Replication multi-master via DNS record?
by Lirien Maxime
Hi all,
I have 3 masters and 3 slaves.
Two DNS records:
- Masters are recorded under master.toto.fr
- Slaves are recorded under slave.toto.fr
Two types of replication:
a) Slave to master
Slaves replicate from one of the 3 masters with this configuration:
syncrepl rid=100
    provider=ldap://master.toto.fr/
    type=refreshAndPersist
    interval=00:00:30:00
    [...]
b) Master to multi-master
Mirrormode is set to TRUE.
Can I use only one "syncrepl" with the DNS record ldap://master.toto.fr,
or should I set one "syncrepl" for each master?
I mean, in my master1 conf file, can I use this:
syncrepl rid=1
    provider=ldap://master.toto.fr/
    type=refreshAndPersist
    interval=00:00:30:00
    [...]
or
syncrepl rid=12
    provider=ldap://IP_master2.toto.fr/
    type=refreshAndPersist
    interval=00:00:30:00
    [...]
syncrepl rid=13
    provider=ldap://IP_master3.toto.fr/
    type=refreshAndPersist
    interval=00:00:30:00
    [...]
Thanks guys.
5 years, 2 months
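As an added illustration that is not part of the post above: master1's slapd.conf written in the layout the OpenLDAP Admin Guide uses for multi-master replication, a serverID plus one syncrepl stanza per peer, each stanza with its own rid and the peer's own hostname, so that this master holds a persistent session to every other master. Suffix, directory path, hostnames and replicator credentials are placeholders.

```conf
# Added example, not from the original post: master1's slapd.conf in the
# per-peer layout of the OpenLDAP Admin Guide's multi-master configuration.
# Suffix, directory, hostnames and replicator credentials are placeholders.
serverID 1

database    mdb
suffix      "dc=toto,dc=fr"
rootdn      "cn=admin,dc=toto,dc=fr"
directory   /var/lib/ldap
# syncrepl matches entries on entryCSN/entryUUID; index them on every master
index       entryCSN,entryUUID eq

# One stanza per peer: its own rid and the peer's own hostname, so this
# server keeps a refreshAndPersist session open to each other master.
syncrepl rid=12
    provider=ldap://master2.toto.fr/
    bindmethod=simple
    binddn="cn=replicator,dc=toto,dc=fr"
    credentials=REPLACE_WITH_REPLICATOR_SECRET
    searchbase="dc=toto,dc=fr"
    type=refreshAndPersist
    retry="30 +"
    starttls=critical

syncrepl rid=13
    provider=ldap://master3.toto.fr/
    bindmethod=simple
    binddn="cn=replicator,dc=toto,dc=fr"
    credentials=REPLACE_WITH_REPLICATOR_SECRET
    searchbase="dc=toto,dc=fr"
    type=refreshAndPersist
    retry="30 +"
    starttls=critical

mirrormode on

# Each master is also a provider for the other masters and for the slaves
overlay syncprov
syncprov-checkpoint 100 10
```

The same stanza set, with serverID and the rids changed, goes on master2 and master3; starttls=critical keeps the replicator password and the replicated data off the wire in clear.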
ldapmodify -Y EXTERNAL failure - Confidentiality required (13)
by Mark Foster
This used to work...
$ sudo ldapmodify -Y EXTERNAL -f 30logging.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Confidentiality required (13)
additional info: stronger confidentiality required
The log says:
slapd[1266]: conn=6619437 op=0
BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
mech=EXTERNAL sasl_ssf=0 ssf=71
This is my olcSecurity setting:
olcSecurity: ssf=128 simple_bind=128
How would I fix this? It seems to be a catch-22.
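As an added illustration that is not part of the post above: the global security requirement also applies to ldapi:// sessions, and those carry neither TLS nor a SASL security layer, so they are rated at the localSSF value, which defaults to 71 (the ssf=71 in the log). An ssf=128 requirement therefore rejects the local SASL/EXTERNAL bind's operations. Below, in slapd.conf syntax, the rejecting setting beside one that rates local sessions at 128; the cn=config equivalents are olcSecurity and olcLocalSSF, and the global section is assumed as the place where the requirement lives.

```conf
# Added example, not from the original post. Assumes the requirement is in
# the global section of slapd.conf; cn=config equivalents are olcSecurity
# (on cn=config or on a database) and olcLocalSSF (on cn=config).

# --- Setting that rejects the local SASL/EXTERNAL bind ---
# ldapi:// sessions have tls_ssf=0 and sasl_ssf=0, so their strength is the
# localSSF value, default 71; 71 < 128 gives "Confidentiality required".
security ssf=128 simple_bind=128

# --- Corrected: rate local (Unix-socket) sessions at the required strength ---
# This states that the ldapi:// socket's file permissions are the access
# control for local clients; network clients still need TLS with SSF >= 128.
localSSF 128
security ssf=128 simple_bind=128
```

Because the change itself is an operation on cn=config, it has to be applied by a bind that already satisfies the current requirement (for example over TLS with an SSF of at least 128) or with slapd stopped and slapd.d edited offline.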
Re: AW:ldap server stops responding periodically?
by John Jasen
On 07/20/2018 04:41 AM, Ulrich.Windl(a)rz.uni-regensburg.de wrote:
> Hi!
>
> Stupid question: could it be your load-balancer that had a problem?
> What does the netstat look like (sockets opened, queued data, etc.)?
I do not believe it to be the load-balancer. They log loss of contact
with the LDAP servers and drop them from the relay group shortly after
one of these events starts; and when it gets cleaned up, they're added
back in. I also do not suspect the network between the load balancers and
the LDAP servers.
During such an event, ps -efT will usually show slapd running at full
thread capacity. Comparing that to threads in cn=monitor is not
possible, as those ldap searches fail.
The number of open sockets does not substantially change until after the
event subsides. The servers will show 1200-2000 open sockets before an
event, and drop lower when it clears up -- to quickly scale back up to
pre-event levels.
The queues will show data being held until the socket(s) time out.
Thanks for the feedback!
Re: ldap server stops responding periodically? WAS: openldap-technical Digest, Vol 128, Issue 12
by John Jasen
On 07/21/2018 08:00 AM, openldap-technical-request(a)openldap.org wrote:
> From: Ryan Tandy <ryan(a)nardis.ca>
> Subject: Re: ldap server stops responding periodically?
> On Fri, Jul 20, 2018 at 08:39:55PM +0200, Dieter Klünter wrote:
>> If that really is 2.4.4
> Given the mention of "CentOS7 stock RPM" I would expect this was a typo
> and John is actually running 2.4.44.
Yes, my apologies. I meant 2.4.44.
-- John Jasen
back-ldap redirect RootDSE? RWM re-encode attributes?
by B Galliart
I am trying to use OpenLDAP slapd to proxy to multiple LDAP servers but run
into some issues with how the LDAP client application is written. I
wondered if anyone has any suggestions for doing either of the following
with slapd:
(1) Can the back-ldap suffix override the RootDSE of the OpenLDAP server so
that all RootDSE requests get proxied?
(2) Is there a way with the RWM or a different overlay to convert specific
attributes to hex or MIME before passing it back to the LDAP client? For
example, if an attribute is given to back-ldap as a BLOB, can it convert
the BLOB to hex before passing it along?
It would be nice to have the option to do both of the above but for my
current situation being able to do just one or the other would work.
Thanks
ldap server stops responding periodically?
by John Jasen
Summary: an openldap 2.4.4 (CentOS7 stock RPM) replication consumer
slapd server stops responding to requests for a period of up to fifteen
minutes.
Environment:
Two centos7 ldap servers in mirror mode, providers to 4 openldap
syncrepl consumers. The systems are 2 CPU, 12 core Intel Xeon E5-2420s,
and have 48GB of RAM.
The four consumers are load-balanced through a FreeBSD "relayd"
redirector, facing approximately six thousand clients.
Problem:
Periodically, one or more (or all) of the consumers will stop
responding, including localhost cn=monitoring traffic and anything over
the network. Note that only slapd stops responding; email out, logging in,
etc. all remain unaffected. Analysis after the event starts doesn't show
anything unusual in CPU usage or memory. Analysis of the ldap logs
doesn't show anything unusual in number of requests, number of connects,
etc. until the system stops responding -- at which point, they drop to zero.
I'm stumped as to a) what's causing it, and b) how to address it on the
slapd side so my servers stop dozing off.
Any suggestions?
-- John Jasen (jjasen(a)gmail.com)
Re: ldap server stops responding periodically? WAS: openldap-technical Digest, Vol 128, Issue 11
by John Jasen
On 07/20/2018 08:00 AM, openldap-technical-request(a)openldap.org wrote:
> Date: Thu, 19 Jul 2018 13:50:47 -0500
> From: Andy Dorman <adorman(a)ironicdesign.com>
> Subject: Re: ldap server stops responding periodically?
> <snip>
> So when this happens you can still log into the consumer and run typical
> slapdump/slapcat, ldapsearch, etc. commands with no problem? or are you
> only losing access via the network?
I've not tried slap* commands on an afflicted consumer, nor have I tried
locally through ldapi:///.
Both are good ideas. Thank you.
Local ldapsearch, etc. with a URL to the listening network socket fail
from localhost as well.
Where does the debugging message come from?
by Ray Lauff
Hello-
I'm testing out some local mods I've made to the ldapsearch command and I
have the -d 2 flag to enable debugging set.
/usr/local/src/openldap/openldap-2.4.46/clients/tools/ldapsearch -h
ldap-test1.test.org -p 11389 -ZZ -D cn=somecn -w somepw -b 'dc=test,dc=org'
'(uid=husk)' -d 2
When I run this, I get a lot of what I need, but I noticed the following is
emitted at the top.
Using CA cert /etc/openldap/cacerts/ca-bundle.crt as stipulated by
environment variable $LDAPTLS_CACERT.
I was looking to see where in the openldap code this string comes from, but
I can't seem to find it. (I thought a thorough 'grepping' would locate it,
but it did not, nor does
strings /usr/local/src/openldap/openldap-2.4.46/clients/tools/ldapsearch | grep "stipulated"
). So I assumed it's from the SSL library. Nope, didn't find it there
either.
Can someone point me to where it comes from please? Sorry if this is a
dumb question that I should already know.
Is checkpoint required any more?
by Geoff Swan
I am running openldap-2.4.44 (source build) using lmdb backend with
configuration set in slapd.conf on a Linux machine.
The configuration includes dbnosync and also checkpoint settings.
The kernel vm settings are flushing dirty cache pages to disc
periodically, so my question is what is the reason for the checkpoint
setting if the kernel is already taking care of page flushing?
OpenSLP anyone?
by Michael Ströder
Hi!
Is anybody here using OpenSLP with OpenLDAP libs to locate LDAP
directory servers?
I never used it, and I only vaguely remember that Novell eDirectory
instances were announced via SLP. But I don't know of any clients
supporting that, and therefore I wonder whether Linux distros should
package libldap with SLP support.
Ciao, Michael.