best practices WRT resizing a MDB backend?
by Brian Reichert
Other than this thread:
http://t23307.network-openldap-technical.opennetworks.info/lmdb-growing-t...
I don't see a discussion of changing the 'maxsize' setting after a
LMDB database has been generated.
This thread includes this response about growing the database:
http://www.openldap.org/lists/openldap-technical/201402/msg00302.html
On Windows, Linux, and FreeBSD, there's no problem increasing the mapsize
and preserving the existing data.
(I'm making a wild assumption that 'mapsize' is a typo, and 'maxsize'
was intended.)
Can 'maxsize' ever be reduced after the fact? If so, is there
guidance as to how much it can change (perhaps based on mdb_stat)?
The problem I'm trying to solve:
For my $job, we provide OpenLDAP-backed clustered appliances to
customers. The hardware doesn't vary, but the size of individual
customers' databases does.
- Our strategy for adding members to the cluster involves managing
backups (compressed tarballs). Our prior use of the now-ancient
bdb backend let these backups be lightweight things to manage for
smaller customers, and larger customers would take the hit for
having big databases.
- Also, upgrading appliances means importing data from the customers'
bdb-based server.
My naive use of the LMDB backend has me assume the worst case, and
now everyone is equally punished for having a 'big' (albeit sparse)
database.
My hope was that, given awareness of either the data in an LDIF
extract or data about the legacy bdb database itself, we could
make a more conservative guess as to a reasonable size for the mdb
backend.
Has anyone written up some strategies on these topics, or is anyone in
a position to provide any recommendation?
--
Brian Reichert <reichert(a)numachi.com>
BSD admin/developer at large
8 years, 9 months
LMDB: Compare function implementation
by Venkat Murty
Hi all,
I am inserting a non-zero length key into a database where I provide a compare function. But I am seeing that MDB_val->mv_size = 0 in the compare function. Is that possible?
More details (LMDB 0.9.11 Release):
I have a database where I want to delete all elements that have the same prefix.
#include <string.h>
#include <lmdb.h>

/* KeyPrefix is the poster's own fixed-size key-prefix type (definition not shown). */
void eraseElements (KeyPrefix prefix, MDB_txn *txn, MDB_dbi database)
{
    MDB_val k;
    MDB_val v;
    MDB_cursor *cur;

    k.mv_data = &prefix;
    k.mv_size = sizeof (KeyPrefix);

    if (mdb_cursor_open (txn, database, &cur) != MDB_SUCCESS)
        return;

    /* MDB_SET_RANGE positions on the first key >= prefix and overwrites k
     * with the key it found, so k is re-pointed at prefix after each delete. */
    while (mdb_cursor_get (cur, &k, &v, MDB_SET_RANGE) == MDB_SUCCESS)
    {
        /* Check the length before memcmp so a key shorter than the prefix
         * (including a zero-length one) is not read past its end. */
        if (k.mv_size < sizeof (KeyPrefix)
            || memcmp (&prefix, k.mv_data, sizeof (KeyPrefix)) != 0)
            break;
        mdb_cursor_del (cur, 0);
        k.mv_data = &prefix;
        k.mv_size = sizeof (KeyPrefix);
    }
    mdb_cursor_close (cur);
}
Relevant stack trace
DB::compare (a, b) and b->mv_size == 0
mdb_cursor_set(mc, key, data, op=MDB_SET_RANGE, exactp=0x0) at mdb.c:5348
mdb_cursor_get(mc,key,data,op=MDB_SET_RANGE) at mdb.c:5655
eraseElements(..)
8 years, 9 months
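An added example (not the poster's code, and not part of LMDB) of a comparator suitable for mdb_set_compare and a prefix check that both tolerate an MDB_val with mv_size == 0, which the poster sees reaching the compare function. It assumes a constructed KeyPrefix layout (a 4-byte tenant id plus a 1-byte kind) and defines a local MDB_val mirroring the lmdb.h struct so the file builds without liblmdb.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors struct MDB_val from lmdb.h so this compiles without liblmdb;
 * real code includes <lmdb.h> and drops this definition. */
typedef struct { size_t mv_size; void *mv_data; } MDB_val;

/* Assumed (constructed) key layout: fixed-size prefix, then a variable suffix. */
typedef struct { unsigned char tenant[4]; unsigned char kind; } KeyPrefix;

/* Length-aware lexicographic compare, matching the MDB_cmp_func signature.
 * It only reads the bytes both keys actually have, so a zero-length key is
 * simply the smallest key, and keys sharing a prefix stay contiguous, which
 * is what an MDB_SET_RANGE-then-delete loop relies on. */
int prefix_safe_compare(const MDB_val *a, const MDB_val *b)
{
    size_t n = a->mv_size < b->mv_size ? a->mv_size : b->mv_size;
    int r = n ? memcmp(a->mv_data, b->mv_data, n) : 0;
    if (r != 0)
        return r < 0 ? -1 : 1;
    if (a->mv_size == b->mv_size)
        return 0;
    /* One key is a prefix of the other: the shorter one sorts first. */
    return a->mv_size < b->mv_size ? -1 : 1;
}

/* Does key k start with prefix p?  Safe on any key a cursor returns,
 * including one shorter than sizeof(KeyPrefix). */
int has_prefix(const MDB_val *k, const KeyPrefix *p)
{
    return k->mv_size >= sizeof(KeyPrefix)
        && memcmp(k->mv_data, p, sizeof(KeyPrefix)) == 0;
}
```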
OpenLdap Access Control
by Mehmet Sağdıç
Hello,
I installed an OpenLDAP server on Ubuntu 12.04 and added groups and users
using the phpLDAPadmin interface. The FTP server's connection to LDAP
users is running. I want to restrict users on OpenLDAP: only one selected
group of users should have access privileges such as read or write. I
tried to set the user restrictions with olcAccess, but it did not work.
Please help
8 years, 9 months
Bug ? ldap_start_tls_s successful even after removing ca certificate from ca cert dir
by SOMA SEKHAR
link to question on stackoverflow
<http://stackoverflow.com/questions/25457034/starttls-succesful-even-after...>
I'm having trouble verifying the correct behavior of my software. Here are
the steps I am performing to verify correct operation:
1. I have sample code that uses the openldap library and does a start tls
to an ldap server.
2. I have set the global option for the ca cert directory and TLS context
for the first time.
3. After that I did ldap init and ldap start tls to a server. This is
successful as expected.
4. I did an ldap_unbind_s
5. I deleted the CA cert that signed the ldap server's certificate from
the ca cert directory of the client.
6. Again did ldap_init and ldap_start_tls_s.
7. I expected this call to fail, as I have removed the ca cert. But
what I observe is that the server sends the certificate but start_tls is
returning success.
I am using openldap 2.4 with libssl.0.9.8
#include <stdio.h>
#include <stdlib.h>
#include <ldap.h>

LDAP *ld;
int desired_version = 3;

if ((ld = ldap_init(<hostname>, <server_port>)) == NULL) {
    printf("ldap_init failed\n");
    exit(0);
}
ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version);
/* Global (ld == NULL) TLS settings: reset the context, then set the CA directory. */
ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL);
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, "<ca dir>");
if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
    printf("start tls failed.\n");
    exit(0);
}
...... <do bind and search>...
ldap_unbind_s(ld); ...

// DELETE the CA certificate from the ca dir.
// Try to do start tls again
if ((ld = ldap_init(hostname, server_port)) == NULL) {
    printf("ldap_init failed , after deleting CA\n");
    exit(0);
}
// This goes fine even after deleting the CA
if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
    printf("start tls failed after deleting CA.\n");
    exit(0);
}
--
Thanks&Regards,
SomaSekhar.
8 years, 9 months
ldapi:/// without TLS; ldap:// with TLS?
by Tom
I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients
can use the ldapi:/// socket without TLS, but any clients using ldap://
must use TLS.
I believe that the relevant olc variables are olcLocalSSF and
olcSecurity. I can't get it to work - either TLS is required no matter
which URI I use, or clients can connect without TLS at all.
According to the docs, if I set olcLocalSSF to 128, and olcSecurity to
ssf=128, it should work, but it's not. I can only connect without TLS if
I delete the olcSecurity attribute, which allows anyone to connect
without TLS. What am I doing wrong?
8 years, 9 months
a lot of dnMatch msgs after do_syncrep2
by Daniel Jung
openldap-2.4.39 with the lmdb backend running on centos 6.4. This occurred on
one of the consumers and the other consumers didn't have any issue. I was
running the args, stats and sync loglevels, and I see the following in the log.
Each do_syncrep2 shows dnMatch.
The contextcsn got out of sync and I used slapd -c to resync it and it
looks ok now.
Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_delete_keys: 226c [7a441664]
Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_delete_keys: 226c
Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_delete_keys: 226c
Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_insert_keys: 226c [eebf38e5]
Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_insert_keys: 226c
Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_insert_keys: 226c
Aug 25 03:45:02 servernameslapd[16312]: send_ldap_result: err=0 matched="" text=""
Aug 25 03:45:02 servernameslapd[16312]: mdb_modify: dc=server,dc=com
Aug 25 03:45:02 servernameslapd[16312]: mdb_modify_internal: replace contextCSN
Aug 25 03:45:02 servernameslapd[16312]: send_ldap_result: err=0 matched="" text=""
Aug 25 03:45:02 servernameslapd[16312]: slap_graduate_commit_csn: removing 0x7fc0185aa630 20140825014502.251709Z#000000#001#000000
Aug 25 03:45:02 servernameslapd[16312]: syncrepl_entry: rid=703 be_modify cn=cname,ou=Group,dc=server,dc=com (0)
Aug 25 03:45:02 servernameslapd[16312]: slap_queue_csn: queing 0x7fc01859e320 20140825014502.251709Z#000000#001#000000
Aug 25 03:45:02 servernameslapd[16312]: mdb_modify: dc=server,dc=com
Aug 25 03:45:02 servernameslapd[16312]: mdb_modify_internal: replace contextCSN
Aug 25 03:45:02 servernameslapd[16312]: send_ldap_result: err=0 matched="" text=""
Aug 25 03:45:02 servernameslapd[16312]: slap_graduate_commit_csn: removing 0x7fc01850f060 20140825014502.251709Z#000000#001#000000
Aug 25 03:45:02 servernameslapd[16312]: connection_get(12)
Aug 25 03:45:02 servernameslapd[16312]: do_syncrep2: rid=703 cookie=rid=703,sid=001,csn=20140825014502.428281Z#000000#001#000000
Aug 25 03:45:02 servernameslapd[16312]: syncrepl_message_to_entry: rid=703 DN: cn=development,ou=somegroup,dc=server,dc=com, UUID: a06de85e-b545-102d-9482-cde2fff247a7
Aug 25 03:45:02 servernameslapd[16312]: dnMatch -3
Aug 25 03:45:02 servernameslapd[16312]: dnMatch 1
Aug 25 03:45:02 servernameslapd[16312]: dnMatch -3
Aug 25 03:45:02 servernameslapd[16312]: dnMatch -2
<snip>
8 years, 9 months
Getting the memberof overlay to work
by Karel Vervaeke
Hi. I've followed a number of memberof tutorials/howto guides,
but I can't get it to work.
I've tried to document my best attempt yet in this github repository:
https://github.com/karel1980/openldap-memberof
There is an installation script which:
- installs slapd
- sets up a new database
- configures memberof and refint overlays
- restarts slapd
- adds groups and users
There's also a sample query which should return memberOf attributes,
but it does not.
If you can spot the error of my ways, please enlighten me.
Regards,
Karel
8 years, 9 months
Converting BDB database from 4.8 to 4.5.
by Markus Moeller
I have an openldap server using libdb-4.5, but somehow my OS had db-utils
for 4.8 and I guess I ran the wrong commands, as I now get the following
error when starting the server. Is there a way to "downgrade" to 4.5?
Unacceptable log file /var/lib/ldap/log.0000000001: unsupported log version 16
Thank you
Markus
8 years, 9 months