openldap-technical July 2020

openldap-technical@openldap.org

29 participants
35 discussions

ldap_modify: Other (e.g., implementation specific) error (80) when adding new certificates
by Sami Ait Ali Oulahcen 14 Jul '20

14 Jul '20

Hi, I'm setting up a new instance of openldap, and I'm running into error (80) when trying to add new certificates. I've checked for the usual suspects: - certs in PEM format - file permissions along the path OK I'm using Symas' CentOS 7 repo: slapd 2.4.50 (Apr 28 2020 21:18:35) I've enabled debugging on the server (logs attached), but can't get anything out of it. Any pointers are appreciated. Regards, Sami

2 5

OpenLDAP in different directories
by Mig Ovie 08 Jul '20

08 Jul '20

Hello, I am new to OpenLDAP y would like to know whether I can install it on the /mnt. For this case, I am not allowed to install it on /etc or /usr or /var , which I believe will create many issues. Is it feasible/advisable?

3 3

Ppolicy control missing from supportedControl
by Côme Chilliet 07 Jul '20

07 Jul '20

Hello, I have ppolicy overlay correctly set up, but the ppolicy control 1.3.6.1.4.1.42.2.27.8.5.1 is not returned in supportedControl by openldap when querying the root DSE. Is this a bug or a feature? Is there something to do configuration wise to fix this? It is causing problems for PHP automated extension tests, the php-ldap module skips tests depending on whether associated controls are listed by the server or not, but ppolicy is never returned so the ppolicy test cannot run. Côme

3 4

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 06 Jul '20

06 Jul '20

Hi Quanah Just to be sure I manually removed the line and typed it back but still see the ERROR. Following line is causing the issue objectClass: olcAccessLogConfig I am attaching the ldif file for your reference. Thanks Rahul On Mon, Jul 6, 2020 at 2:40 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Monday, July 6, 2020 3:18 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > adding new entry "olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config" > > ldap_add: Invalid syntax (21) > > additional info: objectClass: value #1 invalid per syntax > > At a guess, you have something like a space or tab after the objectClass > value. > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 3

Re: slapd 2.4.44 Performance problems
by Daniel Zuniga 06 Jul '20

06 Jul '20

Is there a reason why OpenLDAP does not seem to use more than 8 cores regardless of the number of threads it is being told to use? With 16 threads it saturates 8 cores, 16 threads and 16 cores still uses 8 cores, 32 threads and 16 cores... only 8 cores are used. On Tue, Jun 30, 2020 at 6:43 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Tuesday, June 30, 2020 10:49 PM +0000 daniel.zuniga(a)gmail.com wrote: > > > Can you offer any guidance? Thanks. > > The OpenLDAP 2.4.44 release is over 4 years old. > > You need to: > > a) Upgrade to a current release > b) Migrate off of the back-bdb/hdb backend it seems like is being used to > back-mdb. They are deprecated and have serious performance issues vs > back-mdb > (< > https://mishikal.wordpress.com/2013/05/16/openldap-a-comparison-of-back-mdb… > >). > > If you are using RHEL7 or RHEL8, my company provides a free drop-in > replacement: > > <https://repo.symas.com/sofl/> > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

5 4

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 06 Jul '20

06 Jul '20

Hi Quanah I re installed openldap with all the overlays Here is the slapd -VVV output. I do see accesslog part of static overlays. [HPE SmartFabric:root@SN2100-106 initial_config]#slapd -VVV @(#) $OpenLDAP: slapd 2.4.50 (Jul 6 2020 18:11:26) $ @SN2100-106:/root/smartfabric/open-ldap/initial_config/openldap-2.4.50/servers/slapd Included static overlays: accesslog auditlog collect constraint dds deref dyngroup dynlist memberof ppolicy pcache refint retcode rwm seqmod sssvlv syncprov translucent unique valsort Included static backends: config ldif monitor mdb relay ++++++++++++++++++++++++++++++++++++++++ How ever i still see following ERROR ldapmodify -x -D 'cn=config' -w <password> -f update_config.ldif adding new entry "olcDatabase={2}mdb,cn=config" adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config" adding new entry "olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config" *adding new entry "olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config"ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax* here is the section which throws the ERROR dn: olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: {1}accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogSuccess: TRUE olcAccessLogPurge: 01+00:00 00+04:00 Thanks Rahul On Mon, Jul 6, 2020 at 1:15 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Monday, July 6, 2020 11:18 AM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > > > > > Hi Quanah > > > > > > Here is how I am building it > > > > > > 1) Download version 2.4.50 from > > https://www.openldap.org/software/download/ > > 2) Unpack the zip files > > 3) ./configure --enable-bdb=no --enable-hdb=no --enable-ipv6=yes > > I strongly advise you to really read the output of ./configure --help. It > explicitly tells you what overlays are and are not enabled by default. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 06 Jul '20

06 Jul '20

Hi Quanah Here is how I am building it 1) Download version 2.4.50 from https://www.openldap.org/software/download/ 2) Unpack the zip files 3) ./configure --enable-bdb=no --enable-hdb=no --enable-ipv6=yes 4) make depend 5) make 6) make test 7) su root -c 'make install' Let me know what I am missing so that accesslog modulegets included in slapd. Thanks Rahul On Fri, Jul 3, 2020 at 5:41 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Friday, July 3, 2020 4:09 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > > > > > Hi Quanah > > > > > > How do I include accesslog module in slapd ? > > Depends on how you built it, since you seem to be building your own. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 03 Jul '20

03 Jul '20

Hi Quanah How do I include accesslog module in slapd ? Thanks Rahul On Fri, Jul 3, 2020 at 11:44 AM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Wednesday, July 1, 2020 9:36 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > > > adding new entry "olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config" > > ldap_add: Invalid syntax (21) > > additional info: objectClass: value #1 invalid per syntax > > This would indicate the accesslog module is not part of your slapd binary. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 03 Jul '20

03 Jul '20

Hi Quanah If i comment out the module loading part then I am getting following ERROR [HPE SmartFabric:root@SN2100-106 initial_config]#ldapmodify -x -D 'cn=config' -w secret -f update_config.ldif adding new entry "olcDatabase={2}mdb,cn=config" adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config" adding new entry "olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config" adding new entry "olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config" ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax and this ERROR is for section dn: olcOverlay={1}accesslog,olcDatabase={3}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: {1}accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogSuccess: TRUE olcAccessLogPurge: 01+00:00 00+04:00 Let me know what is wrong with this. Thanks Rahul On Wed, Jul 1, 2020 at 6:16 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Wednesday, July 1, 2020 6:43 PM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > > > > > Hi Quanah > > > > > > Here is the output of slapd -VVV command. I do see accesslog as > > static overlays. > > > > > > > > What changes i need to make in below snippet > > Moduleloading is only for dynamic modules. Since you don't have a dynamic > module, you don't need to load it. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 02 Jul '20

02 Jul '20

Hi Quanah accesslog overlay file exists at following location /var/lib/ldap/accesslog What changes I need to make in below lines for moduleload to work dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov olcModuleLoad: accesslog Thanks Rahul On Wed, Jul 1, 2020 at 1:38 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Wednesday, July 1, 2020 11:09 AM -0400 kumar rahul > <rahul2002mit(a)gmail.com> wrote: > > > I am seeing following ERROR > > I have no idea how your slapd was built, etc. But essentially the > accesslog overlay must be loaded into slapd to be of use. It looks like > at > least some of the modules in your system are compiled statically, which is > likely why you currently do not have a module{0} section for loading > modules. You'll also have to verify where on disk the accesslog overlay > exists so that the moduleload statement pulls from the right directory. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

4 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2020