Fixing slapo-nops (ITS#8759)
by manu@netbsd.org
Hello
Following ITS#8759, I am looking for ideas about how to fix slapo-nops.
This overlay suppresses nilpotent operations that replace an attribute's
values by the same values. The code is in
contrib/slapd-modules/nops/nops.c
The problem is that slapo-nops assumes it can free the nilpotent struct
Modifications after removing them from the list, but for instance
slapo-memberof uses struct Modifications allocated on the stack.
Not freeing in slapo-nops is not a fix, since unlinked struct
Modifications will not be freed anywhere else, and we will get a memory
leak.
Would it make sense to add a SLAP_MOD_ONSTACK flag in struct
Modification's sm_flags so that we can tell the difference? Any other
idea?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
5 years, 2 months
Syncrepl replication from multi-master OpenLDAP
by Simon ELBAZ
Hi,
I am trying to setup data and cn=config replication on a syncrepl slave
from an OpenLDAP multi-master.
The replication is fine (data and config replicate).
However, I want to override olcSyncrepl attributes on the syncrepl
replica (particularly the provider value to use an IP address reachable
from outside the multi-master LAN).
I have tried exattrs=olcSyncrepl but as mentioned in
(https://www.openldap.org/lists/openldap-technical/201508/msg00124.html),
the olcSyncrepl attribute gets wiped:
dn: olcDatabase={1}mdb,cn=config
.....
olcSyncrepl: {0}rid=006 provider=ldap://<IP address> binddn="******"
bindmethod=simple credentials="*****" searchbase="*****"
type=refreshAndPersist interval=0 0:00:00:10 retry="5 5 300 5"
timeout=1
Is there a way to achieve the overriding of the olcSyncrepl attribute on the
syncrepl server?
Thanks for your help
Simon Elbaz
5 years, 6 months
Re: openLDAP: LDAP and LDAP over TLS support at same time
by GOKUL G
Hi Quanah,
Thanks for the response.
Earlier, we tried to do a normal ldapsearch with a library compiled with
HAVE_TLS, but what we got in the wireshark trace was ldap message over SSL
without any encryption, instead of plain LDAP. So we thought it was not
possible to get plain LDAP with library compiled with HAVE_TLS.
As you said, we have missed out on something or probably misunderstood the
APIs.
I will try your suggestions.
Thanks once again for your support.
Regards,
G Gokul
On Thu, Mar 29, 2018 at 2:05 AM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Wednesday, March 28, 2018 10:29 PM +0100 Raf Czlonka <
> rczlonka(a)gmail.com> wrote:
> ^^^
>
>> Hi Quanah,
>>
>> You obviously meant 636, right[0]?
>>
>
> Heh, yes, 636. ;)
>
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
5 years, 6 months
openLDAP: LDAP and LDAP over TLS support at same time
by GOKUL G
Hi Team,
We are developing an LDAP client in our application. For this we are using
openLDAP software.
One of our requirements is to support either LDAP or LDAPS (LDAP/TLS),
based on the end-user input at runtime.
So, in our application we should have support for both LDAP & LDAPS APIs
and we would be calling LDAPS API (ldap_tls_start_s) based on this runtime
configuration or else normal LDAP API would be called.
ISSUE:
We are able to integrate openLDAP with our application and achieve LDAP or
LDAP/TLS requirement separately.
Since the support for TLS in openLDAP is macro controlled (HAVE_TLS), at
compile time itself it's decided whether LDAP or LDAPS. And we are not able
to take this decision at run-time.
If we compile openLDAP software with HAVE_TLS and use it for normal
ldapsearch, this ldap command is seen in trace as ldap message over SSL
without any encryption. But not as normal LDAP message.
So, we understand that to achieve our requirement,
we would either be required to change the macro control of TLS to run-time
control in the openLDAP code (but we would prefer not to do this for
maintainability purposes)
(or)
Try to use 2 openLDAP libraries, one compiled with HAVE_TLS and another
without HAVE_TLS. And take care in application side to call the respective
API without causing any resolution issue.
Can you please suggest whether there is any other approach currently
available in openLDAP to support both LDAP and LDAP/TLS at the same time?
Regards,
G Gokul
5 years, 6 months
Re: slapadd not adding some of the roleoccupent entries
by Quanah Gibson-Mount
--On Monday, March 26, 2018 9:16 AM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
> When I try to import using slapadd -f hdb.ldif, some of the entries in
> the sysadmin role are not getting imported; not sure what the reason should be.
> Actually, hdb backend to hdb backend import also has the same behaviour if I
> pre-create with the above root schema and keep the other server in the cluster
> running. If I don't pre-create the schema or if I don't keep the other
> server running in the cluster I don't see this issue.
slapadd by default outputs an error and will not continue (unless -c is
specified) when it has a problem adding an entry. You should provide the
error encountered.
I'd also note that you appear to be adding LDIF that is missing operational
attributes. That will not work well if you're running in MMR and expect
replication to work.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 6 months
OpenLDAP UTF8 values support
by Andre Rodier
Hello,
I have started a small project to build a mail server, and the
authentication / users list is based on OpenLDAP.
I want to use international characters for the "secondary" email
addresses but OpenLDAP is complaining about it, as invalid syntax. I
use the otherMailBox field. I found a makeshift by storing the
email address encoded in base64, but I therefore need to be sure any
client will be able to read these base64 encoded email addresses. So
far, Dovecot is fine, I am not sure yet about Postfix.
Is there any limitation in OpenLDAP that would prevent some fields from being
stored in UTF8 directly? I have noticed that the givenName and surname
are automatically encoded in base64 when containing accents, so is it a
standard practice?
Thanks for your advice.
https://github.com/progmaticltd/homebox
Kind regards,
André
5 years, 6 months
LMDB on Ramdisk (tmpfs)
by Luca Foppiano
Dear everybody,
I'm using one of your components (LMDB) via a Java JNDI bindings
implementation (https://github.com/deephacks/lmdbjni) and I'm having an issue
when I deploy my LMDB file on a tmpfs filesystem in RAM.
The issue does not occur when the LMDB files are stored on a "normal" filesystem.
When the data is in the tmpfs ramdisk all the allocated memory ends up being in
the Dirty area (it has not been written back to the filesystem).
Here is an example using the ramdisk:
7ce320000000-7cfc20000000 r--s 00000000 00:26 2459
/ramfs/nerd/data/db/db-en/entityEmbeddings/data.mdb
Size: 104857600 kB
Rss: 1255680 kB
Pss: 1255680 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 1255680 kB <---
Referenced: 1255680 kB
Anonymous: 0 kB
AnonHugePages: 0 kB
Shared_Hugetlb: 0 kB
Private_Hugetlb: 0 kB
Swap: 0 kB
SwapPss: 0 kB
KernelPageSize: 4 kB
MMUPageSize: 4 kB
Locked: 0 kB
VmFlags: rd sh mr mw me ms sd
and here is an example without:
7ca4fc000000-7cbdfc000000 r--s 00000000 fd:00 11154951
/data/workspace/shared/nerd-data/db/db-en/entityEmbeddings/data.mdb
Size: 104857600 kB
Rss: 838124 kB
Pss: 838124 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 838124 kB <----
Private_Dirty: 0 kB
Referenced: 764872 kB
Anonymous: 0 kB
AnonHugePages: 0 kB
ShmemPmdMapped: 0 kB
Shared_Hugetlb: 0 kB
Private_Hugetlb: 0 kB
Swap: 0 kB
SwapPss: 0 kB
KernelPageSize: 4 kB
MMUPageSize: 4 kB
Locked: 0 kB
VmFlags: rd sh mr mw me ms sd
According to my understanding the memory is dirty when 1) there are open
transactions, 2) the data has not been written back to the filesystem.
What I don't understand is why there is a difference between filesystem and
ramdisk?
Is there any reason? The application (listed above) is not writing to the LMDB,
but just reading (using read transactions).
Thank you
Luca
5 years, 6 months
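As an added example (not from the post above, nor from the LMDB or lmdbjni projects), a small parser for the /proc/<pid>/smaps blocks Luca quoted, with a check that flags read-only shared .mdb mappings whose resident pages are mostly Private_Dirty rather than Private_Clean. The sample text is constructed from the two entries in the post (trimmed to the fields used), with the path on the header line as the kernel prints it.

```python
import re

# Constructed sample: the ramdisk entry and the regular-filesystem entry
# from the post, keeping only Size/Rss/Private_Clean/Private_Dirty.
SMAPS_SAMPLE = """\
7ce320000000-7cfc20000000 r--s 00000000 00:26 2459   /ramfs/nerd/data/db/db-en/entityEmbeddings/data.mdb
Size:           104857600 kB
Rss:              1255680 kB
Private_Clean:          0 kB
Private_Dirty:    1255680 kB
7ca4fc000000-7cbdfc000000 r--s 00000000 fd:00 11154951   /data/workspace/shared/nerd-data/db/db-en/entityEmbeddings/data.mdb
Size:           104857600 kB
Rss:               838124 kB
Private_Clean:     838124 kB
Private_Dirty:          0 kB
"""

# Mapping header: start-end perms offset dev inode [path]
HEADER_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>\S{4}) \S+ (?P<dev>\S+) \d+\s*(?P<path>.*)$"
)
# Counter line: "Key:   <n> kB"
FIELD_RE = re.compile(r"^(?P<key>\w+):\s+(?P<kb>\d+) kB$")


def parse_smaps(text):
    """Return one dict per mapping: header fields plus integer kB counters."""
    mappings = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["path"] = entry["path"].strip()
            mappings.append(entry)
            continue
        f = FIELD_RE.match(line)
        if f and mappings:
            mappings[-1][f.group("key")] = int(f.group("kb"))
    return mappings


def dirty_ratio(mapping):
    """Fraction of resident pages that are Private_Dirty (0.0 when nothing is resident)."""
    rss = mapping.get("Rss", 0)
    return mapping.get("Private_Dirty", 0) / rss if rss else 0.0


def find_dirty_lmdb_maps(text, suffix=".mdb", threshold=0.5):
    """List (path, dirty_ratio) for read-only shared mappings of *.mdb files
    whose resident pages are at least `threshold` dirty, i.e. the situation
    the post reports for the tmpfs copy."""
    hits = []
    for mp in parse_smaps(text):
        if mp["path"].endswith(suffix) and mp["perms"] == "r--s":
            r = dirty_ratio(mp)
            if r >= threshold:
                hits.append((mp["path"], r))
    return hits
```

Run it against the real file with `open(f"/proc/{pid}/smaps").read()` to compare the tmpfs and disk deployments side by side.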
Re: Migrate from hdb/bdb to mdb backend.
by Quanah Gibson-Mount
--On Thursday, March 22, 2018 3:59 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
>
> Thank you!
As an aside, I would note that OpenLDAP 2.4.46 was released today, and it
contains multiple fixes for replication. ;)
Fixed slapd syncrepl deadlock when updating cookie (ITS#8752)
Fixed slapd syncrepl callback to always be last in the stack (ITS#8752)
Fixed slapd CSN queue processing (ITS#8801)
Fixed slapo-accesslog cleanup to only occur on failed operations (ITS#8752)
(delta-sync specific)
Fixed slapo-syncprov memory leak with delete operations (ITS#8690)
Fixed slapo-syncprov to not clear pending operation when checkpointing
(ITS#8444)
Fixed slapo-syncprov to correctly record contextCSN values in the accesslog
(ITS#8100) (delta-sync specific)
Fixed slapo-syncprov not to log checkpoints to accesslog db (ITS#8607)
(delta-sync specific)
Fixed slapo-syncprov to process changes from this SID on REFRESH (ITS#8800)
Fixed slapo-syncprov session log parsing to not block other operations
(ITS#8486)
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 6 months
Re: Migrate from hdb/bdb to mdb backend.
by Quanah Gibson-Mount
--On Thursday, March 22, 2018 3:50 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
>
> Quanah,
>
>
> Rest of the config looks OK right? Also I can replicate from hdb/bdb to
> mdb as I described in the previous email right? I am using
> openldap-servers-2.4.44-5.el7.x86_64
Replication is a function of protocol, so yes, you can replicate from
hdb/bdb to mdb.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 6 months
Re: Migrate from hdb/bdb to mdb backend.
by Quanah Gibson-Mount
--On Thursday, March 22, 2018 3:12 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
> olcSyncrepl: {0}rid=1 provider=ldap://ldapservertest01:10389/
> binddn="cn=manager,dc=example,dc=com" bindmethod=simple
> credentials=dontshare searchbase="dc=example,dc=com" attrs="*,+"
> type=refreshAndPersist retry="5 +" timeout=0 keepalive=5:5:5
> network-timeout=0 starttls=no filter="(objectclass=*)" scope=sub
> schemachecking=off
> olcSyncrepl: {1}rid=2 provider=ldap://ldapservertest02:10389/
> binddn="cn=manager,dc=example,dc=com" bindmethod=simple
> credentials=dontshare searchbase="dc=example,dc=com" attrs="*,+"
> type=refreshAndPersist retry="5 +" timeout=0 keepalive=5:5:5
> network-timeout=0 starttls=no filter="(objectclass=*)" scope=sub
> schemachecking=off
> olcSyncrepl: {2}rid=3 provider=ldap://ldapservertest03:10389/
> binddn="cn=manager,dc=example,dc=com" bindmethod=simple
> credentials=dontshare searchbase="dc=example,dc=com" attrs="*,+"
> type=refreshAndPersist retry="5 +" timeout=0 keepalive=5:5:5
> network-timeout=0 starttls=no filter="(objectclass=*)" scope=sub
> schemachecking=off
> olcSyncrepl: {3}rid=4 provider=ldap://ldapservertest04:10389/
> binddn="cn=manager,dc=example,dc=com" bindmethod=simple
> credentials=dontshare searchbase="dc=example,dc=com" attrs="*,+"
> type=refreshAndPersist retry="5 +" timeout=0 keepalive=5:5:5
> network-timeout=0 starttls=no filter="(objectclass=*)" scope=sub
> schemachecking=off
Remove the pointer back to itself on each server, so they stop trying to
replicate from themselves, or use a URL with the serverID.
Also, what version of OpenLDAP are you using?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 6 months