LDAP log lags in the ldap.log
by Daniel Jung
Based on the timestamp in the ldap.log, it is about 10-15 minutes older
than the current time.
I see a lot of ABANDON msgs, which makes me suspect that there are way too many
queries (not LDAP connections themselves) in a connection. Also, the log
constantly shows the following as well:
connection_input: conn=321629 deferring operation: pending operations
connection_input: conn=318818 deferring operation: too many executing
Looking through the archive, this is an issue on the client side, and I
believe that's true based on the ABANDON msgs on long-lasting session ids.
I was using logging set to stats, sync. I have changed it to none, and the
symptom of the lagging log timestamp has disappeared and queries are working
properly again.
My question is, is there a way to safely log stats without hampering
performance to the point that queries are not returning at all?
I am using openldap-2.4.39 ( yes i should upgrade soon :( )
Thanks
7 years, 7 months
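A way to quantify what the post above describes instead of reading the log by eye. The script below is an added example, not code from the post or from OpenLDAP; it runs on constructed lines in the shape of slapd "stats" output as syslog writes it (the `Mon DD HH:MM:SS host slapd[pid]:` prefix, conn/op numbering, ACCEPT, SRCH, SEARCH RESULT, ABANDON, and the `connection_input: ... deferring operation` messages). It reports how far the newest log line trails a reference time, and per connection counts searches issued, searches completed, searches still open, ABANDONs and deferrals, keeping the client address from the ACCEPT line so a connection that is piling up operations can be traced to a client. The conn ids are the ones quoted in the post; the addresses, DNs and filters are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of slapd "stats" output as syslog writes it
# (not taken from the original post); the conn ids are the ones quoted above.
SAMPLE_LOG = """\
Feb 11 14:02:11 ldap1 slapd[2231]: conn=321629 fd=41 ACCEPT from IP=10.0.5.17:51234 (IP=0.0.0.0:389)
Feb 11 14:02:11 ldap1 slapd[2231]: conn=321629 op=0 BIND dn="cn=app,ou=svc,dc=example,dc=com" method=128
Feb 11 14:02:11 ldap1 slapd[2231]: conn=321629 op=0 RESULT tag=97 err=0 text=
Feb 11 14:02:12 ldap1 slapd[2231]: conn=321629 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
Feb 11 14:02:12 ldap1 slapd[2231]: conn=321629 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
Feb 11 14:02:12 ldap1 slapd[2231]: conn=321629 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=carol)"
Feb 11 14:02:13 ldap1 slapd[2231]: conn=321629 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 11 14:02:14 ldap1 slapd[2231]: connection_input: conn=321629 deferring operation: too many executing
Feb 11 14:02:15 ldap1 slapd[2231]: conn=321629 op=4 ABANDON msg=3
Feb 11 14:02:15 ldap1 slapd[2231]: conn=321629 op=5 ABANDON msg=4
Feb 11 14:02:16 ldap1 slapd[2231]: conn=318818 fd=33 ACCEPT from IP=10.0.5.20:40011 (IP=0.0.0.0:389)
Feb 11 14:02:16 ldap1 slapd[2231]: conn=318818 op=0 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(objectClass=*)"
Feb 11 14:02:17 ldap1 slapd[2231]: conn=318818 op=0 SEARCH RESULT tag=101 err=0 nentries=40 text=
"""

PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: (?P<msg>.*)$")
ACCEPT = re.compile(r"^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)")
SRCH = re.compile(r"^conn=(\d+) op=(\d+) SRCH ")
RESULT = re.compile(r"^conn=(\d+) op=(\d+) SEARCH RESULT ")
ABANDON = re.compile(r"^conn=(\d+) op=\d+ ABANDON msg=(\d+)")
DEFER = re.compile(r"^connection_input: conn=(\d+) deferring operation: (.+)$")


def new_conn():
    return {"ip": None, "srch": 0, "results": 0, "abandon": 0, "deferred": 0, "open_ops": set()}


def parse_ts(ts, year):
    """syslog timestamps carry no year; borrow it from the reference time."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def analyze(log_text, now, inflight_threshold=2):
    """Per-connection operation accounting plus how far the newest line trails `now`."""
    conns, last_ts = defaultdict(new_conn), None
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        last_ts, msg = parse_ts(m.group("ts"), now.year), m.group("msg")
        if (a := ACCEPT.match(msg)):
            conns[int(a.group(1))]["ip"] = a.group(2)
        elif (s := SRCH.match(msg)):
            c = conns[int(s.group(1))]
            c["srch"] += 1
            c["open_ops"].add(int(s.group(2)))       # open until its SEARCH RESULT shows up
        elif (r := RESULT.match(msg)):
            c = conns[int(r.group(1))]
            c["results"] += 1
            c["open_ops"].discard(int(r.group(2)))
        elif (ab := ABANDON.match(msg)):
            conns[int(ab.group(1))]["abandon"] += 1  # msg= is the client's messageID, not op=
        elif (d := DEFER.match(msg)):
            conns[int(d.group(1))]["deferred"] += 1  # slapd postponed an op on this connection
    lag = None if last_ts is None else (now - last_ts).total_seconds()
    suspects = sorted(cid for cid, c in conns.items()
                      if c["deferred"] or c["abandon"] or len(c["open_ops"]) > inflight_threshold)
    return {"lag_seconds": lag, "conns": dict(conns), "suspects": suspects}
```

Run it as `analyze(open("/var/log/ldap.log").read(), datetime.now())`: a large `lag_seconds` confirms the symptom independently of wall-clock eyeballing, and the `suspects` list, with `ip` and `open_ops`, is what to take to the owner of the client. The year is borrowed from `now`, so a log that straddles New Year will mis-date its December lines.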
Member of nested groups of different classes
by Chris
Dear All,
some users are members of a groupOfNames (RFC2307bis schema). This group is
a member of a mailGroup (Postfix schema). This mailGroup is a member of
another mailGroup. (Nested) membership in this last group defines access
rights for an application.
My question: is the memberOf overlay able to recursively find all groups
one is member of, if they use all the same "member" attribute
(memberof.member-ad), but have different structural classes
(memberof-group-oc)?
Is there a (Perl?) script that is able to find all groups one is a
member of?
- Chris
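Whatever the overlay provides for direct membership, the nested case in the question is a graph walk a client can do itself: repeat the search `(member=<dn>)` for each group found, regardless of the group's structural class, until nothing new turns up. The code below is an added example, not from the post or from OpenLDAP. It uses a constructed in-memory DIT (the DNs and classes are made up) in place of the directory and includes a deliberate membership cycle, so the walk has to terminate on revisits. `member_filter` produces the escaped filter you would hand to ldapsearch or a Net::LDAP/python-ldap search at each step; the escaping matters, because a DN containing `(`, `)` or `*` would otherwise rewrite the filter.

```python
from collections import deque

# Constructed sample DIT (not from the original post): one "member" attribute shared by a
# groupOfNames and two mailGroups, with a back-edge (all-staff <-> app-admins) to exercise
# cycle handling.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org": {"objectClass": ["inetOrgPerson"]},
    "cn=devs,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"]},
    "cn=dev-list,ou=mail,dc=example,dc=org": {
        "objectClass": ["mailGroup"],
        "member": ["cn=devs,ou=groups,dc=example,dc=org"]},
    "cn=all-staff,ou=mail,dc=example,dc=org": {
        "objectClass": ["mailGroup"],
        "member": ["cn=dev-list,ou=mail,dc=example,dc=org",
                   "cn=app-admins,ou=groups,dc=example,dc=org",
                   "uid=bob,ou=people,dc=example,dc=org"]},
    "cn=app-admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=all-staff,ou=mail,dc=example,dc=org"]},
}

FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping: without it a DN containing '(' or '*' becomes filter injection."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(dn, member_attr="member"):
    """The search to run at each step: (member=<dn>) over the whole DIT, any objectClass."""
    return f"({member_attr}={escape_filter_value(dn)})"


def groups_containing(member_dn, entries=ENTRIES, member_attr="member"):
    """In-memory stand-in for running member_filter(member_dn) against the server.
    DNs are compared case-insensitively, as the server would."""
    target = member_dn.lower()
    return [dn for dn, attrs in entries.items()
            if any(m.lower() == target for m in attrs.get(member_attr, []))]


def transitive_groups(user_dn, lookup=groups_containing, max_depth=32):
    """Breadth-first walk up the membership graph. Returns {group_dn: depth}, depth 1 being
    direct membership. Visited groups are skipped, so cycles and diamonds terminate;
    max_depth bounds the number of round trips on a larger directory than expected."""
    found, queue, seen = {}, deque([(user_dn, 0)]), {user_dn.lower()}
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for group in lookup(dn):
            key = group.lower()
            if key in seen:
                continue
            seen.add(key)
            found[group] = depth + 1
            queue.append((group, depth + 1))
    return found


def is_member_of(user_dn, group_dn, lookup=groups_containing):
    """The access decision for the application: nested membership in group_dn."""
    return group_dn.lower() in (g.lower() for g in transitive_groups(user_dn, lookup))
```

To run it against a real server, replace `groups_containing` with a function that issues `member_filter(dn)` (attributes: `dn` only) and returns the DNs found; the walk and the cycle handling stay the same. Each level costs one search, which is the price of not having the server compute it.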
Re: rebuilding the DIT
by Timothy Keith
On Thu, Feb 11, 2016 at 7:05 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> If you want answers, keep your replies on the list.
>
> Thanks.
>
>
>
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
> A division of Synacor, Inc
I used this slapcat; I did not specify a config database.
slapcat -v -l backup.ldif
Tim
paged results control results in full db search?
by Geert Hendrickx
Hi,
We found an odd issue when using LDAP Admin (www.ldapadmin.org), which by
default uses the paged results control (RFC 2696) to limit search results.
This client initially issues an objectclass=* search with one-level scope
to list the first-level objects/trees on the LDAP DIT, which you can then
browse/expand by clicking on them.
On a large db, we noticed this initial search hits the timelimit, even
though the equivalent command line search is instant. I found the
difference is in using the paged result control:
ldapsearch -s one -E \!pr=100 objectclass=\* objectclass => slow
ldapsearch -s one objectclass=\* objectclass => fast
The slapd stats+trace logging of each is attached. Notice the large
number of objects being skipped with "scope not okay" in the first, where
this does not happen in the second. This slows down the search, and on a
very large db, makes it exceed the configured 60 seconds timelimit.
A third variant, setting the sizelimit explicitly, avoids the issue:
ldapsearch -s one -E \!pr=100 -z 100 objectclass=\* objectclass => fast
Is this expected behaviour?
Geert
--
geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
Re: rebuilding the DIT
by Timothy Keith
On Thu, Feb 11, 2016 at 4:46 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, February 11, 2016 4:38 PM -0600 Timothy Keith
> <timothy.g.keith(a)gmail.com> wrote:
>
>> I don't know how to fix this. If I could reinitialize the dc=pubsys,
>> dc=com that would be okay too as there are relatively few users to
>> add.
>
>
> It's saying that you're missing a schema file for inetOrgPerson. Schema is
> stored in the config database. I.e., if your slapd is passed an option of
> -F /path/to/configdb then slapadd (and slapcat) should both also be passed
> an option to the same location.
>
> It would generally be impossible for you to be able to create entries in
> openldap that used inetOrgPerson without the schema actually being present.
> So this would indicate that you're not providing the correct options to
> slapadd. You provide virtually no useful information at what you're doing,
> so it becomes rather difficult to do anything but guess at what the causes
> of your issues are.
>
>
> --Quanah
This is the slapadd request:
slapadd -F /etc/openldap/slapd.d -l slapcat_backup.ldif
56bd1acf The first database does not allow slapadd; using the first
available one (2)
56bd1acf bdb_db_open: warning - no DB_CONFIG file found in directory
/var/lib/ldap: (2).
Expect poor performance for suffix "dc=example,dc=com".
slapadd: line 1: database #2 (dc=example,dc=com) not configured to
hold "dc=pubsys,dc=com"; no database configured for that naming
context
_# 5.10% eta none elapsed none spd 2.7 M/s
Closing DB...
Tim
Re: rebuilding the DIT
by Timothy Keith
On Thu, Feb 11, 2016 at 2:30 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Thursday, February 11, 2016 12:29 PM -0800 Quanah Gibson-Mount
> <quanah(a)zimbra.com> wrote:
>
>> --On Thursday, February 11, 2016 2:18 PM -0600 Timothy Keith
>> <timothy.g.keith(a)gmail.com> wrote:
>>
>>> When the slapadd loaded the backup ldif it prints :
>>>
>>> slapadd: dn="uid=tkeith,ou=Group,dc=pubsys,dc=com" (line=55): (65)
>>> unrecognized objectClass 'inetOrgPerson'
>>
>>
>> Sounds like you failed to restore your config database properly.
>
>
> Or, you failed to point slapadd at the actual config database it should be
> using for the import.
>
>
> --Quanah
I don't know how to fix this. If I could reinitialize the dc=pubsys,
dc=com that would be okay too as there are relatively few users to
add.
Tim
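Both failures in this thread, `unrecognized objectClass 'inetOrgPerson'` and `no database configured for that naming context`, can be predicted from the two LDIF files before slapadd touches the database: the config export has to define every objectClass the data uses, and some `olcSuffix` has to contain every DN. The check below is an added example, not part of the thread or of OpenLDAP. The two LDIFs are constructed and abbreviated to the shape of a `slapcat -n 0` config export and a data export (the schema definitions are not the real schema files; the DNs reuse the ones from the thread) and are arranged so that both problems show up.

```python
import base64
import re

# Constructed, abbreviated LDIF in the shape of a "slapcat -n 0" config export. Not the real
# schema files. Nothing here defines inetOrgPerson, and the only suffix is dc=example,dc=com.
CONFIG_LDIF = """\
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
olcObjectClasses: {0}( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcObjectClasses: {0}( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o )
olcObjectClasses: {1}( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou )
olcObjectClasses: {2}( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
  MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST dc )

dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=example,dc=com
"""

# Constructed data export using the DNs from the thread; "description" is base64 to exercise "::".
DATA_LDIF = """\
dn: dc=pubsys,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: pubsys
dc: pubsys

dn: ou=Group,dc=pubsys,dc=com
objectClass: organizationalUnit
ou: Group

dn: uid=tkeith,ou=Group,dc=pubsys,dc=com
objectClass: inetOrgPerson
uid: tkeith
cn: Tim Keith
sn: Keith
description:: VGVzdA==
"""

NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))")  # NAME 'x'  or  NAME ( 'x' 'y' )


def parse_ldif(text):
    """Small LDIF reader: comments, folded lines, base64 (::) values. Not a full RFC 2849
    parser (no changetype records, no URL values). Attribute names are lowercased."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]          # continuation line: strip the single fold space
        else:
            folded.append(raw)
    entries, cur = [], None
    for line in folded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()).decode("utf-8") if value.startswith(":") else value.strip()
        if name.lower() == "dn":
            cur = {"dn": value, "attrs": {}}
        elif cur is not None:
            cur["attrs"].setdefault(name.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def schema_objectclasses(config):
    """Every object class NAME defined anywhere in the exported config, lowercased."""
    names = set()
    for entry in config:
        for definition in entry["attrs"].get("olcobjectclasses", []):
            m = NAME_RE.search(definition)
            if m:
                names.update(n.lower() for n in (m.group(1) or m.group(2)).replace("'", " ").split())
    return names


def configured_suffixes(config):
    return {s.lower() for entry in config for s in entry["attrs"].get("olcsuffix", [])}


def under_suffix(dn, suffixes):
    d = dn.lower()
    return any(d == s or d.endswith("," + s) for s in suffixes)


def preflight(config_ldif, data_ldif):
    """What slapadd would reject: objectClasses the config DB does not define, and entries
    whose DN lies outside every configured suffix."""
    config, data = parse_ldif(config_ldif), parse_ldif(data_ldif)
    known, suffixes = schema_objectclasses(config), configured_suffixes(config)
    unknown, outside = set(), []
    for entry in data:
        unknown.update(oc for oc in entry["attrs"].get("objectclass", []) if oc.lower() not in known)
        if not under_suffix(entry["dn"], suffixes):
            outside.append(entry["dn"])
    return {"unknown_objectclasses": sorted(unknown), "entries_outside_suffix": outside,
            "suffixes": sorted(suffixes)}
```

Take the config export with `slapcat -F /etc/openldap/slapd.d -n 0 -l config.ldif` (database 0 is cn=config) from the same `-F` directory you intend to pass to slapadd, then run `preflight` on that file and the data LDIF. An empty `unknown_objectclasses` and `entries_outside_suffix` means the import will not fail for either of the two reasons seen in this thread; a non-empty result tells you whether it is the schema or the suffix that the config you are pointing slapadd at does not have.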
Re: rebuilding the DIT
by Timothy Keith
On Thu, Feb 11, 2016 at 12:55 PM, Albert Braden <abraden(a)about.com> wrote:
> Do you use IRC? I've had good luck getting help on FreeNode, in #ldap and #openldap
>
> Even there, people will likely ask you to read the documentation so that you can ask intelligent questions. They're helpful, but they don't want to do your work for you. If you haven't already done so, I would read a lot of this site:
>
> http://www.openldap.org/doc/admin24/
>
> For diagnostic purposes, I recommend using ldapsearch and other command-line tools instead of a GUI client. A question likely to receive a helpful response would look something like this:
>
> I'm running OpenLDAP version X on <OS>, and when I run this command:
>
> XXX
>
> I see this error:
>
> YYY
>
> And this appears in slapd.log:
>
> ZZZ
>
> Here's the relevant section of my config:
>
> AAA
>
> -----Original Message-----
> From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Timothy Keith
> Sent: Thursday, February 11, 2016 1:35 PM
> To: openldap-technical(a)openldap.org
> Subject: Re: rebuilding the DIT
>
> On Tue, Feb 9, 2016 at 7:02 PM, Timothy Keith <timothy.g.keith(a)gmail.com> wrote:
>> I used slapcat followed by slapadd. The Perl Net::LDAP sounds useful.
>>
>> Tim
>
>
> Is there a good forum for newbie openldap questions?
>
> I saved another DIT using slapcat, then loaded using slapadd. But,
> that is now returning error code 49 : invalid credentials ( in
> JXplorer ). I'm using the rootpw password that
> is defined in /etc/openldap/ldap.conf
>
> Tim
>
I stopped the service, and then restarted slapd with -d 1 (debug)
and also used -f /etc/openldap/ldap.conf. Now it is accepting
the password for the rootdn (which I have never explicitly changed).
Tim
Re: rebuilding the DIT
by Timothy Keith
I used slapcat followed by slapadd. The Perl Net::LDAP sounds useful.
Tim
Re: make posixGroup auxiliary in 2.4.40
by Chris
Quanah Gibson-Mount wrote:
> --On Tuesday, February 09, 2016 10:42 PM +0100 Chris
> <chris2014(a)postbox.xyz> wrote:
>> Nevertheless, is there a way to use rfc2307bis with dynamic
>> configuration?
>
> Sure. Use slapcat to export your config DB, remove the problem schema, and
> reload with slapadd.
Ok. I thought this wasn't possible, because some attribute types are
marked as builtin in nis.schema:
# builtin
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
#    DESC 'An integer uniquely identifying a group in an administrative domain'
#    EQUALITY integerMatch
#    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
- Chris
ldap client library
by Friedrich Locke
Hi folks!
I need to write a small subset of an LDAP client library. Currently I
need to:
Write a function to encode a bind request
Write a function to decode a bind response
Write a function to encode an entry request (for instance: retrieve all
attributes for entry posixuser uid=sioux,ou=people,dn=x,dn=y)
Write a function to decode an entry search response
Could you point me to which messages in the LDAP RFC I should
implement, as well as the tag values for the ASN.1 objects?
Thanks in advance.