openldap-technical March 2017

openldap-technical@openldap.org

33 participants
56 discussions

"Dynamic" authentication passthrough?
by Curtiss Howard 31 Mar '17

31 Mar '17

Hi, I've got two Active Directory servers that are being proxied through OpenLDAP and their respective trees are being merged into one. So far, so good. Now I want to allow users to bind to the OpenLDAP server and pass the authentication through to the appropriate AD and let it do the password checking. I see a lot of documentation on using SASL for passthrough, but where I'm stuck is that this requires every user to have an account in the OpenLDAP server in order to see if the userPassword attribute is specially formatted. In my case, this isn't really a palatable solution because I'm using the OpenLDAP server with the meta backend and using it as a "live view" into the data contained in the ADs. Other applications can talk directly to the ADs and in order to do the SASL approach there'd have to be some syncing from the ADs to the OpenLDAP server every time a user is created/deleted. I would think that surely there must be some way to pass through the authentication in a more obvious manner -- i.e., if the user doesn't exist locally, try to bind against each proxied server in succession. But I can't seem to find a way to do this, all references point to the SASL approach. Is there a way to do this? Thanks in advance.

2 1

Multiple olcDbIndex for the same attribute
by PenguinWhispererThe . 31 Mar '17

31 Mar '17

Hello, I'm wondering what happens when you add multiple indexes for the same attribute with the same keyword occuring in each of them but with a different set. So for example: olcDbIndex: objectClass pres,eq olcDbIndex: objectClass eq Is this the same as if you'd only have: olcDbIndex: objectClass pres,eq ? Or does it really make a difference? I've checked http://www.openldap.org/doc/admin24/slapdconf2.html but I couldn't find an answer to this. Thanks in advance!

1 0

Re: Import data from hdb to bdb
by Jai Bheemsen Rao Dhanwada 30 Mar '17

30 Mar '17

Hello Quanah, Thanks for the Info. this helps :) On Thu, Mar 30, 2017 at 2:48 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Thursday, March 30, 2017 3:38 PM -0700 Jai Bheemsen Rao Dhanwada < > jaibheemsen(a)gmail.com> wrote: > > >> Hello, >> >> >> We have N way master openldap replication with hdb backend for the data. >> Now we would like to slapcat the data from this cluster and slapadd to >> another cluster which is backed by bdb. >> > > Both back-hdb and back-bdb (which both use BDB underneath) are deprecated > backends. You should not be using either one. Instead, examine migrating > to back-mdb, which is backed by LMDB: <https://en.wikipedia.org/wiki > /Lightning_Memory-Mapped_Database> > > Regardless, LDIF exports are usable regardless of backend (bdb, hdb, mdb). > The "DIF" stands for "Data Interchange Format". You might be best served > by first learning more about LDIF: <https://en.wikipedia.org/wiki > /LDAP_Data_Interchange_Format> > > --Quanah > > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Re: Import data from hdb to bdb
by Quanah Gibson-Mount 30 Mar '17

30 Mar '17

--On Thursday, March 30, 2017 3:38 PM -0700 Jai Bheemsen Rao Dhanwada <jaibheemsen(a)gmail.com> wrote: > > Hello, > > > We have N way master openldap replication with hdb backend for the data. > Now we would like to slapcat the data from this cluster and slapadd to > another cluster which is backed by bdb. Both back-hdb and back-bdb (which both use BDB underneath) are deprecated backends. You should not be using either one. Instead, examine migrating to back-mdb, which is backed by LMDB: <https://en.wikipedia.org/wiki/Lightning_Memory-Mapped_Database> Regardless, LDIF exports are usable regardless of backend (bdb, hdb, mdb). The "DIF" stands for "Data Interchange Format". You might be best served by first learning more about LDIF: <https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Import data from hdb to bdb
by Jai Bheemsen Rao Dhanwada 30 Mar '17

30 Mar '17

Hello, We have N way master openldap replication with hdb backend for the data. Now we would like to slapcat the data from this cluster and slapadd to another cluster which is backed by bdb. Any idea does this work as I am trying to slapcat from hdb and slapadd to bdb? if anyone has done this, please share some details.

1 0

Parallel traversal
by Gabriel Tanase 30 Mar '17

30 Mar '17

Assuming I have an LMDB database: to traverse all data in a table I open a cursor and go over each element in a loop using MDB_NEXT or MDB_NEXT_DUP : :mdb_cursor_get (cur, &_entry.first, &_entry.second, MDB_NEXT_DUP); How can one traverse the data in an LMDB table using multiple threads for a faster overall traversal? I am assuming a read only transaction and I would like each thread to work on distinct entries; Like if there are 100 [key, value] and I use 4 threads, thread zero will work on first 25 elements, thread one will work on the next 25 and so on. 25 doesn't have to be exactly 25 but ideally the partitioned should be balanced. A simple solution I designed is to read all keys into a vector first and then subsequently parallelize with each thread working on a subset of key from this vector. Each thread will traverse a subset of keys, and for each key we find the corresponding [key, value] and work on the value. Is there an alternative ? Thx, Gabriel

1 0

Re: LDAP Replication settings
by Quanah Gibson-Mount 29 Mar '17

29 Mar '17

--On Wednesday, March 29, 2017 7:39 PM +0200 Ondřej Kuzník <ondra(a)mistotebe.net> wrote: > On the other hand, AFAIK syncprov knows what clients are in the > persistent search state at any moment, so it might be able to export > that under cn=monitor. Not that anyone has implemented this monitoring > yet or even sure how useful that would be... Yes, but you can pull that information out of syslog if you have stats logging enabled. But I think (hard to know for sure) they are asking for a way to know /all/ possibly replicas (currently connected or not). You used to be able to do that with slurpd back in OpenLDAP 2.3 and prior. Simply not possible with syncrepl if it's not set up using back-ldap to push out to the clients. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: LDAP Replication settings
by Quanah Gibson-Mount 29 Mar '17

29 Mar '17

--On Tuesday, March 28, 2017 5:39 PM -0700 Jai Bheemsen Rao Dhanwada <jaibheemsen(a)gmail.com> wrote: > > I am using OLC configuration for LDAP setup > > > On Tue, Mar 28, 2017 at 4:21 PM, Jai Bheemsen Rao Dhanwada > <jaibheemsen(a)gmail.com> wrote: > > > Hello, > > > I have multi master replication with 4 LDAP servers. Is there a > ldapsearch query to get all the replica servers? Not quite sure what you mean by your question. Since replication configuration is most often done on the client (replica) side, the master doesn't have any knowledge you can query about what its replicas are. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: SV: 100.000 pr. second: "connection_read(64): no connection" from slapd
by Quanah Gibson-Mount 29 Mar '17

29 Mar '17

--On Wednesday, March 29, 2017 3:37 PM +0000 Ole Nomann Thomsen <ole.nomann(a)stil.dk> wrote: > [Side note, do I answer this directly to you, or to the list? I choose > directly for now ] The list. > Thanks for your answer > > I use -d because I run slapd under deamontools > (https://cr.yp.to/daemontools/faq/create.html) and multilog > (https://cr.yp.to/daemontools/multilog.html) that are both suited for > servers that run in the foreground. So the "not in the background" thing > is intentional. I realize that I might be misusing the -d facility > somewhat, but it has been working fine until now. Reworking the setup to > use backgrounding and syslog is really not an option at this time. > > I use bdb backend database. I'd strongly advise not using back-bdb. > I agree that I have lots of clients that disconnect without closing. > Could this somehow provoke the error? It seems to be cycling in this > line: > > /* get (locked) connection */ > c = connection_get( s ); > > if( c == NULL ) { > Debug( LDAP_DEBUG_ANY, > "connection_read(%ld): no connection!\n", > (long) s, 0, 0 ); > > return -1; > } > > > > > 2017-03-06 13:56:23.140091500 58bd5c77 connection_read(64): no connection! > 2017-03-06 13:56:23.140093500 58bd5c77 connection_read(64): no connection! > 2017-03-06 13:56:23.140095500 58bd5c77 connection_read(64): no connection! > 2017-03-06 13:56:23.140097500 58bd5c77 connection_read(64): no connection! > > Once in every 2 microseconds - that suggest som kind of unintended loop > to me. No, you simply have clients that have disconnected before slapd could finish sending them results. Given that you clearly have broken clients, I'd suggest you see about setting the (olc)writetimeout parameter documented in slapd.conf(5)/slapd-config(5) and see if it alleviates the issue you are facing. --Quanah > Regards > Ole Nomann Thomsen > Seniorkonsulent > > Undervisningsministeriet > Styrelsen for It og Læring > Center for Digitale Overgange og it-styring > > Telefon: 3587 8889 > Direkte: +45 35 87 85 35 > > ole.nomann(a)stil.dk > www.stil.dk > > > >> -----Oprindelig meddelelse----- >> Fra: Quanah Gibson-Mount [mailto:quanah@symas.com] >> Sendt: 23. marts 2017 19:42 >> Til: Ole Nomann Thomsen; 'openldap-technical(a)openldap.org' >> Emne: Re: 100.000 pr. second: "connection_read(64): no connection" from >> slapd >> >> --On Thursday, March 23, 2017 2:37 PM +0000 Ole Nomann Thomsen >> <ole.nomann(a)stil.dk> wrote: >> >> > >> > >> > Hi all, >> > >> > >> > >> > my slapd (@(#) $OpenLDAP: slapd 2.4.44 (Feb 9 2017 13:38:13) $) has >> > developed a tendency to become unresponsive for 10-30 minutes at a >> time. >> > >> > I run it with -dStats,Sync which gets me a fair amount of debugging >> > info. This I pipe thru multilog to get the timestamps below. >> >> Why are you using -d? This prevents slapd from forking. It is better to >> set the loglevel to be stats+sync, and push out data to syslog. >> >> > 2017-03-10 14:39:08.686058500 58c2ac7c slapd shutdown: waiting for >> > 3643059 operations/tasks to finish >> >> You need to determine why tasks are not finishing and instead are >> remaining unfinished. What databse backend are you using? I would note >> that it would appear that you have clients disconnecting w/o waiting for >> the server to respond (thus the no connection messages). >> >> --Quanah >> >> -- >> >> Quanah Gibson-Mount >> Product Architect >> Symas Corporation >> Packaged, certified, and supported LDAP solutions powered by OpenLDAP: >> <http://www.symas.com> > -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

LDAP Replication settings
by Jai Bheemsen Rao Dhanwada 28 Mar '17

28 Mar '17

Hello, I have multi master replication with 4 LDAP servers. Is there a ldapsearch query to get all the replica servers? I am using LDAP 2.4.43

1 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2017