openldap-technical

openldap-technical@openldap.org

12 participants
9961 discussions

Ldapsearch : double on certain extended attributes
by Sebastian Perkins 27 Mar '26

27 Mar '26

Hello All We are running into a very bizarre situation using opendap 2.4.57 on Debian 11 and Debian 13 openldap 2.6.10 When running ldapsearch -LLL -x -H ldap://localhost login=x.y + We get the 2 below extended attributes (and only those) in double entryDN: cn=x.y,ou=Sales,ou=IT,o=Swisscom-Eurospot entryDN: cn=x.y,ou=Sales,ou=IT,o=Swisscom-Eurospot subschemaSubentry: cn=Subschema subschemaSubentry: cn=Subschema Standard attributes are fine A slapcat of the DB is perfect, no double up on the above on any user. phpmyadmin is also OK showing the extended attributes If I slapadd the DB (into the Debian 13 stance) … it works, but I also get the above again This is how we discovered the issue as the dump script used ldapsearch, and we were getting tons of « duplicates » (hence ignored) due to the above. Thanks for any help to resolve this mystery ! Best Sebastian Sebastian Perkins Senior Systems Development Engineer weareplanet.com

2 3

Problem in adding ppolicy.la after syncprov.la
by suman＠tifrh.res.in 23 Mar '26

23 Mar '26

I have added syncprov.la and files looks like ###/etc/openldap/slapd.d/cn\=config/cn\=module\{0\}.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 8d6079cc dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib64/openldap olcModuleLoad: {0}syncprov.la structuralObjectClass: olcModuleList entryUUID: 81683024-bae4-1040-8c13-b9420abdf920 creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20260323091457Z entryCSN: 20260323091457.088057Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20260323091457Z Now trying to add ppolicy.la dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: ppolicy.la ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ppolicy.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=module{0},cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcModuleLoad> handler exited with 1 Please let me know what is wrong and if someone guide me to overcome this issue. My ultimate goal to reach master-master + ppolicy,

1 0

Transform glue object to organizationalUnit
by cyril＠stoll.info 23 Mar '26

23 Mar '26

Hi For some reason (probably after update to openldap-ltb 2.6.10, or after reload due to renewed certificate) we lost one organizationalUnit object on one of our two provider servers. However there are still two user objects that belong to this lost organzationalUnit. Therefore openldap created a glue object for the lost organizationalUnit. On the second provider server (setup as multiprovider with the first one) the organzationalUnit object is still present and all looks like it should. I have no idea why one of the providers is still ok and the other is not since they are otherwise in sync as far as I can tell. Unfortunately I did not find clear instructions on how to handle this situation. The best instructions I found are 15 years old: http://blog.mycroes.nl/2010/06/recovering-from-glue-objects-in.html I have no experience with dumping everything with slapcat, deleting the whole database directory (scary) and importing everything again and it does sound a bit brutish. So I asked some AI and it suggested to use ldapmodify to replace the glue object with an ldif like this: dn: ou=serviceusers,dc=example,dc=com changetype: modify add: objectClass objectClass: organizationalUnit - add: ou ou: serviceusers However that did not work as I got the following error message: modifying entry "ou=serviceusers,dc=example,dc=com" ldap_modify: No such object (32) matched DN: ou=serviceusers,dc=example,dc=com So my question is do I have to use the method of dumping everything with slapcat and then changeing the ldif (rewrite glue to organziationalUnit, etc.) and importing it all again? Or is there a more elegant solution to get the organizationalUnit back? Thanks already in advance for every helping suggestion/link/explanation! Best regards, Cyril

6 12

Performance degrade observed with OpenLDAP 2.6.7 library
by venugopal chinnakotla 23 Mar '26

23 Mar '26

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration, we are facing one issue related to performance degradation under load on Windows platform. In our application, we are using a single/shared connection handle to perform LDAP operation on LDAP user store servers. As part of Authentication, we are using ldap_search_ext_s call to get users and to get any user attributes from LDAP servers. We are using synchronous calls. With Mozilla NSLDAP, the same application is working well without any issues. As we are migrating to OpenLDAP, we did required changes and also we used ldap_dup() API to avoid "-4:Decoding error" issues under the load. Now, we are facing performance degradation issues under the load with OpenLDAP library Whenever we are trying to get a user attribute from the LDAP user store server where that user attribute is not available or value for user attribute is empty, we observed performance degradation with OpenLDAP library clearly around 25-30%. In case, search for user attributes with value, no degradation observed. This degradation is happening only when the user attribute is not available or the value is empty. Here are the snippet of runs output where performance degrade is showing: *With search of user attribute having value at LDAP server side:* Total Elapsed: 0:10:01 Minimum Response Time: 0:00:00.000.056 Maximum Response Time: 0:00:00.783.140 Average Response Time: 0:00:00.016.124 Total Requests: 659316 Throughput (Req/Sec): 1094.447 *With search of user attribute, not having value/does not exist at LDAP server side:* Total Elapsed: 0:10:01 Minimum Response Time: 0:00:00.000.059 Maximum Response Time: 0:00:00.218.502 Average Response Time: 0:00:00.032.788 Total Requests: 355065 Throughput (Req/Sec): 590.258 Example search calls we are using: 1. ldap_search_ext_x() for user lookup 2. ldap_search_ext_s() for user attributes for that specific user. (filter: uid=* and base: "cn=user,dc=comain,dc=com) - Where uid attribute has some value for this user at LDAP server side 3. ldap_search_ext_s() for user attributes for that specific user. (filter: Name=* and base: "cn=user,dc=comain,dc=com) - Where Name attribute is not present for that user at LDAP server side (This is causing performance degrade) With the same above steps, we did not see any performance issues with NSLDAP. If we remove step 3 from the above, no degradation is observed with the OpenLDAP library. Could you please look into this issue and provide a solution to overcome this performance degradation issue? We are completely blocked here as part of OpenLDAP migration. Note: To investigate this performance degradation with OpenLDAP, I wrote one LDAP sample code with the above 3 operations with multiple threads. I executed the sample with NSLDAP and OpenLDAP using multiple threads. In the sample runs, OpenLDAP is giving very poor performance when compared with NSLDAP. Please have a look at the sample also and provide your thoughts. Thank you in advance for your time and help

4 4

[LMDB] mdb_open throws ENOSYS in Linux container on OS X host
by stefano＠cossu.cc 20 Mar '26

20 Mar '26

Hello, I am running Docker on OS X Monterey, and starting up a vanilla alpine:latest Linux image. I only installed build-base and lmdb-dev and ran /bin/sh as root. LMDB version (Alpine): lmdb-dev-0.9.33-r0 Inside the container, I wrote this test code: /* test_open.c */ #include <stdio.h> #include "lmdb.h" #define DEFAULT_MAPSIZE 1UL<<40 int main() { int rc; MDB_env *env; rc = mdb_env_create(&env); printf ("env create: %d\n", rc); rc = mdb_env_set_maxdbs (env, 10); printf ("env set maxdbs: %d\n", rc); rc = mdb_env_set_mapsize (env, DEFAULT_MAPSIZE); printf ("env set mapsize: %d\n", rc); rc = mdb_env_open (env, "/tmp", 0, 0640); printf ("env open: %d\n", rc); mdb_env_close (env); return rc; } I compiled with `gcc test_open.c -llmdb -o test_open` and ran as root, and got this output: env create: 0 env set maxdbs: 0 env set mapsize: 0 env open: 38 The lock file was created, not the data file. This only occurs in the guest setup. On the OS X host and on a native Linux host it exits with 0. Any hints?

2 2

Does [openldap](https://openldap.org/) solve Identity or Access or the both now?
by anlex N 12 Mar '26

12 Mar '26

1. For [Identity and Access Management (IAM)](https://docs.cloud.google.com/iam/docs/overview), Does [openldap](https://openldap.org/) solve Identity or Access or the both? 2. How do you implement Identity and Access Management (IAM)? 3. Have you tried to implement [Google Cloud's Identity and Access Management (IAM)](https://docs.cloud.google.com/iam/docs/overview)? 4. Where is [Google Cloud's Identity and Access Management (IAM)](https://docs.cloud.google.com/iam/docs/overview) source code? I can not find it on `github.com`. 5. Do you use [openldap](https://openldap.org/) to implement Identity and Access Management (IAM)?

4 5

RE26 testing call (2.6.13) #1
by Quanah Gibson-Mount 24 Feb '26

24 Feb '26

his is the first testing call for OpenLDAP 2.6.13. Depending on the results, this may be the only testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.6.13 Engineering Fixed liblber ber_bvreplace_x potential NULL dereference (ITS#10438) Fixed libldap heap buffer overflow in parse_whsp (ITS#10430) Fixed slap(add|modify) to not recreate config frontend (ITS#10414) Fixed slapd authzPrettyNormal function memory leak (ITS#10446) Fixed slapd memory leak in get_mra function (ITS#10445) Fixed slapd memory leak in parseAssert and parseReturnFilter functions (ITS#10450) Fixed slapd memory leak in parseReadAttrs function (ITS#10449) Fixed slapd slapd_sasl_mechs race condition (ITS#10443) Fixed slapd syncrepl to be more efficient with refresh task (ITS#10413) Fixed slapd unbind/close race condition (ITS#10258) Fixed slapd-ldap memory leak in ldap_chain_parse_ctrl function (ITS#10447) Fixed slapd-mdb always initialize pausepoll (ITS#10191) Fixed slapo-constraint to not propagate request controls to internal ops (ITS#10440) Fixed slapo-dds minttl incorrectly set in certain scenarios (ITS#10442) Fixed slapo-memberof to not propagate request controls to internal ops (ITS#10440) Fixed slapo-nestgroup to not propagate request controls to internal ops (ITS#10440) Fixed slapo-retcode to not propagate request controls to internal ops (ITS#10440) Fixed slapo-syncprov to not propagate request controls to internal ops (ITS#10440) Fixed slapo-syncprov memory leak in syncprov_parseCtrl (ITS#10448) Fixed slapo-translucent to not propagate request controls to internal ops (ITS#10440) Contrib Fixed slapo-autogroup to not propagate request controls to internal ops (ITS#10440) Minor Cleanup ITS#10427 ITS#10425 ITS#10451 --Quanah

4 4

Adding and stating syncrepl via olc
by Bastian Tweddell 19 Feb '26

19 Feb '26

Hi all, I have a question, if there is way that slapd automatically starts syncreplication after it was added to OLC. When installing a fresh slapd with olc config, it starts up with a bootstrap-olc. In the following step the bootstrap process (ansible) reconfigures mostly everything in cn=config, adding globals, ALCs, schema and the main MDB. As soon as the MDB database gets its syncrepl config, the log states it was successful: ``` Config: ** successfully added syncrepl rid=001 "ldaps://PROVIDER01.HOST" Config: ** successfully added syncrepl rid=002 "ldaps://PROVIDER02.HOST" ``` But after that the connections to the providers are not established. Even after waiting way longer then the configured timeout: ``` olcSyncrepl: {0}rid="001" provider="ldaps://PROVIDER01.HOST bind dn="DN_CONSUMER" bindmethod="simple" creden tials="SECRET" filter="(objectclass=*)" keepalive="180:9:75" retry= "20 3 60 10 300 +" schemachecking="on" searchbase="BASEDN " type="refreshAndPersist" olcSyncrepl: {1}rid="002" provider="ldaps://PROVIDER01.HOST bind dn="DN_CONSUMER" bindmethod="simple" creden tials="SECRET" filter="(objectclass=*)" keepalive="180:9:75" retry= "20 3 60 10 300 +" schemachecking="on" searchbase="BASEDN " type="refreshAndPersist" ``` I have to either restart the service or send slapd a SIGUSR1. Is there a way to configure the syncrepl via OLC so that the syncrepl process is initiated automatically when it was added? Many thanks, -- Bastian Tweddell Juelich Supercomputing Centre phone: +49 (2461) 61-6586 --------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------- Forschungszentrum Jülich GmbH 52425 Jülich Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Stefan Müller Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende), Dr. Stephanie Bauer (stellvertretende Vorsitzende), Prof. Dr. Ir. Pieter Jansens, Prof. Dr. Laurens Kuipers --------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------

2 8

Stupid question about accesslog, delta-syncrepl and efficiency
by Windl, Ulrich 17 Feb '26

17 Feb '26

Hi! Sorry for this stupid question: One argument for delta-syncrepl is that changing a small part of a large object is much more efficient, because pnly the changed data is logged and transferred. However with a multi-valued attributer like pwdHistory the accesslog entry contains all the unchanged values also. E.g.: … reqMod: pwdHistory:+ 20260207170142Z#1.3.6.1.4.1.1466.115.121.1.40#65#{SSHA256 }i56N/G7DutJ3OWdRXDBlSa/7CFN8XLM9X92RwUWohvQiQIEx+cVu9Q== … reqMod: modifyTimestamp:= 20260207170142Z reqOld: pwdHistory: 20240528115526Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}caF 961AUsh/ECAMdR2i/Iu+DS9Wi22z2 reqOld: pwdHistory: 20240528115715Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}RSu 8pPgFNIuDP/lBK1qylW+z5aEsr9hD reqOld: pwdHistory: 20240902115523Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}B8H FVqRKEheQWDonlsu6cyyMH4SNaQOz reqOld: pwdHistory: 20241018115412Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}9/R BrtPynf5D0cU+R1OGt+ZrdIK4mo0N reqOld: pwdHistory: 20241203075815Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}raC wwHLscnDFG0SwoH9MBbqI2CCfMlzX reqOld: pwdHistory: 20250115093324Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}iMd Qy6jvjwtQQXp5JZmAbLovyFsN1b8J reqOld: pwdHistory: 20250124090328Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}2wQ 4+aXKqOZC1w3uKULFeJ8kleum4Iy6 reqOld: pwdHistory: 20250306085113Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}aXQ 4DutidnaPGBiitGVAMv8Ebb8YMOOc reqOld: pwdHistory: 20250528131341Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}YDh Hw94sp0wdjWu9xzm4DKzpUioi5Wqf reqOld: pwdHistory: 20250822074239Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Nog FGndg4AiHJEN59Is0JjLgFEx6TQr1 reqOld: pwdHistory: 20250924074514Z#1.3.6.1.4.1.1466.115.121.1.40#65#{SSHA256} lV7mACHa1hPG0RT7EzKM47+EzTz+xamL8+hx72FIG390xyRdnIqkwg== reqOld: pwdHistory: 20250929123923Z#1.3.6.1.4.1.1466.115.121.1.40#65#{SSHA256} kF37AmFjBZFrKeLVjQdemDTi6joE96s4FBhiSqejdSPLdosJVz2YZw== reqOld: pwdHistory: 20251118085003Z#1.3.6.1.4.1.1466.115.121.1.40#65#{SSHA256} f3eB5YSh/xdak80b/eVARKlo/f+vsbD4EbNFv/sfrpbSo2bGfNct6Q== Doesn’t that “cancel” the gain in efficiency? Kind regards, Ulrich Windl

3 4

About Translucent Overlay
by zacc_lxy 12 Feb '26

12 Feb '26

Dear openldap experts, Recently, we are trying to setup a Openldap proxy using translucent overlay. The proxy was configured successfully and we can read remote ldap contents through local proxy. Following the official instruction: https://www.openldap.org/doc/admin24/overlays.html?spm=5176.28103460.0.0.38…, we could see that for the basic attributes we fetched them from remote ldap server, whereas for the new attributes we fetched them from local mdb database. However, we met a special scenario that the instruction didn't mention, and we didn't know how to fulfill it : (1) Assuming there is a user stored in remote ldap server user.ldif dn:uid=user1,ou=People,dc=mydomain,dc=com uid:user1 cn:user1 objectClass:account objectClass:posixAccount objectClass:top objectClass:shadowAccount (2) We would like to add a new attribute in proxy (local mdb database) user_new.ldif dn:uid=user1,ou=People,dc=mydomain,dc=com changetype: modify add: objectClass objectClass: sambaSamAccount The difference was that: the objectClass consists of multiple lines, and account/posixAccount/top/shadowAccount was stored in remote, we just wanted to add a new lines for sambaSamAccount in local mdb. If I execute user_new.ldif then the user1 became that only contained objectClass: sambaSamAccount and account/posixAccount/top/shadowAccount was disappeared. Is there a way to fulfill that ? Thanks, Adrian Liu

2 1

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical