openldap-technical June 2012

openldap-technical@openldap.org

66 participants
61 discussions

syncrepl, version compatibility, partial sync
by Ryan Lovett 14 Jun '12

14 Jun '12

Are there any known syncrepl compatibility issues between different 2.4.x versions? We have a master slapd running 2.4.9 and a consumer running 2.4.21 and are having a syncrepl problem and only some of the data is being synced. The consumer slapd logs messsages of the form: entries have identical CSN ou=something,dc=something 20120614015145.546743Z#000000#000#000000 and syncrepl_entry: rid=200 entry unchanged, ignored (ou=other,dc=something) syncrepl_message_to_entry: rid=200 mods check (objectClass: value #8 invalid per syntax) do_syncrepl: rid=200 rc 21 retrying (9 retries left) In searching for similar reports we came across various solutions such as making sure the provider URI in the consumer's slapd.conf matches the server's URI at launch. The server was listening on ldap:/// and the consumer was set to connect to ldap://server.name/ though we modified the server to only listen on ldap://server.name/. We also tried stopping both consumer and master, flushing the databases on both, slapadding data back into the master, then starting both instances. The log messages return however just with updated CSN stamps. The consumer is never able to pull down the full data even with refreshAndPersist with sensible retry intervals. Thanks for your time, Ryan

2 1

loglevel expected performance impact
by Berend De Schouwer 14 Jun '12

14 Jun '12

I'm running some 2.4.23 servers, and I've encountered some slowdown on loglevel other than 0. Even 256 (stats; recommended) impacts about a 4x slowdown on queries. Logging is to syslog. Running ldapsearch slows from 0.005-0.010 seconds to about 0.030-0.040 seconds; and that includes loading the binary. That's from localhost to remove potential DNS lookups. I stumbled across this when logging was wrong, and the slowdown was 100x. I'm aware that 2.4.23 isn't the latest version. I'm also quite happy, for now, to run loglevel 0. I'm wondering if this is the expected behaviour, given that it's the recommended configuration. Or should I go dig to find the slowdown? (I did check the indexes, and db_stats, etc. All seems fine.) I apologise for the disclaimer, Berend CONFIDENTIALITY NOTICE The contents of and attachments to this e-mail are intended for the addressee only, and may contain the confidential information of Argility (Proprietary) Limited and/or its subsidiaries. Any review, use or dissemination thereof by anyone other than the intended addressee is prohibited. If you are not the intended addressee please notify the writer immediately and destroy the e-mail. Argility (Proprietary) Limited and its subsidiaries distance themselves from and accept no liability for unauthorised use of their e-mail facilities or e-mails sent other than strictly for business purposes.

3 3

OLC Configuration on RHEL6
by Roger Martinez 12 Jun '12

12 Jun '12

Greetings all, I've only just recently learned about configuring and using LDAP using slapd.conf configuration. Recently, however, I have been asked to configure LDAP on a server running Red Hat Enterprise Linux 6. I've run into a few problems. First of all, when I try to connect via LDAP Browser/Editor to view the cn=config list, it connects but gives me Error 32 - No Such Object. The following is the the cfg file that Ldap Browser/Editor uses to connect to the session: ################################# # # # LDAP Browser v2.8 config file # # # # cn=config all attributes # # # ################################# host=[my server's IP address] port=389 sslport=636 basedn=cn=config version=3 managerdn=cn=Manager,cn=config managerlogin=no autoconnect=no leafindicatortype=int leafindicator=numsubordinates managereferrals=no supportsmovetree=no derefaliases=never sorttree=ascending ldap.attributes.list=* + The managerdn i got from the olcRootDN line in olcDatabase={2}bdb.ldif file. And the rest i got from zytrax.com online book ( http://www.zytrax.com/books/ldap/ch14/cn=config.cfg ) My question is, is there any other configuration or any other additional steps that I need to take after yum install in order to make this LDAP server functional? What have I missed? Any help will be much appreciated! Thank you. -- Roger Martinez Intern incNETWORKS, inc.

3 3

attrs=@objectClassName affects objectClass attribute
by Nick Milas 12 Jun '12

12 Jun '12

I am facing the following problem (with v2.4.31 on CentOS 5.8). I am using a - recently added - custom schema with one AUX objectclass and 3 optional attrs; I am trying to use an ACL of the form: access to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read but strangely this ALSO changes the privileges for the objectClass attribute of the entry! If I list the attrs of that object class instead, there is no problem: access to dn.subtree="ou=people,dc=example,dc=com" attrs=writeAccessEntities,readAccessEntities,searchAccessEntities by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read Now, the ACL works correctly, and it does not affect the entry objectClass attribute. Surprisingly, this does not happen with other object classes. If I use, for example: access to dn.subtree="ou=people,dc=example,dc=com" attrs=@eduPerson by group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read then, it correctly assigns privileges to only the attrs of eduPerson object class (also an AUX class with only optional attrs), without affecting the entry objectclass attribute. Does anyone have an idea what is happening? Am I doing anything wrong? Any help will be appreciated. For reference I include the schema below. Note: I am using dynamic config, but I have listed schema and ACLs in their "standard" form, for better readability. Thanks, Nick ===================================================== entryaccess.schema ===================================================== attributetype ( 1.3.6.1.4.1.39349.4.1.11 NAME 'writeAccessEntities' DESC 'DNs of Groups which should be allowed write (full) access to this entry' SUP distinguishedName ) attributetype ( 1.3.6.1.4.1.39349.4.1.12 NAME 'readAccessEntities' DESC 'DNs of Groups which should be allowed read (read-only) access to this entry' SUP distinguishedName ) attributetype ( 1.3.6.1.4.1.39349.4.1.13 NAME 'searchAccessEntities' DESC 'DNs of Groups which should be allowed search (search-only) access to this entry' SUP distinguishedName ) objectclass ( 1.3.6.1.4.1.39349.4.2.101 NAME 'entryAccessEntities' DESC 'Allow access to the entry, to which this class is added, to the entities specified as the values (DNs) of this class attributes' SUP top AUXILIARY MAY ( writeAccessEntities $ readAccessEntities $ searchAccessEntities ) ) =====================================================

6 13

slapd hangs - subtree insert failed: -30995
by Meike Stone 11 Jun '12

11 Jun '12

Hello, after inserting (ADD) one object, I get following messages in the logfile and the sapld hangs: Jun 1 09:02:24 ldap-01 slapd[8836]: conn=633789 op=1 ADD dn="cn=3,cn=2,cn=node,cn=1,cn=BBB,cn=AAA,cn=companies,ou=root" Jun 1 09:02:24 ldap-01 slapd[8836]: => bdb_idl_insert_key: c_get failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995) Jun 1 09:02:24 ldap-01 slapd[8836]: => bdb_dn2id_add 0x205e7e: subtree (cn=BBB,cn=AAA,cn=companies,ou=root) insert failed: -30995 After this, I don't see any messages in the log till the staff was initiating a stop/start: Jun 1 09:09:29 ldap-01 slapd[8836]: daemon: shutdown requested and initiated. Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633113 fd=9 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=405426 fd=12 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633787 fd=13 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=1011 fd=14 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=1013 fd=18 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632703 fd=33 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632710 fd=37 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632883 fd=39 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632762 fd=40 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633211 fd=41 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633735 fd=45 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632829 fd=47 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633170 fd=48 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633200 fd=50 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633788 fd=55 closed (slapd shutdown) Jun 1 09:09:29 ldap-01 slapd[8836]: slapd shutdown: waiting for 22 operations/tasks to finish Jun 1 09:09:42 ldap-01 slapd[20945]: @(#) $OpenLDAP: slapd 2.4.30 $ opensuse-buildservice(a)opensuse.org Jun 1 09:09:43 ldap-01 slapd[20945]: slapd starting After the error message at 09:02:24 the slapd did not answer any request. I cannot recover that problem in a test environment. The server is running in a MM environment (two masters), and the server gets 200-1200 search request/s Because of this high rate, we set "loglevel 0". Since we updated the slapd to 2.4.30 (from 2.4.28) the server crashes/hangs about on times a week. Because of this we set loglevel 256 back again. Would be very nice, if I can fix the problem, please help. Thanks in advance Meike PS: The slapd is a modified, self compiled version because of larger IDL with following changes: openldap-2.4.30/servers/slapd/back-bdb/idl.h: -#define BDB_IDL_LOGN 16 /* DB_SIZE is 2^16, UM_SIZE is 2^17 */ +#define BDB_IDL_LOGN 17 /* DB_SIZE is 2^17, UM_SIZE is 2^18 */ openldap-2.4.30/include/ldap_pvt_thread.h: -# define LDAP_PVT_THREAD_STACK_SIZE ( 1 * 1024 * 1024 * sizeof(void *) ) +# define LDAP_PVT_THREAD_STACK_SIZE ( 2 * 1024 * 1024 * sizeof(void *) ) All tests where running well!

1 2

LDAP backend filtering
by Smarti9＠gmx.de 11 Jun '12

11 Jun '12

Hi everybody, I'm quite new to openldap and I'm currently trying to find a solution for the following problem: To populate an address book I need to read users and some attributes from an Active Directory. I need to map several attributes to a new attribute name. More important is to filter on active users and skip the disabled ones. My address book application is not able to do this, it can simply query the whole AD. My idea was to use openldap as some kind of proxy between the application and the AD. I've setup openldap with the following configuration: database ldap suffix "dc=xxxx,dc=local" uri "ldap://192.168.50.1" rebind-as-user protocol-version 3 overlay rwm rwm-map attribute uid samaccountname rwm-map attribute address street This works perfect for getting the data out of the AD and remap the attribute names. Unfortunately I wasn't able to restrict the results to active users. The query string which does this looks like this: "(&(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" Can anyone please point me to the right direction how I can set this as a filter towards the AD to only get back the results matching this filter? Thanks a lot to everyone for your help! Michael -- NEU: FreePhone 3-fach-Flat mit kostenlosem Smartphone! Jetzt informieren: http://mobile.1und1.de/?ac=OM.PW.PW003K20328T7073a

2 1

back-sql slow searches
by Martijn van Duren 08 Jun '12

08 Jun '12

Hello, I'm currently setting up a postgresql database which parts need to be accesible through LDAP. The initial setup turned out great. I can bind to my user accounts and I can dump the database through ldapsearch. The problem I'm currently facing is that searches take to long. The ldap_entries table currently contains 3563 entries and searching for any attribute (even when it's part of the dn) takes about 1.25 minutes, which seems rather long for a db backend. Looking at my postgresql logs it appears that when a search is being done every relation gets fully retrieved and most likely filtered in slapd. Is there a certain configuration option I've missed to speed up the searches or is this something I can view as a bug. Thanks for your response.

1 0

Migrating 2.4 issue
by Luc MAIGNAN 07 Jun '12

07 Jun '12

Hi, I try to upgrade openldap to 2.4. Considering the documentation on my new freshly installed server on which I've restored the slapd.conf of a previous server, I try : slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d This gives me this issue : bdb_db_open: database "dc=domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2). backend_startup_one (type=bdb, suffix="dc=domain,dc=com"): bi_db_open failed! (2) I've found on internet that I can safely ignore this, but it doesn't really work (slapd doesn't want to start correctly after) How can I fix it ? Thanks for any help Regards

2 1

Syncrepl replication does not work always
by Efstathios Xagoraris 07 Jun '12

07 Jun '12

Hello to everyone, I have a working OpenLDAP setup ( 2.3.43 - Centos 5.8 RPM ) with a Master LDAP and consumers worldwide across datacenters. I also monitor if directories from Consumers are in Sync with the master. Consumers sometimes fail to communicate with master ldap and replicate.Syncrepl retry interval does not work at that time. If i restart consumer LDAP service everything works as expected,changes replicate successfully. My consumer interval is 1 minute but when the directories are not in sync i dont see syncrepl messages in my logs. My logs: Jun 7 02:22:12 xxx slapd[26433]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT (Normal ...) Jun 7 02:23:12 xxx slapd[26433]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT (Normal ...) >From now on .. syncrepl does not appear on logs, i got only that line Jun 7 02:27:22 xxx slapd[26433]: do_syncrep1: rid 007 ldap_sasl_bind_s failed (-1) I restart ldap service and everything works as expected Jun 7 17:06:40 xxx slapd[4397]: syncrepl_entry: rid 007 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) Jun 7 17:06:40 xxx slapd[4397]: syncrepl_entry: rid 007 be_search (0) Jun 7 17:06:42 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT Jun 7 17:07:44 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT Jun 7 17:08:45 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT My consumers config: syncrepl rid=007 provider=ldaps://master:636 bindmethod=simple binddn="cn=xxx,dc=xxx,dc=xxx" credentials=xxxx searchbase="dc=xxx,dc=xxx" scope=sub schemachecking=on #type=refreshAndPersist #retry="30 20 60 +" type=refreshOnly interval=00:00:01:00 updateref ldaps://master And my master config: database bdb suffix "dc=xxx,dc=xxx" rootdn "cn=xxx,dc=xxx,dc=xxx" rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname,gecos,description eq,pres,sub index uidNumber,gidNumber,uniqueMember,homeDirectory,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub loglevel 256 16384 logfile /var/log/ldap.log overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 At the same time,when my directories are not in sync,my consumer in the same datacenter as the master is always in sync.This is fixed when i restart ldap service on consumers.Replication works for some hours after the restart and the interval consumers do not replicate is kind of random. Maybe a network issue as passing through firewall to reach consumers in other datacenters ? I have also tried changing the type of syncrepl to refreshAndPersist and the issue still exists. It seems this issue is similar to this ( http://www.openldap.org/lists/openldap-technical/200905/msg00024.html ) but i thought pull bashed syncrepl from refreshOnly should not be impacted from states being dropped. << This sort of problem with long-lived connections is often due to state being dropped from IP-level devices. >> Thanks a lot everyone

3 3

there is no schema by the directory
by Daniel Peinado Lopez 07 Jun '12

07 Jun '12

Hello, I have installed openldap in Fedora. First I deleted the openldap installation. (var/lib/ldap and etc/openldap) Then I wrote: yum reinstall openldap-client openldap-server openldap I configured slapd.conf with my domain, the root password with slappasswd, ldap.conf with my BASE and HOST. I copied the DB_CONFIG.example to /var/lib/ldap. I did my base.ldif of the structure of my LDAP and "ldapadd" everything succesfully. I use jXplore and Apache Directory Studio to manage my LDAP from Windows, because it´s installed in one server. The problem is that when I try to add users it says I have no schema. Apache Directory Studio creates its own schema, and I can add data. But after that schema disapears and I can't work with jXplorer. Thank you very much * * Daniel Peinado López *IANT - APPLIED NGN-TECHNOLOGIES **Turn-Key VoIP/UC Solutions and More... *Fon: +49 (5331) 6794 400 Fax: +49 (5331) 6794 499 Mail: daniel.peinado(a)iant.de <jan.schumacher(a)iant.de> Web: www.iant.de <http://www.iant.de/en/startseite> IANT is eZuce <http://www.ezuce.com/> Elite Partner for EMEA IANT is Member of GROUPLINK <http://www.grouplink.de/>

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2012