openldap-technical December 2017

openldap-technical@openldap.org

22 participants
22 discussions

Database limit(s)
by Ervin Hegedüs 17 Dec '17

17 Dec '17

Hi there, I'ld like to ask, is there any hard or soft limit in database? I mean, how many object canbe stored in the DB? Or how many children object could under a parent? I've read the docs about the limits ( http://www.openldap.org/doc/admin24/limits.html), but there are only the sizelimit and timelimit (which aren't affected me now). In other words, which parameters do I check before I start to design a database (LDAP/non-LDAP (eg. OS) parameters)? Thanks, a.

2 1

Re: LMBD - If passing NULL to data parameter is legal in mdb_cursor_get()
by Howard Chu 16 Dec '17

16 Dec '17

Kaho Ng wrote: > Hi, > > When reading the documentation of lmdb, I wonder if the behavior in regards > to passing NULL as data parameter to mdb_cursor_get() is subject to changes. No. Unless there's an obvious bug, or the documentation specifically says "subject to change", existing behavior will not change. > When reading the source code of the library, I found that for some of the > operations, if NULL is passed as data parameter EINVAL will be returned, and > for the other operations passing will lead to different behavior > (for instance, MDB_SET). > > I am not sure if the behavior of future versions of lmdb will stay in > line with the > current version. Or is it generally illegal to pass NULL as data parameter? > > Could you give me some hints on that? Thank you. Ask yourself why you would ever pass NULL in each case and what that would mean. This is basic logic. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: slapd segfault in openldap 2.4.45
by Scott Koch 16 Dec '17

16 Dec '17

Correction, my openldap version is 2.4.45(typo'ed in previous post). On Wed, Dec 13, 2017 at 11:23 AM Scott Koch <scottkoch(a)gmail.com> wrote: > This is an RPM of openldap I built from the latest upstream source. This > slapd server is running on RHEL 7.4 x86_64. > > Error message: > 2017-12-13T00:13:34.944152-05:00 ldap1.example.com kernel: slapd[983]: > segfault at 766f6730 ip 00007f0272e2549b sp 00007f02017f55b8 error 4 in > libc-2.17.so[7f0272ce8000+1b8000] > > We have seen 15 or so instances of this issue and in all cases the last > LDAP operations follow the same pattern where there is an ABANDON and > UNBIND, then there is a SRCH operation. See log output below of full > connection for the client that performs the last operation. > > Let me know if there is any other information I can provide to help > troubleshoot this problem. > > Thanks in advance for the help! > -Scott > > 2017-12-13T00:13:03.560693-05:00 ldap1.example.com slapd[26514]: > conn=873638 fd=105 ACCEPT from IP=10.0.4.37:48520 (IP=0.0.0.0:389) > > 2017-12-13T00:13:03.560869-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=0 EXT oid=1.3.6.1.4.1.1466.20037 > > 2017-12-13T00:13:03.561012-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=0 STARTTLS > > 2017-12-13T00:13:03.561211-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=0 RESULT oid= err=0 text= > > 2017-12-13T00:13:03.569367-05:00 ldap1.example.com slapd[26514]: > conn=873638 fd=105 TLS established tls_ssf=256 ssf=256 > > 2017-12-13T00:13:03.569853-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" > > 2017-12-13T00:13:03.570014-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=1 SRCH attr=* altServer namingContexts supportedControl > supportedExtension supportedFeatures supportedLDAPVersion > supportedSASLMechanisms domainControllerFunctionality defaultNamingContext > lastUSN highestCommittedUSN > > 2017-12-13T00:13:03.570215-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= > > 2017-12-13T00:13:03.571953-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 > filter="(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost= > node1713.example.com)(?sudoHost=node1713)(?sudoHost=10.0.4.37)(?sudoHost= > 10.134.0.0/18)(?sudoHost=ffff::ffff:ffff:fff:ffff)(?sudoHost=fe80::/64)(?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))) > <http://10.134.0.0/18)(?sudoHost=ffff::ffff:ffff:fff:ffff)(?sudoHost=fe80::/…> > )" > > 2017-12-13T00:13:03.572214-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=2 SRCH attr=objectClass cn sudoCommand sudoHost sudoUser > sudoOption sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore > sudoNotAfter sudoOrder modifyTimestamp > > 2017-12-13T00:13:03.573488-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= > > 2017-12-13T00:13:34.943439-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=4 ABANDON msg=4 > > 2017-12-13T00:13:34.943694-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 > filter="(&(uid=ntp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))" > > 2017-12-13T00:13:34.943885-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=5 UNBIND > > 2017-12-13T00:13:34.944092-05:00 ldap1.example.com slapd[26514]: > conn=873638 op=3 SRCH attr=objectClass uid userPassword uidNumber gidNumber > gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp > modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning > shadowInactive shadowExpire shadowFlag krbLastPwdChange > krbPasswordExpiration pwdAttribute authorizedService accountExpires > userAccountControl nsAccountLock host loginDisabled loginExpirationTime > loginAllowedTimeMap sshPublicKey mail >

2 1

Re: Database limit(s)
by Howard Chu 16 Dec '17

16 Dec '17

Ervin Hegedüs wrote: > Hi there, > > I'ld like to ask, is there any hard or soft limit in database? No. > I mean, how > many object canbe stored in the DB? Or how many children object could under a > parent? > > I've read the docs about the limits > (http://www.openldap.org/doc/admin24/limits.html), but there are only the > sizelimit and timelimit (which aren't affected me now). > > In other words, which parameters do I check before I start to design a > database (LDAP/non-LDAP (eg. OS) parameters)? > > Thanks, > > > a. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Openldap Password Reset Portal
by Douglas Duckworth 15 Dec '17

15 Dec '17

Hi I am looking for password reset portal where users can reset their credentials. We already have a legacy app written in php but it needs to be retired. I came across PWM which lists a number of schema changes that are required before it can work with openldap. https://github.com/pwm-project/pwm/wiki/General-Directory-Setup I have a few questions: 1) Has anyone used PWM and if so can you describe how stable it operates? I find the documentation lacking though it seems there's not a ton of issues on their Github site. 2) Has anyone found other solutions besides PWM that do the same thing?

3 3

PHP-LDAP added EXOP support with PHP 7.2
by Côme Chilliet 12 Dec '17

12 Dec '17

Hello, Some people on IRC thought this was worth mentioning here. PHP 7.2.0 was released a few weeks ago: https://secure.php.net/archive/2017.php#id2017-11-30-1 It adds support for LDAP EXOP in the ldap module, here are the new functions: https://secure.php.net/manual/en/function.ldap-exop.php https://secure.php.net/manual/en/function.ldap-parse-exop.php https://secure.php.net/manual/en/function.ldap-exop-passwd.php https://secure.php.net/manual/en/function.ldap-exop-whoami.php Note that support for LDAP controls is in the git branch for PHP 7.3. Do not hesitate to have a look and give feedback about this, it’s way easier to change things before first release as PHP have a strong backward compatibility policy. Côme

1 0

ldap_sasl_interactive_bind_s: Can't contact LDAP server
by Turbo Fredriksson 05 Dec '17

05 Dec '17

[I’ve posted this on the OpenStack list as well, but maybe someone here knows more] I’m setting up (Open)LDAP (v2.4.40) on my old Newton installation, with the LDAP servers behind a HAProxy LB. I’m trying to have one at a time enabled to see if I can get them working individually before I try them as a whole/group.. I tried all day yesterday, and I could do the initial connection, but not get any results: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) I see the connection in syslog on the LDAP server, but don’t get any results back. Now, first thing I did this morning was to just run the exact same command (kinit && ldapwhoami) that I did last night. AND IT WORKED!! No idea why! It shouldn’t have. Glad it did, but since I can’t explain WHY it worked, it’s annoying!! :) So I then disabled that (working) LDAP server in the LB member list and enabled the second. And now that is experiencing the same problem as the first yesterday… I didn’t change anything else - last thing I did before I went to bed last night was try the ldapwhoami command -> “can’t contact ldap server”. And the very first thing I did this morning was kdestroy my ticket, get a new one and then run ldapwhoami. I’ve run with multiple types of debugging, but there’s nothing obvious that I can see, either from ‘-d -1’ or with KRB5_TRACE set). So … “something” internally in OS changed. Any suggestions to what or how to debug this? What is ldap_sasl_interactive_bind_s() actually doing? Why does the ldap_bind() earlier seem to work, but not the SASL bind? See http://bayour.com/misc/ldapwhoami_output.txt <http://bayour.com/misc/ldapwhoami_output.txt> for full output from KRB5_TRACE=/dev/stdout ldapwhoami -YGSSAPI -H ldaps://ldap.bayour.net -d -1 and while this is happening, this is the output from slapd in the logs (running with “loglevel sync stats): Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 fd=29 ACCEPT from IP=10.0.17.34:53451 (IP=10.0.17.31:636) Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 fd=29 TLS established tls_ssf=256 ssf=256 Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 op=0 BIND dn="" method=163 Nov 19 12:43:09 admin-auth-ldap-31 slapd[26613]: conn=1013 fd=22 closed (connection lost) With ‘loglevel -1’ (and filtering out 'daemon: epoll: listen|daemon: activity on’ because it ends up filling the screen), I get: Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]: Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]: slap_listener_activate(12): Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]: >>> slap_listener(ldaps://admin-auth-ldap-31.bayour.net:636/) Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]: daemon: listen=12, new connection on 25 Nov 19 12:49:29 admin-auth-ldap-31 slapd[27043]: Nov 19 12:49:33 admin-auth-ldap-31 slapd[27043]: daemon: added 25r (active) listener=(nil) Nov 19 12:49:33 admin-auth-ldap-31 slapd[27043]: conn=1001 fd=25 ACCEPT from IP=10.0.17.34:54740 (IP=10.0.17.31:636) Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: 25r Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25 Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: connection_get(25) Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001 Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001 Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: 25r Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25 Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_get(25) Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001 Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001 Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_read(25): unable to get TLS client DN, error=49 id=1001 Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: conn=1001 fd=25 TLS established tls_ssf=256 ssf=256 Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: 25r Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25 Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: connection_get(25) Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001 Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001 Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: op tag 0x60, time 1511095776 Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: conn=1001 op=0 do_bind Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: >>> dnPrettyNormal: <> Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: <<< dnPrettyNormal: <>, <> Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: conn=1001 op=0 BIND dn="" method=163 Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: do_bind: dn () SASL mech GSSAPI Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: ==> sasl_bind: dn="" mech=GSSAPI datalen=617 Nov 19 12:49:37 admin-auth-ldap-31 slapd[27043]: Nov 19 12:49:54 admin-auth-ldap-31 slapd[27043]: Nov 19 12:49:55 admin-auth-ldap-31 slapd[27043]: Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: 25r Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25 Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_get(25) Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001 Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001 Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: ber_get_next on fd 25 failed errno=0 (Success) Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_read(25): input error=-2 id=1001, closing. Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_closing: readying conn=1001 sd=25 for close Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_close: deferring conn=1001 sd=25 Nov 19 12:50:27 admin-auth-ldap-31 slapd[27043]: Nov 19 12:50:28 admin-auth-ldap-31 slapd[27043]: So nothing obvious that I can see. Which is reasonable, because “eventually” it worked on the previous LDAP server, so can’t be a slapd problem. But I was hoping someone that have tried this on OS or behind a HAProxy setup might be able to shed some light on this. PS. I’ve done the exact same thing at work, in AWS and there it works just fine. So I’m fairly certain it’s something with OS/HAProxy, but I don’t know how to debug that bit..

4 9

Re:ldap_sasl_interactive_bind_s: Can't contact LDAP server
by Quanah Gibson-Mount 05 Dec '17

05 Dec '17

--On Sunday, December 03, 2017 12:44 PM -0800 Bill MacAllister <bill(a)ca-zephyr.org> wrote: > This is not a new problem. I am pretty sure I filed a bug report about > this years ago when I worked at Stanford, but I could not find it. I've filed <https://github.com/cyrusimap/cyrus-sasl/issues/494> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: [LMDB] Large transactions
by Howard Chu 05 Dec '17

05 Dec '17

Jürgen Baier wrote: > Hi, > > I have a question about LMDB (I hope this is the right mailing list for such a > question). > > I'm running a benchmark (which is similar to my intended use case) which does > not behave as I hoped. I store 1 billion key/value pairs in a single LMDB > database. _In a single transaction._ The keys are MD5 hash codes from random > data (16 bytes) and the value is the string "test". > The documentation about mdb_page_spill says (as far as I understand) that this > function is called to prevent MDB_TXN_FULL situations. Does this mean that my > transaction is simply too large to be handled efficiently by LMDB? Yes. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 2

slapd-crash in web directory?
by Dave Horsfall 02 Dec '17

02 Dec '17

Not a problem as such, but I happened to notice this in my Apache log: 164.132.162.164 - - [03/Dec/2017:11:57:00 +1100] "GET /slapd-crash/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)" AhrefsBot, for the uninitiated, is a web spider that tends to ignore such bothersome conventions as "content=noindex" and "robots.txt" etc, but anyway... Is it common practice to store SLAPD coredumps where every man and his dog can retrieve them? Note that I am not suggesting that OpenLDAP does this (but somebody obviously is), but I'm curious to know how widespread this silly practice is. -- Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2017