December 2015 - openldap-technical

RE: lmdb Handle Leak with VL32 on Windows

by Jeremiah Morrill

Submitted (seems like #8342). Apologies for not doing this before. I will go through ITS with reports in the future. -Jer From: Howard Chu<mailto:hyc@symas.com> Sent: Monday, December 28, 2015 12:12 AM To: Jeremiah Morrill<mailto:Jeremiah.Morrill@econnect.tv>; openldap-technical(a)openldap.org<mailto:openldap-technical@openldap.org> Subject: Re: lmdb Handle Leak with VL32 on Windows Jeremiah Morrill wrote: > I noticed what I believe may be a handle leak against the latest (commit > 7b9928c) on github, with the MDB_VL32 on Windows. After some poking around, > it seems to be the file mapping handle, env->me_fmh. I threw it to a > CloseHandle in the env_close0(…) and it seemed to resolve it. Please submit this to the ITS. > > Here’s a quick diff: > > diff --git a/src/lmdb.c b/src/mdb.c > > index a564d40..190c860 100644 > > --- a/src/mdb.c > > +++ b/src/mdb.c > > @@ -5350,6 +5350,7 @@ mdb_env_close0(MDB_env *env, int excl) > > } > > #ifdef MDB_VL32 > > #ifdef _WIN32 > > + if (env->me_fmh) CloseHandle(env->me_fmh); > > if (env->me_rpmutex) CloseHandle(env->me_rpmutex); > > #else > > pthread_mutex_destroy(&env->me_rpmutex); > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

5 years, 3 months

1
0
0 / 0

Can't open env with required mapsize on windows .

by Mohammed Muneer

I can env_set_mapsize(env, 1 GB) without any problems in linux. But on windows, it is a different story Machine 1) Windows 64 only opens with upto 10 MB (apporx) Machine 2 Windows 64 only opens with upto 500 MB (apporx) Machine 3) Virtual box Windows 64 running on linux works with 1 GB Q1) So why is this happening. Am I doing anything wrong. Q2) And setting env_set_mapsize before calling open is not enough. I need to set env_set_mapsize(env, 0) just before beginning a write transaction inorder to insert something or otherwise the application indefinitely hangs on the second insert transaction. Both the above questions concerns just Windows. Everything is fine with linux.

5 years, 3 months

2
2
0 / 0

lmdb Handle Leak with VL32 on Windows

by Jeremiah Morrill

I noticed what I believe may be a handle leak against the latest (commit 7b9928c) on github, with the MDB_VL32 on Windows. After some poking around, it seems to be the file mapping handle, env->me_fmh. I threw it to a CloseHandle in the env_close0(…) and it seemed to resolve it. Here’s a quick diff: diff --git a/src/lmdb.c b/src/mdb.c index a564d40..190c860 100644 --- a/src/mdb.c +++ b/src/mdb.c @@ -5350,6 +5350,7 @@ mdb_env_close0(MDB_env *env, int excl) } #ifdef MDB_VL32 #ifdef _WIN32 + if (env->me_fmh) CloseHandle(env->me_fmh); if (env->me_rpmutex) CloseHandle(env->me_rpmutex); #else pthread_mutex_destroy(&env->me_rpmutex);

5 years, 3 months

2
1
0 / 0

Authenticating clients

by bluethundr＠gmail.com

Hey guys, I've recently disabled anonymous binds and required TLS on my OpenLDAP sever in order to log in. Back when I was testing and anonymous binds were enabled and TLS was off I could get LDAP accounts to login to the servers. And using a simple tool like "authconfig-tui" under CentOS was all I needed to use to set that up. Where can I find the docs to configure a client server to allow LDAP account logins with anonymous binds disabled and TLS required on the OpenLDAP server? I need to do this for both Red Hat/CentOS machines and Ubuntu clients as well. I've been googling and haven't found anything helpful for both types. Thanks, Tim Sent from my iPhone

5 years, 3 months

2
1
0 / 0

users don't get prompt to change password (pwdMustChange attribute)

by Rajagopal Rc

Hello, I am trying to force user to change their password at first logon and on password reset. OS RHEL7 Openldap version 2.4.39-7.el7_1.x86_64 I have tried the following 1) I have set the pwdMustChange attribute to TRUE in ppolicy, but when user logon to client at first time or after resetting password, it just allow suer to logon without prompting to change the password, 2) I have set the pwdReset attribute to TRUE in user attribute for particular user, this doesn't allow user to login at all and keep prompting for password without allowing to login. Also i red in blogs this is not correct way, but couldn't find more information on this. is there any way to force users to change their password at first logon and after resetting password by admin. ? Current ppolicy Thanks & Regards Raj =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 years, 3 months

1
0
0 / 0

Issue while changing user password by self

by Rajagopal Rc

Hello, I am trying to allow users to change their own passwords OS RHEL7 Openldap version 2.4.39-7.el7_1.x86_64 ACL in slapd.conf disallow bind_anon access to attrs=userPassword by self write by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * auth access to * by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * break access to * by dn="cn=Manager,dc=rnd,dc=com" by users read by self write by * auth from client machine 'user5' is trying to change own password and getting following error $ ldappasswd -H ldaps://ldapdev.rnd.com:636 -x -D "cn=user 5,ou=people,dc=rnd,dc=com" -W -A -S Old password: Re-enter old password: New password: Re-enter new password: Enter LDAP Password: Result: Insufficient access (50) Additional info: User alteration of password is not allowed This error looks like issue with permissions, yet i have already allowed access to attrs=userPassword by self write in slapd.conf, please let me know if there is any thing wrong in above ACL and why i am getting this error Thanks & Regards Raj =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 years, 3 months

4
6
0 / 0

Segmentation fault (core dumped) on ldapmodify

by Tim Dunphy

Hey guys, I have these options set for SSL in my cn=config setup: [root@ldap1:~] #ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config|grep ssl SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 olcTLSCACertificateFile: /etc/ssl/certs/ldap-ca-cert.pem olcTLSCertificateFile: /etc/ssl/certs/ldap-server.crt olcTLSCertificateKeyFile: /etc/ssl/certs/ldap-server.key And I want to change the settings to the contents of this ldif file: [root@ldap1:~] #cat addcerts.ldif dn: cn=config changetype: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/pki/CA/certs/ca.crt - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ldap/ssl/ldap1.example.com.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap1.example.com.key But when I try to do that I get an error: [root@ldap1:~] #ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 Segmentation fault (core dumped) I wonder if I could be running low on memory: [root@ldap1:~] #free -m total used free shared buffers cached Mem: 992 815 177 10 140 445 -/+ buffers/cache: 229 762 Swap: 0 0 0 Could this be causing the error? How can I make this change without encountering the segmentation fault? Thanks, Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

5 years, 3 months

3
4
0 / 0

pwdChangedTime Undefined Attribute

by Borresen, John - 0444 - MITLL

All, The "ppolicy" overlay has been loaded to my bdb. The cn=default,ou=pwpolicies,dc=group,dc=ldap has been defined. The pwdPolicySubentry operational attribute was added to uid=jdoe,ou=Users,dc=group,dc=ldap, as well. Now, trying to add the pwdChangedTime attribute to the jdoe UID. Ran "ldapadd" from the command-line: # ldapmodify -d 4 -x -W -H ldap://ldapsrvr.group.ldap -D cn=ldapadmin,dc=group,dc=ldap Enter LDAP Password: ############ dn: uid=jdoe,ou=Users,dc=group,dc=ldap changetype: add add: pwdChangedTime pwdChangedTime: 201512231458Z adding new entry "uid=jdoe,ou=Users,dc=group,dc=ldap" ldap_add: Undefined attribute type (17) additional info: add: attribute type undefined >From my reading, this should be an Operational Attribute that isn't constrained or defined by an ObjectClass. Thanks for the help in advance. Btw, I am running OpenLDAP 2.4.40. John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Humanitarian Assistance and Disaster Relief (HADR) Systems 244 Wood St Lexington, MA 02420 Email: <mailto:john.borresen@ll.mit.edu> john.borresen(a)ll.mit.edu

5 years, 3 months

2
4
0 / 0

LMDB many dup fixed size elements

by Simon Majou

Hello, I want to allow users to create tables with dup fixed size. A solution would be to create named databases, but that would make potentially a lot of tables (for instance millions), and doesn't seem ok cf the comment on function mdb_env_set_maxdbs. Another solution would be to create one DB for each fixed size and insert the users and their tables inside. Would it be better ? -- Best regards, Simon

5 years, 3 months

1
0
0 / 0

openldap newbie - olcAccess ACL configuration

by Gary Spencer

Hi, I have deployed a new OpenLDAP server (RHEL 7.1 / openldap-2.4) and have read Matt Butcher's 'Mastering ...' book and the OpenLDAP-Admin-Guide but I'm continuing to struggle to find the information I need to satisfactorily configure using the dynamic way of working instead of using the legacy slapd.conf method. (Any reference to administering ldap using dynamic method would be appreciated) I have OpenLDAP basically configured to answer queries using the Manager object, but I want to remove current privileges and have just two accounts in the system ou - one with read only to the users ou and all objects therein, and one with the equivalent of Manager rights to the users OU that I can give to my devs to create their own users. I would retain the Manager account for full access, but would just like to give out the readonly and readwrite accounts in system OU permissions to users OU, and remove users permissions to anything but themselves. My intention is to delete the existing olcAccess rules and implement a new set, but I can't get rid of the old rules as it's not letting me. When I try 'ldapmodify -x -W -H "ldap://HOSTNAME" -D "cn=Manager,dc=SUBDOMAIN,dc=DOMAIN,dc=TLD" -f acl_delete_file.ldif' I receive :- 'modifying entry "olcDatabase={2}hdb,cn=config" ldap_modify: Insufficient access (50)' The delete ldif looks like this :- # {2}hdb, config dn: olcDatabase={2}hdb,cn=config delete: olcAccess I am using the default hdb database. I understood 'Manager' had full access to everything regardless, can anyone shed any light on why this request would be refused ? Gary Spencer Infrastructure Project Engineer [http://www.sis.tv/contentAsset/raw-data/369d823c-5153-4089-a9b6-4d868930a...]<http://www.sis.tv/contact/streaming-from-sis.html> ********************************************************************** Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307 The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system. **********************************************************************

5 years, 3 months

2
1
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2015