openldap-technical October 2023

openldap-technical@openldap.org

30 participants
28 discussions

Replication issue during performance test with MMR configuration and LastBind enabled
by Ziani Meheni 10 Oct '23

10 Oct '23

Hello, we are working on a project and we've come across a problem with the replication after performance testing : *Configuration :* RHEL 8.6 OpenLDAP 2.5.14 *MMR-delta *configuration on multiple servers attached 300,000 users configured and used for tests *olcLastBind: TRUE* Use of SLAMD (performance shooting) *Problem description:* We are currently running performance and resilience tests on our infrastructure using the SLAMD tool configured to perform BINDs on a defined range of accounts. We use a load balancer (VIP) to poll all of our servers equally. (but it is possible to do performance tests directly on each of the directories) With our current infrastructure and *LastBind enabled*, we're able to perform 300 BIND/s without any replication delays. Beyond that, we start to generate delays. However, when we run performance tests that exceed our write capacity, our replication between servers can randomly create an incident with directories being unable to catch up with their replication delay. The directories update their contextCSNs, but extremely slowly (like freezing). From then on, it's impossible for the directories to catch again. (even with no incoming traffic) A restart of the instance is required to perform a full refresh and solve the incident. We have enabled synchronization logs and have no error or refresh logs to indicate a problem ( we can provide you with logs if necessary). We suspect a write collision or a replication conflict We've already run several tests. For example, when we run a performance test on a single live server, we don't reproduce the problem. Anothers examples: if we define different accounts ranges for each server with SALMD, we don't reproduce the problem either. If we use only one account for the range, we don't reproduce the problem either. *Symptoms :* One or more directories can no longer be replicated normally after performance testing ends. No apparent error logs. Need a restart of instances to solve the problem. *How to reproduce the problem:* Have at least two servers in MMR mode Set LastBind to TRUE Perform a SLAMD shot from a LoadBalancer in bandwidth mode OR start multiple SLAMD test on same time for each server with the same account range. Exceed the maximum write capacity of the servers. *SLAMD configuration :* authrate.sh --hostname ${HOSTNAME} --port ${PORTSSL} \ --useSSL --trustStorePath ${CACERTJKS} \ --trustStorePassword ${CACERTJKSPW} --bindDN "${BINDDN}" \ --bindPassword ${BINDPW} --baseDN "${BASEDN}" \ --filter "(uid=[${RANGE}])" --credentials ${USERPW} \ --warmUpIntervals ${WARMUP} \ --numThreads ${NTHREADS} ${ARGS}

2 1

export certificate and key
by Stefan Kania 05 Oct '23

05 Oct '23

Hi to all, I have autoca running with my own CA. And I can create certificates and keys for users and hosts. But now I would like to use the certificate and key for radius 802.1x authentication so I need to export the certificate and the key. I know how to convert a DER certificate to a pem certificate. But before I can convert the key and the certificate I need to export it. So how can I do that? Another question: Is there any default password in the key or is it without any password? Stefan

3 6

Re: error while setting password policy
by Quanah Gibson-Mount 04 Oct '23

04 Oct '23

--On Tuesday, October 3, 2023 11:57 PM -0400 Jignesh Patel <jignesh(a)icare.com> wrote: > > We are using LDAP version 2.5.16 . > > > when we try to set policy > we are getting this error olcAttributeTypes: value #0 olcAttributeTypes: > Duplicate attributeType: > "1.3.6.1.4.1.42.2.27.8.1.1" slapadd: could not add entry > The .ldif file is as attached. > > > And if we don't import than we are getting pException: [LDAP result > code 17 - undefinedAttributeType] pwdAttribute: attribute type undefined I suggest carefully reading the release notes for OpenLDAP 2.5, specifically around the changes to ppolicy since the 2.4 series. --Quanah

3 2

Configuring custom port 10389 for openldap-servers
by Kaushal Shriyan 04 Oct '23

04 Oct '23

Hi, I am running the openldap server on Red Hat Enterprise Linux release 8.8 (Ootpa) # rpm -qa | grep -i ldap sssd-ldap-2.8.2-3.el8_8.x86_64 symas-openldap-servers-2.4.59-1.el8.x86_64 openldap-2.4.46-18.el8.x86_64 symas-openldap-2.4.59-1.el8.x86_64 symas-openldap-clients-2.4.59-1.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.8 (Ootpa) # Port 389 is the default port. Can it be configured for custom port 10389 for example? Please guide me. Thanks in advance. Best Regards, Kaushal

2 1

Group ACLs
by Emmanuel Seyman 04 Oct '23

04 Oct '23

Hello, all. I have an instance of OpenLDAP in which I use groups to manage access controls, similar to the way the FAQ and admin guide describe it. My DIT layout: uid=userildr1,ou=people,o=gdAA,dc=example,dc=com uid=userildr2,ou=people,o=gdAA,dc=example,dc=com ... cn=readINT,ou=groups,o=gdAA,dc=example,dc=com cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com ... ou=people,o=INT,dc=example,dc=com ... ou=groups,o=INT,dc=example,dc=com Outside of the DIT, my slapd.conf file (yes, I know) contains: access to dn.sub="o=INT,dc=example,dc=com" by self write by group/groupOfUniqueNames/uniqueMember="cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=readINT,ou=groups,o=gdAA,dc=example,dc=com" read The uid=userildr1,ou=people,o=gdAA,dc=example,dc=com entry is in the readINT group yet seems unable to run a search. I get an error 50 ("Operations are restricted to bind/unbind/abandon/StartTLS/modify password") and cannot figure out why this is happening. If anyone can tell me what's going on, I would appreciate it. I'm seeing "config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context" in the log files but this looks harmless. This is OpenLDAP 2.5.14 running on RHEL 8, with the LTB packages. Logs and the configuration file are available if necessary. Emmanuel

2 1

Re: setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)
by Kaushal Shriyan 04 Oct '23

04 Oct '23

On Tue, Oct 3, 2023 at 11:45 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, October 2, 2023 2:26 PM +0530 Kaushal Shriyan > <kaushalshriyan(a)gmail.com> wrote: > > > Is there a way to set up two DN's in OpenLDAP server? > > > > > > dn: cn=admin,dc=corporate,dc=mydomain,dc=com > > > > dn: cn=admin,dc=checker,dc=mydomain,dc=com > > This is trivial to create as 2 different entries in your > dc=mydomain,dc=com > database. There's no need for them to be rootdns, you can simply give > them > manage access to whatever they need to control. > > --Quanah > Thanks Quanah for the email response. Much appreciated. I am not sure if I completely understand it. Do I need to have the below format as explained by you to create as 2 different entries in your dc=mydomain,dc=com? dn: cn=admin,ou=*corporate*,dc=mydomain,dc=com dn: cn=admin,ou=*checker*,dc=mydomain,dc=com Please guide me. Thanks in advance. Best Regards, Kaushal

1 0

setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)
by Kaushal Shriyan 04 Oct '23

04 Oct '23

Hi, I am running the openldap server on Red Hat Enterprise Linux release 8.8 (Ootpa) # rpm -qa | grep -i ldap sssd-ldap-2.8.2-3.el8_8.x86_64 symas-openldap-servers-2.4.59-1.el8.x86_64 openldap-2.4.46-18.el8.x86_64 symas-openldap-2.4.59-1.el8.x86_64 symas-openldap-clients-2.4.59-1.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.8 (Ootpa) # Is there a way to set up two DN's in OpenLDAP server? dn: cn=admin,dc=corporate,dc=mydomain,dc=com dn: cn=admin,dc=checker,dc=mydomain,dc=com Please guide me. Thanks in advance. Best Regards, Kaushal

6 13

reset openldap root and cn=admin password
by Kaushal Shriyan 02 Oct '23

02 Oct '23

Hi, Is there a way to reset both openldap root and cn=admin password? Please guide me. Thanks in Advance. Best Regards, Kaushal

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2023