openldap-technical August 2020

openldap-technical@openldap.org

39 participants
42 discussions

Symas OpenLDAP for Linux on RHEL 8 divergence
by Quanah Gibson-Mount 20 Aug '20

20 Aug '20

Hello OpenLDAP community, Due to the issues with RFC 6125 discussed in <https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/t…> and Red Hat's decision to improperly patch "support" for RFC 6125 into their Enterprise Linux 8 package of libldap <https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/t…>, Symas OpenLDAP for Linux on RHEL8 will diverge from Red Hat in this regard starting with the Symas OpenLDAP for Linux on RHEL 8 version 2.4.51-1 release. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Question: rfc2307 vs rfc2307bis with multimaster replication
by Dave Macias 20 Aug '20

20 Aug '20

I see. Well, I think for starters i will move forward with version upgrade and eventually delta-sync. Then I’ll comeback to this post. Thank you always for the awesome support!! Stay safe. -Dave On Aug 18, 2020, 6:57 PM -0400, Quanah Gibson-Mount <quanah(a)symas.com>, wrote: > > > --On Tuesday, August 18, 2020 7:42 PM -0400 Dave Macias <davama(a)gmail.com> > wrote: > > > No, using syncrepl. Should we move to delta-syncrepl? > > Due to ITS#8125 which can't be fixed until 2.5, it's essentially mandatory > if you want reliable replication in the 2.4 series. > > > I can agree with that. We are using the distro provided openldap package > > and it's pretty key to our infrastructure. So having it up to date is > > good. We have already tested this before and the migration to symas > > openldap is very easy! Thank you for that. > > > > At least with my previous questions, are they any concerns in 2.4.51? > > I had a long list of questions related to your previous questions. Without > answers to those questions, I can't say much more. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com>

1 0

Can't build openldap 2.4.44 with OpenSSL - openssl-1.1.1d
by Shaheena Kazi 20 Aug '20

20 Aug '20

Hi, I am on debian stretch. The openldap im using is 2.4.44. I am trying to compile OpenSSL - openssl-1.1.1d with openldap 2.4.44. But it fails with the below message configure: error: Could not locate TLS/SSL package. Can someone help me here ?

2 2

Enable and Disable a user account in OpenLDAP using various methods, CLI, GUI, etc.
by wbranson＠mcw.edu 19 Aug '20

19 Aug '20

Hello, My apologies if this is in the wrong place. I am getting ready to migrate from NIS to LDAP in our HPC clusters. I need to know how to disable a user account, that is not to delete it, but to temporarily disable it. My current GUI to access LDAP is Apache Directory Studio. I also have the standard command line commands, ldapmodify , etc. So I have been looking around in various places. I saw some videos on YouTube for adding users with Apache. I can do most of the tasks listed for Apache Directory Studio. However, I have not used command line other than to add, delete or modify users and searches, oh and create some lidf files. My past experiences with LDAP and IDM products are based around UNIX based systems and applications "Sun™ Java System Directory Server 5.x and 6.x" and "Sun™ Identity Manager". I have also used Active Directory on the Microsoft side. So I have a better than average understanding of things, I just need to know this specific task. So if it is possible in OpenLDAP, to disable and enable users can anyone point me to a document or a YouTube Video or any information. Thank you so much for your assistance, in advance. Sincerely Bill Branson Server Engineer II | Research Computing Center Medical College of Wisconsin 414-955-2475 | wbranson(a)mcw.edu

4 3

Disabling memberOf as a built-in
by svenj＠uic.edu 19 Aug '20

19 Aug '20

Is there a configuration flag I can use to allow me to define memberOf in the schemas, rather than having it be a 'built-in' of OpenLDAP. Thanks in advance.

2 3

Re: Question: rfc2307 vs rfc2307bis with multimaster replication
by Dave Macias 18 Aug '20

18 Aug '20

> You need to upgrade, 2.4.44 is about 4.5 years old and numerous significant > bugs have been fixed with replication since then. It's absolutely unsafe > to use 2.4.44 for MPR (also, I'm going to assume you're correctly using > delta-syncrepl). 2.4.51 is the current release, change log is here: > > <https://www.openldap.org/software/release/changes.html> Thank you for the quick reply and reference. No, using syncrepl. Should we move to delta-syncrepl? I can agree with that. We are using the distro provided openldap package and it’s pretty key to our infrastructure. So having it up to date is good. We have already tested this before and the migration to symas openldap is very easy! Thank you for that. At least with my previous questions, are they any concerns in 2.4.51?

2 1

Question: rfc2307 vs rfc2307bis with multimaster replication
by Dave Macias 18 Aug '20

18 Aug '20

Hello, Hope everyone is staying safe and healthy. Currently running 2.4.44 with n-way multi-master setup with rfc2307 schema. We have tested rfc2307bis before on our lab environment with no issues but never deployed to production. Some of the benefits I remember about this test is the cool features like “reverse group membership” and “referential integrity” which are not possible with rfc2307. My question is two part: 1. Is switching to rfc2307bis recommended? Better performance? 2. Any issues with n-way multimaster replication? Thank you always for the continued support! Regards, Dave

2 1

LMDB nosync with write order preserving filesystem
by Gábor Melis 18 Aug '20

18 Aug '20

The documentation of MDB_NOSYNC says: If the filesystem preserves write order and the MDB_WRITEMAP flag is not used, transactions exhibit ACI (atomicity, consistency, isolation) properties and only lose D (durability). In practice, what file system + options preserve write order? Asked this question elsewhere from Howard. I got the answer that ZFS should do it, and ext4 with data=ordered _may_ do it. It seems to me that ext4 with data=journal should be a very safe bet, too, would it not? Are there any other recommendations? I ran a few microbenchmarks to compare ext4 data=ordered and data=journal. With the default sync, they can do about 600 and 400 write txn/s. With nosync + an mdb_env_sync() every second, they are both at about 200k txn/s. For reference, the system can do about 5 million read txn/s. That makes me hopeful that ext4 with data=journal could be a good option. Cheers, Gábor Melis

2 2

Multi Master Replication Error - Got Search Entry Without Sync State Control
by alexander.jarrard＠pfizer.com 17 Aug '20

17 Aug '20

Hi There, We are in the middle of implementing OpenLDAP into our network. We are testing our implementation and facing the below error in our logs after a node has either been powered off or the slapd service has been stopped (and subsequently brought back online): syncprov_sendresp: cookie=rid=001,sid=001,csn=20200813144529.184309Z#000000#001#000000 do_syncrep2: rid=002 got search entry without Sync State control (dc=domain,dc=local) do_syncrepl: rid=002 rc -1 retrying syncprov_sendresp: cookie=rid=001,sid=001,csn=20200813144529.378496Z#000000#001#000000 This error is only encountered on the node that had been brought offline. Prior to this replication had/has been working without issue - as far as we can tell. Below are the configuration LDIFs we used to enable replication: dn: cn=config changetype: modify add: olcServerID olcServerID: 1 ldap://ldap1.domain.local/ olcServerID: 2 ldap://ldap2.domain.local/ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov.la dn: olcOverlay=syncprov,olcDatabase={3}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={3}mdb,cn=config changetype:modify add: olcSyncrepl olcSyncrepl: rid=001 provider=ldap://ldap1.domain.local/ binddn="cn=manager,dc=domain,dc=local" bindmethod=simple credentials=ldap_pw searchbase="dc=domain,dc=local" type=refreshAndPersist retry="5 5 300 +" timeout=1 olcSyncrepl: rid=002 provider=ldap://ldap2.domain.local/ binddn="cn=manager,dc=domain,dc=local" bindmethod=simple credentials=ldap_pw searchbase="dc=domain,dc=local" type=refreshAndPersist retry="5 5 300 +" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE I have seen other posts about this error that mention the overlay not being properly configured, however, I don't think this is the case for us since replication does work as expected until a node is brought offline. It also seems that any changes made to online nodes are not replicated to the offline node when it is brought back online. However, any changes made after that node has been brought back online are replicated. I am sure this is probably a configuration issue but not sure where to go from here. Any help is greatly appreciated. Thanks!

4 6

Re: LDAP Tool Box packages [was: OpenLDAP 2.4.51 available, LMDB 0.9.26 available]
by Giuseppe De Marco 17 Aug '20

17 Aug '20

Bad news Quanah, I think that there would the need to have many pluggable storages with an abstract layer in between. NoSQL, SQL and others (like elastic search) are so many important storage engines nowadays, It would be awesome to have them in slapd. Replication would works only on mdb, because each storage engines would have their own Il lun 17 ago 2020, 17:37 Quanah Gibson-Mount <quanah(a)symas.com> ha scritto: > > > --On Monday, August 17, 2020 5:36 PM +0200 Clément OUDOT > <clem.oudot(a)gmail.com> wrote: > > > Is there any possibilities to have in ltb the SQL backend in future > > releases? > > I would note that back-sql is considered experimental, is extremely buggy, > and has been retired for the 2.5 release. Unless someone steps up to > maintain and fix it to a functional state, it will likely be removed > entirely at some point in the future. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > -- ------------------------------------------------------------------------------------------------------------------ Il banner è generato automaticamente dal servizio di posta elettronica dell'Università della Calabria <https://www.unical.it/portale/portaltemplates/view/view.cfm?100061>

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2020