openldap-technical February 2022

openldap-technical@openldap.org

30 participants
36 discussions

intermittent memberOf performance issues
by Paul B. Henson 04 Feb '22

04 Feb '22

I've run into another problem with the memberOf implementation on my 2.5 servers. After I sorted out the proper configuration, queries requesting memberOf were very performant: Feb 4 13:26:44 ldap-01 slapd[1207]: conn=23393 op=1 SRCH base="ou=user,dc=cpp,dc=edu" scope=2 deref=3 filter="(&(objectClass=person)(calstateEduPersonEmplID=013522522))" Feb 4 13:26:44 ldap-01 slapd[1207]: conn=23393 op=1 SRCH attr=memberOf Feb 4 13:26:44 ldap-01 slapd[1207]: conn=23393 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000015 etime=0.191860 nentries=1 text= However, intermittently the server gets into a state where the exact same query takes over 30 seconds: Feb 4 08:05:11 ldap-01 slapd[1425456]: conn=40797 op=1 SRCH base="ou=user,dc=cpp,dc=edu" scope=2 deref=3 filter="(&(objectClass=person)(calstateEduPersonEmplID=015559557))" Feb 4 08:05:11 ldap-01 slapd[1425456]: conn=40797 op=1 SRCH attr=memberOf Feb 4 08:05:50 ldap-01 slapd[1425456]: conn=40797 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=39.435523 nentries=1 text= When this occurs, the only way to resolve the issue that I have found is to reboot the server. Simply restarting slapd results in the same degraded performance on these queries. Normally there is very low read I/O load on the servers during operation, probably averaging less than 1M/s, peaking up to maybe 20-30M/s for just an instant occasionally. When the memberOf query performance is degraded, there is a very high read I/O load on the server, continuously about 200-300M/s. Any thoughts on this? It seems like for some reason the server gets into a state where it is not using the cache or memory map for doing the search required to construct the memberOf results? But instead is doing a full disk read of the entire database? It's also weird that restarting the service is not resolve this, but rebooting the server does. I'm not intimately familiar with the internals of lmdb, is there some state that persists with the environment or memory map in between service runs that is only cleared by a reboot? I initially thought I might have had a theory on it, relating to an unrelated bug in RHEL 8.5 that broke the "needs-rebooting" command resulting in servers not properly rebooting after kernel/library updates. The most recent occurrence of this issue started up after such an update without the required reboot, but upon reviewing historic occurrences it has occurred at times that don't meet that criteria, so I find myself clueless again as to what's going on. Any advice on how to fix or do further debugging on this issue much appreciated, thanks…

1 0

Fwd: [Issue 9795] New: Remove memberof overlay
by patrick+openldap.org＠laimbock.com 03 Feb '22

03 Feb '22

Hi Quanah, Has the memberof overlay been replaced with something else? I couldn't find anything in overlays/README and the roadmap. Best, Patrick -------- Forwarded Message -------- Subject: [Issue 9795] New: Remove memberof overlay Date: Wed, 02 Feb 2022 20:02:51 +0000 From: openldap-its(a)openldap.org To: openldap-bugs(a)openldap.org https://bugs.openldap.org/show_bug.cgi?id=9795 Issue ID: 9795 Summary: Remove memberof overlay Product: OpenLDAP Version: 2.6.1 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs(a)openldap.org Reporter: quanah(a)openldap.org Target Milestone: --- The memberof overlay was deprecated with the release of OpenLDAP 2.5. It should be removed prior for the next minor release (i.e., 2.7) -- You are receiving this mail because: You are on the CC list for the issue.

2 2

2.6 MMR 4-way with one master different flavor of linux
by Dave Macias 02 Feb '22

02 Feb '22

Hello, Hope everyone is doing well. Our current environment: 3-way MMR (syncrepl) with centos 7 using v2.6 We want to add a 4th master but with Rocky Linux 8. Why rocky? because eventually we will migrate the 3 masters to rocky linux too. But that will take some time… Any concerns with mixing linux flavor but using same openldap version? Dont do it? Any input is appreciated. Thank you, Dave

3 6

[LMDB] mdb_env_set_mapsize and read transactions
by Ken Wenzel 31 Jan '22

31 Jan '22

Hello, I like to implement an autogrow functionality for LMDB. The documentation for mdb_env_set_mapsize says that no transactions should be active when using this function. When looking at the code I can see that the function only checks if there is an active WRITE transaction and in this case it returns an error. Is it possible to reuse existing READ transactions or even associated cursors after mdb_env_set_mapsize has been called? Thank you and best regards, Ken

3 4

Minor typo in slapo-ppolicy
by Ulrich Windl 31 Jan '22

31 Jan '22

Hi! I just discovered a minor typo in my version of the slapo-ppolicy manual page (possibly it's fixed alrerady): The manual page lists "pwdGraceAuthnLimit", but the attribute returned by slapcat is "pwdGraceAuthNLimit" (different case for 'N') The name from the schema also is "pwdGraceAuthNLimit". Regards, Ulrich

2 1

Question regarding password dictionary rule in OpenLDAP
by Alan Andrea 31 Jan '22

31 Jan '22

I have a question regarding password rules that are enforced when a user changes their password in OpenLDAP. We have a need to implement a dictionary rule whereby words and phrases in a dictionary are not allowed in a users password. I am not able to see currently where such functionality exists in OpenLDAP and am wondering if there are any extensions to OPenLDAP that were developed to support this or if it would be required to write code to support this feature? Thanks,Alan

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2022