openldap-technical

openldap-technical@openldap.org

16 participants
9682 discussions

ldclt ldap performance testing
by Marc 27 Apr '24

27 Apr '24

I am doing some basic testing with ldap with this command. ldclt \ -a 400 \ -H ldap://x.x.x.x:xxxx \ -e bindeach,bindonly,close \ -D "uid=test,dc=me,dc=local" \ -w yyyyyy \ -n 1 I was testing this on two container test environments. Both are running with ~500MB, 1 core. 1. alpine - slapd 2.6.3, mdb still with default slapd.conf ldclt[5594]: Average rate: 12627.00/thr (1262.70/sec), total: 12627 ldclt[5594]: Average rate: 0.00/thr ( 0.00/sec), total: 0 ldclt[5594]: All threads are dead - exit. 2. alpine - slapd 2.6.6, mdb configured with acl's, ssl, modules etc. ldclt[8900]: Average rate: 1495.00/thr ( 149.50/sec), total: 1495 ldclt[8900]: Average rate: 1498.00/thr ( 149.80/sec), total: 1498 ldclt[8900]: Average rate: 1490.00/thr ( 149.00/sec), total: 1490 What should I be expecting from this? It looks like maybe slapd of 1. is not 100% with this 'threads are dead' messages. While slapd of 2. with 150 req/sec is that to be expected normal?

3 5

cache userPassword with bind
by Marc 25 Apr '24

25 Apr '24

I am testing a bit with bind's. With consecutive binds with the same test account I always get 'result not in cache'. How can I get this in cache? access_allowed: result not in cache (userPassword) 6628dba5.0659c27a 0x7ff072843b38 conn=1023 op=0 BIND dn="uid=test,dc=me,dc=local" method=128 6628dba5.0660ea46 0x7ff072843b38 => access_allowed: result not in cache (userPassword) 6628dba5.066470b9 0x7ff072843b38 => access_allowed: auth access to "uid=test,dc=me,dc=local " "userPassword" requested 6628dba5.0667703c 0x7ff072843b38 => slap_access_allowed: backend default auth access granted to "(anonymous)" 6628dba5.0668099f 0x7ff072843b38 => access_allowed: auth access granted by read(=rscxd)

3 7

Replication Questions
by BECOT Jérôme 20 Apr '24

20 Apr '24

Hello ! I have few questions regarding replication. I'm doing partial replication on plain replication by limiting the syncrepl user permissions in the ACL. It works well. Is it supported ? Would it work with a delta-sync replication ? Another thing I've been told about is about memberOf overlay. My colleague told me that replication may fail when memberOf is enabled on consumers, mainly because sometimes the group is replicated before the user and memberOf would create an entry if a search is made on the user not yet replicated. Have you some insights about this behaviour that I have not met yet ? Regards

2 1

RE26 testing call (2.6.8) #1
by Quanah Gibson-Mount 19 Apr '24

19 Apr '24

This is the first testing call for OpenLDAP 2.6.8. Depending on the results, this may be the only testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.6.8 Engineering Fixed libldap exit handling with OpenSSL3 again (ITS#9952) Fixed slapd-meta with dynlist (ITS#10164) Fixed slapd-meta binds when proxying internal op (ITS#10165) Added slapo-nestgroup overlay (ITS#10161) Added slapo-memberof 'addcheck' option (ITS#10167) Fixed slapo-accesslog startup initialization (ITS#10170) Fixed slapo-dynlist with abandoned operations (ITS#10044) Build Fixed build with gcc14.x (ITS#10166) Fixed back-perl with clang15 (ITS#10177) Contrib Added slapo-alias contrib module (ITS#10104, ITS#10182) Fixed slapo-autogroup to work with slapo-dynlist (ITS#10185) Documentation Fixed slapo-memberof exattr requirements (ITS#7400) Fixed slapo-memberof is no longer deprecated (ITS#7400) Minor Cleanup ITS#10103 ITS#10171 ITS#10172 ITS#10173 ITS#10179 ITS#10186 ITS#10188 ITS#10193 Regards, Quanah

2 1

timeout and network-timeout values of zero for syncrepl in LAN replication
by Christopher Paul 17 Apr '24

17 Apr '24

Hello OpenLDAP-technical list, I'm curious about community perspectives on a specific LDAP replication timeout and network-timeout settings: Setting "timeout=0" or "network-timeout=0" within a syncrepl/olcSyncrepl definition for replication settings is not the best practice for LAN environments. These parameters, when set to zero, instruct syncrepl to wait indefinitely for connections and replication operations to conclude. Within a LAN context, establishing new connections should ideally occur in less than a second. Delays beyond a couple of seconds should kick in the retry logic. This suggests that a more fitting network-timeout range is between 1 to 5 seconds. Concerning the "timeout" parameter, the ideal range might be between 60 to 120 seconds, to handle operations exceeding a minute, but again, kicking in retry logic if they exceed two minutes. I admit that my stance on the "timeout" setting is tentative, given that search operation duration hinges more on the provider's responsiveness rather than network speed alone. This approach ensures that LDAP replication remains both responsive and resilient, without compromising on efficiency or performance. Thoughts? -- Chris Paul | Rex Consulting |https://www.rexconsulting.net

3 5

TLS init: ca md too weak
by Uwe Sauter 17 Apr '24

17 Apr '24

Hi all, one of my Rocky Linux 8 servers was updated automatically to 2.6.7 this night from the Symas repo. The install script seems to include an automated restart of the service but that failed with: main: TLS init def ctx failed: -1 error:0A00018E:SSL routines::ca md too weak As this is an internal network with a private CA the strength of the CA is of minor relevance. I think the change comes with symas-openssl-libs-3.0.8-1.el8.x86_64… Can anyone suggest a workaround (other than exchanging the CA and its issued certificates)? Thanks, Uwe

3 3

RE25 testing call (2.5.18) #1
by Quanah Gibson-Mount 16 Apr '24

16 Apr '24

his is the first testing call for OpenLDAP 2.5.18. Depending on the results, this may be the only testing call. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.5.18 Engineering Fixed libldap exit handling with OpenSSL3 again (ITS#9952) Fixed slapd-meta with dynlist (ITS#10164) Fixed slapd-meta binds when proxying internal op (ITS#10165) Fixed slapo-accesslog startup initialization (ITS#10170) Fixed slapo-dynlist with abandoned operations (ITS#10044) Build Fixed build with gcc14.x (ITS#10166) Fixed back-perl with clang15 (ITS#10177) Minor Cleanup ITS#10171 ITS#10173 ITS#10179 ITS#10186 Regards, Quanah

1 0

Used rewriteMap with different uri
by lsoulas 11 Apr '24

11 Apr '24

Hi, I want used slapo-rwm to redirect a rule in a different URI. Here my configuration : /database meta suffix "dc=lan" uri "ldaps://server1/dc=lan" / /rewriteEngine on rewriteContext default rewriteRule ".*" ".*" ":" rewriteMap ldap attr2dn "ldap://server2/dc=lan?dn?sub" rewriteContext bindDN rewriteRule ".*" "${attr2dn($0)}" ":@I"/ I d'ont really understand rewrite map. Can you explain me. According to the documentation, it seems to be feasible. Thanks -- *Loïc Soulas* *ILIWI* /(https://www.iliwi.fr)/ lsoulas(a)iliwi.fr +33(0)662 249 445 ILIWI - Audit et solutions réseau informatique

1 0

Help debugging slave slapd issues
by BECOT Jérôme 04 Apr '24

04 Apr '24

Hello, On all different OpenLDAP 2.4 and 2.5 slaves of 2.4 servers, we see a lot of deferring errors: slapd[37277]: connection_input: conn=32974 deferring operation: too many executing or slapd[37277]: connection_input: conn=32974 deferring operation: pending operations Can you give any hints about way to debug what causes these messages ? (which log level should I aim for and witch system settings should I check) I can provide more details then. Regards Jerome

6 9

Permissive Modify and mdb
by lesignor＠cirad.fr 02 Apr '24

02 Apr '24

Hi, I try to modify an entry with permissive modify control. The response is protocole error : permissiveModify control value not absent. I check with wireshark the request, and there was no value with the control, but the control was marked as critical. The problem appears with openldap 2.5.x and 2.6.x with mdb database. It is ok with openldap 2.4.x with bdb database. So is the permissive modify control supported with mdb database in openldap >= 2.5.x ? Thank for your help

2 2

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical