Re: Re: ACL problem, restrict access to several attributes
by mheinric@imn.htwk-leipzig.de
>>mheinric(a)imn.htwk-leipzig.de wrote:
>> Hi
>>
>> I'm trying to get an openldap server (2.3.) running with acl restricting access to special attributes
>>
>> tb_READ should be allowed to search in the ou people but must not read any attributes other than telephoneNumber, cn, sn, uid...
>>
>> so I added this access rule to my slapd.conf :
>>
>> access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
>> by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
>
>If you don't allow access to the "entry" attribute somewhere else, that's why it doesn't work:
>
>(Quoting Adminguide23, 6.3.1)
>"To read (and hence return) a target entry, the subject must have read access to the target's entry attribute."
>
>bye
>Christian
>--
>Christian Marg mail : mailto:marg@rz.tu-clausthal.de
>Dezernat 2 TU Clausthal web : http://www.tu-clausthal.de
>D-38678 Clausthal-Zellerfeld fon : 05323/72-2107
>Germany jabber: ifcma(a)jabber.tu-clausthal.de
thanks,
I added "entry" and "objectClass" to the "attrs" and searching works fine too
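As an added example (not the poster's slapd.conf and not from the reply), here is the rule from the thread with the fix described above, placed among the surrounding rules a least-privilege configuration needs. The DNs are the ones used in the thread; the userPassword and root DSE rules are assumptions about a typical setup.

```conf
# Added example, not the original poster's file.
# Root DSE and schema stay readable so clients can bind and discover the server.
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read

# Passwords: users may change their own, anyone may bind against them,
# nobody (tb_READ included) may read them.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# tb_READ: read only the listed attributes under ou=people.
# "entry" is required or no entry is ever returned (Admin Guide 6.3.1);
# "objectClass" lets clients interpret what they get back.
# Each directive ends with an implicit "by * none", so every other
# identity is kept away from these attributes.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=entry,objectClass,telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
    by dn.exact="cn=tb_READ,ou=functional,dc=example,dc=com" read

# Without this final clause slapd falls back to its built-in default,
# "access to * by * read", which would expose every attribute not listed above.
access to *
    by * none
```

The rules are evaluated in order, so the userPassword rule must precede the ou=people rule for tb_READ to be denied that attribute.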
N-Way Multi-Master when one server down
by Chris G. Sellers
I'm noticing that with N-Way Multi-master servers, if one server is
down or crashed, the updates don't always get to this server once it's
back up. (E.g. updates are not queued and when the connection
re-establishes it does not flush out that queue.)
Do I understand this to be correct? Can you adjust the retry time
settings to help mitigate this?
Thanks
Sellers
______________________________________________
Chris G. Sellers | NITLE Technology
734.661.2318 | chris.sellers(a)nitle.org
AIM: imthewherd | GTalk: cgseller(a)gmail.com
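As an added example (not the poster's configuration), the syncrepl consumer stanza of one node in a two-node N-Way Multi-Master setup on OpenLDAP 2.4, showing the retry setting the question asks about. Hostnames, DNs and credentials are placeholders.

```conf
# Added example, not from the thread. Node 1 of a two-node multi-master pair.
serverID        1

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Pull changes from the peer. The provider keeps no outbound queue for a
# node that is down: when this node comes back after a crash its consumer
# presents its contextCSN cookie and the refresh phase pulls everything it
# missed before the session goes persistent.
syncrepl        rid=001
                provider=ldap://ldap2.example.com
                type=refreshAndPersist
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=PLACEHOLDER
                # After a lost connection: retry every 60 s, 10 times, then
                # every 300 s forever. Without the trailing "+" the consumer
                # gives up after the last retry and does not reconnect until
                # slapd is restarted, so changes made on the peer after that
                # point never arrive here.
                retry="60 10 300 +"
mirrormode      on

# This node is also a provider for the peer's consumer.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
```

The peer carries the mirror-image stanza (serverID 2, provider=ldap://ldap1.example.com); it is the peer's retry setting that decides whether it ever reconnects to a node that was down.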
no timeout and proxy still contacting server
by Nathan Morrow
Sorry I haven't gotten an answer on how to respond to threads while
receiving daily digests of this forum, but here it continues.
Wonderful help. It showed that I wasn't indexing the attribute I was
querying. That is done and now the debug level responds with QUERY
ANSWERABLE. Looks like the proxy is actually working.
Well, almost. If the master server is there, it returns with the answer and
all looks good. If the master server isn't there for the proxy, the proxy
still responds in debug with QUERY ANSWERABLE, but blocks after that. This
causes ldapsearch to stay blocked as well.
Why would a proxy still check with the master if the proxy is working? I
want to use this to relieve processing from the master.
It also gets back to the other part of my problem. Since it seems to block
indefinitely, how can I set a decent timeout for slapd?
Again, thanks for the help so far.
Nathan
"Nathan Morrow" <nmorrow(a)spotswood.org> writes:
> Two questions for the group
>
> 1.
>
> I am running slapd as a ldap proxy which is working fine. I have
> tried idetimeout and idle-timeout to shorten the query if the tcp
> connection isn't there for the proxy, but the connection still seems
> to hang indefinitely. Again, it works fine when the master ldap
> server is there.
> overlay pcache
>
> proxyCache bdb 100000 1 1000 100
>
> proxyAttrset 0 proxyAddresses
>
> proxyTemplate (&(objectClass=)(proxyAddresses=)) 0 3600
>
> The query (that works when the master server is available) below,
> doesn't work when the same request is made after that and the server
> isn't there. But that shouldn't matter if the cache were used. Alas,
> no luck.
>
> ldapsearch -x -D 'CN=MTA,OU=Restricted,DC=fake,DC=com' -b
> 'OU=Staff,DC=fake,DC=com' -l 5 -Z "(&
> (objectClass=person)(proxyAddresses=SMTP:user@fake.com))"
> proxyAddresses
In order to test the proxy caching function run your proxy slapd with -d
pcache.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
Re: query timeout and proxytemplate
by Nathan Morrow
Wonderful help. It showed that I wasn't indexing the attribute I was
querying. That is done and now the debug level responds with QUERY
ANSWERABLE. Looks like the proxy is actually working.
Well, almost. If the master server is there, it returns with the answer and
all looks good. If the master server isn't there for the proxy, the proxy
still responds in debug with QUERY ANSWERABLE, but blocks after that. This
causes ldapsearch to stay blocked as well.
Why would a proxy still check with the master if the proxy is working? I
want to use this to relieve processing from the master.
It also gets back to the other part of my problem. Since it seems to block
indefinitely, how can I set a decent timeout for slapd?
Again, thanks for the help so far.
Nathan
------------------------------
Date: Mon, 14 Jan 2008 10:09:53 +0100
From: "Dieter Kluenter" <dieter(a)dkluenter.de>
Subject: Re: query timeout and proxytemplate
To: openldap-software(a)openldap.org
Message-ID: <87hchglqn2.fsf(a)magenta.l4b.de>
Content-Type: text/plain; charset=utf-8
"Nathan Morrow" <nmorrow(a)spotswood.org> writes:
> Two questions for the group
>
> 1.
>
> I am running slapd as a ldap proxy which is working fine. I have
> tried idetimeout and idle-timeout to shorten the query if the tcp
> connection isn't there for the proxy, but the connection still seems
> to hang indefinitely. Again, it works fine when the master ldap
> server is there.
> overlay pcache
>
> proxyCache bdb 100000 1 1000 100
>
> proxyAttrset 0 proxyAddresses
>
> proxyTemplate (&(objectClass=)(proxyAddresses=)) 0 3600
>
> The query (that works when the master server is available) below,
> doesn't work when the same request is made after that and the server
> isn't there. But that shouldn't matter if the cache were used. Alas,
> no luck.
>
> ldapsearch -x -D 'CN=MTA,OU=Restricted,DC=fake,DC=com' -b
> 'OU=Staff,DC=fake,DC=com' -l 5 -Z "(&
> (objectClass=person)(proxyAddresses=SMTP:user@fake.com))"
> proxyAddresses
In order to test the proxy caching function run your proxy slapd with
-d pcache.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
------------------------------
Slapd running out of file descriptors (leak?)
by Diego Woitasen
Hi,
I have OpenLDAP 2.3.27, Red Hat 5 package, and it suddenly runs out of file
descriptors. It works fine for a few days, but then runs out of FDs
and the solution is a restart.
I think it's a bug, because I see the following weird thing with lsof:
slapd 19157 ldap 303u sock 0,5 193051928 can't identify protocol
The file descriptors from 159 up to 4094 are like that. Under normal
operation I don't see FDs like these; I only have approx. 100 FDs at rush
hour.
I don't have anything interesting in the log, and this is not a file descriptor
limit problem.
regards,
diegows
--
Diego Woitasen
XTECH - Soluciones Linux para empresas
(54) 011 5219-0678
configure: error: Berkeley DB version mismatch
by Rakesh Yadav
Hi,
I am installing openLDAP 2.3.28 with BerkeleyDB.4.6.
I have already installed BerkeleyDB.4.6
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.6/include -I/usr/local/ssl/include/openssl"
export LDFLAGS="-L/usr/local/BerkeleyDB.4.6/lib -L/usr/local/ssl/lib"
./configure --enable-slapd --enable-sql --with-cyrus-sasl --enable-crypt
Configuring OpenLDAP 2.3.38-Release ...
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
.....
.....
checking for Berkeley DB major version... 4
checking for Berkeley DB minor version... 6
checking for Berkeley DB link (-ldb-4)... yes
checking for Berkeley DB version match... no
configure: error: Berkeley DB version mismatch
-------------------------------------------------------------------------------------------------------------
I have installed BerkeleyDB.4.6
Then why is it giving a version mismatch error?
Please reply
Thanks
Rakesh Yadav
delete: Internal (implementation specific) error (80)
by jehan procaccia
Hello,
when I want to delete an entry I get "delete: Internal (implementation
specific) error (80)". I run openldap-2.3.32 on Fedora Core release 5.
Example:
$ ldapdelete mail=woaa(a)int-edu.eu,ou=AliasesSympa,dc=int-evry,dc=fr -D
cn=admin,dc=int-evry,dc=fr -W -d 4 -H ldaps://ldapmaster.int-evry.fr -Z -x
request done: ld 0x8874110 msgid 2
request done: ld 0x8874110 msgid 3
ldap_delete: Internal (implementation specific) error (80)
additional info: DN index delete failed
ldap logs
Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=1 BIND
dn="cn=admin,dc=int-evry,dc=fr" method=128
Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=1 BIND
dn="cn=admin,dc=int-evry,dc=fr" mech=SIMPLE ssf=0
Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=1 RESULT tag=97
err=0 text=
Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=2 DEL
dn="mail=woaa(a)int-edu.eu,ou=AliasesSympa,dc=int-evry,dc=fr"
Jan 14 17:11:53 ldapmaster slapd[25329]: => bdb_dn2id_delete: parent
(ou=aliasessympa,dc=int-evry,dc=fr) delete failed: -30989
Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=2 RESULT tag=107
err=80 text=DN index delete failed
Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 op=3 UNBIND
Jan 14 17:11:53 ldapmaster slapd[25329]: conn=287 fd=45 closed ()
thanks.
query timeout and proxytemplate
by Nathan Morrow
Two questions for the group
1.
I am running slapd as an ldap proxy which is working fine. I have tried
idetimeout and idle-timeout to shorten the query if the tcp connection isn't
there for the proxy, but the connection still seems to hang indefinitely.
Again, it works fine when the master ldap server is there.
To test I am actually closing the hole in the firewall to the server on the
ldap port. The firewall doesn't respond at all to the request.
Then I am running an ldapsearch against localhost (the proxy slapd). I
have tried the ldapsearch command with and without the -l parameter to limit
the request there as well with no success.
Any ideas?
2.
I have the proxy overlay running (details below). From everything I read it
looks good to me, but I haven't found many examples. I really only want to
cache the proxyAddresses attribute and possibly the objectClass type, as
that is all I will be querying. The below is meant to do that. I have
removed the objectClass from the template, no better. I have added
objectClass as part of the proxyAttrset, no better.
overlay pcache
proxyCache bdb 100000 1 1000 100
proxyAttrset 0 proxyAddresses
proxyTemplate (&(objectClass=)(proxyAddresses=)) 0 3600
The query (that works when the master server is available) below, doesn't
work when the same request is made after that and the server isn't there.
But that shouldn't matter if the cache were used. Alas, no luck.
ldapsearch -x -D 'CN=MTA,OU=Restricted,DC=fake,DC=com' -b
'OU=Staff,DC=fake,DC=com' -l 5 -Z
"(&(objectClass=person)(proxyAddresses=SMTP:user@fake.com))" proxyAddresses
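As an added example (not the poster's file and not from the reply), a back-ldap proxy with the pcache overlay from the thread, with question 1 addressed by the back-ldap timeout directives from slapd-ldap(5) and question 2 by showing how the query reduces to the template. The master hostname and the cache directory are placeholders; the DNs are the thread's.

```conf
# Added example, not the original poster's configuration.
database        ldap
suffix          "DC=fake,DC=com"
uri             "ldap://master.fake.com/"      # placeholder host

# Question 1: idle-timeout only closes cached connections that sit idle.
# When the firewall silently drops packets the proxy hangs in connect() or
# waiting for the result, and the bind sent by "ldapsearch -D ..." is always
# forwarded to the master (pcache serves searches, not binds). These bound
# the wait (directive names per slapd-ldap(5); check your 2.3.x build):
network-timeout 5            # seconds to establish the TCP connection
timeout         search=10    # seconds to wait for a forwarded search
conn-ttl        300          # recycle cached connections regardless of use
idle-timeout    60

# Question 2: pcache answers a query from cache only if its filter, with
# every assertion value removed, equals a configured template. The query
#   (&(objectClass=person)(proxyAddresses=SMTP:user@fake.com))
# reduces to the template below, so it is answerable. The requested
# attribute (proxyAddresses) must be in the template's attribute set.
overlay         pcache
proxyCache      bdb 100000 1 1000 100
proxyAttrset    0 proxyAddresses objectClass
proxyTemplate   (&(objectClass=)(proxyAddresses=)) 0 3600

# The cache is a database of its own; its directives follow proxyCache.
# Filter attributes must be indexed here or cached entries are never found
# (the "not indexing the attribute" problem mentioned in the follow-up).
directory       /var/lib/ldap/pcache           # placeholder path
index           objectClass eq
index           proxyAddresses eq
```

A query whose filter reduces to anything else (for example one that omits the objectClass term) is forwarded to the master every time, which is why changing the template and the query together matters.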
openldap 2.4.6 bug in LDAP searchRequest when derefAliases=derefInSearching and scope=wholeSubtree
by Antonio Alonso
Hi !
I think I have found a bug in openLDAP 2.4.6 (maybe I am misunderstanding RFC4511 ...). I explain
the test case where (maybe) I found it:
I have created an alias (alias_entry) which points to another created entry (pointed_entry). I have
not created any subordinate entry under "alias_entry" nor under "pointed_entry".
Using always the "alias_entry" as the "searchRequest.baseObject" I have been checking the answers
obtained from a slapd/back-bdb as I change the values of "searchRequest.scope" and "searchRequest.derefAliases"
fields (I am checking -and assuring- with "Wireshark" that the LDAP searchRequest messages being sent to the slapd
process are the desired ones).
I found the expected behaviour (according to RFC4511) in all cases except for the following one:
- searchRequest.scope: wholeSubtree
- searchRequest.derefAliases: derefInSearching
I received two LDAP searchResEntry messages (instead of the single one expected) !!!
(1) One for the "alias_entry" (where I can see the "aliasedObjectName" attribute set to the pointed_entry's dn) ==> OK
(2) One for the "pointed_entry" ==> ???????
As far as I understand RFC4511 the second entry should NOT be returned from the LDAP server !!!!
BR / Antonio
Antonio Alonso Alarcón
CUDB System Engineer
Ericsson España, S.A. Phone: +34 91339 3085
Via de los Poblados 13 Mobile: +34 609640579 (66215)
28033 Madrid, Spain Fax: +34 91339 1636
E-mail: Antonio.Alonso(a)ericsson.com
rewriting search scope
by Me Me
Hi all. I'm looking at using the rwm rewriter to
rewrite some ldap queries. The rewrite contexts don't
list an entry for the search scope. How can I rewrite
the scope for a search from, say, sub (subtree) to one?
Also, is there a way to get the ldap query in uri
format in the rewriter, so instead of using a context
to get each section you can rewrite the uri (which may
help my first question)? E.g. to get
"http://ldap.server.com/o=searchbase,dc=site?sub?(someattr=somevalue)"
Once you get the uri like this, you can easily parse it. Thanks.