syncrepl, version compatibility, partial sync
by Ryan Lovett
Are there any known syncrepl compatibility issues between different 2.4.x
versions? We have a master slapd running 2.4.9 and a consumer running
2.4.21 and are having a syncrepl problem and only some of the data is being
synced. The consumer slapd logs messages of the form:
entries have identical CSN ou=something,dc=something
20120614015145.546743Z#000000#000#000000
and
syncrepl_entry: rid=200 entry unchanged, ignored (ou=other,dc=something)
syncrepl_message_to_entry: rid=200 mods check (objectClass: value #8
invalid per syntax)
do_syncrepl: rid=200 rc 21 retrying (9 retries left)
In searching for similar reports we came across various solutions such as
making sure the provider URI in the consumer's slapd.conf matches the
server's URI at launch. The server was listening on ldap:/// and the
consumer was set to connect to ldap://server.name/ though we modified the
server to only listen on ldap://server.name/.
We also tried stopping both consumer and master, flushing the databases on
both, slapadding data back into the master, then starting both instances.
The log messages return however just with updated CSN stamps. The consumer
is never able to pull down the full data even with refreshAndPersist with
sensible retry intervals.
Thanks for your time,
Ryan
8 years, 9 months
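A partial sync and a lagging consumer look the same from the client side; the check that separates them is the contextCSN on the suffix entry of both servers, which `ldapsearch -x -H ldap://host -b '<suffix>' -s base contextCSN` returns (it is an operational attribute and has to be asked for by name). The script below is an added example, not from the post or from the OpenLDAP project: it parses CSNs in the layout quoted above and reports, per server ID, whether the consumer has caught up. The sample values are constructed; the provider value is the one from the post.

```python
import re
from datetime import datetime, timezone

# Layout of an OpenLDAP 2.4 CSN, as in the value quoted in the post:
#   <UTC time>.<microseconds>Z#<change count>#<server id>#<modifier count>
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)


def parse_csn(csn):
    """Return (time, count, sid, mod) for a CSN string; ValueError if malformed."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError("not a CSN: %r" % csn)
    stamp, micro, count, sid, mod = m.groups()
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
        microsecond=int(micro), tzinfo=timezone.utc)
    return when, int(count, 16), int(sid, 16), int(mod, 16)


def compare_context_csns(provider_csns, consumer_csns):
    """Compare the contextCSN values of provider and consumer per server ID.

    Returns {sid: (state, seconds_behind)} where state is one of
    'in-sync', 'behind', 'missing' (consumer holds no CSN for that sid) or
    'ahead' (consumer newer than provider, which points at a misconfiguration).
    """
    def by_sid(values):
        parsed = [parse_csn(v) for v in values]
        return {p[2]: p for p in parsed}

    provider, consumer = by_sid(provider_csns), by_sid(consumer_csns)
    report = {}
    for sid, p in provider.items():
        c = consumer.get(sid)
        if c is None:
            report[sid] = ("missing", None)
            continue
        # CSNs order by time, then change count, then modifier count
        p_key, c_key = (p[0], p[1], p[3]), (c[0], c[1], c[3])
        if p_key == c_key:
            report[sid] = ("in-sync", 0.0)
        elif p_key > c_key:
            report[sid] = ("behind", (p[0] - c[0]).total_seconds())
        else:
            report[sid] = ("ahead", (c[0] - p[0]).total_seconds())
    return report


# Constructed sample: the provider CSN from the post against a consumer that
# stopped applying changes about 22 minutes earlier.
PROVIDER = ["20120614015145.546743Z#000000#000#000000"]
CONSUMER = ["20120614013000.000000Z#000000#000#000000"]

if __name__ == "__main__":
    for sid, (state, lag) in compare_context_csns(PROVIDER, CONSUMER).items():
        print("sid %03x: %s%s" % (sid, state, "" if lag is None else " (%.1fs)" % lag))
```

A consumer that reports "behind" but whose lag keeps growing while the provider is quiet has stopped applying changes, which is the situation the post describes; a sid that is "missing" on the consumer means it never received anything from that provider.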
loglevel expected performance impact
by Berend De Schouwer
I'm running some 2.4.23 servers, and I've encountered some slowdown on
loglevel other than 0. Even 256 (stats; recommended) impacts about a 4x
slowdown on queries. Logging is to syslog.
Running ldapsearch slows from 0.005-0.010 seconds to about 0.030-0.040
seconds; and that includes loading the binary. That's from localhost to
remove potential DNS lookups.
I stumbled across this when logging was wrong, and the slowdown was
100x.
I'm aware that 2.4.23 isn't the latest version. I'm also quite happy,
for now, to run loglevel 0.
I'm wondering if this is the expected behaviour, given that it's the
recommended configuration. Or should I go dig to find the slowdown?
(I did check the indexes, and db_stats, etc. All seems fine.)
I apologise for the disclaimer,
Berend
CONFIDENTIALITY NOTICE
The contents of and attachments to this e-mail are intended for the addressee only, and may contain the confidential information of Argility (Proprietary) Limited and/or its subsidiaries. Any review, use or dissemination thereof by anyone other than the intended addressee is prohibited.
If you are not the intended addressee please notify the writer immediately and destroy the e-mail. Argility (Proprietary) Limited and its subsidiaries distance themselves from and accept no liability for unauthorised use of their e-mail facilities or e-mails sent other than strictly for business purposes.
8 years, 9 months
OLC Configuration on RHEL6
by Roger Martinez
Greetings all,
I've only just recently learned about configuring and using LDAP using
slapd.conf configuration. Recently, however, I have been asked to
configure LDAP on a server running Red Hat Enterprise Linux 6. I've run
into a few problems.
First of all, when I try to connect via LDAP Browser/Editor to view the
cn=config list, it connects but gives me Error 32 - No Such Object. The
following is the cfg file that Ldap Browser/Editor uses to connect to
the session:
#################################
# #
# LDAP Browser v2.8 config file #
# #
# cn=config all attributes #
# #
#################################
host=[my server's IP address]
port=389
sslport=636
basedn=cn=config
version=3
managerdn=cn=Manager,cn=config
managerlogin=no
autoconnect=no
leafindicatortype=int
leafindicator=numsubordinates
managereferrals=no
supportsmovetree=no
derefaliases=never
sorttree=ascending
ldap.attributes.list=* +
The managerdn I got from the olcRootDN line in olcDatabase={2}bdb.ldif
file. And the rest I got from zytrax.com online book (
http://www.zytrax.com/books/ldap/ch14/cn=config.cfg )
My question is, is there any other configuration or any other additional
steps that I need to take after yum install in order to make this LDAP
server functional? What have I missed? Any help will be much appreciated!
Thank you.
--
Roger Martinez
Intern
incNETWORKS, inc.
8 years, 10 months
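Who may read or write cn=config is decided by the config database itself, olcDatabase={0}config, through its own olcRootDN and olcAccess values; the olcRootDN of the bdb database grants nothing there. The first check is therefore what those two files actually say, and if slapd listens on ldapi:///, `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` run as root on the server reads them over the local socket. The script below is an added example, not from the post or from the OpenLDAP project: a small LDIF reader that audits the per-database settings and answers whether a given bind DN can manage cn=config. The LDIF fragments are constructed to resemble the RHEL 6 package layout (assumption: the stock files grant manage rights on cn=config only to the local root user over ldapi:///; details may differ), and the root password in them is a deliberately weak constructed value.

```python
import base64

# Constructed slapd.d fragments for this example (assumption: they follow the
# layout of the RHEL 6 openldap-servers package, whose config database grants
# manage rights only to the local root user over ldapi:/// with SASL EXTERNAL;
# the stock files may differ in detail).
CONFIG_LDIFS = {
    "olcDatabase={0}config.ldif": """\
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth" manage by * none
""",
    "olcDatabase={2}bdb.ldif": """\
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW:: c2VjcmV0
""",
}


def parse_ldif(text):
    """Minimal LDIF reader for one entry: unfolds continuation lines and
    decodes base64 ('::') values. Returns {attribute: [values]}."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def database_report(ldifs):
    """One record per database: suffix, rootdn, password scheme, ACLs, findings."""
    report = {}
    for text in ldifs.values():
        e = parse_ldif(text)
        rec = {
            "suffix": e.get("olcSuffix", [None])[0],
            "rootdn": e.get("olcRootDN", [None])[0],
            "rootpw_scheme": None,
            "access": e.get("olcAccess", []),
            "findings": [],
        }
        rootpw = e.get("olcRootPW", [None])[0]
        if rootpw is not None:
            # slapd treats a value without a {scheme} prefix as cleartext
            if rootpw.startswith("{") and "}" in rootpw:
                rec["rootpw_scheme"] = rootpw[1:rootpw.index("}")]
            else:
                rec["rootpw_scheme"] = "cleartext"
                rec["findings"].append("olcRootPW is stored in cleartext")
        report[e["olcDatabase"][0]] = rec
    return report


def can_manage_config(report, binddn):
    """Approximate test of who may write cn=config: the config database's own
    olcRootDN, or a DN named by dn.base/dn.exact in an olcAccess clause that
    grants manage or write. The rootdn of the bdb database confers nothing here."""
    cfg = report["{0}config"]
    want = binddn.lower()
    if cfg["rootdn"] is not None and cfg["rootdn"].lower() == want:
        return True
    for rule in cfg["access"]:
        for clause in rule.split(" by ")[1:]:
            who, _, privilege = clause.strip().partition(" ")
            if not who.startswith(("dn.base=", "dn.exact=")):
                continue
            subject = who.split("=", 1)[1].strip('"')
            if subject.lower() == want and privilege.split()[0] in ("manage", "write"):
                return True
    return False


if __name__ == "__main__":
    rep = database_report(CONFIG_LDIFS)
    for db, rec in sorted(rep.items()):
        print(db, rec["suffix"], rec["rootdn"], rec["rootpw_scheme"], rec["findings"])
    print("cn=Manager,cn=config can manage cn=config:",
          can_manage_config(rep, "cn=Manager,cn=config"))
```

Run against a real slapd.d, the script reads the files under cn=config/ in place of the constructed dictionary; the ACL check is deliberately literal (dn.base and dn.exact only) so that it never reports more access than the rule text grants.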
attrs=@objectClassName affects objectClass attribute
by Nick Milas
I am facing the following problem (with v2.4.31 on CentOS 5.8).
I am using a - recently added - custom schema with one AUX objectclass
and 3 optional attrs; I am trying to use an ACL of the form:
access to dn.subtree="ou=people,dc=example,dc=com"
attrs=@entryAccessEntities
by
group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
but strangely this ALSO changes the privileges for the objectClass
attribute of the entry!
If I list the attrs of that object class instead, there is no problem:
access to dn.subtree="ou=people,dc=example,dc=com"
attrs=writeAccessEntities,readAccessEntities,searchAccessEntities
by
group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
Now, the ACL works correctly, and it does not affect the entry
objectClass attribute.
Surprisingly, this does not happen with other object classes. If I use,
for example:
access to dn.subtree="ou=people,dc=example,dc=com" attrs=@eduPerson
by
group/groupOfNames/member.exact="cn=Admins,ou=groups,dc=example,dc=com" read
then, it correctly assigns privileges to only the attrs of eduPerson
object class (also an AUX class with only optional attrs), without
affecting the entry objectclass attribute.
Does anyone have an idea what is happening? Am I doing anything wrong?
Any help will be appreciated.
For reference I include the schema below.
Note: I am using dynamic config, but I have listed schema and ACLs in
their "standard" form, for better readability.
Thanks,
Nick
=====================================================
entryaccess.schema
=====================================================
attributetype ( 1.3.6.1.4.1.39349.4.1.11
NAME 'writeAccessEntities'
DESC 'DNs of Groups which should be allowed write (full) access to
this entry'
SUP distinguishedName )
attributetype ( 1.3.6.1.4.1.39349.4.1.12
NAME 'readAccessEntities'
DESC 'DNs of Groups which should be allowed read (read-only) access
to this entry'
SUP distinguishedName )
attributetype ( 1.3.6.1.4.1.39349.4.1.13
NAME 'searchAccessEntities'
DESC 'DNs of Groups which should be allowed search (search-only)
access to this entry'
SUP distinguishedName )
objectclass ( 1.3.6.1.4.1.39349.4.2.101
NAME 'entryAccessEntities'
DESC 'Allow access to the entry, to which this class is added, to
the entities specified as the values (DNs) of this class attributes'
SUP top AUXILIARY
MAY ( writeAccessEntities $ readAccessEntities $
searchAccessEntities ) )
=====================================================
8 years, 10 months
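The one difference between the two class definitions in play is the `SUP top` on entryAccessEntities. `top` requires objectClass, and an `attrs=@class` selector covers the MUST and MAY attributes of the class together with those of its superiors (assumption: that slapd merges the superior chain into the class when the schema loads is my reading of its schema code; the observable effect is exactly what the post reports). A class declared with no SUP, as the published eduPerson schema is (assumption), inherits nothing. The script below is an added example, not from the post or from the OpenLDAP project: it parses objectclass definitions in the same syntax as the schema above and computes what `@class` expands to. The schema text is constructed; entryAccessEntities is the class from the post and eduPerson is abbreviated.

```python
import re

# Constructed schema text for this example. 'top' is written out because its
# MUST (objectClass) is what a class declared "SUP top" inherits;
# entryAccessEntities is the class from the post; eduPerson is abbreviated
# and written without SUP (assumption: that matches the published schema).
SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top'
    ABSTRACT MUST objectClass )

objectclass ( 1.3.6.1.4.1.39349.4.2.101
    NAME 'entryAccessEntities'
    DESC 'Allow access to the entry to the entities listed in its attributes'
    SUP top AUXILIARY
    MAY ( writeAccessEntities $ readAccessEntities $
        searchAccessEntities ) )

objectclass ( 1.3.6.1.4.1.5923.1.1.2
    NAME 'eduPerson'
    AUXILIARY
    MAY ( eduPersonAffiliation $ eduPersonPrincipalName ) )
"""


def _definitions(text):
    """Yield the text between the outermost parentheses of each objectclass."""
    pos = 0
    while True:
        start = text.find("objectclass", pos)
        if start < 0:
            return
        open_paren = text.index("(", start)
        depth, i = 0, open_paren
        while True:
            if text[i] == "(":
                depth += 1
            elif text[i] == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield text[open_paren + 1:i]
        pos = i + 1


def _names(keyword, body):
    """Names after KEYWORD: a single token or a ( a $ b $ c ) list."""
    m = re.search(r"\b%s\s+(\(([^)]*)\)|\S+)" % keyword, body)
    if not m:
        return []
    inner = m.group(2) if m.group(2) is not None else m.group(1)
    return [t for t in re.split(r"[\s$]+", inner) if t]


def parse_objectclasses(text):
    """{name: {'sup': [...], 'must': [...], 'may': [...]}} for each definition."""
    classes = {}
    for body in _definitions(text):
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        classes[name] = {k: _names(k.upper(), body) for k in ("sup", "must", "may")}
    return classes


def expand_at(classes, name):
    """Attribute set that attrs=@name selects: MUST and MAY of the class merged
    with those of every superior (assumption about how slapd merges the
    superior chain; see the lead-in)."""
    attrs, seen, todo = set(), set(), [name]
    while todo:
        oc = todo.pop()
        if oc in seen:
            continue
        seen.add(oc)
        attrs.update(classes[oc]["must"])
        attrs.update(classes[oc]["may"])
        todo.extend(classes[oc]["sup"])
    return attrs


if __name__ == "__main__":
    ocs = parse_objectclasses(SCHEMA)
    for oc in ("entryAccessEntities", "eduPerson"):
        print("@%s -> %s" % (oc, sorted(expand_at(ocs, oc))))
```

For an ACL that should not touch objectClass, listing the attributes explicitly, as the second ACL in the post does, is the unambiguous form; the expansion above is the reason the `@` form of a `SUP top` class reaches further.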
slapd hangs - subtree insert failed: -30995
by Meike Stone
Hello,
after inserting (ADD) one object, I get following messages in the
logfile and the slapd hangs:
Jun 1 09:02:24 ldap-01 slapd[8836]: conn=633789 op=1 ADD
dn="cn=3,cn=2,cn=node,cn=1,cn=BBB,cn=AAA,cn=companies,ou=root"
Jun 1 09:02:24 ldap-01 slapd[8836]: => bdb_idl_insert_key: c_get
failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30995)
Jun 1 09:02:24 ldap-01 slapd[8836]: => bdb_dn2id_add 0x205e7e:
subtree (cn=BBB,cn=AAA,cn=companies,ou=root) insert failed: -30995
After this, I don't see any messages in the log until the staff
initiated a stop/start:
Jun 1 09:09:29 ldap-01 slapd[8836]: daemon: shutdown requested and initiated.
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633113 fd=9 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=405426 fd=12 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633787 fd=13 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=1011 fd=14 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=1013 fd=18 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632703 fd=33 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632710 fd=37 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632883 fd=39 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632762 fd=40 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633211 fd=41 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633735 fd=45 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=632829 fd=47 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633170 fd=48 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633200 fd=50 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: conn=633788 fd=55 closed (slapd shutdown)
Jun 1 09:09:29 ldap-01 slapd[8836]: slapd shutdown: waiting for 22
operations/tasks to finish
Jun 1 09:09:42 ldap-01 slapd[20945]: @(#) $OpenLDAP: slapd 2.4.30 $
opensuse-buildservice(a)opensuse.org
Jun 1 09:09:43 ldap-01 slapd[20945]: slapd starting
After the error message at 09:02:24 the slapd did not answer any request.
I cannot reproduce that problem in a test environment.
The server is running in a MM environment (two masters), and the
server gets 200-1200 search requests/s.
Because of this high rate, we set "loglevel 0". Since we updated the
slapd to 2.4.30 (from 2.4.28) the server crashes/hangs about once
a week.
Because of this we set loglevel 256 back again.
It would be very nice if I could fix the problem; please help.
Thanks in advance
Meike
PS:
The slapd is a modified, self compiled version because of larger IDL
with following changes:
openldap-2.4.30/servers/slapd/back-bdb/idl.h:
-#define BDB_IDL_LOGN 16 /* DB_SIZE is 2^16, UM_SIZE is 2^17 */
+#define BDB_IDL_LOGN 17 /* DB_SIZE is 2^17, UM_SIZE is 2^18 */
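Review bot: the exponent and the updated comment agree, but nothing records why this change needs the second hunk: back-bdb keeps IDL candidate arrays of BDB_IDL_UM_SIZE entries on the worker thread's stack, so going from 2^17 to 2^18 IDs doubles that per-search stack use (2 MiB per array with 8-byte IDs on a 64-bit build); add that as a comment beside the define. Also state whether the index databases were rebuilt (slapindex, or slapcat followed by slapadd) after the rebuilt binary went in: BDB_IDL_DB_SIZE is the threshold at which an index slot is stored as a range instead of an exact ID list, and slots written as ranges under the old limit stay ranges until reindexed.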
openldap-2.4.30/include/ldap_pvt_thread.h:
-# define LDAP_PVT_THREAD_STACK_SIZE ( 1 * 1024 * 1024 * sizeof(void *) )
+# define LDAP_PVT_THREAD_STACK_SIZE ( 2 * 1024 * 1024 * sizeof(void *) )
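Review bot: the stock header guards this define with #ifndef LDAP_PVT_THREAD_STACK_SIZE, so the same result is reachable without carrying a header patch across upgrades (2.4.28 to 2.4.30 here): pass CPPFLAGS='-DLDAP_PVT_THREAD_STACK_SIZE=(2*1024*1024*sizeof(void*))' to configure and drop this hunk. Either way, document the cost: with 8-byte pointers this sets a 16 MiB stack for every worker thread, so the total scales with the threads setting.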
All tests were running well!
8 years, 10 months
LDAP backend filtering
by Smarti9@gmx.de
Hi everybody,
I'm quite new to openldap and I'm currently trying to find a solution for the following problem:
To populate an address book I need to read users and some attributes from an Active Directory. I need to map several attributes to a new attribute name. More important is to filter on active users and skip the disabled ones. My address book application is not able to do this, it can simply query the whole AD.
My idea was to use openldap as some kind of proxy between the application and the AD. I've setup openldap with the following configuration:
database ldap
suffix "dc=xxxx,dc=local"
uri "ldap://192.168.50.1"
rebind-as-user
protocol-version 3
overlay rwm
rwm-map attribute uid samaccountname
rwm-map attribute address street
This works perfectly for getting the data out of the AD and remapping the attribute names.
Unfortunately I wasn't able to restrict the results to active users. The query string which does this looks like this:
"(&(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
Can anyone please point me to the right direction how I can set this as a filter towards the AD to only get back the results matching this filter?
Thanks a lot to everyone for your help!
Michael
8 years, 10 months
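The place to attach a fixed condition to every search on the proxy side is the searchFilter rewrite context of slapo-rwm(5), which can prefix the filter before back-ldap forwards it. Independently of where the filter is applied, its two non-obvious parts are the extensible match `userAccountControl:1.2.840.113556.1.4.803:=2` (the bitwise AND matching rule against the ACCOUNTDISABLE bit) and the fact that `(objectClass=User)` in AD also matches computer accounts, which carry objectClass user. The script below is an added example, not from the post or from the OpenLDAP project: it implements the semantics of the two AD bitwise matching rules, evaluates the post's filter and a narrowed one over constructed AD entries, and presents the survivors under the virtual attribute names that the rwm-map lines in the post define. The entries, DNs and values are constructed.

```python
# Well-known bit values of Active Directory's userAccountControl attribute
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000

# Matching rules used in extensible filters against AD
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Virtual name -> AD name, mirroring the rwm-map lines in the post
ATTR_MAP = {"uid": "sAMAccountName", "address": "street"}

# Constructed AD entries: an enabled user, a disabled user and a computer
# account (which in AD also carries objectClass user).
ENTRIES = [
    {"dn": "CN=Alice,OU=Staff,DC=xxxx,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=xxxx,DC=local"],
     "sAMAccountName": ["alice"], "street": ["1 Main St"],
     "userAccountControl": [str(UF_NORMAL_ACCOUNT)]},
    {"dn": "CN=Bob,OU=Staff,DC=xxxx,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=xxxx,DC=local"],
     "sAMAccountName": ["bob"], "street": ["2 Main St"],
     "userAccountControl": [str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)]},
    {"dn": "CN=WS01,CN=Computers,DC=xxxx,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["CN=Computer,CN=Schema,CN=Configuration,DC=xxxx,DC=local"],
     "sAMAccountName": ["WS01$"],
     "userAccountControl": [str(UF_WORKSTATION_TRUST)]},
]


def bit_rule(rule_oid, stored, asserted):
    """Semantics of (attr:<rule>:=<asserted>) for AD's two bitwise rules."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return stored & asserted == asserted      # every asserted bit is set
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return stored & asserted != 0             # at least one asserted bit is set
    raise ValueError("unsupported matching rule " + rule_oid)


def matches_post_filter(entry):
    """(&(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "user" not in classes:
        return False
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return not bit_rule(LDAP_MATCHING_RULE_BIT_AND, uac, UF_ACCOUNTDISABLE)


def matches_person_filter(entry):
    """The post's filter narrowed with (objectCategory=person), so computer
    accounts drop out. objectCategory is a DN in AD; AD resolves the short
    form 'person' to that DN, which this mimics by comparing the first RDN."""
    category = entry.get("objectCategory", [""])[0]
    rdn_value = category.split(",", 1)[0].split("=", 1)[-1]
    return matches_post_filter(entry) and rdn_value.lower() == "person"


def address_book(entries, predicate=matches_person_filter):
    """Return the matching entries under the virtual attribute names."""
    result = []
    for entry in entries:
        if predicate(entry):
            result.append({virt: entry.get(real, []) for virt, real in ATTR_MAP.items()})
    return result


if __name__ == "__main__":
    print("post filter   :", [e["uid"] for e in address_book(ENTRIES, matches_post_filter)])
    print("person filter :", [e["uid"] for e in address_book(ENTRIES)])
```

The computer account surviving the first filter is the edge case worth testing against the real AD before the address book goes live; `(&(objectCategory=person)(objectClass=user)...)` is the usual shape for "human accounts only".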
back-sql slow searches
by Martijn van Duren
Hello,
I'm currently setting up a PostgreSQL database, parts of which need to be
accessible through LDAP. The initial setup turned out great. I can bind
to my user accounts and I can dump the database through ldapsearch.
The problem I'm currently facing is that searches take too long. The
ldap_entries table currently contains 3563 entries and searching for any
attribute (even when it's part of the dn) takes about 1.25 minutes,
which seems rather long for a db backend. Looking at my PostgreSQL logs
it appears that when a search is being done every relation gets fully
retrieved and most likely filtered in slapd. Is there a certain
configuration option I've missed to speed up the searches, or is this
something I can view as a bug?
Thanks for your response.
8 years, 10 months
Migrating 2.4 issue
by Luc MAIGNAN
Hi,
I try to upgrade openldap to 2.4.
Considering the documentation, on my new freshly installed server on
which I've restored the slapd.conf of a previous server, I try:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
This gives me this issue :
bdb_db_open: database "dc=domain,dc=com":
db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
backend_startup_one (type=bdb, suffix="dc=domain,dc=com"): bi_db_open
failed! (2)
I've found on the internet that I can safely ignore this, but it doesn't
really work (slapd doesn't want to start correctly afterwards).
How can I fix it ?
Thanks for any help
Regards
8 years, 10 months
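The error quoted above is what opening a bdb database whose data directory holds no files yet produces; slapadd creates those files, slaptest does not. So on a fresh server the order that avoids it is: load the LDIF dumped on the old server with slapadd against slapd.conf, then convert slapd.conf into slapd.d with slaptest, then hand both trees to the account slapd runs as. The script below is an added example, not from the post or from the OpenLDAP project: a helper that derives the data directory from slapd.conf and runs the steps in that order. It assumes the Red Hat paths used in the post, slapd running as user and group `ldap`, an `old.ldif` produced with `slapcat -l old.ldif` on the previous server, and a DB_CONFIG already present in the data directory (the package ships a DB_CONFIG.example to copy, as a later post on this page mentions).

```python
import os
import shlex
import subprocess
import sys

# Added example; assumptions: Red Hat paths as in the post, slapd running as
# the user and group "ldap", and an LDIF dump taken on the old server with
# "slapcat -l old.ldif". Not code from the post or from OpenLDAP.


def db_directory(conf_text):
    """Value of the first 'directory' directive in a slapd.conf text."""
    for line in conf_text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) >= 2 and words[0] == "directory":
            return words[1]
    return None


def migration_commands(conf, confdir, ldif, data_dir, have_db_files, owner="ldap"):
    """Ordered argv lists for the migration.

    The data directory is populated with slapadd first, because that step
    creates the bdb files; opening an empty data directory is what yields the
    db_open ... No such file or directory message quoted in the post."""
    cmds = []
    if not have_db_files:
        cmds.append(["slapadd", "-f", conf, "-l", ldif])
    cmds.append(["slaptest", "-f", conf, "-F", confdir])
    # the package runs slapd as "ldap", so both trees must be owned by it
    cmds.append(["chown", "-R", "%s:%s" % (owner, owner), data_dir, confdir])
    cmds.append(["slaptest", "-F", confdir])          # re-check the converted config
    return cmds


def main(argv):
    if len(argv) != 4:
        sys.stderr.write("usage: %s slapd.conf slapd.d old.ldif\n" % argv[0])
        return 2
    conf, confdir, ldif = argv[1:]
    with open(conf) as fh:
        data_dir = db_directory(fh.read())
    if data_dir is None:
        sys.stderr.write("no 'directory' directive in %s\n" % conf)
        return 1
    # a populated slapd.d (the package installs one) would be read instead of
    # converted, so insist on an empty target
    if os.path.isdir(confdir) and os.listdir(confdir):
        sys.stderr.write("%s is not empty; move it aside before converting\n" % confdir)
        return 1
    os.makedirs(confdir, exist_ok=True)
    have = os.path.exists(os.path.join(data_dir, "id2entry.bdb"))
    for cmd in migration_commands(conf, confdir, ldif, data_dir, have):
        print("+", " ".join(shlex.quote(c) for c in cmd))
        subprocess.check_call(cmd)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoked as `python3 migrate.py /etc/openldap/slapd.conf /etc/openldap/slapd.d old.ldif` as root, it prints each command before running it; the final slaptest pass against slapd.d is the check that the converted configuration, with the database now present, opens cleanly.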
Syncrepl replication does not work always
by Efstathios Xagoraris
Hello to everyone,
I have a working OpenLDAP setup ( 2.3.43 - Centos 5.8 RPM ) with a
Master LDAP and consumers worldwide across datacenters. I also monitor
whether directories from consumers are in sync with the master. Consumers
sometimes fail to communicate with the master LDAP and replicate. The syncrepl
retry interval does not work at that time. If I restart the consumer LDAP
service everything works as expected, changes replicate successfully.
My consumer interval is 1 minute but when the directories are not in
sync I don't see syncrepl messages in my logs. My logs:
Jun 7 02:22:12 xxx slapd[26433]: do_syncrep2: rid 007
LDAP_RES_SEARCH_RESULT (Normal ...)
Jun 7 02:23:12 xxx slapd[26433]: do_syncrep2: rid 007
LDAP_RES_SEARCH_RESULT (Normal ...)
From now on syncrepl does not appear in the logs; I get only this line:
Jun 7 02:27:22 xxx slapd[26433]: do_syncrep1: rid 007
ldap_sasl_bind_s failed (-1)
I restart the ldap service and everything works as expected:
Jun 7 17:06:40 xxx slapd[4397]: syncrepl_entry: rid 007
LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun 7 17:06:40 xxx slapd[4397]: syncrepl_entry: rid 007 be_search (0)
Jun 7 17:06:42 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT
Jun 7 17:07:44 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT
Jun 7 17:08:45 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT
My consumers config:
syncrepl rid=007
provider=ldaps://master:636
bindmethod=simple
binddn="cn=xxx,dc=xxx,dc=xxx"
credentials=xxxx
searchbase="dc=xxx,dc=xxx"
scope=sub
schemachecking=on
#type=refreshAndPersist
#retry="30 20 60 +"
type=refreshOnly
interval=00:00:01:00
updateref ldaps://master
And my master config:
database bdb
suffix "dc=xxx,dc=xxx"
rootdn "cn=xxx,dc=xxx,dc=xxx"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname,gecos,description eq,pres,sub
index uidNumber,gidNumber,uniqueMember,homeDirectory,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel 256 16384
logfile /var/log/ldap.log
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
At the same time, when my directories are not in sync, my consumer in
the same datacenter as the master is always in sync. This is fixed when
I restart the ldap service on the consumers. Replication works for some hours
after the restart and the interval during which consumers do not replicate is kind
of random. Maybe a network issue, as traffic passes through a firewall to reach
consumers in other datacenters? I have also tried changing the type
of syncrepl to refreshAndPersist and the issue still exists.
It seems this issue is similar to this (
http://www.openldap.org/lists/openldap-technical/200905/msg00024.html
) but I thought pull-based syncrepl from refreshOnly should not be
impacted by states being dropped.
<< This sort of problem with long-lived connections is often due to
state being dropped from IP-level devices. >>
Thanks a lot everyone
8 years, 10 months
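The signature in the log excerpt above is specific enough to alert on: the refreshOnly consumer logs one `do_syncrep2 ... LDAP_RES_SEARCH_RESULT` per interval, then a `do_syncrep1 ... ldap_sasl_bind_s failed (-1)`, then nothing until a restart, which shows up as a new slapd pid. The script below is an added example, not from the post or from the OpenLDAP project: detection logic that runs over the consumer's own log, reports every gap between refresh results longer than a tolerance of intervals together with the messages logged inside the gap and whether the pid changed, and optionally flags a rid that is still silent at the end of the log. The log excerpt is constructed from the lines quoted in the post, with each message on a single line; syslog timestamps carry no year, so one is supplied.

```python
import re
from datetime import datetime

# Constructed consumer log, modelled on the lines quoted in the post (the
# archive wrapped them; here each message is on one line).
LOG = """\
Jun  7 02:22:12 xxx slapd[26433]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT (Normal ...)
Jun  7 02:23:12 xxx slapd[26433]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT (Normal ...)
Jun  7 02:27:22 xxx slapd[26433]: do_syncrep1: rid 007 ldap_sasl_bind_s failed (-1)
Jun  7 17:06:40 xxx slapd[4397]: syncrepl_entry: rid 007 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun  7 17:06:40 xxx slapd[4397]: syncrepl_entry: rid 007 be_search (0)
Jun  7 17:06:42 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT
Jun  7 17:07:44 xxx slapd[4397]: do_syncrep2: rid 007 LDAP_RES_SEARCH_RESULT
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[(\d+)\]: "
    r"(do_syncrep1|do_syncrep2|syncrepl_entry): rid (\d+) (.*)$")


def _stamp(stamp, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def parse_events(log, year):
    """Yield (time, pid, function, rid, message) for the syncrepl lines."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, func, rid, msg = m.groups()
        yield _stamp(stamp, year), int(pid), func, rid, msg


def find_stalls(log, year=2012, interval=60, tolerance=3, now=None):
    """Report gaps between refresh results longer than tolerance*interval.

    Each stall records the rid, the last good result, the next one (None if
    the rid is still silent at 'now'), the gap in seconds, the non-result
    messages logged in between and whether the pid changed, i.e. the
    consumer was restarted."""
    limit = tolerance * interval
    last, between, stalls = {}, {}, []
    for when, pid, func, rid, msg in parse_events(log, year):
        is_result = func == "do_syncrep2" and msg.startswith("LDAP_RES_SEARCH_RESULT")
        if not is_result:
            between.setdefault(rid, []).append("%s: %s" % (func, msg))
            continue
        if rid in last:
            prev_when, prev_pid = last[rid]
            gap = (when - prev_when).total_seconds()
            if gap > limit:
                stalls.append({"rid": rid, "since": prev_when, "until": when, "gap": gap,
                               "events": between.get(rid, []), "pid_changed": pid != prev_pid})
        last[rid] = (when, pid)
        between[rid] = []
    if now is not None:   # rids with no result for too long at the end of the log
        now_dt = _stamp(now, year)
        for rid, (prev_when, prev_pid) in last.items():
            gap = (now_dt - prev_when).total_seconds()
            if gap > limit:
                stalls.append({"rid": rid, "since": prev_when, "until": None, "gap": gap,
                               "events": between.get(rid, []), "pid_changed": None})
    return stalls


if __name__ == "__main__":
    for s in find_stalls(LOG, now="Jun  7 18:00:00"):
        print("rid %s silent %.0fs since %s; restarted=%s; seen: %s"
              % (s["rid"], s["gap"], s["since"].time(), s["pid_changed"], s["events"]))
```

Fed the live log with `now` set to the current time, the `until is None` case is the one to page on; it is the state the post describes between the bind failure and the manual restart.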
there is no schema by the directory
by Daniel Peinado Lopez
Hello,
I have installed openldap in Fedora. First I deleted the openldap
installation. (var/lib/ldap and etc/openldap)
Then I wrote:
yum reinstall openldap-client openldap-server openldap
I configured slapd.conf with my domain, the root password with slappasswd,
ldap.conf with my BASE and HOST.
I copied the DB_CONFIG.example to /var/lib/ldap.
I did my base.ldif of the structure of my LDAP and "ldapadd" everything
successfully.
I use jXplorer and Apache Directory Studio to manage my LDAP from Windows,
because it's installed on one server.
The problem is that when I try to add users it says I have no schema.
Apache Directory Studio creates its own schema, and I can add data. But
after that the schema disappears and I can't work with jXplorer.
Thank you very much
Daniel Peinado López
IANT - APPLIED NGN-TECHNOLOGIES
Turn-Key VoIP/UC Solutions and More...
Fon: +49 (5331) 6794 400
Fax: +49 (5331) 6794 499
Mail: daniel.peinado(a)iant.de
Web: www.iant.de
IANT is eZuce (http://www.ezuce.com/) Elite Partner for EMEA
IANT is Member of GROUPLINK (http://www.grouplink.de/)
8 years, 10 months