OpenLDAP 2.4.44 under RHEL 7.1
I'm using back-ldap to proxy a back-mdb instance with 1K users. The
relevant part of the proxy configuration is
I'm using slamd for doing performance tests. According to the back-ldap man
page, sessions that explicitly Bind to the back-ldap database always create
their own private connection to the remote LDAP server. The private
connections are closed after the remote LDAP server idletimeout (15 min), but
remain stuck in a CLOSE_WAIT status. Moreover, it seems that the private
connections are not reused for further BIND with the same user since the
available file descriptors (8192) on remote server are quickly exhausted
(only 1K users). Using the parameter
improves the situation (the number of connections open on the remote server
and the proxy are more or less identical), but slapd logs show errors
2016-05-23T11:18:50.100499+02:00 proxy-ldap slapd-proxy_ldap:
conn=1419 op=7201 ldap_back_retry: retrying URI="ldap://
2016-05-23T11:18:50.100542+02:00 proxy-ldap slapd-proxy_ldap:
conn=1419 op=7201 RESULT tag=97 err=52 text=Proxy operation retry failed
The encountered problem seems to be related to ITS#4387 (
and ITS#4420 (
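The two symptoms reported above (sockets to the remote server piling up in CLOSE_WAIT, and bind results ending in err=52 "Proxy operation retry failed") can be watched for mechanically. The script below is an added example, not part of the original post or of OpenLDAP; it parses a constructed `ss -tan` listing and a constructed slapd log excerpt in the same shape as the lines quoted above. The addresses, ports, connection ids and DN are made up, and the CLOSE-WAIT threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample of `ss -tan` output as it might look on the proxy host.
# Addresses and ports are made up; 10.0.0.9:389 stands in for the remote
# server that back-ldap proxies to.
SS_SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:45210       10.0.0.9:389
CLOSE-WAIT 1      0      10.0.0.5:45211       10.0.0.9:389
CLOSE-WAIT 1      0      10.0.0.5:45212       10.0.0.9:389
ESTAB      0      0      10.0.0.5:389         10.0.0.20:51000
CLOSE-WAIT 1      0      10.0.0.5:45213       10.0.0.9:389
"""

# Constructed slapd log excerpt in the same shape as the lines quoted above.
SLAPD_LOG_SAMPLE = """\
2016-05-23T11:18:50.100499+02:00 proxy-ldap slapd-proxy_ldap: conn=1419 op=7201 ldap_back_retry: retrying URI="ldap://remote.example.test" DN="uid=u0001,ou=people,dc=example,dc=test"
2016-05-23T11:18:50.100542+02:00 proxy-ldap slapd-proxy_ldap: conn=1419 op=7201 RESULT tag=97 err=52 text=Proxy operation retry failed
2016-05-23T11:18:51.000000+02:00 proxy-ldap slapd-proxy_ldap: conn=1420 op=1 RESULT tag=97 err=0 text=
2016-05-23T11:18:52.000000+02:00 proxy-ldap slapd-proxy_ldap: conn=1421 op=3 RESULT tag=97 err=52 text=Proxy operation retry failed
"""

RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)"
)
LDAP_UNAVAILABLE = 52  # the err=52 seen in the quoted log; tag=97 is a BindResponse


def socket_states_to_peer(ss_text, peer_port=389):
    """Count TCP states of sockets whose *peer* port is peer_port.

    Only connections the proxy opened towards the remote server are
    counted; inbound client sessions (local port 389) are skipped.
    """
    states = Counter()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, peer = fields[0], fields[4]
        if peer.rsplit(":", 1)[-1] == str(peer_port):
            states[state] += 1
    return states


def retry_failures(log_text, err=LDAP_UNAVAILABLE):
    """Return (count, sorted conn ids) of RESULT lines carrying the given err."""
    conns = set()
    count = 0
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m and int(m.group("err")) == err:
            count += 1
            conns.add(int(m.group("conn")))
    return count, sorted(conns)


def leak_suspected(ss_text, log_text, close_wait_limit=2):
    """Flag the combination described in the post: CLOSE-WAIT sockets to the
    remote server above an (assumed) limit plus bind results failing with
    err=52."""
    states = socket_states_to_peer(ss_text)
    failures, _ = retry_failures(log_text)
    return states["CLOSE-WAIT"] > close_wait_limit and failures > 0


if __name__ == "__main__":
    print(socket_states_to_peer(SS_SAMPLE))
    print(retry_failures(SLAPD_LOG_SAMPLE))
    print("leak suspected:", leak_suspected(SS_SAMPLE, SLAPD_LOG_SAMPLE))
```

On a live proxy the two inputs would come from `ss -tan` and from the slapd syslog file; counting only sockets whose peer port is the remote server's keeps inbound client sessions out of the CLOSE-WAIT figure, which otherwise hides whether the proxy or its clients are the ones leaving connections half-closed.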
I would like to introduce another product/tool that is based on LMDB and might
be useful to some. Enter "LightningObjects", the High Performance embedded C++
Object Storage solution. LO is a template based mapping layer that turns LMDB
(or any other key/value store that can be adapted to the internal abstract
storage API) into a transactional C++ object store. Code is available at
https://github.com/gsvitec/lightning-objects. Currently in alpha state, but used
in a large commercial project already. I look forward to anyone's comments.
I am running into an issue with changing olcPasswordHash to SSHA512,
in cn=config. OpenLDAP appears not to load the pw-sha2 module from
contrib, until after it reads cn=config, causing slaptest to fail.
This looks to have already been reported in ITS 7802, however the
ticket is closed and I don't see any obvious resolution to the issue.
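For anyone checking what an SSHA512 userPassword value from the pw-sha2 module looks like, or verifying existing values while the module-loading problem above is sorted out, here is an added example (not the module's code and not part of the original post). It implements the salted SHA-2 layout the module uses, base64(digest || salt), with an 8-byte random salt; the salt length, the scheme table and the function names are assumptions made for the example. Note that olcPasswordHash only governs how slapd hashes new passwords in the Password Modify extended operation; verifying stored values at bind time still requires the module to be loaded.

```python
import base64
import hashlib
import hmac
import os

# Salted SHA-2 schemes handled by the contrib pw-sha2 module
# (scheme prefix -> hashlib algorithm name). Assumed table for this example.
SALTED_SCHEMES = {
    "{SSHA256}": "sha256",
    "{SSHA384}": "sha384",
    "{SSHA512}": "sha512",
}
SALT_BYTES = 8  # assumed salt length, matching what the module emits


def hash_password(password, scheme="{SSHA512}", salt=None):
    """Produce a userPassword value: scheme prefix + base64(digest || salt)."""
    algo = SALTED_SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password, stored):
    """Check a password against a stored {SSHA256/384/512} value.

    The salt is whatever follows the digest, so values with other salt
    lengths still verify. Comparison is constant-time.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme = stored[: stored.index("}") + 1]
    algo = SALTED_SCHEMES.get(scheme)
    if algo is None:
        return False
    try:
        raw = base64.b64decode(stored[len(scheme):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_len = hashlib.new(algo).digest_size
    if len(raw) <= digest_len:  # needs a full digest plus at least one salt byte
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    value = hash_password("correct horse battery staple")
    print(value)
    print(verify_password("correct horse battery staple", value))
```

The verifier does not trust the prefix alone: a value whose decoded payload is too short for the named digest is rejected rather than compared, and the comparison itself uses hmac.compare_digest so that timing does not depend on where a mismatch occurs.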
Hello everyone, We're migrating our LDAP servers to new RHEL 7. Previously we had RHEL 5.2 and OpenLDAP logging was working just fine with the following config using syslog.
Set up OpenLDAP logging:
root user) mkdir /var/log/openldap
root user) chmod 755 /var/log/openldap
root user) touch /var/log/openldap/openldap.log
root user) vi /etc/syslog.conf
the line "Local6.* /var/log/openldap/openldap.log"
root user) kill -HUP <process ID of syslogd>
The new servers have rsyslog instead of syslog and I did the same procedures in the rsyslog.conf file, set olcloglevel as sync stats, same as in the old server, and restarted rsyslog with systemctl restart rsyslog.service. The openldap.log file is empty. I have tried local4 too with the same result. My rsyslog.conf file looks like this. Can someone please help me with this? Any help is appreciated.
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad immark   # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog
daemon.* /var/log/daemon.log
kern.* /var/log/kern.log
syslog.* /var/log/syslog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

#OpenLDAP logging
local6.* /var/log/openldap/openldap.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

## Nessus/CIS compliance items
## Send everything to Unix syslog host
## Following setting is per Chris Humphrey 6/19/2013
*.err;kern.notice;auth.notice;auth.crit;daemon.notice @siem-unix.abc.com
## Send httpd logs to Apache syslog host - requires additional apache config
daemon.notice @@SIEM-apache.abc.com
auth,user.* /var/log/messages

# A template to for higher precision timestamps + severity logging
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
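When a log file stays empty, the first thing to establish is whether the rule set would route the message at all, or whether it is never reaching rsyslog. The following added example (not part of the original post and not rsyslog code) evaluates legacy-syntax selectors such as "*.info;mail.none" the way rsyslog does, against a constructed excerpt that mirrors the rules above. It lets you ask, offline, which actions a message with a given facility and severity would hit; the facility/severity tables are the standard syslog codes, and the configuration excerpt and function names are constructed for the example.

```python
# Syslog facility and severity codes (standard syslog numbering, as rsyslog uses them).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed excerpt in the same legacy selector syntax as the file above.
SAMPLE_CONF = """\
#### RULES ####
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
mail.*                                   -/var/log/maillog
*.emerg                                  *
#OpenLDAP logging
local6.*                                 /var/log/openldap/openldap.log
*.err;kern.notice;auth.notice;auth.crit;daemon.notice @siem-unix.abc.com
"""


def parse_rules(conf_text):
    """Return (selector, action) pairs, skipping blank lines, comments and $directives."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#$":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1].strip()))
    return rules


def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector such as '*.info;mail.none' for one message.

    Later ';'-separated parts override earlier ones for the facilities they
    name, which is how 'mail.none' carves mail out of '*.info'.
    """
    wanted = {}
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        names = FACILITIES.keys() if facs == "*" else facs.split(",")
        for name in names:
            wanted[name] = prio
    prio = wanted.get(facility)
    if prio is None or prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):  # exactly this severity
        level = SEVERITIES.get(prio[1:])
        return level is not None and SEVERITIES[severity] == level
    level = SEVERITIES.get(prio)  # this severity or more urgent
    return level is not None and SEVERITIES[severity] <= level


def route(conf_text, facility, severity):
    """List the actions a facility.severity message would hit, in file order."""
    return [action for sel, action in parse_rules(conf_text)
            if selector_matches(sel, facility, severity)]


if __name__ == "__main__":
    for fac in ("local6", "local4"):
        print(fac, "info ->", route(SAMPLE_CONF, fac, "info"))
```

If the evaluator shows that local6.info does land on the openldap.log action, the rule set is not the problem and the message is not arriving on that facility: slapd logs to LOCAL4 unless started with the -l option, and the stock rsyslog configuration on RHEL 7 differs from the RHEL 5 syslog setup in how it receives local messages (via journald), so it is worth diffing a carried-over rsyslog.conf against the distribution's default one. A test message pushed with `logger -p local6.info test` separates the two cases quickly.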
I have to modify the schema used by Mac OS X to access LDAP.
What I am trying to do is get slapd to fail starting, but I do not get a
single error message:
May 12 13:08:33 ldap slapd: @(#) $OpenLDAP: slapd 2.4.41 (Aug 27 2015 15:14:47) $ firstname.lastname@example.org:/usr/ports/net/openldap24-server/work/openldap-2.4.41/servers/slapd
May 12 13:08:33 ldap slapd: DIGEST-MD5 common mech free
May 12 13:08:33 ldap slapd: slapd stopped.
May 12 13:08:33 ldap slapd: connections_destroy: nothing to destroy.
May 12 13:08:33 ldap on: /usr/local/etc/rc.d/slapd: WARNING: failed to
I cannot diagnose much out of that; what can I do to get some proper
On Monday I had a major issue, my root CA (for all my encryption)
expired, so my LDAP server number 1 became inaccessible.
I have a server number 2, running from another root certificate, that
did not expire and that was properly replicating from the server
number 1, using:
provider=ldaps://ldap server 1/
retry="60 10 300 +"
But since I updated the root certificate on server 1, I cannot get the
I can still ldapsearch from server 2 to server 1.
In the log of server 1 I see a proper connection, but I don't know how
to further debug the replication.
I use Kerberos/GSSAPI for authentication, and I recently locked down my
ldap servers with "require authc". With Kerberos tickets, I used to be
able to just enter
on the command line. Now I have to do
ldapsearch -Y GSSAPI
I assume this is because ldapsearch has to do a nonauthenticated bind to
find out about the SASL auth mechanisms (by looking for
supportedSASLMechanisms), and that fails now. So it would be great if I
had a way of setting the default SASL auth mechanism on a machine for
all users. However,
tells me that the setting for SASL_MECH is a per user setting only. Is
there any other way to achieve this, or am I doing the wrong thing by
requiring authc? Thanks,