264 lines
9.1 KiB
XML
264 lines
9.1 KiB
XML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
||
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
||
|
<appendix>
|
||
|
<title>Troubleshooting</title>
|
||
|
|
||
|
<section>
|
||
|
<title>Reset configuration password</title>
|
||
|
|
||
|
<para>The password for the server profiles can be reset using the master
|
||
|
configuration password. Open LAM configuration -> Edit server
|
||
|
profiles ->Manage server profiles for this.</para>
|
||
|
|
||
|
<para>In case you lost your master configuration password you need to
|
||
|
manually edit the main configuration file (config.cfg) on the file
|
||
|
system.</para>
|
||
|
|
||
|
<orderedlist>
|
||
|
<listitem>
|
||
|
<para>Locate config.cfg: On DEB/RPM installations it is in
|
||
|
/usr/share/ldap-account-manager/config and for tar.bz2 in config
|
||
|
folder.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>Locate the "password" entry in the file</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>Replace the password hash after "password: " with your new
|
||
|
clear-text password (e.g. "secret")</para>
|
||
|
</listitem>
|
||
|
</orderedlist>
|
||
|
|
||
|
<para>After the change the line should look like this:</para>
|
||
|
|
||
|
<literallayout>password: secret</literallayout>
|
||
|
|
||
|
<para>You can now login using your new password. Set the password once
|
||
|
again via GUI in main configuration settings. This will then put again a
|
||
|
hash value in the config.cfg file.</para>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>Functional issues</title>
|
||
|
|
||
|
<para><emphasis role="bold">Size limit</emphasis></para>
|
||
|
|
||
|
<para>You will get a message like "LDAP sizelimit exceeded, not all
|
||
|
entries are shown." when you hit the LDAP search limit.</para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>OpenLDAP: See the <link linkend="size_limit_exceeded">OpenLDAP
|
||
|
settings</link> to fix this.</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>389 server: set nsslapd-sizelimit in cn=config (may also be
|
||
|
set per user)</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>other LDAP servers: please see your server
|
||
|
documentation</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para><emphasis role="bold">Invalid syntax errors:</emphasis></para>
|
||
|
|
||
|
<para>If you get any strange errors like "Invalid syntax" or "Invalid DN
|
||
|
syntax" please check if your LDAP schema matches LAM's
|
||
|
requirements.</para>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para><emphasis role="bold">Schema test:</emphasis></para>
|
||
|
|
||
|
<para>This can be done by running "Tools" -> "Tests" -> "Schema
|
||
|
test" inside LAM.</para>
|
||
|
|
||
|
<para>If there are any object classes or attributes missing you will get
|
||
|
a notice. See <link linkend="a_schema">LDAP schema files</link> for a
|
||
|
list of used schemas. You may also want to deactive unused modules in
|
||
|
your LAM server profile (tab "Modules").</para>
|
||
|
|
||
|
<screenshot>
|
||
|
<mediaobject>
|
||
|
<imageobject>
|
||
|
<imagedata fileref="images/schemaTest.png" />
|
||
|
</imageobject>
|
||
|
</mediaobject>
|
||
|
</screenshot>
|
||
|
|
||
|
<para><literallayout>
|
||
|
</literallayout><emphasis role="bold">LDAP Logging:</emphasis></para>
|
||
|
|
||
|
<para>If your schema is correct you can turn on LDAP logging to get more
|
||
|
detailed error messages from your LDAP server.</para>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para><emphasis role="bold">OpenLDAP logging:</emphasis></para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>slapd.conf: In /etc/ldap/slapd.conf turn logging on with the
|
||
|
line "loglevel 256".</para>
|
||
|
</listitem>
|
||
|
|
||
|
<listitem>
|
||
|
<para>slapd.d: In /etc/ldap/slapd.d/cn=config.ldif please change the
|
||
|
attribute "olcLogLevel" to "Stats". Please add a line "olcLogLevel:
|
||
|
Stats" if the attribute is missing.</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
|
||
|
<para>After changing the configuration please restart OpenLDAP. It
|
||
|
usually uses /var/log/syslog for log output.</para>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para><emphasis role="bold">PHP logging</emphasis></para>
|
||
|
|
||
|
<para>Sometimes it can help to enable PHP logging inside LAM. You can do
|
||
|
this in the <link linkend="conf_logging">logging area</link> of LAM's
|
||
|
main configuration. Set the logging option to "all" and check if there
|
||
|
are any messages printed in your browser window. Please note that not
|
||
|
every notice message is an error but it may help to find the
|
||
|
problem.</para>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>Performance issues</title>
|
||
|
|
||
|
<para>LAM is tested to work with 10000 users with acceptable
|
||
|
performance. If you have a larger directory or slow hardware then here
|
||
|
are some points to increase performance.</para>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para>The first step is to check if performance problems are caused by
|
||
|
the LAM web server or the LDAP server. Please check which machine
|
||
|
suffers from high system load (CPU/memory consumption).</para>
|
||
|
|
||
|
<para>High network latency may also be a problem. For large
|
||
|
installations please make sure that LAM web server and LDAP server are
|
||
|
located in the same building/server room.</para>
|
||
|
|
||
|
<para>If you run LAM on multiple nodes (DNS load balancing/hardware load
|
||
|
balancer) then also check the <link linkend="clustering">clustering
|
||
|
section</link>.</para>
|
||
|
|
||
|
<section>
|
||
|
<title>LDAP server</title>
|
||
|
|
||
|
<para><emphasis role="bold">Use indices</emphasis></para>
|
||
|
|
||
|
<para>Depending on the queries it may help to add some more indices on
|
||
|
the LDAP server. Depending on your LDAP software it may already
|
||
|
suggest indices in its log files. See <link
|
||
|
linkend="indices">here</link> for typical OpenLDAP indices.</para>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para><emphasis role="bold">Reduce query results by splitting LDAP
|
||
|
management into multiple server profiles</emphasis></para>
|
||
|
|
||
|
<para>If you manage a very large directory then it might already be
|
||
|
separated into multiple subtrees (e.g. by country, subsidiary, ...).
|
||
|
Do not use a single LAM server profile to manage your whole directory.
|
||
|
Use different server profiles for each separated LDAP subtree where
|
||
|
possible (e.g. one for German users and one for French ones).</para>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para><emphasis role="bold">Limit query results</emphasis></para>
|
||
|
|
||
|
<para>LAM allows to set an <ulink url="general_settings">LDAP search
|
||
|
limit</ulink> for each server profile. This will limit the number of
|
||
|
entries returned by your LDAP server. Use with caution because it can
|
||
|
cause problems (e.g. with automatic UID generation) when LAM is not
|
||
|
able to read all entries.</para>
|
||
|
|
||
|
<screenshot>
|
||
|
<mediaobject>
|
||
|
<imageobject>
|
||
|
<imagedata fileref="images/configProfiles4.png" />
|
||
|
</imageobject>
|
||
|
</mediaobject>
|
||
|
</screenshot>
|
||
|
</section>
|
||
|
|
||
|
<section>
|
||
|
<title>LAM web server</title>
|
||
|
|
||
|
<para><emphasis role="bold">Install a PHP
|
||
|
accelerator</emphasis></para>
|
||
|
|
||
|
<para>There are tools like <ulink
|
||
|
url="http://www.php.net/manual/en/book.apc.php">APC</ulink>/<ulink
|
||
|
url="http://php.net/manual/en/book.opcache.php">OpCache</ulink> (free)
|
||
|
or <ulink url="http://www.zend.com/en/products/server/">Zend
|
||
|
Server</ulink> (commercial) that provide caching of PHP pages to
|
||
|
improve performance. They will reduce the time for parsing the PHP
|
||
|
pages and IO load.</para>
|
||
|
|
||
|
<para>This is a simply way to enhance performance since APC/OpCache is
|
||
|
part of most Linux distributions.</para>
|
||
|
|
||
|
<para>If you use APC then make sure that it uses enough memory (e.g.
|
||
|
"apc.shm_size=128M"). You can check the memory usage with the file
|
||
|
apc.php that is shipped with APC.</para>
|
||
|
|
||
|
<screenshot>
|
||
|
<mediaobject>
|
||
|
<imageobject>
|
||
|
<imagedata fileref="images/apc.png" />
|
||
|
</imageobject>
|
||
|
</mediaobject>
|
||
|
</screenshot>
|
||
|
|
||
|
<literallayout>
|
||
|
</literallayout>
|
||
|
|
||
|
<para>OpCache statistics can be shown with <ulink
|
||
|
url="https://github.com/rlerdorf/opcache-status">opcache-status</ulink>.</para>
|
||
|
|
||
|
<screenshot>
|
||
|
<mediaobject>
|
||
|
<imageobject>
|
||
|
<imagedata fileref="images/opcache.png" />
|
||
|
</imageobject>
|
||
|
</mediaobject>
|
||
|
</screenshot>
|
||
|
|
||
|
<para><emphasis role="bold">Disable session
|
||
|
encryption</emphasis></para>
|
||
|
|
||
|
<para>LAM encrypts sensitive data in your session files. You can <link
|
||
|
linkend="sessionEncryption">disable</link> it to reduce CPU
|
||
|
load.</para>
|
||
|
|
||
|
<screenshot>
|
||
|
<mediaobject>
|
||
|
<imageobject>
|
||
|
<imagedata fileref="images/configGeneral1.png" />
|
||
|
</imageobject>
|
||
|
</mediaobject>
|
||
|
</screenshot>
|
||
|
</section>
|
||
|
</section>
|
||
|
</appendix>
|
||
|
|