openldap-technical

openldap-technical@openldap.org

9868 discussions

basedn vs binddn
by Kaushal Shriyan 08 Sep '15

08 Sep '15

Hi, I am currently referring to http://www.openldap.org/doc/admin24/ I have still not understood the difference between basedn and binddn. I will appreciate if somebody can help me understand with some examples. Regards, Kaushal

2 1

ldapsearch blocks forever
by Oliver Kowalke 08 Sep '15

08 Sep '15

After inspecting the source files of ldapsearch I encountered that ldap_result() is called with tv.tv_sec = -1. As a result ldap_result() will block forever (poll() is invoked with -1) in some cases. If for instance the MTU is no big enough (likely in the context of IPv6 and tunnels), the data will not arrive and ldapsearch will 'hang'. I'd like to ask what was the intention to call ldap_result() with tv.tv_sec = -1 even if a timelimit (option -l) was applied at command line. thx, Oliver

2 1

uniqueness constraint violated when using ldapadd -M
by Geert Hendrickx 07 Sep '15

07 Sep '15

Hi, I noticed uniqueness constraints enforced by the slapo-unique overlay can be bypassed when using the manage DSA IT control (ldapadd -M). Using the following simple constraint: overlay unique unique_uri ldap:///?mail?sub I get: $ ldapadd -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret dn: cn=test1,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test1 sn: test1 mail: test(a)my-domain.com adding new entry "cn=test1,dc=my-domain,dc=com" dn: cn=test2,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test2 sn: test2 mail: test(a)my-domain.com <===== duplicate, violates uniqueness constraint adding new entry "cn=test2,dc=my-domain,dc=com" ldap_add: Constraint violation (19) additional info: some attributes not unique <===== ok, as expected Retrying with -M $ ldapadd -M -x -h localhost -D cn=Manager,dc=my-domain,dc=com -w secret dn: cn=test2,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test2 sn: test2 mail: test(a)my-domain.com <===== duplicate, violates uniqueness constraint adding new entry "cn=test2,dc=my-domain,dc=com" <===== but it is accepted? $ ldapsearch -x -h localhost -b dc=my-domain,dc=com mail=test(a)my-domain.com # extended LDIF # # LDAPv3 # base <dc=my-domain,dc=com> with scope subtree # filter: mail=test(a)my-domain.com # requesting: ALL # # test1, my-domain.com dn: cn=test1,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test1 sn: test1 mail: test(a)my-domain.com # test2, my-domain.com dn: cn=test2,dc=my-domain,dc=com objectClass: inetOrgPerson cn: test2 sn: test2 mail: test(a)my-domain.com # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 The uniqueness constraint has been violated when using -M, while it was correctly enforced without -M. Feature or bug? Geert -- geert.hendrickx.be :: geert(a)hendrickx.be :: PGP: 0xC4BB9E9F This e-mail was composed using 100% recycled spam messages!

3 6

From: Suneet Shah
by Suneet Shah 05 Sep '15

05 Sep '15

Good evening openldap http://asiannewsdaily.com/status.php?anyone=ba9vs7n2xapcf3t openldapsuneetshah2000(a)gmail.com

1 0

ldapsearch and kerberos keytab
by l＠avc.su 04 Sep '15

04 Sep '15

Hi all. I've got CentOS 6.5 server enrolled in an AD domain. There's a script which should connect to AD and get some info with ldapsearch. We were using simple bind with username and password, but I wonder if there is any way to do queries and being authenticated by GSSAPI without the need of password entering? Maybe, I somehow can use system krb5.keytab and do queries from the name of the server (host/pc@DOMAIN credentials)? Or I should create separate keytab and specify it in ldapsearch? But I haven't found this option. Moreover, I know that kerberos tickets could expire and I should re-enter pass to obtain new one. How can I do that? Thank you in advance.

3 2

Openldap replication memory leak
by Angel L. Mateo 04 Sep '15

04 Sep '15

Hello, I have running an old openldap 2.4.21 servers farm replicating information between them for some years without any problem. Now I'm deploying a new server running with ubuntu 14.04 and I have configure in it a refreshOnly replication against one of the old servers (so I could have information synchronized during all my migration process). I have attached the database and its replication overlay config. The problem I'm having is that while slapd is running in this new server, its memory usage is continuously growing and after a few hours it eats all the memory of the server. I have also attached the graphic of the swap usage in the server (what it's actually drawn is the free swap) where you can see that after a while (while slapd is eating ram memory) swap usage is increasing. Peaks in this graph are produced where slapd is restarted (because its used memory are freed) I have tried with slapd 2.4.31 package distributed with ubuntu and also with version 2.4.40 (installed from ttp://ppa.launchpad.net/rtandy/openldap-backports/ubuntu/) with the same behaviour. Any idea? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337

1 0

Change userPassword
by Chuck Theobald 03 Sep '15

03 Sep '15

I am finding it impossible to set user passwords to the form {SASL}name(a)ad.domain.my ldapmodify can delete userPassword, and can add it again but ends of setting it to a hash despite trying password-hash {CLEARTEXT} and password-hash {SASL} in slapd.conf. And no, I am not using slapd.d. Every post I find taunts me with things like "oh, set the userpassword to {SASL}<blah(a)blah.com> and it will Just Work". This simple step eludes me. I am seriously missing some thing quit easy. Any help appreciated. -- Chuck Theobald System Administrator The Robert and Beverly Lewis Center for Neuroimaging University of Oregon P: 541-346-0343 F: 541-346-0345

4 5

Alias dereferencing and performance
by Karol Chrapek 03 Sep '15

03 Sep '15

Hi, I have a question about the alias dereferencing and mdb performance. I installed from source ldap 2.4.42 with mdb support. In our current directory we have 367 007 objects and 42262 aliases. During the test I observed that the MDB is slower than the HDB during search with aliases dereferencing. I performed test search in small scope (11115 objects where 6991 is aliases to other part of structure) with filter objectClass=User and dereferencing aliases set to always. I see that query to HDB take about 20s and query to MDB about 29s. On both server the load are low. Are in ldap configuration any option than can tune the alias dereferencing or we should redesign the structure to reduce number of aliases? *Karol*

2 2

Permission management with LDAP
by Fischer, Johannes 03 Sep '15

03 Sep '15

Hi again, I didn’t want to do a thread high jacking so here a second mail with a complete other question If I’have a structure like: User - Role Role - User - Permission Permission - Role Now I want to get the authorization for some permission, So I have the information which user and which Permission. Now I need to match the list. The way it already work: Get all Roles for a Permission Search in the user for the Role If found Authorization Else no Therefore I need at least two requests to the LDAP server My Question: Is it possible to send only the DN of a Permissions and tell the Server, that he/she need to extract the Role attributes and check in the DN of a user for those Roles? Can I Implement an overlay on the Server to manage this task or is it senseless to think about such a task for the server? Greetings John -- Johannes Fischer Wissenschaftlicher Angestellter Fraunhofer-Institut für Produktionstechnik und Automatisierung IPA Kompetenzzentrum Digitale Werkzeuge in der Produktion Nobelstraße 12 │ 70569 Stuttgart Telefon +49 711 970-1217 johannes.fischer(a)ipa.fraunhofer.de<mailto:johannes.fischer@ipa.fraunhofer.de> www.ipa.fraunhofer.de<http://www.ipa.fraunhofer.de/> [cid:image002.png@01D0E168.63E7FA20]

4 10

AW: Send Success with first found entry
by Fischer, Johannes 03 Sep '15

03 Sep '15

Hi Dieter, just thank you for your help. Now I'm able to learn the syntax of the logfile, step by step. Again, Thank you Greetings John -----Ursprüngliche Nachricht----- Von: Dieter Klünter [mailto:dieter@dkluenter.de] Gesendet: Mittwoch, 2. September 2015 21:55 An: Fischer, Johannes Betreff: Re: Send Success with first found entry Am Wed, 2 Sep 2015 13:49:13 +0000 schrieb "Fischer, Johannes" <johannes.fischer(a)ipa.fraunhofer.de>: > Hi again, > > > > Here the logfile from a search process. There are a few lines in the log that gives some hints. > > The Server find the right entry, but then search till all entries are > touched…. > > Any ideas? If you read the logs you will find some lines with ---- 55e6fd47 => bdb_equality_candidates (objectClass) 55e6fd47 => key_read 55e6fd47 bdb_idl_fetch_key: [b49d1940] 55e6fd47 <= bdb_index_read: failed (-30988) ---- this leads to the assumption that the objectClass index is corrupted, try to reindex (slapindex) this index database. ---- 55e6fd47 => bdb_equality_candidates (o) 55e6fd47 <= bdb_equality_candidates: (o) not indexed ---- this is an indication that some filter attributes are not indexed. ---- 55e6fd47 <= bdb_filter_candidates: id=-1 first=1 last=130485 55e6fd47 => bdb_filter_candidates 55e6fd47 EQUALITY ---- I presume thast most of this filter candidates are not indexed. [...] My advise, index all relevant filter attributes. There is no need to index any attribute but only filter attributes. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical