openldap-technical

openldap-technical@openldap.org

14 participants
9796 discussions

Re: With MDB Openldap seems to be pretty slower in Windows
by Vijay Kumar 01 Mar '20

01 Mar '20

Thank Quanah, for the response. Can i request to let me know what is WSLv2 you meant for? -Vijay Kumar On Fri, Feb 28, 2020 at 10:52 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Friday, February 28, 2020 8:58 AM -0800 Quanah Gibson-Mount > <quanah(a)symas.com> wrote: > > >> We have a 110 users data by performance testing, where we observed > >> slowness for windows 10 OS. > > > > This is not a topic for -devel, please post to -technical instead. > > Ugh, even worse, you double posted. DO NOT DOUBLE POST. > > I would suggest testing WSLv2. ;) > > --Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

2 1

SASL domain no longer recognised
by Rick van Rein 01 Mar '20

01 Mar '20

Hello, I have a demo setup with slapd on Debian Stable, and a while back followed Debian's Switch to Buster, with slapd 2.4.47. Since about that time, slapd stopped recognising its SASL realm. This is in a dev/demo/test environment in Docker, so naming is a bit silly, but that always worked. Config and such are shown at https://github.com/arpa2/docker-demo/tree/master/demo-reservoir Using "ldapsearch -Y GSSAPI -H ldap://reservoir.arpa2:1388 -b ou=Reservoir,o=arpa2.net,ou=InternetWide" gives the message SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No key table entry found matching ldap/reservoir.arpa2@) **In this output, note the lacking realm after the @.** This appears to be a server-side issue, because the client had the realm in the klist output and that name is present in the keytab: 02/29/20 11:54:53 02/29/20 21:47:26 ldap/reservoir.arpa2(a)ARPA2.NET renew until 03/01/20 11:47:22 The configuration of the server in /etc/ldap/slapd.conf still says: sasl-host reservoir.arpa2 sasl-realm ARPA2.NET FWIW, slapd runs as /usr/sbin/slapd -d any -h "ldapi://%2ftmp%2fldap-socket ldap://:1388/" Have I missed changes to slapd? Are there log messages that I overlooked (or should selected for)? Thanks! -Rick

1 0

commit vs abort
by Sam Dave 29 Feb '20

29 Feb '20

Hi,What is the difference between mdb_txn_commit() and mdb_txn_abort() for read-only transactions? Thank you, Samuel

2 1

With MDB Openldap seems to be pretty slower in Windows
by Vijay Kumar 28 Feb '20

28 Feb '20

Hi Team, Can you please share your inputs / suggestions on performance to increase the openldap with MDB in windows slowness.? We have a 110 users data by performance testing, where we observed slowness for windows 10 OS. If there any suggestions on tuning side, please let me know. Thank you. -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

2 2

Antw: [EXT] With MDB Openldap seems to be pretty slower in Windows
by Ulrich Windl 28 Feb '20

28 Feb '20

>>> Vijay Kumar <pasumarthivijaykumar(a)gmail.com> schrieb am 28.02.2020 um 07:45 in Nachricht <15622_1582872629_5E58B835_15622_1813_1_CAKgG+3fagqROY8n5q_gpUZtzK1R10PJ+N1H=Zhx Sx0-RzgrHg(a)mail.gmail.com>: > Hi Team, > > Can you please share your inputs / suggestions on performance to increase > the openldap with MDB in windows slowness.? > > We have a 110 users data by performance testing, where we observed slowness > for windows 10 OS. Actually I'm observing Windows 10 slowness all the time even without running OpenLDAP ;-) Booting alone is about five times as long as for Windows 7 and with classical hard disks it's effectively unusable. Regards, Ulrich

1 0

Re: Cannot configure TLS
by jean-christophe manciot 27 Feb '20

27 Feb '20

I have not mentioned that my let's encrypt certificate is not SAN but wildcard. On Thu, Feb 27, 2020 at 1:10 PM jean-christophe manciot <actionmystique(a)gmail.com> wrote: > > Hi everyone, > > On Ubuntu 20.04 > slapd 2.4.49+dfsg-1ubuntu1 > with /etc/ldap/tls.ldif: > -------------------------- > dn: cn=config > changetype: modify > add: olcTLSCertificateFile > olcTLSCertificateFile: /etc/ssl/domain.crt > - > add: olcTLSCertificateKeyFile > olcTLSCertificateKeyFile: /etc/ssl/domain_priv_key.pem.decrypted > - > add: olcTLSCACertificateFile > olcTLSCACertificateFile: /etc/ssl/letsencrypt_root_intermediate_bundle.pem > > - All files are readable by openldap user. > - domain.crt is in pem format > - letsencrypt_root_intermediate_bundle.pem contains isrgrootx1.pem + > letsencryptauthorityx3.pem > -------------------------- > Yet, if I run: > ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif > > I get in the logs: > -------------------------- > daemon: read active on 12 > daemon: epoll: listen=8 active_threads=0 tvp=zero > daemon: epoll: listen=9 active_threads=0 tvp=zero > daemon: epoll: listen=10 active_threads=0 tvp=zero > daemon: activity on 1 descriptor > conn=1001 op=1 MOD dn="cn=config" > daemon: activity on: > conn=1001 op=1 MOD attr=olcTLSCertificateFile olcTLSCertificateKeyFile > olcTLSCACertificateFile > > => access_allowed: result not in cache (olcTLSCertificateFile) > => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested > daemon: epoll: listen=8 active_threads=0 tvp=zero > => acl_get: [1] attr olcTLSCertificateFile > daemon: epoll: listen=9 active_threads=0 tvp=zero > => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested > daemon: epoll: listen=10 active_threads=0 tvp=zero > => acl_mask: to value by > "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) > <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > <= acl_mask: [1] applying manage(=mwrscxd) (stop) > <= acl_mask: [1] mask: manage(=mwrscxd) > => slap_access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: result not in cache (olcTLSCertificateKeyFile) > => access_allowed: add access to "cn=config" > "olcTLSCertificateKeyFile" requested > => acl_get: [1] attr olcTLSCertificateKeyFile > => acl_mask: access to entry "cn=config", attr > "olcTLSCertificateKeyFile" requested > => acl_mask: to value by > "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) > <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > <= acl_mask: [1] applying manage(=mwrscxd) (stop) > <= acl_mask: [1] mask: manage(=mwrscxd) > => slap_access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: result not in cache (olcTLSCACertificateFile) > => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested > => acl_get: [1] attr olcTLSCACertificateFile > => acl_mask: access to entry "cn=config", attr > "olcTLSCACertificateFile" requested > => acl_mask: to value by > "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) > <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > <= acl_mask: [1] applying manage(=mwrscxd) (stop) > <= acl_mask: [1] mask: manage(=mwrscxd) > => slap_access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: add access granted by manage(=mwrscxd) > conn=1001 op=1 RESULT tag=103 err=80 text= > daemon: activity on 1 descriptor > daemon: activity on: > 12r > -------------------------- > > What is going on? > My logging attributes are: conns filter config acl stats stats2 shell parse > Is there a way to get more explicit logging? > - > Jean-Christophe -- Jean-Christophe

1 0

ldapsearch with DN in CN
by Möller Lioh 27 Feb '20

27 Feb '20

Hi all, I am trying to do a ldapsearch against our Active Directory LDAPS like: ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)' The domain controllers have certificates generated with CNs like this: subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01, and a SAN defined as ldap.mydomain.ch. Yet, I got an error like: TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01). An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN). Isn't ldapsearch 2.4.44 capable of working with DN in subject (CN) or does it fail to lookup the SAN in such case? Greetings Lioh

4 4

Warnings in mdb.c generated by CodeSonar
by Christian Wendt 26 Feb '20

26 Feb '20

Dear List, I have run CodeSonar on a project using lmdb. I have downloaded lmdb-0.9.70.tar.gz. These warnings are a "Copy-Paste" error and "Use of memory after free". I would like to share the details to help find out whether these are real or false positives. The copy-paste warning is generated by code around lines 8870f in mdb.c. In the first block, csrc-> is used throughout, in the second block cdst-> is used, except in one line: /* Update the parent separators. */ if (csrc->mc_ki[csrc->mc_top] == 0) { if (csrc->mc_ki[csrc->mc_top-1] != 0) { if (IS_LEAF2(csrc->mc_pg[csrc->mc_top])) { key.mv_data = LEAF2KEY(csrc->mc_pg[csrc->mc_top], 0, key.mv_size); } else { srcnode = NODEPTR(csrc->mc_pg[csrc->mc_top], 0); key.mv_size = NODEKSZ(srcnode); key.mv_data = NODEKEY(srcnode); } DPRINTF(("update separator for source page %"Yu" to [%s]", csrc->mc_pg[csrc->mc_top]->mp_pgno, DKEY(&key))); mdb_cursor_copy(csrc, &mn); mn.mc_snum--; mn.mc_top--; /* We want mdb_rebalance to find mn when doing fixups */ WITH_CURSOR_TRACKING(mn, rc = mdb_update_key(&mn, &key)); if (rc) return rc; } if (IS_BRANCH(csrc->mc_pg[csrc->mc_top])) { MDB_val nullkey; indx_t ix = csrc->mc_ki[csrc->mc_top]; nullkey.mv_size = 0; csrc->mc_ki[csrc->mc_top] = 0; rc = mdb_update_key(csrc, &nullkey); csrc->mc_ki[csrc->mc_top] = ix; mdb_cassert(csrc, rc == MDB_SUCCESS); } } if (cdst->mc_ki[cdst->mc_top] == 0) { if (cdst->mc_ki[cdst->mc_top-1] != 0) { if (IS_LEAF2(csrc->mc_pg[csrc->mc_top])) { /* Copy-Paste Error [help] <http://codesonar.rd.skov.com:7340/install/codesonar/doc/html/CodeSonar.html…> This block of text appears to be a modified copy of the highlighted text. Did you intend to consistently change csrc to cdst, including here? */ key.mv_data = LEAF2KEY(cdst->mc_pg[cdst->mc_top], 0, key.mv_size); } else { srcnode = NODEPTR(cdst->mc_pg[cdst->mc_top], 0); key.mv_size = NODEKSZ(srcnode); key.mv_data = NODEKEY(srcnode); } DPRINTF(("update separator for destination page %"Yu" to [%s]", cdst->mc_pg[cdst->mc_top]->mp_pgno, DKEY(&key))); mdb_cursor_copy(cdst, &mn); mn.mc_snum--; mn.mc_top--; /* We want mdb_rebalance to find mn when doing fixups */ WITH_CURSOR_TRACKING(mn, rc = mdb_update_key(&mn, &key)); if (rc) return rc; } if (IS_BRANCH(cdst->mc_pg[cdst->mc_top])) { MDB_val nullkey; indx_t ix = cdst->mc_ki[cdst->mc_top]; nullkey.mv_size = 0; cdst->mc_ki[cdst->mc_top] = 0; rc = mdb_update_key(cdst, &nullkey); cdst->mc_ki[cdst->mc_top] = ix; mdb_cassert(cdst, rc == MDB_SUCCESS); } } The second error is triggered by the loop freeing loose pages at line 3451 in mdb.c: NEXT_LOOSE_PAGE(mp) would access memory that is freed before, if mp points to an overflow page with more than one page allocated. If this is never the case, then maybe mdb_page_free() should be called on mp directly? for (; mp; mp = NEXT_LOOSE_PAGE(mp)) { /* Use After Free [help] <http://codesonar.rd.skov.com:7340/install/codesonar/doc/html/CodeSonar.html…> The memory pointed to by mp was freed at mdb.c:2047 and is read from here. */ mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno); /* must also remove from dirty list */ if (txn->mt_flags & MDB_TXN_WRITEMAP) { for (x=1; x<=dl[0].mid; x++) if (dl[x].mid == mp->mp_pgno) break; mdb_tassert(txn, x <= dl[0].mid); } else { x = mdb_mid2l_search(dl, mp->mp_pgno); mdb_tassert(txn, dl[x].mid == mp->mp_pgno); } dl[x].mptr = NULL; mdb_dpage_free(env, mp); mdb_dpage_free(MDB_env *env, MDB_page *dp) { if (!IS_OVERFLOW(dp) || dp->mp_pages == 1) { mdb_page_free(env, dp); } else { /* large pages just get freed directly */ VGMEMP_FREE(env, dp); free(dp); } } I hope you can follow these descriptions, I can provide more detail if needed. I would like to get some help figuring out how to resolve these warnings. Best regards, Christian Wendt Software developer Ext: +45 7217 5943 ______________________________________ SKOV A/S Hedelund 4, Glyngoere, 7870 Roslev, Denmark Tel.: +45 7217 5555 - Fax: +45 7217 5959 www.skov.com<http://www.skov.com/>

2 3

How to simulate slow queries?
by Andrey Brindeyev 24 Feb '20

24 Feb '20

Hello! I'm trying to debug a specific issue that is related to slow queries, so I need a way how to simulate slow LDAP server responses. It will be optimal if I can set a specific number of seconds per query shape, but a general (configured) delay is fine too. I've already tried the retcode overlay, and I think it only simulates the slow bind scenarios and not the slow query responses. Here's an excerpt from my slapd.conf: overlay retcode retcode-parent "ou=Users,dc=acme,dc=qa" #retcode-item "uid=mdb" 0x00 retcode-item "uid=mdb" 0x00 sleeptime=4 retcode-item "cn=user1" 0x00 retcode-item "cn=user2" 0x00 retcode-item "cn=user3" 0x00 retcode-item "cn=user4" 0x00 retcode-item "cn=user5" 0x00 If there's no way this can be configured using existing options in OpenLDAP, I appreciate advice wherein the source code I need to insert the sleep construct. Ideally, it should work with the retcode overlay, so that I can test the slow bind scenarios and slow query responses at the same time. Thanks, Andrey.

1 0

SSH groups
by Клеусов Владимир Сергеевич 19 Feb '20

19 Feb '20

Hi, I connected ldap linux clients to the OpenLDAP server. I need to make a certain group of users able to connect to certain computers. How do I do this ?

5 5

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical