openldap-technical May 2012

openldap-technical@openldap.org

76 participants
101 discussions

2-node MMR w/ delta-syncrepl setup, out of sync, best way to resync?
by Brandon Hume 10 May '12

10 May '12

I have a new MMR setup, "kil-ds-3" and "kil-ds-4". I turns out that I was missing syncprov on the cn=accesslog tree, which the guys on IRC helped me out with correcting (thanks again, JoBbZ!). But even though I corrected that, and syncrepl is working great now, kil-ds-4 is not discovering and replicating the ~15k changes made on kil-ds-3 while syncing was broken, even when restarting the server. Howard pointed me at the -c command line argument for slapd, and I've given it a try with "slapd -c rid=002", as well as "slapd -c rid=002,sin=2,csn=0", and neither one causes the server to do a full resync, although the manpage says "-c rid=002" should be sufficient. Do the rules for that change in a mirrormode setup? Is the only real fix an "/etc/init.d/ldapd stop && rm -f ${DBDIR}/* && /etc/init.d/ldapd start"? *Somewhat* related to that... we have an "updater" process that runs through the directory and changes departmental affiliations, organizational affiliations, entitlements, and so on. Most of the time only a few dozen records get touched, but of course about three times a year new students come in, more graduate, and so on... and on those landmark days I might see tens of thousands of entries getting updated in about 30 minutes. With that kind of situation, what kind of value should I keep for olcSpSessionLog (syncprov-sessionlog)? If, for example, I had one side of the mirror down during this update process, would I lose any replication or performance if the sessionlog overflowed (olcSpSessionLog = 10000, and 25k changes are made)? I'm assuming the recovering node would simply fall back to a "present phase" synchronization and syncing'll just take a bit longer, and even then that will only happen if > 10k entries are *deleted* as opposed to modified. Am I understanding the process correctly?

2 2

RE: openldap to AD proxy
by Alex Samad - Yieldbroker 09 May '12

09 May '12

Still haven't been able to get this working. And can't find any way to turn on any debugging for ldap backend. If anyone has done this if they could provide some feed back. A -----Original Message----- From: Alex Samad - Yieldbroker Sent: Friday, 4 May 2012 2:32 PM To: 'openldap-technical(a)openldap.org' Subject: openldap to AD proxy Hi I am still struggling with the my openldap to AD proxy connection. I have successfully connected such that I can do search when I bind to openldap with an AD dn, but I want to be able to do anon search and I want anon to map through to a dn I have created in AD which has read only rights. dn: olcDatabase={3}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {3}ldap olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * read olcReadOnly: TRUE olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth olcSizeLimit: 500 olcSuffix: dc=xyz,dc=com olcDburi: "ldap://ldap. xyz.com " olcDbRebindAsUser: TRUE olcDbChaseReferrals: TRUE olcdbaclbind: bindmethod=simple binddn="CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" credentials=":)" starttls=no olcDbIDAssertBind: bindmethod=none binddn="CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" credentials=":)" starttls=no I have a subordinate db at ou=external, DC= xyz,DC=com I can do a ldapsearch -x -D " CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" -b " DC= xyz,DC=com" -w :) what I can't do is ldapsearch -x -b " DC= xyz,DC=com" I am thinking I want to map anon request through to the readonly DN. But still leave it such that when people bind to openldap as themselves they bind to AD as themselves How would I do that ? Thanks Alex

1 0

Re: slapadd hanging initializing mdb backend
by Mark 09 May '12

09 May '12

On Wed, May 2, 2012 at 3:37 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Monday, April 30, 2012 10:37 AM -0500 Mark <mah042(a)gmail.com> wrote: > > When I try to slapadd initial data into an empty mdb backend, the slapadd >> hangs: >> >> $ /tmp/openldap-2.4.31/sbin/**slapadd -w -S 1 -c -F >> /tmp/openldap-2.4.31/etc/**slapd.d -b dc=example,dc=com -l >> /tmp/openldap-2.4.31/etc/**initdb.ldif >> _#################### 100.00% eta none elapsed >> none fast! >> (does not return to a shell prompt. I have to INT it.) >> > > Caused by using -w, ITS#7225, currently fixed in git master. > Did you mean ITS#7255 ?

2 1

Lock table is out of available locks
by Marc Patermann 09 May '12

09 May '12

Hi, while extending an object by adding a lot of maildrop values, slapd refused to MOD with err 80: May 4 15:31:57 rzhs720 slapd[27004]: conn=1007 op=3 MOD dn="ou=infogroup,ou=foo" May 4 15:31:57 rzhs720 slapd[27004]: conn=1007 op=3 MOD attr=objectClass ou cn mail member maildrop May 4 15:31:57 rzhs720 slapd[27004]: slap_queue_csn: queing 0x7fd30c0c20f0 20120504133157.956217Z#000000#000#000000 May 4 15:31:57 rzhs720 slapd[27004]: bdb(ou=foo): Lock table is out of available locks May 4 15:31:57 rzhs720 slapd[27004]: => bdb_idl_insert_key: c_put id failed: Cannot allocate memory (12) May 4 15:31:57 rzhs720 slapd[27004]: conn=1007 op=3: attribute "maildrop" index add failure Adding the object with less maildrop entries is not a problem. # db_stat -c -h /var/lib/ldap/main-data/ 1834 Last allocated locker ID 0x7fffffff Current maximum unused locker ID 9 Number of lock modes 1000 Maximum number of locks possible 1000 Maximum number of lockers possible 1000 Maximum number of lock objects possible 7 Number of current locks 1000 Maximum number of locks at any one time 131 Number of current lockers 196 Maximum number of lockers at any one time 8 Number of current lock objects 611 Maximum number of lock objects at any one time 447M Total number of locks requested (447627426) 447M Total number of locks released (447627285) 0 Total number of locks upgraded 550 Total number of locks downgraded 17M Lock requests not available due to conflicts, for which we waited (17614104) 0 Lock requests not available due to conflicts, for which we did not wait 0 Number of deadlocks 0 Lock timeout value 0 Number of locks that have timed out 0 Transaction timeout value 0 Number of transactions that have timed out 544KB The size of the lock region 70M The number of region locks that required waiting (9%) -rw------- 1 ldap ldap 14M May 4 16:16 mail.bdb -rw------- 1 ldap ldap 9.0M May 4 16:16 maildrop.bdb # db_stat -m 2GB Total cache size 1 Number of caches 2GB Pool individual cache size 0 Maximum memory-mapped file size 0 Maximum open file descriptors 0 Maximum sequential buffer writes 0 Sleep after writing maximum sequential buffers 0 Requested pages mapped into the process' address space 511M Requested pages found in the cache (99%) 40787 Requested pages not found in the cache 14 Pages created in the cache 40787 Pages read into the cache 20862 Pages written from the cache to the backing file 0 Clean pages forced from the cache 0 Dirty pages forced from the cache 0 Dirty pages written by trickle-sync thread 40801 Current total page count 40801 Current clean page count 0 Current dirty page count 262147 Number of hash buckets used for page location 510M Total number of times hash chains searched for a page (510897500) 2 The longest hash chain searched for a page 564M Total number of hash chain entries checked for page (564617346) 1375049 The number of hash bucket locks that required waiting (0%) 364335 The maximum number of times any hash bucket lock was waited for (0%) 7486 The number of region locks that required waiting (12%) 0 The number of buffers frozen 0 The number of buffers thawed 0 The number of frozen buffers freed 49931 The number of page allocations 0 The number of hash buckets examined during allocations 0 The maximum number of hash buckets examined for an allocation 0 The number of pages examined during allocations 0 The max number of pages examined for an allocation 18790 Threads waited on page I/O Pool File: ou.bdb 4096 Page size 0 Requested pages mapped into the process' address space 8568 Requested pages found in the cache (99%) 30 Requested pages not found in the cache 0 Pages created in the cache 30 Pages read into the cache 579 Pages written from the cache to the backing file Pool File: givenName.bdb 4096 Page size 0 Requested pages mapped into the process' address space 9744 Requested pages found in the cache (92%) 811 Requested pages not found in the cache 0 Pages created in the cache 811 Pages read into the cache 508 Pages written from the cache to the backing file Pool File: mail.bdb 4096 Page size 0 Requested pages mapped into the process' address space 82597 Requested pages found in the cache (96%) 2802 Requested pages not found in the cache 1 Pages created in the cache 2802 Pages read into the cache 3687 Pages written from the cache to the backing file Pool File: uidNumber.bdb 4096 Page size 0 Requested pages mapped into the process' address space 911 Requested pages found in the cache (93%) 63 Requested pages not found in the cache 0 Pages created in the cache 63 Pages read into the cache 134 Pages written from the cache to the backing file Pool File: relativeDomainName.bdb 4096 Page size 0 Requested pages mapped into the process' address space 31932 Requested pages found in the cache (98%) 605 Requested pages not found in the cache 0 Pages created in the cache 605 Pages read into the cache 1890 Pages written from the cache to the backing file Pool File: cn.bdb 4096 Page size 0 Requested pages mapped into the process' address space 51546 Requested pages found in the cache (95%) 2683 Requested pages not found in the cache 2 Pages created in the cache 2683 Pages read into the cache 3198 Pages written from the cache to the backing file Pool File: maildrop.bdb 4096 Page size 0 Requested pages mapped into the process' address space 3908380 Requested pages found in the cache (99%) 2291 Requested pages not found in the cache 0 Pages created in the cache 2291 Pages read into the cache 3938 Pages written from the cache to the backing file Pool File: gidNumber.bdb 4096 Page size 0 Requested pages mapped into the process' address space 1097 Requested pages found in the cache (92%) 89 Requested pages not found in the cache 0 Pages created in the cache 89 Pages read into the cache 172 Pages written from the cache to the backing file Pool File: version.bdb 4096 Page size 0 Requested pages mapped into the process' address space 1744 Requested pages found in the cache (97%) 41 Requested pages not found in the cache 0 Pages created in the cache 41 Pages read into the cache 76 Pages written from the cache to the backing file Pool File: zoneName.bdb 4096 Page size 0 Requested pages mapped into the process' address space 3370 Requested pages found in the cache (99%) 30 Requested pages not found in the cache 0 Pages created in the cache 30 Pages read into the cache 131 Pages written from the cache to the backing file Pool File: entryCSN.bdb 4096 Page size 0 Requested pages mapped into the process' address space 83520 Requested pages found in the cache (99%) 306 Requested pages not found in the cache 0 Pages created in the cache 306 Pages read into the cache 1015 Pages written from the cache to the backing file Pool File: sn.bdb 4096 Page size 0 Requested pages mapped into the process' address space 10019 Requested pages found in the cache (92%) 765 Requested pages not found in the cache 0 Pages created in the cache 765 Pages read into the cache 643 Pages written from the cache to the backing file Pool File: objectClass.bdb 4096 Page size 0 Requested pages mapped into the process' address space 115341 Requested pages found in the cache (99%) 321 Requested pages not found in the cache 0 Pages created in the cache 321 Pages read into the cache 826 Pages written from the cache to the backing file Pool File: uid.bdb 4096 Page size 0 Requested pages mapped into the process' address space 2273 Requested pages found in the cache (91%) 216 Requested pages not found in the cache 0 Pages created in the cache 216 Pages read into the cache 171 Pages written from the cache to the backing file Pool File: id2entry.bdb 16384 Page size 0 Requested pages mapped into the process' address space 499M Requested pages found in the cache (99%) 17796 Requested pages not found in the cache 11 Pages created in the cache 17796 Pages read into the cache 1463 Pages written from the cache to the backing file Pool File: entryUUID.bdb 4096 Page size 0 Requested pages mapped into the process' address space 2183 Requested pages found in the cache (87%) 317 Requested pages not found in the cache 0 Pages created in the cache 317 Pages read into the cache 415 Pages written from the cache to the backing file Pool File: dn2id.bdb 4096 Page size 0 Requested pages mapped into the process' address space 7462379 Requested pages found in the cache (99%) 11621 Requested pages not found in the cache 0 Pages created in the cache 11621 Pages read into the cache 2016 Pages written from the cache to the backing file # ps -eLf | grep slapd | wc -l 19 Can anyone tell me what happens here and what to do about it? Marc

2 5

RE: pwdPolicySubentry & replication user
by Michael Starling 08 May '12

08 May '12

I also have no issues if I run syncrepl with a provider and consumer. Only mirror mode. Perhaps I'll try downgrading openLDAP. Thanks. Mike Date: Tue, 8 May 2012 16:54:25 -0400 From: brooksct(a)hbcs.org To: mlstarling31(a)hotmail.com CC: openldap-technical(a)openldap.org Subject: RE: pwdPolicySubentry & replication user I run that version without issues, but my infrastructure is still using good old reliable low-bandwidth slurpd, which is no longer supported. I don’t think syncrepl is sufficiently reliable yet, although others disagree. --Charlie From: Michael Starling [mailto:mlstarling31@hotmail.com] Sent: 2012 May 08 4:20 PM To: quanah(a)zimbra.com Cc: openldap Subject: RE: pwdPolicySubentry & replication user Re: Take the issue to Redhat Easier said than done. The policy is what it is but I didn't think it would do any harm to see if anyone has run into this issue. > Date: Tue, 8 May 2012 12:22:58 -0700 > From: quanah(a)zimbra.com > To: mlstarling31(a)hotmail.com > CC: openldap-technical(a)openldap.org > Subject: RE: pwdPolicySubentry & replication user > > --On Tuesday, May 08, 2012 3:07 PM -0400 Michael Starling > <mlstarling31(a)hotmail.com> wrote: > > > > > Unfortunately I have no choice as this is the latest available in the > > RHEL tree and my company won't allow us to deviate and compile. > > Then you will need to take issues to RedHat since your company has an > utterly broken policy. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration ------------------ CONFIDENTIALITY NOTICE --------------- This message, including any attachments, is for the sole use of the intended recipient(s) and may contain privileged confidential information protected by law. Any unauthorized review, use, disclosure or distribution of this message is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of this message. ------------------ CONFIDENTIALITY NOTICE ---------------

1 1

Questions about getting membership of a user
by ctosgh 08 May '12

08 May '12

Hi,All With openldap 2.4.x which supports memberOf overlay. I can get group info with only one search with following configs. <1> [root@/jacky/var]$cat user.ldif dn: cn=jacky,ou=users,dc=jacky,dc=com objectClass: organizationalPerson cn: jacky sn: sun userPassword: 11111111 [root@/jacky/var]$cat JackyGroup.ldif dn: cn=JackyGroup,ou=groups,dc=jacky,dc=com objectClass: groupOfNames cn: JackyGroup member: cn=jacky,ou=users,dc=jacky,dc=com <2> memberOf overlay is configured correctly <3> [root@/jacky/var]$ldapsearch -x -D "cn=root,dc=jacky,dc=com" -b "dc=jacky,dc=com" -H "ldap://x.x.x.x:389" -w xxx -s sub "(cn=jacky)" memberOf # extended LDIF # # LDAPv3 # base <dc=jacky,dc=com> with scope subtree # filter: (cn=jacky) # requesting: memberOf # # jacky, users, jacky.com dn: cn=jacky,ou=users,dc=jacky,dc=com memberOf: cn=JackyGroup,ou=groups,dc=jacky,dc=com [This is what I want] # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 My questions are here: A1: With openldap 2.4.x, if posixAccount is used to manage users, then attribute 'gidNumber' which is a number will represent user's membership. With this case, is it possible that I can get group info(DN format as above) of a user entry by ONLY one search? A2: With older openldap whihc does NOT support memberOf overlay: <1> If organizationalPerson is used to manage users, is it possible that I can get group info(DN format) of a user entry by ONLY one search? <2> If posixAccount is used to manage users, is it possible that I can get group info(DN format) of a user entry by ONLY one search?Any reply is appreciated~TIA Thanks, Jacky

1 1

pwdPolicySubentry & replication user
by Michael Starling 08 May '12

08 May '12

Consider the following password policy entry to disable password expiration. dn: cn=noexpire,ou=policies,dc=umlott,dc=lott cn: noexpire objectClass: pwdPolicy objectClass: person objectClass: top sn: Password Policy pwdAttribute: UserPassword pwdMaxAge: 0 pwdLockout: FALSE description: Non-Expiring password policy for service accounts. =============================================== The following LDIF attaches this policy to the 3 users below: dn: cn=ldapmgr,ou=Service,dc=umlott,dc=lott changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott dn: cn=bind,ou=Service,dc=umlott,dc=lott changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott dn: cn=replicator,ou=Service,dc=umlott,dc=lott changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=noexpire,ou=policies,dc=umlott,dc=lott This all works well and good when setting up my first LDAP server, however when I setup another LDAP server in mirror mode to the first server the pwdPolicySubentry attribute doesn't carry over to the the second node and I start to see this in the slapd logs: ppolicy_bind: Setting warning for password expiry for cn=replicator,ou=service,dc=umlott,dc=lott = 0 seconds What's interesting is that the other two accounts that have the noexpire policy attached carry over the pwdPolicySubentry attribute just fine to the second node. Any insight would be greatly appreciated. Mike

3 6

acl filter problem
by Dorit 08 May '12

08 May '12

2 4

Memory consumption when increasing BDB_IDL_LOGN
by Meike Stone 07 May '12

07 May '12

Hello, how does the memory usage increase if I increase the BDB_IDL_LOGN? I tried to discover and understand this by searching in the mailing list (Is there is a good guide to understand all of this?). After a search, each returned up ID from bdb is located in one slot in the IDL list. On a x86_64 system, each slot is 8Byte. Each search stack in each thread (threads in slapd.conf) gets his own IDL slots. The default value for the threads are 16. With 16 bit BDB_IDL_LOGN (default) on x86_64 with default threads, we need 64k*8*16 = 1024KB memory? If I increase the BDB_IDL_LOGN to 20 we need 512k*8*16 = 8MB? 1) Are my assumptions above correct? 2) How do I increase LDAP_PVT_THREAD_STACK_SIZE? In my tests I used "4 * 1024 * 1024 * sizeof(void *)" and all tests where running well. 3) Are there other variables to increase before compiling? 4) Here we talk about 8MB memory, did I miss something, that is not the problem today or are there other things I did not catch (other caches in memory e.g. cachesize, dncachesize, idlcachesize or shared memory ...)? 5) What is the amount overall I have to expect for memory consumption? I understand, that after adding and deleting entires, the IDs "sparse out" for one index and we loose precision (if we have after search more IDs than BDB_IDL_LOGN), because using ranges. This Problem will increase as older the database becomes. But if I increase the BDB_IDL_LOGN to my needed size (max expected returned IDs from during search a indexed attibute), the problem with "getting older" is not important for me? Thanks a lot, Meike

2 2

Cached user info?
by Braden McDaniel 07 May '12

07 May '12

I found it necessary to change the GID of a POSIX group defined in LDAP. But when I log in with a user that is a member of this group, I find that the user's group membership still reflects the old GID. At this point, I've tried removing the user from the group, and adding it back--it still comes up with the old GID when logged in (or, specifically, typing "groups" at the command prompt lists a group associated with the old GID), even though I can't see *anything* referencing the old GID in the LDAP database. I am stumped. Anyone have ideas about what might be going on here? -- Braden McDaniel <braden(a)endoframe.com>

4 8

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2012