openldap-technical May 2015

openldap-technical@openldap.org

47 participants
42 discussions

ppolicy and ACL question
by Harmandeep Kaur 13 May '15

13 May '15

Hello folks, I have a quick query, I'm using openldap with ppolicy. I'm using following ACL just to test things right, I came across the issue, for which I'm unable to find appropriate answers: ACL used: --- access to * by * manage --- 1. How to restrict ldappasswd command to clear the pwdReset flag to user's entry ? 2. Can some other users (member of group) can work rootdn (bypass ppolicy like rootdn but it should apply to their account itself) ? 3. Other question is about ACL is "What's the difference between ACL "write" and "manage" access" write =wrscdx needed to modify/rename manage =mwrscdx needed to manage I'm not able to determine what access "manage" gives over and above "write" access. I didn't find much info at openldap.org access-control section. Thank you. Regards,

2 1

Subject: Re: Fast key range iteration
by James Rouzier 13 May '15

13 May '15

Here is a faster to do way to do what you want. Just get the last key of your range and while iterating compare the data pointer of the last key to see if you reach the end instead of the it's content. As long as you are in the same transaction the data pointer of the last key should never change. (Someone correct me if I am wrong). Here is a quick example of what I mean. MDB_cursor *cursor; MDB_val first_key, key, data; MDB_val last_key1, last_key2, last_data; int rc; //Get the last key rc = mdb_cursor_get (cursor, &last_key1, &last_data, MDB_SET_RANGE); //If the current position is not equal move back one spot if (rc == MDB_SUCCESS && mdb_cmp (mdb_cursor_txn (cursor), mdb_cursor_dbi (cursor), &last_key1, &last_key2)) { rc = mdb_cursor_get (cursor, &last_key1, &last_data, MDB_PREV); } //This means that nothing is equal or greater than the last key or the last key is at the first position if (rc) { last_data.mv_data = NULL; } //Get the first key rc = mdb_cursor_get (cursor, &first_key, &data, MDB_SET_RANGE); if(rc == MDB_SUCCESS) { do { } while (mdb_cursor_get (cursor, &key, &data, MDB_NEXT) == MDB_SUCCESS && data.mv_data != last_data.mv_data); } > Hi all! > Is there a way to iterate with all key-value pairs in LMDB database, where all keys is in specified range? > I'm trying to use mdb_cursor_get() with MDB_SET_RANGE to search first pair. > Then I see only one way - use mdb_cursor_get() with MDB_NEXT and compare key by memcmp(). > But it seems absolutely not effective. > > Is there another solution for my task? > > Thanks!

3 3

Re: insert utf-8 data with c api (solved)
by yvan vander sanden 13 May '15

13 May '15

Just found out what was wrong. The code was also propagating the displayName value to gecos. We used gecos as an extra copy of displayName because of one client application which only did work with gecos. The error wasn't noticed before because now for the first time we had a user with an umlaut in his name. We could just remove gecos from the directory altogether because the program in question isn't in use any more. But isn't a gecos value supposed to hold a full name? It being unable to hold an utf8 value seems somehow wrong, no? Regards, yvan -- ==- yvan vander sanden -== * composer, programmer * >>> http://mutecode.com -* MUTE software development* >>> http://attr-x.net - *online interactive soundscape* >>> http://code.google.com/p/yse-soundengine/ - *advanced 3D sound engine* >>> http://youngmusic.org - *personal website* >>> http://www.matrix-new-music.be/componist/vander-sanden-yvan-1972 - *bio @ matrix* <http://youngmusic.org>

2 1

MMR (delta-syncrepl): CPU at 100% after replication
by Liam Gretton 12 May '15

12 May '15

I'm building a new setup with the latest OpenLDAP built from source, using mdb, MMR delta-syncrepl over TLS. I'm using very recent sources, I have two hosts and I'm finding that once the secondary host has synchronised with the first (this takes about 10 minutes for around 40000 entries), slapd on each of the peers remains at close to 100%. Replication is working though. The sync logs at this point on the first system in the set (where the original data was slapadded) is showing the following entries endlessly: 554fbe2c do_syncrep2: rid=002 CSN too old, ignoring 20131221210532.737643Z#000000#001#000000 (reqStart=20150509214300.000163Z,cn=log) contextCSN on both systems looks good. ldap1 is serverID 1, rid 1; ldap2 is serverID 2, rid 2. I guess the SID 0 comes from the original data that was imported into ldap1. # ldap1search -s base contextCSN dn: dc=example,dc=com contextCSN: 20150511090001.208713Z#000000#000#000000 contextCSN: 20150511091334.137305Z#000000#001#000000 # ldap2search -s base contextCSN dn: dc=example,dc=com contextCSN: 20150511090001.208713Z#000000#000#000000 contextCSN: 20150511091334.137305Z#000000#001#000000 On ldap2 the stats log shows very many corresponding searches of the log DB: 5550763e conn=1000 op=11653 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" 5550763e conn=1000 op=11653 SRCH attr=* + 5550763e conn=1000 op=11653 SEARCH RESULT tag=101 err=0 nentries=0 text= 5550763e conn=1000 op=11654 SRCH base="cn=log" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))" 5550763e conn=1000 op=11654 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN 5550763e conn=1000 op=11655 ABANDON msg=11655 Both systems have the host name specified in the -h option to slapd. Clocks are synchronised, DNS is working etc. I can't get to the bottom of this at all. No doubt I've made an error in my MMR config. Does anyone have a clue as to why this could be happening? I'd be very grateful for any ideas. Here's (most of) the slapd.conf file, which is identical on both. I must admit I'm not sure whether the serverID settings are global or per-database. Moving them into the mdb section doesn't change the behaviour though. # Server IDs for replication serverID 1 ldap://ldap1 serverID 2 ldap://ldap2 ############################################################# # # Access log database configuration # # This is also used for delta-syncrepl replication # # See slapd-accesslog(5) for details # ############################################################# database mdb maxsize 209715200 suffix cn=log directory /db/ldap/accesslog rootdn cn=log rootpw secret index entryCSN eq index objectClass eq index reqEnd eq index reqResult eq index reqStart eq overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE limits dn.exact="cn=replication,ou=special users,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited # Replication user can read (not write) everything access to * by dn.exact="cn=replication,ou=special users,dc=example,dc=com" read by * none break ############################################################# # # Database configuration # # see slapd-mdb(5) for details # ############################################################# database mdb monitoring on suffix dc=example,dc=com directory /db/ldap/example rootdn "cn=administrator,ou=special users,dc=example,dc=com" maxsize 209715200 # Default password hashing scheme password-hash {SSHA} # memberOf overlay provides reverse-lookups of group membership overlay memberof # sssvlv overlay provides server-side sorting # Used mainly to allow easy sorting of uidNumber/gidNumber values overlay sssvlv sssvlv-max 4 sssvlv-maxkeys 5 sssvlv-maxperconn 4 # unique overlay provides attribute uniqueness # We use this to enforce unique uidNumber/gidNumber values overlay unique unique_uri ldap:///ou=people,dc=example,dc=com?uidNumber?one? unique_uri ldap:///ou=group,dc=example,dc=com?gidNumber?one? ### CONSUMER configuration syncrepl rid=1 provider=ldap://ldap1 type=refreshAndPersist bindmethod=simple binddn="cn=replication,ou=special users,dc=example,dc=com" credentials=password syncdata=accesslog interval=00:00:00:10 retry="20 10 60 10 120 +" timeout=1 logbase="cn=log" searchbase="dc=example,dc=com" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" sizelimit=unlimited timelimit=unlimited schemachecking=on starttls=yes syncrepl rid=2 provider=ldap://ldap2 type=refreshAndPersist bindmethod=simple binddn="cn=replication,ou=special users,dc=example,dc=com" credentials=password syncdata=accesslog interval=00:00:00:10 retry="20 10 60 10 120 +" timeout=2 logbase="cn=log" searchbase="dc=example,dc=com" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" sizelimit=unlimited timelimit=unlimited schemachecking=on starttls=yes ### PROVIDER configuration overlay syncprov syncprov-checkpoint 5 5 syncprov-sessionlog 50 mirrormode on # Access log - used for delta-syncrepl too overlay accesslog logdb cn=log logops writes logold (objectClass=*) logsuccess TRUE logpurge 28+00:00 1+00:00 # Allow unlimited access for replication user limits dn.exact="cn=replication,ou=special users,dc=example,dc=com" size=unlimited time=unlimited -- Liam Gretton liam.gretton(a)le.ac.uk Systems Specialist http://www.le.ac.uk/its/ IT Services Tel: +44 (0)116 2522254 University Of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

2 4

TLS failing?
by Albert Braden 11 May '15

11 May '15

I'm setting up new LDAP servers with replication, and I configured TLS, but I see this in my log: May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128 May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0 Does this mean that TLS is failing and it is falling back to ssf=0? I think my master is configured to not allow unencrypted connections: disallow bind_anon require bind security simple_bind=128 Albert Braden About.com Systems Operations 1500 Broadway 6th Floor New York, NY 10036 desk: 212-204-1448 | mobile: 917-480-1090 aim:albertatabout

2 4

Initial Replication is not working
by Gokulnath Arjunan 11 May '15

11 May '15

Hi, I have setup replication on openldap. Ldap startup is fine but I am not seeing it is getting replicated. Find the logs below. Please advice what needs to be changed. Master log: May 10 00:02:00 ldap slapd[12811]: conn=1031 fd=17 ACCEPT from IP=<IP>:49249 (IP=0.0.0.0:389) May 10 00:02:00 ldap slapd[12811]: conn=1031 op=0 BIND dn="cn=admin,dc=******,dc=com" method=128 May 10 00:02:00 ldap slapd[12811]: conn=1031 op=0 BIND dn="cn=admin,dc=******,dc=com" mech=SIMPLE ssf=0 May 10 00:02:00 ldap slapd[12811]: conn=1031 op=0 RESULT tag=97 err=0 text= May 10 00:02:00 ldap slapd[12811]: conn=1031 op=1 SRCH base="dc=*******,dc=com" scope=2 deref=0 filter="(objectClass=*)" May 10 00:02:00 ldap slapd[12811]: conn=1031 op=1 SRCH attr=* + May 10 00:02:00 ldap slapd[12811]: send_search_entry: conn 1031 ber write failed. May 10 00:02:00 ldap slapd[12811]: conn=1031 fd=17 closed (connection lost on write) May 10 00:02:45 ldap slapd[12811]: do_syncrep2: rid=002 LDAP_RES_SEARCH_RESULT (32) No such object May 10 00:02:45 ldap slapd[12811]: do_syncrep2: rid=002 (32) No such object May 10 00:02:45 ldap slapd[12811]: do_syncrepl: rid=002 rc -2 retrying Slave Log: May 10 00:02:00 TGAPPSRV07 slapd[40811]: findbase failed! 32 May 10 00:02:00 TGAPPSRV07 slapd[40811]: conn=1031 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrep2: rid=002 LDAP_RES_SEARCH_RESULT (32) No such object May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrep2: rid=002 (32) No such object May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrepl: rid=002 rc -2 retrying May 10 00:02:00 TGAPPSRV07 slapd[40811]: conn=1031 op=2 UNBIND May 10 00:02:00 TGAPPSRV07 slapd[40811]: conn=1031 fd=20 closed May 10 00:02:00 TGAPPSRV07 slapd[40811]: syncrepl_message_to_entry: rid=001 mods check (objectClass: value #2 invalid per syntax) May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrepl: rid=001 rc 21 retrying Thanks Gokul

2 1

insert utf-8 data with c api
by yvan vander sanden 09 May '15

09 May '15

Hello. I have trouble inserting data in openldap when it contains utf8 characters. My code works as long as only ascii characters are present, but when a name has an accent or umlaut in it, the modify operation fails with an operations error. Even reading a string with such a character from an existing entry and pushing the same string back to ldap with ldap_modify_ext_s gives me this error. And while debugging I can see that the string in question really contains the correct uft8 values. Are there perhaps any options that have to be enabled? The only one I am using now is: int version = LDAP_VERSION3; ldap_set_option(_server, LDAP_OPT_PROTOCOL_VERSION, &version); Regards, yvan vander sanden -- ==- yvan vander sanden -== * composer, programmer * >>> http://mutecode.com -* MUTE software development* >>> http://attr-x.net - *online interactive soundscape* >>> http://code.google.com/p/yse-soundengine/ - *advanced 3D sound engine* >>> http://youngmusic.org - *personal website* >>> http://www.matrix-new-music.be/componist/vander-sanden-yvan-1972 - *bio @ matrix* <http://youngmusic.org>

1 0

Data is not getting replicated correctly in multimaster configuration
by Gurjot Kaur 08 May '15

08 May '15

Hi, I have configured two instances of LDAP in multimaster mode. I am creating 100 members and wait for 5 seconds and then deleting those 100 members. In case of creation the data is getting replicated correctly. But in deletion, all the 100 members are getting deleted from primary, but not from secondary server. As a result the data is inconsistent in both the instances. Please give any suggestion. Thanks and Regards, Gurjot Kaur Sofware Engineer gurjot.kaur(a)aricent.com [http://static.johnmcneilstudio.com/aricent/email_signature/aricent-footer-e…] "DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."

5 13

large write amplification
by Shu, Xinxin 07 May '15

07 May '15

Hi list, Recently I run micro tests on LMDB on DC3700 (200GB), I use bench code https://github.com/hyc/leveldb/tree/benches , I tested fillrandsync mode and collected iostat data, found that write amplification is large For fillrandsync case: IOPS : 1020 ops/sec Iostat data shows that w/s on that SSD is 8093, and avgqu-sz is ~ 1, await time is about 0.16 ms, so the write amplification is ~8, which is large to me, can someone help explain why write amplification is so large? thanks Cheers, xinxin

3 7

olcAuthzRegexp not matching
by Brendan Kearney 06 May '15

06 May '15

i am trying to get kerberos id <--> ldap object mapping down for dovecot, and seem to have hit a wall. i have the kerberos service principal created and a keytab populated. i can successfully kinit using the keytab and get a TGT for the imap/test.bpk2.com(a)BPK2.COM id. when i run ldapwhoami i get: SASL/GSSAPI authentication started SASL username: imap/test.bpk2.com(a)BPK2.COM SASL SSF: 56 SASL data security layer installed. dn:uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com the olcAuthzRegexp i am trying to use is not matching and the mapping falls through to the regular user mappings. i have tried all the permutations i can thing of in the RegEx, but cannot get the match to occur. as a reference, i looked at the matching i do for the computer accounts, and there is nothing obviously wrong. olcAuthzRegexp attempts: {2}uid=imap\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com {2}uid=imap\/(.*),cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com {2}uid=imap\/(.*),cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com {2}uid=imap\/(.*),cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com klist output: Ticket cache: KEYRING:persistent:0:0 Default principal: imap/test.bpk2.com(a)BPK2.COM Valid starting Expires Service principal 05/06/2015 11:42:08 05/07/2015 11:40:16 ldap/server2.bpk2.com(a)BPK2.COM renew until 05/13/2015 11:40:16 05/06/2015 11:40:16 05/07/2015 11:40:16 ldap/server1.bpk2.com(a)BPK2.COM renew until 05/13/2015 11:40:16 05/06/2015 11:40:16 05/07/2015 11:40:16 krbtgt/BPK2.COM(a)BPK2.COM renew until 05/13/2015 11:40:16 how do i find what i am doing wrong? note the below olcAuthzRegexp works to map hosts to computer accounts: {0}uid=host\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth cn=$1,ou=Computers,dc=bpk2,dc=com thanks, brendan

3 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2015