openldap-technical September 2025

openldap-technical@openldap.org

12 participants
9 discussions

Removing AutoCA overlay, objectClass, etc
by Brendan Kearney 06 Nov '25

06 Nov '25

list members, i have a multi-provider footprint that i want to remove the AutoCA functionality from. when i loaded the overlay, i set it to disabled, per the below: dn: olcOverlay={5}autoca objectClass: olcOverlayConfig objectClass: olcAutoCAConfig objectClass: top olcOverlay: {5}autoca structuralObjectClass: olcAutoCAConfig entryUUID: 739501f2-49ad-103e-911a-3dc9b40470bf creatorsName: uid=brendan,ou=domainusers,ou=users,dc=bpk2,dc=com createTimestamp: 20240117175614Z olcAutoCADays: 3650 olcAutoCAKeybits: 2048 olcDisabled: TRUE olcAutoCAserverKeybits: 2048 olcAutoCAuserClass: inetOrgPerson olcAutoCAserverClass: device olcAutoCAserverDays: 1826 olcAutoCAuserDays: 365 olcAutoCAuserKeybits: 2048 entryCSN: 20240117192443.210024Z#000000#001#000000 modifiersName: uid=brendan,ou=domainusers,ou=users,dc=bpk2,dc=com modifyTimestamp: 20240117192443Z note, olcDisabled is set to true. it seems that something went awry and even though i didn't want the capability active, i wound up with some caCertificate and caPrivateKey objects created in the DIT. it looks like i may have added the overlay in an active state and disabled it after the caCertificate/PrivateKey objects were created. i want to clean up things and remove the AutoCA pieces until i can test them better. what process is needed to remove the objects and overlay, as replication may play a part in some of the effort? i could imagine that deleting the caCertificate and caPrivateKey objects would be relatively straight forward, but the overlay may prove a bit more complicated. i found a message on this list from some time ago, https://www.openldap.com/lists/openldap-technical/201811/msg00075.html, that says i can stop the slapd instance, remove the overlay ldif files and restart the instance, to accomplish this task. the issue that i am trying to avoid is having to take down the entire fully replicated DIT, in order to delete the overlay and not have replication recreate it because one active node "didn't get the memo". are there any insights into how i can delete overlays without having replication recreate the objects i want to remove, all while still providing at least one instance to service requests? if it clarifies things, i am running 3 slapd instances behind a load balancer and both the config DB and DIT are replicated between all nodes. if it comes to it, i could take down all instances to perform this work, but i would like to avoid it if possible. thanks in advance, brendan kearney

3 9

Use lmdb for lookup of dentries?
by stefbon＠gmail.com 03 Nov '25

03 Nov '25

Hi, I'm writing FUSE fs's, and need a method for doing lookups for of dentries and inodes. To start with dentries, a FUSE lookup uses the parent inode ino (an uint64_t) and the name. Now I've expirmented a lttle creating a key like: - first 8 bytes used by parent inode ino, left padded with zeros. - rest the name of the entry like 00000001dexample which is the directory dexample in directory with ino 1. (to make this work custom locking is required) It works, but is it a good idea to do? Or are there other methods better? S.Bon

3 5

Debian 13
by Stefan Kania 29 Sep '25

29 Sep '25

Will there be packages for Debian 13 soon, or can I use the Debian 12 packages on Debian 13? Thank you for the answer -- Stefan

2 1

Request rate limiting
by BECOT Jérôme 24 Sep '25

24 Sep '25

Hello, Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction of another proxy ? Any advice appreciated Regards Jerome

5 5

logs on stderr don't enforce olcLogFileFormat
by David Coutadeur 18 Sep '25

18 Sep '25

Hi everyone! I don't know if this is intended or not, but when I run OpenLDAP with logs attached on stderr, like: ./slapd -h 'ldap://*:389 ldaps://*:636' -F ./slapd.d -u ldap -g ldap -d 256 the logs do not enforce olcLogFileFormat. For example: 68b6fe23.27b26379 0x7fe756a70e40 @(#) $OpenLDAP: slapd 2.6.10 (May 21 2025 22:00:00) $ instead of: Sep 02 16:21:50 hostname slapd[12345]: slapd starting Is this the expected behaviour? If so, are there any plans for having an option to set the date in stderr logs? Thanks in advance for any response! Regards, -- David Coutadeur | IAM integrator david.coutadeur(a)worteks.com +33 7 88 46 85 34 16 avenue Hoche, Paris 75008 Worteks | https://www.worteks.com

2 4

slapcat dump seems incomplete (attributes missing)
by Windl, Ulrich 15 Sep '25

15 Sep '25

Hi! After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there. When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there. That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is "slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1" Module load order is: olcModuleLoad: {0}back_mdb.so olcModuleLoad: {1}syncprov.so olcModuleLoad: {2}accesslog.so olcModuleLoad: {3}ppolicy.so olcModuleLoad: {4}refint.so olcModuleLoad: {5}pw-sha2.so olcModuleLoad: {6}lastbind.so Mit freundlichen Grüßen Ulrich Windl Klinikum der Universität Regensburg IT / Infrastruktur Franz-Josef-Strauß-Allee 11 D-93053 Regensburg Tel: +49 941 944-13816 Softphone: +49 941 944-801142 FAX: +49 941 944-5882

2 2

LDAP race condition with ldap_initialize API in OpenLDAP 2.6.7
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration activity,we used ldap_initialize() API for initializing and getting LDAP Handle. Our application supports multi threading. So, ldap_initialize() API will be called from multi threaded code. For example, 2 threads will call ldap_initialize() at same time/simultaneously. When 2 threads call ldap_initialize() at same time, sometimes observed a race condition during this API call. Due to this, the next api calls ldap_simple_bind_s or ldap_start_tls_s are getting failed for 2 threads and it is not recovered automatically until restarts our applications. We observed this race condition multiple times. Because of this issue, we are unable to start our application and it becomes a blocker for us to proceed further. After checking ldap_initialze() API code from openldap source code, noticed that race condition happened while initializing/setting global options. Are there any known issues with OpenLDAP when we use it in multi thread supported applications? Could you please check and provide a solution. Thank you for your help.

2 1

Need information related to multi thread support in OpenLDAP c sdk client
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP c sdk for our application client code. As part of this activity, replacing API one by one and also looking for constant replacement. In NSLDAP C SDK: /* * Thread function callbacks (an API extension -- * LDAP_API_FEATURE_X_THREAD_FUNCTIONS). */ #define LDAP_OPT_THREAD_FN_PTRS 0x05 /* 5 - API extension */ /* * Thread callback functions: */ typedef void *(LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_ALLOC_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_FREE_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_LOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_UNLOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_ERRNO_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_ERRNO_CALLBACK)( int e ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_LDERRNO_CALLBACK)( char **matchedp, char **errmsgp, void *arg ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_LDERRNO_CALLBACK)( int err, char *matched, char *errmsg, void *arg ); /* * Structure to hold thread function pointers: */ struct ldap_thread_fns { LDAP_TF_MUTEX_ALLOC_CALLBACK *ltf_mutex_alloc; LDAP_TF_MUTEX_FREE_CALLBACK *ltf_mutex_free; LDAP_TF_MUTEX_LOCK_CALLBACK *ltf_mutex_lock; LDAP_TF_MUTEX_UNLOCK_CALLBACK *ltf_mutex_unlock; LDAP_TF_GET_ERRNO_CALLBACK *ltf_get_errno; LDAP_TF_SET_ERRNO_CALLBACK *ltf_set_errno; LDAP_TF_GET_LDERRNO_CALLBACK *ltf_get_lderrno; LDAP_TF_SET_LDERRNO_CALLBACK *ltf_set_lderrno; void *ltf_lderrno_arg; }; nsldap c sdk has thread function pointers option to support multi thread functionality for client programs. In our existing code, we are using 'LDAP_OPT_THREAD_FN_PTRS' option with ldap_set_option API like "Client code usage: ldap_set_option(hLDAP, LDAP_OPT_THREAD_FN_PTRS, &tfns);". Now, we are looking for similar functionality within OpenLDAP to use it in our client program. I Went through OpenLDAP documents and source code, but to my knowledge, did not get any equivalent one. Could you please provide more details on this to achieve equivalent functionality of LDAP_OPT_THREAD_FN_PTRS with OpenLDAP? Thank you

2 1

Stale objects in mdb backend
by Matwey Kornilov 03 Sep '25

03 Sep '25

Hello, I am running OpenLDAP (slapd 2.4.49) on Ubuntu with an MDB backend configured for the suffix o=bar,dc=foo. With a help of slapcat, I have discovered stale data: several objects with the suffix dc=bar,dc=foo are physically present in the same MDB database files. These were likely created by the default Ubuntu installer before the entire configuration was manually replaced. However, /var/lib/ldap remained unnoticed at that time, and then production data were appended to this initial one. Is there a method to delete these specific dc=bar,dc=foo entries without taking the server offline and rebuilding the entire database from an LDIF export with slapcat+slapadd? ldapsearch seems to be uncapable to deal with this stale data. Thanks in advance.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2025