Archive for 'OpenLDAP'

Debugging OpenLDAP ACLs

OpenLDAP provides a super powerful ACL syntax which allows you to control access to every nook and cranny of your directory server. When I’m testing advanced ACL configurations I have found it incredibly useful to add the “ACL” log option to the loglevel directive: loglevel ACL When this option is set slapd will show you […]

LDAP indexes

LDAP indexes are extremely useful for speeding up directory searches, and come in four flavors (there are actually more than four index types, but the following four are the most common): 1 Approximate indexes Approximate indexes are useful for speeding up seaches that look for attribute values that sound like a specific value. A good […]

Compiling openldap on Solaris hosts

Building OpenLDAP on Solaris hosts that use /opt as their software repository can sometimes be a chore. In case anyone finds this useful, here is the procedure I use: $ LD_LIBRARY_PATH=/opt/openssl/lib:/opt/BerkeleyDB/lib:/usr/sfw/lib:/usr/lib $ export LD_LIBRARY_PATH $ export LDFLAGS=”-L/opt/BerkeleyDB/lib -L/opt/openssl/lib” $ export LDFLAGS $ export CPPFLAGS=”-I/opt/BerkeleyDB/include -I/opt/openssl/include” $ export CPPFLAGS $ configure –prefix=/opt/openldap-2.3.24 –enable-bdb –with-tls –enable –monitor […]

Finding BIND failures in OpenLDAP logfiles

When OpenLDAP is configured to log connection information, a RESULT entry is written with the status (e.g., success or failure) of the last BIND: $ grep RESULT openldap.log | head -1 Dec 28 21:05:01 winnie slapd[7101]: [ID 217296 local4.debug] conn=25 op=0 RESULT tag=97 err=0 text= The “err=” string contains zero if the BIND was successful, […]

Checking for OpenLDAP unindexed searches

I was checking my openldap logfiles today, and noticed that the “cn” attribute wasn’t indexed. I found this by checking for the “index_param” string in my OpenLDAP logfiles: $ grep “index_param failed” /var/log/openldap Dec 25 13:37:19 winnie slapd[730]: [ID 635189 local4.debug] < = bdb_substring_candidates: (cn) index_param failed (18) To fix this problem, I added an […]