openldap-technical July 2018

openldap-technical@openldap.org

31 participants
28 discussions

Re: Replication mutli-master via DNS record ?
by Lirien Maxime 27 Jul '18

27 Jul '18

Thanks Quanah. On Thu, Jul 26, 2018 at 10:20 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Thursday, July 26, 2018 4:28 PM +0200 Lirien Maxime < > maxime.lirien(a)gmail.com> wrote: > > b) Master to multi-master >> >> Mirrormode is set to TRUE. >> Can I use only one "syncrepl" with the DNS record ldap://master.toto.fr >> Or should I set one "syncrepl" for each master ? >> > > One syncrepl to each master. > > --Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Replication mutli-master via DNS record ?
by Lirien Maxime 26 Jul '18

26 Jul '18

Hi all, I have 3 masters and 3 slaves. Two DNS records : - Masters are recorded under master.toto.fr - Slave are recorded under slave.toto.fr Two type of replication : a) Slave to master Slaves replicate from one of 3 master with this configuration : syncrepl rid=100 provider=ldap://master.toto.fr/ type=refreshAndPersist interval=00:00:30:00 [...] b) Master to multi-master Mirrormode is set to TRUE. Can I use only one "syncrepl" with the DNS record ldap://master.toto.fr Or should I set one "syncrepl" for each master ? I mean , in my master1 conf file can I use this : syncrepl rid=1 provider=ldap://master.toto.fr/ type=refreshAndPersist interval=00:00:30:00 [...] or syncrepl rid=12 provider=ldap://IP_master2.toto.fr/ type=refreshAndPersist interval=00:00:30:00 [...] syncrepl rid=13 provider=ldap://IP_master3.toto.fr/ type=refreshAndPersist interval=00:00:30:00 [...] Thanks guys.

2 1

ldapmodify -Y EXTERNAL failure - Confidentiality required (13)
by Mark Foster 26 Jul '18

26 Jul '18

This used to work... $ sudo ldapmodify -Y EXTERNAL -f 30logging.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Confidentiality required (13) additional info: stronger confidentiality required The log says slapd[1266]: conn=6619437 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71 This is my olcSecurity setting: olcSecurity: ssf=128 simple_bind=128 How would I fix this? It seems to be a catch-22.

3 2

Re: AW:ldap server stops responding periodically?
by John Jasen 23 Jul '18

23 Jul '18

On 07/20/2018 04:41 AM, Ulrich.Windl(a)rz.uni-regensburg.de wrote: > Hi! > > Stupid question: could it be your load-balancer that had a problem? > How does the netstat look like (sockets opened, queued data, etc.?) I do not believe it to be the load-balancer. They log loss of contact with the LDAP servers and drop them from the relay group shortly after one of these events start; and when it gets cleaned up, they're added back in. I also do not suspect network between the load balancers and the LDAP servers. During such an event, ps -efT will usually show slapd running at full thread capacity. Comparing that to threads in cn=monitor is not possible, as those ldap searches fail. Open sockets does not substantially change until after the event subsides. The servers will show 1200-2000 open sockets before an event, and drop lower when it clears up -- to quickly scale back up to pre-event levels. The queues will show data being held until the socket(s) time out. Thanks for the feedback!

2 1

Re: ldap server stops responding periodically? WAS: openldap-technical Digest, Vol 128, Issue 12
by John Jasen 21 Jul '18

21 Jul '18

On 07/21/2018 08:00 AM, openldap-technical-request(a)openldap.org wrote: > From: Ryan Tandy <ryan(a)nardis.ca> To: openldap-technical(a)openldap.org > Subject: Re: ldap server stops responding periodically? Message-ID: > <20180720185004.po4pckupxyjrrih4(a)comet.nardis.ca> Content-Type: > text/plain; charset=iso-8859-1; format=flowed On Fri, Jul 20, 2018 at > 08:39:55PM +0200, Dieter Kl?nter wrote: >> If that really is 2.4.4 > Given the mention of "CentOS7 stock RPM" I would expect this was a typo > and John is actually running 2.4.44. Yes, my apologies. I meant 2.4.44. -- John Jasen

1 0

back-ldap redirect RootDSE? RWM re-encode attributes?
by B Galliart 21 Jul '18

21 Jul '18

I am trying to use OpenLDAP slapd to proxy to multiple LDAP servers but run into some issues with how the LDAP client application is written. I wondered if anyone has any suggestions for doing either of the following with slapd: (1) Can the back-ldap suffix override the RootDSE of the OpenLDAP server so that all RootDSE requests get proxied? (2) Is there a way with the RWM or a different overlay to convert specific attributes to hex or MIME before passing it back to the LDAP client? For example, if an attribute is given to back-ldap as a BLOB, can it convert the BLOB to hex before passing it along? It would be nice to have the option to do both of the above but for my current situation being able to do just one or the other would work. Thanks

1 0

ldap server stops responding periodically?
by John Jasen 20 Jul '18

20 Jul '18

Summary: an openldap 2.4.4 (CentOS7 stock RPM) replication consumer slapd server stops responding to requests for a period of up to fifteen minutes. Environment: Two centos7 ldap servers in mirror mode, providers to 4 openldap syncrepl consumers. The systems are 2 CPU, 12 core Intel Xeon E5-2420s, and have 48GB of RAM. The four consumers are load-balanced through a FreeBSD "relayd" redirector, facing approximately six thousand clients. Problem: Periodically, one or more (or all) of the consumers will stop responding, including localhost cn=monitoring traffic and anything over the network. Note, only slapd stops responding. email out, logging in, etc, all remain unaffected. Analysis after the event starts doesn't show anything unusual in CPU usage or memory. Analysis of the ldap logs doesn't show anything unusual in number of requests, number of connects, etc until the system stops responding -- at which point, they drop to zero. I'm stumped as to a) what's causing it, and b) how to address it on the slapd side so my servers stop dozing off. Any suggestions? -- John Jasen (jjasen(a)gmail.com)

4 3

Re: ldap server stops responding periodically? WAS: openldap-technical Digest, Vol 128, Issue 11
by John Jasen 20 Jul '18

20 Jul '18

On 07/20/2018 08:00 AM, openldap-technical-request(a)openldap.org wrote: > Date: Thu, 19 Jul 2018 13:50:47 -0500 From: Andy Dorman > <adorman(a)ironicdesign.com> To: openldap-technical(a)openldap.org > Subject: Re: ldap server stops responding periodically? Message-ID: > <6ca235e9-10e6-df27-f06c-359875407a6b(a)ironicdesign.com> Content-Type: > text/plain; charset=utf-8; format=flowed > <snip> > So when this happens you can still log into the consumer and run typical > slapdump/slapcat, ldapsearch, etc. commands with no problem? or are you > only losing access via the network? I've not tried slap* commands on an afflicted consumer, nor have I tried locally through ldapi:/// Both are good ideas. Thank you. local lapsearch, etc with a URL to the listening network socket fail from localhost as well.

1 0

Where does the debugging message come from?
by Ray Lauff 16 Jul '18

16 Jul '18

Hello- I'm testing out some local mods I've made to the ldapsearch command and I have the -d 2 flag to enable debugging set. /usr/local/src/openldap/openldap-2.4.46/clients/tools/ldapsearch -h ldap-test1.test.org -p 11389 -ZZ -D cn=somecn -w somepw -b 'dc=test,dc=org' '(uid=husk)' -d 2 When I run this, I get a lot of what I need, but I noticed the following is emitted at the top. *Using CA cert /etc/openldap/cacerts/ca-bundle.crt as stipulated by environment variable $LDAPTLS_CACERT.* I was looking to see where in the openldap code this string comes from, but I can't seem to find it. (I thought a thorough 'grepping' would locate it, but it did not, nor does strings /usr/local/src/openldap/openldap-2.4.46/clients/tools/ldapsearch |grep "stipulated" ). So it's from the ssl library I assumed. Nope, didn't find it there either. Can someone point me to where it comes from please? Sorry if this is a dumb question that I should already know.

2 1

Is checkpoint required any more?
by Geoff Swan 11 Jul '18

11 Jul '18

I am running openldap-2.4.44 (source build) using lmdb backend with configuration set in slapd.conf on a Linux machine. The configuration includes dbnosync and also checkpoint settings. The kernel vm settings are flushing dirty cache pages to disc periodically, so my question is what is the reason for the checkpoint setting if the kernel is already taking care of page flushing?

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2018