openldap-technical

openldap-technical@openldap.org

13 participants
9906 discussions

Q: Uniqueness ofSyncRepl RIDs, replicating cn=config
by Windl, Ulrich 11 Jul '25

11 Jul '25

Hi! I always wondered about the scope within SyncRepl RIDs have to be unique: * Per database * Per server * Within all servers For a support case covering MMR replication including cn=config I got this response: "One cannot copy the config between machines. Syncrepl configuration includes the RID parameter. That RID must be UNIQUE on all servers. By copying the config, one now has two machines with the same RID." I think it's OK to do so, however. Slapd handles the situation where a server is asked to sync from itself correctly ARAIK. We have three servers, says s1 (sid=1), s2 (sid=2), and s3 (sid=3). And there are three syncrepl statements making each server to syn from each of the three servers. So effectively s1 will sync from s2 and s3, s2 will sync from s1 and s3, and s3 will sync from s1 and s2 (each server ignoring the sync from itself). The log message may be like this for s2: slapd[1811445]: conn=1001 op=2 syncprov_matchops: skipping original sid 002 Am I correct, or is the support's answer correct? Kind regards, Ulrich Windl

2 1

Openldap unable to start after upgrading from 2.4 to 2.5
by Kaya Saman 11 Jul '25

11 Jul '25

Hi all, I've just performed an upgrade on my FreeBSD servers to get them all to version 13.5 and am now in the process of updating various @ports. OpenLDAP was upgraded from the 24 version port to the 25 (or version 2.5 in real terms) but for some reason the service does not want to start. I have checked the "upgrading" information here: https://openldap.org/doc/admin25/appendix-upgrading.html and tried to read around the issue, but I can't really understand what is going on. This is the output from the ldap.log file: Jul 8 23:48:03 ldap slapd[1302]: @(#) $OpenLDAP: slapd 2.5.20 (Jul 8 2025 21:55:10) $ @ldap.FQDN:/usr/ports/net/openldap25-server/work/openldap-2.5.20/servers/slapd Jul 8 23:48:03 ldap slapd[1302]: daemon_init: <null> Jul 8 23:48:03 ldap slapd[1302]: daemon: SLAP_SOCK_INIT: dtblsize=231210 Jul 8 23:48:03 ldap slapd[1302]: daemon_init: listen on ldap:/// Jul 8 23:48:03 ldap slapd[1302]: daemon_init: 1 listeners to open... Jul 8 23:48:03 ldap slapd[1302]: daemon: listener initialized ldap:/// Jul 8 23:48:03 ldap slapd[1302]: daemon_init: 1 listeners opened Jul 8 23:48:03 ldap slapd[1302]: slapd init: initiated server. Jul 8 23:48:03 ldap slapd[1302]: slap_sasl_init: initialized! Jul 8 23:48:03 ldap slapd[1302]: mdb_back_initialize: initialize MDB backend Jul 8 23:48:03 ldap slapd[1302]: mdb_back_initialize: LMDB 0.9.33: (May 21, 2024) Jul 8 23:48:03 ldap slapd[1302]: backend_startup_one: starting "cn=config" Jul 8 23:48:03 ldap slapd[1302]: ldif_read_file: no entry file "/usr/local/etc/openldap//cn=config.ldif" Jul 8 23:48:03 ldap slapd[1302]: send_ldap_result: conn=-1 op=0 p=0 Jul 8 23:48:03 ldap slapd[1302]: send_ldap_result: err=32 matched="" text="" Jul 8 23:48:03 ldap slapd[1302]: slapd destroy: freeing system resources. Jul 8 23:48:03 ldap slapd[1302]: slapd stopped. Jul 8 23:48:03 ldap slapd[1302]: connections_destroy: nothing to destroy. Has something with the configuration file changed in the meantime, or based off this line: "ldif_read_file: no entry file "/usr/local/etc/openldap//cn=config.ldif"" is it something to do with the slapd.ldif file in the openldap directory? If need be I can post my slapd.conf file too.... any pointers would be great or at least if there was somewhere to increase the logging to say exactly what and where is wrong would be great. Many thanks. Kaya

4 6

The infamous "main: TLS init def ctx failed: -1" and a solution
by Windl, Ulrich 10 Jul '25

10 Jul '25

Hi! When trying to start slapd, I got "main: TLS init def ctx failed: -1" before slapd quit. So I got the clue that something with TLS, probably certificates is wrong. I spend half of a day to examine the certificates used, found something, fixed that, but it did not help. Eventually I found some article (https://apple.stackexchange.com/questions/107130/slapd-daemon-cant-start-tl…) explaining that starting slapd with option -d1" would provide some more reasonable error details. So I tried that, and I found "TLS: could not load client CA list (file:`',dir:`/etc/ssl/certs')." That's much more helpful than the original message, so I examined the directory. Interestingly the issue was that there wre four stale links to centificate files that did not longer exist (those were not used any more, however, because they expired several years ago). Deleting those links by calling c_rehash fixed the problem. So at the very least I'm suggesting to provide the more useful error message also in non-debug mode. I'm not saying that the better error message couldn't be improved also. Kind regards, Ulrich Windl

1 0

Advice / Rex on performance test
by BECOT Jérôme 08 Jul '25

08 Jul '25

Hi there, We want to run performance and load testing on our servers. Which tool fits the best for OpenLDAP (we are running servers behing haproxies as well).? Is there a specific tool for Openldap? Do you have any recommendation with other tools? We want to run tests through CI pipelines. Thank you

2 1

LMDB and Disk fragmentation
by hubouvie＠microsoft.com 07 Jul '25

07 Jul '25

Hi everyone, We’ve been stress‑testing an LMDB database by continually inserting and deleting records ranging from 4 KB to 5 MB. To track utilization, we rely on two independent metrics: Application index – we track the sum of the payload bytes of keys currently present. mdb_stat output – pages in use /overlay etc.... The two figures agree closely. Despite this, we repeatedly hit MDB_MAP_FULL when both metrics say the map is only ≈ 50 % occupied (on both metrics). Our tentative conclusion is heavy page fragmentation: LMDB can’t find a sufficiently large contiguous run of free pages even though half of the map is nominally free. Questions - Is it normal to lose that much effective capacity with an insert/delete workload like ours? - How far can we realistically fill the map before hitting fragmentation limits? - Are there recommended ways to mitigate or “defragment”? Any advice would be greatly appreciated! Thanks! Hugues

3 4

Proxy Protocol support for ldap client
by BECOT Jérôme 07 Jul '25

07 Jul '25

Hello, We use the proxy protocol with our openldap 2.5 servers (pldaps). I noticed that client binaries allow pldaps as protocol in the host address option starting with 2.5, but how can I add proxy headers to the request to communicate with my servers ? I think that there might be something with '-o' that I'm not aware of. Thanks for your help. Jerome

3 3

Q: sync provider: "additional info: <olcUpdateRef> must appear after syncrepl or updatedn"
by Windl, Ulrich 04 Jul '25

04 Jul '25

Hi! I tried to set up a sync provider to have a UpdateRef pointing to itself, while not pulling any changes from anywhere. The idea was that the sync consumers will copy that UpdateRef and direct updates to the provider that way. This is a MMR scenario during migration where config is synced, too. So the current scenario is like this: P1 (provider, OpenLDAP 2.4) | | V v C1 <--> C2 (consumer, OpenLDAP 2.5) I could ldapmodify the change, but when doing a" slapcat -n0" now, I get the error: 68679fc8 olcUpdateRef: value #0: <olcUpdateRef> must appear after syncrepl or updatedn 68679fc8 config error processing olcDatabase={0}config,cn=config: <olcUpdateRef> must appear after syncrepl or updatedn slapcat: bad configuration file! Adding up to three "-c" options did not help (in old OpenLDAP 2.4) Should there be an exception if UpdateRef is pointing to the local server? Kind regards, Ulrich Windl

1 0

Q: "monitor_back_register_entry("cn=Consumer 112,cn=Database 1,cn=Databases,cn=Monitor"): entry exists"
by Windl, Ulrich 04 Jul '25

04 Jul '25

Hi! For openldap-2.5 and an MMR configuration I see the message monitor_back_register_entry("cn=Consumer 112,cn=Database 1,cn=Databases,cn=Monitor"): entry exists during startup. I'm wondering what the messages actually says, and what causes it. Could it be some bug in OpenLDAP? The machine in question is real hardware (no VM) and it has a *lot* of RAM (500G) and CPUs (64). If I query the monitoring database, I see no such connection. Kind regards, Ulrich Windl

2 5

many connections in proxy setup
by Bergmann, Clemens 04 Jul '25

04 Jul '25

Hi, we have two openLDAP Servers configured with back_ldap. Each server has one non-OpenLDAP-Server as “target”. I passed a redacted copy of my configuration below. At any given time we have around 100 connections from clients to the openLDAP Server. I noticed that there are a lot more connections open from the ldap Server to the “target” Servers. Sometimes close to 1000. As this is a temporary setup I did not investigate any more. In the last days we sometimes see the following errors in log: “daemon: accept(10) failed errno=24 (Too many open files)” “connection_input: conn=1799 deferring operation: too many executing” “connection_read(446): no connection!” I suspect that this is because there are more than 1024 connections open and the OS is preventing opening more FDs. I am not sure why we have so many open connections to the “target” servers. Maybe someone can spot my config error. Thanks in advance. dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/lib/openldap/slapd.args olcIdleTimeout: 15 olcLocalSSF: 256 olcLogLevel: none olcPidFile: /var/lib/openldap/slapd.pid olcRootDSE: /etc/openldap/rootDSE.ldif olcSaslSecProps: noplain,noanonymous olcSecurity: simple_bind=256 ssf=256 tls=0 olcTLSCACertificateFile: /etc/ssl/certs/ca-bundle.crt olcTLSCertificateFile: /etc/openldap/certs/server.pem olcTLSCertificateKeyFile: /etc/openldap/certs/server.key olcTLSCipherSuite: DEFAULT:-SHA1:-CBC olcTLSDHParamFile: /etc/openldap/dhparam.pem olcTLSProtocolMin: 3.3 dn: olcDatabase={2}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {2}ldap olcAccess: redacted olcDbACLBind: bindmethod=simple binddn=cn=proxy,ou=admin,o=tu-darmstadt credentials=redacted tls_cacert=/etc/ssl/certs/ca-bundle.crt olcDbStartTLS: ldaps tls_cacert=/etc/ssl/certs/ca-bundle.crt olcDbURI: ldaps://backend-server01.example.com/ olcRootDN: cn=admin,ou=admin,o=tu-darmstadt olcSizeLimit: unlimited olcSuffix: o=tu-darmstadt olcTimeLimit: 90 Kind regards Clemens (Bergmann) -- Clemens Bergmann [er/ihm; he/him] Gruppe Nutzermanagement und Entwicklung Technische Universität Darmstadt Hochschulrechenzentrum, Alexanderstraße 2, 64283 Darmstadt Tel. +49 6151 16 71184 <http://www.hrz.tu-darmstadt.de/> http://www.hrz.tu-darmstadt.de/

3 4

Re: slapadd: could not add entry dn="cn=config" (line=1):
by Nick 03 Jul '25

03 Jul '25

I figured it out. I needed to only include the slapd.conf file in the directory, not slapd.ldif. Also generated rfc2307bis files and populated the database. Very cool! Thanks to the developers here! On Tue, Jul 1, 2025 at 7:10 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Sunday, June 29, 2025 2:49 AM -0400 Nick <atod101101(a)gmail.com> > wrote: > > > > Import the configuration database > > su root -c /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/slapd.d -l > > /usr/local/etc/openldap/slapd.ldif > > What is the contents of slapd.ldif? And I assume the > /usr/local/etc/slapd.d/ directory exists and has no contents. > > --Quanah > > > >

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical