openldap-technical September 2017

openldap-technical@openldap.org

54 participants
164 discussions

Start a nNew thread

Re: BDB VS HDB for openldap2.4
by rammohan ganapavarapu 06 Sep '17

06 Sep '17

What is the recommended backend db for openldap2.4 dbd or hdb? which one give better performance? Thanks, Ram

1 0

Re: hdb_search: 163 does not match filter
by Quanah Gibson-Mount 06 Sep '17

06 Sep '17

--On Wednesday, September 06, 2017 10:05 AM -0400 Bernard Fay <bernard.fay(a)gmail.com> wrote: > > Hello, > > > I see a lot of "hdb_search: x does not match filter" in the log file of > my openldap server. > > > Does someone know what it this about? Should I by worried about this? > How can I fix this if it need to be fixed? It looks like you have your log level set to "TRACE". Thus you are simply seeing hdb parse through every entry and whether or not it matches the supplied filter. It's generally a waste to have that high of a log level set unless you're tracking down a specific problem. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Fwd: REG: I thought I got the ACLs, but......
by Quanah Gibson-Mount 06 Sep '17

06 Sep '17

--On Wednesday, September 06, 2017 6:15 PM +0530 8zero2 operations <8zero2ops(a)gmail.com> wrote: > So here is my scenario I have an ou of "user" and an ou of "Administrator" > now one user from administrator branch should be able to edit anything in > user branch and the other user should only be able to read the branch > "user", also I want userPassword to be visible to only Administrator > which has write permissions. I suggest reading up on the "entry" pseudo-attribute as documented in the slapd.access(5) man page. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

hdb_search: 163 does not match filter
by Bernard Fay 06 Sep '17

06 Sep '17

Hello, I see a lot of "hdb_search: x does not match filter" in the log file of my openldap server. Does someone know what it this about? Should I by worried about this? How can I fix this if it need to be fixed? [root@ slapd]# slapd -V @(#) $OpenLDAP: slapd 2.4.40 (Mar 31 2016 15:24:52) $ mockbuild(a)worker1.bsys.centos.org: /builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/servers/slapd Thanks, Bernard

1 0

Fwd: REG: I thought I got the ACLs, but......
by 8zero2 operations 06 Sep '17

06 Sep '17

Hi, I have a ACL problem, I am not able to figure out what I am doing wrong. Or if there is something wrong in what I understood. So here is my scenario I have an ou of "user" and an ou of "Administrator" now one user from administrator branch should be able to edit anything in user branch and the other user should only be able to read the branch "user", also I want userPassword to be visible to only Administrator which has write permissions. here is my initial ACL for it {0}to attrs=userPassword by dn.exact="uid=domain.admin,ou= Administrator,dc=example,dc=com" write by anonymous auth {1}to dn.subtree="ou=user,dc=example,dc=com" attrs=entry,children by dn.exact="uid=domain.admin,ou=Administrator,dc=example,dc=com" write by dn.exact="uid=domain.auth,ou=Administrator,dc=example,dc=com" read now using above acl none of the user domain.auth or domain.admin is able read/write/search in "user" ou. Only if I add the following ACL to it. {2} to * by dn.exact="uid=domain.admin,ou=Administrator,dc=example,dc=com" write by dn.exact="uid=domain.auth,ou=Administrator,dc=example,dc=com" read everything works as i want it to work. Mail: 8zero2.in(a)gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in

1 0

Slapd.d configuration for write chaining
by Tim 06 Sep '17

06 Sep '17

Heya, In order to enable write chaining, I used the normal mechanism of using a slapd.conf file to generate the necessary slapd.d configuration that I'm now using to seed the servers that I'm building. Out of interest - why do I need the two separate overlays (shown bellow) in the final config? Trying to understand what's actually happening and can't quite make sense of why this is defined like this. dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbStartTLS: start starttls=yes olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {1}ldap olcDbURI: "ldap://*ldapserver*/" olcDbStartTLS: start starttls=yes olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="*binddn*" credentials="*cred*" keepalive=0:0:0 starttls=yes tls_cacert="/etc/openldap/certs/CA.crt" tls_reqcert=demand olcDbRebindAsUser: TRUE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 Thanks in advance, -- Tim tim(a)yetanother.net

1 0

Large scale traffic testing
by Tim 06 Sep '17

06 Sep '17

Heya, Currently working on the design for a new OpenLDAP deployment - and I'm now at the stage where I'd like to thoroughly stress test the platform in order to gain an understanding as to it's capacity and what potential bottlenecks we may hit. I've, so far, been making use of home grown python-ldap3 scripts to simulate the various kinds of interactions using many parallel synchronous requests - but as I scale this up, I'm increasingly aware that it is a very different ask to simulate simple synchronous interactions compared to a fully optimised multithreaded client with dedicated async/sync channels and associated strategies. I'm currently working with a dataset of in the region of 2,500,000 objects and looking to test throughput up to somewhere in the region of 15k/s searches alongside 1k/s modification/addition events - which is beyond what the current basic scripts are able to achieve. I'm starting to resign myself to investing some significant time into recreating a more representative and capable test suit - but I'm sure that this is a problem that most new platforms must have? So I was wondering what strategies other people have used to stress test platforms elsewhere? Thanks in advance for any suggestions -- Tim tim(a)yetanother.net

3 5

Re: When does logpurge run ?
by Quanah Gibson-Mount 05 Sep '17

05 Sep '17

--On Wednesday, September 06, 2017 1:00 AM +0000 ping-shin ching <ping_sc(a)hotmail.com> wrote: > > > I have the "logpurge <age> <interval>" information. > > > > > logpurge 2+00:00 1+00:00 > would specify that the log database should be scanned > every day > for old entries, and entries older than two days > should be > deleted. When using a log database that supports > ordered > indexing on generalizedTime attributes, specifying an eq > index > on the reqStart attribute will greatly benefit the > performance > > But when does the comparison and delete happen? 'Scanned every day' - at > what time does the scan occur? >From when the slapd process was started. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

When does logpurge run ?
by ping-shin ching 05 Sep '17

05 Sep '17

Hi Folks, When does the logpurge (for accesslog) run? Can we control the time this process runs? Regards, Ping

2 2

Re: N-Way Multi Master setup missing entries on consumers
by Quanah Gibson-Mount 04 Sep '17

04 Sep '17

--On Monday, September 04, 2017 6:52 AM +0000 ping-shin ching <ping_sc(a)hotmail.com> wrote: > I have 4 servers setup via N-Way multi master using 2.4.44. I would advise upgrading to OpenLDAP 2.4.45, as it contained specific fixes for replication with N-Way MMR and delta-syncrepl <http://www.openldap.org/software/release/changes.html> If you still see issues, then you'll need to provide logs at "stats sync" level for the providers and consumers. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2017