openldap-software June 2008

openldap-software@openldap.org

62 participants
64 discussions

ppolicy by group
by Andy Loughran 23 Jun '08

23 Jun '08

When ppolicy is set as default, it applies globally to the entire LDAP tree: dn: cn=default,ou=policies,dc=zednax,dc=com Is it possible to set the ppolicy by group? Regards, Andy

8 11

ldapmodify and authentication
by Jason Gerfen 20 Jun '08

20 Jun '08

I am new to the ldapmodify tool and I am attempting to import a .ldif file to change some schema attributes. The problem is that when I run the ldapmodify tool I am receiving the following error: jason@valhalla ~/scripts $ ldapmodify -f .UID2SID/modify-06.20.2008-mclame.ldif -h domain -D Administrator -w password SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) Can I disable this GSSAPI authentication or is this something I need to configure or use kinit to obtain? Thanks.

3 2

Installation problem with Berkeley DB
by Nuno Manuel Martins 20 Jun '08

20 Jun '08

Hello, When trying to install OpenLDAP 2.3.42 I got an error complaining about berkely DB 4.3. I Googled around and found out that OpenLDAP does not like version 4.4 so I downloaded and installed version Berkeley DB 4.5 I then tried to configure with ./configure --includedir=/usr/local/bdb4.5 (where I installed the new version). Still, the configure script is going to fetch my old version. So I decided to rename the files of the old version in /usr/lib and link the same files to the ones in /usr/local/bdb4.5... somehow he still thinks I am using BDB 4.3 with the error: checking for Berkeley DB major version... 4 checking for Berkeley DB minor version... 3 checking for Berkeley DB link (-ldb43)... no checking for Berkeley DB link (-ldb-43)... no checking for Berkeley DB link (-ldb-4.3)... no checking for Berkeley DB link (-ldb-4-3)... no checking for Berkeley DB link (-ldb-4)... no checking for Berkeley DB link (-ldb4)... no checking for Berkeley DB link (-ldb)... yes checking for Berkeley DB version match... Berkeley DB version mismatch header: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006) library: Berkeley DB 4.5.20: (September 20, 2006) So my question... is there any way to force the location of Berkeley DB when running configure? Thank you, Nuno

3 9

Force syncrepl client to do complete sync?
by Andrew Findlay 20 Jun '08

20 Jun '08

I have a syncrepl setup where some slaves get a portion of the full DIT that is defined by access-control on the master. This works well until the ACLs change or some other data update (such as group membership) allows the slave to see a different subset of the DIT. The problem is twofold: 1) The slave might now have data that it should delete. 2) The slave might now be allowed to see more data so it should replicate it. The current syncrepl implementation does not seem to handle this case very well on its own, and I don't want to delete the whole of the slave DB. Is there aome way that I can force a complete re-sync on a live server? I tried deleting the contextCSN through LDAP, but of course it won't let me do that on the slave. Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

2 3

use dynlist for company name? A second question of practical use of dynlist
by Zhang Weiwu 19 Jun '08

19 Jun '08

I am setting up a business directory of contact persons and companies. I have this structure in mind: ou=companies,dc=demo cn=company1, ou=companies,dc=demo o: Company Name 1 ... cn=company2, ou=companies,dc=demo o: Company Name 2 ... ou=persons,dc=demo uid=user1,ou=persons,dc=demo cn: John Brown company: cn=company1, ou=companies,dc=demo o: Company Name 1 ... uid=user2,ou=persons,dc=demo cn: Jason Brown company: cn=company2, ou=companies,dc=demo o: Company Name 2 ... My problem: if a company updates its name, it has to be updated in 2 places: the company record, and the person record. If company name change is only updated in ou=company1, the search for "finds all people working in ABC Co.ltd" would not work as expected. Updating company names in 2 places causes 2 problems: 1: more work; 2: potentially the two doesn't match, then we have to align the records. I wish to use dynlist for o attribute for the entries in ou=persons. But that means dynlist is used in thousands of records. Is this a proper practical use of dynlist?

2 3

a second stupid dynlist question: can LDAP URI be relative?
by Zhang Weiwu 19 Jun '08

19 Jun '08

Hello. I wonder is it possible to write dynlist that automatically harvest email address from all its sub-entries. I know this works: dn: ou=People,dc=example,dc=com childrenMail: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass= person) But is it possible to write URI in the way that it doesn't explicitly refer to the dn of the current entry? e.g.: dn: ou=People,dc=example,dc=com childrenMail: ldap:///.?mail?sub?(objectClass=person) Best regards

2 1

Fw: Referral - not chased - working as designed?
by Brad T Waldorf 18 Jun '08

18 Jun '08

Hi... First, let me apologize if this isn't the right place to ask this question. If it isn't, i'd greatly appreciate any suggestions on a forum to which i can post this (and any future OpenLDAP questions). I'm wondering what the "normal" function of a referral is supposed to be. I (probably mistakenly) assumed that a referral is a way to specify a server (say server B) to which your search request is forwarded (from server A) if the search criteria isn't matched on server A.... And the data is then searched for on server B and returned to server A. (In slapd.conf on server A, i have a referral value of server B.) But all i get is the "referral (10)" result on server A... Referral (10) Referral: ldap://(IP address of server B):389/o=TPFstooge??sub The documentation says ... H.12. referral (10) Indicates that a referral needs to be chased to complete the operation (see Section 4.1.10). Well, right... but isn't server A supposed to do the chasing? Or is the referral simply a value that's passed back to server A, and not chased? (And you should use the "ldap" backend if you want your referalls chased?) Sorry if this was a dumb question. I'm probably mistakenly assuming that referrals are automatically chased, when their only function is to simply return a value. Thanks for your time!

2 1

use dynlist for company name? A question of practical use of dynlist
by Zhang Weiwu 17 Jun '08

17 Jun '08

Hello. I am setting up a business directory of contact persons and companies. I have this structure in mind: ou=companies,dc=demo o=company name 1, ou=companies,dc=demo o=company name 2, ou=companies,dc=demo ... ou=persons,dc=demo uid=user1,ou=persons,dc=demo cn: John Brown o: company name 1 ... uid=user2,ou=persons,dc=demo cn: Jason Brown o: company name 2 ... ... My problem: the system is multi-lingual, means each company can have multiple company names, and most of them do, because we are in a cross-culture location where each company must have two names. Thus maintaining correspondence between person's "o" value is a lot of work. The other trouble: If a company updates its name, all person records should update too. My idea to solve this problem is to use dynlist, that is for each person the organization he works in is a dynamic list which returns the o attribute value of the company by referring to the company with URI. Before I actually implement in this way I'd like to ask the list for wisdom. I 'invented' this solution by just looking at the manual of dynlist and not being aware if it brings some down-side (e.g. is the attribute that implements dynlist searchable? a.k.a. can I still search for Jason in "company name 2" with a single filter?) Anyway, do you think this solution works & is practical?

2 1

Re: managing OpenLDAP / back-config
by Michael Ströder 17 Jun '08

17 Jun '08

Hallvard B Furuseth wrote: > Michael Ströder writes: >> Since web2ldap and the delta-modification generator has full schema >> knowledge today I could look up whether there's an EQUALITY matching >> rule defined for a given attribute type and then explicitly delete >> certain attribute values like Hallvard suggested. > > Actually I wasn't suggesting that for web2ldap, though it sounds nice. > At the time I was talking about how EQUALITY rules would make it easier > to write config LDIFs by hand. I've now implemented that. Needs testing with other LDAP server implementations as well and many weird attribute types. The main problem with such an approach is that subschema is always incomplete. :-( Ciao, Michael.

3 3

reverse membership and permissions
by Jason Dusek 17 Jun '08

17 Jun '08

I'm curious about the intended permissions model for reverse group membership: http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Members… Consider the case where a user should only have write access to their own attributes and a friends groups to which they can add their friends. The reverse group membership overlay is used to propogate `memberOf` of attributes to all the users that they add to their group of friends. We do it this way because 'denormalizations' of this kind are helpful for query efficiency. For this application, it seems right for the overlay to propogate changes that a user does not have permission to execute themselves -- we don't have to let a user know who anybody else's friends are, for example; nor can they change that attribute. If this can be added, it'd be great. If it's already possible, I'd appreciate it if it were part of the documentation. -- _jsn

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2008