How can I run slapd in foreground
by Marc Roos
Afaik from the mesos executor, it wants to keep the process in
foreground, so when the task terminates, it will be detected and
restarted.
How can I run slapd in foreground?
3 years, 10 months
Building the OpenLDAP client libraries on Windows
by Olivier Hartmann
Hello,
We are having difficulties building the OpenLDAP client libraries on
Windows.
Would anyone on this list be willing to share a procedure through which they
succeeded in doing that with a recent version of OpenLDAP (2.4.47 or the
next one)?
The only thing we are after is building the OpenLDAP client libraries (not
the server).
Any help would be appreciated.
Thanks,
-Olivier
3 years, 10 months
How to change BaseDN? (OpenLDAP/slapd)
by Dominique Fuchs
Hi everyone,
I'm actually stuck trying to set up an OpenLDAP implementation on my server running debian/slapd. Based on the hostname of the server (server.foo.bar) slapd automatically sets up the base config with dc=foo,dc=bar as BaseDN. This runs fine and I can connect successfully. However, I actually want the BaseDN for the LDAP structure to rely on the subdomain ldap.foo.bar (dc=ldap,dc=foo,dc=bar). How can I accomplish this?
I already tried to fiddle around with ldapmodify/ldif-files, but the only thing I found online where descriptions of how to add a node, not how to change the root node.
This post on SO:
https://stackoverflow.com/questions/19537319/change-basedn-in-openldap
only explains how to rename an existing setup (and even there I can't imagine there isn't a more native way of changing the BaseDN).
Thanks in advance!
3 years, 10 months
Fwd: Clarification regarding global ldapoptions structure in ldap
by sachidananda sahu
Hi All,
I recently upgraded to openldap 2.4.47, it's working with single threaded
connection but with multi threaded getting problem due to global structure
of ldapoptions in init.c
-------------------------
init.c
-------------------------
*struct* ldapoptions
<http://opengrok-prd.eng.netapp.com/source/s?defs=ldapoptions&project=dev>
ldap_int_global_options
<http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_int_global_options&...>
=
{ LDAP_UNINITIALIZED
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_UNINITIALIZED&proje...>,
LDAP_DEBUG_NONE
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_DEBUG_NONE&project=dev>
LDAP_LDO_NULLARG
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_NULLARG&project...>
LDAP_LDO_CONNECTIONLESS_NULLARG
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_CONNECTIONLESS_...>
LDAP_LDO_TLS_NULLARG
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_TLS_NULLARG&pro...>
LDAP_LDO_SASL_NULLARG
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_SASL_NULLARG&pr...>
LDAP_LDO_GSSAPI_NULLARG
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_GSSAPI_NULLARG&...>
LDAP_LDO_MUTEX_NULLARG
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_LDO_MUTEX_NULLARG&p...>
};
This global structure is accessed at multiple places (such as
ldap_pvt_tls_init_def_ctx
<http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_pvt_tls_init_def_ct...>,
alloc_handle <http://opengrok-prd.eng.netapp.com/source/s?refs=alloc_handle&project=dev>,
ldap_int_tls_connect
<http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_int_tls_connect&pro...>,
*ldap_pvt_tls_destroy
<http://opengrok-prd.eng.netapp.com/source/xref/R9.6x/third_party/open_sou...>,
ldap_ld_free*)
in tls2.c using the macro lo
<http://opengrok-prd.eng.netapp.com/source/s?defs=lo&project=dev> =
LDAP_INT_GLOBAL_OPT
<http://opengrok-prd.eng.netapp.com/source/s?defs=LDAP_INT_GLOBAL_OPT&proj...>
();
So in case of multi threaded application multiple ldap connection will be
using this global structure, for example ldo_tls_ctx of lapoptions will be
used. In one thread it can be creating a tls connection and in one it can
be destroying the connection. As it's global so it is getting corrupted.
Is openldap library thread safe completely ? Because this variable seems to
be not for this tls context variable, is there any other way of using this
context . As i can see a local variable ldo_tls_ctx exist in dap
ld->ldc->ldap_options->ldo_tls_ctx structure, but it's just got assigned
with the same address of global structure in ldap_int_tls_connect
<http://opengrok-prd.eng.netapp.com/source/s?refs=ldap_int_tls_connect&pro...>
.
So can someone share some thoughts on it ?
--
Regards,
Sachidananda Sahu
3 years, 10 months
Re: Trouble with “Connection Refused” errors and timeouts on server with high Thread Backload
by erich_2323
Hi OpenLdap folks,
I ran into an issue with OpenLdap 2.4.44 that I am having trouble finding the root cause of.
I run Openldap in syncrepl mode. I have one machine which serves as a write endpoint (let’s call it the master node), and many machines which sync from it, and serve as read-replicas.
To ensure that they are in-sync with the Master, each read-replica runs ldapsearch against the Master node every minute. It looks at the entryCSN values for a bunch of objects on the Master, and compares against its own entryCSNs for its copy of these objects. It searches a bunch of different objects, and in total takes about 3 seconds for a read replica to do this search (I have duration logging on LDAP operations enabled by merging in this patch (http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=8054;page=9). About 20 MB are transferred to each read-replica when they run this script.
NOTE: I prefer not to use the contextCSN for this sync because I only care about certain objects of the database being in-sync, and I need to know specifically which objects are in-sync vs out-of-sync.
I doubled the amount of times this script runs per read-replica. Therefore instead of each read-replica running this script once per minute, it was running it twice per minute.
Shortly thereafter, I started getting reports from someone who writes to the LDAP Master regularly that they are seeing a high amount of write operations failing with timeouts and “Connection Refused” errors. I reduced the frequency of the script back to once per minute, and the writer reported that they were no longer seeing these errors.
I assumed that this Connection Refused error was due to the fact that Openldap 2.4 uses a single thread for incoming connections (sources: https://lwn.net/Articles/755207/, https://www.openldap.org/pub/slim/OpenLDAP_Conn_Mgmt.pdf (section 3)), and the pending connection backlog on the socket was too high. Therefore the syscall is returning Connection Refused. This may be similar to the frontend contention issue described in this post: (http://www.openldap.org/lists/openldap-devel/201308/msg00003.html).
I noticed that the values for cn=Backload,cn=Threads,cn=Monitor as well as cn=Pending,cn=Threads,cn=Monitor got very high when the read-replicas were running the script twice as much. For example, Pending is usually sitting around 5-6, but during the time of high read traffic, I saw Pending count increase by over 1000 times (my graph looks very spiky, with pending threads shooting up to 1000x, then down to 10x or 100x the next minute, then back up, etc.). I understand that cn=Backload is simply Active + Pending Threads, and interestingly Active threads stayed at normal levels. I am wondering what Pending threads means exactly, and how is Pending Threads different from Read/Write Waiters? (Interestingly, Read/Write Waiters stayed at normal levels.)
I attempted to reproduce this issue by running the script concurrently from a few different clients, hoIver, I was unable to get the Pending/Backload Threads up to similar levels (this value hovered around 16, which seems healthy. I did not see it spike up to similarly high levels). I observed that the latency of the Master from the read-replica’s perspective increased quite a bit during this test, but was unable to observe Connection Refused issues.
Is my assumption about the cause of this issue (single thread for incoming connections) down the right track? Is this behavior (high Pending/Backload Threads, Connection Refused errors) a known occurrence? Are there any other metrics that I can observe which would indicate what is the cause of the Connection Refused errors? Is there a reliable way to repro this issue (without doubling the frequency of the read-replica script)?
NOTE: I have the following settings configured, which I suspect may be relevant:
olcConcurrency: 0
olcConnMaxPending: 100
olcConnMaxPendingAuth: 1000
olcGentleHUP: FALSE
olcIdleTimeout: 60
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexIntLen: 4
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: Stats
olcLogLevel: Sync
olcSizeLimit: unlimited
olcSockbufMaxIncoming: 262143
olcSockbufMaxIncomingAuth: 16777215
olcThreads: 16
olcToolThreads: 1
olcWriteTimeout: 0
Thanks,
Sent with [ProtonMail](https://protonmail.com) Secure Email.
3 years, 10 months
