openldap-technical January 2020

openldap-technical@openldap.org

35 participants
45 discussions

LMDB: "non-cached" reads
by Dmitri Shubin 22 Jan '20

22 Jan '20

Hi, Our application uses LMDB and sometimes we need to perform scan of old ("cold") data. The problem here is that this data can/will remove "hot" data from page-cache. Ideally to prevent this from happening we'd like to somehow mark cursor as "streaming"/"non-temporal". But AFAICS there is no such feature currently. We're experimenting with marking pages returned by cursor with madvise(MADV_DONTNEED) and this at least prevents RSS from growing. But maybe there are some downsides of this … [View More]

2 2

Re: [External] Re: Replication suddenly broken
by Prentice Bisbal 21 Jan '20

21 Jan '20

On 1/16/20 8:05 PM, Quanah Gibson-Mount wrote: > > --On Thursday, January 16, 2020 9:03 PM +0000 Prentice Bisbal > <pbisbal(a)princeton.edu> wrote: > >> One of my coworkers just noticed that replication is broken between our >> primary and secondary LDAP servers. It appears to have been broken for >> about 1 week now. Nothing has changed relative to the LDAP configuration >> on either of our servers, so this is an odd thing to suddenly happen. >> … [View More]

3 5

mdb_put failed: MDB_MAP_FULL
by Prentice Bisbal 21 Jan '20

21 Jan '20

I've temporarily fixed my Kerberos problem (I think) by using k5start to start slapd in debug mode: k5start -f /etc/krb5.keytab host/voltron-b.pppl.gov -- /usr/sbin/slapd -d 1634 When I do this, I no longer see the SASL auth failures, but now I'm seeing this error. Does this mean there are too many members in the group "trbatch"? mdb_id2entry_put: mdb_put failed: MDB_MAP_FULL: Environment mapsize limit reached(-30792) "cn=trbatch,ou=groups,dc=unix,dc=pppl,dc=gov" 5e27700b … [View More]

2 1

implementing changlog in openldap
by nomit babraa 21 Jan '20

21 Jan '20

Hi We are using open ldap (sorry don't have access to the version at the moment) and were wondering if there is any support for creating a changelog that is available at cn=changelog? We have a third party system that could use this changelog for monitoring event driven changes and I've had difficulty googling anything that sounds officially supported? Thanks for any advice. n

2 1

consistency expectations for 3 node multimaster deltasyncrepl
by Zach Hanson Hart 17 Jan '20

17 Jan '20

Hello list, TL;DR With multimaster deltasyncrepl, when the cluster is partitioned (no replication) and conflicting values are added to an entry for a single-valued attribute, after the nodes are reconnected and replication commences, is it expected for all nodes to end up with the same value for the attribute, or is it expected that they may be inconsistent? The long version: I'm following test063-delta-multimaster in a local test cluster, with 3 master nodes, and I wanted to confirm that I'… [View More]

2 1

Re: two slapd processes accessing one MDB env
by Ondřej Kuzník 17 Jan '20

17 Jan '20

On Fri, Jan 17, 2020 at 11:07:01AM +0100, Ondřej Kuzník wrote: > On Thu, Jan 16, 2020 at 04:08:28PM +0100, Michael Ströder wrote: > > HI! > > > > I vaguely remember that it's possible that two slapd processes can > > access a single MDB env. > > > > Is that supported? > > Any pre-cautions needed? > > I think if you were to configure both of them as a syncrepl consumer, > that might cause some headaches? (reply to list this time) Also if … [View More]

2 2

direct MDB access for counting entries from Python
by Michael Ströder 17 Jan '20

17 Jan '20

HI! In my monitoring check I'd like to indicate how many entries are in a database. Currently I'm using the no-op search control without any filtering to count the entries which is obviously a huge waste of CPU and I/O ressources for just retrieving the raw number of DB entries. Is it easily possible to access the id2e sub-DB and query number of entries? Something like mdb_stat -s id2e -e <db-path> | grep Entries but from Python with python-lmdb or a similar module. (Yes, I know … [View More]

2 5

Question about OpenLDAP and rwm overlay
by Vandenburgh, Steve Y 17 Jan '20

17 Jan '20

I'm attempting to use OpenLDAP as a proxy to an Active Directory domain. Using the ldap backend, I'm able to configure the proxy and that configuration seems to be working well. But account entries are frequently moved from ou to ou in a domain and Microsoft permits the bind DN to be a userPrincipalName attribute value of the entry instead of the full DN of the account; this features avoids having to make many bind DN application configuration changes. With just the ldap backend configured, … [View More]OpenLDAP rejects the userPrincipalName (UPN) bind DN as an invalid DN. To work around this error, I was trying to see if I could use the rwm overlay to detect the UPN and convert to the actual domain entry DN using an attribute map. If I use the form mail=UPN the map works as expected; however, if I only provide the UPN as the bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that the rwm overlay manipulations to not take effect until after the bind DN syntax is checked. I wanted to confirm my suspicion and see if any one else has been able to get a UPN-based bind to work through OpenLDAP. For reference my slapd.conf configuration is below: ### Schema includes ########################################################### include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema ## Module paths ############################################################## modulepath /usr/lib64/openldap/ moduleload rwm # Main settings ############################################################### loglevel 8 sizelimit unlimited idletimeout 600 writetimeout 30 allow bind_v2 pidfile /var/openldap/mycompany/var/slapd.pid argsfile /var/openldap/mycompany/var/slapd.args logfile /var/openldap/mycompany/logs/access TLSCertificateFile /var/openldap/mycompany/certs/Server.pem TLSCertificateKeyFile /var/openldap/mycompany/certs/Server.key TLSCACertificateFile /var/openldap/mycompany/certs/ServerCA.pem ### Rewrite rules ############################################################# # Bind with UPN instead of full DN: we first need # an ldap map that turns attributes into a DN (the # argument used when invoking the map is appended to # the URI and acts as the filter portion) overlay rwm rwm-suffixMassage "" "dc=mycompany,dc=com" rwm-rewriteMap ldap attr2dn "ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub" bindwhen=now version=3 binddn="CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com" credentials=****** # Then we need to detect UPN DN # note that the rule in case of match stops rewriting # In case we are mapping virtual # to real naming contexts, we also need to rewrite # regular DNs, because the definition of a bindDN # rewrite context overrides the default definition. rwm-rewriteContext bindDN rwm-rewriteRule "^[^=,]+(a)mycompany.com$" "mail=$0" ":" rwm-rewriteRule "^mail=[^,]+(a)mycompany.com$" "${attr2dn($0)}" ":@" ### Database definition (Proxy to AD) ######################################### database ldap readonly yes protocol-version 3 rebind-as-user uri "ldaps://mycompany.com" suffix "dc=mycompany,dc=com" Thanks, Steve Vandenburgh This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. [View Less]

6 9

Replication suddenly broken
by Prentice Bisbal 16 Jan '20

16 Jan '20

One of my coworkers just noticed that replication is broken between our primary and secondary LDAP servers. It appears to have been broken for about 1 week now. Nothing has changed relative to the LDAP configuration on either of our servers, so this is an odd thing to suddenly happen. When I look at the consumer with some debugging on, I see these messages (/usr/sbin/slapd -d 1638 was used to get these messages): It looks like the consumer host/voltron-b.pppl.gov,cn=pppl.gov,cn=gssapi,cn=… [View More]auth,is being rejected as not being authorized, but this has been working for years w/o issue. Any idea what has changed and how I may fix it? ldap_write: want=22, written=22 0000: 30 14 02 01 02 60 0f 02 01 03 04 00 a3 08 04 06 0....`.......... 0010: 47 53 53 41 50 49 GSSAPI ldap_read: want=8, got=8 0000: 30 4a 02 01 02 61 45 0a 0J...aE. ldap_read: want=68, got=68 0000: 01 0e 04 00 04 1c 53 41 53 4c 28 30 29 3a 20 73 ......SASL(0): s 0010: 75 63 63 65 73 73 66 75 6c 20 72 65 73 75 6c 74 uccessful result 0020: 3a 20 87 20 05 04 05 ff 00 0c 00 00 00 00 00 00 : . ............ 0030: 3a f9 e0 c9 07 00 00 00 fd e6 0d 82 df 31 29 00 :............1). 0040: a7 27 90 6a .'.j ldap_write: want=116, written=116 0000: 30 72 02 01 03 60 6d 02 01 03 04 00 a3 66 04 06 0r...`m......f.. 0010: 47 53 53 41 50 49 04 5c 05 04 04 ff 00 0c 00 00 GSSAPI.\........ 0020: 00 00 00 00 36 3c fc 1d 04 ff ff ff 64 6e 3a 75 ....6<......dn:u 0030: 69 64 3d 68 6f 73 74 2f 76 6f 6c 74 72 6f 6e 2d id=host/voltron- 0040: 62 2e 70 70 70 6c 2e 67 6f 76 2c 63 6e 3d 70 70 b.pppl.gov,cn=pp 0050: 70 6c 2e 67 6f 76 2c 63 6e 3d 67 73 73 61 70 69 pl.gov,cn=gssapi 0060: 2c 63 6e 3d 61 75 74 68 c2 5d 9b 4a ce d9 d6 8b ,cn=auth.].J.... 0070: 23 5f b4 1d #_.. ldap_read: want=8, got=8 0000: 30 3c 02 01 03 61 37 0a 0<...a7. ldap_read: want=54, got=54 0000: 01 32 04 00 04 30 53 41 53 4c 28 2d 31 34 29 3a .2...0SASL(-14): 0010: 20 61 75 74 68 6f 72 69 7a 61 74 69 6f 6e 20 66 authorization f 0020: 61 69 6c 75 72 65 3a 20 6e 6f 74 20 61 75 74 68 ailure: not auth 0030: 6f 72 69 7a 65 64 orized 5e20cedc slap_client_connect: URI=ldap://ldap1.pppl.gov ldap_sasl_interactive_bind_s failed (50) ldap_write: want=7, written=7 0000: 30 05 02 01 04 42 00 0....B. 5e20cedc do_syncrepl: rid=001 rc 50 retrying -- Prentice [View Less]

2 1

two slapd processes accessing one MDB env
by Michael Ströder 16 Jan '20

16 Jan '20

HI! I vaguely remember that it's possible that two slapd processes can access a single MDB env. Is that supported? Any pre-cautions needed? Ciao, Michael.

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2020