openldap-technical July 2019

openldap-technical@openldap.org

29 participants
22 discussions

Intensive disk write after long-running LDAP activity terminated
by Tamás Rébeli-Szabó 22 Jul '19

22 Jul '19

Hello, we had a long-running (several days) process doing add and modify operations in OpenLDAP 2.4.41 + LMDB backend + SLES 11.3. When the process was stopped, we experienced minutes of intensive disk write by LMDB. The LMDB option dbnosync is not set. Checking git we see that there should be a transaction commit in LMDB after every LDAP add/modify operation, and the updating of on-disk contents should happen after each LDAP add/modify operation. Furthermore, at the OS level, dirty pages should be generally flushed every 5 seconds. So we wonder what could possibly cause such a significant I/O burst? Regards, tamas

2 1

Re: Error when try modify olcTLS*
by Igor Sousa 21 Jul '19

21 Jul '19

Hi Quanah, Sorry about my delay to answer you, I've been in vacation and away from PC. I understand that I should use the same name when I'll update this file to make it easy, but it is a new installation and this reason that I need modify this entries. I've tested your suggestion and delete operation has worked fine, but I've still had the same problem described previously when I've tried add new olcTLSCertificateFile or new olcTLSCertificateKeyFile or new olcTLSCACertificateFile. I don't understand the reason for that. [root@localhost ldifs]# ldapmodify -Y EXTERNAL -H ldapi:/// -f 5tls.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Other (e.g., implementation specific) error (80) -- Igor Sousa Em sex, 28 de jun de 2019 às 21:53, Quanah Gibson-Mount <quanah(a)symas.com> escreveu: > --On Friday, June 28, 2019 7:33 PM -0300 Igor Sousa <igorvolt(a)gmail.com> > wrote: > > > dn: cn=config > > changetype: modify > > replace: olcTLSCertificateFile > > olcTLSCertificateFile: /etc/openldap/certs/ldap.local.crt > > - > > replace: olcTLSCertificateKeyFile > > olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.local.key > > - > > add: olcTLSCACertificateFile > > olcTLSCACertificateFile: /etc/openldap/certs/ca.cert.pem > > I would suggest simply using the same filenames as you had before, > negating > the need to modify the attributes at all. You're likely hitting ITS#8286 > with the replace operations. Another idea may be to change replace to a > delete+add in the same operation sequence. > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

4 10

slapd crashing
by Alex Hebra 19 Jul '19

19 Jul '19

Hi there, I've MMR running on two FreeBSD servers with OpenLDAP 2.4.47. After few days one node always crash with signal 11. The last log I got from slapd is: Jul 17 18:04:19 slapd[676]: syncprov_matchops: skipping original sid 001 When I try to restart the slapd process it eats all the ram memory, until the server become irresponsible. I have to delete the database and re-sync everything to make it works again. Is there a way to find out how can I fix this issue? Thanks.

2 4

Re: Error when try modify olcTLS*
by Igor Sousa 19 Jul '19

19 Jul '19

Hi everybody, I would like to apologize me about this email discussion, in specially to Quanah and Howard. After a ton of emails sent, specially the last Quanah email, I've finally understood my error. Due it be a beginner error, I'm very embarrassed to importune you about it. Then, I would like to apologize me with Quanah, Howard and everyone on openldap-technical(a)openldap.org list about time spent in this problem. Finally, I would like thank all involved that has helped me to solve my problem. OBS: I've removed -aes256 when I've generated server key aiming no encrypting the key. Then I've got to add all olcTLS* entries with ldapmodify and ldif file described in previous emails. -- Igor Sousa Em qui, 18 de jul de 2019 às 17:35, Quanah Gibson-Mount <quanah(a)symas.com> escreveu: > --On Thursday, July 18, 2019 1:08 PM -0700 Quanah Gibson-Mount > <quanah(a)symas.com> wrote: > > >> build@c7rpm:/home/build/git/rheldap/RHEL7_x86_64/BUILD...lapd > >> Jul 18 11:55:29 localhost.localdomain slapd[2133]: main: TLS init def > ctx > >> failed: -1 > >> Jul 18 11:55:29 localhost.localdomain slapd[2133]: Enter PEM pass > phrase: > > > > This clearly indicates your key file is password protected, which is not > > supported. > > To be clear, it's not supported to use a password protected key file and > then try and start slapd via an automated init system such as systemd. To > use a password protected key file requires that you start slapd manually > so > you can provide the password as part of the startup process so slapd can > access it. > > Regards, > Quanah > > > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Database problems with OpenIndiana
by dieter＠dkluenter.de 17 Jul '19

17 Jul '19

Hi, I am testing OpenLDAP-2.4.44 on OpenIndiana-Hipster. I have configured two back-mdb databases.For some strange reason a data.mdb and a bdb logfile is created. openldap openldap 45441024 Juli 17 16:45 data.mdb openldap openldap 8192 Juli 17 16:57 lock.mdb root root 10485760 Juli 17 16:57 log.0000000001 After a restart slapd cannot read the data.mdb anymore. -Dieter -- Dieter Klünter | Directory Service http://sys4.de 53°37'09,95"N 10°08'02,42"E

2 3

RE24 testing call (2.4.48) LMDB RE0.9 testing call (0.9.24)
by Quanah Gibson-Mount 16 Jul '19

16 Jul '19

This is expected to be the only testing call for 2.4.48, with an anticipated release, depending on feedback, during the week of 2019/07/22. Specific to this release, it would be helpful if anyone using back-ldap or back-meta with TLS can confirm their existing configurations continue to work (Due to the changes related to ITS#8427). Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.4.48 Engineering Added libldap OpenSSL Elliptic Curve support (ITS#7595) Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671) Added slapd-monitor support for slapd-mdb (ITS#7770) Fixed liblber leaks (ITS#8727) Fixed liblber with partial flush (ITS#8864) Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980) Fixed libldap ASYNC connections with Solaris 10 (ITS#8968) Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585) Fixed libldap to use AI_ADDRCONFIG when available (ITS#7326) Fixed libldap to be able to unset syncrepl TLS options (ITS#7042) Fixed libldap race condition in ldap_int_initialize (ITS#7996, ITS#8450) Fixed libldap return code in ldap_create_assertion_control_value (ITS#8674) Fixed libldap to correctly disable IPv6 when configured to do so (ITS#8754) Fixed libldap to correctly close TLS connection (ITS#8755) Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353) Fixed liblunicode case correspondance (ITS#8508) Fixed slapd with an idletimeout of less than four seconds (ITS#8952) Fixed slapd config parser variable for Windows64 (ITS#9012) Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015) Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999) Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037) Fixed slapd TLS settings on reconnection (ITS#8427) Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038) Fixed slapd to initialize SASL SSF per connection (ITS#9052) Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990) Fixed slapd-ldap starttls connections timeout behavior (ITS#8963) Fixed slapd-ldap TLS settings on reconnection (ITS#8427) Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997) Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743) Fixed slapd-meta TLS settings on reconnection (ITS#8427) Fixed slapd-meta assertion when network interface goes down (ITS#8841) Fixed slapd-mdb fix bitshift integer overflow (ITS#8989) Fixed slapd-mdb index cleanup with cn=config (ITS#8472) Fixed slapd-mdb to improve performance with alias deref (ITS#7657) Fixed slapo-accesslog possible assert with exops (ITS#8971) Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637) Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799) Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663) Fixed slapo-memberof for group name change to itself (ITS#9000) Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349) Fixed slapo-rwm to not free original filter (ITS#8964) Fixed slapo-syncprov contextCSN generation (ITS#9015) Build Environment Fixed slapd to only link to BDB libraries with static build (ITS#8948) Fixed libldap implicit declaration with LDAP_CONNECTIONLESS (ITS#8794) Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041) Documentation General - Fixed minor typos (ITS#8764, ITS#8761) admin24 - Miscellaneous updates promoting mdb and fixing examples (ITS#9031) slapd.access(5) - Note MDB is the primary backend (ITS#8881) slapd.backends(5) - Note MDB is the recommended backend (ITS#8771) slapd-ldap(5) - Document starttls parameter (ITS#8693) Contrib Added slapo-lastbind capability to forward authTimestamp updates (ITS#7721) LMDB 0.9.24 Engineering ITS#8969 Tweak mdb_page_split ITS#8975 WIN32 fix writemap set_mapsize crash ITS#9007 Fix loose pages in WRITEMAP Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

5 13

Re: RE24 testing call (2.4.48) LMDB RE0.9 testing call (0.9.24)
by Abdelkader Chelouah 16 Jul '19

16 Jul '19

Hello, make mdb and make mdb-its, all succeded under CentOS 7. As far as concerned back-ldap, commit e224920ea5641b71bbd38604cb58bd1922537e7d (ITS#8427 Take late TLS configuration into account) has fixed the regression introduced by commit 6f623dfa1ca65698c19ccc6c058cd170e633384e (ITS#8427 Set up TLS settings on each reconnection) with my test configuration. Regard, Kader On Mon, Jul 15, 2019 at 6:18 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > This is expected to be the only testing call for 2.4.48, with an > anticipated release, depending on feedback, during the week of 2019/07/22. > > Specific to this release, it would be helpful if anyone using back-ldap or > back-meta with TLS can confirm their existing configurations continue to > work (Due to the changes related to ITS#8427). > > Generally, get the code for RE24: > > < > http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h… > > > > Configure & build. > > Execute the test suite (via make test) after it is built. Optionally, cd > tests && make its to run through the regression suite. > > Thanks! > > OpenLDAP 2.4.48 Engineering > Added libldap OpenSSL Elliptic Curve support (ITS#7595) > Added libldap Expose OpenLDAP specific interfaces via openldap.h > (ITS#8671) > Added slapd-monitor support for slapd-mdb (ITS#7770) > Fixed liblber leaks (ITS#8727) > Fixed liblber with partial flush (ITS#8864) > Fixed libldap ASYNC TLS so it works (ITS#8957,ITS#8980) > Fixed libldap ASYNC connections with Solaris 10 (ITS#8968) > Fixed libldap with SASL_NOCANON=on and ldapi connections (ITS#7585) > Fixed libldap to use AI_ADDRCONFIG when available (ITS#7326) > Fixed libldap to be able to unset syncrepl TLS options (ITS#7042) > Fixed libldap race condition in ldap_int_initialize (ITS#7996, > ITS#8450) > Fixed libldap return code in ldap_create_assertion_control_value > (ITS#8674) > Fixed libldap to correctly disable IPv6 when configured to do so > (ITS#8754) > Fixed libldap to correctly close TLS connection (ITS#8755) > Fixed libldap_r handling of deprecated OpenSSL function (ITS#8353) > Fixed liblunicode case correspondance (ITS#8508) > Fixed slapd with an idletimeout of less than four seconds (ITS#8952) > Fixed slapd config parser variable for Windows64 (ITS#9012) > Fixed slapd syncrepl fallback handling with delta-syncrepl (ITS#9015) > Fixed slapd telephoneNumberNormalize, cert DN validation (ITS#8999) > Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037) > Fixed slapd TLS settings on reconnection (ITS#8427) > Fixed slapd to restrict rootDN proxyauthz to its own databases > (ITS#9038) > Fixed slapd to initialize SASL SSF per connection (ITS#9052) > Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990) > Fixed slapd-ldap starttls connections timeout behavior (ITS#8963) > Fixed slapd-ldap TLS settings on reconnection (ITS#8427) > Fixed slapd-ldap segfault when entry result doesn't match filter > (ITS#8997) > Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743) > Fixed slapd-meta TLS settings on reconnection (ITS#8427) > Fixed slapd-meta assertion when network interface goes down (ITS#8841) > Fixed slapd-mdb fix bitshift integer overflow (ITS#8989) > Fixed slapd-mdb index cleanup with cn=config (ITS#8472) > Fixed slapd-mdb to improve performance with alias deref (ITS#7657) > Fixed slapo-accesslog possible assert with exops (ITS#8971) > Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637) > Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799) > Fixed slapo-memberof conversion from slapd.conf to cn=config (ITS#8663) > Fixed slapo-memberof for group name change to itself (ITS#9000) > Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349) > Fixed slapo-rwm to not free original filter (ITS#8964) > Fixed slapo-syncprov contextCSN generation (ITS#9015) > Build Environment > Fixed slapd to only link to BDB libraries with static build > (ITS#8948) > Fixed libldap implicit declaration with LDAP_CONNECTIONLESS > (ITS#8794) > Fixed libldap double inclusion of limits.h in cyrus.c (ITS#9041) > Documentation > General - Fixed minor typos (ITS#8764, ITS#8761) > admin24 - Miscellaneous updates promoting mdb and fixing examples > (ITS#9031) > slapd.access(5) - Note MDB is the primary backend (ITS#8881) > slapd.backends(5) - Note MDB is the recommended backend (ITS#8771) > slapd-ldap(5) - Document starttls parameter (ITS#8693) > Contrib > Added slapo-lastbind capability to forward authTimestamp updates > (ITS#7721) > > LMDB 0.9.24 Engineering > ITS#8969 Tweak mdb_page_split > ITS#8975 WIN32 fix writemap set_mapsize crash > ITS#9007 Fix loose pages in WRITEMAP > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > > >

1 0

ldap_destroy() vs. ldap_unbind()
by Edgar Fuß 15 Jul '19

15 Jul '19

Hello. I'm sorry if this is a silly question, but the only thing close to an answer I could find is from a post of Hallvard B Furuseth to this list (pre-dating the actual ldap_destroy() introduction) stating that ldap_unbind() was mis-named and should have been called ldap_destroy(). The question is whether to use ldap_destroy() or ldap_unbind(). More precisely, the question is which one is preferable in a single-threaded application that never calls ldap_dup(). >From reading the man page of ldap_dup()/ldap_destroy() and above mentioned post, I would get the impression that technichally, it doesn't matter, so I would gess ldap_unbind() to be slightly preferable because it works with pre-2.4.24 OpenLDAP. However, proposing such an adjustment (https://redmine.lighttpd.net/issues/2849 in case anyone cares[*]) was vigorously turned down stating I didn't know what I was talking about so I might be missing something. Could someone shed light on this? I'm in no way an LDAP or OpenLDAP expert, just trying to read man pages. [*] There's an error in my comment there: I wrote "2.4" where it should read "2.4.24".

2 1

Re: Switch OpenLDAP backend database from HDB to MDB
by SHarbich＠t-online.de 11 Jul '19

11 Jul '19

> You can not convert a hdb backend into a mdb backend without changing > the underlying database. slapcat(8) the hdb database into a file and > slapadd(8) the file into a mdb backend. Hello, but it works. I have made the following changes to the config.ldif file. Then I replayed the LDIF file into an empty ldap directory with slapadd: ... olcModuleLoad: {0}back_mdb dn: olcBackend={0}mdb,cn=config olcBackend: {0}mdb dn: olcDatabase={1}mdb,cn=config objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbMaxSize: 1073741824 structuralObjectClass: olcMdbConfig ... Thank you in advance for your support

1 0

Re: Switch OpenLDAP backend database from HDB to MDB
by SHarbich＠t-online.de 10 Jul '19

10 Jul '19

Hello, I can not change my config.ldif file from the HDB backend to the MDB backend. I have changed the following: ... dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap -olcModuleLoad: {0}back_hdb +olcModuleLoad: {0}back_mdb olcModuleLoad: {1}dynlist.so olcModuleLoad: {2}ppolicy.la structuralObjectClass: olcModuleList entryUUID: 9495e2a6-da11-1033-97d9-c1ceaf236428 creatorsName: cn=admin,cn=config createTimestamp: 20140926214112Z entryCSN: 20170201184048.317884Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20170201184048Z -dn: olcBackend={0}hdb,cn=config +dn: olcBackend={0}mdb,cn=config objectClass: olcBackendConfig -olcBackend: {0}hdb +olcBackend: {0}mdb structuralObjectClass: olcBackendConfig entryUUID: 94960592-da11-1033-97da-c1ceaf236428 creatorsName: cn=admin,cn=config createTimestamp: 20140926214112Z entryCSN: 20140926214112.940239Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20140926214112Z -dn: olcDatabase={1}hdb,cn=config +dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig -objectClass: olcHdbConfig +objectClass: olcMdbConfig -olcDatabase: {1}hdb +olcDatabase: {1}mdb +olcDbMaxSize: 1073741824 olcDbDirectory: /var/lib/ldap olcSuffix: dc=harnet,dc=de olcLastMod: TRUE olcRootDN: cn=admin,dc=harnet,dc=de olcRootPW:: -olcDbCheckpoint: 512 30 -olcDbConfig: {0}set_cachesize 0 2097152 0 -olcDbConfig: {1}set_lk_max_objects 1500 -olcDbConfig: {2}set_lk_max_locks 1500 -olcDbConfig: {3}set_lk_max_lockers 1500 -structuralObjectClass: olcHdbConfig entryUUID: 94960be6-da11-1033-97db-c1ceaf236428 creatorsName: cn=admin,cn=config createTimestamp: 20140926214112Z olcAccess: {0}to dn.subtree="dc=harnet,dc=de" by dn="uid=lamdaemon,ou=users, dc=harnet,dc=de" write by * none break olcAccess: {1}to dn.base="" by * read olcAccess: {2}to attrs=userPassword by anonymous auth by * none olcAccess: {3}to dn.base="dc=harnet,dc=de" by * read olcAccess: {4}to dn.subtree="ou=users,dc=harnet,dc=de" by dn="cn=Harbich CA Server,ou=services,dc=harnet,dc=de" write by users read by * none olcAccess: {5}to dn.subtree="ou=services,dc=harnet,dc=de" by dn="cn=Harbich CA Server,ou=services,dc=harnet,dc=de" write by users read by * none olcAccess: {6}to * by dn="cn=admin,dc=harnet,dc=de" write by * read olcDbIndex: cn pres,eq,sub olcDbIndex: sn pres,eq,sub olcDbIndex: uid pres,eq olcDbIndex: mail pres,eq,sub olcDbIndex: dcMailAlias pres,eq olcDbIndex: givenName pres,eq,sub olcDbIndex: dcSubMailAddress pres,eq olcDbIndex: dcMailAlternateAddress pres,eq olcDbIndex: dcAccountStatus pres,eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: dhcpHWAddress eq olcDbIndex: uniqueMember eq olcDbIndex: memberUid eq olcDbIndex: objectClass eq olcDbIndex: loginShell eq olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub olcDbIndex: ou pres,eq,sub entryCSN: 20190304162152.376029Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20190304162152Z -dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config +dn: olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynamicList olcOverlay: {0}dynlist olcDlAttrSet: {0}dcPosixSubAccount dcPosixOwnerURL structuralObjectClass: olcDynamicList entryUUID: 6f6012cc-da16-1033-84a3-8399e4f67731 creatorsName: cn=admin,cn=config createTimestamp: 20140926221557Z entryCSN: 20140926221557.994629Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20140926221557Z ... When I play back the config and data ldif file after deleting the ldap directories, I get the following error message: "root@dsme01:/tmp# slapadd -F /etc/ldap/slapd.d -n 1 -l harnet.de.ldif Database number selected via -n is out of range Must be in the range 0 to 0 (the number of configured databases)" Did I change something wrong in my config file above? Thank you in advance for your support

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2019