openldap-technical November 2015

openldap-technical@openldap.org

64 participants
60 discussions

LMDB data growth - overflow pages
by Christian Sell 22 Nov '15

22 Nov '15

Hello, I am trying to use LMDB to store large (huge) amounts of binary data which, for the reason of limiting memory footprint, are split into chunks. Each chunk ist stored under a separate key, made up of [collectionId, chunkId], so that I can later iterate the chunks using a LMDB cursor. Chunk size is configurable. During my tests, I encountered a strange scenario where, after inserting some 2000 chunks consisting of 512KB each, the database size had grown to a value that was roughly 135 times the calculated size of the data. I ran stat over the db and saw that there were > 12000 overflow pages vs. approx. 2000 data pages. When I reduced the chunk size to 4060 bytes, the number of overflow pages went down to 1000, and the database size went down to the expected number (I experimented with different sizes, this was the best result). I did not find any documentation that would explain this behavior, or how to deal with it. Of course it makes me worry about database bloat and the consequences. Can anyone shed light on this? thanks, Christian

1 0

Human-friendly olcAccess management
by Bogdan Rudas 22 Nov '15

22 Nov '15

Hello all, I would like to start use of olcAccess rules, are there human-friendly editor for that ACLs? I can't even use line breaks in ldif file to make my restrictions a bit more readable! I strongly dislike very long string values, one day this will cause mistake and access violation. I've tried with Apache DS, ldif import and few puppet modules, everything require huge line ACL. Any help will be welcome. -- Bogdan Rudas Head of Minsk IT Support Department Exadel Inc. http://www.exadel.com/ E-mail: brudas(a)exadel.com <mandrushkevich(a)exadel.com> Skype ID: bogdan.rudas -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.

4 3

Tuning number of entries sent during syncrepl?
by Bannister, Mark 22 Nov '15

22 Nov '15

It takes about 10 minutes to synchronise about 300,000 entries across the WAN, but the WAN isn't that slow here, I can transfer an LDIF file much faster than that over NFS. Before LDAPCon last week, I had been working on a solution to this problem, where I would get the master server to dump its contents once a day to NFS, and then replicas could build initially from that. It was taking quite a bit of work, and it was slightly annoying that I needed to jump through these hoops. Last week I was speaking with someone at LDAPCon who told me he had come across the same problem, and it turned out to be something to do with the maximum number of entries that can be transferred in one go? - although I may have misheard this, so please forgive me if details are not entirely accurate. But apparently this is tunable, and if I increase it, my 300,000 entries will replicate much much faster. Any ideas? Sorry I'm a bit sketchy on details. Thanks, Mark. ________________________________ NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies; do not disclose, use or act upon the information; and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.

2 2

Problem making refint_nothing working
by katgb 21 Nov '15

21 Nov '15

Hi all, I tried for some days to make refint overlay work with refint_nothing filled. The slapo-refint man page says : refint_nothing <string> Specify an arbitrary value to be used as a placeholder when the last value would otherwise be deleted from an attribute. This can be useful in cases where the schema requires the existence of an attribute for which referential integrity is enforced. The attempted deletion of a required attribute will otherwise result in an Object Class Violation, causing the request to fail. The string must be a valid DN. but each time I try to delete the last member from a groupOfNames group, the deletion is refused because of schema violation. That's ok without refint_nothing but with the string set it should replace last member, right ? I tried to increase loglevel to 16383 but can't see any debug for refint overlay. So I'm not sure if refint is working or not. Is there another way to have some debug information from refint ? I have included my configuration, ldap tree and log content below. For the logs, I have snipped the content to the error directly but can provide full log if required. The tests are running on debian jessie 8.2 and slapd version 2.4.40+dfsg-1. And I know I can place the placeholder manually but doing it by hand each time is not what I want and, more important, I want to understand why the module is not worrking like it should. I hope I have posted to the right list and if there is something missing please ask. Thanks for help. ######### START CONF LDIF ######## dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: a00e3106-20ce-1035-8943-a9586533ca5e creatorsName: cn=config createTimestamp: 20151116165546Z olcLogLevel: 16383 entryCSN: 20151116173108.585343Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20151116173108Z dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_mdb olcModuleLoad: {1}refint olcModuleLoad: {2}memberof.la structuralObjectClass: olcModuleList entryUUID: a00edd9a-20ce-1035-894b-a9586533ca5e creatorsName: cn=admin,cn=config createTimestamp: 20151116165546Z entryCSN: 20151116172537.271031Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20151116172537Z dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema structuralObjectClass: olcSchemaConfig entryUUID: a00e5a96-20ce-1035-8946-a9586533ca5e creatorsName: cn=admin,cn=config createTimestamp: 20151116165546Z entryCSN: 20151116165546.131180Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20151116165546Z ... schema listing skipped as they are not modified ... dn: olcBackend={0}mdb,cn=config objectClass: olcBackendConfig olcBackend: {0}mdb structuralObjectClass: olcBackendConfig entryUUID: a00ef6cc-20ce-1035-894c-a9586533ca5e creatorsName: cn=admin,cn=config createTimestamp: 20151116165546Z entryCSN: 20151116165546.135178Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20151116165546Z dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by * break olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read olcSizeLimit: 500 structuralObjectClass: olcDatabaseConfig entryUUID: a00e4ec0-20ce-1035-8944-a9586533ca5e creatorsName: cn=config createTimestamp: 20151116165546Z entryCSN: 20151116165546.130875Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20151116165546Z dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by * break olcRootDN: cn=admin,cn=config structuralObjectClass: olcDatabaseConfig entryUUID: a00e5654-20ce-1035-8945-a9586533ca5e creatorsName: cn=config createTimestamp: 20151116165546Z olcRootPW:: e1NTSEF9NkdpY3VMWFhTUGpBa1IzM3UzcnkxVm1qY2N2ZVZXNHY= entryCSN: 20151116170655.978168Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20151116170655Z dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=nodomain olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym ous auth by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=nodomain olcDbCheckpoint: 512 30 olcDbIndex: objectClass eq olcDbIndex: cn,uid eq olcDbIndex: uidNumber,gidNumber eq olcDbIndex: member,memberUid eq olcDbMaxSize: 1073741824 structuralObjectClass: olcMdbConfig entryUUID: a00efa64-20ce-1035-894d-a9586533ca5e creatorsName: cn=admin,cn=config createTimestamp: 20151116165546Z olcRootPW:: e1NTSEF9SlExdmxnN1E0a0hNTTZtanZzdEtIcHBSYjBmNHJyaGI= entryCSN: 20151116170852.768823Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20151116170852Z dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {0}refint structuralObjectClass: olcRefintConfig entryUUID: cd95de54-20d2-1035-86bf-517b01ed1806 creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20151116172540Z olcRefintNothing: uid=myuser2,ou=users,dc=nodomain olcRefintAttribute: member entryCSN: 20151116174304.336010Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20151116174304Z ######### END CONF LDIF ######## ######### START DB LDIF ######## dn: dc=nodomain objectClass: top objectClass: dcObject objectClass: organization o: nodomain dc: nodomain structuralObjectClass: organization entryUUID: a01fd816-20ce-1035-8deb-e11fbfc8d840 creatorsName: cn=admin,dc=nodomain createTimestamp: 20151116165546Z entryCSN: 20151116165546.245753Z#000000#000#000000 modifiersName: cn=admin,dc=nodomain modifyTimestamp: 20151116165546Z dn: cn=admin,dc=nodomain objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9Z2doUHZPQVo2dnV5NzVSY1dFLzhhUFNGQjVZY1FXRHY= structuralObjectClass: organizationalRole entryUUID: a02629b4-20ce-1035-8dec-e11fbfc8d840 creatorsName: cn=admin,dc=nodomain createTimestamp: 20151116165546Z entryCSN: 20151116165546.287209Z#000000#000#000000 modifiersName: cn=admin,dc=nodomain modifyTimestamp: 20151116165546Z dn: ou=groups,dc=nodomain objectClass: organizationalUnit objectClass: top ou: groups structuralObjectClass: organizationalUnit entryUUID: 25ff55cc-20d1-1035-86b9-517b01ed1806 creatorsName: cn=admin,dc=nodomain createTimestamp: 20151116171349Z entryCSN: 20151116171349.840889Z#000000#000#000000 modifiersName: cn=admin,dc=nodomain modifyTimestamp: 20151116171349Z dn: ou=users,dc=nodomain objectClass: organizationalUnit objectClass: top ou: users structuralObjectClass: organizationalUnit entryUUID: 351d4e6a-20d1-1035-86ba-517b01ed1806 creatorsName: cn=admin,dc=nodomain createTimestamp: 20151116171415Z entryCSN: 20151116171415.203147Z#000000#000#000000 modifiersName: cn=admin,dc=nodomain modifyTimestamp: 20151116171415Z dn: uid=myuser1,ou=users,dc=nodomain cn: myuser1 objectClass: inetOrgPerson objectClass: top sn: myuser1 uid: myuser1 structuralObjectClass: inetOrgPerson entryUUID: bba534d4-20d1-1035-86bb-517b01ed1806 creatorsName: cn=admin,dc=nodomain createTimestamp: 20151116171800Z entryCSN: 20151116171800.908475Z#000000#000#000000 modifiersName: cn=admin,dc=nodomain modifyTimestamp: 20151116171800Z dn: uid=myuser2,ou=users,dc=nodomain cn: myuser2 objectClass: inetOrgPerson objectClass: top sn: myuser2 uid: myuser2 structuralObjectClass: inetOrgPerson entryUUID: d175bac2-20d1-1035-86bc-517b01ed1806 creatorsName: cn=admin,dc=nodomain createTimestamp: 20151116171837Z entryCSN: 20151116171837.507205Z#000000#000#000000 modifiersName: cn=admin,dc=nodomain modifyTimestamp: 20151116171837Z dn: cn=mygroup1,ou=groups,dc=nodomain cn: mygroup1 member: uid=myuser1,ou=users,dc=nodomain objectClass: groupOfNames objectClass: top structuralObjectClass: groupOfNames entryUUID: f9657978-20d1-1035-86bd-517b01ed1806 creatorsName: cn=admin,dc=nodomain createTimestamp: 20151116171944Z entryCSN: 20151116171944.509541Z#000000#000#000000 modifiersName: cn=admin,dc=nodomain modifyTimestamp: 20151116171944Z ######### END DB LDIF ######## ######### START LOG ######## ... Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: read active on 13 Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=9 active_threads=0 tvp=zero Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=10 active_threads=0 tvp=zero Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=11 active_threads=0 tvp=zero Nov 16 18:43:31 vm-rt1 slapd[15110]: connection_get(13) Nov 16 18:43:31 vm-rt1 slapd[15110]: connection_get(13): got connid=1154 Nov 16 18:43:31 vm-rt1 slapd[15110]: connection_read(13): checking for input on id=1154 Nov 16 18:43:31 vm-rt1 slapd[15110]: op tag 0x66, time 1447695811 Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 do_modify Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 do_modify: dn (cn=mygroup1,ou=groups,dc=nodomain) Nov 16 18:43:31 vm-rt1 slapd[15110]: >>> dnPrettyNormal: <cn=mygroup1,ou=groups,dc=nodomain> Nov 16 18:43:31 vm-rt1 slapd[15110]: <<< dnPrettyNormal: <cn=mygroup1,ou=groups,dc=nodomain>, <cn=mygroup1,ou=groups,dc=nodomain> Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 modifications: Nov 16 18:43:31 vm-rt1 slapd[15110]: #011replace: member Nov 16 18:43:31 vm-rt1 slapd[15110]: #011#011no values Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 MOD dn="cn=mygroup1,ou=groups,dc=nodomain" Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 MOD attr=member Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify: cn=mygroup1,ou=groups,dc=nodomain Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_dn2entry("cn=mygroup1,ou=groups,dc=nodomain") Nov 16 18:43:31 vm-rt1 slapd[15110]: => mdb_dn2id("cn=mygroup1,ou=groups,dc=nodomain") Nov 16 18:43:31 vm-rt1 slapd[15110]: <= mdb_dn2id: got id=0x7 Nov 16 18:43:31 vm-rt1 slapd[15110]: => mdb_entry_decode: Nov 16 18:43:31 vm-rt1 slapd[15110]: <= mdb_entry_decode Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: 0x00000007: cn=mygroup1,ou=groups,dc=nodomain Nov 16 18:43:31 vm-rt1 slapd[15110]: <= acl_access_allowed: granted to database root Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace member Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace entryCSN Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace modifiersName Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify_internal: replace modifyTimestamp Nov 16 18:43:31 vm-rt1 slapd[15110]: oc_check_required entry (cn=mygroup1,ou=groups,dc=nodomain), objectClass "groupOfNames" Nov 16 18:43:31 vm-rt1 slapd[15110]: Entry (cn=mygroup1,ou=groups,dc=nodomain): object class 'groupOfNames' requires attribute 'member' Nov 16 18:43:31 vm-rt1 slapd[15110]: entry failed schema check: object class 'groupOfNames' requires attribute 'member' Nov 16 18:43:31 vm-rt1 slapd[15110]: mdb_modify: modify failed (65) Nov 16 18:43:31 vm-rt1 slapd[15110]: send_ldap_result: conn=1154 op=4 p=3 Nov 16 18:43:31 vm-rt1 slapd[15110]: send_ldap_result: err=65 matched="" text="object class 'groupOfNames' requires attribute 'member'" Nov 16 18:43:31 vm-rt1 slapd[15110]: send_ldap_response: msgid=5 tag=103 err=65 Nov 16 18:43:31 vm-rt1 slapd[15110]: conn=1154 op=4 RESULT tag=103 err=65 text=object class 'groupOfNames' requires attribute 'member' Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on 1 descriptor Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on: Nov 16 18:43:31 vm-rt1 slapd[15110]: Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=9 active_threads=0 tvp=zero Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=10 active_threads=0 tvp=zero Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: epoll: listen=11 active_threads=0 tvp=zero Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on 1 descriptor Nov 16 18:43:31 vm-rt1 slapd[15110]: daemon: activity on: ######### END LOG ########

4 6

Trying to set up multimaster syncrepl, error attribute 'olcTLSCertificateFile' not allowed , why?
by Betsy Schwartz 21 Nov '15

21 Nov '15

I inherited a pair of (interestingly configured) ldap servers from a previous owner and I'm trying to get them to replicate to each other (actually, starting with two new VM copies, with the goal of ending up with four masters spread over two data centers). The VM's are running RHEL6 and openldap 2.4.40. When I try to add replication using the ldif included at the bottom of this post , I get this error and then cannot restart slapd -- [root@ldap01 tmp]# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/repl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" adding new entry "olcOverlay=syncprov,olcDatabase={2}bdb,cn=config" modifying entry "olcDatabase={2}bdb,cn=config" ldap_modify: Object class violation (65) additional info: attribute 'olcTLSCertificateFile' not allowed -- slapd restart error in the log is read_config: no serverID / URL match found. Check slapd -h arguments. (I assume this is coming from my three new syncprov providers which have nothing to provide?) The only reference I found to TLS anywhere was here [root@ldap01 tmp]# slapcat -s olcDatabase=\{2}bdb,cn=config |grep TLS olcTLSCertificateFile: /etc/pki/tls/certs/foobar_cert.pem olcTLSCertificateKeyFile: /etc/pki/tls/certs/foobar_key.pem Those files do not exist, never have! (I admit I tried, and failed, to delete the reference) What can I do to fix the TLS error? Where is there a TLS dependency in this picture? Thank you for any clues! [root@ldap01 tmp]# cat post.ldif olcServerID: 1 ldap://ldap02.example.com olcServerID: 2 ldap://ldap2.example.com olcServerID: 3 ldap://ldap.example.com dn: olcOverlay=syncprov,olcDatabase={2}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={2}bdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://ldap02.example.com binddn="uid=Manager,dc=example,dc=com" bindmethod=simple credentials="managerpassword" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 +" timeout=1 olcSyncRepl: rid=002 provider=ldap://ldap2.example.com binddn="uid=Manager,dc=example,dc=com" bindmethod=simple credentials="managerpassword" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1 olcSyncRepl: rid=003 provider=ldap://ldap.example.com binddn="uid=Manager,dc=example,dc=com" bindmethod=simple credentials="managerpassword" searchbase="dc=example,dc=com" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE thank you very much!

2 1

replicating cn=config generates LDAP_NOT_ALLOWED_ON_RDN
by Chris Cook 20 Nov '15

20 Nov '15

Openldap 2.4.31 I create my read-only ldap hosts with a stub config that contains a syncrepl statement: olcSyncrepl: {0}rid=001 provider=ldaps://ldap.savagebeast.com binddn="cn= admin,cn=config,cn=slave" bindmethod=simple credentials=$PW searchbase="cn= config,cn=slave" type=refreshAndPersist retry="60 +" timeout=3 suffixmassage= "cn=config" schemachecking=off That on first run with a –c ‘rid=001’ flag syncs the rest of the configs and associated databases from the primary servers. Leaving the config database as: # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 3c65cc7d dn: olcDatabase={0}config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=admin,cn=config olcUpdateRef: ldaps://ldap.savagebeast.com structuralObjectClass: olcDatabaseConfig entryUUID: fee78e38-2723-1030-8342-0d5a80dcc32a creatorsName: cn=admin,cn=config createTimestamp: 20110609203711Z olcRootPW:: x== olcSyncrepl: {0}rid=001 provider=ldaps://guess-who.savagebeast.com binddn="cn= admin,cn=config,cn=slave" bindmethod=simple credentials=x searchbase ="cn=config,cn=slave" schemachecking=off type=refreshAndPersist retry="60 +" timeout=3 suffixmassage="cn=config" entryCSN: 20151119013205.450738Z#000000#000#000000 modifiersName: cn=admin,dc=savagebeast,dc=com modifyTimestamp: 20151119013205Z This works great for the first run, but subsequent changes to the cn=config,cn=slave entries on the primary servers generate a replication error on the downstream hosts. 564fc719 syncrepl_entry: rid=001 be_search (0) 564fc719 syncrepl_entry: rid=001 olcDatabase={2}hdb,cn=config 564fc719 <= acl_access_allowed: granted to database root 564fc719 send_ldap_result: conn=-1 op=0 p=3 564fc719 send_ldap_result: err=67 matched="" text="Use modrdn to change the entry name" 564fc719 null_callback : error code 0x43 564fc719 syncrepl_entry: rid=001 be_modify olcDatabase={2}hdb,cn=config (67) 564fc719 syncrepl_entry: rid=001 be_modify failed (67) Which is LDAP_NOT_ALLOWED_ON_RDN. The only change to be synced was the addition of an olcDbIndex to one of the databases. The suffix massage seems to still be in place: 564fc719 syncrepl_message_to_entry: rid=001 DN: olcDatabase={2}hdb,cn=config,cn=slave, UUID: ef2a6d04-b2cf-1033-9ca0-37a633abeda5 564fc719 ==> rewrite_context_apply [depth=1] string='olcDatabase={2}hdb,cn=config,cn=slave' 564fc719 ==> rewrite_rule_apply rule='(.*)cn=config,cn=slave$' string='olcDatabase={2}hdb,cn=config,cn=slave' [1 pass(es)] 564fc719 ==> rewrite_context_apply [depth=1] res={0,'olcDatabase={2}hdb,cn=config'} 564fc719 >>> dnPrettyNormal: <olcDatabase={2}hdb,cn=config> Any pointers on how to troubleshoot why this error is called?

1 0

Building for windows. Again.
by Kristoffer Sjögren 20 Nov '15

20 Nov '15

Hi I'm trying to build LMDB with Java/JNI bindings with Visual C++ Project Builder 9.00.30729 (vcbuild). Unfortunately, vcbuild don't ship with inttypes.h, stdint.h, or a sane ssize_t. So I searched around and found a few candidates [1] of inttypes.h and stdint.h that seems to be working for py-lmdb. However, unistd.h seems broken for windows - and the python guys use python.h instead. Any ideas where I might find a good unistd.h? Cheers, -Kristoffer [1] https://github.com/deephacks/lmdbjni/tree/master/lmdbjni-win64/headers

2 16

multi-value attribute virtual view of single attribute
by Jason Whitener 20 Nov '15

20 Nov '15

If I had a multi-valued attribute like cn: var0:value cn: var2:value cn: var3:value is there a way to expose each varX as if it were an attribute for search filter purposes? For instance, ldapsearch.....&((objectclass=person)(var0=value)) I started looking into slapo-rwm. Is that the best way to accomplish this?

5 8

ERR_employeeadd {'info': 'modifications require authentication', 'desc': 'Strong(er) authentication required'}
by Andrei Valoshyn 20 Nov '15

20 Nov '15

Hello! I have slapd 2.4.39 and python 2.6 I tried to create an user via python when I tried do that with root permission - it's OK. But when I did this with config in slapd.conf "access to * by group.exact="cn=LDAP_admins,ou=Roles,ou=Groups,dc=exadel,dc=com" write" I have an error " ERR_employeeadd {'info': 'modifications require authentication', 'desc': 'Strong(er) authentication required'} " I tried to use " l.protocol_version = ldap.VERSION{2,3} " via 389 port My function for adding ldif is : l = ldap.initialize(server) l.simple_bind(username, ldapsrvpassword) def employeeadd(): ldif = modlist.addModlist(attrs) l.add_s(dn,ldif) Will be very appreciate for any help -- With Best Wishes Andrei Valoshyn Exadel Inc. System Administrator avaloshyn(a)exadel.com -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.

2 1

sasl-auxprop (and sasl/slapd.conf)
by Simone Piccardi 18 Nov '15

18 Nov '15

I'm trying to understand which values I can use for the sasl-auxprop directives and how to configure (if possible) sasl/slapd.conf. I was trying to use the users created with slappasswd2 -c (as written in the Administration guide) but no sasldb file was open by the server (I straced out a full session). I tried to put an explicit configuration in sasl/slapd.conf, and stracing the server I saw it was open and read, but the configuration inside is just ignored. Reading the manpage I found it says that sasl-auxprops "Specify which auxprop plugins to use for authentication lookups." and that the default is use the slapd internal support. But I did not define this one, and sasl/slapd.conf still seems to be ignored. And no possible values for the available plugins to use as sasl-auxprops parameter are listed. I could get DIGEST-MD5 authentication working putting the password inside the server (userPassword in CLEARTEXT), so it seems that the default is used anyway. But I'd like to have it working using using sasldb or configuring sasl/slapd.conf to use saslauthd. Regards Simone -- Simone Piccardi Truelite Srl piccardi(a)truelite.it (email/jabber) Via Monferrato, 6 Tel. +39-347-1032433 50142 Firenze http://www.truelite.it Tel. +39-055-7879597 Fax. +39-055-7333336

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2015