openldap-technical August 2021

openldap-technical@openldap.org

26 participants
49 discussions

Highly Available Proxies
by Wayne McNaught 12 Aug '21

12 Aug '21

I have asked this question previously and didn't get any answers, really hoping someone can help here this time around. I have configured multiple LDAPs in a Mirror-Mode configuration and fronted by OpenLDAP in proxy mode. I understand that the list contained in the DBURI attribute is used to define the backends, and all the proxies are configured with the same list. I understand that first URI in the DbURI attribute will be used unless this fails, in which case it will fall back to the second URI. It will then keep on the second one until that one fails. This seems fine for most failure cases, when all proxies recognise the same failure. If communication fails between one proxy and the one backend LDAP and doesn't affect all proxies, writes will now be directed to different backends from different proxies. Is there some way to keep the proxies in-line or recognise a failure on one proxy and force the others to change. Or is this not required?

2 1

counters in cn=Waiters,cn=Monitor?
by Michael Ströder 12 Aug '21

12 Aug '21

HI! I'm looking at a Prometheus graph of cn=Read,cn=Waiters,cn=Monitor (slapd 2.4.59). The object class is monitorCounterObject, the attribute is called monitorCounter. If it's a counter I'd expect the value to only increase. But the graph shows decreasing values!?! What's the exact meaning of this? Ciao, Michael.

3 5

Profiling ACLs
by Michael Ströder 11 Aug '21

11 Aug '21

HI! How to profile performance of different ACLs? In theory one could run slapd with debug symbols under control of a profiler for C code. But personally I don't have a clue which ACL processing entry points to examine more closely. Another approach could be to derive metrics from acl-loglevel messages. Any ideas? Ciao, Michael.

3 3

Slow LDAP query with PagedResul control and subtree scope
by thomas＠guirriec.fr 10 Aug '21

10 Aug '21

Hi all, Can someone explain me why there is a difference in behavior (especially response time for the last one) between these 4 LDAP queries ? OpenLDAP 2.4.47 Debian 10 (~300K users) The first three are quick ! : 1) Search with base dn corresponding to an user dn and scope base without PagedResult control : time ldapsearch -LLL -s sub -a always -D '<BIND_DN>' -w 'BIND_PWD' -b "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" objectclass=* mail dn: cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY> mail: user(a)org.country real 0m0.019s user 0m0.016s sys 0m0.001s Debug : Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: conn=1009 op=1 SRCH base="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=0 deref=3 filter="(objectClass=*)" Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: conn=1009 op=1 SRCH attr=mail Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => mdb_search Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: mdb_dn2entry("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>") Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => mdb_dn2id("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>") Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= mdb_dn2id: got id=0x41240 Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => mdb_entry_decode: Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= mdb_entry_decode Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "entry" requested Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access granted by manage(=mwrscxd) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: base_candidates: base: "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" (0x00041240) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => test_filter Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: PRESENT Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "objectClass" requested Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access granted by manage(=mwrscxd) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= test_filter 6 Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => send_search_entry: conn 1009 dn="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "entry" requested Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access granted by manage(=mwrscxd) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result not in cache (mail) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "mail" requested Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access granted by manage(=mwrscxd) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result was in cache (mail) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result was in cache (mail) Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: conn=1009 op=1 ENTRY dn="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: <= send_search_entry: conn 1009 exit. Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: conn=1009 op=1 p=3 Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: err=0 matched="" text="" Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: send_ldap_response: msgid=2 tag=101 err=0 Aug 10 10:46:36 LDAP-CACHE3-R1 slapd[23879]: conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 2) Search with base dn corresponding to an user dn and scope subtree without PagedResult control: time ldapsearch -LLL -s sub -a always -D '<BIND_DN>' -w 'BIND_PWD' -b "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" objectclass=* mail dn: cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY> mail: user(a)org.country real 0m0.017s user 0m0.006s sys 0m0.007s Debug : Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: conn=1010 op=1 SRCH base="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: conn=1010 op=1 SRCH attr=mail Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => mdb_search Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: mdb_dn2entry("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>") Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => mdb_dn2id("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>") Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= mdb_dn2id: got id=0x41240 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => mdb_entry_decode: Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= mdb_entry_decode Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "entry" requested Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access granted by manage(=mwrscxd) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: search_candidates: base="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" (0x00041240) scope=2 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => mdb_filter_candidates Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: #011EQUALITY Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => mdb_equality_candidates (objectClass) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => key_read Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: mdb_idl_fetch_key: [01872a84] Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= mdb_index_read: failed (-30798) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= mdb_equality_candidates: id=0, first=0, last=0 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= mdb_filter_candidates: id=0 first=0 last=0 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => mdb_filter_candidates Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: #011PRESENT Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => mdb_presence_candidates (objectClass) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= mdb_filter_candidates: id=-1 first=1 last=299284 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: mdb_search_candidates: id=-1 first=1 last=299284 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => test_filter Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: PRESENT Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "objectClass" requested Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access granted by manage(=mwrscxd) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= test_filter 6 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => send_search_entry: conn 1010 dn="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "entry" requested Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access granted by manage(=mwrscxd) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result not in cache (mail) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "mail" requested Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access granted by manage(=mwrscxd) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result was in cache (mail) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result was in cache (mail) Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: conn=1010 op=1 ENTRY dn="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: <= send_search_entry: conn 1010 exit. Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: conn=1010 op=1 p=3 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: err=0 matched="" text="" Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: conn=1010 op=1 p=3 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: err=0 matched="" text="" Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: send_ldap_response: msgid=2 tag=101 err=0 Aug 10 10:51:24 LDAP-CACHE3-R1 slapd[23879]: conn=1010 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 3) Search with base dn corresponding to an user dn and scope base with PagedResult control: time ldapsearch -LLL -E pr=500 -s base -a always -D '<BIND_DN>' -w 'BIND_PWD' -b "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" objectclass=* mail dn: cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY> mail: user(a)org.country # pagedresults: cookie= real 0m0.019s user 0m0.012s sys 0m0.004s Debug : Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: conn=1011 op=1 SRCH base="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" scope=0 deref=3 filter="(objectClass=*)" Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: conn=1011 op=1 SRCH attr=mail Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => mdb_search Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: mdb_dn2entry("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)") Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => mdb_dn2id("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)") Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= mdb_dn2id: got id=0x41240 Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => mdb_entry_decode: Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= mdb_entry_decode Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" "entry" requested Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access granted by manage(=mwrscxd) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: base_candidates: base: "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" (0x00041240) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => test_filter Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: PRESENT Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" "objectClass" requested Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access granted by manage(=mwrscxd) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= test_filter 6 Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => send_search_entry: conn 1011 dn="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" "entry" requested Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access granted by manage(=mwrscxd) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result not in cache (mail) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" "mail" requested Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: read access granted by manage(=mwrscxd) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result was in cache (mail) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: result was in cache (mail) Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: conn=1011 op=1 ENTRY dn="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: <= send_search_entry: conn 1011 exit. Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: send_paged_response: lastid=0x00000000 nentries=1 Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: conn=1011 op=1 p=3 Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: err=0 matched="" text="" Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: send_ldap_response: msgid=2 tag=101 err=0 Aug 10 11:02:09 LDAP-CACHE3-R1 slapd[23879]: conn=1011 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 4) Search with base dn corresponding to an user dn and scope subtree with PagedResult control: time ldapsearch -LLL -E pr=500 -s base -a always -D '<BIND_DN>' -w 'BIND_PWD' -b "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" objectclass=* mail dn: cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY> mail: user(a)org.country # pagedresults: cookie= real 0m43.488s user 0m0.013s sys 0m0.000s Debug : Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: conn=1012 op=1 SRCH base="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" scope=2 deref=3 filter="(objectClass=*)" Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: conn=1012 op=1 SRCH attr=mail Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => mdb_search Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_dn2entry("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>") Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => mdb_dn2id("cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>") Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: <= mdb_dn2id: got id=0x41240 Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => mdb_entry_decode: Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: <= mdb_entry_decode Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access to "cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" "entry" requested Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: <= root access granted Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => access_allowed: search access granted by manage(=mwrscxd) Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: search_candidates: base="cn=<USER>,ou=<UNIT>,o=<ORG>,c=<COUNTRY>" (0x00041240) scope=2 Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => mdb_filter_candidates Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: #011EQUALITY Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => mdb_equality_candidates (objectClass) Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => key_read Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_idl_fetch_key: [01872a84] Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: <= mdb_index_read: failed (-30798) Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: <= mdb_equality_candidates: id=0, first=0, last=0 Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: <= mdb_filter_candidates: id=0 first=0 last=0 Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => mdb_filter_candidates Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: #011PRESENT Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: => mdb_presence_candidates (objectClass) Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: <= mdb_filter_candidates: id=-1 first=1 last=299284 Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search_candidates: id=-1 first=1 last=299284 Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 1 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 2 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 3 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 4 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 5 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 6 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 7 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 8 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 9 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 10 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 11 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 12 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 13 scope not okay Aug 10 11:09:06 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 14 scope not okay ... Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299265 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299266 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299267 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299268 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299269 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299270 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299271 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299272 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299273 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299274 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299275 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299276 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299277 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299278 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299279 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299280 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299281 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299282 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299283 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: mdb_search: 299284 scope not okay Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: send_paged_response: lastid=0x00000000 nentries=1 Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: conn=1012 op=1 p=3 Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: err=0 matched="" text="" Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: conn=1012 op=1 p=3 Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: send_ldap_result: err=0 matched="" text="" Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: send_ldap_response: msgid=2 tag=101 err=0 Aug 10 11:09:50 LDAP-CACHE3-R1 slapd[23879]: conn=1012 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= It's as if the last request iterate over all entries matching with objectclass=*. Is this the expected behavior ? Thomas

1 0

migrate from 2.4 to 2.5, determine existing MDB format
by Michael Ströder 07 Aug '21

07 Aug '21

HI! As far as I understood the MDB disk format changed. So the MDB files have to be re-created (either by simply removing/replicating or slapcat/slapadd). Right? Now I'm wondering how to automate things (with ansible and puppet) in a truly idempotent way. Ideally I could determine whether existing MDB files were last maintained by OpenLDAP 2.4.x or whether they already have the 2.5 format. Can I find out the disk format version in any way, e.g. with python-lmdb? Ciao, Michael.

6 18

Modifying value with MDB_WRITEMAP outside of mdb_cursor_put
by mnunberg＠haskalah.org 05 Aug '21

05 Aug '21

I'm trying to plug LMDB into a system where the user first modifies the value, and only afterwards notifies me that the value has been changed. In LMDB I've been simply passing the value pointer received from mdb_cursor_get (db opened with MDB_WRITEMAP), and if the user notifies me that the value has been changed, I commit the write transaction. Is this an acceptable use pattern? It seems to work (but crashes without MDB_WRITEMAP). Only thing vaguely related I could find here was https://www.openldap.org/lists/openldap-technical/201510/msg00016.html

2 1

Modify memberOf olcAttributetype in schema
by shekhar.shrinivasan＠gmail.com 05 Aug '21

05 Aug '21

Hi, There is a specific requirement where the client needs the memberOf attribute to be returned by default. As per the current design the memberOf attribute is of type operational and thus needs to be explicitly asked for. Is there a easy way to update the schema and change the type of the attribute from Operational to userApplication so that the attribute will be returned by default ? I tried to update the schema using a ldif file but I am getting the following error:- error code 80 - olcAttributeTypes: Duplicate attributeType: 1.2.840.113556.1.2.102 Please assist with this request. My Ldif is as follows:- dn: cn=schema,cn=config changetype: modify delete: olcAttributeTypes olcAttributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' DESC 'Group that the entry belongs to' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation X-ORIGIN 'iPlanet Delegated Administrator' ) - add: olcAttributeTypes olcAttributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' DESC 'Group that the entry belongs to' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

5 7

ldap utils: option dropped
by A. Schulze 04 Aug '21

04 Aug '21

Hello, in openldap-2.5.6, ldapsearch no longer understand '-h' to specify an LDAP server. '-H' must be uses now everywhere. Yes, it makes sense, but it break some things here. So I read https://www.openldap.org/doc/admin25/appendix-changes.html and https://www.openldap.org/doc/admin25/appendix-upgrading.html but did not found documentation for this change. I hoped to find also information about other potential changes to plan the 2.4 -> 2.5 migration. Are there other places I may search for documentation? Andreas

2 1

Generating a memberOf attribute for posixGroups (dynlist module)
by Eduardo Lúcio Amorim Costa 03 Aug '21

03 Aug '21

According to this post http://blog.oddbit.com/post/2013-07-22-generating-a-membero/ it is possible to use a strategy for generating a memberOf attribute for posixGroups (dynlist module). This need arose for a legacy OpenLDAP LDAP and with several applications using it. So, this seems to me the best solution to be able to use the memberOf as a filter. NOTE: Complete information about the problem here https://stackoverflow.com/questions/68583838/ldap-add-a-filter-to-an-ldap-u… ). *QUESTION:* Has anyone tested/used the procedure in the post http://blog.oddbit.com/post/2013-07-22-generating-a-membero/ ? Ie, generating a memberOf attribute for posixGroups (dynlist module)? What I have for group OU and user OU is what goes below... *GROUP* ``` cn: accessgroup gidNumber: 1004 memberUid: usera userb userc userd usere userf userg userh useri objectClass: top posixGroup ``` *USERS* ``` cn: User Letter A gecos: User Letter A gender: M gidNumber: 544 givenName: User gotoLastSystemLogin: 01.01.1970 00:00:00 homeDirectory: /home/usera loginShell: /bin/bash mail: user.letter.a(a)domain.abc.de objectClass: top person organizationalPerson inetOrgPerson gosaAccount posixAccount shadowAccount sambaSamAccount [...] uid: usera uidNumber: 1004 [...] ``` *Thanks! =D* -- *Eduardo Lúcio* Tecnologia, Desenvolvimento e Software Livre LightBase Consultoria em Software Público eduardo.lucio(a)lightbase.com.br <eduardo.lucio(a)LightBase.com.br> *+55-61-3347-1949* - http://brlight.org <eduardo.lucio(a)LightBase.com.br> - *Brasil-DF* *Software livre! Abrace essa idéia! * *"Aqueles que negam liberdade aos outros não a merecem para si mesmos."* *Abraham Lincoln*

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2021