openldap-technical

openldap-technical@openldap.org

7 participants
9965 discussions

Re: ldap bind response message
by Gustavo Rios 15 Apr '26

15 Apr '26

Thank you for your answer. Em qua., 15 de abr. de 2026 às 11:42, Emmanuel Lecharny <elecharny(a)gmail.com> escreveu: > Hi, > > the first response is a LDAP Message (0x30) of length 12 (0x0C) > [ > https://directory.apache.org/api/internal-design-guide/4.2-asn1-ldap-messag…], > > replying to message #1 (0x02 0x01 0x01), and it's a BindResponse LDAP > Message (0x61) of length 7 (0x07) > [ > https://directory.apache.org/api/internal-design-guide/4.2-asn1-ldap-messag…], > > which LDAPResult result code is 49, ie invalid credentials > [ > https://directory.apache.org/api/internal-design-guide/4.2-asn1-ldap-messag…], > > with no additional matched DN (0x04 0x00) nor diagnostic message (0x04 > 0x00) > > > On 4/14/26 13:52, Gustavo Rios wrote: > > Hi folks! > > > > i am trying to connect to my ldap server and i am having as a response of > > the bind request the following messages: > > > > /* Password: *p = "ypldapA4esupohopdV", > > * result message : 30 c 2 1 1 61 7 a 1 31 4 0 4 0 > > * > > * password : *p = "123456" > > * return : 30 c 2 1 1 61 7 a 1 0 4 0 4 0 > > */ > > > > The first attempt is when the wrong password is given, the second message > > is returned when the correct password is given. > > > > I would like to understand the bytes returned in the bind response; what > > are the last 7 bytes of message response ? > > > > May someone here help me ? > > > > Thanks alot. > > > -- In software systems the price of reliability is the pursuit of the utmost simplicity. It is a price which the very rich find most hard to pay.

1 0

ldap bind response message
by Gustavo Rios 15 Apr '26

15 Apr '26

Hi folks! i am trying to connect to my ldap server and i am having as a response of the bind request the following messages: /* Password: *p = "ypldapA4esupohopdV", * result message : 30 c 2 1 1 61 7 a 1 31 4 0 4 0 * * password : *p = "123456" * return : 30 c 2 1 1 61 7 a 1 0 4 0 4 0 */ The first attempt is when the wrong password is given, the second message is returned when the correct password is given. I would like to understand the bytes returned in the bind response; what are the last 7 bytes of message response ? May someone here help me ? Thanks alot. -- In software systems the price of reliability is the pursuit of the utmost simplicity. It is a price which the very rich find most hard to pay.

3 2

N-Way Multi-Provider with delta-syncrepl: consumer out of sync
by Hawes, David 09 Apr '26

09 Apr '26

While testing n-way multi-provider with delta-syncrepl, I stumbled upon a sequence of events that leaves a consumer out of sync. Assume two providers, provider-1, and provider-2, and a single consumer, consumer-1. They all initially have an attribute with the value 'A'. The following events cause the consumer to be out of sync: 1. Shut down provider-2, and immediately start it again. 2. Within the syncrepl retry window, modify the attribute to value 'B' on provider-2. 3. Within the syncrepl retry window, modify the attribute to value 'B' on provider-1, and then to value 'A' on provider-1. 4. Wait for provider-1 and consumer-1 to retry syncrepl against provider-2. At this point provider-1 and provider-2 will be in sync, but consumer-2 will have the value 'B'. On retry, the modify from provider-2 is written to consumer-1, even though it is older than the modifications it received from provider-1. Before I go too far down the rabbit hole (I've stopped at syncrepl.c:3271 in 2.6.13), I want to ask if n-way multi-provider with delta-syncrepl and a consumer that the providers are unaware of (no syncrepl directives to the consumer) is a valid config. Ideally I'd like to have a consumer with multimaster off to prevent writes completely, and I'd note that config has the same result. Normal syncrepl does not result in an out of sync consumer. So, is this an invalid config, or should I submit an ITS?

3 2

SSL3 alert write:fatal:unknown CA
by Emmanuel Seyman 08 Apr '26

08 Apr '26

Hello, all. I'm using the LTB packages for OpenLDAP 2.5.20 and trying to configure ldaps access. To that end, I have obtained a certificate signed by Allianz Infrastructure CA V, a sub-CA of Allianz Root CA III. https://rootca.allianz.com/en/rootca3.htm I have put: * the certificates of the two CA in /etc/openldap/certs/ldap-ca.crt * the server certificate in /etc/openldap/certs/ldap.crt * the private key in /etc/openldap/certs/ldap.key All files are owned by the 'ldap' user and are readable. Over in slapd.conf, I have configured TLSCACertificateFile, TLSCertificateFile and TLSCertificateKeyFile with the correct filenames and have restarted slapd. An "openssl s_client -connect ..." gives a verify return code of 0 (ok) but an "ldapsearch -x ... -d 1" gives me the following error: TLS trace: SSL_connect:SSLv3/TLS read server hello TLS trace: SSL_connect:TLSv1.3 read encrypted extensions TLS certificate verification: depth: 2, err: 19, subject: /C=DE/O=Allianz/CN=Allianz Root CA III, issuer: /C=DE/O=Allianz/CN=Allianz Root CA III TLS certificate verification: Error, self signed certificate in certificate chain tls_write: want=7, written=7 0000: 15 03 03 00 02 02 30 ...0 TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in error TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain). ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Now, it's true that Root CA III is self-signed but that's true of any root CA. Both Infra V and Root III are trusted by the system and show up when I run "trust list --filter=ca-anchors". Am I doing something wrong? Regards, Emmanuel

2 3

Ldapsearch : double on certain extended attributes
by Sebastian Perkins 07 Apr '26

07 Apr '26

Hello All We are running into a very bizarre situation using opendap 2.4.57 on Debian 11 and Debian 13 openldap 2.6.10 When running ldapsearch -LLL -x -H ldap://localhost login=x.y + We get the 2 below extended attributes (and only those) in double entryDN: cn=x.y,ou=Sales,ou=IT,o=Swisscom-Eurospot entryDN: cn=x.y,ou=Sales,ou=IT,o=Swisscom-Eurospot subschemaSubentry: cn=Subschema subschemaSubentry: cn=Subschema Standard attributes are fine A slapcat of the DB is perfect, no double up on the above on any user. phpmyadmin is also OK showing the extended attributes If I slapadd the DB (into the Debian 13 stance) … it works, but I also get the above again This is how we discovered the issue as the dump script used ldapsearch, and we were getting tons of « duplicates » (hence ignored) due to the above. Thanks for any help to resolve this mystery ! Best Sebastian Sebastian Perkins Senior Systems Development Engineer weareplanet.com

2 5

Problem in adding ppolicy.la after syncprov.la
by suman＠tifrh.res.in 29 Mar '26

29 Mar '26

I have added syncprov.la and files looks like ###/etc/openldap/slapd.d/cn\=config/cn\=module\{0\}.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 8d6079cc dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib64/openldap olcModuleLoad: {0}syncprov.la structuralObjectClass: olcModuleList entryUUID: 81683024-bae4-1040-8c13-b9420abdf920 creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20260323091457Z entryCSN: 20260323091457.088057Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20260323091457Z Now trying to add ppolicy.la dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: ppolicy.la ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ppolicy.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=module{0},cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcModuleLoad> handler exited with 1 Please let me know what is wrong and if someone guide me to overcome this issue. My ultimate goal to reach master-master + ppolicy,

2 1

Transform glue object to organizationalUnit
by cyril＠stoll.info 23 Mar '26

23 Mar '26

Hi For some reason (probably after update to openldap-ltb 2.6.10, or after reload due to renewed certificate) we lost one organizationalUnit object on one of our two provider servers. However there are still two user objects that belong to this lost organzationalUnit. Therefore openldap created a glue object for the lost organizationalUnit. On the second provider server (setup as multiprovider with the first one) the organzationalUnit object is still present and all looks like it should. I have no idea why one of the providers is still ok and the other is not since they are otherwise in sync as far as I can tell. Unfortunately I did not find clear instructions on how to handle this situation. The best instructions I found are 15 years old: http://blog.mycroes.nl/2010/06/recovering-from-glue-objects-in.html I have no experience with dumping everything with slapcat, deleting the whole database directory (scary) and importing everything again and it does sound a bit brutish. So I asked some AI and it suggested to use ldapmodify to replace the glue object with an ldif like this: dn: ou=serviceusers,dc=example,dc=com changetype: modify add: objectClass objectClass: organizationalUnit - add: ou ou: serviceusers However that did not work as I got the following error message: modifying entry "ou=serviceusers,dc=example,dc=com" ldap_modify: No such object (32) matched DN: ou=serviceusers,dc=example,dc=com So my question is do I have to use the method of dumping everything with slapcat and then changeing the ldif (rewrite glue to organziationalUnit, etc.) and importing it all again? Or is there a more elegant solution to get the organizationalUnit back? Thanks already in advance for every helping suggestion/link/explanation! Best regards, Cyril

6 12

Performance degrade observed with OpenLDAP 2.6.7 library
by venugopal chinnakotla 23 Mar '26

23 Mar '26

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration, we are facing one issue related to performance degradation under load on Windows platform. In our application, we are using a single/shared connection handle to perform LDAP operation on LDAP user store servers. As part of Authentication, we are using ldap_search_ext_s call to get users and to get any user attributes from LDAP servers. We are using synchronous calls. With Mozilla NSLDAP, the same application is working well without any issues. As we are migrating to OpenLDAP, we did required changes and also we used ldap_dup() API to avoid "-4:Decoding error" issues under the load. Now, we are facing performance degradation issues under the load with OpenLDAP library Whenever we are trying to get a user attribute from the LDAP user store server where that user attribute is not available or value for user attribute is empty, we observed performance degradation with OpenLDAP library clearly around 25-30%. In case, search for user attributes with value, no degradation observed. This degradation is happening only when the user attribute is not available or the value is empty. Here are the snippet of runs output where performance degrade is showing: *With search of user attribute having value at LDAP server side:* Total Elapsed: 0:10:01 Minimum Response Time: 0:00:00.000.056 Maximum Response Time: 0:00:00.783.140 Average Response Time: 0:00:00.016.124 Total Requests: 659316 Throughput (Req/Sec): 1094.447 *With search of user attribute, not having value/does not exist at LDAP server side:* Total Elapsed: 0:10:01 Minimum Response Time: 0:00:00.000.059 Maximum Response Time: 0:00:00.218.502 Average Response Time: 0:00:00.032.788 Total Requests: 355065 Throughput (Req/Sec): 590.258 Example search calls we are using: 1. ldap_search_ext_x() for user lookup 2. ldap_search_ext_s() for user attributes for that specific user. (filter: uid=* and base: "cn=user,dc=comain,dc=com) - Where uid attribute has some value for this user at LDAP server side 3. ldap_search_ext_s() for user attributes for that specific user. (filter: Name=* and base: "cn=user,dc=comain,dc=com) - Where Name attribute is not present for that user at LDAP server side (This is causing performance degrade) With the same above steps, we did not see any performance issues with NSLDAP. If we remove step 3 from the above, no degradation is observed with the OpenLDAP library. Could you please look into this issue and provide a solution to overcome this performance degradation issue? We are completely blocked here as part of OpenLDAP migration. Note: To investigate this performance degradation with OpenLDAP, I wrote one LDAP sample code with the above 3 operations with multiple threads. I executed the sample with NSLDAP and OpenLDAP using multiple threads. In the sample runs, OpenLDAP is giving very poor performance when compared with NSLDAP. Please have a look at the sample also and provide your thoughts. Thank you in advance for your time and help

4 4

[LMDB] mdb_open throws ENOSYS in Linux container on OS X host
by stefano＠cossu.cc 20 Mar '26

20 Mar '26

Hello, I am running Docker on OS X Monterey, and starting up a vanilla alpine:latest Linux image. I only installed build-base and lmdb-dev and ran /bin/sh as root. LMDB version (Alpine): lmdb-dev-0.9.33-r0 Inside the container, I wrote this test code: /* test_open.c */ #include <stdio.h> #include "lmdb.h" #define DEFAULT_MAPSIZE 1UL<<40 int main() { int rc; MDB_env *env; rc = mdb_env_create(&env); printf ("env create: %d\n", rc); rc = mdb_env_set_maxdbs (env, 10); printf ("env set maxdbs: %d\n", rc); rc = mdb_env_set_mapsize (env, DEFAULT_MAPSIZE); printf ("env set mapsize: %d\n", rc); rc = mdb_env_open (env, "/tmp", 0, 0640); printf ("env open: %d\n", rc); mdb_env_close (env); return rc; } I compiled with `gcc test_open.c -llmdb -o test_open` and ran as root, and got this output: env create: 0 env set maxdbs: 0 env set mapsize: 0 env open: 38 The lock file was created, not the data file. This only occurs in the guest setup. On the OS X host and on a native Linux host it exits with 0. Any hints?

2 2

Does [openldap](https://openldap.org/) solve Identity or Access or the both now?
by anlex N 12 Mar '26

12 Mar '26

1. For [Identity and Access Management (IAM)](https://docs.cloud.google.com/iam/docs/overview), Does [openldap](https://openldap.org/) solve Identity or Access or the both? 2. How do you implement Identity and Access Management (IAM)? 3. Have you tried to implement [Google Cloud's Identity and Access Management (IAM)](https://docs.cloud.google.com/iam/docs/overview)? 4. Where is [Google Cloud's Identity and Access Management (IAM)](https://docs.cloud.google.com/iam/docs/overview) source code? I can not find it on `github.com`. 5. Do you use [openldap](https://openldap.org/) to implement Identity and Access Management (IAM)?

4 5

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical