openldap-software July 2007

openldap-software@openldap.org

108 participants
124 discussions

Problem with connections: closed (connection lost)
by Angel L. Mateo 10 Jul '07

10 Jul '07

Hello, We have a clustered openldap server (slapd version 2.2.23 in two debian sarge servers). These servers are working perfectly as a user's repository from our others servers (mail servers, radius, etc.). But now we are renovating our servers and we want to upgrade them to a new one based on openldap 2.3.30 (in two debian etch servers), but we are having problems. In a test environment the new servers seems to work perfectly, but when we connect our mail servers to it we have a lot of errors. The mail servers seems to lost connection with the ldap. In the ldap serves the only errors we could find are a lot of: Jul 5 09:44:33 canis4 slapd[28723]: conn=5087 fd=249 closed (connection lost) It seems that it could be a network problem, but the network is the same than in the others. We could thinking about a default parameter limiting connections or something like that... Anybody has ever had this same problem? How could we solve it? Thanks in advance -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información _o) y las Comunicaciones Aplicadas (ATICA) / \\ http://www.um.es/atica _(___V Tfo: 968367590 Fax: 968398337

6 13

Re: read ACL working but write ACL not-[write access denied by read(=rscx)]
by Philip Guenther 09 Jul '07

09 Jul '07

On Tue, 10 Jul 2007, JOYDEEP wrote: ... > thanks a lot for your response and clarification. > > I have the following as my group ACL Before attacking the question of how to make the group ACLs behave as desired: have you corrected the ACLs described in your previous message and confirmed that your correct versions operate as you desired? Once you've done that, you should then decide whether those corrections also apply to the group ACL case...but not until you're *sure* the simpler ACLs are behaving as desired. Philip Guenther

1 0

using a proxy/rewrite to obviate the need for a legacy suffix?
by Tim Mooney 09 Jul '07

09 Jul '07

All- I'm a very recent subscriber to the list, though we've been happily using OpenLDAP for years. Our needs have been pretty pedestrian, so for us OpenLDAP has never required much care and feeding, and hence I've neglected to learn much beyond the basics. Now I need some advice related to multiple suffix support, and what we can do to lessen the pain. We're currently using OpenLDAP 2.3.x, with a preferred suffix of suffix "dc=nodak, dc=edu" When we started with OpenLDAP way back in the day, we used suffix "o=NDUS, st=North Dakota, c=US" and unfortunately, we've had to keep that around for legacy (political) reasons, so we're running 2.3.x with two suffix entries in our slapd.conf. The information that's served is exactly the same, no matter which suffix you use. It's just two ways to get at the same information. When we upgraded to OpenLDAP 2.3.x last year, I quickly discovered that the new default of "back-bdb" was not an option for us, because it doesn't support multiple suffix entries (unless you build it in a special way that "degrades performance", according to the FAQ). That means we had to continue using back-ldbm abstracting bdb as our backend. We would love to get with the program and switch to back-bdb. Since we unfortunately have to continue to provide two entry points (the FAQ seems to use "naming contexts" as the nomenclature for the suffix), we're looking at options for some kind of proxy/rewrite, so that requests that come in for the older suffix get proxied/rewritten/mapped to our preferred suffix. One of my coworkers has been doing some research into our options for suffix rewriting, and it looks like we have at least two options: Option #1: database relay suffix "ou=<old suffix here>" relay "<new suffix here>" massage Option #2: database meta suffix "ou=<old suffix here>" uri "ldap://localhost/<old suffix here>" suffixmassage "<old suffix here>" "<new suffix here>" Both "meta" and "relay" are experimental, so either one of them could be abandoned and become a dead end for us in the future. We're leaning toward "relay", since this seems to be very close to what it was designed to do. Can anyone provide any hints, suggestions, or moral support on whether we're heading in the recommended direction, or whether there's a better way to obviate the need for our legacy suffix entry using some other kind of rewriting? Thanks, Tim -- Tim Mooney Tim.Mooney(a)ndsu.edu Information Technology Services (701) 231-1076 (Voice) Room 242-J6, IACC Building (701) 231-8541 (Fax) North Dakota State University, Fargo, ND 58105-5164

3 2

Re: read ACL working but write ACL not-[write access denied by read(=rscx)]
by JOYDEEP 09 Jul '07

09 Jul '07

Hi Dieter,Gavin and all, I have mentioned in my last mail that I had ACL like ################ personal ACL ####################### ###################### read ####################### access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$" by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read by * none ######################## write ############################ access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap" attr=children,entry,@inetOrgPerson,@posixAccount,@mozillaAbPersonAlpha,@evolutionPerson by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write by users none the problem if writing was it reports Jul 9 11:59:33 lvps87-230-8-228 slapd[5147]: => access_allowed: write access denied by read(=rscx) So I disabled the read ACL and the problem disappeared. I have a question here that why we need the read ACL at all more over thing is not so easy for Group ACL. If I follow the same technique for group ACL then though the group has no delete option it can delete the entries easily. how can I fix this problem. thanks so far for giving me the helpful suggestions; thans a lot

2 1

Re: using openldap as a translation layer.
by S James S Stapleton 09 Jul '07

09 Jul '07

> "S James S Stapleton" <stapleton.41(a)osu.edu> writes: > > > Disregard my last message, I must have downloaded the BDB only link by > > pure-and-utter-blondness last time. > > > > However, I am still getting the "overlay rwm not found" error. Google > > readings suggests I need to find a module for this. I'll look for a > > download for that soon (unless anyone knows of a good one off hand). > > > $ ./configure --help | less > > SLAPD Overlay Options: > [... ] > --enable-rwm Rewrite/Remap overlay no|yes|mod [no] > [...] > > -Dieter > > -- > Dieter Klünter | Systemberatung > http://www.dkluenter.de > GPG Key ID:8EF7B6C6 Yes I tried that, but it's not compiling. My other mail to the list describes the reason (missing an include - ltdl.h). I don't know what package/app that include is supposed to come with, and just downloading it seems like a bad idea because it probably relies on other in said packag. Anyone here have experience compiling in MinGW? Thank you, -Jim Stapleton

2 3

read ACL working but write ACL not
by JOYDEEP 09 Jul '07

09 Jul '07

Dear list, Please see below my LDAP structure base DN ---> *dc=suse,dc=ldap virtual domain ---> **virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap* *user DN -->**ou=users,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap group DN --> **ou=groups,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap **contacts DN --->** ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap personal contacts -->**ou=personal,ou=contacts,ou=contacts,virtualDomain=kolkata.opendingo.com,dc=suse,dc=ldap here is my ACL to read and write personal addressbook. the read ACL is working here but the write ACL is not working. *################ personal ACL ####################### access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$" by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" read by * none access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,,ou=contactsvirtualDomain=([^,]+),dc=suse,dc=ldap$" by dn.regex="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap" write by * none ################################################# the log reports ****tag=105 err=50 text=no write access to parent********** could any one suggest how to solve the problem ? thanks

3 7

Re: Building OpenLDAP client tools in Wintel platform - reg
by matthew sporleder 06 Jul '07

06 Jul '07

Please keep replies on-list. In that kind of situation, I would recommend downloading the symas kit, trying ldapmodify.c until it compiles in VC++ (I would imagine this is possible, since it's just a client, but I'm definitely not the person to give you advice on it), or just using any number of the existing windows tools that do exactly the same thing + gui views. (see also perl versions of similar tools, java versions of similar tools, etc) On 7/6/07, Aviator LDap <dinesh.openldap(a)gmail.com> wrote: > Hi Matthew, > > Thank you very much for your inputs. But Our requirement does not allow me > to use CYGWIN dependency.Is there no way to build the client tools using > VC++. > Could you please give me some inputs on this. > > regards, > dinesh. > > > On 7/5/07, matthew sporleder <msporleder(a)gmail.com> wrote: > > On 7/5/07, Aviator LDap <dinesh.openldap(a)gmail.com> wrote: > > > Hi Friends, > > > > > > I am in need of building the OpenLDAP client tools (ldapsearch, etc.,) > in > > > WinTel platform. Could anybody help me in briefing the procedure to > build > > > the files. That is the files need to be in the workspace and impact of > > > dependent libraries., etc., > > > Any kind of help is hugely appreciated. > > > > > > You might want to look here: (check the right-rail news section) > > http://www.symas.com/cds.shtml > > > > If you need to build it yourself, I would probably look into MinGW or > cygwin. > > I'm not sure if this email is still valid: > > > http://www.openldap.org/lists/openldap-devel/200701/msg00002.html > > but it's also worth looking into if you go that route. > > > >

1 0

reference to other entry - question
by Marcin Giedz 06 Jul '07

06 Jul '07

Is there any way to do something like this without copying all data many times. 1) there is entry: uid=user1,ou=people,dc=xx,dc=x The entry has objectClass = person, posixAccount etc.. So there is attribute userPassword. 2) there are entries: mail=user1@dom1,ou=domains,dc=xx,dc=x mail=user1@dom2,ou=domains,dc=xx,dc=x mail=user1@dom3,ou=domains,dc=xx,dc=x, however I had to copy some attributes from uid=user1,ou=people,dc=xx,dc=x like userPassword (with objectClass') to every entry @dom1,@dom2,@dom3 to be able to authenticate such user. Now I'm wondering if there is any way to NOT copy attribute userPassword (and others) to @dom1.... but rather "create" reference to uid=user1,ou=people,dc=xx,dc=x in every @domX so when ldapsearch is performed I will be able to get userPassword using filter (mail=user1@dom1) and authenticate user1? Regards, Marcin -- ARISE M.Giedz, T.Żebruń sp.j. http: www.arise.pl mail: giedz(a)arise.pl tel: +48 502 537 157

3 4

How to search for all entries that have modified themselves
by Zhang Weiwu 06 Jul '07

06 Jul '07

Dear all We have accesslog feature turned on for several months. It's very useful for us to identify who have modified what (only edit access is logged). The new requirement is to search for all entries that have modified themselves; I don't know how to do (and failed after many experiments). It's very easy to identify whether or not a given user have modified herself by doing: ldapsearch ... '(&(reqDN=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn)(reqAuthzID=uid=zhangweiwu,ou=contacts,dc=eoa,dc=cn))' But I need to do this search 4000 times to locate all entries who have modified themselves. I wish I can work smarter using something like ldapsearch ... '(&(reqDN=$.*$)(reqAuthzID=\1))' Certainly this doesn't work but you get the idea. Is there a solution? Thanks a lot in advance! Would you please kindly use "reply all" to reply this message so that my colleague on the 'cc' can be enlightened too? -- Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112

2 1

how to delete entire base dn ?
by JOYDEEP 06 Jul '07

06 Jul '07

Hi, I am very much interested to know the deletion procedure of entire base dn as I am implemeting different types of ldif to learn thanks

2 2

← Newer
1
...
6
7
8
9
10
11
12
13
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software July 2007