openldap-technical January 2017

openldap-technical@openldap.org

47 participants
80 discussions

Re: Antw: How to add index for "member" of ldap groups
by Axel Birndt 27 Jan '17

27 Jan '17

Am 27.01.2017 um 08:24 schrieb Ulrich Windl: >>>> Axel Birndt <towerlexa(a)gmx.de> schrieb am 26.01.2017 um 22:17 in Nachricht > <858439a0-ab4f-cea3-f5ea-9b8f3514d08b(a)gmx.de>: >> Hi @All, >> >> i'am currently searching for a possibility to add an index in openldap >> (cn=config backend) for the "member" of groups. >> >> In my log i got the following message: >> >> > 475 admin slapd: <= bdb_equality_candidates: (member) not indexed >> >> I found, that "member" is an attribute from an ldap group. >> >> > # Entry 1: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de >> > dn: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de >> > cn: bind_users >> > member: cn=apachebind,ou=apache_technical,ou=users,dc=company,dc=de >> > member: cn=wordpressbind1,ou=wordpress_bind,ou=users,dc=company,dc=de >> > objectclass: groupOfNames >> > objectclass: top >> >> How could i add an index for this attribute? > > Maybe via LDIF: > dn: olcDatabase={1}hdb,cn=config > changetype: modify > add: olcDbIndex > olcDbIndex: member eq > Hi Ulrich, thanks for your hint! I could solve it with your LDIF snippet! -------------- dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: member eq ------------------ It is running fine: -------------------------- abirndt@admin:~/openldap$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f olcDbIndex_member.ldif [sudo] password for abirndt: SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}hdb,cn=config" --------------------- -- Gruß/Kind regards Axel ------------------------------

1 0

Re: Difference between root and directory manager
by Quanah Gibson-Mount 27 Jan '17

27 Jan '17

--On Thursday, January 26, 2017 5:53 PM +0300 Tamer Ataol <ataoltamer(a)gmail.com> wrote: > > > > Hi, > > Can you explain the difference between root user of openldap and > directory manager? Specifically where do we use the root user and > password in openldap administration? Hi, Your question makes little sense. "root" is a unix user. It may or may not (depending on the slapd configuration) have the ability to directly manipulate data in the LDAP server. That would depend entirely on your configuration. There is no such thing as a specific "directory manager". There /may/ be a rootdn defined for the various databases, that may or may not be identical per database. There may also be access rules that allow other DNs to provide management functions. Without details on your configuration/setup, there's no way to answer your question. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Has anybody benchmarked OpenLDAP as an Object Storage Service?
by Howard Chu 26 Jan '17

26 Jan '17

John Lewis wrote: > I am wondering if anybody has benchmarked OpenLDAP as a generic network object > storage service. I know Networked Key Value Databases are getting more popular > because they seem to scale laterally better. Probably nothing recent. Back in the CORBA days it was probably a frequent event. > Most of the so called NoSQL databases use some kind of JSON over HTTPS network > transport. I like the idea of using something LDAP based because of the IETF > standardized interface lowers the risk of sudden changes to the interface > forcing a program change, kind of like how Microsoft broke Skype calls for > Blog Talk Radio. LDAP isn't a Key/Value database; it could be used as one but there would be a lot of unnecessary overhead - much like using SQL as only a Key/Value database. The value in using LDAP comes from mapping an application's higher level data model onto LDAP entries. Not just individual keys and blob values. > I know Howard Chu has been reporting a lot of awful but true things about > MongoDB over the last couple of years. > https://twitter.com/hyc_symas/status/664197817498509312 > https://twitter.com/hyc_symas/status/740339320645689344 > https://twitter.com/hyc_symas/status/817696625313349632 > > What I would really want to see is some numbers comparing OpenLDAP to > networked key value databases that are in production such as Reddit's two > table Postgres > <https://kev.inburke.com/kevin/reddits-database-has-two-tables/> or Redis or > even HBase from Hadoop. Could probably rig up a YCSB test without too much trouble. Frankly though I've got very low confidence in any java-based benchmark utility. Our experience with java-based SLAMD over the years has shown that it vastly underreports OpenLDAP's performance simply because SLAMD/java are not efficient enough to drive high enough loads at slapd. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Difference between root and directory manager
by Tamer Ataol 26 Jan '17

26 Jan '17

Hi, Can you explain the difference between root user of openldap and directory manager? Specifically where do we use the root user and password in openldap administration? Thanks.

1 0

Has anybody benchmarked OpenLDAP as an Object Storage Service?
by John Lewis 25 Jan '17

25 Jan '17

I am wondering if anybody has benchmarked OpenLDAP as a generic network object storage service. I know Networked Key Value Databases are getting more popular because they seem to scale laterally better. Most of the so called NoSQL databases use some kind of JSON over HTTPS network transport. I like the idea of using something LDAP based because of the IETF standardized interface lowers the risk of sudden changes to the interface forcing a program change, kind of like how Microsoft broke Skype calls for Blog Talk Radio. I know Howard Chu has been reporting a lot of awful but true things about MongoDB over the last couple of years. https://twitter.com/hyc_symas/status/664197817498509312 https://twitter.com/hyc_symas/status/740339320645689344 https://twitter.com/hyc_symas/status/817696625313349632 What I would really want to see is some numbers comparing OpenLDAP to networked key value databases that are in production such as Reddit's two table Postgres <https://kev.inburke.com/kevin/reddits-database-has-two-tables/> or Redis or even HBase from Hadoop.

1 0

RE: BDB Backend: How to force transaction log rotation for log archival based on db_archive
by Reiterer, Horst 25 Jan '17

25 Jan '17

Hi, > Is there a way to force a transaction log rotation to make sure that even changes that do not cause > a new transaction log to be created will get archived at regular intervals? It can be done but the scenario definitely requires code to do so. The internal function __log_newfile can be used to switch to a new log file. After a checkpoint, the old log file will become unused and eligible for archiving. Cheers, Horst

1 0

BDB Backend: How to force transaction log rotation for log archival based on db_archive
by Reiterer, Horst 24 Jan '17

24 Jan '17

Hi, I use OpenLDAP with the Berkeley DB backend and db_archive to move unused transaction logs to a backup location for the purpose of disaster recovery. The intention is to reduce the data loss window to N minutes. Consequently, I execute db_archive every N minutes. If the transaction throughput is high enough so that the maximum transaction log size causes a new transaction log to be created and database checkpoints occur that cause the old log to become unused, that strategy works as expected. If, however, the throughput is minimal, archiving would only occur once the maximum transaction log size is hit and a checkpoint frees the old log. Consequently, those changes cannot be restored because logs are not being archived. Is there a way to force a transaction log rotation to make sure that even changes that do not cause a new transaction log to be created will get archived at regular intervals? By reducing the maximum transaction log size, the situation could be improved but not resolved. All I can come up with is forcing a rotation by writing a custom appropriately sized transaction log entry using the Berkeley DB API DB_ENV->log_put() before triggering a checkpoint and calling db_archive but that still doesn't sound like a production-ready solution. Thanks in advance for any additional info on this subject! Cheers, Horst

1 0

Re: Deleting an user defined object class from openldap 2.4.40
by Quanah Gibson-Mount 24 Jan '17

24 Jan '17

--On Monday, January 23, 2017 4:35 PM +0300 Tamer Ataol <ataoltamer(a)gmail.com> wrote: > Hi, > > I used the below ldif file to add a user defined objectclass in my > openldap 2.4.40 on CentOS 7. Delete support for cn=config will be a part of the OpenLDAP 2.5 release series, as documented. You will need to slapcat your config DB, remove the offending entries, and slapadd it back. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: use proprietary password hash in "userpassword"
by Quanah Gibson-Mount 24 Jan '17

24 Jan '17

--On Tuesday, January 24, 2017 1:28 PM +0100 Meike Stone <meike.stone(a)googlemail.com> wrote: >>> I don't have to recompile the whole openldap, compiling the module is >>> sufficient? >>> >>> (1) we think about a subscription from symas ... >> >> >> Correct. Any distributor (symas included) should include a development >> package that allows the ability to rebuild a module without rebuilding >> everything. >> > > Ah, ok - it works :-D > If I use a own compiled module and I bought a gold subscription, does > Symas still give full support? Hi Meike, Most often the answer is yes. You would need to work out those details in full as part of the contractual process. You would need to recompile your module against the Symas devel package, as some of the internal structs are larger in the Symas OpenLDAP build. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: organizationIdentifier ATTRIBUTE mapping
by Quanah Gibson-Mount 24 Jan '17

24 Jan '17

--On Wednesday, January 18, 2017 10:59 AM +0000 Francesco Sordi <f_sordi_1(a)yahoo.it> wrote: > attributeType ( id-at-organizationIdentifier > NAME 'organizationIdentifier' > DESC 'X520 attribute Organization Identifier' > SUP name > EQUALITY caseIgnoreMatch > SUBSTR caseIgnoreSubstringsMatch SINGLE-VALUE ) > > > But i cannot understand which objectclass can use this attribute and how > to add an object using it. You would need to create a custom objectClass that allows this attribute. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

4 8

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2017