openldap-technical September 2013

openldap-technical@openldap.org

72 participants
78 discussions

configure: error: BDB/HDB: BerkeleyDB not available
by Mónico Briseño 11 Sep '13

11 Sep '13

Hi, all. I decided to install openldap release 2.4.36 from tarball file with BerkeleyDB support. According openldap documentation I downloaded and installed Berkeley DB release 6.0 I configured the configure script as follows: CPPFLAGS="-I/usr/local/BerkeleyDB.6.0/include" LDFLAGS="-L/usr/local/BerkeleyDB.6.0/lib" export CPPFLAGS LDFLAGS ./configure --enable-sql Sadly, I have the following error: configure: error: BDB/HDB: BerkeleyDB not available Any idea? How I did wrong? TIA -- M.S. José M. Briseño Cortés Universidad de Guadalajara Instructional Technologist Univ. Houston Moodle Teacher Certificate NTCM, IACEP, iNACOL, ACM member

3 2

OLC (online config error)
by pramod kulkarni 11 Sep '13

11 Sep '13

I am trying to establish online config for openLDAP on windows but I am getting this below error how to make online config 5230324d ldif_write_entry: could not put entry file for "cn=config" in place: Invalid argument 5230324d config_build_entry: build "cn=config" failed: "(null)" 5230324d backend_startup_one (type=config, suffix="cn=config"): bi_db_open failed! (-1) my slapd.conf file database config rootdn "cn=admin,cn=config" rootPw config I did slapd test slapd -T test -f slapd.conf -F slapd.d waiting for your response Regards, Pramod

2 1

ppolicy I need help
by Jacques Foucry 10 Sep '13

10 Sep '13

Hello experts, I tried to enable ppolicy on a test openldap server. As I read I first create an OU policies with the default cn # LDIF Export for cn=default,ou=policies,dc=example,dc=com # Server: My Slave LDAP Server (ldap://localhost) # Search Scope: base # Search Filter: (objectClass=*) # Total Entries: 1 # # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on September 10, 2013 2:10 pm # Version: 1.2.0.5 version: 1 # Entry 1: cn=default,ou=policies,dc=example,dc=com dn: cn=default,ou=policies,dc=example,dc=com cn: default objectclass: top objectclass: device objectclass: pwdPolicy objectclass: pwdPolicyChecker pwdallowuserchange: TRUE pwdattribute: userPassword pwdcheckmodule: mmc-check-password.so pwdcheckquality: 0 pwdexpirewarning: 600 pwdfailurecountinterval: 0 pwdgraceauthnlimit: 5 pwdinhistory: 5 pwdlockout: TRUE pwdlockoutduration: 0 pwdmaxage: 90 pwdmaxfailure: 5 pwdminlength: 8 pwdmustchange: TRUE pwdsafemodify: FALSE and add it to my base. I also added the ppolicy schema, the module load and the overlay include /etc/ldap/schema/ppolicy.schema moduleload ppolicy.la overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=example,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout In /etc/ldap/ldap.conf I change pam_lookup_policy yes I restarted slapd and change my own client to use my test open ldap server. And it seems working. But suddenly I was not able to do a sudo, change my passwd or login in another session. I checked the log of my server and found Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 ENTRY dn="cn=jacques foucry,ou=people,dc=example,dc=com" Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" method=128 Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0 Sep 10 16:17:22 ldap-slave slapd[1672]: ppolicy_bind: Entry cn=Jacques Foucry,ou=People,dc=example,dc=com has an expired password: 0 grace logins Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 RESULT tag=97 err=49 text= Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND anonymous mech=implicit ssf=0 Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND dn="" method=128 Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 RESULT tag=97 err=0 text= So I added to my user some attributes. First the OU pwdPolicy (with userPassord as attribute) then pwdAllowUserChange, pwdGraceAuthNLimit (and put 7 on it) PwdLockout (false) pwdLockoutDuration (0) pwdMustChange (true) pwdSafeModify(true). I still have the same error. So there is something I misunderstood. Can some on explain what's wrognand how can I correct it? Thanks in advance for your help, Best regards, Jacques Foucry -- Jacques Foucry *NOVΛSPARKS * IT Manager Tel : +33 (0)1 42 68 12 61 jacques.foucry(a)novasparks.com

3 4

Perfect Forward Secrecy
by Dieter Klünter 09 Sep '13

09 Sep '13

Hi, I wonder whether openldap, if compiled with openssl-1.x, will support PFS. http://en.wikipedia.org/wiki/Perfect_forward_secrecy This issue has been discussed on several mailinglists recently. -Dieter -- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E

6 13

Re: SyncRepl Chaining
by espeake＠oreillyauto.com 08 Sep '13

08 Sep '13

From: Quanah Gibson-Mount <quanah(a)zimbra.com> To: espeake(a)oreillyauto.com Date: 09/06/2013 10:42 AM Subject: Re: SyncRepl Chaining --On Friday, September 06, 2013 10:39 AM -0500 espeake(a)oreillyauto.com wrote: > root@tntest-ldap-3:~# ldapwhoami -d -1 -Wx -D > "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" Debug output from ldapwhoami is useless > ldap_bind: Invalid credentials (49) This error can indicate any of a number of things: a) Wrong password b) Acls block the ability to auth to the password c) The DN specified doesn't exist What you would need to provide is the debug output from *slapd* to see which of a, b, or c was the problem. --Quanah -- Here is the olcAcces from the slapcat on the database. Rule {0} should what it is using but becaus eof it not authenticating rule {2} is being applied instead. Here is the slapd debug. Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: conn=1015 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com" Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (userPassword) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_get: [1] attr userPassword Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => acl_mask: to value by "", (=0) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_mask: no more <who> clauses, returning =0 (stop) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => slap_access_allowed: auth access denied by =0 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: no more rules Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Sep 6 11:01:25 slapd[20347]: last message repeated 3 times Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com" Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: EQUALITY Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 5 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= acl_access_allowed: granted to database root Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (objectClass) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (objectClass) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (uid) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (description) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdPolicySubentry) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (structuralObjectClass) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => test_filter Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: PRESENT Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: search access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= test_filter 6 Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com" Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access to "cn=accesslog" "children" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "structuralObjectClass" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: add access to "reqStart=20130906160125.000000Z,cn=accesslog" "entry" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryUUID) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (creatorsName) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (createTimestamp) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdHistory) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (pwdHistory) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (userPassword) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdChangedTime) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (pwdFailureTime) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (pwdFailureTime) Sep 6 11:01:25 slapd[20347]: last message repeated 33 times Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryCSN) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryCSN" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (modifiersName) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifiersName" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (modifyTimestamp) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifyTimestamp" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (entryDN) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryDN" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (entryDN) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (subschemaSubentry) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "subschemaSubentry" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (subschemaSubentry) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (hasSubordinates) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "hasSubordinates" requested Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result was in cache (hasSubordinates) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: <= root access granted Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: read access granted by manage(=mwrscxd) Sep 6 11:01:25 tntest-ldap-1 slapd[20347]: => access_allowed: result not in cache (objectClass) Sep 6 11:01:25 tntest-ldap-1 rsyslogd-2177: imuxsock begins to drop messages from pid 20347 due to rate-limiting Sep 6 11:01:27 tntest-ldap-1 rsyslogd-2177: imuxsock lost 116 messages from pid 20347 due to rate-limiting Thanks, Eric This message has been scanned for viruses and dangerous content, and is believed to be clean. Message id: CA5BC600DE5.AFB93 This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

3 10

Log service time?
by Покотиленко Костик 08 Sep '13

08 Sep '13

Hi, Is there a way to log the time each operation took? I have strange CPU load (~200%) with just ~15 operations per second. SRCH is >90% of all operations. All attributed involved in search a indexed (many single attribute indexes, ~30). The point is to find which search operations a taking long time to develop a solution.

7 22

Slapd High CPU usage on Solaris 9
by Luca Polidoro 08 Sep '13

08 Sep '13

Hello, I am writing to to submit a case that has been happening in the last 2 weeks in our infrastructure. This is structured as follows: 1 provider: Solaris 9 SPARC - Sun Fire V490 - last OS patch level CPU: 4-1500 Mhz RAM: 32 GB OpenLDAP version used: Berkeley DB 2.4.23 and 4.8.30 (with database bdb) all 64-bit 18 consumer: Solaris 9 SPARC - last OS patch level with different types of features (CPU, RAM) On the following consumer products: Consumer 1: Solaris 9 SPARC - Sun Fire 480R - last OS patch level CPU: 4-900 Mhz RAM: 8 GB Consumer 2: Solaris 9 SPARC - Sun Fire 480R - last OS patch level CPU: 4-1050 Mhz RAM: 8 GB Consumer 3: Solaris 9 SPARC - Sun Fire 480R - last OS patch level CPU: 4-1050 Mhz RAM: 8 GB Consumer 4: Solaris 9 SPARC - Sun Fire V210 - last OS patch level CPU: 2-1336 Mhz RAM: 8 GB we are noticing an increase in the cpu used by the slapd process. In fact, the process is constantly between 85% and 95%, and became completely unusable and then we are forced to restart. LDAP with 1.000.000 objects. This is the consumer's slapd.conf (I have omitted parts of the ACL, includes, etc..): # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # # # VERSION v2 - Digital Tru64 # allow bind_v2 Some include ... # # tuning parameters - START # ------------------------------ # conn_max_pending 1000 conn_max_pending_auth 1000 idletimeout 500 sizelimit unlimited threads 8 timelimit 500 disallow bind_anon # # tuning parameters - END # ---------------------------- # ... ####################################################################### # bdb database definitions ####################################################################### database bdb suffix "xxxxxxxxxxxx" rootdn "cn=root,ou=ldapusers,xxxxx" directory /var/openldap-2.4.23_64/var/openldap-data #####disallow limit for syncuser limits dn.children="ou=syncusers,xxxx" size=unlimited index objectClass,entryCSN,entryUUID eq index ou eq,sub,subinitial,subany,subfinal index uidOwner eq index uid eq index memberUid eq #shm_key 1100 cachesize 1000000 cachefree 10000 dncachesize 1000000 idlcachesize 1000000 searchstack 16 checkpoint 1024 10 overlay ppolicy ppolicy_default "cn=Standard,ou=Policies,xxxx" ppolicy_use_lockout ############################SYNCREPL CONF syncrepl rid=011 provider=ldap://xxxxxx type=refreshAndPersist interval=00:00:15:00 retry="15 10 120 +" searchbase="xxxxx" filter="(objectClass=*)" attrs="*,+" scope=sub schemachecking=on bindmethod=simple binddn="xxxxxx" credentials=xxxx ############################SYNCREPL CONF These are the bdb files: 420M dn2id.bdb 30M entryCSN.bdb 32M entryUUID.bdb 1,4G id2entry.bdb 18M memberUid.bdb 4,9M objectClass.bdb 5,3M ou.bdb 17M uid.bdb 17M uidOwner.bdb this is DB CONFIG: ----------------------------------------------------------- ########################################## ########################################### #set_cachesize 0 300000000 10 #set_lg_regionmax 262144 #set_lg_bsize 2097152 ########################################### ########################################### # replaces lockdetect directive #set_lk_detect DB_LOCK_EXPIRE set_lk_detect DB_LOCK_DEFAULT # uncomment if dbnosync required #AGGIUNTO TUTTO #set_flags DB_TXN_WRITE_NOSYNC ####AGGIUNTO set_flags DB_LOG_AUTOREMOVE # multiple set_flags directives allowed # sets max log size = 5M (BDB default=10M) set_lg_max 25242880 set_lg_dir /var/openldap-2.4.23_64/logs set_cachesize 2 274726912 1 # sets a database cache of 5M and # allows fragmentation # does NOT replace slapd.conf cachesize # this is a database parameter #txn_checkpoint 128 15 0 # replaces checkpoint in slap.conf # writes checkpoint if 128K written or every 15 mins # 0 = no writes - no update set_lk_max_locks 2500 set_lk_max_lockers 2500 set_lk_max_objects 2500 --------------------------------------------------- We have tried to change the number of threads bringing them to 16, we lowered the parameters idletimeout and timelimit, but without result. Appreciate your feedback. Thanks, Luca

3 4

Re: Problem pwdChangedTime
by felas 07 Sep '13

07 Sep '13

The problem is i have this LDIF file with this attribute pwdChangedTime, and because that i have a error to import this file LDIF. 2013/9/6 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Friday, September 06, 2013 9:50 PM +0200 felas <felas85(a)gmail.com> > wrote: > > > I try to add ppolicy.ldif to my schema, but no success. >> >> >> how i can do to resolve this problem? >> > > add ppolicy.ldif with success > > You need to be more detailed about how you tried to add the schema, to > start with. > > --Quanah > > > -- > > Quanah Gibson-Mount > Lead Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

RE: Antw: Re: Log service time?
by Chris Jacobs 06 Sep '13

06 Sep '13

You left off the part where I remind that he was looking for information - specifically how to get said information: "If the information Casper requested isn't available, say so. If it is, how would he get it?" As it stands now, his initial question remains unanswered, with the only guidance being "upgrade"; which lacking anything else he is running with in the blind hope it makes things faster (his actual issue, not his questions). That's really the meat of my response/addition to this conversation, and it's been simply side stepped again. -----Original Message----- From: Michael Ströder [mailto:michael@stroeder.com] Sent: Friday, September 06, 2013 2:16 PM To: Chris Jacobs Cc: openldap-technical(a)openldap.org Subject: Re: Log service time? Chris Jacobs wrote: > Michael: I cannot tell if you're being sarcastic or not, so, I'm running > with your words: I'm completely serious. > Software isn't developed in a vacuum - when truly useful, it's intended use > it to be used and it cannot be used sans distros (in any realistic > production operation; sure you can compile everything from source and > create StroderOS). Are you sarcastic here? Serious: Using packages from a Linux distribution is the normal case and works fine mostly for cases where you don't use very advanced features of a given software. If you experience certain bugs in a software packaged by your distro then build a newer distro package of that software. Yes, that's work but it's worth the effort if the component is really important for your infrastructure. This is about getting real control over important components. > While you may be blessed with using whatever software, > from whatever source you desire, with any (or no) support available, many > system administrators are under edicts and must work within the policies > and instructions of their company. Policies and instructions are always subject to controlled change process. If you don't have a change process then your policies are missing a very essential part. > SOX is a big deal at any organization that is publicly traded or works with > government entities. Be assured that I'm quite aware of what it means to run systems governed by lots of policies. > The support model of essentially "it's not the latest; go away until you update (compile it)" isn't helpful. Do you have a support contract with the OpenLDAP community? Everything here is community effort. If you insist on getting commercial-grade support model then pay people providing support (e.g. buy Symas' build for your favourite OS platform). > Quanah: "I would highly advise upgrading to a current release (2.4.36) and > switching to back-mdb." While I personally agree that Quanah should not just write "yuck" because of someone is using back-hdb (given that back-mdb is really usable just since 2.4.36) he's right in pointing out that someone should try to reproduce issues with the latest release first before asking. Ciao, Michael. This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

4 4

Problem pwdChangedTime
by felas 06 Sep '13

06 Sep '13

Hi, i have this ldif file to import, but i have this error: pwdChangedTime: attribute type undefined I try to add ppolicy.ldif to my schema, but no success. how i can do to resolve this problem?

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2013