openldap-software October 2006

openldap-software@openldap.org

91 participants
100 discussions

Re: separate sasl-secprops for different tansports
by Kurt D. Zeilenga 26 Oct '06

26 Oct '06

At 12:49 AM 10/26/2006, Hai Zaar wrote: >Is there any way to specify sasl-secprops separately for each transport type? >For ldapi:/// is want "sasl-secprops noanonymous,noplain", >and "sasl-secprops noanonymous,noplain,noactive" for the rest. no. >The idea is to require SASL GSSAPI for everyone with only exception >for clients connecting via ldapi (like heimdal KDC) - they need SASL >EXTERNAL. I note that "noactive" doesn't restrict SASL to just GSSAPI. There are other mechanisms that meet the "noactive" criteria. (See the Cyrus SASL docs/list.) I would simply configure Cyrus SASL with support only for GSSAPI and EXTERNAL (see Cyrus SASL docs/lists for help here). Assuming you don't provide clients with means to do EXTERNAL except by ldapi://, then you basically would get what you want. And if you did provide means for a client to use EXTERNAL by other means, seems you should consider allowing EXTERNAL through these other means. Or you could hack Cyrus SASL so that EXTERNAL is available when "noactive" is set. (See the Cyrus SASL docs/list.) Kurt

1 0

Disabling Dynamic Configuration
by Ian A. Tegebo 25 Oct '06

25 Oct '06

Is there a way to turn off dynamic config support in 2.3.X? After looking at the Admin Guide, man pages, mailing lists, and the FAQ-O-Matic I've failed to figure out how to do it; is it possible? I was expecting to find something like --enable-dynamic-config=no or maybe a slapd option. Thanks, -- Ian Tegebo

4 5

Logging OpenLdap queries and answer
by Karl Vondrash 25 Oct '06

25 Oct '06

Hi! I'm using an OpenLDAP: slapd 2.2.23 server on a SuSE 9.3 Box. I've experienced certain problems with authldaprc configuration (Courier IMAP Server, Authentification against Openldap, reading homeDirectory and mailbox values). Is it possible to log all the queries and answers the openldap server receives/gives? (Server and Client are both on localhost, otherwise I would use Ethereal or tcpdump ;-() I've tried a very high loglevel and get some information like below. I find send_ldap_result, send_ldap_response entries, but i can't see the values of the attributes. Therefore I have difficulties to determine what the ldap Client requested and what the server answers. Any hints would be useful. Greetings K. Vondrash Oct 25 15:38:20 linux slapd[5536]: do_search Oct 25 15:38:20 linux slapd[5536]: >>> dnPrettyNormal: <uid=hiwi, ou=People, dc=testdomain,dc=de> Oct 25 15:38:20 linux slapd[5536]: <<< dnPrettyNormal: <uid=hiwi,ou=People,dc=testdomain,dc=de>, <uid=hiwi,ou=people,dc=testdomain,dc=de> Oct 25 15:38:20 linux slapd[5536]: SRCH "uid=hiwi, ou=People, dc=testdomain,dc=de" 0 3 Oct 25 15:38:20 linux slapd[5536]: 0 0 0 Oct 25 15:38:20 linux slapd[5536]: begin get_filter Oct 25 15:38:20 linux slapd[5536]: PRESENT Oct 25 15:38:20 linux slapd[5536]: end get_filter 0 Oct 25 15:38:20 linux slapd[5536]: filter: (objectClass=*) Oct 25 15:38:20 linux slapd[5536]: attrs: Oct 25 15:38:20 linux slapd[5536]: Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 SRCH base="uid=hiwi,ou=People,dc=testdomain,dc=de" scope=0 deref=3 filter="(objectClass=*)" Oct 25 15:38:20 linux slapd[5536]: => bdb_search Oct 25 15:38:20 linux slapd[5536]: bdb_dn2entry("uid=hiwi,ou=people,dc=testdomain,dc=de") Oct 25 15:38:20 linux slapd[5536]: base_candidates: base: "uid=hiwi,ou=people,dc=testdomain,dc=de" (0x00000020) Oct 25 15:38:20 linux slapd[5536]: => test_filter Oct 25 15:38:20 linux slapd[5536]: PRESENT Oct 25 15:38:20 linux slapd[5536]: => access_allowed: search access to "uid=hiwi,ou=People,dc=testdomain,dc=de" "objectClass" requested Oct 25 15:38:20 linux slapd[5536]: <= root access granted Oct 25 15:38:20 linux slapd[5536]: <= test_filter 6 Oct 25 15:38:20 linux slapd[5536]: => send_search_entry: dn="uid=hiwi,ou=People,dc=testdomain,dc=de" Oct 25 15:38:20 linux slapd[5536]: => access_allowed: read access to "uid=hiwi,ou=People,dc=testdomain,dc=de" "entry" requested Oct 25 15:38:20 linux slapd[5536]: <= root access granted .. .. Oct 25 15:38:20 linux slapd[5536]: => access_allowed: read access to "uid=hiwi,ou=People,dc=testdomain,dc=de" "mailbox" requested Oct 25 15:38:20 linux slapd[5536]: <= root access granted Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 ENTRY dn="uid=hiwi,ou=People,dc=hdgbw,dc=de" Oct 25 15:38:20 linux slapd[5536]: <= send_search_entry Oct 25 15:38:20 linux slapd[5536]: send_ldap_result: conn=1 op=6 p=3 Oct 25 15:38:20 linux slapd[5536]: send_ldap_result: err=0 matched="" text="" Oct 25 15:38:20 linux slapd[5536]: send_ldap_response: msgid=7 tag=101 err=0 Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text= Oct 25 15:51:34 linux slapd[5536]: daemon: activity on 1 descriptors Oct 25 15:51:34 linux slapd[5536]: daemon: activity on:

2 1

refreshAndPersit vs. ACLs
by Norbert Klasen 24 Oct '06

24 Oct '06

Hi, we want entries to be replicated to a public slave, only if they have an attribute worldreadable=TRUE. So I've setup an ACL on the master which basically is like access to * filter=(worldreadable=FALSE) by * none access to * by * read Thus, the consumer only sees entries it is allowed to replicate. Now if an entry's worldreadable attribute is changed from TRUE to false, this modification will not propagate to the consumer and the entry stays visible. However, with refreshOnly this 'lost' entry is detected and removed (syncrepl_del_nonpresent). -- Norbert

3 2

Connections pool on backend-meta and backend-ldap
by Daniel Montero Motilla 24 Oct '06

24 Oct '06

Hi, I have a slapd 2.3.27 configuration proxying external directories via backend-meta, using directives 'pseudorootdn' and 'pseudorootpw' to authenticate against the external directories so I always connect to slapd with meta-backend's rootDN , and I'd want to use the connection pooling mechanism implemented on this backend, but I'm not sure about how to accomplish it. 'Description' section of slapd-ldap man page tells that "sessions that explicity bind to the back-ldap database always create their own private connection to the remote LDAP server" (as I have verified myself), and then it explains that "for sessions bound through other mechanisms all sessions with the same DN will share the same connection". What mechanisms is the text referring to? Thank you in advance, Dani.

2 1

Fix for ITS4664 not included in 2.3.28, why?
by Michael.Heep＠o2.com 24 Oct '06

24 Oct '06

Hi, is there any particular (technical) reason why the fix for ITS4664 (dynlist memleak) has not been included in 2.3.28? I was just wondering how big/serious that leak is, since I'm in the process of upgrading our servers from 2.3.27 to 2.328 and I might as well include the dynlist.c from HEAD. Although they've been running on 2.3.27 with dynlist since its release and we haven't experienced any memory shortages yet. Kind regards, Michael Heep

2 1

proxycache and back-shell
by Denis Gaertner 23 Oct '06

23 Oct '06

Hi, I got a question concerning the combination of the back-shell and the proxycache overlay. I am using the shell backend for creating data out of rdf-models. So its about transforming ldap queries to sparql queries and the result is given back to the shell backend as a complete entry. So I am currently not supporting the constraint of a list of attributes to return to the server. However, having tried with some clients I found out that the frontend is obviously doing it. So my script is sending all the attributes of the entries to back-shell and the frontend is eventually filtering it, so I only get the attributes I want. But using the proxycache this way seemingly doesn't work. So two questions: 1.Is it necessary for the backend to deliver only the attributes which are given in the search request to make the proxy work correctly? 2. The backend is quite slow. So I'd like to make extensive use of the proxy. What is kind of a maximum setting for it? Like caching every attribute and a lot of queries. Thank you Denis

1 0

LOG files
by Jose Manuel Lopez 23 Oct '06

23 Oct '06

Hi! log files in $LDAPDIRECTORY/var/openldap-data/log.* as log.0000000146 ..... are very files. My directory openldap-data is 10 GB size because every log.* file is 11M and it's 780 files. Thanks.

3 2

overlay for sasl bind
by Kanika Malhotra 20 Oct '06

20 Oct '06

Hello, I am trying to write an overlay which traps the sasl bind but listening on LDAP_REQ_BIND (bi_op_bind) did not result in trapping any sasl binds. Has anyone ever tried this and could give me some pointers as to where I could look for more information. Thanks Kanika

2 1

slapd issue
by Greg Martin 19 Oct '06

19 Oct '06

I'm running a non-production 2.3.27 slapd server on my home network. I had to transfer it to another machine so I copied the conf file & database files to the new machine. Before starting the service I edited the slapd.conf to comment out the TLS entries since I hadn't installed openssl & the cert yet. When I started slapd, it immediately stopped and I received the dreaded "main: TLS init def ctx failed: -1 " I remembered having this issue when I was trying to get TLS running. So I ran strace (I'm running linux 2.6.x) and finally found this: open("/etc/ssl/myca/cacert.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory) I was a bit confused and rechecked to make sure I had indeed commented out all the lines and that slapd was referencing the correct conf file. All was correct. On a lark, I took a look at ldap.conf which I had copied from my old server as well. It still had TLS_CACERT /etc/ssl/myca/cacert.pem TLS_REQCERT allow As soon as I commented out those lines, slapd started and stayed running. Can someone help me understand the relationship between slapd and the ldap.conf file? I thought that was the client conf file. Thanks! \\Greg

2 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software October 2006