openldap-technical February 2017

openldap-technical@openldap.org

34 participants
62 discussions

Long ldap session when ldap server failover
by Huynh Phuoc Tai 24 Feb '17

24 Feb '17

Hi, I have an issue with long ldap session when ldap server failover. [01/Dec/2016:11:34:29 +0100] conn=7187095 op=-1 msgId=-1 - fd=89 slot=89 LDAPS connection from 10.14.97.45:55287 to 113.216.102.167 [01/Dec/2016:11:34:29 +0100] conn=7187095 op=-1 msgId=-1 - SSL 128-bit AES-128; client CN=HRM3; issuer O=E,OU=eOAM,CN=jerarm003NECertCA [01/Dec/2016:11:34:29 +0100] conn=7187095 op=-1 msgId=-1 - SSL failed to map client certificate to LDAP DN (No such object) [01/Dec/2016:11:34:29 +0100] conn=… [View More]

1 0

Re: 2.4.44 + ITS 8432 patch segfault in modify_add_values
by Quanah Gibson-Mount 23 Feb '17

23 Feb '17

--On Friday, February 17, 2017 2:44 PM -0800 "Paul B. Henson" <henson(a)acm.org> wrote: > On Thu, Feb 16, 2017 at 03:53:40PM -0800, Quanah Gibson-Mount wrote: > >> It appears to be crashing while writing the change to the accesslog >> database. It's odd that the value for the attribute is NULL. Do we >> know for sure what the client doing the write op to the server is >> sending? > > The code is in perl, and looks like this: > > $entry->… [View More]

2 1

Re: Valgrind detecting memory leak on 2-way multi master setup on RHEL 6 - openldap 2.4.44
by ping-shin ching 22 Feb '17

22 Feb '17

Regarding this issue - our production servers are getting affected. Any help is greatly appreciated. Is there anything I can try? http://www.openldap.org/lists/openldap-technical/201702/msg00090.html Regards, Ping PS: I've lost some of my emails - so don't have the email chain

2 2

Re: 2.4.44 + ITS 8432 patch segfault in modify_add_values
by Quanah Gibson-Mount 21 Feb '17

21 Feb '17

--On Tuesday, February 21, 2017 1:04 PM +0000 Frank Swasey <Frank.Swasey(a)uvm.edu> wrote: > Years ago, I had code that did that and then I got a version of Net::LDAP > that sent null attributes across the wire. Even back then OpenLDAP was > upset by such behavior. I quickly updated my code to check if (in your > case) @eduPersonAffiliation had zero entries and issue a proper > $entry->delete('eduPersonAffiliation') call in that case. I've not had > any issues … [View More]

2 1

Re: syncrepl skipped entryCSN on openldap-2.4.44 on centos 6
by Quanah Gibson-Mount 21 Feb '17

21 Feb '17

--On Saturday, February 18, 2017 9:57 AM +0800 Daniel Jung <mimianddaniel(a)gmail.com> wrote: >> Do you mean contextCSNs? > No. ContextCSN is up to date. But some entries have old entryCSN compared > to the master. >> >> >>> I haven't been able to track the cause nor see anything in the log to >>> indicate the problem. However, we have had slapd become non-responsive >>> due to IO blocking on logging. Could this cause syncrepl to miss &… [View More]

1 0

Re: syncrepl skipped entryCSN on openldap-2.4.44 on centos 6
by Howard Chu 19 Feb '17

19 Feb '17

Daniel Jung wrote: > Hi Quanah, > > Speaking of logging, is openldap-3 going to support udp based logging? I saw > while back that there is improved? syslog code that we can compile in the src. > I was thinking of just adding udp into that code and test it out. I have no plans to add UDP support. Could be done, but what's the benefit? If you want to add it, feel free to submit a patch. > > > On Feb 18, 2017 09:57, "Daniel Jung" <mimianddaniel(a)gmail.com > <… [View More]

3 2

Re: syncrepl skipped entryCSN on openldap-2.4.44 on centos 6
by Daniel Jung 19 Feb '17

19 Feb '17

On Feb 18, 2017 05:41, "Quanah Gibson-Mount" <quanah(a)symas.com> wrote: > > --On Friday, February 17, 2017 5:46 PM +0800 Daniel Jung < mimianddaniel(a)gmail.com> wrote: > >> >> Hi, >> >> >> I see that some entryCSN have not been synced properly with the >> provider. >> I run multimaster setup and with several slaves and sometimes i see that >> some slaves have old entryCSNs and I am syncing them manually with -c >> … [View More]

1 1

slapo-rwm How to define order that Rewrite Contexts are processed
by Lowrie, Paul, Vodafone NZ 18 Feb '17

18 Feb '17

Hi I've been asked to configure a SLAPD/LDAP proxy with more than one LDAP Back-End. The users log into the LDAP client using their email address and the proxy uses the domain part of their UID to decide which slapd-ldap back-end to authenticate against. I have the proxy working - with two defined slapd-ldap back-ends. It's tested and works with one back-end at a time. I need rwm to process a rewrite of both the searchFilter and searchDN using a key piece of information identified the … [View More]searchFilter to decide the searchDN. Original searchDN = "ou=people,ou=my,dc=proxy,dc=com" Original searchFilter="(&(objectClass=posixAccount)(uid=john(a)domain.one.com))" Rewritten searchDN = "ou=people,ou=domain,dc=one,dc=com" Rewritten searchFilter = "(&(objectClass=posixAccount)(uid=john))" I have: dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmNormalizeMapped: FALSE olcRwmRewrite: {0}rwm-rewriteEngine on # #Unix LDAP authentication requests arrive with these three components: # searchDN: OU=people,DC=my,DC=proxy,DC=com - as defined on the LDAP client # searchFilter: (&(objectClass=posixAccount)(uid=john(a)domain.one.com)) # attributes: userPassword cn gidNumber uidNumber # loginShell objectClass gecos uid homeDirectory # # {1} searchFilter Context: # {2} rewrite john(a)domain.one.com: # Strip @domain.one.com part and set &&target to OU=people,DC=domain,DC=one,DC=com # {3} rewrite jane(a)domain.two.com: # Strip @domain.two.com part and set &&target to OU=people,DC=domain,DC=two,DC=com # {4} searchDN Context: # {5} rewrite OU=people,DC=my,DC=proxy,DC=com the value already defined in &&target # olcRwmRewrite: {1}rwm-rewriteContext SearchFilter # olcRwmRewrite: {2}rwm-rewriteRule "^(.+uid=[^,]+)(a)domain.one.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=one,dc=com\")}$1$2" ":" # olcRwmRewrite: {3}rwm-rewriteRule "^(.+uid=[^,]+)(a)domain.two.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=two,dc=com\")}$1$2" ":" # olcRwmRewrite: {4}rwm-rewriteContext searchDN # olcRwmRewrite: {5}rwm-rewriteRule "OU=people,[ ]?DC=my,[ ]?DC=proxy,[ ]?DC=com " "${**target}" ":" This results in a slapd crash because searchDN wants to use the **target variable, but its not yet defined because the searchFilter Context hasn't been run yet. How do I change the order that the rwm-rewriteContexts are executed so that the context for searcFilter is run first ? Thanks Paul [View Less]

2 1

After few seconds slapd automatically closes connection. Why?
by Saša-Stjepan Bakša 18 Feb '17

18 Feb '17

After successful bind and some search actions my client is still bind to server but as I can see from trace few seconds after successful operation slapd shuts down connection. Why is that happening? Can I prevent it? We have monitoring in our software which find that as server down and lots of logs are generated. 229 1786.027248821 172.17.103.226 -> 10.50.200.191 LDAP 294 searchResEntry(49) "cn=config" 230 1786.027396894 172.17.103.226 -> 10.50.200.191 LDAP 68 searchResDone(49) success … [View More]

2 3

Re: syncrepl skipped entryCSN on openldap-2.4.44 on centos 6
by Quanah Gibson-Mount 17 Feb '17

17 Feb '17

--On Friday, February 17, 2017 5:46 PM +0800 Daniel Jung <mimianddaniel(a)gmail.com> wrote: > > Hi, > > > I see that some entryCSN have not been synced properly with the > provider. > I run multimaster setup and with several slaves and sometimes i see that > some slaves have old entryCSNs and I am syncing them manually with -c > option. Do you mean contextCSNs? > I haven't been able to track the cause nor see anything in the log to > … [View More]

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2017