slapd: The reverse of "authz-regexp": From Bind-DN to SASL authentication: Is it possible?
by Alexandros Vellis
The slapd.conf option "authz-regexp", according to the man page, is:
Used by the authentication framework to convert simple
user names, such as provided by SASL subsystem, to an
LDAP DN used for authorization purposes.
I am searching for a way to do the exact reverse, and I haven't found
an option for it. Specifically, I would like to convert the LDAP DN
provided in a simple LDAP bind to an authentication token (userid,
realm, password) that would be passed to the SASL subsystem for the
purposes of authentication. The SASL subsystem would then be
responsible for doing the authentication, just as if SASL authentication
('-Y') were used.
Am I correct in assuming that this functionality currently does not
exist?
Alexandros Vellis
16 years, 1 month
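The forward direction the man page text above describes, as an added example that is not from the post or from OpenLDAP: a small re-implementation of how an authz-regexp rule turns the SASL-derived DN (uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth) into an authorization DN or LDAP URL, and of the "exactly one entry" check that a URL result has to pass. The rules, the example.com naming, the in-memory directory and the case-insensitive matching are assumptions constructed for the example.

```python
import re

# Constructed authz-regexp rules in slapd.conf "<match> <replace>" form; the
# patterns and the example.com naming are assumptions, not from the post.
AUTHZ_REGEXP_RULES = [
    # Kerberos/GSSAPI identity with a realm -> a fixed DN under ou=people
    (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$",
     "uid=$1,ou=people,dc=example,dc=com"),
    # any other SASL mechanism without a realm -> an LDAP URL search for the uid
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$",
     "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"),
]

def sasl_auth_dn(authcid, mech, realm=None):
    """Build the synthetic DN slapd derives from a SASL identity (no realm part if none)."""
    realm_part = f"cn={realm}," if realm else ""
    return f"uid={authcid},{realm_part}cn={mech},cn=auth"

def apply_authz_regexp(auth_dn, rules=AUTHZ_REGEXP_RULES):
    """Rewrite auth_dn with the first matching rule; $1..$9 in <replace> take the
    captured groups. Unmatched input is returned unchanged. Case-insensitive
    matching is an assumption of this example."""
    for pattern, replacement in rules:
        m = re.match(pattern, auth_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn

def resolve(mapped, directory):
    """If the rule produced an LDAP URL, look the uid up in a constructed directory
    (list of (uid, dn) pairs); a URL mapping only succeeds with exactly one match."""
    if not mapped.lower().startswith("ldap:///"):
        return mapped
    uid = re.search(r"\(uid=([^)]+)\)", mapped).group(1)
    hits = [dn for u, dn in directory if u.lower() == uid.lower()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries matched; authorization DN is ambiguous or absent")
    return hits[0]
```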
Disaster recovery question wrt replication
by Steven Harms (stharms)
Hi all,
New LDAP implementor here.
I'm trying to document disaster recovery steps.
Assuming a single master and 3 replicas.
[Q1]: Is this an acceptable architecture? In the master's slapd.conf I
define 3 replica statements, and on the 3 replica servers I use this
master as the updateref.
If all the replicas fail and the master survives, I'm trying to figure
out how to restore service.
1. Establish replacement replicas
2. (master) slapcat -l /resync.ldif. Copy to each replica.
3. (each replica) slapadd -l /resync.ldif
Now here's the sticky part. The slurpd.replog has entries that were
destined for the replicas. Now that I've sync'd via slapadd, these are
not necessary.
How can I clean out the replog back-queue to a pristine start?
I suppose, more generally, I'm asking: how do I start replication all
over? What files can/should I delete? Which should I not touch under any
circumstances?
Steven
16 years, 1 month
Problem when using 'accesslog' and 'refint' overlays in combination
by Alina Dubrovska
Hi,
I'm trying to configure access logging in my OpenLDAP server (version is
2.3.27) using slapo-accesslog overlay.
In slapd.conf I have configured accesslog database according to manual:
database bdb
suffix "cn=accesslog"
rootdn "cn=root,cn=accesslog"
rootpw accesslog
index reqStart eq
database bdb
suffix "dc=main_domain,dc=com"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Administrator,dc=main_domain,dc=com"
overlay accesslog
logdb "cn=accesslog"
logops writes
logold (objectclass=person)
In previous version of slapd.conf there was also slapo-refint overlay
enabled to support 'uniqueMember' attribute update after member entry is
renamed or deleted:
overlay refint
refint_attributes uniqueMember
After turning on access logging I observe the following problem:
I create 2 users (objectclass=person) and a group
(objectclass=groupOfUniqueNames), then I add both users to that group. Next
I try to rename (or delete) one of the member users and... LDAP hangs
with no response. When I connect once again, I see that the action was
performed (the user is renamed or deleted, but the old member reference is
still present in the group attributes). However, I'm not able to modify the
directory (that is, to add some new entry); LDAP hangs on any attempt and
only an OpenLDAP restart helps.
Last note is that this problem appears only when both accesslog and refint
are enabled. Separately they are working as expected.
Does anybody have an idea about the reason of such problem?
Thanks in advance,
Alina.
16 years, 1 month
RE: A "which version" question
by Lesley Walker
Dave Horsfall wrote:
> And I see 2.3.31 is now STABLE...
Which solved my problem, really. :-)
Thanks, whoever did that. I have 2.3.31 up and running on a test server,
and will deploy during the quiet time next week.
I do like happy endings!
--
Lesley Walker
Linux Systems Administrator
Opus International Consultants Ltd
Email lesley.walker(a)opus.co.nz
Tel +64 4 471 7002, Fax +64 4 473 3017
http://www.opus.co.nz
Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343
Wellington, New Zealand
16 years, 1 month
two different rootdn
by Rudy Setiawan
Hi there,
I need to add another rootdn on the same LDAP server.
The goal is to separate two organizations' LDAP authentication.
Let's say I have these two rootdns (in the file slapd.conf):
# two independent databases; the backend type is bdb (Berkeley DB)
database bdb
suffix "dc=companya,dc=com"
rootdn "cn=CompanyAManager,dc=companya,dc=com"
rootpw {SSHA}as98dyasdhasiduhasiudhashdas
directory /var/lib/ldap/companya
database bdb
suffix "dc=companyb,dc=com"
rootdn "cn=CompanyBManager,dc=companyb,dc=com"
rootpw {SSHA}aoshdsadhsaodasdhasdhasih
directory /var/lib/ldap/companyb
Any pointers or advice are really appreciated :)
Thank you all.
Regards,
Rudy Setiawan
--
+++++++++
Booo
16 years, 1 month
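A small slapd.conf lint, added here as an example and not code from either post or from OpenLDAP, covering the two kinds of database stanza quoted above (the accesslog database and the two per-company databases): it splits the file into "database" stanzas and reports a backend name slapd does not know, a suffix served twice, and a rootpw kept in cleartext instead of a slappasswd hash. The sample configuration is constructed from the quoted fragments, with a deliberately mistyped backend name.

```python
import re

# Constructed sample modelled on the slapd.conf fragments quoted in the accesslog
# and two-rootdn posts above: a cleartext rootpw and a mistyped backend name.
SAMPLE_CONF = """\
database bdb
suffix "cn=accesslog"
rootdn "cn=root,cn=accesslog"
rootpw accesslog
index reqStart eq

database dbd
suffix "dc=companyb,dc=com"
rootdn "cn=CompanyBManager,dc=companyb,dc=com"
rootpw {SSHA}aoshdsadhsaodasdhasdhasih
directory /var/lib/ldap/companyb
"""

KNOWN_BACKENDS = {"bdb", "hdb", "ldap", "ldif", "meta", "monitor", "config", "relay"}
HASHED_PW = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}")

def parse_databases(text):
    """Return one dict per 'database' stanza, keyed by lower-cased directive name."""
    dbs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":
            cur = {"backend": val.lower()}
            dbs.append(cur)
        elif cur is not None:
            cur[key] = val
    return dbs

def lint(text):
    """Findings a reviewer would raise: unknown backend, duplicate suffix, cleartext rootpw."""
    findings, seen = [], set()
    for db in parse_databases(text):
        suffix = db.get("suffix", "?")
        if db["backend"] not in KNOWN_BACKENDS:
            findings.append(f"{suffix}: unknown backend '{db['backend']}'")
        if suffix.lower() in seen:
            findings.append(f"{suffix}: suffix already served by another database")
        seen.add(suffix.lower())
        pw = db.get("rootpw")
        if pw and not HASHED_PW.match(pw):
            findings.append(f"{suffix}: rootpw is cleartext; use a slappasswd hash")
    return findings
```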
pdf version of documentation, including manuals
by Douglas B. Jones
Is there a pdf version of the manuals that is
up to date? I see the admin. guide, but it is dated
last 2005. I am really interested if there was a
document or series of documents that had "everything"
in pdf format. When I try to download all the web pages
within acrobat, it fails (acrobat has a feature to read
the web pages and convert them, but I am trying to avoid
doing that one page at a time). Thanks for any help!
16 years, 1 month
A "which version" question
by Lesley Walker
Hi all,
First of all, I'll mention that I've read the information on the download
page about "stable" vs "release" and I understand the difference. I've also
read the FAQ-o-matic entries on the topic.
I'm working towards upgrading our OpenLDAP software (currently 2.3.24).
Since we are utterly dependent on OpenLDAP for many things, policy is to go
with "stable".
However, I noticed a few days ago that somebody said in another thread:
> Look into syncrepl (make sure to upgrade to 2.3.30 first)
Are there problems with syncrepl in 2.3.27? Our plan is to move from slurpd
to syncrepl with this upgrade. Perhaps the comment was simply made in the
spirit of generally keeping up to date, but if there is a potential issue
we'd like to know about it.
We operate a single master with about 80 identical replicas and some local
schema additions, and have about 8000-9000 records. There's nothing
particularly special or fancy about any of it as far as I'm aware. All
running on Debian 3.1 except the master which is still 3.0 (upgrading RSN).
Thanks in advance for any insights.
Lesley W
--
Lesley Walker
Linux Systems Administrator
Opus International Consultants Ltd
Email lesley.walker(a)opus.co.nz
Tel +64 4 471 7002, Fax +64 4 473 3017
http://www.opus.co.nz
Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343
Wellington, New Zealand
16 years, 1 month
combining loglevel sync and 256
by Daniel Eckstein
Dear list members,
I've set up a master/5 replica solution using OpenLDAP and syncrepl.
Everything is working as expected.
Regarding logging there's one question left that I was not able to find an
answer to.
I've configured ldap to use syslog to write its logfiles. Is it possible
to combine loglevel 256 and loglevel sync?
Because currently I am able to see either every bind/connection/search
activity, or all the synchronisation stuff which is going on.
Thanks a lot in advance!
Best regards,
Daniel
16 years, 1 month
Question RE: User-only config directives
by Sean Myers
I've been doing some searching on this to no avail, so I have a question
regarding these two posts:
http://www.openldap.org/lists/openldap-software/200603/msg00037.html
http://www.openldap.org/lists/openldap-software/200603/msg00039.html
As an administrator, I have difficulty understanding why I am unable to
be as specific as possible in ldap.conf in defining how my clients are
to access my directory. In the second link above, I can understand the
reasoning behind generally having SASL_MECH be user-only, but in my case
I would appreciate the ability to throw some sort of overriding
directive in ldap.conf to allow the user-only options in ldap.conf.
While I could just as easily modify libraries/libldap/init.c to suit my
needs or otherwise work around this, I was thinking that this might be
of some use to other LDAP admins.
--
Sean Myers
American Research Institute
16 years, 1 month
No result for SSOXType=3
by Nicolas Lorin
Hello,
I have OpenLDAP v2.2.29 with a local schema.
When I launch a search request with the filter SSOXType=3 I get no result,
but it exists.
Here is my part of the schema and the LDAP content:
Schema line:
attributeType ( 1.3.6.1.4.1.11454.1.5.8 NAME 'SSOXType' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Avencis' )
And the LDAP entry (in LDIF):
version: 1
dn: SSOXName=SSOXSecrets,ou=SSOX,dc=avencis,dc=com
objectClass: SSOXConfiguration
SSOXComment:: U1NPWCBTZWNyZXRz
SSOXCVersion: 1
SSOXName: SSOXSecrets
SSOXParameter:: no communicated values
SSOXParameter:: no communicated values
SSOXParameter:: no communicated values
SSOXParameter:: no communicated values
SSOXType: 3
Thanks for your answer.
PS: Sorry if my English isn't very good, I'm French.
--
LORIN Nicolas
n.lorin(a)free.fr
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=androw95220%40...
16 years, 1 month
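An added check, not code from the post: the attributeType quoted above declares a SYNTAX (Integer) but no EQUALITY matching rule, and under the LDAP search filter semantics of RFC 4511 an equality filter on an attribute with no EQUALITY rule evaluates to Undefined, so it matches nothing. The script below unfolds a slapd schema file and reports attributes in that state, suggesting the RFC 4517 rule for the syntax; the sample schema text is constructed from the post's definition plus a corrected copy of it.

```python
import re

# Constructed sample: the SSOXType definition from the post (split across two
# lines as in a schema file) and the same definition with EQUALITY added.
SAMPLE_SCHEMA = """\
attributeType ( 1.3.6.1.4.1.11454.1.5.8 NAME 'SSOXType' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Avencis' )
attributeType ( 1.3.6.1.4.1.11454.1.5.8 NAME 'SSOXType' EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Avencis' )
"""

SYNTAX_EQUALITY = {  # RFC 4517 equality rules for common syntaxes
    "1.3.6.1.4.1.1466.115.121.1.27": "integerMatch",            # Integer
    "1.3.6.1.4.1.1466.115.121.1.15": "caseIgnoreMatch",         # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": "caseIgnoreIA5Match",      # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.12": "distinguishedNameMatch",  # DN
}

def unfold(text):
    """Join schema continuation lines (leading whitespace) into one definition each."""
    defs = []
    for line in text.splitlines():
        if line[:1].isspace() and defs:
            defs[-1] += " " + line.strip()
        elif line.strip():
            defs.append(line.strip())
    return defs

def parse_attribute_type(definition):
    """Pick OID, NAME, EQUALITY and SYNTAX out of an RFC 4512 attributeType description."""
    m = re.match(r"attributeType\s*\(\s*(\S+)", definition, re.I)
    if not m:
        return None
    def field(keyword):
        f = re.search(r"\b" + keyword + r"\s+\(?\s*'?([^\s')]+)", definition)
        return f.group(1) if f else None
    syntax = field("SYNTAX")
    return {"oid": m.group(1), "name": field("NAME"), "equality": field("EQUALITY"),
            "syntax": re.sub(r"\{\d+\}$", "", syntax) if syntax else None}

def check_schema(text):
    """List attributes that cannot be used in an equality filter such as (SSOXType=3)."""
    problems = []
    for at in map(parse_attribute_type, unfold(text)):
        if at and not at["equality"]:
            rule = SYNTAX_EQUALITY.get(at["syntax"], "the rule for its syntax")
            problems.append(f"{at['name']}: no EQUALITY, so ({at['name']}=...) filters "
                            f"are Undefined; add EQUALITY {rule}")
    return problems
```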