Re: Syncrepl and multiple values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
>
>
>
> Issue 8559 opened.
>
>
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 1 month
Re: Upgrade from 2.4.40 to 2.4.44
by Quanah Gibson-Mount
--On Friday, September 15, 2017 9:18 AM -0700 Ryan Tandy <ryan(a)nardis.ca>
wrote:
> IIRC slapcat doesn't work in this case, because it fails to initialize
> the ppolicy module.
>
> The linked CentOS and RHEL bugs recommend downgrading slapd to the
> previously working version and using ldapmodify.
Yeah, that's ugly :/ Another reason we really need to get slapmodify out,
and some way to execute it with an option to not load modules or similar.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 5 months
Re: slapd: null_callback : error code 0x14
by Quanah Gibson-Mount
--On Thursday, September 21, 2017 9:59 PM -0700 "Paul B. Henson"
<henson(a)acm.org> wrote:
> It seems there are updates for that group coming from rid 002
> (egeria.ldap.cpp.edu) and 003 (minerva.ldap.cpp.edu), but none from rid
> 001 (themis.ldap.cpp.edu) which is serverid 4, where the change was
> actually made?
Oh, I thought you had said you only had two masters. This could well be
ITS#8444 (ignore the ITS title, it has nothing to do with memberOf), where
there are out of sync problems with 3+ MMR nodes and delta-syncrepl when
syncprov checkpoints.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 5 months
country attribute
by richard lucassen
Hello list,
Just a newbie question: I try to create a simple addressbook in LDAP and
I just wondered why there is no country attribute in the standard
structure:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
Just an "st" attribute, but this should not be used for a country AFAIK.
Is there an easy way to add the country or friendlyCountryName as a MAY
attribute without having to create my own objectClass?
R.
--
richard lucassen
http://contact.xaq.nl/
5 years, 5 months
What is the current OLC way to replace the nis schema with the rfc2307bis schema?
by John Lewis
What is the current OLC way to replace the nis schema with the
rfc2307bis schema?
There are hacks published, but I couldn't find a document that takes
advantage of OLC, removes the nis schema, and installs the rfc2307bis
schema. It feels like something that I would do often enough that I
would want to be able to do it in one ldapmodify operation.
There is a problem. There wasn't delete support in OLC 2.4 2012 in
http://www.openldap.org/lists/openldap-technical/201204/msg00245.html.
OLC does support delete in 2.5 as of 2013
https://www.slideshare.net/ldapcon/whats-new-in-openldap.
Since that has been established, what is the least hacky way to replace
the nis schema with the rfc2307bis schema in 2.4?
5 years, 5 months
Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by Quanah Gibson-Mount
--On Friday, September 29, 2017 2:50 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
>
> Quanah,
>
>
> Yes that is the plan but till I moved to latest version with mdb, I have
> to live with it. Regarding upgrading to latest with mdb, how can I
> migrate from hdb to mdb without downtime? Can I add latest openldap with
> mdb as replica to existing older/hdb instance?
Yes, you can have an mdb-based server that is a replica from an existing
back-hdb server.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 5 months
Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by rammohan ganapavarapu
Quanah,
Yes that is the plan but till I moved to latest version with mdb, I have to
live with it. Regarding upgrading to latest with mdb, how can I migrate
from hdb to mdb without downtime? Can I add latest openldap with mdb as
replica to existing older/hdb instance?
Thanks for all your suggestions
Ram
On Fri, Sep 29, 2017 at 1:38 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Friday, September 29, 2017 2:31 PM -0700 rammohan ganapavarapu <
> rammohanganap(a)gmail.com> wrote:
>
>
>> Quanah,
>>
>>
>> Sorry I was searching for one attribute, I have close to 80mil entries.
>>
>
> Then these settings may be too low:
>
> cachesize 100000
> idlcachesize 300000
>
> Essentially, cachesize needs to hold your working set of data (active
> entries). So this is saying slapd will only cache 100,000 active entries.
> It will then be removing/adding entries in blocks of one (cachefree
> defaults to 1 if not set). idlcachesize generally is 3x cachesize.
>
> If your active set is > 100,000 users, then you need to increase the
> cachesize and idlcachesize parameters accordingly. You may also need to
> increase cachefree from its default of "1".
>
> Overall, you would likely be much better served to switch to back-mdb,
> where you do not have to set any of these parameters at all.
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
5 years, 5 months
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Quanah Gibson-Mount
--On Friday, September 29, 2017 5:03 PM -0400 Robert Heller
<heller(a)deepsoft.com> wrote:
> At Fri, 29 Sep 2017 10:29:11 -0700 Quanah Gibson-Mount <quanah(a)symas.com>
> wrote:
>
>>
>> --On Friday, September 29, 2017 2:17 PM -0400 Robert Heller
>> <heller(a)deepsoft.com> wrote:
>>
>> > Signature Algorithm: sha1WithRSAEncryption
>>
>> The above is probably your problem. I believe MozNSS will no longer
>> accept SHA1 certs. This was in the link I sent you yesterday.
>> Generate a more secure cert (i.e., SHA256 or higher).
>
> I replaced the certs with SHA256 versions and it is still not working:
You need logs from SSSD detailing why it is failing to negotiate. As you
noted before, ldapsearch/ldapwhoami etc work for you. If that is still the
case now with your new certs, you will need to pursue support with RedHat,
as this clearly is not an OpenLDAP issue. Sorry I can't be of any more
help than that.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 5 months
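A check for the SHA-1 signature problem discussed in this thread, as an added example that is not part of the original messages: it lists the signature algorithm of every certificate in a PEM file (server certificate plus any chain) and flags SHA-1 or MD5. The function names are hypothetical, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): report weak signature algorithms
# in a PEM file that may hold one certificate or a whole chain.

# classify_sigalg NAME -> prints "weak" or "ok" for an OpenSSL algorithm name
# such as sha1WithRSAEncryption or ecdsa-with-SHA256.
# Limitation: RSASSA-PSS keeps its hash in the parameters, not in the name,
# so it is reported as "ok" here without inspecting the hash.
classify_sigalg() {
    alg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$alg" in
        *sha1*|*md5*|*md2*) echo weak ;;
        *) echo ok ;;
    esac
}

# bundle_sigalgs FILE -> one signature algorithm name per certificate.
# Each certificate prints "Signature Algorithm:" twice (inside the signed
# data and again before the signature value); keep the first of each pair.
bundle_sigalgs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        awk '/^ *Signature Algorithm:/ { n++; if (n % 2 == 1) print $3 }'
}

# audit_bundle FILE -> prints "cert N: <alg> <verdict>" per certificate and
# returns 1 if any certificate in the file is signed with a weak hash.
audit_bundle() {
    rc=0
    i=0
    for alg in $(bundle_sigalgs "$1"); do
        i=$((i + 1))
        verdict=$(classify_sigalg "$alg")
        echo "cert $i: $alg $verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return $rc
}

# Stand-alone use: pass the PEM file that slapd is configured to present.
if [ $# -gt 0 ]; then
    audit_bundle "$1"
fi
```

Running it against both the old and the reissued certificate files confirms whether the replacement actually changed the signature hash or only the file name.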
Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by Quanah Gibson-Mount
--On Friday, September 29, 2017 2:31 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
>
> Quanah,
>
>
> Sorry I was searching for one attribute, I have close to 80mil entries.
Then these settings may be too low:
cachesize 100000
idlcachesize 300000
Essentially, cachesize needs to hold your working set of data (active
entries). So this is saying slapd will only cache 100,000 active entries.
It will then be removing/adding entries in blocks of one (cachefree
defaults to 1 if not set). idlcachesize generally is 3x cachesize.
If your active set is > 100,000 users, then you need to increase the
cachesize and idlcachesize parameters accordingly. You may also need to
increase cachefree from its default of "1".
Overall, you would likely be much better served to switch to back-mdb,
where you do not have to set any of these parameters at all.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 5 months
Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by rammohan ganapavarapu
Quanah,
Sorry I was searching for one attribute, I have close to 80mil entries.
Thanks,
Ram
On Fri, Sep 29, 2017 at 12:19 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Friday, September 29, 2017 1:00 PM -0700 rammohan ganapavarapu <
> rammohanganap(a)gmail.com> wrote:
>
>
>> I have roughly 57077 entries, so set_cachesize in slapd.conf will take
>> highest priority than the one in DB_CONFIG file?
>>
>
> If you ever delete the DB_CONFIG file, it would be created with the
> setting from slapd.conf. Better to remove it.
>
> You say you have only 57,077 entries in your DB, yet your id2entry bdb
> file is nearly 8GB in size? That doesn't make sense unless your BDB
> database is very corrupted or you have insanely huge entries containing
> gigabytes of binary data or something.
>
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
5 years, 5 months