Query regarding the Database files..
by aryan rawat
Hi All,
In slapd.conf I have these indexes:
index objectClass eq
index msisdn eq
index entryCSN,entryUUID eq
When I run the same slapd.conf under MDB I can see 2 files:
data.mdb and lock.mdb
When I run the same slapd.conf under BDB (HDB) I can see files on which
the index is created:
entryCSN.bdb id2entry.bdb objectClass.bdb dn2id.bdb
entryUUID.bdb msisdn.bdb alock
So does this mean MDB does not do indexing, if I am not wrong?
Please clarify the doubt.
BR's,
Aryan
11 years, 1 month
multi-master syncrepl issue
by Chris Card
Hi All,
I have a multi-master openldap setup with 2 machines replicating a directory containing about 3.5 million entries.
I'm running openldap 2.4.31 on centos 6, and the directory is using the BDB backend.
Although the 2 machines are configured for multi-master syncrepl replication, in practice data is only written to one of the machines (I'll call it the master), and the second machine (which I'll call the slave) only gets data written by openldap replication.
Currently the contextCSN of the directory is the same from both machines, which (as I understand it) should mean that the directories are in sync, but I have written a program to compare what is in both directories which finds that there are 16 entries in the master directory not in the slave directory. I have double checked this using ldapsearch on both directories.
I can't see any error messages in the openldap log and there doesn't appear to be any pattern connecting the entries which are missing from the slave. Most of the missing entries were in the master directory before I created the slave machine and configured replication and have not changed.
The syncrepl config looks like this:
dn: olcDatabase={1}bdb,cn=config
olcSyncrepl: {0}rid=101 provider="ldap://<master>:389" binddn="<binddn>" bindmethod=simple credentials=<bindpw> searchbase="<prefix>" type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=110 provider="ldap://<slave>:389" binddn="<binddn>" bindmethod=simple credentials=<bindpw> searchbase="<prefix>" type=refreshAndPersist retry="5 5 300 5" timeout=1
Are there any known issues with openldap replication which could result in missing data?
How can I force these missing entries to appear in the slave without rebuilding the whole of the slave directory and without changing the data in the master directory?
Chris
11 years, 1 month
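The kind of comparison described in the post above, as an added example that is not the poster's program: it takes two LDIF dumps (for instance from slapcat or ldapsearch with entryCSN requested), handles folded lines and base64 DNs, and reports entries missing on the consumer or carrying a different entryCSN. The function names, the simplified DN normalization and the sample dumps are assumptions made for illustration.

```python
import base64
import re

def normalize_dn(dn):
    # Simplification (assumption): case-insensitive values, spaces after commas ignored.
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def parse_ldif(text):
    """Map normalized DN -> entryCSN (None if absent) for each entry in an LDIF dump."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if line.startswith("dn:: "):        # base64-encoded DN (non-ASCII characters)
            dn = normalize_dn(base64.b64decode(line[5:]).decode("utf-8"))
            entries[dn] = None
        elif line.startswith("dn: "):
            dn = normalize_dn(line[4:])
            entries[dn] = None
        elif line.startswith("entryCSN: ") and dn is not None:
            entries[dn] = line[len("entryCSN: "):].strip()
        elif not line.strip():
            dn = None                       # blank line terminates the entry
    return entries

def compare(provider_ldif, consumer_ldif):
    """Return (DNs missing on the consumer, DNs whose entryCSN differs)."""
    p, c = parse_ldif(provider_ldif), parse_ldif(consumer_ldif)
    missing = sorted(set(p) - set(c))
    stale = sorted(d for d in set(p) & set(c) if p[d] != c[d])
    return missing, stale

# Constructed sample dumps (not data from the thread).
B64_DN = base64.b64encode("uid=zo\u00eb,ou=people,dc=example,dc=com".encode()).decode()
CSN = "20120821101500.000000Z#000000#001#000000"
PROVIDER = (f"dn: dc=example,dc=com\nentryCSN: {CSN}\n\n"
            f"dn: uid=alice,ou=people,dc=example,dc=com\nentryCSN: {CSN}\n\n"
            f"dn: uid=a-long-identifier-that-forces-line-folding,ou=people,dc=exa\n mple,dc=com\nentryCSN: {CSN}\n\n"
            f"dn:: {B64_DN}\nentryCSN: {CSN}\n")
CONSUMER = (f"dn: dc=example,dc=com\nentryCSN: {CSN}\n\n"
            "dn: UID=alice, ou=People, dc=example, dc=com\nentryCSN: 20120820090000.000000Z#000000#001#000000\n")

if __name__ == "__main__":
    print(compare(PROVIDER, CONSUMER))
```

Comparing entryCSN per entry as well as DN presence separates entries that never arrived from entries that arrived but were not updated.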
slapadd *very* slow: tuning advice?
by Nick Urbanik
Dear Folks,
I'm upgrading a cluster of OpenLDAP servers from 2.3.43-25.el5 to
2.4.32 with BDB 4.8.30 on CentOS 5, x86_64, on HP BL460cG6 blades with
two 4-core CPUs, and 12GB RAM. These are slaves, and have eleven
trees on them. I have dumped and restored six of the LDAP databases
in reasonable time, but the seventh is taking a long time. Here are
the sizes of the slapcatted LDIF files:
320M
252M
80M
225K
246K
833K
2.6G
1.2G
24M
947M
522K
It's the 2.6G LDIF file that's taking the time to slapadd:
-############ 63.34% eta 02h09m elapsed 03h43m30s spd 2.7 k/s
As you can see, it has slowed to a crawl.
# cat DB_CONFIG
set_flags DB_LOG_AUTOREMOVE
set_cachesize 0 286162472 0
# egrep 'tool-threads|cachesize' /etc/openldap/slapd.conf
tool-threads 8
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
cachesize 100000
idlcachesize 100000
On another member of the cluster, not upgraded from 2.3.43 yet, we
have, for this big tree:
# sudo -u ldap slapd_db_stat -d id2entry.bdb
Tue Aug 21 15:15:38 2012 Local time
53162 Btree magic number
9 Btree version number
Little-endian Byte order
Flags
2 Minimum keys per-page
16384 Underlying database page size
3 Number of levels in the tree
4611665 Number of unique keys in the tree
4611665 Number of data items in the tree
418 Number of tree internal pages
36096 Number of bytes free in tree internal pages (99% ff)
308745 Number of tree leaf pages
871M Number of bytes free in tree leaf pages (82% ff)
0 Number of tree duplicate pages
0 Number of bytes free in tree duplicate pages (0% ff)
0 Number of tree overflow pages
0 Number of bytes free in tree overflow pages (0% ff)
0 Number of empty pages
0 Number of pages on the free list
# sudo -u ldap slapd_db_stat -d dn2id.bdb
Tue Aug 21 15:34:30 2012 Local time
53162 Btree magic number
9 Btree version number
Little-endian Byte order
duplicates, sorted duplicates Flags
2 Minimum keys per-page
4096 Underlying database page size
4 Number of levels in the tree
9227811 Number of unique keys in the tree
9263210 Number of data items in the tree
2185 Number of tree internal pages
2781648 Number of bytes free in tree internal pages (68% ff)
219185 Number of tree leaf pages
287M Number of bytes free in tree leaf pages (68% ff)
37 Number of tree duplicate pages
40214 Number of bytes free in tree duplicate pages (73% ff)
0 Number of tree overflow pages
0 Number of bytes free in tree overflow pages (0% ff)
0 Number of empty pages
0 Number of pages on the free list
QUESTIONS:
==========
Any suggestions on how to optimise this a little more towards slapadd?
Would mdb possibly be faster than bdb?
--
Nick Urbanik http://nicku.org 808-71011 nick.urbanik(a)optusnet.com.au
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
I disclaim, therefore I am.
11 years, 1 month
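An added example, not part of the post: it parses the db_stat figures and the DB_CONFIG line quoted above and compares the configured BDB cache with a commonly cited back-bdb sizing rule of thumb. The rule (internal pages of id2entry plus one leaf, and for bulk loads all pages of dn2id) is an assumption here, not something stated in the thread, and the function names are hypothetical.

```python
import re

FIELDS = {
    "Underlying database page size": "page_size",
    "Number of tree internal pages": "internal",
    "Number of tree leaf pages": "leaf",
}

def parse_db_stat(text):
    """Extract page size and page counts from `db_stat -d` output."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+?)\s*$", line)
        if m and m.group(2) in FIELDS:
            stats[FIELDS[m.group(2)]] = int(m.group(1))
    return stats

def configured_cache(db_config):
    """Bytes requested by `set_cachesize <gbytes> <bytes> <ncache>` in DB_CONFIG."""
    m = re.search(r"^\s*set_cachesize\s+(\d+)\s+(\d+)\s+\d+", db_config, re.M)
    return int(m.group(1)) * 2**30 + int(m.group(2)) if m else 0

def suggested_cache(id2entry, dn2id):
    """Rule of thumb (assumption): internal pages of id2entry plus one leaf,
    and for bulk loads the whole of dn2id (internal + leaf pages)."""
    entry = (id2entry["internal"] + 1) * id2entry["page_size"]
    dn_min = (dn2id["internal"] + 1) * dn2id["page_size"]
    dn_all = (dn2id["internal"] + dn2id["leaf"]) * dn2id["page_size"]
    return {"minimum": entry + dn_min, "bulk_load": entry + dn_all}

# Figures copied from the db_stat output and DB_CONFIG quoted in the post.
ID2ENTRY = """16384 Underlying database page size
418 Number of tree internal pages
308745 Number of tree leaf pages"""
DN2ID = """4096 Underlying database page size
2185 Number of tree internal pages
219185 Number of tree leaf pages"""
DB_CONFIG = "set_flags DB_LOG_AUTOREMOVE\nset_cachesize 0 286162472 0\n"

if __name__ == "__main__":
    want = suggested_cache(parse_db_stat(ID2ENTRY), parse_db_stat(DN2ID))
    have = configured_cache(DB_CONFIG)
    for name, size in want.items():
        verdict = "fits in" if size <= have else "exceeds"
        print(f"{name}: {size} bytes, {verdict} set_cachesize of {have} bytes")
```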
RE: multi-master syncrepl issue
by Quanah Gibson-Mount
--On Tuesday, August 21, 2012 3:33 PM +0000 Chris Card <ctcard(a)hotmail.com>
wrote:
>
>
>
>> >> --On Tuesday, August 21, 2012 2:50 PM +0000 Chris Card
>> >> <ctcard(a)hotmail.com> wrote:
>> >>
>> >> >> Do you have sync logging enabled?
>> >> >>
>> >> >
>> >> > Log level is set to none, so the slapd log doesn't give much help.
>> >>
>> >> Fix your log level.
>> > olcLogLevel: sync ?
>>
>> Yes
> I turned on sync logging for a short while, loads of stuff was written to
> the log, and strangely (coincidently?) the contextCSN is now up to date.
> However, the database is still missing a lot of entries (about 25000 I
> think) - will syncrepl fix this automatically?
Unlikely. What openldap version are you using?
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
11 years, 1 month
Re: I have 2 questions
by Haroon Rawat
Hi,
Howard ...
--------------------
It was not my intention to ask the same query again and again.
My intention was to say that the performance of MDB on search operations is too low
compared to BDB, at least in my case. So I thought I might be missing some
other configuration parameters.
Quanah ..
-------------------
Thanks for the reply. So now at least I am clear that DB_CONFIG is not
required in the case of MDB.
The performance of MDB on search operations is too low compared to BDB, at
least in my case.
Am attaching the slapd.conf in case you can find out the issue.
BR's,
Haroon
On Tue, Aug 21, 2012 at 10:12 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, August 21, 2012 9:37 AM +0530 Haroon Rawat
> <haroonrawat(a)gmail.com> wrote:
>
>> Hi All,
>>
>> I have few queries
>>
>> 1. How to improve the performance of MDB what all parameters need to
>> be added in slapd.conf.
>>
>
> There are no tuning parameters for MDB. No other database backend can
> touch its read performance.
>
>
>
>> 2. Does DB_CONFIG file is having any role in MDB if yes then which
>> parameters need to added to increase the performance of MDB.
>>
>
> DB_CONFIG is specific to BDB. It has nothing to do with MDB.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
BR's,
Haroon Rawat
11 years, 1 month
I have 2 questions
by Haroon Rawat
Hi Experts,
I have 2 questions; I am currently using MDB and openldap-2.4.30.
1. Slapadd is giving the error
"Unrecognized database type (mdb)"
2. Ldapadd, after inserting a few records successfully, starts giving
an error:
502a4151 mdb_id2entry_put: mdb_put failed: Cannot allocate memory(12) "subdata=pcsprof,msisdn=9800001823,dc=msisdn,dc=c-ntdb"
502a4151 conn=1000 op=1 RESULT tag=105 err=80 text=entry store failed
Waiting for the answer. Thanks
--
BR's,
Haroon Rawat
11 years, 1 month
ldap (openldap) dynamic subtree combination for responses
by vlad florentino
LDAP Server: OpenLDAP 2.4.24
Linux Distro: Fedora 15
(I believe this question is generally about returning properties in
subentries, when performing searches on a parent entry, in a way that's
transparent to clients making the requests. However, I have worded my
question to be based on my specific usecase.)
------------------------------
Hi,
I have successfully configured the Linux sssd service to fetch user login
information from an LDAP directory service (which happens to be on the same
machine). The file to configure for this lives at /etc/sssd/sssd.conf
I have tested that I can create a linux user account in the LDAP directory,
by creating an entry under the relevant DN. That node includes the
objectClass 'posixAccount'.
ou=people
 |
 - uid=1000 # This entry has the objectClass 'posixAccount'
performing a:
getent passwd | grep the-ldap-based-linux-username
yields correct information.
Now, for my problem:
I'm trying to configure the LDAP directory such that credentials
information is not duplicated. I would like to define the entries like so:
ou=people
 |
 - uid=1000 # No posixAccount objectClass
    |
    + cn=contact-info # contact stuff ...
    - cn=account # contains subtrees for account related stuff.
       |
       - cn=credentials # Fields: uid, userPassword, uidNumber, gidNumber
       - cn=linux-account # Fields: homeDirectory, loginShell, ...
       - cn=windows-account # Fields: winHomeDirectory, sambaServerUrl, ...
       - cn=samba-account # Fields: space-quota, ...
The point of what I'm trying to accomplish is that when ldap clients, such
as the Linux sssd daemon, perform an account info search/fetch, they do so
at the following node (not at its subnodes):
cn=account,uid=1000,ou=people
And that, somehow, the OpenLDAP server would know to combine the info
contained in the relevant subentries of cn=account, and return those to the
client, as if those entries existed at cn=account.
This would work, of course, if I were to place all the info at the
cn=account node. But, that's what I'm trying to avoid.
I've tried a few things, which have all been unsuccessful.
Is it possible to do this with OpenLDAP (or LDAP in general)? If so, how?
Regards,
Vlad
------------------------------
PS:
A trick that I've found useful, and which can help in the final solution to
the problem, is that the sssd daemon allows one to configure the name of
the 'posixAccount'-like objectClass that it should use to locate account
info. I noticed that I can tell it to look for a certain class, say
c-linux-account, which I then define as an empty auxiliary class. The daemon
will successfully find entries which contain this class. Then, if those
entries contain properties named uid, userPassword, homeDirectory, etc, it
will use those properties for their values. So, I can add that property to
cn=account, and the daemon will find that entry correctly. I just now have
to tell OpenLDAP to combine the entries below that node, and return them in
the query.
11 years, 1 month
2.4.32: mdb stable enough?
by Karsten Heymann
Hi,
I know this is difficult to answer, but is the mdb backend as it comes
in 2.4.32 ready for a productive master-master setup with somewhat
less than 1mio entries? slapd-mdb(5) states it's an early release and
that incompatible changes may occur, but on the other hand hdb changes
disk format from time to time too. So, what are the opinions?
The setup will be extensively tested, but if mdb should not be ready
yet I could skip the tests and concentrate on hdb.
Thanks,
Karsten
11 years, 1 month
LDAP authentication using Radius
by JET JETASIK
I am investigating 2 factor authentication in which mostly they are radius
server actually.
My problem is that most of my applications rely on LDAP auth only.
I am trying to figure out on how to use
openldap/contrib/slapd-modules/passwd/radius.c
I did compile and successfully loaded it but not sure how to configure it.
This is what I put into slapd.conf to load the module:
moduleload pw-radius.so config="/etc/radius.conf"
Firstly I couldn't figure out what exactly is the format of /etc/radius.conf
(Mandatory items: Radius server IP & Share Secret)
Secondly the format of userpassword scheme, {RADIUS}XXXXYYY@ZZZ ??
---
Jetasik (JET)
Manager, Transniaga(Thailand)
11 years, 1 month