Re: R: Antw: Re: Elapsed Time logging
by Quanah Gibson-Mount
--On Tuesday, April 21, 2015 1:16 PM +0200 Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>>>> "fabymoscarella(a)virgilio.it" <fabymoscarella(a)virgilio.it> wrote on
>>>> 21.04.2015
> at 11:23 in message <14cdb4a4678.fabymoscarella(a)virgilio.it>:
>> Hi,
>> thank you for your interest. I was mistakenly sure of the field's
>> availability.
>>
>> I would have liked to use the "etime" field to monitor OpenLDAP
>> dependability through my SIEM platform, by identifying long lasting
>> operations.
>> Could you please give me some pointers about monitoring "operations
>> completed" or any other useful parameter?
>
># if you configured monitoring...
># just querying "search" operations here...
> e.g. ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=operations,cn=monitor' -s sub '(cn=Search)' monitorOpCompleted
As Ulrich notes, simply enable the monitoring backend. I suggest reading
up on the slapd-monitor(5) man page. Btw, I've patched my openldap build
with the ITS noted, and it's working just fine, although the term is
"duration" not "etime".
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
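As an added illustration (not code from the thread or from the OpenLDAP project), the Python below parses two ldapsearch snapshots of cn=Operations,cn=Monitor taken 60 seconds apart and turns monitorOpCompleted into the per-second rate Ulrich describes; it also reports monitorOpInitiated minus monitorOpCompleted, the number of operations still in flight, which is the figure to watch for long-running operations. Both LDIF samples are constructed.

```python
# Added example (not from the thread): per-operation throughput and in-flight
# counts from two ldapsearch snapshots of cn=Operations,cn=Monitor, 60 s apart.
# Both LDIF samples below are constructed, not captured from a real server.
SNAP_T0 = """\
dn: cn=Bind,cn=Operations,cn=Monitor
monitorOpInitiated: 100
monitorOpCompleted: 100

dn: cn=Search,cn=Operations,cn=Monitor
monitorOpInitiated: 250
monitorOpCompleted: 248
"""
SNAP_T60 = """\
dn: cn=Bind,cn=Operations,cn=Monitor
monitorOpInitiated: 160
monitorOpCompleted: 160

dn: cn=Search,cn=Operations,cn=Monitor
monitorOpInitiated: 850
monitorOpCompleted: 840
"""

def parse_monitor_ldif(text):
    """Return {op_name: (initiated, completed)}; ldapsearch's '#' comments,
    'search:'/'result:' trailer lines and blank lines are skipped."""
    counters, current = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = value.split(",")[0].split("=", 1)[1]  # cn=Search -> Search
            counters[current] = {}
        elif current and attr in ("monitorOpInitiated", "monitorOpCompleted"):
            counters[current][attr] = int(value)
    return {op: (c.get("monitorOpInitiated", 0), c.get("monitorOpCompleted", 0))
            for op, c in counters.items() if c}

def op_rates(earlier, later, interval_seconds):
    """Completed ops/s per operation type between the snapshots, plus the count
    still in flight at the later one (initiated - completed); a gap that keeps
    growing from sample to sample points at long-running or stuck operations."""
    rates = {}
    for op, (init_b, comp_b) in later.items():
        _, comp_a = earlier.get(op, (0, 0))
        rates[op] = {"completed_per_s": (comp_b - comp_a) / interval_seconds,
                     "in_flight": init_b - comp_b}
    return rates
```

Feed it the output of the ldapsearch Ulrich quoted, run against the whole cn=Operations subtree rather than just (cn=Search), once per sampling interval.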
LDAPCon 2015
by Andrew Findlay
LDAPCon 2015
============
**** Please note the new submissions address ****
The fifth International Conference on LDAP and Directory Services will be
held in the UK at the University of Edinburgh School of Informatics Forum.
Tutorials: 11th November 2015
Conference: 12th and 13th November 2015
Call for papers and tutorials
=============================
Topics
You are using LDAP in interesting projects?
You do LDAP client or server development?
You have used LDAP in a new way?
You do identity and access management on top of LDAP?
Why not share your ideas and experiences with others?
We are looking for speakers who are willing to talk about any topic
related to LDAP and identity management, including:
LDAP technology implementation (Servers, API, User interfaces etc.)
LDAP Usage (Schema, Security, Operations, Scaling, big data, etc.)
LDAP related technologies (PKI, XACML, SAML, etc.)
LDAP and Beyond (IAM, Identity Federation, Authentication on the web, etc.)
Best Practices for directory services.
Accepted talks will be grouped into tracks such as a
standards/development and deployment/administration.
Deadlines & Important Dates
Submission Deadline: 28th June
Author Notification: 10th July
Final Papers due: 10th October 2015
Tutorials: 11th November 2015
Conference: 12th-13th November 2015
Talk Submissions
Main presentations should last about 45 minutes including discussion;
we will also provide smaller slots of 15 minutes and 5 minutes for
poster presentations or lightning talks. Please tell us which duration
you prefer when proposing your talk. The talk must be in English.
The one and only way to submit your abstract (approximately 200-800 words,
accompanied by your biography of about 100-300 words) is via email to
submissions2015(a)lists.ldapcon.org. Abstracts must reach the Program Committee
by 28th June 2015. Early submission is encouraged. We already have several papers.
All abstracts will be reviewed by the program committee.
For accepted talks we expect you to submit slides and/or a paper
of approximately 2-10 pages (A4 or US Letter format, 25mm borders,
preferably LaTeX source or OpenOffice).
For 5-minute talks, a brief abstract is required. A short paper, slides or
a poster should be provided for accepted talks. We will provide display
boards for posters throughout the conference.
By submitting a paper you grant the conference organizers the
non-exclusive right to publish your paper in the conference proceedings
and on the website; you maintain the right to publish it elsewhere at
your discretion.
Tutorial Submissions
We are looking for high-quality tutorials on LDAP and related subjects,
at any level from introductory to advanced. Tutorial length can range from an
hour to a full day. Wireless Internet access will be available if required.
The purpose of the tutorials is focussed education, so they should cover
established topics and best practice rather than presenting new work.
Tutorials will be on Wednesday 11th November 2015.
The Programme Committee has an open mind about the format of the tutorial
day, but has a limited number of rooms available. Make your proposal early
and we will aim to build an attractive programme for the day.
Expenses
Speakers get free access to the conference, including the social event.
If requested in advance we will provide accommodation for speakers.
Travel expenses might also be covered in special cases.
If you need this, please contact us early so we can try to arrange it.
Website
http://ldapcon.org/2015/
Contacts
General enquiries: enquiries(a)lists.ldapcon.org
Paper/Tutorial submissions: submissions2015(a)lists.ldapcon.org
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
R: Antw: Re: Elapsed Time logging
by fabymoscarella@virgilio.it
Hi,
thank you for your interest. I was mistakenly sure of the field's availability.
I would have liked to use the "etime" field to monitor OpenLDAP dependability through my SIEM platform, by identifying long lasting operations.
Could you please give me some pointers about monitoring "operations completed" or any other useful parameter?
Regards,
Fabiano
----Original message----
From: Ulrich.Windl(a)rz.uni-regensburg.de
Date: 21-apr-2015 8.28
To: <openldap-technical(a)openldap.org>, <fabymoscarella(a)virgilio.it>, "Quanah Gibson-Mount"<quanah(a)zimbra.com>
Subject: Antw: Re: Elapsed Time logging
If it's enough to know the average, he could monitor "operations completed" and divide those by elapsed time...
How to disable SSF (integrity) on GSSAPI mech?
by Osipov, Michael
Hi folks,
I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
char *secprops = "minssf=0,maxssf=0";
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
with:
Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Result code: -2
I am used to this with Java's SASL client where I can set SASL QOP with auth, auth-int, auth-conf.
Is that not possible with OpenLDAP along with CyrusSASL?
For what it is worth, I am on FreeBSD 9.3 with latest OpenLDAP and CyrusSASL from the ports tree.
Regards,
Michael
Elapsed Time logging
by fabymoscarella@virgilio.it
Hi everyone,
my name is Fabiano and I'm an Italian IT Security professional involved in an IAM project which comprises several OpenLDAP instances.
I'm using OpenLDAP 2.4.40 on an x86_64 Red Hat Enterprise Linux Server release 6.5 and my target is logging LDAP operations' elapsed time. I configured logging through RSyslog but I can't see an "etime" field in my logfiles; below is a sample log row:
Apr 20 17:46:56 hostname slapd[9884]: conn=1019 op=0 RESULT tag=97 err=0 text=
I'm not using OLC and tried without specifying a "loglevel" parameter in my slapd.conf (default should be 256, shouldn't it?) and later with several "loglevel" values, but no "etime" field appeared.
Could you please help and tell me what I am doing wrong?
Thank you in advance,
Fabiano Moscarella
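The stats log line quoted above carries no elapsed-time field, so one way a SIEM can still derive a duration is to pair each operation's request line with its RESULT line by conn/op and subtract the syslog timestamps. This added example is not from the thread; the log lines are constructed in slapd's stats format around the RESULT line quoted in the post, and the hostname, DN and year are assumptions.

```python
import re
from datetime import datetime

# Added example (not from the thread): derive operation durations from slapd
# "stats" log lines by pairing each request line with its RESULT line.
# Constructed sample: the RESULT line mirrors the one quoted in the post, the
# BIND/SRCH lines are made up in the same format; hostname/year are assumptions.
SAMPLE_LOG = """\
Apr 20 17:46:55 hostname slapd[9884]: conn=1019 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Apr 20 17:46:56 hostname slapd[9884]: conn=1019 op=0 RESULT tag=97 err=0 text=
Apr 20 17:46:56 hostname slapd[9884]: conn=1019 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=*)"
Apr 20 17:47:03 hostname slapd[9884]: conn=1019 op=1 SEARCH RESULT tag=101 err=0 nentries=5000 text=
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
                     r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<msg>.*)$")
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT ")

def operation_durations(log_text, year=2015):
    """Return [(conn, op, kind, seconds)] for every operation whose RESULT
    line was seen. Syslog timestamps have one-second resolution, so these are
    coarse lower bounds, unlike a duration slapd itself could log."""
    pending, durations = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if RESULT_RE.match(m["msg"]):
            start = pending.pop(key, None)
            if start is not None:  # skip RESULTs whose request predates the log
                durations.append((key[0], key[1], start[1], (ts - start[0]).total_seconds()))
        else:
            # first line for an op wins (a BIND logs two lines before its RESULT)
            pending.setdefault(key, (ts, m["msg"].split(" ", 1)[0]))
    return durations

def slow_operations(log_text, threshold_seconds=5, year=2015):
    """Operations at or above the threshold, i.e. what a SIEM rule would flag."""
    return [d for d in operation_durations(log_text, year) if d[3] >= threshold_seconds]

if __name__ == "__main__":
    for conn, op, kind, secs in slow_operations(SAMPLE_LOG):
        print(f"conn={conn} op={op} {kind} took {secs:.0f}s")
```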
how to check user lock status
by rockwang
Hi, all
I set policy for user as following
# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
my question is how to check user lock status. Another question is that
pwdMustChange doesn't work on a Linux client when the user first logs in.
Rock.wang
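One way to check lock status against the policy in this post, as an added example that is not code from the thread: read the entry's operational attributes (ldapsearch returns them only when '+' or their names are requested) and evaluate pwdAccountLockedTime against pwdLockoutDuration 900. The entry below is constructed; the attribute names are the ppolicy overlay's.

```python
from datetime import datetime, timedelta, timezone

# Added example (not from the thread): evaluate a user's lock status from the
# ppolicy overlay's operational attributes against the posted policy values.
POLICY = {"pwdLockoutDuration": 900, "pwdMaxFailure": 5}  # values from the post
PERMANENT_LOCK = "000001010000Z"  # ppolicy sentinel: locked until an admin clears it

# Constructed entry: five failures, then the lockout ppolicy records.
SAMPLE_ENTRY = """\
dn: uid=rock,ou=people,dc=abc,dc=com
uid: rock
pwdFailureTime: 20150421090102Z
pwdFailureTime: 20150421090140Z
pwdFailureTime: 20150421090203Z
pwdFailureTime: 20150421090230Z
pwdFailureTime: 20150421090301Z
pwdAccountLockedTime: 20150421090301Z
"""

def parse_gtime(value):
    """GeneralizedTime as slapd writes it (YYYYmmddHHMMSS[.fff]Z) -> aware datetime."""
    return datetime.strptime(value.rstrip("Z").split(".")[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_ldif_entry(text):
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            k, _, v = line.partition(": ")
            attrs.setdefault(k, []).append(v)
    return attrs

def lock_status(entry, policy, now):
    """Return (locked, reason). pwdFailureTime values alone never lock; only
    pwdAccountLockedTime does, and it expires after pwdLockoutDuration seconds
    (a duration of 0 means it never expires)."""
    locked_at = entry.get("pwdAccountLockedTime", [None])[0]
    if locked_at == PERMANENT_LOCK:
        return True, "administratively locked"
    if locked_at:
        duration = policy["pwdLockoutDuration"]
        expires = parse_gtime(locked_at) + timedelta(seconds=duration)
        if duration == 0 or now < expires:
            return True, f"locked until {'reset' if duration == 0 else expires.isoformat()}"
        return False, "lockout expired"
    failures = len(entry.get("pwdFailureTime", []))
    return False, f"{failures}/{policy['pwdMaxFailure']} failures recorded"

def check_lock(entry_text, now_gtime, policy=POLICY):
    """Wrapper taking LDIF text and 'now' as GeneralizedTime."""
    return lock_status(parse_ldif_entry(entry_text), policy, parse_gtime(now_gtime))
```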
Structural object class rules
by dE
"An object or alias entry is characterized by precisely one
structural object class superclass chain which has a single
structural object class as the most subordinate object class.
This structural object class is referred to as the structural
object class of the entry."
There's a bit of ambiguity with this
"which has a single structural object class as the most subordinate
object class"
What do you mean by 'most subordinate'? Is it that there must be no
parallel entries at the same level in the hierarchy?
Auxiliary object class practically of no use?
by dE
According to RFC 4512
An entry can belong to any subset of the set of auxiliary object
classes allowed by the DIT content rule associated with the
structural object class of the entry.
From what I understand, this means auxiliary classes do not 'augment';
the no. of attributes which are possible in an entry must be a subset of
the structural object class the entry belongs to.
Help: LDAP using alias to reference value of another attribute
by Poul Etto
Hi,
As we store a lot of information in our LDAP server, we are looking to
simplify and optimize our LDAP structure.
Actually we have plenty of OUs (like people and vpn shown hereunder) and a lot
of fields are duplicated (same fields with same content in different OUs).
As this is not optimal and makes us push any change for a user into all
concerned OUs, we would like to use aliasing to avoid duplicating entries:
This is an example of what a user would look like:
dn: uid=1,ou=people,dc=red,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: extensibleObject
cn: Frank
sn: Moses
givenName: Frank Moses
mail: frank.moses(a)red.com
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid: 1
This is an example of what is to be found in the vpn account of the same
user (we have home made schemas, so there are some special attributes):
dn: uid=1,ou=vpn,dc=red,dc=com
objectClass: top
objectClass: openvpn
objectClass: extensibleObject
uid: 1
cn: Frank
sn: Moses
userUid: 1
vpnEnabled: TRUE
mail: frank.moses(a)red.com
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
As you can see fields cn, sn, mail are the same in both... We would like to
change this to make our LDAP more dynamic.
Therefore, we changed the vpn account to:
dn: uid=1,ou=vpn,dc=red,dc=com
objectClass: top
objectClass: openvpn
objectClass: extensibleObject
objectClass: alias
uid: 1
aliasedObjectName: uid=1,ou=people,dc=red,dc=com
userUid: 1
vpnEnabled: TRUE
But when requesting the server with ldapsearch it seems not to work, or
maybe we are just missing something...!
For example when requesting the cn of the vpn user we would like to have
the cn field in the "uid=1,ou=people,dc=red,dc=com" account.
Our search:
ldapsearch -W -D "cn=admin,dc=red,dc=com" -x -b
'uid=1,ou=vpn,dc=red,dc=com' cn
Gives:
# extended LDIF
#
# LDAPv3
# base <uid=1,ou=vpn,dc=red,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: cn
#
# 1, vpn, red.com
dn: uid=1,ou=vpn,dc=red,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But no "cn" value returned...
What are we doing wrong?
Thank you,
Best regards,
ZP
Re: catch size and performance
by Quanah Gibson-Mount
--On Thursday, April 16, 2015 8:59 PM +0000 Greg Jetter <gjetter(a)gci.com>
wrote:
> Hello:
>
> I'm running an openldap setup with one provider and 3 consumers. I am
> seeing intermittent problems of replication not happening "until" the
> consumers are restarted. This cures the problem: replication starts up
> and continues for a while.
>
> The servers have very large amount of memory , 256 gigs ..
>
> I configured the hdb backend 'DB_CONFIG' to have 4 gigs of cache;
> could this be causing the replication problem?
>
> What's the optimal size that keeps openldap happy?
OpenLDAP version?
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration