openldap-software June 2008

openldap-software@openldap.org

62 participants
64 discussions

Re: additional info: homePhone: value #0 normalization failed
by Michael Ströder 13 Jun '08

13 Jun '08

Jay Jesus Amorin wrote: > Thanks Michael, Do you have any idea on how i can fix this issue? Simply provide attribute value which complies to telephone number syntax. There are examples like +49 123 456789. Since you did not provide your file data.ldif here further hints about how to exactly fix your data are not possible. > Is there any tool that I can use to handle this problem? No special tool needed. Simply fix your data.ldif with your preferred text editor. Ciao, Michael.

2 1

query result size limit by ip
by Bill MacAllister 13 Jun '08

13 Jun '08

We have an application that can only bind to the directory anonymously and needs to be able to exceed our query size limit. The queries will come from a small set of IP addresses. What we want to do is to set the query size limit by source ip address. One way that I can see to do this is to run two slapd servers with different -h switches specified on the slapd startup so that each server will bind to a different interface:port. Then we can restrict access to the unlimited-size-query server using ip tables. What would be really nice is if the two configurations could specify the same backend databases. Has anyone done this? Should this work? Is there a better way to do this? Bill -- Bill MacAllister <whm(a)stanford.edu> Systems Programmer, ITS Unix Systems, Stanford University

2 2

Syncrepl connections
by Erich Weiler 13 Jun '08

13 Jun '08

Greetings all! I'm using OpenLDAP 2.3.28-8, and have configured a master LDAP server for our environment, works great. I then configured a slave server that stays in sync using syncrepl (use refreshAndPersist), also works fine. One think I'm noticing is that is I restart slapd on the master server, it seems that the slave server stops syncing properly. i.e. if I make a change on the master, it is not sync'd to the slave. If I restart slapd on the slave it then syncs any changes that it missed from before. Is this standard behavior? Does anyone know of a way to tell the slave to automatically try and reconnect with the master if the connection is temporarily lost? Thanks in Advance! Erich

2 2

user they can modify passwords
by Sven Buchstaller 13 Jun '08

13 Jun '08

Hi List i need an user "it" they can modify on my ldap the passwords for all users. atm my settings in the acl.conf are: access to dn.base="" by * read access to dn.base="cn=subSchema" by * read access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read access to dn.subtree="ou=users,dc=server1,dc=intern" by self write by dn="uid=intern,ou=users,dc=server1,dc=intern" by * read access to dn.subtree="ou=groups,dc=server1,dc=intern" by * read access to dn.sub="ou=hosts,dc=server1,dc=intern" by self write by dn="uid=hostadmin,ou=users,dc=server1,dc=intern" write by * read can i do like this: access to dn.subtree="ou=users,dc=server1,dc=intern" by self write by dn="uid=intern,ou=users,dc=server1,dc=intern" by * read by dn="uid=it,ou=users,dc=server1,dc=intern" by * write MFG Sven

2 1

Re: additional info: homePhone: value #0 normalization failed
by Michael Ströder 12 Jun '08

12 Jun '08

Jay Jesus Amorin wrote: > ldapadd -x -D "cn=Administrator,dc=house,dc=org" -w 12345678 -f > /home/ja9/data.ldif > adding new entry "cn=labacan,ou=house_backup,dc=house,dc=org" > ldap_add: Invalid syntax (21) > additional info: homePhone: value #0 normalization failed It means what the error code says: The syntax of the attribute value you're providing in your data.ldif does not comply to the LDAP syntax assigned to attribute type 'homePhone'. Ciao, Michael.

1 0

Authentication by group
by Mauricio Paulo de Sousa 12 Jun '08

12 Jun '08

Helo all! The problem I have to resolve is to see if is possible authenticate the users by groups... and make users belong from more than one group,mut, by priorities... I dont know if this is possible. can anybody said me if its is possible?? thanks to all! -- Mauricio Paulo de Sousa

2 1

US ECCN and AL Number/EU ECCN for OpenLDAP 2.3.31
by joerg.rockel＠nsn.com 12 Jun '08

12 Jun '08

Hi, We are using OpenLDAP 2.3.31 in one of our products, and are now in the process of collecting the information needed to export it to other countries. Can you tell me what the U.S. Export Control Classification Number(ECCN) for OpenLDAP 2.3.31 is, and whether a license exception may be used for it? If you don't know the US ECCN, can you tell me whether any US citizens or people living in the U.S.A. have contributed code to OpenLDAP 2.3.31 ? In addition to the U.S. ECCN, there is also a German "ECCN", which is called the AL Number or EU-ECCN. Can you tell me what the AL or EU-ECCN Number is for OpenLDAP 2.3.31? To better understand the meaning of the U.S. ECCN, please check the following webpage: http://www.bis.doc.gov/Licensing/Do_I_NeedAnECCN.html Many thanks, Jörg Rockel _______________________________________ www.nokiasiemensnetworks.com <http://www.nokiasiemensnetworks.com/> Nokia Networks GmbH Heltorfer Str.1 D-40472 Düsseldorf Germany Mobile: +49(0)151 5515 3554 Direct: +49 (0)151 5515 3554 Fax: +49 (0) 211 9412 3383 email: Jörg Rockel(a)nsn.com <mailto:joerg.rockel@nsn.com> Jörg Rockel Senior Software Design Engineer Research & Development _______________________________________ This message is confidential. If you have received this message in error, please delete it from your system. You should not copy it for any purpose, or disclose its contents to any other person. Internet communications are not secure and therefore Nokia GmbH does not accept legal responsibility for the contents of this message as it has been transmitted over a public network. Thank you. Nokia Networks GmbH Sitz der Gesellschaft: Bochum Amtsgericht Bochum: HRB 11180 Ust-Id.-Nr./ VAT ID: DE814765854 WEEE-Reg.-Nr. DE 51797011 Geschäftsführer: Dr. Ulrich Halka Nokia Networks GmbH arbeitet auf Rechnung der Nokia Siemens Networks Nokia Networks GmbH operates for the account of Nokia Siemens Networks

4 3

enumeratin all ldap objects in a LDAP ?
by Michael Arndt 12 Jun '08

12 Jun '08

Hello *, what is a "good" way to enumerate all objects in an open ldap in order to get a total count of defined objects ? ( how many objects ..) TIA Michael PS: Sorry if i should know this by reading basic infos -- Vorstand/Board of Management: Dr. Bernd Finkbeiner, Dr. Florian Geyer, Dr. Roland Niemeier, Dr. Arno Steitz, Dr. Ingrid Zech Vorsitzender des Aufsichtsrats/ Chairman of the Supervisory Board: Prof. Dr. Hanns Ruder Sitz/Registered Office: Tuebingen Registergericht/Registration Court: Stuttgart Registernummer/Commercial Register No.: HRB 382196

5 4

automatic uidnumber overlay
by Joel Reed 12 Jun '08

12 Jun '08

The attached uidnumber.c overlay intercepts ADD requests for entries with a posixAccount objectclass that do not have a uidNumber. When such ADD requests are found, the overlay searches the directory for the largest uidNumber, then automatically adds a uidNumber attribute of largest+1 to the entry being added. This overlay was made possible by copying and pasting lots of code from David Hawes' addpartial.c. This is my first time ever using the openldap API, so any feedback for improvement is greatly appreciated. jr OPENLDAP_SRC=/home/jreed/src/slapd/openldap2.3-2.4.7 CPPFLAGS+=-I${OPENLDAP_SRC}/include -I${OPENLDAP_SRC}/servers/slapd -I${OPENLDAP_SRC}/debian/build/include/ LDFLAGS+=-L/usr/local/openldap-2.4.9 CC=gcc all: uidnumber.so uidnumber.so: uidnumber.c $(CC) -shared $(CPPFLAGS) $(LDFLAGS) -Wall -o $@ $? clean: rm uidnumber.so ######################################################### # the rest of this makefile was used for testing purposes # YMMV TEST_ARGS=-x -D cn=admin,o=root -y ~/.ds.pwd install: uidnumber.so sudo /etc/init.d/slapd stop sudo cp -v $^ /usr/lib/ldap/ sudo /etc/init.d/slapd start uninstall: rm -fv /usr/lib/ldap/uidnumber.so test: ldapadd $(TEST_ARGS) -f test.ldif testclean: ldapdelete $(TEST_ARGS) "uid=jane2.doe(a)visn.biz,ou=users,dc=nviznit,dc=com,o=root" ldapdelete $(TEST_ARGS) "uid=jane3.doe(a)visn.biz,ou=users,dc=nviznit,dc=com,o=root" ldapdelete $(TEST_ARGS) "uid=jane4.doe(a)visn.biz,ou=users,dc=nviznit,dc=com,o=root"

9 10

Adding additional schema - objectClass: value #1 invalid per syntax
by Ed Greenberg 10 Jun '08

10 Jun '08

Hi folks, I added the following to my schema directory: dn: cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' ) objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser$ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' ) and referenced it in slapd.conf as: include /etc/openldap/schema/sudoers.schema When I try to add this: dn: cn=SU_WGADMIN,ou=SUDOers,dc=geni,dc=com sudoHost: +srv-web sudoHost: +srv-rs sudoHost: +srv-memc sudoHost: +srv-db sudoHost: +srv-admin sudoHost: +srv-office sudoHost: +srv-solr sudoHost: +srv-sn sudoCommand: /bin/su - wgadmin sudoCommand: /bin/su -l wgadmin sudoCommand: /bin/su -l qa sudoCommand: /bin/su - qa sudoOption: !authenticate objectClass: top objectClass: sudoRole cn: SU_WGADMIN sudoUser: +ppl-eng sudoUser: +fp-automation I get the error: add sudoHost: +srv-web +srv-rs +srv-memc +srv-db +srv-admin +srv-office +srv-solr +srv-sn add sudoCommand: /bin/su - wgadmin /bin/su -l wgadmin /bin/su -l qa /bin/su - qa add sudoOption: !authenticate add objectClass: top sudorole add cn: SU_WGADMIN add sudoUser: +ppl-eng +fp-automation adding new entry "cn=SU_WGADMIN,ou=SUDOers,dc=geni,dc=com" modify complete ldap_add: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax Trimming things down to just dn: cn=SU_WGADMIN,ou=SUDOers,dc=geni,dc=com objectClass: top objectClass: sudoRole cn: SU_WGADMIN produces the same error, which makes sense. Reversing top and sudoRole migrates the error from value #1 to value #0, which also makes sense. On reviewing the list of available objectClasses with the GQ application, I can't find the objectClass sudoRole, although I _can_ find the five attributes, in the attribute list. I can't find a log that might tell me what is being loaded, and slapd starts without error. I also can't figure out how to dump the schemas with ldapsearch or any other command, so I can check to see for myself what's in there. Can anybody tell me what might be wrong, or how to continue to investigate the problem? Thanks, </edg>

5 6

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2008