Re: issues with equality matching and slapd death

2018-09-27 Thread Christopher Paul
On 9/26/18 5:02 PM, Michael Ströder wrote: Ah, you're right. But slapd should not have crashed during that operation. @Chris: Could you reproduce all that with a recent OpenLDAP release? Yes, sure. It will be a few days though. CP

Re: issues with equality matching and slapd death

2018-09-27 Thread Christopher Paul
On 9/27/18 4:40 PM, Quanah Gibson-Mount wrote: --On Wednesday, September 26, 2018 3:27 PM -0400 Chris Paul wrote: One more detail: I know "replace" will work but "add" would be more convenient. Also, python-ldap does not support ldap.MOD_REPLACE apparently. Python has certainly worked

Re: issues with equality matching and slapd death

2018-09-28 Thread Christopher Paul
On 9/28/18 10:11 AM, Quanah Gibson-Mount wrote: If you read back on my earlier responses, you'll note I mentioned "normalization" of the values. Basic breakdown: If an attribute is defined in the schema with an EQUALITY rule, then the values get normalized. If an attribute is defined in the

Re: issues with equality matching and slapd death

2018-09-28 Thread Christopher Paul
On 9/27/18 6:53 PM, Quanah Gibson-Mount wrote:
> > And this strategy would work just fine, because it deletes all values before doing the add. It's essentially what the REPLACE op does anyway.
> > --Quanah
Well yeah it works now, after adding the EQUALITY rule to the attribute(*). Can

Re: send_ldap_response: ber write failed

2018-12-27 Thread Christopher Paul
On 12/27/18 6:04 AM, Howard Chu wrote: The client is closing the connection before slapd has finished sending the response. Doesn't really mean anything, besides poorly written clients on your network. 1. I've seen this a lot. I would say that over half of all client software LDAP interfaces

Re: Issues with OpenLdap using OpenTLS

2020-01-02 Thread Christopher Paul
On 1/2/20 8:36 AM, Dunne, Kenneth wrote: All I am able to connect to my home-built OpenSSL installation (from Dec-19 sources) on CentOS-7 without the TLS bind [...] TLS trace: SSL_connect:SSLv2/v3 write client hello A tls_read: want=7, got=0 Hey Ken, is port 636 open on the

mdb_opinfo_get: err MDB_READERS_FULL: Environment maxreaders limit reached(-30790)

2020-09-08 Thread Christopher Paul
Hello OpenLDAP-Technical, I am running slamd tests against OpenLDAP 2.4.44 (RHEL7; client is RHEL shop so stuck for now at this version). I realize that olcThreads: 128 is probably overkill for most systems, but when I tried it, I got the captioned error. The max that olcThreads can be set to

Re: mdb_opinfo_get: err MDB_READERS_FULL: Environment maxreaders limit reached(-30790)

2020-09-08 Thread Christopher Paul
On 9/8/20 2:01 PM, Quanah Gibson-Mount wrote: Symas provides free, drop-in replacements for RHEL7.  Your client should be using that instead.  Spending time on OpenLDAP 2.4.44 is an utter waste of time and effort.  Alternatively, use the builds from the LTB project.  But there's zero reason

Re: "rootDN must be defined before syncrepl may be used" and rootDN, rootpw in general

2020-09-17 Thread Christopher Paul
On 9/17/20 8:04 AM, Quanah Gibson-Mount wrote: The rootdn does not require a password, and most deployments don't set one, Head smack! Ah... shoulda checked that. Thanks Quanah!

"rootDN must be defined before syncrepl may be used" and rootDN, rootpw in general

2020-09-17 Thread Christopher Paul
Salutations OpenLDAP-Technical, I am thinking of rootDN and how I'm not a big fan of it. You don't need rootDN to configure OpenLDAP (assuming you first load OLC with slapadd). You don't need it to configure OLC if you've set up access to it for admin accounts. It ends up being one shared

warning in SLAPO_PPOLICY(5) regarding ppolicy_hash_cleartext

2021-03-22 Thread Christopher Paul
Hello, I read the warning in SLAPO_PPOLICY(5) regarding ppolicy_hash_cleartext: "It is recommended that when this option is used that compare, search, and read access be denied to all directory users". Am I correct to presume that this means that the compare, search, read access be denied
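The access-control shape the SLAPO_PPOLICY(5) warning asks for, as an added example (not code from the thread or from the OpenLDAP project). It assumes a cn=config layout with the data database at olcDatabase={1}mdb and the ppolicy overlay already instantiated at olcOverlay={0}ppolicy; both names are assumptions to adjust. The ACL denies read, search and compare on userPassword to every identity, while still allowing binds ("auth") and self-service password changes ("=xw" is exactly auth plus write, with no read or compare):

```ldif
# Added example, not from the thread. Adjust the database and overlay RDNs.
# 1. Turn on hashing of cleartext passwords sent in Add/Modify operations.
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE

# 2. The ACL from the SLAPO_PPOLICY(5) warning: nobody may read, search or
#    compare userPassword. The owner gets "=xw" (auth + write only, so the
#    Password Modify extended op and a self Modify still work, but the user
#    cannot read the value back); anonymous gets "auth" so binds work;
#    everyone else gets nothing.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self =xw by anonymous auth by * none
olcAccess: {1}to * by self write by users read by anonymous auth
```

Note that `replace: olcAccess` overwrites the whole ACL list of that database, so merge the first rule into an existing list rather than applying this verbatim on a server that already has ACLs. To check the effect, bind as an ordinary user and request `userPassword` with `ldapsearch`; the attribute should not come back, and an `ldapcompare` on it should not succeed, while `ldappasswd` run as that user should still change the password.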

Re: OpenLDAP 2.6.0 testing call

2021-09-07 Thread Christopher Paul
All tests (with "--enable-balancer") passed for:
- Rocky Linux 8.4
- RedHat 8.3
- Mac OS Catalina (10.15.7)
Chris Paul Rex Consulting, Inc email: chris.p...@rexconsulting.net web: http://www.rexconsulting.net phone, toll-free: +1 (888) 403-8996 ext 1 On 9/7/21

Re: Antw: [EXT] openldap ppolicy pwdAccountLockedTime

2022-01-03 Thread Christopher Paul
On 12/27/21 3:04 AM, Ulrich Windl wrote: I found out the hard way: When all grace logins were consumed after the user should have changed the password, the user can no longer log in (and he/she cannot change the password either). Future people reading this list may benefit from knowing

Re: DirSync support in OpenLDAP

2021-11-10 Thread Christopher Paul
On 11/10/21 7:49 AM, Quanah Gibson-Mount wrote: See , specifically the section entitled "New replication protocols". Hi Quanah, Saw the announcement, but is there any

slapo-translucent and syncprov

2022-03-13 Thread Christopher Paul
Hello openldap-technical, I am wondering about slapo-translucent and syncprov. I am using it to merge RFC2307bis data with an upstream Active Directory Service. It seems to work pretty well. But I notice that the entries added do not get entryuuid or entrycsn values. I guess this sort of

secrets storage: userPassword,TLS keys best practices

2022-03-11 Thread Christopher Paul
Hello openldap-technical, I'm wondering what the OpenLDAP-technical World thinks about LDAP authentication secrets. A couple observations and questions: 1. RFC 4519 allows userPassword to be multi-valued and it gives some rationale which is logical, but it also seems to lack imagination.

Re: secrets storage: userPassword,TLS keys best practices

2022-03-12 Thread Christopher Paul
On 3/11/22 5:01 PM, Michael Ströder wrote: You cannot modify the standard schema. But you can use overlay slapo-constraint to limit the number of userPassword values to 1. Thanks. This is useful, Michael. You're speaking about TLS client certs? In theory you could use libldap linked to OpenSSL

Re: secrets storage: userPassword,TLS keys best practices

2022-03-12 Thread Christopher Paul
On 3/12/22 4:26 AM, Howard Chu wrote: The LDAP Password Policy spec requires userPassword to store only 1 value. But simple auth will still work for all of them if someone manually adds others right? You can generate short lifetime certs easily enough but keys tend to still be long lived.
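The slapo-constraint configuration mentioned two messages up, written out as an added example (not code from the thread or from the OpenLDAP project). It assumes cn=config, a data database at olcDatabase={1}mdb, and that overlays are loaded as dynamic modules from the default module path; all three are assumptions. The `count` constraint type makes slapd reject any Add or Modify that would leave more than one value in userPassword, which is how you enforce the single-value behaviour the Password Policy spec expects even though the standard schema declares the attribute multi-valued:

```ldif
# Added example, not from the thread. Skip the module record if overlays are
# compiled into slapd statically.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: constraint.la

# Instantiate the constraint overlay on the data database and cap
# userPassword at one value. A Modify that adds a second value fails with
# constraintViolation instead of leaving two bindable secrets on the entry.
dn: olcOverlay=constraint,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: userPassword count 1
```

The constraint is only enforced on operations that pass through the overlay, so run `slapcat` and check for entries that already carry several userPassword values before enabling it; existing extra values stay bindable until removed.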

RE: RE25 testing call #1 (OpenLDAP 2.5.13)

2022-07-07 Thread Christopher Paul
make test worked on RedHat 8.6 with gcc version 8.5.0 Chris Paul | Rex Consulting | https://www.rexconsulting.net

RE: RE26 testing call #1 (OpenLDAP 2.6.3)

2022-07-07 Thread Christopher Paul
make test works on RedHat 8.6 with gcc version 8.5.0

dirSync syncrepl_dirsync_message: unknown attributeType member;range=1-1

2022-07-08 Thread Christopher Paul
Hello OpenLDAP-Technical, I am testing the dirSync replication. I am trying to replicate Active Directory (Windows Server 2019) -> OpenLDAP 2.5.12 from symas-openldap-servers-2.5.12-1.el8.x86_64 RPM on RedHat 8.6. Group members are not replicating, and I am seeing this error:

RE: dirSync syncrepl_dirsync_message: unknown attributeType member;range=1-1

2022-07-09 Thread Christopher Paul
> No bug. Use the attributeoptions config directive to define range= as a valid attribute option.
Beautiful; works like a champ! Thanks, Howard!

OpenLDAP stats logging performance degradation

2022-12-30 Thread Christopher Paul
Hello OpenLDAP-Technical, Using the oldie but goodie LDAP performance testing tool, SLAMD, I've been doing performance tests. What I found was that stats logging (olcLogLevel: 256) degrades performance significantly. A pity, because it is recommended in the manual. Also, it considered very

RE: Queries regarding Openldap migration from 2.4.51 to 2.6.2

2023-01-11 Thread Christopher Paul
Hi Nagesh,
1. Your 2.4.x won't be supported here.
2. See slapcat and slapadd to dump and reload your DB from BDB to MDB
3. See "mdb_stat/dump/copy/load"
Chris Paul | Rex Consulting | https://www.rexconsulting.net
Hi Team, We are migrating openldap from 2.4.51 to 2.6.2 and we

RE: OpenLDAP stats logging performance degradation

2023-01-03 Thread Christopher Paul
Hi Shawn, Quanah,
> I concur with Quanah. Use the 2.6 logger. My tests w/ a log level of sync (which includes stats), showed a perf boost of approximately a factor of 2.
I am playing with this now. I will let you know the results.
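What "use the 2.6 logger" looks like in cn=config, as an added example (not code from the thread or from the OpenLDAP project). The log path is an assumption, and the interpretation of the three olcLogFileRotate fields as maximum file count, maximum size in MB and rotation interval in hours is taken from the 2.6 slapd-config(5) description and should be checked against the man page of the installed release. The first record is the syslog-routed setup the thread measured; the second keeps the same `stats` level but has slapd write the file itself and skip syslog:

```ldif
# Added example, not from the thread.
# Before: olcLogLevel stats (256) with no olcLogFile, so every line goes
# through syslog(3). This is the configuration the thread found slow.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

# After (OpenLDAP 2.6+): same log level, but slapd appends to its own file,
# olcLogFileOnly suppresses the syslog path entirely, and rotation is done
# by slapd (assumed field order: max files, max MB per file, hours).
dn: cn=config
changetype: modify
replace: olcLogFile
olcLogFile: /var/log/slapd/slapd.log
-
replace: olcLogFileOnly
olcLogFileOnly: TRUE
-
replace: olcLogFileRotate
olcLogFileRotate: 7 100 24
```

The slapd service account needs write access to the log directory, and because the file is no longer handled by syslog, anything that previously forwarded slapd's syslog stream (a SIEM collector, for instance) has to be pointed at the new file instead.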

idea for possible RFE: universally unique connection IDs

2023-04-28 Thread Christopher Paul
Hello OpenLDAP-Technical, I would like to seek comments on an idea I have had for a while. Does anyone agree with me that it would be nice if connection IDs were uuids? Because when your slapd restarts, your monitoring system has no good way to track one "conn=1000" from another one (or from

RE: Slow Search?

2023-04-11 Thread Christopher Paul
> of 1 attribute with a scope of 1 and a base of that flat ou is taking 6.2 seconds. Is that to be expected?
Hey Brad, I have found that the response time on a flat branch relates directly and proportionally to nentries in that branch. And I am sure that this is the case with other vendor

RE: Rotating olcRootPW

2023-07-13 Thread Christopher Paul
> -Original Message-
> From: thomaswilliampritch...@gmail.com
> Sent: Wednesday, July 12, 2023 6:34 PM
> To: openldap-technical@openldap.org
> Subject: Rotating olcRootPW
I don't see the usefulness for a root password. Root = anonymous super user. Do you really want all your

RE: What drives CPU usage spikes?

2023-06-23 Thread Christopher Paul
> -Original Message-
> From: Quanah Gibson-Mount
> we usually have closer to 2k-3k concurrent connections. The total number of initiated operations during the time frame was also within normal range. There was also nothing unusual about amount of network traffic, it fit right in

RE: Proposal to strengthen slapd EXTERNAL authentication

2023-06-27 Thread Christopher Paul
> The point of a certificate-based authentication system is not to have to implement authentication rules for each and every individual user. An LDAP server should only trust certificates issued by a single CA; that CA should only be issuing certs to valid users. Ideally, the LDAP server

RE: Debugging TLS negotiation failure

2023-05-11 Thread Christopher Paul
> -Original Message-
> From: terry.lem...@dell.com
> Sent: Thursday, May 11, 2023 1:10 PM
> To: openldap-technical@openldap.org
> Subject: Re: Debugging TLS negotiation failure
>
> I'm using a self-signed server certificate, so no CA should be involved. Not sure if that is causing the

RE: Debugging TLS negotiation failure

2023-05-11 Thread Christopher Paul
> -Original Message-
> From: Philip Guenther
> Sent: Thursday, May 11, 2023 2:06 PM
> To: Christopher Paul
> Cc: terry.lem...@dell.com; openldap-technical@openldap.org
> Subject: RE: Debugging TLS negotiation failure
>
> > Not sure if that is ca

RE: RE25 testing call (2.5.17) #1

2024-01-21 Thread Christopher Paul
(With the latest update) All tests pass for 2.5.17 on "Slackware 15.0 x86_64" Linux kernel 5.15.117-xen #1 SMP PREEMPT Wed Aug 9 20:22:02 PDT 2023 x86_64 Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz GenuineIntel GNU/Linux Chris Paul | https://www.rexconsulting.net

Re: Transitioning from slapd.conf to slapd.d, best practices for maintaining configuration comments?

2023-12-01 Thread Christopher Paul
On Thu, 30 Nov 2023 at 16:06, Bastian Tweddell wrote: Please also note [1]: ``` The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release. ``` Is this already on the roadmap

Re: timeout and network-timeout values of zero for syncrepl in LAN replication

2024-04-17 Thread Christopher Paul
On 4/17/2024 11:24 PM, Howard Chu wrote: timeout has nothing to do with the duration of an operation. I'm confused then. Manual page ldap.conf(5) states: TIMEOUT Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is

Re: timeout and network-timeout values of zero for syncrepl in LAN replication

2024-04-17 Thread Christopher Paul
On 4/18/2024 11:30 AM, Howard Chu wrote: An LDAP operation may have more than one response. Search operations often do, extended ops may as well. The timeout is waiting for any response, not just the operation result. Ah, that makes sense now. Thanks, Howard! -- Chris Paul | Rex Consulting

Re: How to properly monitor MDB usage

2024-05-07 Thread Christopher Paul
I think the question relates to the fact that "Used" pages are not always *actually* in use. But it seems that this is not a very important question. The important thing to monitor is that the percentage of used does not get close to the max. But also, note that the maxsize can be larger than
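A monitoring check for the two limits discussed in this thread and in the MDB_READERS_FULL thread above, as an added example (it is not code from the thread or from the OpenLDAP project). It parses the "Environment Info" block that `mdb_stat -e <dbdir>` prints; the field labels follow that tool, but the sample output embedded below is constructed, with made-up numbers, so the script runs offline. "Number of pages used" is the high-water mark of the map (freed pages are recycled, not returned), which is exactly why the thing to alarm on is its distance from "Max pages" (olcDbMaxSize divided by the page size) rather than its absolute value; the reader-slot check catches the situation where olcThreads plus other readers exhaust "Max readers" and the next transaction fails with MDB_READERS_FULL:

```sh
#!/bin/sh
# Added example, not from the thread. Parses `mdb_stat -e` output and warns
# when map pages or reader slots approach their limits.

# Constructed sample of `mdb_stat -e /var/lib/ldap` output (values made up;
# the field names are the ones mdb_stat prints).
SAMPLE_MDB_STAT='Environment Info
  Map address: (nil)
  Map size: 10737418240
  Page size: 4096
  Max pages: 2621440
  Number of pages used: 2359296
  Last transaction ID: 7719021
  Max readers: 126
  Number of readers used: 119
Status of Main DB
  Tree depth: 1
  Branch pages: 0
  Leaf pages: 1
  Overflow pages: 0
  Entries: 15'

# mdb_field LABEL: print the value of LABEL from mdb_stat text on stdin.
# Leading indentation is stripped before comparing the label.
mdb_field() {
    awk -F': ' -v key="$1" '{ sub(/^ +/, "", $1) } $1 == key { print $2; exit }'
}

# mdb_pct USED MAX: integer percentage, rounded down.
mdb_pct() {
    printf '%s\n' $(( $1 * 100 / $2 ))
}

# mdb_check [THRESHOLD_PCT] < mdb_stat-output
# Prints one WARN line per exceeded limit; returns 1 if any limit is hit.
mdb_check() {
    threshold=${1:-80}
    out=$(cat)
    max_pages=$(printf '%s\n' "$out" | mdb_field "Max pages")
    pages_used=$(printf '%s\n' "$out" | mdb_field "Number of pages used")
    max_readers=$(printf '%s\n' "$out" | mdb_field "Max readers")
    readers_used=$(printf '%s\n' "$out" | mdb_field "Number of readers used")
    rc=0

    # Map usage: once this reaches 100% every write fails with MDB_MAP_FULL,
    # so raise olcDbMaxSize (and restart slapd) well before that.
    page_pct=$(mdb_pct "$pages_used" "$max_pages")
    if [ "$page_pct" -ge "$threshold" ]; then
        echo "WARN: ${page_pct}% of max pages used (${pages_used}/${max_pages}); raise olcDbMaxSize"
        rc=1
    fi

    # Reader slots: slapd threads and external readers (slapcat, mdb_stat)
    # each take one; when they are gone the error is MDB_READERS_FULL.
    reader_pct=$(mdb_pct "$readers_used" "$max_readers")
    if [ "$reader_pct" -ge "$threshold" ]; then
        echo "WARN: ${readers_used}/${max_readers} reader slots in use; MDB_READERS_FULL is near"
        rc=1
    fi
    return $rc
}

# Live use:   mdb_stat -e /var/lib/ldap | mdb_check 80
# Offline demonstration on the constructed sample:
if printf '%s\n' "$SAMPLE_MDB_STAT" | mdb_check 80; then
    echo "OK: MDB environment within limits"
else
    echo "ACTION NEEDED: see warnings above"
fi
```

On a live server `mdb_stat` itself takes a reader slot for the duration of the call, so if the check reports reader exhaustion, run it again a moment later before acting on it; a persistent high count usually means a client holding long searches open or an olcThreads value larger than the environment's maxreaders allows.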

Re: how to identify users or service accounts that have write access

2024-05-07 Thread Christopher Paul
On 5/7/2024 2:09 PM, kalybox2...@gmail.com wrote: In openldap 2.4, how to identify users or service accounts that have write access. Can we do ldapsearch and find out? Hi Kalybox2020, I would recommend reading the documentation like the Admin guide and the on-line manuals. There's more than

Re: Configure replication without a plaintext password.

2024-03-08 Thread Christopher Paul
Using X.509 (sasl external) is super easy (once you figure it out, like a lot of this stuff), and is nice because you are not relying on a KDC, and no passwords need displayed in your syncrepl configs. From: brendan kearney Sent: Friday, March 8, 2024 10:09 AM
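The configuration the message above refers to, as an added example (not code from the thread or from the OpenLDAP project). Hostnames, file paths, DNs and the certificate subject layout are all assumptions; the provider is assumed to already have the syncprov overlay and a working server certificate. The consumer binds with SASL EXTERNAL over TLS, so its identity is the subject DN of its client certificate, and the only secret involved is the consumer's private key file, which never appears in the directory or in olcSyncrepl:

```ldif
# Added example, not from the thread. Apply the first part on the provider
# and the second part on the consumer.

# --- Provider ---
# Trust only the internal CA for client certificates and ask clients for one.
# "try" verifies a certificate when presented but still admits clients that
# send none (so password-based clients keep working); use "demand" to
# require one from everybody.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/internal-ca.pem
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
-
# Map the certificate subject (as slapd renders it, e.g.
# cn=replica2,ou=replicas,o=example) onto an entry in the directory.
add: olcAuthzRegexp
olcAuthzRegexp: {0}^cn=([^,]+),ou=replicas,o=example$
  cn=$1,ou=replicas,dc=example,dc=com

# Let that entry read the whole database without size/time limits.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: {0}dn.exact="cn=replica2,ou=replicas,dc=example,dc=com"
  size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited
-
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=replica2,ou=replicas,dc=example,dc=com" read by * break

# --- Consumer ---
# No binddn/credentials: the TLS client certificate is the credential.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldaps://ldap1.example.com
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cert=/etc/openldap/certs/replica2.crt
  tls_key=/etc/openldap/certs/replica2.key
  tls_cacert=/etc/openldap/certs/internal-ca.pem
  tls_reqcert=demand
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="30 +"
```

Before enabling replication, confirm the mapping from the consumer host with `LDAPTLS_CERT=/etc/openldap/certs/replica2.crt LDAPTLS_KEY=/etc/openldap/certs/replica2.key ldapwhoami -H ldaps://ldap1.example.com -Y EXTERNAL`; it should print the mapped directory DN, not the raw certificate subject. Keep the private key file readable only by the slapd service account, and remember the point raised in the EXTERNAL-authentication thread above: the whole scheme is only as strong as the discipline of the CA that issues those client certificates, so it must be a dedicated internal CA, not a public one.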

RE: Configure replication without a plaintext password.

2024-03-08 Thread Christopher Paul
ication without a plaintext password.
> Christopher Paul,
> https://www.openldap.org/faq/data/cache/1504.html, are you talking about this configuration?

RE: [EXTERNAL] how to migrate an openldap server to a new linux server

2024-03-25 Thread Christopher Paul
In several organizations where I worked without root access, I requested sudo permissions for slapcat. But to not have a shell, that makes life more difficult. Maybe you could get root to set up a cron to dump the extract using slapcat and deliver it somehow. Chris Paul |

RE: Help debugging slave slapd issues

2024-03-25 Thread Christopher Paul
> Those aren't errors. But a deferral is not optimal, is it? I think the question "hints about way to debug" is probably a good one. The brute force method to fix this would be to add consumers and spread out the load. Horizontal scaling is the main benefit of a replicated architecture. Chris

timeout and network-timeout values of zero for syncrepl in LAN replication

2024-04-07 Thread Christopher Paul
Hello OpenLDAP-technical list, I'm curious about community perspectives on a specific LDAP replication timeout and network-timeout settings: Setting "timeout=0" or "network-timeout=0" within a syncrepl/olcSyncrepl definition for replication settings is not the best practice for LAN

Re: [OpenLDAP 2.5] Accesslog size and performance issues

2024-05-24 Thread Christopher Paul
On 5/24/2024 12:06 PM, Quanah Gibson-Mount wrote: I would also note, that in OpenLDAP 2.6+, "standard" syncrepl is the safer replication mechanism for multi-provider environments. While in the past, I always went with delta-syncrepl, for my last roles, I've used OpenLDAP 2.6 + standard