Re: OpenLDAP 2.5.7 dies
by kevin martin
I'll try that. I have narrowed it down to the ppm.so from
slapd-modules/ppm. I removed ppm.so from /usr/local/libexec/openldap,
restarted slapd, ran the command that killed it prior and it didn't die,
stopped slapd, recompiled ppm and installed the new ppm.so in
libexec/openldap, restarted slapd and reran the password change and boom,
down went Frazier!
---
Regards,
Kevin Martin
On Fri, Aug 27, 2021 at 11:30 AM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Friday, August 27, 2021 11:44 AM -0500 kevin martin <ktmdms(a)gmail.com>
>
> wrote:
>
> >
> >
> > 41720 sendto(3, "<165>Aug 27 15:36:40 slapd[41718]: ppm: entry
> > uid=kmart,ou=people,dc=lecpq,dc=com", 87, MSG_NOSIGNAL, NULL, 0) = 87
> > 41720 getpid() = 41718
> > 41720 sendto(3, "<165>Aug 27 15:36:40 slapd[41718]: ppm: Reading
> > pwdCheckModuleArg attribute", 75, MSG_NOSIGNAL, NULL, 0) = 75
> > 41720 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
> > 41718 <... futex resumed>) = ?
> > 41720 +++ killed by SIGSEGV +++
> > 41719 <... epoll_wait resumed> <unfinished ...>) = ?
> > 41719 +++ killed by SIGSEGV +++
> > 41718 +++ killed by SIGSEGV +++
> >
> >
> >
> >
> > still no coredump file. I'll try changing the kernel.core_pattern and
> > see if we get something somewhere.
>
>
> Coredumps are often useless because they lose key information. You want
> to get a trace under gdb while the process is executing.
>
> Start slapd
>
> gdb /path/to/slapd PID
> (gdb) cont
>
> execute the command that crashes slapd
>
> at the gdb prompt:
>
> (gdb) thr apply all bt full
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
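A triage helper for strace output like that quoted in this message, as an added example that is not part of the original thread: it pairs each fatal-signal line with the faulting thread's last syslog write and flags a SEGV_MAPERR at a near-zero address (such as si_addr=0x8) as a NULL-pointer-plus-offset access. The sample trace is constructed from the lines quoted above; the function name and the one-page threshold are assumptions.

```python
import re

# Constructed sample: strace -f lines shaped like the ones quoted in the thread.
SAMPLE = '''\
41720 sendto(3, "<165>Aug 27 15:36:40 slapd[41718]: ppm: Reading pwdCheckModuleArg attribute", 75, MSG_NOSIGNAL, NULL, 0) = 75
41720 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
41718 <... futex resumed>) = ?
41720 +++ killed by SIGSEGV +++
41719 +++ killed by SIGSEGV +++
41718 +++ killed by SIGSEGV +++
'''

SIGNAL_RE = re.compile(r'^(\d+) --- (SIG\w+) \{(.*)\} ---$')
SYSLOG_RE = re.compile(r'^(\d+) sendto\(\d+, "<\d+>(.*?)", \d+')
KILLED_RE = re.compile(r'^(\d+) \+\+\+ killed by (SIG\w+)')
PAGE_SIZE = 4096  # assumption: a fault below one page is NULL plus a field offset


def triage(trace):
    """Return one record per signal line that carries a fault address."""
    last_msg, killed, faults = {}, [], []
    for line in trace.splitlines():
        line = line.rstrip()
        if m := SYSLOG_RE.match(line):
            last_msg[m.group(1)] = m.group(2)   # last syslog write per thread
        elif m := KILLED_RE.match(line):
            killed.append(m.group(1))
        elif m := SIGNAL_RE.match(line):
            info = dict(kv.split('=', 1) for kv in m.group(3).split(', '))
            if 'si_addr' not in info:           # e.g. SIGCHLD: no fault address
                continue
            raw = info['si_addr']
            addr = 0 if raw == 'NULL' else int(raw, 16)  # strace prints 0 as NULL
            faults.append({
                'tid': m.group(1),
                'signal': m.group(2),
                'si_code': info.get('si_code'),
                'si_addr': addr,
                'null_deref': info.get('si_code') == 'SEGV_MAPERR' and addr < PAGE_SIZE,
                'last_syslog': last_msg.get(m.group(1)),
                'threads_killed': killed,       # shared list, filled as parsing continues
            })
    return faults


if __name__ == '__main__':
    for fault in triage(SAMPLE):
        print(fault)
```

The `last_syslog` field narrows the crash to the code that runs right after that log message; the gdb backtrace is still needed to name the exact function and pointer.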
openSUSE/SLE users, migrate to back-mdb now!
by Michael Ströder
Hi!
This is an important note to those who run OpenLDAP slapd based on
openSUSE or SLE packages, especially Tumbleweed:
If you're still using OpenLDAP 2.4 or earlier with back-bdb or back-hdb
then migrate to back-mdb now because OpenLDAP 2.5 packages won't support
these backends anymore!
Disclaimer:
I'm writing as a package maintainer who only updates package "openldap2"
in openSUSE Factory/Tumbleweed. I have no official role in openSUSE
project nor SUSE.
Background:
As you might already know OpenLDAP 2.5 builds by default have no more
support for backends back-hdb and back-bdb based on Berkeley-DB.
Furthermore using Berkeley-DB in general is deprecated.
I've received a request to update the openSUSE package "openldap2" and
its sub-packages to OpenLDAP release 2.5.7 also removing back-bdb and
back-hdb [1]. I'd love to accept this update request really soon because
I also want to have the new features in libldap. So the update will hit
openSUSE Tumbleweed really soon.
While this change will *not* affect your deployments based on packages
from SLE or openSUSE Leap 15.3 or earlier you should prepare your
installation for possible future updates by migrating to back-mdb now.
And always use slapcat to back up your database(s) and practice restoring
your databases to be prepared for any disaster.
Ciao, Michael.
[1] https://build.opensuse.org/request/show/914040
1 year, 9 months
How to determine olcDbMaxSize
by Dave Macias
Hello,
Playing around with moving from 2.4.59 hdb to 2.5.7 mdb.
According to the admin page, one of the changes is adding olcDbMaxSize.
Noticed that the default on 2.5.7 is: (1GB)
olcDbMaxSize: 1073741824
My db does not come close to that but was curious how one can determine
what the db size is currently?
Do you ls -h the /var/symas/openldap-data/data.mdb file?
Thank you,
Dave
1 year, 9 months
OpenLDAP 2.5.7 dies
by kevin martin
Aug 27 14:25:38 newldap0.mgt.ch3.bmi slapd[38335]: ppm: Reading
pwdCheckModuleArg attribute
Aug 27 14:25:38 newldap0.mgt.ch3.bmi systemd[1]: slapd.service: Main
process exited, code=killed, status=11/SEGV
Aug 27 14:25:38 newldap0.mgt.ch3.bmi systemd[1]: slapd.service: Failed with
result 'signal'.
is this a known issue? Oracle Linux 8. what can I do to help determine
what occurred?
---
Regards,
Kevin Martin
1 year, 9 months
OT: Net:LDAPapi / LDAPS-Support?
by A. Schulze
Hello,
I took over a service using the Perl NET::LDAPapi. Now I fail to establish an LDAPS connection.
Does anybody know if that's even supported and if so, how I have to set that up?
Andreas
1 year, 9 months
Re: /usr/local/etc/openldap/slapd.conf: line 39: <password-hash> scheme not available ({SHA512})
by kevin martin
ah, yes, I see. I made a bad assumption that, when doing a "make" in the
password module, that it would make everything there and under it,
including subdirectories. going into sha2 under password and doing a make
works fine. my bad.
---
Regards,
Kevin Martin
On Thu, Aug 26, 2021 at 11:41 AM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Thursday, August 26, 2021 12:38 PM -0500 kevin martin
> <ktmdms(a)gmail.com> wrote:
>
> >
> >
> > so I sb able to take the pw-sha2 module that I compiled for RHEL7 and
> > simply move it over to RHEL8? Ugh, so ugly that we can't remake the
> > module on RHEL8 (is it unsupported?) due to missing dependencies...
>
> The pw-sha2 module has no dependencies on any radius libraries.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
Re: 2.5.7 for RHEL8 - Question
by Dave Macias
Thank you!
On Wed, Aug 25, 2021 at 3:08 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Wednesday, August 25, 2021 3:57 PM -0400 Dave Macias
> <davama(a)gmail.com> wrote:
>
> >
> > Awesome!
> >
> > So then, if it's already shipped, why don't I see the schema files for
> > ppolicy?
> > Would have thought to find it here: /opt/symas/etc/openldap/schema
>
> I strongly advise reading the OpenLDAP 2.5 admin guide section on
> upgrading, specifically:
>
> <
> https://www.openldap.org/doc/admin25/appendix-upgrading.html#ppolicy%20ov...
> >
>
> which directly answers your question.
>
> Regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
Re: /usr/local/etc/openldap/slapd.conf: line 39: <password-hash> scheme not available ({SHA512})
by kevin martin
so I sb able to take the pw-sha2 module that I compiled for RHEL7 and
simply move it over to RHEL8? Ugh, so ugly that we can't remake the module
on RHEL8 (is it unsupported?) due to missing dependencies...
---
Regards,
Kevin Martin
On Thu, Aug 26, 2021 at 11:35 AM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Thursday, August 26, 2021 12:32 PM -0500 kevin martin
> <ktmdms(a)gmail.com> wrote:
>
> >
> >
> > pw-ssha? I had a pw-sha2 module loaded but not pw-ssha. and the
> > password module won't compile at this time because there's no
> > radius-devel package for RHEL 8 that I can find in any repos.
>
> Sorry, pw-sha2 module. ;)
>
> If you have it instantiated and things aren't working, it would appear
> it's not actually loading as desired. But it's worked fine for me with
> existing 2.4 -> 2.5 configuration migrations, so this would be something
> different on your end.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
Re: /usr/local/etc/openldap/slapd.conf: line 39: <password-hash> scheme not available ({SHA512})
by kevin martin
pw-ssha? I had a pw-sha2 module loaded but not pw-ssha. and the password
module won't compile at this time because there's no radius-devel package
for RHEL 8 that I can find in any repos.
---
Regards,
Kevin Martin
On Thu, Aug 26, 2021 at 11:09 AM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Thursday, August 26, 2021 11:55 AM -0500 kevin martin
> <ktmdms(a)gmail.com> wrote:
>
> >
> >
> > while trying to convert from a slapd.conf file to a cn=config style,
> > slaptest displays the error as shown in the subject line. openldap 2.4
> > supported "password-hash {SHA512}" in the slapd.conf, is this simply an
> > issue of password-hash not being able to be converted or is that
> > *particular* password-hash line unsupported in the latest 2.5 (building
> > from source)?
>
> It has always required that the pw-ssha contrib module exist and be loaded
> in the configuration. 2.5 is no different than 2.4 in this.
>
> Regards,
> Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
1 year, 9 months
/usr/local/etc/openldap/slapd.conf: line 39: <password-hash> scheme not available ({SHA512})
by kevin martin
while trying to convert from a slapd.conf file to a cn=config style,
slaptest displays the error as shown in the subject line. openldap 2.4
supported "password-hash {SHA512}" in the slapd.conf, is this simply an
issue of password-hash not being able to be converted or is that
*particular* password-hash line unsupported in the latest 2.5 (building
from source)?
---
Regards,
Kevin Martin
1 year, 9 months