openldap-technical

openldap-technical@openldap.org

13 participants
9794 discussions

RE24 testing call #1 (OpenLDAP 2.4.59)
by Quanah Gibson-Mount 31 May '21

31 May '21

his is the first testing call for OpenLDAP 2.4.59. Depending on the results, this may be the only testing call. Generally, get the code for RE24: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_4/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.4.59 Engineering Fixed libldap TLSv1.3 cipher suites with OpenSSL 1.1.1 (ITS#9521) Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530) Fixed slapd syncrepl handling of add+delete on single value attr (ITS#9295) Fixed slapd-mdb cursor init check (ITS#9526) Fixed slapd-mdb deletion of context entry (ITS#9531) Fixed slapo-pcache locking during expiration (ITS#9529) Contrib Fixed slapo-autogroup to not thrash thead context (ITS#9494) Documentation ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

5 7

Configure autoca in slapd.d
by Stefan Kania 31 May '21

31 May '21

Hallo, I try to get autoca running using the configuration via slapd.d. With slapd.conf it'S working with this configuration: ------- overlay autoca caKeybits 4096 userKeybits 4096 serverKeybits 4096 ------- When I try to configure it with the following settings: --------- dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig olcserverKeybits: 4096 olccaKeybits: 4096 olcuserKeybits: 4096 --------- I'll getting: ------------- additional info: olcserverKeybits: attribute type undefined ------------- If I try to configure autoca with the default values, it works. I use OpenLDAP 2.5.4 on a Debian10 Is there any documentation, more then the manpage? Stefan

2 4

Re: RE25 testing call #1 (OpenLDAP 2.5.5)
by Nick Folino 29 May '21

29 May '21

Make test and make its successful on Fedora 34. Nick On Fri, May 28, 2021 at 5:39 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > This is the first testing call for OpenLDAP 2.5.55. Depending on the > results, this may be the only testing call. > > Generally, get the code for RE25: > > < > https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o… > > > > Extract, configure, and build. > > Execute the test suite (via make test) after it is built. Optionally, cd > tests && make its to run through the regression suite. > > Thanks! > > OpenLDAP 2.5.5 Engineering > Added libldap LDAP_OPT_TCP_USER_TIMEOUT support (ITS#9502) > Added lloadd tcp-user-timeout support (ITS#9502) > Added slapd-asyncmeta tcp-user-timeout support (ITS#9502) > Added slapd-ldap tcp-user-timeout support (ITS#9502) > Added slapd-meta tcp-user-timeout support (ITS#9502) > Fixed incorrect control OIDs for AuthZ Identity (ITS#9542) > Fixed libldap typo in util-int.c (ITS#9541) > Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530) > Fixed libldap better TLS1.3 cipher suite handling (ITS#9521, > ITS#9546) > Fixed lloadd multiple issues (ITS#8747) > Fixed slapd slap_op_time to avoid duplicates across restarts > (ITS#9537) > Fixed slapd typo in daemon.c (ITS#9541) > Fixed slapd slapi compilation (ITS#9544) > Fixed slapd to handle empty DN in extended filters (ITS#9551) > Fixed slapd syncrepl searches with empty base (ITS#6467) > Fixed slapd syncrepl refresh on startup (ITS#9324, ITS#9534) > Fixed slapd-asyncmeta quarantine handling (ITS#8721) > Fixed slapd-asyncmeta to have a default operations timeout > (ITS#9555) > Fixed slapd-ldap quarantine handling (ITS#8721) > Fixed slapd-mdb deletion of context entry (ITS#9531) > Fixed slapd-meta quarantine handling (ITS#8721) > Fixed slapo-accesslog to record reqNewDN for modRDN ops (ITS#9552) > Fixed slapo-pcache locking during expiration (ITS#9529) > Fixed slappw-argon2 module installation (ITS#9548) > Contrib > Update ldapc++/ldaptcl to use configure.ac (ITS#9554) > Documentation > ldap_first_attribute(3) - Document ldap_get_attribute_ber > (ITS#8820) > ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559) > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

RE25 testing call #1 (OpenLDAP 2.5.5)
by Quanah Gibson-Mount 29 May '21

29 May '21

This is the first testing call for OpenLDAP 2.5.55. Depending on the results, this may be the only testing call. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.5.5 Engineering Added libldap LDAP_OPT_TCP_USER_TIMEOUT support (ITS#9502) Added lloadd tcp-user-timeout support (ITS#9502) Added slapd-asyncmeta tcp-user-timeout support (ITS#9502) Added slapd-ldap tcp-user-timeout support (ITS#9502) Added slapd-meta tcp-user-timeout support (ITS#9502) Fixed incorrect control OIDs for AuthZ Identity (ITS#9542) Fixed libldap typo in util-int.c (ITS#9541) Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530) Fixed libldap better TLS1.3 cipher suite handling (ITS#9521, ITS#9546) Fixed lloadd multiple issues (ITS#8747) Fixed slapd slap_op_time to avoid duplicates across restarts (ITS#9537) Fixed slapd typo in daemon.c (ITS#9541) Fixed slapd slapi compilation (ITS#9544) Fixed slapd to handle empty DN in extended filters (ITS#9551) Fixed slapd syncrepl searches with empty base (ITS#6467) Fixed slapd syncrepl refresh on startup (ITS#9324, ITS#9534) Fixed slapd-asyncmeta quarantine handling (ITS#8721) Fixed slapd-asyncmeta to have a default operations timeout (ITS#9555) Fixed slapd-ldap quarantine handling (ITS#8721) Fixed slapd-mdb deletion of context entry (ITS#9531) Fixed slapd-meta quarantine handling (ITS#8721) Fixed slapo-accesslog to record reqNewDN for modRDN ops (ITS#9552) Fixed slapo-pcache locking during expiration (ITS#9529) Fixed slappw-argon2 module installation (ITS#9548) Contrib Update ldapc++/ldaptcl to use configure.ac (ITS#9554) Documentation ldap_first_attribute(3) - Document ldap_get_attribute_ber (ITS#8820) ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Openldap trying to setup mozillaAbPersonAlpha.schema
by bob＠gunas.co.uk 29 May '21

29 May '21

I don't know if this is the best place to ask for help but I can only try please don't shoot me down. I'm new to openldap and find it hard going so any help would great. Trying to setup an Address book to work with Thunderbird. Trying to Include mozillaAbPersonAlpha.schema in to Ldap 2.4.7 on Ubuntu server 20.04.2 The steps I have taken 1) mkdir /tmp/ldapworkingdir 2) cd /tmp/ldapworkingdir/ 3) touch ldap.conf 4) echo "include /etc/ldap/schema/mozillaAbPersonAlpha.schema" > ldap.conf 5) slaptest -f ldap.conf -F . 6) the error message 60b0fc5f /etc/ldap/schema/mozillaAbPersonAlpha.schema: line 148 objectclass: AttributeType not found: "c" slaptest: bad configuration directory! I have tried look for example of how to setup Thunderbird address book but with no look. I do hope someone can help. Thanks Bob H

2 4

radlib.h: No such file or directory - passwd slapd-module
by rguichardspam＠Gmail.com 29 May '21

29 May '21

Hi, while compile passwd slapd-modules, I've got error on Radius compilation. gcc -DOPENLDAP_FD_SETSIZE=4096 -O2 -g -DSLAP_SCHEMA_EXPOSE -g -O2 -I/usr/kerberos/include -I../../../include -I../../../include -I../../../servers/slapd -c radius.c -fPIC -DPIC -o .libs/radius.o radius.c:27:20: fatal error: radlib.h: No such file or directory #include <radlib.h> I've searched which package could provide the radlib file but I didn't found it. Please confirm which package should be used .. or link to the source.. I'm on CentOS

2 1

Using the openldap c api
by matt_hannay1＠yahoo.com.au 27 May '21

27 May '21

We are in the throw of migrating to openldap however we have a problem. we currently have the 2.4 release of the client libraries. I have a problem in the mean time. we have a ldap repository that does not support TLS but only supports the SSL v1.3 standard .....yes I know about the security risks that's why we are migrating. Currently the Old Mozilla C api is in use which I have to replace. From looking at the 2.4 API docs would I be correct in saying the API does not support SSL v1.3 ? Would the Deprecated API calls get me over the line in replacing the mozilla and establishing a SSL connection, Or should I look at going to an older openldap API version? Thanks Matt

1 0

Updating schema in cn=config
by Nick Milas 19 May '21

19 May '21

Hello, We are using PowerDNS with LDAP Backend. At some point the backend schema changed so in order to upgrade we need to change the schema loaded in OpenLDAP. Unfortunately, something seems to be going wrong in the process. What I did: First, I converted the new schema to ldif by creating a dummy conf file: # cat /root/work/dnsdomain2-new.conf include /root/work/core.schema include /root/work/cosine.schema include /root/work/dnsdomain2.schema include /root/work/pdns-domaininfo.schema and then running: # slaptest -f dnsdomain2-new.conf -F dnsdomain2-new.d # slapcat -F dnsdomain2-new.d -bcn=config > dd2new-schema.ldif Then, on the actual config I exported initial config: # slapcat -n0 -F /usr/local/openldap/etc/openldap/slapd.d/ -l /root/work/ldapconf-01.ldif and edited the output (ldapconf-01.ldif) by replacing the whole dnsdomain2 section with the new one (as is in dd2new-schema.ldif file). The initial dnsdomain2 section was {10} so I renumbered the copied schema section from {2} to {10}. In the end of schema definitions section I added pdns-domaininfo definition (copied from dd2new-schema.conf), to which I gave the last number +1, which was {16} (rather than {3}, as it was in the converted file). However, when I try to load this config to a new (empty) slapd.d directory, I get: ========================================================================================== # rm -rf slapd.d # mkdir slapd.d # chown ldap:ldap slapd.d # slapadd -n0 -F ./slapd.d -l /root/work/ldapconf-01.ldif 60a2e22a olcAttributeTypes: value #2 olcAttributeTypes: Unexpected token before SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) AttributeTypeDescription = "(" whsp numericoid whsp ; AttributeType identifier [ "NAME" qdescrs ] ; name used in AttributeType [ "DESC" qdstring ] ; description [ "OBSOLETE" whsp ] [ "SUP" woid ] ; derived from this other ; AttributeType [ "EQUALITY" woid ] ; Matching Rule name [ "ORDERING" woid ] ; Matching Rule name [ "SUBSTR" woid ] ; Matching Rule name [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3 [ "SINGLE-VALUE" whsp ] ; default multi-valued [ "COLLECTIVE" whsp ] ; default not collective [ "NO-USER-MODIFICATION" whsp ]; default user modifiable [ "USAGE" whsp AttributeUsage ]; default userApplications ; userApplications ; directoryOperation ; distributedOperation ; dSAOperation whsp ")" slapadd: could not add entry dn="cn={10}dnsdomain2,cn=schema,cn=config" (line=2256): _############### 76.98% eta none elapsed none spd 1001.2 k/s Closing DB... ========================================================================================== What am I doing wrong in updating the schemas in cn=config? I find the above message difficult to interpret. Note that there are numerous "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )" statements in the schema definition. I include the new dnsdomain2 section for your reference: ========================================================================================== dn: cn={10}dnsdomain2,cn=schema,cn=config objectClass: olcSchemaConfig cn: {10}dnsdomain2 olcAttributeTypes: {0}( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL' DESC 'An integ er denoting time to live' EQUALITY integerMatch ORDERING integerOrderingMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass' DESC 'The cl ass of a resource record' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.14 66.115.121.1.26 ) olcAttributeTypes: {2}( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord' DESC 'a we ll known service description, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {3}( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord' DESC 'doma in name pointer, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5 SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {4}( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord' DESC 'ho st information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {5}( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord' DESC 'ma ilbox or mail list information, RFC 1035' EQUALITY caseIgnoreIA5Match SUBST R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {6}( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord' DESC 'text string, RFC 1035' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrin gsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {7}( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord' DESC 'for R esponsible Person, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreI A5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {8}( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord' DESC 'fo r AFS Data Base location, RFC 1183' EQUALITY caseIgnoreIA5Match SUBSTR case IgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {9}( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord' DESC 'Sign ature, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {10}( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord' DESC 'Key , RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {11}( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord' DESC 'Ge ographical Position, RFC 1712' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {12}( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord' DESC 'IP v6 address, RFC 1886' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {13}( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord' DESC 'Loc ation, RFC 1876' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {14}( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord' DESC 'non -existant, RFC 2535' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {15}( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord' DESC 'ser vice location, RFC 2782' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {16}( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord' DESC 'N aming Authority Pointer, RFC 2915' EQUALITY caseIgnoreIA5Match SUBSTR caseI gnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {17}( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord' DESC 'Key Exchange Delegation, RFC 2230' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnor eIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {18}( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord' DESC 'ce rtificate, RFC 2538' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substr ingsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {19}( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record' DESC 'A6 R ecord Type, RFC 2874' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subst ringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {20}( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord' DESC 'N on-Terminal DNS Name Redirection, RFC 2672' EQUALITY caseIgnoreIA5Match SUB STR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {21}( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord' DESC 'Lis ts of Address Prefixes, RFC 3123' EQUALITY caseIgnoreIA5Match SUBSTR caseIg noreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {22}( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord' DESC 'Dele gation Signer, RFC 3658' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {23}( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord' DESC 'S SH Key Fingerprint, RFC 4255' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnore IA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {24}( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord' DESC 'SSH Key Fingerprint, RFC 4025' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {25}( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord' DESC 'R RSIG, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {26}( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord' DESC 'NS EC, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMat ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {27}( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord' DESC ' DNSKEY, RFC 3755' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substring sMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {28}( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord' DESC 'D HCID, RFC 4701' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {29}( 1.3.6.1.4.1.2428.20.1.50 NAME 'nSEC3Record' DESC 'N SEC record version 3, RFC 5155' EQUALITY caseIgnoreIA5Match SUBSTR caseIgno reIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {30}( 1.3.6.1.4.1.2428.20.1.51 NAME 'nSEC3PARAMRecord' DE SC 'NSEC3 parameters, RFC 5155' EQUALITY caseIgnoreIA5Match SUBSTR caseIgno reIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {31}( 1.3.6.1.4.1.2428.20.1.52 NAME 'tLSARecord' DESC 'TL SA certificate association, RFC 6698' EQUALITY caseIgnoreIA5Match SUBSTR ca seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {32}( 1.3.6.1.4.1.2428.20.1.59 NAME 'cDSRecord' DESC 'Chi ld DS, RFC7344' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsM atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {33}( 1.3.6.1.4.1.2428.20.1.60 NAME 'cDNSKeyRecord' DESC 'DNSKEY(s) the Child wants reflected in DS, RFC7344' EQUALITY caseIgnoreIA5 Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 .26 ) olcAttributeTypes: {34}( 1.3.6.1.4.1.2428.20.1.61 NAME 'openPGPKeyRecord' DE SC 'OpenPGP Key, RFC7929' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {35}( 1.3.6.1.4.1.2428.20.1.64 NAME 'SVCBRecord' DESC 'Se rvice binding, draft-ietf-dnsop-svcb-https-01' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {36}( 1.3.6.1.4.1.2428.20.1.65 NAME 'HTTPSRecord' DESC 'H TTPS service binding, draft-ietf-dnsop-svcb-https-01' EQUALITY caseIgnoreIA 5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.26 ) olcAttributeTypes: {37}( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord' DESC 'Sen der Policy Framework, RFC 4408' EQUALITY caseIgnoreIA5Match SUBSTR caseIgno reIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {38}( 1.3.6.1.4.1.2428.20.1.108 NAME 'EUI48Record' DESC ' EUI-48 address, RFC7043' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {39}( 1.3.6.1.4.1.2428.20.1.109 NAME 'EUI64Record' DESC ' EUI-64 address, RFC7043' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {40}( 1.3.6.1.4.1.2428.20.1.249 NAME 'tKeyRecord' DESC 'T ransaction Key, RFC2930' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {41}( 1.3.6.1.4.1.2428.20.1.256 NAME 'uRIRecord' DESC 'UR I, RFC7553' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {42}( 1.3.6.1.4.1.2428.20.1.257 NAME 'cAARecord' DESC 'Ce rtification Authority Restriction, RFC6844' EQUALITY caseIgnoreIA5Match SUB STR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {43}( 1.3.6.1.4.1.2428.20.1.32769 NAME 'dLVRecord' DESC ' DNSSEC Lookaside Validation, RFC4431' EQUALITY caseIgnoreIA5Match SUBSTR ca seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {44}( 1.3.6.1.4.1.2428.20.1.65226 NAME 'TYPE65226Record' DESC '' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {45}( 1.3.6.1.4.1.2428.20.1.65534 NAME 'TYPE65534Record' DESC '' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcObjectClasses: {0}( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2' SUP dNSDomain STRUCTURAL MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $ HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ APLRecord $ DSRecord $ S SHFPRecord $ IPSECKEYRecord $ RRSIGRecord $ NSECRecord $ DNSKEYRecord $ DHC IDRecord $ NSEC3Record $ NSEC3PARAMRecord $ TLSARecord $ CDSRecord $ CDNSKE YRecord $ OPENPGPKEYRecord $ SVCBRecord $ HTTPSRecord $ SPFRecord $ EUI48Re cord $ EUI64Record $ TKEYRecord $ URIRecord $ CAARecord $ DLVRecord $ TYPE6 5226Record $ TYPE65534Record ) ) structuralObjectClass: olcSchemaConfig entryUUID: 15113670-9f95-49b9-a483-b7d7bf2629ec creatorsName: cn=config createTimestamp: 20111017141815Z entryCSN: 20111017141815.387018Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20111017141815Z ========================================================================================== I even tried to keep the original entryUUID, createTimestamp, entryCSN, modifyTimestamp values (just in case), but it did not make a difference. I appreciate your help. (Note that export of the intial config was done on v2.4.56 and import of the modified config was done on a test server with 2.4.58.) If there is any additional info you may require, I will be glad to provide it. Thanks, Nick

4 12

MDB page growth
by Zetan Drableg 10 May '21

10 May '21

openldap 2.4.57 On 4/14 I ran mdb_copy -c to compact the DB and remove free pages. At that point I had 736k pages/2.9G file size. After compact the database is 41k pages and 140M. This solved my ldap request latency problem (seeing 30 second delays in simple queries when ldap updates are happening). 22 days later, we're at 244k pages and auth latency is up to 2 seconds during updates. The database is now 1G. What accounts for MDB free/unused page growth? We make lots of incremental inserts and removals (Add new user, add user to group, remove user from group, remove user). Removal actions seem to trigger the query latency. Why does a large amount of free pages impact single user removals from large groups? mdb_stat -e /opt/slapd/data Environment Info Map address: (nil) Map size: 17179869184 Page size: 4096 Max pages: 4194304 Number of pages used: 244657 Last transaction ID: 58158791 Max readers: 126 Number of readers used: 18 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 22

5 6

How to enable argon2 module
by Francesco Malvezzi 10 May '21

10 May '21

hi everybody, my problem with argon2 is just the casus belli pointing to something I actually didn't understand in the modules setup. My configure options are: /configure --prefix=/opt/openldap --localstatedir=/var/lib/ --enable-crypt --enable-ppolicy --with-cyrus-sasl --with-tls=openssl --enable-modules --enable-mdb=yes --enable-argon2=yes --with-systemd --enable-accesslog everything compiles and builds fine. test #83 passes: >>>>> Starting test083-argon2 for mdb... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to check that slapd is running... Adding basic structure... Testing ldapwhoami as cn=argon2,dc=example,dc=com... dn:cn=argon2,dc=example,dc=com >>>>> Test succeeded >>>>> test083-argon2 completed OK for mdb after 1 seconds. $ /opt/openldap/sbin/slappasswd -o module-load=/opt/src/openldap-2.5.4/servers/slapd/pwmods/argon2.la -h {ARGON2} -s test {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$n/QsZfaaYWA7pcQmAPrq8A$3FVBbO5zjMzUPRX+YW10yREA7xG4ben2gR08dGoPW1A Without the -o module-load switch slappasswd doesn't recognize the {ARGON2} scheme, but it looked fine to me: I believed I would need to load the module in cn=config with a content like: $ cat ~/ldif/load_argon2_module.ldif dn: cn=module{1} objectClass: olcModuleList cn: module{1} olcModulePath: /opt/openldap/libexec/openldap/ <- argon2.so is not here olcModuleLoad: {0}argon2 structuralObjectClass: olcModuleList but argon2.so is only in the src dir. Of course I didn't understand something very basic, thank you for your time, Francesco

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical