openldap configuration


Francesco Varano-2
Dear all,
 I'm having some trouble configuring LDAP ACLs with the OpenLDAP server.

 I installed nuface and configured everything following the docs, but
I'm having some problems with LDAP indexes.

 If I do not use indexes, I find plenty of these messages
in /var/log/syslog:

slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstIPStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstIPEnd) not indexed
slapd[2418]: <= bdb_equality_candidates: (Proto) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstPortStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstPortEnd) not indexed
slapd[2418]: <= bdb_equality_candidates: (InDev) not indexed
slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstIPStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstIPEnd) not indexed
slapd[2418]: <= bdb_equality_candidates: (Proto) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstPortStart) not indexed
slapd[2418]: <= bdb_inequality_candidates: (DstPortEnd) not indexed
slapd[2418]: <= bdb_equality_candidates: (InDev) not indexed

Otherwise, if I define indexes in /etc/ldap/slapd.conf as suggested:

index OsName,OsRelease,OsVersion,AppSig,AppName pres,eq
index SrcIPStart,SrcIPEnd,DstIPStart,DstIPEnd pres,eq
index Proto,SrcPortStart,SrcPortEnd,DstPortStart,DstPortEnd pres,eq
index SrcPort,DstPort pres,eq

then ACLs defined with nuface will not match.

Where am I wrong?

Thank you in advance for your help,
Best regards,
Francesco




_______________________________________________
Nufw-users mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/nufw-users
Re: openldap configuration

Pierre Chifflier-2
On Wed, Feb 11, 2009 at 11:38:43AM +0100, Francesco Varano wrote:
> Dear all,
>  I'm having some trouble configuring LDAP ACLs with the OpenLDAP server.
>
>  I installed nuface and configured everything following the docs, but
> I'm having some problems with LDAP indexes.

Hi,

It seems you are running slapd in full debug mode (-1), which is not a good
idea for performance. I'll assume this is for debugging only - if not, you
should reduce the debug level.


>
>  If I do not use indexes, I find plenty of these messages
> in /var/log/syslog:
>
> slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
> slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed

Fields are not indexed. Indexes are optional, though they may increase
performance (and require more disk, of course). You are seeing this only
because of the debug level. These warnings are harmless, unless you
experience problems with performance.

>
> Otherwise, if I define indexes in /etc/ldap/slapd.conf as suggested:
>
> index OsName,OsRelease,OsVersion,AppSig,AppName pres,eq
> index SrcIPStart,SrcIPEnd,DstIPStart,DstIPEnd pres,eq
> index Proto,SrcPortStart,SrcPortEnd,DstPortStart,DstPortEnd pres,eq
> index SrcPort,DstPort pres,eq
>
> then ACLs defined with nuface will not match.

This is not normal. How did you add the indexes? Remember that after
adding lines in slapd.conf, you must run the "slapindex" command, while
the server is stopped (this is important: without this command, entries
will not be accessible, and if you index while the server is running,
you will corrupt data and/or indexes).

HTH,
Pierre
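As an added example (not from the thread, nuface or OpenLDAP), the Python below parses constructed syslog lines of the kind quoted above, counts which attributes slapd is searching without an index and how (equality vs. inequality filter), and reports the ones a given slapd.conf does not yet cover as "index ... pres,eq" lines in the form the thread uses. The sample log and config are constructed; as the answer above notes, any index line actually added still requires slapindex with slapd stopped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few syslog lines like those quoted in the thread, plus one unrelated line.
SAMPLE_SYSLOG = """\
Feb 11 11:30:01 fw slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
Feb 11 11:30:01 fw slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed
Feb 11 11:30:01 fw slapd[2418]: <= bdb_equality_candidates: (Proto) not indexed
Feb 11 11:30:01 fw slapd[2418]: <= bdb_equality_candidates: (InDev) not indexed
Feb 11 11:30:02 fw slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
Feb 11 11:30:02 fw slapd[2418]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=2
"""

# Constructed sample: two of the index directives quoted in the thread (InDev deliberately absent).
SAMPLE_SLAPD_CONF = """\
index SrcIPStart,SrcIPEnd,DstIPStart,DstIPEnd pres,eq
index Proto,SrcPortStart,SrcPortEnd,DstPortStart,DstPortEnd pres,eq
"""

# Matches the back-bdb candidate warnings; 'kind' tells us which filter type hit the attribute.
NOT_INDEXED_RE = re.compile(
    r"slapd\[\d+\]: <= bdb_(?P<kind>equality|inequality)_candidates: "
    r"\((?P<attr>[A-Za-z0-9;-]+)\) not indexed")
# Matches 'index <attr,attr,...> <types>' directives in slapd.conf.
INDEX_DIRECTIVE_RE = re.compile(r"^\s*index\s+(?P<attrs>\S+)\s+(?P<types>\S+)", re.M)


def parse_not_indexed(log_text):
    """Map attribute -> Counter of filter kinds that searched it without an index."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = NOT_INDEXED_RE.search(line)
        if m:
            hits[m.group("attr")][m.group("kind")] += 1
    return hits


def indexed_attributes(conf_text):
    """Attributes that already have an 'index' directive in the given slapd.conf text."""
    indexed = set()
    for m in INDEX_DIRECTIVE_RE.finditer(conf_text):
        indexed.update(a for a in m.group("attrs").split(",") if a)
    return indexed


def missing_index_lines(log_text, conf_text, per_line=5):
    """slapd.conf 'index ... pres,eq' lines for attributes the log shows being searched
    unindexed and the config does not cover. Applying them needs slapindex, server stopped."""
    missing = sorted(set(parse_not_indexed(log_text)) - indexed_attributes(conf_text))
    return ["index " + ",".join(missing[i:i + per_line]) + " pres,eq"
            for i in range(0, len(missing), per_line)]
```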


Re: openldap configuration

Francesco Varano-2
Thank you very much for your help!
Just one more question: must I run "slapindex" just once, or every time I
add an ACL?

thank you again,
Francesco

On Wed, 2009-02-11 at 20:48 +0100, Pierre Chifflier wrote:

> On Wed, Feb 11, 2009 at 11:38:43AM +0100, Francesco Varano wrote:
> > Dear all,
> >  I'm having some trouble configuring LDAP ACLs with the OpenLDAP server.
> >
> >  I installed nuface and configured everything following the docs, but
> > I'm having some problems with LDAP indexes.
>
> Hi,
>
> It seems you are running slapd in full debug mode (-1), which is not a good
> idea for performance. I'll assume this is for debugging only - if not, you
> should reduce the debug level.
>
>
> >
> >  If I do not use indexes, I find plenty of these messages
> > in /var/log/syslog:
> >
> > slapd[2418]: <= bdb_inequality_candidates: (SrcIPStart) not indexed
> > slapd[2418]: <= bdb_inequality_candidates: (SrcIPEnd) not indexed
>
> Fields are not indexed. Indexes are optional, though they may increase
> performance (and require more disk, of course). You are seeing this only
> because of the debug level. These warnings are harmless, unless you
> experience problems with performance.
>
> >
> > Otherwise, if I define indexes in /etc/ldap/slapd.conf as suggested:
> >
> > index OsName,OsRelease,OsVersion,AppSig,AppName pres,eq
> > index SrcIPStart,SrcIPEnd,DstIPStart,DstIPEnd pres,eq
> > index Proto,SrcPortStart,SrcPortEnd,DstPortStart,DstPortEnd pres,eq
> > index SrcPort,DstPort pres,eq
> >
> > then ACLs defined with nuface will not match.
>
> This is not normal. How did you add the indexes? Remember that after
> adding lines in slapd.conf, you must run the "slapindex" command, while
> the server is stopped (this is important: without this command, entries
> will not be accessible, and if you index while the server is running,
> you will corrupt data and/or indexes).
>
> HTH,
> Pierre



Re: openldap configuration

Pierre Chifflier-2
On Thu, Feb 12, 2009 at 09:58:22AM +0100, Francesco Varano wrote:
> Thank you very much for your help!
> Just one more question: must I run "slapindex" just once, or every time I
> add an ACL?

No, the slapindex command is required only when you modify slapd.conf to
add an index.

Pierre

