Building LMDB for Windows 64bits
by Alain
I am not an expert at this, so I might be doing things incorrectly.
I used Mingw x86_64 to build LMDB (just changed the CC in the Makefile). I
had an issue with srandom and random in the test programs and switch to
rand instead. Now I can build successfully and make test runs mtest
successfully.
Now if I try one of the other mtest[2-5] or mtest itself, I get sporadic
segmentation fault. If I wait long enough it will always work, but running
the programs in a kind of loop guarantees a seg fault error.
I wanted to try running with gdb but it seems that it doesn't ship with
cygwin for Mingw. Using standard gdb gives me a 193 error. Again this is
getting past my expertise here.
Has anyone successfully build LMDB for Windows and can help here.
Cheers,
Alain
10 years
Re: Re: Slapd permission issues
by Gary Slopsema
> I guess AppArmor is blocking you. If I'm right, dmesg(1) will show some
> audit messages that confirm it. Look at /etc/apparmor.d/usr.sbin.slapd
> for the rules it follows.
You are correct.
> You could work around AppArmor, either by copying or hard-linking
> /usr/sbin/slapd somewhere else and running it from there,
This works perfectly. Thanks very much!
10 years
Changing domain name
by Jukka Tuominen
Hi all,
I'm in the process of changing the domain name of a
kerberos/openafs/openldap server on ubuntu 10.04 LTS. ldap provides the
user metadata such as homedir location, user and group id, etc. The server
itself remains the same as well as the IP number. Actually I cloned it, so
I can still access the old, working instance (only one server running at
any time, since the IP is the same).
I followed instructions telling to
1) export the old data...
slapcat -v -l ldap.diff
2) replace the old domain instances with the new ones using gedit
3) remove the old data
rm -rf /var/lib/ldap/*
4) import the updated data back
slapadd -l new-ldap.diff
5) and restore dir permissions
chown -R openldap:openldap /var/lib/ldap/*
However, whereas the export went seemingly fine,
importing and manipulating the new data required to point the specific
slapd.conf file. E.g. slapadd or slapindex without -f /etc/ldap/slapd.conf
would raise an error:
Available database(s) do not allow [action].
Basic commands like id, ldapsearch -x or slapcat return empty content
without errors. All the /etc/ .confs have been updated, and should point
to the new domain name.
Any idea what could cause this and how to fix it?
br, jukka
10 years
Re: Synchronous or asynchronous replication
by Stephan Fabel
On Friday, September 27, 2013 11:07:48 PM Quanah Gibson-Mount wrote:
> Again, you need to run a current release if you want to do MMR. Period. No
> amount of tuning the DB is going to fix this particular problem.
If building debs is the issue, Symas offers supported ones.
Just sayin'...
-Stephan
10 years
Synchronous or asynchronous replication
by espeake@oreillyauto.com
We have a 3 node N-Way Multi master set running 2.4.31. I have been
looking and trying to find a way to have asynchronous replication because
synchronous replication is not required and we believe is actually slowing
us down. I read in one article that by default n-way multi-master was
doing asynchronous replication. But then another article kind of mucked
that up. I ran through all of my db files with db_stat to get the internal
pages and page size to be sure that my DB_Config was set with a large
enough paging space and from my calculations it has more than enough. Not
enough to cache the entire db, but enough.
So how can I be sure that we are using asynchronous replication with the
n-way mulri master configuration.
Thank you,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
10 years
Password Policy Overlay Logging
by Fuhs, David
We implemented the password policy overlay for the purpose of enabling automatic account lockouts after a certain number of failed binds during a certain time span. Testing shows it works as expected, however it does no logging no matter what loglevel I set.
Management would like to know how often automated lockouts are occurring, on which accounts, and where the connections are coming from (i.e., normal connection logging records the IP address).
Is there any way to make this happen without having to directly query the underlying database (do you have an example query for that?) or run a cron job every minute to search on an attribute (pwdAccountLockedTime) that rarely shows up in a user record (such a search maxes out CPU)?
If this is not possible currently, is there some way to make this an enhancement request for a future release?
Any suggestions appreciated.
Thanks.
David
10 years
Slapd permission issues
by Gary Slopsema
Hello,
I'm trying to run slapd as a non-root user and am having difficulties. As
part of a test suite for a library I'm working on, I'd like to automate
starting and stopping slapd with various configs, with relatively-pathed
config files, etc.
I'm having an issue running slapd with a custom config "slapd.conf" that's
not located at /etc/ldap/slapd.conf. Example:
====================
vagrant@lucid64:~/slapd$ pwd
/home/vagrant/slapd
vagrant@lucid64:~/slapd$ ls -l
total 8
drwxr-xr-x 2 vagrant vagrant 4096 2013-09-27 21:14 schema
-rw-r--r-- 1 vagrant vagrant 440 2013-09-27 21:15 slapd.conf
vagrant@lucid64:~/slapd$ sudo slapd -h ldap://localhost:10000 -d 2048 -f
slapd.conf
@(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $
buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
could not open config file "slapd.conf": Permission denied (13)
slapd stopped.
connections_destroy: nothing to destroy.
====================
The problem is with the "Permission denied": why can't slapd read
slapd.conf?
But if I copy the same slapd.conf to /etc/ldap, I get
====================
vagrant@lucid64:~/slapd$ ls -l /etc/ldap/
total 20
-rw-r--r-- 1 root root 245 2011-12-19 17:19 ldap.conf
drwxr-xr-x 2 root root 4096 2011-12-19 17:19 sasl2
drwxr-xr-x 2 root root 4096 2013-09-27 20:26 schema
-rw-r--r-- 1 root root 440 2013-09-27 21:21 slapd.conf
drwxr-x--- 3 openldap openldap 4096 2013-09-27 20:26 slapd.d
vagrant@lucid64:~/slapd$ sudo slapd -h ldap://localhost:10000 -d 2048 -f
/etc/ldap/slapd.conf
@(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $
buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd
could not stat config file "./core.schema": No such file or directory (2)
slapd stopped.
connections_destroy: nothing to destroy.
====================
which doesn't run (I have relative schema directives in the config file)
but at least slapd can read the file.
Note that using an absolute path in the first example has the same result;
feeding in a non-existent file gives a different error ("could not stat").
Also, I'm using sudo above just to ease things along; eventually it'll run
as a normal user.
I'm running Ubuntu Lucid 64-bit.
Am I missing something obvious?
Thanks,
Gary
10 years
cn=config chaining
by Jancewicz, Russell
Hello,
I have been trying to configure my slave ldap servers to send changes to the master servers.
>From what I have been able to understand from previous mailing lists and various google searches I need to configure and olcUpdateref on the salve and then add the chaining overlay (I think it should be on the olcDatabase{-1}frontend database from everything I have read however slaptest using openldap-2.4.36 slapd-chain2.conf as the seed generates the overlay atop of the declared database…)
Everything I have been trying results in a failure:
ldap_modify: Server is unwilling to perform (53)
additional info: operation restricted
I cannot for the life of me figure out what needs to be done to enable this.
Any help would be appreciated, my ldifs are included below.
-Russell J. Jancewicz
University of Connecticut
dn: olcDatabase={1}mdb,cn=config
…
olcUpdateref: ldap://master.example.com
…
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: FALSE
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://master.example.com"
olcDbStartTLS: start starttls=no
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,dc=example,dc=com" credentials="<SECRET>" keepalive=0:0:0
olcDbIDAssertAuthzFrom: *
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbSessionTrackingRequest: FALSE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbOnErr: continue
olcDbKeepalive: 0:0:0
10 years
Other system use port 636 connect LDAP Server Error
by Tian Zhiying
Hi
In ldap server(localhost) , I execute the below command , it ok.
# ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W
But in other linux system is not ok, below is the error info:
# ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
LDAP Server is Centos 5.8 64 OS, iptables serverice is closed state. What is the cause?
You have any Suggestions? Thanks.
Tian Zhiying
10 years
contextCSN values and MMR
by Michael Ströder
HI!
Are contextCSN values on all replicas really in sync if changes were correctly
replicated?
I've implemented a monitoring check used with normal MMR setup (OpenLDAP
2.4.35, own build on Debian Squeeze) which also checks the contextCSN values
on all replicas compared by server-id.
Sometimes we observe, even in isolated tests, that contextCSN values for a
certain server-id differ for quite a while (up to hours) even though the
changes coming from that server were definitely replicated to all other
replicas. After a while the contextCSN values get suddenly updated.
Unfortunately this does not always happen.
Any hint is highly appreciated.
Ciao, Michael.
10 years