a few MDB questions
by Brent Bice
I'm trying out the mdb backend before converting several of our LDAP
servers to it and have a few questions I haven't found answers to yet.
Firstly, I found when I spun up an instance using MDB that I
couldn't have more than 1000 leaf nodes. It appears when I tried to
create the 1001st leaf node, one of the earlier nodes disappeared. Is
this a known limitation or just a config option I don't see in the
slapd-mdb man page? Right now my config just contains:
database mdb
maxsize 2147483648
suffix "dc=mysuffix,dc=com"
rootdn "cn=Manager,dc=sgi,dc=com"
rootpw myrootpw
directory /data/ldap/instance-v1.4/var/openldap-data
[... a bunch of indexes ...]
checkpoint 1024000 60
The total size of the DB was only 412 megs so far, and each of the three
branches in the DB appeared to be limited at 1000 leaf nodes, so I don't
think I was just hitting a maxsize limit.
Which leads me to the 2nd question... The maxsize option (according
to what I've read) is the maximum size of the database in bytes. But it
looks to me like the biggest value I can specify is 4G, the biggest
value for an unsigned long. Would this be because the system I'm testing on
is a 32-bit version of Linux? (unsigned long is only 4 bytes, whereas on
a 64-bit OS unsigned longs are 8 bytes)
I can just switch to a 64-bit system, easy-peasy. But I'm not sure
why I seem to be limited to 1000 leaf nodes.
Brent
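Whether the 1001st entry really displaced an earlier one in the database, or is merely not being shown, can be checked against a slapcat export: slapcat writes every entry in the database with no search size limit, so counting entries in its output reflects what is actually stored rather than what a GUI or a sizelimit-bound search returns. The script below is an added example and not part of the post; the suffix is the one in the post's config, the branch names ou=People and ou=Groups are assumed, and the LDIF it counts is constructed inside the script.

```python
"""Count the direct children of each branch in a slapcat LDIF export.

Added example, not part of the original post. The suffix is the one in the
post's config; the branch names and the LDIF itself are constructed here.
"""
import base64
from collections import Counter

SUFFIX = "dc=mysuffix,dc=com"                               # from the post's config
BRANCHES = ["ou=People," + SUFFIX, "ou=Groups," + SUFFIX]   # assumed branch names


def parse_ldif_dns(ldif_text):
    """Return the DN of every record in an LDIF text.

    Unfolds continuation lines (leading space) and decodes base64 DNs
    ('dn:: ...'), both of which slapcat emits for long or non-ASCII DNs.
    """
    dns = []
    for record in ldif_text.strip().split("\n\n"):
        unfolded = record.replace("\n ", "")
        for line in unfolded.split("\n"):
            if line.startswith("dn:: "):
                dns.append(base64.b64decode(line[5:]).decode("utf-8"))
                break
            if line.startswith("dn: "):
                dns.append(line[4:])
                break
    return dns


def parent_dn(dn):
    """Drop the leftmost RDN. Naive comma split: an RDN containing an
    escaped comma ('cn=Doe\\, John') would need a real DN parser."""
    return dn.split(",", 1)[1] if "," in dn else ""


def count_children(dns, branches):
    """Map each branch DN to the number of entries directly below it.
    DNs are compared case-insensitively, as the directory does."""
    wanted = {b.lower(): b for b in branches}
    counts = Counter()
    for dn in dns:
        branch = wanted.get(parent_dn(dn).lower())
        if branch is not None:
            counts[branch] += 1
    return {b: counts[b] for b in branches}


def make_sample_ldif(n_people, n_groups):
    """Constructed slapcat-style export: suffix entry, two OUs, leaf entries."""
    records = ["dn: %s\nobjectClass: dcObject\nobjectClass: organization\n"
               "dc: mysuffix\no: Example" % SUFFIX]
    for ou in ("People", "Groups"):
        records.append("dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s"
                       % (ou, SUFFIX, ou))
    for n in range(n_people):
        records.append("dn: uid=user%d,%s\nobjectClass: inetOrgPerson\n"
                       "uid: user%d\nsn: User\ncn: User %d" % (n, BRANCHES[0], n, n))
    for n in range(n_groups):
        # one base64 DN so the 'dn::' branch of the parser is exercised
        dn = "cn=group%d,%s" % (n, BRANCHES[1])
        dn_line = ("dn:: " + base64.b64encode(dn.encode()).decode()) if n == 0 else "dn: " + dn
        records.append("%s\nobjectClass: groupOfNames\ncn: group%d\nmember: uid=user0,%s"
                       % (dn_line, n, BRANCHES[0]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # On a real server: slapcat -l export.ldif, then feed the file to parse_ldif_dns.
    for branch, n in count_children(parse_ldif_dns(make_sample_ldif(1200, 3)), BRANCHES).items():
        print("%-30s %d" % (branch, n))
```

If the per-branch count from the export is above 1000 while the GUI shows exactly 1000, the entries are present and the 1000 is a display or search limit, not a backend limit; if the export also stops at 1000, the entries are really gone from the database.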
schema extension trouble
by Horatiu Nimigean
Greetings,
I have $OpenLDAP: slapd 2.4.23 on CentOS 6.4 installed and I need to
extend the schema to fit my setup.
All I need is to add to my users in ou People a simple boolean attribute
named vpnStatus that I want to be the basis upon which users are given
VPN access or not.
I created /etc/openldap/schema/local.schema containing
> attributetype ( 1.2.3.4.5.6.7.000.1
> NAME 'accountStatus'
> DESC 'boolean - defines if user has access to vpn'
> EQUALITY booleanMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
> SINGLE-VALUE )
The OID is randomly picked.
I restarted slapd without error but I can't find this attribute
anywhere. I have Apache Directory Studio, used for editing, and LAM as a
web GUI, and I can't find it there either.
I'm a bit confused.
Then I tried to export this attribute as LDIF (using Apache DS) and
import it using CLI tools:
>
> ldapadd -x -W -h 127.0.0.1 -D "cn=Manager,dc=example,dc=com" -f
> /tmp/vpnSchema.ldif
>
> Enter LDAP Password:
> adding new entry "cn=vpnSchema, ou=schema"
> ldap_add: Invalid syntax (21)
> additional info: objectclass: value #0 invalid per syntax
What do I need to do?
Error message with memberof overlay
by Sylvain
Hi!
In my logs, I saw a lot of lines like this (we have a poor script which
refreshes the base with delete/add primitives):
memberof_value_modify DN="uid=v6971,ou=people,dc=xxx,dc=com" delete
memberOf="cn=VAC,ou=groups,dc=xxx,dc=com" failed err=16
I can reproduce the problem with a small LDIF :
# 1st part
dn: uid=V6971,ou=people,dc=xxx,dc=com
changetype: delete

dn: uid=V6971,ou=people,dc=xxx,dc=com
changetype: add
objectClass...

# 2nd part
dn: cn=VAC,ou=groups,dc=xxx,dc=com
changetype: delete

dn: cn=VAC,ou=groups,dc=xxx,dc=com
changetype: add
objectClass...
In the logs (shown below), we saw that the problem occurs only on the delete of
cn=VAC, but if I reduce the LDIF to that (2nd part), I no longer have the
problem!? I don't understand...
Here are the logs with the whole LDIF:
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 fd=32 ACCEPT from IP=
192.168.0.1:48049 (IP=0.0.0.0:389)
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND
dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" method=128
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND
dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" mech=SIMPLE ssf=0
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 RESULT tag=97 err=0
text=
--> Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=1 DEL
dn="cn=VAC,ou=groups,dc=xxx,dc=com"
--> Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1:
memberof_value_modify DN="uid=v6971,ou=people,dc=xxx,dc=com" delete
memberOf="cn=VAC,ou=groups,dc=xxx,dc=com" failed err=16
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1 RESULT tag=107 err=0
text=
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 ADD
dn="cn=VAC,ou=groups,dc=xxx,dc=com"
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 RESULT tag=105 err=0
text=
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 DEL
dn="uid=V6971,ou=people,dc=xxx,dc=com"
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 RESULT tag=107 err=0
text=
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=4 ADD
dn="uid=V6971,ou=people,dc=xxx,dc=com"
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=4 RESULT tag=105 err=0
text=
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=5 UNBIND
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 fd=32 closed
And here are the logs with only the 2nd part of the LDIF:
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 fd=107 ACCEPT from IP=
192.168.0.1:43599 (IP=0.0.0.0:389)
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 BIND
dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" method=128
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 BIND
dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" mech=SIMPLE ssf=0
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=0 RESULT tag=97 err=0
text=
--> Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=1 DEL
dn="cn=VAC,ou=groups,dc=xxx,dc=com"
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=1 RESULT tag=107 err=0
text=
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=2 ADD
dn="cn=VAC,ou=groups,dc=xxx,dc=com"
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=2 RESULT tag=105 err=0
text=
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 op=3 UNBIND
Aug 30 12:06:22 ldap1 slapd[1229]: conn=364437 fd=107 closed
For information, here is the configuration of the memberOf overlay:
dn: olcOverlay={0}memberof, olcDatabase={1}hdb, cn=config
olcMemberOfMemberAD: member
olcMemberOfRefInt: FALSE
olcOverlay: memberof
olcMemberOfDangling: ignore
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcMemberOfMemberOfAD: memberOf
olcMemberOfGroupOC: groupOfNames
We run OpenLDAP 2.4.31 replicated onto another host on Debian Wheezy.
Do you have an idea about the problem?
Thanks,
Sylvain
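One detail in the logs above is worth keeping in mind when monitoring this: op=1 (the DEL of cn=VAC) finishes with RESULT err=0 even though the overlay's own modify of the member entry failed with err=16 (LDAP noSuchAttribute, i.e. the memberOf value to be removed was not present on uid=v6971), so the client never sees the failure and only the log does. The following added example, not from the post, correlates memberof_value_modify failure lines with the operation that triggered them; the sample log lines are the post's, unwrapped onto single lines, and the parsing is a plain regex pass over the text rather than anything from slapd.

```python
"""Correlate slapd memberof_value_modify failures with the triggering operation.

Added example, not from the original post. SAMPLE_LOG holds the post's log
lines unwrapped onto single lines; the regexes below are written for the
default slapd "stats" log format.
"""
import re

OP_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"(?P<type>BIND|ADD|MOD|MODRDN|DEL|SRCH|UNBIND|CMP|EXT)"
    r'(?: dn="(?P<dn>[^"]*)")?')
MEMBEROF_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+): memberof_value_modify "
    r'DN="(?P<entry>[^"]*)" (?P<change>add|delete) '
    r'memberOf="(?P<value>[^"]*)" failed err=(?P<err>\d+)')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=\d+ err=(?P<err>\d+)")

SAMPLE_LOG = """\
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" method=128
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 BIND dn="cn=portail,ou=ldapusers,dc=xxx,dc=com" mech=SIMPLE ssf=0
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=0 RESULT tag=97 err=0 text=
Aug 30 12:01:42 ldap1 slapd[1229]: conn=363692 op=1 DEL dn="cn=VAC,ou=groups,dc=xxx,dc=com"
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1: memberof_value_modify DN="uid=v6971,ou=people,dc=xxx,dc=com" delete memberOf="cn=VAC,ou=groups,dc=xxx,dc=com" failed err=16
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=1 RESULT tag=107 err=0 text=
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 ADD dn="cn=VAC,ou=groups,dc=xxx,dc=com"
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=2 RESULT tag=105 err=0 text=
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 DEL dn="uid=V6971,ou=people,dc=xxx,dc=com"
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=3 RESULT tag=107 err=0 text=
Aug 30 12:01:43 ldap1 slapd[1229]: conn=363692 op=5 UNBIND
"""


def _new_record(conn, op):
    return {"conn": int(conn), "op": int(op), "type": None, "dn": None,
            "result": None, "failures": []}


def correlate_memberof_failures(log_text):
    """Return one record per operation that produced memberof failures.

    Each record carries the operation's type and target DN, the err= of its
    RESULT line (what the client saw), and the memberOf changes the overlay
    could not apply (what only the log shows).
    """
    ops, order = {}, []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if m:
            key = (m["conn"], m["op"])
            if key not in ops:            # BIND is logged twice; keep the first
                ops[key] = _new_record(*key)
                ops[key].update(type=m["type"], dn=m["dn"])
                order.append(key)
            continue
        m = MEMBEROF_RE.search(line)
        if m:
            key = (m["conn"], m["op"])
            if key not in ops:
                ops[key] = _new_record(*key)
                order.append(key)
            ops[key]["failures"].append({"entry": m["entry"], "change": m["change"],
                                         "value": m["value"], "err": int(m["err"])})
            continue
        m = RESULT_RE.search(line)
        if m and (m["conn"], m["op"]) in ops:
            ops[(m["conn"], m["op"])]["result"] = int(m["err"])
    return [ops[k] for k in order if ops[k]["failures"]]


if __name__ == "__main__":
    for rec in correlate_memberof_failures(SAMPLE_LOG):
        print("conn=%d op=%d %s %s -> client saw err=%s, overlay failures: %s"
              % (rec["conn"], rec["op"], rec["type"], rec["dn"], rec["result"],
                 ", ".join("%s %s err=%d" % (f["change"], f["entry"], f["err"])
                           for f in rec["failures"])))
```

Run against a real log, the interesting records are those where "result" is 0 while "failures" is non-empty: those are the operations whose side effects silently failed.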
Re : Re: (ITS#7676) OpenLDAP 2.4.36 slapd crash with "assertion failed" message
by "POISSON Frédéric"
Hello all,
Thanks first for the patch. I have applied it on my own build of 2.4.36, but I now have a strange behavior: slapd does not crash, but it refuses operations.
First, here is the diff after applying the patch:
$ diff ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c ../BUILD/openldap-2.4.36/servers/slapd/bconfig.c.orig
3795d3794
< slap_tls_ctx = NULL;
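Review bot: the diff was taken with the patched bconfig.c as the first argument and bconfig.c.orig as the second, so the `<` lines in this output are what the patch adds, not what it removes; running `diff -u bconfig.c.orig bconfig.c` would make the hunks read the right way round for anyone comparing against the ITS patch. With that read, `slap_tls_ctx = NULL;` only drops the pointer to the previous TLS context, so it is worth confirming on the same path that the old context is released (ldap_pvt_tls_ctx_free) before it is cleared, otherwise every reconfiguration leaks one.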
3804,3808d3802
< } else {
< if ( rc == LDAP_NOT_SUPPORTED )
< rc = LDAP_UNWILLING_TO_PERFORM;
< else
< rc = LDAP_OTHER;
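Review bot: the new else branch overwrites rc before anything records it, mapping LDAP_NOT_SUPPORTED to LDAP_UNWILLING_TO_PERFORM and every other failure to LDAP_OTHER; the `Server is unwilling to perform (53)` reported below for a lone olcTLSRandFile change is therefore the not-supported case, but neither the client nor the log can tell which TLS option produced it or what the original rc was. Suggest logging the incoming rc before the mapping, e.g. `Debug( LDAP_DEBUG_ANY, "TLS config: rc=%d before mapping\n", rc, 0, 0 );`, and attaching a text diagnostic to the result so the rejected option is visible without a debugger.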
Now when I only add or replace the attribute olcTLSRandFile on cn=config I get:
ldap_modify: Server is unwilling to perform (53)
When I replace the following values in this order, with 4 actions/operations or with a single action/operation, it works:
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /usr/products/openldap/etc/openldap-single/tls/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /usr/products/openldap/etc/openldap-single/tls/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /usr/products/openldap/etc/openldap-single/tls/key.pem
-
replace: olcTLSRandFile
olcTLSRandFile: /dev/random
But it doesn't work with only olcTLSRandFile if I do an add or replace first. Why?
What do you need for investigation?
Regards,
PS: Sorry, this is my second post, for better readability...
--
Frederic Poisson
Cannot bind with 2.4.35
by Olivier Nicole
Hi,
I have a small program that I wrote some time back. It authenticates
against an LDAP server.
Linked with the library provided with OpenLDAP 2.3.40 it works fine, but
when I tried to upgrade to 2.4.35, it would not bind anymore.
The LDAP server (on a different machine) has not changed, the version of
my program with the old library is still working fine.
I am getting the error: Can't contact LDAP server
I am using a self-signed CA.
The program is below.
Thank you in advance,
Olivier
/* ldap_bind_s() is a deprecated API in 2.4; LDAP_DEPRECATED must be
   defined before ldap.h is included for its prototype to be visible. */
#define LDAP_DEPRECATED 1
#include <ldap.h>

/* ERROR is an error-handling macro defined elsewhere in the program;
   the placeholder below only lets the fragment build on its own. */
#ifndef ERROR
#define ERROR return i
#endif

/* DN contains the dn and passwd contains the password; they are correct */
int ldap_auth(const char *DN, const char *passwd)
{
    LDAP *ldap = NULL;
    int i, res;

    i = ldap_initialize(&ldap, "ldaps://ldap.x.y.z/");
    if (i != LDAP_SUCCESS) {
        ERROR;
    }
    i = ldap_set_option(ldap, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
    if (i != LDAP_OPT_SUCCESS) {
        ERROR;
    }
    i = ldap_set_option(ldap, LDAP_OPT_RESTART, LDAP_OPT_ON);
    if (i != LDAP_OPT_SUCCESS) {
        ERROR;
    }
    res = LDAP_VERSION3;
    i = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &res);
    if (i != LDAP_OPT_SUCCESS) {
        ERROR;
    }
    i = ldap_bind_s(ldap, DN, passwd, LDAP_AUTH_SIMPLE);
    if (i != LDAP_SUCCESS) {
        if (i == 49) {
            /* bad user or password (LDAP_INVALID_CREDENTIALS) */
        } else if (i == 53) {
            /* empty password (LDAP_UNWILLING_TO_PERFORM) */
        } else {
            /* print ldap_err2string(i) */
            /* this is where I get the error */
        }
    }
    return i;
}
Extending schema problem.
by Mónico Briseño
Hi all. I'm new to using OpenLDAP. I googled all the info related to it. I
decided to extend an LDAP schema, but it didn't work. The error message is
the following:
adding new entry "cn=Gerald W. Cummings,ou=people,dc=example,dc=com"
ldap_add: Undefined attribute type (17)
additional info: businessName: attribute type undefined
I had that error with the following files:
#new object schema
objectClass ( 1.3.6.1.4.1.4203.666.1.100
NAME 'YoLinuxPerson'
DESC 'X-Person'
SUP inetOrgPerson
STRUCTURAL
MAY ( personStatus $ preferredEmail $ mail2 $
businessName $ xmozillanickname $
birthdate $ c )
)
#new attributes
# New attribute definitions:
attributetype ( 1.3.6.1.4.1.4203.666.1.90
NAME 'personStatus'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.91
NAME 'preferredEmail'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.93
NAME 'businessName'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.94
NAME 'xmozillanickname'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
#attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate' SUP name )
Both files are inside the schema folder, with the same rights as the other
files, and the ldap daemon runs without problem.
ldap.conf file
#Global section
##Include the minimum schema required.
include /usr/local/etc/openldap/schema/core.schema
##Added to support the inetOrgPerson object.
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
#testing schemas
include /usr/local/etc/openldap/schema/new-object.schema
include /usr/local/etc/openldap/schema/new-attributes.schema
What did I do wrong?
TIA
--
M.S. José M. Briseño Cortés
Universidad de Guadalajara
Instructional Technologist Univ. Houston
Moodle Teacher Certificate
NTCM, IACEP, iNACOL, ACM member
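Both this post and the "schema extension trouble" post above are cases of a schema file that loads without error and still does not do what was expected, and both are cheap to check mechanically before restarting slapd: slapd resolves the attributes named in an objectClass MUST/MAY against what has been defined up to that point in the include order, an attribute is looked up by the NAME it was declared with, and RFC 4512 requires a numericoid to be decimal arcs with no leading zeros. The checker below is an added example written for this page, not anything from either post or from OpenLDAP; it is a deliberately small reader for the slapd.conf-style attributetype/objectclass syntax. The sample definitions are copied (abridged) from the two posts, and CORE_ATTRS is an assumed stand-in for what core.schema and friends already define.

```python
"""Check slapd schema files for undefined attribute references, NAME
mismatches and malformed OIDs. Added example, not from either post; the
sample definitions are abridged copies of the ones in the posts."""
import re

NUMERICOID = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")   # RFC 4512 numericoid
DEF_RE = re.compile(r"^[ \t]*(attributetype|objectclass)[ \t]*\(",
                    re.IGNORECASE | re.MULTILINE)
CORE_ATTRS = ("c", "mail", "cn", "sn")   # assumed subset of core/cosine/inetorgperson

NEW_OBJECT = """\
#new object schema
objectClass ( 1.3.6.1.4.1.4203.666.1.100
    NAME 'YoLinuxPerson'
    DESC 'X-Person'
    SUP inetOrgPerson
    STRUCTURAL
    MAY ( personStatus $ preferredEmail $ mail2 $
        businessName $ xmozillanickname $
        birthdate $ c )
    )
"""
NEW_ATTRIBUTES = """\
attributetype ( 1.3.6.1.4.1.4203.666.1.90 NAME 'personStatus' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.91 NAME 'preferredEmail' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.93 NAME 'businessName' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
attributetype ( 1.3.6.1.4.1.4203.666.1.94 NAME 'xmozillanickname' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
#attributetype ( 1.3.6.1.4.1.4203.666.1.95 NAME 'birthdate' SUP name )
"""
LOCAL_SCHEMA = """\
attributetype ( 1.2.3.4.5.6.7.000.1
    NAME 'accountStatus'
    DESC 'boolean - defines if user has access to vpn'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
"""


def split_definitions(text):
    """Yield (kind, body) per definition, body without the outer parentheses.
    '#' comment lines are dropped first, as slapd does."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    for m in DEF_RE.finditer(text):
        depth, start = 0, m.end() - 1
        for i in range(start, len(text)):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            if depth == 0:
                yield m.group(1).lower(), text[start + 1:i]
                break


def names_of(body):
    """NAME 'x' or NAME ( 'x' 'y' ) -> ['x', 'y']."""
    m = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", body)
    if not m:
        return []
    return [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))


def attr_refs(body, keyword):
    """MUST/MAY ( a $ b ) or MUST/MAY a -> ['a', 'b']."""
    body = re.sub(r"\bDESC\s+'[^']*'", "", body)      # DESC text may contain keywords
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([A-Za-z][\w-]*))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in raw.split("$") if a.strip()]


def check_schema(files, known=CORE_ATTRS):
    """files: [(filename, text), ...] in slapd.conf include order.
    Returns (lowercased attribute names defined, [(filename, problem), ...])."""
    defined = {a.lower() for a in known}
    problems = []
    for fname, text in files:
        for kind, body in split_definitions(text):
            oid = body.split()[0]
            label = (names_of(body) or [oid])[0]
            if not NUMERICOID.match(oid):
                problems.append((fname, "%s: OID %s is not a valid numericoid" % (label, oid)))
            if kind == "attributetype":
                defined.update(n.lower() for n in names_of(body))
            else:
                for attr in attr_refs(body, "MUST") + attr_refs(body, "MAY"):
                    if attr.lower() not in defined:
                        problems.append((fname, "objectClass %s references undefined attribute %s" % (label, attr)))
    return defined, problems


if __name__ == "__main__":
    # include order as in the post above: object class file before the attributes file
    for fname, problem in check_schema([("new-object.schema", NEW_OBJECT),
                                        ("new-attributes.schema", NEW_ATTRIBUTES)])[1]:
        print(fname, problem)
```

Run with the include order from the post above (object class file first) it reports every custom attribute as undefined at the point the objectClass is parsed; with the attributes file first, only mail2 and the commented-out birthdate remain. Fed the local.schema from the earlier post it lists accountStatus, not vpnStatus, as the defined name, and rejects the OID arc 000.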
Replicate part of cn=config in Multi-Master mode
by Yann Bordenave
Hello,
I am running a multi-master system with 3 nodes, replicating both the main
database and the configuration database.
I want to be able to have local configuration on every single node of my
system.
Is there a way to replicate just a part of the cn=config database and still
be able to modify the other part? As far as I understand, the filter
option in syncrepl allows us to replicate a subtree, but will I be able
to replicate multiple subtrees with one filter?
Thanks for your answers.
--
Yann Bordenave - Intern, R&E Infrastructure
Smartjog S.A.S. - http://www.smartjog.com - Groupe TDF
27 Bd Hippolyte Marques, 94200 Ivry sur Seine, France
Cell : +33.6.68.86.81.61
Limit value count of multivalued attribute?
by Ole
Hi,
I'm searching for a solution to limit the number of values for multivalued
attributes. For example, my users can write a multivalued "mail". But
they should set only 20 mail addresses at most, not 20,000.
Is there a way to do this with overlays?
Regards Ole
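The limit asked about here is what slapo-constraint's count type enforces: an add or modify that would leave the attribute with more than the allowed number of values is refused with constraintViolation (19). The lines below are an added example of the slapd.conf form and are not from the post; the attribute name and the value 20 are the post's, the backend and suffix are placeholders. The overlay checks only operations arriving over LDAP, so entries loaded with slapadd are not validated, and if slapd is built with dynamic modules the overlay has to be loaded with moduleload constraint.la before it can be used.

```conf
# slapd.conf, inside the database section that holds the user entries
# (backend and suffix are placeholders for this example)
database        mdb
suffix          "dc=example,dc=com"

# Cap "mail" at 20 values per entry. With cn=config the same rule is the
# olcConstraintAttribute attribute of an olcConstraintConfig entry.
overlay         constraint
constraint_attribute    mail count 20
```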