openldap 2.4.40 on RHEL7

2016-10-14 Thread Real, Elizabeth (392K)
Hello,

Quick question about replication, I’m setting up an ldapclient to talk to my 
two LDAP servers which are replicating fine.

To be able to talk to both LDAP servers, do I need to scp the server 
certificate (cert.pem) from both servers into the ldapclient 
/etc/openldap/cacerts directory? I’m looking at this documentation to configure 
the ldap client using sssd: 
https://www.certdepot.net/ldap-client-configuration-authconfig/

Thank you,
Liz


Re: group membership search performance

2016-10-14 Thread Quanah Gibson-Mount
--On Friday, October 14, 2016 1:13 PM +0200 Rébeli-Szabó Tamás wrote:

Hi Quanah,

yes, it takes 5–7 seconds for each search.


I believe that's a general known issue with very large groups.  I 
personally moved to using dynamic groups via slapo-dynlist for a variety of 
reasons, performance being one.  You may want to test in a dev environment 
if your issues go away if you move to dynamic groups instead.


--Quanah


--

Quanah Gibson-Mount
Product Engineer
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
Antw: syncrepl not working: "no serverID / URL match found"

2016-10-14 Thread Ulrich Windl
>>> Daniel Spannbauer wrote on 13.10.2016 at 09:22 in message
<57ff3626.1020...@marco.de>:
> Hello,
> 
> at the moment we have a server running openSuSE 11.4 (let's call it
> server2), running openldap 2.4.23.
> Configured is a replication to/from our main office (running openldap
> 2.4.17, server1).
> Replication works fine.
> 
> I want to replace server2 with a newer one, running openldap 2.4.33 atm.
> --
> Configuration  for replication on server2:
> 
> 
> moduleload  syncprov.la
> serverID 1 "ldap://server1.mainoffice.xxx.de"
> serverID 2 "ldap://server2.branch.xxx.de"

Try to include ":389" in the ServerID; at least we have it here and it works
(even though openldap2-2.4.26-0.65.2 (SLES11 SP4)).

> 
> overlay syncprov
> syncrepl rid=001
> provider=ldap://server1.mainoffice.xxx.de:389
> binddn="cn=Administrator,dc=xxx,dc=de"
> bindmethod=simple
> credentials=somepassowrd
> searchbase=" dc=marco,dc=de"
> type=refreshAndPersist
> interval=00:00:00:10
> retry="5 5 300 +"
> timeout=1
> 
> mirrormode TRUE
> overlay syncprov
> syncprov-nopresent TRUE
> syncprov-reloadhint TRUE
> syncprov-checkpoint 1000 60
> --
> 
> This config works fine with the "old" 2.4.23, but on 2.4.33 I get the
> following error when I start it on the commandline with
> /usr/lib/openldap/slapd -h ldap:///   -f /etc/openldap/slapd.conf -u
> ldap -g ldap  -o slp=off -d 1
> 
> 57ff35cc read_config: no serverID / URL match found. Check slapd -h
> arguments.
> 
> Any hints about this?
> 
> regards
> 
> Daniel
> 
> 
> 
> -- 
> Daniel Spannbauer Systemadministration
> marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
> Rechbergstr. 4-6, D 87727 Babenhausen Mobil +49 171 4033220
> http://www.marco.de/  Email d...@marco.de 
> Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München
Re: group membership search performance

2016-10-14 Thread Rébeli-Szabó Tamás

Hi Quanah,

yes, it takes 5–7 seconds for each search.

Regards,

tamas

On 2016-10-13 18:37, Quanah Gibson-Mount wrote:
--On Wednesday, October 12, 2016 10:11 PM +0200 Rébeli-Szabó Tamás wrote:

Hi,

we are on OpenLDAP 2.4.41 + MDB, Oracle Linux 6 (2.6 x86_64).

In our DIT we have around 300 groups, with tens of thousands of members
in each group. When we want to know which groups a certain user belongs
to, it takes OpenLDAP several seconds to perform such a search.

Here is a log excerpt showing that it took 6 seconds for the server to
answer:

Oct 10 15:39:38 ldap-srv1 slapd[14776]: conn=1062 op=1 SRCH base="ou=groups,dc=tt,dc=hu" scope=1 deref=0 filter="(&(uniqueMember=uid=o10011,ou=users,dc=tt,dc=hu)(objectClass=groupOfUniqueNames))"
Oct 10 15:39:44 ldap-srv1 slapd[14776]: conn=1062 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=

We have eq indices on objectClass and uniqueMember, and the latter is
also listed after sortvals.

The machine running OpenLDAP has 2 virtual cores of Intel Xeon E5 2637 v2
(3.5GHz). During such searches, one of the CPU cores is almost fully
loaded, but the system is not overloaded (the average load is around
0.8).  Our whole dataset is under 1 GB, and there are several gigabytes
of free RAM with no swapping.

Our expectation would be for OpenLDAP to give an answer to a group
membership question under 1 second. Is that a realistic expectation, and
if so, how should we tune OpenLDAP or what do you suggest we change?
Version 2.4.41 is more than a year old, so the question is if there is
any significant performance enhancement (an order of magnitude) possible
with this setup described above, or that's about all we can get from
OpenLDAP+MDB (or perhaps any in-memory LDAP)?


Does it always take 6 seconds to return the 127 group entries that 
match, or is that only on the first search?


--Quanah



--

Quanah Gibson-Mount
Product Engineer
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
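The thread measures the group-membership search by reading the SRCH and SEARCH RESULT timestamps by hand. The following is an added example (not code from the thread or from OpenLDAP) that pairs those two log lines per conn/op and reports the elapsed seconds, so slow searches can be picked out of a whole log; the sample lines are constructed after the excerpt above and the year 2016 is assumed, since syslog timestamps carry none.

```python
"""Per-operation search latency from slapd log lines (added example)."""
import re
from datetime import datetime

# Constructed sample, modelled on the thread's excerpt; a second, fast
# search on another connection is interleaved to show the pairing.
SAMPLE_LOG = """\
Oct 10 15:39:38 ldap-srv1 slapd[14776]: conn=1062 op=1 SRCH base="ou=groups,dc=tt,dc=hu" scope=1 deref=0 filter="(&(uniqueMember=uid=o10011,ou=users,dc=tt,dc=hu)(objectClass=groupOfUniqueNames))"
Oct 10 15:39:38 ldap-srv1 slapd[14776]: conn=1063 op=2 SRCH base="dc=tt,dc=hu" scope=2 deref=0 filter="(uid=o10011)"
Oct 10 15:39:38 ldap-srv1 slapd[14776]: conn=1063 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 10 15:39:44 ldap-srv1 slapd[14776]: conn=1062 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text=
"""

# syslog timestamp, host, slapd[pid]:, then conn=/op= and the rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$"
)


def _parse_ts(ts, year):
    # syslog lines have no year; the caller supplies one (assumed 2016 here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def search_latencies(log_text, year=2016):
    """Return {(conn, op): (seconds, filter, nentries)} for completed searches."""
    started = {}   # (conn, op) -> (start time, filter string)
    results = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        if rest.startswith("SRCH "):
            flt = re.search(r'filter="(.*)"', rest)
            started[key] = (_parse_ts(m["ts"], year), flt.group(1) if flt else "")
        elif rest.startswith("SEARCH RESULT") and key in started:
            t0, flt = started.pop(key)
            n = re.search(r"nentries=(\d+)", rest)
            secs = (_parse_ts(m["ts"], year) - t0).total_seconds()
            results[key] = (secs, flt, int(n.group(1)) if n else 0)
    return results


def slow_searches(log_text, threshold=1.0, year=2016):
    """Searches slower than the threshold (the thread's target is under 1 s)."""
    return {k: v for k, v in search_latencies(log_text, year).items() if v[0] > threshold}
```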
Re: OpenLDAP server attack surface analysis shows UDP port 63515 in unknown state

2016-10-14 Thread Sreekanth Sukumaran
Hi All,

Thanks for all the replies, I have been on vacation and am just back.

The OpenLDAP server is not seriously patched and the port is really
strange. I will look back at the analysis once again and update.

On Sat, Oct 1, 2016 at 11:20 PM, Dieter Klünter  wrote:

> Am Fri, 30 Sep 2016 12:55:47 +0200
> schrieb Michael Ströder :
>
> > Sreekanth Sukumaran wrote:
> > >
> > > Sorry, I missed to add subject in the last mail. Resending with
> > > subject. sorry about spamming the group
> > >
> > > Hi All,
> > >
> > > OpenLDAP version : 2.4.39 on windows
> > > Tool used : Microsoft Attack surface analyzer
> > >
> > > We have been doing attack surface analysis on OpenLDAP server, and
> > > we have found that there is an UDP port 63515 associated with
> > > OpenLDAP server. (state shows "Unknown", not listening or
> > > established)
> > >
> > > Inline image 1
> > >
> > > We have not connected any clients to OpenLDAP server, so we cannot
> > > think of it as an ephemeral port at server end as well.
> > >
> > > Has anyone an idea on what this port could be for. Inputs are much
> > > appreciated.
> >
> > I really wonder what OpenLDAP builds you're running?!?
> >
> > Personally I never saw an OpenLDAP server listening on 63515/udp.
>
> Probably Samba with CLDAP and a strange port?
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://dkluenter.de
> GPG Key ID:DA147B05
> 53°37'09,95"N
> 10°08'02,42"E
>
>


-- 
Regards,
Sreekanth
09036794524


Re: syncrepl not working: "no serverID / URL match found"

2016-10-14 Thread Daniel Spannbauer
Hello Quanah,

> 
>> This config works fine with the "old" 2.4.23, but on 2.4.33 I get the
>> following error when I start it on the commandline with
>> /usr/lib/openldap/slapd -h ldap:///   -f /etc/openldap/slapd.conf -u
>> ldap -g ldap  -o slp=off -d 1
>>
>> 57ff35cc read_config: no serverID / URL match found. Check slapd -h
>> arguments.
> 
> Hi Daniel,
> 
> As the error message notes, there is no match between what you are
> passing to -h when slapd starts (ldap:///) and a URI in your serverID
> config (ldap://server1... ldap://server2...).
> 
> Adjust your -h option to slapd so that it can be matched against a
> server ID.
> 
> Hope that helps!
> 

Yes, with -h ldap://server2.branch.xxx.de it works, but why does it work
with this configuration at openldap 2.4.23? Was it a bug?

Regards

Daniel


-- 
Daniel Spannbauer Systemadministration
marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
Rechbergstr. 4-6, D 87727 Babenhausen Mobil +49 171 4033220
http://www.marco.de/  Email d...@marco.de
Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München
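Quanah's diagnosis above is that the listener URL given with -h (ldap:///) matches none of the serverID URLs. The following is an added pre-flight check, not part of the thread or of OpenLDAP: it reads the serverID lines from a slapd.conf text and compares them with the intended -h listener URLs before slapd is started. The comparison (scheme, host and port, with 389 assumed when ldap:// gives none) is a simplified approximation of slapd's own matching, written to illustrate the failure in the thread; the hostnames are the poster's placeholders.

```python
"""Pre-flight check for "no serverID / URL match found" (added example)."""
import re
from urllib.parse import urlsplit

# Constructed after the thread's configuration (hostnames are placeholders).
SLAPD_CONF = """\
moduleload  syncprov.la
serverID 1 "ldap://server1.mainoffice.xxx.de"
serverID 2 "ldap://server2.branch.xxx.de"
overlay syncprov
"""

# Assumed default ports; slapd's own matching rules are not reproduced here.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def _normalise(url):
    """Return (scheme, host, port); host is '' for wildcard URLs such as ldap:///."""
    u = urlsplit(url.strip().strip('"'))
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT.get(scheme)


def parse_serverids(conf_text):
    """Map serverID number -> (scheme, host, port) from 'serverID <n> <url>' lines."""
    ids = {}
    for line in conf_text.splitlines():
        m = re.match(r'^\s*serverID\s+(\d+)\s+"?([^"\s]+)"?', line, re.IGNORECASE)
        if m:
            ids[int(m.group(1))] = _normalise(m.group(2))
    return ids


def match_serverid(listener_urls, conf_text):
    """Return the serverID number whose URL matches a listener, or None.

    A wildcard listener (ldap:///) has no host, so it matches nothing: that is
    the situation behind the error in the thread.
    """
    ids = parse_serverids(conf_text)
    for url in listener_urls:
        want = _normalise(url)
        if not want[1]:
            continue
        for sid, have in ids.items():
            if have == want:
                return sid
    return None
```

Run it with the URLs you intend to pass to -h; a None result means slapd will fail with the error shown in the thread.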