openldap-software December 2006

openldap-software@openldap.org

60 participants
65 discussions

slapd: The reverse of "authz-regexp": From Bind-DN to SASL authentication: Is it possible?
by Alexandros Vellis 24 Dec '06

24 Dec '06

The slapd.conf option "authz-regexp", according to man page is...: Used by the authentication framework to convert simple user names, such as provided by SASL subsystem, to an LDAP DN used for authorization purposes. I am searching how to do the exact reverse thing, and I haven't found an option for it. Specifically, I would like to convert the LDAP dn provided in a simple LDAP bind, to an authentication token (userid, realm, password) that would be passed to the SASL subsystem for the purposes of authentication. The SASL subsystem would then be responsible to do the authentication, just as if SASL authentication ('-Y') were used. Am I correct in assuming that this functionality currently does not exist? Alexandros Vellis

3 2

Disaster recovery question wrt replication
by Steven Harms (stharms) 22 Dec '06

22 Dec '06

Hi all, New LDAP implementor here. I'm trying to document disaster recovery steps. Assuming a single master and 3 replicas. [Q1]: Is this an acceptable architecture? In the master's slapd.conf I define 3 replica statements, and on the 3 replica servers I use this master as the updateref. If all the replicas fail and the master survives, I'm trying to figure out how to restore service. 1. Establish replacement replicas 2. (master) slapcat -l /resync.ldif. Copy to each replica. 3. (each replica) slapadd -l /resync.ldif Now here's the sticky part. The slurpd.replog has entries that were destined for the replicas. Now that I've sync'd via slapadd, these are not necessary. How can I clean out the replog back-queue to a pristine start? I suppose, more generally, I'm asking: How do a start replication all over. What files can / should I delete. Which should I not under any circumstance touch? Steven

9 11

Problem when using 'accesslog' and 'refint' overlays in combination
by Alina Dubrovska 22 Dec '06

22 Dec '06

Hi, I'm trying to configure access logging in my OpenLDAP server (version is 2.3.27) using slapo-accesslog overlay. In slapd.conf I have configured accesslog database according to manual: database bdb suffix "cn=accesslog" rootdn "cn=root,cn=accesslog" rootpw accesslog index reqStart eq database bdb suffix "dc=main_domain,dc=com" checkpoint 1024 5 cachesize 10000 rootdn "cn=Administrator,dc=main_domain,dc=com" overlay accesslog logdb "cn=accesslog" logops writes logold (objectclass=person) In previous version of slapd.conf there was also slapo-refint overlay enabled to support 'uniqueMember' attribute update after member entry is renamed or deleted: overlay refint refint_attributes uniqueMember After turning on access logging I inspect the following problem: I create 2 users (objectclass=person) and a group (objectclass=groupOfUniqueNames), then I add both users to that group. Next I'm trying to rename (or delete) one of the member users and... LDAP hangs up with no response. When I connect once again, then I see that action was performed (user is renamed or deleted, but old member reference is present in group attributes). However, I'm not able to modify directory (that is to add some new entry) LDAP hangs up on any attempt and only OpenLDAP restart helps. Last note is that this problem appears only when both accesslog and refint are enabled. Separately they are working as expected. Does anybody have an idea about the reason of such problem? Thanks in advance, Alina.

1 0

RE: A "which version" question
by Lesley Walker 21 Dec '06

21 Dec '06

Dave Horsfall wrote: > And I see 2.3.31 is now STABLE... Which solved my problem, really. :-) Thanks, whoever did that. I have 2.3.31 up and running on a test server, and will deploy during the quiet time next week. I do like happy endings! -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

1 0

two different rootdn
by Rudy Setiawan 21 Dec '06

21 Dec '06

Hi there, I need to add another rootdn in the same ldap server. The goal is to separate two organizations ldap authentication. let's say i have these two rootdn's: (in the file slapd.conf) database dbd suffix "dc=companya,dc=com" rootdn "cn=CompanyAManager,dc=companya,dc=com" rootpw {SSHA}as98dyasdhasiduhasiudhashdas directory /var/lib/ldap/companya database dbd suffix "dc=companyb,dc=com" rootdn "cn=CompanyBManager,dc=companyb,dc=com" rootpw {SSHA}aoshdsadhsaodasdhasdhasih directory /var/lib/ldap/companyb Any pointers or advise are really appreciated :) Thank you all. Regards, Rudy Setiawan -- +++++++++ Booo

2 3

pdf version of documentation, including manuals
by Douglas B. Jones 21 Dec '06

21 Dec '06

Is there a pdf version of the manuals that are up to date. I see the admin. guide, but it is dated last 2005. I am really interested if there was a document or series of documents that had "everything" in pdf format. When I try to download all the web pages within acrobat, it fails (acrobat has a feature to read the web pages and convert them, but I am trying to avoid doing that one page at a time). Thanks for any help!

1 0

A "which version" question
by Lesley Walker 21 Dec '06

21 Dec '06

Hi all, First of all, I'll mention that I've read the information on the download page about "stable" vs "release" and I understand the difference. I've also read the FAQ-o-matic entries on the topic. I'm working towards upgrading our OpenLDAP software (currently 2.3.24). Since we are utterly dependant on OpenLDAP for many things, policy is to go with "stable". However, I noticed a few days ago that somebody said in another thread: > > Look into syncrepl (make sure to upgrade to 2.3.30 first) Are there problems with syncrepl in 2.3.27? Our plan is to move from slurpd to syncrepl with this upgrade. Perhaps the comment was simply made in the spirit of generally keeping up to date, but if there is a potential issue we'd like to know about it. We operate a single master with about 80 identical replicas and some local schema additions, and have about 8000-9000 records. There's nothing particularly special or fancy about any of it as far as I'm aware. All running on Debian 3.1 except the master which is still 3.0 (upgrading RSN). Thanks in advance for any insights. Lesley W -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

6 9

combining loglevel sync and 256
by Daniel Eckstein 21 Dec '06

21 Dec '06

Dear listmember, Ive set up a master/5 replica solution using openldap and syncrepl. Everything is working as expected. Regarding logging theres one question left, I was not able to find an answer. Ive configured ldap to use syslog to write its logfiles. Is it possible to combine loglevel 256 and loglevel sync? Because either Iam able to see every bind/connection/search activity, or all the synchronisation stuff which is going on. Thanks alot in advance! Best regards, Daniel

4 3

Question RE: User-only config directives
by Sean Myers 21 Dec '06

21 Dec '06

I've been doing some searching on this to no avail, so I have a question regarding these two posts: http://www.openldap.org/lists/openldap-software/200603/msg00037.html http://www.openldap.org/lists/openldap-software/200603/msg00039.html As an administrator, I have difficulty understanding why I am unable to be as specific as possible in ldap.conf in defining how my clients are to access my directory. In the second link above, I can understand the reasoning behind generally having SASL_MECH be user-only, but in my case I would appreciate the ability to throw some sort of overriding directive in ldap.conf to allow the user-only options in ldap.conf. While I could just as easily modify libraries/libldap/init.c to suit my needs or otherwise work around this, I was thinking that this might be of some use to other LDAP admins. -- Sean Myers American Research Institute

1 0

No result for SSOXType=3
by Nicolas Lorin 20 Dec '06

20 Dec '06

Hello, I have OpenLDAP v2.2.29 with a local schema. When I launch a search request with filter SSOXType=3 I get no result but it exist. Here my part of schema and ldap contenance : Schema line : attributeType ( 1.3.6.1.4.1.11454.1.5.8 NAME 'SSOXType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Avencis' ) And ldap (in ldif) : version: 1 dn: SSOXName=SSOXSecrets,ou=SSOX,dc=avencis,dc=com objectClass: SSOXConfiguration SSOXComment:: U1NPWCBTZWNyZXRz SSOXCVersion: 1 SSOXName: SSOXSecrets SSOXParameter:: no communicated values SSOXParameter:: no communicated values SSOXParameter:: no communicated values SSOXParameter:: no communicated values SSOXType: 3 Thanks for your answer. PS : Sorry if my English isn't very good, I'm French. -- LORIN Nicolas n.lorin(a)free.fr https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=androw95220%40gm…

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2006