Fedora directory users - Mar 2009 - Total number of LDAP entries

Hi list,

can someone tell me where to find the total number of LDAP entries 
stored in FDC? I looked up in Console "Status" tab but I could not
find
the number.

If someone can give me a hint...

Thank you in advance!


Best regards,

Branimir

Branimir wrote:
> Hi list,
> 
> can someone tell me where to find the total number of LDAP entries 
> stored in FDC? I looked up in Console "Status" tab but I could
not find
> the number.
> 
> If someone can give me a hint...
> 
> Thank you in advance!
> 
Hi,

so there is no way to find the number of total LDAP entries stored in FDC?

Thanks!

Best regards,

Branimir

Branimir wrote:
> so there is no way to find the number of total LDAP entries stored in 
> FDC?
Obviously that''s a ridiculous statement. You could at the very least 
perform a search that
returns all entries and count them !

The server however does not maintain a running count itself. So one way 
or another you will
need to count the entries.

Unless...you configure a VLV index covering the target entries (e.g. all 
entries). This will
as a side-effect maintain the count, which can be retrieved with the 
appropriate VLV search.

I,m not sure, but if you perform a search that returns all entries it
will show you the number.
For example:
In the command line:

ldapsearch -LLL -x -D bindDn -W -H ldaps://ldap.example.com:636 -b
ou=users, dc=example,dc=com objectClass=*

in the ldap log you get:

conn=2853323 fd=276 ACCEPT from IP=150.214.4.136:60252 (IP=0.0.0.0:636)
conn=2853323 fd=276 TLS established tls_ssf=256 ssf=256
conn=2853323 op=0 BIND dn="cn=Manager,dc=cica,dc=es" method=128
conn=2853323 op=0 BIND dn="cn=Manager,dc=cica,dc=es" mech=SIMPLE ssf=0
conn=2853323 op=0 RESULT tag=97 err=0 textconn=2853323 op=1 SRCH
base="ou=cica,ou=users,ou=cuentas,dc=cica,dc=es"
scope=2 deref=0 filter="(objectClass=*)"
conn=2853323 op=1 SEARCH RESULT tag=101 err=0 nentries=72 text
As you can see the operation returns 72 entries.
It is not a very clean way but it is the only I could think about
Hope it would help you

Rocio

Branimir escribió:
> Branimir wrote:
>> Hi list,
>>
>> can someone tell me where to find the total number of LDAP entries
>> stored in FDC? I looked up in Console "Status" tab but I
could not
>> find the number.
>>
>> If someone can give me a hint...
>>
>> Thank you in advance!
>>
>
> Hi,
>
> so there is no way to find the number of total LDAP entries stored in
> FDC?
>
> Thanks!
>
> Best regards,
>
> Branimir
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
-- 
Rocio Quirantes Rodal         
Área de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 648 / +34 955 056 600 / FAX: +34 955 056 650
Consejería de Innovación, Ciencia y Empresa
Junta de Andalucía
--------------------------------------------------
Este mensaje esta firmado digitalmente. Para poder
reconocer la firma desde su cliente debera tener
instalado el certificado raiz de la CA del CICA en
el mismo. Puede descargarlo desde:

http://pki.cica.es/cacert/
--------------------------------------------------

David Boreham wrote:
> Branimir wrote:
>> so there is no way to find the number of total LDAP entries stored in 
>> FDC?
> Obviously that''s a ridiculous statement. You could at the very
least
> perform a search that
> returns all entries and count them !
>
> The server however does not maintain a running count itself. So one 
> way or another you will
> need to count the entries.
>
> Unless...you configure a VLV index covering the target entries (e.g. 
> all entries). This will
> as a side-effect maintain the count, which can be retrieved with the 
> appropriate VLV search.
You might also be able to extract that information from the information 
in cn=monitor or one of the cn=monitor entries under the database entries -
http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-Core_Server_Configuration_Attributes_Reference-cnmonitor
and
http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cndatabase_cnmonitor_cnldbm_database_cnplugins_cnconfig
and
http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cnmonitor_cnNetscapeRoot_cnldbm_database_cnplugins_cnconfig

The directory server also uses the operational attribute numSubordinates 
in a container node to specify the number of entries that are direct 
children of that container node - so I suppose you could also search for 
all of these and count them up.
>
>
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

The search might not be a good way to do it if the number of entries
exceeded the number you have set in the size limit in the Fedora LDAP.

On Tue, Mar 10, 2009 at 10:59 AM, Rocio Quirantes
<rquirantes@cica.es>wrote:
> I,m not sure, but if you perform a search that returns all entries it
> will show you the number.
> For example:
> In the command line:
>
> ldapsearch -LLL -x -D bindDn -W -H ldaps://ldap.example.com:636 -b
> ou=users, dc=example,dc=com objectClass=*
>
> in the ldap log you get:
>
> conn=2853323 fd=276 ACCEPT from IP=150.214.4.136:60252 (IP=0.0.0.0:636)
> conn=2853323 fd=276 TLS established tls_ssf=256 ssf=256
> conn=2853323 op=0 BIND dn="cn=Manager,dc=cica,dc=es" method=128
> conn=2853323 op=0 BIND dn="cn=Manager,dc=cica,dc=es" mech=SIMPLE
ssf=0
> conn=2853323 op=0 RESULT tag=97 err=0 text> conn=2853323 op=1 SRCH
base="ou=cica,ou=users,ou=cuentas,dc=cica,dc=es"
> scope=2 deref=0 filter="(objectClass=*)"
> conn=2853323 op=1 SEARCH RESULT tag=101 err=0 nentries=72 text>
> As you can see the operation returns 72 entries.
> It is not a very clean way but it is the only I could think about
> Hope it would help you
>
> Rocio
>
> Branimir escribió:
> > Branimir wrote:
> >> Hi list,
> >>
> >> can someone tell me where to find the total number of LDAP entries
> >> stored in FDC? I looked up in Console "Status" tab but I
could not
> >> find the number.
> >>
> >> If someone can give me a hint...
> >>
> >> Thank you in advance!
> >>
> >
> > Hi,
> >
> > so there is no way to find the number of total LDAP entries stored in
> > FDC?
> >
> > Thanks!
> >
> > Best regards,
> >
> > Branimir
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
>
> --
> Rocio Quirantes Rodal
> Área de Seguridad Informática
> Centro Informático Científico de Andalucía (CICA)
> Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
> Tfno.: +34 955 056 648 / +34 955 056 600 / FAX: +34 955 056 650
> Consejería de Innovación, Ciencia y Empresa
> Junta de Andalucía
> --------------------------------------------------
> Este mensaje esta firmado digitalmente. Para poder
> reconocer la firma desde su cliente debera tener
> instalado el certificado raiz de la CA del CICA en
> el mismo. Puede descargarlo desde:
>
> http://pki.cica.es/cacert/
> --------------------------------------------------
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>

Rich Megginson wrote:
> You might also be able to extract that information from the 
> information in cn=monitor or one of the cn=monitor entries under the 
> database entries -
Unless something has changed recently, there''s no entry count 
information maintained or readable via cn=monitor.
> The directory server also uses the operational attribute 
> numSubordinates in a container node to specify the number of entries 
> that are direct children of that container node - so I suppose you 
> could also search for all of these and count them up.
This would work but if the tree has many branches it''d be more
efficient
to use VLV. For a single big container it''d be fine though.

David Boreham wrote:
> Branimir wrote:
>> so there is no way to find the number of total LDAP entries stored in 
>> FDC?
> Obviously that''s a ridiculous statement. You could at the very
least
> perform a search that
> returns all entries and count them !
> 
> The server however does not maintain a running count itself. So one way 
> or another you will
> need to count the entries.
> 
> Unless...you configure a VLV index covering the target entries (e.g. all 
> entries). This will
> as a side-effect maintain the count, which can be retrieved with the 
> appropriate VLV search.
Hi David and Rocio,

David:
well, I know that I can perform search and count them. I hoped that 
there is some shell command implemented in FDS that could provide this 
number. I administer commercial LDAP solution that provides such 
command. In my case this commercial solution charges per directory entry 
so I always have to know entry count. I was hoping FDC has some kind of 
equivalent command.

Rocio:
Thank you for your effort!


Thanks!

Branimir

Branimir wrote:
> well, I know that I can perform search and count them. I hoped that 
> there is some shell command implemented in FDS that could provide this 
> number. I administer commercial LDAP solution that provides such 
> command. In my case this commercial solution charges per directory 
> entry so I always have to know entry count. I was hoping FDC has some 
> kind of equivalent command.
Pipe the search output through grep and wc to count the entries returned.

Branimir wrote:
> David Boreham wrote:
>> Branimir wrote:
>>> so there is no way to find the number of total LDAP entries stored 
>>> in FDC?
>> Obviously that''s a ridiculous statement. You could at the very
least
>> perform a search that
>> returns all entries and count them !
>>
>> The server however does not maintain a running count itself. So one 
>> way or another you will
>> need to count the entries.
>>
>> Unless...you configure a VLV index covering the target entries (e.g. 
>> all entries). This will
>> as a side-effect maintain the count, which can be retrieved with the 
>> appropriate VLV search.
>
> Hi David and Rocio,
>
> David:
> well, I know that I can perform search and count them. I hoped that 
> there is some shell command implemented in FDS that could provide this 
> number. I administer commercial LDAP solution
Which LDAP solution?
> that provides such command.
What is the command and how does it work?
> In my case this commercial solution charges per directory entry so I 
> always have to know entry count. I was hoping FDC has some kind of 
> equivalent command.
Assuming your entry cache contains every entry (that is, assuming you 
have enough RAM to cache every entry), you can query the entry cache 
count and that should be the number of entries in your directory 
server.  This is the (apparently) undocumented attribute called 
currentEntryCacheCount in the cn=monitor entry for each
database.
>
> Rocio:
> Thank you for your effort!
>
>
> Thanks!
>
> Branimir
>
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Rich Megginson wrote:
> Assuming your entry cache contains every entry (that is, assuming you 
> have enough RAM to cache every entry), you can query the entry cache 
> count and that should be the number of entries in your directory 
> server.  This is the (apparently) undocumented attribute called 
> currentEntryCacheCount in the cn=monitor entry for each database.
Hmm...this is a bit convoluted. You''d have to know the number of
entries
in advance, then make sure the entry cache size was configured to a 
larger number, then perform a search for all entries to force them into 
the cache, and finally read the count. Wouldn''t it be easier to just
use
the search output to count the entries ? I suppose if you had a 
gazillion entries, so many that it would take a very long time to send 
them back to a client, then it might be worthwhile. You''d need to 
concoct a search that you knew would touch every entry but would not 
return any of them (a filter that is un-indexed and doesn''t match any 
entry would do it).

On Tue, Mar 10, 2009 at 04:14:28PM +0100, Branimir
wrote:
> well, I know that I can perform search and count them. I hoped that  
> there is some shell command implemented in FDS that could provide this  
> number. I administer commercial LDAP solution that provides such  
> command. In my case this commercial solution charges per directory entry  
> so I always have to know entry count. I was hoping FDC has some kind of  
> equivalent command.
Assuming you only care about entries that get stored on disk (which is
what I''d prefer if I were a customer), you could find the id2entry
database file run ''db_stat -d'' against it, and use the number
of unique
keys and data items it returns as your count.

HTH,

Nalin

Nalin Dahyabhai wrote:
> Assuming you only care about entries that get stored on disk (which is
> what I''d prefer if I were a customer), you could find the id2entry
> database file run ''db_stat -d'' against it, and use the
number of unique
> keys and data items it returns as your count.
>   
This does essentially the same thing as a search for all entries. 
However it will potentially give the wrong number because it''ll include
deleted entries.

Rich Megginson wrote:
> Branimir wrote:
>> David Boreham wrote:
>>> Branimir wrote:
>>>> so there is no way to find the number of total LDAP entries
stored
>>>> in FDC?
>>> Obviously that''s a ridiculous statement. You could at the
very least
>>> perform a search that
>>> returns all entries and count them !
>>>
>>> The server however does not maintain a running count itself. So one
>>> way or another you will
>>> need to count the entries.
>>>
>>> Unless...you configure a VLV index covering the target entries
(e.g.
>>> all entries). This will
>>> as a side-effect maintain the count, which can be retrieved with
the
>>> appropriate VLV search.
>>
>> Hi David and Rocio,
>>
>> David:
>> well, I know that I can perform search and count them. I hoped that 
>> there is some shell command implemented in FDS that could provide this 
>> number. I administer commercial LDAP solution
> Which LDAP solution?
>> that provides such command.
> What is the command and how does it work?
Hi Rich,

please don''t be offended but I work in CA environment and I cannot 
provide that information. What I can say that this command counts number 
of entries on both master and replica servers.

Also thank you for the links.

Cheers,

Branimir

David Boreham wrote:
> Branimir wrote:
>> well, I know that I can perform search and count them. I hoped that 
>> there is some shell command implemented in FDS that could provide this 
>> number. I administer commercial LDAP solution that provides such 
>> command. In my case this commercial solution charges per directory 
>> entry so I always have to know entry count. I was hoping FDC has some 
>> kind of equivalent command.
> 
> Pipe the search output through grep and wc to count the entries returned.
> 
Thanks David. I am familiar with UNIX basics :). As I said before, I was 
hoping there is some simple command for this, nothing more.

Cheers,

Branimir

Branimir wrote:
> Rich Megginson wrote:
>> Branimir wrote:
>>> David Boreham wrote:
>>>> Branimir wrote:
>>>>> so there is no way to find the number of total LDAP entries
stored
>>>>> in FDC?
>>>> Obviously that''s a ridiculous statement. You could at
the very
>>>> least perform a search that
>>>> returns all entries and count them !
>>>>
>>>> The server however does not maintain a running count itself. So
one
>>>> way or another you will
>>>> need to count the entries.
>>>>
>>>> Unless...you configure a VLV index covering the target entries 
>>>> (e.g. all entries). This will
>>>> as a side-effect maintain the count, which can be retrieved
with
>>>> the appropriate VLV search.
>>>
>>> Hi David and Rocio,
>>>
>>> David:
>>> well, I know that I can perform search and count them. I hoped that
>>> there is some shell command implemented in FDS that could provide 
>>> this number. I administer commercial LDAP solution
>> Which LDAP solution?
>>> that provides such command.
>> What is the command and how does it work?
>
> Hi Rich,
>
> please don''t be offendedbut I work in CA environment and I cannot 
> provide that information.
Why?  Is this the CA E-Trust Directory Server?  If so, isn''t the 
information on it publicly available?  If so, why would you not be able 
to provide that information.
> What I can say that this command counts number of entries on both 
> master and replica servers.
How does it work?  Does it use LDAP?  Does it invoke some sort of remote 
shell?
>
> Also thank you for the links.
>
> Cheers,
>
> Branimir
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Rich Megginson wrote:
> Branimir wrote:
>> Rich Megginson wrote:
>>> Branimir wrote:
>>>> David Boreham wrote:
>>>>> Branimir wrote:
>>>>>> so there is no way to find the number of total LDAP
entries stored
>>>>>> in FDC?
>>>>> Obviously that''s a ridiculous statement. You could
at the very
>>>>> least perform a search that
>>>>> returns all entries and count them !
>>>>>
>>>>> The server however does not maintain a running count
itself. So one
>>>>> way or another you will
>>>>> need to count the entries.
>>>>>
>>>>> Unless...you configure a VLV index covering the target
entries
>>>>> (e.g. all entries). This will
>>>>> as a side-effect maintain the count, which can be retrieved
with
>>>>> the appropriate VLV search.
>>>>
>>>> Hi David and Rocio,
>>>>
>>>> David:
>>>> well, I know that I can perform search and count them. I hoped
that
>>>> there is some shell command implemented in FDS that could
provide
>>>> this number. I administer commercial LDAP solution
>>> Which LDAP solution?
>>>> that provides such command.
>>> What is the command and how does it work?
>>
>> Hi Rich,
>>
>> please don''t be offendedbut I work in CA environment and I
cannot
>> provide that information.
> Why?  Is this the CA E-Trust Directory Server?  If so, isn''t the 
> information on it publicly available?  If so, why would you not be able 
> to provide that information.
Sorry for misunderstanding. CA = Certificate Authority.
>> What I can say that this command counts number of entries on both 
>> master and replica servers.
> How does it work?  Does it use LDAP?  Does it invoke some sort of remote 
> shell?
It doesn''t invoke remote shell and it doesn''t use LDAP.
That''s all I can
  say.

Branimir

On Tuesday 10 March 2009 17:38:33 Branimir wrote:
> David Boreham wrote:
> > Branimir wrote:
> >> well, I know that I can perform search and count them. I hoped
that
> >> there is some shell command implemented in FDS that could provide
this
> >> number. I administer commercial LDAP solution that provides such
> >> command. In my case this commercial solution charges per directory
> >> entry so I always have to know entry count. I was hoping FDC has
some
> >> kind of equivalent command.
> >
> > Pipe the search output through grep and wc to count the entries
returned.
>
> Thanks David. I am familiar with UNIX basics :). As I said before, I was
> hoping there is some simple command for this, nothing more.
>
> Cheers,
>
> Branimir
>
Here''s an easy perl script you can run,  it will do a sub search on a
given suffex and output the total entries returned.

Ryan


#!/usr/bin/perl

use strict;
use Net::LDAP;

my $bind_dn = "cn=directory manager";
my $bind_pw = "password";
my @servers = qw(server1.com server2.com);
my $base_dn = "cn=config";

foreach my $server (@servers) {

	my $ldap = Net::LDAP->new($server, port => ''389'',
timeout=>10);
	if ( ! $ldap )
	{
			
			# return 0 here for a failed attempt
			print "failed to connect to $server\n";
			return 0;
	}
	my $msg = $ldap->bind ( $bind_dn,password => $bind_pw ,version => 3 );

	if ($msg->code) {
		# print error message here because we have access to the $msg object
		print "\t$server\t\t\tFAILURE " . $msg->code . " error text
is " . $msg->error_name . "\n";
		
		return 0;
	}
	
	$msg = $ldap->search(filter=>"objectClass=*", 
base=>$base_dn,scope => ''sub'' );
	
	print "Found " . $msg->entries . " total entries in $base_dn
on $server\n";
}

Ryan Braun [ADS] wrote:
> Here''s an easy perl script you can run,  it will do a sub search
on a given suffex and output the total entries returned.
On FDS I''d prefer to search for (hasSubordinates=TRUE) and sum up the
values of the numSubordinates attribute in the entries found.

Other LDAP server implementations have other operational attributes with
different semantics:

Siemens DirX: numAllSubordinates

Critical Path Directory Server: countImmSubordinates, countTotSubordinates

MS Active Directory: msDS-Approx-Immed-Subordinates

My web2ldap uses all these besides ''hasSubordinates'' to
determine
whether an entry found is leaf entry or not and display the number of
subordinate entries in the link popup help.

Ciao, Michael.