openldap-technical April 2020

openldap-technical@openldap.org

33 participants
35 discussions

LMDB: sync'ing to disk and flash wear
by Alberto Mardegan 07 Apr '20

07 Apr '20

Hi all! I'm trying to understand the impact that a LDMB database will have on the flash wear of an embedded device. In order to minimize disk writes, I'm keeping a DB open all the time, and I'd like to have the changes written into the physical storage only when mdb_env_sync() is called (near the end of my process lifetime). I'm opening the DB with the MDB_NOSYNC | MDB_WRITEMAP | MDB_NOMETASYNC flags, and if I strace the executable I see that lmdb behaves as expected: no writes happen until … [View More]

2 1

Openldap 2.4.49 with overlays syncrepl+ppolicy+chain+ldap weird behavior
by "POISSON Frédéric" 06 Apr '20

06 Apr '20

Hello, I'm doing a OpenLDAP test with a master/slave replication configuration including ppolicy overlay. I would like to enable password change from the slave replica with chain overlay, in order to validate the ppolicy olcPPolicyForwardUpdates attribute to TRUE. I'm using LDAPS from slave to master with SASL External authentication with client certificate. The client certificate correspond to a user DN entry with "manage" rights on the master server (the same used for the replication). This … [View More]user DN has authzTo attribute in order to match the correct PROXYAUTHZ request from its dn to user DN. All of this configuration works on replica when i do first a failed authentication (err=49) on replica. The pwdFailureTime value is updated on the DN entry from replica to slave normally. I'm also able to do after some self entry update on some attribute such as password or others from replica to master. But the weird behavior is that i need to run first an failed authentication, otherwise if i try to change attribute on the slave server, it respond an err=80 "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?". The only way to retrieve correct behavior is to restart slapd, and redo one failed authentication first. It seems that the chain overlay do not connect the master server at startup Do you have any ideas why i have this behavior ? I'm using a 2.4.49 build of openldap, and inside logs on master server i see that the slave use the same connection. Here is the LDIF change and configuration on my replica : dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain olcChainReturnError: TRUE dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config changetype: add objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbURI: ldaps://valid7-lab-ldap1.tld olcDbIDAssertBind: bindmethod=sasl saslmech=external starttls=no tls_cert="/usr/local/openldap/etc/openldap-valid7/tls/db1_rid001_cert.pem" tls_key="/usr/local/openldap/etc/openldap-valid7/tls/db1_rid001_key.pem" tls_cacert="/usr/local/openldap/etc/openldap-valid7/tls/cacert.pem" tls_reqcert=demand tls_crlcheck=none mode=self olcDbRebindAsUser: TRUE dn: olcDatabase={1}mdb,cn=config changetype: modify replace: olcUpdateRef olcUpdateRef: ldaps://valid7-lab-ldap1.tld - dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config changetype: modify replace: olcPPolicyForwardUpdates olcPPolicyForwardUpdates: TRUE - Here is LDIF change on my master : dn: cn=config changetype: modify replace: olcAuthzPolicy olcAuthzPolicy: to - Thanks in advance for your reply -- Frederic Poisson [View Less]

2 1

Slapd unexpectedly shutdown
by Kevin Olbrich 06 Apr '20

06 Apr '20

Hi! I'm experiencing an issue with Slapd 2.4.49 on Debian Buster. I use Slapd as a proxy / lb with two AD nodes behind it. If I reboot one of the AD nodes, everything is fine. As soon as I reboot the seconds one (while the first is back and available), OpenLDAP shuts down immediately: Apr 06 22:03:33 ldap-lb1.ldap.example.com slapd[22140]: Stopping OpenLDAP: slapd. Apr 06 22:03:33 ldap-lb1.ldap.example.com systemd[1]: slapd.service: Succeeded. There is no traffic during this time and it … [View More]

1 0

Re: NetworkRadius CentOS pkg uses openldap-ltb which conflict with symas-openldap
by Dave Macias 02 Apr '20

02 Apr '20

On Thu, Mar 26, 2020 at 3:44 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Try it and see? I can't find any concrete documentation one way or the > other, although it seems BuildRequires generally follows what Requires > does. You may need to ask the people who maintain RPM. > > There are other issues in the spec file, however, like: > > --with-libfreeradius-ldap-include-dir=/usr/local/openldap/include \ > --with-libfreeradius-ldap-lib-dir=/… [View More]

2 2

Multiple OpenLDAP client instances with the c library
by Lasa Martxel 02 Apr '20

02 Apr '20

Hello, I'm using the openldap c client library (2.4.45). I would like to somehow have two client instances (not necessarily simultaneously) within the same application, but I'm having issues with the second instance I create. I have not found a way to clear the global options so the new ones (different ca cerficiate, different client certificate) can be used with the second instance. With the second ldap_initialize, global options are already initialized. Same with the TLS context, it's … [View More]

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2020