openldap-technical February 2016

openldap-technical@openldap.org

56 participants
68 discussions

Incomplete members from dynlist group when Paged Results control is specified
by Kartik Subbarao 15 Feb '16

15 Feb '16

I'm using Google Apps Directory Sync (GADS) to synchronize group memberships from an OpenLDAP (2.4.41) directory. GADS uses the Paged Results control (1.2.840.113556.1.4.319) to retrieve results in batches of 1000. One of the searches that it does is as follows: base: ou=groups,dc=example,dc=com filter: (mail=*(a)example.com) attributes requested: member owner [and some others] There are more than 1000 groups that match, so it returns the results in batches as expected. Some of these groups are dynlist groups that have memberURL attributes set, which dynamically expand the member attribute when retrieved. For dynlist groups that show up in the first page of results, their members are properly retrieved. But after the first page, the results for dynlist groups only return a subset of the proper membership. As a result, an incomplete membership is being synced to Google for those subsequent groups, and the missing members are causing problems. To rule out GADS from being the root cause of the problem, I ran a standalone perl script to search with the Paged Results control, with the page size set to a small number of entries. Just as with GADS, after the first page of results, the entries started to return fewer members from dynlist groups than should be returned. With a page size of 1, the second dynlist group started to show fewer members (125 vs 127). My guess is that the dynlist code is somehow getting confused by the presence of the Paged Results control in the top-level search, when it does its internal searches to retrieve the individual group memberships. I wanted to ask whether this is enough detail to file an ITS, or whether more information was desired. It could take some more time to put together a generically reproducible LDIF file, so I figured I would post this now in case someone familiar with the dynlist code might recognize this and see how the presence of the Paged Results control might be interfering with its behavior. Thanks, -Kartik

1 1

LDAP log lags in the ldap.log
by Daniel Jung 12 Feb '16

12 Feb '16

based on the timestamp in the ldap.log, it is about 10-15 minutes older than current time. I see a lot of ABANDON msgs which i suspect that there are way too many queries (not ldap connection itself) in a connection. Also, the log shows the constant logs of follwing as well: connection_input: conn=321629 deferring operation: pending operations connection_input: conn=318818 deferring operation: too many executing Looking thru the archive that this is an issue on the client side, and I believe that's true based on the ABANDON msgs on long lasted session ids. I was using logging set to stats, sync . I have changed to none and the symptom of lagging of log timestamp has disappeared and queries are working properly again. My question is, is there a way to safely log stats without hampering performance to the point queries are not returing at all ? I am using openldap-2.4.39 ( yes i should upgrade soon :( ) Thanks

2 1

Member of nested groups of different classes
by Chris 12 Feb '16

12 Feb '16

Dear All, some users are member of a groupOfNames (RFC2307bis Schema). This group is member of a mailGroup (Postfix Schema). This mailGroup is member of another mailGroup. (Nested) membership in this last group defines access rights for an application. My question: is the memberOf overlay able to recursively find all groups one is member of, if they use all the same "member" attribute (memberof.member-ad), but have different structural classes (memberof-group-oc)? Is there a (perl?) script that is able to find all groups one is member-of? - Chris

2 1

Re: rebuilding the DIT
by Timothy Keith 12 Feb '16

12 Feb '16

On Thu, Feb 11, 2016 at 7:05 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > If you want answers, keep your replies on the list. > > Thanks. > > > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc I used this slapcat, I did not specific a config database. slapcat -v -l backup.ldif Tim

3 3

paged results control results in full db search?
by Geert Hendrickx 12 Feb '16

12 Feb '16

Hi, We found an odd issue when using LDAP Admin (www.ldapadmin.org), which by defaults uses the paged results control (RFC 2696) to limit search results. This client initially issues an objectclass=* search with one-level scope to list the first-level objects/trees on the LDAP DIT, which you can then browse/expand by clicking on them. On a large db, we noticed this initial search hits the timelimit, even though the equivalent command line search is instant. I found the difference is in using the paged result control: ldapsearch -s one -E \!pr=100 objectclass=\* objectclass => slow ldapsearch -s one objectclass=\* objectclass => fast The slapd stats+trace logging of each is in attachment. Notice the large number of objects being skipped with "scope not okay" in the first, where this does not happen in the second. This slows down the search, and on a very large db, makes it exceed the configured 60 seconds timelimit. A third variant, setting the sizelimit explicitly, avoids the issue: ldapsearch -s one -E \!pr=100 -z 100 objectclass=\* objectclass => fast Is this expected behaviour? Geert -- geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F This e-mail was composed using 100% recycled spam messages!

1 0

Re: rebuilding the DIT
by Timothy Keith 11 Feb '16

11 Feb '16

On Thu, Feb 11, 2016 at 4:46 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, February 11, 2016 4:38 PM -0600 Timothy Keith > <timothy.g.keith(a)gmail.com> wrote: > >> I don't know how to fix this. If I could reinitialize the dc=pubsys, >> dc=com that would be okay too as there are relatively few users to >> add. > > > It's saying that you're missing a schema file for inetOrgPerson. Schema is > stored in the config database. I.e., if your slapd is passed an option of > -F /path/to/configdb then slapadd (and slapcat) should both also be passed > an option to the same location. > > It would generally be impossible for you to be able to create entries in > openldap that used inetorgPerson without the schema actually being present. > So this would indicate that you're not providing the correct options to > slapadd. You provide virtually no useful information at what you're doing, > so it becomes rather difficult to do anything but guess at what the causes > of your issues are. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc This is the slapadd request : slapadd -F /etc/openldap/slapd.d -l slapcat_backup.ldif 56bd1acf The first database does not allow slapadd; using the first available one (2) 56bd1acf bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2). Expect poor performance for suffix "dc=example,dc=com". slapadd: line 1: database #2 (dc=example,dc=com) not configured to hold "dc=pubsys,dc=com"; no database configured for that naming context _# 5.10% eta none elapsed none spd 2.7 M/s Closing DB... Tim

2 1

Re: rebuilding the DIT
by Timothy Keith 11 Feb '16

11 Feb '16

On Thu, Feb 11, 2016 at 2:30 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, February 11, 2016 12:29 PM -0800 Quanah Gibson-Mount > <quanah(a)zimbra.com> wrote: > >> --On Thursday, February 11, 2016 2:18 PM -0600 Timothy Keith >> <timothy.g.keith(a)gmail.com> wrote: >> >>> When the slapadd loaded the backup ldif it prints : >>> >>> slapadd: dn="uid=tkeith,ou=Group,dc=pubsys,dc=com" (line=55): (65) >>> unrecognized objectClass 'inetOrgPerson' >> >> >> Sounds like you failed to restore your config database properly. > > > Or, you failed to point slapadd at the actual config database it should be > using for the import. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc I don't know how to fix this. If I could reinitialize the dc=pubsys, dc=com that would be okay too as there are relatively few users to add. Tim

2 1

Re: rebuilding the DIT
by Timothy Keith 11 Feb '16

11 Feb '16

On Thu, Feb 11, 2016 at 12:55 PM, Albert Braden <abraden(a)about.com> wrote: > Do you use IRC? I've had good luck getting help on FreeNode, in #ldap and #openldap > > Even there, people will likely ask you to read the documentation so that you can ask intelligent questions. They're helpful, but they don't want to do your work for you. If you haven't already done so, I would read a lot of this site: > > http://www.openldap.org/doc/admin24/ > > For diagnostic purposes, I recommend using ldapsearch and other command-line tools instead of a GUI client. A question likely to receive a helpful response would look something like this: > > I'm running OpenLDAP version X on <OS>, and when I run this command: > > XXX > > I see this error: > > YYY > > And this appears in slapd.log: > > ZZZ > > Here's the relevant section of my config: > > AAA > > -----Original Message----- > From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Timothy Keith > Sent: Thursday, February 11, 2016 1:35 PM > To: openldap-technical(a)openldap.org > Subject: Re: rebuilding the DIT > > On Tue, Feb 9, 2016 at 7:02 PM, Timothy Keith <timothy.g.keith(a)gmail.com> wrote: >> I used slapcat followed by slapadd. The Perl Net::LDAP sounds useful. >> >> Tim > > > Is there a good forum for newbie openlap questions? > > I saved another DIT using slapcat, then loaded using slapadd. But, > that is now returning error code 49 : invalid credentials ( in > JXplorer ). I'm using the rootpw password that > is defined in /etc/openldap/ldap.conf > > Tim > I stopped the service, and then restarted slapd with the -d 1 ( debug ) and also used the -f /etc/openldap/ldap.conf. Now, it is accepting the password for rootdn ( which I have never explicitly changed ) Tim

2 3

Re: rebuilding the DIT
by Timothy Keith 11 Feb '16

11 Feb '16

I used slapcat followed by slapadd. The Perl Net::LDAP sounds useful. Tim

1 1

Re: make posixGroup auxiliary in 2.4.40
by Chris 11 Feb '16

11 Feb '16

Quanah Gibson-Mount wrote: > --On Tuesday, February 09, 2016 10:42 PM +0100 Chris > <chris2014(a)postbox.xyz> wrote: >> Nevertheless, is there a way to use rfc2307bis with dynamic >> configuration? > > Sure. Use slapcat to export your config DB, remove the problem schema, and > reload with slapadd. Ok. I thought this wasn't possible, because some attribute types are marked as builtin in nis.schema: # builtin #attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' # DESC 'An integer uniquely identifying a group in an administrative domain' # EQUALITY integerMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - Chris

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2016