openldap-software December 2007

openldap-software@openldap.org

75 participants
90 discussions

ldap queries rewriting
by Guillaume Rousse 04 Dec '07

04 Dec '07

Hello list. We have a copier here with a scan-to-mail feature allowing to use LDAP for extracting list of email adresses for users. Unfortunatly, the full user list is retrieved, splitted in groups according to first letter of their email adress, but any entries over 100 in a group are excluded from selection. As we have 120 entries in the A-E group, we have excluded 20 users... As copiers are usually department specific, filtering queries by group membership would allow us to workaround the issue. Unfortunatly, the copier doesn't allow to set up a filter :( Is this possible to do some kind of server-side query rewriting, as mod_rewrite does for apache ? I initially thought of setting up a dynamic group, but this would create a single entry with multiple mail attribute, whereas the copier expect a list of entries with single mail attribute (didn't tested it tough). -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62

1 0

Re: 2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry 04 Dec '07

04 Dec '07

> So, the only reason to have slapo-accesslog(5) built and loaded **BUT > NOT INSTANTIATED** on the __consumer__ (doesn't sound such strikingly > resource intensive a requirement) is to have this attribute defined in > the schema. If this sounds so unreasonable, please suggest (and code) a > better strategy. I'm open to everything (including zapping auditContext > at all, unless anyone out there finds it useful and is actively using it). Here's a question for you ;-) How can test043-delta-syncrepl pass, when there is no accesslog module loaded in slapd-deltasync-slave.conf? Confused again... Gavin.

1 0

ppolicy + slapcat = ldif vulnerability?
by Scott Classen 04 Dec '07

04 Dec '07

I'm not sure if this is truly a vulnerability, but I thought I'd put it out there for discussion. openldap 2.4.6 bdb backend ppolicy overlay I have set up so a default ppolicy such that 3 old passwords are stored in a users pwdHistory attribute. When I back up the bdb database via slapcat -l backup.ldif the userPassword field looks to be Base64 hashed. userPassword:: e1NTSEF9VWFTNDNVDRWEx1QzEyWjASGVWc0VZHRNTmt4M1c= but the passwd history leaves the passwd hashes visible. pwdHistory: 20071203220105Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}wAuvjfMkMyKKHcMV1Tg7qiG0x4 Obviously these backup LDIF files are keep as secure as possible, and these are OLD passwds, but should the pwdHistory attribute also be hashed when being slapcated? Scott

4 5

multiple password policies?
by R.B. 04 Dec '07

04 Dec '07

Hi; After reading some ppolicy HOWTOs, I've seen the following line in the slapd.conf file to assign a default password policy to users. slapd.conf file contains: `ppolicy_default "cn=default,ou=policies,dc=example,dc=com"` So I imagine this is used as the default policy for all users since it's defined globally. If I have several OUs that define users, groups, etc… how would I implement a password policy per user/group? For my setup, I would conceivably have: cn=swa-ppolicy,ou=ppolicies,dc=example,dc=com and cn=pse-ppolicy,ou=ppolicies,dc=example,dc=com ...and so on as I need policies in my directory. How can I apply these per group or user? Would I add a field to my posix[User|Group] schema? Thanks! Rafael

3 2

Re: 2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry 04 Dec '07

04 Dec '07

<quote who="Pierangelo Masarati"> > Gavin Henry wrote: >> <quote who="Aaron Richton"> >>> In the spirit of starting with the obvious, do you find auditContext >>> under >>> cn=Subschema? >> >> I'll check ;-) >> >> But why would this attribute get into the normal data dir? > > that attribute is added to the producer to provide a pointer to the > database that contains the log. The attributeType itself is defined by > slapo-accesslog(5), so the overlay should be present (but does not need > to be instantiated; just compiled in or, if built as module, loaded) in > the consumer in order to have that attribute defined. > I forgot say this happened when I added auditlog to the consumer via cn=config. Will investigate more soon.

1 0

Re: 2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry 04 Dec '07

04 Dec '07

<quote who="Aaron Richton"> > In the spirit of starting with the obvious, do you find auditContext under > cn=Subschema? I'll check ;-) But why would this attribute get into the normal data dir? > > On Mon, 3 Dec 2007, Gavin Henry wrote: > >> Hi All, >> >> I blitzed my consumer to test something, and now I'm seeing in its logs: >> >> syncrepl_message_to_entry: rid=000 mods check (auditContext: attribute >> type undefined) >> >> I don't have an accesslog on the consumer, only auditlog for testing so >> I >> can document it. >> >> Any ideas? >> >> Gavin. >> >> -- >> Kind Regards, >> >> Gavin Henry. >> Managing Director. >> >> T +44 (0) 1224 279484 >> M +44 (0) 7930 323266 >> F +44 (0) 1224 824887 >> E ghenry(a)suretecsystems.com >> >> Open Source. Open Solutions(tm). >> >> http://www.suretecsystems.com/ >> >> >> >

2 1

2.4.6 prov/con, delta-syncrepl and auditContext
by Gavin Henry 04 Dec '07

04 Dec '07

Hi All, I blitzed my consumer to test something, and now I'm seeing in its logs: syncrepl_message_to_entry: rid=000 mods check (auditContext: attribute type undefined) I don't have an accesslog on the consumer, only auditlog for testing so I can document it. Any ideas? Gavin. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

2 1

[Unofficial] OpenLDAP Weekly News Issue 6
by Gavin Henry 04 Dec '07

04 Dec '07

Dear All, The sixth issue is out: http://blog.suretecsystems.com/categories/1-OpenLDAP Summary: - Upcoming OpenLDAP 2.4.7 - Update on Build Farm - Contributions - OpenLDAP Documentation updates - OpenLDAP Development - Blog LDAP Schema Ideas - Selected user issues and solutions discussed - LDAP Roundup Thanks, Gavin. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

1 0

Dereferencing alias
by Rommel Trindade 02 Dec '07

02 Dec '07

Hi, Is there any way to set slapd to always dereference alias as default? When i use the the ldapsearch with -a always the openldap server return 5 entries as expected. But, if i use the ldapsearch without -a i do not receive the 5 entries as expected. Regards, Rommel.

2 1

Regarding communication between two servers in openLDAP
by Anjali Arora 01 Dec '07

01 Dec '07

Hi, Actually i want to establish a connection between to slapd(daemon). Suppose we have a tree and tree structure in the attachment. I want one slapd will take careof tree hierarchy under Home and other slapd will take care of tree hierarchy under gstorage(This is my problem) how can i write slapd.conf file to establish connection between these two. Please let me know as soon as possible. Thanks and Regards, Anjali Arora

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2007