Question about openLDAP proxy to MSAD
by Alex Samad - Yieldbroker
Hi
I am using openldap to sit in front of MS AD. So that servers in the DMZ can access information in MS AD and in openldap. My problem is that MS AD sends back referrals and using referrals = ignore fails.
Is there anything in the olcLDAPConfig that I can set to stop referrals and/or set it to point back to itself?
A
9 years, 9 months
Storing graph data structure with MDB_FIXEDMAP
by Aris Setyawan
Hi,
I'm new to this list.
I plan to store a graph data structure (vertex and edge) in LMDB. The
"edge" data value of a record will contain a pointer pointing to the
address of a "vertex" data value. So I must make sure that the data
value address does not change during operation. According to the
doc, I can use MDB_FIXEDMAP.
And from the doc:
"... the memory map will always reside at the same virtual address and
pointers used to reference data items in the database will be constant
across multiple invocations. ..."
Specifically: "... pointers used to reference data items in the
database will be constant ..."
Does this mean that I must allocate memory to write data using mdb_put
with the MDB_RESERVE flag?
9 years, 9 months
Fwd: Linux kernel performance regressions
by Howard Chu
-------- Original Message --------
Subject: Linux kernel performance regressions
Date: Wed, 11 Dec 2013 04:33:06 -0800
From: Howard Chu <hyc(a)symas.com>
To: OpenLDAP-devel(a)openldap.org <OpenLDAP-devel(a)openldap.org>
We upgraded from kernel 3.5 to 3.12.3 to update some of our benchmark numbers
and hit some major performance regressions, mainly because the kernel is
throttling processes that use too much CPU. This is definitely a kernel bug,
as the throttle mechanism belongs to the realtime scheduler and none of the
processes being affected had realtime priority when the throttle kicked in.
I've posted a query to the linux kernel mailing list but haven't gotten any
satisfactory answers yet. The same throttling behavior also occurs with
3.11.10, but there are no corresponding messages in the kernel log.
The email thread is here
http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/02313.html
A patch that may be related is described here
http://lkml.org/lkml/2013/5/29/640 which explains part of the observed
behavior, but not all of it (and indeed may be a red herring, unless it has
some interaction with the realtime scheduler).
There appear to be other serious networking related regressions in 3.12 as
well. http://lkml.indiana.edu/hypermail/linux/kernel/1312.1/02588.html
I recommend staying on 3.10 for production servers until this is sorted out.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years, 9 months
Design for large openldap deployments
by Christian Kratzer
Hi,
I have been thinking about a scalable multi site deployment architecture for
openldap where I would like to:
- Have a small number of master servers centrally in the enterprise with MMR.
- All account provisioning would be at the central sites.
- Have multiple edge sites replicate off those masters in a star topology with MMR.
- Allow writes to those edge sites for the purposes of slapo_ppolicy,
slapo_lastbind and password changes.
I would like to avoid fully meshing all servers for MMR and would prefer
a star topology where each edge site only replicates with the central site.
I would also like to avoid chaining. See my previous posts why.
Before I set this up in my lab I would like a second opinion. The customer
is asking for best practice in large deployments.
Any comments?
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
9 years, 9 months
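The design above, as an added example (Python; not code from the thread or from the OpenLDAP project): a small generator for the olcServerID and olcSyncRepl values of each server in the star, plus a consistency check. Host names, the replication identity cn=replicator, the CHANGEME credential placeholder, starttls=critical and the olcDatabase={1}hdb entry are assumptions. It encodes one point the sketch glosses over: syncrepl is pull-based, so for an edge site's writes to reach the centre each central master needs its own olcSyncRepl consumer entry pointing at that edge, while the edges themselves only pull from the central masters and never from each other.

```python
"""olcServerID / olcSyncRepl generator for a star-topology MMR design.

Added example, not code from the thread or from the OpenLDAP project.
Host names, the replication identity, the database DN and the credential
placeholder are assumptions.  Rules encoded:
  - every MMR participant gets a distinct olcServerID and every participant
    lists the full set (slapd picks its own ID by matching its listener URL);
  - every olcSyncRepl value on one server carries a distinct rid;
  - central masters pull from each other and, because syncrepl is pull-based,
    from every edge whose writes they must accept;
  - edge servers pull only from the central masters, never from other edges.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Topology:
    suffix: str
    central: List[str]                                   # central master host names
    edges: List[str]                                     # edge-site host names
    binddn: str = "cn=replicator,dc=example,dc=com"      # assumed replication identity
    cred_placeholder: str = "CHANGEME"                   # no real secret in generated text
    db_dn: str = "olcDatabase={1}hdb,cn=config"          # assumed database entry

    def all_hosts(self) -> List[str]:
        return list(self.central) + list(self.edges)

    def server_id_values(self) -> List[str]:
        # Identical on every server: "<id> ldap://<host>/" per participant.
        return [f"{i} ldap://{h}/" for i, h in enumerate(self.all_hosts(), start=1)]

    def providers_for(self, host: str) -> List[str]:
        if host in self.central:
            return [h for h in self.central if h != host] + list(self.edges)
        if host in self.edges:
            return list(self.central)
        raise ValueError(f"unknown host {host!r}")

    def syncrepl_values(self, host: str) -> List[str]:
        values = []
        for n, provider in enumerate(self.providers_for(host), start=1):
            values.append(
                f"rid={n:03d} provider=ldap://{provider}/ "
                f'binddn="{self.binddn}" bindmethod=simple '
                f"credentials={self.cred_placeholder} "
                f'searchbase="{self.suffix}" type=refreshAndPersist '
                f'retry="5 5 300 5" timeout=1 starttls=critical'
            )
        return values

    def ldif_for(self, host: str) -> str:
        """LDIF (for ldapmodify -Y EXTERNAL -H ldapi:///) for one server's cn=config."""
        lines = ["dn: cn=config", "changetype: modify", "replace: olcServerID"]
        lines += [f"olcServerID: {v}" for v in self.server_id_values()]
        lines += ["", f"dn: {self.db_dn}", "changetype: modify", "add: olcSyncRepl"]
        lines += [f"olcSyncRepl: {v}" for v in self.syncrepl_values(host)]
        lines += ["-", "add: olcMirrorMode", "olcMirrorMode: TRUE", ""]
        return "\n".join(lines)


def check_topology(t: Topology) -> Dict[str, List[str]]:
    """Per host, the rule violations found; all lists empty means the design is consistent."""
    problems: Dict[str, List[str]] = {}
    hosts = t.all_hosts()
    for host in hosts:
        errs: List[str] = []
        if len(set(hosts)) != len(hosts):
            errs.append("a host is listed twice (olcServerID would not be unique)")
        providers = t.providers_for(host)
        if host in providers:
            errs.append("server pulls from itself")
        rids = [v.split()[0] for v in t.syncrepl_values(host)]
        if len(set(rids)) != len(rids):
            errs.append("duplicate rid on this server")
        if host in t.edges:
            errs += [f"edge {host} pulls from edge {p}" for p in providers if p in t.edges]
        problems[host] = errs
    return problems


if __name__ == "__main__":
    topo = Topology("dc=example,dc=com", ["core1", "core2"], ["edge-eu", "edge-us"])
    print(topo.ldif_for("edge-eu"))
    print(check_topology(topo))
```

Run it for each host and apply the printed LDIF on that host only; the olcServerID list is the same everywhere, the olcSyncRepl set is not.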
Multi-master replication (ldap_sasl_bind_s failed)
by Artur Nike
Hi all,
My adventure with LDAP has lasted a few months, and I have come to the topic of
replication, namely multi-master replication.
cn=config is replicated perfectly, but the schema, say, dc=example,dc=com,
does not want to :(.
I have two servers slap1 and slap2
I have a standard installation
## Server slap1
wheezy Debian 64-bit
apt-get install -y slapd ldap-utils
added my schema
ldapadd -Y EXTERNAL -H ldapi:/// -f $CURRENT/memberof.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f $CURRENT/refint.ldif
# Add "ldap://ldap1/" to /etc/default/slapd
sed -i '/^SLAPD_SERVICES/s/="[^"]*"/="ldap:\/\/slap1\/ ldapi:\/\/\/"/' /etc/default/slapd
ldapmodify -Y EXTERNAL -H ldapi:/// -f replica1.ldif
where replica1.ldif (replication configuration):
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov.la

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
# only for tests
olcRootPW: 123

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://slap1/
olcServerID: 2 ldap://slap2/

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://slap1/
  binddn="cn=admin,cn=config"
  bindmethod=simple credentials=123
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://slap2/
  binddn="cn=admin,cn=config"
  bindmethod=simple credentials=123
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
The same steps are done on server slap2 (with the name changed slap1 -> slap2),
where replica2.ldif (replication configuration, only on server slap2):
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 2

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}syncprov.la

dn: olcDatabase={0}config,cn=config
changetype: modify
# only for tests
add: olcRootPW
olcRootPW: 123

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://slap1/
olcServerID: 2 ldap://slap2/

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://slap1/
  binddn="cn=admin,cn=config"
  bindmethod=simple credentials=123
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://slap2/
  binddn="cn=admin,cn=config"
  bindmethod=simple credentials=123
  searchbase="cn=config" type=refreshAndPersist
  retry="5 5 300 5" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
and it works, the whole configuration is replicated.
Now I want to add replication of the schema (I'm trying to add a replication scheme).
It is added on only one server, e.g. slap2:
ldapmodify -Y EXTERNAL -H ldapi:/// -f rep_schema.ldif
where rep_schema.ldif:
# add replica schema
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: 123
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=admin,dc=example,dc=com"
  time.soft=unlimited
  time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncRepl
olcSyncRepl: rid=004 provider=ldap://ldap1/
  binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials="123"
  searchbase="dc=example,dc=com"
  starttls=no
  filter="(objectclass=*)"
  attrs="*,+" scope=sub
  schemachecking=off
  type=refreshAndPersist interval=00:00:00:10 retry="5 5 10 5"
  timeout=1
olcSyncRepl: rid=005 provider=ldap://ldap2/
  binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials="123"
  searchbase="dc=example,dc=com"
  starttls=no
  filter="(objectclass=*)"
  attrs="*,+" scope=sub
  schemachecking=off
  type=refreshAndPersist interval=00:00:00:10 retry="5 5 10 5"
  timeout=1
-
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
The configuration replicates, but in the end the schema does not replicate.
If I try to replicate on one of the servers, in the logs I see:
Dec 15 23:44:48 slap1 slapd[4496]: do_syncrepl: rid=004 rc -1 quitting
Dec 15 23:44:48 slap1 slapd[4496]: slap_client_connect: URI=ldap://ldap2/
DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1)
Dec 15 23:44:48 slap1 slapd[4496]: do_syncrepl: rid=005 rc -1 retrying
Dec 15 23:44:58 slap1 slapd[4496]: =>do_syncrepl rid=005
Dec 15 23:44:58 slap1 slapd[4496]: slap_client_connect: URI=ldap://ldap2/
DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1)
Dec 15 23:44:50 slap2 slapd[4456]: do_syncrepl: rid=004 rc -1 retrying
Dec 15 23:44:54 slap2 slapd[4456]: =>do_syncrepl rid=005
Dec 15 23:44:54 slap2 slapd[4456]: slap_client_connect: URI=ldap://ldap2/
DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1)
Dec 15 23:44:54 slap2 slapd[4456]: do_syncrepl: rid=005 rc -1 quitting
Dec 15 23:45:00 slap2 slapd[4456]: =>do_syncrepl rid=004
Dec 15 23:45:00 slap2 slapd[4456]: slap_client_connect: URI=ldap://ldap1/
DN="cn=admin,dc=example,dc=com" ldap_sasl_bind_s failed (-1)
from server slap2, searching slap1:
ldapsearch -x -D cn=admin,dc=example,dc=com -H ldap://slap1/ -b dc=example,dc=com -w 123 (working)
from server slap1, searching slap2:
ldapsearch -x -D cn=admin,dc=example,dc=com -H ldap://slap2/ -b dc=example,dc=com -w 123 (working)
I'm out of ideas...
The user DN="cn=admin,dc=example,dc=com" is created automatically when I
install slapd.
Does anyone have any suggestions or experience with this problem?
Thank you all in advance.
Muniek
9 years, 9 months
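An added pre-flight check for consumer definitions like the ones in the post above (Python; not code from the thread or from OpenLDAP). rc -1 from ldap_sasl_bind_s is LDAP_SERVER_DOWN: the consumer never got a session to the provider, so the check concentrates on what can be verified in the LDIF before the bind is ever attempted: that every provider= URI parses and its host name resolves (the posted rep_schema.ldif points at ldap1/ldap2 while the manual searches that worked went to slap1/slap2), that rids are unique within the database, that schemachecking has a legal value, and that a simple bind over plain ldap:// without starttls is not sending the replication password in clear. It also unfolds LDIF continuation lines: the parser removes exactly one leading space, so a folded olcSyncRepl line must begin with two spaces or the parameters run together. The sample LDIF and the resolver table are constructed so the check runs offline; with the default resolver it queries DNS.

```python
"""Pre-flight check for olcSyncRepl consumer definitions.

Added example, not code from the thread or from the OpenLDAP project.  It
unfolds LDIF, parses each olcSyncRepl value and reports the things that end
in "ldap_sasl_bind_s failed (-1)" (LDAP_SERVER_DOWN) or in credentials on
the wire in clear.  SAMPLE_LDIF and FAKE_HOSTS are constructed test data.
"""
import shlex
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Optional[str]]  # host name -> IP string, or None


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a leading space continues the previous line."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]          # exactly one space is removed, as slapd does
        elif raw.startswith("#"):
            continue
        else:
            out.append(raw)
    return out


def parse_syncrepl(value: str) -> Dict[str, str]:
    """Turn 'rid=004 provider=ldap://h/ binddn="cn=a,dc=b" ...' into a dict."""
    params: Dict[str, str] = {}
    for tok in shlex.split(value):       # shlex keeps quoted values (with spaces) intact
        key, _, val = tok.partition("=")
        params[key.lower()] = val
    return params


def syncrepl_values(ldif: str) -> List[Dict[str, str]]:
    return [parse_syncrepl(line[len("olcSyncRepl:"):].strip())
            for line in unfold_ldif(ldif)
            if line.lower().startswith("olcsyncrepl:")]


def default_resolver(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def preflight(ldif: str, resolve: Resolver = default_resolver) -> List[str]:
    """Return findings as strings; an empty list means nothing obvious is wrong."""
    findings: List[str] = []
    seen_rids = set()
    for p in syncrepl_values(ldif):
        rid = p.get("rid", "?")
        if rid in seen_rids:
            findings.append(f"rid={rid}: duplicate rid in this database")
        seen_rids.add(rid)

        uri = urlsplit(p.get("provider", ""))
        if uri.scheme not in ("ldap", "ldaps"):
            findings.append(f"rid={rid}: provider {p.get('provider')!r} is not an ldap:// or ldaps:// URI")
            continue
        if uri.hostname and resolve(uri.hostname) is None:
            findings.append(f"rid={rid}: provider host {uri.hostname!r} does not resolve "
                            "(expect ldap_sasl_bind_s failed (-1) / LDAP_SERVER_DOWN)")
        if (p.get("bindmethod", "simple") == "simple" and uri.scheme == "ldap"
                and p.get("starttls", "no") not in ("yes", "critical")):
            findings.append(f"rid={rid}: simple bind over plain ldap:// without starttls; "
                            "the replication password crosses the network in clear")
        if p.get("schemachecking") not in (None, "on", "off"):
            findings.append(f"rid={rid}: schemachecking={p['schemachecking']!r} is not on/off")
    return findings


# Constructed sample: rid=004 points at a host that does not exist in the
# fake resolver and uses a clear-text simple bind; rid=005 is fine.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=004 provider=ldap://ldap1/
  binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials="123"
  searchbase="dc=example,dc=com" starttls=no
  type=refreshAndPersist retry="5 5 10 5" timeout=1
olcSyncRepl: rid=005 provider=ldap://slap2/
  binddn="cn=admin,dc=example,dc=com"
  bindmethod=simple credentials="123"
  searchbase="dc=example,dc=com" starttls=critical
  type=refreshAndPersist retry="5 5 10 5" timeout=1
"""

FAKE_HOSTS = {"slap1": "192.0.2.1", "slap2": "192.0.2.2"}   # constructed, TEST-NET-1


def fake_resolver(host: str) -> Optional[str]:
    return FAKE_HOSTS.get(host)


if __name__ == "__main__":
    for finding in preflight(SAMPLE_LDIF, fake_resolver):
        print(finding)
```

Against a real file use `preflight(open("rep_schema.ldif").read())` on the host that will run the consumer, since that is where the provider names have to resolve.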
2.4.36 : too many open files
by Aaron Bennett
Just to clarify - subject on original post was wrong - version is 2.4.36.
From: Aaron Bennett
Sent: Tuesday, December 3, 2013 9:58 AM
To: 'openldap-technical(a)openldap.org'
Subject: 2.4.26 : too many open files
Hi,
I just ran into this yesterday on CentOS 6 / OpenLDAP 2.4.36, my own build against BDB 5.1.29 and OpenSSL.
Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): /var/lib/ldap/log.0000032796: log file unreadable: Too many open files
Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): PANIC: Too many open files
Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): PANIC: fatal region error detected; run recovery
Dec 2 16:55:40 animal slapd[13735]: bdb(dc=clarku,dc=edu): PANIC: fatal region error detected; run recovery
Dec 2 16:55:40 animal slapd[13735]: null_callback : error code 0x50
I never did anything to change the default process limit, looks like it's set to 1024 in /proc/$(pidof slapd)/limits.
Is there anything I can do short of an automatic restart to prevent that from cropping up again? I have an MMR via Syncrepl setup with nothing too complicated; can't think of any reason offhand that slapd would need to have more than 1024 files open.
Best,
Aaron
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
W:508.793.7315
9 years, 9 months
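An added check for the situation above (Python; not code from the thread or from OpenLDAP): it reads the "Max open files" row of /proc/<pid>/limits and classifies the targets of /proc/<pid>/fd/* so a monitoring job can say whether the 1024 descriptors are going to client sockets, Berkeley DB transaction logs or database files, and warn before slapd hits "Too many open files". The paths, counts and the 80% threshold in the sample are constructed; live_inputs() reads the real /proc entries for a running pid.

```python
"""Account for slapd's open file descriptors against its NOFILE limit.

Added example, not code from the thread or from the OpenLDAP project.
SAMPLE_LIMITS and SAMPLE_TARGETS are constructed; live_inputs() is the
real-world input path.
"""
import os
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

BDB_LOG = re.compile(r"/log\.\d{10}$")          # Berkeley DB transaction log file names


def _limit(v: str) -> int:
    return -1 if v == "unlimited" else int(v)


def parse_nofile(limits_text: str) -> Tuple[int, int]:
    """(soft, hard) from the 'Max open files' row of /proc/<pid>/limits; -1 = unlimited."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()                # Max open files <soft> <hard> files
            return _limit(fields[3]), _limit(fields[4])
    raise ValueError("no 'Max open files' row in limits text")


def classify(target: str) -> str:
    """Bucket one readlink() target of /proc/<pid>/fd/N."""
    if target.startswith("socket:"):
        return "socket"
    if target.startswith(("pipe:", "anon_inode:")):
        return "pipe/anon"
    if BDB_LOG.search(target):
        return "bdb-log"
    if target.endswith(".bdb"):
        return "bdb-db"
    return "file"


def fd_summary(targets: Iterable[str]) -> Dict[str, int]:
    return dict(Counter(classify(t) for t in targets))


def headroom(limits_text: str, targets: List[str], warn_pct: int = 80) -> Dict[str, object]:
    soft, hard = parse_nofile(limits_text)
    used = len(targets)
    pct = (100 * used) // soft if soft > 0 else 0
    return {"soft": soft, "hard": hard, "used": used, "percent": pct,
            "warn": soft > 0 and pct >= warn_pct, "by_kind": fd_summary(targets)}


def live_inputs(pid: int) -> Tuple[str, List[str]]:
    """Read the real /proc entries for a running slapd (needs permission on that pid)."""
    with open(f"/proc/{pid}/limits") as fh:
        limits = fh.read()
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            pass                                  # fd closed between listdir and readlink
    return limits, targets


# Constructed sample: 900 client sockets plus a handful of BDB files and a pipe.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
"""
SAMPLE_TARGETS = (
    [f"socket:[{i}]" for i in range(900)]
    + [f"/var/lib/ldap/log.{i:010d}" for i in range(32790, 32797)]
    + ["/var/lib/ldap/id2entry.bdb", "/var/lib/ldap/dn2id.bdb", "pipe:[4242]"]
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(headroom(*live_inputs(int(sys.argv[1]))))   # python3 fdcheck.py $(pidof slapd)
    else:
        print(headroom(SAMPLE_LIMITS, SAMPLE_TARGETS))
```

The by_kind breakdown is what tells you whether to raise the limit for the process (sockets dominate) or to look at the database (log and .bdb files dominate).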
Max length allowed for a password
by Rob Tanner
Hi,
We are looking at extending the allowed length of passwords we allow people to use (the theory being that a short phrase is easier to remember than a shorter, but arbitrary string of characters). But since we use our ldap server for authentication to a whole host of online tools, including several portals, I need to know the max length of the source password when doing a bind.
Thanks,
Rob
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon
ITS will never ask you for your password. Please don’t share yours with anyone!
9 years, 9 months
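An added illustration of where the limit on a bind password actually lives (Python; not code from the thread or from OpenLDAP). An LDAPv3 simple bind carries the password as a BER OCTET STRING with a definite length, so the protocol itself imposes no maximum; encode_simple_bind() below builds the BindRequest by hand and only the length field grows for a long passphrase. What can silently truncate a long password is the hash the server stores: legacy DES crypt(3) uses only the first 8 characters and bcrypt the first 72 bytes, whereas {SSHA} (ssha() below, the OpenLDAP userPassword format) hashes the whole value, so a passphrase policy is only as long as the weakest storage scheme behind it. The DN and passphrases are constructed.

```python
"""Bind-request encoding and {SSHA} hashing for arbitrary-length passwords.

Added example, not code from the thread or from the OpenLDAP project.
The DN and passphrases used are constructed.
"""
import base64
import hashlib
import os
from typing import Optional


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int) -> bytes:
    # Non-negative INTEGER; the extra bit keeps the top bit clear so it is not read as negative.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = ber_int(3)                                   # version INTEGER
    bind += tlv(0x04, dn.encode("utf-8"))               # name LDAPDN (OCTET STRING)
    bind += tlv(0x80, password.encode("utf-8"))         # [0] simple (context tag 0, OCTET STRING)
    msg = ber_int(msg_id) + tlv(0x60, bind)             # [APPLICATION 0] BindRequest
    return tlv(0x30, msg)                               # LDAPMessage SEQUENCE


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(SHA-1(password || salt) || salt); the salt is normally 4 random bytes."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]                   # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


if __name__ == "__main__":
    short = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "x")
    long_ = encode_simple_bind(1, "cn=admin,dc=example,dc=com", "a" * 1000)
    print(len(short), short[:2].hex(), len(long_), long_[:4].hex())
    h = ssha("correct horse battery staple")
    print(h, ssha_verify(h, "correct horse battery staple"))
```

The useful experiment on a real server is the second half: store a long passphrase in each scheme the directory accepts, then bind with the passphrase plus a trailing character and see which schemes still let you in.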
Re: Upgrading from Ubuntu-packaged 2.4.28 to self-built 2.4.38
by Philip Colmer
> You only responded about one
My second paragraph addressed the second suggestion. I did *try* to
edit the LDIF file and then use slapadd but it wasn't working. In
retrospect, the reason it wasn't working was because I didn't have the
correct slapadd command-line options. Therefore, I think that I didn't
need to sym-link and that slapcat/slapadd was the appropriate way to
go.
On 12 December 2013 16:54, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, December 12, 2013 4:20 PM +0000 Philip Colmer
> <philip.colmer(a)linaro.org> wrote:
>
>>> Huh? Why didn't you just use ldapmodify to modify it? Or, slapcat your
>>> cn=config db, fix it in the LDIF, and reload it?
>>
>>
>> Couldn't use ldapmodify to modify it because slapd wasn't running.
>> Couldn't use ldapmodify to modify it whilst Ubuntu version was
>> installed because that would break *that* version. Couldn't use
>> ldapmodify to modify it whilst new version was installed because new
>> version wouldn't start.
>
>
> I listed two options. The other works when slapd is offline. You only
> responded about one.
>
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Architect - Server
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
9 years, 9 months
Re: Upgrading from Ubuntu-packaged 2.4.28 to self-built 2.4.38
by Philip Colmer
> Huh? Why didn't you just use ldapmodify to modify it? Or, slapcat your cn=config db, fix it in the LDIF, and reload it?
Couldn't use ldapmodify to modify it because slapd wasn't running.
Couldn't use ldapmodify to modify it whilst Ubuntu version was
installed because that would break *that* version. Couldn't use
ldapmodify to modify it whilst new version was installed because new
version wouldn't start.
I think, in retrospect, that I was hitting two problems - the wrong
path in cn=config and the wrong command to try and build a new
cn=config from LDIF. It is possible that the correct command (which I
eventually found in another mail thread) avoids this whole issue.
On 12 December 2013 16:14, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, December 12, 2013 1:40 PM +0000 Philip Colmer
> <philip.colmer(a)linaro.org> wrote:
>
>> dn: cn=module{0}
>> objectClass: olcModuleList
>> cn: module{0}
>> olcModulePath: /usr/lib/ldap
>> olcModuleLoad: {0}back_hdb
>>
>> olcModulePath, if defined, is referenced INSTEAD OF any environment
>> variables like PATH or LD_LIBRARY_PATH.
>>
>> /usr/lib/ldap is the Ubuntu path. The new location is
>> /usr/local/libexec/ldap. Since I can't edit the ldif file, I put in a
>> symbolic link.
>
>
> Huh? Why didn't you just use ldapmodify to modify it? Or, slapcat your
> cn=config db, fix it in the LDIF, and reload it?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Architect - Server
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
9 years, 9 months