June 2020 - openldap-technical

Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.

by Ulrich Windl

Hi! After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389) (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice) The server is one of three MM servers that all have the same configuration and the same version. The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) What I'l like to know: Is there any thing I could fix in the configuration to make the message go away, or is it some software issue in slapd? Regards, Ulrich

2 years, 10 months

4
10
0 / 0

anonymize data

by Olivier -

Hi all, I have a question anonymizing data. My openldap have some confidential data inside and I would like this : if a person has a flag confidentiality set to 1 (or is in a special ou), openldap will replace or answer a different data. For example : if we request "sn" on this record , it will reply "Smith" dn: cn=Smith,ou=public,c=com confidentiality: 0 sn: Smith if we request "sn" on this record , it will reply "XXX" dn: cn=Bond,ou=public,c=com confidentiality: 1 sn: Bond I'm not sur Openldap can offer this kind of functionnality. Thanks for your help !

2 years, 10 months

5
6
0 / 0

slapd 2.4.44 Performance problems

by daniel.zuniga＠gmail.com

Hello, We are running OpenLDAP with a relatively small user base (15K users) and the server does not seem to be able to keep up with demand when there are multiple concurrent logins (20 users X 70 searches each) during user login. When users login to the server all cores in the server (8) run at 100% utilization, sometimes for as long as 20 minutes (depending on how many users are logging in concurrently). We have experimented and read and re-read the Tuning guidance but with very little success. We have tried increasing the number of available cores to slapd, but it does not use more than 8. We have also increased the number of threads from 16 to 32, but that also does not seem to have an effect nor does it seem to allow slapd to use all 16 cores (slapd seems limited to 8 cores regardless of the number of threads defined). The server has plenty of memory available and configured the db cache to use as much as in needs, but that does not seem to improve matters. Can you offer any guidance? Thanks.

2 years, 11 months

3
4
0 / 0

Re: [EXT] Re: syncrepl does not work as expected

by kumar rahul

Thank you for the pointers. I will setup delta syncrepl and test to verify if I see the issue or not. Thanks Rahul On Mon, Jun 29, 2020 at 4:02 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Monday, June 29, 2020 4:20 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > Thank you for creating the bug. I have added myself as CC. Based on > > the configuration information I have provided, can you provide a set of > > guidelines to configure my setup to use delta-syncrepl. > > The admin guide already provides information the configuration bits > necessary to set up delta-syncrepl. Generally: > > a) You need a secondary DB to store the accesslog data from the accesslog > overlay. > > b) You need to reconfigure the olcSyncrepl config to make use of the > accesslog db. > > <https://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl> > > And a blog post I wrote that gives some example configs: > > < > https://mishikal.wordpress.com/2019/04/23/configuring-mmr-using-delta-syn... > > > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 years, 11 months

2
3
0 / 0

Re: [EXT] Re: syncrepl does not work as expected

by kumar rahul

Hi Quanah Thank you for creating the bug. I have added myself as CC. Based on the configuration information I have provided, can you provide a set of guidelines to configure my setup to use delta-syncrepl. Thanks Rahul On Mon, Jun 29, 2020 at 3:10 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Monday, June 29, 2020 3:59 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > > > > > Hi Quanah > > > > > > Thank you for reproducing the issue. What is the course of action > > from here on? There will be an openldap release with the fix? or a patch > > will be released? Also can you share the bug # once you raise it. How > > will I get notified once the issue is fixed and is released? > > Hi Kumar, > > As was stated before, use delta-syncrepl as it avoids these types of > issues > with standard syncrepl. I'm guessing this is another variation of issue > #8125 (<https://bugs.openldap.org/show_bug.cgi?id=8125>), although I'm > initially filing a separate bug in case it is a different problem, issue > #9282 (<https://bugs.openldap.org/show_bug.cgi?id=9282>). > > You can add yourself to the CC of the issue to track its status and > resolution. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 years, 11 months

2
1
0 / 0

Re: [EXT] Re: syncrepl does not work as expected

by kumar rahul

Hi Quanah Thank you for reproducing the issue. What is the course of action from here on? There will be an openldap release with the fix? or a patch will be released? Also can you share the bug # once you raise it. How will I get notified once the issue is fixed and is released? Thanks Rahul On Mon, Jun 29, 2020 at 2:55 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Tuesday, June 23, 2020 5:04 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > Hi Quanah > > Hi Kumar, > > I was able to reproduce the issue, thanks for the report. I'll file a bug > for it. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 years, 11 months

2
1
0 / 0

Re: [EXT] Re: syncrepl does not work as expected

by kumar rahul

Hi Quanah Please find my answers inline a) Both servers have no DB, but are using these configs [Rahul] Both servers are started with an empty database. Both servers are in Provider and consumer mode. Our application is running on both servers as well. To start with our application is active on Server A, which means data will be written to server A database.and is synced/replicated to server B b) DB is added to server A and replicated to server B [Rahul] Yes since server A has our application in active mode hence data is written on server A and replicated to server B. c) server A is stopped [Rahul] yes we reboot the server A. d) You say "data is removed", I'm not sure what this means. A single entry? Multiple entries? The entire database? [Rahul] Now our application is active on Server B. Using server B removed "a Single Entry" which was removed from server B database as well. e) S1 is restarted, and the deleted data is replicated back to both nodes. [Rahul] Yes deleted data is replicated back to both nodes. when S1 is restarted slapd is configured in provider/consumer mode but our application is still active on server B which means writes will only happen at server B and should be synced to server A. Thank you for all the help so far. I have no intention of interrupting your work. Please look at my issue based on your convenience. Let me know if you have any other questions. Thanks Rahul On Tue, Jun 23, 2020 at 3:43 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Tuesday, June 23, 2020 1:47 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > Both the servers are set up as master as well as consumer so that > > sync works in both directions. So > > the sync setup is like "A -> B", > > and when A fails B is updated and the expectation is that "B -> A" should > > work because a multi master setup is already in place. Let me know based > > on the attached configuration files if my assumption is correct or not. > > > > > > Also Add data works when A fails and B is updated then sync "B -> A"works > > fine. > > > > After Delete data sync does not work when A fails and data is deleted > > from B. Once A comes back both databases have data which was deleted on > B. > > Hi, > > I'll see if I can reproduce your issue with the configs provided (Assuming > they look correct after I finish reviewing them in full), but I want to > confirm the exact steps: > > a) Both servers have no DB, but are using these configs > > b) DB is added to server A and replicated to server B > > c) server A is stopped > > d) You say "data is removed", I'm not sure what this means. A single > entry? Multiple entries? The entire database? > > e) S1 is restarted, and the deleted data is replicated back to both nodes. > > Note that I do have a paid job that keeps me busy, so this is a best > effort > when I have time available to investigate. > > Thanks, > Quanah > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 years, 11 months

2
1
0 / 0

LMDB transaction flags

by Stefano Cossu

Hello, I'd like to be able to know if a LMDB transaction is active, valid, dirty, read-only, etc. From the documentation I read that such information is in mt_flags of the mdb_txn structure, which is opaque. I don't see any function exposing mt_flags. Is there any other way to read that information?

2 years, 11 months

2
4
0 / 0

[Question]: Looking for updated ppolicy in v2.4.50

by Dave Macias

Hello, Using openldap v2.4.50 and noticed that there were some updates <https://github.com/openldap/openldap/commit/4bc54d104a9563d35f3d5fc2e69fe...> which were part of the 2.4.50 release. I installed openldap but cannot find those new attributes (pwdMaxLength, pwdStartTime, etc) > grep pwdMaxL /etc/openldap/schema/* > grep pwdStar /etc/openldap/schema/* Maybe I am missing something. Could someone please point me in the right direction? Thank you, Dave

2 years, 11 months

2
1
0 / 0

Re: [Question]: centos8 install - looking for migrationtools package

by Dave Macias

Thank you for the reply! Decided to use the centos7 versions. They worked like a charm! Regards, Dave On Fri, Jun 26, 2020 at 2:56 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Thursday, June 25, 2020 1:01 PM -0400 Dave Macias <davama(a)gmail.com> > wrote: > > > > > Hello, > > > > > > Our production env is centos7 and we were testing to see how it would > > work on centos8. > > > > > > There were no issues using the symas pkgs. Thank you for providing them! > > > > > > I was wondering if someone knew where I could find the migrationtools for > > centos8? > > I think since rhel stopped supporting openldap-servers, it would make > > sense that the migrationtools package would disappear too. > > > > > > Perhaps this is not the right place to ask, but any input is much > > appreciated. > > What you would likely need to do is look at the Fedora git repository for > the migrationtools package and port it for CentOS8 and then build it > yourself. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 years, 11 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2020