Re: Auxiliary object class practically of no use?

2015-04-17 Thread Michael Ströder

dE wrote:

On 04/15/15 19:31, Howard Chu wrote:

dE wrote:

According to RFC 4512

An entry can belong to any subset of the set of auxiliary object
classes allowed by the DIT content rule associated with the
structural object class of the entry.

From what I understand, this means auxiliary classes do not 'augment';
the no. of attributes which are possible in an entry must be a subset of
the structural object class the entry belongs to.


You have completely ignored "DIT content rule" in the quoted sentence.


But it says "DIT content rule associated with the
 structural object class of the entry"


A DIT content rule is always associated with exactly one structural object 
class (by having the same OID). This does not say anything about the use of 
auxiliary object classes within the same entry.


Could you please come up with a concrete example to better explain your 
question.

Ciao, Michael.





Re: Structural object class rules

2015-04-17 Thread Michael Ströder

dE wrote:

On 04/15/15 19:28, Michael Ströder wrote:

dE wrote:

"An object or alias entry is characterized by precisely one
   structural object class superclass chain which has a single
   structural object class as the most subordinate object class.
   This structural object class is referred to as the structural
   object class of the entry."

There's a bit of ambiguity with this

"which has a single structural object class as the most subordinate object
class"

What do you mean by 'most subordinate'? Is it that there must be no parallel
entries at the same level in the hierarchy?


It's always better to provide a reference to the full text of a quoted text.

The hierarchy in this case is the structural object classes hierarchy,
not the directory information tree (DIT). Read in RFC 4512 about what SUP in
object class description means:

http://tools.ietf.org/html/rfc4512#section-4.1.1

Note that there's also an attribute type hierarchy defined with SUP.


Yes, I know that.

Actually the question was --

What do you mean by 'most subordinate'? Is it that there must be no parallel
structural object class at the same level in the class hierarchy?


Yes.

Ciao, Michael.






Re: Help: LDAP using alias to reference value of another attribute

2015-04-17 Thread Quanah Gibson-Mount
--On Wednesday, April 15, 2015 7:14 PM +0400 Poul Etto wrote:



Hi,

Thank you for your replies !

@ Quanah:
What I understand of their system is that they built their own schemas...
And they put all information (attributes) in one single OU.
Is that it?


They extended existing schema, which is part of the whole idea with ldap 
and schema.  And yes, then the data is in a single OU.


--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration



Re: How to disable SSF (integrity) on GSSAPI mech?

2015-04-17 Thread Dan White

On 04/15/15 21:10, Osipov, Michael wrote:

Hi folks,

I am binding against Active Directory with GSSAPI mech and would like to 
disable SASL integrity for debugging purposes with Wireshark. Unfortunately, 
this call fails:

char *secprops = "minssf=0,maxssf=0";
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);

with:

Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input 
parameter could not be read (Unknown error)
Result code: -2


This error is likely produced by your Kerberos library (whichever one Cyrus
is compiled against), or perhaps with the way the security properties are
passed down from OpenLDAP to Cyrus to Kerberos.

Setting a minssf should not be necessary. Do you also get this error with
"maxssf=0"? "maxssf=1" may be a more workable option, since encryption is
really what you want to turn off, not integrity.

--
Dan White



RE: catch size and performance

2015-04-17 Thread Quanah Gibson-Mount
--On Friday, April 17, 2015 8:11 PM Greg Jetter wrote:



Version: 2.4.28-1.1ubuntu4.4


I strongly advise upgrading, numerous issues in sync replication have been 
fixed since that release.


--Quanah




Re: olcHidden breaks slapcat? possible bug in slapcat(8)?

2015-04-17 Thread Howard Chu

Igor Shmukler wrote:

Hello,

I use olcHidden and set it to true in some instances.
This seems to work, yet it breaks slapcat(8) as below:
$ sudo slapcat -n 0
5530b282 olcRootPW: value #0:  can only be set when rootdn
is under suffix
5530b282 config error processing olcDatabase={2}hdb,cn=config:
 can only be set when rootdn is under suffix
slapcat: bad configuration file!

Is this a bug, or the desired behavior?


Sounds like a bug. That check for valid rootDN probably should be 
skipped if the DB is hidden. Please submit an ITS, thanks.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Re: catch size and performance

2015-04-17 Thread Quanah Gibson-Mount
--On Thursday, April 16, 2015 8:59 PM Greg Jetter wrote:



Hello:

I'm running an OpenLDAP setup with one provider and 3 consumers. I am
seeing intermittent problems of replication not happening "until" the
consumers are restarted. This cures the problem; replication starts up
and continues for a while.

The servers have a very large amount of memory, 256 gigs.

I configured the hdb backend 'DB_CONFIG' to have 4 gigs of cache.
Could this be causing the replication problem?

What's the optimal size that keeps OpenLDAP happy?


OpenLDAP version?

--Quanah







how to check user lock status

2015-04-17 Thread rockwang
Hi, all

I set the policy for users as follows:

# default, policies, abc.com
dn: cn=default,ou=policies,dc=abc,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

My question is how to check user lock status. Another question is that
pwdMustChange doesn't work in the Linux client when the user first logs in.

Rock.wang


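Rock's first question (whether a user is currently locked) can be answered from the operational attributes that slapo-ppolicy maintains on the user entry: pwdFailureTime (one value per failed bind), pwdAccountLockedTime (set once pwdMaxFailure is reached while pwdLockout is TRUE) and pwdReset (set to TRUE after an administrative password reset when pwdMustChange is TRUE). They are operational attributes, so ldapsearch only returns them when they are named explicitly or requested with '+', and the binding DN needs read access to them. The Python below is an added example written for this page, not code from the thread or from OpenLDAP: the four user entries are constructed, the policy values are copied from the cn=default entry above, and lock_status and report are names chosen here.

```python
from datetime import datetime, timedelta, timezone

# Value slapo-ppolicy writes into pwdAccountLockedTime for a permanent
# (administrative) lock, which only a password administrator can clear.
PERMANENT_LOCK = "000001010000Z"

# Copied from the cn=default policy in the message above.
POLICY = {"pwdMaxFailure": 5, "pwdLockout": True,
          "pwdLockoutDuration": 900, "pwdFailureCountInterval": 0}


def parse_generalized_time(value):
    """LDAP GeneralizedTime as slapd writes it: YYYYmmddHHMMSS[.ffffff]Z (UTC)."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if frac:
        stamp += timedelta(microseconds=int(frac.ljust(6, "0")[:6]))
    return stamp


def lock_status(entry, policy=POLICY, now=None):
    """Interpret the ppolicy operational attributes of one user entry.

    Returns (state, info): state is "locked" or "unlocked"; info carries the
    failures currently counted against pwdMaxFailure, the seconds until a timed
    lock lifts (None when not applicable) and whether pwdReset says the password
    must be changed (the state pwdMustChange produces after an admin reset).
    """
    now = now or datetime.now(timezone.utc)
    failures = entry.get("pwdFailureTime", [])
    if policy["pwdFailureCountInterval"] > 0:
        # Failures older than the interval no longer count.  With 0, as in this
        # policy, they stay on the entry until a successful bind clears them.
        cutoff = now - timedelta(seconds=policy["pwdFailureCountInterval"])
        failures = [f for f in failures if parse_generalized_time(f) >= cutoff]
    info = {"failures": len(failures), "max_failures": policy["pwdMaxFailure"],
            "seconds_left": None,
            "must_change": entry.get("pwdReset", ["FALSE"])[0].upper() == "TRUE"}
    locked_at = entry.get("pwdAccountLockedTime")
    if not locked_at:
        return "unlocked", info
    locked_at = locked_at[0]
    if locked_at == PERMANENT_LOCK or policy["pwdLockoutDuration"] == 0:
        return "locked", info          # stays locked until an administrator intervenes
    lifts = parse_generalized_time(locked_at) + timedelta(seconds=policy["pwdLockoutDuration"])
    if now >= lifts:
        return "unlocked", info        # lockout has run out; the next bind is allowed
    info["seconds_left"] = int((lifts - now).total_seconds())
    return "locked", info


# Constructed entries, shaped like the output of
#   ldapsearch -x -D cn=Manager,dc=abc,dc=com -W -b dc=abc,dc=com '(uid=bob)' \
#       pwdAccountLockedTime pwdFailureTime pwdReset pwdChangedTime
NOW = datetime(2015, 4, 17, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = {
    # five failures, locked five minutes ago: 600 s of the 900 s lockout remain
    "uid=bob,ou=people,dc=abc,dc=com": {
        "pwdAccountLockedTime": ["20150417115500Z"],
        "pwdFailureTime": ["20150417115410.000001Z", "20150417115420.000002Z",
                           "20150417115430.000003Z", "20150417115440.000004Z",
                           "20150417115500.000005Z"]},
    # two failures, not locked; an administrative reset set pwdReset
    "uid=carol,ou=people,dc=abc,dc=com": {
        "pwdFailureTime": ["20150417100000Z", "20150417100005Z"],
        "pwdReset": ["TRUE"]},
    # administratively locked
    "uid=dave,ou=people,dc=abc,dc=com": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
    # locked an hour ago: the 900 s lockout has expired
    "uid=erin,ou=people,dc=abc,dc=com": {"pwdAccountLockedTime": ["20150417110000Z"]},
}


def report(entries=SAMPLE, policy=POLICY, now=NOW):
    """Lock status for every entry, keyed by DN."""
    return {dn: lock_status(e, policy, now) for dn, e in entries.items()}


if __name__ == "__main__":
    for dn, (state, info) in report().items():
        print(f"{dn}: {state} {info}")
```

The server applies the same arithmetic: a lock lasts pwdAccountLockedTime plus pwdLockoutDuration (900 s here), or indefinitely for the 000001010000Z sentinel or when the duration is 0. For the second question, the server only records the must-change state in pwdReset; whether a Linux login then prompts for a new password depends on the client (pam_ldap, nslcd or sssd) sending the password policy request control and acting on the response.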

Re: Auxiliary object class practically of no use?

2015-04-17 Thread dE

On 04/15/15 19:31, Howard Chu wrote:

dE wrote:

According to RFC 4512

An entry can belong to any subset of the set of auxiliary object
classes allowed by the DIT content rule associated with the
structural object class of the entry.

From what I understand, this means auxiliary classes do not 'augment';
the no. of attributes which are possible in an entry must be a subset of
the structural object class the entry belongs to.


You have completely ignored "DIT content rule" in the quoted sentence.



But it says "DIT content rule associated with the
structural object class of the entry"



catch size and performance

2015-04-17 Thread Greg Jetter
Hello:

I'm running an OpenLDAP setup with one provider and 3 consumers. I am seeing
intermittent problems of replication not happening "until" the consumers are
restarted. This cures the problem.
Replication starts up and continues for a while.

The servers have a very large amount of memory, 256 gigs.

I configured the hdb backend 'DB_CONFIG' to have 4 gigs of cache. Could
this be causing the replication problem?

What's the optimal size that keeps OpenLDAP happy?

thanks

Greg




Re: Structural object class rules

2015-04-17 Thread dE

On 04/15/15 19:28, Michael Ströder wrote:

dE wrote:

"An object or alias entry is characterized by precisely one
   structural object class superclass chain which has a single
   structural object class as the most subordinate object class.
   This structural object class is referred to as the structural
   object class of the entry."

There's a bit of ambiguity with this

"which has a single structural object class as the most subordinate 
object class"


What do you mean by 'most subordinate'? Is it that there must be no 
parallel

entries at the same level in the hierarchy?


It's always better to provide a reference to the full text of a quoted 
text.


The hierarchy in this case is the structural object classes 
hierarchy, not the directory information tree (DIT). Read in RFC 4512 
about what SUP in object class description means:


http://tools.ietf.org/html/rfc4512#section-4.1.1

Note that there's also an attribute type hierarchy defined with SUP.

Ciao, Michael.


Yes, I know that.

Actually the question was --

What do you mean by 'most subordinate'? Is it that there must be no 
parallel

structural object class at the same level in the class hierarchy?


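Howard's and Michael's answers in the two threads above (the auxiliary-class question and the "most subordinate" question) are two halves of one rule in section 2.4 of RFC 4512: the structural classes an entry lists must lie on a single SUP chain, the lowest class on that chain is the entry's structural object class, and auxiliary classes add their MUST and MAY attributes on top of it. A DIT content rule, which is tied to exactly one structural class, is the only thing that restricts which auxiliary classes may be combined with that structural class. The following Python model is an added example written for this page, not code from either thread or from OpenLDAP: the schema subset is hand-copied and deliberately incomplete, the content rule is made up, and superclass_chain, structural_object_class and check_entry are names chosen here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                      # ABSTRACT, STRUCTURAL or AUXILIARY
    sup: tuple = ()                # SUP: superior classes in the class hierarchy
    must: frozenset = frozenset()
    may: frozenset = frozenset()


# Constructed, deliberately incomplete subset of the core, nis and ppolicy schemas.
SCHEMA = {oc.name: oc for oc in (
    ObjectClass("top", "ABSTRACT", must=frozenset({"objectClass"})),
    ObjectClass("person", "STRUCTURAL", ("top",), frozenset({"sn", "cn"}),
                frozenset({"userPassword", "telephoneNumber", "description"})),
    ObjectClass("organizationalPerson", "STRUCTURAL", ("person",),
                may=frozenset({"title", "ou", "l"})),
    ObjectClass("inetOrgPerson", "STRUCTURAL", ("organizationalPerson",),
                may=frozenset({"uid", "mail", "displayName"})),
    ObjectClass("device", "STRUCTURAL", ("top",), frozenset({"cn"}),
                frozenset({"serialNumber", "description"})),
    ObjectClass("posixAccount", "AUXILIARY", ("top",),
                frozenset({"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
                frozenset({"loginShell", "gecos"})),
    ObjectClass("pwdPolicy", "AUXILIARY", ("top",), frozenset({"pwdAttribute"}),
                frozenset({"pwdMaxAge", "pwdLockout", "pwdMaxFailure"})),
)}

# Constructed DIT content rule.  A rule is keyed by the one structural class it
# governs (it shares that class's OID) and lists the auxiliary classes allowed.
CONTENT_RULES = {"inetOrgPerson": frozenset({"posixAccount"})}


def superclass_chain(name):
    """`name` plus everything reachable through SUP (class hierarchy, not the DIT)."""
    chain, todo = [], [name]
    while todo:
        n = todo.pop()
        if n not in chain:
            chain.append(n)
            todo.extend(SCHEMA[n].sup)
    return chain


def structural_object_class(object_classes):
    """The entry's structural object class: the single most subordinate structural
    class of its one structural chain.  Two structural classes on parallel chains
    (person and device, say) or no structural class at all raise ValueError."""
    structural = set()
    for n in object_classes:
        structural |= {c for c in superclass_chain(n) if SCHEMA[c].kind == "STRUCTURAL"}
    leaves = [c for c in structural
              if not any(o != c and c in superclass_chain(o) for o in structural)]
    if len(leaves) != 1:
        raise ValueError(f"need exactly one structural chain, got leaves {sorted(leaves)}")
    return leaves[0]


def check_entry(entry, content_rules=CONTENT_RULES):
    """Validate an entry (dict attribute -> list of values) and return
    (structural_class, allowed_attributes).  MUST and MAY are the union over every
    listed class and its superclasses, so auxiliary classes augment the entry;
    only a DIT content rule for the structural class can restrict which auxiliary
    classes are allowed, and without a rule any auxiliary class is accepted."""
    ocs = entry["objectClass"]
    soc = structural_object_class(ocs)
    aux = {n for n in ocs if SCHEMA[n].kind == "AUXILIARY"}
    rule = content_rules.get(soc)
    if rule is not None and not aux <= rule:
        raise ValueError(f"content rule for {soc} does not allow {sorted(aux - rule)}")
    must, may = set(), set()
    for n in ocs:
        for c in superclass_chain(n):
            must |= SCHEMA[c].must
            may |= SCHEMA[c].may
    present = set(entry)
    if must - present:
        raise ValueError(f"missing required attributes {sorted(must - present)}")
    if present - must - may:
        raise ValueError(f"attributes not allowed by any class: {sorted(present - must - may)}")
    return soc, frozenset(must | may)
```

With this model an inetOrgPerson plus posixAccount entry is accepted with uidNumber and loginShell among its allowed attributes, person plus device is rejected as two parallel structural chains, and inetOrgPerson plus pwdPolicy is rejected only because the constructed content rule says so; pass content_rules={} and the same entry is accepted. slapd runs the equivalent checks at add and modify time, with content rules supplied through ditcontentrule in slapd.conf or olcDitContentRules in cn=config.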

How to disable SSF (integrity) on GSSAPI mech?

2015-04-17 Thread Osipov, Michael
Hi folks,

I am binding against Active Directory with GSSAPI mech and would like to 
disable SASL integrity for debugging purposes with Wireshark. Unfortunately, 
this call fails:

char *secprops = "minssf=0,maxssf=0";
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);

with:

Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input 
parameter could not be read (Unknown error)
Result code: -2

I am used to this with Java's SASL client where I can set SASL QOP with auth, 
auth-int, auth-conf.

Is that not possible with OpenLDAP along with CyrusSASL?

For what it is worth, I am on FreeBSD 9.3 with latest OpenLDAP and CyrusSASL 
from the ports tree.

Regards,

Michael

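Michael's question above and Dan White's reply earlier on this page turn on how Cyrus SASL encodes quality of protection: not as the auth, auth-int and auth-conf names Java uses, but as a security strength factor (SSF) bounded by minssf and maxssf, where 0 is authentication only, 1 is integrity without encryption and anything higher is confidentiality. The Python below is an added example, not code from the thread or from OpenLDAP. It uses python-ldap, which exposes the same LDAP_OPT_X_SASL_SECPROPS option as the C call quoted above, and reads back the SSF that was actually negotiated. QOP_SECPROPS, secprops_for_qop, qop_from_ssf and gssapi_bind are names chosen here, and dc1.example.com is a placeholder host.

```python
# Cyrus SASL expresses QOP as a security strength factor (SSF):
#   0   authentication only, LDAP PDUs on the wire in the clear   (Java "auth")
#   1   GSS integrity wrapping: payload visible but MIC-protected (Java "auth-int")
#   >1  confidentiality; the number approximates key strength     (Java "auth-conf")
QOP_SECPROPS = {
    "auth": "maxssf=0",                # minssf already defaults to 0
    "auth-int": "minssf=1,maxssf=1",   # keep integrity, forbid encryption
    "auth-conf": "minssf=56",          # require encryption, mechanism picks the strength
}


def secprops_for_qop(qop):
    """Translate a Java-style QOP name into an OpenLDAP/Cyrus secprops string."""
    try:
        return QOP_SECPROPS[qop]
    except KeyError:
        raise ValueError(f"unknown QOP {qop!r}, expected one of {sorted(QOP_SECPROPS)}") from None


def qop_from_ssf(ssf):
    """Name the protection level actually negotiated, from the connection's SSF."""
    if ssf == 0:
        return "auth"
    if ssf == 1:
        return "auth-int"
    return "auth-conf"


def gssapi_bind(uri, qop="auth-int"):
    """GSSAPI bind with the requested QOP; returns the negotiated SSF.
    Needs python-ldap, a Kerberos TGT and a reachable server, hence the lazy import."""
    import ldap
    import ldap.sasl
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Security properties must be in place before the bind: libldap passes them to
    # Cyrus when the GSSAPI negotiation starts, not afterwards.
    conn.set_option(ldap.OPT_X_SASL_SECPROPS, secprops_for_qop(qop))
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    return conn.get_option(ldap.OPT_X_SASL_SSF)


if __name__ == "__main__":
    # dc1.example.com is a placeholder for the domain controller being debugged
    ssf = gssapi_bind("ldap://dc1.example.com", "auth-int")
    print("negotiated SSF", ssf, "->", qop_from_ssf(ssf))
```

maxssf=1 is the setting Dan suggests: the GSSAPI wrap tokens then carry a MIC but no encryption, so the LDAP payload inside them is still readable to a dissector. maxssf=0 removes the wrapping altogether, but a domain controller configured to require LDAP signing refuses such a bind, so auth-int is usually the lowest level Active Directory will accept.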



Re: Fwd: 2.4.40 memory leak?

2015-04-17 Thread Ryan Tandy

On Fri, Apr 17, 2015 at 05:43:45PM +0300, Sergey Esin wrote:

It's still happening, see http://i.imgur.com/NL8ztmp.png. The only solution
for us now is to reboot slapd on a regular basis.

What information can I provide to help to find the reason and fix it?


If you can provide a reproducible test case, and verify that it still 
happens with recent code from git (branch OPENLDAP_REL_ENG_2_4), you 
should file an ITS.


http://openldap.org/its

As glibc's allocator is known to suffer from fragmentation issues, I'd 
suggest mentioning which alternate allocators you've tried and what the 
results were. (Although it may still be closed with the rationale that 
memory fragmentation is not slapd's problem...)


The symptoms of ITS#7299 are similar. It might be the same problem, or 
at least related.


In my experience, this particular problem does not affect delta-syncrepl 
(changelog-based replication). Have you tried setting that up?


http://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl



Re: separate loglevels for different databases?

2015-04-17 Thread Meike Stone
Dear list,

> I've configured two different databases (one ldap, one bdb) in openLDAP.
> Is it possible, to configure separate loglevels for each database?

maybe at least different logfiles?


Thanks Meike



Re: Fwd: 2.4.40 memory leak?

2015-04-17 Thread Sergey Esin
It's still happening, see http://i.imgur.com/NL8ztmp.png. The only solution
for us now is to reboot slapd on a regular basis.

What information can I provide to help to find the reason and fix it?

--
Sergey


On Mon, Mar 30, 2015 at 12:01 PM, Sergey Esin  wrote:

> Hi Ryan,
>
> Here's my config of LDAP master:
> ---
> # cat /etc/openldap/slapd.conf | grep -v ^# | grep -ve '^$'
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> allow bind_v2
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> modulepath /usr/lib64/openldap
> moduleload accesslog.la
> moduleload syncprov.la
> TLSCACertificateFile /etc/openldap/certs/CA.pem
> TLSCertificateFile /etc/openldap/certs/ldap-master.pem
> TLSCertificateKeyFile /etc/openldap/certs/ldap-master.key
> TLSVerifyClient allow
>
> [ .. some limits here .. ]
>
> [ .. some ACLs here .. ]
>
> database config
> access to *
>   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
>   by * none
> database monitor
>
> [ .. some ACLs here .. ]
>
> [ .. some limits here .. ]
>
> database bdb
> cachesize 38
> idlcachesize 70
> readonly off
> suffix "dc=domain,dc=com"
> rootdn "cn=Manager,dc=domain,dc=com"
> rootpw {SSHA}XX
> directory /var/lib/ldap
> index uid eq
> index mail eq
> index objectClass eq
> index entryCSN eq
> index entryUUID eq
> overlay syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> [ .. some limits here .. ]
>
> loglevel sync stats stats2 shell
> checkpoint 5120 10
> serverID 1
> ---
>
>
> Here's what I have on replica server:
>
> ---
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> allow bind_v2
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> threads 8
> [ .. some ACLs here .. ]
> database config
> access to *
>   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
>   by * none
> database monitor
> [ .. some ACLs here .. ]
> database bdb
> cachesize 38
> idlcachesize 70
> readonly off
> suffix "dc=domain,dc=com"
> rootdn "cn=Manager,dc=jetbrains,dc=com"
> rootpw {SSHA}X
> directory /var/lib/ldap
> index uid eq
> index mail eq
> index objectClass eq
> index entryCSN eq
> index entryUUID eq
> checkpoint 5120 10
> syncrepl rid=34
>   provider=ldaps://ldap-master.domain.net:636
>   tls_reqcert=demand
>   tls_cacert=/etc/openldap/certs/CA.pem
>   type=refreshAndPersist
>   schemachecking=off
>   searchbase="dc=domain,dc=com"
>   scope=sub
>   bindmethod=simple
>   binddn="cn=repluser,ou=Accounts,dc=domain,dc=com"
>   credentials=XX
>   retry="300 +"
> updateref ldaps://ldap-master.domain.net
> [ .. some limits here .. ]
> loglevel stats sync stats2 shell
>
> ---
>
>
> I restarted slapd with "LD_PRELOAD=/usr/lib64/libtcmalloc.so.4.1.0" to use
> a different memory allocator (tcmalloc) and now memory consumption is
> almost flat, please see http://i.imgur.com/brIvarB.png
>
> I've also added "threads 8" directive into slapd.conf on LDAP master
> server but have not started the slapd process to make it active.
>
> According to what I see from the OS (Linux) perspective, slapd is using 18
> threads:
>
> # ps -L -o pid= -p  `pgrep slapd` | wc -l
> 18
>
>
> > Do your logs show what kind of client activity triggered the growth?
>
> I have some logs but nothing really special there. No unusual activity.
>
>
> Regards,
> Sergey
>
>
> On Sun, Mar 29, 2015 at 10:16 AM, Ryan Tandy  wrote:
>
>> Hi,
>>
>> On Thu, Mar 26, 2015 at 01:50:27PM +0300, Sergey Esin wrote:
>>
>>> Hi all,
>>>
>>> We're running OpenLDAP 2.4.40 (the latest available release) with just
>>> one
>>> replica server (connected via TLS) and have the following picture -
>>> http://i.imgur.com/om0lMiy.png
>>>
>>> On the graph you can see memory consumption of the slapd process on the
>>> host: in the beginning it started without replica, then replica server
>>> was
>>> connected (memory consumption became around 4 Gigs) and then OOM
>>> (out-of-memory) killer on linux machine just killed the process.
>>>
>>
>> I've seen a similar thing recently. The test case I posted to ITS#8081
>> causes very high memory usage on the host. (The crash bug is unre

Re: olcHidden breaks slapcat? possible bug in slapcat(8)?

2015-04-17 Thread Igor Shmukler
Hello Ulrich,

Not to me, it does not answer the question.
How do I connect olcHidden set to TRUE throwing an error, and FALSE
does not? Would you mind making the connection for me, please.

Sincerely,

Igor Shmukler


On Fri, Apr 17, 2015 at 9:38 AM, Ulrich Windl
 wrote:
> Igor Shmukler wrote on 17.04.2015 at 09:16 in message:
>> Hello,
>>
>> I use olcHidden and set it to true in some instances.
>> This seems to work, yet it breaks slapcat(8) as below:
>> $ sudo slapcat -n 0
>> 5530b282 olcRootPW: value #0:  can only be set when rootdn
>> is under suffix
>> 5530b282 config error processing olcDatabase={2}hdb,cn=config:
>>  can only be set when rootdn is under suffix
>> slapcat: bad configuration file!
>
> In a message Igor sent to me before, it showed that he has an olcRootPW set, 
> but no olcRootDN.
> I guess it answered the question, right?
>
>>
>> Is this a bug, or the desired behavior?
>>
>> Sincerely,
>>
>> Igor Shmukler
>
>
>
>



olcHidden breaks slapcat? possible bug in slapcat(8)?

2015-04-17 Thread Igor Shmukler
Hello,

I use olcHidden and set it to true in some instances.
This seems to work, yet it breaks slapcat(8) as below:
$ sudo slapcat -n 0
5530b282 olcRootPW: value #0:  can only be set when rootdn
is under suffix
5530b282 config error processing olcDatabase={2}hdb,cn=config:
 can only be set when rootdn is under suffix
slapcat: bad configuration file!

Is this a bug, or the desired behavior?

Sincerely,

Igor Shmukler
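Both replies in this thread turn on one check in slapd: an olcRootPW is only accepted when the database also has an olcRootDN that lies under its olcSuffix, and since slapcat -n 0 refuses to run on such a config there is no convenient way to dump the config database to look. The Python below is an added example, not part of the thread or of OpenLDAP: it reads one slapd.d LDIF file directly, applies that rule, and separately flags the hidden-database-with-rootpw combination Igor reports, which Howard's reply treats as a probable bug. The LDIF text is constructed to mimic the reported entry; the slapd.d path in the usage note is distribution-dependent; and parse_ldif_entry, dn_is_under, check_rootpw and hidden_with_rootpw are names chosen here.

```python
import base64
import sys

# Constructed slapd.d entry reproducing the reported situation: olcHidden TRUE,
# an olcRootPW, no olcRootDN.  Real files carry the same AUTO-GENERATED header and
# usually store olcRootPW base64-encoded, which LDIF marks with a double colon.
BROKEN = """# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/hidden
olcSuffix: dc=hidden,dc=example,dc=com
olcHidden: TRUE
olcRootPW:: """ + base64.b64encode(b"{SSHA}redacted").decode() + "\n"

# Ulrich's diagnosis applied: the same entry with an olcRootDN under the suffix
# (written as a folded LDIF line to exercise the parser).
FIXED = BROKEN + "olcRootDN: cn=admin,dc=hidden,\n dc=example,dc=com\n"


def parse_ldif_entry(text):
    """Minimal LDIF reader for one slapd.d entry: unfolds continuation lines,
    decodes '::' base64 values, keeps multi-valued attributes, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form (not full RFC 4514 normalisation)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_is_under(dn, suffix):
    """True when dn equals the suffix or is subordinate to it, on an RDN boundary."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def check_rootpw(attrs):
    """slapd's rule: olcRootPW is only accepted when olcRootDN exists and lies
    under one of the database's olcSuffix values.  Returns a list of problems."""
    problems = []
    if "olcRootPW" not in attrs:
        return problems
    rootdn = attrs.get("olcRootDN", [None])[0]
    suffixes = attrs.get("olcSuffix", [])
    if rootdn is None:
        problems.append("olcRootPW is set but olcRootDN is missing")
    elif not any(dn_is_under(rootdn, s) for s in suffixes):
        problems.append(f"olcRootDN {rootdn!r} is not under olcSuffix {suffixes}")
    return problems


def hidden_with_rootpw(attrs):
    """The combination from the thread: a hidden database that also carries
    olcRootPW.  Reported separately because the thread treats the rootdn check
    tripping on hidden databases as a probable slapd bug."""
    return attrs.get("olcHidden", ["FALSE"])[0].upper() == "TRUE" and "olcRootPW" in attrs


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    entry = parse_ldif_entry(text)
    for problem in check_rootpw(entry) or ["olcRootPW/olcRootDN check passed"]:
        print(problem)
    if hidden_with_rootpw(entry):
        print("note: olcHidden TRUE together with olcRootPW (see thread)")
```

Point it at the file slapcat complained about, typically /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif (the directory varies by distribution). On the constructed BROKEN text it reports the missing olcRootDN; on FIXED the check passes and only the hidden-plus-rootpw note remains, which is the case Howard asked to have filed as an ITS.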