Re: Openldap freeze after sometime
by Quanah Gibson-Mount
--On Thursday, July 13, 2017 12:28 PM +0000 scn_73(a)yahoo.com wrote:
>
>
> Hi all,
>
>
> OpenLDAP freezes some time after its restart. ldapsearch queries keep
> hanging with no result.
OpenLDAP version?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 4 months
Re: Index Alias Attribute
by Quanah Gibson-Mount
--On Thursday, July 13, 2017 11:35 AM -0400 Josh Catana <jcatana(a)gmail.com>
wrote:
> Running on sles11sp3 openldap2-2.4.26-0.62.2
> BDB backend.
Hm:
OpenLDAP 2.4.26 Release (2011/06/30)
OpenLDAP 2.4.45 Release (2017/06/01)
Getting a bit crufty there. ;)
> We heavily rely on aliases to different OUs to manage access to different
> environments, prod/dev/qa/etc.
Expand on what you mean by aliases, please. In general, using aliases in
LDAP is a bad idea.
> I know I should probably update the backend, but this isn't what the
> question is about.
back-mdb is awful with aliases (See
<http://www.openldap.org/its/index.cgi/?findid=7657>), so I'm not sure
changing backends would help.
You may be hitting <http://www.openldap.org/its/index.cgi/?findid=7743>,
there was no further follow up on it.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 4 months
Stopping pagination
by Côme Chilliet
Hello,
Once a pagination server control is set with ldap_set_option, it seems impossible to cancel pagination by sending a pagination control with 0 as page size.
What I mean is calling ldap_set_option to set a pagination control (let’s say page size is 4),
then starting a search,
then calling ldap_set_option to set the pagination control with a page size of 0 (and with the cookie returned by the search).
Then trying to start a new search will return 0 entries.
From what I understood of https://www.ietf.org/rfc/rfc2696.txt I thought a page size of 0 would disable pagination, but it does not seem to work.
Am I missing something?
Côme
6 years, 4 months
Openldap freeze after sometime
by scn_73@yahoo.com
Hi all,
OpenLDAP freezes some time after its restart. ldapsearch queries keep hanging with no result.
Earlier this used to be because the locks max was reached. Now I see they are fine, but I suspect "Lock requests not available due to conflicts". Please support me in finding out the cause.
slapd_db_stat -c -h .
91 Last allocated locker ID
0x7fffffff Current maximum unused locker ID
9 Number of lock modes
8000 Maximum number of locks possible
1500 Maximum number of lockers possible
12500 Maximum number of lock objects possible
21 Number of current locks
26 Maximum number of locks at any one time
91 Number of current lockers
91 Maximum number of lockers at any one time
17 Number of current lock objects
26 Maximum number of lock objects at any one time
15M Total number of locks requested (15273903)
15M Total number of locks released (15025934)
0 Total number of locks upgraded
5 Total number of locks downgraded
166706 Lock requests not available due to conflicts, for which we waited
247948 Lock requests not available due to conflicts, for which we did not wait
0 Number of deadlocks
0 Lock timeout value
0 Number of locks that have timed out
0 Transaction timeout value
0 Number of transactions that have timed out
3MB 752KB The size of the lock region
3385698 The number of region locks that required waiting (15%)
- Sachin
6 years, 4 months
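To triage a dump like the one above without reading it by eye, here is an added example (not part of the thread, and not OpenLDAP or Berkeley DB code) that parses the lock section of db_stat -c and checks the figures that matter: peak use against the configured maxima, the share of conflicted lock requests, region-lock waits, and deadlocks. SAMPLE is the dump from the post; the thresholds in assess() are assumptions chosen for illustration, not Berkeley DB recommendations.

```python
"""Parse the lock section of Berkeley DB's db_stat -c output and flag limits.

Added example, not from the thread or from OpenLDAP/BDB. SAMPLE is the dump
posted above (slapd_db_stat -c); the thresholds in assess() are illustrative
assumptions.
"""
import re

SAMPLE = """\
91 Last allocated locker ID
0x7fffffff Current maximum unused locker ID
9 Number of lock modes
8000 Maximum number of locks possible
1500 Maximum number of lockers possible
12500 Maximum number of lock objects possible
21 Number of current locks
26 Maximum number of locks at any one time
91 Number of current lockers
91 Maximum number of lockers at any one time
17 Number of current lock objects
26 Maximum number of lock objects at any one time
15M Total number of locks requested (15273903)
15M Total number of locks released (15025934)
0 Total number of locks upgraded
5 Total number of locks downgraded
166706 Lock requests not available due to conflicts, for which we waited
247948 Lock requests not available due to conflicts, for which we did not wait
0 Number of deadlocks
0 Lock timeout value
0 Number of locks that have timed out
0 Transaction timeout value
0 Number of transactions that have timed out
3MB 752KB The size of the lock region
3385698 The number of region locks that required waiting (15%)
"""

_SCALE = {"K": 10**3, "M": 10**6, "G": 10**9,
          "KB": 1024, "MB": 1024**2, "GB": 1024**3}


def _number(token: str):
    """91, 0x7fffffff, 15M, 3MB, 752KB -> int; anything else -> None."""
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|\d+)(KB|MB|GB|K|M|G)?", token)
    if not m:
        return None
    digits, unit = m.groups()
    n = int(digits, 16) if digits.startswith("0x") else int(digits)
    return n * _SCALE[unit] if unit else n


def parse_lock_stats(text: str) -> dict:
    """Map each description to its value. Abbreviated counts (15M) are
    replaced by the exact figure db_stat prints in parentheses; a trailing
    percentage is stored under '<description> %'."""
    stats = {}
    for line in text.splitlines():
        tokens = line.split()
        value, i = 0, 0
        while i < len(tokens) and (n := _number(tokens[i])) is not None:
            value, i = value + n, i + 1          # "3MB 752KB" sums both parts
        if i == 0:
            continue                              # not a stat line
        desc = " ".join(tokens[i:])
        exact = re.search(r"\s*\((\d+)\)$", desc)
        if exact:
            value, desc = int(exact.group(1)), desc[:exact.start()]
        pct = re.search(r"\s*\((\d+)%\)$", desc)
        if pct:
            desc = desc[:pct.start()]
            stats[desc + " %"] = int(pct.group(1))
        stats[desc] = value
    return stats


CAPACITY = (
    ("locks", "Maximum number of locks at any one time", "Maximum number of locks possible"),
    ("lockers", "Maximum number of lockers at any one time", "Maximum number of lockers possible"),
    ("lock objects", "Maximum number of lock objects at any one time", "Maximum number of lock objects possible"),
)


def assess(stats: dict, capacity_warn=0.80, conflict_warn=0.05, region_wait_warn=10):
    """Return [(check, value, flagged)]. Peak use near the configured maxima
    (set_lk_max_* in DB_CONFIG) is what 'locks max reached' looks like."""
    findings = []
    for name, peak, cap in CAPACITY:
        ratio = stats[peak] / stats[cap]
        findings.append((f"{name} peak/capacity", round(ratio, 4), ratio >= capacity_warn))
    requested = stats["Total number of locks requested"]
    conflicted = (stats["Lock requests not available due to conflicts, for which we waited"]
                  + stats["Lock requests not available due to conflicts, for which we did not wait"])
    ratio = conflicted / requested if requested else 0.0
    findings.append(("conflicted/requested", round(ratio, 4), ratio >= conflict_warn))
    pct = stats.get("The number of region locks that required waiting %", 0)
    findings.append(("region lock waits %", pct, pct >= region_wait_warn))
    deadlocks = stats["Number of deadlocks"]
    findings.append(("deadlocks", deadlocks, deadlocks > 0))
    return findings


if __name__ == "__main__":
    for check, value, flagged in assess(parse_lock_stats(SAMPLE)):
        print(f"{'WARN' if flagged else ' ok '} {check:28} {value}")
```

On this dump every peak is far below its configured maximum (26 of 8000 locks, 91 of 1500 lockers, 26 of 12500 lock objects) and there are no deadlocks, so lock exhaustion is not visible here; the only figure over a threshold is the 15% of region lock requests that had to wait.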
Re: LMDB persistent snapshots
by Howard Chu
Michael Conrad wrote:
> On 07/10/2017 03:28 PM, Howard Chu wrote:
>> Michael Conrad wrote:
>>> On 07/10/2017 12:16 PM, Howard Chu wrote:
>>>> Michael Conrad wrote:
>>>>> Hi, I'm scoping out my options for databases that support snapshotting.
>>>>> From what I've read so far, this is a natural feature of LMDB,
>>>>
>>>> Not really. The persistent state only records the 2 most recent transactions.
>>>
>>> Hm, well so much for that idea ;-) But could you clarify what would
>>> happen in a scenario like:
>>>
>>> Proc1: Begin Read Transaction t1
>>> Proc2: Write Transaction t2
>>> Proc2: Write transaction t3
>>> Proc3: Begin Read Transaction t4
>>> Proc2: Write Transaction t5
>>> Proc2: Write Transaction t6
>>>
>>> After those steps, are process 1 and process 3 still able to continue
>>> reading their data, and is all the data they see consistent with the state
>>> of the database at the time they began the transaction?
>>
>> Yes. They each retain an in-memory copy of the DB metadata at the start of
>> their transaction, and none of the pages they require can be reused by any
>> write transactions.
>>
>
> So, if I found a way to serialize the metadata being held by the transaction,
> and maintain the lock on the pages, then in theory I could re-load the
> transaction later to see the historic state?
You would need to keep process 1 and process 3 alive, to maintain their locks.
> And the downside to attempting
> this would be that (assuming an idle database at the start of the read
> transaction) *no* pages would get garbage collected at all for a long as the
> lock was held?
Correct.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 4 months
Re: multi-value attribute rejected
by Quanah Gibson-Mount
--On Monday, July 10, 2017 11:11 PM +0100 Brad <braduk1973(a)gmail.com> wrote:
The error seems pretty straightforward:
> Caused by: javax.naming.directory.AttributeInUseException: [LDAP: error
> code 20 - cACertificate;binary: value #0 provided more than once];
I.e., you've provided the exact same value more than once in your write op.
For example, you'd see a similar failure with:
dn: <blah>
changetype: modify
add: sn
sn: smith
sn: smith
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 4 months
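An added example (not from the thread and not slapd code) of the check behind this error: slapd compares every pair of values supplied for one attribute using that attribute's equality matching rule on normalized values, so for sn the pair smith / Smith is rejected too, not only byte-identical repeats. The normalizers here are simplified stand-ins for the real matching rules, comparing ';binary' attributes as raw octets is an assumption, and the certificate bytes are constructed.

```python
"""Reproduce slapd's "value #N provided more than once" duplicate check.

Added example, not code from the thread or from OpenLDAP. slapd
(servers/slapd/modify.c, slap_mods_check) compares every pair of values
supplied for one attribute with that attribute's equality matching rule on
normalized values, so the rejection is not a plain byte comparison.
The normalizers below are simplified stand-ins: caseIgnoreMatch is
approximated by whitespace collapsing plus case folding; ';binary'
attributes are compared as raw octets, which is an assumption here
(slapd uses certificateExactMatch for cACertificate). Sample values are
constructed.
"""
import re


def _case_ignore(value: bytes) -> bytes:
    """Approximation of caseIgnoreMatch normalization."""
    text = value.decode("utf-8", "surrogateescape")
    text = re.sub(r"\s+", " ", text).strip().casefold()
    return text.encode("utf-8", "surrogateescape")


def _exact(value: bytes) -> bytes:
    """Octet-for-octet comparison."""
    return value


# Equality rule per attribute; anything unlisted falls back to exact octets.
NORMALIZERS = {
    "objectClass": _case_ignore,
    "sn": _case_ignore,
    "cn": _case_ignore,
    "cACertificate;binary": _exact,
    "userCertificate;binary": _exact,
}


def find_duplicate(attr: str, values):
    """Return (j, i), the first pair of values equal under the attribute's
    rule, or None. j is the index slapd names in its error text."""
    norm = NORMALIZERS.get(attr, _exact)
    seen = {}
    for i, value in enumerate(values):
        key = norm(value)
        if key in seen:
            return seen[key], i
        seen[key] = i
    return None


def check_entry(attrs: dict) -> list:
    """Run the check over a whole add/modify and return slapd-style texts."""
    errors = []
    for attr, values in attrs.items():
        dup = find_duplicate(attr, values)
        if dup is not None:
            errors.append(f"{attr}: value #{dup[0]} provided more than once")
    return errors


def dedupe(attr: str, values) -> list:
    """Client-side fix: drop later values equal to an earlier one, keep order."""
    norm = NORMALIZERS.get(attr, _exact)
    kept, seen = [], set()
    for value in values:
        key = norm(value)
        if key not in seen:
            seen.add(key)
            kept.append(value)
    return kept


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; real values are full X.509 DER.
    fake_der = bytes.fromhex("308201")
    entry = {
        "objectClass": [b"person", b"pkiCA"],
        "sn": [b"smith", b"Smith"],                 # equal under caseIgnoreMatch
        "cACertificate;binary": [fake_der, fake_der],
    }
    for err in check_entry(entry):
        print("error code 20 -", err)
    print(dedupe("sn", entry["sn"]))
```

The index in the message is the earlier of the two colliding values, which is why a two-value add reports value #0. Deduplicating on the client before the write, as dedupe() does, is the usual fix when the calling application hands the same value twice.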
multi-value attribute rejected
by Brad
Hi all,
I'm testing some Java software which stores certificates in LDAP.
Previously it has used OpenDJ/OpenDS for LDAP storage but we now have a
requirement to run with OpenLDAP in Docker.
Everything is working apart from a certificate import which attempts to
create an LDAP entry with a repeating attribute.
Here's the Java stack trace:
Caused by: javax.naming.directory.AttributeInUseException: [LDAP: error
code 20 - cACertificate;binary: value #0 provided more than once];
remaining name 'uniqueIdentifier=20d743cf8f62c4186365107d61d65db3'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3120)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx
.java:3082)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx
.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:423)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_bind(
ComponentDirContext.java:299)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(
PartialCompositeDirContext.java:217)
We have some other certificates which are imported without error but those
only have a single "cACertificate" attribute.
As I understand it, the default cardinality for attributes in OpenLDAP is
MULTI-VALUE. I've checked the schema and it's not being specified as
SINGLE-VALUE so I'm a bit confused as to why it's being rejected. If I
could get some advice on possible causes & solutions that would be very
much appreciated. I've done lots of googling and searched the list archives
but so far nothing I've found seems relevant to the issue I'm seeing.
Thanks,
Brad.
6 years, 4 months
Re: [EXTERNAL] Re: back-ldap and ldaps not working
by Quanah Gibson-Mount
--On Wednesday, July 12, 2017 12:04 PM -0700 Ryan Tandy <ryan(a)nardis.ca>
wrote:
> On Wed, Jul 12, 2017 at 05:57:51PM +0000, Jon C Kidder wrote:
>> I then see an fopen for this file
>> /appl/openldap/etc/openldap/tls/3a89cd48.0. I have no idea where this
>> file name came from.
>
> http://www.openldap.org/doc/admin24/tls.html#TLS_CACERTDIR%20%3Cpath%3E
>
> https://www.openssl.org/docs/man1.1.0/apps/c_rehash.html
If there is nothing in his code OR ~/.ldaprc, system ldap.conf, etc,
referencing the TLS_CACERTDIR then it seems there's a bug, since it should
only be trying to find the CA Cert hash if that's been set.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 4 months
Re: [EXTERNAL] Re: back-ldap and ldaps not working
by Quanah Gibson-Mount
--On Saturday, July 08, 2017 4:53 PM +0200 Michael Ströder
<michael(a)stroeder.com> wrote:
> I vaguely remember there were bugs in back-ldap/back-meta ignoring TLS
> options. The work-around back then was to set env var LDAPTLS_CACERT and
> friends when starting slapd to let libldap pick up the TLS options from
> env.
>
> Should be fixed in recent releases OpenLDAP though.
Ha, one of the few times I failed to ask what version of OpenLDAP was being
used...
Jon, what OpenLDAP release are you running?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 4 months
Re: olcGlobal vs. olcFrontendConfig
by Howard Chu
Michael Ströder wrote:
> HI!
>
> I have to admit that when writing a static slapd.conf I do not make any distinction
> regarding global config section and frontend config section.
>
> So I wonder which criteria are applied to determine whether a parameter is put into
> cn=config (olcGlobal) or olcDatabase={-1}frontend (olcFrontendConfig) when converting
> slapd.conf to dynamic config.
In OpenLDAP 2.3 most global parameters were put into olcGlobal. We moved
parameters into olcFrontendConfig in OpenLDAP 2.4 whenever we found an item
that might depend on a loadable module, since olcModules are processed after
olcGlobal. The parser still accepts these items in olcGlobal, to retain
compatibility with configs migrated from 2.3, but in freshly generated
configs, the 2.4 olcGlobal will omit them.
> Looking at a concrete configuration it does not make sense to me to put attribute
> olcPasswordHash into olcDatabase={-1}frontend while putting
> olcPasswordCryptSaltFormat into cn=config. There could even be conflicting values in both
> entries.
A salt format is just a plain string, so it has no particular dependencies. A
hash requires actual code to implement it, and may depend on olcModule.
>
> Background: I'd like to determine which password hash scheme and salt format is
> configured by searching in back-config.
>
> Ciao, Michael.
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 4 months