Restricting wildcard searches - find only exact matches?
by Nick France
I'm running OpenLDAP 2.3.35 for a simple 'address book'-type directory.
There will be anonymous access available to read entries, however, I would
like to restrict wildcard searches, and only ever return exact matches. As
the entries are unique, there should only ever be one result (sizelimit is
set to 1 to ensure this).
I've tried many things with ACLs, trying to filter out the wildcard
characters [(!(cn=*\2a*))] but with no success.
Is this possible? Is there a simple flag/directive/compile option to disable
wildcard searching?
Nick
14 years, 5 months
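One way to enforce "exact matches only" in front of the directory, as an added example that is not code from the original post: a proxy or application layer that serves anonymous clients can run each search filter through `is_exact_match_filter()` and forward only filters whose leaves are plain equality assertions (an slapd ACL `filter=` clause matches entries, not the client's search filter, so it cannot do this job). The parser follows RFC 4515; `\2a` is the escaped, literal asterisk and is accepted, while an unescaped `*` marks a presence or substring assertion.

```python
"""Classify an RFC 4515 LDAP search filter as exact-match-only or not.

Added example, not code from the original post.  Presence ('*'), substring
(an unescaped '*' in the value), ordering and approximate assertions are
rejected; '\\2a' is the escaped, literal asterisk and is accepted.
"""
import re

_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")
# attribute description: a name with optional options, or a numeric OID
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)+")


class FilterError(ValueError):
    """Raised for syntactically invalid or unsupported filters."""


def _parse(s, i):
    """Parse the parenthesised filter item at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise FilterError("unterminated '%s' at offset %d" % (op, i))
        if not kids or (op == "!" and len(kids) != 1):
            raise FilterError("bad operand count for '%s'" % op)
        return (op, kids), i + 1
    m = _ATTR.match(s, i)
    if not m:
        raise FilterError("expected attribute at offset %d" % i)
    attr, i = m.group(0), m.end()
    if s[i:i + 2] in (">=", "<=", "~="):
        kind, i = s[i:i + 2], i + 2
    elif s[i:i + 1] == "=":
        kind, i = "=", i + 1
    else:                      # includes the extensible-match ':=' forms
        raise FilterError("unsupported operator at offset %d" % i)
    end = s.find(")", i)       # an unescaped ')' cannot occur inside a value
    if end < 0:
        raise FilterError("unterminated assertion at offset %d" % i)
    raw = s[i:end]
    if kind == "=":
        if raw == "*":
            kind = "present"
        elif "*" in raw:       # any unescaped '*' makes it a substring assertion
            kind = "substring"
    # decode \hh escapes byte-wise (sufficient for ASCII values)
    value = _ESCAPE.sub(lambda e: chr(int(e.group(1), 16)), raw)
    return (kind, attr, value), end + 1


def parse_filter(text):
    """Parse a whole filter string into a tree of tuples."""
    text = text.strip()
    node, i = _parse(text, 0)
    if i != len(text):
        raise FilterError("trailing data at offset %d" % i)
    return node


def is_exact_match_filter(text):
    """True only if every leaf is an equality assertion without a wildcard."""
    def walk(node):
        if node[0] in ("&", "|", "!"):
            return all(walk(k) for k in node[1])
        return node[0] == "="
    try:
        return walk(parse_filter(text))
    except FilterError:
        return False
```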
Strange TLS behaviour with slapd 2.3.30 on Debian Etch
by Denis Sacchet
Hello,
I have a strange behaviour regarding TLS encryption with an LDAP server.
Everything works like a charm for a while, and then, without any sign, the
server stops responding to TLS traffic. As the server is partially
open on the internet, I force TLS, so it is very annoying for us.
I have changed a lot of parameters and already read several threads about that
(and more specifically the one with exactly the same error message as mine,
where it was solved by specifying the same ciphers in slapd.conf and
ldap.conf, but it doesn't work for me ...)
You will find all my parameters below; I hope I have forgotten nothing. I can
provide more log files with and without the problem on demand.
The ldap server is used by apache, postfix, saslauthd, pam_ldap,
nss_ldap ...
Thanks in advance if someone can find a solution for me !!!
Best regards
Denis Sacchet
===================
Here is all the information I can give you:
@(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 05:43:02) $
on a Debian Etch server, here are the link information for slapd:
linux-gate.so.1 => (0xffffe000)
libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f41000)
liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f35000)
libiodbc.so.2 => /usr/lib/libiodbc.so.2 (0xb7eed000)
libslp.so.1 => /usr/lib/libslp.so.1 (0xb7ede000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ec8000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e89000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d4f000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d21000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7d0d000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cfb000)
libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb7cf4000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb7cec000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bbb000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb7000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7ba0000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b8c000)
/lib/ld-linux.so.2 (0xb7f88000)
The same for ldapsearch:
linux-gate.so.1 => (0xffffe000)
libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb7f8d000)
liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f81000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f6a000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f2b000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7df1000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7dc3000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7db0000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c7f000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c7a000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7c66000)
/lib/ld-linux.so.2 (0xb7fca000)
Part of my slapd.conf (no ACLs, no passwords :) ):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/mozillaabpersonalpha.schema
include /etc/ldap/schema/evolutionperson.schema
include /etc/ldap/schema/ouba.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload smbk5pwd
backend bdb
checkpoint 512 30
sizelimit 500
tool-threads 1
security ssf=128
disallow bind_anon
password-hash {SHA}
TLSCACertificateFile /etc/ssl/certs/<hiddendomain>.pem
TLSCertificateFile /etc/ldap/ssl/ldap.<hiddendomain>.com.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldap.<hiddendomain>.com.key
TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
TLSVerifyClient never
TLSCRLCheck none
TLSRandFile /dev/hwrng
loglevel any
#######################################################################
# <hiddendomain>.com database
database bdb
overlay smbk5pwd
suffix "dc=<hiddendomain>,dc=com"
rootdn "cn=Manager,dc=<hiddendomain>,dc=com"
directory "/var/lib/ldap/<hiddendomain>.com"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq uid uidNumber memberUid gidNumber service
lastmod on
replogfile /var/lib/ldap/<hiddendomain>.com/replog
My ldap.conf file:
TLS_CACERT /etc/ssl/certs/<hiddendomain>.pem
TLS_CIPHER_SUITE ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
BASE dc=<hiddendomain>, dc=com
URI ldap://ldap.<hiddendomain>.com:389
A trace of ldapsearch when there is the problem:
ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)"
ldap_create
ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 88.191.47.236:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057558 msgid 1
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
wait4msg ld 0x8057558 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057558 msgid 1 all 1
** ld 0x8057558 Connections:
* host: ldap.<hiddendomain>.com port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Dec 10 08:21:46 2007
** ld 0x8057558 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8057558 Response Queue:
Empty
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
ldap_int_select
read1msg: ld 0x8057558 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x8057558 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057558 0 new referrals
read1msg: mark request completed, ld 0x8057558 msgid 1
request done: ld 0x8057558 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany>
Root C.A./emailAddress=it@<hiddendomain>.com, issuer:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany>
Root C.A./emailAddress=it@<hiddendomain>.com
TLS certificate verification: depth: 0, err: 0, subject:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com,
issuer:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany>
Root C.A./emailAddress=it@<hiddendomain>.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
The same just after a fresh restart:
# ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)"
ldap_create
ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 88.191.47.236:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 3
ldap_result ld 0x8057558 msgid 1
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
wait4msg ld 0x8057558 msgid 1 (infinite timeout)
wait4msg continue ld 0x8057558 msgid 1 all 1
** ld 0x8057558 Connections:
* host: ldap.<hiddendomain>.com port: 389 (default)
refcnt: 2 status: Connected
last used: Mon Dec 10 08:22:20 2007
** ld 0x8057558 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8057558 Response Queue:
Empty
ldap_chkResponseList ld 0x8057558 msgid 1 all 1
ldap_chkResponseList returns ld 0x8057558 NULL
ldap_int_select
read1msg: ld 0x8057558 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x8057558 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8057558 0 new referrals
read1msg: mark request completed, ld 0x8057558 msgid 1
request done: ld 0x8057558 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany>
Root C.A./emailAddress=it@<hiddendomain>.com, issuer:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany>
Root C.A./emailAddress=it@<hiddendomain>.com
TLS certificate verification: depth: 0, err: 0, subject:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com,
issuer:
/C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany>
Root C.A./emailAddress=it@<hiddendomain>.com
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
Enter LDAP Password:
--
Denis Sacchet aka. Ouba
"Computers are like air conditioners: they stop working properly when you open Windows !!!"
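A small triage aid for traces like the two above, as an added example that is not code from the post or from OpenLDAP: it pulls the OpenSSL handshake steps, the per-depth certificate verification results and any fatal alert out of an `ldapsearch -d 9` trace, so that the failing run and the run after the restart can be compared step by step. The two sample traces are constructed from the handshake lines quoted in the post, with the certificate subjects shortened to placeholders; in the failing run the server sends a certificate request and the client answers with a client certificate message before the fatal alert, steps that do not appear in the working run.

```python
"""Summarise the TLS section of an ldapsearch -d 9 debug trace.

Added example, not code from the post or from OpenLDAP.  The two sample
traces below are constructed from the handshake lines quoted in the post,
with the certificate subjects shortened to placeholders.
"""
import re

_STEP = re.compile(r"^TLS trace: SSL_connect:(?:SSLv3 |SSLv2/v3 )?(.+?)\s*$")
_VERIFY = re.compile(r"^TLS certificate verification: depth: (\d+), err: (\d+)")
_ALERT = re.compile(r"^TLS trace: SSL3 alert read:(\w+):(.+?)\s*$")


def summarize_tls_trace(lines):
    """Return handshake steps, {depth: err}, the alert (or None) and a connected flag."""
    steps, verify, alert = [], {}, None
    for line in lines:
        m = _STEP.match(line)
        if m:
            steps.append(m.group(1))
            continue
        m = _VERIFY.match(line)
        if m:
            verify[int(m.group(1))] = int(m.group(2))
            continue
        m = _ALERT.match(line)
        if m:
            alert = (m.group(1), m.group(2))
    # the handshake is complete only once the server's Finished message was read
    connected = alert is None and "read finished A" in steps
    return {"steps": steps, "verify": verify, "alert": alert, "connected": connected}


def handshake_diff(failing, working):
    """Steps present only in the failing trace, and steps present only in the working one."""
    f = summarize_tls_trace(failing)["steps"]
    w = summarize_tls_trace(working)["steps"]
    return [s for s in f if s not in w], [s for s in w if s not in f]


# constructed from the post's first trace (the failing one)
FAILING_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /CN=<root ca>, issuer: /CN=<root ca>
TLS certificate verification: depth: 0, err: 0, subject: /CN=<server>, issuer: /CN=<root ca>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
""".splitlines()

# constructed from the post's second trace (just after the restart)
WORKING_TRACE = """\
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /CN=<root ca>, issuer: /CN=<root ca>
TLS certificate verification: depth: 0, err: 0, subject: /CN=<server>, issuer: /CN=<root ca>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
""".splitlines()
```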
gosa+samba3.schema and slapd.d-configuration-conversion
by Christoph Spielmann
Hi everybody!
We have a tiny problem with the new configuration layout (the
slapd.d directory) with our OpenLDAP installation. We're using
Gentoo Linux systems here, with openldap-2.3.39, heimdal-1.0.1 and
cyrus-sasl-2.1.22 (although I don't think the heimdal and cyrus-sasl
version numbers are very interesting for you, I added them for
completeness....). We have one master and one slave server. Both run and
work as they should. Before we actually start to use this thing in
production we decided to move away from the original
slapd.conf configuration (which seems to work perfectly) to the new
slapd.d directory configuration. So I tried to automatically convert the
slapd.conf into the new slapd.d configuration using this command:
/usr/lib/openldap/slapd -u ldap -g ldap -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
There was no output on the command line, but when I checked the contents of
/etc/openldap/slapd.d/cn=config I noticed that almost everything was
missing except the include LDIFs. Next I checked the slapd logfile and
this is what happened:
...
Feb 20 12:46:26 pluto slapd[18078]: ldif_back_add: err: 0 text:
Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: conn=-1 op=0 p=0
Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: err=0 matched=""
text=""
Feb 20 12:46:26 pluto slapd[18078]: config_build_entry: "cn={12}gosa+samba3"
Feb 20 12:46:26 pluto slapd[18078]: ldif_back_add:
"cn={12}gosa+samba3,cn=schema,cn=config"
Feb 20 12:46:26 pluto slapd[18078]: ldif_back_add: err: 34 text:
unrecongized attribute type(s) in RDN
Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: conn=-1 op=0 p=0
Feb 20 12:46:26 pluto slapd[18078]: send_ldap_result: err=34 matched=""
text="unrecongized attribute type(s) in RDN"
Feb 20 12:46:26 pluto slapd[18078]: backend_startup_one: bi_db_open
failed! (-1)
Feb 20 12:46:26 pluto slapd[18078]: slapd shutdown: initiated
Feb 20 12:46:26 pluto slapd[18078]: ====> bdb_cache_release_all
Feb 20 12:46:26 pluto slapd[18078]: ====> bdb_cache_release_all
Feb 20 12:46:26 pluto slapd[18078]: slapd destroy: freeing system resources.
Feb 20 12:46:26 pluto slapd[18078]: slapd stopped.
...
So the gosa+samba3.schema seems to make the automatic conversion hiccup
somehow. After commenting out the include line for this schema, the
conversion was successful, so something must be wrong with this schema.
I tried to figure out what could be wrong with this schema myself, but I
have no clue where I should start to look. At the moment the
slave server is running without the gosa things included (we don't use
them yet, but sooner or later we'll include gosa) and it's working
perfectly. But as I need to get gosa working too, I need to know what's
wrong with the schema. I'll attach the schema to this email; hopefully
somebody can point me in the right direction.
Regards,
Christoph Spielmann
##
## Needed attributes for GOsa (GONICUS System Administrator)
##
## Version 030303
##
## Maintainer: Cajus Pollmeier (pollmeier(a)GONICUS.de)
##
# Attributes
attributetype ( 1.3.6.1.4.1.10098.1.1.12.1 NAME 'gosaSubtreeACL'
DESC 'GOsa acl entry'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.2 NAME 'gosaUser'
DESC 'GOsa user'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.3 NAME 'gosaObject'
DESC 'GOsa object'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.4 NAME 'gosaMailServer'
DESC 'Specify users main mail server'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.5 NAME 'gosaMailQuota'
DESC 'GOsa quota definitions'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.6 NAME 'gosaMailAlternateAddress'
DESC 'Additional mail addresses where the user is reachable'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.7 NAME 'gosaMailForwardingAddress'
DESC 'Addresses where to forward mail to'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.8 NAME 'gosaMailMaxSize'
DESC 'Block mails bigger than this value'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.9 NAME 'gosaSpamSortLevel'
DESC 'Spamassassins hits'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.10 NAME 'gosaSpamMailbox'
DESC 'Where to put spam'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.11 NAME 'gosaVacationMessage'
DESC 'Text to display in case of vacation'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.12 NAME 'gosaMailDeliveryMode'
DESC 'What to do with mails'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.13 NAME 'gosaDefaultPrinter'
DESC 'Defines a default printer a user owns'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.14 NAME 'gosaDefaultLanguage'
DESC 'Defines the default language for a user'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.15 NAME 'gosaHostACL'
DESC 'Defines the places where users can login'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.16 NAME 'gosaService'
DESC 'Defines services a certain host can provide'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.17 NAME 'gosaProxyID'
DESC 'Defines the proxy user id used, needed for some filters'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.18 NAME 'gosaProxyAcctFlags'
DESC 'Proxy Account Flags'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.19 NAME 'gosaProxyWorkingStart'
DESC 'Specifies the beginning of work in minutes, relative to 00:00'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.20 NAME 'gosaProxyWorkingStop'
DESC 'Specifies the end of work in minutes, relative to 00:00'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.21 NAME 'gosaApplicationName'
DESC 'Specifies the name of an application to be shown up on users desktop'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.22 NAME 'gosaApplicationExecute'
DESC 'Specifies the executable path of an application'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.23 NAME 'gosaApplicationFlags'
DESC 'Specifies the application flags G(roup only), D(esktop), M(enu)'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.31 NAME 'gosaApplicationCategory'
DESC 'Store application parameters'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.24 NAME 'gosaApplicationIcon'
DESC 'Keeps the application icon in png format'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.28)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.25 NAME 'gosaSharedFolderTarget'
DESC 'Keeps the target of cyrus shared folders'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.26 NAME 'gosaMemberApplication'
DESC 'Like memberUid, just for applications'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.27 NAME 'gosaApplicationParameter'
DESC 'Store application parameters'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.28 NAME 'gosaProxyQuota'
DESC 'Specifies the amount of data a user may surf in a defined period of time'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.29 NAME 'gosaProxyQuotaPeriod'
DESC 'Specifies period of time where the counter is been reseted'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.30 NAME 'gosaGroupObjects'
DESC 'Takes a list of all object types that are in a gosaGroupOfNames'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.32 NAME 'gosaApplicationMimeType'
DESC 'Takes a list of relevant mime-type|priority settings'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.33 NAME 'gosaUnitTag'
DESC 'Takes a list of relevant mime-type|priority settings'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.34 NAME 'gosaAclTemplate'
DESC 'Takes ACL entries for gosaRoles'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.35 NAME 'gosaAclEntry'
DESC 'Takes ACL entries for gosaRoles'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.41 NAME 'gosaVacationStart'
DESC 'Timestamp for enabling current vacation message'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.12.42 NAME 'gosaVacationStop'
DESC 'Timestamp for switching off current vacation message'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
attributetype ( 1.3.6.1.4.1.10098.1.1.6.2 NAME 'academicTitle'
DESC 'Field to represent the academic title'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.15305.2.1 NAME ( 'gender' 'sex' )
DESC 'Gender: M for male, F for female'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1}
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.15305.2.2 NAME ( 'dateOfBirth' 'dob' )
DESC 'Date of birth in ISO 8601 format'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10}
SINGLE-VALUE )
# cyrus imapd access control list
# acls work with users and groups
attributetype ( 1.3.6.1.4.1.19414.2.1.651
NAME 'acl'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
# Objectclasses
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.1 NAME 'gosaObject' SUP top AUXILIARY
DESC 'Objectclass for GOsa settings (v2.4)'
MUST ( gosaSubtreeACL ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.2 NAME 'gosaLockEntry' SUP top STRUCTURAL
DESC 'Objectclass for GOsa locking (v2.4)'
MUST ( gosaUser $ gosaObject $ cn ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.3 NAME 'gosaCacheEntry' SUP top STRUCTURAL
DESC 'Objectclass for GOsa caching (v2.4)'
MAY ( gosaUser )
MUST ( cn ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.4 NAME 'gosaDepartment' SUP top AUXILIARY
DESC 'Objectclass to mark Departments for GOsa (v2.4)'
MUST ( ou $ description ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.5 NAME 'gosaMailAccount' SUP top AUXILIARY
DESC 'Objectclass to mark MailAccounts for GOsa (v2.4)'
MUST ( mail $ gosaMailServer $ gosaMailDeliveryMode)
MAY ( gosaMailQuota $ gosaMailAlternateAddress $ gosaMailForwardingAddress $
gosaMailMaxSize $ gosaSpamSortLevel $ gosaSpamMailbox $
gosaVacationMessage $ gosaVacationStart $ gosaVacationStop $ gosaSharedFolderTarget $ acl))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount' SUP top AUXILIARY
DESC 'Objectclass for GOsa Accounts (v2.4)'
MUST ( uid )
MAY ( sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ gosaDefaultPrinter $
gosaDefaultLanguage $ academicTitle $ personalTitle $ gosaHostACL $ dateOfBirth $
sambaBadPasswordCount $ sambaBadPasswordTime $ gender ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.7 NAME 'gosaHost' SUP top AUXILIARY
DESC 'Objectclass for GOsa Hosts (v2.4)'
MUST ( cn )
MAY ( description $ gosaService ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.8 NAME 'gosaProxyAccount' SUP top AUXILIARY
DESC 'Objectclass for GOsa Proxy settings (v2.4)'
MUST ( gosaProxyAcctFlags )
MAY ( gosaProxyID $ gosaProxyWorkingStart $ gosaProxyWorkingStop $ gosaProxyQuota $
gosaProxyQuotaPeriod ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.9 NAME 'gosaApplication' SUP top STRUCTURAL
DESC 'Objectclass for GOsa applications (v2.4)'
MUST ( cn $ gosaApplicationExecute )
MAY ( gosaApplicationName $ gosaApplicationIcon $ gosaApplicationFlags $ gosaApplicationMimeType $
gosaApplicationParameter $ gotoLogonScript $ description $ gosaApplicationCategory ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.10 NAME 'gosaApplicationGroup' SUP top AUXILIARY
DESC 'Objectclass for GOsa application groups (v2.4)'
MUST ( cn )
MAY ( gosaMemberApplication $ gosaApplicationParameter ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.11 NAME 'gosaUserTemplate' SUP top AUXILIARY
DESC 'Objectclass for GOsa User Templates (v2.4)'
MUST ( cn ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.12 NAME 'gosaGroupOfNames'
DESC 'GOsa object grouping (v2.4)'
SUP top STRUCTURAL
MUST ( cn $ gosaGroupObjects ) MAY ( member $ description ) )
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.13 NAME 'gosaWebdavAccount'
DESC 'GOsa webdav enabling account (v2.4)'
SUP top AUXILIARY
MUST ( cn $ uid ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.14 NAME 'gosaIntranetAccount'
DESC 'GOsa Inatrent enabling account (v2.4)'
SUP top AUXILIARY
MUST ( cn $ uid )
MAY ( gosaDefaultLanguage ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.15 NAME 'gosaAdministrativeUnit'
DESC 'Marker for administrational units (v2.5)'
SUP top AUXILIARY
MUST ( gosaUnitTag ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.16 NAME 'gosaAdministrativeUnitTag'
DESC 'Marker for objects below administrational units (v2.5)'
SUP top AUXILIARY
MUST ( gosaUnitTag ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.17 NAME 'gosaRole'
DESC 'ACL container to define roles (v2.5)' SUP top AUXILIARY
MUST ( gosaAclTemplate ))
objectclass ( 1.3.6.1.4.1.10098.1.2.1.19.18 NAME 'gosaAcl'
DESC 'ACL container to define single ACLs (v2.5)' SUP top AUXILIARY
MUST ( gosaAclEntry ))
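What the converter stumbles over is the RDN it builds from the file name rather than the schema body, shown here with an added example that is not code from the post or from OpenLDAP: in RFC 4514 DN string syntax an unescaped `+` separates the attribute/value pairs of a multi-valued RDN, so `cn={12}gosa+samba3` is read as `cn={12}gosa` plus a second pair `samba3` that has no attribute type at all, which is what "unrecognized attribute type(s) in RDN" describes. The parser below reproduces that split and shows that escaping the `+` (or, equivalently, renaming the file so the name has no `+`) yields a single value.

```python
"""Split an RFC 4514 RDN into its attribute/value pairs.

Added example, not code from the post or from OpenLDAP.  An unescaped '+'
separates the pairs of a multi-valued RDN; '\\c' escapes a special
character and '\\hh' a byte.
"""
import re

_HEX = re.compile(r"\\([0-9a-fA-F]{2})")
_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*")


def unescape(value):
    """Resolve RFC 4514 escapes in one attribute value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            m = _HEX.match(value, i)
            if m:                                   # \hh (byte-wise; fine for ASCII)
                out.append(chr(int(m.group(1), 16)))
                i += 3
            else:                                   # \c
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def escape_value(value):
    """Escape a raw string so that it is a single RDN value (over-escaping is allowed)."""
    return re.sub(r'([\\,+"<>;=#])', r"\\\1", value)


def split_rdn(rdn):
    """Return [(attribute, value), ...] for one RDN; raise ValueError if malformed."""
    parts, buf, i = [], [], 0
    while i < len(rdn):
        if rdn[i] == "\\" and i + 1 < len(rdn):   # keep escapes intact for unescape()
            buf.append(rdn[i:i + 2])
            i += 2
            continue
        if rdn[i] == "+":                           # unescaped '+' ends this pair
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(rdn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError("no '=' in RDN component %r" % part)
        attr, value = part.split("=", 1)
        attr = attr.strip()
        if not _ATTR_TYPE.fullmatch(attr):
            raise ValueError("unrecognized attribute type %r" % attr)
        pairs.append((attr, unescape(value)))
    return pairs


def rdn_is_valid(rdn):
    """True if split_rdn() accepts the RDN."""
    try:
        split_rdn(rdn)
        return True
    except ValueError:
        return False
```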
OpenLDAP Referrals
by Mack J. Jenkins, II
Does anyone have a good starting point for OpenLDAP and referrals? I
think I have it working, but I'm not 100% sure, and would like to know
if I am on the right path.
Mack
rpath in 2.4.8
by Ron Peterson
Hi,
I'm installing 2.4.x on a server which already has earlier openldap
shared libraries installed. There are various workarounds for this kind
of thing, but the one I prefer is to use -rpath when linking so that the
app has built-in knowledge of where to look for its own shared
libraries.
I was able to do this in 2.4.7, but I cannot accomplish the same in
2.4.8.
My build script includes a line like this:
LDFLAGS="-Wl,-rpath /local/apps/openldap2.4/lib"
Even in 2.4.7, I have to run my build script twice. The first time I
must build without the above LDFLAGS statement, as the configure
step will choke on the compiler check otherwise. From config.log:
configure:4436: gcc -Wl,-rpath /local/apps/openldap2.4/lib conftest.c >&5
gcc: /local/apps/openldap2.4/lib: No such file or directory
I can add my LDFLAGS statement after one compile pass and not run into
this problem.
However, when I try the same thing with 2.4.8, liblber never gets
created properly, and my compile errors out with:
/usr/bin/ld: liblber-2.4.so.2: No such file: No such file or directory
When I check openldap-2.4.8/libraries/liblber/.libs/, liblber... just
isn't there.
I could just revert to using environment variables, but I find that more
error-prone than getting the path set right once during compile.
??
--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
Confused about replication, please help
by Rob Tanner
Hi,
I'm trying to set up replication between my master and a slave.
In slapd.conf on the slave, I have included the updatedn and updateref
parameters:
updatedn "cn=Replicator,o=linfield.edu"
updateref ldap://oberon.linfield.edu
I presume that the ref refers to the slave so I have entered the URL for
the slave which seems odd because you have to be able to access the
slave to get the updateref. The other thing is that I find no parameter
in the man page for slapd.conf or googling for the password.
On the master, I have:
replica host=oberon.linfield.edu:389
binddn="cn=Replicator,o=linfield.edu"
bindmethod=simple
This entry should include "credentials=". If I've no place to specify a
password for the updatedn on the slave, what do I put for credentials?
Could somebody please fill in the holes?
Thanks,
Rob
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
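A complete pair of configurations for this setup, as an added example that is not Rob's configuration: in slurpd-style replication on OpenLDAP 2.3 the password the master binds with is the userPassword of the Replicator entry on the slave (the slave's updatedn), not a slapd.conf directive, and updateref is the URL the slave hands back to clients that try to write to it, so it names the master. The master hostname (master.linfield.edu), the replog path and the password are placeholders assumed here.

```conf
### master slapd.conf (assumed host: master.linfield.edu)
database    bdb
suffix      "o=linfield.edu"
rootdn      "cn=Manager,o=linfield.edu"
# slurpd reads the changes to push from this file
replogfile  /var/lib/ldap/replog
replica     host=oberon.linfield.edu:389
            binddn="cn=Replicator,o=linfield.edu"
            bindmethod=simple
            credentials=CHANGE-ME-replicator-password

### slave slapd.conf (oberon.linfield.edu)
database    bdb
suffix      "o=linfield.edu"
rootdn      "cn=Manager,o=linfield.edu"
updatedn    "cn=Replicator,o=linfield.edu"
# referral returned to clients that try to write here: the master, not the slave
updateref   ldap://master.linfield.edu
# updatedn is still subject to ACLs, so it needs write access
access to *
    by dn.exact="cn=Replicator,o=linfield.edu" write
    by * read

### entry that holds the password the master binds with; load it on the slave
### (slapadd/ldapadd) or keep it in the master's tree so it is replicated
dn: cn=Replicator,o=linfield.edu
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: Replicator
userPassword: {SSHA}<output of slappasswd -s CHANGE-ME-replicator-password>
```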
installation issue
by naveen mudunuru
Dear all,
I'm a newbie. When I was trying to configure OpenLDAP,
I got an error saying
the C compiler is unable to create executables. I was trying to configure
it on Debian Etch and the C compiler installed on my machine is gcc 4.1.
I do not even know whether I can post this query here as I did not find any
other installation issues mailed to this list..........
Please guide me on the issue.
Thanks in advance.
--
regards
naveen
Be Free, Speak Free, Work Free.
Advocate "FREE SOFTWARE",
FREE as in FREE SPEECH, not as in FREE BEER
Re: slapd does not answer in time
by Hans Moser
Pierangelo Masarati wrote:
> There is no connection number limit (except for OS limits on number of
> file descriptors and so); but 65 replicas re-syncing simultaneously, with
> operations that may require hours, will eat up all threads if configured
> as the default. If you need to have so many replicas, you might
> consider unloading the master from bulk search load, dedicating it to
> centralizing writes, and configure it with lots of threads, so that it
> can simultaneously deal with syncs and writes (e.g. 8 threads plus the
> number of consumers, to be conservative).
Thanks, I increased the number of "threads".
Should I increase "concurrency" too?
Hans
Re: slapd does not answer in time
by Hans Moser
Quanah Gibson-Mount wrote:
> Why do you have 65 slaves? I've yet to really see a need for more
> than 3-4 slaves unless one has world-wide distributed offices or the
> like.
No need to discuss political decisions. :)
[It's one slapd on every mailserver. And the mailservers are there from
times when there was a 64kBit line between them.]
Hans
OpenLDAP and RFC 2489
by Dave Horsfall
RFC 2489 (LDAP Data Interchange Format) says: "An LDIF file consists of a
series of records separated by line separators."
This implies that there should not be a blank line at the end of an LDIF
file (separator vs. terminator). Believe it or not, this caused a rather
heated discussion...
LDAPSEARCH will always include a trailing newline if there is data; is
this technically correct behaviour?
--
Dave Horsfall DTM VK2KFU Ph: +61 2 9552-5509 (direct) +61 2 9552-5500 (switch)
Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU
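A reader written to the separator reading of the grammar, as an added example that is not code from the post: blank lines separate records, so a trailing newline or extra blank lines at the end of the input yield no empty record, and input without the trailing blank line parses identically. Continuation lines (leading space) are unfolded and comment lines dropped; the sample LDIF is constructed.

```python
"""Split LDIF text into records, treating blank lines as record separators.

Added example, not code from the post.  A trailing newline or trailing
blank lines must not produce an empty record; folded lines (leading space)
are joined and '#' comment lines dropped.  The sample input is constructed.
"""


def split_ldif_records(text):
    """Return a list of records, each a list of unfolded 'attr: value' lines."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded:
        if line == "":                              # separator: close the current record, if any
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):              # comment lines carry no data
            current.append(line)
    if current:                                     # last record needs no trailing separator
        records.append(current)
    # an optional leading version-spec is not part of any record
    if records and records[0][0].lower().startswith("version:"):
        records[0] = records[0][1:]
        if not records[0]:
            records.pop(0)
    return records


# constructed sample: version line, two records, a folded value, trailing blank lines
SAMPLE_LDIF = (
    "version: 1\n"
    "\n"
    "dn: cn=alice,dc=example,dc=com\n"
    "cn: alice\n"
    "\n"
    "# constructed second record with a folded line\n"
    "dn: cn=bob,dc=example,dc=com\n"
    "cn: bob\n"
    "description: a long\n"
    "  value\n"
    "\n"
    "\n"
)
```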