Re: [EXT] Re: Is there any easy way to decode openldap logs
by chandan jain
More servers behind a load balancer means more distribution of traffic and
less load on a single node. A sudden spike in traffic won't choke the setup.
Regards
Chandan
On Fri, Mar 12, 2021, 00:18 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> --On Friday, March 12, 2021 12:12 AM +0530 chandan jain
> <chandandevops(a)gmail.com> wrote:
>
> >
> > Quanah, I am already having this setup, but business wants to horizontal
> > scale the setup.
>
> If you only have a single application using LDAP, how does horizontal
> scaling help in any way?
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
2 years, 6 months
Re: [EXT] Re: Is there any easy way to decode openldap logs
by chandan jain
Quanah, I already have this setup, but the business wants to horizontally
scale it.
As far as I understood, horizontal scaling is for read replicas only, as
writes would go to a single node with a sticky session.
Your earlier solution was perfect for my use case; it's just that I am
confused about how to bifurcate read and write connections. Shall I use two
separate connection strings from the single application for read and write
traffic to the same set of servers with different pools?
Regards
Chandan
On Thu, Mar 11, 2021, 21:30 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> --On Thursday, March 11, 2021 10:56 AM +0530 chandan jain
> <chandandevops(a)gmail.com> wrote:
>
> >
> >
> > OK, but if I put a single connection string, how below setup suggested by
> > quanah will work.
> >
> >
> > I have a single application which read as well as write to ldap.
>
> If you have only a single application using LDAP, just set up two nodes
> with sticky failover and a single pool, since nothing else is using LDAP.
> As has been said repeatedly, in general, an application that does writes
> should use the same connection for reads.
>
> --Quanah
>
2 years, 6 months
Re: Re: [EXT] Re: Is there any easy way to decode openldap logs
by chandan jain
Understood, Quanah, but I have a single app which performs both reads and
writes. The app is using a single connection string for binding with LDAP. So
shall I use two separate connection strings, one for reads and one for writes,
in the application code?
Also, as per the configuration setup suggested by you, how does the
replication need to be set up? I mean mirror mode across write pool members
and another mirroring for read pool members from one of the write pool members.
Regards
Chandan
On Wed, Mar 10, 2021, 21:41 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> --On Wednesday, March 10, 2021 6:43 PM +0530 chandan jain
> <chandandevops(a)gmail.com> wrote:
>
> >
> >
> > A load-balancer that is not doing round-robin (but some other policy,
> > like response time or throughput) probably would be OK
> >
> >
> >
> > OK agreed with you, but above loadbalancer config doesn't solve problem
> > of horizontal scaling and load balancing.
> >
> >
> > In other words, is it possible to achieve a horizontally scalable, highly
> > available and load balanced setup.
>
> You set up two pools in the load balancer
>
> Pool 1 -> For apps that only do reads, and handles load distribution in
> whatever method you feel best. Example DNS: ldap.example.com
>
> Pool 2 -> For apps that write directly. Sticky session to a single
> provider unless it goes offline. Example DNS: ldap-provider.example.com
>
> --Quanah
>
2 years, 6 months
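An HAProxy configuration for the two-pool layout Quanah describes above (ldap.example.com spread over every node for readers, ldap-provider.example.com sticky to one node for writers), added here as a worked example. It is not from the thread, from Symas or from the OpenLDAP project. The node names ldap-a to ldap-d, the two VIP addresses and the ports are assumptions.

```haproxy
# Added example, not part of the thread. HAProxy 2.x, TCP mode.
# Assumed: nodes ldap-a..ldap-d on 389, VIPs 192.0.2.10 (ldap.example.com)
# and 192.0.2.11 (ldap-provider.example.com).

global
    log /dev/log local0
    maxconn 10000

defaults
    mode    tcp           # plain pass-through; LDAP and LDAP-over-TLS are opaque to the LB
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60m   # LDAP connections are long-lived; match the application's pool idle timeout
    timeout server  60m

# Pool 1: reads only. Any node, round-robin.
frontend ldap_read
    bind 192.0.2.10:389
    default_backend ldap_read_pool

backend ldap_read_pool
    balance roundrobin
    option ldap-check     # LDAPv3 anonymous bind probe; the nodes must allow anonymous bind
    default-server inter 5s fall 2 rise 3
    server ldap-a ldap-a.example.com:389 check
    server ldap-b ldap-b.example.com:389 check
    server ldap-c ldap-c.example.com:389 check
    server ldap-d ldap-d.example.com:389 check

# Pool 2: writes, and the reads of any application that also writes.
# ldap-a is the only active server; the rest are backups. Without
# "option allbackups" HAProxy sends everything to the first healthy backup,
# so writes move to ldap-b when ldap-a is down, and to ldap-c only when
# both ldap-a and ldap-b are down.
frontend ldap_write
    bind 192.0.2.11:389
    default_backend ldap_write_pool

backend ldap_write_pool
    option ldap-check
    default-server inter 5s fall 2 rise 3
    server ldap-a ldap-a.example.com:389 check
    server ldap-b ldap-b.example.com:389 check backup
    server ldap-c ldap-c.example.com:389 check backup
    server ldap-d ldap-d.example.com:389 check backup
```

Two things to watch with this layout. Because the balancer only passes TCP through, a client doing StartTLS or ldaps against ldap.example.com or ldap-provider.example.com will verify the node's certificate against those names, so every node's certificate needs both VIP hostnames as subjectAltNames. And when ldap-a comes back, new write connections return to it while connections already open to ldap-b stay there; that is harmless in a multi-provider setup because every node accepts writes and replicates them, which is also why the replication connections between nodes should go directly node to node and never through these pools.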
Re: Is there any easy way to decode openldap logs
by chandan jain
Thanks, Quanah, for the detailed explanation; you have sorted out the confusion.
I have one last doubt: the read and write bifurcation of the LDAP connection
string is to be handled in application code. It has nothing to do with the
LDAP end. I mean I need to define ldap.example.com as the connection string
for reads and ldap-provider.example.com for writes in the application code.
Regards
On Wed, Mar 10, 2021, 23:19 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> --On Wednesday, March 10, 2021 10:38 PM +0530 chandan jain
> <chandandevops(a)gmail.com> wrote:
>
> >
> >
> > Understood quanah, but I have a single app which performs both read and
> > write. App is using single connection string for binding with ldap. So
> > shall I use two separate connection string, one for read and one for
> > write in the application code ?
>
> If you look closely at my response, I noted that apps that do writes should
> use the same pool for reads. This is generally due to the fact most apps
> I've run across do a read after write and may hit problems if the change is
> not there (i.e., due to replication delays).
>
> > Also, as per the configuration setup suggested by you, how the
> > replication need to be setup, I mean mirror mode across write pool
> > members and another mirroring for read pool members from one of write
> > pool member.
>
> I don't understand this question. There's a single set of servers, say A,
> B, C, D. There are two pools configured in the load balancer. The first
> pool uses a sticky setting, and always points to a single server for write
> ops (say A) unless its down, at which point it will fail over to the first
> available server (say B). The second pool is for reads, and does whatever
> algorithm you think best (say round robin), and bounces between A, B, C, D.
>
> What replication mechanism is in use has nothing to do with the load
> balancer configuration. I would generally advise using delta-syncrepl
> between nodes A, B, C D, all of which connect directly to one another and
> don't interact directly with the load balancer at all.
>
> Regards,
> Quanah
>
>
2 years, 6 months
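Quanah's advice above is delta-syncrepl between nodes A, B, C and D, with every node connecting directly to every other node and the load balancer playing no part in replication. The cn=config LDIF below is an added example of that, not configuration from the thread, from Symas or from the OpenLDAP project. It is meant to be loaded identically on every node with ldapmodify against ldapi:///. The suffix dc=example,dc=com, the node hostnames, the replicator DN and its credentials, the accesslog directory and the assumption that the user data lives in olcDatabase={1}mdb with no {2} database yet are all assumptions.

```ldif
# Added example, not part of the thread. Delta-syncrepl multi-provider
# setup for four nodes; load the same file on every node.
# Assumed: suffix dc=example,dc=com in olcDatabase={1}mdb, nodes
# ldap-a..ldap-d, replicator cn=replicator,dc=example,dc=com.

# Each node finds its own ID by matching one of these URLs against the
# listener URL it was started with (slapd -h), so the -h URL must match.
dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 1 ldap://ldap-a.example.com
olcServerID: 2 ldap://ldap-b.example.com
olcServerID: 3 ldap://ldap-c.example.com
olcServerID: 4 ldap://ldap-d.example.com

# Accesslog database: the change log the other nodes pull deltas from.
# It stores the full content of every write, userPassword values included,
# so only the replicator may read it.
dn: olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=example,dc=com
olcDbMaxSize: 1073741824
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN
olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * none
olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# Main database: record successful writes in cn=accesslog, keep the log
# for 7 days and purge it daily.
dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# The replicator needs unlimited read of the whole tree (userPassword too),
# so its ACL goes first and "break" lets every other rule apply to everyone
# else. Each node lists all four providers; slapd skips its own serverID.
# starttls=critical keeps the replicator credentials off the wire in clear;
# it needs TLS configured on every node first.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
-
add: olcLimits
olcLimits: dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
add: olcSyncrepl
olcSyncrepl: rid=001 provider=ldap://ldap-a.example.com bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=CHANGE-ME starttls=critical searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="5 5 300 +" syncdata=accesslog
olcSyncrepl: rid=002 provider=ldap://ldap-b.example.com bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=CHANGE-ME starttls=critical searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="5 5 300 +" syncdata=accesslog
olcSyncrepl: rid=003 provider=ldap://ldap-c.example.com bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=CHANGE-ME starttls=critical searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="5 5 300 +" syncdata=accesslog
olcSyncrepl: rid=004 provider=ldap://ldap-d.example.com bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials=CHANGE-ME starttls=critical searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="5 5 300 +" syncdata=accesslog
-
add: olcMirrorMode
olcMirrorMode: TRUE
```

The cn=replicator entry itself, with a strong password, has to exist in the tree before the first node starts replicating, and olcMirrorMode must be added after the olcSyncrepl attributes (here in the same modify operation) or slapd rejects it. The provider URLs are the nodes' own hostnames, not ldap.example.com or ldap-provider.example.com, so replication never depends on the balancer.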
Re: Is there any easy way to decode openldap logs
by chandan jain
Thanks,
Mirror mode configuration cannot be horizontally scaled, as I understood it,
as writes go to one of the nodes and the other acts as an active standby.
I want 2 or more nodes behind a load balancer which can share the read/write
load. A kind of active-active setup.
Regards
Chandan Jain
On Mon, Mar 8, 2021, 23:44 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> --On Sunday, March 7, 2021 8:39 PM +0530 chandan jain
> <chandandevops(a)gmail.com> wrote:
>
> >
> >
> > Thanks, Quanah
> >
> >
> > Is it possible to direct upgrade from 2.4.32 to latest version.
>
> If you (temporarily) stick with the same backend, and in this case, if that
> same backend is linked to the exact same version of BDB, yes. I.e.,
> compile the back-bdb/hdb backends against the same version of BDB, upgrade,
> and then migrate to back-mdb.
>
> > Also, can we horizontal scale a 2 node mirror mode setup? I am confused
> > after seeing suggestions on different sites.
>
> I don't understand the question here. Mirror mode is just a configuration
> of MMR with a load balancer in front.
>
> --Quanah
>
2 years, 6 months
IdP in OpenLDAP
by Yeo Wee Tat (NCS)
Hi all
May I know how to set up OpenLDAP as an IdP on Red Hat Enterprise Linux 7.8? Any steps or documentation?
Thanks
2 years, 6 months
Re: Is there any easy way to decode openldap logs
by chandan jain
OK, but how do I spread out read traffic?
I mean, how can I bifurcate reads and writes to go to different nodes? I mean,
how does the application decide which node to write to and which node to read from?
Regards
Chandan
On Wed, Mar 10, 2021, 00:02 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> --On Tuesday, March 9, 2021 3:28 PM +0530 chandan jain
> <chandandevops(a)gmail.com> wrote:
>
> >
> >
> > Thanks,
> >
> >
> > Mirror mode configuration cannot be horizontal scaled what I understood
> > as writes are going to one of the node, and other act as an active
> > standby.
> >
> >
> > I want 2 or more nodes behind a load balancer which can share read/write
> > load. A kind of active active setup.
>
> The point of mirror mode is that only one server in the pool gets writes.
> You can horizontally scale that as much as you want, whether there are 2
> servers in the pool or 5000. I.e., as long as write traffic only goes to
> one of those servers, you have mirror mode.
>
> Generally I would advise against distributing write traffic (i.e., do
> exactly what mirror mode does, direct all write traffic to a single active
> node unless it goes down and fail over is necessary). Spread out read
> traffic as desired.
>
> --Quanah
>
>
2 years, 6 months
Re: Is there any easy way to decode openldap logs
by chandan jain
Thanks, Quanah
Is it possible to directly upgrade from 2.4.32 to the latest version?
Also, can we horizontally scale a 2-node mirror mode setup? I am confused
after seeing suggestions on different sites.
Regards
Chandan Jain
On Fri, Mar 5, 2021, 00:28 Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
>
> --On Thursday, March 4, 2021 11:49 PM +0530 chandan jain
> <chandandevops(a)gmail.com> wrote:
>
> >
> > It is openldap-2.4.32, i don't see any mdb support option while
> > compiling .
> > It is compiled with below options:
> >
> >
> > tar -xzf db-5.3.21.tar.gz
> > tar -zxf openldap-2.4.32.tgz
> > cd db-5.3.21
> > cd build_unix/
> > ../dist/configure --enable-compat185 --enable-dbm --disable-static
> > --enable-cxx && make && make install
> > db_verify -V
> > cd ../..
> > cd openldap-2.4.32
> > ./configure --prefix=/usr/local/OpenLDAP --with-tls=no
> > --enable-modules=yes --enable-overlays=yes --enable-ppolicy=yes && make
> > depend && make && make install
>
> 2.4.32 is over 8 years old. As I said, use a current release (2.4.57).
>
> --Quanah
>
2 years, 6 months
opinions on schema-checking
by A. Schulze
Hello,
I'm running an LDAP provider and multiple LDAP consumers and would like to ask
for your opinions on such a setup:
While writing data to the LDAP provider, schema checking is enforced.
Currently the LDAP consumers also enforce schema checking.
Q: does it make sense to enforce schema checking on an LDAP consumer, too?
What pros and cons do you see?
Thanks!
Andreas
2 years, 6 months
ldap_modify: Other (e.g., implementation specific) error (80)
by Stefan Bauer
Hi,
The internet is full of "tips" to solve the above problem. I'm pulling my
hair out and have not been able to find the real issue for days. Any help is
greatly appreciated.
--------- enable_ssl.ldiff ---------------
# Both attributes in ONE modify operation. slapd re-initialises its TLS
# context each time these values change and rejects a key file that has no
# certificate to go with it, so adding olcTLSCertificateKeyFile on its own
# (as a separate operation before the certificate) cannot be applied.
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/key.key
--------- enable_ssl.ldiff ---------------
# ls -alh /etc/ldap/cert.pem /etc/ldap/key.key
-rwxrwxrwx 1 root root 1,1K Mär 1 21:43 /etc/ldap/cert.pem
-rwxrwxrwx 1 root root 1,7K Mär 1 21:21 /etc/ldap/key.key
# openssl rsa -noout -modulus -in /etc/ldap/key.key | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e
# openssl x509 -noout -modulus -in /etc/ldap/cert.pem | openssl md5
(stdin)= 45b4165df200817a20857fb453acd33e
# head -n2 /etc/ldap/cert.pem
-----BEGIN CERTIFICATE-----
MIIFmDCCBICgAwIBAgIQBFMR6HMGTGjQIjSj4sQX+TANBgkqhkiG9w0BAQsFADBu
# head -n2 /etc/ldap/key.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvrDddMwXoy10diqDpqd45jaC8HiGKz7KC5X3W0ZLvCshylu0
# ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_ssl.ldif -v
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcTLSCertificateKeyFile:
/etc/ldap/key.key
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
I can however modify other values like *olcLogLevel* without problems.
Debian 10 latest:
2.4.47+dfsg-3+deb10u6
# slapd -VVV
@(#) $OpenLDAP: slapd (Feb 14 2021 18:32:34) $
Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org>
Included static backends:
config
ldif
Stefan.
2 years, 7 months