openldap-technical November 2015

openldap-technical@openldap.org

64 participants
60 discussions

OpenLDAP installation. Am I missing something?
by Sherman Lilly 18 Nov '15

18 Nov '15

I may have this totally wrong but why is there no installation documentation that tells somebody how to setup OpenLDAP the right way. After installing OpenLDAP you have no slapd.conf file so that direction is not happening. If you modify any file in the slapd.d directory, startup will complain about bad checksum. Yes I know you can regenerate the checksum and fix that but why? I can't find any where that tells you how to modify the base dn, rootdn, and root password without editing the files in the slapd.d manually. Am I missing something? I have check Google, Youtube, and other places and they all say manually edit files in slapd.d. That can't be the right way if openldap server is complaining about doing it. Sherman Lilly

4 6

Searches with dereferncing causing high CPU load.
by Mark Cairney 18 Nov '15

18 Nov '15

Hi, We're having severe performance issues for any query with alias dereferencing set to "always". Any query with this causes the CPU to spin up to 100% and if we have a number of these concurrently the machine will become unresponsive. We're using OpenLDAP 2.4.42 with the old hdb backend. We do have a large number of aliases (~63,000). Could this be the cause? Our olcMaxDerefDepth is currently set to "1" -- /**************************** Mark Cairney ITI UNIX Section Information Services University of Edinburgh Tel: 0131 650 6565 Email: Mark.Cairney(a)ed.ac.uk PGP: 0x435A9621 *******************************/ The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

4 9

Integrate Openldap and Windows Active Directory Server
by Kaushal Shriyan 17 Nov '15

17 Nov '15

Hi, Is there a way to integrate Openldap ldap server with Windows Server Active Directory wherein AD will act as Authentication and Openldap will be setup for Authorization? Any help will be highly appreciable. Regards, Kaushal

4 4

Keeping mdb files opened while mmapped
by Shlomi Vaknin 17 Nov '15

17 Nov '15

Hey, I am using lmdb as a backend to a big database (and its awesome, thanks!). While trying to understand memory consumption of my process I came across something interesting I'd like to get an expert's opinion about. I am seeing that the "Virtual" memory is quite large, larger than I expected, and it *might* be a problem in my case, I am being hit with lots of page ins/outs (I have a 500GB RAM machines). When I lsof my process, I am seeing that each mdb file is appearing twice (I use many), eg: _ lsof -p 59709 | grep 86510580 test 59709 vaknin mem REG 8,17 625500160 86510580 /fs/test1.mdb test 59709 vaknin 239r REG 8,17 625500160 86510580 /fs/test1.mdb I know that after mmaping a file, it is not needed to be kept open, and it seems it is in lmdb. I then tried to see if this actually uses memory, and I used memstat for this: _ memstat -p 59709 -w | grep 86510580 1221680k(1221680k): [08:11]:86510580 59709 >From this it seems that the file is indeed using twice as much (virtual) memory as it should.. 2*625500160 ≈ 1221680000 (this test was repeated for many different files, all have a factor of ≈2) I know this might simply be an artifact and might not actually be a contributing reason for my swap ins/outs, but I wanted to hear what do you think about it? Why does lmdb keep the file handles open? By the way the swap ins/outs are happening later in the process, after querying lmdb and processing its results. Thanks!

2 1

LMDB file size, again
by Christian Sell 16 Nov '15

16 Nov '15

Hello, following up to my previous question regarding file size, I would like to ask about the recommended approach: 1. set a low file size initially, watch for MDB_MAP_FULL return codes and increase the file/map size stepwise as needed 2. choose a large file size and reduce the size by doing a mdb_copy when the application shuts down or maybe a combination of the two? How does SQLightning handle this (2. doesn't sound practical)? thanks, Christian

4 11

looking for example config olc for totp module.
by René van Dorst 15 Nov '15

15 Nov '15

Hi, I am looking a olc config example for totp module. I like to try TOTP module. But I don't get it to work. Because I am not sure how to load it and set it up. Also I don't no what to except once it loaded. I using Ubuntu Wily 64-bit server which used on-line configuration (OLC). Compiled it from git. Used tag OPENLDAP_REL_ENG_2_4_42 and cherry-pick the totp directory from HEAD. ./configure --prefix=/usr/local/openldap --enable-overlays=yes --enable-ldap --enable-spasswd --enable-modules Also compiled the totp module in the directory self and installed. ls -al /usr/local/libexec/openldap -rw-r--r-- 1 root root 93234 Nov 13 22:51 pw-sha2.a -rw-r--r-- 1 root root 928 Nov 13 22:51 pw-sha2.la lrwxrwxrwx 1 root root 16 Nov 13 22:51 pw-sha2.so -> pw-sha2.so.0.0.0 lrwxrwxrwx 1 root root 16 Nov 13 22:51 pw-sha2.so.0 -> pw-sha2.so.0.0.0 -rwxr-xr-x 1 root root 72512 Nov 13 22:51 pw-sha2.so.0.0.0 -rw-r--r-- 1 root root 102352 Nov 13 22:50 pw-totp.a -rw-r--r-- 1 root root 928 Nov 13 22:50 pw-totp.la lrwxrwxrwx 1 root root 16 Nov 13 22:50 pw-totp.so -> pw-totp.so.0.0.0 lrwxrwxrwx 1 root root 16 Nov 13 22:50 pw-totp.so.0 -> pw-totp.so.0.0.0 -rwxr-xr-x 1 root root 69696 Nov 13 22:50 pw-totp.so.0.0.0 I modfied the config file /etc/ldap/slapd.d/cn\=config/cn\=module\{0\}.ldif. Which look like this. dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb structuralObjectClass: olcModuleList entryUUID: 628d5926-2244-1034-90e2-d7e1d71167a8 creatorsName: cn=config createTimestamp: 20141227184617Z entryCSN: 20141227184617.050515Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20141227184617Z dn: cn=module objectClass: olcModuleList cn: module olcModulePath: /usr/local/libexec/openldap olcModuleLoad: pw-totp dn: olcOverlay=totp,olcDatabase=hdb,cn=config olcOverlay: totp I can run it with /usr/local/openldap/libexec/slapd -u openldap -g openldap -F /etc/ldap/slapd.d -d config. Again I don't know what to expect if the modules is load. Who can help me futher. Greats, René van Dorst.

3 2

Syncrepl Error : critical extension is not recognized
by David Gabriel 13 Nov '15

13 Nov '15

Dears, I am new in OpenLDAP world ! I want to use syncrepl in order to synchronize my consumer which is a Python application. I configured the server side based on this tutorial <http://www.openldap.org/doc/admin24/replication.html>, I restart my server but I get the following error when I run my python application <https://github.com/rbarrois/python-ldap/blob/master/Demo/pyasn1/syncrepl.py> : 'info': 'critical extension is not recognized', 'desc': 'Critical extension is unavailable' NB: I didn't consider the "Set up the consumer slapd" section because I am relying on the python consumer application <https://github.com/rbarrois/python-ldap/blob/master/Demo/pyasn1/syncrepl.py> . Please tell me what shall I do ? Any help from your side is welcome ? Thanks in advance. Regards

1 0

startup failed
by BÖSCH Christian 11 Nov '15

11 Nov '15

Hi, I set up an openldap server with all desired configs (cn=config, mmr, etc etc) as node 1. Then I start it up, which is quite slow (I think it waits on node 2 which is not available yet). Then I add an empty base tree: dn: dc=example,dc=net objectClass: dcObject objectClass: organization o: ORG1 o: ORG2 dc: example dn: cn=admin,dc=example,dc=net objectClass: organizationalRole cn: LDAP Admin cn: admin dn: o=org1,dc=example,dc=net o: ORG1 objectClass: organization objectClass: top dn: o=org2,dc=example,dc=net o: ORG2 objectClass: organization objectClass: top After that restarting slapd always fails. That’s in debug log: Nov 11 08:35:00 openldap1 slapd[27812]: slapd startup: initiated. Nov 11 08:35:00 openldap1 slapd[27812]: backend_startup_one: starting "cn=config" Nov 11 08:35:00 openldap1 slapd[27812]: config_back_db_open Nov 11 08:35:00 openldap1 slapd[27812]: backend_startup_one: starting "dc=example,dc=net" Nov 11 08:35:00 openldap1 slapd[27812]: mdb_db_open: database "dc=example,dc=net": dbenv_open(/var/db/openldap-data). Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_search Nov 11 08:35:00 openldap1 slapd[27812]: mdb_dn2entry("dc=example,dc=net") Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_dn2id("dc=example,dc=net") Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_dn2id: got id=0x1 Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_entry_decode: Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_entry_decode Nov 11 08:35:00 openldap1 slapd[27812]: search_candidates: base="dc=example,dc=net" (0x00000001) scope=2 Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_equality_candidates (objectClass) Nov 11 08:35:00 openldap1 slapd[27812]: => key_read Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_index_read: failed (-30798) Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_equality_candidates: id=0, first=0, last=0 Nov 11 08:35:00 openldap1 slapd[27812]: => mdb_equality_candidates (objectClass) Nov 11 08:35:00 openldap1 slapd[27812]: => key_read Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_index_read: failed (-30798) Nov 11 08:35:00 openldap1 slapd[27812]: <= mdb_equality_candidates: id=0, first=0, last=0 Nov 11 08:35:00 openldap1 slapd[27812]: mdb_search_candidates: id=0 first=0 last=0 Nov 11 08:35:00 openldap1 slapd[27812]: mdb_search: no candidates Nov 11 08:35:00 openldap1 slapd[27812]: send_ldap_result: conn=-1 op=0 p=0 Does anybody see the problem? King regards, Chris

3 4

Re: RE24 testing call #3 (2.4.43) LMDB RE0.9 testing call #3 (0.9.17)
by Howard Chu 11 Nov '15

11 Nov '15

Volker Lendecke wrote: > On Wed, Nov 11, 2015 at 09:49:49AM +0000, Howard Chu wrote: >> Volker Lendecke wrote: >>> On Wed, Nov 11, 2015 at 12:09:51AM +0000, Howard Chu wrote: >>>> Unfortunately, PTHREAD_MUTEX_ROBUST_NP is an enum, not a macro, so >>>> #ifdef won't work to detect it. >>>> >>>> The attached patch should work. Please report back; I won't merge it >>>> unless we know it actually helps. >>> >>> Not sure you're aware, but there's RHEL5 (and thus Centos5 I >>> believe) versions where glibc announces robust mutexes but >>> the kernel is buggy: They are just not robust. tdb has a >>> runtime check for this. Are you interested? >> >> Sure, post a link to more info. >> >> I found this since you mentioned it. >> >> https://bugzilla.redhat.com/show_bug.cgi?id=628608 >> >> But it only affects a mutex that was locked in a process that >> subsequently forks a child. The LMDB docs already say explicitly >> that a process must not fork with an open LMDB environment so this >> particular issue doesn't affect us. > > Nope, this was properly ordered. Fork, then lock, then > exit, and the subsequent locker did not get EOWNERDEAD. Not > sure about the exact behavior anymore though. > > https://git.samba.org/?p=samba.git;a=blob;f=lib/tdb/common/mutex.c;h=fae43d… > > has the tdb_runtime_check_for_robust_mutexes that verifies > we're in a sane environment. Thanks. I still see your test doing a fork after init'ing the mutex. That's the condition that triggered the above bug - not the timing of the actual mutex_lock. This was fixed in June 2011, glibc 2.15. And as before, it doesn't affect LMDB. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: RE24 testing call #3 (2.4.43) LMDB RE0.9 testing call #3 (0.9.17)
by Howard Chu 11 Nov '15

11 Nov '15

Volker Lendecke wrote: > On Wed, Nov 11, 2015 at 12:09:51AM +0000, Howard Chu wrote: >> Unfortunately, PTHREAD_MUTEX_ROBUST_NP is an enum, not a macro, so >> #ifdef won't work to detect it. >> >> The attached patch should work. Please report back; I won't merge it >> unless we know it actually helps. > > Not sure you're aware, but there's RHEL5 (and thus Centos5 I > believe) versions where glibc announces robust mutexes but > the kernel is buggy: They are just not robust. tdb has a > runtime check for this. Are you interested? Sure, post a link to more info. I found this since you mentioned it. https://bugzilla.redhat.com/show_bug.cgi?id=628608 But it only affects a mutex that was locked in a process that subsequently forks a child. The LMDB docs already say explicitly that a process must not fork with an open LMDB environment so this particular issue doesn't affect us. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2015