openldap-technical

openldap-technical@openldap.org

3 participants
9937 discussions

meta_back_db_open: no targets defined
by Matthew Bik 05 Dec '12

05 Dec '12

Hello, I hope this is the right forum for technical questions. If not I apologise in advance. I have been surfing for an answer for a while and was hoping that I am just missing something simple and someone can point me in the right direction. The scenario : I have several active directory domains where individual user accounts are managed. I am trying to setup slapd to use the meta backend so that my ldap server can act as a single sign on source for internal tools such as web pages, jabber, and the like. During the start of slapd it looks like I'm either missing something in my config or I have a typo that I haven't been able to find. To me, it looks like slapd won't start because I'm not giving it anything to do (no targets). I've also been using slaptest to convert a slapd.conf file since documentation on the cn=config files is a little hard to find. The Setup: - CentOS release 6.3 - openldap-2.4.23-26.el6_3.2.x86_64 - openldap-servers-2.4.23-26.el6_3.2.x86_64 The Error Log: Dec 5 08:20:56 example-host slapd[3487]: slapd startup: initiated. Dec 5 08:20:56 example-host slapd[3487]: backend_startup_one: starting "cn=config" Dec 5 08:20:56 example-host slapd[3487]: config_back_db_open Dec 5 08:20:56 example-host slapd[3487]: backend_startup_one: starting "dc=example,dc=com" Dec 5 08:20:56 example-host slapd[3487]: meta_back_db_open: no targets defined Dec 5 08:20:56 example-host slapd[3487]: backend_startup_one (type=meta, suffix="dc=example,dc=com"): bi_db_open failed! (1) Dec 5 08:20:56 example-host slapd[3487]: slapd shutdown: initiated Dec 5 08:20:56 example-host slapd[3487]: slapd destroy: freeing system resources. Dec 5 08:20:56 example-host slapd[3487]: slapd stopped. My slapd.conf: include /etc/openldap/schema/core.schema loglevel -1 modulepath /var/lib/openldap moduleload back_meta.la moduleload back_ldap.la lastmod off database config rootdn "cn=root,cn=config" rootpw "secret" database meta suffix "dc=example,dc=com" uri "ldap://dom01.example.com/dc=us,dc=example,dc=com" default-target uri "ldap://dom02.example.com/dc=eu,dc=example,dc=com"

1 0

Re: Password policy
by Mauricio Tavares 04 Dec '12

04 Dec '12

On Mon, Nov 19, 2012 at 10:46 AM, jeevan kc <jeev_biz(a)hotmail.com> wrote: > Thanks . But we have like more than 25k users on the server. Doing that individually would be tedious. Is there any other way ? > How about a script of some sorts? Something on the lines of: ask ldap for the userlist (using ldapsearch) for each user Add objectClass: pwdPolicy (using ldapmodify) done > Sent from my iPhone > > On Nov 19, 2012, at 10:42 AM, "Mauricio Tavares" <raubvogel(a)gmail.com> wrote: > >> On Mon, Nov 19, 2012 at 10:14 AM, jeevan kc <jeev_biz(a)hotmail.com> wrote: >>> Hello >>> >>> I want to enable password policy on Openldap 2.4.30(to all users. I see that >>> the ppolicy.ldif and ppolicy.schema are listed under >>> /usr/local/etc/openldap/schema but are not present on >>> /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the >>> policy.ldif to the cn=config folder ? Is there like specific procedure to do >>> that or can I add manually with ldapadd ? Also how do I enable that schema >>> to all users ? Please help. >>> >>> >>> Jeevan >> >> If you have the policy as a diff, you could add it by saying >> >> ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/ppolicy.ldif >> >> Then you need to ldapmodify each user, adding something like >> >> objectClass: pwdPolicy >> >> to each of them. >> >> This is off the top of my head, so do verify before doing exciting >> thingies to your server. ;)

4 4

Fwd: Difference between 2.4.30 and 2.3.43 in certificateMatch.
by Erwann Abalea 03 Dec '12

03 Dec '12

---------- Forwarded message ---------- From: Erwann Abalea <eabalea(a)gmail.com> Date: 2012/12/3 Subject: Re: Difference between 2.4.30 and 2.3.43 in certificateMatch. To: Mike Hulsman <mike(a)hulsman.net> 2012/12/3 Mike Hulsman <mike(a)hulsman.net> > > Quoting Erwann Abalea <eabalea(a)gmail.com>: > > 2012/12/3 Mike Hulsman <mike(a)hulsman.net> >> >> >>> Quoting Howard Chu <hyc(a)symas.com>: >>> >>> >>>> [...] >>>> >>> >> No. Read RFC4523. >>> >>>> >>>> >>> After a lot of reading and testing I still cannot get it working. >>> >>> I read RFC4523 and am now doing an ldap search of (usercertificate:** >>> certificateExactMatch:=****certificate_serial_number$** >>> >>> certificate_Issuer_DN) >>> Than I get an (?=undefined) in my logfile, so the query is not correct. >>> In my schema is 2.5.4.36 and 2.5.4.37 defined. >>> >>> When I search on >>> (usercertificate=certificate_****serial_number$certificate_**** >>> Issuer_DN) >>> >>> I see the query in the log so I asume it is ok, but in the debugging i >>> see >>> "illegal value for attributeType usercertificate" >>> >>> >> Here's what I use: >> >> 'userCertificate={ serialNumber <yourserial>, issuer "<yourIssuerDN>" }' >> >> For example: >> 'userCertificate={ serialNumber 5090, issuer "cn=passport country signing >> authority, ou=ptb, ou=dfat, o=gov, c=au" }' >> > Thanks alot for pointing me in the right direction, > > The search is working now. > Now I also noticed that I put in the serialnumber in Hex instead of > decimal. > That is what I was doing wrong :-( > You can express the serial number in hex. My example becomes '... serialNumber 0x13E2, issuer ...' OpenLDAP follows the X.520 name comparison rules for the issuer name; you can switch case, change spaces into multiple spaces, add heading/trailing spaces, etc. I hadn't looked at the code yet to understand why asking for serialNumber 0x013E2 or 05090 doesn't match my certificates. -- Erwann.

1 0

RE: deleting all entries
by jeevan kc 03 Dec '12

03 Dec '12

Thanks for the quick reply. One more question, we have a master and couple slaves on the replication topology. Do I need to remove the files of all 3 servers individually? From: turbo(a)bayour.com Subject: Re: deleting all entries Date: Mon, 3 Dec 2012 17:05:45 +0100 To: jeev_biz(a)hotmail.com On Dec 3, 2012, at 4:33 PM, jeevan kc wrote:My openldap on the server is built from the source and the DB files are located on /usr/local/var/openldap-data. Simply shut the server down and delete all files (possibly except the DB_CONFIGfile) in that directory. It's that simple. --Build a man a fire, and he will be warm for the night.Set a man on fire and he will be warm for the rest of his life.

1 0

Difference between 2.4.30 and 2.3.43 in certificateMatch.
by Mike Hulsman 03 Dec '12

03 Dec '12

Hi, I stumbled upon an difference between openldap 2.4.30 and 2.3.43. This is my configuration. X509 certificates are stored in the directory and a search is done with: (&(mail=aaa@a.b)(userCertificate:certificateMatch:=<binary certificate)) if that is a match the uid must be returned. That is working on 2.3.43 but when I try that on 2.4.30 it does not work and I start debugging I see filter="(&(mail=aaa(a)a.b)(?=undefined))" in the logfiles. The request is the same on both openldap servers, I copied the schema's and the acl's are the same. A slapcat on 2.3.43 is done and imported on 2.4.30 An ldapsearch on both servers for that user is returning the same data. Do I need some more configuration for the 2.4.30 version or am I doing something wrong. The 2.3.43 version is working properly, but I want to update to 2.4.xx for better replication. Kind regards. Mike Hulsman ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.

3 6

deleting all entries
by jeevan kc 03 Dec '12

03 Dec '12

HelloWe are deleting all the entries from the Test ldap server and migrating the production data into the test server. I believe slapcat and slapadd would come handy for the migration part. But what I am concerned now is removing the entries from the Test server. How do I delete them ? I need to empty the server but then I want to keep the current configuration and schemas. My openldap on the server is built from the source and the DB files are located on /usr/local/var/openldap-data.Any ideas would be appreciated . Thank you.

1 0

last login time
by Jignesh Patel 03 Dec '12

03 Dec '12

How to capture last login time in openLDAP? -Jignesh

5 11

Re: Index Add Failures
by Kyle Smith 03 Dec '12

03 Dec '12

Ok, I have been running 2.4.32 for some time with no issues. Yesterday, 2 different servers (both part of a 4-way MMR) produced an "index add failure" and an "index delete failure". I went back over the bdb DB_CONFIG Settings (listed below) and everything looks nominal to me. Would it just make more sense to switch from bdb to mdb instead of troubleshooting these "random" errors too much? I also noticed that the number of "deadlocks" corresponds to the number of errors that were produced. Is there correlation there? Thanks! 578 Last allocated locker ID 0x7fffffff Current maximum unused locker ID 9 Number of lock modes 3000 Maximum number of locks possible 1500 Maximum number of lockers possible 1500 Maximum number of lock objects possible 1 Number of lock object partitions 15 Number of current locks 1029 Maximum number of locks at any one time 17 Maximum number of locks in any one bucket 0 Maximum number of locks stolen by for an empty partition 0 Maximum number of locks stolen for any one partition 123 Number of current lockers 224 Maximum number of lockers at any one time 15 Number of current lock objects 526 Maximum number of lock objects at any one time 5 Maximum number of lock objects in any one bucket 0 Maximum number of objects stolen by for an empty partition 0 Maximum number of objects stolen for any one partition 3581M Total number of locks requested (3581768929) 3581M Total number of locks released (3581768869) 0 Total number of locks upgraded 77 Total number of locks downgraded 7041 Lock requests not available due to conflicts, for which we waited 43 Lock requests not available due to conflicts, for which we did not wait 2 Number of deadlocks 0 Lock timeout value 0 Number of locks that have timed out 0 Transaction timeout value 0 Number of transactions that have timed out 1MB 392KB The size of the lock region 0 The number of partition locks that required waiting (0%) 0 The maximum number of times any partition lock was waited for (0%) 0 The number of object queue operations that required waiting (0%) 577 The number of locker allocations that required waiting (0%) 32148 The number of region locks that required waiting (0%) 5 Maximum hash bucket length On Wed, Aug 29, 2012 at 12:04 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Wednesday, August 29, 2012 11:32 AM -0400 Kyle Smith < > alacer.cogitatus(a)gmail.com> wrote: > > Quanah, Thanks for the info, I have confirmed I'm hitting the lock maxes >> of 1000. And I will be upgrading to 2.4.32. I was wondering, what steps >> should be done to have the changes in DB_CONFIG take effect? >> >> >> stop slapd >> make changes to DB_CONFIG >> db_recover >> start slapd >> >> >> Will this also auto remove the log.* files? ( I plan on setting this: >> "set_flags DB_LOG_AUTOREMOVE" in DB_CONFIG) >> > > If you have checkpointing set in slapd.conf/cn=config, it should, yes. > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

4 15

Optimization help
by Pawan Kamboj 30 Nov '12

30 Nov '12

Hi, What can I do to maximize the performance of my openldap setup which running in master-slave mode using syncrepl? System has 8GM RAM and 4GB swap space Openldap-2.3.32 and DB.4.5 ---------------------------------- Total dn count is 2450000. LDIF size is 670MB using ldapsearch dbd size is : du -c -h *.bdb 69M authenticationId.bdb 227M cn.bdb 602M dn2id.bdb 27M entryCSN.bdb 24M entryUUID.bdb 2.5G id2entry.bdb 6.4M mail.bdb 4.6M objectClass.bdb 16M ou.bdb 263M sn.bdb 740M uid.bdb 4.4G total ----------------------- Portion of slapd.conf: cachesize 50000 checkpoint 4096 10 sizelimit 2500000 ------------------------- DB_CONFIG # Set the database in memory cache size. set_cachesize 2 0 1 # Set database flags. set_flags DB_TXN_NOSYNC set_lk_max_locks 2000 set_lk_max_objects 1000 set_lk_max_lockers 1000 set_txn_timeout 3000000 set_lock_timeout 3000000 set_lg_regionmax 1048576 set_lg_max 10485760 set_lg_bsize 2097152 set_lg_dir /usr/local/var/master/logs db_stat -h /usr/local/master/db -m | head -n 2 2GB Total cache size 1 Number of caches Thanks Pawan Kumar

2 1

slapo-pcache seems broken in openldap-2.4.31
by Tio Teath 30 Nov '12

30 Nov '12

I'm trying to set up slapo-pcache using cn=config, and this is my settings: dn: olcDatabase={1}ldap,cn=config objectClass: olcConfig objectClass: olcDatabaseConfig objectClass: olcLDAPConfig objectClass: top olcDatabase: {1}ldap olcRootDN: cn=admin,cn=config olcAccess: {0}to * by * read olcDbACLBind: bindmethod=simple binddn="ou=group,dc=remote" credentials="password" tls_cacert="/etc/ssl/certs/ca-certificates.crt" starttls=yes olcDbURI: ldap://remote.host olcSuffix: dc=remote dn: olcOverlay={0}pcache,olcDatabase={1}ldap,cn=config objectClass: olcPcacheConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}pcache olcPcache: hdb 10000 1 50 100 olcPcacheAttrset: 0 member olcPcacheTemplate: "(objectClass=)" 0 3600 dn: olcDatabase={0}hdb,olcOverlay={0}pcache,olcDatabase={1}ldap,cn=config objectClass: olcPcacheDatabase objectClass: olcHdbConfig objectClass: olcDatabaseConfig objectClass: olcConfig objectClass: top olcDatabase: {0}hdb olcDbDirectory: /var/lib/ldap/cache olcDbIndex: objectClass eq olcDbIndex: pcacheQueryid eq But each time I'm trying to run ldapsearch -b"cn=test2,ou=group,dc=remote" '(objectClass=*)' member I'm getting QUERY NOT ANSWERABLE/QUERY NOT CACHEABLE errors in the log. Besides, it is impossible to modify attributes olcPcacheTemplate/olcPcacheAttrset: modify/add: olcPcacheTemplate: no equality matching rule Can anyone confirm that the one have managed to make slapo pcache working on 2.4.31?

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical