openldap-technical August 2018

openldap-technical@openldap.org

27 participants
29 discussions

Q: Co-existence of OpenLDAP and 389 Directory Server?
by Ulrich Windl 24 Aug '18

24 Aug '18

Hi! As stated some time ago the SUSE Linux Enterprise Server 15 (SLES15) switched from OpenLDAP to 389 Directory Server. Trying the latter, I see that it still works with BDB (4.8), and setup is easy. It also seems to have modern features like these: \n+Entry cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added \n+Entry cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added \n+Entry cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added \n+Entry cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added \n+Entry cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added \n+Entry cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added \n+Entry cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added However I wonder if it's possible to integrate a 389DS (ns-slapd, http://www.port389.org/) into an OpenLDAP multi-master configuration. Definitely one cannot sync the configuration section, because it's too different. For example the ACL Syntax looks like this: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";) Regards, Ulrich

3 4

OpenLDAP instances crashes
by Saurabh Lahoti 23 Aug '18

23 Aug '18

Dear, Today, received below error in /var/log/messages with OpenLDAP instance crashing. Aug 16 13:21:07 muledeer kernel: slapd[29253]: segfault at 0 ip 00007fbeddf3af09 sp 00007fb72effc480 error 4 in uniquemember.so.0.0.0[7fbeddf3a000+2000] Aug 16 13:21:08 muledeer abrt[24629]: Saved core dump of pid 16470 (/usr/app/ldap/openldap2.4.46/libexec/slapd) to /var/spool/abrt/ccpp-2018-08-16-13:21:07-16470 (472973312 bytes) Aug 16 13:21:08 muledeer abrtd: Directory 'ccpp-2018-08-16-13:21:07-16470' creation detected Aug 16 13:21:08 muledeer abrtd: Executable '/usr/app/ldap/openldap2.4.46/libexec/slapd' doesn't belong to any package and ProcessUnpackaged is set to 'no' Aug 16 13:21:08 muledeer abrtd: 'post-create' on '/var/spool/abrt/ccpp-2018-08-16-13:21:07-16470' exited with 1 Aug 16 13:21:08 muledeer abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2018-08-16-13:21:07-16470' Could you please guide us in finding probable root of this error..? ---- *Thanks & Kind Regards,* Saurabh LAHOTI. *Ideas enlighten Innovation**!!!* Please consider the environment before printing this mail..!!

6 13

help to get our openldap updated and replicated
by admin＠genome.arizona.edu 23 Aug '18

23 Aug '18

Hi all, I am about the 4th sysadmin for our organization, and our openldap is old, 2.4.40 system version for CentOS 6.9. Also there might have been incorrect modifications to the slapd.d files since it was really difficult to update things. The olcRootDN was set to "cn=config" somehow so I had to manually update that to the Manager account and figure out the CRC32 and everything, but at least I could make some updates now. Anyway, I would like to get our installation updated to a current version, as well as set up some sort of replication with our other server, in case one goes down then our users could still login and use our applications, or I could still add/delete users. Perhaps a multi-master config would be best? (Also maybe update the databases too since they are using bdb format? but maybe that is just unnecessary extra work) I tried to setup replication by following a guide, but was not successful and actually made things worse for our demon, so had to undo the changes for now. I guess 2.4.40 has some problems with replication anyway from what I've heard. First, to get openldap updated, would it be as simple as compiling the new version and then updating the init script /etc/init.d/slapd to point to the new binaries? I would stop slapd and get a backup of /etc/openldap and /var/lib/ldap. Then I could just leave our current config in /etc/openldap and databases in /var/lib/ldap? I've already built the new version and "make test" was successful so am ready to proceed from there with your assistance and suggestions. Thanks, -- Chandler Arizona Genomics Institute www.genome.arizona.edu

2 1

OpenLDAP Developer Day 2018
by Howard Chu 22 Aug '18

22 Aug '18

In case you missed it, we're holding an event to celebrate the 20th anniversary of the OpenLDAP Project this October in Germany. Talks are being solicited now. https://daasi.de/de/call-for-content_odd2018/ -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

OpenLDAP Developpers Day Silver Jubilee
by Peter 22 Aug '18

22 Aug '18

Dear all, something completely different: Join Us Celebrating 20 Years of OpenLDAP The community is coming together! ON:*October 8th, 2018* IN:*Tübingen, Germany* LOCATION: *Computing Center of the University of Tübingen* You are invited to join this forum, which is a great way to share and discuss your ideas, achievements and visions with the community. With this Call for Content we want to enable the community to continue the professional discourse. For this we are looking for contributions: either deployment success stories or reports on new development activities. This event brings together developers of OpenLDAP software, directory researchers and other OpenLDAP community members interested in discussing ongoing and future development efforts. If you want to participate and to present a topic, please contact odd-silverjubilee(a)daasi.de <mailto:odd-silverjubilee@daasi.de>before September 10th, 2018. Meet the team, learn and network. More info at: https://daasi.de/en/2018/08/14/5th-openldap-developer-day-2018-20-years-are… And please forward this to people connected with OpenLDAP. Cheers, Peter -- _______________________________________________________________________ Peter Gietz (CEO) DAASI International GmbH phone: +49 7071 407109-0 Europaplatz 3 Fax: +49 7071 407109-9 D-72072 Tübingen mail: peter.gietz(a)daasi.de Germany Web: www.daasi.de DAASI International GmbH, Tübingen Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175 Directory Applications for Advanced Security and Information Management _______________________________________________________________________

1 0

Re: Multiprocess LMDB transaction: resource not available
by Stefano Cossu 19 Aug '18

19 Aug '18

So, while perusing lmdb.h I saw this: > Use an MDB_env* in the process which opened it, not after fork(). That was my problem. It had nothing to do with transactions. I need to open the environment and hold a separate handle in each process. Right? Moving the mdb_env_create and mdb_env_open functions and related variables inside the get_() function got rid of the errors. In my dummy code below that is obviously terribly expensive, but my real application is running a pool of long-lived workers (HTTP server) and the cost of opening the environments only happens at server start. Thanks, Stefano On 08/19/2018 10:36 AM, Stefano Cossu wrote: > Hello, > I am writing a framework in Cython using multi-process access to an LMDB > database. I ran into a "Resource not available" error. > > I isolated the problem in the following script (this is Cython calling > the LMDB C API, so bear with the hybrid syntax): > > > import time > cimport cylmdb as lmdb # This is a Cython header mirroring lmdb.h > > import multiprocessing > import threading > > cdef: > lmdb.MDB_env *env > lmdb.MDB_dbi dbi > > > cdef void _check(int rc) except *: > if rc != lmdb.MDB_SUCCESS: > out_msg = 'LMDB Error ({}): {}'.format( > rc, lmdb.mdb_strerror(rc).decode()) > raise RuntimeError(out_msg) > > > cpdef void get_() except *: > cdef: > lmdb.MDB_txn *txn > lmdb.MDB_val key_v, data_v > > _check(lmdb.mdb_txn_begin(env, NULL, lmdb.MDB_RDONLY, &txn)) > > key_v.mv_data = b'a' > key_v.mv_size = 1 > > _check(lmdb.mdb_get(txn, dbi, &key_v, &data_v)) > print((<unsigned char *>data_v.mv_data)[:data_v.mv_size]) > time.sleep(1) > _check(lmdb.mdb_txn_commit(txn)) > print('Thread {} in process {} done.'.format( > threading.currentThread().getName(), > multiprocessing.current_process().name)) > > > def run(): > cdef: > unsigned int flags = 0 > #unsigned int flags = lmdb.MDB_NOTLS # I tried this too. > lmdb.MDB_txn *wtxn > lmdb.MDB_val key_v, data_v > > # Set up environment. > _check(lmdb.mdb_env_create(&env)) > _check(lmdb.mdb_env_set_maxreaders(env, 128)) > _check(lmdb.mdb_env_open(env, '/tmp/test_mp', flags, 0o644)) > > # Create DB. > _check(lmdb.mdb_txn_begin(env, NULL, 0, &wtxn)) > _check(lmdb.mdb_dbi_open(wtxn, NULL, lmdb.MDB_CREATE, &dbi)) > > # Write something. > key_v.mv_data = b'a' > key_v.mv_size = 1 > ts = str(time.time()).encode() > data_v.mv_data = <unsigned char *>ts > data_v.mv_size = len(ts) > _check(lmdb.mdb_put(wtxn, dbi, &key_v, &data_v, 0)) > _check(lmdb.mdb_txn_commit(wtxn)) > > > print('Multiprocess jobs:') > for i in range(5): > multiprocessing.Process(target=get_).start() > # Env should be closed only after all processes return. > #lmdb.mdb_env_close(env) > > > If I execute run(), the first process runs successfully, but apparently > it's holding on to some resources that the other processes need. > > Multiprocess jobs: > b'1534691578.4300401' > Process Process-2: > Traceback (most recent call last): > File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in > _bootstrap > self.run() > File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run > self._target(*self._args, **self._kwargs) > File "lakesuperior/sandbox/threading_poc.pyx", line 23, in > lakesuperior.sandbox.threading_poc.get_ > cpdef void get_() except *: > File "lakesuperior/sandbox/threading_poc.pyx", line 28, in > lakesuperior.sandbox.threading_poc.get_ > _check(lmdb.mdb_txn_begin(env, NULL, lmdb.MDB_RDONLY, &txn)) > File "lakesuperior/sandbox/threading_poc.pyx", line 20, in > lakesuperior.sandbox.threading_poc._check > raise RuntimeError(out_msg) > RuntimeError: LMDB Error (11): Resource temporarily unavailable > Process Process-3: > Traceback (most recent call last): > File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in > _bootstrap > self.run() > File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run > self._target(*self._args, **self._kwargs) > File "lakesuperior/sandbox/threading_poc.pyx", line 23, in > lakesuperior.sandbox.threading_poc.get_ > cpdef void get_() except *: > File "lakesuperior/sandbox/threading_poc.pyx", line 28, in > lakesuperior.sandbox.threading_poc.get_ > _check(lmdb.mdb_txn_begin(env, NULL, lmdb.MDB_RDONLY, &txn)) > File "lakesuperior/sandbox/threading_poc.pyx", line 20, in > lakesuperior.sandbox.threading_poc._check > raise RuntimeError(out_msg) > RuntimeError: LMDB Error (11): Resource temporarily unavailable > Process Process-4: > > Process Process-5: > Traceback (most recent call last): > File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in > _bootstrap > self.run() > File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run > self._target(*self._args, **self._kwargs) > File "lakesuperior/sandbox/threading_poc.pyx", line 23, in > lakesuperior.sandbox.threading_poc.get_ > cpdef void get_() except *: > Traceback (most recent call last): > File "lakesuperior/sandbox/threading_poc.pyx", line 28, in > lakesuperior.sandbox.threading_poc.get_ > _check(lmdb.mdb_txn_begin(env, NULL, lmdb.MDB_RDONLY, &txn)) > File "lakesuperior/sandbox/threading_poc.pyx", line 20, in > lakesuperior.sandbox.threading_poc._check > raise RuntimeError(out_msg) > File "/usr/lib/python3.6/multiprocessing/process.py", line 258, in > _bootstrap > self.run() > File "/usr/lib/python3.6/multiprocessing/process.py", line 93, in run > self._target(*self._args, **self._kwargs) > File "lakesuperior/sandbox/threading_poc.pyx", line 23, in > lakesuperior.sandbox.threading_poc.get_ > cpdef void get_() except *: > RuntimeError: LMDB Error (11): Resource temporarily unavailable > File "lakesuperior/sandbox/threading_poc.pyx", line 28, in > lakesuperior.sandbox.threading_poc.get_ > _check(lmdb.mdb_txn_begin(env, NULL, lmdb.MDB_RDONLY, &txn)) > File "lakesuperior/sandbox/threading_poc.pyx", line 20, in > lakesuperior.sandbox.threading_poc._check > raise RuntimeError(out_msg) > RuntimeError: LMDB Error (11): Resource temporarily unavailable > > > If I run the same function multiple times on the same process, > everything is fine. > > Can someone point out what is wrong with this script? > > Thank you, > Stefano > > > -- exitsts .not exeunt hoall. http://stefano.cossu.cc

1 0

Re: Possible transaction issue with LMDB
by Howard Chu 17 Aug '18

17 Aug '18

William Brown wrote: > On Fri, 2018-08-17 at 07:33 +0100, Howard Chu wrote: >> William Brown wrote: >>> On Fri, 2018-08-17 at 07:06 +0100, Howard Chu wrote: >>>>> I'm quite aware that it is COW - this issue is specific to COW >>>>> trees. >>>>> Transactions must be removed in order, they can not be removed >>>>> out >>>>> of >>>>> order. It is about how pages are reclaimed for the freelist >>>> >>>> Incorrect. >>> >>> We may have to "agree to disagree" then. >> >> Pure, utter nonsense. You're simply wrong, and at this point you're >> spewing FUD. > > You know what - I made a mistake. I read "free list" when it should be > "pending free list". Which makes much more sense, but is poorly > signaled in the naming conventions. > > I also misread this comment about "incorrect". You meant "incorrect" > about the reclaiming of freelist not about the ordering. > > Instead of trying to have a constructive discussion, I believe your > responses here were quite hostile, and their "short" nature has led to > further miscommunication. My mistake was answering too quickly. I have > removed myself from the list because I really just don't want to be > involved in this style of discussion in the future. You claimed to have actual code showing a misbehavior in LMDB when the described misbehavior is impossible. That's not a misunderstanding or a mistake - that's pure fabrication. Dishonesty is absolutely not welcome. Bye. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Possible transaction issue with LMDB
by William Brown 16 Aug '18

16 Aug '18

Hi there, While doing some integration testing of LMDB I noticed that there may be an issue with out of order transaction handling. The scenario is: Open Read TXN A Open Write TXN X, and change values of the DB Commit X Open Read TXN B Open Write TXN Y, and change values of the DB Commit Y Open Read TXN C Abort/Close TXN B. At this point, because of the page touch between A -> B and B -> C, B now believes that the pages of A are the "last time" they are available as they were all subsequently copied for TXN C. The pages of A are then added to the freelists when B closes. When TXN A is read from the data may have been altered due to future writes as LMDB attempts to use previously allocated pages first. This situation is more likely to arise on large batch writes, but could manifest with smaller series of writes. This would be a silent issue, as the over-written pages may be valid, and could cause data to "silently vanish" inside of the read transaction A leading to unpredictable results. I hope that this report helps you to diagnose and resolve the issue. -- Sincerely, William

3 6

Re: [LMDB] What pointer is returned with combination of MDB_WRITEMAP and MDB_RESERVE?
by Victor Baybekov 16 Aug '18

16 Aug '18

Hello, Working with overflow pages directly via pointers outside write transactions works great and it helps that they do not move "by design" in current versions as discussed in this thread. I have two related scenarios that will give a substantial performance boost in my case. *The first one* is updating a value in-place via pointer from aborted write transaction. If I 1) use MDB_WRITEMAP, 2) from **write** transaction find a record (which is small and not in an overflow page), 3) modify a part of it's value (for duplicates this part is not used in the compare function) directly via the MDB_VAL data pointer (e.g. interlocked_increment or compare_and_swap), 4) and **abort** the transaction, then readers see the updated value via normal read transactions later. Since I do the direct updates from inside a write transaction all other writers should be locked until I exit the transaction (abort in this case), and no pages should move since the transaction is aborted. Is this correct? Does this work "by design" or "by accident" currently? *The second one* is about updating values in-place from read transactions. If I 1) use MDB_WRITEMAP, 2) open a database with MDB_INTEGERKEY (and could use a dedicated environment with a single DB if that changes the answer), 3) add values to the DB *only* using MDB_APPEND | MDB_NOOVERWRITE, 4) modify a part of a value directly via the MDB_VAL data pointer, is it possible that the page from the read transaction is replaced with a new one if there is a parallel write transaction? There is a quote from Howard on GitHub (https://github.com/lmdbjava/ benchmarks/issues/9#issuecomment-354184989): "When we do sequential inserts using MDB_APPEND, there is* no page split at all* - we just allocate a new page and fill it, sequentially." Does this mean that if there are no page splits then existing pages do not move as well, and it is "safe" to use pointers outside of write transactions as is the case with the overflow pages? In both cases I update values of a struct that indicate e.g. some lifecycle stage of an object the LMDB record refers to and stage transitions are idempotent. If a direct pointer write doesn't make to disk due to system failure subsequent readers (workers) will see an older stage and repeat stage transition. Therefore missed direct writes do not break application logic, I only care about physical corruption of the entire DB. If I update the values in-place inside read transactions and the page becomes stale this should not corrupt DB since the old page will go to the free list only after the read transaction is finished, so this "hack" should not break DB. But then missed writes will be a norm and not a special-case on OS failure. But if pages do not move, all these "soft" updates could be done in parallel and be very fast. Unfortunately I cannot answer this myself while trying to read the mbd.c file. In the second scenario I'm specifically concerned what is happening when DB becomes large and the tree needs rebalancing. At least in this case some pages need to move, but does the rebalancing replace/split existing pages? Thanks & best regards, Victor On Fri, Oct 30, 2015 at 9:26 PM, Howard Chu <hyc(a)symas.com> wrote: > Victor Baybekov wrote: > >> Thanks a lot! My proof-of-concept code works OK. >> >> I do not understand all subtle details of mmap reliability, could you >> please >> help with these two: >> >> If I write data to a pointer to an opaque blob as discussed above, and my >> process crashes before mdb_env_sync, but OS doesn't crash - will that >> data be >> secure in the mmap file? >> > > Of course. The OS owns the memory, it doesn't matter if your process > crashes. > > Also, am I correct that mdb_env_sync synchronizes all dirty pages in the >> mmap >> file as seen by a file system, regardless how they were modified - either >> via >> LMDB API or via a direct pointer writes? >> > > Yes. > > As for "you could at least set a callback to notify you that a block has >> moved" - if that is implemented, it would be nice to have a notification >> /before/ a block is moved (with old and new address, so that right after >> the >> callback it is OK to use the new address), otherwise this non-intended but >> convenient use of LMDB won't work anymore. >> > > "right after the callback it is OK to use the new address" - that's the > point of the callback, it's job is to make the new address valid. So yes, > when it returns, you use the new address. > >> >> >> Best regards, >> Victor >> >> >> >> On Sat, Oct 3, 2015 at 1:27 AM, Howard Chu <hyc(a)symas.com >> <mailto:hyc@symas.com>> wrote: >> >> Howard Chu wrote: >> >> Victor Baybekov wrote: >> >> Thank you! I understand this copy-on-write behavior, but am >> interested if I >> could control it a little. What if I use records that are >> always >> much bigger >> than a single page, e.g. 100 kb with 4kb pages, and make sure >> that >> a record is >> never updated (via LMDB means) during a lifetime of an >> environment, - is there >> any scenario that the location of such a big record could be >> changed during a >> lifetime of an environment, without updating the record? >> >> >> At this point in time, no, if you don't update a large record >> there is no >> reason that it will move. That is not to say that this won't >> change in the >> future. The documentation tells you what promises we are willing >> to make. >> Relying on any non-documented behavior is your own responsibility. >> >> >> Note that the relocation functions in LMDB are intended to accommodate >> blocks being moved around. The actual guts of that API haven't been >> implemented, but probably in 1.x we'll flesh them out. Given that >> support, >> you could at least set a callback to notify you that a block has >> moved. >> But currently, overflow pages don't move if they're not modified. >> >> >> >> >> On Fri, Oct 2, 2015 at 4:38 PM, Howard Chu <hyc(a)symas.com >> <mailto:hyc@symas.com> >> <mailto:hyc@symas.com <mailto:hyc@symas.com>>> wrote: >> >> Victor Baybekov wrote: >> >> Hi, >> >> Docs for MDB_RESERVE say that a returned pointer to >> the >> reserved >> space is >> valid "before the next update operation or the >> transaction ends." Docs >> for MDB_WRITEMAP say that it "writes directly to the >> mmap >> instead of >> using >> malloc for pages." Does combining the two options >> return >> a pointer >> directly to >> a place in a mmap >> >> >> Yes. >> >> so that this pointer could be used after a >> transaction ends >> or after the next update? >> >> >> No. >> >> Longer answer: maybe. >> >> Full answer: LMDB is copy-on-write. If you update another >> record on the >> same page, in a later transaction, the contents of that >> page >> will be >> copied to a new page and the original page will go onto >> the >> freelist. In >> that case, the pointer you got must not be used again. >> >> If you don't directly update that page and cause it to be >> copied, then you >> might get lucky and be able to use the pointer for a >> while. >> It all depends >> on what other modifications you do and how they affect >> that >> node or >> neighboring nodes. >> >> >> I have a use case where I want to somewhat abuse LMDB >> safety for >> convenience. >> If I could get a pointer to a place inside a mmap I >> could >> work with >> LMDB value >> as opaque blob or as a region inside the single big >> mmap. >> This could >> be more >> convenient than creating and opening hundreds of >> temporary memory >> mapped files >> and keeping open handles to them. For example, Aeron >> terms could be >> stored >> like this: a stream id per an LMDB db and a term id >> for a >> key in the >> db. >> >> >> Thanks! >> Victor >> >> > > -- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >

2 2

permissions replication
by Miroslav Misek 13 Aug '18

13 Aug '18

Hi, I am setting up master-slave replication for our off-site office, so it can use authentication against ldap even with internet connectivity issues. Replication itself is working without problems. But it replicates only data and not olcAccess attributes on database. So I have to set them manually. Please is there any way to replicate those attributes too? I found only one way, and it is master-master replication of cn=config database. And it is not usable in our environment. Off-site office don`t have public ip. And it is better for me to have this ldap instance read-only. Thank you, Miroslav Misek

4 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2018