openldap-technical September 2025

openldap-technical@openldap.org

10 participants
6 discussions

Request rate limiting
by BECOT Jérôme 24 Sep '25

24 Sep '25

Hello, Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction of another proxy ? Any advice appreciated Regards Jerome

5 5

logs on stderr don't enforce olcLogFileFormat
by David Coutadeur 18 Sep '25

18 Sep '25

Hi everyone! I don't know if this is intended or not, but when I run OpenLDAP with logs attached on stderr, like: ./slapd -h 'ldap://*:389 ldaps://*:636' -F ./slapd.d -u ldap -g ldap -d 256 the logs do not enforce olcLogFileFormat. For example: 68b6fe23.27b26379 0x7fe756a70e40 @(#) $OpenLDAP: slapd 2.6.10 (May 21 2025 22:00:00) $ instead of: Sep 02 16:21:50 hostname slapd[12345]: slapd starting Is this the expected behaviour? If so, are there any plans for having an option to set the date in stderr logs? Thanks in advance for any response! Regards, -- David Coutadeur | IAM integrator david.coutadeur(a)worteks.com +33 7 88 46 85 34 16 avenue Hoche, Paris 75008 Worteks | https://www.worteks.com

2 4

slapcat dump seems incomplete (attributes missing)
by Windl, Ulrich 15 Sep '25

15 Sep '25

Hi! After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there. When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there. That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is "slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1" Module load order is: olcModuleLoad: {0}back_mdb.so olcModuleLoad: {1}syncprov.so olcModuleLoad: {2}accesslog.so olcModuleLoad: {3}ppolicy.so olcModuleLoad: {4}refint.so olcModuleLoad: {5}pw-sha2.so olcModuleLoad: {6}lastbind.so Mit freundlichen Grüßen Ulrich Windl Klinikum der Universität Regensburg IT / Infrastruktur Franz-Josef-Strauß-Allee 11 D-93053 Regensburg Tel: +49 941 944-13816 Softphone: +49 941 944-801142 FAX: +49 941 944-5882

2 2

LDAP race condition with ldap_initialize API in OpenLDAP 2.6.7
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration activity,we used ldap_initialize() API for initializing and getting LDAP Handle. Our application supports multi threading. So, ldap_initialize() API will be called from multi threaded code. For example, 2 threads will call ldap_initialize() at same time/simultaneously. When 2 threads call ldap_initialize() at same time, sometimes observed a race condition during this API call. Due to this, the next api calls ldap_simple_bind_s or ldap_start_tls_s are getting failed for 2 threads and it is not recovered automatically until restarts our applications. We observed this race condition multiple times. Because of this issue, we are unable to start our application and it becomes a blocker for us to proceed further. After checking ldap_initialze() API code from openldap source code, noticed that race condition happened while initializing/setting global options. Are there any known issues with OpenLDAP when we use it in multi thread supported applications? Could you please check and provide a solution. Thank you for your help.

2 1

Need information related to multi thread support in OpenLDAP c sdk client
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP c sdk for our application client code. As part of this activity, replacing API one by one and also looking for constant replacement. In NSLDAP C SDK: /* * Thread function callbacks (an API extension -- * LDAP_API_FEATURE_X_THREAD_FUNCTIONS). */ #define LDAP_OPT_THREAD_FN_PTRS 0x05 /* 5 - API extension */ /* * Thread callback functions: */ typedef void *(LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_ALLOC_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_FREE_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_LOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_UNLOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_ERRNO_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_ERRNO_CALLBACK)( int e ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_LDERRNO_CALLBACK)( char **matchedp, char **errmsgp, void *arg ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_LDERRNO_CALLBACK)( int err, char *matched, char *errmsg, void *arg ); /* * Structure to hold thread function pointers: */ struct ldap_thread_fns { LDAP_TF_MUTEX_ALLOC_CALLBACK *ltf_mutex_alloc; LDAP_TF_MUTEX_FREE_CALLBACK *ltf_mutex_free; LDAP_TF_MUTEX_LOCK_CALLBACK *ltf_mutex_lock; LDAP_TF_MUTEX_UNLOCK_CALLBACK *ltf_mutex_unlock; LDAP_TF_GET_ERRNO_CALLBACK *ltf_get_errno; LDAP_TF_SET_ERRNO_CALLBACK *ltf_set_errno; LDAP_TF_GET_LDERRNO_CALLBACK *ltf_get_lderrno; LDAP_TF_SET_LDERRNO_CALLBACK *ltf_set_lderrno; void *ltf_lderrno_arg; }; nsldap c sdk has thread function pointers option to support multi thread functionality for client programs. In our existing code, we are using 'LDAP_OPT_THREAD_FN_PTRS' option with ldap_set_option API like "Client code usage: ldap_set_option(hLDAP, LDAP_OPT_THREAD_FN_PTRS, &tfns);". Now, we are looking for similar functionality within OpenLDAP to use it in our client program. I Went through OpenLDAP documents and source code, but to my knowledge, did not get any equivalent one. Could you please provide more details on this to achieve equivalent functionality of LDAP_OPT_THREAD_FN_PTRS with OpenLDAP? Thank you

2 1

Stale objects in mdb backend
by Matwey Kornilov 03 Sep '25

03 Sep '25

Hello, I am running OpenLDAP (slapd 2.4.49) on Ubuntu with an MDB backend configured for the suffix o=bar,dc=foo. With a help of slapcat, I have discovered stale data: several objects with the suffix dc=bar,dc=foo are physically present in the same MDB database files. These were likely created by the default Ubuntu installer before the entire configuration was manually replaced. However, /var/lib/ldap remained unnoticed at that time, and then production data were appended to this initial one. Is there a method to delete these specific dc=bar,dc=foo entries without taking the server offline and rebuilding the entire database from an LDIF export with slapcat+slapadd? ldapsearch seems to be uncapable to deal with this stale data. Thanks in advance.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2025