Problem with connections: closed (connection lost)
by Angel L. Mateo
Hello,
We have a clustered openldap server (slapd version 2.2.23 in two debian
sarge servers). These servers are working perfectly as a user repository
for our other servers (mail servers, radius, etc.).
But now we are renovating our servers and we want to upgrade them to a
new one based on openldap 2.3.30 (in two debian etch servers), but we
are having problems.
In a test environment the new servers seem to work perfectly, but when
we connect our mail servers to them we have a lot of errors. The mail
servers seem to lose the connection with the ldap. In the ldap servers the
only errors we could find are a lot of:
Jul 5 09:44:33 canis4 slapd[28723]: conn=5087 fd=249 closed (connection lost)
It seems that it could be a network problem, but the network is the
same as for the others.
We could think about a default parameter limiting connections or
something like that...
Has anybody ever had this same problem? How could we solve it?
Thanks in advance
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
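One way to see which clients are behind those "closed (connection lost)" lines, as an added example rather than anything from the original thread: slapd's stats-level log writes an ACCEPT line carrying the client IP for every conn id, so pairing each ACCEPT with its close shows which peers lose connections and whether they did so before sending any operation. The log lines below are constructed samples in that format; the IPs and DN are invented.

```python
import re
from collections import defaultdict

# Constructed sample of slapd syslog lines (loglevel stats); not from the original post.
SAMPLE_LOG = """\
Jul 5 09:44:01 canis4 slapd[28723]: conn=5087 fd=249 ACCEPT from IP=10.0.0.5:41234 (IP=0.0.0.0:389)
Jul 5 09:44:01 canis4 slapd[28723]: conn=5087 op=0 BIND dn="cn=mail,dc=example,dc=com" method=128
Jul 5 09:44:01 canis4 slapd[28723]: conn=5087 op=0 RESULT tag=97 err=0 text=
Jul 5 09:44:33 canis4 slapd[28723]: conn=5087 fd=249 closed (connection lost)
Jul 5 09:44:40 canis4 slapd[28723]: conn=5088 fd=250 ACCEPT from IP=10.0.0.6:51000 (IP=0.0.0.0:389)
Jul 5 09:44:41 canis4 slapd[28723]: conn=5088 fd=250 closed (connection lost)
Jul 5 09:45:00 canis4 slapd[28723]: conn=5089 fd=251 ACCEPT from IP=10.0.0.5:41300 (IP=0.0.0.0:389)
Jul 5 09:45:00 canis4 slapd[28723]: conn=5089 op=0 UNBIND
Jul 5 09:45:00 canis4 slapd[28723]: conn=5089 fd=251 closed
"""

CONN_RE = re.compile(r"conn=(\d+) (.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")

def summarize(log_text):
    """Return {client_ip: {"accepted": n, "lost": n, "lost_without_op": n}}."""
    client = {}              # conn id -> client IP seen on its ACCEPT line
    ops = defaultdict(int)   # conn id -> number of operations logged on it
    stats = defaultdict(lambda: {"accepted": 0, "lost": 0, "lost_without_op": 0})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group(1), m.group(2)
        accept = ACCEPT_RE.search(rest)
        if accept:
            client[conn] = accept.group(1)
            stats[client[conn]]["accepted"] += 1
        elif rest.startswith("op="):
            ops[conn] += 1
        elif rest.endswith("closed (connection lost)") and conn in client:
            ip = client[conn]
            stats[ip]["lost"] += 1
            if ops[conn] == 0:            # peer went away before its first operation
                stats[ip]["lost_without_op"] += 1
    return dict(stats)
```

A client that mostly loses connections before any operation points at connection setup (timeouts, firewalls, the client's pool logic) rather than at slapd's handling of requests.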
Re: read ACL working but write ACL not-[write access denied by read(=rscx)]
by Philip Guenther
On Tue, 10 Jul 2007, JOYDEEP wrote:
...
> thanks a lot for your response and clarification.
>
> I have the following as my group ACL
Before attacking the question of how to make the group ACLs behave as
desired: have you corrected the ACLs described in your previous message
and confirmed that your correct versions operate as you desired?
Once you've done that, you should then decide whether those corrections
also apply to the group ACL case...but not until you're *sure* the simpler
ACLs are behaving as desired.
Philip Guenther
using a proxy/rewrite to obviate the need for a legacy suffix?
by Tim Mooney
All-
I'm a very recent subscriber to the list, though we've been happily using
OpenLDAP for years. Our needs have been pretty pedestrian, so for us
OpenLDAP has never required much care and feeding, and hence I've
neglected to learn much beyond the basics. Now I need some advice related
to multiple suffix support, and what we can do to lessen the pain.
We're currently using OpenLDAP 2.3.x, with a preferred suffix of
suffix "dc=nodak, dc=edu"
When we started with OpenLDAP way back in the day, we used
suffix "o=NDUS, st=North Dakota, c=US"
and unfortunately, we've had to keep that around for legacy (political)
reasons, so we're running 2.3.x with two suffix entries in our slapd.conf.
The information that's served is exactly the same, no matter which suffix
you use. It's just two ways to get at the same information.
When we upgraded to OpenLDAP 2.3.x last year, I quickly discovered that
the new default of "back-bdb" was not an option for us, because it doesn't
support multiple suffix entries (unless you build it in a special way that
"degrades performance", according to the FAQ). That means we had to
continue using back-ldbm abstracting bdb as our backend.
We would love to get with the program and switch to back-bdb. Since we
unfortunately have to continue to provide two entry points (the FAQ
seems to use "naming contexts" as the nomenclature for the suffix), we're
looking at options for some kind of proxy/rewrite, so that requests that
come in for the older suffix get proxied/rewritten/mapped to our preferred
suffix.
One of my coworkers has been doing some research into our options for
suffix rewriting, and it looks like we have at least two options:
Option #1:
database relay
suffix "ou=<old suffix here>"
relay "<new suffix here>" massage
Option #2:
database meta
suffix "ou=<old suffix here>"
uri "ldap://localhost/<old suffix here>"
suffixmassage "<old suffix here>" "<new suffix here>"
Both "meta" and "relay" are experimental, so either one of them could
be abandoned and become a dead end for us in the future.
We're leaning toward "relay", since this seems to be very close to what
it was designed to do.
Can anyone provide any hints, suggestions, or moral support on whether
we're heading in the recommended direction, or whether there's a better
way to obviate the need for our legacy suffix entry using some other
kind of rewriting?
Thanks,
Tim
--
Tim Mooney Tim.Mooney(a)ndsu.edu
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
Re: read ACL working but write ACL not-[write access denied by read(=rscx)]
by JOYDEEP
Hi Dieter, Gavin and all,
I have mentioned in my last mail that I had ACL like
################ personal ACL #######################
###################### read #######################
access to
dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read
by * none
######################## write ############################
access to
dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap"
attr=children,entry,@inetOrgPerson,@posixAccount,@mozillaAbPersonAlpha,@evolutionPerson
by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
by users none
The problem when writing was that it reported
Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => access_allowed: write access denied by read(=rscx)
So I disabled the read ACL and the problem disappeared. I have a question here: why do we
need the read ACL at all? Moreover, things are not so easy for the group ACL. If I follow the same technique
for the group ACL then, though the group has no delete option, it can delete the entries easily.
How can I fix this problem?
Thanks so far for giving me the helpful suggestions; thanks a lot.
Re: using openldap as a translation layer.
by S James S Stapleton
> "S James S Stapleton" <stapleton.41(a)osu.edu> writes:
>
> > Disregard my last message, I must have downloaded the BDB only link by
> > pure-and-utter-blondness last time.
> >
> > However, I am still getting the "overlay rwm not found" error. Google
> > readings suggests I need to find a module for this. I'll look for a
> > download for that soon (unless anyone knows of a good one off hand).
>
>
> $ ./configure --help | less
>
> SLAPD Overlay Options:
> [... ]
> --enable-rwm Rewrite/Remap overlay no|yes|mod [no]
> [...]
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://www.dkluenter.de
> GPG Key ID:8EF7B6C6
Yes I tried that, but it's not compiling. My other mail to the list
describes the reason (missing an include - ltdl.h). I don't know what
package/app that include is supposed to come with, and just downloading it
seems like a bad idea because it probably relies on other things in said package.
Anyone here have experience compiling in MinGW?
Thank you,
-Jim Stapleton
read ACL working but write ACL not
by JOYDEEP
Dear list,
Please see below my LDAP structure
base DN ---> dc=suse,dc=ldap
virtual domain ---> virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
user DN --> ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
group DN --> ou=groups,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
contacts DN ---> ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
personal contacts --> ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap
Here is my ACL to read and write the personal addressbook. The read ACL is
working here but the write ACL is not working.
################ personal ACL #######################
access to
dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read
by * none
access to
dn.regex="cn=([^,]+),ou=personal,ou=contacts,,ou=contactsvirtualDomain=([^,]+),dc=suse,dc=ldap$"
by dn.regex="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write
by * none
#################################################
The log reports: tag=105 err=50 text=no write access to parent
Could anyone suggest how to solve the problem?
thanks
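The two ACL messages above (the original "read ACL working but write ACL not" and the follow-up with the "write access denied by read(=rscx)" log) both come down to slapd's evaluation order, which this added example models; it is illustrative code, not slapd's implementation. slapd takes the first "access to" clause whose target matches and, inside it, the first "by" clause whose subject matches, and stops there: a read-only clause listed before a write clause on the same target wins every time. The DNs are constructed from the posted tree; "bob" and the parent DN are assumptions.

```python
import re

# Privilege levels in slapd's order; a granted level covers every lower one.
LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6, "manage": 7}

def expand(template, match):
    """Substitute $1, $2, ... with the groups captured by the target regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)

def access_allowed(acl, target_dn, requester_dn, wanted):
    """Model of slapd's evaluation order (not slapd's own code): the first
    'access to' clause whose target matches is final, and inside it the first
    'by' clause whose subject matches is final. Returns (allowed, level)."""
    for target_re, by_clauses in acl:
        m = re.search(target_re, target_dn)
        if not m:
            continue
        for who, value, level in by_clauses:
            if (who == "*"
                    or (who == "users" and requester_dn != "")
                    or (who == "dn.exact,expand" and expand(value, m) == requester_dn)):
                return LEVELS[level] >= LEVELS[wanted], level
        return False, "none"   # target matched, no 'by' matched: denied
    return False, "none"       # no target matched: denied once any ACL exists

TARGET = (r"cn=([^,]+),ou=personal,ou=contacts,ou=contacts,"
          r"virtualDomain=([^,]+),dc=suse,dc=ldap$")
OWNER = "uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap"
# As posted: a read-only clause first, then a separate write clause on the same target.
# The read clause always matches first, so the write clause is never reached.
ACL_AS_POSTED = [
    (TARGET, [("dn.exact,expand", OWNER, "read"), ("*", None, "none")]),
    (TARGET, [("dn.exact,expand", OWNER, "write"), ("users", None, "none")]),
]
# One clause per target: write already implies read, so a single 'by' line suffices.
ACL_MERGED = [
    (TARGET, [("dn.exact,expand", OWNER, "write"), ("*", None, "none")]),
]

# Constructed DNs following the posted tree (kolkata.opendingo.com virtual domain).
ENTRY = ("cn=bob,ou=personal,ou=contacts,ou=contacts,"
         "virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap")
OWNER_DN = "uid=bob,ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap"
# Parent of ENTRY: neither target regex matches it, so an add (which needs write
# on the parent's 'children') is denied: "err=50 text=no write access to parent".
PARENT = ("ou=personal,ou=contacts,ou=contacts,"
          "virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap")
```

The parent check is why merging the two clauses fixes modify but not add: the ou=personal container needs its own clause granting the owner write on children, and the model ignores attribute selectors, so it treats the whole entry as one privilege level.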
Re: Building OpenLDAP client tools in Wintel platform - reg
by matthew sporleder
Please keep replies on-list. In that kind of situation, I would
recommend downloading the symas kit, trying ldapmodify.c until it
compiles in VC++ (I would imagine this is possible, since it's just a
client, but I'm definitely not the person to give you advice on it),
or just using any number of the existing windows tools that do exactly
the same thing + gui views. (see also perl versions of similar tools,
java versions of similar tools, etc)
On 7/6/07, Aviator LDap <dinesh.openldap(a)gmail.com> wrote:
> Hi Matthew,
>
> Thank you very much for your inputs. But our requirement does not allow me
> to use a CYGWIN dependency. Is there no way to build the client tools using
> VC++?
> Could you please give me some inputs on this.
>
> regards,
> dinesh.
>
>
> On 7/5/07, matthew sporleder <msporleder(a)gmail.com> wrote:
> > On 7/5/07, Aviator LDap <dinesh.openldap(a)gmail.com> wrote:
> > > Hi Friends,
> > >
> > > I am in need of building the OpenLDAP client tools (ldapsearch, etc.,) in
> > > WinTel platform. Could anybody help me in briefing the procedure to build
> > > the files. That is the files need to be in the workspace and impact of
> > > dependent libraries., etc.,
> > > Any kind of help is hugely appreciated.
> >
> >
> > You might want to look here: (check the right-rail news section)
> > http://www.symas.com/cds.shtml
> >
> > If you need to build it yourself, I would probably look into MinGW or cygwin.
> > I'm not sure if this email is still valid:
> > http://www.openldap.org/lists/openldap-devel/200701/msg00002.html
> > but it's also worth looking into if you go that route.
> >
>
>
reference to other entry - question
by Marcin Giedz
Is there any way to do something like this without copying all the data many
times?
1) there is an entry: uid=user1,ou=people,dc=xx,dc=x
The entry has objectClass = person, posixAccount etc., so there is an
attribute userPassword.
2) there are entries:
mail=user1@dom1,ou=domains,dc=xx,dc=x
mail=user1@dom2,ou=domains,dc=xx,dc=x
mail=user1@dom3,ou=domains,dc=xx,dc=x
However, I had to copy some attributes from
uid=user1,ou=people,dc=xx,dc=x like userPassword (with their objectClasses) to
every entry @dom1, @dom2, @dom3 to be able to authenticate such a user.
Now I'm wondering if there is any way to NOT copy the attribute userPassword
(and others) to @dom1.... but rather "create" a reference to
uid=user1,ou=people,dc=xx,dc=x in every @domX so that when an ldapsearch is
performed I will be able to get userPassword using the filter
(mail=user1@dom1) and authenticate user1?
Regards,
Marcin
--
ARISE M.Giedz, T.Żebruń sp.j.
http: www.arise.pl
mail: giedz(a)arise.pl
tel: +48 502 537 157
How to search for all entries that have modified themselves
by Zhang Weiwu
Dear all
We have had the accesslog feature turned on for several months. It's very useful
for us to identify who has modified what (only edit access is logged).
The new requirement is to search for all entries that have modified
themselves.
I don't know how to do it (and failed after many experiments). It's very
easy to identify whether or not a given user has modified herself by
doing:
ldapsearch ... '(&(reqDN=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn)(reqAuthzID=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn))'
But I would need to do this search 4000 times to locate all entries that have
modified themselves. I wish I could work smarter using something like
ldapsearch ... '(&(reqDN=\(.*\))(reqAuthzID=\1))'
Certainly this doesn't work but you get the idea. Is there a solution?
Thanks a lot in advance! Would you please kindly use "reply all" to
reply to this message so that my colleague on the 'cc' can be enlightened
too?
--
Zhang Weiwu
Real Softservice
http://www.realss.com
+86 592 2091112
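An LDAP filter cannot compare two attributes of the same entry, which is why the back-reference idea above has no server-side equivalent; the practical route is one search over the accesslog and a client-side comparison of reqDN against reqAuthzID. This added example (not from the original thread) does that over LDIF output, handling LDIF line folding and "::" base64 values, and normalises the DNs before comparing so case and spacing differences do not hide a match. The accesslog records are constructed samples; the user DNs in them are invented.

```python
import base64

# Constructed accesslog records (not from the original post); the third reqDN is base64 as LDIF allows.
SAMPLE_LDIF = """\
dn: reqStart=20070705094433.000001Z,cn=accesslog
reqStart: 20070705094433.000001Z
reqDN: uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn
reqAuthzID: uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn

dn: reqStart=20070705094500.000001Z,cn=accesslog
reqStart: 20070705094500.000001Z
reqDN: uid=lihua,ou=contacts,
 dc=eoa,dc=cn
reqAuthzID: cn=admin,dc=eoa,dc=cn

dn: reqStart=20070705094600.000001Z,cn=accesslog
reqStart: 20070705094600.000001Z
reqDN:: dWlkPXdhbmdmYW5nLG91PWNvbnRhY3RzLGRjPWVvYSxkYz1jbg==
reqAuthzID: UID=wangfang, OU=contacts, DC=eoa, DC=cn
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds ' '-continued lines, decodes '::' base64 values."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):
            lines[-1] += raw[1:]                     # continuation of previous line
        elif raw:
            lines.append(raw)
        elif lines:                                  # blank line ends an entry
            entry = {}
            for line in lines:
                attr, _, value = line.partition(":")
                if value.startswith(":"):            # 'attr:: <base64>'
                    value = base64.b64decode(value[1:].strip()).decode()
                entry.setdefault(attr, []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries

def normalize_dn(dn):
    """Cheap DN normalisation for comparison: lowercase, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def self_modifications(ldif_text):
    """(reqStart, reqDN) of every logged write whose bound identity is the modified entry."""
    return [(e["reqStart"][0], e["reqDN"][0]) for e in parse_ldif(ldif_text)
            if "reqAuthzID" in e
            and normalize_dn(e["reqDN"][0]) == normalize_dn(e["reqAuthzID"][0])]
```

The input would come from a single search such as ldapsearch -LLL -b cn=accesslog '(reqType=modify)' reqStart reqDN reqAuthzID (cn=accesslog being the conventional, configurable accesslog suffix), replacing the 4000 per-user queries with one pass.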
how to delete entire base dn ?
by JOYDEEP
Hi,
I am very much interested to know the procedure for deleting an entire base
dn, as I am implementing different types of ldif
to learn.
thanks