openldap-technical December 2013

openldap-technical@openldap.org

61 participants
73 discussions

Question about openLDAP proxy to MSAD
by Alex Samad - Yieldbroker 16 Dec '13

16 Dec '13

Hi I am using openldap to sit in front of MS AD. So that servers in the DMZ can access information in MS AD and in openldap. My problem is that MS AD sends back referrals and using referrals = ignore fails. Is there anything in the olcLDAPConfig that I set to stop referrals and/or set it to point back to itself A

1 0

Storing graph data structure with MDB_FIXEDMAP
by Aris Setyawan 16 Dec '13

16 Dec '13

Hi, I'm new in this list. I plan to store graph data structure (vertex and edge) in LMDB. The "edge" data value of a record will contain a pointer which is pointing to the address of "vertex" data value. So, I must make it sure that data value address is not changing during operation. According to the doc, I can use MDB_FIXEDMAP. And from the doc: "... the memory map will always reside at the same virtual address and pointers used to reference data items in the database will be constant across multiple invocations. ..." Spesifically: "... pointers used to reference data items in the database will be constant ..." Is this mean that I must allocate memory to write data using mdb_put with MDB_RESERVE flag?

2 3

Fwd: Linux kernel performance regressions
by Howard Chu 16 Dec '13

16 Dec '13

-------- Original Message -------- Subject: Linux kernel performance regressions Date: Wed, 11 Dec 2013 04:33:06 -0800 From: Howard Chu <hyc(a)symas.com> To: OpenLDAP-devel(a)openldap.org <OpenLDAP-devel(a)openldap.org> We upgraded from kernel 3.5 to 3.12.3 to update some of our benchmark numbers and hit some major performance regressions, mainly because the kernel is throttling processes that use too much CPU. This is definitely a kernel bug, as the throttle mechanism belongs to the realtime scheduler and none of the processes being affected had realtime priority when the throttle kicked in. I've posted a query to the linux kernel mailing list but haven't gotten any satisfactory answers yet. The same throttling behavior also occurs with 3.11.10, but there are no corresponding messages in the kernel log. The email thread is here http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/02313.html A patch that may be related is described here http://lkml.org/lkml/2013/5/29/640 which explains part of the observed behavior, but not all of it (and indeed may be a red herring, unless it has some interaction with the realtime scheduler). There appear to be other serious networking related regressions in 3.12 as well. http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/02588.html I recommend staying on 3.10 for production servers until this is sorted out. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 3

Design for large openldap deployments
by Christian Kratzer 16 Dec '13

16 Dec '13

Hi, I have been thinking about a scalable multi site deployment architecture for openldap where I would like to: - Have a small number of master servers centrally in the enterprise with MMR. - All account provisioning would be at the central sites. - Have multiple edge sites replicate of those masters in a star toplogy with MMR. - Allow writes to those edge sites for the purpososes of slapo_ppolicy, slapo_lastbind and password changes. I would like to avoid fully meshing all servers for MMR and would prefer a star topology where each edge site only replicates with the central site. I would also like to avoid chaining. See my previous posts why. Before I set this up in my lab I would like a second opinion. The customer is asking for best practice in large deployments. Any comments ? Greetings Christian -- Christian Kratzer CK Software GmbH Email: ck(a)cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer

4 8

Multi-master replication (ldap_sasl_bind_s failed)
by Artur Nike 16 Dec '13

16 Dec '13

Hi all, My adventure with LDAP lasts a few months, and I came to the topic of replication, namely multiple-master replication. cn = config is replicated perfectly, but the schema, say, dc = example, dc = com does not want to: (. I have two servers slap1 and slap2 I have a standard installation ##Server slap1 whezzy debian 64bit apt-get install-y slapd ldap-utils added my scheme ldapadd-Y EXTERNAL-H ldapi :///-f $ CURRENT / memberof.ldif ldapadd-Y EXTERNAL-H ldapi :///-f $ CURRENT / refint.ldif # Add "ldap :/ / ldap1 / in /etc/default/slapd sed-i "/^ SLAPD_SERVICES/s/=[^]*/=\"ldap:\/\/slap1\//'/etc/default/slapd ldapmodify-Y EXTERNAL-H ldapi :/ / /-f replica1.ldif where replica1.ldif (replication configuration):: dn: cn=config changetype: modify add: olcServerID olcServerID: 1 dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: {1}syncprov.la dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW #only for tests olcRootPW: 123 dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 ldap://slap1/ olcServerID: 2 ldap://slap2/ dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://slap1/ binddn="cn=admin,cn=config" bindmethod=simple credentials=123 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=ldap://slap2/ binddn="cn=admin,cn=config" bindmethod=simple credentials=123 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE This same scenario takes on a server slap2 (the name change slap1 -> slap2) where replica2.ldif (replication configuration only servers slap2) : dn: cn=config changetype: modify add: olcServerID olcServerID: 2 dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: {1}syncprov.la dn: olcDatabase={0}config,cn=config changetype: modify #only for tests add: olcRootPW olcRootPW: 123 dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 ldap://slap1/ olcServerID: 2 ldap://slap2/ dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://slap1/ binddn="cn=admin,cn=config" bindmethod=simple credentials=123 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=ldap://slap2/ binddn="cn=admin,cn=config" bindmethod=simple credentials=123 searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE and it works , the whole configuration is replicated . Now I want ( I'm trying to add a replication scheme . ) Adds only one server , eg slap2 : ldapmodify - Y EXTERNAL -H ldapi :/ / / -f rep_schema.ldif where rep_schema.ldif : # add replica schema dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcRootPW olcRootPW: 123 - replace: olcRootDN olcRootDN: cn=admin,dc=example,dc=com dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcLimits olcLimits: dn.exact="cn=admin,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited - add: olcSyncRepl olcSyncRepl: rid=004 provider=ldap://ldap1/ binddn="cn=admin,dc=example,dc=com" bindmethod=simple credentials="123" searchbase="dc=example,dc=com" starttls=no filter="(objectclass=*)" attrs="*,+" scope=sub schemachecking=of type=refreshAndPersist interval=00:00:00:10 retry="5 5 10 5" timeout=1 olcSyncRepl: rid=005 provider=ldap://ldap2/ binddn="cn=admin,dc=example,dc=com" bindmethod=simple credentials="123" searchbase="dc=example,dc=com" starttls=no filter="(objectclass=*)" attrs="*,+" scope=sub schemachecking=off type=refreshAndPersist interval=00:00:00:10 retry="5 5 10 5" timeout=1 - add: olcDbIndex olcDbIndex: entryUUID eq - add: olcDbIndex olcDbIndex: entryCSN eq - add: olcMirrorMode olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov Configuration replicates and the end, schema does not replicate. If you try to replicate one of the servers are in the logs I see: Dec 15 23:44:48 slap1 slapd[4496]: do_syncrepl: rid=004 rc -1 quitting Dec 15 23:44:48 slap1 slapd[4496]: slap_client_connect: URI=ldap://ldap2/ DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1) Dec 15 23:44:48 slap1 slapd[4496]: do_syncrepl: rid=005 rc -1 retrying Dec 15 23:44:58 slap1 slapd[4496]: =>do_syncrepl rid=005 Dec 15 23:44:58 slap1 slapd[4496]: slap_client_connect: URI=ldap://ldap2/ DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1) Dec 15 23:44:50 slap2 slapd[4456]: do_syncrepl: rid=004 rc -1 retrying Dec 15 23:44:54 slap2 slapd[4456]: =>do_syncrepl rid=005 Dec 15 23:44:54 slap2 slapd[4456]: slap_client_connect: URI=ldap://ldap2/ DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1) Dec 15 23:44:54 slap2 slapd[4456]: do_syncrepl: rid=005 rc -1 quitting Dec 15 23:45:00 slap2 slapd[4456]: =>do_syncrepl rid=004 Dec 15 23:45:00 slap2 slapd[4456]: slap_client_connect: URI=ldap://ldap1/ DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1) from server slap2 to search slap1: ldapsearch -x -D cn=admin,dc=example,dc=com-H ldap://slap1/ -b dc=example,dc=com -w 123 (working) from server slap1 to search slap2: ldapsearch -x -D cn=admin,dc=example,dc=com-H ldap://slap2/ -b dc=example,dc=com -w 123 (working) I'm out of ideas... user : DN="cn=admin,dc=example,dc=com" is created automatically when I install slapd Can anyone have any suggestions or experience with this problem. For all, thank you in advance. Muniek

1 1

RE24 testing call (OpenLDAP 2.4.37)
by Quanah Gibson-Mount 15 Dec '13

15 Dec '13

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.37 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

12 32

2.4.36 : too many open files
by Aaron Bennett 14 Dec '13

14 Dec '13

Just to clarify - subject on original post was wrong - version is 2.4.36. From: Aaron Bennett Sent: Tuesday, December 3, 2013 9:58 AM To: 'openldap-technical(a)openldap.org' Subject: 2.4.26 : too many open files Hi, I just ran into this yesterday on CentOS 6 / OpenLdap 2.4.36, my own build against bdb 5.1.29 and OpenSSL. Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): /var/lib/ldap/log.0000032796: log file unreadable: Too many open files Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): PANIC: Too many open files Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): PANIC: fatal region error detected; run recovery Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): PANIC: fatal region error detected; run recovery Dec 2 16:55:40 animal slapd[13735]: null_callback : error code 0x50 I never did anything to change the default process limit, looks like it's set to 1024 in /proc/$(pidof slapd)/limits. Is there anything I can do short of an automatic restart to prevent that from cropping up again? I have an MMR via Syncrepl setup with nothing too complicated; can't think of any reason offhand that slapd would need to have more than 1024 files open. Best, Aaron --- Aaron Bennett Manager of Systems Administration Clark University ITS W:508.793.7315

4 3

Max length allowed for a password
by Rob Tanner 13 Dec '13

13 Dec '13

Hi, We are looking at extending the allowed length of passwords we allow people to use (the theory being that a short phrase is easier to remember than a shorter, but arbitrary string of characters). But since we use our ldap server for authentication to a whole host of online tools, including several portals, I need to know the max length of the source password when doing a bind. Thanks, Rob Rob Tanner UNIX Services Manager Linfield College, McMinnville Oregon ITS will never ask you for your password. Please don’t share yours with anyone!

4 7

Re: Upgrading from Ubuntu-packaged 2.4.28 to self-built 2.4.38
by Philip Colmer 12 Dec '13

12 Dec '13

> You only responded about one My second paragraph addressed the second suggestion. I did *try* to edit the LDIF file and then use slapadd but it wasn't working. In retrospect, the reason it wasn't working was because I didn't have the correct slapadd command-line options. Therefore, I think that I didn't need to sym-link and that slapcat/slapadd was the appropriate way to go. On 12 December 2013 16:54, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, December 12, 2013 4:20 PM +0000 Philip Colmer > <philip.colmer(a)linaro.org> wrote: > >>> Huh? Why didn't you just use ldapmodify to modify it? Or, slapcat your >>> cn=config db, fix it in the LDIF, and reload it? >> >> >> Couldn't use ldapmodify to modify it because slapd wasn't running. >> Couldn't use ldapmodify to modify it whilst Ubuntu version was >> installed because that would break *that* version. Couldn't use >> ldapmodify to modify it whilst new version was installed because new >> version wouldn't start. > > > I listed two options. The other works when slapd is offline. You only > responded about one. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Architect - Server > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration

1 0

Re: Upgrading from Ubuntu-packaged 2.4.28 to self-built 2.4.38
by Philip Colmer 12 Dec '13

12 Dec '13

> Huh? Why didn't you just use ldapmodify to modify it? Or, slapcat your cn=config db, fix it in the LDIF, and reload it? Couldn't use ldapmodify to modify it because slapd wasn't running. Couldn't use ldapmodify to modify it whilst Ubuntu version was installed because that would break *that* version. Couldn't use ldapmodify to modify it whilst new version was installed because new version wouldn't start. I think, in retrospect, that I was hitting two problems - the wrong path in cn=config and the wrong command to try and build a new cn=config from LDIF. It is possible that the correct command (which I eventually found in another mail thread) avoids this whole issue. On 12 December 2013 16:14, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, December 12, 2013 1:40 PM +0000 Philip Colmer > <philip.colmer(a)linaro.org> wrote: > >> dn: cn=module{0} >> objectClass: olcModuleList >> cn: module{0} >> olcModulePath: /usr/lib/ldap >> olcModuleLoad: {0}back_hdb >> >> olcModulePath, if defined, is referenced INSTEAD OF any environment >> variables like PATH or LD_LIBRARY_PATH. >> >> /usr/lib/ldap is the Ubuntu path. The new location is >> /usr/local/libexec/ldap. Since I can't edit the ldif file, I put in a >> symbolic link. > > > Huh? Why didn't you just use ldapmodify to modify it? Or, slapcat your > cn=config db, fix it in the LDIF, and reload it? > > --Quanah > > -- > > Quanah Gibson-Mount > Architect - Server > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2013