openldap-technical March 2015

openldap-technical@openldap.org

51 participants
70 discussions

git problems
by Mattes 23 Mar '15

23 Mar '15

Hello list, while upgrading my local git checkout I just realized that the repository contains serveral files under contrib/ldapc++ that should never be put under version control: l$ git pull Updating 7a7d941..ff7c0e5 error: Your local changes to the following files would be overwritten by merge: contrib/ldapc++/Makefile.in contrib/ldapc++/configure contrib/ldapc++/examples/Makefile.in contrib/ldapc++/src/Makefile.in all these files are generated during the build process (by automake/autoconf) Can someone with commit permission please fix this? TIA Ralf Mattes

2 1

OpenLDAP permissions question
by Igor Shmukler 21 Mar '15

21 Mar '15

Hello, I have been spamming this list, looking for insights into why I cannot configure OpenLDAP to use cn=config to delete an entry inside a DIT. Sorry. Just now thought of and conducted another experiment. The results surprised me. If someone can please explain why OpenLDAP behaves this way, and whether this can be altered through configuration, it would certainly get me further on my way. When I try to delete an entry using LDAPI as below: $ sudo ldapdelete -Y external -H ldapi:/// cn=john,dc=directory,dc=com ldap_delete: Insufficient access (50) additional info: no write access to parent I do the same using domain administrator credentials and below and it works fine: $ ldapdelete -D cn=admin,dc=directory,dc=google,dc=com -W -x cn=john,dc=directory,dc=com Why LDAPI does not work? What can be done? Thank you, Igor Shmukler

8 21

Schema error: attributeType ...
by Zhang,Jun 20 Mar '15

20 Mar '15

This error with a yellow exclamation point caused nothing to be shown on the right panel of the phpldapadmin console. Schema error: attributeType "olmdburilist" inherits from "managedInfo", but attributeType "managedInfo" does not exist. OpenLDAP 2.4.23 RHEL 6 Putting phpldapadmin in debug mode, I did not find anything related to the error message. Jun

2 2

slapd does not log neither to syslog nor systemd' sjournal
by lejeczek 20 Mar '15

20 Mar '15

hi everybody on rhel 7 when I start slapd I see it is running: /usr/sbin/slapd -u ldap -h ldapi:/// ldap://192.168.2.33/ ldaps://192.168.2.33/ -s 160 and yet I don't get anything in rsyslog logs nor in systemd's journal When I stick slapd to terminal with only -d instead of -s everything is as expected. weird, right? any suggestions very appreciated.

1 1

Re: OpenLDAP permissions question
by Marc Patermann 20 Mar '15

20 Mar '15

Igor, Igor Shmukler schrieb (20.03.2015 11:21 Uhr): > Unfortunately, your email does not clear anything, FOR ME. It does not > mean you are not 100% correct. I am just slow, I guess. Sorry. do simple things first! Do more complex things later! - Configure a rootdn with rootpw for each database. Use this to authenticate to slapd und modify things. This works? Fine, go on. - Create a user entry inside your DIT. Use this entry as rootdn. This works? Fine, go on. - Map this user entry from your local unix user with olcAuthzRegexp to use with ldapi and EXTERNAL. This works? Fine, go on. - or make your first steps with ACLs and another user entry. > I don't see why/how Michael's suggestion with olcAuthzRegexp could > work. The way that could have worked - multiple remaps, different for > each database is not allowed. Read again what Michael said: "authz-regexp is a global configuration option." > The one permitted - inside config > database, as far as I understand, does not do what I need. Do you need multiple mappings? As you are one user on your system, this maps to one user in ldap with olcAuthzRegexp. As Micheal already posted: authz-regexp "gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com" uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com. Marc

2 6

back-meta: dependency on ldap.conf
by Liam Gretton 20 Mar '15

20 Mar '15

OpenLDAP 2.4.40, SLES x86_64. This will seem crazy, but it looks to me that back-meta uses /etc/openldap/ldap.conf for its TLS configuration instead of the tls_options set explicitly within slapd.conf. Within my meta configuration I have the following for idassert-bind: idassert-bind bindmethod=simple binddn="cn=user,dc=example,dc=com credentials="password" flags=prescriptive tls_cacert=/etc/ssl/certs/ca.pem tls_cacertdir=/etc/ssl/certs tls_reqcert=demand None of the TLS options seem to have any effect here at all (I can put nonsensical values to the tls options here and slapd doesn't complain at all). Instead it's necessary to use /etc/openldap/ldap.conf for back-meta to bind over SSL/TLS: tls_cacert /etc/ssl/certs/ca.pem tls_cacertdir /etc/ssl/certs Any changes to ldap.conf get picked up by back-meta on a restart. This can't be right, surely? As an aside, I can't see why it's necessary to have to specify both tls_cacert (pointing at the last CA in the chain) as well as tls_cacertdir, but it is. -- Liam Gretton liam.gretton(a)le.ac.uk Systems Specialist http://www.le.ac.uk/its/ IT Services Tel: +44 (0)116 2522254 University Of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

1 2

OpenLDAP freeze
by Cyril Grosjean 20 Mar '15

20 Mar '15

I've an OpenLDAP 2.4.32 server with millions of entries, which uses to serve tens of requests per second. It works as a stand-alone master server (replication is setup but the slave server is down) I noticed several times, at different times and dates, that no lines are logged in the OpenLDAP access log for a few minutes, as if it was frozen. I try to figure out what could explain that ? I checked the usual system counters (CPU, IO, Memory, free disk space, ...) as well as the running processes, but did not notice anything suspicious. Since the OpenLDAP server runs in a virtual machine, I'm currently trying to monitor the ESX hypervisor. Any idea of what could go wrong ?

2 2

FW: questions about LMDB
by Shu, Xinxin 20 Mar '15

20 Mar '15

CC technical list Cheers, xinxin -----Original Message----- From: openldap-devel [mailto:openldap-devel-bounces@openldap.org] On Behalf Of Shu, Xinxin Sent: Friday, March 20, 2015 8:50 AM To: Howard Chu; openldap-devel(a)openldap.org Subject: RE: questions about LMDB Sorry for the wrong mail list , I will forward this request to technical list Cheers, xinxin -----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Thursday, March 19, 2015 11:52 PM To: Shu, Xinxin; openldap-devel(a)openldap.org Subject: Re: questions about LMDB Shu, Xinxin wrote: > Several other questions about lmdb > > 1) does lmdb store one key-value pair in a single page? How lmdb organizes these key-value pairs in a single page > 2) if size is larger than single page size , how lmdb process this request? This list is for developers to discuss actual coding issues inside the OpenLDAP code; your questions are too elementary and don't belong here. Use the -technical list for user-oriented questions. > > Any help will be appreciated ? thanks > > Cheers, > xinxin > > -----Original Message----- > From: Shu, Xinxin > Sent: Thursday, March 19, 2015 3:49 PM > To: openldap-devel(a)openldap.org > Cc: Shu, Xinxin > Subject: questions about LMDB > > Hi list , > > Recently I read docs about lmdb , there are two sentences > 1) readers do not block writers > 2) writers do not block readers > I can understand 'readers do not block writers' , but cannot understand the second one , can someone help explain , how lmdb achieve 'writers do not block readers', below is my understandings , please correct me if anything wrong. > if the access pattern is write - read, since lmdb only support two version of data , when the write has been started but not committed , the concurrent read may read stale data since write has not been committed. > > Cheers, > xinxin > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

file descriptor setting
by Daniel Jung 20 Mar '15

20 Mar '15

Hi, Running 2.4.39 on centos 6. I set the open file limit to 200000 today as part of testing and it ran fine for a while and then an hour or so later the daemon died with no trace in the logs. I am running stats and sync at the moment. Would i need to run args to capture issue like this? Thanks

1 0

what is wrong with my permissions?
by Igor Shmukler 19 Mar '15

19 Mar '15

Hello, Sorry. I need help, again! I am trying to configure my OpenLDAP so that cn=config has full over-the-network write-access with a password.I thought at one point that I got the permissions working. It turns out, those are not working, now. Please say what I am doing wrong. Last time, I had a similar problem with policy. Michael S. saved me a bunch of time by advising to load ppolicy.ldif [with the appropriate schema]. This is obviously no indicator of any kind, yet the problem might be not in the LDIFs or ... I understood that manage is the LDIF version of full permissions. Found olcAccess syntax as "olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+" My OLC directives for ldapmodify(1) are below: dn: olcDatabase={0}config,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break olcAccess: {1}to * by self write by dn="cn=config" write by * read dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK I tried various combinations, like: olcAccess: {1}to * by dn=cn=config manage by * read The old commands are valid, yet do not result in the desired configuration. Instead, when ldapdelete(1) is invoked, I get: ldap_delete: Insufficient access (50) additional info: no write access to parent Please advise. I thank everyone on who has been reading my messages. People on this list have been extremely helpful. Sincerely, Igor Shmukler

2 9

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2015