Re: OpenLDAP w/o bdb okay?
Henning Brauer (lists-open...@bsws.de) @ 2009.01.06 14:42:09 +0100:
> * Toni Mueller [2009-01-06 12:25]:
> > > openldap is still a piece of shit, but the ldbm backend is probably the
> > > sanest one.
> >
> > This pattern comes up often, but almost no one suggests an alternative
> > LDAP server package.
>
> I am not aware of any. Lack of options doesn't make openldap better.

How about OpenDS? Fedora Directory Server? Both are pukable on the keyboard?
Apache DS? Yeah, I know OpenDS is Java and so is ApacheDS...
Re: OpenLDAP w/o bdb okay?
* dan-openbsd-m...@ourbrains.org [2009-01-16 19:38]:
> Henning Brauer (lists-open...@bsws.de) @ 2009.01.06 14:42:09 +0100:
> > I am not aware of any. Lack of options doesn't make openldap better.
>
> There is an option for people who have very basic LDAP needs - tinyldap
> from fefe.de. It's high quality but lacks many features at the time.

fefe code is never an option.
don't get me started on the quality argument...

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OpenLDAP w/o bdb okay?
Henning Brauer (lists-open...@bsws.de) @ 2009.01.06 14:42:09 +0100:
> I am not aware of any. Lack of options doesn't make openldap better.

There is an option for people who have very basic LDAP needs - tinyldap
from fefe.de. It's high quality but lacks many features at the time.
Re: OpenLDAP w/o bdb okay?
On Tue, 06.01.2009 at 06:27:17 -0500, ppruett-lists wrote:
> Actually a lot of Linux users suggest using mysql for the non-relational
> authentication tables
> ;)

I knew you've got to be kidding!

--
Kind regards,
--Toni++
Re: OpenLDAP w/o bdb okay?
Hi,

On Tue, 06.01.2009 at 14:42:09 +0100, Henning Brauer wrote:
> * Toni Mueller [2009-01-06 12:25]:
> > This pattern comes up often, but almost no one suggests an alternative
> > LDAP server package.
> I am not aware of any. Lack of options doesn't make openldap better.

Agreed, but it makes bashing openldap sort of futile.

--
Kind regards,
--Toni++
Re: OpenLDAP w/o bdb okay?
* Toni Mueller [2009-01-06 12:25]:
> > openldap is still a piece of shit, but the ldbm backend is probably the
> > sanest one.
>
> This pattern comes up often, but almost no one suggests an alternative
> LDAP server package.

I am not aware of any. Lack of options doesn't make openldap better.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OpenLDAP w/o bdb okay?
Moving this to po...@. Reply-To/MFT set, please honour it.

On 2009/01/06 06:11, ppruett-lists wrote:
> > Here's an untested tarball of an updated openldap port, split into
> > directories for 2.3 and 2.4: http://spacehopper.org/tmp/openldap.tgz
>
> This issue has been kicked around for maybe two years, it has been on
> the misc list before,
> https://kerneltrap.org/mailarchive/openbsd-misc/2007/5/20/149916/thread
>
> I think trying the port with packages 2.3.* and 2.4.* for openldap
> may be a solution.
> test port at http://spacehopper.org/tmp/openldap.tgz
>
> On an AMD64 dual,
> So far it compiled and made the packages, after I uncommented the
> subpackage for 2.4 in the Makefile.
> (Did you leave # in front of 2.4 for a reason Stuart?)

Yes. The most important thing at first is to know that this doesn't
break 2.3.

And actually now I think about it again, it's going to cause problems
for the 37 depending ports, we probably need to install the libraries
and headers into subdirectories and change all those ports to pick up
the right ones. *Ugh*. Can anyone think of a better way I've missed?
Re: OpenLDAP w/o bdb okay?
> This pattern comes up often, but almost no one suggests an alternative
> LDAP server package

Actually a lot of Linux users suggest using mysql for the non-relational
authentication tables
;)
Re: OpenLDAP w/o bdb okay?
Hi,

On Tue, 06.01.2009 at 01:08:27 +0100, Henning Brauer wrote:
> I am using openldap with ldbm backend in a not exactly small
> installation for 9 or 10 years now. I have never ever experienced a
> broken database. never.

My last encounter with ldbm, a few years back, drove me to bdb really
fast, because my - though small - installation(s) seemed to behave the
opposite way.

In any case, knowing how to repair a broken ldbm database would be a
good thing. With bdb, there is dbX.Y_recover, which worked nicely for me
when I needed it.

Having said that, bdb appears to be the prerequisite for the ability to
modify existing objects' DNs.

> openldap is still a piece of shit, but the ldbm backend is probably the
> sanest one.

This pattern comes up often, but almost no one suggests an alternative
LDAP server package.

--
Kind regards,
--Toni++
Re: OpenLDAP w/o bdb okay?
> Here's an untested tarball of an updated openldap port, split into
> directories for 2.3 and 2.4: http://spacehopper.org/tmp/openldap.tgz

This issue has been kicked around for maybe two years, it has been on
the misc list before,
https://kerneltrap.org/mailarchive/openbsd-misc/2007/5/20/149916/thread

I think trying the port with packages 2.3.* and 2.4.* for openldap
may be a solution.
test port at http://spacehopper.org/tmp/openldap.tgz

On an AMD64 dual,
So far it compiled and made the packages, after I uncommented the
subpackage for 2.4 in the Makefile.
(Did you leave # in front of 2.4 for a reason Stuart?)

BTW expected:
# pkg_add openldap-server-2.4.12.tgz
Can't install openldap-server-2.4.12 because of conflicts (openldap-client-2.3.43)
/usr/sbin/pkg_add: openldap-server-2.4.12:Fatal error

As expected php5-ldap-5.2.6 and phpldapadmin-1.1.0.5 had to be
uninstalled to uninstall the openldap-client-2.3.43

Good news, the packages php5-ldap and phpldapadmin did not complain
after reinstalling with the openldap 2.4.12 package.

Of note, the 2.4.12 package install complained about
/var/openldap-data/DB_CONFIG could not be installed

After some sleep, will endeavor to test on a small scale.

# pkg_add ./openldap-server-2.4.12.tgz
openldap-client-2.4.12: complete
File /var/openldap-data/DB_CONFIG could not be installed:* | 94%
No such file or directory
openldap-server-2.4.12: complete
--- openldap-server-2.4.12 ---
To start slapd, configure it in /etc/openldap/slapd.conf then add
the following line to /etc/rc.conf.local:

slapd_flags="-u _openldap"

and to /etc/rc.local (be sure to start it _before_ any daemon that
may need it):

if [ "$slapd_flags" != "NO" -a -x /usr/local/libexec/slapd ]; then
        install -d -o _openldap /var/run/openldap
        /usr/local/libexec/slapd $slapd_flags
        echo -n ' slapd'
fi
#
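The package message above leaves slapd.conf and /var/openldap-data/DB_CONFIG entirely to the administrator, and the thread never shows what a back-bdb stanza that favours durability over speed looks like. The fragment below is an added example, not from the thread, the OpenBSD port or the OpenLDAP documentation; the suffix, rootdn, index set and cache size are assumptions, and the paths follow the port layout in the message above.

```conf
# /etc/openldap/slapd.conf (excerpt) - added example, all values are assumptions
include         /etc/openldap/schema/core.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw: paste the {SSHA} hash printed by slappasswd, never a cleartext password
directory       /var/openldap-data

# Write a checkpoint at most every 1024 KB of transaction log or every
# 15 minutes. This bounds how much log BDB has to replay after a crash;
# slapd runs that replay itself at startup when linked against BDB 4.4+.
checkpoint      1024 15

# Do NOT add "dbnosync". It skips the sync on commit for speed and is the
# one knob that turns a power loss into lost or unreadable data.

index           objectClass     eq
index           uid,cn          eq,sub

# /var/openldap-data/DB_CONFIG - the file the 2.4.12 package tried to
# install. BDB reads it when the environment is opened.
set_cachesize   0 16777216 1
set_lg_regionmax 262144
set_lg_bsize    2097152
# Delete log files once they are checkpointed. Convenient, but it means the
# logs cannot be used for catastrophic recovery: keep slapcat dumps instead.
set_flags       DB_LOG_AUTOREMOVE
```

The trade-off the thread circles around is visible in two lines: leaving `dbnosync` out is what keeps committed writes on disk across the "unexpected halt" Henning and others describe, and `DB_LOG_AUTOREMOVE` is only safe if an LDIF dump, not the BDB log, is your recovery path.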
Re: OpenLDAP w/o bdb okay?
Henning Brauer wrote:
> * Philip Guenther [2009-01-06 00:40]:
>> On Mon, Jan 5, 2009 at 11:15 AM, Claudio Jeker wrote:
>> ...
>>> Any DB that needs human help after a crash is in my opinion a bad choice.
>> So that would rule out the ldbm backend, no? Last I checked the libc
>> btree code, a crash while writing out a page split would corrupt the
>> subtree.
>
> I am using openldap with ldbm backend in a not exactly small
> installation for 9 or 10 years now. I have never ever experienced a
> broken database. never.

I second that, 5+ years of ldbm backend usage without any problems. We've
had power outages, disks running full, all sorts of mischief, but never a
problem with corrupt ldbm databases. Ever.

I *did* have three times of huge trouble with bdb as a backend. Two times
with unexpected halts of the system after which the slapd process would
simply not be able to read the bdb files anymore and one time with a
prickly problem where I needed to upgrade my database because bdb was
updated on that system (not a major release mind you, 4.x to 4.newer_x).

I know this is all not very scientific evidence regarding the stability
and robustness of bdb, but I guess it is hard to forget the pain that
came from using bdb in the couple of times I had to or did so
unknowingly. Mind you, the last time I've used bdb is 4 years ago.
Things might have changed these days.

> trying bdb led to disasters all over the place. but admittedly that
> was many many many moons ago.
>
> openldap is still a piece of shit, but the ldbm backend is probably the
> sanest one.
Re: OpenLDAP w/o bdb okay?
* Philip Guenther [2009-01-06 00:40]:
> On Mon, Jan 5, 2009 at 11:15 AM, Claudio Jeker wrote:
> ...
> > Any DB that needs human help after a crash is in my opinion a bad choice.
>
> So that would rule out the ldbm backend, no? Last I checked the libc
> btree code, a crash while writing out a page split would corrupt the
> subtree.

I am using openldap with ldbm backend in a not exactly small
installation for 9 or 10 years now. I have never ever experienced a
broken database. never.

trying bdb led to disasters all over the place. but admittedly that
was many many many moons ago.

openldap is still a piece of shit, but the ldbm backend is probably the
sanest one.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OpenLDAP w/o bdb okay?
On Mon, Jan 5, 2009 at 11:15 AM, Claudio Jeker wrote:
...
> Any DB that needs human help after a crash is in my opinion a bad choice.

So that would rule out the ldbm backend, no? Last I checked the libc
btree code, a crash while writing out a page split would corrupt the
subtree.

> If a server freaks out and reboots for whatever reason I expect that the
> database will recover from this event without having to recover, repair or
> optimize datasets.

So write-ahead logging is ruled out because the database has to rerun
the tail of the log? Then I don't think OpenLDAP has any databases that
will satisfy you.

Philip Guenther
Re: OpenLDAP w/o bdb okay?
On 2009-01-05, ppruett-lists wrote:
>
> So choices for those with older openbsd port of openldap with bdb flavor
> are:
> * don't upgrade ( bad choice)
> * upgrade to openbsd 4.4 or current using the official port and re-enter
> data storing in the obsolete backend ldbm (ughhh)
> * Or go ahead and make a port for openldap 2.4.13 for current openbsd :(

Here's an untested tarball of an updated openldap port, split into
directories for 2.3 and 2.4: http://spacehopper.org/tmp/openldap.tgz

Done at p2k8 but I don't run ldap myself any more and haven't had much
incentive to set up a test environment. Please test and report back, I
think it would be useful to get this in.
Re: OpenLDAP w/o bdb okay?
On Mon, Jan 05, 2009 at 01:46:30PM -0500, ppruett-lists wrote:
>> > If your LDAP environment is anything at all like the majority I've seen
>> > you will not notice any difference whatsoever (except you'll be free
>> > from BDB corruption during a crash).
>>
>
> Yep since I am not write heavy then the non bdb could be okay,
> but as aforementioned in this thread I am concerned that The LDBM
> backend is now obsolete for openldap since 2.4.12.
> http://www.openldap.org/lists/openldap-software/200810/msg00154.html
>

And do you think that your bdb based database will work over an update?
I think I had to reimport and sometimes even fix up my database on
updates because something changed and the old DB was just not working
anymore.

Any DB that needs human help after a crash is in my opinion a bad choice.
If a server freaks out and reboots for whatever reason I expect that the
database will recover from this event without having to recover, repair or
optimize datasets.

--
:wq Claudio
Re: OpenLDAP w/o bdb okay?
For OpenBSD 4.4 and current the flavor "bdb" is broken on openldap
BROKEN=OpenLDAP 2.3 is incompatible with Berkeley DB 4.6

> So, what to do? My experience is that compiling BDB and OpenLDAP yourself
> isn't hard,

yep, I remember compiling apache back in the middle 90's
For security and laziness, I have been trying to use the ports this decade tho ;)

> If your LDAP use is write-heavy, or you're planning on using replication

I was using openldap for the password auth for sendmail smtpauth and
cyrus-imap on an older openbsd server and was looking to upgrade then
saw this issue. Hmmm.

The passwords don't change often, because that customer has a small mail
server for just three domains but they could change if one of the hundred
or so users changes their email password, but that is very infrequent.
... So we are not write heavy.

However, I saw your link to the issue that ldbm is removed from openldap
2.4.12... arggg.. geez I really don't like using a storage method that is
not used going forward.

So choices for those with older openbsd port of openldap with bdb flavor
are:
* don't upgrade ( bad choice)
* upgrade to openbsd 4.4 or current using the official port and re-enter
  data storing in the obsolete backend ldbm (ughhh)
* Or go ahead and make a port for openldap 2.4.13 for current openbsd :(

Since in the above situation the ldap is not write heavy and changes
little I could just use the obsolete storage method. But first I'll see
how ugly it is to compile OpenLDAP 2.4.13 on current or 4.4...

thanks for the input.
Re: OpenLDAP w/o bdb okay?
> If your LDAP environment is anything at all like the majority I've seen
> you will not notice any difference whatsoever (except you'll be free
> from BDB corruption during a crash).

Yep since I am not write heavy then the non bdb could be okay,
but as aforementioned in this thread I am concerned that The LDBM
backend is now obsolete for openldap since 2.4.12.
http://www.openldap.org/lists/openldap-software/200810/msg00154.html
Re: OpenLDAP w/o bdb okay?
On Mon, Jan 5, 2009 at 5:30 AM, P.Pruett wrote:
> For OpenBSD 4.4 and current the flavor "bdb" is broken on openldap
> BROKEN=OpenLDAP 2.3 is incompatible with Berkeley DB 4.6
>
> Most past articles have strongly suggested having openldap use "bdb"
> as its storage method. Seeing that even the current port is not ready
> to implement OpenLDAP 2.4 suggests that using openldap without bdb may
> not be so terrible.
>
> Staying with openbsd is the choice, so we have to use a non bdb openldap
> on openbsd 4.4 or current for now. Having always used the bdb flavor
> because literature suggested, I wonder
> what problems for performance or maintenance in production will arise
> by not using flavor bdb for openldap?

What's your support strategy? That is, when something goes wrong, what's
your plan for restoring stability and confidence that it'll work in the
future?

If your LDAP use is read-only or write-almost-never, then there isn't
much to go wrong and "just restore from last week's backup" is probably
a viable strategy.

If your LDAP use is write-heavy, or you're planning on using replication,
then IMHO you should be looking first to the OpenLDAP mailing lists for
support for OpenLDAP. What you'll learn there is that they basically have
no interest in back-ldbm. For example:
http://www.openldap.org/lists/openldap-software/200810/msg00154.html

I know there are people using back-ldbm successfully, but if it blows up
shortly before you do a backup, what's your plan for recovering the lost
changes? How confident will you be that it won't happen again the next
day? The support you'll get from the OpenLDAP people will be "told you
so; switch to bdb!"

So, what to do? My experience is that compiling BDB and OpenLDAP yourself
isn't hard, but I had to do stuff like that all the time back when I was
a sysadmin and have been using BDB professionally for years, so your
mileage may vary.

The key thing is to figure out how you're going to support your setup.

Philip Guenther
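Philip's question above (what is the plan when the backend blows up shortly before a backup), Toni's remark elsewhere in this thread that knowing how to repair a broken database would be a good thing, and Vijay's note that slapcat could not be run under ldbm without stopping slapd all come down to the same procedure: regular LDIF dumps, each one checked before the previous one is rotated out, and a slapadd restore that has actually been rehearsed. The script below is an added example, not from the thread or from the OpenLDAP project. It assumes the OpenBSD port layout (tools in /usr/local/sbin, data in /var/openldap-data owned by _openldap, slapd run as _openldap per the package README) and a dump directory of /var/backups/openldap; every one of those is overridable through the environment, and the "ends with a newline" truncation check is a heuristic of this example, not an LDIF guarantee.

```shell
#!/bin/sh
# Added example (not the thread's or OpenLDAP's own code): restore-tested
# LDIF dumps for slapd, independent of the backend in use.
#
# Assumptions: OpenBSD port paths below; override via the environment.
SLAPCAT=${SLAPCAT:-/usr/local/sbin/slapcat}
SLAPADD=${SLAPADD:-/usr/local/sbin/slapadd}
DATA_DIR=${DATA_DIR:-/var/openldap-data}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/openldap}
KEEP=${KEEP:-7}                        # number of dumps to retain
DRY_RUN_CHECK=${DRY_RUN_CHECK:-yes}    # run "slapadd -u" against each dump

# Number of entries in an LDIF file: every entry starts with a "dn:" line.
# Prints 0 for an empty or missing file instead of failing.
ldif_entry_count() {
    n=$(grep -c '^dn:' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# Checks a dump has to pass before it replaces an older one:
#   1. non-empty with at least one entry,
#   2. ends with a newline (a dump cut off mid-write usually does not; heuristic),
#   3. optionally accepted by "slapadd -u", the dry-run mode that reads the
#      config and the LDIF but writes nothing, catching schema/syntax errors.
verify_ldif() {
    f=$1
    [ -s "$f" ] || { echo "verify: $f is empty or missing" >&2; return 1; }
    [ "$(ldif_entry_count "$f")" -gt 0 ] || { echo "verify: no entries in $f" >&2; return 1; }
    [ -z "$(tail -c 1 "$f")" ] || { echo "verify: $f looks truncated" >&2; return 1; }
    if [ "$DRY_RUN_CHECK" = yes ]; then
        "$SLAPADD" -u -l "$f" >/dev/null 2>&1 || { echo "verify: slapadd -u rejected $f" >&2; return 1; }
    fi
    return 0
}

# Dump to a dated file, verify it, then drop all but the newest $KEEP dumps.
# With back-bdb slapcat is safe on a running slapd; with back-ldbm stop slapd
# first (Vijay's experience in this thread). Prints the new dump's path.
backup_ldap() {
    mkdir -p "$BACKUP_DIR" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$BACKUP_DIR/slapd-$stamp.ldif"
    tmp="$out.tmp"
    if ! "$SLAPCAT" -l "$tmp"; then
        echo "backup: slapcat failed" >&2; rm -f "$tmp"; return 1
    fi
    if ! verify_ldif "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out" || return 1
    # newest first; everything past the first $KEEP goes
    ls -1t "$BACKUP_DIR"/slapd-*.ldif 2>/dev/null | tail -n +$((KEEP + 1)) | while read -r old; do
        rm -f "$old"
    done
    printf '%s\n' "$out"
}

# Rebuild the database from a verified dump. slapd must be stopped. The old
# files are moved aside (DB_CONFIG is copied back, back-bdb needs it) so a
# bad restore can be backed out, and ownership is fixed for _openldap.
restore_ldap() {
    f=$1
    verify_ldif "$f" || return 1
    if pgrep -x slapd >/dev/null 2>&1; then
        echo "restore: stop slapd first" >&2; return 1
    fi
    old_dir="$DATA_DIR.old.$$"
    mkdir -p "$old_dir" || return 1
    mv "$DATA_DIR"/* "$old_dir"/ 2>/dev/null
    [ -f "$old_dir/DB_CONFIG" ] && cp "$old_dir/DB_CONFIG" "$DATA_DIR"/
    "$SLAPADD" -l "$f" || return 1
    chown -R _openldap "$DATA_DIR"
}

# Usage: sh ldap-backup.sh backup | restore FILE
case "${1:-}" in
    backup)  backup_ldap ;;
    restore) restore_ldap "$2" ;;
esac
```

Run `backup` from cron and, at least once, `restore` into a scratch slapd against a copy of the real slapd.conf: a dump that has never been loaded is not a backup, and whichever of ldbm or bdb you end up with, this is the recovery path that does not depend on the backend's own repair tooling.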
Re: OpenLDAP w/o bdb okay?
Damn, forgot to send my response to list:

Message-ID: <49624a88.3020...@raapid.net>
Date: Mon, 05 Jan 2009 11:59:36 -0600
From: tico
To: "P.Pruett"
Subject: Re: OpenLDAP w/o bdb okay?

Responses inline:

P.Pruett wrote:
> For OpenBSD 4.4 and current the flavor "bdb" is broken on openldap
> BROKEN=OpenLDAP 2.3 is incompatible with Berkeley DB 4.6
>
> Most past articles have strongly suggested having openldap use "bdb"
> as its storage method.

If by most articles, you mean "most of the Linux HOWTO articles," you'll
notice that most of them are ancient now and were written by people with
an almost pathological need for premature optimization and
overly-complex initial installs.

I've yet to encounter an LDAP environment where there
a) was a disk I/O bottleneck due to locking that was solvable by BDB
b) that was not more sanely solvable by scaling out to replicated slapd servers
c) with or without moving the dataset onto a memory filesystem
d) or sectioning the dataset into one chunk per group of servers.

If you actually need any of the above, you probably know or should know
way more about the bottlenecks in your LDAP environment than any of us
do, much less the clueless retards writing HOWTO articles.

Note that I'm *not* saying that I hate BDB, just that I haven't found
what it solves in the real world, and having data in BDB means that
*when* corruption occurs, it's more of a pain in the ass to recover from
than an LDIF/LDBM. This has happened to me several times, and I've found
that the resulting error messages have been less than verbose, and less
than helpful.

> Seeing that even the current port is not ready
> to implement OpenLDAP 2.4 suggests that using openldap without bdb may
> not be so terrible.

Thank god. Now I don't have to double-check my installs to make sure
they don't include BDB.

> Staying with openbsd is the choice, so we have to use a non bdb openldap
> on openbsd 4.4 or current for now. Having always used the bdb flavor
> because literature suggested, I wonder
> what problems for performance or maintenance in production will arise
> by not using flavor bdb for openldap?
>

Run your own benchmarks using your own dataset.

If your LDAP environment is anything at all like the majority I've seen
you will not notice any difference whatsoever (except you'll be free
from BDB corruption during a crash).

Cheers
-Tico
Re: OpenLDAP w/o bdb okay?
P.Pruett wrote:
> For OpenBSD 4.4 and current the flavor "bdb" is broken on openldap
> BROKEN=OpenLDAP 2.3 is incompatible with Berkeley DB 4.6
>
> Most past articles have strongly suggested having openldap use "bdb"
> as its storage method. Seeing that even the current port is not ready
> to implement OpenLDAP 2.4 suggests that using openldap without bdb may
> not be so terrible.
>
> Staying with openbsd is the choice, so we have to use a non bdb openldap
> on openbsd 4.4 or current for now. Having always used the bdb flavor
> because literature suggested, I wonder
> what problems for performance or maintenance in production will arise
> by not using flavor bdb for openldap?

I am still using openldap-server-2.3.33p1-bdb on openbsd 4.2 for the
following reasons:

1) With ldbm, I was not able to do a slapcat etc. without stopping the
   ldap server. But with bdb, I did not experience any problems using
   slapcat while the ldap server was running.
2) Replication worked better for me (3 slave servers using slurpd etc.)
   with bdb
3) syncrepl in a test environment also seemed to work better with bdb
   (and not ldbm)

All the testing was done a while ago and it is highly likely that I had
made major mistakes at that time. So I will try to set up 2.3.43 on 4.4
-current and verify this.

--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
E-Mail: vsan...@foretell.ca
OpenLDAP w/o bdb okay?
For OpenBSD 4.4 and current the flavor "bdb" is broken on openldap
BROKEN=OpenLDAP 2.3 is incompatible with Berkeley DB 4.6

Most past articles have strongly suggested having openldap use "bdb"
as its storage method. Seeing that even the current port is not ready
to implement OpenLDAP 2.4 suggests that using openldap without bdb may
not be so terrible.

Staying with openbsd is the choice, so we have to use a non bdb openldap
on openbsd 4.4 or current for now. Having always used the bdb flavor
because literature suggested, I wonder
what problems for performance or maintenance in production will arise
by not using flavor bdb for openldap?