openldap-technical

openldap-technical@openldap.org

13 participants
9906 discussions

Memory leak in 2.4.31 w/ hdb and MMR?
by Brandon Hume 25 May '12

25 May '12

I've got my two-node setup up and running, MMR w/ delta-syncrepl. Node 1 is up and running with ~340k entries in the main DIT. It consumes about 4G of VM on a Redhat AS6 box, and the data dir is around 2.3G on-disk (including __db.* and the one log.* file...), and another 100M in cn=accesslog. I'm bringing up node 2 after nuking the data dir, and letting it syncrepl from nothing. I was tracking a SIGBUS error, but that turned out to be olcLogLevel=Stats+Sync generating a huge amount of logging and filling up the disk. Fixed that, moved on. Now, it's still crashing... but that's because slapd is bloating up hugely and causing the machine to run out of VM and kill the process. I've added about 8G of temporary swap, and it's still going. slapd on node2 is 5.5G resident, and nearly 15G in size total now. On-disk the hdb is only around 1.6G, so it still has a long ways to go. Can I assume this is not the way it should be? vmstat shows a lot of swap-out but almost no swap-in, so it's not thrashing. pmap shows a large number of 64M "anon" segments. 140 of those at one point, and 157 when I checked just now. It looks a lot like a memory leak, though I can't tell offhand whether the problem is in OpenLDAP (2.4.31) or in BerkeleyDB (5.3.15). When it finishes, I'm planning on turning off delta-syncrepl and pave/rebuild again, and see if it behaves the same. I could also give mdb a shot, but since this is a mirror I'd have to rebuild both sides. Any suggestions as to where I could start looking for the source of the problem? Obviously I'm not planning on rebuilding this node on a regular basis (and certainly not all via syncrepl) but I'm concerned that over an extended period of time it'll leak memory even during normal use. I'm including my DB_CONFIG, just in case. I can supply more of the config as necessary. DB_CONFIG: set_cachesize 0 536870912 0 set_lg_regionmax 10485760 set_lg_max 104857600 set_lg_bsize 26214400 set_lk_max_locks 4096 set_lk_max_objects 4096 set_flags DB_LOG_AUTOREMOVE (If anything looks particularly stupid in here, even unrelated to the leak, I'd love the advice...)

3 7

Multi Master syncrepl issue
by Neil Mcbennett 25 May '12

25 May '12

Hello, This is my first post to this list and unfortunately I come here with a problem. I'm not new to LDAP but I am new to OpenLDAP especially the 2.4 release. I am trying to get multi master replication working and I've read the documentation several times. I did wonder if this might be a bug but I still think it's probably a misunderstanding on my part. I have 2 servers configured for multi master replcation which I will refer to as server A and B. If I start both servers I can make changes on server A which are immediately replicated to server B. However if I then start making changes to server B I don't see replication back to A. The same thing happens if I initiate replication from B, then replication to A works but not the other way around. i.e. replication only works in 1 direction which is determined by which server I make changes on first. I am using slapd.conf as I didn't want to complicate matters by introducing online config. The specific version is 2.4.31. Connectivity between the servers is working fine - I can perform LDAP operations in both directions. If someone could take a look at my config I'd much appreciate it. Thanks Neil #slapd.conf Server A (10.5.1.110) pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args include /usr/local/openldap/etc/schema/core.schema include /usr/local/openldap/etc/schema/cosine.schema include /usr/local/openldap/etc/schema/solaris.schema include /usr/local/openldap/etc/schema/inetorgperson.schema include /usr/local/openldap/etc/schema/DUAConfigProfile.schema include /usr/local/openldap/etc/schema/sudo.schema modulepath /usr/local/openldap/libexec moduleload syncprov.la access to attrs=userPassword by self write by * auth by dn="cn=ldapclient,ou=profile,dc=example,dc=com" write access to dn.base="" by * read access to * by self write by users read by anonymous read serverID 1 database hdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw {SSHA}pnqaqMcoMhnDbSRa9WAgDbhBMr/QnUGY lastmod on directory /usr/local/openldap/var/openldap-data index objectclass,uid,uidNumber,memberUid,entryCSN,entryUUID,automountKey eq index cn,sn,gn,mail eq,sub syncrepl rid=001 provider=ldap://10.7.82.3 type=refreshAndPersist searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=manager,dc=example,dc=com" credentials="secret" mirrormode TRUE overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 ####################################################### #slapd.conf server B (10.7.82.3) pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args include /usr/local/openldap/etc/schema/core.schema include /usr/local/openldap/etc/schema/cosine.schema include /usr/local/openldap/etc/schema/solaris.schema include /usr/local/openldap/etc/schema/inetorgperson.schema include /usr/local/openldap/etc/schema/DUAConfigProfile.schema include /usr/local/openldap/etc/schema/sudo.schema modulepath /usr/local/openldap/libexec moduleload syncprov.la access to attrs=userPassword by self write by * auth by dn="cn=ldapclient,ou=profile,dc=example,dc=com" write access to dn.base="" by * read access to * by self write by users read by anonymous read serverID 2 database hdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw {SSHA}pnqaqMcoMhnDbSRa9WAgDbhBMr/QnUGY lastmod on directory /usr/local/openldap/var/openldap-data index objectclass,uid,uidNumber,memberUid,entryCSN,entryUUID,automountKey eq index cn,sn,gn,mail eq,sub syncrepl rid=001 provider=ldap://10.5.1.110 type=refreshAndPersist searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=manager,dc=example,dc=com" credentials="secret" mirrormode TRUE overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 #######################################################

1 0

ACL for nssov-overlay
by Uwe Werler 24 May '12

24 May '12

Hello list, does someone know how I can define an ACL for the socket used by the nssov-overlay? I tried by socket.url="/var/run/nslcd/socket" read but it won't work. Any suggestions? Thanks in advance! Regards Uwe

2 1

slapd hangs upon performing modification of cn=config
by Patrick Hemmer 24 May '12

24 May '12

I have a database which was working fine, but now whenever I go to perform any sort of modification on the database, the modification just hangs. No error, no timeout, just sits there. However while that first modification is hung, I can perform modifications of another database (other than cn=config) and they work just fine. I can even do further searches against cn=config while the modification is still hung. Also when I run slapd in the foreground, and then send it a SIGINT, it says "slapd shutdown: waiting for X operations/tasks to finish" and never ends. I end up having to SIGKILL it. The database is part of a MMR group of servers I was building, but I shut down all the other servers to troubleshoot the issue (it makes no difference whether the other servers are up or down, and they all exhibit the same problem). Where should I start looking to figure out whats going on (the specific operation/task thats hanging)? I can run slapd in debug mode with '-1', but theres a ton of info, and I dont know whats relevant, or which debug mode I should use other than '-1'. Thanks -Patrick

3 7

Anonymous bind allowed when configured not to.
by Kyle Smith 24 May '12

24 May '12

Good Morning, I was recently made aware of a problem with my OpenLDAP 2.4.26 and 2.4.28 servers. I have configured each server to disallow anony using the below directive. ### Disable anony disallow bind_anon This works great for Softerra Ldap Administrator, and the ldapsearch command (linux). $ ldapsearch -x -H ldaps://openldap.example.com -b "ou=peoples,dc=example,dc=com" "(uid=someuser)" ldap_bind: Inappropriate authentication (48) additional info: anonymous bind disallowed However, when I use Jxplorer (http://jxplorer.org/) it not only allows the bind, but allows the search. Right now the ACL is set for "by anonymous read", but shouldn't the disallow directive even prevent the connection? I'm working on getting some debug logs, but if any one has experienced this, please let me know. Thanks. Kyle Smith

2 2

Re: size of bdb database, master vs replica
by Quanah Gibson-Mount 24 May '12

24 May '12

--On Tuesday, May 22, 2012 10:06 AM +0200 Jehan Procaccia <jehan.procaccia(a)tem-tsp.eu> wrote: > Le 21/05/2012 18:33, Quanah Gibson-Mount a écrit : > > --On Monday, May 21, 2012 3:15 PM +0200 jehan procaccia > <jehan.procaccia(a)it-sudparis.eu> wrote: > > > ok __dd.xxx files are memory mapped files, > then which is the file(s) that contains the database ? I suspect > id2entry.bdb, but why on the master the size in KB is: > 195412 id2entry.bdb > and on the slave > 32 id2entry.bdb > > > It doesn't look to me like your replica is replicating at all. Have you > done a slapcat of the two and verified they are identical? > > --Quanah > > > > Ok, then I did a slapcat on a replica and to my big surprise, before I > did the slapcat, bdb files on the replica were very small, then as soon > as I did the slapcat (while slapd is off), now they are similar in size > to the master !? > Do we need to run regularly slapcat on replicas in order to "really" > replicate ? > No. It sounds like you don't have a checkpoint directive set for your database. You should fix that. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 2

dn.exact vs dn.base
by Nick Milas 24 May '12

24 May '12

I was wondering whether there is any difference between dn.exact and dn.base constructs. For example, theoretically (according to the documentation) we can use either: access to dn.base="ou=system,dc=example,dc=com" by dn.exact="uid=userx,ou=people,dc=example,dc=com" write or: access to dn.exact="ou=system,dc=example,dc=com" by dn.base="uid=userx,ou=people,dc=example,dc=com" write It seems to me that the two forms are interchangeable (as used, e.g. here: http://www.openldap.org/faq/data/cache/1140.html) Can you please clarify? Thanks, Nick

3 2

Problem with localhost unauthenticated bind
by Tim Watts 24 May '12

24 May '12

Hi, I'm having a problem with a new LDAP server (slapd 2.4.23-7.2) I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard. The machine itself is considered secure. Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root. How do you enable an "manage" ACL for the entire DN if and only if the access comes via the unix socket? ================ On an aside - I've tried unauthenticated localhost access - but cannot get that to work. This would be less desirable as anyone with ssh access to the server would be abloe to bypass security - but I'm still curious to know what I did wrong. My slapd.d entries are: cat /etc/ldap/slapd.d/cn\=config.ldif ======================================================================= dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: 62952116-3777-1031-8e1b-bfeeb6e70114 creatorsName: cn=config createTimestamp: 20120521095922Z entryCSN: 20120521095922.839791Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20120521095922Z olcAllows: bind_anon_cred bind_anon_dn update_anon ### <<< Added this ======================================================================= cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif ======================================================================= dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=cch,dc=kcl,dc=ac,dc=uk olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by peername.regex=127\.0\.0\.1 manage ###<<< Added olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk olcRootPW:: e1NTSEF9TVFtdlA4Q2FJUjZqOEdpMytlcWd5Zk1BUWFjVmpGM1c= olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq structuralObjectClass: olcHdbConfig entryUUID: 62964ee2-3777-1031-8e25-bfeeb6e70114 creatorsName: cn=admin,cn=config createTimestamp: 20120521095922Z entryCSN: 20120521095922.847576Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20120521095922Z ======================================================================= Sorry this is a bit of a numpty question - I'm learning slapd - in a hurry(!) Many thanks in advance :) Tim -- Tim Watts Personal Email Personal website and blog: http://www.dionic.net/tim/

2 3

Issue upgrading openldap-clients from 2.4.19-15 to 2.4.23-20
by Esther Garcia 24 May '12

24 May '12

Hi all, We have an OpenLDAP server (RHEL6) running version 2.4.23-15, and we have clients in RHEL5 and RHEL6. With clients in RHEL5 works properly but I found some problems with RHEL6 clients in versions newer than 2.4.19-15. In the clients, if I try to upgrade to new versions than 2.4.19-15 then the client stops working: [root@XX ~]# rpm -qa | grep openldap openldap-2.4.19-15.el6.x86_64 openldap-clients-2.4.19-15.el6.x86_64 [root@XX ~]# ldapsearch -x -D 'cn=authenticate, ou=System,dc=test, dc=es' '(objectclass=*)' -W -ZZ Enter LDAP Password: # extended LDIF # # LDAPv3 ...... [root@XX ~]# id esther uid=63004(esther) gid=50041(test) groups=50041(test) [root@XX ~]# yum upgrade openldap* ..... Updating : openldap-2.4.23-20.el6.x86_64 1/4 warning: /etc/openldap/ldap.conf created as /etc/openldap/ldap.conf.rpmnew Updating : openldap-clients-2.4.23-20.el6.x86_64 2/4 Cleanup : openldap-clients-2.4.19-15.el6.x86_64 3/4 Cleanup : openldap-2.4.19-15.el6.x86_64 4/4 Updated: openldap.x86_64 0:2.4.23-20.el6 openldap-clients.x86_64 0:2.4.23-20.el6 Complete! [root@XX ~]# service nslcd restart Stopping nslcd: [ OK ] Starting nslcd: [ OK ] [root@XX ~]# id esther id: esther: No such user [root@XX ~]# ldapsearch -x -D 'cn=authenticate, ou=System,dc=test, dc=es' '(objectclass=*)' -W -ZZ ldap_start_tls: Connect error (-11) I have the same configuration files that used with the older version. I use these configuration files: */etc/pam_ldap.conf:* base dc=test,dc=es binddn cn=authenticate,ou=System,dc=test,dc=es bindpw XXXX timelimit 120 bind_timelimit 120 idle_timelimit 3600 pam_lookup_policy yes pam_password exop nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm ssl start_tls uri ldap://ldap1-test ldap://ldap2-test tls_cacertdir /etc/openldap/cacerts pam_password md5 */etc/nslcd.conf* uid nslcd gid ldap uri ldap://ldap1-test ldap://ldap2-test base dc=test,dc=es binddn cn=authenticate,ou=System,dc=test,dc=es bindpw XXXX ssl start_tls tls_cacertdir /etc/openldap/cacerts timelimit 120 bind_timelimit 120 idle_timelimit 3600 */etc/openldap/ldap.conf:* URI ldap://ldap1-test/ ldap://ldap2-test/ BASE dc=test,dc=es TLS_CACERT /etc/openldap/cacerts/catest.crt *CAcert file:* [root@XX ~]# ls -l /etc/openldap/cacerts/catest.crt -rw-r--r--. 1 root root 1655 May 23 15:23 /etc/openldap/cacerts/catest.crt Any idea on what the issue is? Am I missing anything? Thanks in advance, Esther

2 3

Re: dn.exact vs dn.base
by Turbo Fredriksson 24 May '12

24 May '12

[sorry, should have gone to the list] On Thu, 24 May 2012 14:02:28 +0300, Nick Milas wrote: > access to dn.base="ou=system,dc=example,dc=com" > by dn.exact="uid=userx,ou=people,dc=example,dc=com" write This gives 'uid=userx,...' access to 'ou=system,...' _and everything below it_. > access to dn.exact="ou=system,dc=example,dc=com" > by dn.base="uid=userx,ou=people,dc=example,dc=com" write While this is the opposite - it gives 'uid=userx,...' and any objects below this (not much point in this exact example :) to ONLY the base object 'ou=system,...'. For example: ----- s n i p ----- access to dn.exact="" attrs=supportedSASLMechanisms,namingContexts,subschemaSubentry,objectClass,monitorContext,configContext,entry by domain.subtree="bayour.com" read by peername.ip="127\.0\.0\.1" read by peername.ip="192\.168\.69\.8" read by peername.path="/var/run/slapd/ldapi" read ----- s n i p ----- This gives almost anonymous access to certain attributes to the base DN...

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical