openldap-technical January 2013

openldap-technical@openldap.org

71 participants
131 discussions

Re: Replication not working
by anil beniwal 16 Jan '13

16 Jan '13

My Bad Going forward, what would be my strategy, to enable delta sync repl with one master is already running with 200G mdb db. What i understand is 1.enable accesslog overlay on master server configure accesslog start the master 2. Take backup with mdb_copyand restore it on other master servers. 3. Enable accesslog configure to new consumers(work as providers as well) Can you have a look, if i am wrong some where or any suggestion. include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema2/channelIdentifier.schema include /etc/openldap/schema2/platform.schema include /etc/openldap/schema2/extendedProfileKey.schema include /etc/openldap/schema2/extendedProfileValue.schema include /etc/openldap/schema2/behaviorKey.schema include /etc/openldap/schema2/behaviorValue.schema include /etc/openldap/schema2/questionAnswer.schema include /etc/openldap/schema2/extendedTop.schema include /etc/openldap/schema2/counter.schema serverid 1 TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/mmam01.crt TLSCertificateKeyFile /etc/openldap/cacerts/mmam01.key TLSVerifyClient never pidfile /var/run/slapd.pid argsfile /var/run/slapd.args loglevel sync stats idletimeout 30 writetimeout 30 modulepath /etc/openldap/lib64/openldap moduleload back_mdb.la moduleload ppolicy.la moduleload unique.la moduleload syncprov.la database mdb suffix "dc=example,dc=com" directory /openldap/var/data access to attrs=userPassword by self write by anonymous auth by * break access to * by group/groupOfUniqueNames/uniqueMember.exact="cn=PWrite,ou=bGroup,dc=example,dc=com" manage by group/groupOfUniqueNames/uniqueMember.exact="cn=PRead,ou=bGroup,dc=example,dc=com" read by * break access to * by self write by anonymous auth by * read rootdn "cn=Manager,dc=example,dc=com" rootpw {SSHA}dXDESQeFjSoa/A1HfJ2TAzYf4DrSYWY index mail,uid,postalCode,smail,channelType,channelValue,answer,behavName,objectclass,type eq index givenName,sn,city,cn,extName sub index displayName approx index entryCSN,entryUUID eq checkpoint 128 15 maxsize 274877906944 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 #accesslog db configuration database mdb suffix cn=log rootdn "cn=Manager,cn=log" rootpw xxxxxx directory /apps/accesslog index reqStart,objectclass,entryCSN,reqResult eq overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE overlay accesslog logdb cn=log logops writes logpurge 7+00:00 2+00:00 logsuccess TRUE syncrepl rid=111 provider=ldap://sjam01.com binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=0m2013 tls_cacert=/etc/openldap/cacerts/cacert.pem searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 60 +" network-timeout=10 timeout=10 syncdata=accesslog logbase="cn=log" logfilter="(&(objectclass=auditWriteObject)(reqResult=0))" syncrepl rid=222 provider=ldap://mmam04.com binddn="cn=Manager,dc=example,dc=com" bindmethod=simple credentials=0m2013 tls_cacert=/etc/openldap/cacerts/cacert.pem searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 60 +" network-timeout=10 timeout=10 syncdata=accesslog logbase="cn=log" logfilter="(&(objectclass=auditWriteObject)(reqResult=0))" mirrormode true overlay unique unique_attributes mail overlay ppolicy ppolicy_default "cn=default,ou=pwdPolicy,dc=example,dc=com" ppolicy_use_lockout On Thu, Jan 17, 2013 at 1:51 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Thursday, January 17, 2013 1:48 AM +0530 anil beniwal < > beni.anil(a)gmail.com> wrote: > > >> If i can't use multi master with refreshandpersist then why its given at >> all. >> i was able to get replication working with same configuration in other >> testing environment, but with very less users 1m only. >> > > I don't understand your statement/question. Delta-Syncrepl MMR uses > refresh and persist, and it is the best option to use for replication in > OpenLDAP. Particularly with multi-master replication. > > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Thanks&Regards Anil Beniwal +919891695048

2 1

Access questions
by Ori Bani 16 Jan '13

16 Jan '13

Hello, I think I understand that default access for everything that does not have any access rule is to allow read permission to everyone. All other entries (that have some form of access rules) will have a default of "access to * by * none" applied. I'd like instead to have all defaults be no access. I have a directory that will be used for internal email processes and also have a certain amount of public/anonymous access (but only to chosen attributes). Due to the public/anonymous component, I'd like to have default access rules be as restrictive as possible. Does it make sense to (do people commonly) set a global access of "access to * by * none" and then open access up for individual databases as desired? I'm thinking a global rule: access to * by dn.base="cn=Manager,dc=example,dc=com" write by * none Then each database will have to explicitly open access only as much as needed. The following would be in the database that uses the suffix for dc=example,dc=com Passwords for auth only, only admin can change passwords: access to attrs=userPassword by dn.base="cn=Manager,dc=example,dc=com" write by anonymous auth by * none Attributes needed by email delivery software only visible to the entry itself: access to attrs=mailMessageStore,homeDirectory,uidNumber,gidNumber by dn.base="cn=Manager,dc=example,dc=com" write by self read by * none Publicly available attributes defined explicitly: access to attrs=mail,jpegPhoto by dn.base="cn=Manager,dc=example,dc=com" write by * read Nothing else can be seen by anyone except the admin: access to * by dn.base="cn=Manager,dc=example,dc=com" write by * none In this scenario, cn is used to identify entries when searching but as you see, that attribute is forbidden to anonymous. Is that a problem or is it OK to allow query against cn while still disallowing cn in the results? I guess I'd also add this within this database's context, but I have to do it above the other rules I just listed? access to dn.base="cn=Manager,dc=example,dc=com" by peername.ip=127.0.0.1 auth by peername.ip=192.168.0.0%255.255.255.0 auth by * none Any tips much appreciated.

2 6

Re: Replication not working
by anil beniwal 16 Jan '13

16 Jan '13

If i can't use multi master with refreshandpersist then why its given at all. i was able to get replication working with same configuration in other testing environment, but with very less users 1m only. I am having all this running in production, but replication is not working. What should be my strategy to add new consumer, where my provider is running with mdb db size of 200G in production. i don't want to mess with configuration changes on master or with minimum changes. Any other suggestions are all welcome. On Wed, Jan 16, 2013 at 12:46 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, January 15, 2013 6:53 PM +0000 Chris Card < > ctcard(a)hotmail.com> wrote: > > This second problem doesn't happen consistently, but because I don't >> understand why it happens or how to fix it consistently, I can't go ahead >> with the production upgrade to delta-syncrepl, which is very frustrating. >> We are currently running openldap 2.4.31, but I do plan to see if 2.4.33 >> or RE24 behaves better. However, looking at the openldap sources I >> haven't spotted any fixes which look likely to help. >> Any ideas? >> > > I take it you are replicating cn=config then? I never do that, so hard > for me to comment on issues that may arise by doing that. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Thanks&Regards Anil Beniwal +919891695048

2 1

Using policy overlay
by rodrigo tavares 16 Jan '13

16 Jan '13

Hello ! I´m with troubles, in trying to load policy overlay,it is /usr/lib/ldap/ppolicy.so. Then I put overlay ppolicy in slapd.conf. So, restart openldap. But is com error: Jan 16 16:08:12 defensoria slapd[14010]: @(#) $OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39) $#012#011buildd@murphy:/build/buildd-openldap_2.4.23-7.2-i386-Y1mwvF/openldap-2.4.23/debian/build/servers/slapd Jan 16 16:08:12 defensoria slapd[14010]: overlay "ppolicy" not found Jan 16 16:08:12 defensoria slapd[14010]: slapd stopped. Jan 16 16:08:12 defensoria slapd[14010]: connections_destroy: nothing to destroy. Anybody Can to help me ? Thanks ! Rodrigo Faria

2 3

Re: uninstall?
by Ori Bani 15 Jan '13

15 Jan '13

>> Is there a make rule for uninstallation? "make uninstall" doesn't do >> the trick... >> >> If there's not, is there any recommended way to handle removing >> OpenLDAP that was installed from source? > > > Use --prefix so you install everything into the path you want? Otherwise, > no, no particularly easy way to uninstall. Hmmm, OK thank you.

1 0

uninstall?
by Ori Bani 15 Jan '13

15 Jan '13

Hi, Is there a make rule for uninstallation? "make uninstall" doesn't do the trick... If there's not, is there any recommended way to handle removing OpenLDAP that was installed from source? Thank you!

2 1

Permissions, users, startup when install from source
by Ori Bani 15 Jan '13

15 Jan '13

Hi, If compiling and installing from source, I don't see any information in the manual about how to auto-start the software and about process/file/directory permissions and ownership. I'm still searching the Faq-O-Matic (which is a little frustrating). Taking a step back, I'd love to install from yum on RHEL/CentOS and let it be taken care of in a trusted manner. But we require better password hashing than SHA1, so we are required to compile by hand using the passwd/sha2 contributed module (little surprised this isn't accepted into the core project, but I'm sure there are reasons). Maybe I can find this in a third-party repo somewhere? After installation, what is commonly done in this regard? Create user/group "ldap" with no login shell and chown ldap:ldap on /usr/local/var/openldap-data? Is that all? Then what do people use for auto-starting the software (presumably with -u ldap -g ldap) in a RedHat environment? Thanks for the work that you do, thanks for the great software.

2 1

Re: slapd crashes with ch_realloc of X bytes failed
by Meike Stone 15 Jan '13

15 Jan '13

> > Yes, that would significantly increase memory usage. I have only ever done > the *second* modification (BDB_IDL_LOGN) to fix the IDL issues. I've run > that way for years. How much have you increased the BDB_IDL_LOGN -> 2^17 or more, would be interesting for me, because we are nearly reach this size too. > Try dropping the modification to LDAP_PVT_THREAD_STACK_SIZE. It has never > been necessary for any of my customers, many of whom have DBs with 6 to 10 > million entries. Ok, thanks, I'll do this and check. Thanks Mike

2 1

Fwd: adding support to mdb
by Friedrich Locke 15 Jan '13

15 Jan '13

Dear gentleman/madam, as you may be aware i am having hard times trying to get qmail+ldap working on my OpenBSD 5.2 amd64. While after installation OLDAP works 100% (I am using BDB as backend). When i start qmail, every query sent by qmail to the OLDAP server increases memory up to a point OLDAP needs to be restarted. I emailed misc(a)openbsd.org. I got responses. Here i pass them to the OLDAP developer: After some advice from Mr. Quanah, i gave up BDB and would like to give MDB a try. Here is what i got from the misc(a)openbsd.org I believe the OLDAP developer should know: ---------- Forwarded message ---------- From: Stuart Henderson <stu(a)spacehopper.org> Date: Mon, Jan 14, 2013 at 8:47 PM Subject: Re: adding support to mdb To: Friedrich Locke <friedrich.locke(a)gmail.com> Cc: ports(a)openbsd.org On 2013/01/14 19:18, Friedrich Locke wrote: > Hi folks, > > this is my first message to this list. I am writing because i am in need to > use openldap from ports. > Initially i tried openldap with support to BDB, but it is buggy. > I was suggest to try mdb, but openldap's Makefile have the --disable-mdb > instruction. > > Since i do need to get a directory service and have no knownledge on > openldap internals, i come to you > in order to suggest how could i help in order to get mdb supported by > OpenBSD Ports OpenLDAP. > > Thank you a lot for your time and cooperation. > > Best regards, > > Fried. So this is a memory-mapped database; there have been problems with these in the past (e.g. in Cyrus imapd and Dovecot) but I am not sure of all the details. The port diff is easy enough but I would really like some advice from someone who is knowledgeable about the mmap issues as to whether or not it's safe to use this on OpenBSD. A bit more info from slides at http://www.openldap.org/pub/hyc/mdm-slides.pdf :- -- -- -- -- -- * Uses a read-only memory map * Protects the database structure from corruption due to stray writes in memory * Any attempts to write to the map will cause a SEGV, allowing immediate identification of software bugs * There's no point in making the pages writable anyway, since only existing pages may be written. Growing the database requires file ops (write, ftruncate) so for uniformity, file ops are also used for updates. -- -- -- -- -- I *think* the problems were only with mmap writes, if this is correct then they seem to be sidestepping the problems by doing this. BTW I'm using OpenLDAP 2.4 with BDB here and haven't noticed issues however it is not under extreme load..

2 1

Fwd: adding support to mdb
by Friedrich Locke 15 Jan '13

15 Jan '13

This one too. []s ---------- Forwarded message ---------- From: Stuart Henderson <stu(a)spacehopper.org> Date: Tue, Jan 15, 2013 at 6:41 AM Subject: Re: adding support to mdb To: Friedrich Locke <friedrich.locke(a)gmail.com> On 2013/01/14 21:31, Friedrich Locke wrote: > Hi! > > people from openldap group have already migrated to mdb. > Why OpenBSD has such problems. On other OSes, things work nicely. > BTW, no offense, i do like obsd, but things like make me upset. I suspect that the MDB code probably requires something from the OS that OpenBSD doesn't have (coherent buffer and page caches - http://utcc.utoronto.ca/~cks/space/blog/unix/UnifiedCacheMmap) If I'm correct then it will appear to work, but with a risk of database corruption. For this reason I won't enable this in the OpenLDAP port unless someone who knows the area well is satisfied that it's safe. Some other database code which likes to use mmap (e.g. cyrus skiplist) takes into account the various types of cache behaviour and has options to avoid using mmap. It doesn't appear that MDB has this yet.

1 0

← Newer
1
...
5
6
7
8
9
10
11
...
14
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2013