Category Archives: OpenLDAP

Linux #17 : OpenLDAP Installation Guide

OpenLDAP implements the Lightweight Directory Access Protocol and serves as an authentication management system on Linux, much like Active Directory on Windows. With it, accounts can be managed centrally, separately from Unix-based authentication.

OpenLDAP official page :

As of March 2011, the stable version available for download is 2.4.23. To install OpenLDAP, the applications listed below must be installed in addition.
Since I installed from source, the RPM-based installation method is not described here.

The sources needed before installing OpenLDAP are Berkeley DB, the Crypt library, the GnuTLS library and OpenSSL. The current versions may each differ, and the versions already installed on the system can also be used as they are.

Install Berkeley DB
Berkeley DB (Oracle) :

Installed Version : db-4.6.21
# cd build_unix/
# ../dist/configure --prefix=/usr
# make;make install

Install CRYPT Library
libcrypt :

Installed Version : libcrypt-1.4.4
# ./configure
# make;make install

Install GNUTLS
gnutls :

Installed Version : gnutls-2.6.3
# ./configure
# make; make install

Install openssl
openssl :

Installed Version : openssl-0.9.8.h
# ./configure --prefix=/usr shared
# make;make install

Install openLDAP Server

Installed Version : openldap-2.4.19
# ./configure --prefix=/usr/local/openldap --sysconfdir=/etc --localstatedir=/var --without-kerberos --without-cyrus-sasl --with-tls=openssl --enable-syslog --disable-ipv6 --enable-lastmod --enable-crypt --enable-ppolicy --enable-syncrepl
# make depend;make
# make install

I also tried installing the current stable version, 2.4.23, and confirmed that it installs without problems.
After installation, create a group and user account for OpenLDAP and carry out the related tasks.

# /usr/sbin/groupadd -g 55 ldap
# /usr/sbin/useradd -u 55 -g 55 -d /usr/local/openldap -M -s /bin/false -c "openLDAP User" ldap
# mkdir /var/run/openldap;chown ldap:ldap /var/run/openldap
# mkdir /var/log/ldap;chown ldap:ldap /var/log/ldap
# mv /var/openldap-data /var/lib/ldap
# mkdir /var/lib/ldap/[Domain Name]
# cp /var/lib/ldap/DB_CONFIG.example /var/lib/ldap/[Domain Name]/DB_CONFIG
# chown -R ldap:ldap /var/lib/ldap
# chown -R ldap:ldap /etc/openldap

The OpenLDAP server is now installed. The next article is Linux #18 : OpenLDAP Configuration Guide; I will post it soon.


Linux #10 : LDAP server is down, and then we can't access any server that uses LDAP authentication.

We are using NSS_LDAP as the LDAP client; NSS_LDAP is controlled by /etc/ldap.conf.
NSS_LDAP has a reconnect policy, and the default policy is hard_open (alias hard).

This means:

# Reconnect policy:
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure
#bind_policy hard

In hard_open mode the client keeps reconnecting, again and again, while the LDAP server is down or unreachable.
Because the result looks the same as a hung server, we cannot access it, or it takes a long time to log in.
This affects LDAP accounts and the root account as well.

In soft mode the client returns immediately on server failure.
If the LDAP server is down, the message "Permission denied, please try again." is returned immediately,
and we can log in with the root account right away while LDAP is down.

Linux #9 : could not search LDAP server – Server is unavailable

nss_ldap: could not search LDAP server - Server is unavailable

You may see this message when the LDAP server is down or performing badly.
If the LDAP server is down, the only way to solve this issue is to restart LDAP.
If it is caused by bad performance, however, you should check the number of connections to LDAP.

Local accounts (in base authentication) also look up their account information from the LDAP server when the server's nsswitch is configured for LDAP and the account runs any process, task or job.

Sometimes this is caused by an increasing number of sessions and the decreasing performance of the LDAP system.

You can keep those accounts from contacting LDAP while they run their processes, tasks or jobs.

You can remove a lot of sessions opened by local accounts by adding the option below.

nss_initgroups_ignoreusers : This option directs the nss_ldap implementation of initgroups(3)
to return NSS_STATUS_NOTFOUND if called with a listed user as its argument.

$ more /etc/ldap.conf
... add the line below
nss_initgroups_ignoreusers root,nagios,nrpe,www,rancid,oracle,mysql,ntp,postfix,daemon,named
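As an added example (not code from the original post), the following Python helper checks an nss_ldap /etc/ldap.conf for both points made above: the bind_policy actually in effect (the default is hard, an alias of hard_open, when the line is commented out) and which local system accounts are still missing from nss_initgroups_ignoreusers. The ldap.conf and passwd contents it uses are constructed samples, and the 999 system-UID boundary is an assumption.

```python
# Added example (not from the original post): audit an nss_ldap /etc/ldap.conf
# for the two settings discussed above. nss_ldap defaults bind_policy to hard
# (alias for hard_open) when the key is absent or commented out, and any local
# account not listed in nss_initgroups_ignoreusers still calls LDAP for
# initgroups(3). The sample files below are constructed for this example.

def parse_ldap_conf(text):
    """Return {key: value} for active 'key value' lines; '#...' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # e.g. '#bind_policy hard' is inactive, so the default applies
        parts = line.split(None, 1)  # key, then the rest of the line
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def effective_bind_policy(conf):
    """Resolve the policy nss_ldap will actually use (hard is an alias of hard_open)."""
    policy = conf.get("bind_policy", "hard").lower()
    return "hard_open" if policy == "hard" else policy

def unignored_system_users(conf, passwd_text, max_system_uid=999):
    """System accounts (uid <= max_system_uid, an assumed boundary) missing from the list."""
    listed = conf.get("nss_initgroups_ignoreusers", "")
    ignored = {u.strip() for u in listed.split(",") if u.strip()}
    missing = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) <= max_system_uid and fields[0] not in ignored:
            missing.append(fields[0])
    return missing

# Constructed sample input: the option is set but the list is incomplete.
SAMPLE_LDAP_CONF = """\
base dc=example,dc=com
#bind_policy hard
nss_initgroups_ignoreusers root,nagios,ntp
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
postfix:x:89:89::/var/spool/postfix:/bin/false
ntp:x:38:38::/etc/ntp:/bin/false
alice:x:1001:1001::/home/alice:/bin/bash
"""
```

Running `unignored_system_users(parse_ldap_conf(SAMPLE_LDAP_CONF), SAMPLE_PASSWD)` on the sample reports daemon and postfix, the service accounts whose group lookups would still reach the LDAP server.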

Linux #1 : Performance tuning of OpenLDAP #1

1. Tune buffer cache size of Berkeley DB

The buffer cache is a typical tuning point for open source databases such as MySQL (InnoDB storage engine) and PostgreSQL, and for commercial databases as well. Whenever a database works with data, it should avoid disk I/O and keep data in memory so that data persisted in files and indexes can be fetched faster. Tuning this setting is therefore preferred.

Even though the Berkeley DB library is incorporated into the program rather than running as an independent database process, it still keeps frequently used data in a buffer cache as a database does. The buffer cache size is configured in the DB_CONFIG file that sits alongside the Berkeley DB files. When OpenLDAP starts, directory information such as entries and indexes is cached.

There are two ways to tune for the buffer cache size.

a) The buffer cache size necessary to load the database via slapadd in optimal time
b) The buffer cache size necessary to have a high performing running slapd once the data is loaded

For (a), the optimal cache size is the size of the entire database. If you already have the database loaded, this is simply the output of

# cd /usr/local/var/openldap-data
# du -ch *.bdb
68K     cn.bdb
64K     dn2id.bdb
12K     entryCSN.bdb
20K     entryUUID.bdb
12K     gidNumber.bdb
308K    id2entry.bdb
8.0K    loginShell.bdb
28K     memberUid.bdb
28K     objectClass.bdb
8.0K    ou.bdb
8.0K    sn.bdb
40K     uid.bdb
8.0K    uidNumber.bdb
8.0K    uniqueMember.bdb
620K    total

run in the directory containing the OpenLDAP data (default path: /usr/local/var/openldap-data).

For (b), the optimal buffer cache is just the size of the id2entry.bdb file, plus about 10% for growth.

For example,

# cd /usr/local/openldap/var/openldap-data
set_cachesize 0 268435456 1
This provides a 0.25 GB buffer, logically composed of a single cache area.
set_cachesize gbytes bytes ncache
   gbytes : gigabyte part of the cache size
   bytes : byte part of the cache size (added to gbytes)
   ncache : number of cache areas

Re-map the buffer with the new configuration:

# cd /usr/local/openldap/var
# /etc/init.d/slapd stop
# rm -rf __db.*
# /etc/init.d/slapd start
# lsof __db.003
slapd   1405 ldap mem    REG  253,3 335552512 24445661 __db.003
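As an added example (not the post's own code), here is a small Python helper that turns a `du -ch *.bdb` listing into the two `set_cachesize` lines described in (a) and (b) above: the whole database for a `slapadd` load, and `id2entry.bdb` plus 10% for a running slapd. The `du` lines it embeds are a constructed sample, and the 20 KB floor is Berkeley DB's minimum cache size.

```python
# Added example (not from the original post): derive the DB_CONFIG set_cachesize
# line from a 'du -ch *.bdb' listing for both tuning targets:
# (a) whole database for slapadd, (b) id2entry.bdb plus 10% for a running slapd.
# Berkeley DB takes the size as 'set_cachesize gbytes bytes ncache', so sizes of
# 1 GB or more are split; the du output below is a constructed sample.
import re

_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_du(text):
    """Map each .bdb file name to its size in bytes; the 'total' line is skipped."""
    sizes = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\d.]+)([KMG]?)\s+(\S+\.bdb)$", line)
        if m:
            sizes[m.group(3)] = int(float(m.group(1)) * _UNITS.get(m.group(2), 1))
    return sizes

def cache_bytes(sizes, target):
    """target 'slapadd': sum of all files; 'slapd': id2entry.bdb + 10% growth."""
    if target == "slapadd":
        return sum(sizes.values())
    if target == "slapd":
        return int(sizes["id2entry.bdb"] * 1.1)
    raise ValueError(target)

def set_cachesize_line(nbytes, ncache=1, minimum=20 * 1024):
    """Render the DB_CONFIG directive, splitting into the gbytes and bytes fields."""
    nbytes = max(nbytes, minimum)   # Berkeley DB's minimum cache size is 20 KB
    gbytes, rest = divmod(nbytes, 1024 ** 3)
    return f"set_cachesize {gbytes} {rest} {ncache}"

# Constructed sample in du's output format (sizes differ from the post's listing).
SAMPLE_DU = """\
68K     cn.bdb
64K     dn2id.bdb
308K    id2entry.bdb
40K     uid.bdb
480K    total
"""

def recommendations(du_text):
    """Both DB_CONFIG lines for the listing: slapadd load and running slapd."""
    sizes = parse_du(du_text)
    return {t: set_cachesize_line(cache_bytes(sizes, t)) for t in ("slapadd", "slapd")}
```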

2. Tune log buffer size of Berkeley DB

The log buffer is the area where an update request to Berkeley DB is held before it is written to the transaction log file; the write occurs when the update is confirmed (committed) or when the log buffer space becomes full.

For example,

# cd /usr/local/openldap/var/openldap-data
set_lg_bsize 2097152
By default, or if the value is set to 0, a size of 32K is used
set_lg_bsize lg_bsize
   lg_bsize : Set the size of the in-memory log buffer, in bytes.
set_lg_regionmax 262144
By default, or if the value is set to 0, the base region size is 60KB
The log region is used to store filenames, and so may need to be increased in size
if a large number of files will be opened and registered with the specified
Berkeley DB environment's log manager.
set_lg_regionmax size
  size : Set the size of the underlying logging subsystem region, in bytes

Re-map the log buffer with the new configuration:

# cd /usr/local/openldap/var
# /etc/init.d/slapd stop
# rm -rf __db.*
# /etc/init.d/slapd start
# lsof __db.004
slapd   1405 ldap mem    REG  253,3 2359296 24445662 __db.004

Additional information : Log file limits of Berkeley DB (from the Berkeley DB Reference Guide)

Log filenames and sizes impose a limit on how long databases may be used in a Berkeley DB database environment. It is quite unlikely that an application will reach this limit; however, if the limit is reached, the Berkeley DB environment’s databases must be dumped and reloaded.

The log filename consists of log. followed by 10 digits, with a maximum of 2,000,000,000 log files. Consider an application performing 6000 transactions per second for 24 hours a day, logged into 10MB log files, in which each transaction is logging approximately 500 bytes of data. The following calculation:

(10 * 2^20 * 2000000000) / (6000 * 500 * 365 * 60 * 60 * 24) = ~221

indicates that the system will run out of log filenames in roughly 221 years.

There is no way to reset the log filename space in Berkeley DB. If your application is reaching the end of its log filename space, you must do the following:

  1. Archive your databases as if to prepare for catastrophic failure (see db_archive for more information).
  2. Dump and reload all your databases (see db_dump and db_load for more information).
  3. Remove all of the log files from the database environment. Note: This is the only situation in which all the log files are removed from an environment; in all other cases, at least a single log file is retained.
  4. Restart your application.