February 2008 - openldap-software

Restricting wildcard searches - find only exact matches?

by Nick France

I'm running OpenLDAP 2.3.35 for a simple 'address book'-type directory. There will be anonymous access available to read entries, however, I would like to restrict wildcard searches, and only ever return exact matches. As the entries are unique, there should only ever be one result (sizelimit is set to 1 to ensure this). I've tried many things with ACLs, trying to filter out the wildcard characters [(!(cn=*\2a*))] but with no success. Is this possible? Is there a simple flag/directive/compile option to disable wildcard searching? Nick

13 years, 9 months

2
1
0 / 0

Strange TLS behaviour with slapd 2.3.30 on Debian Etch

by Denis Sacchet

Hello, I have a strange behaviour regarding TLS encryption with an LDAP server. Everything works like a charm for a while, and without any sign, the server begins to not respond for TLS traffic. As the server is partially open on internet, I force TLS, so it is very annoying for us. I change a lot of parameters, I already read several thread about that (and more specially, the one with exactly the same error message as me, where it was solved by specifying the same ciphers in slapd.conf and ldap.conf, but it doesn't work for me ...) You will find all my parameters below, hope I forget nothing. I can provide more log files with and without the problem on demand. The ldap server is used by apache, postfix, saslauthd, pam_ldap, nss_ldap ... Thanks in advance if someone can found a solution for me !!! Best regards Denis Sacchet =================== Here are all the information I can give you : @(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 05:43:02) $ on a Debian Etch server, here are the link information for slapd: linux-gate.so.1 => (0xffffe000) libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f41000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f35000) libiodbc.so.2 => /usr/lib/libiodbc.so.2 (0xb7eed000) libslp.so.1 => /usr/lib/libslp.so.1 (0xb7ede000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ec8000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e89000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d4f000) libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d21000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7d0d000) libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cfb000) libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb7cf4000) libwrap.so.0 => /lib/libwrap.so.0 (0xb7cec000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bbb000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb7000) libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7ba0000) libz.so.1 => /usr/lib/libz.so.1 (0xb7b8c000) /lib/ld-linux.so.2 (0xb7f88000) The same for ldapsearch : linux-gate.so.1 => (0xffffe000) libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb7f8d000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f81000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f6a000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f2b000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7df1000) libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7dc3000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7db0000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c7f000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c7a000) libz.so.1 => /usr/lib/libz.so.1 (0xb7c66000) /lib/ld-linux.so.2 (0xb7fca000) A part of my slapd.conf (no acl, no pass :) ) : include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/rfc2307bis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/mozillaabpersonalpha.schema include /etc/ldap/schema/evolutionperson.schema include /etc/ldap/schema/ouba.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/ldap moduleload back_bdb moduleload smbk5pwd backend bdb checkpoint 512 30 sizelimit 500 tool-threads 1 security ssf=128 disasllow bind_anon password-hash {SHA} TLSCACertificateFile /etc/ssl/certs/<hiddendomain>.pem TLSCertificateFile /etc/ldap/ssl/ldap.<hiddendomain>.com.crt TLSCertificateKeyFile /etc/ldap/ssl/ldap.<hiddendomain>.com.key TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP TLSVerifyClient never TLSCRLCheck none TLSRandFile /dev/hwrng loglevel any ####################################################################### # <hiddendomain>.com database database bdb overlay smbk5pwd suffix "dc=<hiddendomain>,dc=com" rootdn "cn=Manager,dc=<hiddendomain>,dc=com" directory "/var/lib/ldap/<hiddendomain>.com" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq uid uidNumber memberUid gidNumber service lastmod on replogfile /var/lib/ldap/<hiddendomain>.com/replog My ldap.conf file : TLS_CACERT /etc/ssl/certs/<hiddendomain>.pem TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP BASE dc=<hiddendomain>, dc=com URI ldap://ldap.<hiddendomain>.com:389 A trace of ldapsearch when there is the problem : ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)" ldap_create ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 88.191.47.236:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x8057558 msgid 1 ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL wait4msg ld 0x8057558 msgid 1 (infinite timeout) wait4msg continue ld 0x8057558 msgid 1 all 1 ** ld 0x8057558 Connections: * host: ldap.<hiddendomain>.com port: 389 (default) refcnt: 2 status: Connected last used: Mon Dec 10 08:21:46 2007 ** ld 0x8057558 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x8057558 Response Queue: Empty ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL ldap_int_select read1msg: ld 0x8057558 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x8057558 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x8057558 0 new referrals read1msg: mark request completed, ld 0x8057558 msgid 1 request done: ld 0x8057558 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS certificate verification: depth: 0, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:failed in SSLv3 read finished A TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure The same just after a fresh restart : # ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)" ldap_create ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 88.191.47.236:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x8057558 msgid 1 ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL wait4msg ld 0x8057558 msgid 1 (infinite timeout) wait4msg continue ld 0x8057558 msgid 1 all 1 ** ld 0x8057558 Connections: * host: ldap.<hiddendomain>.com port: 389 (default) refcnt: 2 status: Connected last used: Mon Dec 10 08:22:20 2007 ** ld 0x8057558 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x8057558 Response Queue: Empty ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL ldap_int_select read1msg: ld 0x8057558 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x8057558 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x8057558 0 new referrals read1msg: mark request completed, ld 0x8057558 msgid 1 request done: ld 0x8057558 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS certificate verification: depth: 0, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A Enter LDAP Password: -- Denis Sacchet aka. Ouba ("`-/")_.-'"``-._ . . `; -._ )-;-,_`) "Computers are like air conditionners (v_,)' _ )`-.\ ``-' They stop working properly when you _.- _..-_/ / ((.' open Windows !!!" ((,.-' ((,/

13 years, 9 months

8
19
0 / 0

gosa+samba3.schema and slapd.d-configuration-conversion

by Christoph Spielmann

Hi everybody! We got a tiny problem with the new configuration layout (the slapd.d-directory) with out openldap-installation. We're using Gentoo-Linux-Systems here, with openldap-2.3.39, heimdal-1.0.1 and cyrus-sasl-2.1.22 (although i don't think heimdal and cyrus-sasl version-numbers are very interesting for you i added them for completeness....). We have one master- and a slave-Server. Both run and work as they should. Before we actually start to use this thing in production we decided to move away from the original slapd.conf-configuration (which seems to work perfectly) to the new slapd.d-directory configuration. So i tried to automatically convert the slapd.conf into the new slapd.d-configuration using this command: /usr/lib/openldap/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d No output on command-line but as i checked the contents of /etc/openldap/slapd.d/cn=config i remarked that almost everything was missing except the include-ldifs. Next i checked the slapd-logfile and this is what has happened: ... Feb 20 12:46:26 pluto slapd[18078]: ldif_back_add: err: 0 text: Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: conn=-1 op=0 p=0 Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: err=0 matched="" text="" Feb 20 12:46:26 pluto slapd[18078]: config_build_entry: "cn={12}gosa+samba3" Feb 20 12:46:26 pluto slapd[18078]: ldif_back_add: "cn={12}gosa+samba3,cn=schema,cn=config" Feb 20 12:46:26 pluto slapd[18078]: ldif_back_add: err: 34 text: unrecongized attribute type(s) in RDN Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: conn=-1 op=0 p=0 Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: err=34 matched="" text="unrecongized attribute type(s) in RDN" Feb 20 12:46:26 pluto slapd[18078]: backend_startup_one: bi_db_open failed! (-1) Feb 20 12:46:26 pluto slapd[18078]: slapd shutdown: initiated Feb 20 12:46:26 pluto slapd[18078]: ====> bdb_cache_release_all Feb 20 12:46:26 pluto slapd[18078]: ====> bdb_cache_release_all Feb 20 12:46:26 pluto slapd[18078]: slapd destroy: freeing system resources. Feb 20 12:46:26 pluto slapd[18078]: slapd stopped. ... So the gosa+samba3.schema seems to make automatic conversion hickup somehow. After commenting out the include-line for this schema, conversion was successful, so something most be wrong with this schema. I tried to figure out what could be wrong with this schema myself, but i have no clue where i should start to look. At the moment the slave-server is running without the gosa-things included (we don't use them yet but sooner or later we'll include gosa) and it's working perfectly. But as i need to get gosa working too, i need to know what's wrong with the schema. I'll attach the schema to this email, hopefully somebody can point me in the right direction. Regards, Christoph Spielmann ## ## Needed attributes for GOsa (GONICUS System Administrator) ## ## Version 030303 ## ## Maintainer: Cajus Pollmeier (pollmeier(a)GONICUS.de) ## # Attributes attributetype ( 1.3.6.1.4.1.10098.1.1.12.1 NAME 'gosaSubtreeACL' DESC 'GOsa acl entry' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.2 NAME 'gosaUser' DESC 'GOsa user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.3 NAME 'gosaObject' DESC 'GOsa object' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.4 NAME 'gosaMailServer' DESC 'Specify users main mail server' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.5 NAME 'gosaMailQuota' DESC 'GOsa quota definitions' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.6 NAME 'gosaMailAlternateAddress' DESC 'Additional mail addresses where the user is reachable' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.7 NAME 'gosaMailForwardingAddress' DESC 'Addresses where to forward mail to' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.8 NAME 'gosaMailMaxSize' DESC 'Block mails bigger than this value' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.9 NAME 'gosaSpamSortLevel' DESC 'Spamassassins hits' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.10 NAME 'gosaSpamMailbox' DESC 'Where to put spam' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.11 NAME 'gosaVacationMessage' DESC 'Text to display in case of vacation' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.12 NAME 'gosaMailDeliveryMode' DESC 'What to do with mails' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.13 NAME 'gosaDefaultPrinter' DESC 'Defines a default printer a user owns' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.12.14 NAME 'gosaDefaultLanguage' DESC 'Defines the default language for a user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.12.15 NAME 'gosaHostACL' DESC 'Defines the places where users can login' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.16 NAME 'gosaService' DESC 'Defines services a certain host can provide' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.17 NAME 'gosaProxyID' DESC 'Defines the proxy user id used, needed for some filters' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.18 NAME 'gosaProxyAcctFlags' DESC 'Proxy Account Flags' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.12.19 NAME 'gosaProxyWorkingStart' DESC 'Specifies the beginning of work in minutes, relative to 00:00' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.20 NAME 'gosaProxyWorkingStop' DESC 'Specifies the end of work in minutes, relative to 00:00' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.21 NAME 'gosaApplicationName' DESC 'Specifies the name of an application to be shown up on users desktop' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.22 NAME 'gosaApplicationExecute' DESC 'Specifies the executable path of an application' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.23 NAME 'gosaApplicationFlags' DESC 'Specifies the application flags G(roup only), D(esktop), M(enu)' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.31 NAME 'gosaApplicationCategory' DESC 'Store application parameters' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.24 NAME 'gosaApplicationIcon' DESC 'Keeps the application icon in png format' SYNTAX 1.3.6.1.4.1.1466.115.121.1.28) attributetype ( 1.3.6.1.4.1.10098.1.1.12.25 NAME 'gosaSharedFolderTarget' DESC 'Keeps the target of cyrus shared folders' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.26 NAME 'gosaMemberApplication' DESC 'Like memberUid, just for applications' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.27 NAME 'gosaApplicationParameter' DESC 'Store application parameters' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) attributetype ( 1.3.6.1.4.1.10098.1.1.12.28 NAME 'gosaProxyQuota' DESC 'Specifies the amount of data a user may surf in a defined period of time' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.29 NAME 'gosaProxyQuotaPeriod' DESC 'Specifies period of time where the counter is been reseted' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.30 NAME 'gosaGroupObjects' DESC 'Takes a list of all object types that are in a gosaGroupOfNames' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.12.32 NAME 'gosaApplicationMimeType' DESC 'Takes a list of relevant mime-type|priority settings' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.12.33 NAME 'gosaUnitTag' DESC 'Takes a list of relevant mime-type|priority settings' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.12.34 NAME 'gosaAclTemplate' DESC 'Takes ACL entries for gosaRoles' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.35 NAME 'gosaAclEntry' DESC 'Takes ACL entries for gosaRoles' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) attributetype ( 1.3.6.1.4.1.10098.1.1.12.41 NAME 'gosaVacationStart' DESC 'Timestamp for enabling current vacation message' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.12.42 NAME 'gosaVacationStop' DESC 'Timestamp for switching off current vacation message' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE) attributetype ( 1.3.6.1.4.1.10098.1.1.6.2 NAME 'academicTitle' DESC 'Field to represent the academic title' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) attributetype ( 1.3.6.1.4.1.15305.2.1 NAME ( 'gender' 'sex' ) DESC 'Gender: M for male, F for female' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1} SINGLE-VALUE ) attributetype ( 1.3.6.1.4.1.15305.2.2 NAME ( 'dateOfBirth' 'dob' ) DESC 'Date of birth in ISO 8601 format' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE ) # cyrus imapd access control list # acls work with users and groups attributetype ( 1.3.6.1.4.1.19414.2.1.651 NAME 'acl' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) # Objectclasses objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.1 NAME 'gosaObject' SUP top AUXILIARY DESC 'Objectclass for GOsa settings (v2.4)' MUST ( gosaSubtreeACL )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.2 NAME 'gosaLockEntry' SUP top STRUCTURAL DESC 'Objectclass for GOsa locking (v2.4)' MUST ( gosaUser $ gosaObject $ cn )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.3 NAME 'gosaCacheEntry' SUP top STRUCTURAL DESC 'Objectclass for GOsa caching (v2.4)' MAY ( gosaUser ) MUST ( cn )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.4 NAME 'gosaDepartment' SUP top AUXILIARY DESC 'Objectclass to mark Departments for GOsa (v2.4)' MUST ( ou $ description )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.5 NAME 'gosaMailAccount' SUP top AUXILIARY DESC 'Objectclass to mark MailAccounts for GOsa (v2.4)' MUST ( mail $ gosaMailServer $ gosaMailDeliveryMode) MAY ( gosaMailQuota $ gosaMailAlternateAddress $ gosaMailForwardingAddress $ gosaMailMaxSize $ gosaSpamSortLevel $ gosaSpamMailbox $ gosaVacationMessage $ gosaVacationStart $ gosaVacationStop $ gosaSharedFolderTarget $ acl)) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount' SUP top AUXILIARY DESC 'Objectclass for GOsa Accounts (v2.4)' MUST ( uid ) MAY ( sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ gosaDefaultPrinter $ gosaDefaultLanguage $ academicTitle $ personalTitle $ gosaHostACL $ dateOfBirth $ sambaBadPasswordCount $ sambaBadPasswordTime $ gender )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.7 NAME 'gosaHost' SUP top AUXILIARY DESC 'Objectclass for GOsa Hosts (v2.4)' MUST ( cn ) MAY ( description $ gosaService )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.8 NAME 'gosaProxyAccount' SUP top AUXILIARY DESC 'Objectclass for GOsa Proxy settings (v2.4)' MUST ( gosaProxyAcctFlags ) MAY ( gosaProxyID $ gosaProxyWorkingStart $ gosaProxyWorkingStop $ gosaProxyQuota $ gosaProxyQuotaPeriod )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.9 NAME 'gosaApplication' SUP top STRUCTURAL DESC 'Objectclass for GOsa applications (v2.4)' MUST ( cn $ gosaApplicationExecute ) MAY ( gosaApplicationName $ gosaApplicationIcon $ gosaApplicationFlags $ gosaApplicationMimeType $ gosaApplicationParameter $ gotoLogonScript $ description $ gosaApplicationCategory )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.10 NAME 'gosaApplicationGroup' SUP top AUXILIARY DESC 'Objectclass for GOsa application groups (v2.4)' MUST ( cn ) MAY ( gosaMemberApplication $ gosaApplicationParameter )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.11 NAME 'gosaUserTemplate' SUP top AUXILIARY DESC 'Objectclass for GOsa User Templates (v2.4)' MUST ( cn )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.12 NAME 'gosaGroupOfNames' DESC 'GOsa object grouping (v2.4)' SUP top STRUCTURAL MUST ( cn $ gosaGroupObjects ) MAY ( member $ description ) ) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebdavAccount' DESC 'GOsa webdav enabling account (v2.4)' SUP top AUXILIARY MUST ( cn $ uid )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.14 NAME 'gosaIntranetAccount' DESC 'GOsa Inatrent enabling account (v2.4)' SUP top AUXILIARY MUST ( cn $ uid ) MAY ( gosaDefaultLanguage )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.15 NAME 'gosaAdministrativeUnit' DESC 'Marker for administrational units (v2.5)' SUP top AUXILIARY MUST ( gosaUnitTag )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.16 NAME 'gosaAdministrativeUnitTag' DESC 'Marker for objects below administrational units (v2.5)' SUP top AUXILIARY MUST ( gosaUnitTag )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.17 NAME 'gosaRole' DESC 'ACL container to define roles (v2.5)' SUP top AUXILIARY MUST ( gosaAclTemplate )) objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.18 NAME 'gosaAcl' DESC 'ACL container to define single ACLs (v2.5)' SUP top AUXILIARY MUST ( gosaAclEntry ))

13 years, 9 months

3
5
0 / 0

OpenLDAP Referrals

by Mack J. Jenkins, II

Does anyone have a good starting point for OpenLDAP and referrals? I think I have it working, but I'm not 100% sure, and would like to know if I am on the right path. Mack

13 years, 9 months

7
7
0 / 0

rpath in 2.4.8

by Ron Peterson

Hi, I'm installing 2.4.x on a server which already has earlier openldap shared libraries installed. There are various workarounds for this kind of thing, but the one I prefer is to use -rpath when linking so that the app has built-in knowledge of where to look for it's own shared libraries. I was able to do this in 2.4.7, but I cannot accomplish the same in 2.4.8. My build script includes a line like this: LDFLAGS="-Wl,-rpath /local/apps/openldap2.4/lib" Even in 2.4.7, I have to run my build script twice. The first time I must build without the above LDFLAGS statement, as the the configure step will choke on the compiler check otherwise. From config.log: configure:4436: gcc -Wl,-rpath /local/apps/openldap2.4/lib conftest.c >&5 gcc: /local/apps/openldap2.4/lib: No such file or directory I can add my LDFLAGS statement after one compile pass and not run into this problem. However, when I try the same thing with 2.4.8, liblber never gets created properly, and my compile errors out with: /usr/bin/ld: liblber-2.4.so.2: No such file: No such file or directory When I check openldap-2.4.8/libraries/liblber/.libs/, liblber... just isn't there. I could just revert to using environment variables, but I find that more error-prone than getting the path set right once during compile. ?? -- Ron Peterson Network & Systems Manager Mount Holyoke College http://www.mtholyoke.edu/~rpeterso

13 years, 9 months

2
2
0 / 0

Confused about replication, please help

by Rob Tanner

Hi, I'm trying to set up replication between my master and a slave. In slapd.conf on the slave, I have included the updatedn and updateref parameters: updatedn "cn=Replicator,o=linfield.edu" updateref ldap://oberon.linfield.edu I presume that the ref refers to the slave so I have entered the URL for the slave which seems odd because you have to be able to access the slave to get the updateref. The other thing is that I find no parameter in the man page for slapd.conf or googling for the password. On the master, I have: replica host=oberon.linfield.edu:389 binddn="cn=Replicator,,o=linfield.edu" bindmethod=simple This entry should include "credentials=". If I've no place to specify a password for the updatedn on the slave, what do I put for credentials? Could somebody please fill in the holes? Thanks, Rob -- Rob Tanner UNIX Services Manager Linfield College, McMinnville OR

13 years, 9 months

3
2
0 / 0

installation issue

by naveen mudunuru

dear all, i'm a newbie . when i was trying to configure OpenLDAP. i got an error saying. the c compiler is unable to create executables . i was trying to configure it on debian etch and the c compiler installed in my machine is gcc 4.1. i do not even know whether i can post this query here as i did not find any other installation issues mailed to this list.......... please guide me on the issue thanks in advance -- regards naveen Be Free, Speak Free, Work Free. Advocate "FREE SOFTWARE", FREE as in FREE SPEECH, not as in FREE BEER

13 years, 9 months

4
5
0 / 0

Re: slapd does not answer in time

by Hans Moser

Pierangelo Masarati schrieb: > There is no connection number limit (except for OS limits on number of > file descriptors and so); bu 65 replicas re-syncing simultaneously, with > operations that may require hours, will eat up all threads if configured > as the default. If you need to have so many replicas, you might > consider unloading the master from bulk search load, dedicating it to > centralizing writes, and configure it with lots of threads, so that it > can simultaneously deal with syncs and writes (e.g. 8 threads plus the > number of consumers, to be conservative). Thanks, I increased the number of "threads". Should I increase "concurrency" too? Hans

13 years, 9 months

5
7
0 / 0

Re: slapd does not answer in time

by Hans Moser

Quanah Gibson-Mount schrieb: > Why do you have 65 slaves? I've yet to really see a need for more > than 3-4 slaves unless one has world-wide distributed offices or the > like. No need to discuss political decisions. :) [It's one slapd on every mailserver. And the mailservers are there from times when there were 64kBit line between them.] Hans

13 years, 9 months

2
1
0 / 0

OpenLDAP and RFC 2489

by Dave Horsfall

RFC 2489 (LDAP Data Interchange Format) says: "An LDIF file consists of a series of records separated by line separators." This implies that there should not be a blank line at the end of an LDIF file (separator vs. terminator). Believe it or not, this caused a rather heated discussion... LDAPSEARCH will always include a trailing newline if there is data; is this technically correct behaviour? -- Dave Horsfall DTM VK2KFU Ph: +61 2 9552-5509 (direct) +61 2 9552-5500 (switch) Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU

13 years, 9 months

3
6
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2008