openldap-software February 2008

openldap-software@openldap.org

86 participants
94 discussions

back-config schema in subschema
by Dieter Kluenter 20 Feb '08

20 Feb '08

Hi, I just discovered that with REl_ENG_2.4 objectclasses and attribute types of back-config schema are not included in cn=subschema any more. Is this intentional or is this a bug? Problem is I cannot configure or modify back-config with a tool which reads subschema for available objectclasses and attribute types anymore. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

2 1

Re: [phpldapadmin-users] grant access on a attribute specific value
by Pierangelo Masarati 20 Feb '08

20 Feb '08

Fabrice Eudes wrote: > Pierangelo Masarati a écrit : >> [please do not cross-post] > sorry. I mean: keep postings on the same list they started (and they belong to). Do not assume I subscribed to any list you did. >> Did you re-index after changing the index configuration in >> slapd.conf(5)? See slapindex(8) for details. > yes. > > I change a bit the "set" clause using "(employeeType=foo)" instead of > "(groupesTravail=1200)" and I have the same behavior: > >> index employeeType eq > makes the set clause fails (even after reindexing). > > without the index, access are ok. > > more idea(s) ? Indexing cannot alter the response of the system. So your indexing is not correct for some reason. I suggest you first work this issue out by running searches without any ACL. Then go back to ACL design. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

1 0

Re: [phpldapadmin-users] grant access on a attribute specific value
by Pierangelo Masarati 20 Feb '08

20 Feb '08

[please do not cross-post] Fabrice Eudes wrote: > Fabrice Eudes a écrit : >> I don't understand :-( > something else I don't understand... > > the set clause uses the groupesTravail attribute values, and if I have > an index for groupesTravail, then it fails. > > without the index, all is fine. Did you re-index after changing the index configuration in slapd.conf(5)? See slapindex(8) for details. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

1 0

syncrepl failure
by Ron Peterson 20 Feb '08

20 Feb '08

Hi, I'm trying to set up syncrepl for the first time, using 2.4.7 and copying the mirror node configuration in the OpenLDAP Administrator's manual. I first started my two LDAP servers without any syncprov/syncrepl configuration in my slapd.conf, and inserted a few ou's which represent my basic container hierarchy. I also added my syncrepl user (the one assigned to 'binddn' in my syncrepl configuration line.) I gave this user read access to everything. access to * by dn="userid=ldapsync,ou=admin,ou=account,dc=mtholyoke,dc=edu" read by self read Then I shut down OpenLDAP, and uncommented my syncrepl configuration. overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=1 provider=ldap://dira.mtholyoke.edu/ bindmethod=simple binddn="userid=ldapsync,ou=admin,ou=accounts,dc=mtholyoke,dc=edu" credentials="blahblah" searchbase="dc=mtholyoke,dc=edu" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on serverID 2 Next I started OpenLDAP again, and inserted a test user. I can see in my logs that the other server is attempting to syncronize. The bind operation appears succesful, but then the sync fails with the following error: Feb 19 16:17:18 drab slapd[27432]: conn=10 op=0 BIND dn="uid=ldapsync,ou=admin,ou=accounts,dc=mtholyoke,dc=edu" mech=SIMPLE ssf=0 Feb 19 16:17:18 drab slapd[27432]: conn=10 op=0 RESULT tag=97 err=0 text= Feb 19 16:17:18 drab slapd[27432]: begin get_filter Feb 19 16:17:18 drab slapd[27432]: PRESENT Feb 19 16:17:18 drab slapd[27432]: end get_filter 0 Feb 19 16:17:18 drab slapd[27432]: conn=10 op=1 SRCH base="dc=mtholyoke,dc=edu" scope=2 deref=3 filter="(objectClass=*)" Feb 19 16:17:18 drab slapd[27432]: conn=10 op=1 SRCH attr=* + Feb 19 16:17:18 drab slapd[27432]: conn=10 op=1 SEARCH RESULT tag=101 err=2 nentries=0 text=illegal value for derefAliases I suspect I'm simply overlooking something obvious, or not doing the initial setup quite right, but like I say, this is my first time through this, so any advice is appreciated. TIA. -- Ron Peterson Network & Systems Manager Mount Holyoke College http://www.mtholyoke.edu/~rpeterso

2 2

Re: LDAP in Master-Slave
by Quanah Gibson-Mount 20 Feb '08

20 Feb '08

--On Wednesday, February 20, 2008 12:05 PM +0530 Aravind Arjunan <aravind.arjunan(a)gmail.com> wrote: > > Is it not possible to configure the master-slave in openldap2.2? > anyway please say me the procedure how the check the slave ldap > wheather it has been replicated or not? > > > On 20/02/2008, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > > --On Wednesday, February 20, 2008 11:54 AM +0530 Aravind Arjunan > <aravind.arjunan(a)gmail.com> wrote: > >> >> am trying to configuring openldap2.2 in syncrepl method in master-slave. > > Don't. Get the current release (openldap 2.4). Otherwise you are just > wasting your time and ours. Please keep your replies on the list. You can configure replication in OpenLDAP 2.2, but I would advise using syncrepl with that release. And again, the 2.2 release is years out of date, and no longer supported. You are wasting your time pursing using it. Download and use the latest release. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

Write changed immediately to disk
by ml＠bortal.de 20 Feb '08

20 Feb '08

Hello List, what settings do i need to write my ldap changes (almost) immedialtely to disk? I do not need much of performance but would rather have a higher security. Thanks, Mario

7 9

kerberos support any more?
by Brian J. Murrell 19 Feb '08

19 Feb '08

I'm noticing this: http://www.openldap.org/lists/openldap-bugs/200701/msg00009.html and wonder what that really means for OpenLDAP and Kerberos. Is there no longer any support in OpenLDAP for Kerberos? Specifically, I want to use my Kerberos ticket to authenticate to my OpenLDAP directory (anonymous bind does not allow me to view/update my address books for example). Does the above removal mean this is not possible? If it's still possible, anyone got a good howto they can point me at that's relevant for 2.3.35 and higher? Thanx, b.

4 5

OpenLDAP migration to new server
by George 19 Feb '08

19 Feb '08

Hello, I have a Fedora Core 2 server running openldap-servers-2.1.29-1. I have an address book with names stored there which I am using with Outlook. Can someone please tell me how do I migrate this address book to a newer server running CentOS 5 with openldap-servers-2.3.27-8? What commands do I run to export and import the data? Thanks

4 3

SSL handshake failure
by Nathan Huesken 18 Feb '08

18 Feb '08

Hello together, I am trying to enable TLS on my ldap server. I executed: openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ldap-key.pem -days 999999 and added: TLSCertificateFile /etc/ssl/ldap.pem TLSCertificateKeyFile /etc/openldap/ldap-key.pem TLSVerifyClient demand to my slapd.conf. To my ldap.conf, I added: TLS_CERT /etc/ssl/ldap.pem TLS_KEY /etc/openldap/ldap-key.pem TLS_REQCERT allow and tried ldapsearch -x -b 'cn=Manager,dc=lonely-star,dc=org' '(objectclass=*)' -ZZ to test it. The result is: ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Any suggestions what the pronblem could be? Thanks! nathan

3 2

grant access on a attribute specific value
by Fabrice Eudes 18 Feb '08

18 Feb '08

Hi all, I am runing an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson. I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute. something like: access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by (&(objectClass=inetOrgPerson)(employeeType=chief)) write If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ? It is not clear for me if the "dynacl" I saw in the manpage: - can solve this problem - are compulsory to solve it any help ? example ? thanks. -- Fabrice Eudes -o) Clé PGP 88AC3A66 /\\ Utilisateur Linux n°245401 _\_V Tel 09 50 77 73 78 Fax 09 55 77 73 78

4 8

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2008