openldap-technical August 2020

openldap-technical@openldap.org

39 participants
43 discussions

Multiple memberOf overlays
by John C. Pfeifer 05 Aug '25

05 Aug '25

I am in the process of converting an existing LDAP infrastructure to OpenLDAP. I have a case where it would be convenient for two different objectClasses to map into the memberOf attribute. Is it possible to define two overlay configs or will they end up fighting each other over the memberOf attribute? For instance: dn: olcOverlay={5}memberofA,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {5}memberofA olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassA olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf dn: olcOverlay={6}memberofB,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {6}memberofB olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassB olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf // John Pfeifer Division of Information Technology University of Maryland, College Park

4 3

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Index seems to return wrong amount of candidate causing really poor search performance
by chrichardso27＠gmail.com 18 Aug '21

18 Aug '21

Hi, Considering the following assumptions; - OpenLDAP version 2.4.51 - attributes objectClass and abc are indexed based on equality - the EQUALITY of attribute abc is based on distinguishedNameMatch - The database contains roughly 2 million entries - 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass - 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database but this is not the case. The second filter also returns nearly the whole database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has value cn=foo,dc=bar, but for some reason for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))", the completion of the search takes a long time (around 15 seconds to be precise). The issue started suddenly and wasn't a degradation of query performance over time. Few things I have tried - Rebuilt the whole database again - Reindex the existing database again - Testing with bdb and mdb as backends - Increased cache sizes for bdb to hold the whole database in cache - For bdb adjust the page size of the indexes according to suggestion by db_tuner - Change the order of the filters None of these made any difference. At the moment, there does not seem to be any good options to try. Any ideas or help would be greatly appreciated!

6 18

HDB to MDB migration results in higher CPU usage on openldap consumers
by paul.jc＠yahoo.com 09 Nov '20

09 Nov '20

Hello, I have migrated from HDB to MDB backend and I am seeing higher CPU usage on my MDB openldap consumers. Has anyone else seen the same? Testing in my stage environment showed MDB to use less or the same amount of CPU than HDB - but now with real traffic and a large dataset I see sustained high CPU utilization. My production environment has the following specs: 6 consumer servers with 8vCPU x 16G RAM openldap version 2.4.45 Syncrepl enabled (with a single openldap provider server which is also MDB and has no issues and no high cpu). The database has ~230K users. data.mdb is about 1.8G in size. MDB database directives include: olcDbCheckpoint: 102400 10 olcDbNoSync: TRUE The rest are defaults. Indexing includes: olcDbIndex: businessCategory eq olcDbIndex: cn eq,sub olcDbIndex: description eq olcDbIndex: displayName eq,sub olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcDbIndex: gidNumber eq olcDbIndex: givenName eq,sub olcDbIndex: mail eq olcDbIndex: member eq olcDbIndex: memberOf eq olcDbIndex: memberUid eq olcDbIndex: objectClass pres,eq olcDbIndex: sn eq,sub olcDbIndex: uid eq,sub olcDbIndex: uidNumber eq olcDbIndex: uniqueMember eq These consumer servers are used for reads only. The initial sync with the provider is ok but once the consumers are actively handling read requests, CPU jumps to 60% usage on average. Our HDB consumers had half the resources (4vCPU and 8GB RAM) and less than half the CPU usage (average of 25% utilization). I have tested adding other MDB directives (writemap, mapasync, nordahead) but cannot get CPU utilization to come down close to what we see with the HDB backend. I have also load tested in my stage environment and was unable to reproduce (MDB generally utilized the same or less resources than HDB, but never double). There has been no change in the data or traffic between migration. We have also reverted some servers back to HDB and then back to MDB to confirm the high utilization. Has anyone else come across this with MDB and if so, were you able to alleviate CPU utilization? I can provide more details if needed. Any input welcome. Thanks! Paul

4 13

git repository build
by Nick Folino 01 Sep '20

01 Sep '20

Did a recent change break building from git? Make install is erroring off. I wiped my repo, cloned from https://github.com/openldap/openldap.git and tried a clean configure/make depend/make all went well. Make install not so well. Looks like the install is executing the tools: Making install in /home/nick/git/openldap/clients Entering subdirectory tools make[2]: Entering directory '/home/nick/git/openldap/clients/tools' ../../build/shtool mkdir -p /apps/openldap/bin libtool: install: ../../build/shtool install -c -m 755 -s ldapsearch /apps/openldap/bin/ldapsearch ldap_sasl_interactive_bind: Can't contact LDAP server (-1) libtool: install: ../../build/shtool install -c -m 755 -s ldapmodify /apps/openldap/bin/ldapmodify ldap_sasl_interactive_bind: Can't contact LDAP server (-1) libtool: install: ../../build/shtool install -c -m 755 -s ldapdelete /apps/openldap/bin/ldapdelete ldap_sasl_interactive_bind: Can't contact LDAP server (-1) libtool: install: ../../build/shtool install -c -m 755 -s ldapmodrdn /apps/openldap/bin/ldapmodrdn ldap_sasl_interactive_bind: Can't contact LDAP server (-1) libtool: install: ../../build/shtool install -c -m 755 -s ldappasswd /apps/openldap/bin/ldappasswd ldap_sasl_interactive_bind: Can't contact LDAP server (-1) libtool: install: ../../build/shtool install -c -m 755 -s ldapwhoami /apps/openldap/bin/ldapwhoami ldap_sasl_interactive_bind: Can't contact LDAP server (-1) libtool: install: ../../build/shtool install -c -m 755 -s ldapvc /apps/openldap/bin/ldapvc ldap_sasl_interactive_bind: Can't contact LDAP server (-1) libtool: install: ../../build/shtool install -c -m 755 -s ldapcompare /apps/openldap/bin/ldapcompare usage: #INST@1151854# [options] DN <attr:value|attr::b64value> where: DN Distinguished Name attr assertion attribute value assertion value b64value base64 encoding of assertion value Nick

2 4

Resyncing basic question..
by Frédéric Goudal 01 Sep '20

01 Sep '20

Hello, I’m wondering about the correct way to resync a directory in a push configuration… The setup is the following (as described in the documentation) : - on the master I have added a second suffix with the hidden property and the same suffix value. - this suffix have an ldap backend on another computer which is the real slave. I know the procedure to resynchronize two directory when the slave is in a pull configuration : get the csn of the master and restart the slave with the csn as argument. But in the push configuration : do I need to restart the slave (the backend of the second suffix ) ? Or the master which deals with the hidden suffix ? I hope my explanation are clear. Thanks in advance. f.g.

3 3

how to clean old multiple CSN ?
by Frédéric Goudal 31 Aug '20

31 Aug '20

Hello, I have an ldap master that from some reason has multiple CSN : contextCSN: 20130927152219.157851Z#000000#001#000000 contextCSN: 20131127140429.597497Z#000000#002#000000 contextCSN: 20141208130549.278599Z#000000#004#000000 contextCSN: 20200831094837.531411Z#000000#00a#000000 Some are quite old. I don’t know why they are here. Is there a way to clean the old Context CSN ? f.g.

2 1

Acl attribute access
by Marc Roos 31 Aug '20

31 Aug '20

If I have this acl: to dn="sendmailMTAKey=test(a)bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc= aaaaa,dc=local" by ssf=64 dn.exact="uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=loc al" read I can access with this ldap search: ldapsearch -LLL -W -s sub -b "sendmailMTAKey=test(a)bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaa aa,dc=local" -D "uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" -H ldaps://ldap.local sendmailMTAKey If I change the acl to to dn="sendmailMTAKey=test(a)bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc= aaaaa,dc=local" attrs="sendmailMTAKey" by ssf=64 dn.exact="uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=loc al" read The ldapsearch is not returning any object. How to resolve this?

3 7

Acl with variable in filter
by Marc Roos 31 Aug '20

31 Aug '20

Is it possible to have a variable VAR in an acl filter? Something like this: to dn="sendmailMTAKey=test(a)bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc= aaaaa,dc=local" filter="(sendmailMTAMapValue=VAR1) by ssf=64 dn.exact="uid=VAR1,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" read

1 1

user | this expansion in acl
by Marc Roos 31 Aug '20

31 Aug '20

I am not getting this page. Maybe there should be an example or so. I can use user anywhere in the acls and it will expand to the dn of the binddn of the ldapsearch request? user | this : resolves to the set { "cn=User,cn=adfasdfa,cn=asdfadfa,ou=asdfasdfas,ou=adsasdfasdf", "cn=Resource" } How can I get only 'User' and not the whole dn also not 'cn=User'? [1] https://www.openldap.org/faq/data/cache/1133.html

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2020