back-config schema in subschema
by Dieter Kluenter
Hi,
I just discovered that with REL_ENG_2.4 objectclasses and attribute
types of back-config schema are not included in cn=subschema any
more. Is this intentional or is this a bug?
Problem is I cannot configure or modify back-config with a tool which
reads subschema for available objectclasses and attribute types
anymore.
-Dieter
--
Dieter Klünter | Systems Consulting
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
Re: [phpldapadmin-users] grant access on a attribute specific value
by Pierangelo Masarati
Fabrice Eudes wrote:
> Pierangelo Masarati wrote:
>> [please do not cross-post]
> sorry.
I mean: keep postings on the same list they started (and they belong
to). Do not assume I subscribed to any list you did.
>> Did you re-index after changing the index configuration in
>> slapd.conf(5)? See slapindex(8) for details.
> yes.
>
> I changed the "set" clause a bit, using "(employeeType=foo)" instead of
> "(groupesTravail=1200)", and I have the same behavior:
>
>> index employeeType eq
> makes the set clause fail (even after reindexing).
>
> without the index, access is OK.
>
> more idea(s) ?
Indexing cannot alter the response of the system. So your indexing is
not correct for some reason. I suggest you first work this issue out by
running searches without any ACL. Then go back to ACL design.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
Re: [phpldapadmin-users] grant access on a attribute specific value
by Pierangelo Masarati
[please do not cross-post]
Fabrice Eudes wrote:
> Fabrice Eudes wrote:
>> I don't understand :-(
> something else I don't understand...
>
> the set clause uses the groupesTravail attribute values, and if I have
> an index for groupesTravail, then it fails.
>
> without the index, all is fine.
Did you re-index after changing the index configuration in
slapd.conf(5)? See slapindex(8) for details.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
syncrepl failure
by Ron Peterson
Hi,
I'm trying to set up syncrepl for the first time, using 2.4.7 and
copying the mirror node configuration in the OpenLDAP Administrator's
manual.
I first started my two LDAP servers without any syncprov/syncrepl
configuration in my slapd.conf, and inserted a few ou's which represent
my basic container hierarchy. I also added my syncrepl user (the one
assigned to 'binddn' in my syncrepl configuration line.) I gave this
user read access to everything.
access to *
by dn="userid=ldapsync,ou=admin,ou=account,dc=mtholyoke,dc=edu" read
by self read
Then I shut down OpenLDAP, and uncommented my syncrepl configuration.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=1
provider=ldap://dira.mtholyoke.edu/
bindmethod=simple
binddn="userid=ldapsync,ou=admin,ou=accounts,dc=mtholyoke,dc=edu"
credentials="blahblah"
searchbase="dc=mtholyoke,dc=edu"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
serverID 2
Next I started OpenLDAP again, and inserted a test user. I can see in
my logs that the other server is attempting to synchronize. The bind
operation appears successful, but then the sync fails with the following
error:
Feb 19 16:17:18 drab slapd[27432]: conn=10 op=0 BIND dn="uid=ldapsync,ou=admin,ou=accounts,dc=mtholyoke,dc=edu" mech=SIMPLE ssf=0
Feb 19 16:17:18 drab slapd[27432]: conn=10 op=0 RESULT tag=97 err=0 text=
Feb 19 16:17:18 drab slapd[27432]: begin get_filter
Feb 19 16:17:18 drab slapd[27432]: PRESENT
Feb 19 16:17:18 drab slapd[27432]: end get_filter 0
Feb 19 16:17:18 drab slapd[27432]: conn=10 op=1 SRCH base="dc=mtholyoke,dc=edu" scope=2 deref=3 filter="(objectClass=*)"
Feb 19 16:17:18 drab slapd[27432]: conn=10 op=1 SRCH attr=* +
Feb 19 16:17:18 drab slapd[27432]: conn=10 op=1 SEARCH RESULT tag=101 err=2 nentries=0 text=illegal value for derefAliases
I suspect I'm simply overlooking something obvious, or not doing the
initial setup quite right, but like I say, this is my first time through
this, so any advice is appreciated.
TIA.
--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
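One thing worth checking in a syncrepl setup, independently of the derefAliases error in the log above, is that the identity the consumer binds with is the identity the provider's ACLs actually grant access to. The post quotes an ACL for ...,ou=account,... and a syncrepl binddn for ...,ou=accounts,..., so the two DNs do not agree as written. The script below is an added example (not from the post and not OpenLDAP code): it reads a slapd.conf fragment constructed from the lines quoted in the post, folds continuation lines the way slapd.conf(5) does, and reports whether the syncrepl binddn appears among the explicit "by dn=" grantees. The helper names are this example's own.

```python
"""Cross-check the syncrepl binddn against explicit ACL grantee DNs in a
slapd.conf fragment.

Added example; not code from the post or from OpenLDAP. SLAPD_CONF is a
constructed fragment modelled on the configuration quoted in the post.
"""
import re

# Constructed fragment. Note the ACL grants read to ...ou=account,...
# while the syncrepl consumer binds as ...ou=accounts,...
SLAPD_CONF = """\
access to *
    by dn="userid=ldapsync,ou=admin,ou=account,dc=mtholyoke,dc=edu" read
    by self read

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

syncrepl rid=1
    provider=ldap://dira.mtholyoke.edu/
    bindmethod=simple
    binddn="userid=ldapsync,ou=admin,ou=accounts,dc=mtholyoke,dc=edu"
    credentials="blahblah"
    searchbase="dc=mtholyoke,dc=edu"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
mirrormode on
serverID 2
"""


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDNs so cosmetic differences
    neither hide nor fake a mismatch (a simplification of DN matching)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def join_continuations(text):
    """slapd.conf(5): a line beginning with whitespace continues the previous
    directive, so 'access to *' and its 'by' clauses become one line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_acl_dns(lines):
    """Collect normalized DNs named by explicit 'by dn="..."' grantees."""
    dns = set()
    for line in lines:
        if line.startswith("access "):
            for m in re.finditer(r'by\s+dn(?:\.\w+)?="([^"]+)"', line):
                dns.add(normalize_dn(m.group(1)))
    return dns


def parse_syncrepl_binddn(lines):
    """Return the normalized binddn of the first syncrepl directive, if any."""
    for line in lines:
        if line.startswith("syncrepl "):
            m = re.search(r'binddn="([^"]+)"', line)
            if m:
                return normalize_dn(m.group(1))
    return None


def check_consumer_identity(conf_text):
    """Report whether the syncrepl binddn is an explicit ACL grantee."""
    lines = join_continuations(conf_text)
    binddn = parse_syncrepl_binddn(lines)
    granted = parse_acl_dns(lines)
    return {
        "binddn": binddn,
        "granted_by_acl": binddn is not None and binddn in granted,
        "acl_dns": sorted(granted),
    }


if __name__ == "__main__":
    print(check_consumer_identity(SLAPD_CONF))
```

Run against the constructed fragment the check reports granted_by_acl False; aligning the two DNs makes it True. The check only covers explicit "by dn=" grantees, not regex, group or set clauses, so a False result means "look closer", not "definitely unauthorized".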
Re: LDAP in Master-Slave
by Quanah Gibson-Mount
--On Wednesday, February 20, 2008 12:05 PM +0530 Aravind Arjunan
<aravind.arjunan(a)gmail.com> wrote:
>
> Is it not possible to configure the master-slave in openldap2.2?
> anyway please tell me the procedure for how to check whether the slave ldap
> has been replicated or not?
>
>
> On 20/02/2008, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
>
> --On Wednesday, February 20, 2008 11:54 AM +0530 Aravind Arjunan
> <aravind.arjunan(a)gmail.com> wrote:
>
>>
>> I am trying to configure openldap2.2 in syncrepl method in master-slave.
>
> Don't. Get the current release (openldap 2.4). Otherwise you are just
> wasting your time and ours.
Please keep your replies on the list.
You can configure replication in OpenLDAP 2.2, but I would advise using
syncrepl with that release. And again, the 2.2 release is years out of
date, and no longer supported. You are wasting your time pursuing using it.
Download and use the latest release.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Write changed immediately to disk
by ml@bortal.de
Hello List,
what settings do i need to write my ldap changes (almost) immediately
to disk?
I do not need much of performance but would rather have a higher security.
Thanks, Mario
kerberos support any more?
by Brian J. Murrell
I'm noticing this:
http://www.openldap.org/lists/openldap-bugs/200701/msg00009.html and
wonder what that really means for OpenLDAP and Kerberos. Is there no
longer any support in OpenLDAP for Kerberos?
Specifically, I want to use my Kerberos ticket to authenticate to my
OpenLDAP directory (anonymous bind does not allow me to view/update my
address books for example). Does the above removal mean this is not
possible?
If it's still possible, anyone got a good howto they can point me at
that's relevant for 2.3.35 and higher?
Thanx,
b.
OpenLDAP migration to new server
by George
Hello,
I have a Fedora Core 2 server running openldap-servers-2.1.29-1.
I have an address book with names stored there which I am using with Outlook.
Can someone please tell me how do I migrate this address book to a
newer server running CentOS 5 with openldap-servers-2.3.27-8?
What commands do I run to export and import the data?
Thanks
SSL handshake failure
by Nathan Huesken
Hello together,
I am trying to enable TLS on my ldap server. I executed:
openssl req -config /etc/ssl/openssl.cnf -new -x509 -nodes -out /etc/ssl/ldap.pem -keyout /etc/openldap/ldap-key.pem -days 999999
and added:
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLSVerifyClient demand
to my slapd.conf.
To my ldap.conf, I added:
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT allow
and tried
ldapsearch -x -b 'cn=Manager,dc=lonely-star,dc=org' '(objectclass=*)' -ZZ
to test it.
The result is:
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Any suggestions what the problem could be?
Thanks!
nathan
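The configuration in this post asks the server for mutual TLS (TLSVerifyClient demand) while the client side sets TLS_CERT/TLS_KEY in ldap.conf and TLS_REQCERT allow. The lint below is an added example, not code from the post or from OpenLDAP: it parses the two fragments (constructed from the lines quoted above) and flags the combinations that slapd.conf(5) and ldap.conf(5) document as not working or as weakening verification: a client-certificate demand with no TLSCACertificateFile/TLSCACertificatePath to verify against, TLS_CERT/TLS_KEY in the system-wide ldap.conf (ldap.conf(5) lists them as user-only options), and TLS_REQCERT allow/never, under which the client never really authenticates the server. Function names are this example's own.

```python
"""Lint slapd.conf and ldap.conf TLS directives for mutual-TLS pitfalls.

Added example; not code from the post or from OpenLDAP. The two config
texts are constructed from the directives quoted in the post. The checks
follow what slapd.conf(5) and ldap.conf(5) document for these options.
"""

SLAPD_CONF = """\
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ldap-key.pem
TLSVerifyClient demand
"""

LDAP_CONF = """\
TLS_CERT /etc/ssl/ldap.pem
TLS_KEY /etc/openldap/ldap-key.pem
TLS_REQCERT allow
"""


def parse_directives(text):
    """Map each directive name (lower-cased) to its argument string."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def lint_server_tls(conf_text):
    """Findings for the slapd side."""
    d = parse_directives(conf_text)
    findings = []
    verify = d.get("tlsverifyclient", "never").lower()
    has_ca = "tlscacertificatefile" in d or "tlscacertificatepath" in d
    # Any mode that asks for a client certificate needs a CA list to verify it.
    if verify != "never" and not has_ca:
        findings.append("TLSVerifyClient %s with no TLSCACertificateFile/Path: "
                        "no CA is available to verify client certificates" % verify)
    # demand/hard/true: a missing or unverifiable client cert ends the session.
    if verify in ("demand", "hard", "true"):
        findings.append("TLSVerifyClient %s: clients without a valid certificate "
                        "are disconnected during the handshake" % verify)
    if "tlscertificatefile" in d and "tlscertificatekeyfile" not in d:
        findings.append("TLSCertificateFile set without TLSCertificateKeyFile")
    return findings


def lint_client_tls(conf_text, system_wide=True):
    """Findings for the libldap client side; system_wide=True means the text
    is /etc/(open)ldap/ldap.conf rather than a user's .ldaprc."""
    d = parse_directives(conf_text)
    findings = []
    if system_wide:
        for opt in ("tls_cert", "tls_key"):
            if opt in d:
                findings.append("%s is a user-only option in ldap.conf(5); "
                                "it does not take effect in the system-wide ldap.conf"
                                % opt.upper())
    reqcert = d.get("tls_reqcert", "demand").lower()  # ldap.conf(5) default
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate failures are not fatal, "
                        "so the client does not authenticate the server" % reqcert)
    if reqcert != "never" and "tls_cacert" not in d and "tls_cacertdir" not in d:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the client has no CA to "
                        "verify the server certificate against")
    return findings


if __name__ == "__main__":
    for f in lint_server_tls(SLAPD_CONF) + lint_client_tls(LDAP_CONF):
        print("-", f)
```

On the fragments from the post the server side yields two findings and the client side four. A configuration that names a CA on both sides, keeps TLS_REQCERT at its demand default and puts any client certificate in the user's .ldaprc lints clean apart from the informational "clients without a valid certificate are disconnected" line, which is simply what demand means.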
grant access on a attribute specific value
by Fabrice Eudes
Hi all,
I am running an openldap 2.4.7 on debian with small local schema
modifications: a few more attributes and an objectClass derived from
inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage
but I can't figure out how to do the following: I want to give write
access depending on the value of an attribute.
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com"
attrs=cn,description,memberUid,entry
by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
If I have read the manpage correctly, I can't do it with a filter. Is
there any way to get this behavior ?
It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
any help ? example ?
thanks.
--
Fabrice Eudes -o)
PGP key 88AC3A66 /\\
Linux user #245401 _\_V
Tel 09 50 77 73 78
Fax 09 55 77 73 78
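The later replies in this thread turn to a "set" clause for exactly this kind of rule, so here is an added example (not from the post and not OpenLDAP code) that models how slapd.access(5) set expressions are evaluated: the set is built from the requestor (user) or the target entry (this), chased through attributes with /attr, intersected or unioned with literals in [brackets], and the by clause matches when the result is non-empty. A rule of the shape by set="user/employeeType & [chief]" write is assumed here from that syntax. The directory entries are constructed, and the evaluator is deliberately simplified: operators apply left to right with equal precedence, values compare exactly rather than by LDAP matching rules, and only the grammar subset shown is supported.

```python
"""Model of OpenLDAP 'set' ACL evaluation for attribute-value-dependent grants.

Added example; not OpenLDAP code and not from the post. DIRECTORY holds
constructed entries (DN -> attribute -> values). Simplifications: left-to-
right evaluation with equal operator precedence, exact string comparison,
and only user, this, /attr, [literal], & and | are supported.
"""
import re

# Constructed entries. Attribute names are stored lower-cased.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "employeetype": ["chief"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "employeetype": ["staff"]},
    "cn=foo,ou=groups,dc=example,dc=com": {
        "objectclass": ["posixGroup"], "memberuid": ["alice", "bob"],
        "owner": ["uid=bob,ou=people,dc=example,dc=com"]},
}


def attr_values(dn, attr):
    """Values of attr in entry dn, or an empty list if absent."""
    return DIRECTORY.get(dn, {}).get(attr.lower(), [])


def eval_term(term, user_dn, this_dn):
    """One operand: [literal], user[/attr...] or this[/attr...]."""
    term = term.strip()
    m = re.fullmatch(r"\[(.*)\]", term)
    if m:
        return {m.group(1)}
    parts = term.split("/")
    if parts[0] == "user":
        current = {user_dn}
    elif parts[0] == "this":
        current = {this_dn}
    else:
        raise ValueError("unsupported set term: %r" % term)
    # Each /attr replaces the current DNs by the values of attr in those
    # entries; DN-valued attributes (e.g. owner) can be chased further.
    for attr in parts[1:]:
        current = {v for dn in current for v in attr_values(dn, attr)}
    return current


def eval_set(expr, user_dn, this_dn):
    """Evaluate 'term (op term)*' with & as intersection and | as union."""
    tokens = re.split(r"\s*([&|])\s*", expr.strip())
    result = eval_term(tokens[0], user_dn, this_dn)
    for op, term in zip(tokens[1::2], tokens[2::2]):
        rhs = eval_term(term, user_dn, this_dn)
        result = result & rhs if op == "&" else result | rhs
    return result


def set_grants(expr, user_dn, this_dn):
    """A 'by set=...' clause matches when the evaluated set is non-empty."""
    return len(eval_set(expr, user_dn, this_dn)) > 0


if __name__ == "__main__":
    group = "cn=foo,ou=groups,dc=example,dc=com"
    for who in DIRECTORY:
        if who != group:
            print(who, "->", set_grants("user/employeeType & [chief]", who, group))
```

With the constructed entries, alice (employeeType chief) matches the rule and bob does not, while a rule such as this/owner & user matches bob alone, because the group's owner attribute names bob's DN. Since the requestor's own attributes drive the decision, the ACL design should also restrict who may write employeeType, otherwise anyone able to modify that attribute can grant themselves the write access.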