openldap-software November 2007

openldap-software@openldap.org

73 participants
92 discussions

Supported RFC's and "features"
by Clowser, Jeff (Contractor) 13 Jul '09

13 Jul '09

I'm currently doing a review to see how OpenLDAP compares, *feature wise* ATM, to other directory servers and specifically to the Sun DS - i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. For brevity, I haven't included all the potentially useful features of OpenLDAP, but have just focused on those associated with 1) RFC compliance (of which Sun may or may not meet) and 2) features to match the Sun DS (which it would be replacing). So far, here's what I have for OpenLDAP: RFC 4510 (which includes 4511-4519). There was recent discussion on the list around this, such that in some cases, not everything that changed from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been updated in OpenLDAP, but I think those issues are fairly minor. The following additional RFC's are supported in OpenLDAP: - RFC 2247 and RFC 3088 - RFC 2696 simple paged results - RFC 2849 ldif - RFC 3062 password mod op - RFC 3296 named referals, manageDSAit - RFC 3673 All Op attrs + feature - RFC 3687 Component matching rules - RFC 3866 Languange tag and range - RFC 3876 matched values control - RFC 4370 proxy auth - RFC 4522 binary encoding - RFC 4523 x.509 cert schema - RFC 4524 COSINE schema - RFC 4525 Mod-increment - RFC 4526 Absolute true/false filters - RFC 4527 pre/post read control - RFC 4528 assertion control - RFC 4529 request attrs by objectclass - RFC 4530 entryUUID - RFC 4532 whoamI - RFC 4533 Content Sync op (replication) RFC's NOT supported are: - RFC 2589 dds Seems with 2.4, this has gone from experimental to production quality? - RFC 2891 server side sorting - RFC 3671 collective attributes - RFC 3928 LCUP mainly for updating cached addressbooks, etc - not replication between servers - RFC 3384 looks like just reqs for replication, not an actual replication protocol - RFC 4533 is used instead Unknown: - RFC 3672 (subentries) - RFC 3698 and 3727 (additional matching rules) - RFC 3909 LDAP Cancel operation - RFC 5020 entryDN operational attribute (There are some other, often obscure, LDAP related RFC's that I didn't include, but this seems to be the major/useful ones) Other features not supported: - VLV browse indexes (per http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an RFC, but supported by Sun and MS directories, and used by things like Outlook and Solaris. Other supported features: - dyngroup/dynlist/memberof overlay (A much more useful feature than Sun's groupOfURLs "dynamic" group and "roles" mechanism) - ppolicy overlay (matches Sun DS 5.x reasonably close, but is account lockout replicated to all servers? Sun DS 6.x claims to) - refint overlay (similar to Sun's referential integrity plugin) - unique overlay (similar to Sun's uniqueness plugin) - audit and accesslog overlays, syslog logging - much more useful/complete than Sun's access/audit/error logs. - live acl changes via LDAP Unknown features: - Per user resource limits (sizelimit, timelimit, idletimeout, etc). I think Howard Chu said OpenLDAP has some of this, but I haven't seen any reference to it or how to use it in the docs (does this functionality exist, and if so, is there any documentation?) - Tracking of last login (i.e. last successful ldap authentication) Is this still fairly accurate? The ones that are really problematic are the lack of: - VLV Browse indexes - RFC 2891 (server side sorting) - per user/entry resources limits (if they don't exist) Are there any unofficial updates/patches/overlays/plans for any of this functionality? Thanks, - Jeff

11 29

using slapo-pcache with an empty attr list
by Toby Blake 05 Jun '08

05 Jun '08

Hi all, I'm doing a bit of playing with slapo-pcache and have it working fairly well (particularly once I realised that an individual attr can live in only one proxyattrset). However, there's one bit that I can't get working - is there any way to define a template that will match a search which doesn't provide an attr list? i.e. I can see quite a few searches (presumably from amd) of the following form (spacing and formatting changed by me to make it more readable): Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SRCH base="dc=inf,dc=ed,dc=ac,dc=uk" scope=2 deref=0 filter="(&(objectClass=amdmap)(amdmapName=home)(amdmapKey=root))" Jul 23 14:54:16 host1 slapd[26671]: query template of incoming query = (&(objectClass=)(amdmapName=)(amdmapKey=)) Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT ANSWERABLE Jul 23 14:54:16 host1 slapd[26671]: QUERY NOT CACHEABLE Jul 23 14:54:16 host1 slapd[26671]: conn=49 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Note that there's no 'SRCH attr=' line. I've tried proxyattrset of the following forms... proxyattrset 1 * proxyattrset 1 (both of which crash slapd) And also proxyattrset 1 <full list of attrs returned when none specified> .... but this didn't work either. Thanks in advance for any advice, Cheers Toby Blake School of Informatics University of Edinburgh

3 8

chain and ppolicy question
by Tony Earnshaw 06 Dec '07

06 Dec '07

OpenLDAP 2.3.38. My site is implementing ppolicy on a 4-server OpenLDAP/RHEL5 setup. I have a problem with chaining referrals from the 3 slaves to the master. I followed the slapo-chain man page and chaining works: moduleload back_ldap.la overlay chain chain-uri "ldaps://mercurius.intern" chain-idassert-bind bindmethod="simple" binddn="cn=proxy,dc=barlaeus,dc=nl" credentials="secret" chain-return-error true cn=proxy,dc=barlaeus,dc=nl is the rootdn on all servers, thus also on the master. The rootdn is not able to update passwords. I have no idea why the rootdn shouldn't be able to update passwords (PASSMOD). However, it seems to me that the chaining from the slave should be carried out as the actual user and not rootdn. I can find nothing in slapo-chain or slapd-ldap that lists this possibility. Can anyone here help with this? Best, --Tonni -- Tony Earnshaw Email: tonni at hetnet dot nl

2 2

Regarding communication between two servers in openLDAP
by Anjali Arora 01 Dec '07

01 Dec '07

Hi, Actually i want to establish a connection between to slapd(daemon). Suppose we have a tree and tree structure in the attachment. I want one slapd will take careof tree hierarchy under Home and other slapd will take care of tree hierarchy under gstorage(This is my problem) how can i write slapd.conf file to establish connection between these two. Please let me know as soon as possible. Thanks and Regards, Anjali Arora

2 1

BDB corruption after LDAP restart
by William Marques 30 Nov '07

30 Nov '07

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi list, I'm using openldap 2.3.35, which comes with ubuntu 7.10 After make some changes in slapd.conf and restarting LDAP, my database is corrupted. I'm using replication with slurpd, don't know if it has something to do with my problem. Does anyone knows or have a clue of whats happening? Any ideas are welcome, thanks in advance. Regards, William Marques -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHTplz/3e1pXF/gswRAp/zAKCd37I4WSq/aoFUswVPBJrT6RpHqwCdEJV9 VFvfqPAzvqgJgHIuGp4Wj0Y= =Py2G -----END PGP SIGNATURE-----

6 6

Regarding dn of openLDAP
by Anjali Arora 29 Nov '07

29 Nov '07

Hi, Actually i have one confusion regarding dn of openLDAP and dn contains the attributes cn but i want to replace this attribute with my customised attribute.Please let me know whether it is possible or not. and if it is possible then what will be the attribute type and syntax for customised attribute. Reply me as soon as possible. Thanks and Regards, Anjali

2 1

restrict rootdn binds by connection source IP address?
by Aleksander Adamowski 29 Nov '07

29 Nov '07

Hi! Knowing that rootdn always bypasses ACLs, is there any other way to restrict BIND operations that use rootdn to certain source IP addresses for clients? -- Best Regards, Aleksander Adamowski GG#: 274614 ICQ UIN: 19780575 http://olo.org.pl -- Aleksander Adamowski Administrator systemów korporacyjnych; Instruktor Altkom Akademia S.A. http://www.altkom.pl Warszawa, ul. Chłodna 51 kom. 0-601-318-080 Sąd Rejonowy dla m.st. Warszawy w Warszawie, XII Wydział Gospodarczy Krajowego Rejestru Sądowego, KRS: 0000120139, NIP 118-00-08-391, Kapitał zakładowy: 1000 000 PLN. Adres rejestrowy Firmy - ul. Stawki 2, 00-193 Warszawa. Niniejsza wiadomość zawiera informacje zastrzeżone i stanowiące tajemnicę przedsiębiorstwa firmy Altkom Akademia S.A. Ujawnianie tych informacji osobom trzecim lub nieuprawnione wykorzystanie ich do własnych celów jest zabronione. Jeżeli otrzymaliście Państwo niniejszą wiadomość omyłkowo, prosimy o niezwłoczne skontaktowanie się z nadawcą oraz usunięcie wszelkich kopii niniejszej wiadomości. This message contains proprietary information and trade secrets of Altkom Akademia S.A. company. Unauthorized use or disclosure of this information to any third party is prohibited. If you received this message by mistake, please contact the sender immediately and delete all copies of this message.

6 7

configuration directives within opendalp itself
by John Nietzsche 28 Nov '07

28 Nov '07

Dear gentleman, i have read openldap administration handbook and it is stated slapd configuration may be stored inside openldap itself! But before it starts how would it access itself? Sorry if a lose something, but isn´t it a chicken-egg problem? Thanks in advance.

4 3

Re: 2.3.39 slapadd hangs
by Gavin Henry 28 Nov '07

28 Nov '07

<quote who="Brian Biggs"> > Hi, > > Trying to reload a slapcat dumped database after upgrading > from 2.3.38 to 2.3.39 and slapadd just hangs after adding > the records and won't exit. Has anyone else experienced this? > > We are running OpenLDAP on RHEL4 systems w/BDB 4.4.20 > > Any help/info appreciated. So you emptied the db first, before trying a restore? What errors are you getting? > > -- > Brian Biggs <brian.biggs(a)sonoma.edu> > >

4 3

2.3.39 slapadd hangs
by Brian Biggs 28 Nov '07

28 Nov '07

Hi, Trying to reload a slapcat dumped database after upgrading from 2.3.38 to 2.3.39 and slapadd just hangs after adding the records and won't exit. Has anyone else experienced this? We are running OpenLDAP on RHEL4 systems w/BDB 4.4.20 Any help/info appreciated. -- Brian Biggs <brian.biggs(a)sonoma.edu>

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software November 2007