openldap-technical July 2017

openldap-technical@openldap.org

29 participants
73 discussions

Re: Openldap freeze after sometime
by Quanah Gibson-Mount 13 Jul '17

13 Jul '17

--On Thursday, July 13, 2017 12:28 PM +0000 scn_73(a)yahoo.com wrote: > > > Hi all, > > > Openldap freeze after sometime it's restart. Ldasearch queries keep > hanging with no result. OpenLDAP version? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Index Alias Attribute
by Quanah Gibson-Mount 13 Jul '17

13 Jul '17

--On Thursday, July 13, 2017 11:35 AM -0400 Josh Catana <jcatana(a)gmail.com> wrote: > Running on sles11sp3 openldap2-2.4.26-0.62.2 > BDB backend. Hm: OpenLDAP 2.4.26 Release (2011/06/30) OpenLDAP 2.4.45 Release (2017/06/01) Getting a bit crufty there. ;) > We heavily rely on aliases to different OUs to manage access to different > environments, prod/dev/qa/etc. Expand on what you mean by aliases, please. In general, using aliases in LDAP is a bad idea. > I know I should probably update the backend, but this isn't what the > question is about. back-mdb is awful with aliases (See <http://www.openldap.org/its/index.cgi/?findid=7657>), so I'm not sure changing backends would help. You may be hitting <http://www.openldap.org/its/index.cgi/?findid=7743>, there was no further follow up on it. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Stopping pagination
by Côme Chilliet 13 Jul '17

13 Jul '17

Hello, Once a pagination server controls is set with ldap_set_option, it seems impossible to cancel pagination by sending a pagination control with 0 as pagesize. What I mean is calling ldap_set_option to set a pagination control (let’s say page size is 4), then starting a search, then calling ldap_set_option to set the pagination control with page size of 0 (and with the cookie returned by the search) Then trying to start new search will return 0 entries. From what I understood in https://www.ietf.org/rfc/rfc2696.txt I thought a page size of 0 would disable pagination but it does not seem to work. Am I missing something? Côme

2 3

Openldap freeze after sometime
by scn_73＠yahoo.com 13 Jul '17

13 Jul '17

Hi all, Openldap freeze after sometime it's restart. Ldasearch queries keep hanging with no result. Earlier this use to be because of ocks max reached. Now i see they are fine but i doubt on Lock requests not available due to conflicts. Please support me to find out the cause. slapd_db_stat -c -h . 91 Last allocated locker ID 0x7fffffff Current maximum unused locker ID 9 Number of lock modes 8000 Maximum number of locks possible 1500 Maximum number of lockers possible 12500 Maximum number of lock objects possible 21 Number of current locks 26 Maximum number of locks at any one time 91 Number of current lockers 91 Maximum number of lockers at any one time 17 Number of current lock objects 26 Maximum number of lock objects at any one time 15M Total number of locks requested (15273903) 15M Total number of locks released (15025934) 0 Total number of locks upgraded 5 Total number of locks downgraded 166706 Lock requests not available due to conflicts, for which we waited 247948 Lock requests not available due to conflicts, for which we did not wait 0 Number of deadlocks 0 Lock timeout value 0 Number of locks that have timed out 0 Transaction timeout value 0 Number of transactions that have timed out 3MB 752KB The size of the lock region 3385698 The number of region locks that required waiting (15%) - Sachin

1 0

Re: LMDB persistent snapshots
by Howard Chu 12 Jul '17

12 Jul '17

Michael Conrad wrote: > On 07/10/2017 03:28 PM, Howard Chu wrote: >> Michael Conrad wrote: >>> On 07/10/2017 12:16 PM, Howard Chu wrote: >>>> Michael Conrad wrote: >>>>> Hi, I'm scoping out my options for databases that support snapshotting. >>>>> From what I've read so far, this is a natural feature of LMDB, >>>> >>>> Not really. The persistent state only records the 2 most recent transactions. >>> >>> Hm, well so much for that idea ;-) But could you clarify what would >>> happen in a scenario like: >>> >>> Proc1: Begin Read Transaction t1 >>> Proc2: Write Transaction t2 >>> Proc2: Write transaction t3 >>> Proc3: Begin Read Transaction t4 >>> Proc2: Write Transaction t5 >>> Proc2: Write Transaction t6 >>> >>> After those steps, are process 1 and process 3 still able to continue >>> reading their data, and is all the data they see consistent with the state >>> of the database at the time they began the transaction? >> >> Yes. They each retain an in-memory copy of the DB metadata at the start of >> their transaction, and none of the pages they require can be reused by any >> write transactions. >> > > So, if I found a way to serialize the metadata being held by the transaction, > and maintain the lock on the pages, then in theory I could re-load the > transaction later to see the historic state? You would need to keep process 1 and process 3 alive, to maintain their locks. > And the downside to attempting > this would be that (assuming an idle database at the start of the read > transaction) *no* pages would get garbage collected at all for a long as the > lock was held? Correct. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: multi-value attribute rejected
by Quanah Gibson-Mount 12 Jul '17

12 Jul '17

--On Monday, July 10, 2017 11:11 PM +0100 Brad <braduk1973(a)gmail.com> wrote: The error seems pretty straight forward: > Caused by: javax.naming.directory.AttributeInUseException: [LDAP: error > code 20 - cACertificate;binary: value #0 provided more than once]; I.e., you've provided the exact same value more than once in your write op. For example, you'd see a similar failure with: dn: <blah> changetype:modify add: sn sn: smith sn: smith --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

multi-value attribute rejected
by Brad 12 Jul '17

12 Jul '17

Hi all, I'm testing some Java software which stores certificates in LDAP. Previously it has used OpenDJ/OpenDS for LDAP storage but we now have a requirement to run with OpenLDAP in Docker. Everything is working apart from a certificate import which attempts to create an LDAP entry with a repeating attribute. Here's the Java stack trace: Caused by: javax.naming.directory.AttributeInUseException: [LDAP: error code 20 - cACertificate;binary: value #0 provided more than once]; remaining name 'uniqueIdentifier=20d743cf8f62c4186365107d61d65db3' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3120) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx .java:3082) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx .java:2888) at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:423) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_bind( ComponentDirContext.java:299) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind( PartialCompositeDirContext.java:217) We have some other certificates which are imported without error but those only have a single "cACertificate" attribute. As I understand it, the default cardinality for attributes in OpenLDAP is MULTI-VALUE. I've checked the schema and it's not being specified as SINGLE-VALUE so I'm a bit confused as to why it's being rejected. If I could get some advice on possible causes & solutions that would be very much appreciated. I've done lots of googling and searched the list archives but so far nothing I've found seems relevant to the issue I'm seeing. Thanks, Brad.

2 1

Re: [EXTERNAL] Re: back-ldap and ldaps not working
by Quanah Gibson-Mount 12 Jul '17

12 Jul '17

--On Wednesday, July 12, 2017 12:04 PM -0700 Ryan Tandy <ryan(a)nardis.ca> wrote: > On Wed, Jul 12, 2017 at 05:57:51PM +0000, Jon C Kidder wrote: >> I then see an fopen for this file >> /appl/openldap/etc/openldap/tls/3a89cd48.0. I have no idea where this >> file name came from. > > http://www.openldap.org/doc/admin24/tls.html#TLS_CACERTDIR%20%3Cpath%3E > > https://www.openssl.org/docs/man1.1.0/apps/c_rehash.html If there is nothing in his code OR ~/.ldaprc, system ldap.conf, etc, referencing the TLS_CACERTDIR then it seems there's a bug, since it should only be trying to find the CA Cert hash if that's been set. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: [EXTERNAL] Re: back-ldap and ldaps not working
by Quanah Gibson-Mount 12 Jul '17

12 Jul '17

--On Saturday, July 08, 2017 4:53 PM +0200 Michael Ströder <michael(a)stroeder.com> wrote: > I vaguely remember there were bugs in back-ldap/back-meta ignoring TLS > options. The work-around back then was to set env var LDAPTLS_CACERT and > friends when starting slapd to let libldap pick up the TLS options from > env. > > Should be fixed in recent releases OpenLDAP though. Ha, one of the few times I failed to ask what version of OpenLDAP was being used... Jon, what OpenLDAP release are you running? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 3

Re: olcGlobal vs. olcFrontendConfig
by Howard Chu 12 Jul '17

12 Jul '17

Michael Ströder wrote: > HI! > > I have to admit that when writing a static slapd.conf I do not make any distinction > regarding global config section and frontend config section. > > So I wonder which criteria are applied to determine whether a parameter is put into > cn=config (olcGlobal) or olcDatabase={-1}frontend (olcFrontendConfig) when converting > slapd.conf to dynamic config. In OpenLDAP 2.3 most global parameters were put into olcGlobal. We moved parameters into olcFrontendConfig in OpenLDAP 2.4 whenever we found an item that might depend on a loadable module, since olcModules are processed after olcGlobal. The parser still accepts these items in olcGlobal, to retain compatibility with configs migrated from 2.3, but in freshly generated configs, the 2.4 olcGlobal will omit them. > Looking at a concrete configuration it does not make sense to me to put attribute > olcPasswordHash into olcDatabase={-1}frontend while putting > olcPasswordCryptSaltFormat into cn=config. There could even be conflicting values in both > entries. A salt format is just a plain string, so it has no particular dependencies. A hash requires actual code to implement it, and may depend on olcModule. > > Background: I'd like to determine which password hash scheme and salt format is > configured by searching in back-config. > > Ciao, Michael. > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2017