ppolicy by group
by Andy Loughran
When ppolicy is set as default, it applies globally to the entire LDAP tree:
dn: cn=default,ou=policies,dc=zednax,dc=com
Is it possible to set the ppolicy by group?
Regards,
Andy
12 years, 6 months
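For the question above, the ppolicy overlay's own mechanism is per-entry assignment through the pwdPolicySubentry attribute rather than assignment by group; the LDIF below is an added example, not part of the original post, reusing the ou=policies,dc=zednax,dc=com suffix from the question and assuming a hypothetical ou=people container and uid=jdoe entry.

```ldif
# Added example (not from the original post). Assumes the ppolicy overlay is
# loaded and cn=default,ou=policies,dc=zednax,dc=com already exists as the
# global default; uid=jdoe and ou=people are hypothetical names.

# 1. A second, stricter policy for privileged accounts. pwdPolicy is an
#    auxiliary class, so a structural class (person) carries the entry.
dn: cn=admins,ou=policies,dc=zednax,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: admins
sn: admins
pwdAttribute: userPassword
pwdMinLength: 14
pwdMaxAge: 5184000
pwdInHistory: 10
pwdCheckQuality: 2
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900

# 2. Point one account at it. Entries without pwdPolicySubentry keep using
#    cn=default, so to cover a whole group the attribute is set on each
#    member rather than on the group entry.
dn: uid=jdoe,ou=people,dc=zednax,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=admins,ou=policies,dc=zednax,dc=com
```

Apply with ldapmodify bound as an identity allowed to write pwdPolicySubentry; when checking the result with ldapsearch, request the attribute by name, since operational attributes are not returned by default.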
ldapmodify and authentication
by Jason Gerfen
I am new to the ldapmodify tool and I am attempting to import a .ldif file to change some schema attributes.
The problem is that when I run the ldapmodify tool I am receiving the following error:
jason@valhalla ~/scripts $ ldapmodify -f .UID2SID/modify-06.20.2008-mclame.ldif -h domain -D Administrator -w password
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)
Can I disable this GSSAPI authentication or is this something I need to configure or use kinit to obtain? Thanks.
12 years, 7 months
Installation problem with Berkeley DB
by Nuno Manuel Martins
Hello,
When trying to install OpenLDAP 2.3.42 I got an error complaining about Berkeley DB 4.3. I Googled around and found out that OpenLDAP does not like version 4.4, so I downloaded and installed Berkeley DB 4.5.
I then tried to configure with ./configure --includedir=/usr/local/bdb4.5 (where I installed the new version).
Still, the configure script is going to fetch my old version. So I decided to rename the files of the old version in /usr/lib and link the same files to the ones in /usr/local/bdb4.5... somehow it still thinks I am using BDB 4.3 with the error:
checking for Berkeley DB major version... 4
checking for Berkeley DB minor version... 3
checking for Berkeley DB link (-ldb43)... no
checking for Berkeley DB link (-ldb-43)... no
checking for Berkeley DB link (-ldb-4.3)... no
checking for Berkeley DB link (-ldb-4-3)... no
checking for Berkeley DB link (-ldb-4)... no
checking for Berkeley DB link (-ldb4)... no
checking for Berkeley DB link (-ldb)... yes
checking for Berkeley DB version match... Berkeley DB version mismatch
header: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
library: Berkeley DB 4.5.20: (September 20, 2006)
So my question... is there any way to force the location of Berkeley DB when running configure?
Thank you,
Nuno
12 years, 7 months
Force syncrepl client to do complete sync?
by Andrew Findlay
I have a syncrepl setup where some slaves get a portion of the full
DIT that is defined by access-control on the master. This works well
until the ACLs change or some other data update (such as group
membership) allows the slave to see a different subset of the DIT.
The problem is twofold:
1) The slave might now have data that it should delete.
2) The slave might now be allowed to see more data so it should
replicate it.
The current syncrepl implementation does not seem to handle this case very
well on its own, and I don't want to delete the whole of the slave DB.
Is there some way that I can force a complete re-sync on a live server? I
tried deleting the contextCSN through LDAP, but of course it won't let
me do that on the slave.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
12 years, 7 months
use dynlist for company name? A second question of practical use of dynlist
by Zhang Weiwu
I am setting up a business directory of contact persons and companies. I
have this structure in mind:
ou=companies,dc=demo
cn=company1, ou=companies,dc=demo
o: Company Name 1
...
cn=company2, ou=companies,dc=demo
o: Company Name 2
...
ou=persons,dc=demo
uid=user1,ou=persons,dc=demo
cn: John Brown
company: cn=company1, ou=companies,dc=demo
o: Company Name 1
...
uid=user2,ou=persons,dc=demo
cn: Jason Brown
company: cn=company2, ou=companies,dc=demo
o: Company Name 2
...
My problem: if a company updates its name, it has to be updated in 2
places: the company record, and the person record. If company name
change is only updated in ou=company1, the search for "finds all people
working in ABC Co.ltd" would not work as expected.
Updating company names in 2 places causes 2 problems: 1: more work; 2:
potentially the two don't match, then we have to align the records.
I wish to use dynlist for o attribute for the entries in ou=persons. But
that means dynlist is used in thousands of records. Is this a proper
practical use of dynlist?
12 years, 7 months
a second stupid dynlist question: can LDAP URI be relative?
by Zhang Weiwu
Hello.
I wonder if it is possible to write a dynlist that automatically harvests
email addresses from all its sub-entries.
I know this works:
dn: ou=People,dc=example,dc=com
childrenMail: ldap:///ou=People,dc=example,dc=com?mail?sub?(objectClass=person)
But is it possible to write the URI in a way that doesn't explicitly
refer to the dn of the current entry?
e.g.:
dn: ou=People,dc=example,dc=com
childrenMail: ldap:///.?mail?sub?(objectClass=person)
Best regards
12 years, 7 months
Fw: Referral - not chased - working as designed?
by Brad T Waldorf
Hi...
First, let me apologize if this isn't the right place to ask this question.
If it isn't, I'd greatly appreciate any suggestions on a forum to which I
can post this (and any future OpenLDAP questions).
I'm wondering what the "normal" function of a referral is supposed to be.
I (probably mistakenly) assumed that a referral is a way to specify a
server (say server B) to which your search request is forwarded (from
server A) if the search criteria isn't matched on server A.... And the data
is then searched for on server B and returned to server A. (In slapd.conf
on server A, I have a referral value of server B.)
But all I get is the "referral (10)" result on server A...
Referral (10)
Referral: ldap://(IP address of server B):389/o=TPFstooge??sub
The documentation says ...
H.12. referral (10)
Indicates that a referral needs to be chased to complete the operation (see
Section 4.1.10).
Well, right... but isn't server A supposed to do the chasing? Or is the
referral simply a value that's passed back to server A, and not chased?
(And you should use the "ldap" backend if you want your referrals chased?)
Sorry if this was a dumb question. I'm probably mistakenly assuming that
referrals are automatically chased, when their only function is to simply
return a value.
Thanks for your time!
12 years, 7 months
use dynlist for company name? A question of practical use of dynlist
by Zhang Weiwu
Hello.
I am setting up a business directory of contact persons and companies. I
have this structure in mind:
ou=companies,dc=demo
o=company name 1, ou=companies,dc=demo
o=company name 2, ou=companies,dc=demo
...
ou=persons,dc=demo
uid=user1,ou=persons,dc=demo
cn: John Brown
o: company name 1
...
uid=user2,ou=persons,dc=demo
cn: Jason Brown
o: company name 2
...
...
My problem: the system is multi-lingual, meaning each company can have
multiple company names, and most of them do, because we are in a
cross-culture location where each company must have two names. Thus
maintaining correspondence between persons' "o" values is a lot of work.
The other trouble: If a company updates its name, all person records
should update too.
My idea to solve this problem is to use dynlist, that is for each person
the organization he works in is a dynamic list which returns the o
attribute value of the company by referring to the company with URI.
Before I actually implement in this way I'd like to ask the list for
wisdom. I 'invented' this solution by just looking at the manual of
dynlist and not being aware if it brings some down-side (e.g. is the
attribute that implements dynlist searchable? a.k.a. can I still search
for Jason in "company name 2" with a single filter?) Anyway, do you
think this solution works & is practical?
12 years, 7 months
Re: managing OpenLDAP / back-config
by Michael Ströder
Hallvard B Furuseth wrote:
> Michael Ströder writes:
>> Since web2ldap and the delta-modification generator has full schema
>> knowledge today I could look up whether there's an EQUALITY matching
>> rule defined for a given attribute type and then explicitly delete
>> certain attribute values like Hallvard suggested.
>
> Actually I wasn't suggesting that for web2ldap, though it sounds nice.
> At the time I was talking about how EQUALITY rules would make it easier
> to write config LDIFs by hand.
I've now implemented that. Needs testing with other LDAP server
implementations as well and many weird attribute types. The main problem
with such an approach is that subschema is always incomplete. :-(
Ciao, Michael.
12 years, 7 months
reverse membership and permissions
by Jason Dusek
I'm curious about the intended permissions model for reverse
group membership:
http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membe...
Consider the case where a user should only have write access to
their own attributes and a friends groups to which they can add
their friends. The reverse group membership overlay is used to
propagate `memberOf` attributes to all the users that they
add to their group of friends. We do it this way because
'denormalizations' of this kind are helpful for query
efficiency.
For this application, it seems right for the overlay to
propagate changes that a user does not have permission to
execute themselves -- we don't have to let a user know who
anybody else's friends are, for example; nor can they change
that attribute.
If this can be added, it'd be great. If it's already possible,
I'd appreciate it if it were part of the documentation.
--
_jsn
12 years, 7 months