Showing posts from May, 2008

Ubuntu Hardy and OpenLDAP 2.4

By the looks of it, Ubuntu took a giant leap of faith with OpenLDAP in Hardy Heron! They upgraded from using a reasonably stable OpenLDAP 2.3.35 in Gutsy to 2.4.7 with lots of replication problems in Hardy. Why did they do it?! According to OpenLDAP.org the 2.3 branch is the stable release branch and 2.4 is the general release branch. OpenLDAP 2.4 currently seems to be plagued by replication stability issues. Surely it makes sense to run the stable branch?! Last night I made the mistake of upgrading our syncrepl master LDAP server from Gutsy to Hardy and now it segfaults regularly. The slave has been running Hardy for some time now without any problems, so I mistakenly thought it was safe. I first thought the problems were Berkeley DB back-end data corruption issues - of which we have had many in the past - but repairing the databases, and even completely rebuilding them from LDIF backup has made no significant difference to the (in)stability. The question now is: Do I upgrade to 2.4.9 (fro

exiqsumm: Getting to know your (Exim) mail queues

Running exiqsumm a few times a day via cron is an excellent way to get a sense of what is normal for your mail queues and will help you pick up all sorts of problems. For example:

Lots of mail waiting to be delivered to your local domain may indicate a local delivery problem like a broken local delivery agent (perhaps you just did a quick distribution update / upgrade and something important broke?), that your mail volume has filled up, or that some important, high-volume user has filled up his mailbox and now his mail is just sitting on the queue.

Lots of mail waiting to be delivered to domain example.com? Perhaps example.com's mail server is down, or a network problem has made them unreachable?

Lots of mail waiting to go out to lots of different, perhaps suspiciously named, domains could indicate that your mail server is being used to relay spam.

Here's how you use it:

/usr/local/sbin/exim -bp | /usr/local/sbin/exiqsumm

Exiqsumm will give you a nice tabular summary of what is sitting

Some nice advanced topic OpenLDAP articles

I'm always on the lookout for information on advanced OpenLDAP topics, something I've found to be in short supply on the internet. By advanced I mean documentation, tutorials and howtos that go beyond just setting up a simple standalone directory or an address book and get into doing things with all of the fancy backends and overlays available in OpenLDAP these days. I recently came across the Symas forums which have a few nice articles on advanced OpenLDAP topics: Password policies (Managing Password Policies in the Directory) which describes how to add password policies such as expiry, aging, minimum length, history, etc., which are features considered standard in Novell eDirectory and Microsoft Active Directory accounts but are lacking in the basic OpenLDAP authentication directory configuration. Unfortunately, it falls short of giving any information on whether clients such as nss_ldap and pam_ldap support this, so I will need to test this in a lab sometime. The Tra

A new blog is born

I've decided to start a new blog. I know, my family blog has been languishing badly but I've needed a place to post the details of my more technical exploits for a while now - even if only so I can refer back to the details again later - and that blog just hasn't seemed like the right place. I've needed a new place and this is it. Let's see how this new blog works out.