Re: slapd-meta

2015-11-17 Thread Quanah Gibson-Mount
--On Tuesday, November 17, 2015 7:57 PM +0200 Fr3ddie wrote:

> On 10/11/2015 13:06, Fr3ddie wrote:
>
>> Hello to the list,
>
> Nobody has any hint?


I suggest reading the code, because the answer is actually fairly obvious 
if you look at slapd-meta/config.c:


   "NAME 'olcMetaTargetConfig' "
   "MUST ( olcMetaSub $ olcDbURI ) "

Yet you aren't using the olcMetaTargetConfig objectClass in your entry.

--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration



Re: slapd-meta

2015-11-17 Thread Fr3ddie

On 10/11/2015 13:06, Fr3ddie wrote:

> Hello to the list,

Nobody has any hint?





Re: sasl-auxprop (and sasl/slapd.conf)

2015-11-17 Thread Dan White

On 11/17/15 18:38 +0100, Simone Piccardi wrote:

> I'm trying to understand which values I can use for the sasl-auxprop
> directives and how to configure (if possible) sasl/slapd.conf.


That's a lot more painful to determine than it should be. Do:

# cat > /sasl/pluginviewer.conf << EOF
ldapdb_uri: ldapi:///
sql_select: select foo from bar
EOF

# pluginviewer -a
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,   API version: 8
 supports store: yes

On Debian based systems, use saslpluginviewer.

To this list, add 'slapd', which is the internal auxprop plugin, and
subtract ldapdb, which should not be used within the slapd server.


> I was trying to use the users created with slappasswd2 -c (as written in
> the Administration guide) but no sasldb file was open by the server (I
> straced out a full session). I tried to put an explicit configuration in
> sasl/slapd.conf, and stracing the server I saw it was open and read, but
> the configuration inside is just ignored.


The auxprop_plugin configuration parameter is ignored. Most/all other
config statements will be honored.


> Reading the manpage I found it says that sasl-auxprops "Specify which
> auxprop plugins to use for authentication lookups." and that the default
> is use the slapd internal support.
>
> But I did not define this one, and sasl/slapd.conf still seems to be
> ignored. And no possible values for the available plugins to use as
> sasl-auxprops parameter are listed.


If you wish to use the sasldb database, specify the 'sasldb' auxprop plugin
(via sasl-auxprops/olcSaslAuxprops), and maintain your authentication
database with saslpasswd2.


> I could get DIGEST-MD5 authentication working putting the password inside
> the server (userPassword in CLEARTEXT), so it seems that the default is
> used anyway. But I'd like to have it working using sasldb or
> configuring sasl/slapd.conf to use saslauthd.


pwcheck_method is honored within sasl/slapd.conf.

--
Dan White



Re: Searches with dereferencing causing high CPU load.

2015-11-17 Thread Howard Chu

Michael Ströder wrote:
> Andrew Findlay wrote:
>> If this happens again, you could try stopping the server and running
>> slapindex rather than reloading everything.
>
> IIRC depending on the data complete reload with slapadd can be faster than
> slapindex. I vaguely remember Quanah reporting test results with back-hdb a
> couple of years ago. Not sure about back-mdb nowadays though.


slapindex on back-mdb is faster than slapadd. But, for the problem being 
discussed here, slapindex is inadequate; you need a full reload with slapadd.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: Searches with dereferencing causing high CPU load.

2015-11-17 Thread Michael Ströder
Andrew Findlay wrote:
> If this happens again, you could try stopping the server and running
> slapindex rather than reloading everything.

IIRC depending on the data complete reload with slapadd can be faster than
slapindex. I vaguely remember Quanah reporting test results with back-hdb a
couple of years ago. Not sure about back-mdb nowadays though.

Ciao, Michael.





Re: Integrate Openldap and Windows Active Directory Server

2015-11-17 Thread Michael Ströder
Howard Chu wrote:
> For simple passthru there is also the slapo-pbind overlay.

Is there any way I can limit which entries are passed through?

It would be very handy if I could specify conditions based on dn regex and/or
LDAP filter. Well, slapo-rwm and a separate backend could be used but
slapo-rwm crashes sometimes.

Ciao, Michael.





sasl-auxprop (and sasl/slapd.conf)

2015-11-17 Thread Simone Piccardi
I'm trying to understand which values I can use for the sasl-auxprop 
directives and how to configure (if possible) sasl/slapd.conf.


I was trying to use the users created with slappasswd2 -c (as written in 
the Administration guide) but no sasldb file was open by the server (I 
straced out a full session). I tried to put an explicit configuration in 
sasl/slapd.conf, and stracing the server I saw it was open and read, but 
the configuration inside is just ignored.


Reading the manpage I found it says that sasl-auxprops "Specify which 
auxprop plugins to use for authentication lookups." and that the default 
is use the slapd internal support.


But I did not define this one, and sasl/slapd.conf still seems to be 
ignored. And no possible values for the available plugins to use as 
sasl-auxprops parameter are listed.


I could get DIGEST-MD5 authentication working putting the password 
inside the server (userPassword in CLEARTEXT), so it seems that the 
default is used anyway. But I'd like to have it working using 
sasldb or configuring sasl/slapd.conf to use saslauthd.


Regards
Simone
--
Simone Piccardi                        Truelite Srl
picca...@truelite.it (email/jabber)    Via Monferrato, 6
Tel. +39-347-1032433                   50142 Firenze
http://www.truelite.it                 Tel. +39-055-7879597  Fax. +39-055-736



Re: Problem making refint_nothing working

2015-11-17 Thread Howard Chu

katgb wrote:
> Hi all,
>
> I tried for some days to make refint overlay work with refint_nothing filled.
>
> The slapo-refint man page says :
>
>    refint_nothing <string>
>           Specify an arbitrary value to be used as a placeholder when the
>           last value would otherwise be deleted from an attribute. This can
>           be useful in cases where the schema requires the existence of an
>           attribute for which referential integrity is enforced. The
>           attempted deletion of a required attribute will otherwise result
>           in an Object Class Violation, causing the request to fail. The
>           string must be a valid DN.
>
> but each time I try to delete the last member from a groupOfNames group, the
> deletion is refused because of schema violation. That's ok without
> refint_nothing but with the string set it should replace last member, right ?


No. The refint_nothing value only affects modifications that the refint 
overlay itself would make when trying to maintain integrity. It doesn't 
interfere with user modification requests at all.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Problem making refint_nothing working

2015-11-17 Thread katgb

Hi all,

I tried for some days to make refint overlay work with refint_nothing 
filled.


The slapo-refint man page says :

   refint_nothing <string>
          Specify an arbitrary value to be used as a placeholder when the
          last value would otherwise be deleted from an attribute. This can
          be useful in cases where the schema requires the existence of an
          attribute for which referential integrity is enforced. The
          attempted deletion of a required attribute will otherwise result
          in an Object Class Violation, causing the request to fail. The
          string must be a valid DN.



but each time I try to delete the last member from a groupOfNames group, 
the deletion is refused because of schema violation. That's ok without 
refint_nothing but with the string set it should replace last member, 
right ?


I tried to increase loglevel to 16383 but can't see any debug for refint 
overlay. So I'm not sure if refint is working or not. Is there another 
way to have some debug information from refint ?


I have included my configuration, ldap tree and log content below. For 
the logs, I have snipped the content to the error directly but can 
provide full log if required.


The tests are running on debian jessie 8.2 and slapd version 
2.4.40+dfsg-1.


And I know I can place the placeholder manually but doing it by hand 
each time is not what I want and, more important, I want to understand 
why the module is not working like it should.


I hope I have posted to the right list and if there is something missing 
please ask.


Thanks for help.




# START CONF LDIF 

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: a00e3106-20ce-1035-8943-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
olcLogLevel: 16383
entryCSN: 20151116173108.585343Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116173108Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}refint
olcModuleLoad: {2}memberof.la
structuralObjectClass: olcModuleList
entryUUID: a00edd9a-20ce-1035-894b-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116172537.271031Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151116172537Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: a00e5a96-20ce-1035-8946-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.131180Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116165546Z

... schema listing skipped as they are not modified ...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
structuralObjectClass: olcBackendConfig
entryUUID: a00ef6cc-20ce-1035-894c-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.135178Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116165546Z

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
entryUUID: a00e4ec0-20ce-1035-8944-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.130875Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20151116165546Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: a00e5654-20ce-1035-8945-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
olcRootPW:: e1NTSEF9NkdpY3VMWFhTUGpBa1IzM3UzcnkxVm1qY2N2ZVZXNHY=
entryCSN: 20151116170655.978168Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151116170655Z

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
st

Re: Integrate Openldap and Windows Active Directory Server

2015-11-17 Thread Howard Chu

Clément OUDOT wrote:
> 2015-11-16 13:45 GMT+01:00 Kaushal Shriyan <kaushalshri...@gmail.com>:
>
>> Hi,
>>
>> Is there a way to integrate Openldap ldap server with Windows Server
>> Active Directory wherein AD will act as Authentication and Openldap will
>> be setup for Authorization?

For simple passthru there is also the slapo-pbind overlay.

>> Any help will be highly appreciable.
>
> Hi,
>
> you can configure OpenLDAP to delegate authentication to AD, either through
> GSSAPI or with SASL passwords. For the last solution, see
> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> I also often synchronize OpenLDAP and AD thanks to LSC project, see
> http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
>
> Clément.




--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: Searches with dereferencing causing high CPU load.

2015-11-17 Thread Mark Cairney



On 17/11/2015 11:26, Andrew Findlay wrote:
> On Tue, Nov 17, 2015 at 11:11:04AM +, Mark Cairney wrote:
>
>> Just as an update- we've managed to restore service. It turns out that
>> we had gone over the value of 65,535 (66,291) aliases which we think was
>> the root cause of this behaviour suddenly starting.
>
> It's a significant number certainly...

We're now down to "only" 41,000 :-)

>> Although it relates to MDB this ITS sounded very similar:
>> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10
>>
>> We started deleting as many aliases as we could but performance only
>> improved slightly. What appears to have fixed it was doing a slapcat of
>> the "pruned" data and re-loading it into the database via slapadd.
>> Having done this searches with deref set to always are now performing as
>> they were before.
>
> If this happens again, you could try stopping the server and running
> slapindex rather than reloading everything.

We did try slapindex but it had little effect. This may have been before 
we'd pruned the numbers of aliases however. It's been a fraught couple 
of days...

>> Ultimately we've been wanting to move away from both a) hdb and b)
>> aliases for a while but one of our user bases runs a web application
>> that requires them as it doesn't support either groups or modifying its
>> search filter. Given this incident there might be a push for them to
>> re-evaluate this approach.
>
> That does sound like a problematic app. There may be other ways of
> solving the problem if you have to keep it though. I would tend to look
> at having a separate instance of slapd to service it, and it might then
> be possible to use mapping overlays to build a view of your data that it
> can cope with. Does the app need to modify LDAP data or is it read-only?

We had suggested that the department run their own OpenLDAP server as a 
replica of our "main" central one and do some cleverness with 
overlays/rewrites/proxies to see a subset of the objects on our server. 
We do have a number of departments who have done this, either by taking 
a feed using a script or using syncrepl + stitching together their DIT 
using overlays/subordinate databases etc.

As far as I'm aware the application itself doesn't need to write back to 
LDAP but the Administrators need write access to create their object 
structure, add new users etc.

I think the first thing I'll do is enjoy the rest of my week off then 
look at setting up a sufficiently beefy testing VM to try and reproduce 
this behaviour with a view to submitting a proper bug report.

Thanks for your help with this.

Kind regards,
Mark

> Andrew



--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.




Re: Keeping mdb files opened while mmapped

2015-11-17 Thread Hallvard Breien Furuseth

On 12. nov. 2015 00:38, Shlomi Vaknin wrote:

When I lsof my process, I am seeing that each mdb file is appearing twice (...)
I know that after mmaping a file, it is not needed to be kept open, and it
seems it is in lmdb.


By default the mmap is read-only, LMDB uses file operations for
updates.  And it keeps an extra file descriptor with the O_DSYNC or
O_SYNC flag for writing the metapage, to avoid a sync() system call.

Unless you use MDB_WRITEMAP: Then it modifies the map directly and
omits the sync descriptor, but it still needs a descriptor if the
user calls mdb_env_set_mapsize() and on Windows for mdb_env_sync().


I know this might simply be an artifact and might not actually be a
contributing reason for my swap ins/outs, but I wanted to hear what do you
think about it?


If you've just written much of the database without MDB_WRITEMAP and
without sync'ing (i.e. not yet committed or you use MDB_NOSYNC),
then you'll have the new data cached for the filesystem and old data
in the map. But hopefully you didn't do that with half a gigabyte at
the same time as you worry about too high VM usage.

--
Hallvard
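The descriptor pattern Hallvard describes above, reproduced with plain POSIX calls as an added example (this is not LMDB's own code and not from this thread): a file is mapped read-only with MAP_SHARED, a second descriptor opened with O_DSYNC carries the metapage write, and the read-only map observes the update because both share the page cache. That is exactly why lsof lists each mdb file twice. A second function shows the MDB_WRITEMAP-style alternative, where the map itself is writable, the page is flushed with msync() and no sync descriptor exists. The metapage layout, its size and the magic value are constructed stand-ins, not LMDB's real format.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define META_PAGE  4096u          /* size of the toy "metapage" (assumption) */
#define META_MAGIC 0xBEEFC0DEu    /* constructed marker, not LMDB's real magic */

/* Toy metapage header; a stand-in for LMDB's, whose real layout differs. */
struct meta {
    uint32_t magic;
    uint32_t txnid;
};

/* Default-mode pattern (no MDB_WRITEMAP): the map is read-only and the
 * metapage is written through a second descriptor opened with O_DSYNC, so
 * the write is durable without a separate fsync()/sync(). Returns the txnid
 * the read-only map observes after the write, or -1 on any failure. */
int demo_readonly_map(uint32_t txnid)
{
    char path[] = "/tmp/lmdb-demo-XXXXXX";
    int result = -1, sync_fd = -1;
    void *map = MAP_FAILED;
    struct meta m = { META_MAGIC, txnid };
    const struct meta *seen;

    int map_fd = mkstemp(path);                 /* descriptor #1: backs the mmap */
    if (map_fd < 0) return -1;
    sync_fd = open(path, O_WRONLY | O_DSYNC);   /* descriptor #2: metapage writes */
    unlink(path);                               /* file lives on only via its fds */
    if (sync_fd < 0 || ftruncate(map_fd, META_PAGE) != 0) goto out;

    map = mmap(NULL, META_PAGE, PROT_READ, MAP_SHARED, map_fd, 0);
    if (map == MAP_FAILED) goto out;

    /* The update never touches the mapping: it goes through sync_fd. */
    if (pwrite(sync_fd, &m, sizeof m, 0) != (ssize_t)sizeof m) goto out;

    /* Yet the read-only MAP_SHARED view sees it, because the map and the
     * write share the kernel page cache. Two fds per file, as lsof shows. */
    seen = map;
    if (seen->magic == META_MAGIC) result = (int)seen->txnid;
out:
    if (map != MAP_FAILED) munmap(map, META_PAGE);
    if (sync_fd >= 0) close(sync_fd);
    close(map_fd);
    return result;
}

/* MDB_WRITEMAP-style pattern: the map is writable, the metapage is modified
 * in place and flushed with msync(); no sync descriptor is needed. Returns
 * the txnid read back from the file through the single descriptor. */
int demo_writemap(uint32_t txnid)
{
    char path[] = "/tmp/lmdb-demo-XXXXXX";
    int result = -1;
    struct meta *map = MAP_FAILED;
    struct meta back;

    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (ftruncate(fd, META_PAGE) != 0) goto out;

    map = mmap(NULL, META_PAGE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) goto out;
    map->magic = META_MAGIC;
    map->txnid = txnid;                          /* direct store into the map */
    if (msync(map, META_PAGE, MS_SYNC) != 0) goto out;

    if (pread(fd, &back, sizeof back, 0) == (ssize_t)sizeof back &&
        back.magic == META_MAGIC)
        result = (int)back.txnid;
out:
    if (map != MAP_FAILED) munmap(map, META_PAGE);
    close(fd);
    return result;
}

int main(void)
{
    printf("read-only map observes txnid %d\n", demo_readonly_map(7));
    printf("writemap file holds txnid %d\n", demo_writemap(8));
    return 0;
}
```

Run it under `lsof -p` (or `ls -l /proc/<pid>/fd`) while paused inside demo_readonly_map and the deleted temp file shows up twice, once for the map and once for the O_DSYNC writer; in demo_writemap it shows up once.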



Re: Searches with dereferencing causing high CPU load.

2015-11-17 Thread Andrew Findlay
On Tue, Nov 17, 2015 at 11:11:04AM +, Mark Cairney wrote:

> Just as an update- we've managed to restore service. It turns out that
> we had gone over the value of 65,535 (66,291) aliases which we think was
> the root cause of this behaviour suddenly starting.

It's a significant number certainly...

> Although it relates to MDB this ITS sounded very similar:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10
> 
> We started deleting as many aliases as we could but performance only
> improved slightly. What appears to have fixed it was doing a slapcat of
> the "pruned" data and re-loading it into the database via slapadd.
> Having done this searches with deref set to always are now performing as
> they were before.

If this happens again, you could try stopping the server and running
slapindex rather than reloading everything.

> Ultimately we've been wanting to move away from both a) hdb and b)
> aliases for a while but one of our user bases runs a web application
> that requires them as it doesn't support either groups or modifying its
> search filter. Given this incident there might be a push for them to
> re-evaluate this approach.

That does sound like a problematic app. There may be other ways of
solving the problem if you have to keep it though. I would tend to look
at having a separate instance of slapd to service it, and it might then
be possible to use mapping overlays to build a view of your data that it
can cope with. Does the app need to modify LDAP data or is it read-only?

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                        +44 1628 782565 |
---



Re: Searches with dereferencing causing high CPU load.

2015-11-17 Thread Mark Cairney
Hi,

Just as an update- we've managed to restore service. It turns out that
we had gone over the value of 65,535 (66,291) aliases which we think was
the root cause of this behaviour suddenly starting.

Although it relates to MDB this ITS sounded very similar:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10

We started deleting as many aliases as we could but performance only
improved slightly. What appears to have fixed it was doing a slapcat of
the "pruned" data and re-loading it into the database via slapadd.
Having done this searches with deref set to always are now performing as
they were before.

Ultimately we've been wanting to move away from both a) hdb and b)
aliases for a while but one of our user bases runs a web application
that requires them as it doesn't support either groups or modifying its
search filter. Given this incident there might be a push for them to
re-evaluate this approach.



On 16/11/15 18:44, Mark Cairney wrote:
> Hi Andrew,
> 
> Thanks for getting back. I saw your report for mdb actually. I can
> confirm that I've got "olcDBIndex objectlass eq" set on my servers.
> 
> Everyone keeps telling me that about aliases but unfortunately we've got
> a group of users who require them to act in lieu of groups to support
> their application i.e. they have OUs filled with aliases back to user
> accounts in the main user OU.
> 
> We've started deleting old/hanging OUs and it's made a small improvement
> but it's still taking 20-30s per query rather than returning almost
> instantly like it was before.
> 
> 
> 
> On 16/11/15 18:10, Andrew Findlay wrote:
>> On Mon, Nov 16, 2015 at 03:13:11PM +, Mark Cairney wrote:
>>
>>> We're having severe performance issues for any query with alias
>>> dereferencing set to "always".
>>>
>>> Any query with this causes the CPU to spin up to 100% and if we have a
>>> number of these concurrently the machine will become unresponsive.
>>
>> I hit something similar a while ago using mdb:
>>
>> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146
>>
>>> We're using OpenLDAP 2.4.42 with the old hdb backend.
>>>
>>> We do have a large number of aliases (~63,000). Could this be the cause?
>>
>> It would be worth checking that you have indexed the objectclass attribute.
>>
>> I prefer to avoid aliases...
>>
>> Andrew
>>
> 

-- 
/

Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk
PGP: 0x435A9621

***/






Re: Integrate Openldap and Windows Active Directory Server

2015-11-17 Thread Kaushal Shriyan
Thanks a Lot Clement. I will go through it and ask questions here if I have
any during setup.

Regards,

Kaushal

On Tue, 17 Nov 2015 at 16:17 Clément OUDOT  wrote:

> 2015-11-16 13:45 GMT+01:00 Kaushal Shriyan :
>
>> Hi,
>>
>> Is there a way to integrate Openldap ldap server with Windows Server
>> Active Directory wherein AD will act as Authentication and Openldap will be
>> setup for Authorization?
>>
>> Any help will be highly appreciable.
>>
>
>
> Hi,
>
> you can configure OpenLDAP to delegate authentication to AD, either through
> GSSAPI or with SASL passwords. For the last solution, see
> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> I also often synchronize OpenLDAP and AD thanks to LSC project, see
> http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
>
> Clément.
>
>


Re: Integrate Openldap and Windows Active Directory Server

2015-11-17 Thread Clément OUDOT
2015-11-16 13:45 GMT+01:00 Kaushal Shriyan :

> Hi,
>
> Is there a way to integrate Openldap ldap server with Windows Server
> Active Directory wherein AD will act as Authentication and Openldap will be
> setup for Authorization?
>
> Any help will be highly appreciable.
>


Hi,

you can configure OpenLDAP to delegate authentication to AD, either through
GSSAPI or with SASL passwords. For the last solution, see
http://ltb-project.org/wiki/documentation/general/sasl_delegation

I also often synchronize OpenLDAP and AD thanks to LSC project, see
http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory

Clément.