openldap-technical October 2014

openldap-technical@openldap.org

69 participants
76 discussions

Multimaster OpenLDAP - LDAP failed to start
by Arantza Serrano 23 Oct '14

23 Oct '14

Hello, I've a multimaster openldap servers. One of them is not running and when I try to start I show this error: Starting ldap...Done. Failed. /opt/zimbra/bin/ldap: line 50: kill: (4375) - No such process /opt/zimbra/bin/ldap: line 50: kill: (6219) - No such process /opt/zimbra/bin/ldap: line 50: kill: (6231) - No such process /opt/zimbra/bin/ldap: line 50: kill: (6242) - No such process /opt/zimbra/bin/ldap: line 50: kill: (6253) - No such process /opt/zimbra/bin/ldap: line 50: kill: (6264) - No such process /opt/zimbra/bin/ldap: line 50: kill: (6275) - No such process Failed to start slapd. Attempting debug start to determine error. 5446fc53 <= mdb_index_read: failed (-30798) 5446fc53 <= mdb_index_read: failed (-30798) res_errno: 0, res_error: <>, res_matched: <> res_errno: 0, res_error: <>, res_matched: <> 5446fc53 <= mdb_index_read: failed (-30798) 5446fc53 <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798) 5446fc53 <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798) slapd: ./../../../libraries/liblmdb/mdb.c:2282: mdb_txn_commit: Assertion `oldpg_txnid <= env->me_pgstate.mf_pglast' failed. What can I do to solve the problem? Thanks

2 2

Re: Seems that syncprov holds up LMDB's reclaiming while handle a syncrepl requests.
by Леонид Юрьев 23 Oct '14

23 Oct '14

I will submit the ITS with a patch. Now it is being tested. Leonid. 2014-10-20 21:30 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>: > --On Wednesday, October 15, 2014 10:47 PM +0400 Леонид Юрьев <leo(a)yuriev.ru> > wrote: > >> Under heavy load conditions with syncrepl a lot of FreeDB records is >> generated, without any other reading activity. Is really a lot, up to >> 90% of DB space, a sample is below. >> >> I assume that the bugfix of ITS#7904 does not affected for syncprov >> overlay and syncrepl. >> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7904 > > > Provide a test case that triggers the behavior. > > --Quanah > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration

1 1

LDAP searches hang after returning results...
by Jeff Lebo 22 Oct '14

22 Oct '14

OpenLDAP server setup as pass-through to AD on the backend. When doing a traffic dump on the connection between OpenLDAP and the AD server, I see OpenLDAP make the search request, the AD server responds with the results, then it just hangs there for about 90 seconds before the OpenLDAP server sends an unbind request to AD. This is causing the external application to timeout. Any idea what is causing this?

3 7

Modifying schemas
by Côme BERNIGAUD 22 Oct '14

22 Oct '14

Hello, If I do sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=schema,cn=config" "cn=*" cn I can see in the resulsting list: # {18}applications-fd, schema, config dn: cn={18}applications-fd,cn=schema,cn=config cn: {18}applications-fd But if I use an ldif trying to modify this I get: modifying entry "cn={18}applications-fd,cn=schema,cn=config" ldap_modify: No such object (32) I can see in /etc/ldap/slapd.d/cn=config/cn=schema that the file is named cn={19}applications-fd.ldif so I tried with 19 instead of 18 in the ldif and I get: modifying entry "cn={19}applications-fd,cn=schema,cn=config" ldap_modify: No such object (32) matched DN: cn=schema,cn=config Which seems worse. I'm wondering if there is not a numbering problem with schemas due to a previous dirty delete of a schema (stopping slapd, deleting the file and starting slapd), but it still is weird that slapd would list the schema but not find it for modification. Côme

2 3

username syntax for bind/auth
by Jeff Lebo 21 Oct '14

21 Oct '14

So I've got everything working with my OpenLDAP passthrough to AD... one last thing (I think). Is there a way to make OpenLDAP accept username(a)domain.com instead of the full DN?

2 2

LDAP Replica TLS problem
by Elmopi, Stefano 21 Oct '14

21 Oct '14

Hi, I'm having trouble to run the replica LDAP with TLS, without TLS, all works !! Provider and Consumer are identical CentOS release 6.5 rpm -qa | grep ldap openldap-clients-2.4.23-34.el6_5.1.x86_64 openldap-2.4.23-34.el6_5.1.x86_64 apr-util-ldap-1.3.9-3.el6_0.1.x86_64 nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64 mod_authz_ldap-0.26-16.el6.x86_64 pam_ldap-185-11.el6.x86_64 openldap-servers-2.4.23-34.el6_5.1.x86_64 Provider config, file cn\=config.ldif olcTLSCACertificateFile: /etc/openldap/certs/ldapscert.pem olcTLSCertificateFile: /etc/openldap/certs/ldapscert.pem olcTLSCertificateKeyFile: /etc/openldap/certs/keys/ldapskey.pem olcTLSCipherSuite: TLSv1+RSA:!EXPORT:!NULL olcTLSVerifyClient: never Consumer config: olcSyncrepl: {0}rid=000 provider=ldap://ldpsoc01devpom.sociale.it starttls=yes type=refreshonly retry="5 5 300 +" searchbase="dc=example,dc=it" attrs="*,+" bindmethod=simple binddn="uid=xxxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it" credentials=xxxxxxx interval=60 and, in /etc/openldap/ldap.conf TLS_CACERT /etc/openldap/certs/ldapscert.pem TLS_REQCERT never the certificate is self-signed On the slave, if I try the following command: ldapsearch -ZZ -x -H ldap://ldpsoc01devpom -D 'uid=xxxxxxx,ou=admin_bind,ou=Utenze_Amministratori,dc=example,dc=it' -W 'objectclass=*' -v everything is ok but when I try to use TLS in replication, the process goes wrong. In the Provider log: connection_get(16) connection_get(16): got connid=1030 connection_read(16): checking for input on id=1030 connection_read(16): TLS accept failure error=-1 id=1030, closing connection_closing: readying conn=1030 sd=16 for close connection_close: conn=1030 sd=16 daemon: activity on 1 descriptor daemon: activity on: In the Consumer log: slapd[6508]: =>do_syncrepl rid=000 slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it Warning, ldap_start_tls failed (-11) slap_client_connect: URI=ldap://ldpsoc01devpom.sociale.it DN="uid=bind_replica,ou=admin_bind,ou=utenze_amministratori,dc=sociale,dc=it" ldap_sasl_bind_s failed (-1) do_syncrepl: rid=000 rc -1 retrying (3 retries left) daemon: activity on 1 descriptor daemon: activity on: Help, I do not know where to turn !!!! Thanks Ing. Stefano Elmopi Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio Via Ostiense 131/L Corpo B, 00154 Roma cell. 3466147165 tel. 0657060500 email:stefano.elmopi@sociale.it -- "Ai sensi e per gli effetti della legge sulla tutela dei dati personali (D.lgs 196/2003), le informazioni contenute nella presente @mail sono di natura riservata e destinate ad un uso aziendale-lavorativo con esclusione di utilizzi ad uso personale; come tali, pertanto, sono riservate esclusivamente ai destinatari sopra indicati. E' proibito leggere, copiare, usare o diffondere il contenuto della presente @mail senza autorizzazione. Se avete ricevuto questa @mail per errore, siete pregati di rispedire la stessa al mittente. Grazie"

4 4

POODLE SSLv3 downgrade attack
by Howard Chu 21 Oct '14

21 Oct '14

You've probably all heard about this "new" attack several times by now. Just to confirm what's already been stated - this attack only affects HTTP browsers that deliberately break the TLS handshake protocol to allow using older SSL versions. It does not affect LDAP software at all. Also, since version 2.4.14 (released February 2009), OpenLDAP has supported TLSProtocolMin slapd config and LDAP_TLS_PROTOCOL_MIN client config directives for selecting the minimum version of SSL/TLS to allow. As this feature has been available for over 5 years there is no reason for any OpenLDAP deployments to be using SSLv3 today. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

6 8

bdb_equality_candidates: (cn) not indexed
by Gremaud Cyrill 21 Oct '14

21 Oct '14

HI list ! I just have a 3-way multi-master replication with openldap for cn=config and HDB. Sometime in the log, I have this error/warning : <= bdb_equality_candidates: (cn) not indexed How can I fix it ? just add olcDbIndex cn eq ??? and my second question is why this warning occurs ? thanks a lot for your response. cyrill gremaud

2 2

Problem with chain overlay
by Elmopi, Stefano 20 Oct '14

20 Oct '14

Hi, I have a problem with the configuration of the Chain Overlay. Provider and Consumer are identical CentOS release 6.5 rpm -qa | grep ldap openldap-clients-2.4.23-34.el6_5.1.x86_64 openldap-2.4.23-34.el6_5.1.x86_64 apr-util-ldap-1.3.9-3.el6_0.1.x86_64 nss-pam-ldapd-0.7.5-18.2.el6_4.x86_64 mod_authz_ldap-0.26-16.el6.x86_64 pam_ldap-185-11.el6.x86_64 openldap-servers-2.4.23-34.el6_5.1.x86_64 On the Consumer I imported the ldif file: dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: chain olcChainCacheURI: FALSE olcChainMaxReferralDepth: 1 olcChainReturnError: FALSE and I created the file. /etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={1}chain.ldif and after that I can not understand what I do. I've read a few things on the internet but have not been able to arrive at a solution, I tried to import the ldif file: dn: olcDatabase=ldap,olcOverlay={1}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: ldap olcDbURI: "ldap://ldpsoc01devpom.sociale.it" olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="uid=pippo,ou=admin_esercizio,ou=Utenze_Amministratori,dc=sociale,dc=it" credentials="*******" keepalive=0:0:0 olcDbIDAssertAuthzFrom: * olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE but what I try to import it, I get the following error ldapadd -d 5 -H ldap://localhost:389 -x -W -D "cn=admin,cn=config" -f chaing_entry.ldif res_errno: 32, res_error: <>, res_matched: <olcDatabase={-1}frontend,cn=config> ldap_free_request (origid 2, msgid 2) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_err2string ldap_add: No such object (32) matched DN: olcDatabase={-1}frontend,cn=config ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 4 ldap_free_connection: actually freed I do not know what to do !!!! My problem is that I use the Consumer ldap for authentication of some applications and if a user fails for more than 5 times the password, it should be blocked but being Consumer ldap read-only, the locking is not done !!! HELP !!! Ing. Stefano Elmopi Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio Via Ostiense 131/L Corpo B, 00154 Roma cell. 3466147165 tel. 0657060500 email:stefano.elmopi@sociale.it -- "Ai sensi e per gli effetti della legge sulla tutela dei dati personali (D.lgs 196/2003), le informazioni contenute nella presente @mail sono di natura riservata e destinate ad un uso aziendale-lavorativo con esclusione di utilizzi ad uso personale; come tali, pertanto, sono riservate esclusivamente ai destinatari sopra indicati. E' proibito leggere, copiare, usare o diffondere il contenuto della presente @mail senza autorizzazione. Se avete ricevuto questa @mail per errore, siete pregati di rispedire la stessa al mittente. Grazie"

4 3

Seems that syncprov holds up LMDB's reclaiming while handle a syncrepl requests.
by Леонид Юрьев 20 Oct '14

20 Oct '14

Under heavy load conditions with syncrepl a lot of FreeDB records is generated, without any other reading activity. Is really a lot, up to 90% of DB space, a sample is below. I assume that the bugfix of ITS#7904 does not affected for syncprov overlay and syncrepl. http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7904 Which is the best way to verify this and fix? Could anybody pointed me to a code? Leonid. --- Environment Info Map address: (nil) Map size: 2000000000 Page size: 4096 Max pages: 488281 Number of pages used: 480301 Last transaction ID: 1485433 Tail transaction ID: 1485433 Max readers: 126 Number of readers used: 0 Freelist Status Tree depth: 3 Branch pages: 8 Leaf pages: 1121 Overflow pages: 1 Entries: 28991 Page Allocation Info Max pages: 488281 100% Number of pages used: 480301 98.4% Remained: 7980 1.6% Used now: 33397 6.8% Free pages: 446904 91.5% Reading: 9 0.0% Reclaimable: 446895 91.5% Available: 454875 93.2% Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 6

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2014