April 2021 - openldap-technical

Index seems to return wrong amount of candidate causing really poor search performance

by chrichardso27＠gmail.com

Hi, Considering the following assumptions; - OpenLDAP version 2.4.51 - attributes objectClass and abc are indexed based on equality - the EQUALITY of attribute abc is based on distinguishedNameMatch - The database contains roughly 2 million entries - 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass - 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database but this is not the case. The second filter also returns nearly the whole database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has value cn=foo,dc=bar, but for some reason for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))", the completion of the search takes a long time (around 15 seconds to be precise). The issue started suddenly and wasn't a degradation of query performance over time. Few things I have tried - Rebuilt the whole database again - Reindex the existing database again - Testing with bdb and mdb as backends - Increased cache sizes for bdb to hold the whole database in cache - For bdb adjust the page size of the indexes according to suggestion by db_tuner - Change the order of the filters None of these made any difference. At the moment, there does not seem to be any good options to try. Any ideas or help would be greatly appreciated!

5 months, 1 week

6
18
0 / 0

multival member ...

by Michael Ströder

HI! Experimenting with 2.5.4 I wonder what are reasonable values for applying multival to attribute 'member' in group entries. I guess this depends on length of member DN values. Is there a clear way to calculate this? Or how to find out the effect of current settings. Ciao, Michael. P.S.: Yes, I know I have to reload the database when adding multival config option.

9 months

2
1
0 / 0

Groups and accesses

by Клеусов Владимир Сергеевич

Hi, there was an idea to use OpenLDAP as an address book for mail. Tell me the idea of how to make it so that there are two groups. The members of one see all of them (i.e. the general address book) and only the admin edits them. The members of the other are only seen and edited by the owner (i.e. the personal address book)

9 months

1
0
0 / 0

Unable to delete root entry

by Николай Данилов

When installing openldap with database mdb, root entry cannot be deleted. Tested on systems: OS Linux Debian 10, slapd 2.4.57+dfsg-2 Arch Linux, openldap 2.4.58-1 Oracle Linux 8, openldap 2.4.58 (from source) The root entry was created by the command: ldapadd -x -D 'cn=admin,dc=example,dc=org' -f root_entry.ldif Content of the root_entry.ldif file: dn: dc=example,dc=org objectClass: dcObject objectClass: organization dc: example o: Example description: Example directory dn: cn=root,dc=example,dc=org objectClass: organizationalRole cn: root description: Directory Manager Trying to delete the root entry: ldapdelete -x -r 'dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -w admin Output - ldap_delete: No such object (32) How can I delete the root entry and create a new one with other structural objectclasses?

9 months

3
9
0 / 0

OpenLDAP 2.5 Release Candidate Testing (OpenLDAP 2.5.4)

by Quanah Gibson-Mount

This is a testing call for OpenLDAP 2.5 Release Candidate (OpenLDAP 2.5.4) Depending on the results, this may be the only testing call. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5...> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Note that there are new features in 2.5, so please examine the options available with configure carefully. Some examples: The new load balancer, which can either be built as a module for slapd (--enable-balancer=mod) or as a standalone server (--enable-balancer=yes) The libargon2 password module (--enable-argon2). Systemd notification support (--with-systemd=yes). Thanks! Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

9 months

6
13
0 / 0

Best way to secure LDAP to public Server

by work＠seyboldt.org

Hey, i need to open my LDAP-Directory to a public available Server. What is the best secure way to connect my LDAP-Server to my Public server? I thought about a proxy to my Firewall there I could specify requests to my LDAP-Server, or is there a better or an official way to do this? Thanks, RMs3Q

9 months, 1 week

2
3
0 / 0

[Open Source Experience] Call for Papers is open

by Clément OUDOT

Hello, there will be a big Open Source event in Paris in november. I am part of the program commitee and would like to know if some of you would be interested to submit talks: https://sessionize.com/opensource-experience/ You can reach me directly if you have some questions on the subject. Regards, -- Clément Oudot | Identity Solutions Manager clement.oudot(a)worteks.com Worteks | https://www.worteks.com

9 months, 1 week

1
0
0 / 0

Config files & env vars not read when geteuid() != getuid()

by Norm Green

Hello LDAP users and maintainers, libraries/libldap/init.c has this code which bypasses read all LDAP config env vars when the exe loadlig libldap is running in setuid mode. This is causing problems for one of our customers who routinely run our product Linux executables (which load our libldap) in setuid mode for legitimate purposes. Since we have the source, we can and may change this code. In our case, customer wants to set env var LDAPCONF to point at a non-default conf file but is unable to do so. In fact this code bypasses almost all ways an alternate config file can be read. Even $HOME/ldap.conf is not read. My question here is should this code be considered a bug and changed to be less restrictive? I fully appreciate there should be restrictions when in setuid mode but the current code seems too restrictive. init.c: 686 687 openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); 688 689 #ifdef HAVE_GETEUID 690 if ( geteuid() != getuid() ) 691 goto done; 692 #endif 693 694 openldap_ldap_init_w_userconf(LDAP_USERRC_FILE); 695 Norm Green GemTalk Systems LLC

9 months, 1 week

3
2
0 / 0

default config file

by Rallavagu Kon

Hello All, Noticing a difference in behavior of locating config file at the time of startup between 2.4.48 and 2.4.58. The 2.4.48 is a ubuntu supplied package while 2.4.58 is compiled with following options. ./configure --prefix=/opt/openldap \ --sysconfdir=/etc/ldap \ --localstatedir=/opt/openldap/var \ --libexecdir=/opt/openldap/lib \ --disable-static \ --enable-debug \ --with-tls=openssl \ --with-cyrus-sasl \ --enable-dynamic \ --enable-crypt \ --enable-spasswd \ --enable-slapd \ --enable-modules \ --enable-rlookups \ --enable-backends=mod \ --disable-ndb \ --disable-sql \ --disable-shell \ --disable-bdb \ --disable-hdb \ --enable-overlays=mod When started the slaps in debug mode, I see the following for 2.4.48 6077b590 backend_startup_one: starting "cn=config" 6077b590 ldif_read_file: read entry file: "/etc/ldap/slapd.d/cn=config.ldif” Essentially, looking for “cn=config”. However, after replacing the binaries with compiled version for 2.4.58, 6077b37d could not stat config file "/etc/ldap/slapd.d/slapd.conf": No such file or directory (2) I clearly notice that existing configuration file(s) are not considered with 2.4.58. Wondering what is the difference and how can I use the existing configuration files. Thanks

9 months, 1 week

3
3
0 / 0

Re: performance tuning for n-way and heavy client load

by Zetan Drableg

>> >> Do you have a lot of large groups that you frequently update? >> > >> > Yes we have several groups with ~40k users from which we frequently >> > add/remove users based on upstream user provisioning workflows. >> >> Are you replacing the entire group when you do that, or only >> adding/deleting specific users? >> >> Either way, for 2.4 you definitely want to use sortvals. Likely what you >> need is OpenLDAP 2.5's multival feature as well. We incrementally insert users and group memberships instead of replacing the entire group every time. This mailing list helped me discover that "sortvals member" improved performance of single record inserts, but didn't help the overall problem. Why do excess free pages in MDB impact performance when inserting new data? On Fri, Apr 16, 2021 at 11:05 AM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > --On Friday, April 16, 2021 12:01 PM -0700 Zetan Drableg > <zetan.drableg(a)gmail.com> wrote: > > >> Do you have a lot of large groups that you frequently update? > > > > Yes we have several groups with ~40k users from which we frequently > > add/remove users based on upstream user provisioning workflows. > > Are you replacing the entire group when you do that, or only > adding/deleting specific users? > > Either way, for 2.4 you definitely want to use sortvals. Likely what you > need is OpenLDAP 2.5's multival feature as well. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com>

9 months, 1 week

1
0
0 / 0

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2021