ldapsearch across back-sql and non-back-sql tree
by Robert Brooks
I have a back-sql portion of my ldap tree, I can search within the
back-sql part of the tree (and within the ldbm), but searches do not
cross from the ldbm tree into the back-sql part of the tree.
Should I make a referral in the ldbm tree at the point the back-sql tree
is mounted, or is there a better way to do this?
Regards,
Rob
16 years, 9 months
cleaning up logs from bdb db and upgrading ldap
by Douglas B. Jones
I noticed that I am getting a number of bdb logs (log.0000000000 .. 210)
so far for one db. What is the proper procedure for consolidating these
with openldap while keeping the server process running. We have version 2.3.27,
but plan on upgrading to 2.3.33.
The second question: is the best way to migrate from one ldap version to
another to slapcat from the old one and the slapadd to the new one? I realize
if I do this way, I would in essence have an answer for the first question,
but the first one I was wondering from a live point of view.
Thank you for any help; I have not had much time finding an answer
in the archives or the slapd.conf or slapd.bdb man pages. Thanks!
16 years, 9 months
SASL GSSAPI authentication with Sun Java Directory Server 5.2P4
by Andrew Deason
I am trying to use OpenLDAP's ldapsearch to connect to a Sun DS 5.2
server using SASL/GSSAPI to authenticate. The setup works perfectly
fine on Solaris clients, but not on Linux ones using OpenLDAP's
ldapsearch (Debian sid on x86). Instead, it always gives the following
error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Unknown code 188)
This error is coming from the DS server (right?), so I know this may
not be OpenLDAP's problem. I was just wondering if anyone else had
encountered this problem, or if there are any workarounds or anything,
or if this is known to just not work at all.
I'm using the Cyrus SASL implementation with MIT Kerberos. I tried this
with ldapsearch 2.3.30 and 2.2.23.
--
Andrew Deason
adeason2(a)uiuc.edu
16 years, 9 months
Re: map custom attribute to another non custom attribute
by matthew sporleder
On 1/19/07, P. Martinez <martinezino(a)googlemail.com> wrote:
> Hello List,
>
> before I start, I am very new to directory
> services, therefore please be patient with
> me. I am with myself ;)
>
> I am writing a custom schema - and thought
> about a way of mapping attributes.
>
> attributeType ( OIDXXX NAME ( 'cn' 'commonName' )
> SUP name )
>
> Here we have two ways to query for entries - cn
> and commonName, right?
>
> My question: Is it possible to construct a
> schema that maps attributes to another
> attribute of a different objectclass/schema?
>
> Why? - Let's say an application asks for
> "unordinaryattributeName". Now I want to
> map it to cn transparently. So I only need
> to manipulate cn fields etc.
>
> This idea comes to me as a flash of genius.
> But i hope that it is quite old and therefore
> possible.
>
Although this might be possible (I'm not sure how many NAMEs you're
allowed in a schema), openldap provides mechanisms to do this already.
And you wouldn't have to hijack namespace, or get into other nasty
things like that.
See slapo-rwm(5)
---
DESCRIPTION
The rwm overlay to slapd(8) performs basic DN/data rewrite and object-
Class/attributeType mapping. Its usage is mostly intended to provide
virtual views of existing data either remotely, in conjunction with the
proxy backend described in slapd-ldap(5), or locally, in conjunction
with the relay backend described in slapd-relay(5).
16 years, 9 months
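As an added example (not from the thread or from the OpenLDAP documentation), here is a slapd.conf fragment doing what the original poster asked for with the relay backend and the rwm overlay: clients bound to the virtual suffix can search and read the invented attribute name, and rwm rewrites it to cn on the way to the real database. The suffixes dc=example,dc=com and dc=virtual,dc=com and the name unordinaryattributeName are assumptions, and the attribute type still has to be declared in a loaded schema file, since rwm can only map types slapd already knows.

```conf
# Real data lives here (assumed suffix and paths).
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap

# Virtual view of the same data: the relay backend hands requests to the
# database above, and the rwm overlay translates names in both directions.
database    relay
suffix      "dc=virtual,dc=com"
relay       "dc=example,dc=com"
overlay     rwm
# Map the virtual suffix onto the real one (virtual side defaults to this suffix).
rwm-suffixmassage   "dc=example,dc=com"
# <local name seen by clients> <foreign name in the real database>
rwm-map     attribute unordinaryattributeName cn
# Pass every other attribute and objectClass through unchanged.
rwm-map     attribute * *
rwm-map     objectclass * *
```

Because the mapping works in both directions, entries read through dc=virtual,dc=com return their cn values under the virtual name; clients that need the attribute as cn keep using the real suffix.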
Salted passwords, further clarification please
by m h
Hi all.
I'm trying to write a script to change the rootpw value in slapd.conf.
Before allowing the user to change the password, I'm asking that they
first verify the existing password.
My question has to do with the random salt. How do I verify the
existing password? Going through slappasswd doesn't appear to work,
since it uses a random salt each time, i.e.:
r52 ~ # slappasswd -s foo
{SSHA}OBe71ShE85Wd8PINTJzunxazszPWpon1
r52 ~ # slappasswd -s foo
{SSHA}OCK0lxJa+pfFqDfE39N3EZ8529IZIMhd
It doesn't appear from the man page for slappasswd that you can
specify the salt.
Furthermore, how does the server know what the salt is? (I read
through the FAQ on the website and it says the salt is added to the
password before encryption).
A little confused. Anything enlightening would be wonderful! Thanks much.
matt
16 years, 9 months
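The verification the poster is after does not need the salt as a separate input, because slappasswd's {SSHA} value is base64(SHA1(password + salt) || salt): the salt is appended after the 20-byte digest and can be read back out of the stored value. This added example (not from the thread, and not OpenLDAP code) pulls rootpw out of slapd.conf text, splits the stored value into digest and salt, and checks a candidate password against it; the slapd.conf snippet and the 4-byte salt in the test are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the thread. slappasswd stores
# base64( SHA1(password + salt) || salt ), so the salt is recoverable
# from the hash itself and nothing else has to be kept around.
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes; the salt follows it


def rootpw_from_conf(conf_text: str) -> str:
    """Return the value of the first rootpw directive in slapd.conf text."""
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "rootpw":
            return parts[1].strip().strip('"')
    raise ValueError("no rootpw directive found")


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build a {SSHA} value the way slappasswd -s does (4 random salt bytes)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> tuple:
    """Split a {SSHA} value into (digest, salt); reject malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    if len(raw) < DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def verify_ssha(stored: str, candidate: str) -> bool:
    """True when candidate, hashed with the stored salt, matches stored."""
    digest, salt = split_ssha(stored)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(digest, computed)


# The two hashes quoted in the post: same password "foo", different salts.
POST_HASHES = [
    "{SSHA}OBe71ShE85Wd8PINTJzunxazszPWpon1",
    "{SSHA}OCK0lxJa+pfFqDfE39N3EZ8529IZIMhd",
]

if __name__ == "__main__":
    for h in POST_HASHES:
        print(h, "salt:", split_ssha(h)[1].hex(), "foo matches:", verify_ssha(h, "foo"))
```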
[Fwd: Re: Bug(?) With OpenLDAP 2.3.32]
by daniel@ncsu.edu
Dooh, sorry, this was supposed to go to the list instead of you directly.
---------------------------- Original Message ----------------------------
Subject: Re: Bug(?) With OpenLDAP 2.3.32
From: daniel(a)ncsu.edu
Date: Wed, January 24, 2007 1:51 pm
To: "Gavin Henry" <ghenry(a)suretecsystems.com>
--------------------------------------------------------------------------
I'm not supplying the old attribute. This particular individual has a
double major and hence the way we are using it, he has two ou's associated
with him.
Daniel
> <quote who="daniel(a)ncsu.edu">
>> Hi folk!
>>
>> We upgraded to OpenLDAP 2.3.32 recently and I ran into something that,
>> unless I have completely lost my mind, should not be occurring:
>>
>> /local/ldap/data # /local/ldap/bin/ldapmodify -x -h localhost -D
>> "cn=ldapadmin,dc=ncsu,dc=edu" -w LDAPADMINPASSWORD
>> dn: uid=STUDENTUSERNAME,ou=students,ou=people,dc=ncsu,dc=edu
>> changetype: modify
>> replace: ou
>> ou: B A - Physics
>> ou: B S - Philosophy
>> -
>> replace: ncsucurriculumcode
>> ncsucurriculumcode: PYA
>> ncsucurriculumcode: LSL
>>
>> modifying entry
>> "uid=STUDENTUSERNAME,ou=students,ou=people,dc=ncsu,dc=edu"
>> ldap_modify: Type or value exists (20)
>> additional info: modify/replace: ou: value #1 already exists
>>
>>
>> Obviously I replaced the user's username and my ldap admin password. ;D
>> A replace should literally be replacing the ou and ignoring what it's
>> currently set to, correct? And since those two ou's are not the same,
>> it
>> should be fine? What's even more bizarre is that I didn't run into this
>> while populating the database in the first place. Is this, perchance,
>> fixed in 2.3.33? Thanks!
>
> You don't supply the old attribute value, just the new one.
>
> man ldapmodify
>
>>
>> Daniel
>>
>
>
16 years, 10 months
Can't add data to new ou
by gandalf istari
Hi,
I'm quite new with LDAP so ....
I have created a new ou with this command:
slapadd -l ./new-od.ldif without any errors
dn: ou=Recipients_Seny, ou=Recipients, ou=not_users, ou=users_sxo,
dc=internal,dc=sodexho,dc=be
ou: Recipients_Seny
objectClass: top
objectClass: organizationalUnit
when I add data I get this error:
igor:~# ldapadd -c -x -S /var/log/sync-ldap/ldapadd-userinfo.log -D "cn=admin,dc=internal,dc=sodexho,dc=be" -w xxx -h 127.0.0.1 -P 3 -f ./sos.ldif
adding new entry "CN=SOSCATALOG,OU=Recipients_Seny,OU=Recipients,OU=not_users,OU=users_sxo,DC=internal,DC=sodexho,DC=be"
ldap_add: No such object (32)
matched DN: ou=Recipients,ou=not_users,ou=users_sxo,dc=internal,dc=sodexho,dc=be
the ldif:
dn: CN=SOSCATALOG,OU=Recipients_Seny,OU=Recipients,OU=not_users,OU=users_sxo,DC=internal,DC=sodexho,DC=be
cn: SOSCATALOG
displayName: SOSCATALOG
mail: SOSCATALOG(a)sodexho-be.com
givenName: SOSCATALOG
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
sn: SOSCATALOG
what must be done to solve this?
TIA
16 years, 10 months
ldapsearch for digest-md5
by Radhakrishnan Balasubramanian
Hi All,
I have an OpenLDAP server 2.2.13 with Cyrus SASL
configured.
I am trying to do ldapsearch with digest-md5. I am
getting the following error:
ldapsearch -Y digest-md5 -D
"uid=pokemon,ou=People,dc=cisco,dc=com" -w pokemon123
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication
failure: client response doesn't match what we
generated
But ldapsearch with the -U option is successful. Please
let me know what needs to be done on my LDAP server to
make ldapsearch successful without using -U (SASL
authentication identity) and using only the -D option.
Thanks,
RK
16 years, 10 months
2.3.33 back_meta test failure
by Andreas Hasenack
Hello,
while running make test on a 2.3.33 build, I get an error in
test030-relay when using the meta backend:
(...)
Using meta backend...
Starting slapd on TCP/IP port 9011...
Using ldapsearch to check that slapd is running...
Using ldapadd to populate the database...
Searching base="dc=example,dc=com"...
Searching base="o=Example,c=US"...
Search failed (255)!
./scripts/relay: line 78: kill: (31577) - Processo inexistente
>>>>> ./scripts/test030-relay failed (exit 255)
make: ** [bdb-yes] Erro 255
The log shows:
$ tail testrun/slapd.1.log
conn=3 op=1 >>> meta_search_dobind_init[0]
conn=3 op=1 <<< meta_search_dobind_init[0]=1
==> rewrite_context_apply [depth=1] string='o=Example,c=US'
==> rewrite_rule_apply rule='((.+),)?o=Example,[ ]?c=US$' string='o=Example,c=US' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'dc=example,dc=com'}
[rw] searchBase: "o=Example,c=US" -> "dc=example,dc=com"
==> rewrite_context_apply [depth=1] string='(objectClass=*)'
==> rewrite_context_apply [depth=1] res={0,'NULL'}
[rw] searchFilter: "(objectClass=*)" -> "(objectClass=*)"
/home/andreas/updates-svn/openldap/BUILD/openldap-2.3.33/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.3.so.0: undefined symbol: ldap_back_proxy_authz_ctrl
Anybody else with the same problem?
16 years, 10 months
Notes on LDAP Performance, docs
by Howard Chu
In a recent blog entry
http://www.connexitor.com/blog/pivot/entry.php?id=103
I discussed how LDAP gets misused in some applications, using sendmail as an
example. Gavin Henry commented that some of that material ought to go in the
FAQ-o-Matic. And I replied with the usual "the FAQ-o-Matic is open for anyone
to contribute."
I think we could really use someone to volunteer to be a documentation lead,
because just relying on random members of the community to contribute is just
too, well, random.
One of the things such a doc person might do is take responsibility for
merging useful mailing list posts into the FAQ-o-Matic.
Another task that would be a big help would be to sift through the current
entries in the FAQ and identify articles that can move into the Admin Guide.
Part of that task may include consolidating information from several FAQ
items into a single coherent piece of text.
If you've been looking for a way to get more involved in the OpenLDAP
community, this would be a great way to start. You don't have to be a
programmer, and you'll learn a lot on the way. Plus you'll get that warm
fuzzy feeling from knowing you've helped to improve the OpenLDAP package for
all to benefit.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
16 years, 10 months