ppolicy and ACL question
by Harmandeep Kaur
Hello folks,
I have a quick query. I'm using OpenLDAP with ppolicy. I'm using the following
ACL just to test things, and I came across an issue for which I'm
unable to find appropriate answers:
ACL used:
---
access to * by * manage
---
1. How can I restrict the ldappasswd command from clearing the pwdReset flag
on a user's entry?
2. Can some other users (members of a group) work like the rootdn (bypass ppolicy
like the rootdn, but only for their own account)?
3. The other question is about ACLs: what's the difference between ACL
"write" and "manage" access?
write = wrscdx, needed to modify/rename
manage = mwrscdx, needed to manage
I'm not able to determine what access "manage" gives over and above "write"
access.
I didn't find much info at openldap.org access-control section.
Thank you.
Regards,
8 years, 7 months
Subject: Re: Fast key range iteration
by James Rouzier
Here is a faster way to do what you want.
Just get the last key of your range and, while iterating, compare the data
pointer of the last key to see if you have reached the end, instead of
comparing its content.
As long as you are in the same transaction the data pointer of the last key
should never change. (Someone correct me if I am wrong.)
Here is a quick example of what I mean.
// Assumes `cursor` is already open on the DB inside a read transaction and
// that `range_start`/`range_end` hold the inclusive bounds of the range.
MDB_cursor *cursor;
MDB_val range_start, range_end;
MDB_val first_key, key, data;
MDB_val last_key1, last_key2, last_data;
int rc;
// Get the last key: MDB_SET_RANGE lands on the first key >= range_end and
// overwrites last_key1 with the key it found, so keep a copy to compare with
last_key1 = range_end;
last_key2 = range_end;
rc = mdb_cursor_get (cursor, &last_key1, &last_data, MDB_SET_RANGE);
//If the key found is not equal to range_end it lies past the range: move back one spot
if (rc == MDB_SUCCESS && mdb_cmp (mdb_cursor_txn (cursor), mdb_cursor_dbi
(cursor), &last_key1, &last_key2) != 0) {
rc = mdb_cursor_get (cursor, &last_key1, &last_data, MDB_PREV);
}
//This means that nothing is equal or greater than the last key (so iterate to
//the end of the DB) or the last key is at the first position
if (rc) {
last_data.mv_data = NULL;
}
//Get the first key
first_key = range_start;
rc = mdb_cursor_get (cursor, &first_key, &data, MDB_SET_RANGE);
//Stop early if even the first key found is beyond range_end (empty range)
if (rc == MDB_SUCCESS && mdb_cmp (mdb_cursor_txn (cursor), mdb_cursor_dbi
(cursor), &first_key, &last_key2) > 0) {
rc = MDB_NOTFOUND;
}
if (rc == MDB_SUCCESS) {
key = first_key;
do {
// use key/data here
} while (data.mv_data != last_data.mv_data
&& mdb_cursor_get (cursor, &key, &data, MDB_NEXT) == MDB_SUCCESS);
}
> Hi all!
> Is there a way to iterate over all key-value pairs in an LMDB database
> where all keys are in a specified range?
> I'm trying to use mdb_cursor_get() with MDB_SET_RANGE to find the first
> pair.
> Then I see only one way: use mdb_cursor_get() with MDB_NEXT and compare
> the key with memcmp().
> But it seems absolutely not efficient.
>
> Is there another solution for my task?
>
> Thanks!
8 years, 7 months
MMR (delta-syncrepl): CPU at 100% after replication
by Liam Gretton
I'm building a new setup with the latest OpenLDAP built from source, using mdb and MMR delta-syncrepl over TLS. I'm using very recent sources.
I have two hosts and I'm finding that once the secondary host has synchronised with the first (this takes about 10 minutes for around 40000 entries), slapd on each of the peers remains at close to 100% CPU. Replication is working though.
The sync log at this point on the first system in the set (where the original data was slapadded) shows the following entry endlessly:
554fbe2c do_syncrep2: rid=002 CSN too old, ignoring 20131221210532.737643Z#000000#001#000000 (reqStart=20150509214300.000163Z,cn=log)
contextCSN on both systems looks good. ldap1 is serverID 1, rid 1; ldap2 is serverID 2, rid 2. I guess the SID 0 comes from the original data that was imported into ldap1.
# ldap1search -s base contextCSN
dn: dc=example,dc=com
contextCSN: 20150511090001.208713Z#000000#000#000000
contextCSN: 20150511091334.137305Z#000000#001#000000
# ldap2search -s base contextCSN
dn: dc=example,dc=com
contextCSN: 20150511090001.208713Z#000000#000#000000
contextCSN: 20150511091334.137305Z#000000#001#000000
On ldap2 the stats log shows very many corresponding searches of the log DB:
5550763e conn=1000 op=11653 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
5550763e conn=1000 op=11653 SRCH attr=* +
5550763e conn=1000 op=11653 SEARCH RESULT tag=101 err=0 nentries=0 text=
5550763e conn=1000 op=11654 SRCH base="cn=log" scope=2 deref=0 filter="(&(objectClass=auditWriteObject)(reqResult=0))"
5550763e conn=1000 op=11654 SRCH attr=reqDN reqType reqMod reqNewRDN reqDeleteOldRDN reqNewSuperior entryCSN
5550763e conn=1000 op=11655 ABANDON msg=11655
Both systems have the host name specified in the -h option to slapd. Clocks are synchronised, DNS is working etc.
I can't get to the bottom of this at all. No doubt I've made an error in my MMR config. Does anyone have a clue as to why this could be happening? I'd be very grateful for any ideas.
Here's (most of) the slapd.conf file, which is identical on both. I must admit I'm not sure whether the serverID settings are global or per-database. Moving them into the mdb section doesn't change the behaviour though.
# Server IDs for replication
serverID 1 ldap://ldap1
serverID 2 ldap://ldap2
#############################################################
#
# Access log database configuration
#
# This is also used for delta-syncrepl replication
#
# See slapd-accesslog(5) for details
#
#############################################################
database mdb
maxsize 209715200
suffix cn=log
directory /db/ldap/accesslog
rootdn cn=log
rootpw secret
index entryCSN eq
index objectClass eq
index reqEnd eq
index reqResult eq
index reqStart eq
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
limits dn.exact="cn=replication,ou=special users,dc=example,dc=com"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
# Replication user can read (not write) everything
access to *
by dn.exact="cn=replication,ou=special users,dc=example,dc=com" read
by * none break
#############################################################
#
# Database configuration
#
# see slapd-mdb(5) for details
#
#############################################################
database mdb
monitoring on
suffix dc=example,dc=com
directory /db/ldap/example
rootdn "cn=administrator,ou=special users,dc=example,dc=com"
maxsize 209715200
# Default password hashing scheme
password-hash {SSHA}
# memberOf overlay provides reverse-lookups of group membership
overlay memberof
# sssvlv overlay provides server-side sorting
# Used mainly to allow easy sorting of uidNumber/gidNumber values
overlay sssvlv
sssvlv-max 4
sssvlv-maxkeys 5
sssvlv-maxperconn 4
# unique overlay provides attribute uniqueness
# We use this to enforce unique uidNumber/gidNumber values
overlay unique
unique_uri ldap:///ou=people,dc=example,dc=com?uidNumber?one?
unique_uri ldap:///ou=group,dc=example,dc=com?gidNumber?one?
### CONSUMER configuration
syncrepl
rid=1
provider=ldap://ldap1
type=refreshAndPersist
bindmethod=simple
binddn="cn=replication,ou=special users,dc=example,dc=com"
credentials=password
syncdata=accesslog
interval=00:00:00:10
retry="20 10 60 10 120 +"
timeout=1
logbase="cn=log"
searchbase="dc=example,dc=com"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
sizelimit=unlimited
timelimit=unlimited
schemachecking=on
starttls=yes
syncrepl
rid=2
provider=ldap://ldap2
type=refreshAndPersist
bindmethod=simple
binddn="cn=replication,ou=special users,dc=example,dc=com"
credentials=password
syncdata=accesslog
interval=00:00:00:10
retry="20 10 60 10 120 +"
timeout=2
logbase="cn=log"
searchbase="dc=example,dc=com"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
sizelimit=unlimited
timelimit=unlimited
schemachecking=on
starttls=yes
### PROVIDER configuration
overlay syncprov
syncprov-checkpoint 5 5
syncprov-sessionlog 50
mirrormode on
# Access log - used for delta-syncrepl too
overlay accesslog
logdb cn=log
logops writes
logold (objectClass=*)
logsuccess TRUE
logpurge 28+00:00 1+00:00
# Allow unlimited access for replication user
limits
dn.exact="cn=replication,ou=special users,dc=example,dc=com"
size=unlimited
time=unlimited
--
Liam Gretton liam.gretton(a)le.ac.uk
Systems Specialist http://www.le.ac.uk/its/
IT Services Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
8 years, 7 months
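Added example (not from the post or from OpenLDAP): it parses the CSNs in the "CSN too old" log line and the contextCSN values quoted above and checks, per serverID, whether the ignored CSN is older than the contextCSN the consumer already holds for that SID, which is the comparison that makes syncrepl skip a replayed accesslog entry. It assumes the fixed-width CSN layout; the LDIF and log samples are constructed from the post's values.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# CSN layout: <UTC time>.<usec>Z#<count>#<sid>#<mod>; fixed width, so field order is chronological
CSN_RE = re.compile(r"(\d{14}\.\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})")
TOO_OLD_RE = re.compile(r"do_syncrep2: rid=(\d+) CSN too old, ignoring (\S+)")

@dataclass(frozen=True, order=True)
class CSN:
    time: str
    count: int
    sid: int  # serverID of the server that made the change
    mod: int

    @classmethod
    def parse(cls, text: str) -> "CSN":
        m = CSN_RE.fullmatch(text.strip())
        if not m:
            raise ValueError(f"not a CSN: {text!r}")
        return cls(m.group(1), int(m.group(2), 16), int(m.group(3), 16), int(m.group(4), 16))

def context_csns(ldif: str) -> Dict[int, CSN]:
    """Map serverID -> contextCSN from an ldapsearch of the suffix entry."""
    ctx = {}
    for line in ldif.splitlines():
        if line.startswith("contextCSN:"):
            csn = CSN.parse(line.split(":", 1)[1])
            ctx[csn.sid] = csn
    return ctx

def explain_too_old(log_line: str, ctx: Dict[int, CSN]) -> Optional[dict]:
    """For a 'CSN too old' line, report the contextCSN of the same SID it lost against."""
    m = TOO_OLD_RE.search(log_line)
    if not m:
        return None
    ignored = CSN.parse(m.group(2))
    current = ctx.get(ignored.sid)
    # the consumer already holds a CSN for this SID at least as new as the one
    # in the replayed accesslog entry, so syncrepl treats the entry as stale
    return {"rid": int(m.group(1)), "sid": ignored.sid, "ignored": ignored,
            "current": current, "is_older": current is not None and ignored < current}

# sample input constructed from the values quoted in the post above
LDIF = """dn: dc=example,dc=com
contextCSN: 20150511090001.208713Z#000000#000#000000
contextCSN: 20150511091334.137305Z#000000#001#000000
"""
LOG = ("554fbe2c do_syncrep2: rid=002 CSN too old, ignoring "
       "20131221210532.737643Z#000000#001#000000 (reqStart=20150509214300.000163Z,cn=log)")
```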
TLS failing?
by Albert Braden
I'm setting up new LDAP servers with replication, and I configured TLS, but I see this in my log:
May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128
May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
Does this mean that TLS is failing and it is falling back to ssf=0? I think my master is configured to not allow unencrypted connections:
disallow bind_anon
require bind
security simple_bind=128
Albert Braden
About.com Systems Operations
1500 Broadway 6th Floor
New York, NY 10036
desk: 212-204-1448 | mobile: 917-480-1090
aim:albertatabout
8 years, 7 months
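Added example (not from the post): the ssf on a BIND line is the SASL layer's strength, which is 0 for a simple bind even over TLS; the TLS layer is logged earlier on the same conn as a "TLS established tls_ssf=... ssf=..." line. This script correlates the two per connection to find simple binds that really happened in the clear. The conn=2572 lines are the post's; conn=2573 and its lines are constructed.

```python
import re
from typing import Iterable, List, Tuple

# one slapd stats-log line: "<date> <host> slapd[<pid>]: conn=<n> <rest>"
CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
# the TLS layer is logged on its own line when the handshake completes
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
# the ssf on the BIND line is the SASL layer's, which is 0 for a simple bind
BIND_RE = re.compile(r'op=\d+ BIND dn="([^"]*)" mech=(\w+) ssf=(\d+)')

def cleartext_simple_binds(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (conn, dn) for each SIMPLE bind on a connection that never
    logged 'TLS established' before the bind, i.e. a bind in the clear."""
    tls_up = set()
    findings = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        if TLS_RE.search(rest):
            tls_up.add(conn)
        elif " closed" in rest:  # forget the TLS state once the connection ends
            tls_up.discard(conn)
        else:
            b = BIND_RE.search(rest)
            if b and b.group(2) == "SIMPLE" and conn not in tls_up:
                findings.append((conn, b.group(1)))
    return findings

# constructed sample: conn=2572 is the pair of lines from the post; conn=2573
# is an invented connection that completed a TLS handshake before binding
SAMPLE_LOG = """\
May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128
May 11 14:29:07 nyprldap1 slapd[8867]: conn=2572 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
May 11 14:29:09 nyprldap1 slapd[8867]: conn=2573 fd=21 ACCEPT from IP=192.0.2.10:41022 (IP=0.0.0.0:389)
May 11 14:29:09 nyprldap1 slapd[8867]: conn=2573 op=0 STARTTLS
May 11 14:29:09 nyprldap1 slapd[8867]: conn=2573 fd=21 TLS established tls_ssf=256 ssf=256
May 11 14:29:09 nyprldap1 slapd[8867]: conn=2573 op=1 BIND dn="cn=manager,dc=about,dc=com" method=128
May 11 14:29:09 nyprldap1 slapd[8867]: conn=2573 op=1 BIND dn="cn=manager,dc=about,dc=com" mech=SIMPLE ssf=0
May 11 14:29:09 nyprldap1 slapd[8867]: conn=2573 op=1 RESULT tag=97 err=0 text=
""".splitlines()
```

With `security simple_bind=128` as configured above, a simple bind whose connection has no TLS layer is refused by slapd rather than accepted, so an accepted bind with a preceding "TLS established" line is the expected picture.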
Initial Replication is not working
by Gokulnath Arjunan
Hi,
I have set up replication on OpenLDAP. LDAP startup is fine but I am not
seeing it getting replicated. Find the logs below. Please advise what
needs to be changed.
Master log:
May 10 00:02:00 ldap slapd[12811]: conn=1031 fd=17 ACCEPT from IP=<IP>:49249 (IP=0.0.0.0:389)
May 10 00:02:00 ldap slapd[12811]: conn=1031 op=0 BIND dn="cn=admin,dc=******,dc=com" method=128
May 10 00:02:00 ldap slapd[12811]: conn=1031 op=0 BIND dn="cn=admin,dc=******,dc=com" mech=SIMPLE ssf=0
May 10 00:02:00 ldap slapd[12811]: conn=1031 op=0 RESULT tag=97 err=0 text=
May 10 00:02:00 ldap slapd[12811]: conn=1031 op=1 SRCH base="dc=*******,dc=com" scope=2 deref=0 filter="(objectClass=*)"
May 10 00:02:00 ldap slapd[12811]: conn=1031 op=1 SRCH attr=* +
May 10 00:02:00 ldap slapd[12811]: send_search_entry: conn 1031 ber write failed.
May 10 00:02:00 ldap slapd[12811]: conn=1031 fd=17 closed (connection lost on write)
May 10 00:02:45 ldap slapd[12811]: do_syncrep2: rid=002 LDAP_RES_SEARCH_RESULT (32) No such object
May 10 00:02:45 ldap slapd[12811]: do_syncrep2: rid=002 (32) No such object
May 10 00:02:45 ldap slapd[12811]: do_syncrepl: rid=002 rc -2 retrying
Slave Log:
May 10 00:02:00 TGAPPSRV07 slapd[40811]: findbase failed! 32
May 10 00:02:00 TGAPPSRV07 slapd[40811]: conn=1031 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrep2: rid=002 LDAP_RES_SEARCH_RESULT (32) No such object
May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrep2: rid=002 (32) No such object
May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrepl: rid=002 rc -2 retrying
May 10 00:02:00 TGAPPSRV07 slapd[40811]: conn=1031 op=2 UNBIND
May 10 00:02:00 TGAPPSRV07 slapd[40811]: conn=1031 fd=20 closed
May 10 00:02:00 TGAPPSRV07 slapd[40811]: syncrepl_message_to_entry: rid=001 mods check (objectClass: value #2 invalid per syntax)
May 10 00:02:00 TGAPPSRV07 slapd[40811]: do_syncrepl: rid=001 rc 21 retrying
Thanks
Gokul
8 years, 7 months
insert utf-8 data with c api
by yvan vander sanden
Hello.
I have trouble inserting data into OpenLDAP when it contains UTF-8 characters.
My code works as long as only ASCII characters are present, but when a name
has an accent or umlaut in it, the modify operation fails with an
operations error.
Even reading a string with such a character from an existing entry and
pushing the same string back to LDAP with ldap_modify_ext_s gives me this
error. And while debugging I can see that the string in question really
contains the correct UTF-8 values.
Are there perhaps any options that have to be enabled? The only one I am
using now is:
int version = LDAP_VERSION3;
ldap_set_option(_server, LDAP_OPT_PROTOCOL_VERSION, &version);
Regards,
yvan vander sanden
--
==- yvan vander sanden -==
* composer, programmer *
>>> http://mutecode.com -* MUTE software development*
>>> http://attr-x.net - *online interactive soundscape*
>>> http://code.google.com/p/yse-soundengine/ - *advanced 3D sound engine*
>>> http://youngmusic.org - *personal website*
>>> http://www.matrix-new-music.be/componist/vander-sanden-yvan-1972 - *bio
@ matrix* <http://youngmusic.org>
8 years, 7 months
Data is not getting replicated correctly in multimaster configuration
by Gurjot Kaur
Hi,
I have configured two instances of LDAP in multimaster mode.
I am creating 100 members, waiting for 5 seconds and then deleting those 100 members.
In the case of creation the data is getting replicated correctly.
But on deletion, all 100 members are getting deleted from the primary, but not from the secondary server.
As a result the data is inconsistent between the two instances.
Please give any suggestion.
Thanks and Regards,
Gurjot Kaur
Software Engineer
gurjot.kaur(a)aricent.com
8 years, 7 months
large write amplification
by Shu, Xinxin
Hi list,
Recently I ran micro tests on LMDB on a DC3700 (200GB), using the bench code at https://github.com/hyc/leveldb/tree/benches . I tested fillrandsync mode and collected iostat data, and found that the write amplification is large.
For the fillrandsync case:
IOPS: 1020 ops/sec
Iostat data shows that w/s on that SSD is 8093, avgqu-sz is ~1 and the await time is about 0.16 ms, so the write amplification is ~8, which is large to me. Can someone help explain why the write amplification is so large? Thanks.
Cheers,
xinxin
8 years, 7 months
olcAuthzRegexp not matching
by Brendan Kearney
I am trying to get Kerberos id <--> LDAP object mapping down for
dovecot, and seem to have hit a wall.
I have the Kerberos service principal created and a keytab populated. I
can successfully kinit using the keytab and get a TGT for the
imap/test.bpk2.com(a)BPK2.COM id. When I run ldapwhoami I get:
SASL/GSSAPI authentication started
SASL username: imap/test.bpk2.com(a)BPK2.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com
The olcAuthzRegexp I am trying to use is not matching and the mapping
falls through to the regular user mappings. I have tried all the
permutations I can think of in the regex, but cannot get the match to occur.
As a reference, I looked at the matching I do for the computer accounts,
and there is nothing obviously wrong.
olcAuthzRegexp attempts:
{2}uid=imap\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth
uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap\/(.*),cn=bpk2.com,cn=gssapi,cn=auth
uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap\/(.*),cn=gssapi,cn=auth
uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap\/(.*),cn=auth
uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
klist output:
Ticket cache: KEYRING:persistent:0:0
Default principal: imap/test.bpk2.com(a)BPK2.COM
Valid starting Expires Service principal
05/06/2015 11:42:08 05/07/2015 11:40:16 ldap/server2.bpk2.com(a)BPK2.COM
renew until 05/13/2015 11:40:16
05/06/2015 11:40:16 05/07/2015 11:40:16 ldap/server1.bpk2.com(a)BPK2.COM
renew until 05/13/2015 11:40:16
05/06/2015 11:40:16 05/07/2015 11:40:16 krbtgt/BPK2.COM(a)BPK2.COM
renew until 05/13/2015 11:40:16
How do I find what I am doing wrong? Note that the olcAuthzRegexp below
works to map hosts to computer accounts:
{0}uid=host\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth
cn=$1,ou=Computers,dc=bpk2,dc=com
thanks,
brendan
8 years, 7 months
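Added example (not from the post or from OpenLDAP) that replays authz-regexp rules against the SASL DN from the ldapwhoami output above the way slapd evaluates them: rules are tried in order, the first match wins, and patterns are POSIX extended and case-insensitive. The "regular user" rule at index 1 is an assumption standing in for the mapping the post says it falls through to; the host and imap rules are the post's own, and the run shows how a catch-all placed ahead of the imap rule produces exactly the DN that was observed.

```python
import re
from typing import List, Optional, Tuple

# slapd compiles each authz-regexp <match> as a POSIX extended, case-insensitive
# regex, tries the rules in order and uses the first one that matches; $1..$9 in
# <replace> refer to the pattern's groups. Python's re is close enough to ERE for
# these DN patterns, and re.search mirrors the unanchored regexec() call.
Rule = Tuple[str, str]

def apply_authz_rules(rules: List[Rule], sasl_dn: str) -> Optional[Tuple[int, str]]:
    """Return (rule index, mapped DN) for the first matching rule, else None."""
    for idx, (pattern, replacement) in enumerate(rules):
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            mapped = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
            return idx, mapped
    return None

# the SASL authorization DN slapd builds for the principal in the post
SASL_DN = "uid=imap/test.bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth"

# {0} is the working host rule from the post; {1} is an ASSUMED "regular user"
# rule of the kind the post says the mapping fell through to; {2} is the first
# imap attempt from the post
RULES_AS_POSTED: List[Rule] = [
    (r"uid=host\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth", "cn=$1,ou=Computers,dc=bpk2,dc=com"),
    (r"uid=(.*),cn=bpk2.com,cn=gssapi,cn=auth", "uid=$1,ou=domainusers,ou=users,dc=bpk2,dc=com"),
    (r"uid=imap\/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth", "uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com"),
]

# the same rules with the more specific imap rule ahead of the catch-all
RULES_REORDERED: List[Rule] = [RULES_AS_POSTED[2], RULES_AS_POSTED[0], RULES_AS_POSTED[1]]
```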