openldap-technical January 2020

openldap-technical@openldap.org

35 participants
45 discussions

LMDB: "non-cached" reads
by Dmitri Shubin 22 Jan '20

22 Jan '20

Hi, Our application uses LMDB and sometimes we need to perform scan of old ("cold") data. The problem here is that this data can/will remove "hot" data from page-cache. Ideally to prevent this from happening we'd like to somehow mark cursor as "streaming"/"non-temporal". But AFAICS there is no such feature currently. We're experimenting with marking pages returned by cursor with madvise(MADV_DONTNEED) and this at least prevents RSS from growing. But maybe there are some downsides of this approach? Thanks! -- ______________________________ itiviti.com <https://www.itiviti.com/> <https://www.linkedin.com/company/itiviti> Follow Itiviti on Linkedin <https://www.linkedin.com/company/10438325/> The information contained in or attached to this email is strictly confidential. If you are not the intended recipient, please notify us immediately by telephone and return the message to us. Email communications by definition contain personal information. The Itiviti group of companies is subject to European data protection regulations. Itiviti’s Privacy Notice is available at www.itiviti.com <http://www.itiviti.com/>. Itiviti expects the recipient of this email to be compliant with Itiviti’s Privacy Notice and applicable regulations. Please advise us immediately at dataprotectionteam(a)Itiviti.com if you are not compliant with these.

2 2

Re: [External] Re: Replication suddenly broken
by Prentice Bisbal 21 Jan '20

21 Jan '20

On 1/16/20 8:05 PM, Quanah Gibson-Mount wrote: > > --On Thursday, January 16, 2020 9:03 PM +0000 Prentice Bisbal > <pbisbal(a)princeton.edu> wrote: > >> One of my coworkers just noticed that replication is broken between our >> primary and secondary LDAP servers. It appears to have been broken for >> about 1 week now. Nothing has changed relative to the LDAP configuration >> on either of our servers, so this is an odd thing to suddenly happen. >> When I look at the consumer with some debugging on, I see these messages >> (/usr/sbin/slapd -d 1638 was used to get these messages): >> >> It looks like the consumer >> host/voltron-b.pppl.gov,cn=pppl.gov,cn=gssapi,cn=auth,is being rejected >> as not being authorized, but this has been working for years w/o issue. >> Any idea what has changed and how I may fix it? > > Well, the error came from cyrus-sasl rather than OpenLDAP. This would > indicate to me that the not authorized came from the KDC. Have you checked > to ensure the keys in the keytab file haven't expired inside the KDC? > That's exactly what I suspected. We're using AD for our Kerberos Client, and one of our AD admins insists that it couldn't be expired credentials. I did use a utility called msktutil to make sure the kerberos tickets in /etc/krb5.keytab were up to date, but I'm still getting that error. Any ideas on how to prove/disprove what you suggest, so I can go back to my AD admins with more information? -- Prentice

3 5

mdb_put failed: MDB_MAP_FULL
by Prentice Bisbal 21 Jan '20

21 Jan '20

I've temporarily fixed my Kerberos problem (I think) by using k5start to start slapd in debug mode: k5start -f /etc/krb5.keytab host/voltron-b.pppl.gov -- /usr/sbin/slapd -d 1634 When I do this, I no longer see the SASL auth failures, but now I'm seeing this error. Does this mean there are too many members in the group "trbatch"? mdb_id2entry_put: mdb_put failed: MDB_MAP_FULL: Environment mapsize limit reached(-30792) "cn=trbatch,ou=groups,dc=unix,dc=pppl,dc=gov" 5e27700b null_callback : error code 0x50 5e27700b syncrepl_entry: rid=001 be_modify failed (80) sasl_generic_write: want=71, written=71 -- Prentice

2 1

implementing changlog in openldap
by nomit babraa 21 Jan '20

21 Jan '20

Hi We are using open ldap (sorry don't have access to the version at the moment) and were wondering if there is any support for creating a changelog that is available at cn=changelog? We have a third party system that could use this changelog for monitoring event driven changes and I've had difficulty googling anything that sounds officially supported? Thanks for any advice. n

2 1

consistency expectations for 3 node multimaster deltasyncrepl
by Zach Hanson Hart 17 Jan '20

17 Jan '20

Hello list, TL;DR With multimaster deltasyncrepl, when the cluster is partitioned (no replication) and conflicting values are added to an entry for a single-valued attribute, after the nodes are reconnected and replication commences, is it expected for all nodes to end up with the same value for the attribute, or is it expected that they may be inconsistent? The long version: I'm following test063-delta-multimaster in a local test cluster, with 3 master nodes, and I wanted to confirm that I'm not misunderstanding before moving forward. The test test063-delta-multimaster breaks replication and does conflicting adds of a single-valued attribute (employeeNumber) with different values on the two nodes. It then restores replication, gives it a bit to replicate, and then confirms that the "filtered" ldif is the same. My confusion is about this filtering. In the test, it does $LDIFFILTER -s a < $TESTDIR/server$n.out > $TESTDIR/server$n.flt and then compares the filtered files. Does this simply sort the attributes and values, or does it strip values? Essentially, is this testing that the value of the employeeNumber is the same on both nodes, or is it simply testing that the employeeNumber is present on both nodes? Thanks! Zach

2 1

Re: two slapd processes accessing one MDB env
by Ondřej Kuzník 17 Jan '20

17 Jan '20

On Fri, Jan 17, 2020 at 11:07:01AM +0100, Ondřej Kuzník wrote: > On Thu, Jan 16, 2020 at 04:08:28PM +0100, Michael Ströder wrote: > > HI! > > > > I vaguely remember that it's possible that two slapd processes can > > access a single MDB env. > > > > Is that supported? > > Any pre-cautions needed? > > I think if you were to configure both of them as a syncrepl consumer, > that might cause some headaches? (reply to list this time) Also if either of them is a syncrepl provider, probably make sure that no other server is accepting writes to this db file, I can imagine (refreshAndPersist) scenarios that might leave you unhappy otherwise. -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

2 2

direct MDB access for counting entries from Python
by Michael Ströder 17 Jan '20

17 Jan '20

HI! In my monitoring check I'd like to indicate how many entries are in a database. Currently I'm using the no-op search control without any filtering to count the entries which is obviously a huge waste of CPU and I/O ressources for just retrieving the raw number of DB entries. Is it easily possible to access the id2e sub-DB and query number of entries? Something like mdb_stat -s id2e -e <db-path> | grep Entries but from Python with python-lmdb or a similar module. (Yes, I know subprocess module but I really hate invoking command-line tools from Python.) Ciao, Michael.

2 5

Question about OpenLDAP and rwm overlay
by Vandenburgh, Steve Y 17 Jan '20

17 Jan '20

I'm attempting to use OpenLDAP as a proxy to an Active Directory domain. Using the ldap backend, I'm able to configure the proxy and that configuration seems to be working well. But account entries are frequently moved from ou to ou in a domain and Microsoft permits the bind DN to be a userPrincipalName attribute value of the entry instead of the full DN of the account; this features avoids having to make many bind DN application configuration changes. With just the ldap backend configured, OpenLDAP rejects the userPrincipalName (UPN) bind DN as an invalid DN. To work around this error, I was trying to see if I could use the rwm overlay to detect the UPN and convert to the actual domain entry DN using an attribute map. If I use the form mail=UPN the map works as expected; however, if I only provide the UPN as the bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that the rwm overlay manipulations to not take effect until after the bind DN syntax is checked. I wanted to confirm my suspicion and see if any one else has been able to get a UPN-based bind to work through OpenLDAP. For reference my slapd.conf configuration is below: ### Schema includes ########################################################### include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema ## Module paths ############################################################## modulepath /usr/lib64/openldap/ moduleload rwm # Main settings ############################################################### loglevel 8 sizelimit unlimited idletimeout 600 writetimeout 30 allow bind_v2 pidfile /var/openldap/mycompany/var/slapd.pid argsfile /var/openldap/mycompany/var/slapd.args logfile /var/openldap/mycompany/logs/access TLSCertificateFile /var/openldap/mycompany/certs/Server.pem TLSCertificateKeyFile /var/openldap/mycompany/certs/Server.key TLSCACertificateFile /var/openldap/mycompany/certs/ServerCA.pem ### Rewrite rules ############################################################# # Bind with UPN instead of full DN: we first need # an ldap map that turns attributes into a DN (the # argument used when invoking the map is appended to # the URI and acts as the filter portion) overlay rwm rwm-suffixMassage "" "dc=mycompany,dc=com" rwm-rewriteMap ldap attr2dn "ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub" bindwhen=now version=3 binddn="CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com" credentials=****** # Then we need to detect UPN DN # note that the rule in case of match stops rewriting # In case we are mapping virtual # to real naming contexts, we also need to rewrite # regular DNs, because the definition of a bindDN # rewrite context overrides the default definition. rwm-rewriteContext bindDN rwm-rewriteRule "^[^=,]+(a)mycompany.com$" "mail=$0" ":" rwm-rewriteRule "^mail=[^,]+(a)mycompany.com$" "${attr2dn($0)}" ":@" ### Database definition (Proxy to AD) ######################################### database ldap readonly yes protocol-version 3 rebind-as-user uri "ldaps://mycompany.com" suffix "dc=mycompany,dc=com" Thanks, Steve Vandenburgh This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

6 9

Replication suddenly broken
by Prentice Bisbal 16 Jan '20

16 Jan '20

One of my coworkers just noticed that replication is broken between our primary and secondary LDAP servers. It appears to have been broken for about 1 week now. Nothing has changed relative to the LDAP configuration on either of our servers, so this is an odd thing to suddenly happen. When I look at the consumer with some debugging on, I see these messages (/usr/sbin/slapd -d 1638 was used to get these messages): It looks like the consumer host/voltron-b.pppl.gov,cn=pppl.gov,cn=gssapi,cn=auth,is being rejected as not being authorized, but this has been working for years w/o issue. Any idea what has changed and how I may fix it? ldap_write: want=22, written=22 0000: 30 14 02 01 02 60 0f 02 01 03 04 00 a3 08 04 06 0....`.......... 0010: 47 53 53 41 50 49 GSSAPI ldap_read: want=8, got=8 0000: 30 4a 02 01 02 61 45 0a 0J...aE. ldap_read: want=68, got=68 0000: 01 0e 04 00 04 1c 53 41 53 4c 28 30 29 3a 20 73 ......SASL(0): s 0010: 75 63 63 65 73 73 66 75 6c 20 72 65 73 75 6c 74 uccessful result 0020: 3a 20 87 20 05 04 05 ff 00 0c 00 00 00 00 00 00 : . ............ 0030: 3a f9 e0 c9 07 00 00 00 fd e6 0d 82 df 31 29 00 :............1). 0040: a7 27 90 6a .'.j ldap_write: want=116, written=116 0000: 30 72 02 01 03 60 6d 02 01 03 04 00 a3 66 04 06 0r...`m......f.. 0010: 47 53 53 41 50 49 04 5c 05 04 04 ff 00 0c 00 00 GSSAPI.\........ 0020: 00 00 00 00 36 3c fc 1d 04 ff ff ff 64 6e 3a 75 ....6<......dn:u 0030: 69 64 3d 68 6f 73 74 2f 76 6f 6c 74 72 6f 6e 2d id=host/voltron- 0040: 62 2e 70 70 70 6c 2e 67 6f 76 2c 63 6e 3d 70 70 b.pppl.gov,cn=pp 0050: 70 6c 2e 67 6f 76 2c 63 6e 3d 67 73 73 61 70 69 pl.gov,cn=gssapi 0060: 2c 63 6e 3d 61 75 74 68 c2 5d 9b 4a ce d9 d6 8b ,cn=auth.].J.... 0070: 23 5f b4 1d #_.. ldap_read: want=8, got=8 0000: 30 3c 02 01 03 61 37 0a 0<...a7. ldap_read: want=54, got=54 0000: 01 32 04 00 04 30 53 41 53 4c 28 2d 31 34 29 3a .2...0SASL(-14): 0010: 20 61 75 74 68 6f 72 69 7a 61 74 69 6f 6e 20 66 authorization f 0020: 61 69 6c 75 72 65 3a 20 6e 6f 74 20 61 75 74 68 ailure: not auth 0030: 6f 72 69 7a 65 64 orized 5e20cedc slap_client_connect: URI=ldap://ldap1.pppl.gov ldap_sasl_interactive_bind_s failed (50) ldap_write: want=7, written=7 0000: 30 05 02 01 04 42 00 0....B. 5e20cedc do_syncrepl: rid=001 rc 50 retrying -- Prentice

2 1

two slapd processes accessing one MDB env
by Michael Ströder 16 Jan '20

16 Jan '20

HI! I vaguely remember that it's possible that two slapd processes can access a single MDB env. Is that supported? Any pre-cautions needed? Ciao, Michael.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2020