August 2014 - openldap-technical

best practices WRT resizing a MDB backend?

by Brian Reichert

Other than this thread: http://t23307.network-openldap-technical.opennetworks.info/lmdb-growing-t... I don't see a discussion of changing the 'maxsize' setting after a LMDB database has been generated. This thread includes this response about growing the database: http://www.openldap.org/lists/openldap-technical/201402/msg00302.html On Windows, Linux, and FreeBSD, there's no problem increasing the mapsize and preserving the existing data. (I'm making a wild assumption that 'mapsize' is a typo, and 'maxsize' was intended.) Can 'maxsize' ever be reduced after the fact? If so, is their guidance as to how much it can change (perhaps based on mdb_stat)? The problem I'm trying to solve: For my $job, we provide OpenLDAP-backed clustered appliances to customers. The hardware doesn't vary, but the size of individual customers' databases. - Our strategy for adding members to the cluster involves managing backups (compressed tarballs). Our prior use of the now-ancient bdb backend let these backups be lightweight things to manage for smaller customers, and larger customers would take the hit for having big databases. - Also, upgrading appliances means importing data from the customers' bdb-based server. My naive use of the LDMB backend has me assume the worst case, and now everyone is equally punished for having a 'big' (albeit sparse) database. My hope was to, given awareness of either the data in an LDIF extract, or data about the legacy bdb database itself, we could make a more conservative guess as to a reasonable size for the mdb backend. Has anyone written up some strategies on these topics, or in the position to provide any recommendation? -- Brian Reichert <reichert(a)numachi.com> BSD admin/developer at large

8 years, 9 months

5
11
0 / 0

LMDB: Compare function implementation

by Venkat Murty

Hi all, I am inserting a non-zero length key into a database where I provide a compare function. But I am seeing that MDB_val->mv_size = 0 in the compare function. Is that possible? More details (LMDB 0.9.11 Release): I have a database where I want to delete all elements that have the same prefix. void eraseElements (KeyPrefix prefix, MDB_txn *txn, MDB_dbi database) { MDB_val k; k.mv_data = &prefix; k.mv_size = sizeof (KeyPrefix); MDB_val v; MDB_cursor *cur; mdb_cursor_open (txn, database, &cur); while (! mdb_cursor_get (cur, &k, &v, MDB_SET_RANGE)) { if (memcmp (&prefix, k.mv_data, sizeof (KeyPrefix)) != 0) break; mdb_cursor_del (cur, 0); k.mv_data = &prefix; k.mv_size = sizeof (KeyPrefix); } mdb_cursor_close (cur); } Relevant stack trace DB::compare (a, b) and b->mv_size == 0 mdb_cursor_set(mc, key, data, op=MDB_SET_RANGE, exactp=0x0) at mdb.c:5348 mdb_cursor_get(mc,key,data,op=MDB_SET_RANGE) at mdb.c:5655 eraseElements(..)

8 years, 9 months

3
2
0 / 0

OpenLdap Access Control

by Mehmet Sağdıç

Hello, I installed OpenLDAP server on Ubuntu 12.04. Phpldapadmin using the interface groups and users have added. Connection with the ftp server on the LDAP user did running. I want to limitation of the user on openldap. I selected one group of users are able to access privileges such as read or write. OlcAccess tried to do in the checklist user restrictions, but did not. Please help

8 years, 9 months

1
0
0 / 0

From: Suneet Shah

by Suneet Shah

Hi openldap http://anon.gooffcampus.com/love.php?ugwun3106ehvfty suneetshah2000(a)gmail.com

8 years, 9 months

1
0
0 / 0

Bug ? ldap_start_tls_s successful even after removing ca certificate from ca cert dir

by SOMA SEKHAR

link to question on stackoverflow <http://stackoverflow.com/questions/25457034/starttls-succesful-even-after...> I'm having trouble verifying the correct behavior of my software. Here are the steps I am performing to verify correct operation: 1. I have sample code that uses openldap library and doing a start tls to a ldap server. 2. I have set the global option for ca cert directory and tlx context for the first time. 3. After that I did ldap init and ldap start tls to a server. This is succesful as expected. 4. I did an ldap_unbind_s 5. I deleted the CA cert that signed the ldap server's certificate from the ca cert directory of the client. 6. Again did ldap_init and ldap_start_tls_s . 7. I expected this call to fail , as I have removed the ca cert. But what I observe is that , server sends the certificate but start_tls is returning success. I am using openldap 2.4 with libssl.0.9.8 LDAP *ld;int desired_version=3; if ((ld = ldap_init(<hostname>, <server_port>)) == NULL ) { printf("ldap_init failed\n"); exit(0);} ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &desired_version); ldap_set_option(NULL, LDAP_OPT_X_TLS_CTX, NULL); ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR,"<ca dir>"); if(ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS){ printf("start tls failed.\n"); exit(0);} ...... <do bind and search>... ldap_unbind_s(ld); ... // DELETE the CA certificate from the ca dir. // Try to do start tls again if ((ld = ldap_init(hostname, server_port)) == NULL ) { printf("ldap_init failed , after deleting CA\n"); exit(0);} // This goes fine even after deleting the CAif (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS){ printf("start tls failed after deleting CA.\n"); exit(0);} -- Thanks&Regards, SomaSekhar.

8 years, 9 months

1
1
0 / 0

ldapi:/// without TLS; ldap:// with TLS?

by Tom

I'm running OpenLDAP 2.4 on CentOS. I'm trying to set it up so clients can use the ldapi:/// socket without TLS, but any clients using ldap:// must use TLS. I believe that the relevant olc variables are olcLocalSSF and olcSecurity. I can't get it to work - either TLS is required no matter which URI I use, or clients can connect without TLS at all. According to the docs, if I set olcLocalSSF to 128, and olcSecurity to ssf=128, it should work, but it's not. I can only connect without TLS if I delete the olcSecurity attribute, which allows anyone to connect without TLS. What am I dong wrong?

8 years, 9 months

2
3
0 / 0

a lot of dnMatch msgs after do_syncrep2

by Daniel Jung

openldap-2.4.39 with lmdb backend running on centos 6.4. This occurred on one of the consumers and other consumers didnt have any issue. I was running args,stats and sync loglevel, and I see the following in the log. Each do_syncrep2 shows dnMatch. The contextcsn got out of sync and I used slapd -c to resync it and it looks ok now. Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_delete_keys: 226c [7a441664] Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_delete_keys: 226c Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_delete_keys: 226c Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_insert_keys: 226c [eebf38e5] Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_insert_keys: 226c Aug 25 03:45:02 servernameslapd[16312]: mdb_idl_insert_keys: 226c Aug 25 03:45:02 servernameslapd[16312]: send_ldap_result: err=0 matched="" text="" Aug 25 03:45:02 servernameslapd[16312]: mdb_modify: dc=server,dc=com Aug 25 03:45:02 servernameslapd[16312]: mdb_modify_internal: replace contextCSN Aug 25 03:45:02 servernameslapd[16312]: send_ldap_result: err=0 matched="" text="" Aug 25 03:45:02 servernameslapd[16312]: slap_graduate_commit_csn: removing 0x7fc0185aa630 20140825014502.251709Z#000000#001#000000 Aug 25 03:45:02 servernameslapd[16312]: syncrepl_entry: rid=703 be_modify cn=cname,ou=Group,dc=server,dc=com (0) Aug 25 03:45:02 servernameslapd[16312]: slap_queue_csn: queing 0x7fc01859e320 20140825014502.251709Z#000000#001#000000 Aug 25 03:45:02 servernameslapd[16312]: mdb_modify: dc=server,dc=com Aug 25 03:45:02 servernameslapd[16312]: mdb_modify_internal: replace contextCSN Aug 25 03:45:02 servernameslapd[16312]: send_ldap_result: err=0 matched="" text="" Aug 25 03:45:02 servernameslapd[16312]: slap_graduate_commit_csn: removing 0x7fc01850f060 20140825014502.251709Z#000000#001#000000 Aug 25 03:45:02 servernameslapd[16312]: connection_get(12) Aug 25 03:45:02 servernameslapd[16312]: do_syncrep2: rid=703 cookie=rid=703,sid=001,csn=20140825014502.428281Z#000000#001#000000 Aug 25 03:45:02 servernameslapd[16312]: syncrepl_message_to_entry: rid=703 DN: cn=development,ou=somegroup,dc=server,dc=com, UUID: a06de85e-b545-102d-9482-cde2fff247a7 Aug 25 03:45:02 servernameslapd[16312]: dnMatch -3 Aug 25 03:45:02 servernameslapd[16312]: dnMatch 1 Aug 25 03:45:02 servernameslapd[16312]: dnMatch -3 Aug 25 03:45:02 servernameslapd[16312]: dnMatch -2 <snip>

8 years, 9 months

1
1
0 / 0

How can I add ldap user from linux shell command line?

by Tian Zhiying

Hi All How can I add ldap user from linux shell command line? And how can I batch add ldap user from linux shell command line? Tian Zhiying

8 years, 9 months

3
2
0 / 0

Getting the memberof overlay to work

by Karel Vervaeke

Hi. I've followed a number of memberof tutorials/howto guides, but I can't get it to work. I've tried to document my best attempt yet in this github repository: https://github.com/karel1980/openldap-memberof There is an installation script which: - installs slapd - sets up a new database - configures memberof and refint overlays - restarts slapd - adds groups and users There's also a sample query which should return memberOf attributes, but it does not. If you can spot the error of my ways, please enlighten me. Regards, Karel

8 years, 9 months

1
1
0 / 0

Converting BDB database from 4.8 to 4.5.

by Markus Moeller

I have an openldap server using libdb-4.5, but somehow my OS had db-utils for 4.8 and I guess I run the wrong commands as I now get the following error when starting the server. Is there a way to "downgrade" to 4.5 ? Unacceptable log file /var/lib/ldap/log.0000000001: unsupported log version 16 Thank you Markus

8 years, 9 months

4
4
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2014