openldap-technical March 2024

openldap-technical@openldap.org

24 participants
17 discussions

Re: Replication issue during performance test with MMR configuration and LastBind enabled
by Falgon 16 Oct '24

16 Oct '24

Hello, I'm working on the same project as Meheni. Thanks for your answer, we'll try version 2.6 OpenLDAP using the lastbind-precision. However we have several questions for the current version we're using. Is this a known problem and referenced somewhere? (we haven't found it) Is it normal to find no replication error logs even in stats + sync mode? We ran some tests in sequential mode (300,000 accounts one after the other) and managed to reproduce the problem. -Denis Le mer. 11 oct. 2023 à 14:11, Quanah Gibson-Mount <quanah(a)fast-mail.org> a écrit : > > > --On Tuesday, October 10, 2023 9:30 PM +0200 Ziani Meheni > <mehani06(a)gmail.com> wrote: > > > > > > > Hello, we are working on a project and we've come across a problem with > > the replication after performance testing : > > You need to use OpenLDAP 2.6 and then set the: > > lastbind-precision > > value. I use 5 minutes. > > --Quanah >

4 8

Help debugging slave slapd issues
by BECOT Jérôme 04 Apr '24

04 Apr '24

Hello, On all different OpenLDAP 2.4 and 2.5 slaves of 2.4 servers, we see a lot of deferring errors: slapd[37277]: connection_input: conn=32974 deferring operation: too many executing or slapd[37277]: connection_input: conn=32974 deferring operation: pending operations Can you give any hints about way to debug what causes these messages ? (which log level should I aim for and witch system settings should I check) I can provide more details then. Regards Jerome

6 9

Permissive Modify and mdb
by lesignor＠cirad.fr 02 Apr '24

02 Apr '24

Hi, I try to modify an entry with permissive modify control. The response is protocole error : permissiveModify control value not absent. I check with wireshark the request, and there was no value with the control, but the control was marked as critical. The problem appears with openldap 2.5.x and 2.6.x with mdb database. It is ok with openldap 2.4.x with bdb database. So is the permissive modify control supported with mdb database in openldap >= 2.5.x ? Thank for your help

2 2

Strange search result in logs
by Frédéric Goudal 27 Mar '24

27 Mar '24

Hello, I’m trying to analyse the requests done to my ldapserver from a nas. While browsing the logs I found the following entries : Mar 27 09:35:45 ldapd2021 slapd[3670819]: conn=2910400 fd=38 ACCEPT from IP=10.220.18.3:47000 (IP=0.0.0.0:636) Mar 27 09:35:45 ldapd2021 slapd[3670819]: conn=2910400 fd=38 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.2 tls_cipher=ECDHE-RSA-AES256-GCM-SHA384 Mar 27 09:35:45 ldapd2021 slapd[3670819]: conn=2910400 op=0 BIND dn="" method=128 Mar 27 09:35:45 ldapd2021 slapd[3670819]: conn=2910400 op=0 RESULT tag=97 err=0 qtime=0.000014 etime=0.000110 text= ….. Mar 27 09:37:43 ldapd2021 slapd[3670819]: conn=2910400 op=720 SRCH base="ou=people,dc=ipb,dc=fr" scope=1 deref=0 filter="(&(objectClass=posixAccount)(gidNumber=*)) Mar 27 09:37:43 ldapd2021 slapd[3670819]: conn=2910400 op=720 SRCH attr=gidNumber Mar 27 09:37:43 ldapd2021 slapd[3670819]: conn=2910400 op=720 SEARCH RESULT tag=101 err=4 qtime=0.000007 etime=0.000224 nentries=1 text= But if I do the same seach : Mar 27 09:58:34 ldapd2021 slapd[3670819]: conn=2911004 fd=31 ACCEPT from IP=127.0.0.1:56536 (IP=0.0.0.0:636) Mar 27 09:58:34 ldapd2021 slapd[3670819]: conn=2911004 fd=31 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Mar 27 09:58:34 ldapd2021 slapd[3670819]: conn=2911004 op=0 BIND dn="" method=128 Mar 27 09:58:34 ldapd2021 slapd[3670819]: conn=2911004 op=0 RESULT tag=97 err=0 qtime=0.000008 etime=0.000040 text= Mar 27 09:58:34 ldapd2021 slapd[3670819]: conn=2911004 op=1 SRCH base="ou=people,dc=ipb,dc=fr" scope=1 deref=0 filter="(&(objectClass=posixAccount)(gidNumber=*))" Mar 27 09:58:34 ldapd2021 slapd[3670819]: conn=2911004 op=1 SRCH attr=gidNumber Mar 27 09:58:34 ldapd2021 slapd[3670819]: conn=2911004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000011 etime=0.054003 nentries=5206 text= I have no specific ACL on the ip quering. What I see is that in the first case I have err=4, from what I have found it means size limit exceeded. Do you have an explanation of the first anwser ? Is there any param that can be in the request to cause the err=4 ? Maybe I should rise the logLevel to find the difference between the two requests ? Thanks in advance for any hint... — Frédéric Goudal Ingénieur Système, DSI Bordeaux-INP +33 556 84 23 11

3 3

how to migrate an openldap server to a new linux server
by xpzhang1971＠gmail.com 26 Mar '24

26 Mar '24

I have an openldap server I want to clone it to another linux server. However, I can't access it by login but can just run ldapsearch because this source openldap server only open port 389. Now I installed openldap-servers package to target linux server, then what? I appreciate if anybody can instruct me or direct me to useful documents.

5 14

etensibleObject vs. creating a new schema
by Uwe Sauter 26 Mar '24

26 Mar '24

Hi all, I was wondering if there is any best practice when to use extensibleObject in contrast to creating new objectClasses within a local schema. E.g. I have the need to filter the visibility of posixGroups depending on some attribute when sssd is accessing the directory. What I could do is to use an extra objectClass: extensibleObject to allow all defined attributes (e.g. host) to be used within my object. I could also create a new objectClass ( 2.25.$UUID.1.2.1 NAME 'myGroup' DESC 'Group with host attribute' SUP posixGroup AUXILIARY MAY host ) As far as I can tell using extensibleObject has the disadvantage to more or less disable the checks for correct attribute usage. Are there more positive or negative aspects to extensibleObject? I'd like to hear your thought on this. Thanks, Uwe

1 0

Logo usage
by Gloria Semme 21 Mar '24

21 Mar '24

Dear OpenLDAP Technical Team, I am reaching out to seek your guidance and permission regarding the use of the OpenLDAP logo. My team is in the process of creating a Grafana integration designed to facilitate the monitoring of OpenLDAP applications for our users. To enhance user experience and direct attention effectively, we plan to incorporate the OpenLDAP logo within the Grafana Cloud interface. Upon reviewing the available licensing information, we noted the absence of specific guidelines related to the use of the OpenLDAP logo. Given this, we wish to ensure our use aligns with your expectations and policies. Our design considerations include adjusting the logo to fit a square format to suit the dashboard's aesthetic. We are committed to respecting your branding guidelines and are open to any alternative suggestions or requirements you may have. We appreciate your support in this endeavor and look forward to your guidance. Thank you for your guidance. Best regards, -- [image: photo] *Gloria Semme* Sr. Engineering Manager Cloud Infrastructure Observability gloria.semme(a)grafana.com www.grafana.com

2 1

olcDbURI
by Bradley T Gill 15 Mar '24

15 Mar '24

Good Morning Group. I am struggling to find any documentation on this. Is there a limit to the amount of olcDbURI that can be defined for SASL? While I'm here, I might as well ask if there is a way to make it more resilient? Our servers get quarantined during pathing of AD and eventually SASL is broken until I restart OpenLDAP. Thanks! Bradley Gill

1 0

Lock conflicts?
by rzhou44＠tutamail.com 12 Mar '24

12 Mar '24

At work we have a program that actively reads/writes into LMDB file. This program uses MDB_NOLOCK (why, I'm not sure yet). Can I safely read/write to this LMDB file using my own programs or mdb_ command line tools? I worry that those (which by default use lock files) could conflict with the manual locking of the existing program and cause data corruptions. Thanks -Zhou

2 3

Configure replication without a plaintext password.
by mbalakri＠opentext.com 08 Mar '24

08 Mar '24

How to configure olcSyncrepl without a plaintext password? I tried using credentials="{SSHA256}jRlrKRCcrhYo7SqbPDc5WkoSxaHc8y/e0DPWaAnveUkQpQ7wEOWhsw==" format. Does olcSyncrepl accepts password in {SSHA256} format?

5 8

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2024