openldap-technical January 2015

openldap-technical@openldap.org

38 participants
37 discussions

LMDB usage on windows - to much memory needed
by Frank Offermanns 30 Jan '15

30 Jan '15

Hello, we would like to change our backend from hdb to mdb. I did some initial tests and found out the following: When setting maxsize to 1.4 GB, the size of the database on the file system is about 1.4 GB. I thought I read that the maxsize has nothing to do with the actual physical size needed. (If I have only 10 MB of data my database should be about 10 MB). Even worse is the fact, that slapd.exe then needs about 1.5 GB virtual size memory. And if I use 32 Bit slapd.exe the process will crash when reaching 2 GB virtual size. (as every 32 bit process will do) Now my conclusion is, that the things described in the mdb paper are only valid for unix/linux, because windows uses another memory system. Is this correct? Or is there a way I haven't found to configure OpenLDAP on windows so that it does not need so much RAM. The size on the disk does not matter for us, but since we use only 32 bit slapd.exe the RAM does matter. Best regards, Frank

4 5

LDAPCon 2015 Call for Papers
by Andrew Findlay 30 Jan '15

30 Jan '15

LDAPCon 2015 ============ The fifth International Conference on LDAP and Directory Services will be held in the UK at the University of Edinburgh School of Informatics Forum. Tutorials: 11th November 2015 Conference: 12th and 13th November 2015 Call for papers and tutorials ============================= Topics You are using LDAP in interesting projects? You do LDAP client or server development? You have used LDAP in a new way? You do identity and access management on top of LDAP? Why not share your ideas and experiences with others? We are looking for speakers who are willing to talk about any topic related to LDAP and identity management, including: LDAP technology implementation (Servers, API, User interfaces etc.) LDAP Usage (Schema, Security, Operations, Scaling, big data, etc.) LDAP related technologies (PKI, XACML, SAML, etc.) LDAP and Beyond (IAM, Identity Federation, Authentication on the web, etc.) Best Practices for directory services. Accepted talks will be grouped into tracks such as a standards/development and deployment/administration. Deadlines & Important Dates Submission Deadline: 28th June Author Notification: 10th July Final Papers due: 10th October 2015 Tutorials: 11th November 2015 Conference: 12th-13th November 2015 Talk Submissions Main presentations should last about 45 minutes including discussion; we will also provide smaller slots of 15 minutes and 5 minutes for poster presentations or lightning talks. Please tell us which duration you prefer when proposing your talk. The talk must be in English. The one and only way to submit your abstract (approximately 200-800 words, accompanied by your biography of about 100-300 words) is via email to submissions(a)lists.ldapcon.org. Abstracts must reach the Program Committee by 28th June 2015. Early submission is encouraged. All abstracts will be reviewed by the program committee. For accepted talks we expect you to submit slides and/or a paper of approximately 2-10 pages (A4 or US Letter format, 25mm borders, preferably LaTeX source or OpenOffice). For 5-minute talks, a brief abstract is required. A short paper, slides or a poster should be provided for accepted talks. We will provide display boards for posters throughout the conference. By submitting a paper you grant the conference organizers the non-exclusive right to publish your paper in the conference proceedings and on the website; you maintain the right to publish it elsewhere at your discretion. Tutorial Submissions We are looking for high-quality tutorials on LDAP and related subjects, at any level from introductory to advanced. Tutorial length can range from an hour to a full day. Wireless Internet access will be available if required. The purpose of the tutorials is focussed education, so they should cover established topics and best practice rather than presenting new work. Tutorials will be on Wednesday 11th November 2015. The Programme Committee has an open mind about the format of the tutorial day, but has a limited number of rooms available. Make your proposal early and we will aim to build an attractive programme for the day. Expenses Speakers get free access to the conference, including the social event. If requested in advance we will provide accommodation for speakers. Travel expenses might also be covered in special cases. If you need this, please contact us early so we can try to arrange it. Website http://ldapcon.org/2015/ Contacts General enquiries: enquiries(a)lists.ldapcon.org Paper/Tutorial submissions: submissions(a)lists.ldapcon.org -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

1 0

Search with wildcard
by Alessandro Lasmar Mourao 29 Jan '15

29 Jan '15

I have the following structure in my OpenLDAP: ou = groups |_cn = system1 | | _cn = Group1 | | _cn = Group2 |_cn = system2 | _cn = Group1 | _cn = Group2 I need to perform a search and return only users who are registered on system1, regardless of the registered group. When I use the search with the filter: memberOf=cn=*,cn=system1,ou=groups nothing is returned. How do I perform this search in OpenLDAP? In search Oracle SJDS works!

3 3

Different DIT on separate database
by Maily Peng 28 Jan '15

28 Jan '15

Hello, I'd like to set up a single instance of slapd from two DIT that have been defined in separate mdb databases in order to manage more efficiently indexes. Is-it possible ? thank you ####################################################################### # mdb primary database definitions ####################################################################### backend mdb database mdb suffix "ou=users,dc=domain,dc=net" rootdn "cn=Manager,dc=domain,dc=net" envflags writemap,nometasync lastmod on rootpw directory /usr/local/var/users-data/ ####################################################################### # mdb second database definitions ####################################################################### backend mdb database mdb suffix "ou=profiles,dc=domain,dc=net" rootdn "cn=Manager,dc=domain,dc=net" envflags writemap,nometasync lastmod on rootpw directory /usr/local/var/profile-data/ -- Maï-Ly PENG Database Administrator Keyyo Communications 92-98 bd Victor Hugo 92115 Clichy - France Tél. : 01 72 38 77 87 mpeng(a)keyyo.com <mailto:mpeng@keyyo.com> www.keyyo.com <http://www.keyyo.com/>

4 3

simple authentication
by Bharath K 28 Jan '15

28 Jan '15

env.put(Context.SECURITY_PRINCIPAL,args[0]); env.put(Context.SECURITY_CREDENTIALS,args[1]); what values i have to provide for this parameters?? the code which i am trying is not doing simple authentication > dn: uid=nagios,ou=People,dc= example,dc=com > ... > userPassword:: > dn: uid=test1,ou=People,dc=example,dc=com > ... > userPassword:: > > dn: uid=test2,ou=People,dc=example,dc=com > ... > userPassword:: for above thing i have password... my problem is... it is not doing simple authentication i am expecting to be ask password on output ....but for me its not asking any password it is directly showing output it means it is not doing simple authentication

1 0

slapacl Read:Allow - ldapsearch no result
by Uli Tehrani 27 Jan '15

27 Jan '15

Hello all, i want to allow general read access for attribute sshPublicKey. I configured the following rule on top access to attrs=sshPublicKey by * read slapacl -f /etc/openldap/slapd.conf -vvv -b uid=utehrani,ou=ActiveUser,ou=PosixUser,ou=User,dc=example,dc=com sshPublicKey/read read access to sshPublicKey: ALLOWED But when i run ldapsearch. I get no such object ldapsearch -LLL -h ldap1 -x -b uid=utehrani,ou=ActiveUser,ou=PosixUser,ou=User,dc=example,dc=com sshPublicKey No such object (32) Who can helps ? I am running openldap 2.4.39-8 Thanks in advance Regards Uli Uli -- =================================== Ulrich Tehrani Am Ulrichshof 19 79189 Bad Krozingen +497633806246 u_tehrani(a)yahoo.de ===================================

3 2

OpenLDAP Replication Issue
by Tony S. Wu 26 Jan '15

26 Jan '15

We have 5 servers running OpenLDAP, 001 - 005. Server is CentOS 6.4, LDAP version is openldap-servers-2.4.23-32.el6_4.1.x86_64, current replication topology is: 001 <=> 002 001 <=> 003 001 <=> 004 001 <=> 005 001 is where the phpLDAPAdmin GUI is running on. 002 - 005 are behind a load balancer, 001 is never directly accessed from clients. I understand this makes 001 the single point of failure in terms of replication, but we would like to fix the current issues before exploring more changes. The issue we are running is intermittent failure in replication. Replication is configured as multi-way master with mirror mode, it always works from 001 to the rest, but sometimes fails the other direction. This is particularly bad when user changes password and it doesn't get replicated to back to 001, and when that happens it doesn't get replicated to the rest of the other servers. In the log we see the following error messages sometimes, but when replication fails sometimes there is no log: Error Log: Jan 21 10:56:42 001 slapd[27161]: do_syncrepl: rid=004 rc -2 retrying (4 retries left) Another issue is failure on slapd service. On each of the server we have a cronjob running that basically dumps the database using slapcat once an hour. However once every 2 weeks or so we would find slapd dead right around the same time slapcat was run. There is no obvious error in ldap log, system log, or dmesg. According to the documentation it is safe to run slapcat while slapd is running, is this not true? Below is the replication section of the configuration on 001 and 004. If someone could advise on this it would be very much appreciated. moduleload syncprov.la serverid 1 cachesize 50000 idlcachesize 50000 syncrepl rid=002 provider=ldap://002.server.com binddn="uid=replication,ou=Services,dc=server,dc=com" bindmethod=simple credentials=******** searchbase="dc=server,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes tls_reqcert=never * repeat for 003, 004, and 005 * mirrormode true overlay syncprov syncprov-checkpoint 1000 60 syncprov-sessionlog 100 index entryCSN,entryUUID eq

7 9

Re: OpenLDAP Replication Issue
by Marc Patermann 26 Jan '15

26 Jan '15

Tony, Tony S. Wu schrieb (23.01.2015 20:19 Uhr): please keep replies on the list. > We kinda did this out of necessity. This is hell of an answer! :) > Out ultimate goal is to remove > 001, move web UI to 002, and move the replication hub role to 002. > > The reason we haven't done so is because of replication issue. We > would like to at least figure out what's wrong before introducing > additional changes. You may consider moving to a 4 node MMR cluster. Or make 001 and 002 a MMR cluster, which work as provider for your 003 to 005 as read-only replicas, which sent referrals to the provider cluster or use chaining. (You may use a service address for the cluster and move phpLDAPAdmin GUI to the cluster as well.) Maybe these are more commonly used setups than your current one. Marc

1 0

LDAP ldapsearch filter: return uidNumber if person has sub ou=mail
by Leander Schäfer 25 Jan '15

25 Jan '15

I'm trying to construct a ldap filter for my Dovecot/Postfix setup which acts as the example pseudo code & result below: |return uidNumber OF objectClass=posixAccount IF they have a ou=mail AND the mailAddress in this ou=mail IS EQUAL to test(a)Mydomain.TLD || # User-1, people, Mydomain.TLD dn: uid=||User-1,ou=people,dc=MyDomain,dc=TLD uidNumber: 2110 | More specific like this while %s holds e.g.: test(a)Mydomain.TLD: |search_base = dc=Mydomain,dc=TLD query_filter = ( &(objectClass=posixAccount)(ou=mail)(mailAddress=%s) ) result_attribute = uidNumber | But obviously uidNumber is being hold by the posixAccount container one level above - and therewith it won't display what I want. Unfortunately I couldn't figure out how to get it work. My LDAP structure looks like this: => dc=MyDomain,dc=TLD ==> ou=People ===> uid=User-1 ====> uidNumber=4035 ====> ou=mail =====> mailAddress=test(a)Mydomain.TLD ===> uid=User-2 Any help would be greatly apprecitated Thanks Best Regards Leander

4 16

I am new to ldap and i dont know much about ldap simple authentication could you plz help me and give some suggestions......and below is the simple code which i tried and ther is also uid test 1&2 which i want to authenticate
by Bharath K 24 Jan '15

24 Jan '15

import java.util.Hashtable; import javax.naming.Context; import javax.naming.InitialContext; import javax.naming. NamingEnumeration; import javax.naming.NamingException; public class SimpleBindDemo { public static void main(String[] args) throws NamingException { if (args.length < 2) { System.err.println("Usage: java SimpleBindDemo <userDN> <password>"); System.exit(1); } Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:389/"); env.put(Context.SECURITY_AUTHENTICATION, "simple"); //env.put(Context.SECURITY_PRINCIPAL,"cn=Manager, ou=People,dc=example,dc=com"); //env.put(Context.SECURITY_CREDENTIALS,"ldap123"); env.put(Context.SECURITY_PRINCIPAL,args[0]); env.put(Context.SECURITY_CREDENTIALS,args[1]); try { Context ctx = new InitialContext(env); NamingEnumeration enm = ctx.list(""); while (enm.hasMore()) { System.out.println(enm.next()); } enm.close(); ctx.close(); } catch (NamingException e) { System.out.println(e.getMessage()); } } } ------------------------------------------------------------------------------------------------------------------------ -- # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com dc: example objectClass: top objectClass: domain # People, example.com dn: ou=People,dc=example,dc=com ou: People objectClass: top objectClass: organizationalUnit # Group, example.com dn: ou=Group,dc=example,dc=com ou: Group objectClass: top objectClass: organizationalUnit # nagios, People, example.com dn: uid=nagios,ou=People,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: nagios sn: nagios givenName: nagios cn: nagios displayName: nagios uidNumber: 500 gidNumber: 500 userPassword:: gecos: nagios loginShell: /bin/bash homeDirectory: /home/nagios shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 0 shadowMax: 99999 shadowLastChange: 15496 # test1, People, example.com dn: uid=test1,ou=People,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: test1 sn: test1 givenName: test1 cn: test1 displayName: test1 uidNumber: 501 gidNumber: 501 userPassword:: gecos: test1 loginShell: /bin/bash homeDirectory: /home/test1 shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 0 shadowMax: 99999 shadowLastChange: 16447 # test2, People, example.com dn: uid=test2,ou=People,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: test2 sn: test2 givenName: test2 cn: test2 displayName: test2 uidNumber: 502 gidNumber: 502 userPassword:: gecos: test2 loginShell: /bin/bash homeDirectory: /home/test2 shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 0 shadowMax: 99999 shadowLastChange: 16447 # nagios, Group, example.com dn: cn=nagios,ou=Group,dc=example,dc=com objectClass: posixGroup cn: nagios gidNumber: 500 # test1, Group, example.com dn: cn=test1,ou=Group,dc=example,dc=com objectClass: posixGroup cn: test1 gidNumber: 501 # test2, Group, example.com dn: cn=test2,ou=Group,dc=example,dc=com objectClass: posixGroup cn: test2 gidNumber: 502 # search result search: 2 result: 0 Success # numResponses: 10 # numEntries: 9

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2015