mdb grows to olcDbMaxsize if searched before syncrepl completes.
by Jancewicz, Russell
I am experiencing strange behavior when running an mdb database, as compared to the same system configured with hdb.
If I conduct any queries while the server is receiving its initial data via syncrepl, it stops receiving new entries and the data.mdb file balloons to the olcDbMaxsize value.
I have tried adjusting configuration settings, but regardless this continues to occur. Is this to be expected with mdb?
It should be noted that if I wait for the entire database to replicate I can query the database fine and the size of data.mdb does not change.
Furthermore if new changes are propagated down to the replica the issue does not arise.
Any help would be appreciated.
Please find below configuration ldifs and version information.
-Russell J. Jancewicz
University of Connecticut
Version:
@(#) $OpenLDAP: slapd 2.4.35 (Jun 17 2013 12:21:32) $
My olcDatabaseConfig:
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /srv/ldap/example.com
olcSuffix: dc=example,dc=com
olcRootDN: dc=example,dc=com
olcRootPW: secret
olcDbMaxsize: 4294967296
olcDbNoSync: FALSE
olcReadOnly: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: default pres,eq
olcAccess: to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by * break
olcAccess: to * by * none
olcSyncrepl: rid=101 provider=ldap://replica0.ldap.example.com starttls=critical bindmethod=simple binddn="dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 +"
olcSyncrepl: rid=102 provider=ldap://replica1.ldap.example.com starttls=critical bindmethod=simple binddn="dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" type=refreshAndPersist retry="5 5 300 +"

# {1}memberof, {1}hdb, config
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
10 years, 4 months
caseIgnoreMatch for Country String
by Maucci, Cyrille
Hello gurus,
When I have this piece of schema included in my slapd.conf file...
attributetype ( 1.3.6.1.4.1.11.11.1.1.1.1.402
    NAME ( 'TestCountryString' 'TestCountryStringSyn' )
    DESC 'Test Country String'
    EQUALITY caseIgnoreMatch
    ORDERING caseIgnoreOrderingMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
    SINGLE-VALUE )
... my 2.4.32 slapd -Tt complains with this error:
line 8 attributetype: AttributeType inappropriate matching rule: "caseIgnoreMatch".
My understanding of http://tools.ietf.org/html/rfc4517 is that caseIgnoreMatch is valid for country string:
"The caseIgnoreMatch rule compares an assertion value of the Directory
String syntax to an attribute value of a syntax (e.g., the Directory
String, Printable String, Country String, or Telephone Number syntax)
whose corresponding ASN.1 type is DirectoryString or one of its
alternative string types."
Could you confirm whether this is a bug in OpenLDAP or simply a misunderstanding on my part?
Thanks in advance
++Cyrille
10 years, 4 months
RE: configuring monitor database in SLES11 SP2
by Dieter Klünter
Hi,
On Wed, 10 Jul 2013 16:09:17 +0200,
"Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> Hi!
>
> I wonder how to configure the monitor database with dynamic
> configuration in general, and then specifically for SLES11 SP2
> (possibly slapd isn't configured for that, but I'm not sure). The
> docs still describe the slapd.conf-way...
First check if back-monitor is statically built in:
/usr/lib/openldap/slapd -VVV
if so, slapadd
dn
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
10 years, 4 months
High load times with mdb
by Bill MacAllister
With the release of Debian 7 (wheezy) I was rebuilding a couple test
systems and was surprised to find that the load times I am seeing for
populating the mdb database with slapd have gone up dramatically. The
load for a master server that was taking about 10 minutes just took
35 minutes. The slave is worse. A normal load time is 20 minutes
and it is at 31 minutes now with an eta of about 2.5 hours. These
systems are using OpenLDAP 2.4.35.
Here are some relevant bits from the configuration.
dn: cn=config
olcToolThreads: 2
dn: olcDatabase={2}mdb,cn=config
olcDbCheckpoint: 1024 5
olcDbEnvFlags: writemap
olcDbEnvFlags: nometasync
olcDbNoSync: FALSE
olcDbMaxSize: 85899345920
The systems are Dell r610s with 16 gbyte of memory. Our database
is currently 3.2G on the master server.
I have been loading wheezy/2.4.35 databases for weeks now in
preparation for upgrading the OS and installing the new version of OpenLDAP
on our production servers. This is the first time I have seen this.
I fiddled with the hardware enough to the point I don't think it is
a hardware problem. There is not really much tuning to do with mdb
and I would appreciate some suggestions for what to look at next.
Bill
--
Bill MacAllister
Infrastructure Delivery Group, Stanford University
10 years, 4 months
"No such object" error with translucent overlay and base scope search
by Steve Eckmann
We found that we get a "No such object" error from the translucent overlay when we do a search like this:
ldapsearch -x -H ldaps://localhost -LLL \
-b "cn=John Doe,ou=Users,dc=example,dc=com" -s base \
-D "cn=admin,dc=example,dc=com" -w admin \
'(&)'
if there is no entry for "cn=John Doe,ou=Users,dc=example,dc=com" in the local database, whether or not the remote entry exists. It seems like a mistake for the translucent overlay to report an error if the remote entry exists, since it only means that we haven't added any local attributes yet. Is there a way to suppress the error result when the proxied server returns an entry, so we don't have to hack around this weirdness in our client?
Thanks.
Steve
10 years, 4 months
configuring monitor database in SLES11 SP2
by Ulrich Windl
Hi!
I wonder how to configure the monitor database with dynamic configuration in general, and then specifically for SLES11 SP2 (possibly slapd isn't configured for that, but I'm not sure). The docs still describe the slapd.conf-way...
Regards,
Ulrich
10 years, 4 months
Need Help on ACL
by pradyumna dash
Hi,
Need a help related to ACL.
I need to setup some basic ACL for LDAP,
I need Manager only should have access to the entire tree both read and
write
and only users under ou=operation can have a read only access to the tree.
Currently I don't have any ACL in the slapd.conf file.
Would be great if you can share the ACL.
Please help.
Regards,
/Pradyumna
10 years, 4 months
unable to add ppolicy_overlay.ldif
by Michael Roth
I'm using Ubuntu 12.04 server running OpenLDAP-2.4.28.
I'm following this tutorial
HERE<http://raerek.blogspot.com/2012/09/openldap-password-policy-on-ubuntu-120...>
When I get to the step to add the ppolicy_overlay.ldif
I get this error:
ldapadd -x -D "cn=admin,cn=config" -w secret -f ppolicy_overlay.ldif
adding new entry "olcOverlay={1}ppolicy,olcDatabase={1}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: User Schema load failed for attribute "pwdAttribute".
Error code 17: attribute type undefined
What could the issue be?
future thanks!
10 years, 4 months
Mirror mode replication breaks at times.
by Pradyumna
Hi,
I have configured mirror mode replication. It's 2 nodes. Everything works fine, but if I don't work on the server for say 30/40 mins or so and then try to add or delete any users or groups, it doesn't get replicated to the other node. I am not getting any error in the logs, and if I restart the slapd service it syncs again and gives the expected results. I have the same setup in the test environment and it works like a charm; the only difference in this setup is that the 2 servers are hosted in 2 different, geographically separated DCs, whereas in test they are in the same DC.
I am using the OpenLDAP version which comes by default with RHEL 6.3. If it had been a version issue, then I should have expected the same result in test as well? Please help.
Regards,
/Pradyumna
10 years, 4 months