openldap-software June 2007

openldap-software@openldap.org

86 participants
106 discussions

ppolicy and others attributes
by Raphaël 'SurcouF' Bordet 06 Jun '07

06 Jun '07

Hi, Can we use ppolicy with another attribut than userPassword, userCertificate by example ? Regards, -- Raphaël 'SurcouF' Bordet

4 3

monitoring openldap
by Scott Feldstein 06 Jun '07

06 Jun '07

Hello, I was looking at the docs on http://www.openldap.org/devel/admin/ monitoringslapd.html and section 13.1 (cn=config) has yet to be written. Could anyone give me a brief description what what that is? Also, I am writing a health check for openldap and I am only able to find effective monitoring stats via the cn=Monitor but that is not always configured in every slapd instance. Is there another way of going about this? thanks, Scott

2 1

Re: monitoring openldap
by Scott Feldstein 06 Jun '07

06 Jun '07

Hi Buchan, > I assume this section would be on how to configure back-monitor via > back-config, for now, converting your slapd.conf (that you set up for > back-monitor in 13.3) would do what is necessary. If you use a > slapd.conf, > this is irrelevant for you at present. ok, so setting it up in slapd.conf does the same thing. > >> Also, I am writing a health check for openldap > > For what monitoring system ? Hyperic HQ > > Here is the one I use for performance and replication monitoring > with Hobbit > (but I also use it stand-alone). > > http://staff.telkomsa.net/~bgmilne/bb-openldap.pl > thanks, I will definitely check it out. >> and I am only able to >> find effective monitoring stats via the cn=Monitor but that is not >> always configured in every slapd instance. > > The best solution here is to configure it. Yeah, that is unfortunate since not all slapd instances will have this :@( > >> Is there another way of >> going about this? > > AFAIK, no. thanks. Scott > > Regards, > Buchan > > -- > Buchan Milne > ISP Systems Specialist - Monitoring/Authentication Team Leader > B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)

1 0

RE: TLS bare minimum
by Quanah Gibson-Mount 06 Jun '07

06 Jun '07

--On June 5, 2007 6:28:11 PM -0400 "West, Jon (NIH/NIMH) [C]" <wjon(a)mail.nih.gov> wrote: > > yes, I've actually have it looking at the cert but I still get a > connection error when using TLS I think I understand it > ldap_start_tls: Connect error (-11) > additional info: TLS: hostname does not match CN in peer > certificate I think this means is because I used 'test.com' as the server > name when generating the cert rather then the actual server? test.com is > just the test domain I am using Hi, Please keep replies to the list. This error means that the host name in the certificate does not match the hostname for the server. They must match to establish a TLS connection. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

3 2

translucent overlay and bind
by Raphaël 'SurcouF' Bordet 06 Jun '07

06 Jun '07

Hi, Using OpenLDAP 2.3.35, when I've set translucent and rwm overlays to dynamically adds an external attribute (userCertificate) in respond of search request, I can't able anymore to bind. slapd return "Invalid credentials" error messages. If translucent and rwm overlays are commented, bind usage is back. /---( slapd.conf )--- ... overlay translucent uri ldap://A.B.C.D lastmod on overlay rwm rwm-map objectclass * rwm-map attribute * \----8<----8<----8<----8<----8<---- I've also configure a syncrepl replication on this database. Any ideas ? -- Raphaël 'SurcouF' Bordet

1 0

Need to build LDAP on Win64 (IA/EM64T) platform
by Sanghi, Aditya 05 Jun '07

05 Jun '07

Hi All, I need to build LDAP for Win64 platforms, for which I need the following 64bit files. oldap_r.lib Are they available on both Itanium /EM64T ( AMD 64 ) platforms and Where can I get them from? Any pointers to this will be greatly appreciated. Thanks and regards, Aditya Sanghi Informatica Business Solutions PVT LTD "The Data Integration Company" (TM) Diamond District, Tower 'B', 3rd Floor #150, Airport Road, Bangalore - 560 008 India. www.informatica.com <http://www.informatica.com/>

2 1

TLS bare minimum
by West, Jon (NIH/NIMH) [C] 05 Jun '07

05 Jun '07

I would like to set up TLS on our server. Looking through the Administration guide, I am unsure if I need both server AND client certificates. As I understand it I am supposed to first see if I can use the command line tools to establish the TLS connection then attempt to set up a client. So I have created a server certificate. I would like to do this with a test system. The test server is running 2.0.27-22 and our actual server runs 2.2.13-6.4E.. How can I be sure that I am getting an encrypted connection. I am also unsure of how to use LDAP search since whenever I do use it I get errors but when I verify the contents of our directory with other software I can see the things I'm looking for. Again this is a question about LDAPsearch, not the other software. I have a user called tester in my dc=test,dc=com test server (Is it a problem that I use test.com when the machine is not on that domain?) what would be the command to get the LDAP information about tester? Jon West

3 4

translucent overlay question
by Raphaël 'SurcouF' Bordet 05 Jun '07

05 Jun '07

Hi, I've to add some attributes like userCertificate from a PKI LDAP server to my meta-directory, which integrating some others LDAP servers. Some branches are replicated using syncrepl and I don't have rights to modify any entries. I was looked to translucent overlay and added theses following directives to main configuration file of slapd : /---( slapd.conf )--- overlay translucent uri ldap://pkiserver:389/ lastmod on overlay rwm rwm-map attribute userCertificate * \----8<----8<----8<----8<----8<---- First question: I can't bind any more using rootdn of this database when theses directives are activated, why ? Second question: When I'm looking for an entry than have a userCertificate attribute on pkiserver database, I'm getting two responses, why and how can I've only the local entry with remote userCertificate attribute without modify local database ? Best regards, -- Raphaël 'SurcouF' Bordet

1 0

search in ldap access log not fast enough?
by Zhang Weiwu 03 Jun '07

03 Jun '07

Dear list For some special reasons search for modification log is a frequent operation here in our environment. Usually searching for modification log takes 30 seconds or longer: $ ldapsearch -x -D cn=admin,cn=accesslog -w -b cn=accesslog reqDN=uid=Schleifring,ou=contacts,ou=china,dc=ahk,dc=de reqSession; Compare to a typical ldap search that search for a contact person or anyone who live in a state which usually return the result in less then 1 seconds. 30 second time is not acceptable consider the frequency such search is being used. I think I have 'optimized' slapd.conf by using these lines: # used for accesslog, realss database bdb # The base of your directory for database #2 suffix "cn=accesslog" rootdn "cn=admin,cn=accesslog" rootpw .... directory "/var/lib/ldap-log" index reqDN,reqType eq And I have also rebuilt index by using $ slapindex -b cn=accesslog Is this 30 second search time normal and how can I improve search speed? Thanks a lot in advance! The total amount of accesslog entry is about 658147 -- Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112

2 1

how to create db files
by Craig 03 Jun '07

03 Jun '07

I am trying to upgrade from 2.2.13 to 2.3.35 in order to (possibly) fix another problem. But, I am having a ton of problems. At this point, I just want to scratch the current DB and start over. However, if I try this, slapd complains about not being able to find the database: Checking configuration files for : bdb_db_open: db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2) Which makes sense... so, how do I create an empty one? TIA!

4 10

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2007