openldap-technical April 2017

openldap-technical@openldap.org

27 participants
45 discussions

lmdb
by Patrick Hawley 13 Apr '17

13 Apr '17

I've been puzzled by lmdb's free list use. In some experiments, I've been seeing that it sometimes grabs pages from the end instead of using free list pages. This means that the number of pages used tends to grow until it uses them all. I've tried increasing the map size (to even quite a large value), and ensuring that write transactions are not held open long but that doesn't seem to help. I've tried with subdatabases and without subdatabases. It does appear to increase faster when overflow pages are used, but even without overflow pages the effect occurs. I can see in the code some places where it might choose not to use the free list, but I haven't been able to identify a problem in the code. Wondering whether anyone else has observed this also. The library otherwise looks quite useful and performant. Using lmdb via python (0.92). Thanks. Patrick

1 0

Info Attribute
by Tom Jay 12 Apr '17

12 Apr '17

Hello, I'm trying to add the 'info' attribute to an entry and am getting the following: ldap_modify: Object class violation (65) additional info: attribute 'info' not allowed If you look at the Cosine schema, the info attribute is defined, but with no object class (pilotObject has been commented out). If I try and add the 'top' object class, this is successful, but still prevents me from adding the info attribute. Currently, the only object class assigned to the entry is inetOrgPerson. Has anyone got any idea why this may be the case? Thanks. Tom

2 1

OpenLDAP + MySQL BackEnd
by Alexandre Vilarinho 10 Apr '17

10 Apr '17

Hello all, Recently I've donwload the OpenLDAP 2.4.44 and enable mysql as followed. apt-get install libssl-dev libdb-dev unixodbc-dev time wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.26.tgz tar xvfz openldap-*.tgz cd openldap-* ./configure --enable-sql make depend make make install apt-get install mysql-server libmyodbc # put mysql root password and confirm password that you want mysql -u root -p # put mysql root password CREATE USER 'openldap'@'localhost' IDENTIFIED BY 'yourpassword'; CREATE DATABASE IF NOT EXISTS openldap; GRANT ALL PRIVILEGES ON openldap.* TO 'openldap'@'localhost'; FLUSH PRIVILEGES; exit edit /etc/odbc.ini [openldap] Description = Example for OpenLDAP's back-sql Driver = MySQL Trace = No Database = openldap Servername = localhost UserName = openldap Password = yourpassword ReadOnly = No RowVersioning = No ShowSystemTables = No ShowOidColumn = No FakeOidIndex = No ConnSettings = SOCKET = /var/run/mysqld/mysqld.sock /etc/odbcinst.ini [MySQL] Description = ODBC for MySQL Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc.soo FileUsage = 1 cd servers/slapd/back-sql/rdbms_depend/mysql/ mysql -u openldap -p openldap < backsql_create.sql mysql -u openldap -p openldap < testdb_create.sql mysql -u openldap -p openldap < testdb_data.sql mysql -u openldap -p openldap < testdb_metadata.sql /usr/local/etc/openldap/slapd.conf # $OpenLDAP$ # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/slapd.pid argsfile /usr/local/var/slapd.args ####################################################################### # sql database definitions ####################################################################### database sql suffix "dc=example,dc=com" rootdn "cn=root,dc=example,dc=com" rootpw rootpassword dbname openldap dbuser openldap dbpasswd yourpassword subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)" insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)" has_ldapinfo_dn_ru no When I execute the following command /usr/local/libexec/slapd -d 1 I receive the following information 58eba756 backsql_db_open(): entry deletion SQL statement not specified (use "renentry_stmt" directive in slapd.conf)58eba756 backsql_db_open(): setting "UPDATE ldap_entries SET dn=?,parent=?,keyval=? WHERE id=?" by default58eba756 backsql_db_open(): objclasses deletion SQL statement not specified (use "delobjclasses_stmt" directive in slapd.conf)58eba756 backsql_db_open(): setting "DELETE FROM ldap_entry_objclasses WHERE entry_id=?" by default58eba756 ==>backsql_get_db_conn()58eba756 ==>backsql_open_db_handle()Floating point exception (core dumped) Apparently there is no error. When I execute the following command ldapsearch -x -D cn=root,dc=example,dc=com -w rootpassword -s sub -b "dc=example,dc=com" "(objectClass=*)" I receive the following error root@DNS-TESTE:~# ldapsearch -x -D cn=root,dc=example,dc=com -w teste -s sub -b "dc=example,dc=com" "(objectClass=*)"ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Apparently after the installation of the ldap, the sldap demon wasn't created. I'm doing something wrong? Is there another way to configure LDAP to support MySQL? Regards Alex

2 1

Re: Is there directory schema for storing information on States and Corporations?
by John Lewis 09 Apr '17

09 Apr '17

On Fri, 2017-04-07 at 11:29 +1200, Kevin Buckley wrote: > Apologies for replying out of the thread but I had binned the > original one, and then had the thoughts ! > > If you post my content (assuming you want to reply!), in to the > thread then I'll get to see the thread continue, when that messgae > appears. I'm putting this back on the list. > > John Lewis <oflameo2(a)gmail.com> wrote: > > > I am bouncing around a couple of projects that involve collecting and > > storing information about Corporations and States. > > > > Is there a already existing schema that will kind of fit this data in > > general? Of hand, the closest one I can think of is inetOrgPerson is the > > closest thing, but it is probably a stretch. > > > > The kind of data is going to be like taking the the top of of > > Corporations and State's inetOrgPerson data and stuffing it under one > > tree and bundling public data with it such as contracts a company have with a state on record. > Have you considered using a domain component (dc=,dc=) based tree, > using dot-us as the root, and the two-letter states sub-domains below it > > dc=ca,dc=us > > and then putting your corporation in below that, for example > > o=mycorp,dc=ca,dc=us > > for the Californian content, in which you "pretend" that the > Californian "branch" > of your Corporation actually "owns" the mycorp,ca.us domain name? > > I take the point made by other respondents about not replying on geographical > info, however a number of corporations do make use of country-based domain > names, for operationsin various theatres, so there is a kind of > precedent, within > the dc= approach. That is what I am thinking about doing. I can probably get away with just using an ou because it is not necessarily a new directory/database. Alternatively I could just make the whole thing flat and put an entry in to describe where it is to be filtered later but I think I like the former better.

1 0

Re: OT: Security management/distribution in "The Cloud" (Was: Dogtag CA with OpenLDAP?)
by Howard Chu 08 Apr '17

08 Apr '17

Turbo Fredriksson wrote: > On 28 Mar 2017, at 11:22, Howard Chu <hyc(a)symas.com> wrote: > >> We had a module for OpenLDAP 2.0, way back when. It hasn't been maintained in years. > > Ok, I see :(. What did that do exactly? Name? I've dug it up and gotten it working again. http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2b920eca… Basically it's an overlay that generates certificates for users and servers residing in the directory. A single Search request across the entire directory can trigger generation of certs for every relevant entry. > > > > Sorry for the OT (although it’s _slightly_ relevant to OpenLDAP I guess). > > But how do people handle secrets (key/value, certificates etc) in a cloud > environment? With bare metal, you usually don’t spinup/down machines > that often, so distributing stuff like that is “easy”. But with the cloud and > “resources are cattle, not pets”, how to do that there!? > > This have been racking my brain (and several of my friends and colleagues) > for months now! > > > I’m using OpenLDAP and MIT Kerberos V for users and passwords, but > I’m not sure how I could (if I should) utilise that to keep “secrets”. > > > I’ve looked at Hashicorp Vault, but that’s extremely immature and not any > where near ready a “production” environment (not to mention that it lacks > very important functions etc). > > > Dogtag is apparently good enough (although huge - might not need all that > functionality), but maintaining an additional LDAP/KerberosV setup is seriously > unappealing! > > But what else is there? > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Is there directory schema for storing information on States and Corporations?
by John Lewis 06 Apr '17

06 Apr '17

I am bouncing around a couple of projects that involve collecting and storing information about Corporations and States. Is there a already existing schema that will kind of fit this data in general? Of hand, the closest one I can think of is inetOrgPerson is the closest thing, but it is probably a stretch. The kind of data is going to be like taking the the top of of Corporations and State's inetOrgPerson data and stuffing it under one tree and bundling public data with it such as contracts a company have with a state on record.

2 2

Dogtag CA with OpenLDAP?
by Turbo Fredriksson 06 Apr '17

06 Apr '17

I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page) with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for years). But it’s failing because of: [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA. [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config Dogtag is only (officially) supporting 389ds, but installing (and maintaining!) another LDAP/Krb5 server(s) on the network just seems … “wrong”! :) The code looks like: https://github.com/dogtagpki/pki/blob/DOGTAG_10_2_6_BRANCH/base/server/cms/… Basically, it looks for “nssldap-backend=Domain.TLD-CA” below “cn=mapping tree,cn=config” (which don’t exists in OpenLDAP of course). Is there any “389ds compatibility module” or possibly a DN rewrite hack I could use for this? I’ve never used “389ds” before, so I’m unsure what that object is supposed to look like, or what “cn=mapping tree” is for exactly..

4 5

Re: [Spam]No olcRootPW in olcDatabase=\{0\}config.ldif
by Quanah Gibson-Mount 05 Apr '17

05 Apr '17

--On Monday, April 03, 2017 7:01 PM +0200 huret deffgok <kadafax(a)gmail.com> wrote: > > > Hi Sami, > > Yes there is a olcRootDN (and its password) for the mdb database. But if > I understand correctly the olcRootDN is valid only for its database. > Anyway this olcRootDN and associated password don't work with the config > database. As for the ACL, again but maybe I'm wrong, from the > documentation it seems that the RootDN is always allowed whatever are the > ACLs. And I can't change them neither as I bump in the same problem as > for the login level :( How to access cn=config may vary depending on if you're using vendor provided packages (RH, Debian, etc). As noted in the slapd.conf(5) man page, the default olcRootDN is "cn=config" unless otherwise specified. If you are not using your own build of OpenLDAP, I would advise reading the documentation that came with your specific distribution. Hope that helps. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: slapo-dds and MMR
by Quanah Gibson-Mount 04 Apr '17

04 Apr '17

--On Tuesday, April 04, 2017 4:20 PM +0200 Michael Ströder <michael(a)stroeder.com> wrote: > HI! > > Reading section REPLICATION of slapo-dds(5) makes me wonder whether > somebody already tried to use slapo-dds with multi-master replication of > dynamicObject entries. > > Any thoughts on this? There are some open ITSes I've come across relating to slapo-dds and various issues as I clean up the ITS incoming queue. You might want to look there. ;) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Multiple olcDbIndex for the same attribute
by Quanah Gibson-Mount 04 Apr '17

04 Apr '17

--On Tuesday, April 04, 2017 10:19 AM +0200 "PenguinWhispererThe ." <th3penguinwhisperer(a)gmail.com> wrote: > > > > > Thanks for the response Quanah. > >> I'm not really sure it's the job of the admin guide or the man pages to >> cover all the multitudes of ways in which one can misconfigure the >> server, or what the results of such a misconfiguration will be. > So the above configuration is a misconfiguration? It just might be handy > to have an idea how the indexes work. That might give an idea if this > actually invalid, keeps 2 indexes or doesn't make a difference. > > The openldap server seems to take the ldif so therefor I don't see it as > invalid. If it already exists openldap does throw an error. Question is > if the above has a negative impact on the openldap service. > > I understand man pages and documentation can't cover all. That's why I'm > asking here to perhaps have someone who has internal knowledge about this. Please keep replies on the list. I would say that configuring multiple duplicate indicies for the same attribute is a configuration error. Your example shows "eq" being configured for objectClass twice, once coupled with pres. I would /hope/ that would end up as pres,eq only. What it does end up as, I've no idea. It should be fairly trivial to discover via slapadd and using mdb_stat (if using back-mdb) to see the size of the generated indices in both cases. Then you'd have an exact answer. If the resulting index sub-db is the same for objectClass with either configuration, then the extra "eq" is ignored, etc. I would probably try with something like "sub, eq" rather than "pres, eq" for testing purposes. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2017