openldap-technical

openldap-technical@openldap.org

21 participants
9802 discussions

range search on Generalized Time attribute
by Marco Schirrmeister 28 Sep '12

28 Sep '12

Hi, OpenLDAP 2.4.32 and also tried with latest RE24 BDB 4.8.30 My DB_CONFIG looks like this. set_lk_detect DB_LOCK_DEFAULT set_flags DB_TXN_NOSYNC set_flags DB_LOG_AUTOREMOVE set_lg_max 10485760 set_cachesize 0 1073741824 1 set_lk_max_locks 4000 set_lk_max_lockers 4000 set_lk_max_objects 4000 set_lg_regionmax 262144 set_lg_bsize 20971520 set_lg_dir /var/lib/ldap2.4/ogilvy.com/bdb/ In our stage directory I noticed a range search is not returning anything on a specific attribute with generalizedTime syntax. On production it works fine. Here is an example command. $ ldapsearch -x -H ldaps://ds71 -D cn=manager,dc=ogilvy,dc=com -w 'secret' -b ou=people,dc=ogilvy,dc=com -LLL '(&(lastchangeDate<=20111107235959Z)(lastchangeDate>=20111107151200Z))' dn lastchangedate $ I know my entry falls in that range. $ ldapsearch -x -H ldaps://ds71 -D cn=manager,dc=ogilvy,dc=com -w 'secret' -b ou=people,dc=ogilvy,dc=com -LLL '(uid=marco.schirrm*)' lastchangedate dn: uid=marco.schirrmeister(a)ogilvy.com,ou=people,dc=ogilvy,dc=com lastchangeDate: 20111107151301Z $ The attribute is indexed. index lastchangeDate eq Schema has this. SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch I tried recreating the index, but all that did not help. Same problem exists if I use bach-hdb. I tried that same dataset with back-mdb and the search returned what I expected. So I thought it's maybe Berkeley DB bug. I then tried bdb 5.3.15 some time ago and also the latest 5.3.21. I see the same issue with this versions. I first thought it's the amount of entries that cause that issue. It's not really much, but stage has less the prod. So tried to create different test datasets to see if I can reproduce it. I was not able to reproduce it with the test datasets. The ldapsearch always returned what I wanted. I'm now a little bit lost if my DB_CONFIG settings are maybe bad. Or if it is something in Berkeley DB or OpenLDAP. Any ideas? I'm going to switch to mdb soon. But was wondering if that is something serious or not. Here is the slapd.conf. I omitted all the schema includes and index lines. include /etc/openldap2.4/slapd.access.ogilvy.conf pidfile /var/run/ldap2.4/slapd.pid argsfile /var/run/ldap2.4/slapd.args modulepath /usr/lib64/oldap24/openldap2.4 moduleload back_monitor.la moduleload accesslog.la moduleload syncprov.la moduleload auditlog.la TLSCertificateFile /etc/pki/tls/certs/ogilvy.com.crt TLSCertificateKeyFile /etc/pki/tls/private/ogilvy.com.rsa TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt loglevel stats sasl-secprops noplain,noanonymous,noactive serverID 40 ldaps://ds71.ogilvy.com database bdb suffix "dc=ogilvy,dc=com" rootdn "cn=manager,dc=ogilvy,dc=com" rootpw FooBarBaz directory /var/lib/ldap2.4/ogilvy.com limits dn.exact="cn=manager,dc=ogilvy,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited limits dn.exact="uid=replicator,ou=admin,dc=ogilvy,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited limits group/ogilvyGroup/uniqueMember="cn=svcgrp-unlimitedsearch,ou=groups,dc=ogilvy,dc=com" size.soft=unlimited size.hard=unlimited cachesize 150000 dirtyread sizelimit 90000 checkpoint 256 5 conn_max_pending_auth 2000 idlcachesize 450000 dncachesize 150000 monitoring on overlay syncprov syncprov-checkpoint 256 5 syncprov-sessionlog 5000 database config rootdn "cn=admin,cn=config" rootpw FooBarBaz include /etc/openldap2.4/slapd.access.config.conf database monitor rootdn cn=monitor rootpw FooBarBaz -- Marco

1 0

Suggestion about slapd.conf
by Net Warrior 28 Sep '12

28 Sep '12

Hi there I't been long time since I did not administer LDAP, now I have the need to do it again cuz a new proyect , reading the docs I found that lots of interesting things were included and some will be deprecated as for example slapd.conf, I need to apply some ACL, I'm familliar with the old slapd.conf style, but the documentation says slapd.conf will be deprecated sooner latter. My doubt is that it will be deprecated for the core LDAP configuration or if something will be still possible to do through it, reading the documentation ( 2.4 ) I see examples regarding the old style and do not know if that's for compatibility or not. Still I do not get familiar with the oclAccess and the new cn=something structure. Thanks for your time and support Best Regards

1 0

syncrepl failure
by manu＠netbsd.org 28 Sep '12

28 Sep '12

Hi I had a master/replicas setup that has been working for years. Recently, I discovered that a replica sometime failed to return existing entries: no error, it just returned nentries=0, for a few queries, then went back to normal. I suspected some database corruption: I killed slapd, removed the databases, restarted slapd so that it resync from master. It pulled a few hundreds of records and then got its up to date contextCSN while a lot of entries are still missing. Restarting slapd exhibit a stright failure in syncrepl: Sep 28 06:34:29 motul slapd[2901]: do_syncrepl: rid=217 rc -2 retrying How do I debug that? I had the problem with OpenLDAP-2.4.21/ db-4.7.25.3. I tried upgrading the replica to OpenLDAP-2.4.32 / db-4.8.30 but it did not change anything. Is there a chance that upgrading the master (runs 2.4.21 too) will help? During the short time syncrepl runs, logs are filled with stuff like this, I wonder if it is a related problem or not: Sep 28 03:30:16 motul slapd[269]: conn=-1 op=0 => bdb_dn2id_add dn="uid=user,ou=foo,dc=example,dc=net" ID=0x7c: put failed: DB_LOCK_DEADLOCK: Locker killed to r esolve a deadlock -30994 -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

2 2

dynlist, memberof,and authentication
by Richard Pijnenburg 28 Sep '12

28 Sep '12

Hi all, I've created a group with the dynlist overlay to create dynamic groups. Now i want to implement authentication with it but seem to be unable to search on it with nss-pam-lib or sssd. Before i start configuring all that stuff i wanted to see what search/filter string i need to make and been playing around to get the member. When i search with base the dynamic group i get all the members/ # ldapsearch -x -b 'cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com' dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com objectClass: groupOfURLs cn: prod memberURL: ldap:///cn=sysadmin,ou=isp,ou=groups,dc=ispavailability,dc=com?memb er?sub? member: uid=richard,ou=people,dc=ispavailability,dc=com So i thought i'll create a search string for the cn and the member. # ldapsearch -x '(&(cn=prod)(member=uid=richard,ou=people,dc=ispavailability,dc=com))' And i get nothing.... So i thought about using the memberof overlay with it. # ldapsearch -x uid=richard memberof I get the static group trough the memberof overlay but not the dynamic group. Am i missing something or am i trying to do something that's simply not possible? Cheers. Richard

3 3

Implementing ACL, using non-local groups
by Tio Teath 27 Sep '12

27 Sep '12

Is it possible to implement ACL, using groups which are accessed via ldap-proxy, i.e. non-local groups? I've managed to setup authentication for users, which are in remote LDAP server only, but looks like remote groups are ignored in case of using 'group.exact=' statement.

2 1

(no subject)
by Tio Teath 27 Sep '12

27 Sep '12

1 0

Re: nslcd and Ubuntu 10.04
by Adam Wolfe 27 Sep '12

27 Sep '12

Many thanks, Christopher. I'm on nslcd 0.7.2 right now. Definitely a place to start. Very appreciated. Christopher Wood <christopher_wood(a)pobox.com> wrote: >http://ubuntuforums.org/showthread.php?t=1633524 > >http://lists.arthurdejong.org/nss-pam-ldapd-users/2011/msg00082.html > >My fix was to "apt-get source nslcd" on a Debian Squeeze box, then use those files to build a new deb on Ubuntu and shove the result in my repository. Presto, working nslcd on Ubuntu 10.04. > >On Wed, Sep 26, 2012 at 04:46:30PM -0400, Adam Wolfe wrote: >> I'm having trouble keeping my servers connected to our openLDAP server. >> >> All through syslog I see messages like this: >> >> Sep 26 14:06:01 hostname nslcd[930]: [2aeb87] connected to LDAP server >> [1]ldaps://ldap.domain.com/ >> Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_result() failed: Can't >> contact LDAP server >> Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_result() failed: Can't >> contact LDAP server >> Sep 26 14:07:01 hostname nslcd[930]: [aae0a3] ldap_abandon() failed to >> abandon search: Other (e.g., implementation specific) error >> Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_result() failed: Can't >> contact LDAP server >> Sep 26 14:07:01 hostname nslcd[930]: [b2a65f] ldap_abandon() failed to >> abandon search: Other (e.g., implementation specific) error >> Sep 26 14:07:01 hostname nslcd[930]: [74310e] ldap_abandon() failed to >> abandon search: Other (e.g., implementation specific) error >> Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_result() failed: Can't >> contact LDAP server >> Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] ldap_abandon() failed to >> abandon search: Other (e.g., implementation specific) error >> Sep 26 14:07:01 hostname nslcd[930]: [73c9b8] connected to LDAP server >> [2]ldaps://ldap.domain.com/ >> >> I'm at the point where I want to start blaming the server, but this is >> happening on all the new servers I am bringing up (Ubuntu 10.04) and not >> on the older servers (8.04). >> Everything seems fine and we can sudo and su with our ldap accounts and >> then out of no where "so-and-so is not in the sudoers file". A simple "id >> user" re-establishes the connection and all is well again for a while. >> >> Has anyone else ran into this and finally, permanently made it work? >> >> References >> >> Visible links >> 1. file:///tmp/ldaps:/ldap.domain.com/ >> 2. file:///tmp/ldaps:/ldap >

2 1

LDAP URI
by Emmanuel Dreyfus 26 Sep '12

26 Sep '12

Hi When feeding a LDAP URI to ldap_url_parse(), I understand some characters may need to be escaped in filters in order to get a litteral: * => \2a ( => \28 ) => \29 \ => \5c / => \2f Reading the man page, I understand %-encoding is not mandatory, but it is of course required for ?, and obviously for %. ? -> %3F % -> %25 Are there other characters that should be %-encoded? -- Emmanuel Dreyfus manu(a)netbsd.org

6 12

Re: Ldap search that must work
by Amol Kulkarni 26 Sep '12

26 Sep '12

Hi, I had faced similar issue once - the cause was the index on the attribute was corrupt. Reindexing solved the issue. In your case, reindexing the uidnumber attribute should solve the issue. Amol. ----- Original Message ----- From: Aitor Garcia Ortega - Tempel.es Sent: 09/26/12 05:24 PM To: openldap-technical(a)openldap.org Subject: Ldap search that must work I'm feeling som kind of stupid I'm running openldap-servers-2.4.23-26.el6_3.2.x86_64 under Centos 6.3. Using ldapsearch I get this result: ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uid=aitiddnet)' > # extended LDIF > # > # LDAPv3 > # base <o=Iddover,c=Net> with scope subtree > # filter: (uid=aitiddnet) > # requesting: ALL > # > > # aitiddnet, People, Iddover, Net > dn: uid=aitiddnet,ou=People,o=Iddover,c=Net > uid: aitiddnet > cn: Aitor Garcia Ortega - Iddover.net > objectClass: account > objectClass: posixAccount > objectClass: top > objectClass: shadowAccount > objectClass: inetLocalMailRecipient > userPassword:: ************** > shadowLastChange: 14363 > shadowMax: 99999 > shadowWarning: 7 > uidNumber: 546 > gidNumber: 546 > gecos: Aitor Garcia Ortega - Iddover.net > mailLocalAddress: aitor.garcia(a)iddover.net > mailHost: localhost > homeDirectory: /home/aitiddnet > loginShell: /bin/bash > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 But this seconf ldap serch don't work # ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)' > # extended LDIF > # > # LDAPv3 > # base <o=Iddover,c=Net> with scope subtree > # filter: (uidNumber=546) > # requesting: ALL > # > > # search result > search: 2 > result: 0 Success I really don't undertand. In another server with CentOS release 5.6 (Final), openldap-servers-2.3.43-12.el5_6.7 and the same database it works well... # ldapsearch -h localhost -x -b 'o=Iddover,c=Net' '(uidNumber=546)' # extended LDIF # # LDAPv3 # base <o=Iddover,c=Net> with scope subtree # filter: (uidNumber=546) # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 [root@r300te1 ~]# ldapsearch -h 172.16.6.1 -x -b 'o=Iddover,c=Net' '(uidNumber=546)' # extended LDIF # # LDAPv3 # base <o=Iddover,c=Net> with scope subtree # filter: (uidNumber=546) # requesting: ALL # # aitiddnet, People, Iddover, Net dn: uid=aitiddnet,ou=People,o=Iddover,c=Net uid: aitiddnet cn: Aitor Garcia Ortega - Iddover.net objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: inetLocalMailRecipient userPassword:: ***************** shadowLastChange: 14363 shadowMax: 99999

2 1

slapd: do_syncrepl: rid=010 rc -2 retrying (4 retries left)
by Roman Rybalko 26 Sep '12

26 Sep '12

slapd[21334]: do_syncrepl: rid=010 rc -2 retrying (4 retries left) olcSyncrepl: {0}rid=010 provider=ldap://ldap binddn="cn=config" bindmethod=simple credentials=XXX searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 slapd-2.4.23 on master & slave This happens when the slave server is restarted. If make some change to cn=config, then the error disappear. I didn't find any explanation about rc -2. What this is about? -- WBR, Roman Rybalko

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical