openldap-technical

openldap-technical@openldap.org

11 participants
9876 discussions

posixAccount Object creation failing in 2.4.23 with ndb backend
by Nathanael Anderson 16 Dec '10

16 Dec '10

after I include the nis schema in slapd.conf and try to create a user with the new attributes, I recieve this error: ndb_oc_create: CREATE TABLE posixAccount failed, Can't create table 'OpenLDAP.posixAccount' (errno: 157) (1005) ndb_back_add: ndb_entry_put_data failed (80) Tuple did not exist(626) This seems like a ndb backend issue. I have lots of free space in my OpenLDAP ndb backend database for more tables and rows. mysql> select * from memoryusage; +---------+--------------+---------+------------+------------+---------+ | node_id | memory_type | used | used_pages | total | total_pages | +---------+--------------+---------+------------+------------+---------+ | 3 | Data memory | 2457600 | 75 | 1073741824 | 2768 | | 3 | Index memory | 475136 | 58 | 268697600 | 32800 | | 4 | Data memory | 2457600 | 75 | 1073741824 | 32768 | | 4 | Index memory | 475136 | 58 | 268697600 | 32800 | +---------+--------------+---------+------------+------------+---------+ 4 rows in set (0.00 sec) and manual table creation works fine. mysql> create table person2 (sn varchar(128)) engine=ndbcluster; Query OK, 0 rows affected (0.06 sec) mysql> drop table person2; Query OK, 0 rows affected (0.03 sec) any idea's? Nathanael

1 0

BDB File Size...
by Rowley, Mathew 16 Dec '10

16 Dec '10

I recently deleted about 25k entries in a specific OU. Since, the memory usage of the slapd process has consistently stayed at 70%-75% cpu usage: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 29911 openldap 18 0 12.6g 10g 4.1g S 0 69.6 1003:25 slapd I have also noticed that the DB files have stayed the same size - specifically one is 4gigs: -rw------- 1 openldap openldap 4.0G Nov 30 21:18 __db.003 On a slave to this box, the file size is drastically lower: -rw------- 1 openldap openldap 321M Dec 16 05:02 __db.003 I am assuming that the reason the CPU and memory usage is so high due to trying to keep the entire directory structure in memroy. Is this normal behavior? Is there a way to purge the database files? One other thing that happened was the slaves that are syncing to this server did not update the OU described above. Any help would be great. Thanks.

2 3

enabling monitoring of database
by kibirango moses 16 Dec '10

16 Dec '10

I have installed openldap and on testing the out below is given .How can i configure monitor database ? I thought it is enabled by --enable monitor root@mailbackup:/# slaptest -v -f /etc/openldap/slapd.conf bdb_monitor_db_open: monitoring disabled; configure monitor database to enable config file testing succeeded Installation command : ./configure --sysconfdir=/etc --with-cyrus-sasl --with-threads --with-tls --with-yielding-select --with-mp --enable-slapd --enable-slurpd --enable-cleartext --enable-bdb --enable-ldap --enable-monitor --enable-perl --enable-sql --enable-syslog --enable-spasswd

2 1

failing to "make test" in openldap installation
by kibirango moses 16 Dec '10

16 Dec '10

Hullo everyone I am installing Openldap but in am failing to test and below are my installation commands: env CPPFLAGS="-I/usr/local/BerkeleyDB.5.1/include -I/usr/local/ssl/include/openssl" \ LDFLAGS="-L/usr/local/BerkeleyDB.5.1/lib -L/usr/local/ssl/lib" \ ./configure --sysconfdir=/etc --with-cyrus-sasl --with-threads --with-tls --with-yielding-select --with-mp --enable-slapd --enable-slurpd --enable-cleartext --enable-bdb --enable-ldap --enable-monitor --enable-perl --enable-sql --enable-syslog --enable-spasswd make test has the following errors at the end Initiating LDAP tests for BDB... Could not locate slapd(8) make[2]: *** [bdb-yes] Error 1 make[2]: Leaving directory `/usr/local/src/openldap-2.4.23/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/usr/local/src/openldap-2.4.23/tests' make: *** [test] Error 2 *root@mailbackup:/usr/local/src/openldap-2.4.23#* Anybody to help me go over this? Thanx

2 1

Unable to authenticate with "secondary" uids, slapd 2.4.23, centos5.5
by Chan Wilson 16 Dec '10

16 Dec '10

Hi all, I have several LDAP trees and installs (2.4.23, centos 5.5, bdb) that utilize "secondary" uids as the sites are in the process of migrating user IDs. In essence, allowing both "user" and "user.name" to authenticate as the same "user" account: dn: uid=user,ou=people,dc=example,dc=com uid: user uid: user.name This has all been working beautifully since inception with 2.4.21. However, "something changed" either at the O/S level or slapd level to break this, and I'm at a loss as to what to look at next. When doing an ldapsearch -D with the "secondary" uid, it fails, and the server-side has a return from bdb_dn2id -- "get failed: DB_NOTFOUND: No matching key/data pair found (-30988)", which implies that the BDB index file for uid doesn't contain the additional uids. Not sure how to look at that, slapd_db_dump doesn't reveal anything human-parsable. Does this ring any bells? Was it just a fluke that this worked? thanks, --Chan

2 1

problem with ldap_search _ext and ldap_result
by siva prakash 16 Dec '10

16 Dec '10

After binding the ldap server, here are my code snippets, finished = 0; rc = ldap_search_ext( ld, "testactivedirectory.com", sub_tree, "(sAMAccountName=user1)", NULL, 0, NULL, NULL, NULL, 1, &msgid ); if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "ldap_search_ext: %s \n", ldap_err2string( rc ) ); ldap_unbind( ld ); return( 1 ); } while (!finished) { rc = ldap_result( ld, msgid, LDAP_MSG_ONE, &zerotime, &res ); printf("check the search result :%d\n", rc); switch ( rc ) { case -1: fprintf( stderr, "ldap_result: %s\n", ldap_err2string( rc ) ); ldap_unbind( ld ); return( 1 ); case 0: break; case LDAP_RES_SEARCH_ENTRY: /* Get and print the DN of the entry. */ if (( dn = ldap_get_dn( ld, res )) != NULL ) { printf( "dn-> %s\n", dn ); ldap_memfree( dn ); } break; case LDAP_RES_SEARCH_RESULT: finished = 1; break; default: break; } } while running this program, i could get the intended result what the distinguished name i want, but the ldap_result in not being exit with LDAP_RES_SEARCH_RESULT option. it tooks lot of time to respond with LDAP_RES_SEARCH_RESULT, even no more entry to provide. check the search result :100 dn-> CN=user1,CN=Users,DC=testactivedirectory,DC=com (it waits in looop... it exits after a very long time) check the search result :101 i wanted to avoid this waiting time, even i have been sending entries should be limited to 1, it doesn't seems to be reflected, i have found other way of fixing this, doing two bind and two unbind option. but that is not seems a optimized manner. Let me know how to fix this problem, Thanks, LDAP Learner

1 0

openldap and kerberos integration
by Thierry Lacoste 16 Dec '10

16 Dec '10

Hello, I'm experimenting with integrating Kerberos and OpenLDAP following roughly http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT I'm using CentOS and Buchan Milne's repository (http://staff.telkomsa.net/packages/rhel5/ ) both for OpenLDAP and Heimdal. I've almost succeeded except for password integration. It seems that the smbk5pwd module provided by openldap2.4- servers-2.4.22-1.el5 in /usr/lib/openldap2.4/smbpwd.so is built without kerberos support. With "smbk5pwd-enable krb5" I have the following error: /etc/openldap2.4/slapd.conf: line 154: smbk5pwd: <smbk5pwd-enable> module "smbk5pwd-enable" only allowed when compiled with -DDO_KRB5. What is the easiest option to get a kerberos supporting smbk5pwd? BTW I'd appreciate any recommandations about providing kerberos and LDAP authentication (with the same password) in a production setting. Should I use Heimdal or MIT kerberos ? If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or let Kerberos use its native backend? If OpenLDAP as a backend, is it better to use {K5KEY} as the userPassword or let smbk5pwd synchronize everything? Best regards, Thierry

4 11

Re: Re: how to analysis openldap log
by owen nirvana 16 Dec '10

16 Dec '10

> > I could not find apis for analysising log. > > > > Thanks for help! > What kind of log are you referring to? > syslog, log database or monitor database? log databasem, the files like log.000000x in /var/ldap/ gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

2 1

how to implement default groups?
by Judd Maltin 15 Dec '10

15 Dec '10

Hi folks, how to implement default groups? I'd like to setup a "default" group entry that automatically includes the bindDN as a member. Better yet, I'd like to indicate a regex for members of the group. There's all sorts of nice things that can be done with ACLs, but they're irrelevant. And there's nothing in dynlist or other overlays that will help me. Am I barking up the wrong tree? Thanks, -judd -- Judd Maltin T: 917-882-1270 T: 888-639-4614 F: 501-694-7809 Gratitude is the end of despair and the beginning of joy.

1 0

New Attributes, ACL, and Indices
by Andy Carlson 15 Dec '10

15 Dec '10

I have recently added a few new attributes to an existing object class (this was a custom object class, not an out-of-the-box one). I also created a few olcAccess (ACL) entries to enable access to these new attributes and olcDbIndex entries to index the values of the attributes. I added all of these using the cn=config directory structure containers. It is my understanding that unless I modify schema/ldif files on the server that these changes will be lost upon server/service restart. I have the idea that these are the correct folder, but since I've never done this before I'm seeking confirmation/direction. The ACLs and Indices appear to be located in the /opt/<Server-Instance>/common/setup folder. In this folder there is an olcAccess.bdb.ldif file (which appears to hold the ACLs). There's also an LDIF file for the frontend and monitor container located within cn=config. The attributes appear to be located in the /opt/<Server-Instance>1/etc/openldap/schema.mbi folder (mbi is an identifier for our organization). In this folder there is a file named mbiUser.schema (mbiUser is the custom object class). I suspect that this is where the attributes would be stored. Again, this is a non-exhaustive listing of a few things that caught my eye. Let me know if you have any thoughts or suggestions. Thanks much, Andy Carlson Identity Administrator | Information Systems Moody Bible Institute 820 N. LaSalle Blvd., Chicago, IL 60610 312-329-4385 www.moodyministries.net<http://www.moodyministries.net> >From the Word. To Life.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical