Experimenting with 2.5.4, I wonder what reasonable values are for
applying multival to the attribute 'member' in group entries.
I guess this depends on the length of the member DN values. Is there a clear way
to calculate this? Or how can I find out the effect of the current settings?
P.S.: Yes, I know I have to reload the database when adding multival.
Hi, there was an idea to use OpenLDAP as an address book for mail.
Could you tell me how to make it so that there are two groups? The members of one are seen by everyone (i.e. the general address book), and only the admin edits them. The members of the other are seen and edited only by the owner (i.e. the personal address book).
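One way to express the two address books in slapd's access control, as an added example that is not part of the thread: the directory layout, the admin DN, the group name and the base dc=example,dc=org are all assumptions.

```ldif
# Added example, not from the thread. Assumed DIT:
#   ou=shared,ou=addressbook,dc=example,dc=org               the general book
#   uid=<user>,ou=personal,ou=addressbook,dc=example,dc=org  one container per user
#   uid=<user>,ou=people,dc=example,dc=org                   the user accounts
#   cn=mailusers,ou=groups,dc=example,dc=org                 who may read the general book
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the owner may change them, anyone may bind with them, nobody reads them.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# General address book: the admin writes, group members read, everyone else nothing.
olcAccess: {1}to dn.subtree="ou=shared,ou=addressbook,dc=example,dc=org"
  by dn.exact="cn=admin,dc=example,dc=org" write
  by group.exact="cn=mailusers,ou=groups,dc=example,dc=org" read
  by * none
# Personal address books: the regex captures the uid of the container as $2;
# only the account with that uid gets any access at all, and it gets write.
olcAccess: {2}to dn.regex="^(.+,)?uid=([^,]+),ou=personal,ou=addressbook,dc=example,dc=org$"
  by dn.exact,expand="uid=$2,ou=people,dc=example,dc=org" write
  by * none
# The container entries must be readable so that a subtree search starting
# at ou=addressbook can descend into them.
olcAccess: {3}to dn.exact="ou=addressbook,dc=example,dc=org"
  by users read
  by * none
olcAccess: {4}to dn.exact="ou=personal,ou=addressbook,dc=example,dc=org"
  by users read
  by * none
# Everything else (accounts, groups): authenticated users read, self writes.
olcAccess: {5}to *
  by self write
  by users read
  by * none
```

Two things to keep in mind when adapting this. First, slapd evaluates olcAccess values in order and stops at the first `to` clause that matches the entry, and within it at the first `by` clause that matches the requester, so the personal-book rule has to come before the catch-all; also, `replace: olcAccess` discards every existing rule on the database, so merge these into the current list rather than pasting them. Second, the per-user container `uid=<user>,ou=personal,...` is created by the admin at provisioning time: the rule only grants write within a container that already exists, since creating it would require write on the children of ou=personal, which nobody but the admin has. Before loading the change, `slapacl -b "uid=bob,ou=personal,ou=addressbook,dc=example,dc=org" -D "uid=alice,ou=people,dc=example,dc=org" "entry/read"` (with `-F` pointing at the config directory) shows whether alice can see bob's book, which should be denied.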
When installing OpenLDAP with the mdb database, the root entry cannot be deleted.
Tested on systems:
OS Linux Debian 10, slapd 2.4.57+dfsg-2
Arch Linux, openldap 2.4.58-1
Oracle Linux 8, openldap 2.4.58 (from source)
The root entry was created by the command:
ldapadd -x -D 'cn=admin,dc=example,dc=org' -f root_entry.ldif
Content of the root_entry.ldif file:
description: Example directory
description: Directory Manager
Trying to delete the root entry:
ldapdelete -x -r 'dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -w admin
Output: ldap_delete: No such object (32)
How can I delete the root entry and create a new one with other structural objectclasses?
This is a testing call for the OpenLDAP 2.5 Release Candidate (OpenLDAP 2.5.4).
Depending on the results, this may be the only testing call.
Generally, get the code for RE25:
Extract, configure, and build.
Execute the test suite (via make test) after it is built.
Optionally, cd tests && make its to run through the regression suite.
Note that there are new features in 2.5, so please examine the options
available with configure carefully. Some examples:
The new load balancer, which can either be built as a module for slapd
(--enable-balancer=mod) or as a standalone server (--enable-balancer=yes)
The libargon2 password module (--enable-argon2).
Systemd notification support (--with-systemd=yes).
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
I need to open my LDAP directory to a publicly available server.
What is the most secure way to connect my LDAP server to my public server?
I thought about a proxy on my firewall, where I could specify which requests reach my LDAP server, or is there a better or an official way to do this?
There will be a big Open Source event in Paris in November. I am part of
the program committee and would like to know if some of you would be
interested in submitting talks: https://sessionize.com/opensource-experience/
You can reach me directly if you have some questions on the subject.
Clément Oudot | Identity Solutions Manager
Worteks | https://www.worteks.com
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code, which bypasses reading all LDAP
config env vars when the executable loading libldap is running in setuid mode.
This is causing problems for one of our customers, who routinely runs our
product's Linux executables (which load our libldap) in setuid mode for
Since we have the source, we can and may change this code.
In our case, the customer wants to set the env var LDAPCONF to point at a
non-default conf file but is unable to do so. In fact, this code bypasses
almost all ways an alternate config file can be read.
Even $HOME/ldap.conf is not read.
My question here is: should this code be considered a bug and changed to
be less restrictive? I fully appreciate that there should be restrictions
when in setuid mode, but the current code seems too restrictive.
#ifdef HAVE_GETEUID
    if ( geteuid() != getuid() )
        goto done;
GemTalk Systems LLC
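The effect of that check, as an added shell model that is not libldap's code: it takes the real and effective uid as arguments, reads LDAPCONF and HOME from the environment, and lists the configuration files a process would be allowed to consult. The system-wide path and the reduced list of sources are assumptions; real libldap also looks at LDAPRC, ./ldaprc and the LDAP<OPTION> variables.

```shell
#!/bin/sh
# Added example, not libldap code: a model of the geteuid() != getuid()
# check in init.c, showing which configuration sources a process gets to
# read. Assumptions: SYSCONF is the system-wide ldap.conf (its real path
# depends on the build's sysconfdir) and the list of per-user sources is
# simplified to LDAPCONF and $HOME/ldaprc.

SYSCONF=${SYSCONF:-/etc/openldap/ldap.conf}

# ldap_config_sources UID EUID: print, one per line, the config files a
# process with that real/effective uid would consult.
ldap_config_sources() {
    uid=$1
    euid=$2
    # The system-wide file is always read; only root writes it.
    printf '%s\n' "$SYSCONF"
    # This is the setuid test: when the effective uid differs from the
    # real uid, nothing the invoking user controls (environment, home
    # directory) is trusted, so the per-user sources are skipped.
    if [ "$uid" != "$euid" ]; then
        return 0
    fi
    if [ -n "$LDAPCONF" ]; then
        printf '%s\n' "$LDAPCONF"
    fi
    if [ -n "$HOME" ]; then
        printf '%s\n' "$HOME/ldaprc"
    fi
    return 0
}

# count_sources UID EUID: number of files the model would read.
count_sources() {
    ldap_config_sources "$1" "$2" | wc -l | tr -d ' '
}

# Demonstration with constructed values: alice (uid 1000) runs a
# setuid-root binary while pointing LDAPCONF at a file she controls.
demo() {
    HOME=/home/alice
    LDAPCONF=/tmp/alice-ldap.conf
    export HOME LDAPCONF
    echo "setuid-root process (uid 1000, euid 0) reads:"
    ldap_config_sources 1000 0 | sed 's/^/  /'
    echo "unprivileged process (uid 1000, euid 1000) reads:"
    ldap_config_sources 1000 1000 | sed 's/^/  /'
}
```

The rule is the same one glibc applies in secure_getenv(3): in a set-user-ID process the environment and the home directory belong to whoever invoked the binary, not to the privilege it runs with, so honouring LDAPCONF would let any local user make a privileged process load a config file of their choosing, including its URI and TLS settings. Settings that must apply to such a process therefore belong in the system-wide ldap.conf, which the check still reads.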
I am noticing a difference in the behavior of locating the config file at startup between 2.4.48 and 2.4.58.
2.4.48 is an Ubuntu-supplied package, while 2.4.58 is compiled with the following options:
./configure --prefix=/opt/openldap \
When slapd is started in debug mode, I see the following for 2.4.48:
6077b590 backend_startup_one: starting "cn=config"
6077b590 ldif_read_file: read entry file: "/etc/ldap/slapd.d/cn=config.ldif"
Essentially, it is looking for "cn=config". However, after replacing the binaries with the compiled version of 2.4.58:
6077b37d could not stat config file "/etc/ldap/slapd.d/slapd.conf": No such file or directory (2)
I clearly notice that the existing configuration file(s) are not considered with 2.4.58. I am wondering what the difference is and how I can use the existing configuration files.
>> >> Do you have a lot of large groups that you frequently update?
>> > Yes we have several groups with ~40k users from which we frequently
>> > add/remove users based on upstream user provisioning workflows.
>> Are you replacing the entire group when you do that, or only
>> adding/deleting specific users?
>> Either way, for 2.4 you definitely want to use sortvals. Likely what you
>> need is OpenLDAP 2.5's multival feature as well.
We incrementally insert users and group memberships instead of
replacing the entire group every time.
This mailing list helped me discover that "sortvals member" improved
performance of single record inserts, but didn't help the overall
Why do excess free pages in MDB impact performance when inserting new data?
On Fri, Apr 16, 2021 at 11:05 AM Quanah Gibson-Mount <quanah(a)symas.com> wrote:
> --On Friday, April 16, 2021 12:01 PM -0700 Zetan Drableg
> <zetan.drableg(a)gmail.com> wrote:
> >> Do you have a lot of large groups that you frequently update?
> > Yes we have several groups with ~40k users from which we frequently
> > add/remove users based on upstream user provisioning workflows.
> Are you replacing the entire group when you do that, or only
> adding/deleting specific users?
> Either way, for 2.4 you definitely want to use sortvals. Likely what you
> need is OpenLDAP 2.5's multival feature as well.
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> >> When I write LDIFs to one node like delete user or remove user from
> >> group, we see spikes in authentication latency metrics (what's normally
> >> .2 - .5 second response time goes up to 15-30 seconds) across all nodes
> >> in the cluster at the same time.
> > I ran mdb_copy -c to compact the LDAP databases. The size went from
> > 2.9G to 140M and the latency problem during inserts went away.
> > I've noticed the LDAP data.mdb is growing about 25M per day. What
> > accounts for the growth of free pages?
> Do you have a lot of large groups that you frequently update?
Yes we have several groups with ~40k users from which we frequently
add/remove users based on upstream user provisioning workflows.
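A check for the condition this thread is about, as an added example rather than anything posted in it: a shell script that reads `mdb_stat -e -f` output, computes how large the freelist is relative to the pages in use, and decides whether to compact with `mdb_copy -c`. The field names it parses, the 50% threshold and the directory paths are assumptions; the sample mdb_stat output is constructed to resemble the 2.9G database described above.

```shell
#!/bin/sh
# Added example, not from the thread: detect LMDB freelist bloat so a
# compaction (mdb_copy -c) can be scheduled before free pages dominate.
# Assumption: "Number of pages used:" and "Free pages:" are the lines
# printed by mdb_stat -e and -f; check against your mdb_stat version.

# free_page_ratio: reads mdb_stat -e -f output on stdin and prints
# "<used> <free> <percent>" where percent = free * 100 / used.
# Exits 1 when no "Number of pages used" line was found.
free_page_ratio() {
    awk '
        /Number of pages used:/ { used = $NF }
        /^ *Free pages:/        { free = $NF }
        END {
            if (used == 0) { print "0 0 0"; exit 1 }
            printf "%d %d %d\n", used, free, (free * 100) / used
        }'
}

# needs_compaction DIR [THRESHOLD]: succeed when the freelist of the LMDB
# environment in DIR holds more than THRESHOLD percent (default 50) of
# the pages in use.
needs_compaction() {
    dir=$1
    threshold=${2:-50}
    pct=$(mdb_stat -e -f "$dir" | free_page_ratio | awk '{ print $3 }')
    [ "${pct:-0}" -gt "$threshold" ]
}

# compact DIR: write a copy without the free pages to DIR.compact; the
# copy is swapped in while slapd is stopped.
compact() {
    mkdir -p "$1.compact" && mdb_copy -c "$1" "$1.compact"
}

# Constructed sample of mdb_stat -e -f output (illustrative numbers only,
# sized like the bloated 2.9G database before compaction).
SAMPLE_STAT='Environment Info
  Map address: (nil)
  Map size: 85899345920
  Page size: 4096
  Max pages: 20971520
  Number of pages used: 760000
  Last transaction ID: 5130421
  Max readers: 126
  Number of readers used: 4
Freelist Status
  Tree depth: 2
  Branch pages: 1
  Leaf pages: 14
  Overflow pages: 0
  Entries: 3001
  Free pages: 724000
Status of Main DB
  Tree depth: 1
  Branch pages: 0
  Leaf pages: 1
  Overflow pages: 0
  Entries: 6'

# sample_ratio: run the parser over the constructed sample.
sample_ratio() {
    printf '%s\n' "$SAMPLE_STAT" | free_page_ratio
}
```

On the sample the freelist is 95% of the pages in use, which is the situation the thread describes: every write that has to place a multi-page entry (a group with tens of thousands of member values) makes LMDB search a long, fragmented freelist for a suitable run of pages, and the latency of that search is what the other nodes see. A periodic `needs_compaction /var/lib/ldap && compact /var/lib/ldap` from a maintenance job catches the growth early; mdb_stat only needs read access to the environment, so the check itself is safe to run against a live server.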