openldap-technical December 2025

openldap-technical@openldap.org

9 participants
6 discussions

Transform glue object to organizationalUnit
by cyril＠stoll.info 23 Mar '26

23 Mar '26

Hi For some reason (probably after update to openldap-ltb 2.6.10, or after reload due to renewed certificate) we lost one organizationalUnit object on one of our two provider servers. However there are still two user objects that belong to this lost organzationalUnit. Therefore openldap created a glue object for the lost organizationalUnit. On the second provider server (setup as multiprovider with the first one) the organzationalUnit object is still present and all looks like it should. I have no idea why one of the providers is still ok and the other is not since they are otherwise in sync as far as I can tell. Unfortunately I did not find clear instructions on how to handle this situation. The best instructions I found are 15 years old: http://blog.mycroes.nl/2010/06/recovering-from-glue-objects-in.html I have no experience with dumping everything with slapcat, deleting the whole database directory (scary) and importing everything again and it does sound a bit brutish. So I asked some AI and it suggested to use ldapmodify to replace the glue object with an ldif like this: dn: ou=serviceusers,dc=example,dc=com changetype: modify add: objectClass objectClass: organizationalUnit - add: ou ou: serviceusers However that did not work as I got the following error message: modifying entry "ou=serviceusers,dc=example,dc=com" ldap_modify: No such object (32) matched DN: ou=serviceusers,dc=example,dc=com So my question is do I have to use the method of dumping everything with slapcat and then changeing the ldif (rewrite glue to organziationalUnit, etc.) and importing it all again? Or is there a more elegant solution to get the organizationalUnit back? Thanks already in advance for every helping suggestion/link/explanation! Best regards, Cyril

6 12

RE26 testing call (2.6.11) #1
by Quanah Gibson-Mount 12 Jan '26

12 Jan '26

This is the first testing call for OpenLDAP 2.6.11. Depending on the results, this may be the only testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.6.11 Engineering Fixed slapd to use fresh timestamp for lastbind (ITS#10379) Fixed slapd delta-syncrepl to always use logDB rootdn (ITS#10360) Fixed slapd reverse lookup of proxied IPv6 addresses (ITS#10387) Fixed slapd logging (ITS#10410) Fixed slapd-ldap response when invalid secprops is configured (ITS#10392) Fixed slapd-mdb error when deleting last child of a branch (ITS#10304) Fixed slapd-mdb check for pool pause in search (ITS#10191) Fixed slapo-memberof clash with refint on subtree rename (ITS#10398) Fixed slapo-syncprov use correct rootDN for accesslog replay (ITS#10385) Minor Cleanup ITS#7901 ITS#10329 ITS#10335 ITS#10339 ITS#10343 ITS#10344 ITS#10345 ITS#10347 ITS#10348 ITS#10349 ITS#10353 ITS#10358 ITS#10359 ITS#10366 ITS#10367 ITS#10369 ITS#10370 ITS#10371 ITS#10372 ITS#10374 ITS#10375 ITS#10376 ITS#10377 ITS#10379 ITS#10380 ITS#10381 ITS#10384 ITS#10388 ITS#10390 ITS#10391 ITS#10400 ITS#10401 ITS#10408

2 3

Syncrepl problem in Vagrant environment
by Stefan Kania 09 Jan '26

09 Jan '26

Hi to all, I have a strange problem. If I install the following LDIFs in an multi provider environment, build directly on vritualBox VMs, everyting is fine: --------Schema extension -------- dn: cn=stkaPosixExtension,cn=schema,cn=config objectClass: olcSchemaConfig cn: stkaPosixExtension olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.1 NAME 'stkaPosixGroup' DESC 'advanced PosixGroup for dynamic use' SUP top AUXILIARY MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) ) olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.2 NAME 'stkaPosixAccount' DESC 'advanced PosixAccount for dynamic use' SUP posixAccount AUXILIARY MAY ( memberUID ) ) -------------------------------- ---- Overlay autogroup ------------ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: autogroup.la dn: olcOverlay=autogroup,olcDatabase={2}mdb,cn=config changetype: add objectClass: olcAutoGroupConfig objectClass: olcOverlayConfig olcOverlay: autogroup olcAutoGroupAttrSet: groupOfURLs memberURL memberUID ----------------------------------- dn: cn=dynposix,ou=groups,dc=example,dc=net cn: dynposix objectClass: top objectClass: groupOfURLs objectClass: stkaPosixGroup gidNumber: 4242 memberURL: ldap:///dc=example,dc=net?memberUID?sub?(title=Linuxuser) --- dynamic group ------------- --- dynamic group user ------- dn: uid=dynuser,ou=users,dc=example,dc=net objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: stkaPosixAccount cn: John Doe sn: Dynamo title: Linuxuser uid: dynuser gidNumber: 1000 homeDirectory: /home/dynuser uidNumber: 12345 userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$ZHN2cnZ0... memberUid: dynuser ------------------------------ I can see the user, replication of cn0config is working, even if I add new changes. No I want to do a setup with vagrant and Debian13. As soon as I try to add the overlay (the schema extension is working fine) the OpenLDAP i crashing wit the following message: ------------------------------ Dec 16 11:16:49 ldap02 slapd[3344]: syncprov_db_open: starting syncprov for suffix cn=config Dec 16 11:16:49 ldap02 slapd[3344]: conn=-1 op=0 syncprov_findcsn: mode=FIND_MAXCSN csn= Dec 16 11:16:49 ldap02 systemd[1]: symas-openldap-server.service: Main process exited, code=killed, status=11/SEGV Dec 16 11:16:49 ldap02 systemd[1]: symas-openldap-server.service: Failed with result 'signal'. ------------------------------ I have never seen this message before. Any hint where I can search for the problem? Stefan

3 4

Replication issue with OpenLdap: slapd 2.6.8 || RHEL 9 (Red Hat Enterprise Linux release 9.7)
by mridumit＠amdocs.com 06 Jan '26

06 Jan '26

Hi I am not able to replicate or facing replication issue within 2 instances where ldap is running. The error I see in logs of slapd is : slap_client_connect: URI=<provider url> DN="cn=<sample value>,dc=<sample value>,dc=<sample value>" ldap_sasl_bind_s failed (-1). Can anybody help us ? I can provide more information if required.

2 1

Migrating HA Cluster, Want to Force Full Replication
by Brendan Kearney 06 Jan '26

06 Jan '26

List members, I plan on updating my 3 node multi-primary instances and want to have a full resync done when each instance is rebuilt and rejoined to the cluster. Currently, I have both config and DIT fully replicated between all instances. When I rebuild each node, it will have all of the configs in place to be a part of the cluster. What I would like to have is all the data pushed to the newly built, but empty, instance. I have a process that is somewhat brute force, where all data is exported, stripped of entryCSN and contextCSN values, then added back to the newly built instance. This would require that the other instances be stopped or otherwise not take any updates during the transition. I would like to avoid this disruption in service, if at all possible. Is there a way to have a full resync done when a rebuilt instance that has no data rejoins a cluster? Thanks in advance, Brendan Kearney

4 10

Timeouts with ldap_search_ext_s and other APIS
by venugopal chinnakotla 11 Dec '25

11 Dec '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration, we are facing one issue related to timeouts, that we set LDAP Handle using ldap_set_option and calling an API ldap_search_ext_s. With Mozilla NSLDAP, setting PRLDAP_OPT_IO_MAX_TIMEOUT value to zero in LDAP Handle and making ldap_search_ext_s function call. Also passing timeout value (for Ex: 30 seconds) explicitly as one on the argument. This search call is giving an error: "Timeout error." With OpenLDAP, setting LDAP_OPT_TIMEOUT value to zero in LDAP Handle and making ldap_search_ext_s function call. Also passing timeout value (Same value: 30 seconds) explicitly as one of the arguments. This search call is giving a successful result instead of Timeout error. *Note:* With OpenLDAP, setting LDAP_OPT_TIMEOUT value to zero in LDAP Handle (0 sec, 1 microseconds) and making ldap_search_ext_s function call. Also passing timeout value 30 seconds explicitly as one of the arguments. This search call is giving a successful result instead of Timeout error. *Even tried this: *With OpenLDAP, setting LDAP_OPT_NETWORK_TIMEOUT value to zero in LDAP Handle (0 sec, 1 microseconds) and making ldap_search_ext_s function call. Also passing timeout value 30 seconds explicitly as one of the arguments. This search call is giving a successful result instead of Timeout error. --Here, I think LDAP_OPT_NETWORK_TIMEOUT is applicable only for connection calls. As per our application expected behaviour, with OpenLDAP, search call should give a timeout error, but it is giving a successful result. 1. What is the difference between the implementation of nsldap and OpenLDAP for timeouts? 2. If we want to get a Timeout error in the above use case (setting LDAP_OPT_TIMEOUT to zero) , what should we change with usage of OpenLDAP timeouts and APIs? 3. Also provide me some details on how timeouts are applied for each operation like connect/bind/search calls? 4. Which timeout will take the precedence/consideration when we have different timeouts, one is in LDAP Handle LDAP_OPT_TIMEOUT and another timeout value that we pass explicitly to ldap_searh_ext_s API? a. What happens when we have LDAP_OPT_TIMEOUT (ldo_tm_api in LDAP Handle) has less value than the timeout value specified in ldap_search_ext_s API argument explicitly? b. What happens when we have LDAP_OPT_TIMEOUT (ldo_tm_api in LDAP Handle) has greater value than the timeout value specified in ldap_search_ext_s API argument explicitly? 5. How do these timeouts apply to other API calls ldap_smple_bind_s? 6. Also, can you provide an equivalent timeout in OpenLDAP for Mozilla NSLDAP timeouts? LDAP_X_OPT_CONNECT_TIMEOUT - ( We mapped LDAP_OPT_NETWORK_TIMEOUT in OpenLDA) PRLDAP_OPT_IO_MAX_TIMEOUT - (We mapped LDAP_OPT_TIMEOUT in OpenLDAP) -- Thanks, *c.venugopal*

2 2

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2025