Dears,
OpenLDAP version: 2.5.7
Env: 2 MMR, 2 replicas (test env)
I've set an olcLimits for one user (dn.base) on my DB and it works fine, but in order to move it to my production env, I decided to modify my olcLimits by using (group/groupOfNames/member) and place this user as a member of the group. This also works fine on my test env.
I did the same config on my production env, which is 4 MMR, 4 replicas, and it didn't work :-(
I did a lot of checks to see if there was any difference, but it was exactly the same configuration. I did some other tests on the replicas first by adding a new olcLimits for the concerned user (dn.base), which solved the issue. I decided to remove this new user olcLimits; the olcLimits (group/groupOfNames/member) was still there, and, to my surprise, the limitation for my user was still set to unlimited as expected. I did the same on all replicas, adding the concerned user, removing it, and the limits were OK .... very strange. As it was working on the replicas, I tried the same on the master but no luck, my user stays limited to 500 entries.
Questions: Is there an order to respect in olcLimits types? Why is the config working on the test env and not on the production one?
Thx for advice, Jean-Luc
Dears,
Added info.
In the group used in the olcLimits there are 2 users, and limits are unlimited for the user I added before as "dn.base" but still remain blocked at 500 for the other one, so it seems the olcLimits by group/groupOfNames/member doesn't work correctly.
Can you help me, as it's a blocking issue on my prod systems?
Thx, Jean-Luc.
On Thu, Mar 24, 2022 at 12:27 PM bourguijl@gmail.com wrote:
--On Monday, March 28, 2022 11:25 AM +0200 Jean-Luc Bourguignon bourguijl@gmail.com wrote:
Without knowing your configuration, we can't really provide an answer. Clearly something in your configuration is not what you think it is, but that's the best I can say. Particularly since it works in your non-prod environment but not in production.
Regards, Quanah
Hello Quanah,
I’ll do some tests against my non-prod and I’ll come back to you.
Brgds, Jean-Luc
On 28 Mar 2022, at 18:56, Quanah Gibson-Mount quanah@fast-mail.org wrote:
Hello Quanah,
Here is my configuration on both environments:
olcLimits: {1}group/groupOfNames/member="cn=Sailpoint Access,ou=Applications Groups,ou=Groups,ou=staff,o=mobistar.be" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
and the content of the group:
# Sailpoint Access, Applications Groups, Groups, staff, mobistar.be
dn: cn=Sailpoint Access,ou=Applications Groups,ou=Groups,ou=staff,o=mobistar.be
cn: Sailpoint Access
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=diams,ou=Test,ou=System,o=mobistar.be
uniqueMember: uid=diamst,ou=Test,ou=System,o=mobistar.be
As promised, I did some more tests on my non-prod env, as I already did on my prod one, and I have the same issue. In fact, my olcLimits works for the user I moved from an olcLimits of type "dn.base" to "group/groupOfNames/member" in the group where it's a member, but it doesn't work for the user added afterwards to the group, "diamst" here above.
Let me know if you need some more details to reproduce the issue.
Thx for your help.
Brgds, Jean-Luc.
On Mon, Mar 28, 2022 at 11:56 PM Jean-Luc Bourguignon bourguijl@gmail.com wrote:
--On Tuesday, March 29, 2022 12:35 PM +0200 Jean-Luc Bourguignon bourguijl@gmail.com wrote:
olcLimits: {1}group/groupOfNames/member="cn=Sailpoint Access,ou=Applications Groups,ou=Groups,ou=staff,o=mobistar.be" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
Minor note: you can just put size=unlimited time=unlimited; as documented in the man page, this covers both soft and hard.
and the content of the group:
# Sailpoint Access, Applications Groups, Groups, staff, mobistar.be
dn: cn=Sailpoint Access,ou=Applications Groups,ou=Groups,ou=staff,o=mobistar.be
cn: Sailpoint Access
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=diams,ou=Test,ou=System,o=mobistar.be
uniqueMember: uid=diamst,ou=Test,ou=System,o=mobistar.be
Your olcLimits says that the objectClass your group is using is "groupOfNames" and the membership attribute is "member", but your *actual* object is using "groupOfUniqueNames" and "uniqueMember". These clearly are not compatible statements.
Generally I would suggest using groupOfMembers/member from rfc2307bis if you need to support empty groups. Either way, the group objectClass and membership attributes need to agree with what is actually being used.
Regards, Quanah
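The mismatch Quanah points out (selector says groupOfNames/member, entry is groupOfUniqueNames/uniqueMember) is easy to catch before an olcLimits change reaches production. The script below is an added example for this thread, not code from OpenLDAP or from either poster: it parses a group-style olcLimits value and the group entry's LDIF, reports why the selector can never match the entry, lists which member DNs the selector really covers (none while the classes disagree), and rewrites the selector so objectClass and membership attribute follow the group's actual class, also collapsing equal soft/hard pairs to the size=/time= short form from the man page. The inputs are the values posted above, with the LDIF re-wrapped one attribute per line; the groupOfNames/member defaults for a bare "group=" selector are taken from slapd-config(5), and the DN normalisation is a deliberately crude lower-case-and-strip comparison.

```python
"""Check that an OpenLDAP olcLimits group selector agrees with the group entry it
names.  Added example for this thread; not code from OpenLDAP or the posters.
Inputs are the values posted in the thread (constructed sample input)."""
import re

# olcLimits value as posted (line-fold artifacts such as "G roups" repaired).
OLC_LIMITS = ('{1}group/groupOfNames/member="cn=Sailpoint Access,ou=Applications Groups,'
              'ou=Groups,ou=staff,o=mobistar.be" size.soft=unlimited size.hard=unlimited '
              'time.soft=unlimited time.hard=unlimited')

# The group entry as posted, one attribute per line.
GROUP_LDIF = """\
dn: cn=Sailpoint Access,ou=Applications Groups,ou=Groups,ou=staff,o=mobistar.be
cn: Sailpoint Access
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=diams,ou=Test,ou=System,o=mobistar.be
uniqueMember: uid=diamst,ou=Test,ou=System,o=mobistar.be
"""

# Membership attribute each common group class actually carries.
MEMBER_ATTR = {'groupofnames': 'member', 'groupofuniquenames': 'uniqueMember',
               'groupofmembers': 'member'}   # groupOfMembers comes from rfc2307bis

SELECTOR_RE = re.compile(
    r'^(?:\{\d+\})?group'                                 # optional {n} ordering prefix
    r'(?:/(?P<oc>[^/="\s]+)(?:/(?P<attr>[^="\s]+))?)?'    # [/objectClass[/attribute]]
    r'="(?P<dn>[^"]+)"\s*(?P<limits>.*)$')                # quoted group DN, then limits

def parse_selector(value):
    """Split a group-style olcLimits value into its parts.  A missing oc/attr
    falls back to groupOfNames/member, the defaults documented in slapd-config(5)."""
    m = SELECTOR_RE.match(value.strip())
    if not m:
        raise ValueError('not a group selector: %r' % value)
    limits = dict(tok.split('=', 1) for tok in m.group('limits').split())
    return {'oc': m.group('oc') or 'groupOfNames',
            'attr': m.group('attr') or 'member',
            'dn': m.group('dn'), 'limits': limits}

def parse_ldif(text):
    """Minimal single-entry LDIF reader: lower-cased attribute name -> values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _, val = line.partition(':')
        entry.setdefault(name.strip().lower(), []).append(val.strip())
    return entry

def norm_dn(dn):
    """Crude DN normalisation (lower-case, strip around commas); enough here."""
    return ','.join(p.strip() for p in dn.lower().split(','))

def check(value, ldif):
    """Return the list of reasons the selector can never match this group."""
    spec, entry = parse_selector(value), parse_ldif(ldif)
    problems = []
    if norm_dn(entry.get('dn', [''])[0]) != norm_dn(spec['dn']):
        problems.append('selector DN differs from the entry DN')
    classes = {c.lower() for c in entry.get('objectclass', [])}
    if spec['oc'].lower() not in classes:
        problems.append('entry lacks objectClass %s (has %s)'
                        % (spec['oc'], ', '.join(sorted(classes))))
    if spec['attr'].lower() not in entry:
        problems.append('entry lacks membership attribute %s' % spec['attr'])
    return problems

def covered_members(value, ldif):
    """DNs the selector really covers: none at all while oc/attr disagree with
    the entry, which is the symptom reported in the thread."""
    if check(value, ldif):
        return []
    spec, entry = parse_selector(value), parse_ldif(ldif)
    return [norm_dn(d) for d in entry.get(spec['attr'].lower(), [])]

def corrected_selector(value, ldif):
    """Rewrite the selector so objectClass/attribute follow the group's real
    class, collapsing equal soft/hard pairs to the man page's short form."""
    spec, entry = parse_selector(value), parse_ldif(ldif)
    oc = next((c for c in entry.get('objectclass', []) if c.lower() in MEMBER_ATTR), None)
    if oc is None:
        raise ValueError('group uses no class with a known membership attribute')
    lim = dict(spec['limits'])
    for kind in ('size', 'time'):
        soft, hard = lim.pop(kind + '.soft', None), lim.pop(kind + '.hard', None)
        if soft is not None and soft == hard:
            lim[kind] = soft          # size=unlimited covers both soft and hard
            continue
        if soft is not None:
            lim[kind + '.soft'] = soft
        if hard is not None:
            lim[kind + '.hard'] = hard
    limits = ' '.join('%s=%s' % kv for kv in lim.items())
    return 'group/%s/%s="%s" %s' % (oc, MEMBER_ATTR[oc.lower()], spec['dn'], limits)

if __name__ == '__main__':
    for p in check(OLC_LIMITS, GROUP_LDIF):
        print('PROBLEM:', p)
    print('covered :', covered_members(OLC_LIMITS, GROUP_LDIF))
    fixed = corrected_selector(OLC_LIMITS, GROUP_LDIF)
    print('fixed   :', fixed)
    print('covered :', covered_members(fixed, GROUP_LDIF))
```

Run as-is, it reports the two disagreements (missing objectClass groupOfNames, missing attribute member), shows an empty covered-member list for the posted selector, and prints a corrected value of the form group/groupOfUniqueNames/uniqueMember="..." size=unlimited time=unlimited under which both diams and diamst are covered. The {n} ordering prefix is dropped from the rewritten value because cn=config assigns it on load.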
Hello Quanah,
Thx for having pointed out some config issue I had; I've modified my olcLimits according to your advice and now everything goes well on both my environments.
Brgds, Jean-Luc.
On 29 Mar 2022, at 18:23, Quanah Gibson-Mount quanah@fast-mail.org wrote:
openldap-technical@openldap.org