--On Tuesday, April 21, 2015 1:16 PM +0200 Ulrich Windl
>>>> "fabymoscarella(a)virgilio.it" <fabymoscarella(a)virgilio.it> wrote on
> at 11:23 in message <14cdb4a4678.fabymoscarella(a)virgilio.it>:
>> thank you for your interest. I was mistakenly sure of the field's
>> I would have liked to use the "etime" field to monitor OpenLDAP
>> dependability through my SIEM platform, by identifying long lasting
>> Could you please give me some pointers about monitoring "operations
>> completed" or any other useful parameter?
># if you configured monitoring...
># just querying "search" operations here...
> e.g. ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=operations,cn=monitor' -s
> sub '(cn=Search)' monitorOpCompleted
As Ulrich notes, simply enable the monitoring backend. I suggest reading
up on the slapd-monitor(5) man page. Btw, I've patched my openldap build
with the ITS noted, and it's working just fine, although the term is
"duration" not "etime".
Zimbra :: the leader in open source messaging and collaboration
**** Please note the new submissions address ****
The fifth International Conference on LDAP and Directory Services will be
held in the UK at the University of Edinburgh School of Informatics Forum.
Tutorials: 11th November 2015
Conference: 12th and 13th November 2015
Call for papers and tutorials
You are using LDAP in interesting projects?
You do LDAP client or server development?
You have used LDAP in a new way?
You do identity and access management on top of LDAP?
Why not share your ideas and experiences with others?
We are looking for speakers who are willing to talk about any topic
related to LDAP and identity management, including:
LDAP technology implementation (Servers, API, User interfaces etc.)
LDAP Usage (Schema, Security, Operations, Scaling, big data, etc.)
LDAP related technologies (PKI, XACML, SAML, etc.)
LDAP and Beyond (IAM, Identity Federation, Authentication on the web, etc.)
Best Practices for directory services.
Accepted talks will be grouped into tracks such as
standards/development and deployment/administration.
Deadlines & Important Dates
Submission Deadline: 28th June
Author Notification: 10th July
Final Papers due: 10th October 2015
Tutorials: 11th November 2015
Conference: 12th-13th November 2015
Main presentations should last about 45 minutes including discussion;
we will also provide smaller slots of 15 minutes and 5 minutes for
poster presentations or lightning talks. Please tell us which duration
you prefer when proposing your talk. The talk must be in English.
The one and only way to submit your abstract (approximately 200-800 words,
accompanied by your biography of about 100-300 words) is via email to
submissions2015(a)lists.ldapcon.org. Abstracts must reach the Program Committee
by 28th June 2015. Early submission is encouraged. We already have several papers.
All abstracts will be reviewed by the program committee.
For accepted talks we expect you to submit slides and/or a paper
of approximately 2-10 pages (A4 or US Letter format, 25mm borders,
preferably LaTeX source or OpenOffice).
For 5-minute talks, a brief abstract is required. A short paper, slides or
a poster should be provided for accepted talks. We will provide display
boards for posters throughout the conference.
By submitting a paper you grant the conference organizers the
non-exclusive right to publish your paper in the conference proceedings
and on the website; you maintain the right to publish it elsewhere at
We are looking for high-quality tutorials on LDAP and related subjects,
at any level from introductory to advanced. Tutorial length can range from an
hour to a full day. Wireless Internet access will be available if required.
The purpose of the tutorials is focussed education, so they should cover
established topics and best practice rather than presenting new work.
Tutorials will be on Wednesday 11th November 2015.
The Programme Committee has an open mind about the format of the tutorial
day, but has a limited number of rooms available. Make your proposal early
and we will aim to build an attractive programme for the day.
Speakers get free access to the conference, including the social event.
If requested in advance we will provide accommodation for speakers.
Travel expenses might also be covered in special cases.
If you need this, please contact us early so we can try to arrange it.
General enquiries: enquiries(a)lists.ldapcon.org
Paper/Tutorial submissions: submissions2015(a)lists.ldapcon.org
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
thank you for your interest. I was mistakenly sure of the field's availability.
I would have liked to use the "etime" field to monitor OpenLDAP dependability through my SIEM platform, by identifying long lasting operations.
Could you please give me some pointers about monitoring "operations completed" or any other useful parameter?
Date: 21-apr-2015 8.28
To: <openldap-technical(a)openldap.org>, <fabymoscarella(a)virgilio.it>, "Quanah Gibson-Mount"<quanah(a)zimbra.com>
Subject: Antw: Re: Elapsed Time logging
If it's enough to know the average, he could monitor "operations completed" and divide those by elapsed time...
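Added example, not part of the original thread: one way to turn the "operations completed" counters suggested above into SIEM-ready numbers, by parsing two snapshots of the cn=operations,cn=monitor subtree and dividing the difference by the elapsed time. The snapshot contents, counter values and function names are constructed for illustration; only the monitorOpInitiated and monitorOpCompleted attributes come from the monitor backend.

```python
import re

# Constructed sample input: LDIF as printed by
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=operations,cn=monitor' \
#       -s sub '(objectClass=*)' monitorOpInitiated monitorOpCompleted
# taken twice, 60 seconds apart. Counter values are made up.
SNAP_T0 = """dn: cn=Bind,cn=Operations,cn=Monitor
monitorOpInitiated: 1200
monitorOpCompleted: 1200

dn: cn=Search,cn=Operations,cn=Monitor
monitorOpInitiated: 50011
monitorOpCompleted: 50010
"""
SNAP_T1 = """dn: cn=Bind,cn=Operations,cn=Monitor
monitorOpInitiated: 1260
monitorOpCompleted: 1260

dn: cn=Search,cn=Operations,cn=
 Monitor
monitorOpInitiated: 50640
monitorOpCompleted: 50610
"""

def parse_monitor(ldif):
    """Return {operation: (initiated, completed)} from cn=Operations LDIF."""
    ldif = re.sub(r"\n ", "", ldif)  # undo LDIF line folding
    ops = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        m = re.match(r"cn=([^,]+),cn=Operations,", attrs.get("dn", ""), re.I)
        if m and "monitorOpCompleted" in attrs:
            ops[m.group(1)] = (int(attrs["monitorOpInitiated"]),
                               int(attrs["monitorOpCompleted"]))
    return ops

def op_stats(prev, cur, interval_s):
    """Per operation: completed/second over the interval and ops still running."""
    out = {}
    for op, (init, done) in cur.items():
        delta = done - prev.get(op, (0, 0))[1]
        # A negative delta means slapd restarted and the counters reset.
        rate = None if delta < 0 else delta / interval_s
        out[op] = {"per_sec": rate, "in_flight": init - done}
    return out

def report():
    return op_stats(parse_monitor(SNAP_T0), parse_monitor(SNAP_T1), 60)
```

An in_flight value that stays high across samples points at operations that are not finishing; the Search counter usually reads at least 1 because the monitoring query itself is still running when the entry is returned.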
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
char *secprops = "minssf=0,maxssf=0";
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Result code: -2
I am used to this with Java's SASL client where I can set SASL QOP with auth, auth-int, auth-conf.
Is that not possible with OpenLDAP along with CyrusSASL?
For what it is worth, I am on FreeBSD 9.3 with latest OpenLDAP and CyrusSASL from the ports tree.
My name is Fabiano and I'm an Italian IT Security professional involved in an IAM project which comprises several OpenLDAP instances.
I'm using OpenLDAP 2.4.40 on an x86_64 Red Hat Enterprise Linux Server release 6.5 and my target is logging LDAP operations elapsed time. I configured logging through RSyslog but I can't see an "etime" field in my logfiles; below is a sample log row:
Apr 20 17:46:56 hostname slapd: conn=1019 op=0 RESULT tag=97 err=0 text=
I'm not using OLC and tried without specifying a "loglevel" parameter in my slapd.conf (default should be 256, shouldn't it?) and later with several "loglevel" values, but no "etime" field appeared.
Could you please help and tell me what I am doing wrong?
Thank you in advance,
I set policy for user as following
# default, policies, abc.com
My question is how to check user lock status. Another question is that
pwdMustChange doesn't work in Linux client when user first logs in.
"An object or alias entry is characterized by precisely one
structural object class superclass chain which has a single
structural object class as the most subordinate object class.
This structural object class is referred to as the structural
object class of the entry."
There's a bit of ambiguity with this
"which has a single structural object class as the most subordinate
What do you mean by 'most subordinate'? Is it that there must be no
parallel entries at the same level in the hierarchy?
According to RFC 4512
An entry can belong to any subset of the set of auxiliary object
classes allowed by the DIT content rule associated with the
structural object class of the entry.
From what I understand, this means auxiliary classes do not 'augment';
the no. of attributes which are possible in an entry must be a subset of
the structural object class the entry belongs to.
As we store a lot of information in our LDAP server, we are looking to
simplify and optimize our LDAP structure.
Actually we have plenty of OUs (like people and vpn shown hereunder) and a lot
of fields are duplicated (same fields with same content in different OUs).
As this is not optimum and makes us push any change for a user into all
concerned OUs, we would like to use aliasing to avoid duplicating entries:
This is an example of what a user would look like:
givenName: Frank Moses
This is an example of what is to be found in the vpn account of the same
user (we have home made schemas, so there are some special attributes):
As you can see fields cn, sn, mail are the same in both... We would like to
change this to make our LDAP more dynamic.
Therefore, we changed the vpn account to:
But when requesting the server with ldapsearch it seems not to work, or
maybe we are just missing something...!
For example when requesting the cn of the vpn user we would like to have
the cn field in the "uid=1,ou=people,dc=red,dc=com" account.
ldapsearch -W -D "cn=admin,dc=red,dc=com" -x -b
# extended LDIF
# base <uid=1,ou=vpn,dc=red,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: cn
# 1, vpn, red.com
# search result
result: 0 Success
# numResponses: 2
# numEntries: 1
But no "cn" value returned...
What are we doing wrong?
--On Thursday, April 16, 2015 8:59 PM +0000 Greg Jetter <gjetter(a)gci.com>
> I'm running an openldap setup with one provider and 3 consumers, I am
> seeing intermittent problems of replication not happening "Until" the
> consumers are restarted. This cures the problem. Replication starts up
> and continues for a while.
> The servers have very large amount of memory, 256 gigs.
> I configured the hdb backend 'DB_CONFIG', to have 4 gigs of cache,
> could this be causing the replication problem?
> What's the optional size that keeps openldap happy?