Re: Limiting Search Results By Group Membership
by Douglas Duckworth
Thanks. Yes, very helpful.
For the group that lists our accounts I now have full DN
dn: cn=admins,ou=group,dc=server,dc=domain
objectClass: posixGroup
objectClass: top
cn: admins
memberUid: uid=user,ou=accounts,dc=server,dc=domain
slapd.conf:
limits group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain"
size=unlimited time=unlimited
Though I am still hitting the limit.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Wed, Jul 19, 2017 at 6:25 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Tuesday, July 18, 2017 4:32 PM -0400 Douglas Duckworth
> <dod2014(a)med.cornell.edu> wrote:
>
> ># admins, group, ldap.server
> > dn: cn=admins,dc=blah
> > objectClass: posixGroup
> > objectClass: top
> > cn: admins
> > memberUid: admin1
> > memberUid: admin2
> >
> > Do you have any insight into what could be causing this behavior? I
> > have not found the answer yet through extensive searching of the
> > internets.
>
> Hi Douglas,
>
> The answer lies in the slapd.conf(5) man page, in the description of the
> "limits" directive, specifically in this portion:
>
> "sets the limits for any DN listed in the values of the at attribute"
>
> memberUID does not contain a DN, therefore it cannot be used. Hope that
> helps!
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
Re: OpenLDAP server sizing
by Quanah Gibson-Mount
--On Wednesday, July 19, 2017 7:18 PM +0000 "Edgar Sanchez Arenas
(edgasanc)" <edgasanc(a)cisco.com> wrote:
>
>
> Hello,
>
>
>
> Is there a guide to do server sizing (CPU, memory, HD) for OpenLDAP?
Hi Edgar,
What database backend technology do you plan on using. Do you know how
much disk space your database will consume? How many anticipated clients?
Anticipated read & write rate? etc.
Generally, if you have slapd-mdb as your backend, then you want your RAM to
be greater than the database size for optimal performance. For HD, it's
generally recommended to use SSD. CPUs will depend on your anticipated
read etc. rates.
I.e., substantially more information is necessary to really give any solid
advice.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Configuring OpenLDAP with a custom schema instead of default schemas
by Jon Smark
Hi,
I'm new to OpenLDAP and I'm finding it hard to perform the initial
configuration (a lot of the information I find online seems to
pertain only to old versions of OpenLDAP, which used a different
configuration system).
Anyway, I have defined a schema file with the custom attributes
and object classes relevant to my domain. Starting from a fresh
installation of OpenLDAP 2.4.42 running on Ubuntu 16.04, I want
to configure my Slapd server to *only* consider my schema file and
to ignore all the other schemas it's configured to use by default.
I thought it would be as simple as removing the old /etc/ldap/slapd.d
and replacing it with the output of slaptest applied to my schema
file. This doesn't work, unfortunately, because slapd refuses to
start afterwards.
I apologize if this question seems basic, but I'm stuck on this very
first step and I've been unable to find an up-to-date tutorial on how
to configure a recent OpenLDAP server from scratch (i.e., without all
the default schemas).
Thanks in advance for your kind help!
Regards,
Jon
Re: Limiting Search Results By Group Membership
by Quanah Gibson-Mount
--On Tuesday, July 18, 2017 4:32 PM -0400 Douglas Duckworth
<dod2014(a)med.cornell.edu> wrote:
># admins, group, ldap.server
> dn: cn=admins,dc=blah
> objectClass: posixGroup
> objectClass: top
> cn: admins
> memberUid: admin1
> memberUid: admin2
>
> Do you have any insight into what could be causing this behavior? I
> have not found the answer yet through extensive searching of the
> internets.
Hi Douglas,
The answer lies in the slapd.conf(5) man page, in the description of the
"limits" directive, specifically in this portion:
"sets the limits for any DN listed in the values of the at attribute"
memberUID does not contain a DN, therefore it cannot be used. Hope that
helps!
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: multi-value attribute rejected
by Quanah Gibson-Mount
--On Wednesday, July 19, 2017 7:51 PM +0100 Brad <braduk1973(a)gmail.com>
wrote:
>
>
> Thanks for the replies Michael and Quanah, appreciated.
>
> Here's some log output showing the content of one of the failed entries:
>
> cACertificate;binary: 308204423082032AA00302010202010...
> cACertificate;binary: 3082039C30820284A00302010202010...
>
> Looks like the repeated cACertificate attributes do actually have
> different values.
May depend on the verification routines for CACertificate binary data. Do
the two CA's have the same subject line? I haven't dug into the code yet
to see how it does the comparison for these values, so it could be way off
base.
> (Note: apologies for any duplicate messages, I'm having issues getting my
> posts to register with the mailing list)
The list is moderated. It may just take a bit for a moderator to approve.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
OpenLDAP server sizing
by Edgar Sanchez Arenas (edgasanc)
Hello,
Is there a guide to do server sizing (CPU, memory, HD) for OpenLDAP?
Thank you,
Edgar Sanchez
Limiting Search Results By Group Membership
by Douglas Duckworth
Hi Everyone,
I am building a new LDAP v 2.4 cluster. We do not allow anonymous binds
and set "sizelimit 1" for all users except our service account used for
binding.
limits dn.exact="uid=important,ou=sa,dc=blah" size=unlimited time=unlimited
provides the bind account unlimited results.
However, for group members, I am still hitting the "sizelimit 1" when
trying:
limits group/posixGroup/memberUid="cn=admins,dc=blah" size=unlimited
time=unlimited
Our group entry in LDAP:
# admins, group, ldap.server
dn: cn=admins,dc=blah
objectClass: posixGroup
objectClass: top
cn: admins
memberUid: admin1
memberUid: admin2
From reading the slapd.conf man page, it seems we're not using the default
objectclass "groupOfNames," or attribute "member," however when I use the
defaults, or the above which exist in our directory, I still hit "sizelimit
1." Of course using dn.exact for our individual accounts works, though I
don't want to touch slapd.conf every time we hire someone.
Do you have any insight into what could be causing this behavior? I have
not found the answer yet through extensive searching of the internets.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
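The thread's answer is that `limits group/<oc>/<at>=<dn>` only works when `<at>` holds DNs, and the follow-up shows that putting a DN string into memberUid does not help either. The reason, not stated in the thread but fixed by RFC 2307, is that memberUid is defined with IA5String syntax, so its values are never treated as DNs no matter what they contain; the standard group classes with DN-valued membership are groupOfNames (member) and groupOfUniqueNames (uniqueMember). The following Python is an added example, not code from the thread or from OpenLDAP: it checks a candidate `limits group/...` directive against a small syntax table (an assumption standing in for the server's real schema), and rewrites the posixGroup entry from the original post into a groupOfNames with one `member` DN per memberUid, assuming the accounts live under a user base you pass in.

```python
"""Check a slapd.conf 'limits group/<oc>/<at>=<dn>' directive and turn a
posixGroup into a groupOfNames that such a directive can match.
Added example; syntax OIDs from RFC 4517, attribute definitions from
RFC 2307 (memberUid) and RFC 4519 (member, uniqueMember, roleOccupant)."""
import re

DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"                # Distinguished Name
NAME_AND_OPTIONAL_UID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.34"
IA5_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"

# Assumption: a short hand-made subset of the standard schema.  A real tool
# would read attribute syntaxes from cn=schema instead of this table.
GROUP_ATTR_SYNTAX = {
    "member": DN_SYNTAX,                            # groupOfNames
    "uniquemember": NAME_AND_OPTIONAL_UID_SYNTAX,   # groupOfUniqueNames
    "roleoccupant": DN_SYNTAX,                      # organizationalRole
    "memberuid": IA5_STRING_SYNTAX,                 # posixGroup
}
DN_VALUED = {DN_SYNTAX, NAME_AND_OPTIONAL_UID_SYNTAX}

LIMITS_RE = re.compile(
    r'^\s*limits\s+group/([^/\s]+)/([^=\s]+)=(?:"([^"]*)"|(\S+))(.*)$', re.I)


def check_group_limits(directive):
    """Return (ok, reason): ok only when <at> is an attribute that holds DNs."""
    m = LIMITS_RE.match(directive)
    if not m:
        return False, "not a 'limits group/<oc>/<at>=<dn>' directive"
    oc, at, dn = m.group(1), m.group(2), m.group(3) or m.group(4)
    syntax = GROUP_ATTR_SYNTAX.get(at.lower())
    if syntax is None:
        return False, f"unknown attribute {at}; add it to the syntax table"
    if syntax not in DN_VALUED:
        return False, (f"{at} has syntax {syntax}, which is not DN-valued, so "
                       f"the bound DN will never be found in {dn} via {oc}/{at}")
    return True, f"{oc}/{at} on {dn} holds DNs"


def parse_ldif_entry(text):
    """Minimal 'attr: value' LDIF reader: returns (dn, {attr_lower: [values]})."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(attr.lower(), []).append(value)
    return dn, attrs


def member_dn(uid, user_base):
    """memberUid normally holds a bare login name (RFC 2307); build the user's
    DN from it.  A value that already is a DN, as in the follow-up post, is kept."""
    return uid if "=" in uid else f"uid={uid},{user_base}"


def posixgroup_to_groupofnames(ldif_text, user_base, new_dn=None):
    """Emit a groupOfNames LDIF entry and the limits directive that matches it."""
    dn, attrs = parse_ldif_entry(ldif_text)
    if "posixgroup" not in [v.lower() for v in attrs.get("objectclass", [])]:
        raise ValueError("entry is not a posixGroup")
    dn = new_dn or dn
    members = [member_dn(u, user_base) for u in attrs.get("memberuid", [])]
    if not members:
        raise ValueError("groupOfNames requires at least one member")
    lines = [f"dn: {dn}", "objectClass: groupOfNames", "objectClass: top",
             f"cn: {attrs['cn'][0]}"] + [f"member: {m}" for m in members]
    directive = f'limits group/groupOfNames/member="{dn}" size=unlimited time=unlimited'
    return "\n".join(lines) + "\n", directive


# The group entry from the original post (user base "ou=sa,dc=blah" is assumed).
SAMPLE_POSIX_GROUP = """# admins, group, ldap.server
dn: cn=admins,dc=blah
objectClass: posixGroup
objectClass: top
cn: admins
memberUid: admin1
memberUid: admin2
"""

if __name__ == "__main__":
    print(check_group_limits(
        'limits group/posixGroup/memberUid="cn=admins,dc=blah" size=unlimited time=unlimited'))
    ldif, directive = posixgroup_to_groupofnames(SAMPLE_POSIX_GROUP, "ou=sa,dc=blah")
    print(ldif)
    print(directive)
```

The converted entry can be loaded with ldapadd alongside the existing posixGroup (NSS lookups keep using memberUid), and the printed directive is the one to put in slapd.conf; new hires then only need a `member` value added to the group, not a new `limits dn.exact=` line.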
Re: multi-value attribute rejected
by Brad
Thanks for the replies.
Here's some log output showing the content of one of the failed entries:
2017-07-13 12:00:15,864 SEVERE [com.example.ldap.LdapUtils]
(113,pool-6-thread-20) Failed to add following properties to
uniqueIdentifier=a18d33ebf8ecda02336b1e10d850ba56:-
businessCategory: PYCJ7ERc...
objectClass: certificateData
objectClass: top
uniqueIdentifier: a18d33ebf8ecda...
cACertificate;binary: 308204423082032AA00302010202010...
cACertificate;binary: 3082039C30820284A00302010202010...
createDate: 20170713120015+0100
encryptedObject: 00085341414B5...
Looks like the repeated cACertificate attributes do actually have different
values.
On 12 July 2017 at 21:09, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
> --On Monday, July 10, 2017 11:11 PM +0100 Brad <braduk1973(a)gmail.com>
> wrote:
>
> The error seems pretty straightforward:
>
> Caused by: javax.naming.directory.AttributeInUseException: [LDAP: error
>> code 20 - cACertificate;binary: value #0 provided more than once];
>>
>
> I.e., you've provided the exact same value more than once in your write
> op. For example, you'd see a similar failure with:
>
>
> dn: <blah>
> changetype:modify
> add: sn
> sn: smith
> sn: smith
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
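Both "multi-value attribute rejected" posts above turn on result code 20 (attributeOrValueExists): slapd refuses an add or modify that lists the same value of one attribute twice, as in Quanah's `sn: smith` example. The log in Brad's post shows only the first bytes of each cACertificate;binary value, so it cannot by itself prove the two values differ. The Python below is an added example, not from the thread or from the poster's Java application: it pre-flights an LDIF entry for duplicate values before the write is sent, comparing `;binary` and other octet-valued attributes byte for byte and approximating caseIgnoreMatch for the rest (an assumption; the exact equality rule comes from the schema), and it reads the outer DER length out of a truncated hex dump so two certificate values can be told apart from exactly the prefix a log line gives. The LDIF is constructed sample input; its base64 values are the first eight bytes from the log, not whole certificates.

```python
"""Pre-flight an LDIF entry for duplicate attribute values, the condition
slapd reports as result 20 / "value #0 provided more than once".
Added example, not from the thread."""
import base64
import re

# Attributes compared as raw octets.  Everything else is approximated with
# caseIgnoreMatch semantics (case-folded, whitespace runs collapsed), which is
# what slapd applies to sn, cn and most directory-string attributes.
# Assumption: a real tool would take the equality rule from the schema.
OCTET_ATTRS = {"cacertificate", "usercertificate", "userpassword", "encryptedobject"}


def parse_ldif_entry(text):
    """Return (dn, [(attr_description, raw_text, value_bytes), ...]).
    Handles 'attr: text' and 'attr:: base64'; skips comments and changetype."""
    dn, values = None, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if attr.lower() == "dn":
            dn = rest.strip()
            continue
        if attr.lower() == "changetype":
            continue
        if rest.startswith(":"):                 # attr:: base64 form
            raw = rest[1:].strip()
            value = base64.b64decode(raw)
        else:
            raw = rest.strip()
            value = raw.encode("utf-8")
        values.append((attr, raw, value))
    return dn, values


def normalize(attr_desc, value):
    """Canonical form of a value for equality, per the rules described above."""
    base = attr_desc.split(";")[0].lower()
    if ";binary" in attr_desc.lower() or base in OCTET_ATTRS:
        return value
    return re.sub(rb"\s+", b" ", value.strip()).lower()


def find_duplicate_values(text):
    """Map each attribute (spelled as first written) to the values it lists
    more than once, i.e. the values slapd would reject with result 20."""
    _, values = parse_ldif_entry(text)
    seen, dups = {}, {}
    for attr, raw, value in values:
        key = (attr.lower(), normalize(attr, value))
        if key in seen:
            first_attr, first_raw = seen[key]
            bucket = dups.setdefault(first_attr, [])
            if first_raw not in bucket:
                bucket.append(first_raw)
        else:
            seen[key] = (attr, raw)
    return dups


def der_outer_length(hex_prefix):
    """Length of the outermost DER element from the leading bytes of a hex dump
    (short and long length forms).  An odd trailing nibble is dropped, so the
    truncated strings from the log can be passed as they appear."""
    data = bytes.fromhex(hex_prefix[: len(hex_prefix) // 2 * 2])
    first = data[1]
    if first < 0x80:
        return first
    n = first & 0x7F
    return int.from_bytes(data[2:2 + n], "big")


# Constructed sample: Quanah's duplicate sn, plus three certificate values of
# which the first and third are identical (values are 8-byte stubs, not certs).
SAMPLE_LDIF = """dn: uniqueIdentifier=example,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
sn: smith
sn: Smith
cACertificate;binary:: MIIEQjCCAyo=
cACertificate;binary:: MIIDnDCCAoQ=
cACertificate;binary:: MIIEQjCCAyo=
"""

if __name__ == "__main__":
    print(find_duplicate_values(SAMPLE_LDIF))
    for prefix in ("308204423082032AA00302010202010", "3082039C30820284A00302010202010"):
        print(prefix[:8], "outer SEQUENCE length", der_outer_length(prefix))
```

Run against the two prefixes in Brad's log, `der_outer_length` gives 1090 and 924 bytes, so the two certificates really are different objects and a duplicate-value rejection for that entry would have to come from a third copy of one of them, which a pre-flight check like `find_duplicate_values` on the outgoing entry would show directly.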
Index Alias Attribute
by Josh Catana
I've been noticing slapd slow responsive time as my environment has been
growing.
Running on sles11sp3 openldap2-2.4.26-0.62.2
BDB backend.
We heavily rely on aliases to different OUs to manage access to different
environments, prod/dev/qa/etc.
I know I should probably update the backend, but this isn't what the
question is about.
Looking at what it's doing it spending a lot of time with bld_idl_union in
the BDB backend.
Is this because it has to join aliases to actual CNs?
Can I index the alias attribute and if I do would it help performance?
Thanks.