multival member ...
by Michael Ströder
HI!
Experimenting with 2.5.4 I wonder what are reasonable values for
applying multival to attribute 'member' in group entries.
I guess this depends on length of member DN values. Is there a clear way
to calculate this? Or how to find out the effect of current settings.
Ciao, Michael.
P.S.: Yes, I know I have to reload the database when adding multival
config option.
2 months, 3 weeks
Groups and accesses
by Клеусов Владимир Сергеевич
Hi, there was an idea to use OpenLDAP as an address book for mail.
Tell me the idea of how to make it so that there are two groups. The members of one see all of them (i.e. the general address book) and only the admin edits them. The members of the other are only seen and edited by the owner (i.e. the personal address book)
2 months, 3 weeks
Unable to delete root entry
by Николай Данилов
When installing openldap with database mdb, root entry cannot be deleted.
Tested on systems:
OS Linux Debian 10, slapd 2.4.57+dfsg-2
Arch Linux, openldap 2.4.58-1
Oracle Linux 8, openldap 2.4.58 (from source)
The root entry was created by the command:
ldapadd -x -D 'cn=admin,dc=example,dc=org' -f root_entry.ldif
Content of the root_entry.ldif file:
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example
description: Example directory
dn: cn=root,dc=example,dc=org
objectClass: organizationalRole
cn: root
description: Directory Manager
Trying to delete the root entry:
ldapdelete -x -r 'dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -w admin
Output - ldap_delete: No such object (32)
How can I delete the root entry and create a new one with other structural objectclasses?
2 months, 4 weeks
OpenLDAP 2.5 Release Candidate Testing (OpenLDAP 2.5.4)
by Quanah Gibson-Mount
This is a testing call for OpenLDAP 2.5 Release Candidate (OpenLDAP 2.5.4)
Depending on the results, this may be the only testing call.
Generally, get the code for RE25:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Note that there are new features in 2.5, so please examine the options
available with configure carefully. Some examples:
The new load balancer, which can either be built as a module for slapd
(--enable-balancer=mod) or as a standalone server (--enable-balancer=yes)
The libargon2 password module (--enable-argon2).
Systemd notification support (--with-systemd=yes).
Thanks!
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 months
Best way to secure LDAP to public Server
by work@seyboldt.org
Hey,
i need to open my LDAP-Directory to a public available Server.
What is the best secure way to connect my LDAP-Server to my Public server?
I thought about a proxy to my Firewall there I could specify requests to my LDAP-Server, or is there a better or an official way to do this?
Thanks,
RMs3Q
3 months
Config files & env vars not read when geteuid() != getuid()
by Norm Green
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code which bypasses read all LDAP
config env vars when the exe loadlig libldap is running in setuid mode.
This is causing problems for one of our customers who routinely run our
product Linux executables (which load our libldap) in setuid mode for
legitimate purposes.
Since we have the source, we can and may change this code.
In our case, customer wants to set env var LDAPCONF to point at a
non-default conf file but is unable to do so. In fact this code bypasses
almost all ways an alternate config file can be read.
Even $HOME/ldap.conf is not read.
My question here is should this code be considered a bug and changed to
be less restrictive? I fully appreciate there should be restrictions
when in setuid mode but the current code seems too restrictive.
init.c:
686
687 openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
688
689 #ifdef HAVE_GETEUID
690 if ( geteuid() != getuid() )
691 goto done;
692 #endif
693
694 openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);
695
Norm Green
GemTalk Systems LLC
3 months
default config file
by Rallavagu Kon
Hello All,
Noticing a difference in behavior of locating config file at the time of startup between 2.4.48 and 2.4.58.
The 2.4.48 is a ubuntu supplied package while 2.4.58 is compiled with following options.
./configure --prefix=/opt/openldap \
--sysconfdir=/etc/ldap \
--localstatedir=/opt/openldap/var \
--libexecdir=/opt/openldap/lib \
--disable-static \
--enable-debug \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-dynamic \
--enable-crypt \
--enable-spasswd \
--enable-slapd \
--enable-modules \
--enable-rlookups \
--enable-backends=mod \
--disable-ndb \
--disable-sql \
--disable-shell \
--disable-bdb \
--disable-hdb \
--enable-overlays=mod
When started the slaps in debug mode, I see the following for 2.4.48
6077b590 backend_startup_one: starting "cn=config"
6077b590 ldif_read_file: read entry file: "/etc/ldap/slapd.d/cn=config.ldif”
Essentially, looking for “cn=config”. However, after replacing the binaries with compiled version for 2.4.58,
6077b37d could not stat config file "/etc/ldap/slapd.d/slapd.conf": No such file or directory (2)
I clearly notice that existing configuration file(s) are not considered with 2.4.58. Wondering what is the difference and how can I use the existing configuration files.
Thanks
3 months, 1 week
Re: performance tuning for n-way and heavy client load
by Zetan Drableg
>> >> Do you have a lot of large groups that you frequently update?
>> >
>> > Yes we have several groups with ~40k users from which we frequently
>> > add/remove users based on upstream user provisioning workflows.
>>
>> Are you replacing the entire group when you do that, or only
>> adding/deleting specific users?
>>
>> Either way, for 2.4 you definitely want to use sortvals. Likely what you
>> need is OpenLDAP 2.5's multival feature as well.
We incrementally insert users and group memberships instead of
replacing the entire group every time.
This mailing list helped me discover that "sortvals member" improved
performance of single record inserts, but didn't help the overall
problem.
Why do excess free pages in MDB impact performance when inserting new data?
On Fri, Apr 16, 2021 at 11:05 AM Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Friday, April 16, 2021 12:01 PM -0700 Zetan Drableg
> <zetan.drableg(a)gmail.com> wrote:
>
> >> Do you have a lot of large groups that you frequently update?
> >
> > Yes we have several groups with ~40k users from which we frequently
> > add/remove users based on upstream user provisioning workflows.
>
> Are you replacing the entire group when you do that, or only
> adding/deleting specific users?
>
> Either way, for 2.4 you definitely want to use sortvals. Likely what you
> need is OpenLDAP 2.5's multival feature as well.
>
> Regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
3 months, 1 week
Re: performance tuning for n-way and heavy client load
by Zetan Drableg
> >> When I write LDIFs to one node like delete user or remove user from
> >> group, we see spikes in authentication latency metrics (what's normally
> >> .2 - .5 second response time goes up to 15-30 seconds) across all nodes
> >> in the cluster at the same time.
> >
> > I ran mdb_copy -c to compact the LDAP databases. The size went from
> > 2.9G to 140M and the latency problem during inserts went away.
> > I've noticed the LDAP data.mdb is growing about 25M per day. What
> > accounts for the growth of free pages?
>
> Do you have a lot of large groups that you frequently update?
Yes we have several groups with ~40k users from which we frequently
add/remove users based on upstream user provisioning workflows.
3 months, 1 week
