Multimaster OpenLDAP - LDAP failed to start
by Arantza Serrano
Hello,
I have multimaster OpenLDAP servers. One of them is not running and when I
try to start it I get this error:
Starting ldap...Done.
Failed.
/opt/zimbra/bin/ldap: line 50: kill: (4375) - No such process
/opt/zimbra/bin/ldap: line 50: kill: (6219) - No such process
/opt/zimbra/bin/ldap: line 50: kill: (6231) - No such process
/opt/zimbra/bin/ldap: line 50: kill: (6242) - No such process
/opt/zimbra/bin/ldap: line 50: kill: (6253) - No such process
/opt/zimbra/bin/ldap: line 50: kill: (6264) - No such process
/opt/zimbra/bin/ldap: line 50: kill: (6275) - No such process
Failed to start slapd. Attempting debug start to determine error.
5446fc53 <= mdb_index_read: failed (-30798)
5446fc53 <= mdb_index_read: failed (-30798)
res_errno: 0, res_error: <>, res_matched: <>
res_errno: 0, res_error: <>, res_matched: <>
5446fc53 <= mdb_index_read: failed (-30798)
5446fc53 <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair
found (-30798)
5446fc53 <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair
found (-30798)
slapd: ./../../../libraries/liblmdb/mdb.c:2282: mdb_txn_commit: Assertion
`oldpg_txnid <= env->me_pgstate.mf_pglast' failed.
What can I do to solve the problem?
Thanks
7 years, 8 months
Re: Seems that syncprov holds up LMDB's reclaiming while handling syncrepl requests.
by Леонид Юрьев
I will submit the ITS with a patch.
Now it is being tested.
Leonid.
2014-10-20 21:30 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Wednesday, October 15, 2014 10:47 PM +0400 Леонид Юрьев <leo(a)yuriev.ru>
> wrote:
>
>> Under heavy load conditions with syncrepl a lot of FreeDB records are
>> generated, without any other reading activity. It is really a lot, up to
>> 90% of DB space; a sample is below.
>>
>> I assume that the bugfix of ITS#7904 does not affect the syncprov
>> overlay and syncrepl.
>> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7904
>
>
> Provide a test case that triggers the behavior.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
7 years, 8 months
LDAP searches hang after returning results...
by Jeff Lebo
OpenLDAP server set up as a pass-through to AD on the backend.
When doing a traffic dump on the connection between OpenLDAP and the AD server, I see OpenLDAP make the search request, the AD server responds with the results, then it just hangs there for about 90 seconds before the OpenLDAP server sends an unbind request to AD.
This is causing the external application to timeout.
Any idea what is causing this?
7 years, 8 months
Modifying schemas
by Côme BERNIGAUD
Hello,
If I do
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config"
"cn=*" cn
I can see in the resulting list:
# {18}applications-fd, schema, config
dn: cn={18}applications-fd,cn=schema,cn=config
cn: {18}applications-fd
But if I use an ldif trying to modify this I get:
modifying entry "cn={18}applications-fd,cn=schema,cn=config"
ldap_modify: No such object (32)
I can see in /etc/ldap/slapd.d/cn=config/cn=schema that the file is
named cn={19}applications-fd.ldif so I tried with 19 instead of 18 in
the ldif and I get:
modifying entry "cn={19}applications-fd,cn=schema,cn=config"
ldap_modify: No such object (32)
matched DN: cn=schema,cn=config
Which seems worse. I'm wondering if there is not a numbering problem
with schemas due to a previous dirty delete of a schema (stopping slapd,
deleting the file and starting slapd), but it still is weird that slapd
would list the schema but not find it for modification.
Côme
7 years, 8 months
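The mismatch Côme describes (slapd reports `{18}applications-fd`, the slapd.d file is named `{19}`) can be checked for the whole schema tree rather than one entry at a time. The following is an added example, not code from the poster or from the OpenLDAP project: it takes the LDIF that `ldapsearch -b cn=schema,cn=config "cn=*" cn` prints and the filenames under `slapd.d/cn=config/cn=schema`, and reports every schema whose live ordering index differs from its filename or that exists on only one side. The LDIF text and the file list below are constructed to mirror the thread.

```python
"""Reconcile the {N} ordering index slapd reports for each cn=config schema
entry with the index in the matching slapd.d filename.

Added example; the LIVE_LDIF text and ON_DISK listing are constructed, not
taken from a real server.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config "cn=*" cn`
LIVE_LDIF = """\
dn: cn={0}core,cn=schema,cn=config
cn: {0}core

dn: cn={1}cosine,cn=schema,cn=config
cn: {1}cosine

dn: cn={18}applications-fd,cn=schema,cn=config
cn: {18}applications-fd
"""

# Constructed sample of `ls /etc/ldap/slapd.d/cn=config/cn=schema`
ON_DISK = [
    "cn={0}core.ldif",
    "cn={1}cosine.ldif",
    "cn={19}applications-fd.ldif",
    "cn={20}stale-schema.ldif",
]

RDN_RE = re.compile(r"^cn=\{(\d+)\}([^,]+)")
FILE_RE = re.compile(r"^cn=\{(\d+)\}(.+)\.ldif$")


def live_indexes(ldif_text: str) -> Dict[str, int]:
    """Schema name -> {N} index as the running slapd reports it (from dn: lines)."""
    out: Dict[str, int] = {}
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            m = RDN_RE.match(line[4:])
            if m:
                out[m.group(2)] = int(m.group(1))
    return out


def disk_indexes(filenames: Iterable[str]) -> Dict[str, int]:
    """Schema name -> {N} index taken from the slapd.d filename."""
    out: Dict[str, int] = {}
    for name in filenames:
        m = FILE_RE.match(name)
        if m:
            out[m.group(2)] = int(m.group(1))
    return out


def reconcile(live: Dict[str, int], disk: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (schema name, description) for every disagreement between the two views."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(set(live) | set(disk)):
        if name not in disk:
            findings.append((name, f"live index {{{live[name]}}} but no file on disk"))
        elif name not in live:
            findings.append((name, f"file index {{{disk[name]}}} but slapd does not list it"))
        elif live[name] != disk[name]:
            findings.append((name, f"live {{{live[name]}}} != file {{{disk[name]}}}"))
    return findings


if __name__ == "__main__":
    for name, why in reconcile(live_indexes(LIVE_LDIF), disk_indexes(ON_DISK)):
        print(f"{name}: {why}")
```

The DN that slapd reports is the one `ldapmodify` must target, since the server's in-memory cn=config is what answers the request; a filename that disagrees with it, or a file slapd does not list at all, is the kind of drift that hand-editing slapd.d (the "dirty delete" in the post) leaves behind.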
username syntax for bind/auth
by Jeff Lebo
So I've got everything working with my OpenLDAP passthrough to AD... one last thing (I think).
Is there a way to make OpenLDAP accept username(a)domain.com instead of the full DN?
7 years, 8 months
LDAP Replica TLS problem
by Elmopi, Stefano
Hi,
I'm having trouble running the LDAP replica with TLS; without TLS, all
works!!
Provider and Consumer are identical
CentOS release 6.5
rpm -qa | grep ldap
openldap-clients-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64
Provider config, file cn\=config.ldif
olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem
olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL
olcTLSVerifyClient: never
Consumer config:
olcSyncrepl: {0}rid=000
provider=ldap://ldpsoc01devpom.sociale.it
starttls=yes
type=refreshonly
retry="5 5 300 +"
searchbase="dc=example,dc=it"
attrs="*,+"
bindmethod=simple
binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it"
credentials=xxxxxxx
interval=60
and, in /etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/certs/ldapscert.pem
TLS_REQCERT never
the certificate is self-signed
On the slave, if I try the following command:
ldapsearch -ZZ -x -H ldap://ldpsoc01devpom -D
'uid=xxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it' -W
'objectclass=*' -v
everything is ok but when I try to use TLS in replication, the process goes
wrong.
In the Provider log:
connection_get(16)
connection_get(16): got connid=1030
connection_read(16): checking for input on id=1030
connection_read(16): TLS accept failure error=-1 id=1030, closing
connection_closing: readying conn=1030 sd=16 for close
connection_close: conn=1030 sd=16
daemon: activity on 1 descriptor
daemon: activity on:
In the Consumer log:
slapd[6508]: =>do_syncrepl rid=000
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning,
ldap_start_tls failed (-11)
slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it
DN="uid=bind_replica,ou=admin_bind,ou=utenze_amministratori,dc=sociale,dc=it"
ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=000 rc -1 retrying (3 retries left)
daemon: activity on 1 descriptor
daemon: activity on:
Help, I do not know where to turn!!!!
Thanks
Ing. Stefano Elmopi
Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165
tel. 0657060500
email:stefano.elmopi@sociale.it
--
"Pursuant to and for the purposes of the law on the protection of personal data
(Legislative Decree 196/2003),
the information contained in this e-mail is confidential and intended
for business/work use, excluding any personal use;
as such, it is therefore reserved exclusively for the addressees indicated above.
It is forbidden to read, copy, use or disseminate the content of this e-mail
without authorisation.
If you have received this e-mail in error, please return it to the sender.
Thank you"
7 years, 8 months
POODLE SSLv3 downgrade attack
by Howard Chu
You've probably all heard about this "new" attack several times by now. Just
to confirm what's already been stated - this attack only affects HTTP browsers
that deliberately break the TLS handshake protocol to allow using older SSL
versions. It does not affect LDAP software at all.
Also, since version 2.4.14 (released February 2009), OpenLDAP has supported
TLSProtocolMin slapd config and LDAP_TLS_PROTOCOL_MIN client config directives
for selecting the minimum version of SSL/TLS to allow. As this feature has
been available for over 5 years there is no reason for any OpenLDAP
deployments to be using SSLv3 today.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 8 months
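Stefano's replication setup and Howard's note on `TLSProtocolMin` concern the same handful of settings: whether the consumer insists on TLS (`starttls=yes` versus `critical`), whether it verifies the provider's certificate (`tls_reqcert` in the syncrepl stanza, falling back to `TLS_REQCERT` in ldap.conf), and whether the provider pins a minimum protocol version. The linter below is an added example for both posts, not code from either poster or from the OpenLDAP project. The configuration strings it checks are constructed; the hostnames, DNs, paths and the `credentials=secret` value are placeholders.

```python
"""Lint the TLS side of an OpenLDAP syncrepl consumer and its provider.

Added example; every configuration string below is constructed and the
names in them are placeholders.
"""
import shlex
from typing import Dict, List

# Constructed consumer settings in slapd.conf(5) syncrepl syntax.
SYNCREPL_WEAK = (
    'rid=000 provider=ldap://provider.example.test starttls=yes '
    'type=refreshonly retry="5 5 300 +" searchbase="dc=example,dc=it" '
    'bindmethod=simple binddn="uid=replica,dc=example,dc=it" credentials=secret'
)
SYNCREPL_OK = (
    'rid=000 provider=ldap://provider.example.test starttls=critical '
    'tls_reqcert=demand tls_cacert=/etc/openldap/certs/ca.pem '
    'type=refreshonly searchbase="dc=example,dc=it" '
    'bindmethod=simple binddn="uid=replica,dc=example,dc=it" credentials=secret'
)

# Constructed /etc/openldap/ldap.conf: supplies the defaults a stanza does not override.
LDAP_CONF_WEAK = "TLS_CACERT /etc/openldap/certs/ca.pem\nTLS_REQCERT never\n"

# Constructed olcTLS* attributes of the provider's cn=config entry.
PROVIDER_WEAK = {"olcTLSVerifyClient": "never"}
PROVIDER_OK = {"olcTLSProtocolMin": "3.1", "olcTLSVerifyClient": "never"}


def parse_kv(value: str) -> Dict[str, str]:
    """Split 'key=value key="quoted value"' into a dict; shlex keeps quoted spaces."""
    out: Dict[str, str] = {}
    for tok in shlex.split(value):
        key, _, val = tok.partition("=")
        out[key.lower()] = val
    return out


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf(5) is 'KEYWORD value' per line; comments start with #."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                out[parts[0].upper()] = parts[1]
    return out


def lint_consumer(syncrepl: str, ldap_conf: str) -> List[str]:
    """Findings for one syncrepl stanza, with ldap.conf supplying unset TLS options."""
    kv = parse_kv(syncrepl)
    defaults = parse_ldap_conf(ldap_conf)
    findings: List[str] = []
    provider = kv.get("provider", "")
    starttls = kv.get("starttls", "no").lower()
    encrypted = provider.startswith("ldaps://") or starttls in ("yes", "critical")
    if not encrypted:
        findings.append("replication traffic is cleartext (no ldaps:// and no starttls)")
        if kv.get("bindmethod", "simple").lower() == "simple":
            findings.append("simple bind credentials cross the wire unencrypted")
    if starttls == "yes":
        findings.append("starttls=yes continues without TLS if StartTLS fails; use starttls=critical")
    # tls_reqcert in the stanza overrides TLS_REQCERT from ldap.conf; libldap defaults to demand
    reqcert = (kv.get("tls_reqcert") or defaults.get("TLS_REQCERT", "demand")).lower()
    if encrypted and reqcert in ("never", "allow"):
        findings.append(f"effective tls_reqcert={reqcert}: provider certificate is not verified")
    return findings


def lint_provider(attrs: Dict[str, str]) -> List[str]:
    """Findings for the provider's olcTLS* settings."""
    findings: List[str] = []
    proto = attrs.get("olcTLSProtocolMin")
    if proto is None:
        findings.append("olcTLSProtocolMin unset: minimum protocol version left to library default")
    else:
        major, minor = (int(x) for x in proto.split("."))
        if (major, minor) < (3, 1):  # 3.0 is SSLv3, 3.1 is TLS 1.0
            findings.append(f"olcTLSProtocolMin {proto} still admits SSLv3")
    return findings


if __name__ == "__main__":
    for f in lint_consumer(SYNCREPL_WEAK, LDAP_CONF_WEAK) + lint_provider(PROVIDER_WEAK):
        print("weak:", f)
```

With a self-signed provider certificate, the way to keep verification on is to point `tls_cacert` (or `TLS_CACERT`) at that same certificate and leave `tls_reqcert=demand`, rather than setting `TLS_REQCERT never`; the linter treats `never` and `allow` as the unverified cases and accepts `try` and `demand`.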
bdb_equality_candidates: (cn) not indexed
by Gremaud Cyrill
Hi list!
I just have a 3-way multi-master replication with OpenLDAP for cn=config and HDB. Sometimes in the log, I have this error/warning:
<= bdb_equality_candidates: (cn) not indexed
How can I fix it? Just add olcDbIndex cn eq??? And my second question is why does this warning occur? Thanks a lot for your response.
cyrill gremaud
7 years, 8 months
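The warning is logged when a search filter uses a match type (here equality on `cn`) for which the attribute has no index, so the backend cannot narrow the candidate set and scans instead. Rather than answering one attribute at a time, the added example below (not code from the poster or from the OpenLDAP project) aggregates every `<= *_candidates: (attr) not indexed` line in a log excerpt into the index types each attribute needs and emits the `olcDbIndex` modification for them. The log lines, the `olcDatabase={1}hdb,cn=config` DN and the pre-existing `mail pres` index are constructed; the DN must be the real database entry.

```python
"""Turn slapd '... not indexed' warnings into the olcDbIndex change that
removes them.

Added example; SAMPLE_LOG, EXISTING and DB_DN are constructed placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, Set

# Constructed log excerpt; the first line mirrors the post. bdb_, hdb_ and
# mdb_ backends log the same message shape.
SAMPLE_LOG = """\
Oct 20 10:01:02 ldap1 slapd[1234]: <= bdb_equality_candidates: (cn) not indexed
Oct 20 10:01:02 ldap1 slapd[1234]: <= bdb_equality_candidates: (cn) not indexed
Oct 20 10:01:05 ldap1 slapd[1234]: <= bdb_substring_candidates: (mail) not indexed
Oct 20 10:01:09 ldap1 slapd[1234]: <= bdb_equality_candidates: (mail) not indexed
Oct 20 10:01:11 ldap1 slapd[1234]: <= bdb_presence_candidates: (memberOf) not indexed
Oct 20 10:01:12 ldap1 slapd[1234]: conn=1000 op=1 SRCH base="dc=example,dc=com"
"""

# Constructed: olcDbIndex values already present, keyed by attribute, verbatim.
EXISTING = {"mail": "mail pres"}
DB_DN = "olcDatabase={1}hdb,cn=config"  # placeholder, use the real database entry

# candidate-function name part -> olcDbIndex keyword
KIND_TO_INDEX = {"equality": "eq", "substring": "sub", "presence": "pres", "approx": "approx"}
NOT_INDEXED = re.compile(
    r"<= \w+_(equality|substring|presence|approx)_candidates: \((\S+)\) not indexed"
)


def missing_indexes(log_text: str) -> Dict[str, Set[str]]:
    """Attribute -> set of index types that searches asked for but did not find."""
    wanted: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = NOT_INDEXED.search(line)
        if m:
            wanted[m.group(2)].add(KIND_TO_INDEX[m.group(1)])
    return dict(wanted)


def build_index_ldif(missing: Dict[str, Set[str]], existing: Dict[str, str], db_dn: str) -> str:
    """ldapmodify LDIF adding the missing types, merging with any existing value."""
    out = [f"dn: {db_dn}", "changetype: modify"]
    for attr in sorted(missing):
        types = set(missing[attr])
        if attr in existing:
            # slapd does not accept a second olcDbIndex value for an attribute
            # that already has one, so the old value is removed and a merged
            # value added in its place.
            types |= set(existing[attr].split(None, 1)[1].split(","))
            out += ["delete: olcDbIndex", f"olcDbIndex: {existing[attr]}", "-"]
        out += ["add: olcDbIndex", f"olcDbIndex: {attr} {','.join(sorted(types))}", "-"]
    return "\n".join(out) + "\n"


def proposed_change() -> str:
    """The LDIF for the constructed sample, as the script would print it."""
    return build_index_ldif(missing_indexes(SAMPLE_LOG), EXISTING, DB_DN)


if __name__ == "__main__":
    print(proposed_change(), end="")
```

Feed the output to `ldapmodify` against cn=config, then confirm the warning stops appearing for that attribute and that existing entries are covered by the new index (run `slapindex` for the attribute if they are not). In a multi-master setup that also replicates cn=config, the change propagates to the other servers.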
Problem with chain overlay
by Elmopi, Stefano
Hi,
I have a problem with the configuration of the Chain Overlay.
Provider and Consumer are identical
CentOS release 6.5
rpm -qa | grep ldap
openldap-clients-2.4.23-34.el6_5.1.x86_64
openldap-2.4.23-34.el6_5.1.x86_64
apr-util-ldap-1.3.9-3.el6_0.1.x86_64
nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
pam_ldap-185-11.el6.x86_64
openldap-servers-2.4.23-34.el6_5.1.x86_64
On the Consumer I imported the ldif file:
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: FALSE
and I created the file.
/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={1}chain.ldif
and after that I cannot understand what to do. I've read a few things on
the internet but have not been able to arrive at a solution.
I tried to import the ldif file:
dn: olcDatabase=ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://ldpsoc01devpom.sociale.it"
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical
bindmethod=simple timeout=0 network-timeout=0
binddn="uid=pippo,ou=admin_esercizio,ou=Utenze_Amministratori,dc=sociale,dc=it"
credentials="*******" keepalive=0:0:0
olcDbIDAssertAuthzFrom: *
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
olcDbTFSupport: no
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 16
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
but when I try to import it, I get the following error
ldapadd -d 5 -H ldap://localhost:389 -x -W -D "cn=admin,cn=config" -f
chaing_entry.ldif
res_errno: 32, res_error: <>, res_matched:
<olcDatabase={-1}frontend,cn=config>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_add: No such object (32)
matched DN: olcDatabase={-1}frontend,cn=config
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed
I do not know what to do!!!!
My problem is that I use the Consumer LDAP for authentication of some
applications,
and if a user fails the password more than 5 times, it should be
blocked, but since the Consumer LDAP is read-only, the locking is not done!!!
HELP!!!
Ing. Stefano Elmopi
Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165
tel. 0657060500
email:stefano.elmopi@sociale.it
--
7 years, 8 months
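The `ldapadd` failure above is explained by its matched DN: `noSuchObject (32)` with `matched DN: olcDatabase={-1}frontend,cn=config` means the running slapd knows the frontend database but has no `olcOverlay={1}chain` entry under it, so the chain database entry has no parent to hang from; a file written directly into slapd.d does not by itself make the entry exist in the live tree. The pre-flight below is an added example, not code from the poster or from the OpenLDAP project: given the DNs the server currently holds and an LDIF batch, it reports each entry whose parent is neither live nor added earlier in the same file, together with the ancestor slapd would name as matched DN. The live-tree listing and both LDIF batches are constructed.

```python
"""Pre-flight a cn=config LDIF batch: each entry's parent must already be
live or be added earlier in the same file, or ldapadd returns
noSuchObject (32) with matched DN set to the deepest ancestor that exists.

Added example; LIVE_TREE and the LDIF strings are constructed.
"""
import re
from typing import Iterable, List, Set, Tuple

# Constructed: DNs that `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn`
# might return on the consumer before any chain configuration is loaded.
LIVE_TREE = {
    "cn=config",
    "olcDatabase={-1}frontend,cn=config",
    "olcDatabase={0}config,cn=config",
    "olcDatabase={1}hdb,cn=config",
}

# Constructed: the chain database entry on its own, as in the post.
LDIF_WITHOUT_PARENT = """\
dn: olcDatabase=ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://provider.example.test"
"""

# Constructed: overlay entry first, then the database entry beneath it.
LDIF_WITH_PARENT = """\
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldap://provider.example.test"
"""

ORDER_RE = re.compile(r"=\{-?\d+\}")


def normalize(dn: str) -> str:
    """Lower-case and drop slapd's {N} ordering prefixes; for comparison only.

    The batch may write olcOverlay=chain while slapd stores olcOverlay={0}chain.
    Dropping the prefix makes both compare equal; it is approximate when two
    siblings share a name and differ only in {N}.
    """
    return ORDER_RE.sub("=", dn).replace(", ", ",").lower()


def parent_of(dn: str) -> str:
    """cn=config DNs contain no escaped commas, so a plain split is enough here."""
    return dn.split(",", 1)[1] if "," in dn else ""


def parse_dns(ldif_text: str) -> List[str]:
    """Entry DNs in file order (plain 'dn:' lines; base64 'dn::' is not handled)."""
    return [line[4:].strip() for line in ldif_text.splitlines() if line.startswith("dn: ")]


def preflight(ldif_text: str, live_tree: Iterable[str]) -> List[Tuple[str, str]]:
    """(entry DN, deepest existing ancestor) for each entry whose parent is missing."""
    known: Set[str] = {normalize(d) for d in live_tree}
    problems: List[Tuple[str, str]] = []
    for dn in parse_dns(ldif_text):
        parent = parent_of(dn)
        if normalize(parent) in known:
            known.add(normalize(dn))  # later entries in the batch may sit under it
            continue
        ancestor = parent
        while ancestor and normalize(ancestor) not in known:
            ancestor = parent_of(ancestor)  # walk up to what slapd would report
        problems.append((dn, ancestor))
    return problems


if __name__ == "__main__":
    for dn, matched in preflight(LDIF_WITHOUT_PARENT, LIVE_TREE):
        print(f"{dn}\n  parent missing; server would match: {matched}")
```

Loading the overlay entry and the database entry through `ldapadd` in that order, rather than creating files under slapd.d by hand, keeps the on-disk tree and the live tree in step; the pre-flight only tells you which parent is absent, not why.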
Seems that syncprov holds up LMDB's reclaiming while handling syncrepl requests.
by Леонид Юрьев
Under heavy load conditions with syncrepl a lot of FreeDB records are
generated, without any other reading activity. It is really a lot, up to
90% of DB space; a sample is below.
I assume that the bugfix of ITS#7904 does not affect the syncprov
overlay and syncrepl.
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7904
Which is the best way to verify this and fix?
Could anybody point me to the code?
Leonid.
---
Environment Info
Map address: (nil)
Map size: 2000000000
Page size: 4096
Max pages: 488281
Number of pages used: 480301
Last transaction ID: 1485433
Tail transaction ID: 1485433
Max readers: 126
Number of readers used: 0
Freelist Status
Tree depth: 3
Branch pages: 8
Leaf pages: 1121
Overflow pages: 1
Entries: 28991
Page Allocation Info
Max pages: 488281 100%
Number of pages used: 480301 98.4%
Remained: 7980 1.6%
Used now: 33397 6.8%
Free pages: 446904 91.5%
Reading: 9 0.0%
Reclaimable: 446895 91.5%
Available: 454875 93.2%
Status of Main DB
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 0
Entries: 6
7 years, 8 months