openldap-technical August 2019

openldap-technical@openldap.org

33 participants
47 discussions

Default autoconf values / building OpenLDAP 2.4.48
by Dominique Fuchs 12 Aug '19

12 Aug '19

Hi everyone, I just started building OpenLDAP 2.4.48 (stable tarball from openldap.org) and realized that there are some autoconf options regarding SLAPD configuration that do not comply with the --help documentation. Specifically: First I got errors regarding missing sql.h, then mysql_config. This led to the conclusion that autoconf tried to enable sql and ndb. However, in the documentation it says it'll default to 'no', which is why I didn't explicitly --disable-ndb and --disable-sql. When I do that, it acts as expected and configure is successful. Unfortunately I'm completely unaware how the handling of these default values is accomplished for autoconf, so I dign't have a chance to look it up myself. Thanks for any hints, Dominique

4 5

How can I run slapd in foreground
by Marc Roos 10 Aug '19

10 Aug '19

Afaik from the mesos executor, it wants to keep the process in foreground, so when the task terminates, it will be detected and restarted. How can I run slapd in foreground?

2 1

Building the OpenLDAP client libraries on Windows
by Olivier Hartmann 09 Aug '19

09 Aug '19

Hello, We are having difficulties building the OpenLDAP client libraries on Windows. Would anyone on this list be willing to share a procedure through which they succeeded in doing that with a recent version of OpenLDAP (2.4.47 or the next one)? The only thing we are after is building the OpenLDAP client libraries (not the server). Any help would be appreciated. Thanks, -Olivier

2 1

Help with LDAP Notifications
by Manojkiran Eda 08 Aug '19

08 Aug '19

1 0

How to change BaseDN? (OpenLDAP/slapd)
by Dominique Fuchs 08 Aug '19

08 Aug '19

Hi everyone, I'm actually stuck trying to set up an OpenLDAP implementation on my server running debian/slapd. Based on the hostname of the server (server.foo.bar) slapd automatically sets up the base config with dc=foo,dc=bar as BaseDN. This runs fine and I can connect successfully. However, I actually want the BaseDN for the LDAP structure to rely on the subdomain ldap.foo.bar (dc=ldap,dc=foo,dc=bar). How can I accomplish this? I already tried to fiddle around with ldapmodify/ldif-files, but the only thing I found online where descriptions of how to add a node, not how to change the root node. This post on SO: https://stackoverflow.com/questions/19537319/change-basedn-in-openldap only explains how to rename an existing setup (and even there I can't imagine there isn't a more native way of changing the BaseDN). Thanks in advance!

5 6

Fwd: Clarification regarding global ldapoptions structure in ldap
by sachidananda sahu 07 Aug '19

07 Aug '19

Hi All, I recently upgraded to openldap 2.4.47, it's working with single threaded connection but with multi threaded getting problem due to global structure of ldapoptions in init.c ------------------------- init.c ------------------------- *struct* ldapoptions <http://opengrok-prd.eng.netapp.com/source/s?defs=ldapoptions&project=dev> ldap_int_global_options <http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_int_global_options&pr…> = { LDAP_UNINITIALIZED <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_UNINITIALIZED&project…>, LDAP_DEBUG_NONE <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_DEBUG_NONE&project=dev> LDAP_LDO_NULLARG <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_NULLARG&project=d…> LDAP_LDO_CONNECTIONLESS_NULLARG <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_CONNECTIONLESS_NU…> LDAP_LDO_TLS_NULLARG <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_TLS_NULLARG&proje…> LDAP_LDO_SASL_NULLARG <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_SASL_NULLARG&proj…> LDAP_LDO_GSSAPI_NULLARG <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_GSSAPI_NULLARG&pr…> LDAP_LDO_MUTEX_NULLARG <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_MUTEX_NULLARG&pro…> }; This global structure is accessed at multiple places (such as ldap_pvt_tls_init_def_ctx <http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_pvt_tls_init_def_ctx&…>, alloc_handle <http://opengrok-prd.eng.netapp.com/source/s?refs=alloc_handle&project=dev>, ldap_int_tls_connect <http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_int_tls_connect&proje…>, *ldap_pvt_tls_destroy <http://opengrok-prd.eng.netapp.com/source/xref/R9.6x/third_party/open_sourc…>, ldap_ld_free*) in tls2.c using the macro lo <http://opengrok-prd.eng.netapp.com/source/s?defs=lo&project=dev> = LDAP_INT_GLOBAL_OPT <http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_INT_GLOBAL_OPT&projec…> (); So in case of multi threaded application multiple ldap connection will be using this global structure, for example ldo_tls_ctx of lapoptions will be used. In one thread it can be creating a tls connection and in one it can be destroying the connection. As it's global so it is getting corrupted. Is openldap library thread safe completely ? Because this variable seems to be not for this tls context variable, is there any other way of using this context . As i can see a local variable ldo_tls_ctx exist in dap ld->ldc->ldap_options->ldo_tls_ctx structure, but it's just got assigned with the same address of global structure in ldap_int_tls_connect <http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_int_tls_connect&proje…> . So can someone share some thoughts on it ? -- Regards, Sachidananda Sahu

2 8

Re: Trouble with “Connection Refused” errors and timeouts on server with high Thread Backload
by erich_2323 06 Aug '19

06 Aug '19

Hi OpenLdap folks, I ran into an issue with OpenLdap 2.4.44 that I am having trouble finding the root cause of. I run Openldap in syncrepl mode. I have one machine which serves as a write endpoint (let’s call it the master node), and many machines which sync from it, and serve as read-replicas. To ensure that they are in-sync with the Master, each read-replica runs ldapsearch against the Master node every minute. It looks at the entryCSN values for a bunch of objects on the Master, and compares against its own entryCSNs for its copy of these objects. It searches a bunch of different objects, and in total takes about 3 seconds for a read replica to do this search (I have duration logging on LDAP operations enabled by merging in this patch (http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=8054;page=9). About 20 MB are transferred to each read-replica when they run this script. NOTE: I prefer not to use the contextCSN for this sync because I only care about certain objects of the database being in-sync, and I need to know specifically which objects are in-sync vs out-of-sync. I doubled the amount of times this script runs per read-replica. Therefore instead of each read-replica running this script once per minute, it was running it twice per minute. Shortly thereafter, I started getting reports from someone who writes to the LDAP Master regularly that they are seeing a high amount of write operations failing with timeouts and “Connection Refused” errors. I reduced the frequency of the script back to once per minute, and the writer reported that they were no longer seeing these errors. I assumed that this Connection Refused error was due to the fact that Openldap 2.4 uses a single thread for incoming connections (sources: https://lwn.net/Articles/755207/, https://www.openldap.org/pub/slim/OpenLDAP_Conn_Mgmt.pdf (section 3)), and the pending connection backlog on the socket was too high. Therefore the syscall is returning Connection Refused. This may be similar to the frontend contention issue described in this post: (http://www.openldap.org/lists/openldap-devel/201308/msg00003.html). I noticed that the values for cn=Backload,cn=Threads,cn=Monitor as well as cn=Pending,cn=Threads,cn=Monitor got very high when the read-replicas were running the script twice as much. For example, Pending is usually sitting around 5-6, but during the time of high read traffic, I saw Pending count increase by over 1000 times (my graph looks very spiky, with pending threads shooting up to 1000x, then down to 10x or 100x the next minute, then back up, etc.). I understand that cn=Backload is simply Active + Pending Threads, and interestingly Active threads stayed at normal levels. I am wondering what Pending threads means exactly, and how is Pending Threads different from Read/Write Waiters? (Interestingly, Read/Write Waiters stayed at normal levels.) I attempted to reproduce this issue by running the script concurrently from a few different clients, hoIver, I was unable to get the Pending/Backload Threads up to similar levels (this value hovered around 16, which seems healthy. I did not see it spike up to similarly high levels). I observed that the latency of the Master from the read-replica’s perspective increased quite a bit during this test, but was unable to observe Connection Refused issues. Is my assumption about the cause of this issue (single thread for incoming connections) down the right track? Is this behavior (high Pending/Backload Threads, Connection Refused errors) a known occurrence? Are there any other metrics that I can observe which would indicate what is the cause of the Connection Refused errors? Is there a reliable way to repro this issue (without doubling the frequency of the read-replica script)? NOTE: I have the following settings configured, which I suspect may be relevant: olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 60 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcListenerThreads: 1 olcLocalSSF: 71 olcLogLevel: Stats olcLogLevel: Sync olcSizeLimit: unlimited olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcToolThreads: 1 olcWriteTimeout: 0 Thanks, Sent with [ProtonMail](https://protonmail.com) Secure Email.

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2019