I'm currently doing a review to see how OpenLDAP compares, *feature
wise* ATM, to other directory servers and specifically to the Sun DS -
i.e. to get a definitive list of features it's missing that Sun has and
what it has that Sun doesn't have, etc. For brevity, I haven't included
all the potentially useful features of OpenLDAP, but have just focused
on those associated with 1) RFC compliance (which Sun may or may not
meet) and 2) features to match the Sun DS (which it would be replacing).
So far, here's what I have for OpenLDAP:
RFC 4510 (which includes 4511-4519). There was recent discussion on the
list around this, such that in some cases, not everything that changed
from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been
updated in OpenLDAP, but I think those issues are fairly minor.
The following additional RFC's are supported in OpenLDAP:
- RFC 2247 and RFC 3088
- RFC 2696 simple paged results
- RFC 2849 ldif
- RFC 3062 password mod op
- RFC 3296 named referrals, ManageDsaIT
- RFC 3673 All Op attrs + feature
- RFC 3687 Component matching rules
- RFC 3866 Language tag and range
- RFC 3876 matched values control
- RFC 4370 proxy auth
- RFC 4522 binary encoding
- RFC 4523 x.509 cert schema
- RFC 4524 COSINE schema
- RFC 4525 Mod-increment
- RFC 4526 Absolute true/false filters
- RFC 4527 pre/post read control
- RFC 4528 assertion control
- RFC 4529 request attrs by objectclass
- RFC 4530 entryUUID
- RFC 4532 whoami
- RFC 4533 Content Sync op (replication)
RFC's NOT supported are:
- RFC 2589 dds Seems with 2.4, this has gone from experimental to
- RFC 2891 server side sorting
- RFC 3671 collective attributes
- RFC 3928 LCUP mainly for updating cached addressbooks, etc - not
replication between servers
- RFC 3384 looks like just reqs for replication, not an actual
replication protocol - RFC 4533 is used instead
- RFC 3672 (subentries)
- RFC 3698 and 3727 (additional matching rules)
- RFC 3909 LDAP Cancel operation
- RFC 5020 entryDN operational attribute
(There are some other, often obscure, LDAP related RFC's that I didn't
include, but this seems to be the major/useful ones)
Other features not supported:
- VLV browse indexes (per
http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an
RFC, but supported by Sun and MS directories, and used by things like
Outlook and Solaris.
Other supported features:
- dyngroup/dynlist/memberof overlay (A much more useful feature than
Sun's groupOfURLs "dynamic" group and "roles" mechanism)
- ppolicy overlay (matches Sun DS 5.x reasonably closely, but is account
lockout replicated to all servers? Sun DS 6.x claims to)
- refint overlay (similar to Sun's referential integrity plugin)
- unique overlay (similar to Sun's uniqueness plugin)
- audit and accesslog overlays, syslog logging - much more
useful/complete than Sun's access/audit/error logs.
- live acl changes via LDAP
- Per user resource limits (sizelimit, timelimit, idletimeout, etc). I
think Howard Chu said OpenLDAP has some of this, but I haven't seen any
reference to it or how to use it in the docs (does this functionality
exist, and if so, is there any documentation?)
- Tracking of last login (i.e. last successful ldap authentication)
Is this still fairly accurate?
The ones that are really problematic are the lack of:
- VLV Browse indexes
- RFC 2891 (server side sorting)
- per user/entry resources limits (if they don't exist)
Are there any unofficial updates/patches/overlays/plans for any of this
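The feature inventory above can be checked against a live server rather than a spec sheet, since a directory advertises its controls, extended operations and features in the root DSE. This is an added example, not code from the post or the OpenLDAP project: it maps the RFCs discussed above to their published OIDs and reports which ones a root DSE dump advertises; the root DSE text embedded here is a constructed sample, not a capture of any real server.

```python
# Added example: which of the RFC controls/extops/features above does a
# server advertise? Feed it a root DSE dump, e.g. from
#   ldapsearch -x -s base -b "" +      (the sample below is constructed)
RFC_FEATURES = {  # name: (root DSE attribute, published OID)
    "RFC 2696 paged results":    ("supportedControl",   "1.2.840.113556.1.4.319"),
    "RFC 2891 server side sort": ("supportedControl",   "1.2.840.113556.1.4.473"),
    "VLV draft":                 ("supportedControl",   "2.16.840.1.113730.3.4.9"),
    "RFC 3062 password modify":  ("supportedExtension", "1.3.6.1.4.1.4203.1.11.1"),
    "RFC 3296 ManageDsaIT":      ("supportedControl",   "2.16.840.1.113730.3.4.2"),
    "RFC 3673 all op attrs":     ("supportedFeatures",  "1.3.6.1.4.1.4203.1.5.1"),
    "RFC 3909 cancel":           ("supportedExtension", "1.3.6.1.1.8"),
    "RFC 4370 proxy auth":       ("supportedControl",   "2.16.840.1.113730.3.4.18"),
    "RFC 4525 modify-increment": ("supportedFeatures",  "1.3.6.1.1.14"),
    "RFC 4527 pre-read":         ("supportedControl",   "1.3.6.1.1.13.1"),
    "RFC 4528 assertion":        ("supportedControl",   "1.3.6.1.1.12"),
    "RFC 4532 whoami":           ("supportedExtension", "1.3.6.1.4.1.4203.1.11.3"),
    "RFC 4533 content sync":     ("supportedControl",   "1.3.6.1.4.1.4203.1.9.1.1"),
}

SAMPLE_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.1.12
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.1.14
"""

def parse_rootdse(ldif):
    """attr -> set of values from plain 'attr: value' LDIF lines
    (base64 '::' values and folded continuation lines are not handled)."""
    attrs = {}
    for line in ldif.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), set()).add(value.strip())
    return attrs

def audit(ldif):
    """Return {feature name: advertised?} for every entry in RFC_FEATURES."""
    attrs = parse_rootdse(ldif)
    return {name: oid in attrs.get(attr, ()) for name, (attr, oid) in RFC_FEATURES.items()}

if __name__ == "__main__":
    for name, ok in sorted(audit(SAMPLE_ROOTDSE).items()):
        print(f"{'yes' if ok else 'NO':>3}  {name}")
```

Run against both servers' root DSEs, the diff of the two result dicts is the "missing on one side" list the post is trying to build by hand.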
I'm doing a bit of playing with slapo-pcache and have it working
fairly well (particularly once I realised that an individual attr can
live in only one proxyattrset).
However, there's one bit that I can't get working - is there any way
to define a template that will match a search which doesn't provide an
i.e. I can see quite a few searches (presumably from amd) of the
following form (spacing and formatting changed by me to make it more
Jul 23 14:54:16 host1 slapd: conn=49 op=1
SRCH base="dc=inf,dc=ed,dc=ac,dc=uk" scope=2 deref=0
Jul 23 14:54:16 host1 slapd: query template of incoming query =
Jul 23 14:54:16 host1 slapd: QUERY NOT ANSWERABLE
Jul 23 14:54:16 host1 slapd: QUERY NOT CACHEABLE
Jul 23 14:54:16 host1 slapd: conn=49 op=1 SEARCH RESULT tag=101
err=0 nentries=0 text=
Note that there's no 'SRCH attr=' line.
I've tried proxyattrset of the following forms...
proxyattrset 1 *
(both of which crash slapd)
proxyattrset 1 <full list of attrs returned when none specified>
.... but this didn't work either.
Thanks in advance for any advice,
School of Informatics
University of Edinburgh
My site is implementing ppolicy on a 4-server OpenLDAP/RHEL5 setup. I
have a problem with chaining referrals from the 3 slaves to the master.
I followed the slapo-chain man page and chaining works:
cn=proxy,dc=barlaeus,dc=nl is the rootdn on all servers, thus also on
The rootdn is not able to update passwords. I have no idea why the
rootdn shouldn't be able to update passwords (PASSMOD). However, it
seems to me that the chaining from the slave should be carried out as
the actual user and not rootdn. I can find nothing in slapo-chain or
slapd-ldap that lists this possibility.
Can anyone here help with this?
Email: tonni at hetnet dot nl
Actually I want to establish a connection between two slapd daemons. Suppose
we have a tree, and the tree structure is in the attachment.
I want one slapd to take care of the tree hierarchy under Home and the other slapd
to take care of the tree hierarchy under gstorage (this is my problem). How can
I write the slapd.conf file to establish a connection between these two?
Please let me know as soon as possible.
Thanks and Regards,
I'm using OpenLDAP 2.3.35, which comes with Ubuntu 7.10
After make some changes in slapd.conf and restarting LDAP, my database
I'm using replication with slurpd, don't know if it has something to
do with my problem.
Does anyone know or have a clue what's happening?
Any ideas are welcome, thanks in advance.
Actually I have one confusion regarding the dn in OpenLDAP: the dn contains the
attribute cn, but I want to replace this attribute with my customised
attribute. Please let me know whether it is possible or not, and if it is
possible then what will be the attribute type and syntax for the customised
Reply to me as soon as possible.
Thanks and Regards,
Knowing that rootdn always bypasses ACLs, is there any other way to
restrict BIND operations that use rootdn to certain source IP addresses
I have read the OpenLDAP administration handbook and it is stated that slapd
configuration may be stored inside OpenLDAP itself! But before it
starts, how would it access itself?
Sorry if I lose something, but isn't it a chicken-and-egg problem?
Thanks in advance.
Brian Biggs wrote:
> Trying to reload a slapcat dumped database after upgrading
> from 2.3.38 to 2.3.39 and slapadd just hangs after adding
> the records and won't exit. Has anyone else experienced this?
> We are running OpenLDAP on RHEL4 systems w/BDB 4.4.20
> Any help/info appreciated.
So you emptied the db first, before trying a restore?
What errors are you getting?
> Brian Biggs <brian.biggs(a)sonoma.edu>
Trying to reload a slapcat dumped database after upgrading
from 2.3.38 to 2.3.39 and slapadd just hangs after adding
the records and won't exit. Has anyone else experienced this?
We are running OpenLDAP on RHEL4 systems w/BDB 4.4.20
Any help/info appreciated.
Brian Biggs <brian.biggs(a)sonoma.edu>