LMDB docs refresh?
by Arto Bendiken
Perhaps the generated Doxygen output at http://symas.com/mdb/doc/
might use a refresh for the latest LMDB release?
The docs currently published there are 11 months old, and do not
include e.g. any information on the recently-added mdb_txn_id()
function--a good function to have, by the way.
--
Arto Bendiken | @bendiken | http://ar.to
8 years, 3 months
ACL to allow all but one OU
by Olaf Hopp
Hi listers,
I have ~40 departments in several ou's and I need an ACL to allow
access for one user to all but one OU.
I do not want to forbid that ou in question and thus implicitly allow all the others.
I want to formulate this explicitly, so I can directly see what is allowed.
Moreover the names of the ou's are very similar to each other, something like:
ou=aaaa,dc=...
ou=abaa,dc=...
ou=bbaa,dc=...
ou=bbbb,dc=...
and suppose I want to disallow access to the ou=abaa.
I ended up with two ACLs:
the first one to forbid ou=abaa:
access to dn.sub=ou=abaa,dc=.... \
attrs=entry
by dn=uid=foo,dc=.... none
by * break
and then allowing access to all ou's with
access to dn.regex=ou=[^,]+,dc=... \
attrs=....
by dn=uid=foo,dc=...
by * break
Is it possible to formulate this with just one ACL?
I tried something like "ou=!abaa" with just the second ACL but failed.
Then I tried ou=[^a][^b][^a][^a]
but this also matches ou=bbbb, to which uid=foo should have access.
Thanks, Olaf
--
Karlsruher Institut für Technologie (KIT)
ATIS - Technical Infrastructure Department, Department of Informatics
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp(a)kit.edu
atis.informatik.kit.edu
www.kit.edu
KIT - University of the State of Baden-Württemberg and National Research Center of the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
8 years, 3 months
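To check what the two ACLs in the post actually yield, here is an added model of slapd's clause walk (not code from the post or from OpenLDAP): clauses are tried in order, the first `access to` whose target matches is used, and the first matching `by` decides unless it carries `break`. It also shows the one-clause form the poster asked for: since slapd compiles `dn.regex` as a POSIX extended regex, which has no negative lookahead, "all but abaa" has to be written as an explicit alternation of the permitted OUs. The suffix `dc=example,dc=com`, the requester, the entry DNs and the `read` level are constructed assumptions.

```python
import re

# Added model of how slapd walks an ACL list, used to check the post's
# two-clause approach and a single explicit alternation against it.
# Simplifications (assumptions): "break" carries no access level forward,
# dn.regex is POSIX ERE matched case-insensitively (Python re.I mirrors that),
# and the suffix, the requester and the entries are constructed.
SUFFIX = "dc=example,dc=com"
FOO = f"uid=foo,{SUFFIX}"

def dn_sub(base):
    # dn.sub: the entry itself or anything below it
    return lambda dn: dn == base or dn.endswith("," + base)

def dn_regex(pattern):
    # dn.regex is unanchored, as in the post, so children of an OU match too
    return lambda dn: re.search(pattern, dn, re.I) is not None

# Each clause: (target predicate, [(who predicate, access, control), ...])
TWO_ACLS = [
    (dn_sub(f"ou=abaa,{SUFFIX}"),
     [(lambda w: w == FOO, "none", "stop"), (lambda w: True, None, "break")]),
    (dn_regex(rf"ou=[^,]+,{re.escape(SUFFIX)}"),
     [(lambda w: w == FOO, "read", "stop"), (lambda w: True, None, "break")]),
]

# The explicit single clause: POSIX ERE has no negative lookahead, so "all but
# abaa" is spelled out as an alternation of the permitted OUs.
ONE_ACL = [
    (dn_regex(rf"ou=(aaaa|bbaa|bbbb),{re.escape(SUFFIX)}"),
     [(lambda w: w == FOO, "read", "stop"), (lambda w: True, None, "break")]),
]

def evaluate(target, who, acls):
    """Access level the ACL list yields for `who` on `target` ('none' if nothing stops)."""
    for matches_target, by_clauses in acls:
        if not matches_target(target):
            continue
        for matches_who, level, control in by_clauses:
            if matches_who(who):
                if control == "break":
                    break           # try the next "access to" clause
                return level        # "stop": this clause decides
        else:
            return "none"           # no "by" matched: implicit "by * none"
    return "none"
```

Both lists give uid=foo `none` on ou=abaa and its children and `read` on every other OU; anyone else gets `none`, because every `by * break` falls off the end of the list.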
Replication speed and data sizing (mdb)
by Brian Wright
We are using 2.4.39. I realize there are newer versions available, but
at the time when we started our LDAP project, this was the version
available.
We are testing n-way master replication along with a large number of
records using lmdb. Here's the config:
* 8 way replication with 8 nodes (each node having 7 other connections)
* 50k records
* Inserting the records into one cluster node to replicate to all the rest
The problems observed:
* Some nodes are faster at replication than others. In general, the
time to complete replication is slower than expected. In my test
environment I found that 50k records can take up to 2 hours for some
nodes to complete. The fastest nodes complete in 1.5 hours. Because
these records are brand new insertions, delta based replication
wouldn't help here.
* When the replication is completed, some of the data.mdb files are
larger than others (sometimes by an order of magnitude).
We would like to understand the reason behind these two problems above.
First, the replication system seems unusually slow. Second, we need to
understand why the data.mdb file grows sometimes far larger on one node
than the rest of the nodes. For example, in our production environment,
while most nodes were around 1GB in data size, one node stored in excess
of 40GB in data.mdb. In my testing lab, the 50k record insertion left
most nodes with a data.mdb size of 150MB. On one of the nodes, the data
size was 262MB.
Note that I've also tried alternative replication connectivity
approaches to attempt to reduce the number of connections per server,
but that did not improve replication performance or the varying data
sizes in the end.
If updating to a newer version helps resolve the above observed
problems, please let me know.
Any tuning or debugging advice here would be appreciated.
Thanks.
--
Brian Wright
Sr. UNIX Systems Engineer
901 Mariners Island Blvd Suite 200
San Mateo, CA 94404 USA
Email brianw(a)marketo.com
Phone +1.650.539.3530
www.marketo.com
8 years, 3 months
Adding Members to Groups
by Aneela Saleem
Hi all,
I have used 'posixGroup' objectClass for creating groups, and
'posixAccount' object class for creating users, which uses 'gidNumber'
property to associate to a specific group (created by posixGroup).
I have to sync LDAP users/groups in Apache Ranger, that uses 'groupOfNames'
object class and 'member/memberof' property in user object. But in
'groupOfNames' objectClass we have to add members at the time of creation
of group.
Is there any way that we can add members to already created groups later on?
8 years, 3 months
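Members can be added to an existing groupOfNames with an LDIF `changetype: modify` that adds `member` values; the only constraint is that groupOfNames must always have at least one member, which is why one cannot be created empty. The following is an added example, not code from the post or from Ranger, that derives membership from the posixGroup/posixAccount data described (primary gidNumber plus any memberUid) and emits that LDIF; the suffix, the `ou=People`/`ou=Groups` layout and all entries are constructed.

```python
# Added example (not from the post): derive groupOfNames membership from
# posixGroup/posixAccount data and emit LDIF that adds "member" values to
# groups that already exist. The suffix, the OUs and all entries are constructed.
SUFFIX = "dc=example,dc=com"

# Constructed directory content: posixAccounts keyed by uid with their primary
# gidNumber, and posixGroups with gidNumber plus any explicit memberUid values.
USERS = {
    "alice": {"gidNumber": 1001},
    "bob": {"gidNumber": 1001},
    "carol": {"gidNumber": 1002},
}
GROUPS = {
    "admins": {"gidNumber": 1001, "memberUid": ["carol", "nobody-here"]},
    "analysts": {"gidNumber": 1002, "memberUid": []},
    "empty": {"gidNumber": 1003, "memberUid": []},
}

def user_dn(uid):
    return f"uid={uid},ou=People,{SUFFIX}"

def group_members(group):
    """DNs of users whose primary gid is the group's, plus explicit memberUids."""
    uids = {u for u, a in USERS.items() if a["gidNumber"] == group["gidNumber"]}
    uids.update(m for m in group["memberUid"] if m in USERS)  # skip dangling uids
    return [user_dn(u) for u in sorted(uids)]

def member_add_ldif(cn, group, replace=False):
    """LDIF modify record that adds member values to an existing groupOfNames.
    Returns '' when there is nothing to add: groupOfNames requires at least one
    member, so an empty group cannot exist and must be created with a member.
    replace=True emits 'replace: member' instead, which stays idempotent on
    re-runs (adding a value that is already present is rejected by the server)."""
    members = group_members(group)
    if not members:
        return ""
    op = "replace" if replace else "add"
    lines = [f"dn: cn={cn},ou=Groups,{SUFFIX}", "changetype: modify", f"{op}: member"]
    lines += [f"member: {dn}" for dn in members]
    return "\n".join(lines) + "\n-\n\n"   # "-" ends the mod-spec, blank line ends the record

def sync_ldif(replace=False):
    """One LDIF document covering every group; feed it to ldapmodify."""
    return "".join(member_add_ldif(cn, g, replace) for cn, g in GROUPS.items())
```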
Re: LDAP - Unix sync
by Mauricio Tavares
On Wed, Aug 12, 2015 at 11:31 AM, Aneela Saleem <aneela(a)platalytics.com> wrote:
> Yes ldap works. and running ssh in verbose mode gives i.e., ssh -v
> admin(a)127.0.0.1
>
> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/id_rsa type 1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type 2
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1
> Ubuntu-2ubuntu2
> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat
> 0x04000000
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5-etm(a)openssh.com none
> debug1: kex: client->server aes128-ctr hmac-md5-etm(a)openssh.com none
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA
> 8e:24:39:c6:46:e1:03:31:b9:bb:7a:d4:89:16:72:6b
> debug1: Host '127.0.0.1' is known and matches the ECDSA host key.
> debug1: Found key in /root/.ssh/known_hosts:8
> debug1: ssh_ecdsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
Poor ssh in the machine you are connecting to is completely
oblivious to ldap. As of now it only knows about publickey and
password. Try setting up sshd to use pam and then get ldap from there
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /root/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password
> debug1: Offering DSA public key: /root/.ssh/id_dsa
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private key: /root/.ssh/id_ecdsa
> debug1: Trying private key: /root/.ssh/id_ed25519
> debug1: Next authentication method: password
> admin(a)127.0.0.1's password:
> debug1: Authentications that can continue: publickey,password
> Permission denied, please try again.
> admin(a)127.0.0.1's password:
>
>
> On Wed, Aug 12, 2015 at 7:56 PM, Mauricio Tavares <raubvogel(a)gmail.com>
> wrote:
>>
>> On Wed, Aug 12, 2015 at 10:37 AM, Aneela Saleem <aneela(a)platalytics.com>
>> wrote:
>> > Hi Aaron!
>> >
>> > Actually i'm trying to login LDAP users as local users from command
>> > line.
>> >
>> > I have followed this guide but unable to perform 'ssh'
>> >
>> I think we need more than "unable to perform 'ssh'." Have you
>> done the usual stuff like ssh in verbose mode and check the logs? Have
>> you checked that ldap works in said machine?
>>
>> > On Wed, Aug 12, 2015 at 7:23 PM, Aaron Richton
>> > <richton(a)nbcs.rutgers.edu>
>> > wrote:
>> >>
>> >> On Wed, 12 Aug 2015, Aneela Saleem wrote:
>> >>
>> >>> Hi all, Can anyone please tell me how can i pull users from LDAP
>> >>> server
>> >>> and treat them as local users? So that i can login as an ldap user and
>> >>> test
>> >>> whether particular user have permissions to particular HDFS commands
>> >>> or not.
>> >>
>> >>
>> >> I'm not sure what you're referring to by "pull." In a typical *ix
>> >> setup,
>> >> you'd configure the system name services and/or authentication services
>> >> to
>> >> include an LDAP backend.
>> >>
>> >> The precise details and options depend on the exact flavor of the
>> >> system
>> >> you're using. nss_ldap, nss-pam-ldapd, and nssov are likely candidates
>> >> on
>> >> the name service side; nss-pam-ldapd also provides a pam_ldap on the
>> >> authentication side. But again, this is somewhat system-dependent (no
>> >> NSS on
>> >> OS X/Darwin, for example).
>> >>
>> >> For nssov, see the LDAPCon paper
>> >> http://ldapcon.org/2011/downloads/cheng-paper.pdf for starters.
>> >>
>> >
>
>
8 years, 3 months
LDAP - Unix sync
by Aneela Saleem
Hi all,
Can anyone please tell me how I can pull users from an LDAP server and treat
them as local users, so that I can log in as an LDAP user and test whether a
particular user has permissions for particular HDFS commands or not?
8 years, 3 months
Is Openldap a Authorization or Authentication system?
by Kaushal Shriyan
Hi,
I am not sure if I understand the difference between Authorization and
Authentication. Does OpenLDAP support both, or is it configured as an
Authorization or an Authentication server? I would appreciate it if somebody could
help me understand with some examples.
Regards,
Kaushal
8 years, 3 months
When using the rwm, openldap down
by デージーネット 大野 公 善
Hi.
When I changed the configuration for OpenLDAP, OpenLDAP stopped (Aborted).
I carried out the following operations.
(1) I created the following environment.
---- ---- ---- ----
# ldapsearch -LLL -Y EXTERNAL -b
'olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config' -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmRewrite: {0}rwm-rewriteEngine on
olcRwmRewrite: {1}rwm-rewriteContext searchFilter
olcRwmRewrite: {2}rwm-rewriteRule "aaa" "111" ":@"
olcRwmRewrite: {3}rwm-rewriteRule "bbb" "222" ":@"
---- ---- ---- ----
(2) I created the following ldif file.
---- ---- ---- ----
dn: olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config
changetype: modify
delete: olcRwmRewrite
olcRwmRewrite: rwm-rewriteRule "aaa" "111" ":@"
-
---- ---- ---- ----
(3) I ran ldapmodify.
---- ---- ---- ----
# ldapmodify -Y EXTERNAL -H ldapi:/// -f down.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config"
ldap_result: Can't contact LDAP server (-1)
---- ---- ---- ----
In this case, openldap has stopped.
:
:
55c45c8b connection_get(16)
55c45c8b ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
55c45c8b SASL Canonicalize [conn=1000]:
authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
55c45c8b slap_sasl_getdn: conn 1000
id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55]
55c45c8b SASL Canonicalize [conn=1000]:
slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
55c45c8b SASL proxy authorize [conn=1000]:
authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
55c45c8b connection_get(16)
55c45c8b conn=1000 op=1 do_modify: dn
(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)
=> ldap_bv2dn(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config,0)
<= ldap_bv2dn(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0
55c45c8b conn=1000 op=1 modifications:
55c45c8b delete: olcRwmRewrite
55c45c8b one value, length 32
55c45c8b [slapd:0] unknown command ''
slapd: rwm.c:2195: rwm_cf_gen: Assertion `rc == 0' failed.
Aborted
Is this an OpenLDAP bug?
--
Regards,
Kimiyoshi Ohno
DesigNET.INC.
8 years, 4 months
Re: Manager Attribute
by mlstarling31@hotmail.com
------ Original message ------
From: Michael Ströder
Date: Thu, Aug 6, 2015 2:30 PM
To: mlstarling31@hotmail.com; openldap-technical@openldap.org
Subject: Re: Manager Attribute

mlstarling31(a)hotmail.com wrote:
> could you expound on your statement below?
> "Think twice:
> - namespace
> - obsolete information, referential integrity
> etc."

Pretty soon free-form text fields tend to contain malformed and obsolete data and hence are pretty unuseful.

Ciao, Michael.

I see. Thank you.
8 years, 4 months