ldap queries rewriting
by Guillaume Rousse
Hello list.
We have a copier here with a scan-to-mail feature that allows using LDAP
to extract a list of email addresses for users. Unfortunately, the full
user list is retrieved, split into groups according to the first letter of
their email address, but any entries over 100 in a group are excluded
from selection. As we have 120 entries in the A-E group, we have
excluded 20 users...
As copiers are usually department specific, filtering queries by group
membership would allow us to work around the issue. Unfortunately, the
copier doesn't allow setting up a filter :(
Is it possible to do some kind of server-side query rewriting, as
mod_rewrite does for Apache? I initially thought of setting up a
dynamic group, but this would create a single entry with multiple mail
attributes, whereas the copier expects a list of entries with a single mail
attribute (didn't test it though).
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
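As an added example (not from the original post), this slapd.conf fragment shows one way to do server-side what the copier cannot: a back-ldap proxy database reserved for the copier, with slapo-rwm rewriting its search filter to add a group-membership clause. It assumes the copier sends a single (mail=...) assertion, that the real database runs slapo-memberof so entries carry memberOf, and that all DNs here are placeholders.

```conf
# Added example, not from the original post: a proxy database reserved for the
# copier, with slapo-rwm rewriting every mail lookup on the server side.
# Assumed: the copier sends a single (mail=...) assertion, the real database
# runs slapo-memberof so entries carry memberOf, and all DNs are placeholders.
database            ldap
suffix              "ou=copier,dc=example,dc=com"
uri                 "ldap://127.0.0.1/"

overlay             rwm
rwm-rewriteEngine   on
# Map the copier-facing suffix onto the real people container.
rwm-suffixmassage   "ou=copier,dc=example,dc=com" "ou=people,dc=example,dc=com"
# Rewrite the filter string so only this department's group members match.
rwm-rewriteContext  searchFilter
rwm-rewriteRule     "^[(]mail=([^)]*)[)]$"
                    "(&(mail=%1)(memberOf=cn=dept-a,ou=groups,dc=example,dc=com))" ":"
```

Point only the copier at this proxy; other clients keep using the real database, whose filters are untouched. slapo-rwm matches the filter's string form, so the rule must match exactly what the copier sends (compare against the filters logged with loglevel stats).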
Re: 2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry
> So, the only reason to have slapo-accesslog(5) built and loaded **BUT
> NOT INSTANTIATED** on the __consumer__ (doesn't sound such strikingly
> resource intensive a requirement) is to have this attribute defined in
> the schema. If this sounds so unreasonable, please suggest (and code) a
> better strategy. I'm open to everything (including zapping auditContext
> at all, unless anyone out there finds it useful and is actively using it).
Here's a question for you ;-)
How can test043-delta-syncrepl pass, when there is no accesslog module
loaded in slapd-deltasync-slave.conf?
Confused again...
Gavin.
ppolicy + slapcat = ldif vulnerability?
by Scott Classen
I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion.
openldap 2.4.6
bdb backend
ppolicy overlay
I have set up a default ppolicy such that 3 old passwords are stored in a user's pwdHistory attribute.
When I back up the bdb database via slapcat -l backup.ldif, the userPassword field looks to be Base64 hashed.
userPassword:: e1NTSEF9VWFTNDNVDRWEx1QzEyWjASGVWc0VZHRNTmt4M1c=
but the passwd history leaves the passwd hashes visible.
pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4
Obviously these backup LDIF files are kept as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcatted?
Scott
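As an added example (not from the original post), a small scanner for a slapcat dump: LDIF writes some values as `attr:: <base64>` (RFC 2849), which is an encoding rather than a hash, so the scanner decodes those, splits each pwdHistory value into its time#syntaxOID#length#data fields, and lists every password hash a reader of the backup can see. The sample dump and both hashes in it are constructed.

```python
import base64
import re
PWD_HISTORY_RE = re.compile(r"^(\d{14}Z)#([\d.]+)#(\d+)#(.*)$", re.S)

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; '::' values are base64-decoded."""
    entries, dn, attrs = [], None, []
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # unfold; "" flushes last
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: <base64>" is an encoding, not a hash
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries

def parse_pwd_history(value):
    """Split a ppolicy pwdHistory value (time#syntaxOID#length#data), checking length."""
    m = PWD_HISTORY_RE.match(value)
    if not m or int(m.group(3)) != len(m.group(4).encode()):
        raise ValueError("malformed pwdHistory value: %r" % value)
    return {"time": m.group(1), "syntax": m.group(2), "data": m.group(4)}

def find_exposed_hashes(ldif_text):
    """List (dn, attribute, hash) for every password hash readable in the dump."""
    found = []
    for dn, attrs in parse_ldif(ldif_text):
        for name, value in attrs:
            if name.lower() == "userpassword":
                found.append((dn, "userPassword", value))
            elif name.lower() == "pwdhistory":
                found.append((dn, "pwdHistory", parse_pwd_history(value)["data"]))
    return found

# Constructed sample dump in slapcat's LDIF form; both hashes are made-up strings.
CURRENT_PW = "{SSHA}c2FsdCtzYW1wbGUtZGlnZXN0"
OLD_PW = "{SSHA}b2xkLXNhbXBsZS1kaWdlc3Q="
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(CURRENT_PW.encode()).decode() + "\n"
    "pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#%d#%s\n" % (len(OLD_PW), OLD_PW)
)
```

Run over a real dump, the list shows that the current hash and every historical hash are equally readable, which is the argument for treating the whole file (not just userPassword) as secret material.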
multiple password policies?
by R.B.
Hi;
After reading some ppolicy HOWTOs, I've seen the following line in the
slapd.conf file to assign a default password policy to users.
slapd.conf file contains:
`ppolicy_default "cn=default,ou=policies,dc=example,dc=com"`
So I imagine this is used as the default policy for all users since
it's defined globally.
If I have several OUs that define users, groups, etc… how would I
implement a password policy per user/group?
For my setup, I would conceivably have:
cn=swa-ppolicy,ou=ppolicies,dc=example,dc=com
and
cn=pse-ppolicy,ou=ppolicies,dc=example,dc=com
...and so on as I need policies in my directory.
How can I apply these per group or user? Would I add a field to my
posix[User|Group] schema?
Thanks!
Rafael
Re: 2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry
<quote who="Pierangelo Masarati">
> Gavin Henry wrote:
>> <quote who="Aaron Richton">
>>> In the spirit of starting with the obvious, do you find auditContext
>>> under
>>> cn=Subschema?
>>
>> I'll check ;-)
>>
>> But why would this attribute get into the normal data dir?
>
> that attribute is added to the producer to provide a pointer to the
> database that contains the log. The attributeType itself is defined by
> slapo-accesslog(5), so the overlay should be present (but does not need
> to be instantiated; just compiled in or, if built as module, loaded) in
> the consumer in order to have that attribute defined.
>
I forgot to say this happened when I added auditlog to the consumer via
cn=config. Will investigate more soon.
Re: 2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry
<quote who="Aaron Richton">
> In the spirit of starting with the obvious, do you find auditContext under
> cn=Subschema?
I'll check ;-)
But why would this attribute get into the normal data dir?
>
> On Mon, 3 Dec 2007, Gavin Henry wrote:
>
>> Hi All,
>>
>> I blitzed my consumer to test something, and now I'm seeing in its logs:
>>
>> syncrepl_message_to_entry: rid=000 mods check (auditContext: attribute
>> type undefined)
>>
>> I don't have an accesslog on the consumer, only auditlog for testing so
>> I
>> can document it.
>>
>> Any ideas?
>>
>> Gavin.
2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry
Hi All,
I blitzed my consumer to test something, and now I'm seeing in its logs:
syncrepl_message_to_entry: rid=000 mods check (auditContext: attribute
type undefined)
I don't have an accesslog on the consumer, only auditlog for testing so I
can document it.
Any ideas?
Gavin.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Dereferencing alias
by Rommel Trindade
Hi,
Is there any way to set slapd to always dereference alias as default?
When I use ldapsearch with -a always, the OpenLDAP server
returns 5 entries as expected. But if I use ldapsearch without -a, I do not
receive the 5 entries as expected.
Regards,
Rommel.
Regarding communication between two servers in openLDAP
by Anjali Arora
Hi,
Actually I want to establish a connection between two slapd (daemons). Suppose
we have a tree, and the tree structure is in the attachment.
I want one slapd to take care of the tree hierarchy under Home and the other slapd
to take care of the tree hierarchy under gstorage (this is my problem). How can
I write the slapd.conf file to establish a connection between these two?
Please let me know as soon as possible.
Thanks and Regards,
Anjali Arora