Re: hdb to mdb

2021-06-04 Thread Dave Macias 
One more question:
How could I best determine the size of my database in order to set a larger
size in "olcDbMaxSize" ?

> du -h /var/lib/ldap ?
or
> du -c -h /var/lib/ldap/*.bdb

thank you

On Thu, Jun 3, 2021 at 5:52 PM Dave Macias  wrote:

> Thank you very much for the kind help!
>
> Much appreciated
>
> Best,
> Dave
> On Jun 3, 2021, 5:51 PM -0400, Quanah Gibson-Mount ,
> wrote:
>
>
>
> --On Thursday, June 3, 2021 6:02 PM -0400 Dave Macias 
> wrote:
>
>
>
> So therefore i dont need to worry about back_mdb since it's already
> loaded.
> Yes?
>
>
> Right.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 
>
>

Re: hdb to mdb

2021-06-03 Thread Dave Macias 
Thank you very much for the kind help!

Much appreciated

Best,
Dave
On Jun 3, 2021, 5:51 PM -0400, Quanah Gibson-Mount , wrote:
>
>
> --On Thursday, June 3, 2021 6:02 PM -0400 Dave Macias 
> wrote:
>
> >
> >
> > So therefore i dont need to worry about back_mdb since it's already
> > loaded.
> > Yes?
>
> Right.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>

Re: hdb to mdb

2021-06-03 Thread Quanah Gibson-Mount 




--On Thursday, June 3, 2021 6:02 PM -0400 Dave Macias  
wrote:





So therefore i dont need to worry about back_mdb since it's already
loaded. 
Yes?


Right.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

Re: hdb to mdb

2021-06-03 Thread Dave Macias 
So therefore i dont need to worry about back_mdb since it’s already loaded.
Yes?
On Jun 3, 2021, 4:50 PM -0400, Quanah Gibson-Mount , wrote:
>
>
> --On Thursday, June 3, 2021 5:43 PM -0400 Dave Macias 
> wrote:
>
> >
> > > slapd -VVV
> > @(#) $OpenLDAP: slapd 2.4.58 (Mar 16 2021 19:13:56) $
> > build@c7rpm:/home/build/git/rheldap/RHEL7_x86_64/BUILD/symas-openldap-2.4
> > .58/openldap-2.4.58/servers/slapd
> >
> > Included static backends:
> >     config
> >     ldif
> >     monitor
> >     bdb
> >     hdb
> >     mdb
> >
> >
> >
> > Not sure what to look for... "mdb" is that is?
>
> Yes, that indicates mdb was built statically.
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>

Re: hdb to mdb

2021-06-03 Thread Quanah Gibson-Mount 




--On Thursday, June 3, 2021 5:43 PM -0400 Dave Macias  
wrote:





slapd -VVV

@(#) $OpenLDAP: slapd 2.4.58 (Mar 16 2021 19:13:56) $
build@c7rpm:/home/build/git/rheldap/RHEL7_x86_64/BUILD/symas-openldap-2.4
.58/openldap-2.4.58/servers/slapd

Included static backends:
    config
    ldif
    monitor
    bdb
    hdb
    mdb



Not sure what to look for... "mdb" is that is?


Yes, that indicates mdb was built statically.

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Re: hdb to mdb

2021-06-03 Thread Dave Macias 
> slapd -VVV
@(#) $OpenLDAP: slapd 2.4.58 (Mar 16 2021 19:13:56) $
build@c7rpm
:/home/build/git/rheldap/RHEL7_x86_64/BUILD/symas-openldap-2.4.58/openldap-2.4.58/servers/slapd

Included static backends:
config
ldif
monitor
bdb
    hdb
    mdb

Not sure what to look for... "mdb" is that is?

On Thu, Jun 3, 2021 at 1:38 PM Dieter Klünter  wrote:

> Quanah Gibson-Mount  writes:
>
> > --On Thursday, June 3, 2021 12:49 AM -0400 Dave Macias
> >wrote:
> >
> >>
> >>
> >> Hello,
> >>
> >> Saw this link in a recent mail to this list.
> >> https://www.openldap.org/doc/admin25/appendix-upgrading.html
> >>
> >> Looks like hdb would no longer be supported.
> >> I googled a bit to see what it would take to move over to mdb and
> >> stumbled on this post.
> >>
> https://www.mail-archive.com/openldap-technical@openldap.org/msg25484.html
> >>
> >> My question is:
> >> Is it really that easy?
> >
> > yes.  Make sure that you have back_mdb moduleloaded as well if it's
> > built as a module.  You do have to export your DB via slapcat and then
> > reimport with slapadd as well.
>
> In order to check for static built-in modules run ./slapd -VVV
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
>

Re: hdb to mdb

2021-06-03 Thread Dieter Klünter 
Quanah Gibson-Mount  writes:

> --On Thursday, June 3, 2021 12:49 AM -0400 Dave Macias
>wrote:
>
>>
>>
>> Hello,
>>
>> Saw this link in a recent mail to this list.
>> https://www.openldap.org/doc/admin25/appendix-upgrading.html
>>
>> Looks like hdb would no longer be supported.
>> I googled a bit to see what it would take to move over to mdb and
>> stumbled on this post.
>> https://www.mail-archive.com/openldap-technical@openldap.org/msg25484.html
>>
>> My question is:
>> Is it really that easy?
>
> yes.  Make sure that you have back_mdb moduleloaded as well if it's
> built as a module.  You do have to export your DB via slapcat and then
> reimport with slapadd as well.

In order to check for static built-in modules run ./slapd -VVV

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Re: hdb to mdb

2021-06-03 Thread Dave Macias 
Thank you for the reply


> > My question is:
> > Is it really that easy?
>
> yes.  Make sure that you have back_mdb moduleloaded as well if it's built
> as a module.  You do have to export your DB via slapcat and then reimport
> with slapadd as well.
>

I dont have back_mdb built as a module... so i'm assuming I dont need to
worry about it, yes??

Yes, slapcat/add POST hdb > mdb conversion.

Thanks!

Re: hdb to mdb

2021-06-03 Thread Quanah Gibson-Mount 




--On Thursday, June 3, 2021 12:49 AM -0400 Dave Macias  
wrote:





Hello,

Saw this link in a recent mail to this list.
https://www.openldap.org/doc/admin25/appendix-upgrading.html

Looks like hdb would no longer be supported.
I googled a bit to see what it would take to move over to mdb and
stumbled on this post.
https://www.mail-archive.com/openldap-technical@openldap.org/msg25484.html

My question is:
Is it really that easy?


yes.  Make sure that you have back_mdb moduleloaded as well if it's built 
as a module.  You do have to export your DB via slapcat and then reimport 
with slapadd as well.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

hdb to mdb

2021-06-02 Thread Dave Macias 
Hello,

Saw this link in a recent mail to this list.
https://www.openldap.org/doc/admin25/appendix-upgrading.html

Looks like hdb would no longer be supported.
I googled a bit to see what it would take to move over to mdb and stumbled on 
this post.
https://www.mail-archive.com/openldap-technical@openldap.org/msg25484.html

My question is:
Is it really that easy?
Just replace all my instances of hdb or Hdb with mdp or Mdb respectively?

Additionally add “olcDbMaxSize” to my top lavel “olcDatabase={2}hdb,cn=config” ?

Then reimport ?

Below is a much redacted slapcat of my config.
Any input is much appreciated.


Thank you,
Dave


dn: cn=config
objectClass: olcGlobal
cn: config
olcServerID: 1
structuralObjectClass: olcGlobal
creatorsName: cn=config
modifiersName: cn=config
...
...
dn: olcDatabase={2}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {2}hdb
structuralObjectClass: olcHdbConfig
...

dn: olcOverlay={0}auditlog,olcDatabase={2}hdb,cn=config
...
dn: olcOverlay={1}ppolicy,olcDatabase={2}hdb,cn=config
...
dn: olcOverlay={2}syncprov,olcDatabase={2}hdb,cn=config
...

Re: Migrate HDB to MDB

2020-12-21 Thread Pete Ashdown 

Thank you for the help.  The cn=config portion was what was tripping me up.


On 12/20/20 3:06 PM, Quanah Gibson-Mount wrote:



--On Sunday, December 20, 2020 11:21 AM -0700 Pete Ashdown 
 wrote:



I'm looking for some assistance in converting a legacy LDAP from an HDB
backend to MDB.  I've been unable to find any resources in how this can
be executed and my attempts at using ldapmodify have failed. I'm
willing to pay consulting fees if someone is available to help, or
otherwise be educated if is documented somewhere.


Converting from HDB to MDB is fairly trivial.

a) slapcat any existing HDB backed database backends to ldif

b) If using cn=config for the database configuration, slapcat the 
config db to ldif (slapcat -n 0 -F /path/to/slapd.d -l config.ldif; mv 
/path/to/slapd.d /path/to/slapd.d.hdb; mkdir -p /path/to/slapd.d; 
chown /path/to/slapd.d appropriately)


c) Modify config.ldif to use mdb instead of hdb:

  change any instances of "hdb" to mdb"
  remove any back-hdb specific configuration items
  Add an olcdbmaxsize for back-mdb in the mdb databse configuration 
section.  Note that this is intended to be a very large value that 
should never be reached. It is not meant to be a small value that you 
guestimate is around the approximate database size


d) Import the modified config.ldif via slapadd

e) slapadd the former HDB databases

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Re: Migrate HDB to MDB

2020-12-20 Thread Quanah Gibson-Mount 




--On Sunday, December 20, 2020 11:21 AM -0700 Pete Ashdown 
 wrote:



I'm looking for some assistance in converting a legacy LDAP from an HDB
backend to MDB.  I've been unable to find any resources in how this can
be executed and my attempts at using ldapmodify have failed.  I'm
willing to pay consulting fees if someone is available to help, or
otherwise be educated if is documented somewhere.


Converting from HDB to MDB is fairly trivial.

a) slapcat any existing HDB backed database backends to ldif

b) If using cn=config for the database configuration, slapcat the config db 
to ldif (slapcat -n 0 -F /path/to/slapd.d -l config.ldif; mv 
/path/to/slapd.d /path/to/slapd.d.hdb; mkdir -p /path/to/slapd.d; chown 
/path/to/slapd.d appropriately)


c) Modify config.ldif to use mdb instead of hdb:

  change any instances of "hdb" to mdb"
  remove any back-hdb specific configuration items
  Add an olcdbmaxsize for back-mdb in the mdb databse configuration 
section.  Note that this is intended to be a very large value that should 
never be reached. It is not meant to be a small value that you guestimate 
is around the approximate database size


d) Import the modified config.ldif via slapadd

e) slapadd the former HDB databases

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

RE: Migrate HDB to MDB

2020-12-20 Thread Marc Roos 
 I think you also need a bit of help with your spam setup ;)

<<< 550-XM-RJCT22: [212.26.193.44] is prohibited from connecting to 
XMission mail <<< 550-servers due to high spam volume. See the following 
for more information:

This server is not even sending out that many mails.


-Original Message-
From: Pete Ashdown [mailto:pashd...@xmission.com] 
Sent: 20 December 2020 19:22
To: openldap-technical@openldap.org
Subject: Migrate HDB to MDB

I'm looking for some assistance in converting a legacy LDAP from an HDB 
backend to MDB.  I've been unable to find any resources in how this can 
be executed and my attempts at using ldapmodify have failed.  I'm 
willing to pay consulting fees if someone is available to help, or 
otherwise be educated if is documented somewhere.

Thanks in advance.

Migrate HDB to MDB

2020-12-20 Thread Pete Ashdown 
I'm looking for some assistance in converting a legacy LDAP from an HDB 
backend to MDB.  I've been unable to find any resources in how this can 
be executed and my attempts at using ldapmodify have failed.  I'm 
willing to pay consulting fees if someone is available to help, or 
otherwise be educated if is documented somewhere.


Thanks in advance.

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-09 Thread paul . jc 
Hi Quanah,

Using the perf tool on my MDB consumers on a per thread basis, I have found 
that function "mdb_node_search" and "mdb_page_search_root" are a source of high 
overhead (along with a number of other MDB fuctions) which correlate to the 
high cpu utilization I am seeing.
When comparing the same to my HDB consumers by thread, the overhead for HDB 
related slapd functions is minimal.

Here is what I see on MDB: 
-
Samples: 75K of event 'cpu-clock', 4000 Hz, Event count (approx.): 6487155549 
lost: 0/0 drop: 0/0
Overhead  Shared ObjectSymbol
  29.60%  slapd[.] mdb_node_search
  15.13%  slapd[.] mdb_page_search_root
   8.98%  slapd[.] mdb_cmp_long
   8.36%  slapd[.] mdb_cursor_set
   6.21%  slapd[.] mdb_cmp_cint
   5.18%  slapd[.] mdb_page_get.isra.13


Here is what I see on HDB:
-
Samples: 7K of event 'cpu-clock', 4000 Hz, Event count (approx.): 448391573 
lost: 0/0 drop: 0/0
Overhead  Shared ObjectSymbol
   3.61%  slapd[.] 0x0010eab0
   0.55%  slapd[.] avl_find
   0.51%  slapd[.] hdb_idl_fetch_key
   0.43%  slapd[.] hdb_idl_next

Do you know if these MDB functions are expected to use that much overhead and 
if not, any chance you know what might be causing this?  

As a side note, I have also compared backtraces on the threads using gdb and 
strace and from that perspective I do not see anything outstanding (the output 
is much the same for both).

Thanks again for your input. 
Regards,
Paul.

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-05 Thread Quanah Gibson-Mount 




--On Wednesday, November 4, 2020 11:50 PM + paul...@yahoo.com wrote:


That being said, this means I still do not have an explanation for why my
MDB consumers are using up to 4x the CPU compared to my HDB consumers.


You could certainly use something like oprofile to profile the different 
processes and see where they are spending time.  It may point to something 
useful, hard to say.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

RE: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-04 Thread Maucci, Cyrille 
Drilling into CPU consumption is made easier with Linux perf tool.

++Cyrille

-Original Message-
From: paul...@yahoo.com [mailto:paul...@yahoo.com] 
Sent: Thursday, November 5, 2020 12:51 AM
To: openldap-technical@openldap.org
Subject: Re: HDB to MDB migration results in higher CPU usage on openldap 
consumers

Thanks Quanah, 

Looks like I do NOT have any alias's defined - which is a good thing 
considering that would be bad DIT design as you mentioned.  

That being said, this means I still do not have an explanation for why my MDB 
consumers are using up to 4x the CPU compared to my HDB consumers. As I 
mentioned before, we are processing equivalent numbers of requests on both HDB 
and MDB. Any further suggestions you have on where to inspect next would be 
appreciated.  Planning to sift through debug logs again and compare the two. 
Regards,
Paul

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-04 Thread paul . jc 
Thanks Quanah, 

Looks like I do NOT have any alias's defined - which is a good thing 
considering that would be bad DIT design as you mentioned.  

That being said, this means I still do not have an explanation for why my MDB 
consumers are using up to 4x the CPU compared to my HDB consumers. As I 
mentioned before, we are processing equivalent numbers of requests on both HDB 
and MDB. Any further suggestions you have on where to inspect next would be 
appreciated.  Planning to sift through debug logs again and compare the two. 
Regards,
Paul

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-03 Thread paul . jc 
Quanah Gibson-Mount wrote:
> If you're using aliases in your LDAP DB, then yes, that'll absolutely 
> trigger issues such as this.  The use of aliases generally indicates poor 
> DIT design. ;)

Hey Quanah, understood. :) I inherited this openldap database and I'm not well 
versed in aliases. How do I verify if I actually have aliases being utilized?  
I have no ldif files in my core or custom schema config that define aliases.   
An ldapsearch on the cn=config returns default references, but that is all: 

olcAttributeTypes: ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' ) D
 ESC 'RFC4512: name of aliased object' EQUALITY distinguishedNameMatch SYNTAX 
 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

and

olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRU
 CTURAL MUST aliasedObjectName )

Is there something else I should search to verify usage of aliases in the DB?  

Thanks.  
Paul

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-03 Thread Quanah Gibson-Mount 




--On Tuesday, November 3, 2020 6:51 PM + paul...@yahoo.com wrote:


Quanah Gibson-Mount wrote:

If you're using aliases in your LDAP DB, then yes, that'll absolutely
trigger issues such as this.  The use of aliases generally indicates
poor  DIT design. ;)


Hey Quanah, understood. :) I inherited this openldap database and I'm not
well versed in aliases. How do I verify if I actually have aliases being
utilized?  I have no ldif files in my core or custom schema config that
define aliases.An ldapsearch on the cn=config returns default
references, but that is all:


Hi Peter,

You would need to search your back-mdb database and see if there are any 
objects with an objectClass of "alias".  I.e.,


ldapsearch ... "(objectClass=alias") 1.1

filling in your bind details of course (I'd suggest something with full 
read access to the entire db).


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-02 Thread paul . jc 
Hi Quanah,
Thanks for the input!
I should mention that we load balance incoming queries so each of my consumers 
process a similar amount of requests yet my MDB consumers still have much 
higher CPU utilization. 
Bind times are also higher (15ms - some spikes up to 55ms - on MDB consumer vs 
a steady 5ms on HDB consumers on average).  
My concern about the "scope not okay" log entries references an old thread 
regarding high numbers of aliases.
For MDB, do you know if dereferencing (often with "always") with large numbers 
of aliases still causes slower search times (and in turn higher cpu 
utilization) as noted in this thread here: 

https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/thread/FHMQ7UAZZUPG3MEJK5PZCDVJXO4WDECE/#5RR35BAZXBVTIXCS7UZOTKORX65H7KFA

This thread can also be found here:
https://www.openldap.org/lists/openldap-technical/201509/msg00111.html

I am not sure if this is related or if there was any resolution to that as it 
is several years old but figured I'd would throw it out there as a possible 
cause of my issue to see what you think. Let me know. Thanks! 

Regards,
Paul

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-11-02 Thread Quanah Gibson-Mount 




--On Monday, November 2, 2020 7:07 PM + paul...@yahoo.com wrote:


Hi Quanah,
Thanks for the input!
I should mention that we load balance incoming queries so each of my
consumers process a similar amount of requests yet my MDB consumers still
have much higher CPU utilization.  Bind times are also higher (15ms -
some spikes up to 55ms - on MDB consumer vs a steady 5ms on HDB consumers
on average).   My concern about the "scope not okay" log entries
references an old thread regarding high numbers of aliases. For MDB,
do you know if dereferencing (often with "always") with large numbers of
aliases still causes slower search times (and in turn higher cpu
utilization) as noted in this thread here:


If you're using aliases in your LDAP DB, then yes, that'll absolutely 
trigger issues such as this.  The use of aliases generally indicates poor 
DIT design. ;)


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-10-29 Thread Quanah Gibson-Mount 




--On Wednesday, October 28, 2020 5:34 PM + paul...@yahoo.com wrote:
Hi Paul,

A few things, after going back to your original email.

This is minor, but "pres" indices are useless unless < 50% of the database 
has an instance of the attribute "pres" is being set on.  I.e., setting 
"pres" on objectClass is always useless, since it appears on every entry.



I am not sure what causes these log entries and if these are related to
higher CPU utilization. If you have any input/suggestions on where to
look next it would be much appreciated.


That just means an entry it's examining as part of the search result to a 
query is not in scope.  You can ignore it (and that's the reason why it 
only shows up at a high debug level).


I would also note that since MDB is significantly more efficient, it can do 
more in a given time slice than HDB.  I.e., have you evaluated how many 
searches/second are being process with MDB vs HDB?  The ability to do more 
in a given time slice means that MDB does generally use more CPU than HDB 
-- but only because slapd is literally able to process more requests in a 
given interval than HDB could.   For example, in a test I did some years 
ago (2013 or so), MDB could answer approximately 3x the number of 
reads/second than HDB could (60k reads/sec vs just under 21k reads/second). 
On more modern systems, the disparity is even more pronounced.


Outside of that, without more concrete information to work with, it's hard 
to do anything other then speculate.


Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-10-28 Thread paul . jc 
Hi Quanah,
Thanks for the response.  I finally got around to upgrading and I am still in 
the same boat.
I am now running version 2.4.53.

# slapd -V
@(#) $OpenLDAP: slapd 2.4.53 (Sep 24 2020 20:30:24) $

I have implemented delta-syncrepl as suggested.
I already had stat + sync set for logging and I see nothing unusual to report - 
just lots of connections (across all consumers) and periodic syncrepl messages 
as expected.

I ran strace against slapd and didn't come up with anything that is obviously 
different between HDB and MDB consumers.

I then set olcLogLevel to "any" and got thousands of the following log entries: 
"mdb_search: scope not okay"

slapd[28595]: mdb_search: 40396 scope not okay

I am not sure what causes these log entries and if these are related to higher 
CPU utilization.
If you have any input/suggestions on where to look next it would be much 
appreciated. 

Regards,
Paul

HDB to MDB migration results in higher CPU usage on openldap consumers

2020-08-24 Thread paul . jc 
Hello,
I have migrated from HDB to MDB backend and I am seeing higher CPU usage on my 
MDB openldap consumers.  Has anyone else seen the same? 
Testing in my stage environment showed MDB to use less or the same amount of 
CPU than HDB - but now with real traffic and a large dataset I see sustained 
high CPU utilization.

My production environment has the following specs: 
6 consumer servers with 8vCPU x 16G RAM 
openldap version 2.4.45
Syncrepl enabled (with a single openldap provider server which is also MDB and 
has no issues and no high cpu).  
The database has ~230K users.
data.mdb is about 1.8G in size.

MDB database directives include: 
olcDbCheckpoint: 102400 10
olcDbNoSync: TRUE

The rest are defaults. 

Indexing includes: 
olcDbIndex: businessCategory eq
olcDbIndex: cn eq,sub
olcDbIndex: description eq
olcDbIndex: displayName eq,sub
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: gidNumber eq
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq
olcDbIndex: member eq
olcDbIndex: memberOf eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass pres,eq
olcDbIndex: sn eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq

These consumer servers are used for reads only. 
The initial sync with the provider is ok but once the consumers are actively 
handling read requests, CPU jumps to 60% usage on average.
Our HDB consumers had half the resources (4vCPU and 8GB RAM) and less than half 
the CPU usage (average of 25% utilization). 

I have tested adding other MDB directives (writemap, mapasync, nordahead) but 
cannot get CPU utilization to come down close to what we see with the HDB 
backend. 
I have also load tested in my stage environment and was unable to reproduce 
(MDB generally utilized the same or less resources than HDB, but never double).
There has been no change in the data or traffic between migration.  We have 
also reverted some servers back to HDB and then back to MDB to confirm the high 
utilization. 

Has anyone else come across this with MDB and if so, were you able to alleviate 
CPU utilization?  I can provide more details if needed.  Any input welcome.

Thanks! 
Paul

Re: HDB to MDB migration results in higher CPU usage on openldap consumers

2020-08-24 Thread Quanah Gibson-Mount 




--On Monday, August 24, 2020 7:05 PM + paul...@yahoo.com wrote:


Hello,
I have migrated from HDB to MDB backend and I am seeing higher CPU usage
on my MDB openldap consumers.
openldap version 2.4.45
Syncrepl enabled (with a single openldap provider server which is also
MDB and has no issues and no high cpu).   The database has ~230K users.
data.mdb is about 1.8G in size.



a) You need to be running a current release, not something 4.5 years old.

b) You need to be using delta-syncrepl with a current release, not standard 
syncrepl


c) Do you know what the server is doing to be using a significant amount of 
CPU?  I.e., have you looked at what it's logging with stats + sync set?


The flags you're playing with generally can help in a high write 
environent, outside of that they don't do much.  I certainly wouldn't 
expect them to affect CPU usage.


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Re: Fresh install changing the hdb to mdb

2019-08-18 Thread Michael Ströder 
On 8/18/19 7:17 AM, Quanah Gibson-Mount wrote:
> --On Friday, August 16, 2019 4:23 PM -0400 Jean-Francois Malouin
>  wrote:
>> I certainly don't want to steal this thread from the original poster but
>> is this parameter re-configurable on-the-fly, while slapd is running?
> 
> If you are using cn=config for the database configuration, yes.

And even when using slapd.conf (aka static config) the maxsize parameter
value can be *increased* (not decreased!) without reimporting the
database. Of course you have to restart slapd when changing the static
config file.

Ciao, Michael.

Re: Fresh install changing the hdb to mdb

2019-08-17 Thread Quanah Gibson-Mount 




--On Friday, August 16, 2019 4:23 PM -0400 Jean-Francois Malouin 
 wrote:

I certainly don't want to steal this thread from the original poster but
is this parameter re-configurable on-the-fly, while slapd is running?


If you are using cn=config for the database configuration, yes.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

Re: Fresh install changing the hdb to mdb

2019-08-17 Thread Jean-Francois Malouin 
* Quanah Gibson-Mount  [20190816 12:26]:
> 
> 
> --On Friday, August 16, 2019 7:07 PM +0200 Marc Roos
>  wrote:
> 
> >
> >
> >This is the default file that rhel/centos have in their slapd.d dir for
> >the database. I thought I would just remove this one and place the one
> >for mdb, seems to work, don't know about this entryUUID?
> 
> entryUUID is defined as an operational attribute in RFC4530
> ()
> 
> I would strongly advise reading the slapd-mdb(5) man page before
> proceeding any further, you're clearly not set the max size for the
> database which will likely cause you issues.  I would generally
> suggest a very large value for the maxsize.  I typically use 80GB.

I certainly don't want to steal this thread from the original poster but is
this parameter re-configurable on-the-fly, while slapd is running?

Thanks,
jf

> 
> --Quanah
> 
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
>

Re: Fresh install changing the hdb to mdb

2019-08-16 Thread Quanah Gibson-Mount 




--On Friday, August 16, 2019 7:07 PM +0200 Marc Roos 
 wrote:





This is the default file that rhel/centos have in their slapd.d dir for
the database. I thought I would just remove this one and place the one
for mdb, seems to work, don't know about this entryUUID?


entryUUID is defined as an operational attribute in RFC4530 
()


I would strongly advise reading the slapd-mdb(5) man page before proceeding 
any further, you're clearly not set the max size for the database which 
will likely cause you issues.  I would generally suggest a very large value 
for the maxsize.  I typically use 80GB.


--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

Fresh install changing the hdb to mdb

2019-08-16 Thread Marc Roos 



This is the default file that rhel/centos have in their slapd.d dir for 
the database. I thought I would just remove this one and place the one 
for mdb, seems to work, don't know about this entryUUID? Or can I do 
this with ldapmodify? 

[@53386e4b0025 cn=config]# cat /tmp/olcDatabase\=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 4f2ac1fc
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 537b0adc-5476-1039-9bf9-1dc025e1859d
creatorsName: cn=config
createTimestamp: 20190816133433Z
entryCSN: 20190816133433.095410Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20190816133433Z

[@53386e4b0025 cn=config]# cat olcDatabase\=\{2\}mdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 b6a274bd
dn: olcDatabase={2}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcMdbConfig
entryUUID: 537b0adc-5476-1039-9bf9-1dc025e1859d
creatorsName: cn=config
createTimestamp: 20190816133433Z
entryCSN: 20190816133433.095410Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20190816133433Z

Re: Switch OpenLDAP backend database from HDB to MDB

2019-07-11 Thread sharb...@t-online.de 
> You can not convert a hdb backend into a mdb backend without changing
> the underlying database. slapcat(8) the hdb database into a file and
> slapadd(8) the file into a mdb backend.

Hello, but it works. I have made the following changes to the config.ldif file.
Then I replayed the LDIF file into an empty ldap directory with slapadd:
...
olcModuleLoad: {0}back_mdb

dn: olcBackend={0}mdb,cn=config
olcBackend: {0}mdb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
...

Thank you in advance for your support



Re: Switch OpenLDAP backend database from HDB to MDB

2019-07-10 Thread Dieter Klünter 
Am Wed, 10 Jul 2019 11:32:17 +0200 (CEST)
schrieb "sharb...@t-online.de" :

> Hello,
> I can not change my config.ldif file from the HDB backend to the MDB 
> backend. I have changed the following:
[...]

You can not convert a hdb backend into a mdb backend without changing
the underlying database. slapcat(8) the hdb database into a file and
slapadd(8) the file into a mdb backend.

-Dieter  

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Re: Switch OpenLDAP backend database from HDB to MDB

2019-07-10 Thread Quanah Gibson-Mount 

--On Wednesday, July 10, 2019 12:32 PM +0200 sharb...@t-online.de wrote:


Did I change something wrong in my config file above?



Thank you in advance for your 

supportഀ਀ഀ਀䠀攀氀氀漀Ⰰഀ਀ഀ਀夀漀甀 猀栀漀甀氀搀 渀漀琀 戀攀 洀漀搀椀昀礀椀渀最 琀栀攀 挀漀渀昀椀最甀爀愀琀椀漀渀 搀椀爀攀挀琀氀礀⸀  
䤀渀猀琀攀愀搀Ⰰ 礀漀甀 猀栀漀甀氀搀 攀砀瀀漀爀琀 琀栀攀 挀渀㴀挀漀渀昀椀最 搀愀琀愀戀愀猀攀 瘀椀愀 猀氀愀瀀挀愀琀Ⰰ 洀愀欀攀 琀栀攀 
洀漀搀椀昀椀挀愀琀椀漀渀猀 琀栀攀爀攀Ⰰ���愀渀搀 琀栀攀渀 椀洀瀀漀爀琀 瘀椀愀 猀氀愀瀀愀搀搀⸀  吀栀椀猀 眀椀氀氀 愀氀氀漀眀 攀爀爀漀爀 挀栀攀挀欀椀渀最Ⰰ 攀琀挀Ⰰ 琀漀 
昀甀渀挀琀椀漀渀 琀漀 攀渀猀甀爀攀 礀漀甀✀瘀攀 洀愀搀攀 渀漀 洀椀猀琀愀欀攀猀⸀ഀ਀ഀ਀䤀✀搀 愀搀搀椀琀椀漀渀愀氀氀礀 渀漀琀攀 琀栀攀爀攀 椀猀 
渀漀 爀攀愀猀漀渀 琀漀 猀瀀攀挀椀
昀礀 漀氀挀䈀愀挀欀攀渀搀Ⰰ 䤀 眀漀甀氀搀 猀甀最最攀猀琀 爀攀洀漀瘀椀渀最 琀栀愀琀 攀渀琀爀礀 
攀渀琀椀爀攀氀礀⸀ഀ਀ഀ਀刀攀最愀爀搀猀Ⰰഀ਀儀甀愀渀愀栀ഀ਀ഀ਀ⴀⴀഀ਀ഀ਀儀甀愀渀愀栀 䜀椀戀猀漀渀ⴀ䴀漀甀渀琀ഀ਀倀爀漀搀甀挀琀 
䄀爀挀栀椀琀攀挀琀ഀ਀匀礀洀愀猀 䌀漀爀瀀漀爀愀琀椀漀渀ഀ਀倀愀挀欀愀最攀搀Ⰰ 挀攀爀琀椀昀椀�
�搀Ⰰ 愀渀搀 猀甀瀀瀀漀爀琀攀搀 䰀䐀䄀倀 猀漀氀甀琀椀漀渀猀 瀀漀眀攀爀攀搀 戀礀 伀瀀攀渀䰀䐀䄀倀㨀ഀ਀㰀栀琀琀瀀㨀⼀⼀眀眀眀⸀猀礀洀愀猀⸀挀漀洀㸀ഀ਀

Re: Switch OpenLDAP backend database from HDB to MDB

2019-07-10 Thread sharb...@t-online.de 
Hello,
I can not change my config.ldif file from the HDB backend to the MDB 
backend. I have changed the following:
...
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
-olcModuleLoad: {0}back_hdb
+olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}dynlist.so
olcModuleLoad: {2}ppolicy.la
structuralObjectClass: olcModuleList
entryUUID: 9495e2a6-da11-1033-97d9-c1ceaf236428
creatorsName: cn=admin,cn=config
createTimestamp: 20140926214112Z
entryCSN: 20170201184048.317884Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170201184048Z
 
-dn: olcBackend={0}hdb,cn=config
+dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
-olcBackend: {0}hdb
+olcBackend: {0}mdb
structuralObjectClass: olcBackendConfig
entryUUID: 94960592-da11-1033-97da-c1ceaf236428
creatorsName: cn=admin,cn=config
createTimestamp: 20140926214112Z
entryCSN: 20140926214112.940239Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20140926214112Z
 
-dn: olcDatabase={1}hdb,cn=config
+dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
-objectClass: olcHdbConfig
+objectClass: olcMdbConfig
-olcDatabase: {1}hdb
+olcDatabase: {1}mdb
+olcDbMaxSize: 1073741824
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=harnet,dc=de
olcLastMod: TRUE
olcRootDN: cn=admin,dc=harnet,dc=de
olcRootPW:: 
-olcDbCheckpoint: 512 30
-olcDbConfig: {0}set_cachesize 0 2097152 0
-olcDbConfig: {1}set_lk_max_objects 1500
-olcDbConfig: {2}set_lk_max_locks 1500
-olcDbConfig: {3}set_lk_max_lockers 1500
-structuralObjectClass: olcHdbConfig
entryUUID: 94960be6-da11-1033-97db-c1ceaf236428
creatorsName: cn=admin,cn=config
createTimestamp: 20140926214112Z
olcAccess: {0}to dn.subtree="dc=harnet,dc=de" by 
dn="uid=lamdaemon,ou=users,
dc=harnet,dc=de" write by * none break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to attrs=userPassword by anonymous auth by * none
olcAccess: {3}to dn.base="dc=harnet,dc=de" by * read
olcAccess: {4}to dn.subtree="ou=users,dc=harnet,dc=de" by dn="cn=Harbich CA
Server,ou=services,dc=harnet,dc=de" write by users read by * none
olcAccess: {5}to dn.subtree="ou=services,dc=harnet,dc=de" by dn="cn=Harbich
CA Server,ou=services,dc=harnet,dc=de" write by users read by * none
olcAccess: {6}to * by dn="cn=admin,dc=harnet,dc=de" write by * read
olcDbIndex: cn pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: uid pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: dcMailAlias pres,eq
olcDbIndex: givenName pres,eq,sub
olcDbIndex: dcSubMailAddress pres,eq
olcDbIndex: dcMailAlternateAddress pres,eq
olcDbIndex: dcAccountStatus pres,eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: dhcpHWAddress eq
olcDbIndex: uniqueMember eq
olcDbIndex: memberUid eq
olcDbIndex: objectClass eq
olcDbIndex: loginShell eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: ou pres,eq,sub
entryCSN: 20190304162152.376029Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20190304162152Z
 
-dn: olcOverlay={0}dynlist,olcDatabase={1}hdb,cn=config
+dn: olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {0}dynlist
olcDlAttrSet: {0}dcPosixSubAccount dcPosixOwnerURL
structuralObjectClass: olcDynamicList
entryUUID: 6f6012cc-da16-1033-84a3-8399e4f67731
creatorsName: cn=admin,cn=config
createTimestamp: 20140926221557Z
entryCSN: 20140926221557.994629Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20140926221557Z
...
 
When I play back the config and data ldif file after deleting the ldap 
directories, I get the following error message:
 
"root@dsme01:/tmp# slapadd -F /etc/ldap/slapd.d -n 1 -l harnet.de.ldif
Database number selected via -n is out of range
Must be in the range 0 to 0 (the number of configured databases)"
 
Did I change something wrong in my config file above?
 
Thank you in advance for your support


Re: Switch OpenLDAP backend database from HDB to MDB

2019-02-15 Thread sharb...@t-online.de 
Hi Ryan,
 
| Note that the database config attributes for hdb and mdb differ a little 
bit. For example you should configure olcDbMaxSize for mdb.
 
For example, how would I change the following entry in the config file?
 
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}dynlist.so
olcModuleLoad: {2}ppolicy.la
structuralObjectClass: olcModuleList
entryUUID: 9495e2a6-da11-1033-97d9-c1ceaf236428
creatorsName: cn=admin,cn=config
createTimestamp: 20140926214112Z
entryCSN: 20170201184048.317884Z#00#000#00
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170201184048Z
 
Should the change be as follows?
- - - olcModuleLoad: {0}back_hdb
+ + + olcModuleLoad: {0}back_mdb
 
dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}hdb
structuralObjectClass: olcBackendConfig
entryUUID: 94960592-da11-1033-97da-c1ceaf236428
creatorsName: cn=admin,cn=config
createTimestamp: 20140926214112Z
entryCSN: 20140926214112.940239Z#00#000#00
modifiersName: cn=admin,cn=config
modifyTimestamp: 20140926214112Z
 
 
Should the change be as follows?
- - - dn: olcBackend={0}hdb,cn=config
+ + + dn: olcBackend={0}hmdb,cn=config
 
- - - olcBackend: {0}hdb
+ + + olcBackend: {0}mdb
 
So I have everywhere the entry of hdb to mdb?
 
Thank you in advance for your support.
Greetings from Stefan Harbich


Re: Switch OpenLDAP backend database from HDB to MDB

2019-01-12 Thread Ryan Tandy 

On Fri, Jan 11, 2019 at 11:13:33PM +0100, sharb...@t-online.de wrote:

nice slapcat -n 0 > ${BACKUP_PATH}/config.ldif
nice slapcat -n 1 > ${BACKUP_PATH}/meinedomain.local.ldif
cp -rp /var/lib/ldap /var/lib/ldap.bak
cp -rp /etc/ldap/slapd.d /etc/ldap/slapd.d.bak

Modify entries in these two dates with a text editor from hdb to mdb.


You should only need to edit the config ldif. The data shouldn't need 
any changes.


Note that the database config attributes for hdb and mdb differ a little 
bit. For example you should configure olcDbMaxSize for mdb.



Stop the OpenLDAP service
sudo systemctl stop sldap.service


I would personally do that before dumping, just to make sure you don't 
miss any changes :) but slapcat while slapd is running is fine too.



Delete the directories of the LDAP tree
rm -r /var/lib/ldap /etc/ldap/slapd.d

Rebuild the LDAP database
sudo dpkg-reconfigure slapd

In the options select the database MDB and leave everything else as before.


No need to run dpkg-reconfigure. All it does is re-initialize 
/etc/ldap/slapd.d and /var/lib/ldap with the default contents; but you'd 
have to stop slapd and delete those before adding back your own anyway.


Just delete the contents out of those directories, leaving them empty, 
and with the existing ownership/permissions:


 find /etc/ldap/slapd.d /var/lib/ldap -mindepth 1 -print
 find /etc/ldap/slapd.d /var/lib/ldap -mindepth 1 -delete

then fix up your config LDIF and slapadd everything back.

If there is a mistake in your config and slapadd fails, delete the 
partial content out of slapd.d before trying again.



Then restore the LDAP tree.
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l ${BACKUP_PATH}/config.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 1 -l ${BACKUP_PATH}/meinedomain.local.ldif


Correct. Note that the directories /etc/ldap/slap.d and /var/lib/ldap 
should be emptied before doing this.


Hope this helps,
Ryan

Switch OpenLDAP backend database from HDB to MDB

2019-01-12 Thread sharb...@t-online.de 
Hello my dears,

I have a question about my approach. I want to migrate the backend database 
of my OpenLDAP server from HDB to MDB. I would do this as follows:

Backup my LDAP
nice slapcat -n 0 > ${BACKUP_PATH}/config.ldif
nice slapcat -n 1 > ${BACKUP_PATH}/meinedomain.local.ldif
cp -rp /var/lib/ldap /var/lib/ldap.bak
cp -rp /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
 
Modify entries in these two dates with a text editor from hdb to mdb.
Stop the OpenLDAP service
sudo systemctl stop sldap.service
 
Delete the directories of the LDAP tree
rm -r /var/lib/ldap /etc/ldap/slapd.d
 
Rebuild the LDAP database
sudo dpkg-reconfigure slapd
 
In the options select the database MDB and leave everything else as before. 
Then restore the LDAP tree.
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l ${BACKUP_PATH}/config.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 1 -l 
${BACKUP_PATH}/meinedomain.local.ldif
 
Restart the OpenLDAP service
sudo systemctl restart slapd.service
 
That should have been my opinion. Can you think of something else I have to 
pay attention to?
 
Greetings from Stefan Harbich


Re: How to move from hdb to mdb

2016-09-22 Thread Mark Cairney 


On 22/09/16 02:21, Dan White wrote:

> 
> Consider converting in two steps - converting your database to mdb first,
> then converting to slapd-config.
> 
> 

I did things the opposite way round:

1. slapcat your data database
2. slapcat your config database
3. Modify the generated config database ldif to correspond with that of
an mdb database i.e. change the objectclass, remove any bdb-specific
configuration, add the mdb specifics (MaxSize, maxReaders etc- there's a
lot less tunables in mdb)
3. Stop slapd and move your "old" config aside
4. slapadd your new config database
5. If 4 is successful, move your data directory aside and
6. Slapadd your data ldif.
7. Go for a (short) cup of tea
8. Fire up slapd.
-- 
/

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk
PGP: 0x435A9621

***/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.



signature.asc
Description: OpenPGP digital signature

Re: How to move from hdb to mdb

2016-09-22 Thread Nikolas Stylianides 
Ok. Maybe you are right. Sometimes "Less is more".
I am moving forward to high availability and i am planning to set two ldap
servers in Mirror mode.
I have already setup a haproxy in front but i have two problems.

1. Not able to enable StartTLS (currently only SSL is functional)
2. It seems quite slower. Is this normal?







Στις Πέμ, 22 Σεπ 2016 στις 12:20 μ.μ., ο/η Dirk Kastens <
dirk.kast...@uni-osnabrueck.de> έγραψε:

> Hi,
>
> > Do you know a good policy for increamental backup? I mean i only have
> > now 1 users but in the future it will really get bigger and i hate
> > to dump the whole database
> > every night.
>
> Why not? I'm dumping our directory with 70.000 entries using slapcat
> every night in less than a minute.
>
> Dirk
>
> --
Δρ. Νικόλας Στυλιανίδης
Ηλεκτρολόγος Μηχανικός και Μηχ. Υπολογιστών

Nikolas Stylianides, Dr.
Dr. Eng. in Electrical & Computer Engineering

Contacts
-
Mobile Tel.: +35796741315
Email: nstyliani...@leafnet.com.cy, nstyliani...@gmail.com
Skype: nicostyl

Affilication
---
LEAF NET LTD: Research & Development
Open University of Cyprus: Research Associate, APPLIED HEALTH INFORMATICS
Master Programme Academic Board Member


Tο λακωνίζειν εστί φιλοσοφείν / Μηδέν Άγαν - Χίλων ο Λακεδαιμόνιος:

Brevity is the soul of wit - Shakespeare William (Hamlet)

Re: How to move from hdb to mdb

2016-09-22 Thread Dirk Kastens 

Hi,


Do you know a good policy for increamental backup? I mean i only have
now 1 users but in the future it will really get bigger and i hate
to dump the whole database
every night.


Why not? I'm dumping our directory with 70.000 entries using slapcat 
every night in less than a minute.


Dirk



smime.p7s
Description: S/MIME Cryptographic Signature

Re: How to move from hdb to mdb

2016-09-22 Thread Nikolas Stylianides 
Thank you Oscar.
Dan also provided a good solution. I think both of them work like a charm.
The problem for me is that i wanted to do it all in a GUI (Apache Directory
Studio) which messes up with backend and database or even object indexes.

Anyway now i managed to do that using slapxxx and old good ldapmodify.
Thank you a lot.
Do you know a good policy for increamental backup? I mean i only have now
1 users but in the future it will really get bigger and i hate to dump
the whole database
every night.


Στις Πέμ, 22 Σεπ 2016 στις 9:37 π.μ., ο/η Óscar Remírez de Ganuza
Satrústegui <oscar...@unav.es> έγραψε:

> On Tue, Sep 20, 2016 at 2:40 PM, Nikolas Stylianides <
> nstyliani...@gmail.com> wrote:
>
>>
>> Is there a howto move from hdb to mdb?
>>
>> Can i have hdb and mdb running at the same time?
>>
>
> I see no problem to have them on different servers.
> You can set a new server with mdb backend, import a dump (slapcat(8) +
> slapadd(8)) and start replicating from your actual servers.
>
> And then, after some testing, you can make the switch between servers.
>
> Regards,
>
>
> *Oscar Remírez de Ganuza Satrústegui*
> IT Services
> Universidad de Navarra
> Tel. +34 948425600 x803130
> http://www.unav.edu/web/it/
>
>
> --
Δρ. Νικόλας Στυλιανίδης
Ηλεκτρολόγος Μηχανικός και Μηχ. Υπολογιστών

Nikolas Stylianides, Dr.
Dr. Eng. in Electrical & Computer Engineering

Contacts
-
Mobile Tel.: +35796741315
Email: nstyliani...@leafnet.com.cy, nstyliani...@gmail.com
Skype: nicostyl

Affilication
---
LEAF NET LTD: Research & Development
Open University of Cyprus: Research Associate, APPLIED HEALTH INFORMATICS
Master Programme Academic Board Member


Tο λακωνίζειν εστί φιλοσοφείν / Μηδέν Άγαν - Χίλων ο Λακεδαιμόνιος:

Brevity is the soul of wit - Shakespeare William (Hamlet)

Re: How to move from hdb to mdb

2016-09-22 Thread Nikolas Stylianides 
Thank you Dan.
I tried to do that but it took me like forever. I am using Apache Directory
Studio and doing modifications from this tool really gave big headaches.
Is there a better tool to manage both config and the databases?

Στις Πέμ, 22 Σεπ 2016 στις 4:21 π.μ., ο/η Dan White <
dwh...@cafedemocracy.org> έγραψε:

> On 09/20/16 12:40 +, Nikolas Stylianides wrote:
> >Hi there.
> >Is there a howto move from hdb to mdb?
> >
> >What we need to do is to transfer our directory from hdb to the mdb.
> >Is there a book to learn about openldap? With the new OLC way of doing
> >things?
> >
> >Can i have hdb and mdb running at the same time?
> >
> >Currently I have done the following:
> >1. Load the Module back_mdb
> >2. Created a OlcBackend
> >3. Created a OlcDatabase
>
> See http://www.openldap.org/doc/admin24/ and slapcat(8), slapadd(8),
> slapd-mdb(5), and slapd-config.
>
> Consider converting in two steps - converting your database to mdb first,
> then converting to slapd-config.
>
-- 
Δρ. Νικόλας Στυλιανίδης
Ηλεκτρολόγος Μηχανικός και Μηχ. Υπολογιστών

Nikolas Stylianides, Dr.
Dr. Eng. in Electrical & Computer Engineering

Contacts
-
Mobile Tel.: +35796741315
Email: nstyliani...@leafnet.com.cy, nstyliani...@gmail.com
Skype: nicostyl

Affilication
---
LEAF NET LTD: Research & Development
Open University of Cyprus: Research Associate, APPLIED HEALTH INFORMATICS
Master Programme Academic Board Member


Tο λακωνίζειν εστί φιλοσοφείν / Μηδέν Άγαν - Χίλων ο Λακεδαιμόνιος:

Brevity is the soul of wit - Shakespeare William (Hamlet)

Re: How to move from hdb to mdb

2016-09-22 Thread Óscar Remírez de Ganuza Satrústegui 
On Tue, Sep 20, 2016 at 2:40 PM, Nikolas Stylianides <nstyliani...@gmail.com
> wrote:

>
> Is there a howto move from hdb to mdb?
>
> Can i have hdb and mdb running at the same time?
>

I see no problem to have them on different servers.
You can set a new server with mdb backend, import a dump (slapcat(8) +
slapadd(8)) and start replicating from your actual servers.

And then, after some testing, you can make the switch between servers.

Regards,


*Oscar Remírez de Ganuza Satrústegui*
IT Services
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.edu/web/it/

Re: How to move from hdb to mdb

2016-09-21 Thread Dan White 

On 09/20/16 12:40 +, Nikolas Stylianides wrote:

Hi there.
Is there a howto move from hdb to mdb?

What we need to do is to transfer our directory from hdb to the mdb.
Is there a book to learn about openldap? With the new OLC way of doing
things?

Can i have hdb and mdb running at the same time?

Currently I have done the following:
1. Load the Module back_mdb
2. Created a OlcBackend
3. Created a OlcDatabase


See http://www.openldap.org/doc/admin24/ and slapcat(8), slapadd(8),
slapd-mdb(5), and slapd-config.

Consider converting in two steps - converting your database to mdb first,
then converting to slapd-config.

How to move from hdb to mdb

2016-09-21 Thread Nikolas Stylianides 
Hi there.
Is there a howto move from hdb to mdb?

What we need to do is to transfer our directory from hdb to the mdb.
Is there a book to learn about openldap? With the new OLC way of doing
things?

Can i have hdb and mdb running at the same time?

Currently I have done the following:
1. Load the Module back_mdb
2. Created a OlcBackend
3. Created a OlcDatabase

Thank you in advance
-- 
Δρ. Νικόλας Στυλιανίδης
Ηλεκτρολόγος Μηχανικός και Μηχ. Υπολογιστών

Nikolas Stylianides, Dr.
Dr. Eng. in Electrical & Computer Engineering

Contacts
-
Mobile Tel.: +35796741315
Email: nstyliani...@leafnet.com.cy, nstyliani...@gmail.com
Skype: nicostyl

Affilication
---
LEAF NET LTD: Research & Development
Open University of Cyprus: Research Associate, APPLIED HEALTH INFORMATICS
Master Programme Academic Board Member


Tο λακωνίζειν εστί φιλοσοφείν / Μηδέν Άγαν - Χίλων ο Λακεδαιμόνιος:

Brevity is the soul of wit - Shakespeare William (Hamlet)

Re: hdb and mdb dereferencing aliases differently

2013-04-26 Thread Saša-Stjepan Bakša 
 activated connection logging and here's the proof that NSS is not the
 culprit.

 Searches initiated by NSS are identical and exactly this behavior can
 also be seen  when using ldapsearch from command line with parameters from
 the log:

 # running 'getent passwd' with hdb backend:
 Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 BIND
 dn=cn=itsAgent,ou=**customerAgent,dc=scom method=128
 Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 BIND
 dn=cn=itsAgent,ou=**customerAgent,dc=scom mech=SIMPLE ssf=0
 Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 RESULT tag=97
 err=0 text=
 Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SRCH
 base=ou=account,dc=its,dc=**scom scope=1 deref=3 filter=(objectClass=
 **posixAccount)
 Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SRCH attr=uid
 userPassword uidNumber gidNumber cn homeDirectory x-LinuxLoginShell gecos
 description objectClass
 Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SEARCH RESULT
 tag=101 err=0 nentries=656 text=
 Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 fd=13 closed
 (connection lost)

 # running 'getent passwd' with mdb backend:
 Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 BIND
 dn=cn=itsAgent,ou=**customerAgent,dc=scom method=128
 Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 BIND
 dn=cn=itsAgent,ou=**customerAgent,dc=scom mech=SIMPLE ssf=0
 Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 RESULT tag=97
 err=0 text=
 Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SRCH
 base=ou=account,dc=its,dc=**scom scope=1 deref=3 filter=(objectClass=
 **posixAccount)
 Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SRCH attr=uid
 userPassword uidNumber gidNumber cn homeDirectory x-LinuxLoginShell gecos
 description objectClass
 Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SEARCH RESULT
 tag=101 err=0 text=
 Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 fd=13 closed
 (connection lost)

 I suspect that aliases are not handled the same way in hdb and mdb as I
 am using aliases here and deref=3 in both searches, example:

 dn: uid=joe,ou=Account,dc=its,dc=**scom
 objectClass: alias
 objectClass: extensibleObject
 uid: joe
 aliasedObjectName: uid=joe,ou=Person,dc=its,dc=**scom
 structuralObjectClass: alias

 When using hdb, the alias is dereferenced correctly (nentries=656), when
 using mdb it seems not to be dereferenced at all (nentries=0).

 Maybe there's a parameter around for mdb which I couldn't find in the
 docs

 to prevent this, but if not I consider this as a bug.

 There is no parameter. Seems like you've found a bug, please submit the
 info to the ITS.


 Regards

 Juergen

 mich...@stroeder.com wrote:

 It would certainly help if you could examine the issue with pure LDAP
 search
 operations preferably with OpenLDAP's ldapsearch command-line tool.

 When looking at NSS results too many things can go wrong with other
 components' configuration.

 Ciao, Michael.

 juergen.spren...@swisscom.com wrote:

 Hi,

 I have running OpenDLAP 2.4.35 on  Gentoo Linux and wanted to make
 some tests with mdb.

 Slapd was running fine with hdb, no problems so far.
 Then I exported contents via slapcat and switched config to mdb.
 When slapd started using mdb no users from directory were shown by
 'getent passwd':

 ### hdb part 
 # using hdb parameters
 databasehdb
 dirtyread
 cachesize   15
 cachefree  100
 idlcachesize45
 dncachesize 10

 # slapadd from backup and run slapd with hdb backend
 /etc/init.d/unscd stop
 /etc/init.d/slapd stop
 rm /var/lib/openldap-data/*
 rm -rf /etc/openldap/slapd.d/*
 cp -p /etc/openldap/DB_CONFIG /var/lib/openldap-data/
 cp -p /etc/openldap/slapd.conf.hdb /etc/openldap/slapd.conf
 su ldap -c '/usr/sbin/slapadd -f /etc/openldap/slapd.conf -l
 odsldap-dev.ldif'
 /etc/init.d/slapd start
 /etc/init.d/unscd start
 slapcat -f /etc/openldap/slapd.conf -b dc=scom | md5sum
 # 73850f9a3f7ff9d3d1ddb7663cd046**a6  -

 getent passwd
 # all users shown, everything ok

 ### mdb part 
 # using mdb paramters
 databasemdb
 dbnosync
 maxsize 2094967296
 searchstack 64

 # slapadd from backup and run slapd with mdb backend
 /etc/init.d/unscd stop
 /etc/init.d/slapd stop
 rm /var/lib/openldap-data/*
 rm -rf /etc/openldap/slapd.d/*
 cp -p /etc/openldap/slapd.conf.mdb /etc/openldap/slapd.conf
 su ldap -c '/usr/sbin/slapadd -f /etc/openldap/slapd.conf -l
 odsldap-dev.ldif'
 /etc/init.d/slapd start
 /etc/init.d/unscd start
 slapcat -f /etc/openldap/slapd.conf -b dc=scom | md5sum
 # 73850f9a3f7ff9d3d1ddb7663cd046**a6  -

 

 getent passwd
 # no users from ldap shown

 Am I missing something  when setting up and using mdb?
 Both backends have exactly the same content, and so the results for
 searches should also be identical.

 Regards

 Jürgen Sprenger






 --
   -- Howard Chu
   CTO, Symas Corp.   http://www.symas.com
   Director, Highland Sun

hdb and mdb dereferencing aliases differently

2013-04-24 Thread Juergen.Sprenger 
Hi Michael,

NSS results must not be dependent on the backend database a directory service 
uses. 

I activated connection logging and here's the proof that NSS is not the culprit.

Searches initiated by NSS are identical and exactly this behavior can also be 
seen  when using ldapsearch from command line with parameters from the log:

# running 'getent passwd' with hdb backend:
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom method=128
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom mech=SIMPLE ssf=0
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 RESULT tag=97 err=0 
text=
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SRCH 
base=ou=account,dc=its,dc=scom scope=1 deref=3 
filter=(objectClass=posixAccount)
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SRCH attr=uid 
userPassword uidNumber gidNumber cn homeDirectory x-LinuxLoginShell gecos 
description objectClass
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SEARCH RESULT tag=101 
err=0 nentries=656 text=
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 fd=13 closed (connection 
lost)

# running 'getent passwd' with mdb backend:
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom method=128
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom mech=SIMPLE ssf=0
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 RESULT tag=97 err=0 
text=
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SRCH 
base=ou=account,dc=its,dc=scom scope=1 deref=3 
filter=(objectClass=posixAccount)
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SRCH attr=uid 
userPassword uidNumber gidNumber cn homeDirectory x-LinuxLoginShell gecos 
description objectClass
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SEARCH RESULT tag=101 
err=0 text=
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 fd=13 closed (connection 
lost)

I suspect that aliases are not handled the same way in hdb and mdb as I am 
using aliases here and deref=3 in both searches, example:

dn: uid=joe,ou=Account,dc=its,dc=scom
objectClass: alias
objectClass: extensibleObject
uid: joe
aliasedObjectName: uid=joe,ou=Person,dc=its,dc=scom
structuralObjectClass: alias

When using hdb, the alias is dereferenced correctly (nentries=656), when using 
mdb it seems not to be dereferenced at all (nentries=0).

Maybe there's a parameter around for mdb which I couldn't find in the docs to 
prevent this, but if not I consider this as a bug.

Regards

Juergen

mich...@stroeder.com wrote:
It would certainly help if you could examine the issue with pure LDAP search
operations preferably with OpenLDAP's ldapsearch command-line tool.

When looking at NSS results too many things can go wrong with other
components' configuration.

Ciao, Michael.

juergen.spren...@swisscom.com wrote:
 Hi,
 
 I have running OpenDLAP 2.4.35 on  Gentoo Linux and wanted to make some 
 tests with mdb.
 
 Slapd was running fine with hdb, no problems so far. 
 Then I exported contents via slapcat and switched config to mdb. 
 When slapd started using mdb no users from directory were shown by 'getent 
 passwd':
 
 ### hdb part 
 # using hdb parameters
 databasehdb
 dirtyread
 cachesize   15
 cachefree  100
 idlcachesize45
 dncachesize 10
 
 # slapadd from backup and run slapd with hdb backend
 /etc/init.d/unscd stop
 /etc/init.d/slapd stop
 rm /var/lib/openldap-data/*
 rm -rf /etc/openldap/slapd.d/*
 cp -p /etc/openldap/DB_CONFIG /var/lib/openldap-data/
 cp -p /etc/openldap/slapd.conf.hdb /etc/openldap/slapd.conf
 su ldap -c '/usr/sbin/slapadd -f /etc/openldap/slapd.conf -l 
 odsldap-dev.ldif'
 /etc/init.d/slapd start
 /etc/init.d/unscd start
 slapcat -f /etc/openldap/slapd.conf -b dc=scom | md5sum
 # 73850f9a3f7ff9d3d1ddb7663cd046a6  -
 
 getent passwd
 # all users shown, everything ok
 
 ### mdb part 
 # using mdb paramters
 databasemdb
 dbnosync
 maxsize 2094967296
 searchstack 64
 
 # slapadd from backup and run slapd with mdb backend
 /etc/init.d/unscd stop
 /etc/init.d/slapd stop
 rm /var/lib/openldap-data/*
 rm -rf /etc/openldap/slapd.d/*
 cp -p /etc/openldap/slapd.conf.mdb /etc/openldap/slapd.conf
 su ldap -c '/usr/sbin/slapadd -f /etc/openldap/slapd.conf -l 
 odsldap-dev.ldif'
 /etc/init.d/slapd start
 /etc/init.d/unscd start
 slapcat -f /etc/openldap/slapd.conf -b dc=scom | md5sum
 # 73850f9a3f7ff9d3d1ddb7663cd046a6  -
 
 getent passwd
 # no users from ldap shown
 
 Am I missing something  when setting up and using mdb? 
 Both backends have exactly the same content, and so the results for searches 
 should also be identical.
 
 Regards
 
 Jürgen Sprenger

Re: hdb and mdb dereferencing aliases differently

2013-04-24 Thread Howard Chu 

juergen.spren...@swisscom.com wrote:

Hi Michael,

NSS results must not be dependent on the backend database a directory service 
uses.

I activated connection logging and here's the proof that NSS is not the culprit.

Searches initiated by NSS are identical and exactly this behavior can also be 
seen  when using ldapsearch from command line with parameters from the log:

# running 'getent passwd' with hdb backend:
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom method=128
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom mech=SIMPLE ssf=0
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=0 RESULT tag=97 err=0 
text=
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SRCH 
base=ou=account,dc=its,dc=scom scope=1 deref=3 
filter=(objectClass=posixAccount)
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SRCH attr=uid 
userPassword uidNumber gidNumber cn homeDirectory x-LinuxLoginShell gecos 
description objectClass
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 op=1 SEARCH RESULT tag=101 
err=0 nentries=656 text=
Apr 24 09:53:54 openldap-dev slapd[19240]: conn=1000 fd=13 closed (connection 
lost)

# running 'getent passwd' with mdb backend:
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom method=128
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 BIND 
dn=cn=itsAgent,ou=customerAgent,dc=scom mech=SIMPLE ssf=0
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=0 RESULT tag=97 err=0 
text=
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SRCH 
base=ou=account,dc=its,dc=scom scope=1 deref=3 
filter=(objectClass=posixAccount)
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SRCH attr=uid 
userPassword uidNumber gidNumber cn homeDirectory x-LinuxLoginShell gecos 
description objectClass
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 op=1 SEARCH RESULT tag=101 
err=0 text=
Apr 24 10:00:17 openldap-dev slapd[19300]: conn=1002 fd=13 closed (connection 
lost)

I suspect that aliases are not handled the same way in hdb and mdb as I am 
using aliases here and deref=3 in both searches, example:

dn: uid=joe,ou=Account,dc=its,dc=scom
objectClass: alias
objectClass: extensibleObject
uid: joe
aliasedObjectName: uid=joe,ou=Person,dc=its,dc=scom
structuralObjectClass: alias

When using hdb, the alias is dereferenced correctly (nentries=656), when using 
mdb it seems not to be dereferenced at all (nentries=0).

Maybe there's a parameter around for mdb which I couldn't find in the docs

to prevent this, but if not I consider this as a bug.

There is no parameter. Seems like you've found a bug, please submit the info 
to the ITS.


Regards

Juergen

mich...@stroeder.com wrote:

It would certainly help if you could examine the issue with pure LDAP search
operations preferably with OpenLDAP's ldapsearch command-line tool.

When looking at NSS results too many things can go wrong with other
components' configuration.

Ciao, Michael.

juergen.spren...@swisscom.com wrote:

Hi,

I have running OpenDLAP 2.4.35 on  Gentoo Linux and wanted to make some tests 
with mdb.

Slapd was running fine with hdb, no problems so far.
Then I exported contents via slapcat and switched config to mdb.
When slapd started using mdb no users from directory were shown by 'getent 
passwd':

### hdb part 
# using hdb parameters
databasehdb
dirtyread
cachesize   15
cachefree  100
idlcachesize45
dncachesize 10

# slapadd from backup and run slapd with hdb backend
/etc/init.d/unscd stop
/etc/init.d/slapd stop
rm /var/lib/openldap-data/*
rm -rf /etc/openldap/slapd.d/*
cp -p /etc/openldap/DB_CONFIG /var/lib/openldap-data/
cp -p /etc/openldap/slapd.conf.hdb /etc/openldap/slapd.conf
su ldap -c '/usr/sbin/slapadd -f /etc/openldap/slapd.conf -l odsldap-dev.ldif'
/etc/init.d/slapd start
/etc/init.d/unscd start
slapcat -f /etc/openldap/slapd.conf -b dc=scom | md5sum
# 73850f9a3f7ff9d3d1ddb7663cd046a6  -

getent passwd
# all users shown, everything ok

### mdb part 
# using mdb paramters
databasemdb
dbnosync
maxsize 2094967296
searchstack 64

# slapadd from backup and run slapd with mdb backend
/etc/init.d/unscd stop
/etc/init.d/slapd stop
rm /var/lib/openldap-data/*
rm -rf /etc/openldap/slapd.d/*
cp -p /etc/openldap/slapd.conf.mdb /etc/openldap/slapd.conf
su ldap -c '/usr/sbin/slapadd -f /etc/openldap/slapd.conf -l odsldap-dev.ldif'
/etc/init.d/slapd start
/etc/init.d/unscd start
slapcat -f /etc/openldap/slapd.conf -b dc=scom | md5sum
# 73850f9a3f7ff9d3d1ddb7663cd046a6  -



getent passwd
# no users from ldap shown

Am I missing something  when setting up and using mdb?
Both backends have exactly the same content, and so the results for searches 
should also be identical.

Regards

Jürgen Sprenger







--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director