Re: Auxiliary object class practically of no use?
dE wrote:
> On 04/15/15 19:31, Howard Chu wrote:
>> dE wrote:
>>> According to RFC 4512
>>>
>>> An entry can belong to any subset of the set of auxiliary object classes allowed by the DIT content rule associated with the structural object class of the entry.
>>>
>>> From what I understand, this means auxiliary classes do not 'augment'; the no. of attributes which are possible in an entry must be a subset of the structural object class the entry belongs to.
>>
>> You have completely ignored "DIT content rule" in the quoted sentence.
>
> But it says "DIT content rule associated with the structural object class of the entry"

A DIT content rule is always associated with exactly one structural object class (by having the same OID). This does not say anything about the use of auxiliary object classes within the same entry.

Could you please come up with a concrete example to better explain your question.

Ciao, Michael.
Re: Structural object class rules
dE wrote:
> On 04/15/15 19:28, Michael Ströder wrote:
>> dE wrote:
>>> "An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class. This structural object class is referred to as the structural object class of the entry."
>>>
>>> There's a bit of ambiguity with this "which has a single structural object class as the most subordinate object class"
>>>
>>> What do you mean by 'most subordinate'? Is it that there must be no parallel entries at the same level in the hierarchy?
>>
>> It's always better to provide a reference to the full text of a quoted text.
>>
>> The hierarchy in this case is the structural object classes hierarchy, not the directory information tree (DIT). Read in RFC 4512 about what SUP in object class description means:
>> http://tools.ietf.org/html/rfc4512#section-4.1.1
>>
>> Note that there's also an attribute type hierarchy defined with SUP.
>
> Yes, I know that. Actually the question was -- What do you mean by 'most subordinate'? Is it that there must be no parallel structural object class at the same level in the class hierarchy?

Yes.

Ciao, Michael.
Re: Help: LDAP using alias to reference value of another attribute
--On Wednesday, April 15, 2015 7:14 PM +0400 Poul Etto wrote:

> Hi,
>
> Thank you for your replies!
>
> @ Quanah: What I understand of their system is that they built their own SCHEMAs... And they put all information (attributes) in one single OU
> Is that it?

They extended existing schema, which is part of the whole idea with ldap and schema. And yes, then the data is in a single OU.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: How to disable SSF (integrity) on GSSAPI mech?
On 04/15/15 21:10 +, Osipov, Michael wrote:
> Hi folks,
>
> I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:
>
> char *secprops = "minssf=0,maxssf=0";
> rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);
>
> with:
>
> Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
> Result code: -2

This error is likely produced by your Kerberos library (whichever one Cyrus is compiled against), or perhaps with the way the security properties are passed down from OpenLDAP to Cyrus to Kerberos.

Setting a minssf should not be necessary. Do you also get this error with "maxssf=0"? "maxssf=1" may be a more workable option, since encryption is really what you want to turn off, not integrity.

--
Dan White
RE: cache size and performance
--On Friday, April 17, 2015 8:11 PM + Greg Jetter wrote:

> Version: 2.4.28-1.1ubuntu4.4

I strongly advise upgrading, numerous issues in sync replication have been fixed since that release.

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: olcHidden breaks slapcat? possible bug in slapcat(8)?
Igor Shmukler wrote:
> Hello,
>
> I use olcHidden and set it to true in some instances.
> This seems to work, yet it breaks slapcat(8) as below:
> $ sudo slapcat -n 0
> 5530b282 olcRootPW: value #0: can only be set when rootdn is under suffix
> 5530b282 config error processing olcDatabase={2}hdb,cn=config: can only be set when rootdn is under suffix
> slapcat: bad configuration file!
>
> Is this a bug, or the desired behavior?

Sounds like a bug. That check for valid rootDN probably should be skipped if the DB is hidden. Please submit an ITS, thanks.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: cache size and performance
--On Thursday, April 16, 2015 8:59 PM + Greg Jetter wrote:

> Hello:
>
> I'm running an openldap setup with one provider and 3 consumers. I am seeing intermittent problems of replication not happening "until" the consumers are restarted. This cures the problem; replication starts up and continues for a while.
>
> The servers have a very large amount of memory, 256 gigs. I configured the hdb backend 'DB_CONFIG' to have 4 gigs of cache. Could this be causing the replication problem? What's the optimal size that keeps openldap happy?

OpenLDAP version?

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
how to check user lock status
Hi, all

I set policy for user as following

# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

My question is how to check user lock status.

Another question is pwdMustChange doesn't work in linux client when user first login.

Rock.wang
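The lock state the poster asks about is not stored as a single flag. The ppolicy overlay records it in operational attributes on the user entry (pwdAccountLockedTime, pwdFailureTime, pwdReset, pwdChangedTime), which ldapsearch only returns when they are requested explicitly (by name or with "+"), and the meaning of those values depends on the policy entry (pwdLockoutDuration, pwdMaxFailure, pwdFailureCountInterval). The following is an added example, not code from the thread or from OpenLDAP: it takes the attributes of one account and the policy above, as a client library would hand them back, and derives whether the account is currently locked, when a timed lockout expires, how many failures are still counted, and whether the user is flagged for a forced change (pwdReset, which is what pwdMustChange sets after an administrative reset). The policy values mirror the post; the account entry and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Value the ppolicy draft reserves for "locked by an administrator"
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value):
    """Parse the GeneralizedTime ppolicy writes (YYYYmmddHHMMSS[.fff]Z) as UTC."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lock_status(entry, policy, now):
    """Derive the lock state of one account from its ppolicy operational
    attributes and the policy entry governing it.

    entry and policy are dicts of attribute name -> list of string values,
    the shape an LDAP client library returns; now is a tz-aware datetime."""
    max_failure = int(policy.get("pwdMaxFailure", ["0"])[0])
    lockout = policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    interval = int(policy.get("pwdFailureCountInterval", ["0"])[0])

    status = {
        "locked": False,        # account currently refuses authentication
        "until_reset": False,   # only an administrator can clear the lock
        "unlock_at": None,      # expiry of a timed lockout
        "recent_failures": 0,   # failures still counted against pwdMaxFailure
        "failures_left": None,  # None when lockout is disabled
        # pwdReset TRUE: user must change the password at next bind
        "must_change": entry.get("pwdReset", ["FALSE"])[0].upper() == "TRUE",
    }

    locked_values = entry.get("pwdAccountLockedTime", [])
    if locked_values:
        value = locked_values[0]
        if value == PERMANENT_LOCK or duration == 0:
            # Explicit administrative lock, or pwdLockoutDuration 0, which
            # means "locked until an administrator resets the password".
            status["locked"] = True
            status["until_reset"] = True
        else:
            unlock_at = parse_generalized_time(value) + timedelta(seconds=duration)
            status["unlock_at"] = unlock_at
            status["locked"] = now < unlock_at

    # Failures that still count; an interval of 0 means they never age out.
    failures = [parse_generalized_time(v) for v in entry.get("pwdFailureTime", [])]
    if interval > 0:
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]
    status["recent_failures"] = len(failures)
    if lockout and max_failure > 0:
        status["failures_left"] = max(max_failure - len(failures), 0)
    return status


# Constructed sample data: POLICY mirrors the values in the post; ACCOUNT is an
# invented entry that reached pwdMaxFailure at 10:02 UTC and was locked then.
POLICY = {
    "pwdMaxFailure": ["5"],
    "pwdLockout": ["TRUE"],
    "pwdLockoutDuration": ["900"],
    "pwdFailureCountInterval": ["0"],
}
ACCOUNT = {
    "pwdFailureTime": ["20150417100000Z", "20150417100030Z", "20150417100100Z",
                       "20150417100130Z", "20150417100200Z"],
    "pwdAccountLockedTime": ["20150417100200Z"],
    "pwdReset": ["TRUE"],
}

if __name__ == "__main__":
    for probe in ("20150417101000Z", "20150417102000Z"):
        print(probe, lock_status(ACCOUNT, POLICY, parse_generalized_time(probe)))
```

To feed it real data, search the user entry with something like `ldapsearch -x -D "cn=Manager,dc=abc,dc=com" -W -b "dc=abc,dc=com" "(uid=alice)" pwdAccountLockedTime pwdFailureTime pwdReset` (DN and uid are placeholders) as an identity the ACLs let read those operational attributes, and pass the policy entry from the post as the second argument.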
Re: Auxiliary object class practically of no use?
On 04/15/15 19:31, Howard Chu wrote:
> dE wrote:
>> According to RFC 4512
>>
>> An entry can belong to any subset of the set of auxiliary object classes allowed by the DIT content rule associated with the structural object class of the entry.
>>
>> From what I understand, this means auxiliary classes do not 'augment'; the no. of attributes which are possible in an entry must be a subset of the structural object class the entry belongs to.
>
> You have completely ignored "DIT content rule" in the quoted sentence.

But it says "DIT content rule associated with the structural object class of the entry"
cache size and performance
Hello:

I'm running an openldap setup with one provider and 3 consumers. I am seeing intermittent problems of replication not happening "until" the consumers are restarted. This cures the problem; replication starts up and continues for a while.

The servers have a very large amount of memory, 256 gigs. I configured the hdb backend 'DB_CONFIG' to have 4 gigs of cache. Could this be causing the replication problem? What's the optimal size that keeps openldap happy?

thanks
Greg
Re: Structural object class rules
On 04/15/15 19:28, Michael Ströder wrote:
> dE wrote:
>> "An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class. This structural object class is referred to as the structural object class of the entry."
>>
>> There's a bit of ambiguity with this "which has a single structural object class as the most subordinate object class"
>>
>> What do you mean by 'most subordinate'? Is it that there must be no parallel entries at the same level in the hierarchy?
>
> It's always better to provide a reference to the full text of a quoted text.
>
> The hierarchy in this case is the structural object classes hierarchy, not the directory information tree (DIT). Read in RFC 4512 about what SUP in object class description means:
> http://tools.ietf.org/html/rfc4512#section-4.1.1
>
> Note that there's also an attribute type hierarchy defined with SUP.
>
> Ciao, Michael.

Yes, I know that. Actually the question was -- What do you mean by 'most subordinate'? Is it that there must be no parallel structural object class at the same level in the class hierarchy?
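The two threads above ("Auxiliary object class practically of no use?" and "Structural object class rules") both turn on how RFC 4512 sections 2.4.2 and 2.4.3 combine: the structural object class of an entry is the most subordinate member of its single structural SUP chain, a DIT content rule is keyed to that class, and the content rule (not the structural class) decides which auxiliary classes the entry may carry and which attributes they add or remove. Here is the concrete example Michael asked for, written as an added illustration rather than code from the thread or from OpenLDAP. The object classes are trimmed copies of the core, cosine, inetOrgPerson and nis definitions; the DIT content rule is hypothetical. strict=True follows the RFC literally (an entry whose structural class has no content rule may use no auxiliary class at all); strict=False is the relaxed behaviour slapd applies in practice, where auxiliary classes are only constrained once a content rule exists.

```python
STRUCTURAL, AUXILIARY, ABSTRACT = "STRUCTURAL", "AUXILIARY", "ABSTRACT"

# name -> (kind, SUP list, MUST, MAY); attribute lists trimmed to what is needed
SCHEMA = {
    "top": (ABSTRACT, [], {"objectClass"}, set()),
    "person": (STRUCTURAL, ["top"], {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": (STRUCTURAL, ["person"], set(), {"title", "ou", "l"}),
    "inetOrgPerson": (STRUCTURAL, ["organizationalPerson"], set(),
                      {"uid", "mail", "givenName"}),
    "organization": (STRUCTURAL, ["top"], {"o"}, {"description"}),
    "posixAccount": (AUXILIARY, ["top"],
                     {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
    "simpleSecurityObject": (AUXILIARY, ["top"], {"userPassword"}, set()),
}

# Hypothetical DIT content rule, keyed by the structural class it governs
# (in a real schema it carries that class's OID).
DIT_CONTENT_RULES = {
    "inetOrgPerson": {
        "AUX": {"posixAccount"},     # auxiliary classes such entries may use
        "MUST": {"mail"},            # attributes required in addition
        "MAY": set(),                # attributes allowed in addition (none here)
        "NOT": {"telephoneNumber"},  # precluded although person lists it as MAY
    },
}


def superclasses(name):
    """name plus everything reachable through SUP (RFC 4512 4.1.1)."""
    chain, todo = [], [name]
    while todo:
        c = todo.pop()
        if c not in chain:
            chain.append(c)
            todo.extend(SCHEMA[c][1])
    return chain


def structural_class(object_classes):
    """RFC 4512 2.4.2: exactly one structural superclass chain; its most
    subordinate member is the structural object class of the entry."""
    present = {c for oc in object_classes for c in superclasses(oc)
               if SCHEMA[c][0] == STRUCTURAL}
    # most subordinate = not a superclass of any other structural class present
    leaves = [c for c in present
              if not any(d != c and c in superclasses(d) for d in present)]
    if len(leaves) != 1:
        raise ValueError("expected one structural chain, found %s" % sorted(leaves))
    return leaves[0]


def permitted_attributes(object_classes, strict=True):
    """Return (structural class, MUST set, MAY set) for an entry, or raise
    ValueError describing the schema violation."""
    struct = structural_class(object_classes)
    rule = DIT_CONTENT_RULES.get(struct)
    aux = {oc for oc in object_classes if SCHEMA[oc][0] == AUXILIARY}
    if rule is None:
        if aux and strict:
            raise ValueError("no content rule for %s, auxiliary classes %s not allowed"
                             % (struct, sorted(aux)))
    elif aux - rule["AUX"]:
        raise ValueError("content rule for %s does not allow %s"
                         % (struct, sorted(aux - rule["AUX"])))
    must, may = set(), set()
    for oc in object_classes:
        for c in superclasses(oc):          # structural chain plus auxiliaries
            must |= SCHEMA[c][2]
            may |= SCHEMA[c][3]
    if rule is not None:
        must |= rule["MUST"]
        may |= rule["MAY"]
        clash = rule["NOT"] & must
        if clash:                            # NOT may never remove a required attribute
            raise ValueError("content rule precludes required attributes %s" % sorted(clash))
        may -= rule["NOT"]
    return struct, must, may - must


def entry_problem(object_classes, strict=True):
    """The schema violation as a string, or None when the entry is valid."""
    try:
        permitted_attributes(object_classes, strict)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(permitted_attributes(["inetOrgPerson", "posixAccount"]))
    print(entry_problem(["person", "organization"]))
    print(entry_problem(["organization", "simpleSecurityObject"]))
```

Run it and the point of both threads is visible at once: an inetOrgPerson entry with posixAccount gets uidNumber and loginShell added by the auxiliary class, loses telephoneNumber to the content rule's NOT, and is still "an inetOrgPerson" for naming and content-rule purposes; person plus organization is rejected because two structural classes sit side by side in the class hierarchy.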
How to disable SSF (integrity) on GSSAPI mech?
Hi folks,

I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails:

char *secprops = "minssf=0,maxssf=0";
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);

with:

Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error)
Result code: -2

I am used to this with Java's SASL client where I can set SASL QOP with auth, auth-int, auth-conf. Is that not possible with OpenLDAP along with CyrusSASL?

For what it is worth, I am on FreeBSD 9.3 with latest OpenLDAP and CyrusSASL from the ports tree.

Regards,
Michael
Re: Fwd: 2.4.40 memory leak?
On Fri, Apr 17, 2015 at 05:43:45PM +0300, Sergey Esin wrote:
> It's still happening, see http://i.imgur.com/NL8ztmp.png. The only solution for us now is to reboot slapd on a regular basis. What information can I provide to help to find the reason and fix it?

If you can provide a reproducible test case, and verify that it still happens with recent code from git (branch OPENLDAP_REL_ENG_2_4), you should file an ITS. http://openldap.org/its

As glibc's allocator is known to suffer from fragmentation issues, I'd suggest mentioning which alternate allocators you've tried and what the results were. (Although it may still be closed with the rationale that memory fragmentation is not slapd's problem...)

The symptoms of ITS#7299 are similar. It might be the same problem, or at least related. In my experience, this particular problem does not affect delta-syncrepl (changelog-based replication). Have you tried setting that up? http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl
Re: separate loglevels for different databases?
Dear list,

> I've configured two different databases (one ldap, one bdb) in openLDAP.
> Is it possible, to configure separate loglevels for each database? maybe at least different logfiles?

Thanks
Meike
Re: Fwd: 2.4.40 memory leak?
It's still happening, see http://i.imgur.com/NL8ztmp.png. The only solution for us now is to reboot slapd on a regular basis. What information can I provide to help to find the reason and fix it?

--
Sergey

On Mon, Mar 30, 2015 at 12:01 PM, Sergey Esin wrote:
> Hi Ryan,
>
> Here's my config of LDAP master:
> ---
> # cat /etc/openldap/slapd.conf | grep -v ^# | grep -ve '^$'
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> allow bind_v2
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/lib64/openldap
> moduleload accesslog.la
> moduleload syncprov.la
> TLSCACertificateFile /etc/openldap/certs/CA.pem
> TLSCertificateFile /etc/openldap/certs/ldap-master.pem
> TLSCertificateKeyFile /etc/openldap/certs/ldap-master.key
> TLSVerifyClient allow
>
> [ .. some limits here .. ]
>
> [ .. some ACLs here .. ]
>
> database config
> access to *
> by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
> by * none
> database monitor
>
> [ .. some ACLs here .. ]
>
> [ .. some limits here .. ]
>
> database bdb
> cachesize 38
> idlcachesize 70
> readonly off
> suffix "dc=domain,dc=com"
> rootdn "cn=Manager,dc=domain,dc=com"
> rootpw {SSHA}XX
> directory /var/lib/ldap
> index uid eq
> index mail eq
> index objectClass eq
> index entryCSN eq
> index entryUUID eq
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> [ .. some limits here .. ]
>
> loglevel sync stats stats2 shell
> checkpoint 5120 10
> serverID 1
> ---
>
> Here's what I have on replica server:
>
> ---
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> allow bind_v2
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> threads 8
> [ .. some ACLs here .. ]
> database config
> access to *
> by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
> by * none
> database monitor
> [ .. some ACLs here .. ]
> database bdb
> cachesize 38
> idlcachesize 70
> readonly off
> suffix "dc=domain,dc=com"
> rootdn "cn=Manager,dc=jetbrains,dc=com"
> rootpw {SSHA}X
> directory /var/lib/ldap
> index uid eq
> index mail eq
> index objectClass eq
> index entryCSN eq
> index entryUUID eq
> checkpoint 5120 10
> syncrepl rid=34
>   provider=ldaps://ldap-master.domain.net:636
>   tls_reqcert=demand
>   tls_cacert=/etc/openldap/certs/CA.pem
>   type=refreshAndPersist
>   schemachecking=off
>   searchbase="dc=domain,dc=com"
>   scope=sub
>   bindmethod=simple
>   binddn="cn=repluser,ou=Accounts,dc=domain,dc=com"
>   credentials=XX
>   retry="300 +"
> updateref ldaps://ldap-master.domain.net
> [ .. some limits here .. ]
> loglevel stats sync stats2 shell
> ---
>
> I restarted slapd with "LD_PRELOAD=/usr/lib64/libtcmalloc.so.4.1.0" to use a different memory allocator (tcmalloc) and now memory consumption is almost flat, please see http://i.imgur.com/brIvarB.png
>
> I've also added "threads 8" directive into slapd.conf on LDAP master server but have not started the slapd process to make it active.
>
> According to what I see from the OS (Linux) perspective, slapd is using 18 threads:
>
> # ps -L -o pid= -p `pgrep slapd` | wc -l
> 18
>
>> Do your logs show what kind of client activity triggered the growth?
>
> I have some logs but nothing really special there. No unusual activity.
>
> Regards,
> Sergey
>
> On Sun, Mar 29, 2015 at 10:16 AM, Ryan Tandy wrote:
>> Hi,
>>
>> On Thu, Mar 26, 2015 at 01:50:27PM +0300, Sergey Esin wrote:
>>> Hi all,
>>>
>>> We're running OpenLDAP 2.4.40 (the latest available release) with just one replica server (connected via TLS) and have the following picture - http://i.imgur.com/om0lMiy.png
>>>
>>> On the graph you can see memory consumption of the slapd process on the host: in the beginning it started without replica, then replica server was connected (memory consumption became around 4 Gigs) and then OOM (out-of-memory) killer on linux machine just killed the process.
>>
>> I've seen a similar thing recently. The test case I posted to ITS#8081 causes very high memory usage on the host. (The crash bug is unre
Re: olcHidden breaks slapcat? possible bug in slapcat(8)?
Hello Ulrich,

Not to me, it does not answer the question.

How do I connect olcHidden set to TRUE throwing an error, and FALSE does not? Would you mind making the connection for me, please.

Sincerely,

Igor Shmukler

On Fri, Apr 17, 2015 at 9:38 AM, Ulrich Windl wrote:
> Igor Shmukler wrote on 17.04.2015 at 09:16 in message:
>> Hello,
>>
>> I use olcHidden and set it to true in some instances.
>> This seems to work, yet it breaks slapcat(8) as below:
>> $ sudo slapcat -n 0
>> 5530b282 olcRootPW: value #0: can only be set when rootdn is under suffix
>> 5530b282 config error processing olcDatabase={2}hdb,cn=config: can only be set when rootdn is under suffix
>> slapcat: bad configuration file!
>
> In a message Igor sent to me before, it showed that he has an olcRootPW set, but no olcRootDN.
> I guess it answered the question, right?
>
>> Is this a bug, or the desired behavior?
>>
>> Sincerely,
>>
>> Igor Shmukler
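The error slapcat prints is the config parser refusing an olcRootPW on a database whose olcRootDN is absent or lies outside that database's olcSuffix: the rootpw only makes sense for a simple bind to a DN the database itself serves. Ulrich's observation (olcRootPW present, olcRootDN missing) is exactly that case, and Howard's suggestion is that the check be bypassed when olcHidden is TRUE. The script below is an added example, not OpenLDAP code: it reads cn=config database entries from LDIF text and applies the same rule, with a skip_hidden switch that models the proposed behaviour. The three database entries are constructed, the DN comparison is a deliberately simplified normalisation (lower-case, whitespace around RDN separators stripped) rather than a full RFC 4514 matcher, and the {SSHA} value is a placeholder.

```python
def parse_ldif_entries(text):
    """Split LDIF text into entries (dict of attribute -> list of values).
    Base64 values (::) are kept raw; this check never needs to decode them."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value[1:] if value.startswith(":") else value
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Simplified DN normalisation: lower-case RDNs, whitespace trimmed."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under(dn, suffix):
    """True when dn equals suffix or is subordinate to it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def check_database(entry, skip_hidden=False):
    """Return the problems the olcRootPW rule finds in one olcDatabase entry.
    skip_hidden=True models skipping the check for olcHidden: TRUE databases."""
    problems = []
    if "olcRootPW" not in entry:
        return problems
    hidden = entry.get("olcHidden", ["FALSE"])[0].upper() == "TRUE"
    if hidden and skip_hidden:
        return problems
    rootdn = entry.get("olcRootDN", [])
    suffixes = entry.get("olcSuffix", [])
    if not rootdn:
        problems.append("olcRootPW set but no olcRootDN")
    elif not any(dn_under(rootdn[0], s) for s in suffixes):
        problems.append("olcRootDN %s is not under any olcSuffix %s" % (rootdn[0], suffixes))
    return problems


# Constructed sample: the first database matches the situation in the thread
# (hidden, rootpw set, no rootdn); the second is valid; the third has a rootdn
# outside its suffix.
SAMPLE_CONFIG = """\
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=example,dc=com
olcRootPW: {SSHA}PLACEHOLDER
olcHidden: TRUE

dn: olcDatabase={3}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}PLACEHOLDER

dn: olcDatabase={4}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {4}hdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=other,dc=org
olcRootPW: {SSHA}PLACEHOLDER
"""


def audit(text, skip_hidden=False):
    """Map each database DN to its list of problems."""
    return {e["dn"][0]: check_database(e, skip_hidden) for e in parse_ldif_entries(text)}


if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_CONFIG).items():
        print(dn, problems or "ok")
```

Against a live server the same entries come from `slapcat -n 0` or an ldapsearch under cn=config; the fix for the case in the thread is either to add an olcRootDN inside the suffix or to drop olcRootPW from the hidden database, independent of whether the ITS Howard asked for changes the check.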
olcHidden breaks slapcat? possible bug in slapcat(8)?
Hello,

I use olcHidden and set it to true in some instances.
This seems to work, yet it breaks slapcat(8) as below:
$ sudo slapcat -n 0
5530b282 olcRootPW: value #0: can only be set when rootdn is under suffix
5530b282 config error processing olcDatabase={2}hdb,cn=config: can only be set when rootdn is under suffix
slapcat: bad configuration file!

Is this a bug, or the desired behavior?

Sincerely,

Igor Shmukler