Re: slapd-meta
--On Tuesday, November 17, 2015 7:57 PM +0200 Fr3ddie wrote:

> On 10/11/2015 13:06, Fr3ddie wrote:
>> Hello to the list,
>
> Nobody has any hint?

I suggest reading the code, because the answer is actually fairly obvious if you look at slapd-meta/config.c:

    "NAME 'olcMetaTargetConfig' "
    "MUST ( olcMetaSub $ olcDbURI ) "

Yet you aren't using the olcMetaTargetConfig objectClass in your entry.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
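As an added illustration (not from this thread and not OpenLDAP code), here is a small pre-flight check one can run over a cn=config LDIF before feeding it to ldapadd: it parses the LDIF and reports target entries that lack the olcMetaTargetConfig objectClass or its MUST attributes olcMetaSub and olcDbURI, the definition Quanah quotes from slapd-meta/config.c. The two sample LDIFs are constructed; the olcMetaSub={0}uri RDN and the quoted olcDbURI value follow the usual cn=config layout of a meta target but are assumptions here, as is taking olcDatabase as the only MUST of olcDatabaseConfig.

```python
import base64
import re

# MUST attributes for the objectClasses this check knows about. The first line is
# the definition quoted from slapd-meta/config.c; olcDatabaseConfig's MUST
# (olcDatabase) is an assumption taken from slapd's own config schema.
MUST = {
    "olcMetaTargetConfig": {"olcMetaSub", "olcDbURI"},
    "olcDatabaseConfig": {"olcDatabase"},
}

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    '::' base64 values, skips comments, returns [(dn, {attr: [values]})] in order."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # folded continuation line
        elif not raw.startswith("#"):
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def get_attr(attrs, name):
    """Attribute names are case-insensitive in LDAP, so look them up that way."""
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])


def missing_must(attrs):
    """{objectClass: [missing MUST attrs]} for the objectClasses listed in MUST."""
    present = {k.lower() for k, v in attrs.items() if v}
    problems = {}
    for oc in get_attr(attrs, "objectClass"):
        missing = sorted(a for a in MUST.get(oc, ()) if a.lower() not in present)
        if missing:
            problems[oc] = missing
    return problems


def check_meta_config(text):
    """Report {dn: [issues]} for a cn=config LDIF holding a meta database and its targets."""
    report = {}
    for dn, attrs in parse_ldif(text):
        ocs = get_attr(attrs, "objectClass")
        issues = []
        # A target entry hangs off the meta database with an olcMetaSub RDN; without
        # the olcMetaTargetConfig objectClass slapd does not treat it as a target.
        if dn.lower().startswith("olcmetasub=") and "olcMetaTargetConfig" not in ocs:
            issues.append("missing objectClass olcMetaTargetConfig")
        for oc, miss in missing_must(attrs).items():
            issues.append(f"{oc} MUST {' $ '.join(miss)}")
        if issues:
            report[dn] = issues
    return report


# Constructed sample: a meta database with one correctly declared target
# (the olcDbURI value is folded over two lines to exercise the parser).
GOOD_LDIF = """\
dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=example,dc=com

dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://ldap.example.com/dc=exam
 ple,dc=com"
"""

# Constructed sample of the mistake discussed: the first target never declares
# olcMetaTargetConfig, the second declares it but forgets olcMetaSub.
BAD_LDIF = """\
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaConfig
olcDbURI: "ldap://ldap.example.com/dc=example,dc=com"

dn: olcMetaSub={1}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcDbURI: "ldap://ldap2.example.com/dc=example,dc=com"
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_LDIF), ("bad", BAD_LDIF)):
        print(label, check_meta_config(text) or "ok")
```

Run against a `slapcat -n 0` dump the same check flags any target entry whose objectClass or MUST set is off, which is the error slapd otherwise reports only at load time.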
Re: slapd-meta
On 10/11/2015 13:06, Fr3ddie wrote:
> Hello to the list,

Nobody has any hint?
Re: sasl-auxprop (and sasl/slapd.conf)
On 11/17/15 18:38 +0100, Simone Piccardi wrote:
> I'm trying to understand which values I can use for the sasl-auxprop directives and how to configure (if possible) sasl/slapd.conf.

That's a lot more painful to determine than it should be. Do:

    # cat > /sasl/pluginviewer.conf << EOF
    ldapdb_uri: ldapi:///
    sql_select: select foo from bar
    EOF
    # pluginviewer -a
    Installed and properly configured auxprop mechanisms are: sasldb
    List of auxprop plugins follows
    Plugin "sasldb" , API version: 8
            supports store: yes

On Debian based systems, use saslpluginviewer.

To this list, add 'slapd', which is the internal auxprop plugin, and subtract ldapdb, which should not be used within the slapd server.

> I was trying to use the users created with slappasswd2 -c (as written in the Administration guide) but no sasldb file was open by the server (I straced out a full session). I tried to put an explicit configuration in sasl/slapd.conf, and stracing the server I saw it was open and read, but the configuration inside is just ignored.

The auxprop_plugin configuration parameter is ignored. Most/all other config statements will be honored.

> Reading the manpage I found it says that sasl-auxprops "Specify which auxprop plugins to use for authentication lookups." and that the default is to use the slapd internal support. But I did not define this one, and sasl/slapd.conf still seems to be ignored. And no possible values for the available plugins to use as sasl-auxprops parameter are listed.

If you wish to use the sasldb database, specify the 'sasldb' auxprop plugin (via sasl-auxprops/olcSaslAuxprops), and maintain your authentication database with saslpasswd2.

> I could get DIGEST-MD5 authentication working putting the password inside the server (userPassword in CLEARTEXT), so it seems that the default is used anyway. But I'd like to have it working using sasldb or configuring sasl/slapd.conf to use saslauthd.

pwcheck_method is honored within sasl/slapd.conf.

-- 
Dan White
Re: Searches with dereferncing causing high CPU load.
Michael Ströder wrote:
> Andrew Findlay wrote:
>> If this happens again, you could try stopping the server and running slapindex rather than reloading everything.
>
> IIRC, depending on the data, a complete reload with slapadd can be faster than slapindex. I vaguely remember Quanah reporting test results with back-hdb a couple of years ago. Not sure about back-mdb nowadays though.

slapindex on back-mdb is faster than slapadd. But, for the problem being discussed here, slapindex is inadequate; you need a full reload with slapadd.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: Searches with dereferncing causing high CPU load.
Andrew Findlay wrote:
> If this happens again, you could try stopping the server and running
> slapindex rather than reloading everything.

IIRC, depending on the data, a complete reload with slapadd can be faster than slapindex. I vaguely remember Quanah reporting test results with back-hdb a couple of years ago. Not sure about back-mdb nowadays though.

Ciao, Michael.
Re: Integrate Openldap and Windows Active Directory Server
Howard Chu wrote:
> For simple passthru there is also the slapo-pbind overlay.

Is there any way I can limit which entries are passed through? It would be very handy if I could specify conditions based on dn regex and/or LDAP filter.

Well, slapo-rwm and a separate backend could be used but slapo-rwm crashes sometimes.

Ciao, Michael.
sasl-auxprop (and sasl/slapd.conf)
I'm trying to understand which values I can use for the sasl-auxprop directives and how to configure (if possible) sasl/slapd.conf.

I was trying to use the users created with slappasswd2 -c (as written in the Administration guide) but no sasldb file was open by the server (I straced out a full session). I tried to put an explicit configuration in sasl/slapd.conf, and stracing the server I saw it was open and read, but the configuration inside is just ignored.

Reading the manpage I found it says that sasl-auxprops "Specify which auxprop plugins to use for authentication lookups." and that the default is to use the slapd internal support. But I did not define this one, and sasl/slapd.conf still seems to be ignored. And no possible values for the available plugins to use as sasl-auxprops parameter are listed.

I could get DIGEST-MD5 authentication working putting the password inside the server (userPassword in CLEARTEXT), so it seems that the default is used anyway. But I'd like to have it working using sasldb or configuring sasl/slapd.conf to use saslauthd.

Regards
Simone
-- 
Simone Piccardi                          Truelite Srl
picca...@truelite.it (email/jabber)      Via Monferrato, 6
Tel. +39-347-1032433                     50142 Firenze
http://www.truelite.it                   Tel. +39-055-7879597  Fax. +39-055-736
Re: Problem making refint_nothing working
katgb wrote:
> Hi all,
>
> I tried for some days to make refint overlay work with refint_nothing filled. The slapo-refint man page says :
>
>     refint_nothing
>         Specify an arbitrary value to be used as a placeholder when the last value would otherwise be deleted from an attribute. This can be useful in cases where the schema requires the existence of an attribute for which referential integrity is enforced. The attempted deletion of a required attribute will otherwise result in an Object Class Violation, causing the request to fail. The string must be a valid DN.
>
> but each time I try to delete the last member from a groupOfNames group, the deletion is refused because of schema violation. That's ok without refint_nothing but with the string set it should replace last member, right ?

No. The refint_nothing value only affects modifications that the refint overlay itself would make when trying to maintain integrity. It doesn't interfere with user modification requests at all.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
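As an added illustration (editor's code, not slapo-refint and not from this thread), here is a toy model of the rule Howard states: a client's own modify that strips the last member of a groupOfNames fails the schema check no matter what refint_nothing is set to, while deleting the member's entry makes refint repair the group and substitute the placeholder. The sample DIT, the placeholder DN cn=nobody,dc=example,dc=com and the single watched attribute are assumptions; the real overlay normalizes DNs and also handles renames, which the toy skips.

```python
from copy import deepcopy

# Toy model of slapo-refint's refint_nothing behaviour; added example code, not
# OpenLDAP source. DNs are compared as plain strings and only one attribute is
# watched, which is enough to show where the placeholder does and does not apply.
REFINT_ATTRS = ("member",)                         # refint_attributes member
REFINT_NOTHING = "cn=nobody,dc=example,dc=com"     # refint_nothing placeholder (assumed value)
MUST = {"groupOfNames": ("cn", "member")}          # groupOfNames MUST ( member $ cn )


class ObjectClassViolation(Exception):
    """Stand-in for LDAP result code 65 (objectClassViolation)."""


def check_schema(entry):
    for oc in entry["objectClass"]:
        for attr in MUST.get(oc, ()):
            if not entry.get(attr):
                raise ObjectClassViolation(f"{oc} requires {attr}")


def modify_delete_values(dit, dn, attr, values):
    """A client's own 'changetype: modify / delete: member' request. refint is not
    involved on this path at all; only the schema check runs on the client's result."""
    entry = deepcopy(dit[dn])
    entry[attr] = [v for v in entry.get(attr, []) if v not in values]
    check_schema(entry)                 # last member removed -> objectClassViolation
    dit[dn] = entry


def delete_entry(dit, dn):
    """A client deletes an entry; refint then strips the now dangling DN from every
    watched attribute, and only in this repair does refint_nothing come into play."""
    del dit[dn]
    for entry in dit.values():
        for attr in REFINT_ATTRS:
            vals = entry.get(attr, [])
            if dn not in vals:
                continue
            remaining = [v for v in vals if v != dn]
            if not remaining and REFINT_NOTHING:
                remaining = [REFINT_NOTHING]   # refint's own modify substitutes the placeholder
            entry[attr] = remaining
            check_schema(entry)


def demo():
    alice = "cn=alice,ou=people,dc=example,dc=com"
    admins = "cn=admins,ou=groups,dc=example,dc=com"
    dit = {   # constructed sample DIT: one group with a single member
        alice: {"objectClass": ["inetOrgPerson"], "cn": ["alice"]},
        admins: {"objectClass": ["groupOfNames"], "cn": ["admins"], "member": [alice]},
    }
    # Case 1: the request from the original post, removing the last member directly.
    first = deepcopy(dit)
    try:
        modify_delete_values(first, admins, "member", [alice])
        direct = "success"
    except ObjectClassViolation:
        direct = "objectClassViolation"
    # Case 2: deleting alice's entry; refint repairs the group with the placeholder.
    second = deepcopy(dit)
    delete_entry(second, alice)
    return {"direct_delete_of_last_member": direct,
            "member_after_refint_repair": second[admins]["member"]}


if __name__ == "__main__":
    print(demo())
```

The two cases map onto the two operations in the thread: ldapmodify deleting the last member value goes through case 1 and fails with the same objectClassViolation regardless of the overlay, while ldapdelete of the member entry goes through case 2 and leaves the placeholder DN in the group.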
Problem making refint_nothing working
Hi all,

I tried for some days to make refint overlay work with refint_nothing filled. The slapo-refint man page says :

    refint_nothing
        Specify an arbitrary value to be used as a placeholder when the last value would otherwise be deleted from an attribute. This can be useful in cases where the schema requires the existence of an attribute for which referential integrity is enforced. The attempted deletion of a required attribute will otherwise result in an Object Class Violation, causing the request to fail. The string must be a valid DN.

but each time I try to delete the last member from a groupOfNames group, the deletion is refused because of schema violation. That's ok without refint_nothing but with the string set it should replace last member, right ?

I tried to increase loglevel to 16383 but can't see any debug for refint overlay. So I'm not sure if refint is working or not. Is there another way to have some debug information from refint ?

I have included my configuration, ldap tree and log content below. For the logs, I have snipped the content to the error directly but can provide full log if required. The tests are running on debian jessie 8.2 and slapd version 2.4.40+dfsg-1.

And I know I can place the placeholder manually but doing it by hand each time is not what I want and, more important, I want to understand why the module is not working like it should.

I hope I have posted to the right list and if there is something missing please ask.

Thanks for help.
# START CONF LDIF
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: a00e3106-20ce-1035-8943-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
olcLogLevel: 16383
entryCSN: 20151116173108.585343Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116173108Z

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}refint
olcModuleLoad: {2}memberof.la
structuralObjectClass: olcModuleList
entryUUID: a00edd9a-20ce-1035-894b-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116172537.271031Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151116172537Z

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: a00e5a96-20ce-1035-8946-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.131180Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116165546Z

... schema listing skipped as they are not modified ...

dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
structuralObjectClass: olcBackendConfig
entryUUID: a00ef6cc-20ce-1035-894c-a9586533ca5e
creatorsName: cn=admin,cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.135178Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20151116165546Z

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
structuralObjectClass: olcDatabaseConfig
entryUUID: a00e4ec0-20ce-1035-8944-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
entryCSN: 20151116165546.130875Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20151116165546Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcRootDN: cn=admin,cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: a00e5654-20ce-1035-8945-a9586533ca5e
creatorsName: cn=config
createTimestamp: 20151116165546Z
olcRootPW:: e1NTSEF9NkdpY3VMWFhTUGpBa1IzM3UzcnkxVm1qY2N2ZVZXNHY=
entryCSN: 20151116170655.978168Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20151116170655Z

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=nodomain
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=nodomain
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
st
Re: Integrate Openldap and Windows Active Directory Server
Clément OUDOT wrote:
> 2015-11-16 13:45 GMT+01:00 Kaushal Shriyan <kaushalshri...@gmail.com>:
>> Hi,
>>
>> Is there a way to integrate Openldap ldap server with Windows Server Active Directory wherein AD will act as Authentication and Openldap will be setup for Authorization?

For simple passthru there is also the slapo-pbind overlay.

>> Any help will be highly appreciable.
>
> Hi,
>
> you can configure OpenLDAP to delegate authentication to AD, either through GSSAPI or with SASL passwords. For the last solution, see
> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> I also often synchronize OpenLDAP and AD thanks to LSC project, see
> http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
>
> Clément.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: Searches with dereferncing causing high CPU load.
On 17/11/2015 11:26, Andrew Findlay wrote:
> On Tue, Nov 17, 2015 at 11:11:04AM +0000, Mark Cairney wrote:
>> Just as an update- we've managed to restore service. It turns out that we had gone over the value of 65,535 (66,291) aliases which we think was the root cause of this behaviour suddenly starting.
>
> It's a significant number certainly...

We're now down to "only" 41,000 :-)

>> Although it relates to MDB this ITS sounded very similar:
>> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10
>>
>> We started deleting as many aliases as we could but performance only improved slightly. What appears to have fixed it was doing a slapcat of the "pruned" data and re-loading it into the database via slapadd. Having done this searches with deref set to always are now performing as they were before.
>
> If this happens again, you could try stopping the server and running slapindex rather than reloading everything.

We did try slapindex but it had little effect. This may have been before we'd pruned the numbers of aliases however. It's been a fraught couple of days...

>> Ultimately we've been wanting to move away from both a) hdb and b) aliases for a while but one of our user bases runs a web application that requires them as it doesn't support either groups or modifying its search filter. Given this incident there might be a push for them to re-evaluate this approach.
>
> That does sound like a problematic app. There may be other ways of solving the problem if you have to keep it though. I would tend to look at having a separate instance of slapd to service it, and it might then be possible to use mapping overlays to build a view of your data that it can cope with. Does the app need to modify LDAP data or is it read-only?

We had suggested that the department run their own OpenLDAP server as a replica of our "main" central one and do some cleverness with overlays/rewrites/proxies to see a subset of the objects on our server.

We do have a number of departments who have done this, either by taking a feed using a script or using syncrepl + stitching together their DIT using overlays/subordinate databases etc.

As far as I'm aware the application itself doesn't need to write back to LDAP but the Administrators need write access to create their object structure, add new users etc.

I think the first thing I'll do is enjoy the rest of my week off then look at setting up a sufficiently beefy testing VM to try and reproduce this behaviour with a view to submitting a proper bug report.

Thanks for your help with this.

Kind regards,

Mark

> Andrew

-- 
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Keeping mdb files opened while mmapped
On 12. nov. 2015 00:38, Shlomi Vaknin wrote:
> When I lsof my process, I am seeing that each mdb file is appearing twice (...) I know that after mmaping a file, it is not needed to be kept open, and it seems it is in lmdb.

By default the mmap is read-only; LMDB uses file operations for updates. And it keeps an extra file descriptor with the O_DSYNC or O_SYNC flag for writing the metapage, to avoid a sync() system call.

Unless you use MDB_WRITEMAP: then it modifies the map directly and omits the sync descriptor, but it still needs a descriptor if the user calls mdb_env_set_mapsize() and on Windows for mdb_env_sync().

> I know this might simply be an artifact and might not actually be a contributing reason for my swap ins/outs, but I wanted to hear what you think about it?

If you've just written much of the database without MDB_WRITEMAP and without sync'ing (i.e. not yet committed or you use MDB_NOSYNC), then you'll have the new data cached for the filesystem and old data in the map. But hopefully you didn't do that with half a gigabyte at the same time as you worry about too high VM usage.

-- 
Hallvard
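To make the descriptor layout Hallvard describes concrete, here is an added example (editor's code, not LMDB and not from the thread): a plain file stands in for data.mdb, the process maps it read-only and shared, writes a data page through the ordinary read/write descriptor and the meta page through a second descriptor opened with O_DSYNC, then reads the updated pages back through the read-only map. The 4 KiB page size, the two alternating meta pages and the file layout are assumptions of the toy; the property it shows is real: writes done with write(2)/pwrite(2) are visible through a MAP_SHARED read-only mapping, so the map itself never needs to be writable, and the two open descriptors on one file are why lsof lists it twice.

```python
import mmap
import os
import tempfile

PAGE = 4096
META_PAGES = 2          # two meta pages written alternately, as LMDB does (layout assumed)
DATA_PAGES = 8


def make_env_file(path, pages=META_PAGES + DATA_PAGES):
    """Create a zero-filled file standing in for data.mdb (constructed, not a real LMDB file)."""
    with open(path, "wb") as f:
        f.write(b"\x00" * PAGE * pages)


class Env:
    """Descriptor layout described in the thread: one read/write fd backing a read-only
    shared mapping, plus a second fd opened with O_DSYNC used only for the meta page."""

    def __init__(self, path):
        size = os.path.getsize(path)
        self.fd = os.open(path, os.O_RDWR)
        # O_DSYNC makes each meta-page write durable on return, so no fsync() is needed.
        sync_flag = getattr(os, "O_DSYNC", getattr(os, "O_SYNC", 0))
        self.sync_fd = os.open(path, os.O_WRONLY | sync_flag)
        # ACCESS_READ maps the file PROT_READ | MAP_SHARED: readers see page-cache updates.
        self.map = mmap.mmap(self.fd, size, access=mmap.ACCESS_READ)

    def write_page(self, pgno, payload):
        """Data page update via the ordinary descriptor (the non-WRITEMAP path)."""
        os.pwrite(self.fd, payload.ljust(PAGE, b"\x00"), pgno * PAGE)

    def write_meta(self, txnid):
        """Meta page update via the O_DSYNC descriptor; txnid picks which meta page."""
        meta = txnid.to_bytes(8, "little").ljust(PAGE, b"\x00")
        os.pwrite(self.sync_fd, meta, (txnid % META_PAGES) * PAGE)

    def read_page(self, pgno):
        """Read through the read-only mapping, as readers would."""
        return bytes(self.map[pgno * PAGE:(pgno + 1) * PAGE])

    def open_descriptors(self):
        return [self.fd, self.sync_fd]

    def close(self):
        self.map.close()
        os.close(self.fd)
        os.close(self.sync_fd)


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "data.mdb")
        make_env_file(path)
        env = Env(path)
        try:
            env.write_page(2, b"record-1")        # "commit" one data page
            env.write_meta(1)                     # then publish it via meta page 1
            data_visible = env.read_page(2)[:8] == b"record-1"
            meta_txn = int.from_bytes(env.read_page(1)[:8], "little")
            try:
                env.map[0:1] = b"x"               # the map is read-only; this must fail
                map_writable = True
            except TypeError:
                map_writable = False
            return {"data_visible": data_visible, "meta_txn": meta_txn,
                    "fds": len(env.open_descriptors()), "map_writable": map_writable}
        finally:
            env.close()


if __name__ == "__main__":
    print(demo())
```

With MDB_WRITEMAP the equivalent would be a single read/write mapping and no sync descriptor, which is the other case Hallvard describes.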
Re: Searches with dereferncing causing high CPU load.
On Tue, Nov 17, 2015 at 11:11:04AM +0000, Mark Cairney wrote:

> Just as an update- we've managed to restore service. It turns out that
> we had gone over the value of 65,535 (66,291) aliases which we think was
> the root cause of this behaviour suddenly starting.

It's a significant number certainly...

> Although it relates to MDB this ITS sounded very similar:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10
>
> We started deleting as many aliases as we could but performance only
> improved slightly. What appears to have fixed it was doing a slapcat of
> the "pruned" data and re-loading it into the database via slapadd.
> Having done this searches with deref set to always are now performing as
> they were before.

If this happens again, you could try stopping the server and running slapindex rather than reloading everything.

> Ultimately we've been wanting to move away from both a) hdb and b)
> aliases for a while but one of our user bases runs a web application
> that requires them as it doesn't support either groups or modifying its
> search filter. Given this incident there might be a push for them to
> re-evaluate this approach.

That does sound like a problematic app. There may be other ways of solving the problem if you have to keep it though. I would tend to look at having a separate instance of slapd to service it, and it might then be possible to use mapping overlays to build a view of your data that it can cope with. Does the app need to modify LDAP data or is it read-only?

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
Re: Searches with dereferncing causing high CPU load.
Hi,

Just as an update- we've managed to restore service. It turns out that we had gone over the value of 65,535 (66,291) aliases which we think was the root cause of this behaviour suddenly starting.

Although it relates to MDB this ITS sounded very similar:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10

We started deleting as many aliases as we could but performance only improved slightly. What appears to have fixed it was doing a slapcat of the "pruned" data and re-loading it into the database via slapadd. Having done this searches with deref set to always are now performing as they were before.

Ultimately we've been wanting to move away from both a) hdb and b) aliases for a while but one of our user bases runs a web application that requires them as it doesn't support either groups or modifying its search filter. Given this incident there might be a push for them to re-evaluate this approach.

On 16/11/15 18:44, Mark Cairney wrote:
> Hi Andrew,
>
> Thanks for getting back. I saw your report for mdb actually. I can
> confirm that I've got "olcDBIndex objectclass eq" set on my servers.
>
> Everyone keeps telling me that about aliases but unfortunately we've got
> a group of users who require them to act in lieu of groups to support
> their application i.e. they have OUs filled with aliases back to user
> accounts in the main user OU.
>
> We've started deleting old/hanging OUs and it's made a small improvement
> but it's still taking 20-30s per query rather than returning almost
> instantly like it was before.
>
> On 16/11/15 18:10, Andrew Findlay wrote:
>> On Mon, Nov 16, 2015 at 03:13:11PM +0000, Mark Cairney wrote:
>>
>>> We're having severe performance issues for any query with alias
>>> dereferencing set to "always".
>>>
>>> Any query with this causes the CPU to spin up to 100% and if we have a
>>> number of these concurrently the machine will become unresponsive.
>>
>> I hit something similar a while ago using mdb:
>>
>> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146
>>
>>> We're using OpenLDAP 2.4.42 with the old hdb backend.
>>>
>>> We do have a large number of aliases (~63,000). Could this be the cause?
>>
>> It would be worth checking that you have indexed the objectclass attribute.
>>
>> I prefer to avoid aliases...
>>
>> Andrew
>>
>

-- 
/****************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk
PGP: 0x435A9621
****************************/
Re: Integrate Openldap and Windows Active Directory Server
Thanks a lot Clement. I will go through it and ask questions here if I have any during setup.

Regards,

Kaushal

On Tue, 17 Nov 2015 at 16:17 Clément OUDOT wrote:

> 2015-11-16 13:45 GMT+01:00 Kaushal Shriyan :
>
>> Hi,
>>
>> Is there a way to integrate Openldap ldap server with Windows Server
>> Active Directory wherein AD will act as Authentication and Openldap will be
>> setup for Authorization?
>>
>> Any help will be highly appreciable.
>>
>
> Hi,
>
> you can configure OpenLDAP to delegate authentication to AD, either through
> GSSAPI or with SASL passwords. For the last solution, see
> http://ltb-project.org/wiki/documentation/general/sasl_delegation
>
> I also often synchronize OpenLDAP and AD thanks to LSC project, see
> http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory
>
> Clément.
Re: Integrate Openldap and Windows Active Directory Server
2015-11-16 13:45 GMT+01:00 Kaushal Shriyan :

> Hi,
>
> Is there a way to integrate Openldap ldap server with Windows Server
> Active Directory wherein AD will act as Authentication and Openldap will be
> setup for Authorization?
>
> Any help will be highly appreciable.
>

Hi,

you can configure OpenLDAP to delegate authentication to AD, either through GSSAPI or with SASL passwords. For the last solution, see
http://ltb-project.org/wiki/documentation/general/sasl_delegation

I also often synchronize OpenLDAP and AD thanks to LSC project, see
http://lsc-project.org/wiki/documentation/tutorial/openldaptoactivedirectory

Clément.