RE: How do I tell ldapsearch to authenticate to the referred to LDAP server when chasing a referral?
by Gavin Henry
<quote who="Comisario, Alejandro">
> Gavin.
> Thanks for the answer. The thing is, and I couldn't say it before, on the
> other side of the OpenLDAP is an Active Directory; when I try what you
> say, it gave me:
>
> doldap@root # ldapsearch -b "ou=prueba,dc=adsc,dc=com" \
> -H ldap://doldap.sc.com -D "cn=admin,cn=users,dc=adsc,dc=com" -W -x
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
>
> Any Ideas?
Is cn=admin,cn=users,dc=adsc,dc=com in AD?
Gavin.
>
>
> -----Original Message-----
> From: Gavin Henry [mailto:ghenry@suretecsystems.com]
> Sent: Tuesday, 17 July 2007 13:59
> To: Comisario, Alejandro
> CC: openldap-software(a)openldap.org
> Subject: Re: How do I tell ldapsearch to authenticate to the referred to LDAP
> server when chasing a referral?
>
> <quote who="Comisario, Alejandro">
>> Hello everyone.
>>
>> I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ,
>> managing external users for an application.
>> But at the same time I want this OpenLDAP to communicate, when queried for a
>> specific DN, with another directory service on my internal network.
>> The connection between the two machines passing through the firewall is
>> correct.
>>
>> The references are:
>> openLDAP machine : doldap.sc.com with domain dc=si,dc=com
>> the other directory : adldap.adsc.com with domain dc=adsc,dc=com
>>
>> I defined the referral like this:
>> dn: ou=test,dc=adsc,dc=com
>> objectClass: referral
>> objectClass: extensibleObject
>> dc: prueba
>> ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com
>>
>> So, when i query something like this (anonymous):
>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x
>>
>> I get this response:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 10 Referral
>> ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub
>>
>> # numResponses: 1
>>
>> So, apparently the referral for that query is found. Next I tell ldapsearch
>> to follow it:
>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C
>>
>> The OpenLDAP tries to follow the referral and gets this response from the
>> other service:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 1 Operations error
>> text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this
>> operation a successful bind must be completed on the connection., data 0,
>> vece
>>
>> # numResponses: 1
>>
>> So, how do I tell ldapsearch to authenticate to the referred-to LDAP server
>> when chasing a referral?
>> Hope someone can help me.
>
> You need to actually bind as a user, e.g.:
>
> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C -D
> "uid=blah,dc=adsc,dc=com" -W
>
> Gavin.
>
>>
>> Regards.
>>
>> .A l e j a n d r o.
>>
>>
>>
>>
>
14 years, 10 months
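The thread above turns on one detail that is easy to miss: when ldapsearch is told to chase a referral (-C) while binding with -D/-W, the credentials are presented again to whatever server the ref: URL names, so the bind DN has to exist on that server, and you want to be sure which host that is before typing a password. The following is an added example, not code from the thread or from the OpenLDAP project: it parses ldapsearch LDIF output for a "result: 10 Referral" and its ref: lines, splits each LDAP URL into host, port, base DN, attributes, scope and filter as laid out in RFC 4516, and flags referral hosts that are not on an operator-supplied allow-list. The sample output is constructed from what the original poster pasted; the allow-list and function names are this example's own.

```python
"""Inspect referrals in ldapsearch LDIF output before chasing them.

Added example (not from the thread or from OpenLDAP). Parses the
"result: 10 Referral" / "ref:" lines ldapsearch prints and splits each
LDAP URL (RFC 4516: ldap://host:port/dn?attrs?scope?filter?exts) so the
operator can see where a chased bind would send the credentials."""
from urllib.parse import unquote, urlsplit

# Constructed sample: the search result the OpenLDAP proxy returned in the thread.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=prueba,dc=adsc,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 10 Referral
ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub

# numResponses: 1
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_referrals(text):
    """Return (result_code, [ref URLs]) from ldapsearch output; result_code is None if absent."""
    code, refs = None, []
    for line in unfold_ldif(text):
        if line.startswith("result: "):
            code = int(line.split()[1])  # "result: 10 Referral" -> 10
        elif line.startswith("ref: "):
            refs.append(line[len("ref: "):].strip())
    return code, refs


def parse_ldap_url(url):
    """Split an LDAP URL into its RFC 4516 components, applying the RFC defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    default_port = 636 if parts.scheme == "ldaps" else 389
    # Everything after the authority is '?'-separated; urlsplit would mis-handle the
    # empty fields (e.g. "dn??sub"), so slice the tail out of the raw string instead.
    tail = url[len(parts.scheme) + 3 + len(parts.netloc):]
    if tail.startswith("/"):
        tail = tail[1:]
    fields = (tail.split("?") + [""] * 5)[:5]
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or default_port,
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",              # RFC 4516: empty scope means base
        "filter": filt or "(objectClass=*)",   # RFC 4516: empty filter means present
        "extensions": exts,
    }


def referral_targets(text, trusted_hosts):
    """Parse every referral in the output and mark whether its host is on the allow-list.

    A bind chased with -C -D/-W is replayed against that host, so an untrusted
    entry here means the credentials should not be sent."""
    code, refs = extract_referrals(text)
    targets = []
    for ref in refs:
        info = parse_ldap_url(ref)
        info["trusted"] = info["host"] in set(trusted_hosts)
        targets.append(info)
    return code, targets


if __name__ == "__main__":
    # Allow-list is this example's own assumption, not something from the thread.
    code, targets = referral_targets(SAMPLE_LDIF, {"adldap.adsc.com"})
    for t in targets:
        print("result=%s host=%s:%s dn=%s scope=%s trusted=%s"
              % (code, t["host"], t["port"], t["dn"], t["scope"], t["trusted"]))
```

Feed it the saved output of an un-chased search (without -C); a referral whose host is not on your allow-list is the one to investigate before re-running with -C and a bind DN.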
Recommended back-end
by Daniel Corbe
I was wondering what the viability of switching to a MySQL-based back-end
would be and how much slower it is compared to the default gdbm back-end.
-Daniel
14 years, 10 months
Authentication per service
by Linux Corporativo
Hi guys,
I'm new to this list and to OpenLDAP.
I intend to set up an OpenLDAP server. I know I can register my
users and their respective passwords.
Well, authentication is one thing, permission is another.
Suppose I have users A, B, C and D, and services MAIL and PROXY.
My question is: how do I give user A permission to MAIL only, user B
to MAIL and PROXY, and user D to PROXY only, since my user/password
base is unique?
Thanks to all..
14 years, 10 months
Reg : patch download for SUN studio 11 c,cpp (native compiler)
by sridhar varadarajan
Hi friends,
I am facing a problem in Solaris 9, which was built with the native compiler (SUN
Studio 11 C, C++). I am in need of the latest patch source for this compiler.
Can anyone help me find the URL for downloading this patch?
thanks in advance
with regards,
sri.
14 years, 10 months
regarding hdb
by Arunachalam Parthasarathy
Hello,
If I use hdb as the database, does it use the Sleepycat Berkeley DB package to store
data?
When I specify the database directive as hdb, do I need to take any special
considerations, as I came across the following in the OpenLDAP FAQ: "back-hdb
tends to require larger caches than back-bdb"?
Thanks in advance,
Arunachalm.
14 years, 10 months
Reg:ldapsearch not running on port 636
by sridhar varadarajan
Hello friends,
This is Sri. I have encountered a problem while trying to work with
ldapsearch on port 636, though slapd on my server system is listening on
both ports 636 and 389. My server is configured on a LINUX machine while my
client is a SOLARIS machine. I have added these lines to slapd.conf (path of
my server and client certificates) and ldap.conf (HOST rsasol1, PORT
636). (FYI: ldapsearch is working fine with port 389.)
rsasol1 is the hostname of my machine.
It throws an error: can't contact LDAP server (-1)
additional info: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
record mac
Can any one of you help me with this issue?
thanks in advance
with regards,
sri.
14 years, 10 months
ssl handshake failure
by kxiluri@email.arizona.edu
Dear all,
I have been experimenting with LDAP for 2 months now.
I had a test RedHat V4 Linux workstation, 32-bit, where I downloaded the most
recent Red Hat rpms and installed openldap and made it work with SSL.
The clients are 7 iMacs running OSX 10.4. The recommended tests
went fine for the most part (except I can't change user passwds).
But I had some very happy users, being able to make the best
of both worlds.
Then I decided to install LDAP with the same procedure on the
production server, again RH V4, Enterprise 64-bit.
While I could get it to work without SSL, I am having a hard time
enabling SSL.
On the Linux LDAP server when I do:
openssl s_client -connect localhost:636 -showcerts -state -CAfile /usr/share/ssl/certs/slapd.pem
I get
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
18203:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
I get the same result with the ldap service stopped or started.
I have used the same slapd.conf file in both cases. The rpms are
the same, the ssl rpms are the same, and from what I can tell the cyrus-sasl
is the same.
Could anyone shed some light here? That would be most appreciated.
Many thanks
kiriaki
14 years, 10 months
syncrepl works fine, but entries not visible
by stephane.purnelle@corman.be
Hi,
OpenLDAP 2.3.24 on the consumer and 2.3.20 (not sure) on the producer.
The syncrepl seems to work fine, but if I try to see records with
ldapbrowser or jexplorer or a simple ldapsearch, I don't find all entries.
And if I try to add with an ldif import, ldap says that the entry already
exists?
What is happening?
My consumer ldap server will be used as a BDC (samba) server.
thanks
Stéphane
-----------------------------------
Stéphane PURNELLE stephane.purnelle(a)corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
14 years, 10 months
asking for new feature extending LDAP: return entries that only match in default language
by Zhang Weiwu
Dear list
I am not sure if this is the right place to ask for this, but can
someone help me by writing me a patch to openldap that allows me to do a
search and only get entries that match in the default language (but
not in other language versions)?
How much do I need to pay for such a patch?
e.g. there are 2 entries:
First Entry is:
o: Company A
Second Entry is:
o: Company B
o;lang-de: Aaaa
Then the patch I need would allow me to do a search for o with "*A" that
only returns me the first entry but does not return the second entry.
I suspect maybe the patch would accept a special search filter format:
search for o=*A -> returns both entries, this is like a traditional search
search for o;lang-=*A -> returns only the first entry, this is using the
"special search filter format"
The latter search filter is only my imagination; I mean ";lang-" is
telling the server to only look for the default language version. There can be
better ways to invent a search filter format for my purpose without
breaking other standards too much.
Thank you very much and best regards
Zhang Weiwu
14 years, 10 months
cn=config: allow more users to access
by José Marco
Hi everybody, I'm juggling with permissions and slapd.d configuration
and I am having problems allowing access to the cn=config backend...
How can I allow access to users other than the backend's rootdn?
I tried inserting lines in the file "olcDatabase={0}config.ldif" like:
olcAccess: to * by dn="uid=my_user, dc=my_domain, dc=com" read
or even
olcAccess: to * by * read
with no success...
After that I thought of creating a branch under cn=config with
users (something like "ou=people, cn=config") in order to allow access
for them, but I get constraint problems...
Any suggestions?
14 years, 10 months