openldap-technical July 2017

openldap-technical@openldap.org

29 participants
73 discussions

Re: Limiting Search Results By Group Membership
by Douglas Duckworth 21 Jul '17

21 Jul '17

Thanks. Yes, very helpful. For the group that lists our accounts I now have full DN dn: cn=admins,ou=group,dc=server,dc=domain objectClass: posixGroup objectClass: top cn: admins memberUid: uid=user,ou=accounts,dc=server,dc=domain slapd.conf: limits group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain" size=unlimited time=unlimited Though I am still hitting the limit. Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Wed, Jul 19, 2017 at 6:25 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Tuesday, July 18, 2017 4:32 PM -0400 Douglas Duckworth > <dod2014(a)med.cornell.edu> wrote: > > ># admins, group, ldap.server > > dn: cn=admins,dc=blah > > objectClass: posixGroup > > objectClass: top > > cn: admins > > memberUid: admin1 > > memberUid: admin2 > > > > Do you have any insight into what could be causing this behavior? I > > have not found the answer yet through extensive searching of the > > internets. > > Hi Douglas, > > The answer lies in the slapd.conf(5) man page, in the description of the > "limits" directive, specifically in this portion: > > "sets the limits for any DN listed in the values of the at attribute" > > memberUID does not contain a DN, therefore it cannot be used. Hope that > helps! > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <https://urldefense.proofpoint.com/v2/url?u=http- > 3A__www.symas.com&d=DwIFaQ&c=lb62iw4YL4RFalcE2hQUQealT9- > RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m= > 91FmzFy5LT0oV9_Olhg0-lXej0TEADB8w4Tft72zqXs&s= > rnsVibsarNFQ1327v29L487KiPFGapoLz4PZ55l7Hsc&e= > > >

1 0

Re: OpenLDAP server sizing
by Quanah Gibson-Mount 21 Jul '17

21 Jul '17

--On Wednesday, July 19, 2017 7:18 PM +0000 "Edgar Sanchez Arenas (edgasanc)" <edgasanc(a)cisco.com> wrote: > > > Hello, > > > > Is there a guide to do server sizing (CPU, memory, HD) for OpenLDAP? Hi Edgar, What database backend technology do you plan on using. Do you know how much disk space your database will consume? How many anticipated clients? Anticipated read & write rate? etc. Generally, if you have slapd-mdb as your backend, then you want your RAM to be greater than the database size for optimal performance. For HD, it's generally recommended to use SSD. CPU's will depend on your anticipated read etc rates. I.e., substantially more information is necessary to really give any solid advice. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Configuring OpenLDAP with a custom schema instead of default schemas
by Jon Smark 20 Jul '17

20 Jul '17

Hi, I'm new to OpenLDAP and I'm finding it hard to perform the initial configuration (a lot of the information I find online seems to pertain only to old versions of OpenLDAP, which used a different configuration system). Anyway, I have defined a schema file with the custom attributes and object classes relevant to my domain. Starting from a fresh installation of OpenLDAP 2.4.42 running on Ubuntu 16.04, I want to configure my Slapd server to *only* consider my schema file and to ignore all the other schemas it's configured to use by default. I thought it would be as simple as removing the old /etc/ldap/slapd.d and replacing it with the output of slaptest applied to my schema file. This doesn't work, unfortunately, because slapd refuses to start afterwords. I apologize if this question seems basic, but I'm stuck on this very first step and I've been unable to find an up-to-date tutorial on how to configure a recent OpenLDAP server from scratch (ie, without all the default schemas). Thanks in advance for your kind help! Regards, Jon

6 6

Re: Limiting Search Results By Group Membership
by Quanah Gibson-Mount 19 Jul '17

19 Jul '17

--On Tuesday, July 18, 2017 4:32 PM -0400 Douglas Duckworth <dod2014(a)med.cornell.edu> wrote: ># admins, group, ldap.server > dn: cn=admins,dc=blah > objectClass: posixGroup > objectClass: top > cn: admins > memberUid: admin1 > memberUid: admin2 > > Do you have any insight into what could be causing this behavior? I > have not found the answer yet through extensive searching of the > internets. Hi Douglas, The answer lies in the slapd.conf(5) man page, in the description of the "limits" directive, specifically in this portion: "sets the limits for any DN listed in the values of the at attribute" memberUID does not contain a DN, therefore it cannot be used. Hope that helps! Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: multi-value attribute rejected
by Quanah Gibson-Mount 19 Jul '17

19 Jul '17

--On Wednesday, July 19, 2017 7:51 PM +0100 Brad <braduk1973(a)gmail.com> wrote: > > > Thanks for the replies Michael and Quanah, appreciated. > > Here's some log output showing the content of one of the failed entries: > > cACertificate;binary: 308204423082032AA00302010202010... > cACertificate;binary: 3082039C30820284A00302010202010... > > Looks like the repeated cACertificate attributes do actually have > different values. May depend on the verification routines for CACertificate binary data. Do the two CA's have the same subject line? I haven't dug into the code yet to see how it does the comparison for these values, so it could be way off base. > (Note: apologies for any duplicate messages, I'm having issues getting my > posts to register with the mailing list) The list is moderated. It may just take a bit for a moderator to approve. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

OpenLDAP server sizing
by Edgar Sanchez Arenas (edgasanc) 19 Jul '17

19 Jul '17

Hello, Is there a guide to do server sizing (CPU, memory, HD) for OpenLDAP? Thank you, Edgar Sanchez

1 0

Limiting Search Results By Group Membership
by Douglas Duckworth 18 Jul '17

18 Jul '17

Hi Everyone, I am building a new LDAP v 2.4 cluster. We do not allow anonymous binds and set "sizelimit 1" for all users except our service account used for binding. limits dn.exact="uid=important,ou=sa,dc=blah" size=unlimited time=unlimited provides the bind account unlimited results. However, for group members, I am still hitting the "sizelimit 1" when trying: limits group/posixGroup/memberUid="cn=admins,dc=blah" size=unlimited time=unlimited Our group entry in LDAP: # admins, group, ldap.server dn: cn=admins,dc=blah objectClass: posixGroup objectClass: top cn: admins memberUid: admin1 memberUid: admin2 >From reading the slapd.conf man page, it seems we're not using the default objectclass "groupOfNames," or attribute "member," however when I use the defaults, or the above which exist in our directory, I still hit "sizelimit 1." Of course using dn.exact for our individual accounts works, though I don't want to touch slapd.conf every time we hire someone. Do you have any insight into what could be causing this behavior? I have not found the answer yet through extensive searching of the internets. Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

1 0

Re: multi-value attribute rejected
by Brad 17 Jul '17

17 Jul '17

Thanks for the replies. Here's some log output showing the content of one of the failed entries: 2017-07-13 12:00:15,864 SEVERE [com.example.ldap.LdapUtils] (113,pool-6-thread-20) Failed to add following properties to uniqueIdentifier=a18d33ebf8ecda02336b1e10d850ba56:- businessCategory: PYCJ7ERc... objectClass: certificateData objectClass: top uniqueIdentifier: a18d33ebf8ecda... cACertificate;binary: 308204423082032AA00302010202010... cACertificate;binary: 3082039C30820284A00302010202010... createDate: 20170713120015+0100 encryptedObject: 00085341414B5... Looks like the repeated cACertificate attributes do actually have different values. On 12 July 2017 at 21:09, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Monday, July 10, 2017 11:11 PM +0100 Brad <braduk1973(a)gmail.com> > wrote: > > The error seems pretty straight forward: > > Caused by: javax.naming.directory.AttributeInUseException: [LDAP: error >> code 20 - cACertificate;binary: value #0 provided more than once]; >> > > I.e., you've provided the exact same value more than once in your write > op. For example, you'd see a similar failure with: > > > dn: <blah> > changetype:modify > add: sn > sn: smith > sn: smith > > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Re: Elliptic Curve support in 2.4 branch
by Howard Chu 14 Jul '17

14 Jul '17

Abdelkader Chelouah wrote: > Elliptic Curve support for OpenSSL was added in master branch 4 years ago > (ITS#7595). Is there any plan to backport EC support for OpenSSL in 2.4 branch ? OpenLDAP 2.4 is feature-frozen. All new features are 2.5 only. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 2

Index Alias Attribute
by Josh Catana 14 Jul '17

14 Jul '17

I've been noticing slapd slow responsive time as my environment has been growing. Running on sles11sp3 openldap2-2.4.26-0.62.2 BDB backend. We heavily rely on aliases to different OUs to manage access to different environments, prod/dev/qa/etc. I know I should probably update the backend, but this isn't what the question is about. Looking at what it's doing it spending a lot of time with bld_idl_union in the BDB backend. Is this because it has to join aliases to actual CNs? Can I index the alias attribute and if I do would it help performance? Thanks.

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2017