openldap-technical

openldap-technical@openldap.org

12 participants
9794 discussions

Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by Quanah Gibson-Mount 29 Sep '17

29 Sep '17

--On Friday, September 29, 2017 2:31 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > Quanah, > > > Sorry i was searching for one attribute, i have close to 80mil entries. Then these settings may be too low: cachesize 100000 idlcachesize 300000 Essentally, cachesize needs to hold your working set of data (active entries). So this is saying slapd will only cache 100,000 active entries. It will then be removing/adding entries in blocks of one (cachefree defaults to 1 if not set). idlcachesize generally is 3x cachesize. If your active set is > 100,000 users, then you need to increase the cachesize and idlcachesize parameters accordingly. You may also need to increase cachefree from its default of "1". Overall, you would likely be much better served to switch to back-mdb, where you do not have to set any of these parameters at all. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by rammohan ganapavarapu 29 Sep '17

29 Sep '17

Quanah, Sorry i was searching for one attribute, i have close to 80mil entries. Thanks, Ram On Fri, Sep 29, 2017 at 12:19 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Friday, September 29, 2017 1:00 PM -0700 rammohan ganapavarapu < > rammohanganap(a)gmail.com> wrote: > > >> I have roughly 57077 entires, so set_cachesize in slapd.conf will take >> highest priority than the one in DB_CONFIG file? >> > > If you ever delete the DB_CONFIG file, it would be created with the > setting from slapd.conf. Better to remove it. > > You say you have only 57,077 entries in your DB, yet your id2entry bdb > file is nearly 8GB in size? That doesn't make sense unless your BDB > database is very corrupted or you have insanely huge entries containing > gigabytes of binary data or something. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Quanah Gibson-Mount 29 Sep '17

29 Sep '17

--On Thursday, September 28, 2017 5:37 PM -0400 Douglas Duckworth <dod2014(a)med.cornell.edu> wrote: > > What would you recommend as a replacement for SSSD? I am running it > across Centos 6 and 7 clients without any issue using TLS. There is nss-pam-ldapd/nslcd. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Quanah Gibson-Mount 29 Sep '17

29 Sep '17

--On Thursday, September 28, 2017 2:08 PM -0400 Robert Heller <heller(a)deepsoft.com> wrote: > OK, I have narrowed things down to slapd and sssd not playing nice with > each other. slapd is able to listen on ldaps (port 636) and accept SSL > connections (eg from openssl s_client and other applications using > straight SSL). slapd will also listen on ldap (port 389), but refuses > to negotiate a TLS connection on port 389. It also refuses to negotiate > TLS connection on port 636. sssd seems to *insist* on negotiating a TLS > connection on port 636 or port 389 and won't just connect using ssl to > port 636. (At least that is what I *think* is going on.) > > So, I either need to get slapd to do TLS negotiation on port 389 OR port > 636, or get sssd to NOT do TLS negotiation on port 636 and just connect > with SSL. You're using a bit of a confusing word soup. ldaps == Deprecated, non-standard way of securing connection to LDAP. Usually on port 636 startTLS == RFC standard way of securing connections to LDAP. Usually on port 389 If you are using ldaps, then you want startTLS to be disabled if you are using startTLS, then you want it enabled. Your SSD config has: ldap_id_use_start_tls = false so this would be correct with use with ldaps:/// You don't provide any error messages or other useful information, so one can only specualte what issues you may be having. I would note that most versions of openssl s_client do not support startTLS with LDAP (Thus you cannot use it to test port 389). That feature was only recently added to OpenSSL. If you want to test startTLS on port 389, your best bet is to use an ldap client utility such as ldapwhoami, like: ldapwhoami -x -ZZ -H ldap://myhost:389 -D binddn -w --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

4 5

Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by Quanah Gibson-Mount 29 Sep '17

29 Sep '17

--On Friday, September 29, 2017 1:00 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > I have roughly 57077 entires, so set_cachesize in slapd.conf will take > highest priority than the one in DB_CONFIG file? If you ever delete the DB_CONFIG file, it would be created with the setting from slapd.conf. Better to remove it. You say you have only 57,077 entries in your DB, yet your id2entry bdb file is nearly 8GB in size? That doesn't make sense unless your BDB database is very corrupted or you have insanely huge entries containing gigabytes of binary data or something. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by rammohan ganapavarapu 29 Sep '17

29 Sep '17

I have roughly 57077 entires, so set_cachesize in slapd.conf will take highest priority than the one in DB_CONFIG file? Thanks, Ram On Fri, Sep 29, 2017 at 11:47 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Friday, September 29, 2017 12:39 PM -0700 rammohan ganapavarapu < > rammohanganap(a)gmail.com> wrote: > > >> Quanah, >> >> >> These are the settings i have in slapd.conf >> >> grep cach /etc/openldap/slapd.conf >> cachesize 100000 >> idlcachesize 300000 >> dbconfig set_cachesize 0 2097152 0 >> > > So how many total entries are in your database? You still haven't answered > that. > > Also, your dbconfig set_cachesize parameter is disturbingly low. You > should delete it to ensure the value in your DB_CONFIG file (8 0 1 remains > honored). > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by Quanah Gibson-Mount 29 Sep '17

29 Sep '17

--On Friday, September 29, 2017 12:39 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > Quanah, > > > These are the settings i have in slapd.conf > > grep cach /etc/openldap/slapd.conf > cachesize 100000 > idlcachesize 300000 > dbconfig set_cachesize 0 2097152 0 So how many total entries are in your database? You still haven't answered that. Also, your dbconfig set_cachesize parameter is disturbingly low. You should delete it to ensure the value in your DB_CONFIG file (8 0 1 remains honored). --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by rammohan ganapavarapu 29 Sep '17

29 Sep '17

Quanah, These are the settings i have in slapd.conf grep cach /etc/openldap/slapd.conf cachesize 100000 idlcachesize 300000 dbconfig set_cachesize 0 2097152 0 On Fri, Sep 29, 2017 at 9:36 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Friday, September 29, 2017 10:31 AM -0700 rammohan ganapavarapu < > rammohanganap(a)gmail.com> wrote: > > >> Quanah, >> >> >> Thank you, please find the below db_stat output of whole db, i think >> which has all the cache details. >> > > The settings I'm talking about all come from slapd.conf/cn=config. They > are for the back-hdb backend, not for the underlying BDB library. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Quanah Gibson-Mount 29 Sep '17

29 Sep '17

--On Friday, September 29, 2017 11:29 AM -0700 Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Friday, September 29, 2017 2:17 PM -0400 Robert Heller > <heller(a)deepsoft.com> wrote: > >> Signature Algorithm: sha1WithRSAEncryption > > The above is probably your problem. I believe MozNSS will no longer > accept SHA1 certs. This was in the link I sent you yesterday. Generate > a more secure cert (I.e., SHA256 or higher). See also: <https://access.redhat.com/blogs/766093/posts/3050871> where SHA1 is explicitly noted as being phased out. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Quanah Gibson-Mount 29 Sep '17

29 Sep '17

--On Friday, September 29, 2017 2:17 PM -0400 Robert Heller <heller(a)deepsoft.com> wrote: > Signature Algorithm: sha1WithRSAEncryption The above is probably your problem. I believe MozNSS will no longer accept SHA1 certs. This was in the link I sent you yesterday. Generate a more secure cert (I.e., SHA256 or higher). --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical