openldap-technical

openldap-technical@openldap.org

14 participants
9796 discussions

OpenLDAP freeze
by Cyril Grosjean 20 Mar '15

20 Mar '15

I've an OpenLDAP 2.4.32 server with millions of entries, which uses to serve tens of requests per second. It works as a stand-alone master server (replication is setup but the slave server is down) I noticed several times, at different times and dates, that no lines are logged in the OpenLDAP access log for a few minutes, as if it was frozen. I try to figure out what could explain that ? I checked the usual system counters (CPU, IO, Memory, free disk space, ...) as well as the running processes, but did not notice anything suspicious. Since the OpenLDAP server runs in a virtual machine, I'm currently trying to monitor the ESX hypervisor. Any idea of what could go wrong ?

2 2

FW: questions about LMDB
by Shu, Xinxin 20 Mar '15

20 Mar '15

CC technical list Cheers, xinxin -----Original Message----- From: openldap-devel [mailto:openldap-devel-bounces@openldap.org] On Behalf Of Shu, Xinxin Sent: Friday, March 20, 2015 8:50 AM To: Howard Chu; openldap-devel(a)openldap.org Subject: RE: questions about LMDB Sorry for the wrong mail list , I will forward this request to technical list Cheers, xinxin -----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Thursday, March 19, 2015 11:52 PM To: Shu, Xinxin; openldap-devel(a)openldap.org Subject: Re: questions about LMDB Shu, Xinxin wrote: > Several other questions about lmdb > > 1) does lmdb store one key-value pair in a single page? How lmdb organizes these key-value pairs in a single page > 2) if size is larger than single page size , how lmdb process this request? This list is for developers to discuss actual coding issues inside the OpenLDAP code; your questions are too elementary and don't belong here. Use the -technical list for user-oriented questions. > > Any help will be appreciated ? thanks > > Cheers, > xinxin > > -----Original Message----- > From: Shu, Xinxin > Sent: Thursday, March 19, 2015 3:49 PM > To: openldap-devel(a)openldap.org > Cc: Shu, Xinxin > Subject: questions about LMDB > > Hi list , > > Recently I read docs about lmdb , there are two sentences > 1) readers do not block writers > 2) writers do not block readers > I can understand 'readers do not block writers' , but cannot understand the second one , can someone help explain , how lmdb achieve 'writers do not block readers', below is my understandings , please correct me if anything wrong. > if the access pattern is write - read, since lmdb only support two version of data , when the write has been started but not committed , the concurrent read may read stale data since write has not been committed. > > Cheers, > xinxin > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

file descriptor setting
by Daniel Jung 20 Mar '15

20 Mar '15

Hi, Running 2.4.39 on centos 6. I set the open file limit to 200000 today as part of testing and it ran fine for a while and then an hour or so later the daemon died with no trace in the logs. I am running stats and sync at the moment. Would i need to run args to capture issue like this? Thanks

1 0

what is wrong with my permissions?
by Igor Shmukler 19 Mar '15

19 Mar '15

Hello, Sorry. I need help, again! I am trying to configure my OpenLDAP so that cn=config has full over-the-network write-access with a password.I thought at one point that I got the permissions working. It turns out, those are not working, now. Please say what I am doing wrong. Last time, I had a similar problem with policy. Michael S. saved me a bunch of time by advising to load ppolicy.ldif [with the appropriate schema]. This is obviously no indicator of any kind, yet the problem might be not in the LDIFs or ... I understood that manage is the LDIF version of full permissions. Found olcAccess syntax as "olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+" My OLC directives for ldapmodify(1) are below: dn: olcDatabase={0}config,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break olcAccess: {1}to * by self write by dn="cn=config" write by * read dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK I tried various combinations, like: olcAccess: {1}to * by dn=cn=config manage by * read The old commands are valid, yet do not result in the desired configuration. Instead, when ldapdelete(1) is invoked, I get: ldap_delete: Insufficient access (50) additional info: no write access to parent Please advise. I thank everyone on who has been reading my messages. People on this list have been extremely helpful. Sincerely, Igor Shmukler

2 9

Are sets "production ready"?
by Tomasz Lesniewski 19 Mar '15

19 Mar '15

Hi. I would like to use sets in my openldap ACLs, but i'm worried about "Sets are considered experimental"as is written in docs (http://www.openldap.org/doc/admin24/access-control.html#Sets%20-%20Granting…) Is anybody using sets in production environment without problems? Are there any known issues with sets? Or is known when sets will be ready to use? -- Pozdrawiam/Best regards Tomasz Leśniewski

3 3

ppolicy: pwdInHistory attribute
by Esther Garcia 19 Mar '15

19 Mar '15

Hello, We have installed an openldap server 2.4.23-34 on RHEL 6.5 with ppolicy enabled. # Standard, Policies dn: cn=Standard,ou=Policies,dc=test,dc=es cn: Standard description: Standard password policy. pwdAttribute: userPassword pwdCheckQuality: 1 pwdMinLength: 8 pwdLockout: TRUE pwdMustChange: TRUE pwdAllowUserChange: TRUE objectClass: device objectClass: pwdPolicy pwdSafeModify: FALSE pwdFailureCountInterval: 3 pwdGraceAuthNLimit: 0 pwdLockoutDuration: 1200 pwdMaxFailure: 10 pwdMinAge: 10 pwdMaxAge: 31536000 pwdExpireWarning: 0 pwdInHistory: 5 All ppolicy attributtes except pwdInHistory are working. We store passwords encrypted in the directory. Is there any way to have pwdInHistory attribute working with encrypted passwords stored in the directory? Thanks! Esther

2 4

default behavior of server certificate validation
by Bin Lu 19 Mar '15

19 Mar '15

Hi, In connecting the LDAP server with LDAPs or (start)TLS, what is the default behavior of the server certificate validation? How can I disable the default behavior? Thanks, -binlu

2 2

Error while integrating OpenLDAP and Kerberos
by Verónica Ovando 19 Mar '15

19 Mar '15

I am trying to set up Kerberos with OpenLDAP backend. I followed this doc http://web.mit.edu/Kerberos/www/krb5-1.12/doc/admin/conf_ldap.htmland this https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html#kerberos-ldap-op… My |krb5.conf|file looks like this: |[libdefaults] default_realm = EXAMPLE.TEST dns_lookup_realm = false dns_lookup_kdc = false rdns = false [kdcdefaults] restrict_anonymous_to_tgt = true # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following libdefaults parameters are only for Heimdal Kerberos. v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] #configuracion para mi reino EXAMPLE.TEST = { kdc = krb1.example.test:88 kdc = krb2.example.test:88 admin_server = krb1.example.test default_domain = example.test database_module = openldap_ldapconf } [domain_realm] #configuracion para mi servidor .example.test = EXAMPLE.TEST EXAMPLE.test = EXAMPLE.TEST [dbdefaults] ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=test [dbmodules] openldap_ldapconf = { db_library = kldap ldap_kdc_dn = "cn=krbadmin,dc=example,dc=test" # this object needs to have read rights on # the realm container, principal container and realm sub-trees ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=test" # this object needs to have read and write rights on # the realm container, principal container and realm sub-trees ldap_service_password_file = /etc/krb5kdc/service.keyfile ldap_servers = ldap://127.0.0.1 ldap_conns_per_server = 5 } [login] # krb4_convert = true # krb4_get_tickets = false [logging] kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmin.log default = FILE:/var/log/kerberos/krb5lib.log | I added the krbPrincipalName index: |dn: olcDatabase={1}hdb,cn=config add: olcDbIndex olcDbIndex: krbPrincipalName eq,pres,sub | I gave permissions to the kadmind and krb5kdc for reading a writing in the LDAP database: |dn: olcDatabase={1}hdb,cn=config replace: olcAccess olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=krbadmin,dc=example,dc=com" write by anonymous auth by self write by * none - add: olcAccess olcAccess: to dn.base="" by * read - add: olcAccess olcAccess: to * by dn="cn=krbadmin,dc=example,dc=com" write by * read | When i try to restart the krb5-admin-server I get this error: *[....] Restarting Kerberos administrative servers: kadmindkadmind: Invalid credentials while initializing, aborting failed!* Any suggestion for solving this problem? I thinks there is a missing configuration on my LDAP, but I am not sure. Thanks in advance. -- Verónica Ovando

2 1

olcAccess syntax
by Igor Shmukler 18 Mar '15

18 Mar '15

Hello, Sorry. This is repost. I was unable to figure out what is wrong my olcAccess configuration! I am trying to configure my OpenLDAP so that cn=config has full over-the-network write-access with a password.I thought at one point that I got the permissions working. It turns out, those are not working, now. Please say what I am doing wrong. Last time, I had a similar problem with policy. Michael S. saved me a bunch of time by advising to load ppolicy.ldif [with the appropriate schema]. This is obviously no indicator of any kind, yet the problem might be not in the LDIFs or ... I understood that manage is the LDIF version of full permissions. Found olcAccess syntax as "olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+" My OLC directives for ldapmodify(1) are below: dn: olcDatabase={0}config,cn=config changetype: modify replace: olcAccess olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break olcAccess: {1}to * by self write by dn="cn=config" write by * read dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}HyVltU836iL4aR0P0C6O8eHkOJt8nYGK I tried various combinations, like: olcAccess: {1}to * by dn=cn=config manage by * read The command syntax is valid. Yet my configuration not result in the desired access rights. Instead, when ldapdelete(1) is invoked with -D cn=config on records inside non-config databases, I get: ldap_delete: Insufficient access (50) additional info: no write access to parent Please advise. I thank everyone on the openldap-technical who has been reading my messages. People on this list have been extremely helpful. Sorry to continue being a nag. Sincerely, Igor Shmukler

1 0

openldap MMR "read_config: no serverID / URL match found"
by Divya Vikraman 18 Mar '15

18 Mar '15

Hi, I am using openldap 2.4.39 version and trying to set up multi master replication. This is my configuration ServerID 1 "ldap://ldap1-test.com" ServerID 2 "ldap://ldap2-test.com" overlay syncprov syncprov-checkpoint 10 1 syncprov-sessionlog 100 syncrepl rid=1 provider="ldap://ldap1-test.com" binddn="uid=replication,ou=People,dc=ldap,dc=nqa,dc=test,dc=com" bindmethod=simple credentials="xyzabc" searchbase="dc=ldap,dc=nqa,dc=test,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 10 60 +" timeout=1 schemachecking=off scope=sub syncrepl rid=2 provider="ldap://ldap2-test.com" binddn="uid=replication,ou=People,dc=ldap,dc=nqa,dc=test,dc=com" bindmethod=simple credentials="xyzabc" searchbase="dc=ldap,dc=nqa,dc=test,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 10 60 +" timeout=1 schemachecking=off scope=sub MirrorMode on I have put the below entries in /etc/default/slap on server 1 SLAPD_SERVICES="ldapi:// ldap://ldap1-test.com" and server 2 SLAPD_SERVICES="ldapi:// ldap://ldap2-test.com" After this I am not able to start the service and when I do a slapd -d sync , I get the error "read_config: no serverID / URL match found" I have seen a similar issue posted in an earlier thread but could not find a solution. Thanks, Divya

3 3

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical