On 12/15/22 20:52, Quanah Gibson-Mount wrote:
https://bugs.openldap.org/show_bug.cgi?id=8983
That bug clearly notes it is implemented in OpenLDAP 2.5+
Hmm, as I read ITS#8983 the control encoding has been implemented in
libldap (see libraries/libldap/psearchctrl.c).
But the original
On 12/12/22 16:47, thomaswilliampritch...@gmail.com wrote:
For one particular use case we replicate a subset of the application
database, but our replication check cannot work for this use case.
Partial replication is somewhat tricky because the highest entryCSN
value seen in a replicated entry
On 11/17/22 20:26, Daniel Hoffend wrote:
Thanks for your response. I’ve opened an issue in Bugzilla with the ID 9935.
As a work-around you could exclude pwdHistory attribute from the push
replication to read-only replicas because it's used only on writeable
replicas.
Ciao, Michael.
On 10/20/22 19:05, Pascal Jakobi wrote:
R:Years ago, we created an XACML server that is RBAC profile compliant :
https://projects.ow2.org/view/authzforce/.
Question is : how do you represent roles, especially in a
security-critical context such as the one I work in. For such a matter,
On 10/20/22 12:14, Pascal Jakobi wrote:
I am looking for an RFC 5755 (attribute certificates profile) schema file.
I thought it was in pmi.schema, but it appears that no, unless I am
missing something.
AFAICS pmi.schema is indeed what you're looking for.
Note that RFC 5755 defines the X.509
On 10/20/22 13:33, Sander Smeenk wrote:
I'm trying to set up SyncRepl between two servers. When the SyncRepl
client connects and tries to start it logs:
| Entry (dc=example,dc=nl): object class 'organization' requires attribute 'o'
| syncrepl_null_callback : error code 0x41
| syncrepl_entry:
On 10/4/22 18:49, Quanah Gibson-Mount wrote:
This is the first testing call for OpenLDAP 2.6.4.
Build and make test seem to work on my local openSUSE Tumbleweed x86_64
with gcc 12.2.1.
I've also temporarily enabled running make test in my openSUSE/SLE
package openldap-ms:
On 10/4/22 18:50, Quanah Gibson-Mount wrote:
This is the first testing call for OpenLDAP 2.5.14.
Build and make test seem to work on openSUSE Tumbleweed x86_64 with gcc
12.2.1.
Ciao, Michael.
On 9/26/22 18:49, Benjamin Renard wrote:
I try to affect an uri constraint on an attribute that storing the DN of
another object but I don't know what I have to put on the attribute
field of the URI.
entryDN
Ciao, Michael.
On 8/22/22 18:03, Howard Chu wrote:
You can just search for all groups where member=, returning no
attributes, or returning only cn and gidNumber. Again, memberOf is
not helpful here and no other extensions are needed.
Of course slapo-memberof is not *needed* for this.
But in some specific
HI!
I have the need to search a whole sub-tree for something like collective
attributes which AFAIK slapo-collect does not support.
Now I'm wondering whether it's possible to search for the virtual
attributes generated by slapo-variant. And probably I'd like to use the
regex variant.
I've
On 7/14/22 11:14, Luca Stancapiano wrote:
Hi all, I'm trying to create a user with openldap 2.4
dn: uid=rr,ou=users,dc=my-domain,dc=com
objectClass: iNetOrgPerson
uid: ii
but it doesn't seem recognize the objectClass producing this error:
adding new entry
On 7/13/22 23:35, aRaviNd wrote:
[..] authenticate users using LDAP. Authentication was working fine but after
upgrading the LDAP server to the latest version of the OS we are getting
authentication failures below are the errors showing in the log
[..]
Jul 13 20:26:52 ldap.local slapd[18572]:
On 7/11/22 20:38, Quanah Gibson-Mount wrote:
This is the second testing call for OpenLDAP 2.5.13.
make test works on openSUSE Tumbleweed x86_64.
Ciao, Michael.
On 7/11/22 10:38, Francesco Malvezzi wrote:
I am using some pwdChangedTime range queries to warn users about
password expiration.
An example filter might be:
On 7/8/22 00:05, Quanah Gibson-Mount wrote:
A minor regression was found and fixed, so testing should be done
against 23ef018c6f321413141f26ed6e1909f85047ba76 for RE26.
Still all my tests seems to work fine.
Ciao, Michael.
On 7/7/22 21:16, Quanah Gibson-Mount wrote:
This is the first testing call for OpenLDAP 2.6.3.
make test works on openSUSE Tumbleweed x86_64 with gcc 12.1.0.
python-ldap0 tests also seem to work.
Ciao, Michael.
On 7/7/22 21:15, Quanah Gibson-Mount wrote:
This is the first testing call for OpenLDAP 2.5.13.
make test works on openSUSE Tumbleweed x86_64 with gcc 12.1.0.
Ciao, Michael.
On 6/29/22 08:24, Jeffrey Walton wrote:
Microsoft AD requires a forward slash ('/') be escaped with "\\2f".
Confer, [1, 2].
[1]
https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
[2]
HI!
Is it still highly recommended to configure slapo-syncprov on read-only
consumers?
Background:
I have a tier of read-only consumers with "lastbind on" and
slapo-ppolicy configured, but no chaining to the writeable providers
(e.g. no ppolicy_forward_updates). All providers and consumers
HI!
I'm trying to get rid of this old patch by Ralf Haferkamp:
https://build.opensuse.org/package/view_file/network:ldap/openldap2/0003-LDAPI-socket-location.dif?expand=1
Background: Today Linux distros prefer that you place temporary run-time
files in a directory like
/run/
with
On 4/29/22 19:44, spark...@foxmail.com wrote:
After install the openldap (slapd) from Debian package repository
(using the version 2.4.57+dfsg-3~bpo10+1, database created by the
dpkg configuration script provide by apt), the admin user
(cn=admin,dc=example,dc=com) in could not be found either >
On 4/27/22 18:34, Quanah Gibson-Mount wrote:
This is the second testing call for OpenLDAP 2.5.12.
make test worked on openSUSE Tumbleweed x86_64 with gcc 11.2.1.
Ciao, Michael.
On 4/27/22 18:35, Quanah Gibson-Mount wrote:
This is the second testing call for OpenLDAP 2.6.2.
make test worked on openSUSE Tumbleweed x86_64 with gcc 11.2.1.
Ciao, Michael.
On 4/5/22 20:34, Howard Chu wrote:
You're talking 1970s style config file management. There's no good
reason to force a restart of a mission-critical service just to
modify its configuration.
In the same spirit I can answer:
You're talking about a 1970s style system architecture with one
On 4/5/22 17:34, Norman Gray wrote:
I've never used slapd.conf, and I'm worried I'm missing something, or
that there's an interestingly different perspective on how to
configure openldap, which I could usefully learn about.
Don't worry about missing something magical. slapd.conf and cn=config
On 4/5/22 08:10, David Timber wrote:
I know how to import schemas with cn=config. That was never a question.
I was just complaining because it's a tedious process and I believe that
it shouldn't be like this.
I also think that cn=config should not be so complicated. And I've
looked into
On 4/1/22 10:59, Ulrich Windl wrote:
Quanah Gibson-Mount wrote on 31.03.2022 at 17:45
There is no way to prevent a client from sending a BIND request to an
ldap:/// URI with the DN and password in the clear. Even if you set ssf=1
(server mandates encryption), the most that will happen is
HI!
Had a MDB database with a glue entry in it on all replicas in a
multi-provider setup (release 2.6.1). I could not update this entry anymore.
Is it possible to delete a glue entry via LDAP? All subordinate entries
were already removed before.
Ciao, Michael.
On 3/31/22 19:15, Quanah Gibson-Mount wrote:
I think the clear text bind issue in fact shows that LDAPS is
technically superior to startTLS when encryption is required. The
remaining issue is there's no RFC for it. I'd like to see that
addressed.
My attempt to resurrect the IETF ldapext WG
On 3/31/22 08:11, Ulrich Windl wrote:
I think the point was that you can bind even when not having started TLS before.
I don't know whether this can prevent it:
olcSecurity: ssf=0 update_ssf=128 simple_bind=64
You can prevent the bind operation to succeed but the clear-text
password was
On 3/30/22 19:28, Stefan Kania wrote:
That's what can be found in the FAQ on openldap.org:
https://www.openldap.org/faq/data/cache/605.html
I would trust this more than any rumors on any stack page ;)
But in this case it's the other way round. The text in the FAQ-O-MATIC
is outdated (and
On 3/25/22 15:40, thomaswilliampritch...@gmail.com wrote:
When it comes to, for example, sending a bind, a search, a bind
(different user), and a search, when I send those serially without
waiting for a response, are there any guarantees around getting
successful bind responses before search
On 3/25/22 17:29, beren beren wrote:
How can I prevent a user who has not authenticated from viewing? That
is, the query ldapsearch -x -H ldap://infra-ldap.wildberries.ru
-b "dc=test,dc=com" shows everything.
Diving into ACLs this ancient resource is still helpful:
On 3/22/22 18:21, Quanah Gibson-Mount wrote:
This is the first testing call for OpenLDAP 2.6.2.
Tested git revision 475e57281bc10e56a47021895a7b926e29ac9072 on openSUSE
Tumbleweed x86_64 (gcc version 11.2.1):
- make test worked
- unit tests of my Python module ldap0 work
Ciao, Michael.
On 3/21/22 14:39, g...@unixarea.de wrote:
Honestly, I'm a bit surprised about not getting any feedback or reply
at all. And about the low traffic in this list here in general :-(
Well, my reaction would have been that I'd recommend to rethink your
synchronous approach and rather implement an
On 3/12/22 18:52, Howard Chu wrote:
Christopher Paul wrote:
But if you're swapping out the cert, you can optionally re-key at
the same time, so I think we add to the list of TLS client best
practice: re-key when you re-cert. Right? There are no great costs
to re-keying, unless I am missing
On 3/12/22 00:02, Christopher Paul wrote:
1. RFC 4519 allows userPassword to be multi-valued and it gives some
rationale which is logical, but it also seems to lack imagination.
There seem to be more possibilities for abuse by defining
attributeType this way than legitimate use
HI!
I wonder what the operational requirements are when using
syncprov-sessionlog-source cn=accesslog
instead of the in-memory session log.
E.g. what about configured logpurge?
What happens if the accesslog DB is completely deleted?
Ciao, Michael.
On 3/2/22 11:49, Francesco Malvezzi wrote:
on a consumer I spotted a zombie entry which was deleted on provider.
Which OpenLDAP version are you using?
Replication is syncrepl:
olcSyncrepl: {0}rid=003 provider=ldap://ldap-master.example.org
binddn="cn=repluser,ou=agents,dc=example,dc=org"
On 2/24/22 08:37, Ulrich Windl wrote:
As the "pam_" prefix might indicate, try "man pam_ldap" instead.
...
Features of the PADL pam_ldap
Note that there are two different pam_ldap modules out there:
1. The ancient unmaintained PADL modules which directly send LDAP
operations and
On 2/24/22 15:00, vtejaswi...@gmail.com wrote:
Doesn't your slapdcheck also rely on cn=monitor to query LDAP Server?
Yes.
Could you explain to me on a high level how slapdcheck is interacting
with LDAP Server?
Besides accessing cn=monitor it reads the currently active configuration
from a
On 2/23/22 23:45, vtejaswi...@gmail.com wrote:
It would be interesting if there were any official Prometheus
exporter to monitor LDAP metrics.
What does "official" mean for you? Does that mean vendor support you're
willing to pay for?
Anyway...
My slapdcheck also produces OpenMetrics
On 2/23/22 22:02, Felix Natter wrote:
ldappasswd(1) is the right tool for the command-line but takes a DN to
specify the user's entry.
I tried this (which would be fine as a solution):
ldappasswd -H ldap:// -x -D \
cn=ldaptestuser1,ou=users,dc=company,dc=com -W -A -S
but it does not enforce
On 2/20/22 18:14, Felix Natter wrote:
my password policies (openldap 2.5.11) are not enforced and Roland
Gruber (author of LAM (Pro)) kindly advised me that passwords must be
stored in plaintext (Hash=PLAIN) in order to be able to enforce password
minimal length, password quality etc (i.e. when
On 2/6/22 03:19, Paul B. Henson wrote:
On Sat, Feb 05, 2022 at 09:57:15AM -0300, Andreas Hasenack wrote:
openldap also has a monitor backend IIRC, have you looked into that?
Yes, historically we've used that with icinga and munin, although we're
looking to replace munin. That doesn't provide
On 2/5/22 03:27, Paul B. Henson wrote:
Does anybody know of any good tools that can rip through an openldap log
file and analyze it, creating a report of what queries are being made
and how long they are taking to process?
ldap-stats.pl tool mentioned by Dave, is indeed very useful for
On 1/19/22 00:37, Quanah Gibson-Mount wrote:
This is the first testing call for OpenLDAP 2.6.1.
make test works on openSUSE Tumbleweed with gcc version 11.2.1.
Ciao, Michael.
On 1/3/22 20:13, Stefan Kania wrote:
That's why I build my own objectClass for posixAccount and PosixGroup:
[..]
olcObjectClasses: ( 1.3.6.1.4.1.56860.1.2.2
NAME 'stkaPosixAccount'
DESC 'advanced PosixAccount for dynamic use'
SUP posixAccount
AUXILIARY
MAY ( memberUID ) )
On 1/3/22 21:39, kevin martin wrote:
yes, I'm aware of the 2.5.9 comment.
So why you're still trying with 2.5.7? It was not just a comment. It was
good advice.
is that why I can't use pwdAccountLockedTime or is it simply to get
me to the latest patched version?
You should really take
On 12/21/21 19:59, Stefan Kania wrote:
but I think that GSSAPI is not compiled in to the symas packages.
Not true.
It is linked against heimdal libs from package symas-heimdal-libs:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x7f6d63716000)
On 12/4/21 14:36, Dave Macias wrote:
What you mean by 2.6 should be capable of dumping 2.4 dbs?
If you have 2.4 .mdb files 2.6 should be capable of exporting the
database to LDIF. It might be worth to check whether 2.6 adds the XX
chars too.
Ciao, Michael.
On 12/4/21 14:17, Dave Macias wrote:
I forgot to mention that the source of the sha512 data.ldif is from a
v2.4 environment. If that has any relevance.
So I slapcat the 2.4 data, massage it for all the new overlays we want
to use, and slapadd it to my v2.6 environment.
2.6 should be capable
On 12/2/21 09:34, Ulrich Windl wrote:
I have a question: When using ppolicy, is there a simple way for a
user to detect that he/she is "on grace logins", i.e. the password
has to be changed soon?
The LDAP client has to send the appropriate request control and handle
the response control
On 12/1/21 18:43, Quanah Gibson-Mount wrote:
If you want to use "authTimestamp", you need the fix.
If you don't want to use "authTimestamp" and pwdLastSuccess is
sufficient, you don't need the fix nor do you need to load the lastbind
contrib module.
Even if you want to set 'pwdLastSuccess'
On 12/1/21 15:34, A. Schulze wrote:
Let me explain my understanding of operating an identity-provider.
- identity-provider = OpenLDAP-Server
- service-provider = dovecot / apache/nginx for example
Well, personally I'd avoid this terminology but well..
- client= MUA / Webbrowser
On 11/29/21 19:47, Dave Macias wrote:
Was attempting to add lastbind module but get error:
Maybe you're hitting this one:
https://bugs.openldap.org/show_bug.cgi?id=9725
Ciao, Michael.
HI!
Hmm, I cannot see what I'm doing wrong here. Compiling other contrib
modules works just fine.
$ make -B -C contrib/slapd-modules/acl now
make: Entering directory
'/home/michael/src/openldap-git/re26/openldap/contrib/slapd-modules/acl'
gcc now.c -o now
now.c:28:10: fatal error:
On 11/26/21 23:34, A. Schulze wrote:
using slapo-ppolicy I could configure slapd to hash a password if
it's sent unhashed.
[..]
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicies,dc=test"
ppolicy_hash_cleartext
[..]
That work and I could hash them using ARGON2.
[..]
Is it possible to
On 11/16/21 19:09, bourgu...@gmail.com wrote:
but if I do same request for my own dn DB o=.be, I get following output :
contextCSN: 2026155042.534901Z#00#001#00
contextCSN: 2026153150.449895Z#00#002#00
for me I should receive 003 & 004 ones too as they are in
HI!
Since the fix for ITS#9575 there is this misleading message even when
invoking slapcat:
/opt/openldap-ms/etc/openldap/slapd.conf: line 126: setting password
scheme in the global entry is deprecated. The server may refuse to start
if it is provided by a loadable module, please move it to
On 10/20/21 09:43, Bastian Tweddell wrote:
On 19Oct21 18:17+0200, Michael Ströder wrote:
Find below ae-slapd.service generated by Æ-DIR's ansible role.
PIDFile=/run/ae-dir/slapd/slapd.pid
still need a pidfile?
Probably not.
(I'm also following the current discussion on systemd-devel
On 10/20/21 09:31, Ulrich Windl wrote:
Wondering about "LimitNOFILE=96": Wouldn't that limit the open sockets
(connections) as well?
Sorry, I fetched the example from a memory-constrained demo server on
which I deliberately configured really low resource usage values to
provoke hitting
On 10/19/21 17:10, Quanah Gibson-Mount wrote:
--On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson"
wrote:
I'm testing openldap 2.5 in preparation for migration my production
services, and I noticed that the 2.5 RPMs no longer create an ldap user
and instead run slapd as root by
On 10/7/21 13:51, Dario García Díaz-Miguel wrote:
We have a LDAP group that should be able to vi, tail and less all the
files contained inside /var/log/
Bad idea because less and vi let the user escape to shell.
We are thinking about using wildcards but it seems that the wildcards
that works
On 9/28/21 21:12, Quanah Gibson-Mount wrote:
> This is the second testing call for OpenLDAP 2.6.0 Release.
make test seems to work on openSUSE Tumbleweed.
Ciao, Michael.
On 9/28/21 17:27, Bastian Tweddell wrote:
>> Michael Ströder wrote:
>>> I'm adapting my mtail program for log-based slapd metrics for release 2.5.
>>>
>>> 2.5 introduces qtime= and etime= in RESULT lines. Great!
>>>
>>> I could easily grab h
HI!
I'm adapting my mtail program for log-based slapd metrics for release 2.5.
2.5 introduces qtime= and etime= in RESULT lines. Great!
I could easily grab histogram metrics for both but that doubles
time-series data in Prometheus.
So I wonder what's the difference? Is it worth to always look
On 9/27/21 10:40, Challa N Kumar Reddy wrote:
> <= str2entry: str2ad(olcDbMaxSize): attribute type undefined
> slapadd: could not parse entry (line=665)
The attribute type 'olcDbMaxSize' is hard-coded in back-mdb.
=> I guess you did not load back-mdb module in your config.
Ciao, Michael.
On 9/23/21 10:32, Viggo Simonsen wrote:
> I am trying to uplift a very old adaptation of OpenLDAP from 2.3.20 to
> 2.4.50.
What does "adaptation" mean?
> I first tried a one-step approach, cherry-picking my delta, based on
> 2.3.20 into 2.4.50 - but that was a daunting task, given that there is
On 9/23/21 17:36, Dave Macias wrote:
> Option -d sends messages to stderr which most times are sent to
> systemd-journald but without syslog facility applied.
>
> Thank you for the reply
> That makes sense as to why when setting rsyslog as "*.*
> /var/log/slapd/slapd.log" i would get all
On 9/23/21 16:22, Dave Macias wrote:
> If i change the service file with (-d 256):
> ExecStart=/opt/symas/lib/slapd -d 256 -h ${SLAPD_URLS} $SLAPD_OPTIONS
>
> I get at least these msgs:
> [..]
Option -d sends messages to stderr which most times are sent to
systemd-journald but without syslog
On 9/22/21 12:39, Challa N Kumar Reddy wrote:
> c. navigate to /u01/ldap and executed the command below,
> sbin/slapadd -n 0 -F /u01/ldap/etc/slapd.d -l
> /u01/ldap/etc/openldap/slapd.ldif
>
> But getting an error message issue the above command
As I've already asked you before in the ticket
On 9/21/21 14:20, Ángel L. Mateo Martínez wrote:
> I'm configuring an application using my openldap and I'm seeing
> queries I didn't know them before. The queries are like this:
> filter="(|(objectClass=groupOfNames)(?objectClass=container)..
This indicates that the name of the object class
On 9/8/21 17:45, Quanah Gibson-Mount wrote:
>
>
> --On Wednesday, September 8, 2021 5:25 PM +0200 Ondřej Kuzník
> wrote:
>
>> On Wed, Sep 08, 2021 at 03:37:23PM +0200, Michael Ströder wrote:
>>>> The most significant difference for slapd is the ability
On 9/7/21 20:02, Quanah Gibson-Mount wrote:
>
>
> --On Tuesday, September 7, 2021 8:57 PM +0200 Michael Ströder
> wrote:
>
>> On 9/7/21 19:01, Quanah Gibson-Mount wrote:
>>> This is the first testing call for OpenLDAP 2.6.0 Release.
>>
>> FWIW: make
On 9/7/21 19:01, Quanah Gibson-Mount wrote:
> This is the first testing call for OpenLDAP 2.6.0 Release.
FWIW: make test worked on openSUSE Tumbleweed x86_64.
But what are the main differences compared to 2.5.7?
Ciao, Michael.
On 8/31/21 12:26, Howard Chu wrote:
> Michael Ströder wrote:
>> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
>> to "overlay dynlist" and it just works. Nice. :-)
>>
>> But the existing database then still contains the 'm
On 8/31/21 12:14, Michael Ströder wrote:
> It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
> to "overlay dynlist" and it just works. Nice. :-)
>
> But the existing database then still contains the 'memberOf' attribute
> values.
>
>
HI!
It's easy to change the config of OpenLDAP 2.5 from "overlay memberof"
to "overlay dynlist" and it just works. Nice. :-)
But the existing database then still contains the 'memberOf' attribute
values.
Ideally one should reload the database. But if anything fails:
Does it do any harm if
ges you're using
- detailed example data
In my personal experience in customer projects migrating to back-mdb is
a no-brainer.
Just do it now.
Ciao, Michael.
>>>> Michael Ströder wrote on 25.08.2021 at 13:43 in
> message <62996401-b45d-898d-3b6b-eab38b80a...@stroeder.com>
HI!
This is an important note to those who run OpenLDAP slapd based on
openSUSE or SLE packages, especially Tumbleweed:
If you're still using OpenLDAP 2.4 or earlier with back-bdb or back-hdb
then migrate to back-mdb now because OpenLDAP 2.5 packages won't support
these backends anymore!
On 8/25/21 12:46 PM, A. Schulze wrote:
> I took over a service using the Perl NET::LDAPapi. Now I fail to establish an
> LDAPS connection.
> Does anybody know if that's even supported and if so, how I've to setup that?
What did you try and what failed?
Below here I assume you're probably
On 8/18/21 8:09 PM, proj...@openldap.org wrote:
> OpenLDAP 2.5.7 is now available for download as detailed on our download page:
As usual you can find packages for several openSUSE/SLE versions in this
OBS project:
https://build.opensuse.org/project/show/home:stroeder:openldap25
Feedback
On 8/16/21 7:34 PM, Quanah Gibson-Mount wrote:
> This is the first testing call for OpenLDAP 2.5.7.
make test works on openSUSE Tumbleweed x86_64 (cc version 11.1.1).
python-ldap0 tests also work.
Ciao, Michael.
On 8/13/21 1:51 AM, Howard Chu wrote:
> Michael Ströder wrote:
>> HI!
>>
>> Frankly I forgot whether I asked this before:
>>
>> Let there be ACLs with dn.regex="..", attrs=foo,bar and val.regex=".."
>> in the clauses.
>>
>>
On 8/12/21 7:46 AM, Ulrich Windl wrote:
>>>> Michael Ströder wrote on 11.08.2021 at 15:58 in
> message <68f0b325-4ad4-7b86-d5be-a6a98aa07...@stroeder.com>:
>> HI!
>>
>> How to profile performance of different ACLs?
>>
>> In theory o
On 8/11/21 7:59 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> I'm looking at a Prometheus graph of cn=Read,cn=Waiters,cn=Monitor
>> (slapd 2.4.59).
>>
>> The object class is monitorCounterObject, the attribute is called
>> monitorCounter.
>>
>> I
HI!
I'm looking at a Prometheus graph of cn=Read,cn=Waiters,cn=Monitor
(slapd 2.4.59).
The object class is monitorCounterObject, the attribute is called
monitorCounter.
If it's a counter I'd expect the value to only increase.
But the graph shows decreasing values!?!
What's the exact meaning
HI!
Frankly I forgot whether I asked this before:
Let there be ACLs with dn.regex="..", attrs=foo,bar and val.regex=".."
in the clauses.
Obviously depending on complexity of regex-pattern and length of DNs /
avals the regex checking is more expensive than equality checking of attrs=.
Can I
HI!
How to profile performance of different ACLs?
In theory one could run slapd with debug symbols under control of a
profiler for C code. But personally I don't have a clue which ACL
processing entry points to examine more closely.
Another approach could be to derive metrics from acl-loglevel
On 8/7/21 1:34 PM, Howard Chu wrote:
> Michael Ströder wrote:
>> On 8/7/21 9:58 AM, Michael Ströder wrote:
>>> On 8/7/21 12:02 AM, Quanah Gibson-Mount wrote:
>>>> With OpenLDAP 2.5.7 and later it is possible to export a 2.4
>>>> database with slapcat in al
On 8/7/21 9:58 AM, Michael Ströder wrote:
> On 8/7/21 12:02 AM, Quanah Gibson-Mount wrote:
>> With OpenLDAP 2.5.7 and later it is possible to export a 2.4
>> database with slapcat in all circumstances.
>
> This will be very helpful because downstream packagers won't
On 8/7/21 12:02 AM, Quanah Gibson-Mount wrote:
> --On Friday, August 6, 2021 11:49 PM +0100 Howard Chu
> wrote:
>> Just to be clear, the current upgrade doc is a bit paranoid. A 2.4 DB is
>> forward compatible with 2.5. But 2.5 allows you to configure new DB
>> parameters
>> that would make it
On 8/6/21 11:01 PM, Quanah Gibson-Mount wrote:
> --On Saturday, July 31, 2021 7:05 PM +0200 Michael Ströder
> wrote:
>
>> Can I find out the disk format version in any way, e.g. with python-lmdb?
>
> The id2v DB only exists in OpenLDAP 2.5 databases. However, stay tuned
On 8/2/21 11:00 AM, Ulrich Windl wrote:
>>>> Michael Ströder wrote on 02.08.2021 at 09:57 in
> message <59abdf98-65a4-5bb4-fffb-f13849697...@stroeder.com>:
>> On 8/2/21 8:06 AM, Ulrich Windl wrote:
>>>>>> Michael Ströder schrieb am 31.07.2021 um
On 8/2/21 8:06 AM, Ulrich Windl wrote:
>>>> Michael Ströder wrote on 31.07.2021 at 18:05 in
> message <60ec1d1e-a2be-95a2-c9c4-24ecd9b4f...@stroeder.com>:
>> As far as I understood the MDB disk format changed. So the MDB files
>> have to be re-created (eith
On 7/31/21 8:41 PM, A. Schulze wrote:
> On 31.07.21 at 18:05, Michael Ströder wrote:
>> As far as I understood the MDB disk format changed.
>
> I'm also start testing openldap-2.5, so could you provide a reference for
> that claim?
Section B.8 in [1] says:
"Due to
HI!
As far as I understood the MDB disk format changed. So the MDB files
have to be re-created (either by simply removing/replicating or
slapcat/slapadd). Right?
Now I'm wondering how to automate things (with ansible and puppet) in a
truly idempotent way. Ideally I could determine whether
On 7/27/21 8:31 PM, proj...@openldap.org wrote:
> OpenLDAP 2.5.6 is now available
As usual you can find packages for several openSUSE/SLE versions in this
OBS project:
https://build.opensuse.org/project/show/home:stroeder:openldap25
Feedback welcome!
Notes:
- The packages are still considered