openldap-technical November 2016

openldap-technical@openldap.org

28 participants
53 discussions

"attr" Warning in slapcat
by Kilian 26 Nov '16

26 Nov '16

Hi, having a strange warning: # /usr/sbin/slapcat -b dc=foo,dc=bar,com 583422d0 /etc/ldap/slapd.d: line 1: "attr" is deprecated (and undocumented); use "attrs" instead. Then, the normal output of slapcat follows. The thing is, /etc/ldap/slapd.d is a *folder* and in the entire /etc/ldap folder, including subdirs, the string "attr" does not occur. Btw, The contents of /etc/ldap/slapd.d are: -rw------- 1 openldap openldap 2386 Jun 5 13:51 cn=config.ldif drwxr-x--- 6 openldap openldap 4096 … [View More]

3 3

Ldap not reachable/tuning
by Thomas Hummel 25 Nov '16

25 Nov '16

Hello, I'm using a simple setup on CentOS Linux release 7.2.1511 (Core)/openldap-servers-2.4.40-9 /cn=config/mdb : one provider with the syncprov overlay and 2 syncrepl consumers. The DIT itself is about 10000 dn in size (about 3000 active users). Everything works fine except that sometimes, some clients report (temporary) failure to reach the consumers (NAS servers for instance). All I see in the logs is that when this happens, the time windows loosely match a moment where log rate … [View More]

1 1

support for openssl-1.1.0c
by A. Schulze 25 Nov '16

25 Nov '16

hello, I played with git://git.openldap.org/openldap.git and wrote a patch to support compilation using openssl-1.1.0c Just created a ITS item: http://www.openldap.org/its/index.cgi/Incoming?id=8533 The patch is available here: ftp://ftp.openldap.org/incoming/andreas-schulze-161125.patch maybe some people want to review the code... Hope that helps to step further for 2.4.45 !? Andreas

1 0

Allow to pass on "undefined" filters in back-perl
by W.Siebert＠t-systems.com 25 Nov '16

25 Nov '16

Hi all, I have now the same problem, but with back-perl. We have so one kind of LDAP broker implemented. Reason is to split authentication and authorization by sending the LDAP-bind to one server(Authentication) and LDAP-search for group membership to another (Authorization). Unfortunately one of 6 authorization server is a Microsoft Active Directory, expects LDAP_MATCHING_RULE_IN_CHAIN, and so I get "Bad filter, "(?=undefined)". It is possible to implement a similar workaround as in the … [View More]back-meta bellow? I think a generally config option to deactivate the filters sanity check were very useful, not for me only. Kind regards Waldemar ------------------------------------------------------------------------------- Hi all, I had exactly the same problem last June. Pierangelo Masarati helped me understanding the problem. He even provided the code for a contrib module to solve this issue. You can search the list for the subject "back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter". I have "packed" all of it into a github repo at https://github.com/cbueche/openldap-passthru and announced it to the list on 6.6.2014. It would be nice if the maintainer take it over to the official openldap tarball within contrib/slapd-modules/mr_passthru/ so future needs are "officially" covered. I think the LDAP_MATCHING_RULE_IN_CHAIN filters will find their use for many other people. Markus: I can help you for the implementation if needed. Feel free to provide for more functionality. Regs, Charles On 23.10.14 08:17, Markus.Storm(a)t-systems.com wrote: > Hi Howard, > > have you had a chance to look into this? > We're a bit desperate over here, short of alternative solutions. > > Regards > Markus > >> -----Original Message----- >> From: Storm, Markus >> Sent: Thursday, September 18, 2014 8:44 AM >> To: 'Howard Chu'; openldap-technical(a)openldap.org >> Subject: AW: allow to pass on "undefined" filters in meta >> >>> -----Ursprüngliche Nachricht----- >>> Von: Howard Chu [mailto:hyc@symas.com] >>> Gesendet: Mittwoch, 17. September 2014 18:17 >>> An: Storm, Markus; openldap-technical(a)openldap.org >>> Betreff: Re: allow to pass on "undefined" filters in meta >>> >>> Markus.Storm(a)t-systems.com wrote: >>>> Hi >>>> I've run into a problem trying to deploy back-meta in front of an >>>> Active Directory target. >>> What is the exact filter you are trying to use? >> a filter such as >> >> (&(objectclass=user) >> (|(memberOf:1.2.840.113556.1.4.1941:=CN=GRP_AAA_ADM,OU=Groups,OU=AAA,OU=Se >> rvers,DC=lab,DC=net) >> (memberOf:1.2.840.113556.1.4.1941:=CN=GRP_BBB_ADM,OU=Groups,OU=AAA,OU=Serv >> ers,DC=lab,DC=net))) >> >> The problem is with the matching rule to be used :1.2.840.113556.1.4.1941: >> That translates into LDAP_MATCHING_RULE_IN_CHAIN which makes the server >> recursively check for nested group membership. That's a feature in AD but >> not supported in OpenLDAP (or at least not by simply specifying that matching >> rule, and to rework the query is no option). >> >>>> I believe that to resolve it, I need to get a new option implemented. >>>> I need to issue a request through a back-meta proxy . That query >>>> happens to contain a matching rule which is not implemented in >>>> OpenLDAP so slapd does not know to evaluate the query. The target >>> that >>>> the query will ultimately be passed on to (an Active Directory) does >>> know to process the query, though. >>>> OpenLDAP, however, considers the filter to be "undefined" and thus >>>> on relaying the request to the AD target, back-meta replaces a >>>> portion >>> of >>>> the original query with a "(?=undefined)" filter as documented in >>> e.g. >>>> slapd-meta manpage "noundeffilter" option. >>>> But I need the original query to be passed on. It's in fact a >>>> _valid_ LDAP request, just OpenLDAP happens to be unable to parse it. >>>> But at least in my setup, slapd does not have to do _/anything/_ >>>> about the query other than to pass it on, so I find it inacceptable >>>> that it replaces the query just because it doesn't understand it. >>>> Please, can you add an option switch to the code to allow for >>>> passing on original queries *without* replacing undefined portions ? >>>> I have not found any other solution to my problem. I tried to make >>>> OpenLDAP aware of the undefined portion by adding the matching rule >>> to >>>> the schema but I failed. Seems that would need to be planted into >>>> the code, and not being a programmer, that's not as easy as it is >>>> with expanding the schema by some new attributes. >>>> Also, while of course any parser/feature enhancement will always be >>>> appreciated, I would think that to implement the matching rule is >>> not >>>> the best way of fixing things: I believe there will always be >>>> situations where OpenLDAP cannot parse the input while another LDAP >>> server can. >>>> For a proof of concept, I hacked servers/slapd/back-meta/map.c >>> (around >>>> line 581as of 2.4.39) and but - again, I'm not a programmer - I >>> feel >>>> incapable of turning this into a full-blown patch free of side >>>> effects, also I want the modification to become available to anyone. >>>> So I'm hoping for you to implement the switch mentioned above, maybe >>>> as a third possible setting for the "noundeffilter" option. >>>> Thanks a lot in advance, >>>> best regards >>>> Markus Storm [View Less]

1 0

Sync question
by Singley, Norman 21 Nov '16

21 Nov '16

Hi folks - Just a quick question I couldn't quite find the answer to in the oldap documentation. We have a multi-master oldap with three nodes. One node is on a physical machine, and we are planning on doing a physical to virtual migration soon. All three nodes are part of a DNS round robin. We will take the physical node out of the DNS round robin, do the migration and bring the virtual back in. My question regards synchronization. We are using "refreshandpersist" for syncrepl. For the … [View More]

2 1

Can't add "same" mail attribute with different cases.
by Patrick Zacharias 21 Nov '16

21 Nov '16

3 3

Re: reusing transactions in LMDB
by Howard Chu 21 Nov '16

21 Nov '16

Tim Uckun wrote: > Hi. > > Sorry for being so dense but... > The document says > > The transaction handle is freed. It and its cursors must not be used again > after this call, except with mdb_cursor_renew(). > > > I am still very confused about reusing transactions. Keep reading. > If I commit or abort a read write transaction I can't reuse the transaction > but I can re use the cursor? In the cursor documentation it says > > Cursors that are only … [View More]

1 0

Re: Repairing a lmdb database
by Howard Chu 21 Nov '16

21 Nov '16

Tim Uckun wrote: > The language is Crystal which is still a very young language. It does not have > threading at this time so there should be no issues with mutexes. While > writing the code I never opened up a database but did repeatedly open up the > environment and if the app ran into an error while coding didn't properly > close the environment. I didn't ask about languages, I asked about OS and LMDB version. LMDB uses mutexes internally to serialize write transactions. … [View More]

2 1

Re: reusing transactions in LMDB
by Howard Chu 21 Nov '16

21 Nov '16

Tim Uckun wrote: > > > No. You can perform multiple write operations in a single transaction. > > > But once the commit has been called the next write operation has to be a newly > opened transaction right? The write transactions can't be re-opened. > http://lmdb.tech/doc/group__mdb.html#ga846fbd6f46105617ac9f4d76476f6597 -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief … [View More]

2 1

Re: reusing transactions in LMDB
by Howard Chu 21 Nov '16

21 Nov '16

Tim Uckun wrote: > Another question regarding my wrapper for lmdb. > > The comments say it's possible to reuse read only transactions but says > nothing about reusing the read write transactions. Does this mean every write > operation needs a fresh transaction? No. You can perform multiple write operations in a single transaction. > Is there any downsides to not > implementing the reuse functions for the wrapper? There is a performance gain from reusing read … [View More]

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2016