OpenLDAP installation. Am I missing something?
by Sherman Lilly
I may have this totally wrong, but why is there no installation documentation that tells somebody how to set up OpenLDAP the right way? After installing OpenLDAP you have no slapd.conf file, so that direction is not happening. If you modify any file in the slapd.d directory, startup will complain about a bad checksum. Yes, I know you can regenerate the checksum and fix that, but why? I can't find anywhere that tells you how to modify the base dn, rootdn, and root password without editing the files in slapd.d manually. Am I missing something? I have checked Google, YouTube, and other places and they all say manually edit files in slapd.d. That can't be the right way if the OpenLDAP server is complaining about doing it.
Sherman Lilly
7 years, 4 months
Searches with dereferencing causing high CPU load.
by Mark Cairney
Hi,
We're having severe performance issues for any query with alias
dereferencing set to "always".
Any query with this causes the CPU to spin up to 100% and if we have a
number of these concurrently the machine will become unresponsive.
We're using OpenLDAP 2.4.42 with the old hdb backend.
We do have a large number of aliases (~63,000). Could this be the cause?
Our olcMaxDerefDepth is currently set to "1"
--
/****************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney(a)ed.ac.uk
PGP: 0x435A9621
*******************************/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
7 years, 4 months
Integrate Openldap and Windows Active Directory Server
by Kaushal Shriyan
Hi,
Is there a way to integrate Openldap ldap server with Windows Server Active
Directory wherein AD will act as Authentication and Openldap will be setup
for Authorization?
Any help will be highly appreciated.
Regards,
Kaushal
7 years, 4 months
Keeping mdb files opened while mmapped
by Shlomi Vaknin
Hey,
I am using lmdb as a backend to a big database (and it's awesome, thanks!).
While trying to understand memory consumption of my process I came across
something interesting I'd like to get an expert's opinion about.
I am seeing that the "Virtual" memory is quite large, larger than I
expected, and it *might* be a problem in my case, I am being hit with lots
of page ins/outs (I have a 500GB RAM machines).
When I lsof my process, I am seeing that each mdb file is appearing twice
(I use many), eg:
_ lsof -p 59709 | grep 86510580
test 59709 vaknin mem REG 8,17 625500160 86510580 /fs/test1.mdb
test 59709 vaknin 239r REG 8,17 625500160 86510580 /fs/test1.mdb
I know that after mmaping a file, it is not needed to be kept open, and it
seems it is in lmdb. I then tried to see if this actually uses memory, and
I used memstat for this:
_ memstat -p 59709 -w | grep 86510580
1221680k(1221680k): [08:11]:86510580 59709
From this it seems that the file is indeed using twice as much (virtual)
memory as it should.. 2*625500160 ≈ 1221680000
(this test was repeated for many different files, all have a factor of ≈2)
I know this might simply be an artifact and might not actually be a
contributing reason for my swap ins/outs, but I wanted to hear what do you
think about it? Why does lmdb keep the file handles open?
By the way the swap ins/outs are happening later in the process, after
querying lmdb and processing its results.
Thanks!
7 years, 4 months
LMDB file size, again
by Christian Sell
Hello,
following up to my previous question regarding file size, I would like to ask
about the recommended approach:
1. set a low file size initially, watch for MDB_MAP_FULL return codes and
increase the file/map size stepwise as needed
2. choose a large file size and reduce the size by doing a mdb_copy when the
application shuts down
or maybe a combination of the two? How does SQLightning handle this (2. doesn't
sound practical)?
thanks,
Christian
7 years, 4 months
looking for example config olc for totp module.
by René van Dorst
Hi,
I am looking for an olc config example for the totp module.
I'd like to try the TOTP module.
But I can't get it to work, because I am not sure how to load it and
set it up.
Also I don't know what to expect once it is loaded.
I am using Ubuntu Wily 64-bit server, which uses on-line configuration (OLC).
Compiled it from git. Used tag OPENLDAP_REL_ENG_2_4_42 and cherry-pick
the totp directory from HEAD.
./configure --prefix=/usr/local/openldap --enable-overlays=yes
--enable-ldap --enable-spasswd --enable-modules
Also compiled the totp module in the directory itself and installed it.
ls -al /usr/local/libexec/openldap
-rw-r--r-- 1 root root 93234 Nov 13 22:51 pw-sha2.a
-rw-r--r-- 1 root root 928 Nov 13 22:51 pw-sha2.la
lrwxrwxrwx 1 root root 16 Nov 13 22:51 pw-sha2.so -> pw-sha2.so.0.0.0
lrwxrwxrwx 1 root root 16 Nov 13 22:51 pw-sha2.so.0 -> pw-sha2.so.0.0.0
-rwxr-xr-x 1 root root 72512 Nov 13 22:51 pw-sha2.so.0.0.0
-rw-r--r-- 1 root root 102352 Nov 13 22:50 pw-totp.a
-rw-r--r-- 1 root root 928 Nov 13 22:50 pw-totp.la
lrwxrwxrwx 1 root root 16 Nov 13 22:50 pw-totp.so -> pw-totp.so.0.0.0
lrwxrwxrwx 1 root root 16 Nov 13 22:50 pw-totp.so.0 -> pw-totp.so.0.0.0
-rwxr-xr-x 1 root root 69696 Nov 13 22:50 pw-totp.so.0.0.0
I modified the config file /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif,
which looks like this.
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
structuralObjectClass: olcModuleList
entryUUID: 628d5926-2244-1034-90e2-d7e1d71167a8
creatorsName: cn=config
createTimestamp: 20141227184617Z
entryCSN: 20141227184617.050515Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20141227184617Z
dn: cn=module
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: pw-totp
dn: olcOverlay=totp,olcDatabase=hdb,cn=config
olcOverlay: totp
I can run it with /usr/local/openldap/libexec/slapd -u openldap -g
openldap -F /etc/ldap/slapd.d -d config.
Again I don't know what to expect if the module is loaded.
Who can help me further?
Greats,
René van Dorst.
7 years, 4 months
startup failed
by BÖSCH Christian
Hi,
I set up an openldap server with all desired configs (cn=config, mmr, etc etc) as node 1.
Then I start it up, which is quite slow (I think it waits on node 2 which is not available yet).
Then I add an empty base tree:
dn: dc=example,dc=net
objectClass: dcObject
objectClass: organization
o: ORG1
o: ORG2
dc: example
dn: cn=admin,dc=example,dc=net
objectClass: organizationalRole
cn: LDAP Admin
cn: admin
dn: o=org1,dc=example,dc=net
o: ORG1
objectClass: organization
objectClass: top
dn: o=org2,dc=example,dc=net
o: ORG2
objectClass: organization
objectClass: top
After that restarting slapd always fails. That’s in debug log:
Nov 11 08:35:00 openldap1 slapd[27812]: slapd startup: initiated.
Nov 11 08:35:00 openldap1 slapd[27812]: backend_startup_one: starting "cn=config"
Nov 11 08:35:00 openldap1 slapd[27812]: config_back_db_open
Nov 11 08:35:00 openldap1 slapd[27812]: backend_startup_one: starting "dc=example,dc=net"
Nov 11 08:35:00 openldap1 slapd[27812]: mdb_db_open: database "dc=example,dc=net": dbenv_open(/var/db/openldap-data).
Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_search
Nov 11 08:35:00 openldap1 slapd[27812]: mdb_dn2entry("dc=example,dc=net")
Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_dn2id("dc=example,dc=net")
Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_dn2id: got id=0x1
Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_entry_decode:
Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_entry_decode
Nov 11 08:35:00 openldap1 slapd[27812]: search_candidates: base="dc=example,dc=net" (0x00000001) scope=2
Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_equality_candidates (objectClass)
Nov 11 08:35:00 openldap1 slapd[27812]: => key_read
Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_index_read: failed (-30798)
Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_equality_candidates: id=0, first=0, last=0
Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_equality_candidates (objectClass)
Nov 11 08:35:00 openldap1 slapd[27812]: => key_read
Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_index_read: failed (-30798)
Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_equality_candidates: id=0, first=0, last=0
Nov 11 08:35:00 openldap1 slapd[27812]: mdb_search_candidates: id=0 first=0 last=0
Nov 11 08:35:00 openldap1 slapd[27812]: mdb_search: no candidates
Nov 11 08:35:00 openldap1 slapd[27812]: send_ldap_result: conn=-1 op=0 p=0
Does anybody see the problem?
Kind regards,
Chris
7 years, 4 months
Re: RE24 testing call #3 (2.4.43) LMDB RE0.9 testing call #3 (0.9.17)
by Howard Chu
Volker Lendecke wrote:
> On Wed, Nov 11, 2015 at 09:49:49AM +0000, Howard Chu wrote:
>> Volker Lendecke wrote:
>>> On Wed, Nov 11, 2015 at 12:09:51AM +0000, Howard Chu wrote:
>>>> Unfortunately, PTHREAD_MUTEX_ROBUST_NP is an enum, not a macro, so
>>>> #ifdef won't work to detect it.
>>>>
>>>> The attached patch should work. Please report back; I won't merge it
>>>> unless we know it actually helps.
>>>
>>> Not sure you're aware, but there's RHEL5 (and thus Centos5 I
>>> believe) versions where glibc announces robust mutexes but
>>> the kernel is buggy: They are just not robust. tdb has a
>>> runtime check for this. Are you interested?
>>
>> Sure, post a link to more info.
>>
>> I found this since you mentioned it.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=628608
>>
>> But it only affects a mutex that was locked in a process that
>> subsequently forks a child. The LMDB docs already say explicitly
>> that a process must not fork with an open LMDB environment so this
>> particular issue doesn't affect us.
>
> Nope, this was properly ordered. Fork, then lock, then
> exit, and the subsequent locker did not get EOWNERDEAD. Not
> sure about the exact behavior anymore though.
>
> https://git.samba.org/?p=samba.git;a=blob;f=lib/tdb/common/mutex.c;h=fae4...
>
> has the tdb_runtime_check_for_robust_mutexes that verifies
> we're in a sane environment.
Thanks. I still see your test doing a fork after init'ing the mutex. That's
the condition that triggered the above bug - not the timing of the actual
mutex_lock. This was fixed in June 2011, glibc 2.15. And as before, it doesn't
affect LMDB.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 4 months
Re: RE24 testing call #3 (2.4.43) LMDB RE0.9 testing call #3 (0.9.17)
by Howard Chu
Volker Lendecke wrote:
> On Wed, Nov 11, 2015 at 12:09:51AM +0000, Howard Chu wrote:
>> Unfortunately, PTHREAD_MUTEX_ROBUST_NP is an enum, not a macro, so
>> #ifdef won't work to detect it.
>>
>> The attached patch should work. Please report back; I won't merge it
>> unless we know it actually helps.
>
> Not sure you're aware, but there's RHEL5 (and thus Centos5 I
> believe) versions where glibc announces robust mutexes but
> the kernel is buggy: They are just not robust. tdb has a
> runtime check for this. Are you interested?
Sure, post a link to more info.
I found this since you mentioned it.
https://bugzilla.redhat.com/show_bug.cgi?id=628608
But it only affects a mutex that was locked in a process that subsequently
forks a child. The LMDB docs already say explicitly that a process must not
fork with an open LMDB environment so this particular issue doesn't affect us.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
7 years, 4 months
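A runtime probe of the kind discussed in the robust-mutex thread above, as an added example that is not tdb's, LMDB's or any poster's code: it initialises a process-shared robust mutex, forks, lets the child die holding the lock, and checks that the next locker is told EOWNERDEAD. The function name `robust_mutex_works` is hypothetical, and Linux with glibc is assumed.

```c
#define _GNU_SOURCE /* MAP_ANONYMOUS and the robust-mutex API under strict -std modes */
#include <errno.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: 1 = dead owner is reported as EOWNERDEAD,
 * 0 = the mutex is not really robust, -1 = the probe could not be set up. */
int robust_mutex_works(void)
{
    pthread_mutexattr_t attr;
    int rc, status = 0, result = -1;
    pid_t pid;
    pthread_mutex_t *m = mmap(NULL, sizeof(*m), PROT_READ | PROT_WRITE,
                              MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    if (pthread_mutexattr_init(&attr) != 0)
        goto unmap;
    /* PTHREAD_MUTEX_ROBUST is an enum value in glibc, so #ifdef cannot
     * detect it; the attribute call and the probe below decide at run time. */
    rc = pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED);
    if (rc == 0) rc = pthread_mutexattr_setrobust(&attr, PTHREAD_MUTEX_ROBUST);
    if (rc == 0) rc = pthread_mutex_init(m, &attr);
    pthread_mutexattr_destroy(&attr);
    if (rc != 0)
        goto unmap;
    pid = fork();               /* fork after init, the order debated in the thread */
    if (pid == 0)               /* child: take the lock and die holding it */
        _exit(pthread_mutex_lock(m) == 0 ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) != pid ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        goto destroy;
    /* trylock: a non-robust mutex yields EBUSY here instead of hanging */
    rc = pthread_mutex_trylock(m);
    if (rc == EOWNERDEAD) {
        /* Repair the state so later lockers do not get ENOTRECOVERABLE. */
        result = pthread_mutex_consistent(m) == 0 && pthread_mutex_unlock(m) == 0;
    } else {
        result = 0;
        if (rc == 0) pthread_mutex_unlock(m);
    }
destroy:
    pthread_mutex_destroy(m);
unmap:
    munmap(m, sizeof(*m));
    return result;
}

int main(void) { return robust_mutex_works() == 1 ? 0 : 1; }
```

Build with `cc -pthread`; the process exit status is 0 when the platform delivers EOWNERDEAD.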