On Wed., 16 March 2022 at 21:39, Quanah Gibson-Mount wrote:
>
>
>
> --On Wednesday, March 16, 2022 10:23 PM +0100 Meike Stone
> wrote:
>
> >
> > We are still using the bdb backend and the latest 2.4.59 (don't ask,
> > it will be replaced soon)
On Wed., 16 March 2022 at 19:31, Quanah Gibson-Mount wrote:
>
>
>
> --On Wednesday, March 16, 2022 7:59 PM +0100 Meike Stone
> wrote:
>
> > Hello,
> >
> > what is the right solution to back up a MirrorMode setup?
> > I've a simple setup with two
Hello,
what is the right solution to back up a MirrorMode setup?
I've a simple setup with two servers, running in MirrorMode, and a
virtual IP is moved on "request" between the two servers (nodes). The
DNS-Name of the virtual IP is used for the client ldap requests. The
server certificate is issued to
Hello Quanah,
Thanks for clarification.
> > That confuses me a little bit.
> > All replication in OpenLDAP is based on syncrepl (slurpd
> > vanished a long time ago).
> > So what kind of replication does the manual page mean (-> "Replica servers")?
>
> It means that you run it in a replicat
Hello,
I need the memberof Attribute on users, and I configured it with the
memberof overlay. Everything is working fine. I would like to deploy a
second server for redundancy reasons, but the manual page of the
overlay says:
" .. Replica servers should be configured with their
own instances of the me
>> I don't have to recompile the whole openldap, compiling the module is
>> sufficient?
>>
>> (1) we think about a subscription from symas ...
>
>
> Correct. Any distributor (symas included) should include a development
> package that allows the ability to rebuild a module without rebuilding
> eve
Hello,
the userPassword is a multivalued attribute.
If two values with different schemes are set,
how will openldap handle the request?
Will only one password be checked and, if it is wrong,
access declined, or will openldap proceed to the second
password hash?
If both userPassword
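The multi-valued case asked about above, as an added example (not code from OpenLDAP or from the poster): slapd's slap_passwd_check() walks every userPassword value and accepts the bind as soon as one value verifies, rejecting only when all values fail. The snippet below reproduces that loop for the RFC 2307 "{SCHEME}base64" layout with {SHA} and {SSHA} handlers; any other scheme prefix is treated as unknown, and the sample hashes are constructed inline.

```python
"""Verify a bind credential against a multi-valued userPassword the way
slapd's slap_passwd_check() does: each stored value is tried in turn and
the bind succeeds as soon as one of them verifies; only if every value
fails is the bind rejected.

Added example for this thread, not code from OpenLDAP or from the poster.
It implements the RFC 2307 "{SCHEME}base64" layout for {SHA} and {SSHA}
only; any other scheme prefix is treated as unknown. Sample hashes are
constructed inline for the demonstration.
"""
import base64
import binascii
import hashlib
import hmac
import os


def _sha_check(stored, cred):
    """{SHA}: base64(sha1(cred))."""
    return hmac.compare_digest(base64.b64decode(stored), hashlib.sha1(cred).digest())


def _ssha_check(stored, cred):
    """{SSHA}: base64(sha1(cred + salt) + salt); the salt follows the 20-byte digest."""
    raw = base64.b64decode(stored)
    if len(raw) <= 20:          # no salt present: malformed value, never matches
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(cred + salt).digest())


# Scheme table; a proprietary or unregistered scheme deliberately has no entry.
_SCHEMES = {b"{SHA}": _sha_check, b"{SSHA}": _ssha_check}


def check_one(stored, cred):
    """Verify one userPassword value; False on empty input or unknown scheme."""
    if not stored or not cred:
        return False
    if stored.startswith(b"{"):
        end = stored.find(b"}")
        handler = _SCHEMES.get(stored[: end + 1].upper()) if end > 0 else None
        if handler is None:
            # A '{'-prefixed value with an unrecognised scheme is rejected;
            # slapd does not fall back to a cleartext comparison here.
            return False
        try:
            return handler(stored[end + 1:], cred)
        except (binascii.Error, ValueError):
            return False        # undecodable payload counts as a mismatch
    # No scheme prefix: compared as cleartext (slapd allows this only when
    # the {CLEARTEXT} scheme is permitted).
    return hmac.compare_digest(stored, cred)


def check_userpassword(values, cred):
    """Bind semantics over all values: any matching value grants access."""
    return any(check_one(v, cred) for v in values)


def make_sha(pw):
    return b"{SHA}" + base64.b64encode(hashlib.sha1(pw).digest())


def make_ssha(pw, salt=None):
    salt = os.urandom(4) if salt is None else salt
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt)


if __name__ == "__main__":
    # Constructed entry with two values in different schemes.
    values = [make_sha(b"old-secret"), make_ssha(b"new-secret")]
    for cred in (b"old-secret", b"new-secret", b"wrong"):
        print(cred.decode(), "->", check_userpassword(values, cred))
```

The practical consequence of the any-match rule is that a stale second value (an old hash left behind during a migration) stays a valid credential until it is explicitly deleted; an audit of multi-valued userPassword entries is worth doing before a scheme migration.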
2017-01-19 12:31 GMT+01:00 Howard Chu :
> Meike Stone wrote:
>>
>> Writing an openldap module like pw-sha2 is not the first choice, because
>> we would need to compile openldap ourselves after each update, and that
>> prevents us from using the distribution packages.
>
>
Hello dear list,
we would like to migrate a user database from SQL to LDAP and need to
take over the user passwords.
The problem is, the passwords are hashed by a known but proprietary algorithm.
Is there a possibility to write a small external binary that is
used by slapd to validate these passwords
sorry, wrong button ...
>> I don't know of any way currently to allow only passwordModify exops, it
>> would actually
>> allow all extended operations.
Maybe it will not work, because "UnicodePwd" is only changeable by del+add ..
Meike
Hello,
thanks for answering ...
2015-08-06 16:24 GMT+02:00 Howard Chu :
> Meike Stone wrote:
>>
>> Hello,
>>
>> it is me again regarding the ldap-backend.
>>
>> As told, I've installed an openldap as proxy in a DMZ for authentication
>> forwarding
Hello,
it is me again regarding the ldap-backend.
As told, I've installed an openldap as proxy in a DMZ for authentication
forwarding to an Active Directory. The proxy is used by a VPN gateway.
That all works very well. But now, I want to protect the AD from modification.
Only password changes from t
>> Hello
>>
>>
>> I've installed an openldap as proxy in a DMZ for authentication
>> forwarding to an Active Directory.
>> The Proxy is used by a VPN gateway.
>>
>> That all works very well, but a password change from the client fails with
>> the following error:
>>
>> slapd[30661]: conn=1001 op=5 do_modify
>>
Hello
I've installed an openldap as proxy in a DMZ for authentication
forwarding to an Active Directory.
The proxy is used by a VPN gateway.
That all works very well, but a password change from the client fails with
the following error:
slapd[30661]: conn=1001 op=5 do_modify
slapd[30661]: conn=1001 op=5 do
Hello,
2015-04-17 17:18 GMT+02:00 Meike Stone :
> Dear list,
>
>> I've configured two different databases (one ldap, one bdb) in openLDAP.
>> Is it possible, to configure separate loglevels for each database?
>
> maybe at least different logfiles?
Is there no one who can help?
Thanks Meike
Dear list,
> I've configured two different databases (one ldap, one bdb) in openLDAP.
> Is it possible, to configure separate loglevels for each database?
maybe at least different logfiles?
Thanks Meike
Hello,
I've configured two different databases (one ldap, one bdb) in openLDAP.
Is it possible, to configure separate loglevels for each database?
Thanks Meike
2014-02-03 Pieter Baele :
> It's sadly a bit true.
>
> I like OpenLDAP a lot but if you don't need the *fastest* LDAP server,
> something as OpenDJ from Forgerock
> is a lot easier to configure.
>
I tried to use aliases (as defined in rfc 4512/2.6) with OpenDJ, but
it is not implemented.
So
>
> If your purpose is to test the distribution's builds,
Yes, that's is my intention.
> you can surely
> download the corresponding OpenLDAP source code, build it, replace slapd and
> slap* tools in BUILDDIR/servers/slapd with those provided by the
> distribution, and run the tests using "make te
Hello,
thanks for the answer, that's a great pity!
Meike
2013/6/6 Hallvard Breien Furuseth :
> Meike Stone writes:
>> is it possible and how, to run the complete test suite included in the
>> source tarball later, after installing the openldap rpm/deb package
>> independently a
2013/6/6 Howard Chu :
> Meike Stone wrote:
>>
>> Hello,
>>
>> is it possible and how, to run the complete test suite included in the
>> source tarball later, after installing the openldap rpm/deb package
>> independently and separated from the compilation?
Hello,
is it possible and how, to run the complete test suite included in the
source tarball later, after installing the openldap rpm/deb package
independently and separated from the compilation?
Thanks Meike
>
> If you ever get "Permission denied" there's something wrong with
> ownership/permissions of your slapd setup or slapcat process. You should
> immediately fix it.
Yes, slapd runs under user "ldap" and I used slapcat as root,
but slapcat shouldn't change permissions or write anything?
If so, t
2013/5/30 Quanah Gibson-Mount :
> --On Thursday, May 30, 2013 11:39 AM +0200 Meike Stone
> wrote:
>
>> Hello,
>>
>>
>> is it possible to use an ldif backup with operational attributes
>> (ldapsearch ... '+' '*') with slapadd, to save the
2013/5/30 Quanah Gibson-Mount :
> --On Thursday, May 30, 2013 8:04 PM +0200 Meike Stone
> wrote:
>
>> I want to preserve the operational attributes from the ldapsearch ldif
>> (created with '+' '*').
>> But I saw, that a ldapsearch ldif with o
2013/5/30 Quanah Gibson-Mount :
> --On Thursday, May 30, 2013 7:51 PM +0200 Meike Stone
> wrote:
>
>> 2013/5/30 Quanah Gibson-Mount :
>>>
>>> --On Thursday, May 30, 2013 11:39 AM +0200 Meike Stone
>>> wrote:
>>>
>>>> Hello,
2013/5/30 Quanah Gibson-Mount :
> --On Thursday, May 30, 2013 11:39 AM +0200 Meike Stone
> wrote:
>
>> Hello,
>>
>>
>> is it possible to use an ldif backup with operational attributes
>> (ldapsearch ... '+' '*') with slapadd, to save the
Hello,
is it possible to use an ldif backup with operational attributes
(ldapsearch ... '+' '*') with slapadd, to save the operational
attributes, if no slapcat backup is available? Are there any concerns?
Thanks Meike
2013/5/28 Meike Stone :
>
> I ask this, because it seems to me, that the basedn does not matter in
> the search ...
In my special (real world) case, I have in the basedn 84,000 objects
but only one of this is a person with objectclass=inetOrgperson.
I have about 420,000 ob
>
> Indexing is all about making rare data easy to find. If you have an
> attribute that occurs on 99% of your entries, indexing it won't save any
> search time, and it will needlessly slow down modify time.
>
> Asking about "1,000,000" entries is meaningless on its own. It's not the raw
> number o
Hello,
because of this, does it make sense in a directory with > 1,000,000
people to index the sex attribute?
thanks Meike
2013/5/23 Quanah Gibson-Mount :
> --On Thursday, May 23, 2013 4:40 PM + Chris Card
> wrote:
>
>> Hi all,
>>
>> I have an openldap directory with about 7 million DNs, running ope
Sorry for top posting, the google web client is always hiding the message
while answering *grrr*
Meike
Hello,
I had the same problem years ago and the patch worked for me. As I
understood, this special problem exists in mdb too
(http://www.openldap.org/lists/openldap-technical/201301/msg00185.html)
That's one reason why I did not switch until now.
Thanks Meike
2013/5/24 Howard Chu :
> Chris Card
2013/4/26 Marc Patermann :
> Meike Stone schrieb (26.04.2013 14:34 Uhr):
>
>
>>
>> Is it possible to simulate the present phase with ldapsearch, to look
>> if the provider needs so long and if, what part (entries updated or
>> unchanged entry ) needs so long?
>
>
> syncrepl really isn't intended for initial "full" loads, although it will
> work eventually (as you've seen). The preferred method for standing up an
> offline server is slapadd -q. syncrepl can then handle deltas since the LDIF
> was generated; this should complete fairly rapidly.
>
Ok, sound
Hello,
I've a problem with the speed of replication.
I've set up openldap 2.4.33 with a master and one consumer. At the
moment the full replication takes about 32 hours.
No LDAP operations are made on master or consumer during this time.
(I know, it depends on hardware too, but the two servers are
Hello Howard,
thanks for fast answer!
>> - An index slot is losing precision if the search result for an
>> (indexed) attribute is larger than 2^16. Then the search time is going
>> to increase a lot.
>> - I can change this via BDB_IDL_LOGN.
>> - But if I have a directory, that holds 200.000 emp
Hello,
I'm sorry, but I want to ask again for clarification.
First question:
- An index slot is losing precision if the search result for an
(indexed) attribute is larger than 2^16. Then the search time is going
to increase a lot.
- I can change this via BDB_IDL_LOGN.
- But if I have a directory,
Hello Andrew,
>
> Dryrun won't be able to detect missing structural entries: that
> requires a database. Even an internal list of DNs is not
> enough, as the actual entries have to be available in order to
> check things like schema and content rules.
>
> To be a valid test you really have to impor
>
> a) Use a current release. That would be 2.4.33.
> b) Delta-syncrepl supports MMR in current releases
> c) The reason I suggest delta-syncrepl is because syncrepl is known to be
> problematic, particularly with MMR. If you want reliable replication, use
> delta-syncrepl.
Is it recommended in
>> -
>> ~ # slapcat -f /etc/openldap/slapd.conf >/backup.ldif; echo $?
>> 0
>>
>>
>> It seems to me that in such a case slapcat does not throw an error?!
>
>
> slapcat doesn't check for missing entries.
>> and if I try to add this missing node, then I get:
>> ldapadd -x -h localhost -w password -D"cn=admin,ou=root" -f test.ldif
>> adding new entry ou=a,ou=b,ou=c,ou=root
>> ldap_add: Already exists (68)
>
>
> Use slapadd to add the missing entry. For back-mdb you don't need to stop
> slapd while ru
2013/1/24 Hallvard Breien Furuseth :
> Meike Stone writes:
>> - What is the origin of such orphaned nodes (in MMR it happens and
>> I see a few glue records, but in my backup this one node is completely
>> missing...)?
>
> Do you check the exit code from slapcat bef
>>
>> - How can I prevent such entries and how can I recognize them
>> without importing?
>
>
> It's easiest just to let slapadd tell you.
So as I understand it, I make a dry run (slapadd -u) to test the backup?
I tried this, but got no error, only if I make a real import, then
slapadd throws the
Hello dear List,
I tried to import a slapcat backup from our production machine in a
test environment and got the following message:
debld02:~ # time slapadd -w -q -f /etc/openldap/slapd.conf -l /backup.ldif
50f98421 mdb_monitor_db_open: monitoring disabled; configure monitor
database to enable
-###
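The situation described in this thread (an entry in the slapcat export whose parent is missing, which slapcat does not report and which slapadd -u cannot catch because a dry run keeps no database) can be screened for before the real import. The following is an added example, not part of OpenLDAP or the poster's setup: it walks the DNs in an LDIF export and lists every entry whose parent is neither in the export nor one of the configured database suffixes. It assumes a plain export (folded lines and base64 `dn::` lines are handled, LDIF change records are not) and compares DNs case-insensitively after splitting on unescaped commas; that is enough for a pre-import sanity check but is not a full RFC 4514 normaliser. The sample LDIF is constructed and mirrors the `ou=a,ou=b,ou=c,ou=root` case quoted above.

```python
"""Find entries in a slapcat/ldapsearch LDIF export whose parent entry is
missing ("orphaned nodes"), before running slapadd: slapcat exports such
entries without complaint, and slapadd -u keeps no database and so cannot
see that a parent is absent.

Added example for this thread, not part of OpenLDAP or the poster's
setup. Assumes a plain LDIF export (continuation lines and base64 'dn::'
lines are handled, change records are not) and compares DNs
case-insensitively after splitting on unescaped commas. The sample
LDIF below is constructed.
"""
import base64
import sys


def iter_dns(text):
    """Yield the DN of every entry, unfolding LDIF continuation lines first."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("dn::"):         # base64-encoded DN
            yield base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            yield line[3:].strip()


def split_rdns(dn):
    """Split a DN into its RDN strings on commas not escaped by a backslash."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def normalize(dn):
    """Comparison form: lower-cased RDNs with surrounding whitespace removed."""
    return ",".join(p.lower() for p in split_rdns(dn))


def parent_of(dn):
    """DN of the parent entry, or None for a single-RDN DN."""
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def find_orphans(text, suffixes):
    """Return the DNs whose parent is neither in the export nor a database suffix."""
    dns = list(iter_dns(text))
    present = {normalize(d) for d in dns}
    roots = {normalize(s) for s in suffixes}
    orphans = []
    for dn in dns:
        if normalize(dn) in roots:          # the suffix entry itself has no parent
            continue
        parent = parent_of(dn)
        if parent is None or normalize(parent) not in present:
            orphans.append(dn)
    return orphans


# Constructed export: ou=b,ou=c,ou=root is missing, so its child is orphaned.
SAMPLE_LDIF = """\
dn: ou=root
objectClass: organizationalUnit
ou: root

dn: ou=c,ou=root
objectClass: organizationalUnit
ou: c

dn: ou=a,ou=b,ou=c,ou=root
objectClass: organizationalUnit
ou: a

dn: cn=Smith\\, John,ou=c,
 ou=root
objectClass: person
cn: Smith, John
sn: Smith
"""

if __name__ == "__main__":
    # usage: python check_ldif.py backup.ldif ou=root [more suffixes...]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        suffixes = sys.argv[2:]
    else:
        text, suffixes = SAMPLE_LDIF, ["ou=root"]
    for dn in find_orphans(text, suffixes):
        print("missing parent for:", dn)
```

Run it against the export with the database suffix as the second argument before restoring; a non-empty result explains the "Already exists (68)" on ldapadd quoted above, since the child was imported as a glue entry. A real slapadd into a scratch database remains the definitive test, because schema and content-rule checks need the entries themselves.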
> File an ITS (http://www.openldap.org/its/) with a full backtrace of all
> threads from gdb.
=> #7496
Thanks
Hello,
I am playing a little with mdb on a test machine, and imported our db
from the production system.
(about 1,500,000 entries, 2.5 GByte ldif from slapcat)
I took the slapd source from git today, and because of a segmentation
fault, I compiled slapd with debugging symbols.
My configuration is simple
>
> So my first question:
> Does mdb have limitations like bdb it have aka BDB_IDL_LOGN?
Yes. back-mdb is ~60% the same code as back-bdb/hdb, its indexing
functions are basically identical.
>>>
>>>
>>>
>>> However, I never got mdb to work successfully by modifying t
>>> So my first question:
>>> Does mdb have limitations like bdb it have aka BDB_IDL_LOGN?
>>
>>
>> Yes. back-mdb is ~60% the same code as back-bdb/hdb, its indexing
>> functions are basically identical.
>
>
> However, I never got mdb to work successfully by modifying these values.
Does this mean,
>> So my first question:
>> Does mdb have limitations like bdb it have aka BDB_IDL_LOGN?
>
>
> Yes. back-mdb is ~60% the same code as back-bdb/hdb, its indexing functions
> are basically identical.
>
Thanks for the information, .. it was not what I expected, so I think
for a lot of users with lar
Hello,
because of problems with bdb (virtual memory usage and glibc) and
limitations (IDL),
I want to migrate to mdb.
So my first question:
Does mdb have limitations like bdb has, aka BDB_IDL_LOGN?
Second, I set up a small lab for tests with mdb and don't get
slapd started
with larger mdb
> 2013/1/12 Meike Stone :
>
> What I see is that slapd had reserved "Total: 7350688K"
> (overcommitted?), but only referenced 4900700K.
> Why does slapd reserve so much memory and use it not? Because of this,
> I changed the default values for memory overcomittment
>
>
> Yes, that would significantly increase memory usage. I have only ever done
> the *second* modification (BDB_IDL_LOGN) to fix the IDL issues. I've run
> that way for years.
How much have you increased the BDB_IDL_LOGN -> 2^17 or more, would be
interesting for me, because we are nearly reach t
>>
>>> From slapd.conf/cn=config:
>>> a) cachesize setting
>>> b) idlcachesize setting
>>> c) dncachesize setting
>>
>>
>> cachesize 75
>> dncachesize 75
>> idlcachesize225
>>
>> Thanks and best regards
>
>
> Your settings here don't make a lot of s
2013/1/14 Quanah Gibson-Mount :
>
>
> Sorry, I don't have your configuration memorized. Generally, you should
> list:
Oops sorry, I used my gmail account and did not see that the thread
in the mailing list is "broken"..
Here is all the posted information from my production system
http://www.open
Hello,
I could update both systems during my vacation to 2.4.33.
Both servers had 16GByte RAM.
The system crashed again randomly (as expected).
So we increased the memory on one server to 24 GByte RAM. No effect,
this server crashes too, sometimes up to 5 times a day.
I installed a test machine (
>
>> Yes, not before January 2013 ...
>> Hope after reorganization, slapd runs more stable...
>> The only thing I can do for now.
>
>
> It is highly unlikely that "reorganization" will change the overall
> footprint of the slapd database.
Yes, I see this now ... It does not matter ...
> Your be
>
>> I'm afraid to increase the cachesize in DB_CONFIG:
>
>
> ch_realloc means the system ran out of memory. Increasing the DB_CONFIG
> cachesize will run you out of memory more quickly.
I'm sitting JUST NOW in front of the LDAP Server and slapcat/slapadd
the database to reorganize ..
(database i
I'm afraid to increase the cachesize in DB_CONFIG:
At the moment slapd uses 13146656K referenced Memory - that is a lot ...
Memory usage:
~# free -m
             total       used       free     shared    buffers     cached
Mem:         15946      15857         88          0          7
Hello Dieter,
>> My configuration:
>> == DB_CONFIG ==
>> set_cachesize 2 0 1
>> set_lg_regionmax 262144
>> set_lg_bsize 2097152
>> set_flags DB_LOG_AUTOREMOVE
>
> you have a cache of 2GB and about 1.5M entries, you should definitely
> increase the cachesize, take the
Hello,
for a short time now, my slapd has been crashing often.
I have two servers running in MM replication.
I use openldap version 2.4.30 (for updates are only dedicated timeslots...)
The loglevel is set to 256
I see some strange messages in my log before the slapd crashes:
"ch_realloc of 986032 bytes fail
If we talk about syslog ..
SuSE (opensuse/SLES) writes local4 in /var/log/localmessages and
/var/log/messages!!
The best way here to write the messages into a separate file is:
# part from syslog-ng.conf
filter f_ldap { program(slapd);};
#change original lines:
filter f_local { facility(
ms are running in production, so I can't make any tests. In
our test environment are no problems seen till now.
But there the load (ldap operations) is very low ..
The configuration for larger IDL (see first posting) we have been running
for 2.5 years without problems with mostly the
same size of the
Hello dear list,
can anyone help me?
Kindly regards and thanks
Meike
2012/6/1 Meike Stone :
> Hello,
>
> after inserting (ADD) one object, I get the following messages in the
> logfile and slapd hangs:
>
> Jun 1 09:02:24 ldap-01 slapd[8836]: conn=633789 op=1 ADD
>
Hello,
after inserting (ADD) one object, I get the following messages in the
logfile and slapd hangs:
Jun 1 09:02:24 ldap-01 slapd[8836]: conn=633789 op=1 ADD
dn="cn=3,cn=2,cn=node,cn=1,cn=BBB,cn=AAA,cn=companies,ou=root"
Jun 1 09:02:24 ldap-01 slapd[8836]: => bdb_idl_insert_key: c_get
failed:
Howard,
thanks for answering so fast!
>
>> After a search, each returned ID from bdb is located in one slot in
>> the IDL list. On an x86_64 system, each slot is 8 bytes. Each search
>> stack in each thread (threads in slapd.conf) gets its own IDL slots.
>> The default value for the threads are 1
Hello,
how does the memory usage increase if I increase the BDB_IDL_LOGN?
I tried to discover and understand this by searching in the mailing
list (Is there is a good guide to understand all of this?).
After a search, each returned ID from bdb is located in one slot in
the IDL list. On an x86_
Thanks for *both* pieces of advice, that helped me a lot!
Kind regards
Meike
2012/5/4 Michael Ströder :
> Hallvard Breien Furuseth wrote:
>> On Fri, 4 May 2012 14:13:38 +0200, Meike Stone wrote:
>>> attributetype (1.3.6.1.4
>>> NAME ('InsertTime')
Hello,
I have in my own schema an attribute defined:
attributetype (1.3.6.1.4
NAME ('InsertTime')
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
)
Now I can use this and search, but it takes very long.
Hello, thanks for answer!
Is delta-syncrepl a solid option to configure in a circular
replication or should I configure better full syncrepl?
Does delta-syncrepl need more CPU and RAM?
thanks Meike!
> If you've got 5 hosts, Each host should connect to 3 other hosts for a mesh
> network wherein any node can fail and the others remain online without
> requiring every host be connected to every other host.
Ok, but what is a/the recommended replication setup?
It depends on the requirements if ava
Hello,
I have 5 different locations and want to use MMR. I could configure the
replication in a chain,
but if one *in* the chain fails, the complete replication fails. So is
it a good idea to configure/organize
the replication circularly? If one of the "replication member" fails,
the replication betwe
2011/11/10 Adam Wale :
> For anyone that was interested in the fix for this, moving to shared memory
> resolved the issue.
Hello Adam,
we had the same problem and could solve it the same way. Sorry, I
haven't seen this thread..
Have you tried to mount your partition where the data directory
> I use HAProxy to do load balancing and fail over for the LDAP service.
> And to manage the read/write problem, I put LDAP proxies that catch
> referrals and send them to the master(s).
>
Hello Clément,
I see, HAProxy is a TCP/HTTP load balancer. You put in front of them an
LDAP-Proxy to divide wr
2011/11/9 pradyumna dash :
> We are running mirror mode replication with Openldap with loadbalancer.
Which loadbalancer do you use? You don't separate write/modify from searches?
All LDAP traffic is "balanced" between the two servers?
kindly regards
Meike
Hello,
does anyone use a loadbalancer in their OpenLDAP setup?
I have two locations (data centers). In each location I want to install an
OpenLDAP server which replicates with the other (MM N-Way).
Then I want to install a few (depending on the load) OpenLDAP ro replicas
(replicating from the local OpenLDAP).
- I
Hello,
I have a second question. I read in the list, that OpenLDAP 2.4.27
will support delta-syncrepl based N-way MMR/Mirror mode replication
setups. That would solve my problem with a small WAN line and the MM
replication between my two LDAP-Servers.
1) Is it reliable enough, to configure this i
>>
>> I was thinking we should hold it off until OpenLDAP 2.5. But it actually is
>> working perfectly fine already; we may include it in 2.4 as an Experimental
>> feature.
>
> I'm testing back-mdb in a local environment. No problems so far. I think it
> could be added in 2.4.27 announcing it for p
Hello Howard,
Thanks for the helpful information!
All about the back-mdb sounds so good! Will the new back-mdb be included
in the next release?
Is it recommended to use this backend in production environment?
Thanks for hard work on the great OpenLDAP!
Meike
2011/11/1 Howard Chu :
> Meike St
Hello,
Some time ago, we installed a Linux guest with an OpenLDAP server (db size approx.
650 MByte / ) in an ESXi environment.
Maybe because of a read/write ratio of 100:1, the hard disks were heavily
used by writing the bdb backend's memory-mapped files.
The CPU in that Linux system had iowait (top) between 80% and
y can not handle more than one referral in
the referral object?
Thanks Meike
2011/8/9 Meike Stone :
> Hello,
>
> sorry for asking again.
>
> If I use the chaining overlay (slapo-chain), and I put more than one
> referral in the referral object, how does the overlay behave and can
Hello,
sorry for asking again.
If I use the chaining overlay (slapo-chain), and I put more than one
referral in the referral object, how does the overlay behave and can I
configure this?
Background is, that I want put two referrals to two LDAP-Servers
(multi master) and if one of them is missing,