Re: separate sasl-secprops for different transports
by Kurt D. Zeilenga
At 12:49 AM 10/26/2006, Hai Zaar wrote:
>Is there any way to specify sasl-secprops separately for each transport type?
>For ldapi:/// I want "sasl-secprops noanonymous,noplain",
>and "sasl-secprops noanonymous,noplain,noactive" for the rest.
no.
>The idea is to require SASL GSSAPI for everyone with only exception
>for clients connecting via ldapi (like heimdal KDC) - they need SASL
>EXTERNAL.
I note that "noactive" doesn't restrict SASL to just GSSAPI.
There are other mechanisms that meet the "noactive" criteria.
(See the Cyrus SASL docs/list.)
I would simply configure Cyrus SASL with support only for
GSSAPI and EXTERNAL (see Cyrus SASL docs/lists for help here).
Assuming you don't provide clients with means to do EXTERNAL
except by ldapi://, then you basically would get what you want.
And if you did provide means for a client to use EXTERNAL by
other means, seems you should consider allowing EXTERNAL through
these other means.
Or you could hack Cyrus SASL so that EXTERNAL is available
when "noactive" is set. (See the Cyrus SASL docs/list.)
Kurt
16 years, 11 months
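Kurt's suggestion as an added example configuration (not taken from the thread): rather than trying to vary sasl-secprops per listener, restrict the mechanisms Cyrus SASL makes available to slapd so that only GSSAPI and EXTERNAL are ever offered, and keep EXTERNAL reachable only where the transport itself supplies an identity (ldapi:// peer credentials). The Cyrus SASL application-config path and the keytab path are assumptions; both vary by platform and build.

```conf
# /usr/lib/sasl2/slapd.conf  (Cyrus SASL per-application config; location varies by build)
# Only these two mechanisms are loaded. sasl-secprops can narrow the list
# further but cannot widen it.
mech_list: GSSAPI EXTERNAL
keytab: /etc/krb5.keytab          # assumed location of the ldap/ service key

# slapd.conf
# "noactive" is deliberately left out: as Kurt notes, it would also remove
# EXTERNAL, which the ldapi:// clients (e.g. the KDC) depend on.
sasl-secprops noanonymous,noplain
# EXTERNAL stays ldapi://-only as long as slapd never asks for a TLS client
# certificate. "never" is the default; it is spelled out to make that explicit.
TLSVerifyClient never
```

To confirm what is actually advertised after a restart, query the root DSE anonymously: `ldapsearch -x -H ldap://localhost -b "" -s base supportedSASLMechanisms` should list only GSSAPI (and EXTERNAL on the ldapi:// listener, where the peer identity is available).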
Disabling Dynamic Configuration
by Ian A. Tegebo
Is there a way to turn off dynamic config support in 2.3.X? After
looking at the Admin Guide, man pages, mailing lists, and the
FAQ-O-Matic I've failed to figure out how to do it; is it possible?
I was expecting to find something like --enable-dynamic-config=no or
maybe a slapd option.
Thanks,
--
Ian Tegebo
16 years, 11 months
Logging OpenLdap queries and answer
by Karl Vondrash
Hi!
I'm using an OpenLDAP slapd 2.2.23 server on a SuSE 9.3 box.
I've experienced certain problems with authldaprc configuration (Courier IMAP server,
authentication against OpenLDAP, reading homeDirectory and mailbox values).
Is it possible to log all the queries and answers the openldap server receives/gives?
(Server and Client are both on localhost, otherwise I would use Ethereal or tcpdump ;-()
I've tried a very high loglevel and get some information like below.
I find send_ldap_result and send_ldap_response entries, but I can't see the values of the
attributes. Therefore I have difficulties determining what the LDAP client requested and what
the server answered.
Any hints would be useful.
Greetings K. Vondrash
Oct 25 15:38:20 linux slapd[5536]: do_search
Oct 25 15:38:20 linux slapd[5536]: >>> dnPrettyNormal: <uid=hiwi, ou=People, dc=testdomain,dc=de>
Oct 25 15:38:20 linux slapd[5536]: <<< dnPrettyNormal: <uid=hiwi,ou=People,dc=testdomain,dc=de>, <uid=hiwi,ou=people,dc=testdomain,dc=de>
Oct 25 15:38:20 linux slapd[5536]: SRCH "uid=hiwi, ou=People, dc=testdomain,dc=de" 0 3
Oct 25 15:38:20 linux slapd[5536]: 0 0 0
Oct 25 15:38:20 linux slapd[5536]: begin get_filter
Oct 25 15:38:20 linux slapd[5536]: PRESENT
Oct 25 15:38:20 linux slapd[5536]: end get_filter 0
Oct 25 15:38:20 linux slapd[5536]: filter: (objectClass=*)
Oct 25 15:38:20 linux slapd[5536]: attrs:
Oct 25 15:38:20 linux slapd[5536]:
Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 SRCH base="uid=hiwi,ou=People,dc=testdomain,dc=de" scope=0 deref=3 filter="(objectClass=*)"
Oct 25 15:38:20 linux slapd[5536]: => bdb_search
Oct 25 15:38:20 linux slapd[5536]: bdb_dn2entry("uid=hiwi,ou=people,dc=testdomain,dc=de")
Oct 25 15:38:20 linux slapd[5536]: base_candidates: base: "uid=hiwi,ou=people,dc=testdomain,dc=de" (0x00000020)
Oct 25 15:38:20 linux slapd[5536]: => test_filter
Oct 25 15:38:20 linux slapd[5536]: PRESENT
Oct 25 15:38:20 linux slapd[5536]: => access_allowed: search access to "uid=hiwi,ou=People,dc=testdomain,dc=de" "objectClass" requested
Oct 25 15:38:20 linux slapd[5536]: <= root access granted
Oct 25 15:38:20 linux slapd[5536]: <= test_filter 6
Oct 25 15:38:20 linux slapd[5536]: => send_search_entry: dn="uid=hiwi,ou=People,dc=testdomain,dc=de"
Oct 25 15:38:20 linux slapd[5536]: => access_allowed: read access to "uid=hiwi,ou=People,dc=testdomain,dc=de" "entry" requested
Oct 25 15:38:20 linux slapd[5536]: <= root access granted
..
..
Oct 25 15:38:20 linux slapd[5536]: => access_allowed: read access to "uid=hiwi,ou=People,dc=testdomain,dc=de" "mailbox" requested
Oct 25 15:38:20 linux slapd[5536]: <= root access granted
Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 ENTRY dn="uid=hiwi,ou=People,dc=hdgbw,dc=de"
Oct 25 15:38:20 linux slapd[5536]: <= send_search_entry
Oct 25 15:38:20 linux slapd[5536]: send_ldap_result: conn=1 op=6 p=3
Oct 25 15:38:20 linux slapd[5536]: send_ldap_result: err=0 matched="" text=""
Oct 25 15:38:20 linux slapd[5536]: send_ldap_response: msgid=7 tag=101 err=0
Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 25 15:51:34 linux slapd[5536]: daemon: activity on 1 descriptors
Oct 25 15:51:34 linux slapd[5536]: daemon: activity on:
16 years, 11 months
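An added example (editor's code, not from the post or from OpenLDAP) that shows what the "stats" lines in the excerpt above do and do not tell you. The lines with a `conn=N op=M` prefix record the request (base, scope, deref, filter, and, when the client asks for specific attributes, an `SRCH attr=` line), the DN of every entry sent back, and the final result code with the entry count. Attribute values are never written to these lines, which is why the homeDirectory and mailbox values cannot be found in the log; for the values you need the client side (`ldapsearch -d`) or a capture, and on Linux `tcpdump -i lo` does capture loopback traffic. The script reassembles one record per search operation from a constructed sample; the first operation is the one quoted in the post, the other two are made up here to exercise the attribute list and a non-zero result code.

```python
import re

# Constructed sample (not a capture from a live server): the stats-level lines quoted in
# the post re-joined onto single lines, plus two further searches invented for this example.
SAMPLE_LOG = """\
Oct 25 15:38:20 linux slapd[5536]: do_search
Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 SRCH base="uid=hiwi,ou=People,dc=testdomain,dc=de" scope=0 deref=3 filter="(objectClass=*)"
Oct 25 15:38:20 linux slapd[5536]: => bdb_search
Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 ENTRY dn="uid=hiwi,ou=People,dc=testdomain,dc=de"
Oct 25 15:38:20 linux slapd[5536]: conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 25 15:38:21 linux slapd[5536]: conn=1 op=7 SRCH base="ou=People,dc=testdomain,dc=de" scope=2 deref=0 filter="(uid=hiwi)"
Oct 25 15:38:21 linux slapd[5536]: conn=1 op=7 SRCH attr=homeDirectory mailbox
Oct 25 15:38:21 linux slapd[5536]: conn=1 op=7 ENTRY dn="uid=hiwi,ou=People,dc=testdomain,dc=de"
Oct 25 15:38:21 linux slapd[5536]: conn=1 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 25 15:38:22 linux slapd[5536]: conn=1 op=8 SRCH base="ou=Nowhere,dc=testdomain,dc=de" scope=2 deref=0 filter="(uid=hiwi)"
Oct 25 15:38:22 linux slapd[5536]: conn=1 op=8 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# Every stats line for an operation carries the same "conn=N op=M" prefix; that pair is
# the join key between request, returned entries and result.
OP_LINE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<msg>.*)$")
SRCH_RE = re.compile(
    r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d+) deref=(?P<deref>\d+) filter="(?P<filter>.*)"$'
)
ATTR_RE = re.compile(r"^SRCH attr=(?P<attrs>.*)$")
ENTRY_RE = re.compile(r'^ENTRY dn="(?P<dn>[^"]*)"$')
RESULT_RE = re.compile(
    r"^SEARCH RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) nentries=(?P<nentries>\d+) text=(?P<text>.*)$"
)
SCOPE_NAMES = {0: "base", 1: "one", 2: "sub", 3: "children"}


def parse_stats_log(text):
    """Group stats-level slapd lines by (conn, op); return one dict per search, in op order."""
    searches = {}
    for line in text.splitlines():
        m = OP_LINE.search(line)
        if not m:
            continue  # debug-level noise such as "=> bdb_search" has no conn/op prefix
        key = (int(m["conn"]), int(m["op"]))
        msg = m["msg"]
        s = SRCH_RE.match(msg)
        if s:
            searches[key] = {
                "conn": key[0], "op": key[1],
                "base": s["base"],
                "scope": SCOPE_NAMES.get(int(s["scope"]), s["scope"]),
                "filter": s["filter"],
                "attrs": [],      # empty means the client asked for all user attributes
                "entries": [],    # DNs only: values are not logged at any stats level
                "err": None, "nentries": None,
            }
            continue
        rec = searches.get(key)
        if rec is None:
            continue  # ENTRY/RESULT for an op whose SRCH line we never saw (e.g. rotated away)
        a = ATTR_RE.match(msg)
        if a:
            rec["attrs"] = a["attrs"].split()
            continue
        e = ENTRY_RE.match(msg)
        if e:
            rec["entries"].append(e["dn"])
            continue
        r = RESULT_RE.match(msg)
        if r:
            rec["err"] = int(r["err"])
            rec["nentries"] = int(r["nentries"])
    return [searches[k] for k in sorted(searches)]


def describe(rec):
    """One-line human summary of a parsed search operation."""
    attrs = " ".join(rec["attrs"]) or "(all user attributes)"
    status = ("no result logged" if rec["err"] is None
              else f"err={rec['err']} nentries={rec['nentries']}")
    return (f"conn={rec['conn']} op={rec['op']} base={rec['base']!r} scope={rec['scope']} "
            f"filter={rec['filter']} attrs={attrs} -> {status}; returned {rec['entries']}")


if __name__ == "__main__":
    for rec in parse_stats_log(SAMPLE_LOG):
        print(describe(rec))
```

Feed it `grep 'slapd\[' /var/log/messages` output and each search comes out as request plus DN list plus result code; an operation whose summary says "no result logged" is one that never completed, which is worth a look on its own.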
refreshAndPersist vs. ACLs
by Norbert Klasen
Hi,
we want entries to be replicated to a public slave, only if they have an
attribute worldreadable=TRUE.
So I've set up an ACL on the master which basically is like
access to * filter=(worldreadable=FALSE)
by * none
access to *
by * read
Thus, the consumer only sees entries it is allowed to replicate.
Now if an entry's worldreadable attribute is changed from TRUE to FALSE,
this modification will not propagate to the consumer and the entry stays
visible.
However, with refreshOnly this 'lost' entry is detected and removed
(syncrepl_del_nonpresent).
--
Norbert
16 years, 11 months
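An added example of the provider-side ACL, written by the editor and not taken from the post. One detail worth checking before relying on the rule as quoted: `filter=(worldreadable=FALSE)` only matches entries that actually carry the attribute with the value FALSE, so an entry with no worldreadable attribute at all does not match that clause and falls through to `by * read`. Since the stated intent is "replicate only if worldreadable=TRUE", a negated test closes that gap. The consumer's bind DN is an assumption.

```conf
# Provider slapd.conf (added example). The replication identity sees an entry
# only when it carries worldreadable=TRUE; entries set to FALSE and entries that
# lack the attribute are both hidden from it. Everyone else is handled by the
# second rule ("break" hands evaluation on to it).
access to * filter=(!(worldreadable=TRUE))
        by dn.exact="cn=replicator,dc=example,dc=com" none   # assumed consumer identity
        by * break
access to *
        by * read
```

The ACL does not change the behaviour described in the post: once an entry stops matching, the provider has nothing it may send the consumer under refreshAndPersist, so the stale copy remains until a refresh pass (where syncrepl_del_nonpresent runs) notices it is no longer present. A consumer that is restarted, or one that runs refreshOnly on a schedule, will perform that refresh.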
Connections pool on backend-meta and backend-ldap
by Daniel Montero Motilla
Hi, I have a slapd 2.3.27 configuration proxying external directories
via backend-meta, using directives 'pseudorootdn' and 'pseudorootpw'
to authenticate against the external directories so I always connect
to slapd with meta-backend's rootDN , and I'd want to use the
connection pooling mechanism implemented on this backend, but I'm not
sure about how to accomplish it.
The 'Description' section of the slapd-ldap man page says that "sessions that
explicitly bind to the back-ldap database always create their own
private connection to the remote LDAP server" (as I have verified
myself), and then it explains that "for sessions bound through other
mechanisms all sessions with the same DN will share the same
connection". What mechanisms is the text referring to?
Thank you in advance,
Dani.
16 years, 11 months
Fix for ITS4664 not included in 2.3.28, why?
by Michael.Heep@o2.com
Hi,
is there any particular (technical) reason why the fix for ITS4664
(dynlist memleak) has not been included in 2.3.28? I was just wondering
how big/serious that leak is, since I'm in the process of upgrading our
servers from 2.3.27 to 2.3.28 and I might as well include the dynlist.c
from HEAD.
Although they've been running on 2.3.27 with dynlist since its release and
we haven't experienced any memory shortages yet.
Kind regards,
Michael Heep
16 years, 11 months
proxycache and back-shell
by Denis Gaertner
Hi,
I got a question concerning the combination of the back-shell and the
proxycache overlay. I am using the shell backend for creating data out
of RDF models. So it's about transforming LDAP queries to SPARQL queries
and the result is given back to the shell backend as a complete entry.
So I am currently not supporting the constraint of a list of attributes
to return to the server. However, having tried with some clients I found
out that the frontend is obviously doing it. So my script is sending all
the attributes of the entries to back-shell and the frontend is
eventually filtering it, so I only get the attributes I want.
But using the proxycache this way seemingly doesn't work. So two
questions:
1. Is it necessary for the backend to deliver only the attributes which
are given in the search request to make the proxy work correctly?
2. The backend is quite slow. So I'd like to make extensive use of the
proxy. What is kind of a maximum setting for it? Like caching every
attribute and a lot of queries.
Thank you
Denis
16 years, 11 months
LOG files
by Jose Manuel Lopez
Hi! The log files in $LDAPDIRECTORY/var/openldap-data/log.* such as
log.0000000146 ..... are very large files.
My openldap-data directory is 10 GB in size because every log.* file is 11M
and there are 780 of them.
Thanks.
16 years, 11 months
overlay for sasl bind
by Kanika Malhotra
Hello,
I am trying to write an overlay which traps the sasl bind but listening on
LDAP_REQ_BIND (bi_op_bind) did not result in trapping any sasl binds. Has
anyone ever tried this and could give me some pointers as to where I could
look for more information.
Thanks
Kanika
16 years, 11 months
slapd issue
by Greg Martin
I'm running a non-production 2.3.27 slapd server on my home network. I
had to transfer it to another machine so I copied the conf file &
database files to the new machine. Before starting the service I edited
the slapd.conf to comment out the TLS entries since I hadn't installed
openssl & the cert yet.
When I started slapd, it immediately stopped and I received the dreaded
"main: TLS init def ctx failed: -1". I remembered having this issue
when I was trying to get TLS running. So I ran strace (I'm running
Linux 2.6.x) and finally found this:
open("/etc/ssl/myca/cacert.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
I was a bit confused and rechecked to make sure I had indeed commented
out all the lines and that slapd was referencing the correct conf file.
All was correct.
On a lark, I took a look at ldap.conf which I had copied from my old
server as well. It still had
TLS_CACERT /etc/ssl/myca/cacert.pem
TLS_REQCERT allow
As soon as I commented out those lines, slapd started and stayed running.
Can someone help me understand the relationship between slapd and the
ldap.conf file? I thought that was the client conf file.
Thanks!
\\Greg
16 years, 11 months