID
0x7fffffff Current maximum unused locker ID
9 Number of lock modes
1000 Maximum number of locks possible
1000 Maximum number of lockers possible
1000 Maximum number of lock objects possible
7 Number of current locks
1000 Maximum number of locks at any one time
131 Number of current lockers
196 Maximum number of lockers at any one time
8 Number of current lock objects
611 Maximum number of lock objects at any one time
447M Total number of locks requested (447627426)
447M Total number of locks released (447627285)
0 Total number of locks upgraded
550 Total number of locks downgraded
17M Lock requests not available due to conflicts, for which we
waited (17614104)
0 Lock requests not available due to conflicts, for which we did
not wait
0 Number of deadlocks
0 Lock timeout value
0 Number of locks that have timed out
0 Transaction timeout value
0 Number of transactions that have timed out
544KB The size of the lock region
70M The number of region locks that required waiting (9%)
-rw------- 1 ldap ldap 14M May 4 16:16 mail.bdb
-rw------- 1 ldap ldap 9.0M May 4 16:16 maildrop.bdb
# db_stat -m
2GB Total cache size
1 Number of caches
2GB Pool individual cache size
0 Maximum memory-mapped file size
0 Maximum open file descriptors
0 Maximum sequential buffer writes
0 Sleep after writing maximum sequential buffers
0 Requested pages mapped into the process' address space
511M Requested pages found in the cache (99%)
40787 Requested pages not found in the cache
14 Pages created in the cache
40787 Pages read into the cache
20862 Pages written from the cache to the backing file
0 Clean pages forced from the cache
0 Dirty pages forced from the cache
0 Dirty pages written by trickle-sync thread
40801 Current total page count
40801 Current clean page count
0 Current dirty page count
262147 Number of hash buckets used for page location
510M Total number of times hash chains searched for a page (510897500)
2 The longest hash chain searched for a page
564M Total number of hash chain entries checked for page (564617346)
1375049 The number of hash bucket locks that required waiting (0%)
364335 The maximum number of times any hash bucket lock was waited for (0%)
7486 The number of region locks that required waiting (12%)
0 The number of buffers frozen
0 The number of buffers thawed
0 The number of frozen buffers freed
49931 The number of page allocations
0 The number of hash buckets examined during allocations
0 The maximum number of hash buckets examined for an allocation
0 The number of pages examined during allocations
0 The max number of pages examined for an allocation
18790 Threads waited on page I/O
Pool File: ou.bdb
4096 Page size
0 Requested pages mapped into the process' address space
8568 Requested pages found in the cache (99%)
30 Requested pages not found in the cache
0 Pages created in the cache
30 Pages read into the cache
579 Pages written from the cache to the backing file
Pool File: givenName.bdb
4096 Page size
0 Requested pages mapped into the process' address space
9744 Requested pages found in the cache (92%)
811 Requested pages not found in the cache
0 Pages created in the cache
811 Pages read into the cache
508 Pages written from the cache to the backing file
Pool File: mail.bdb
4096 Page size
0 Requested pages mapped into the process' address space
82597 Requested pages found in the cache (96%)
2802 Requested pages not found in the cache
1 Pages created in the cache
2802 Pages read into the cache
3687 Pages written from the cache to the backing file
Pool File: uidNumber.bdb
4096 Page size
0 Requested pages mapped into the process' address space
911 Requested pages found in the cache (93%)
63 Requested pages not found in the cache
0 Pages created in the cache
63 Pages read into the cache
134 Pages written from the cache to the backing file
Pool File: relativeDomainName.bdb
4096 Page size
0 Requested pages mapped into the process' address space
31932 Requested pages found in the cache (98%)
605 Requested pages not found in the cache
0 Pages created in the cache
605 Pages read into the cache
1890 Pages written from the cache to the backing file
Pool File: cn.bdb
4096 Page size
0 Requested pages mapped into the process' address space
51546 Requested pages found in the cache (95%)
2683 Requested pages not found in the cache
2 Pages created in the cache
2683 Pages read into the cache
3198 Pages written from the cache to the backing file
Pool File: maildrop.bdb
4096 Page size
0 Requested pages mapped into the process' address space
3908380 Requested pages found in the cache (99%)
2291 Requested pages not found in the cache
0 Pages created in the cache
2291 Pages read into the cache
3938 Pages written from the cache to the backing file
Pool File: gidNumber.bdb
4096 Page size
0 Requested pages mapped into the process' address space
1097 Requested pages found in the cache (92%)
89 Requested pages not found in the cache
0 Pages created in the cache
89 Pages read into the cache
172 Pages written from the cache to the backing file
Pool File: version.bdb
4096 Page size
0 Requested pages mapped into the process' address space
1744 Requested pages found in the cache (97%)
41 Requested pages not found in the cache
0 Pages created in the cache
41 Pages read into the cache
76 Pages written from the cache to the backing file
Pool File: zoneName.bdb
4096 Page size
0 Requested pages mapped into the process' address space
3370 Requested pages found in the cache (99%)
30 Requested pages not found in the cache
0 Pages created in the cache
30 Pages read into the cache
131 Pages written from the cache to the backing file
Pool File: entryCSN.bdb
4096 Page size
0 Requested pages mapped into the process' address space
83520 Requested pages found in the cache (99%)
306 Requested pages not found in the cache
0 Pages created in the cache
306 Pages read into the cache
1015 Pages written from the cache to the backing file
Pool File: sn.bdb
4096 Page size
0 Requested pages mapped into the process' address space
10019 Requested pages found in the cache (92%)
765 Requested pages not found in the cache
0 Pages created in the cache
765 Pages read into the cache
643 Pages written from the cache to the backing file
Pool File: objectClass.bdb
4096 Page size
0 Requested pages mapped into the process' address space
115341 Requested pages found in the cache (99%)
321 Requested pages not found in the cache
0 Pages created in the cache
321 Pages read into the cache
826 Pages written from the cache to the backing file
Pool File: uid.bdb
4096 Page size
0 Requested pages mapped into the process' address space
2273 Requested pages found in the cache (91%)
216 Requested pages not found in the cache
0 Pages created in the cache
216 Pages read into the cache
171 Pages written from the cache to the backing file
Pool File: id2entry.bdb
16384 Page size
0 Requested pages mapped into the process' address space
499M Requested pages found in the cache (99%)
17796 Requested pages not found in the cache
11 Pages created in the cache
17796 Pages read into the cache
1463 Pages written from the cache to the backing file
Pool File: entryUUID.bdb
4096 Page size
0 Requested pages mapped into the process' address space
2183 Requested pages found in the cache (87%)
317 Requested pages not found in the cache
0 Pages created in the cache
317 Pages read into the cache
415 Pages written from the cache to the backing file
Pool File: dn2id.bdb
4096 Page size
0 Requested pages mapped into the process' address space
7462379 Requested pages found in the cache (99%)
11621 Requested pages not found in the cache
0 Pages created in the cache
11621 Pages read into the cache
2016 Pages written from the cache to the backing file
# ps -eLf | grep slapd | wc -l
19
Can anyone tell me what happens here and what to do about it?
Marc
11 years, 6 months
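An added example for the db_stat output above (not code from the thread): the lock section already answers the "what happens" part. "Maximum number of locks possible" is the limit of the environment (Berkeley DB defaults to 1000 locks, lockers and lock objects), and "Maximum number of locks at any one time" is the high-water mark; when the two are equal the environment has run out of locks at least once, which is what "Lock table is out of available locks" reports. A single MOD runs as one transaction, so every index page it touches (here the maildrop index) holds a lock until commit. The parser below reads that section and prints DB_CONFIG lines for the saturated limits; the sample is the lock section quoted in the post, and the tenfold increase is an assumed starting point, not a tuned value.

```python
"""Check the lock section of `db_stat -c` for saturation and suggest DB_CONFIG.

Added example, not from the thread. Parses the "Maximum number of ...
possible" (limit) and "... at any one time" (high-water mark) lines and
emits the Berkeley DB directives that raise the exhausted limits.
"""
import re

# Lock section of `db_stat -c -h /var/lib/ldap/main-data/` as quoted in the post.
DB_STAT_C = """\
1834 Last allocated locker ID
0x7fffffff Current maximum unused locker ID
9 Number of lock modes
1000 Maximum number of locks possible
1000 Maximum number of lockers possible
1000 Maximum number of lock objects possible
7 Number of current locks
1000 Maximum number of locks at any one time
131 Number of current lockers
196 Maximum number of lockers at any one time
8 Number of current lock objects
611 Maximum number of lock objects at any one time
"""

LINE_RE = re.compile(
    r"^(\d+)\s+Maximum number of (locks|lockers|lock objects) "
    r"(possible|at any one time)$")

# Resource -> DB_CONFIG directive that raises its limit
DIRECTIVE = {
    "locks": "set_lk_max_locks",
    "lockers": "set_lk_max_lockers",
    "lock objects": "set_lk_max_objects",
}


def lock_headroom(stat_text):
    """Return {resource: (limit, high-water mark)} parsed from db_stat -c output."""
    limits, peaks = {}, {}
    for line in stat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value, resource, kind = int(m.group(1)), m.group(2), m.group(3)
        (limits if kind == "possible" else peaks)[resource] = value
    return {r: (limits[r], peaks.get(r, 0)) for r in limits}


def saturated(stat_text):
    """Resources whose high-water mark reached the configured limit."""
    return [r for r, (limit, peak) in lock_headroom(stat_text).items()
            if peak >= limit]


def suggest_db_config(stat_text, factor=10):
    """DB_CONFIG lines raising each saturated limit by `factor` (assumed multiplier).

    The new values only take effect in a re-created environment, i.e. after
    slapd has been stopped and started against the changed DB_CONFIG.
    """
    headroom = lock_headroom(stat_text)
    return ["%s %d" % (DIRECTIVE[r], headroom[r][0] * factor)
            for r in saturated(stat_text)]


if __name__ == "__main__":
    for r, (limit, peak) in lock_headroom(DB_STAT_C).items():
        print("%-13s limit %5d  peak %5d" % (r, limit, peak))
    print("\n".join(suggest_db_config(DB_STAT_C)) or "no saturated lock resources")
```

Re-run `db_stat -c` after the change and a repeat of the large MOD; if the peak for locks climbs to the new limit again, the modification needs more locks than the factor allowed, and the limit (or the size of the MOD) has to move further.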
RE: pwdPolicySubentry & replication user
by Michael Starling
I also have no issues if I run syncrepl with a provider and consumer. Only mirror mode. Perhaps I'll try downgrading openLDAP.
Thanks.
Mike
Date: Tue, 8 May 2012 16:54:25 -0400
From: brooksct(a)hbcs.org
To: mlstarling31(a)hotmail.com
CC: openldap-technical(a)openldap.org
Subject: RE: pwdPolicySubentry & replication user
I run that version without issues, but my infrastructure is still using good old reliable low-bandwidth slurpd, which is no longer supported.
I don’t think syncrepl is sufficiently reliable yet, although others disagree.
--Charlie
From: Michael Starling [mailto:mlstarling31@hotmail.com]
Sent: 2012 May 08 4:20 PM
To: quanah(a)zimbra.com
Cc: openldap
Subject: RE: pwdPolicySubentry & replication user
Re: Take the issue to Redhat
Easier said than done.
The policy is what it is but I didn't think it would do any harm to see if anyone has run into this issue.
> Date: Tue, 8 May 2012 12:22:58 -0700
> From: quanah(a)zimbra.com
> To: mlstarling31(a)hotmail.com
> CC: openldap-technical(a)openldap.org
> Subject: RE: pwdPolicySubentry & replication user
>
> --On Tuesday, May 08, 2012 3:07 PM -0400 Michael Starling
> <mlstarling31(a)hotmail.com> wrote:
>
> >
> > Unfortunately I have no choice as this is the latest available in the
> > RHEL tree and my company won't allow us to deviate and compile.
>
> Then you will need to take issues to RedHat since your company has an
> utterly broken policy.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
11 years, 6 months
Questions about getting membership of a user
by ctosgh
Hi,All
With openldap 2.4.x, which supports the memberOf overlay, I can get group info with only one search with the following configs.
<1>
[root@/jacky/var]$cat user.ldif
dn: cn=jacky,ou=users,dc=jacky,dc=com
objectClass: organizationalPerson
cn: jacky
sn: sun
userPassword: 11111111
[root@/jacky/var]$cat JackyGroup.ldif
dn: cn=JackyGroup,ou=groups,dc=jacky,dc=com
objectClass: groupOfNames
cn: JackyGroup
member: cn=jacky,ou=users,dc=jacky,dc=com
<2>
memberOf overlay is configured correctly
<3>
[root@/jacky/var]$ldapsearch -x -D "cn=root,dc=jacky,dc=com" -b "dc=jacky,dc=com" -H "ldap://x.x.x.x:389" -w xxx -s sub "(cn=jacky)" memberOf
# extended LDIF
#
# LDAPv3
# base <dc=jacky,dc=com> with scope subtree
# filter: (cn=jacky)
# requesting: memberOf
#
# jacky, users, jacky.com
dn: cn=jacky,ou=users,dc=jacky,dc=com
memberOf: cn=JackyGroup,ou=groups,dc=jacky,dc=com [This is what I want]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
My questions are here:
A1: With openldap 2.4.x, if posixAccount is used to manage users, then attribute 'gidNumber' which is a number will represent user's membership.
With this case, is it possible that I can get group info(DN format as above) of a user entry by ONLY one search?
A2: With older openldap which does NOT support the memberOf overlay:
<1> If organizationalPerson is used to manage users, is it possible that I can get group info(DN format) of a user entry by ONLY one search?
<2> If posixAccount is used to manage users, is it possible that I can get group info(DN format) of a user entry by ONLY one search?
Any reply is appreciated~TIA
Thanks,
Jacky
11 years, 6 months
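An added example for the questions above (not code from the thread): without the memberOf overlay the server does not store membership on the user entry, so the groups have to be found from the group side with one search over the groups, filtered on member=<user DN> for groupOfNames or on gidNumber/memberUid for posixGroup. The filter values come from the user, so the example escapes them per RFC 4515 before they go into the filter; a uid like `jacky)(objectClass=*` would otherwise rewrite the query. The user DN, uid and gidNumber values and the ldapsearch output parsed by group_dns() are constructed; the real search is `ldapsearch -x -b ou=groups,dc=jacky,dc=com "<filter>" dn`.

```python
"""Find a user's groups from the group side when memberOf is not available.

Added example, not from the thread. Builds escaped search filters for
groupOfNames and posixGroup membership and pulls the group DNs out of
ldapsearch's LDIF output.
"""
import base64


def ldap_filter_escape(value):
    """Escape a value for an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\', NUL and every non-ASCII byte become \\XX, so a
    value under the caller's control cannot change the filter structure.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\" or b == 0 or b > 0x7F:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def groupofnames_filter(user_dn):
    """Filter for groupOfNames entries listing user_dn as a member."""
    return "(&(objectClass=groupOfNames)(member=%s))" % ldap_filter_escape(user_dn)


def posix_group_filter(uid, gid_number):
    """Filter for the user's primary group (gidNumber) plus every posixGroup
    that lists the uid in memberUid; one search covers both."""
    return "(&(objectClass=posixGroup)(|(gidNumber=%d)(memberUid=%s)))" % (
        int(gid_number), ldap_filter_escape(uid))


def group_dns(ldif_text):
    """Collect the dn: values from ldapsearch LDIF output (dn:: is base64)."""
    dns = []
    for line in ldif_text.splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns


# Constructed ldapsearch output for the groupOfNames filter below.
GROUP_SEARCH_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=jacky,dc=com> with scope subtree
# filter: (&(objectClass=groupOfNames)(member=cn=jacky,ou=users,dc=jacky,dc=com))
# requesting: dn
#

# JackyGroup, groups, jacky.com
dn: cn=JackyGroup,ou=groups,dc=jacky,dc=com

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    print(groupofnames_filter("cn=jacky,ou=users,dc=jacky,dc=com"))
    print(posix_group_filter("jacky", 1001))     # constructed uid/gidNumber
    print(posix_group_filter("jacky)(objectClass=*", 1001))  # stays one filter
    print(group_dns(GROUP_SEARCH_LDIF))
```

For posixAccount users this is still one search, but the result is a set of group entries rather than a memberOf list on the user; the gidNumber term is what turns the primary group number into a DN.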
pwdPolicySubentry & replication user
by Michael Starling
Consider the following password policy entry to disable password expiration.
dn: cn=noexpire,ou=policies,dc=umlott,dc=lott
cn: noexpire
objectClass: pwdPolicy
objectClass: person
objectClass: top
sn: Password Policy
pwdAttribute: UserPassword
pwdMaxAge: 0
pwdLockout: FALSE
description: Non-Expiring password policy for service accounts.
===============================================
The following LDIF attaches this policy to the 3 users below:
dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
dn: cn=bind,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
dn: cn=replicator,ou=Service,dc=umlott,dc=lott
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott
This all works well and good when setting up my first LDAP server, however when I set up another LDAP server in mirror mode to the first server the pwdPolicySubentry attribute doesn't carry over to the second node and I start to see this in the slapd logs:
ppolicy_bind: Setting warning for password expiry for cn=replicator,ou=service,dc=umlott,dc=lott = 0 seconds
What's interesting is that the other two accounts that have the noexpire policy attached carry over the pwdPolicySubentry attribute just fine to the second node.
Any insight would be greatly appreciated.
Mike
11 years, 6 months
Memory consumption when increasing BDB_IDL_LOGN
by Meike Stone
Hello,
how does the memory usage increase if I increase the BDB_IDL_LOGN?
I tried to discover and understand this by searching in the mailing
list (Is there is a good guide to understand all of this?).
After a search, each ID returned from bdb is located in one slot in
the IDL list. On an x86_64 system, each slot is 8 bytes. Each search
stack in each thread (threads in slapd.conf) gets its own IDL slots.
The default value for threads is 16.
With 16 bit BDB_IDL_LOGN (default) on x86_64 with default threads, we
need 64k*8*16 = 1024KB memory?
If I increase the BDB_IDL_LOGN to 20 we need 512k*8*16 = 8MB?
1) Are my assumptions above correct?
2) How do I increase LDAP_PVT_THREAD_STACK_SIZE? In my tests I used
"4 * 1024 * 1024 * sizeof(void *)" and all tests were running well.
3) Are there other variables to increase before compiling?
4) Here we talk about 8MB memory, did I miss something, that is not
the problem today or are there other things I did not catch (other
caches in memory e.g. cachesize, dncachesize, idlcachesize or shared
memory ...)?
5) What is the amount overall I have to expect for memory consumption?
I understand that after adding and deleting entries, the IDs "sparse
out" for one index and we lose precision (if we have more IDs after a
search than BDB_IDL_LOGN), because ranges are used. This problem will
get worse as the database becomes older.
But if I increase BDB_IDL_LOGN to the size I need (the maximum number
of IDs I expect returned during a search on an indexed attribute), the
problem with "getting older" is not important for me?
Thanks a lot,
Meike
11 years, 6 months
Cached user info?
by Braden McDaniel
I found it necessary to change the GID of a POSIX group defined in LDAP.
But when I log in with a user that is a member of this group, I find
that the user's group membership still reflects the old GID.
At this point, I've tried removing the user from the group, and adding
it back--it still comes up with the old GID when logged in (or,
specifically, typing "groups" at the command prompt lists a group
associated with the old GID), even though I can't see *anything*
referencing the old GID in the LDAP database.
I am stumped. Anyone have ideas about what might be going on here?
--
Braden McDaniel <braden(a)endoframe.com>
11 years, 6 months