Server :: Controlling Memory/number Of Processes For LDAP Users?
Jun 29, 2009
I know of /etc/security/limits.conf and that can be used to limit all sorts of good things, but I haven't found anything that talks about using this when the users come from LDAP. Would I be able to do something like
@"Domain Users" soft nproc 25
@"Domain Users" hard nproc 40
where Domain Users is the group all users belong to in our system.
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well.I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
Code:
AuthType Basic AuthBasicProvider ldap anon Order allow,deny Allow from all
This part by itself works for the LDAP authentication:
Anonymous guest Anonymous_VerifyEmail Off Anonymous_MustGiveEmail Off Anonymous_LogEmail on Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
In the past I found some great help on this forum, so here goes. Bare with me because it's a long story. I'll try to be as complete as possible. I've installed and configured OpenLdap on a virtual machine with ip 192.168.39.134. I've added 2 users via LAM. In the ou WikiUsers and the domain is wiki.local.
I've then created another host with ip 192.168.39.133 with mediawiki installed on it. Then I added the extension LDAPAuthenthication. In the LdapAuthentication file I added this code (only the last paragraph is mine, I added the others to show it's location in the script):
I know I'm close because I can't register any new users or accounts on the mediawiki site. Although I could before I added the LDAP service. This is indeed all just to test and get to know how LDAP works. That's why it's all virtual in VMWare. I did not really configure anything on the LDAP, i just installed it and chose a domain (wiki.local).
That would seem like an elementary feature to be able to enable only a few system applications access to the Internet. That would prevent trojans to download your HD for examples. I looked around and played with iptables but I couldn't not find anything that do the job. I loaded the xt_owner kernel for iptables but the --cmd-owner command is lacking. That was my holy grail but could not get --cmd-owner to work. iptables -I OUTPUT -m owner --cmd-owner "firefox" -j LOG --log-prefix "Testing " How can I protect my machine against the enemy within.
I'm running several SHOUTcast server instances and a WowzaMediaServer instance on a CentOS machine. I'm experiencing a memory leak problem, but I can't figure out which processes are eating memory.
TOP command reports as follows:
[Code]...
Something misterious to me (I'm still a Linux newbie) is that TOP reports a total of 7.5GB used ram but very small percentage for single process (0-1%). Memory consumption starts at 1GB/8GB after reboot and in three days running gradually increases up to 8GB. I'm practising with Linux, but I still miss a lot to understand what's happening on my system. For instance, are there linux kernel logs saved somewhere that I can look at?
I try to write a script which would kill processes of users who are not logged in. My approach is to find out what users are logged in and then kill processes of all nonsystem users who fail the test of being logged. I use `w` for finding all logged in users, but apparently there are users on the list which `w` gives me who own absolutely no process in the output of `ps aux`. How do I log off those users, since killing their processes wont work (since they own no processes)?
how to add users to groups with ldap? Further, could someone point me towards some good command-line management tools? Creating each dn manually is going to get old real fast...
I have configured ldap on Debian5 and samba on another machine, all servers are running ok, but when i try to add users, it gives me an errror that "unknown user"
"Merging" may not be quite the right word but that is the desired end result.
Scenario: many Solaris 10 servers, each with various local users. We want to set up LDAP for all for all of them. LDAP server is set up, procedure for getting other servers to use it for user authentication is documented and tested. The question is how to handle users that are in LDAP who also exist as a local user on a given machine.
It appears that the usernames on both sides follow a convention and therefore match but obviously the userids will not match. Local user joe has userid 1234, LDAP user joe has userid 56789.
The way I see it we'll have to:
1. move local user joe's home directory to the path that LDAP user joe will want
2. change local user joe's userid to that of LDAP user joe
3. change joe's files' owner to his new userid
4. remove local user joe
5. finally configure LDAP
Is this a rational procedure? Is there a more effective method? I'm not looking forward to this as there are many servers and each of them have a different set of local users, each with different userids which will have to be handled manually and individually therefore not even scriptable much.
I did useradd -g users ldaptest and tried logging in remotely but the client always says no such user. what do I have to do to update the users that LDAP sees?
I currently have an LDAP database on my Suse 10.2 server for managing authentication and controlling emails for my Cyrus email server. I use this setup to provide email functionality to my web and email hosting clients, as well as DNS functionality, and it uses the default LDAP database that was setup when OpenLDAP was initially configured. Email support is working wonderfully, I might add. I also tested and verified the use of an email lookup directory in two different email clients (Outlook and Evolution) so that I can tell one of my clients how to lookup the email address of users who are setup in the LDAP server, and it works beautifully.
However, I'd also like to be able to allow my clients to build a shared contact database that can also be used in their email clients so that they can share them among all of their users. Ideally, I would need to be able to allow each client to have their own database of shared contacts, and I assume this would be done by creating a new LDAP database for each client company (i.e. group of users) that can contain the list of shared contacts for any of that client's users. When they configure their email client directory settings, they would enter the base path to their database in order to retrieve their shared contact database entries.
In my web searches, I've found plenty of CRM solutions on the web that claim to provide this type of functionality, but I believe that OpenLDAP contains everything I need to make this work without adding another layer of software to the server solution. (I subscribe to the "Keep it Simple, Stupid!" approach whenever possible.) Essentially, I need to have People entries in a client's LDAP database that are NOT email users on the system. The fields in the standard people schema are all the fields they would need - as long as I can figure out how best to add these non-user entries in the LDAP database. Are there any potential difficulties in creating additional LDAP databases expressly for this purpose?
Are there any tricks to adding contact entries into a client's LDAP database without them also being current email users on the server, so that those entries can be retrieved through an Email Client directory lookup? I will also want to provide an easy method for my client users to add new entries to their LDAP contact database, most likely through a web interface for them that could then issue LDAP commands on the server based on the input fields for the new contact. (I don't believe this is possible from within the email client itself.) Is there any reason this could not be done with the proper configuration? What should I be aware of as I setup this contact management web interface? Is there a better way for non-technical client users to manage this list of shared contacts?
I installed and configured LDAP server and client on RHEL5 successfully. Problem is that when I add more than one user on server and clients, It shows error 'invalid user'.When I run the command:-#chown -R user:users /home/user, It shows error 'invalid user'. by step for adding and modifying more users in ldap servers.
How to disable the LDAP Users automatically with the specified time duration. For this any configuration file required or else a script need to be written.
I have a setup of squid3 with ntlm authen and I use squidGuard 1.5 to filter my web traffic. My squid3 is authenticating users properly and parsing all rules. The problem is with squidguard which doesn't seem to filter out users. below is my squidguard config.
I've compiled openssh-5.4p1 on RHEL 4.8 with Openssl 0.9.8m + pam It works perfect without pam (pam-0.77-66), both with password and public key auth. Whith pam enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: system users: I can do ssh with both password and public key LDAP users: public key works for remote users, still I cannot do ssh with just password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP ) blocks ssh even with system users.
In researching current ldap issue (not being able to do anything but log in) it seems that there are no concepts of privileges, roles, etc. that could be assigned to a user in LDAP.
I've only seen fields that deal with name, organization, etc., not with application-specific access control.
I have to assign certain access privileges to users authenticated via LDAP server based on the privilege level mentoned in the LDAP server. How to attain this.
So, I have mail server ( posfix ) and ldap server, they works fine. I can add/delete users from posfix, and they can send / receive mails to/from any address. At same time my ldap server works fine, I have also users in it, my "simple" question would be...if I have user "test1" in ldap, what I have to do to connect--enable that user to send mails ?
I found from command 'top' that 8GB memory are used. However, using command 'ps' with some options to grep the running processes and then summing up the memory used by the running processes are less than 2 GB. Where has the used memory gone ?
I`am just trying to connect Samba with ldap to make it simpler for the users to log in. We have already attached squid, so by that we thought it would be easy to do the same with samba. I think we did something wrong with the ldap config for the os with is btw:
Quote: SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 1 We added Quote: ldap admin dn = cn=xxx,o=xxx
I am trying to deploy Kerberos and LDAP so users will be able to login in to a server on the edge of the LAN, and afterwards be able to establish a SSH connection to all the computers in that LAN without the need to type any passwords, and without the need for me to manage SSH keys [beside the SSH keys on the login server] and local user accounts.
1. When i create the users in OpenLDAP i use a template that i created by reading documentation from the Internet. In the template one piece of information that is neede is the UID. Is there any clever way the keep track of the numbers so i do not assign the same UID to two users, besides using a pen and paper?
2. For the users to be able to establish SSH connections between the computers, the host is going to be added to the keytab like this: ktadd host/client.example.com Is is possible to replace client with something genric so i do not need to mange these keytab files between the hosts?
3. Users will be logging on the the server on the edge of LAN by using SSH keys. How can i configure the setup so the users will recieve a ticket automatically when the logon without executing kinit and without entering a password, just by having a valid SSH key?
4. krb5kdc is running on all the network interfaces in the server i want it to only run on eth1, how can this be done?
I am looking for ideas for getting windows users into an ldap server. I am currently running a Linux server for my department and need to create an LDAP server which mirrors the username/password information for all of us as they are stored in the windows server here. I have the openldap server up and running on Ubuntu 8.04 and it works great; I now need to find some way to import user info into this from windows. I've seen discussions of using ldifde.exe to export the AD users into an ldif file. Is this the simplest way to go about it?
Our Linux server is currently providing us with much needed services using apache, and apache is authenticating using LDAP to our windows server (Using our windows username / password is required functionality). This windows server has some problem which causes it to delay for inordinate amounts of time between authentication requests and responses. The situation is such that this problem will not be addressed by IT staff. However, I have control over the Linux server so I am looking to just mirror the windows server on an LDAP server of my own. I could get away with updating the passwords in the Linux server.
Just installed openldap server on a VM CentOS called 'ldapsrv', it works fine, ldapsearch returns all ldap information.
Installed openldap client on another VM CentOS called 'ldapclient1', configured it with most basic configuration, no ssl/tls etc. but ldapsearch returns error:
I would like to do the following: Create a banner for any user logging in through ssh which warns him/her about the number of processors being used already by other users (or conversely the number of free processors). For example, if a user logged in he would then see a message like: Warning! 7 out of 8 processors are in use.I already figured out how to do a banner and with ps -e -o pcpu I can get all processes' %CPU usage. I think I would like to count the number of processes which have more than 90% CPU usage and output this number ("7" in the example) in the banner
Optimum number of processes for procesor In Linux based os are there a optimum number of process for a processor that gives 'maximum performance' for system(or process range depend on cpu speed,cache etc...)? By 'maximum performance' I mean better performance?
we have a weird problem with our opensuse 11.2 server installation.
We want to set up a LDAP Server using the Yast-LDAP Server configuriation tool.
This indeed already worked weeks ago until....this week. Maybe some updates??!
I do not know what happend exactly. The server just does not want to start again and throws following error:
Starting ldap-serverstartproc: exit status of parent of /usr/lib/openldap/slapd: 1 failed
This happend after a little check of the configuration, but without a change, with Yast. Google delivered only "reinstall your box"-answers.
So.. i did that. And now the "mystical" part: The SAME ERROR occurs with a fresh vanilla system with a brand new and simple configuration (certificats, database, pw...the first Yast config dialog...). I did not change the way i set it up.
I remember, when i did this the first time with 11.2 on that machine, when no problems occured...everything was running out of the box (except the "use commen server certificate" option...).
I'm in the process of writing a program that is a server- it will accept connections and stuff, and spawn a child process for each. However, i've run into a small problem. I do NOT want to bother with keeping track of the processes unless i need to. So, i set SA_NOCLDWAIT (#ifdef) on a SIG_IGN to the SIGCHLD handler through sigaction interface. The standard says that it the kernel will then keep track of reaping zombie processes for me (a HUGE plus). However, upon receiving a SIGINT signal, i want to stop the server from accepting new connections (done), and then wait for there to be no new connections. I was thinking of just putting a loop like so:
However, I'm not *sure* that this will work, especially with SIGCHLD still ignored. So how can i tell if there are still child processes? I can't find any call like int getnumchld(pid_t proc); (i wish). Plus it would be inefficient to spin on that function anyway. OTOH, i would rather *NOT* have to do the same thing in a loop with a system("ps |...>file"); read(file); etc. either. Is there a way i can portably implement this feature (I was hoping i could run it on linux and the major BSDs, at least).
TO SUM IT UP:
How can i tell if a process has no child processes if i've SIG_IGN'd SA_NOCLDWAIT'd the SIGCHLD? Is there a _reasonably_ portable way to do so? I *don't* want to manually wait for EVERY process. Maybe only those still active at the time of SIGTERM, but that requires keeping track of the number of connections and whether those have terminated...
EDIT: Does anyone know if the above code *would* work, even with SIGCHLD ignored and the kernel cleaning up zombies *for* me? I checked the manpage and it doesn't say much.
EDIT1: Note that all of the processes are in the same process group and session. SO i can find them through this as well. Perhaps even setting the uid/gid and finding all processes run by that group?
EDIT2: i have an idea if the above isn't feasible. If there is no "elegant" way to do it, i could reduce the complexity by sending a SIGUSR1 to the whole process group. Each process would then set a flag telling it to send a SIGUSR1 in reply and send a SIGUSR2 when it is done executing. Then i could keep a count of signals. Maybe that would be *easier*. Or perhaps a count of all child processes and just a termination signal to decrement the counter.
I'm trying to get the end result to have the same format as this as well:
1 bin 2 daemon 67 erozner
[code]....
Where the numbers are the number of processes being run by the user (the name right next to it).if I input the command egrep myFile into the terminal, it should look for every line with the letter x in myFile, right?
The following code is for monitoring the memory used by apache processes. But I got a problem that the data I got by this script is much larger than the physical memory. It was said that there are some libraries used simultaneously by many processes, so the data I got has some double counted part. Because apache has many httpd processes.
Anyone have an idea of getting the multi-processes memory used?
I recently built a new server, running 64 bit Slackware 13.0 with the following specs:
MSI 785GTM-E45 AMD Phenom II X2 550 2GB DDR2 Onboard video from AMD 785G chipset 2x 80GB IDE system drives using software RAID with 2GB swap partition
I only include these because I'm not convinced my problem is not hardware related at some level. Basically, when I first start up the system, the memory usage is anywhere from 60 to 200MB. Then it starts to gradually climb until there is only 12-15MB free. This can take anywhere from a few hours to a few days.
The only thing I really use this for is to serve Samba shares and the occasional SSH login. I've set up Samba shares to be accessed by my Windows machines as well as a Mac. Initially I just explored the network if I wanted to see the share from these machines, but that was too slow and unreliable (the server would not always show up in Windows), so now I automatically mount the share as a network drive at startup (from Windows). So I don't know if this would have anything to do with the steadily increasing memory usage. These systems are not on/connected all the time, but the memory usage seems to rise anyway.
When I run top, it reports that nearly all of the physical memory has been consumed (after a while of uptime), but none of the swap space has even been touched. This is a typical output of the first several lines, sorted by swap size:
I can't be sure, but I believe the message just repeated itself before this part. MS-7549 is one of the components of the mainboard (MSI), maybe the northbridge or something (it seems to be associated with more than one model), so I thought for sure this meant a hardware problem, maybe with the storage controller or memory. But Memtest86 passes for more than a day without any errors, and I loaded Windows on one of the disks and ran it as hard as I could with prime95 and nothing so much as flinched. So I've got to think this is some kind of issue with linux and/or how it is handling my hardware configuration.