openldap-technical

openldap-technical@openldap.org

13 participants
9794 discussions

slapd-crash in web directory?
by Dave Horsfall 03 Dec '17

03 Dec '17

Not a problem as such, but I happened to notice this in my Apache log: 164.132.162.164 - - [03/Dec/2017:11:57:00 +1100] "GET /slapd-crash/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)" AhrefsBot, for the uninitiated, is a web spider that tends to ignore such bothersome conventions as "content=noindex" and "robots.txt" etc, but anyway... Is it common practice to store SLAPD coredumps where every man and his dog can retrieve them? Note that I am not suggesting that OpenLDAP does this (but somebody obviously is), but I'm curious to know how widespread this silly practice is. -- Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."

1 0

Re: [LMDB] Large transactions
by Howard Chu 02 Dec '17

02 Dec '17

Jürgen Baier wrote: > Hi, > > thanks for the answer. However, I still have a follow-up question on this > benchmark. > > When I add 1 billion key/value pairs (16 byte MD5) to the LMDB database (in a > single transaction (but I also get similar results when I add the same data in > multiple transactions)) I get the following results: > > Windows, without MDB_WRITEMAP: 46h > Windows, with MDB_WRITEMAP: 6h (!) > Linux (ext4), without MDB_WRITEMAP: 75h > Linux (ext4), with MDB_WRITEMAP: 73h > > MDB_WRITEMAP seems to have a huge impact on write performance on Windows, but > on Linux I do not see similar improvements. > > So I have two questions: > > 1) Could the the difference between Linux and Windows performance regarding > the MDB_WRITEMAP option be related to the fact that LMDB currently uses sparse > files on Linux, but not on Windows? Unlikely. > 2) Is there a way to speed up Linux? Is there a way to pre-allocate the > data.mdb on startup? Try it and see. Use the env fd with fallocate(2). > Thanks, > > Jürgen > > > On 21.11.17 21:17, Howard Chu wrote: >> Jürgen Baier wrote: >>> Hi, >>> >>> I have a question about LMDB (I hope this is the right mailing list for >>> such a question). >>> >>> I'm running a benchmark (which is similar to my intended use case) which >>> does not behave as I hoped. I store 1 billion key/value pairs in a single >>> LMDB database. _In a single transaction._ The keys are MD5 hash codes from >>> random data (16 bytes) and the value is the string "test". >> >>> The documentation about mdb_page_spill says (as far as I understand) that >>> this function is called to prevent MDB_TXN_FULL situations. Does this mean >>> that my transaction is simply too large to be handled efficiently by LMDB? >> >> Yes. >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Monitoring Queries
by Tim Gustafson 01 Dec '17

01 Dec '17

Hi, I was wondering if there's anything like "iftop" for OpenLDAP. I'd like to monitor all queries to given base DN, but I don't need that information written to disk anywhere. I could use the accesslog overlay, but it seems like that might generate a huge amount of log data and likely tank performance. Is there any other way? -- Tim Gustafson BSOE Computing Director tjg(a)ucsc.edu 831-459-5354 Baskin Engineering, Room 313A To request BSOE IT support, please visit https://support.soe.ucsc.edu/ or send e-mail to help(a)soe.ucsc.edu or call 831-502-7536.

1 0

Re: Openldap-ldb-2.4.44-2 - Issu with Password Management
by Raja T Nair 29 Nov '17

29 Nov '17

Thanks for the timely response, Mike/Ulrich. It was a missing configuration. I missed this line in slapd.conf: ppolicy_hash_cleartext Once that got added, things started working fine. It was a server rebuild as the old one crashed, and I used conf file from a wrong backup :( Mike: Thanks for the explanation. It helped. Btw I was just explaining my observation. Never expected slapd to do that magic :) Best Regards, Raja. On 29 November 2017 at 14:09, Ulrich Windl < Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > You should at least show us the whole $entry. > > > > > Hello All, > > > > I'm using openldap-ltb-2.4.44-2 > > Using password-hash {SSHA512} > > > > We have an in-house portal which allows people to change their passwords. > > It is written in PHP. > > > > version = php 5.6 > > lib = php-ldap > > $entry['userpassword'] = $newpasswd; > > ldap_modify($conn, $userdn, $entry); > > > > $newpasswd contains new password in plain text. > > > > It seems that the server does not encrypt the plain text string sent to > it > > from the portal, it only encodes it in base64. > > > > When an encrypted string is sent (SSHA512), the server rejects based on > > password policy since no special character is present. > > > > We would want to make the first method to work. Can somebody help me with > > this? > > > > ps: ldappasswd command works perfectly and the password gets encrypted in > > SSHA512 and encoded in base64. > > > > Best Regards, > > Raja. > > > > -- > > :^) > > -- :^)

1 0

Openldap-ldb-2.4.44-2 - Issu with Password Management
by Raja T Nair 29 Nov '17

29 Nov '17

Hello All, I'm using openldap-ltb-2.4.44-2 Using password-hash {SSHA512} We have an in-house portal which allows people to change their passwords. It is written in PHP. version = php 5.6 lib = php-ldap $entry['userpassword'] = $newpasswd; ldap_modify($conn, $userdn, $entry); $newpasswd contains new password in plain text. It seems that the server does not encrypt the plain text string sent to it from the portal, it only encodes it in base64. When an encrypted string is sent (SSHA512), the server rejects based on password policy since no special character is present. We would want to make the first method to work. Can somebody help me with this? ps: ldappasswd command works perfectly and the password gets encrypted in SSHA512 and encoded in base64. Best Regards, Raja. -- :^)

4 3

Convert SSHA userPassowrd attribute to use in /etc/shadow
by tran dung 28 Nov '17

28 Nov '17

Hi I have some servers that cannot connect to LDAP server so I have to create accounts on the servers which hash password from LDAP. Is it possible? >From userPassword attribute in LDAP, I can get hashed password and salt value in hex format. How can I convert these hex format values to use in /etc/shadow? Best Regards ----------------------- Tran Dung

1 0

Too Much LDAP Log Activity?
by Douglas Duckworth 23 Nov '17

23 Nov '17

Hi Thanks to several users on this list I have our cluster up and running. The databases look good as does performance. However, logs are increasing about 1MB every few minutes. Does everyone typically send all of local4 to a file or only filter out for example warning and above? Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

4 3

Re: Too Much LDAP Log Activity?
by Douglas Duckworth 22 Nov '17

22 Nov '17

I agree that logrotate can handle this but I guess what's the point of logging normal activity that's not actionable? On Nov 22, 2017 2:30 PM, "MJ J" <mikedotjackson(a)gmail.com> wrote: > 1mb every few minutes is inconsequential - no impact on performance or > disk space. You have logrotate to handle the disk space. > > 1gb every few minutes and you have a real problem to worry about in > terms of both performance and disk space. > > On Wed, Nov 22, 2017 at 8:35 PM, Douglas Duckworth > <dod2014(a)med.cornell.edu> wrote: > > Hi > > > > Thanks to several users on this list I have our cluster up and running. > > The databases look good as does performance. > > > > However, logs are increasing about 1MB every few minutes. > > > > Does everyone typically send all of local4 to a file or only filter out > for > > example warning and above? > > > > Thanks, > > > > Douglas Duckworth, MSc, LFCS > > HPC System Administrator > > Scientific Computing Unit > > Physiology and Biophysics > > Weill Cornell Medicine > > E: doug(a)med.cornell.edu > > O: 212-746-6305 > > F: 212-746-8690 >

1 0

Re: Too Much LDAP Log Activity?
by Douglas Duckworth 22 Nov '17

22 Nov '17

local4.* but I really would only want to see warnings. Would auth failures show up in local4.warn? On Nov 22, 2017 1:48 PM, "Frank Swasey" <Frank.Swasey(a)uvm.edu> wrote: I send all - but, what gets sent is controlled by the loglevel statement in your config - what have you set yours to? On 11/22/17, 13:36, "openldap-technical on behalf of Douglas Duckworth" < openldap-technical-bounces(a)openldap.org on behalf of dod2014(a)med.cornell.edu> wrote: Hi Thanks to several users on this list I have our cluster up and running. The databases look good as does performance. However, logs are increasing about 1MB every few minutes. Does everyone typically send all of local4 to a file or only filter out for example warning and above? Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 <(212)%20746-6305> F: 212-746-8690 <(212)%20746-8690>

1 0

Re: Antw: Re: ssf Security Question
by Quanah Gibson-Mount 22 Nov '17

22 Nov '17

--On Monday, November 20, 2017 8:43 AM +0100 Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > Hi! > > BTW: Does anyone know the backgraound of SUSE Linux Enterprise Server > (SLES) moving from OpenLDAP to Redhat's directory server in ist next > release? Do you have a relevant link? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical