openldap-technical September 2013

openldap-technical@openldap.org

72 participants
78 discussions

Building LMDB for Windows 64bits
by Alain 29 Sep '13

29 Sep '13

I am not an expert at this, so I might be doing things incorrectly. I used Mingw x86_64 to build LMDB (just changed the CC in the Makefile). I had an issue with srandom and random in the test programs and switch to rand instead. Now I can build successfully and make test runs mtest successfully. Now if I try one of the other mtest[2-5] or mtest itself, I get sporadic segmentation fault. If I wait long enough it will always work, but running the programs in a kind of loop guarantees a seg fault error. I wanted to try running with gdb but it seems that it doesn't ship with cygwin for Mingw. Using standard gdb gives me a 193 error. Again this is getting past my expertise here. Has anyone successfully build LMDB for Windows and can help here. Cheers, Alain

3 4

Re: Re: Slapd permission issues
by Gary Slopsema 28 Sep '13

28 Sep '13

> I guess AppArmor is blocking you. If I'm right, dmesg(1) will show some > audit messages that confirm it. Look at /etc/apparmor.d/usr.sbin.slapd > for the rules it follows. You are correct. > You could work around AppArmor, either by copying or hard-linking > /usr/sbin/slapd somewhere else and running it from there, This works perfectly. Thanks very much!

1 0

Changing domain name
by Jukka Tuominen 28 Sep '13

28 Sep '13

Hi all, I'm in the process of changing the domain name of a kerberos/openafs/openldap server on ubuntu 10.04 LTS. ldap provides the user metadata such as homedir location, user and group id, etc. The server itself remains the same as well as the IP number. Actually I cloned it, so I can still access the old, working instance (only one server running at any time, since the IP is the same). I followed instructions telling to 1) export the old data... slapcat -v -l ldap.diff 2) replace the old domain instances with the new ones using gedit 3) remove the old data rm -rf /var/lib/ldap/* 4) import the updated data back slapadd -l new-ldap.diff 5) and restore dir permissions chown -R openldap:openldap /var/lib/ldap/* However, whereas the export went seemingly fine, importing and manipulating the new data required to point the specific slapd.conf file. E.g. slapadd or slapindex without -f /etc/ldap/slapd.conf would raise an error: Available database(s) do not allow [action]. Basic commands like id, ldapsearch -x or slapcat return empty content without errors. All the /etc/ .confs have been updated, and should point to the new domain name. Any idea what could cause this and how to fix it? br, jukka

2 3

Re: Synchronous or asynchronous replication
by Stephan Fabel 27 Sep '13

27 Sep '13

On Friday, September 27, 2013 11:07:48 PM Quanah Gibson-Mount wrote: > Again, you need to run a current release if you want to do MMR. Period. No > amount of tuning the DB is going to fix this particular problem. If building debs is the issue, Symas offers supported ones. Just sayin'... -Stephan

1 0

Synchronous or asynchronous replication
by espeake＠oreillyauto.com 27 Sep '13

27 Sep '13

We have a 3 node N-Way Multi master set running 2.4.31. I have been looking and trying to find a way to have asynchronous replication because synchronous replication is not required and we believe is actually slowing us down. I read in one article that by default n-way multi-master was doing asynchronous replication. But then another article kind of mucked that up. I ran through all of my db files with db_stat to get the internal pages and page size to be sure that my DB_Config was set with a large enough paging space and from my calculations it has more than enough. Not enough to cache the entire db, but enough. So how can I be sure that we are using asynchronous replication with the n-way mulri master configuration. Thank you, Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

2 5

Password Policy Overlay Logging
by Fuhs, David 27 Sep '13

27 Sep '13

We implemented the password policy overlay for the purpose of enabling automatic account lockouts after a certain number of failed binds during a certain time span. Testing shows it works as expected, however it does no logging no matter what loglevel I set. Management would like to know how often automated lockouts are occurring, on which accounts, and where the connections are coming from (i.e., normal connection logging records the IP address). Is there any way to make this happen without having to directly query the underlying database (do you have an example query for that?) or run a cron job every minute to search on an attribute (pwdAccountLockedTime) that rarely shows up in a user record (such a search maxes out CPU)? If this is not possible currently, is there some way to make this an enhancement request for a future release? Any suggestions appreciated. Thanks. David

1 0

Slapd permission issues
by Gary Slopsema 27 Sep '13

27 Sep '13

Hello, I'm trying to run slapd as a non-root user and am having difficulties. As part of a test suite for a library I'm working on, I'd like to automate starting and stopping slapd with various configs, with relatively-pathed config files, etc. I'm having an issue running slapd with a custom config "slapd.conf" that's not located at /etc/ldap/slapd.conf. Example: ==================== vagrant@lucid64:~/slapd$ pwd /home/vagrant/slapd vagrant@lucid64:~/slapd$ ls -l total 8 drwxr-xr-x 2 vagrant vagrant 4096 2013-09-27 21:14 schema -rw-r--r-- 1 vagrant vagrant 440 2013-09-27 21:15 slapd.conf vagrant@lucid64:~/slapd$ sudo slapd -h ldap://localhost:10000 -d 2048 -f slapd.conf @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $ buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd could not open config file "slapd.conf": Permission denied (13) slapd stopped. connections_destroy: nothing to destroy. ==================== The problem is with the "Permission denied": why can't slapd read slapd.conf? But if I copy the same slapd.conf to /etc/ldap, I get ==================== vagrant@lucid64:~/slapd$ ls -l /etc/ldap/ total 20 -rw-r--r-- 1 root root 245 2011-12-19 17:19 ldap.conf drwxr-xr-x 2 root root 4096 2011-12-19 17:19 sasl2 drwxr-xr-x 2 root root 4096 2013-09-27 20:26 schema -rw-r--r-- 1 root root 440 2013-09-27 21:21 slapd.conf drwxr-x--- 3 openldap openldap 4096 2013-09-27 20:26 slapd.d vagrant@lucid64:~/slapd$ sudo slapd -h ldap://localhost:10000 -d 2048 -f /etc/ldap/slapd.conf @(#) $OpenLDAP: slapd 2.4.21 (Dec 19 2011 15:40:04) $ buildd@allspice:/build/buildd/openldap-2.4.21/debian/build/servers/slapd could not stat config file "./core.schema": No such file or directory (2) slapd stopped. connections_destroy: nothing to destroy. ==================== which doesn't run (I have relative schema directives in the config file) but at least slapd can read the file. Note that using an absolute path in the first example has the same result; feeding in a non-existent file gives a different error ("could not stat"). Also, I'm using sudo above just to ease things along; eventually it'll run as a normal user. I'm running Ubuntu Lucid 64-bit. Am I missing something obvious? Thanks, Gary

2 1

cn=config chaining
by Jancewicz, Russell 26 Sep '13

26 Sep '13

Hello, I have been trying to configure my slave ldap servers to send changes to the master servers. >From what I have been able to understand from previous mailing lists and various google searches I need to configure and olcUpdateref on the salve and then add the chaining overlay (I think it should be on the olcDatabase{-1}frontend database from everything I have read however slaptest using openldap-2.4.36 slapd-chain2.conf as the seed generates the overlay atop of the declared database…) Everything I have been trying results in a failure: ldap_modify: Server is unwilling to perform (53) additional info: operation restricted I cannot for the life of me figure out what needs to be done to enable this. Any help would be appreciated, my ldifs are included below. -Russell J. Jancewicz University of Connecticut dn: olcDatabase={1}mdb,cn=config … olcUpdateref: ldap://master.example.com … dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain olcChainCacheURI: FALSE olcChainMaxReferralDepth: 1 olcChainReturnError: FALSE dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: ldap olcDbURI: "ldap://master.example.com" olcDbStartTLS: start starttls=no olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=admin,dc=example,dc=com" credentials="<SECRET>" keepalive=0:0:0 olcDbIDAssertAuthzFrom: * olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0

3 6

Other system use port 636 connect LDAP Server Error
by Tian Zhiying 26 Sep '13

26 Sep '13

Hi In ldap server(localhost) , I execute the below command , it ok. # ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W But in other linux system is not ok, below is the error info: # ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W ldap_bind: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed LDAP Server is Centos 5.8 64 OS, iptables serverice is closed state. What is the cause? You have any Suggestions? Thanks. Tian Zhiying

5 7

contextCSN values and MMR
by Michael Ströder 26 Sep '13

26 Sep '13

HI! Are contextCSN values on all replicas really in sync if changes were correctly replicated? I've implemented a monitoring check used with normal MMR setup (OpenLDAP 2.4.35, own build on Debian Squeeze) which also checks the contextCSN values on all replicas compared by server-id. Sometimes we observe, even in isolated tests, that contextCSN values for a certain server-id differ for quite a while (up to hours) even though the changes coming from that server were definitely replicated to all other replicas. After a while the contextCSN values get suddenly updated. Unfortunately this does not always happen. Any hint is highly appreciated. Ciao, Michael.

4 19

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2013