LDAPMod field types
by Bernd Jendrissek
I'm building a big piece of inherited code that uses OpenLDAP
extensively, and now that we're (trying to) switch to FreeBSD 7.0, GCC
complains quite a bit more than before:
43 modFormat.mod_op = LDAP_MOD_ADD;
44 modFormat.mod_type = "rocketseedFormat";
45 vformat[0] = "2";
46 vformat[1] = NULL;
47 modFormat.mod_values = vformat;
rscode/rocketutil/mydap.cpp:44: warning: deprecated conversion from
string constant to 'char*'
rscode/rocketutil/mydap.cpp:45: warning: deprecated conversion from
string constant to 'char*'
Are we risking some sort of free()-based crashes by populating the
struct with string constants? I grepped for mod_type in the OpenLDAP
source and couldn't find any explicit dependency on the strings being
dynamically allocated (except for ldap_mods_free(), which we don't
call). That doesn't mean there exists no such dependency!
Would it be safe to const_cast<char *> the string constants, or will I
need to wrap each with a strdup() and ldap_mods_free() it all after
we're done?
Thanks
15 years, 7 months
ppolicy
by Rick Stevens
I've got a question regarding the ppolicy overlay. I've read the docs I
can find for it on the web, but there's a couple of holes in them and in
my knowledge.
I've got the config set up (schema, module load, external check library)
and such. I've got the default policy DN in the database and such.
From slapd.conf:
overlay ppolicy
ppolicy_default \
"cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
From ldapsearch -b "ou=policies...":
dn: cn=DefaultPassword,ou=Policies,dc=billing,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE
When I add a user and do an ldapsearch of that user, should I see any of
the ppolicy user attributes such as "pwdReset" or "pwdChangedTime" in
the entry right off the bat or must something happen first (such as
having the user change their password)? I ask because I see nothing
and hence don't know if ppolicy is ruling the roost or not.
Does ppolicy only affect a specific objectClass of entry (e.g.
"inetOrgPerson") or will it take effect on any entry with a
"userPassword" entry? None of my user accounts have "inetOrgPerson"
object classes. Typical entry:
dn: uid=testuser,ou=People,dc=billing,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
gecos: Test User
homeDirectory: /home/testuser
uidNumber: 32004
gidNumber: 32004
userPassword:: OXgtJnhFM2VsZVls
shadowLastChange: 13978
Oh, by the way, that user was JUST added.
--
Rick Stevens, Unix Geek rps2(a)socal.rr.com
I haven't lost my mind. It's backed up on tape somewhere, but probably not recoverable.
15 years, 7 months
ldapmodify hangs
by Adam Williams
I have an .ldif that is:
dn: uid=hholmes,ou=People,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
sambaProfilePath: \\roark\profiles\hholmes
sambaHomePath: \\roark\hholmes
sambaLogonScript: \\roark\netlogon\scripts\hholmes.bat
sambaHomeDrive: R:
dn: uid=lhosey,ou=People,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
sambaProfilePath: \\roark\profiles\lhosey
sambaHomePath: \\roark\lhosey
sambaLogonScript: \\roark\netlogon\scripts\lhosey.bat
sambaHomeDrive: R:
dn: uid=bkearney,ou=People,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
sambaProfilePath: \\roark\profiles\bkearney
sambaHomePath: \\roark\bkearney
sambaLogonScript: \\roark\netlogon\scripts\bkearney.bat
sambaHomeDrive: R:
and when I run it with:
[root@roark ldap]# ldapmodify -D
"cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxxxxxxxxx -x -v -f
profilepaths.ldif
ldap_initialize( <DEFAULT> )
replace sambaProfilePath:
\\roark\profiles\hholmes
replace sambaHomePath:
\\roark\hholmes
replace sambaLogonScript:
\\roark\netlogon\scripts\hholmes.bat
replace sambaHomeDrive:
R:
modifying entry "uid=hholmes,ou=People,dc=mdah,dc=state,dc=ms,dc=us"
modify complete
it hangs at modify complete and doesn't go on to the next person which
is lhosey. Why is this? I'm running openldap 2.3.39.
15 years, 7 months
restricting slapd memory consumption
by Ralf Narozny
Hi,
I'm wondering how I could restrict the memory usage of the slapd process.
We have quite a large amount of data (23 million entries) in our login
LDAP. Since we are still using OpenLDAP 2.0 and of course want to
migrate now, I added our data into an OpenLDAP 2.3.37 (this version will
be updated soon). The problem I stumble over is that while inserting the
data with ldapadd (mainly to check the performance we have to expect in
the future), the amount of memory the slapd uses endlessly grows. The
slapd process uses 11GB of memory after the insert has finished.
We are using the BDB backend which is currently configured to use 4GB of
shared memory.
Machine: Linux masterldap 2.6.21.5 #1 SMP Mon Jul 2 13:54:33 CEST 2007
x86_64 GNU/Linux, with 2 Dual-Core AMD Opteron(tm) Processor 2218 and
16GB of RAM.
slapd.conf (converted to cn=config format):
include /usr/local/our/ldap/etc/openldap/schema/core.schema
include /usr/local/our/ldap/etc/openldap/schema/our.schema
pidfile /usr/local/our/ldap/var/ldap/run/slapd.pid
argsfile /usr/local/our/ldap/var/ldap/run/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/our/ldap/lib
moduleload back_bdb.la
access to * by * write
loglevel 0
sizelimit 10000
timelimit 3600
cachesize 1000000
tool-threads 2
# backend definition
backend bdb
database config
rootdn "cn=root,cn=config"
rootpw {SSHA}***
#######################################################################
# BDB database definitions
#######################################################################
# first database definition & config directives
database bdb
directory /usr/local/our/ldap/var/ldap/openldap-data/
replogfile /usr/local/our/ldap/log/replica.log
suffix "o=our"
rootdn "cn=root,o=our"
rootpw {SSHA}***
index cid eq
index cn eq,sub
index objectClass eq
index folderName eq
index locked eq
DB_CONFIG:
set_flags DB_LOG_AUTOREMOVE
set_cachesize 4 0 2
set_lg_max 524288000
set_lg_regionmax 512000
set_lg_bsize 268435456
15 years, 7 months
Authentication in openldap
by Jyotishmaan Ray
Please see below for your reply
Please let me know what you meant by saying ppolicy overlay and may I know where the attributes pwdLockout and pwdLockoutDuration are (available in which objectClass)?
Kindly let me know if you have done it using a filter-based ACL to disable a given user's uid for some time. Here the question rises: can time be defined?
Thanks,
Jyotishmaan Ray
15 years, 7 months
on Authentication in openldap
by Jyotishmaan Ray
Hello List,
I have a question in my mind, which I think probably can be answered by you. It is as below:
Is there any way that, on a successful credentials match too, authentication can be stopped by returning false?
In other words, when a user logs on he is asked to enter his uid and password, and then it is checked against the entry stored in the database, which returns either True/False, resulting in a successful/unsuccessful authentication.
Is it possible to make it an unsuccessful authentication manually for a specific user without hampering the user's password? This I need in order to disable the user from the OpenLDAP server for some interval of time.
(This I want to do in order to suspend the user from logging on for some time, temporarily.)
Please throw some pointers in this direction !!!!
Thanks,
Jyotishmaan Ray
15 years, 7 months
error while adding entry using ldap.jar JAVA API
by Sumith Narayanan
Hi All,
I am trying to add a DN to OpenLDAP using Novell's ldap.jar APIs. When I try
to add a record it errors out with the below exception 1% of the time:
com.novell.ldap.LDAPException: No Such Object : (32) No Such Object
at com.novell.ldap.LDAPResponse.getResultException(LDAPResponse.java:247)
at com.novell.ldap.LDAPResponse.chkResultCode(LDAPResponse.java:174)
at com.novell.ldap.LDAPConnection.add(LDAPConnection.java:1049)
at com.novell.ldap.LDAPConnection.add(LDAPConnection.java:1015)
at org.ietf.ldap.LDAPConnection.add(LDAPConnection.java:820)
Could anyone provide any clue to help fix this ?
openLDAP & DB details :
The database which I am trying to update is 24GB in size, OpenLDAP 2.3.27
and BDB backend 4.4.20, Mac OS Tiger with 4GB RAM. It
will be receiving 100 searches / min on average.
Thanks, Sumith.
15 years, 8 months
SASL DIGEST-MD5 and Realm
by Eric
Hello,
I am running OpenLDAP v2.3.39 and have some questions
regarding SASL. Is it possible to use realms with
DIGEST-MD5 and no saslauthdb running? I am using ldap
to store the uid and password and authz-regexp
statements to map user ids. However, it seems that
ldap tools do not pass the realm parameter to the
server with my setup.
example:
ldapsearch -Y digest-md5 -U eric -R example.com
slapd debug:
do_sasl_bind: dn () mech DIGEST-MD5
SASL [conn=8] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to
uid=deploy,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=eric,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=eric,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=eric,cn=digest-md5,cn=auth to a DN
How come the realm parameter is missing?
Here is the authz-regexp I have in slapd.conf:
authz-regexp
uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth
ldap:///ou=users,dc=example,dc=com??sub?(&(uid=$1)(objectClass=posixAccount))
Thanks!
Eric
15 years, 8 months
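To see why the mapping never fires, here is the authz-regexp from the post applied to the two forms of SASL name: the one the debug trace shows (no realm RDN) and the one the regexp expects (realm present as cn=example.com). This is an added example, not the poster's or slapd's code; it assumes slapd's behaviour of matching authz-regexp with a POSIX extended, case-insensitive regex against the normalized name and substituting $1 with the first capture group.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* The authz-regexp pair from the post, verbatim; the realm appears as a
 * cn= RDN in the pattern, so a name without it cannot match. */
#define AUTHZ_PATTERN "uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth"
#define AUTHZ_TEMPLATE \
    "ldap:///ou=users,dc=example,dc=com??sub?(&(uid=%.*s)(objectClass=posixAccount))"

/* Apply the mapping to a normalized SASL authcid DN. Returns 1 and writes
 * the expanded search URL into out on match, 0 (out untouched) otherwise.
 * Assumption: REG_EXTENDED|REG_ICASE matching and $1 substitution, as slapd
 * does for authz-regexp. */
int authz_map(const char *authcid_dn, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[2];
    int matched = 0;

    if (regcomp(&re, AUTHZ_PATTERN, REG_EXTENDED | REG_ICASE) != 0)
        return 0;
    /* m[0] is the whole match, m[1] the uid capture group ($1). */
    if (regexec(&re, authcid_dn, 2, m, 0) == 0 && m[1].rm_so >= 0) {
        int len = (int)(m[1].rm_eo - m[1].rm_so);
        snprintf(out, outlen, AUTHZ_TEMPLATE, len, authcid_dn + m[1].rm_so);
        matched = 1;
    }
    regfree(&re);
    return matched;
}
```

The first name below is exactly what the post's slap_sasl2dn line reports, so with this regexp the bind identity is never rewritten to a directory DN.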
Re: error while adding entry using ldap.jar JAVA API
by Sumith Narayanan
With BDB 4.4.20 & openldap-2.3.39, I got a version incompatible error:
checking Berkeley DB version for BDB/HDB backends... no
configure: error: BDB/HDB: BerkeleyDB version incompatible
Please suggest which BDB version I should use.
Thanks, Sumith
On Fri, Apr 11, 2008 at 2:37 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> Whatever ones are on the Oracle website for BDB 4.4.20, and one for the
> region size problem.
>
> --Quanah
>
>
> --On Friday, April 11, 2008 2:34 PM -0700 Sumith Narayanan <
> sumith.narayanan(a)gmail.com> wrote:
>
> Thanks Quanah,
> >
> >
> > So if I use 4.4.20 , which all patches do I need to apply ? just the
> > region size one ?
> >
> >
> > -=Sumith
> >
> >
> > On Fri, Apr 11, 2008 at 2:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
> > wrote:
> >
> > The region size problem applies to 4.4.20 as well, but you may have to
> > manually fix it.
> >
> > I've kept on 4.2.52 because I've seen no gain from 4.4 or 4.5
> > performance
> > wise, and 4.2.52 has been quite stable.
> >
> > --Quanah
> >
> >
> >
> >
> > --On Friday, April 11, 2008 2:04 PM -0700 Sumith Narayanan
> > <sumith.narayanan(a)gmail.com> wrote:
> >
> >
> > I am already on db-4.4.20 , do I need to downgrade that ?
> >
> >
> > Thanks, Sumith
> >
> >
> > On Fri, Apr 11, 2008 at 12:49 PM, Quanah Gibson-Mount <quanah(a)zimbra.com
> > >
> > wrote:
> >
> >
> > --On Friday, April 11, 2008 12:32 PM -0700 Sumith Narayanan
> > <sumith.narayanan(a)gmail.com> wrote:
> >
> >
> > Thanks,
> >
> >
> > I could download BDB4.2.52+5 patches from
> >
> >
> >
> > http://www.oracle.com/technology/software/products/berkeley-db/db/index.h
> > tml
> >
> >
> > Where can I get all the 6 paches ?
> >
> >
> > <
> > http://www.stanford.edu/services/directory/openldap/configuration/patche
> > s/db/4252-region-fix.diff>
> >
> >
> >
> > Also , I how should I apply patch , in the oracle website , I just see
> > the code that need to be added as a patch ? Do I manually make changes
> > ?
> > Please suggest the best approach
> >
> >
> > I suggest familiarizing your self with the "patch" command.
> >
> >
> >
> >
> > --Quanah
> >
> > --
> >
> > Quanah Gibson-Mount
> > Principal Software Engineer
> > Zimbra, Inc
> > --------------------
> > Zimbra :: the leader in open source messaging and collaboration
> >
> >
> >
> >
> >
> >
> > --
> >
> > Quanah Gibson-Mount
> > Principal Software Engineer
> > Zimbra, Inc
> > --------------------
> > Zimbra :: the leader in open source messaging and collaboration
> >
> >
> >
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
15 years, 8 months
Re: error while adding entry using ldap.jar JAVA API
by Sumith Narayanan
Thanks Quanah,
So if I use 4.4.20 , which all patches do I need to apply ? just the region
size one ?
-=Sumith
On Fri, Apr 11, 2008 at 2:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> The region size problem applies to 4.4.20 as well, but you may have to
> manually fix it.
>
> I've kept on 4.2.52 because I've seen no gain from 4.4 or 4.5 performance
> wise, and 4.2.52 has been quite stable.
>
> --Quanah
>
>
> --On Friday, April 11, 2008 2:04 PM -0700 Sumith Narayanan <
> sumith.narayanan(a)gmail.com> wrote:
>
> I am already on db-4.4.20 , do I need to downgrade that ?
> >
> >
> > Thanks, Sumith
> >
> >
> > On Fri, Apr 11, 2008 at 12:49 PM, Quanah Gibson-Mount <quanah(a)zimbra.com
> > >
> > wrote:
> >
> >
> > --On Friday, April 11, 2008 12:32 PM -0700 Sumith Narayanan
> > <sumith.narayanan(a)gmail.com> wrote:
> >
> >
> > Thanks,
> >
> >
> > I could download BDB4.2.52+5 patches from
> >
> >
> >
> > http://www.oracle.com/technology/software/products/berkeley-db/db/index.h
> > tml
> >
> >
> > Where can I get all the 6 paches ?
> >
> >
> > <
> > http://www.stanford.edu/services/directory/openldap/configuration/patche
> > s/db/4252-region-fix.diff>
> >
> >
> >
> > Also , I how should I apply patch , in the oracle website , I just see
> > the code that need to be added as a patch ? Do I manually make changes
> > ?
> > Please suggest the best approach
> >
> >
> > I suggest familiarizing your self with the "patch" command.
> >
> >
> >
> >
> > --Quanah
> >
> > --
> >
> > Quanah Gibson-Mount
> > Principal Software Engineer
> > Zimbra, Inc
> > --------------------
> > Zimbra :: the leader in open source messaging and collaboration
> >
> >
> >
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
15 years, 8 months