openldap-technical September 2018

openldap-technical@openldap.org

30 participants
24 discussions

Restarting syncrepl based provider / consumer setup trawls through whole DIT - why?
by Ole Nomann Thomsen 24 Sep '18

24 Sep '18

Hi, my problem is this: Whenever I restart a Consumer in our single-provider, multi-consumer syncrepl setup, type=refreshAndPersist (OpenLdap 2.4.45), It spends about half an hour running through the whole DIT (about 5.5 million entries), doing this for each: 2018-09-12T16:25:41.526574+02:00 nonpresent_callback: rid=001 present UUID 9b99ec5a-4cfe-1029-9a2e-80309636f032, dn ou=Authentication,o=UNI-C,c=DK I'm guessing that that the Consumer is looking up every entry to decide if it has changed. This has the unfortunate effect that the Consumer is deemed out-of-sync in the timespan (referring to the contextCSN in the root entry), even if only one entry has actually changed in the master. And it cannot be let back into the serverfarm before it is synchronized, thus making every restart of a Consumer require at least 30 mins downtime for that Consumer. If I read the docs correctly (https://www.openldap.org/doc/admin24/replication.html), there should be a synchronization cookie set after the refresh stage (and during the persist-stage). It looks to me like at least in my case, that cookie is not persistent - it seems that when the Consumer is restarted, this cookie is either lost or reset, causing the whole DIT to be read, and not just those entries, younger than the cookie. But why is it not persistent? Am a missing some obvious explanation as to why this is not possible, or have I just misconfigured something? Any hints where I should look? Is there a better way to set up replication to avoid this? Thanks - Ole N Thomsen

2 1

Trigger-like function
by Ervin Hegedüs 24 Sep '18

24 Sep '18

Hi, as I described in my previous thread[1], I have a web frontend tool, where user can modify its own password - here the password is a set of passwd attributes: userPassword, sambaNTPassword, sambaLMPassword. Is there any way that when I give access to users to modify its own password, and the user wants to modify it through LDAP(S), instead of out web frontend, the samba passwords also updated (with correct hash algorithm)? I've found that the password policy and history should handle inside of OpenLDAP, only this feature missing. I've also found slapo-shell and slapo-sock overlays, but as I interpret those mechanism, they sends the client request to an external software, so when I want to change the userPassword, the slapd send this request to the external tool, which sends a modify request to slapd, which sends the request to external tool, whcih.... Em I right? Or should I use some filter to exclude, which requests sending to external program and which not? Is there any solution for this request? Thanks, a. [1]: https://www.openldap.org/lists/openldap-technical/201809/msg00021.html

3 6

A couple of questions regarding replication and user mapping
by Karsten Heymann 21 Sep '18

21 Sep '18

Hi, I'm having a rough week as a long planned ldap migration this week went semi-bad, in that we noticed a good day after the new cluster went productive that both masters and both clients started to diverge data-wise. I'm still sorting out the details, but while troubleshooting some questions arose already. (I'm running 2.4.46+dfsg-5~bpo9+1 on debian 9 with two masters (syncrepl, mirror mode) behind a load balancer and two slaves, also behind a load balancer. I was authenticating the replication with client certificates, but had to switch back to simple bind usind rootdn/rootpw als sync credentials to rule out any acl problems causing our problems.) 1. I've read in an older debian bug report, that changing olcAuthRegexp requires a slapd restart in order to be effective. Is that still the case? If yes, could this *please* be added to the manpage and the documentation? Pretty please? 2. Is ldapwhoami supposed to also print out the result of a authz-regexp mapping? 3. The slapd.conf manpage mentions: "The replaced name can be either a DN, i.e. a string prefixed by "dn:", or an LDAP URI." Is prepending dn: really required? The examples on https://www.openldap.org/doc/admin24/sasl.html don't have it. 4. What happens when a lot of concurrent writes happen to two masters configured in mirror mode? We had a loadbalancer misconfiguration and the loadbalancers were using simple round robin to write to the masters. Can this result in diverging content on the two masters? 5. At one time we had diverging content on both masters for the same entries, probably due to a broken acl config that did not allow the sync user to see all alltributes on the other master. Is there any way to cause a "re-sync" of an entry without actually changing data on the entry? The only way I found was to use slapd -c, but And finally not a question, but a recommendation for anyone in a similiar situation: The ldifdiff-tool (https://github.com/nxadm/ldifdiff) proved extremely valuable in sorting out the mess and understanding what actually was the situation data-wise between the systems. Best regards Karsten

6 6

Password policy questions
by Ervin Hegedüs 20 Sep '18

20 Sep '18

Hi, looks like I've successfully configured the ppolicy overlay, but I have some questions. The relevant config: olcModuleLoad: {0}ppolicy structuralObjectClass: olcModuleList dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: cn=default,ou=pwpolicies,dc=hu olcPPolicyHashCleartext: FALSE olcPPolicyUseLockout: FALSE dn: cn=default,ou=pwpolicies,dc=hu cn: default objectClass: pwdPolicy objectClass: pwdPolicyChecker objectClass: device pwdAllowUserChange: TRUE pwdInHistory: 5 pwdMinLength: 10 pwdAttribute: userPassword pwdCheckQuality: 0 When I change my passwd with ldappasswd, the history check works: ldappasswd -H ldaps://dev-ldap-01:636 -W -D uid=airween,ou=Users,ou=company,dc=comp,DC=hu -S New password: Re-enter new password: Enter LDAP Password: Result: Constraint violation (19) Additional info: Password is in history of old passwords but I can set up new password with less than 10 characters, eg "abc". What em I missed? I've never read it, but looks like the policy has effect only when I'm changing passwd with 'ldappasswd', but when I'm using ldapmodify, then I can bypass the rules ldapmodify -H ldaps://dev-ldap-01:636 -D 'uid=airween,ou=Users,ou=company,dc=comp,dc=hu' -x -W -f file.ldif modifying entry "uid=airween,ou=Users,ou=company,dc=comp,DC=hu" [DONE WITH PREV PASSWD] Is it right? How can I validate the policy for all methods? Thanks, a.

3 4

Worse search performance on a branch than at the tree base
by Glover, Matthew 19 Sep '18

19 Sep '18

I'm having a performance problem with searches on a branch and I'm hoping someone can explain it. A search for "(uid=12345)" on basedn "dc=example,dc=com" with a subtree scope returns much more quickly than the same filter and scope on basedn "ou=People,dc=example,dc=com". To confirm this wasn't just a problem with my schema or configuration, I loaded Ubuntu 18 (slapd 2.4.45+dfsg-1ubuntu1), used ldctl to generate 100,000 inetOrgPerson records with uids from 00000 to 99999, loaded them in with ldapadd, then used ldctl to test performance of searches: Both tests were scope subtree, 20 seconds, hitting the test server as fast as possible with randomly generated filters of "(uid=<random uid from 00000 to 99999>)". basedn: dc=example,dc=com - 5455.30/sec - total: 109106 successful searches basedn: ou=People,dc=example,dc=com - 198.80/sec - total: 3976 successful searches Also, while testing against ou=People, the CPU load from slaps went through the roof. It feels rather like the index isn’t being used when the base isn’t the root. I can provide the ldif of my test users and the parameters I used for ldctl tests if desired. Thanks for any help you can offer, Matthew

2 2

groupOfMembers doesn't work with memberOf overlay
by tran dung 19 Sep '18

19 Sep '18

Hi I am using groupOfNames and memberOf overlay works fine. However, groupOfNames requires "member" attribute so in case a group doesn't have a member, I have to use a dummy user. Since groupOfMembers doesn't require "member" attribute, I replaced groupOfNames by groupOfMembers in ldif file and re-built ldap server. However, when I delete member attribute, corresponding menberOf isn't deleted. When I add member attribute, memberOf isn't added. Is this expected behavior of groupOfMembers or is something missing in memberOf overlay setting? Here is my memberOf overlay setting ------------------------------------- # Memberof overlay overlay memberof memberof-dangling drop memberof-refint true ------------------------------------- Best Regards ----------------------- Tran Dung

2 2

Insufficient acces in some cases
by Ervin Hegedüs 19 Sep '18

19 Sep '18

Hi, there is an interesting insufficient access problem... There are 3 (in dev environment 2) multimaster ldap node. There is a simple web frontend, written in PHP, where user can change its own password, or can get a link to set up a new pass if old one had lost. In some cases (some users) the user can't change the own password through PHP. When I change it from webserver with ldapmodify and a simple ldif file, it works as well. But when I try to modify the passwd through PHP, I got "Insufficient access" error, and these lines are in syslog: Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1 Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60 Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u Sep 18 17:48:13 dev-ldap-01 slapd[12125]: = Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 1 Sep 18 17:48:13 dev-ldap-01 slapd[12125]: , Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c Sep 18 17:48:13 dev-ldap-01 slapd[12125]: = Sep 18 17:48:13 dev-ldap-01 slapd[12125]: w Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i Sep 18 17:48:13 dev-ldap-01 slapd[12125]: f Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c Sep 18 17:48:13 dev-ldap-01 slapd[12125]: l Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d Sep 18 17:48:13 dev-ldap-01 slapd[12125]: , Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c Sep 18 17:48:13 dev-ldap-01 slapd[12125]: = Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p Sep 18 17:48:13 dev-ldap-01 slapd[12125]: a Sep 18 17:48:13 dev-ldap-01 slapd[12125]: n Sep 18 17:48:13 dev-ldap-01 slapd[12125]: y Sep 18 17:48:13 dev-ldap-01 slapd[12125]: , Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c Sep 18 17:48:13 dev-ldap-01 slapd[12125]: = Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u Sep 18 17:48:13 dev-ldap-01 slapd[12125]: (I replaced names and chars, so the match[dn0] numbers are not correct). Only few users can trigger this problem (don't know why), and only through PHP. What's the problem here? Thanks, a.

2 7

Re: Re: OpenLDAP instances crashes
by Saurabh Lahoti 17 Sep '18

17 Sep '18

Hi, Tried with the clone command & received below error: Initialized empty Git repository in /usr/app/ldap/ReOpenLDAP-mobiuniquemember/ReOpenLDAP/.git/ error: while accessing https://github.com/leo-yuriev/ReOpenLDAP.git/info/refs fatal: HTTP request failed What could be wrong here from my side..? ---- *Thanks & Kind Regards,* Saurabh LAHOTI. *Ideas enlighten Innovation**!!!* Please consider the environment before printing this mail..!! On Fri, 14 Sep 2018 at 12:19, Леонид Юрьев <leo(a)yuriev.ru> wrote: > Hi, Saurbh. > > I apologize, long time did not answer, was off-line. > But there would be no problem if you did everything exactly as I wrote. > > Once again: > git clone https://github.com/leo-yuriev/ReOpenLDAP.git -b > mobiuniquemember > cd ReOpenLDAP > ./bootstrap.sh > ./configure --enable-contrib --prefix=... [other relevant options...] > make > make install > > On the other hand, building from the source requires certain competencies. > For instance, you should be known about all implicit (git, make, > autotools, gcc, binutils...) pre-requirements tools and packages/libraries, > and be able to install it. > Also you should known about `configure` and about corresponding options. > > Leonid. > > > пт, 14 сент. 2018 г. в 12:40, Saurabh Lahoti <saurabh.astronomy(a)gmail.com > >: > >> Many thanks Brian for your kind help. >> >> Tried with the command mentioned, below is the output: >> >> root@souslik # sh -x ./bootstrap.sh >> + '[' '' = --dont-cleanup ']' >> + rm -rf '/usr/app/ldap/LdapTest/*' >> + git clean -x -f -d -e tests/testrun -e releasenotes.txt >> fatal: Not a git repository (or any of the parent directories): .git >> + failure cleanup >> + echo 'Oops, cleanup failed ;(' >> Oops, cleanup failed ;( >> + exit 2 >> >> Could you please guide further on this..? >> ---- >> >> *Thanks & Kind Regards,* >> Saurabh LAHOTI. >> *Mob: +32.499.82.37.88* >> *Ideas enlighten Innovation**!!!* >> Please consider the environment before printing this mail..!! >> >> >> >> >> >> On Thu, 13 Sep 2018 at 23:56, Brian Reichert <reichert(a)numachi.com> >> wrote: >> >>> On Thu, Sep 13, 2018 at 10:12:34PM +0200, Saurabh Lahoti wrote: >>> > Dear, >>> > >>> > What does below error mean..? >>> > >>> > fatal: Not a git repository (or any of the parent directories): .git >>> > Oops, cleanup failed ;( >>> > >>> > While running bootstrap.sh, above mentioned error was interpreted. >>> >>> I think the source for 'bootstrap.sh' is here: >>> >>> https://github.com/leo-yuriev/ReOpenLDAP/blob/master/bootstrap.sh >>> >>> I only see one invocation of 'git' in that script, and I don't see >>> why that would fail. >>> >>> Try running >>> >>> sh -x ./bootstrap.sh >>> >>> That will show the commands the script is running; they may provide >>> a clue as to what command was being run, and with what arguments. >>> >>> > ---- >>> > >>> > *Thanks & Kind Regards,* >>> > Saurabh LAHOTI. >>> > *Ideas enlighten Innovation**!!!* >>> > Please consider the environment before printing this mail..!! >>> > >>> > >>> > >>> > >>> > >>> > On Thu, 30 Aug 2018 at 08:04, Ulrich Windl < >>> > Ulrich.Windl(a)rz.uni-regensburg.de> wrote: >>> > >>> > > >>> Saurabh Lahoti <saurabh.astronomy(a)gmail.com> schrieb am >>> 29.08.2018 um >>> > > 14:45 >>> > > in >>> > > Nachricht >>> > > <CAB5-Mqq2Epvoz-U_=1zNoz-JVSE9e5mu=MWemjyTEM7QuXaZDQ(a)mail.gmail.com >>> >: >>> > > > Dear Leo, >>> > > > >>> > > > We tried the steps mentioned below using the ReOpenLDAP package >>> provided >>> > > by >>> > > > you. >>> > > > >>> > > > But, we're start at the very first step while running bootstrap.sh >>> & >>> > > > encountered below errors: >>> > > > >>> > > > root@pygarg # ./bootstrap.sh >>> > > > ./bootstrap.sh: line 39: git: command not found >>> > > > Oops, cleanup failed ;( >>> > > >>> > > I wonder: How could you "git clone" without git? >>> > > >>> > > > >>> > > > >>> > > > Could you please guide us further into this..? >>> > > > >>> > > > ---- >>> > > > >>> > > > *Thanks & Kind Regards,* >>> > > > Saurabh LAHOTI. >>> > > > *Ideas enlighten Innovation**!!!* >>> > > > Please consider the environment before printing this mail..!! >>> > > > >>> > > > >>> > > > >>> > > > >>> > > > >>> > > > On Thu, 23 Aug 2018 at 23:17, ???????????? ?????????? < >>> leo(a)yuriev.ru> wrote: >>> > > > >>> > > >> Hi, Saurabh. >>> > > >> >>> > > >> Your custom overlay "mobiuniquemember" now intergated into >>> ReOpenLDAP >>> > > >> (mobiuniquemember branch). >>> > > >> Please check it: >>> > > >> >>> > > >> git clone https://github.com/leo-yuriev/ReOpenLDAP.git -b >>> > > mobiuniquemember >>> > > >> cd ReOpenLDAP >>> > > >> ./bootstrap.sh >>> > > >> ./configure --enable-contrib [other relevan options] >>> > > >> make install >>> > > >> >>> > > >> Regards, >>> > > >> Leonid. >>> > > >> >>> > > >> >>> > > >> ????, 22 ??????. 2018 ??. ?? 18:04, ???????????? ?????????? < >>> leo(a)yuriev.ru>: >>> > > >> >>> > > >>> You could submit source code of your custom overlay to >>> > > >>> https://github.com/leo-yuriev/ReOpenLDAP, i.e. pull-request >>> into the >>> > > >>> 'devel' branch. >>> > > >>> >>> > > >>> Then I will try fix it and merge-in, in success case you will be >>> able >>> > > to >>> > > >>> build and use it with ReOpenLDAP. >>> > > >>> >>> > > >>> >>> > > >>> Regards, >>> > > >>> Leonid. >>> > > >>> >>> > > >>> ????, 22 ??????. 2018 ??., 17:37 Saurabh Lahoti < >>> saurabh.astronomy(a)gmail.com >>> > > >: >>> > > >>> >>> > > >>>> Dear, >>> > > >>>> >>> > > >>>> What is you're recommendation to fix this problem on our >>> side..? It's >>> > > >>>> been haunting our operational activities on daily basis.. ?????? >>> > > >>>> ---- >>> > > >>>> >>> > > >>>> *Thanks & Kind Regards,* >>> > > >>>> Saurabh LAHOTI. >>> > > >>>> *Mob: +32.499.82.37.88* >>> > > >>>> *Ideas enlighten Innovation**!!!* >>> > > >>>> Please consider the environment before printing this mail..!! >>> > > >>>> >>> > > >>>> >>> > > >>>> >>> > > >>>> >>> > > >>>> >>> > > >>>> On Fri, 17 Aug 2018 at 16:43, Brian Reichert < >>> reichert(a)numachi.com> >>> > > >>>> wrote: >>> > > >>>> >>> > > >>>>> On Thu, Aug 16, 2018 at 02:00:20PM +0200, Saurabh Lahoti wrote: >>> > > >>>>> > Dear, >>> > > >>>>> > >>> > > >>>>> > Today, received below error in /var/log/messages with >>> OpenLDAP >>> > > >>>>> instance >>> > > >>>>> > crashing. >>> > > >>>>> >>> > > >>>>> That looks like either: >>> > > >>>>> >>> > > >>>>> - You have a bad SIM (very unlikely) >>> > > >>>>> - You have a corrupted uniquemember.so.0.0.0 shared library. >>> > > >>>>> - You may have conflated OpenLDAP packages installed that have >>> a >>> > > >>>>> critical >>> > > >>>>> incompatibility amidst the installed binaries/libraries. >>> > > >>>>> >>> > > >>>>> It did write a core file; there are many tutorials about >>> exploring >>> > > >>>>> a core file to help understand why the segfault occurred. >>> > > >>>>> >>> > > >>>>> > >>> > > >>>>> > Aug 16 13:21:07 muledeer kernel: slapd[29253]: segfault at 0 >>> ip >>> > > >>>>> > 00007fbeddf3af09 sp 00007fb72effc480 error 4 in >>> > > >>>>> > uniquemember.so.0.0.0[7fbeddf3a000+2000] >>> > > >>>>> > Aug 16 13:21:08 muledeer abrt[24629]: Saved core dump of pid >>> 16470 >>> > > >>>>> > (/usr/app/ldap/openldap2.4.46/libexec/slapd) to >>> > > >>>>> > /var/spool/abrt/ccpp-2018-08-16-13:21:07-16470 (472973312 >>> bytes) >>> > > >>>>> > Aug 16 13:21:08 muledeer abrtd: Directory >>> > > >>>>> 'ccpp-2018-08-16-13:21:07-16470' >>> > > >>>>> > creation detected >>> > > >>>>> > Aug 16 13:21:08 muledeer abrtd: Executable >>> > > >>>>> > '/usr/app/ldap/openldap2.4.46/libexec/slapd' doesn't belong >>> to any >>> > > >>>>> package >>> > > >>>>> > and ProcessUnpackaged is set to 'no' >>> > > >>>>> > Aug 16 13:21:08 muledeer abrtd: 'post-create' on >>> > > >>>>> > '/var/spool/abrt/ccpp-2018-08-16-13:21:07-16470' exited with >>> 1 >>> > > >>>>> > Aug 16 13:21:08 muledeer abrtd: Deleting problem directory >>> > > >>>>> > '/var/spool/abrt/ccpp-2018-08-16-13:21:07-16470' >>> > > >>>>> > >>> > > >>>>> > >>> > > >>>>> > Could you please guide us in finding probable root of this >>> error..? >>> > > >>>>> > ---- >>> > > >>>>> > >>> > > >>>>> > *Thanks & Kind Regards,* >>> > > >>>>> > Saurabh LAHOTI. >>> > > >>>>> > *Ideas enlighten Innovation**!!!* >>> > > >>>>> > Please consider the environment before printing this mail..!! >>> > > >>>>> >>> > > >>>>> -- >>> > > >>>>> Brian Reichert <reichert(a)numachi.com> >>> > > >>>>> BSD admin/developer at large >>> > > >>>>> >>> > > >>>> >>> > > >>> > > >>> > > >>> > > >>> >>> -- >>> Brian Reichert <reichert(a)numachi.com> >>> BSD admin/developer at large >>> >>

1 0

Re: OpenLDAP instances crashes
by Saurabh Lahoti 14 Sep '18

14 Sep '18

Dear Leo, We tried the steps mentioned below using the ReOpenLDAP package provided by you. But, we're start at the very first step while running bootstrap.sh & encountered below errors: root@pygarg # ./bootstrap.sh ./bootstrap.sh: line 39: git: command not found Oops, cleanup failed ;( Could you please guide us further into this..? ---- *Thanks & Kind Regards,* Saurabh LAHOTI. *Ideas enlighten Innovation**!!!* Please consider the environment before printing this mail..!! On Thu, 23 Aug 2018 at 23:17, Леонид Юрьев <leo(a)yuriev.ru> wrote: > Hi, Saurabh. > > Your custom overlay "mobiuniquemember" now intergated into ReOpenLDAP > (mobiuniquemember branch). > Please check it: > > git clone https://github.com/leo-yuriev/ReOpenLDAP.git -b mobiuniquemember > cd ReOpenLDAP > ./bootstrap.sh > ./configure --enable-contrib [other relevan options] > make install > > Regards, > Leonid. > > > ср, 22 авг. 2018 г. в 18:04, Леонид Юрьев <leo(a)yuriev.ru>: > >> You could submit source code of your custom overlay to >> https://github.com/leo-yuriev/ReOpenLDAP, i.e. pull-request into the >> 'devel' branch. >> >> Then I will try fix it and merge-in, in success case you will be able to >> build and use it with ReOpenLDAP. >> >> >> Regards, >> Leonid. >> >> ср, 22 авг. 2018 г., 17:37 Saurabh Lahoti <saurabh.astronomy(a)gmail.com>: >> >>> Dear, >>> >>> What is you're recommendation to fix this problem on our side..? It's >>> been haunting our operational activities on daily basis.. 😓 >>> ---- >>> >>> *Thanks & Kind Regards,* >>> Saurabh LAHOTI. >>> *Mob: +32.499.82.37.88* >>> *Ideas enlighten Innovation**!!!* >>> Please consider the environment before printing this mail..!! >>> >>> >>> >>> >>> >>> On Fri, 17 Aug 2018 at 16:43, Brian Reichert <reichert(a)numachi.com> >>> wrote: >>> >>>> On Thu, Aug 16, 2018 at 02:00:20PM +0200, Saurabh Lahoti wrote: >>>> > Dear, >>>> > >>>> > Today, received below error in /var/log/messages with OpenLDAP >>>> instance >>>> > crashing. >>>> >>>> That looks like either: >>>> >>>> - You have a bad SIM (very unlikely) >>>> - You have a corrupted uniquemember.so.0.0.0 shared library. >>>> - You may have conflated OpenLDAP packages installed that have a >>>> critical >>>> incompatibility amidst the installed binaries/libraries. >>>> >>>> It did write a core file; there are many tutorials about exploring >>>> a core file to help understand why the segfault occurred. >>>> >>>> > >>>> > Aug 16 13:21:07 muledeer kernel: slapd[29253]: segfault at 0 ip >>>> > 00007fbeddf3af09 sp 00007fb72effc480 error 4 in >>>> > uniquemember.so.0.0.0[7fbeddf3a000+2000] >>>> > Aug 16 13:21:08 muledeer abrt[24629]: Saved core dump of pid 16470 >>>> > (/usr/app/ldap/openldap2.4.46/libexec/slapd) to >>>> > /var/spool/abrt/ccpp-2018-08-16-13:21:07-16470 (472973312 bytes) >>>> > Aug 16 13:21:08 muledeer abrtd: Directory >>>> 'ccpp-2018-08-16-13:21:07-16470' >>>> > creation detected >>>> > Aug 16 13:21:08 muledeer abrtd: Executable >>>> > '/usr/app/ldap/openldap2.4.46/libexec/slapd' doesn't belong to any >>>> package >>>> > and ProcessUnpackaged is set to 'no' >>>> > Aug 16 13:21:08 muledeer abrtd: 'post-create' on >>>> > '/var/spool/abrt/ccpp-2018-08-16-13:21:07-16470' exited with 1 >>>> > Aug 16 13:21:08 muledeer abrtd: Deleting problem directory >>>> > '/var/spool/abrt/ccpp-2018-08-16-13:21:07-16470' >>>> > >>>> > >>>> > Could you please guide us in finding probable root of this error..? >>>> > ---- >>>> > >>>> > *Thanks & Kind Regards,* >>>> > Saurabh LAHOTI. >>>> > *Ideas enlighten Innovation**!!!* >>>> > Please consider the environment before printing this mail..!! >>>> >>>> -- >>>> Brian Reichert <reichert(a)numachi.com> >>>> BSD admin/developer at large >>>> >>>

3 4

Failed to create more than 1024 LMDB environment objects
by Jeremy Chen 12 Sep '18

12 Sep '18

Hi I have been using lmdb (with java binding on Ubuntu 14.04+, or Centos 7) to manage daily data sets for a while and so far it works beautifully. Now I am trying to add multi-tenancy support with physical partitioning, but fails to create more than 1024 environments (1017 to be exact). The error msg is "Resource temporarily unavailable" (not sure if it's accurate since it's from the lmdbjni binding), and it will only generate a lock.mdb of 0 length in the failed environment. I tuned a few parameters, like reducing the map size to a few MB each, etc, but to no avail. Is this a hard limit? Or I could change something in lmdb source code to extend it? Thank you very much! Jeremy

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2018