openldap-software August 2008

openldap-software@openldap.org

70 participants
81 discussions

N-Way replication
by Alexander Kriventsov 07 Aug '08

07 Aug '08

Hello. I'm trying to do N-way replication, and I have some strange issue with replication. I have two servers ldap1 and ldap2. In ldap1 I did these: #slapadd -F /usr/local/etc/openldap/slapd.d/ -n 0 <<EOF dn: cn=config objectClass: olcGlobal cn: config dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootPW: SECRET EOF #chown -R ldap /usr/local/etc/openldap/slapd.d/* #/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -u ldap -g ldap -d Sync -h "ldap://" #ldapadd -D cn=config -H ldap://localhost -w larati5nco6e << EOF dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/libexec/openldap olcModuleLoad: {0}back_bdb olcModuleLoad: {1}back_hdb EOF #ldapmodify -D cn=config -H ldap://localhost -w larati5nco6e <<EOF dn: cn=config changetype: modify replace: olcServerID olcServerID: 1 ldap://ldap1 olcServerID: 2 ldap://ldap2 dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov dn: olcDatabase={0}config,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://ldap1 binddn="cn=config" bindmethod=simple credentials=SECRET searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncRepl: rid=002 provider=ldap://ldap2 binddn="cn=config" bindmethod=simple credentials=SECRET searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 - add: olcMirrorMode olcMirrorMode: TRUE EOF #slapcat -n 0 -l cn=config.ldif And after that I copied cn=config.ldif to ldap2, and did #slapadd -F /usr/local/etc/openldap/slapd.d/ -n 0 -l cn=config.ldif #chown -R ldap /usr/local/etc/openldap/slapd.d/* #/usr/local/libexec/slapd -F /usr/local/etc/openldap/slapd.d -u ldap -g ldap -d Sync -h "ldap://" When I did changes in cn=config in ldap1 replication works fine, but if I did it in ldap2 replication doesn't work. On console where I started slapd I don't see any tries to do replication. Please advise. -- Best Regards, Alexander Kriventsov .masterhost

3 3

Schema repository?
by Jeff Blaine 07 Aug '08

07 Aug '08

I spent a good half hour last night massaging RFC3712.txt into a schema to load into OpenLDAP. The entire time I thought, "Surely I am missing something in my Google searches -- others MUST have done this already." Is there really no LDAP schema repository website? I've found nothing in the openldap FAQ-o-matic either (which is largely filled with information from around 2001 it seems). Any tips would be great! If need be, *I'LL* make a repository for everyone, but I'm not going to duplicate effort. Jeff

5 4

ldap backend problem
by Brett ＠Google 07 Aug '08

07 Aug '08

Hello, I am trying to setup a ldap backend which is a filtered view of another larger parent directory, with respect to exposing fewer object classes and attributes. The intent is to present a simpler view of the larger directory, and the config below works, except for when i uncomment the line containing "rwm-map attribute *", to hide the attributes i do not want visible, but after that it stops returning any entries at all for any query. So may be there is some important openldap attribute i am nuking ? I'd appreciate any opinions / feedback on the config below, and if people have used rwm-map sucessfully ? The docs on the ldap/meta/etc., backends are somewhat sparse to say the least, but i believe the below should in theory work. Cheers Brett The structure of the parent directory is : c=AU o=My Org 1 ou=My Unit 1 o=My Org 2 ou=My Unit 2 Config is : database ldap suffix "c=AU" uri "ldap://<parent ip>:<parent port>/" overlay rwm lastmod off # attribute maps (ok except for final "rwm-map attribute *" map) rwm-map attribute cn * rwm-map attribute sn * rwm-map attribute mail * rwm-map attribute c * rwm-map attribute o * rwm-map attribute ou * # does not like this, it stops any entries being returned #rwm-map attribute * # objectclass maps (ok) rwm-map objectclass top * rwm-map objectclass country * rwm-map objectclass organization * rwm-map objectclass organizationalRole * rwm-map objectclass organizationalPerson * rwm-map objectclass organizationalUnit * rwm-map objectclass *

2 1

Re: Authenticated users can create new entries but then only creator can modify entry
by Pierangelo Masarati 06 Aug '08

06 Aug '08

----- "fathi engineer" <fathi.engineer(a)gnet.tn> wrote: > Hi, > > In the proccess of setting up an openldap server as a pgp key server, > I want to grant access to every authenticated user to create a new > entry in a subtree of the basedn and every body to read entries in > that subtree but only creator to be able to modify his entries. > > I tried with the following (unsuccessfully): > > access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" > by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$" > selfwrite > by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write > by * read > > and also > by dnattr=owner selfwrite > by users write > by * read > > but none worked. > > I am running openldap-2.3.27-8.el5_2.4 Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification. And "owner" is a specific attribute of some objectClasses; unless you're creating those objects with the correct "owner" value, the creator will not be able to write them. You should use by dnattr=creatorsName write The "self" is not needed; it refers to a user writing to a target corresponding to its own name, or to an attribute whose value consists in its own name. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

4 6

Building with MSYS/MinGW
by Pierangelo Masarati 06 Aug '08

06 Aug '08

I'm building OpenLDAP with MSYS/MinGW. Tests fail because apparently slapd is unable to handle full path files. For example, "directory /home/masarati/ldap-devel/tests/testrun/db.1.a" does not work, but if I rename it to "directory ./testrun/db.1.a" it works fine. I don't have version info handy right now, I just wanted a quick feedback: is this a known issue, or did I forget anything while installing MSYS/MinGW, or am I missing something trivial? I can look at this later, if any additional info is needed. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

2 2

Re: Authenticated users can create new entries but then only creator can modify entry
by fathi.engineer＠gnet.tn 06 Aug '08

06 Aug '08

Hi, Thinking of my subtree as a file system directory, I understood what you meant by your answer and this the solution to my problem: access to dn="ou=PGP Keys,o=SNCFT,c=TN" by users write by * read access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" by dnattr=creatorsName write by * read Now, an authenticated user can create a new entry but can't overwite someone else's entry. Thank you. Fathi B.N.

1 0

Re[2]: N-Way replication
by Alexander Kriventsov 05 Aug '08

05 Aug '08

Вы писали 6 августа 2008 г., 3:29:41: > --On Tuesday, August 05, 2008 6:29 PM +0400 Alexander Kriventsov > <akriventsov(a)masterhost.ru> wrote: >> >> Hello. >> I'm trying to do N-way replication, and I have some strange issue with >> replication. >> I have two servers ldap1 and ldap2. In ldap1 I did these: > OpenLDAP release? OpenLDAP 2.4.11 - Freebsd 7.0 - amd64 > --Quanah > -- > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration -- Best Regards, Alexander Kriventsov .masterhost

1 0

attrs.regex?
by Pat Riehecky 05 Aug '08

05 Aug '08

In the interest of simplifying my life I was going to convert one of my crazy ACLs to a regex (and a rather trivial one at that), but I am finding a bit of an issue... seems I have misread the doc and am not sure where... I was aiming for something along the lines of: anything that has an attribute name of IWU with something else attached afterward would be captured (in practice my perl says I want /^IWU.*/ but for now the simple and later the hard as first character on the line matching can be added later once syntax errors go away) Thus I wrote: access to dn.sub="dc=testldap,dc=iwu,dc=edu" attrs.regex="IWU.*" by self read by * none However, I get a happy syntax error on this line. That is fair as on a closer reading of the syntax I have come to the conclusion that attrs.regex is nonsense and that the regex entry near the attrs list relates to values. Am I right? Is there no way to do attrs regex matching? OpenLDAP 2.4.11 Pat

2 1

Authenticated users can create new entries but then only creator can modify entry
by fathi.engineer＠gnet.tn 05 Aug '08

05 Aug '08

Hi, In the proccess of setting up an openldap server as a pgp key server, I want to grant access to every authenticated user to create a new entry in a subtree of the basedn and every body to read entries in that subtree but only creator to be able to modify his entries. I tried with the following (unsuccessfully): access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$" selfwrite by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write by * read and also by dnattr=owner selfwrite by users write by * read but none worked. I am running openldap-2.3.27-8.el5_2.4 TIA Fathi B.N.

1 0

Re: slapd does not start, where do I find the error?
by Buchan Milne 05 Aug '08

05 Aug '08

On Monday 04 August 2008 22:08:16 Brad Knowles wrote: > Buchan Milne wrote: > > See the repo file for some information on how to install: > > http://staff.telkomsa.net/packages/OpenLDAP.repo > > Out of curiosity, how do you configure this repo to be used? I tried > putting it into /etc/sysconfig/rhn/sources on a RHEL4 box, and it doesn't > seem to work as either a yum-style or apt-style repo, so up2date ends up > barfing on it. RHEL4 is quite depressing, we use smart on our RHEL4 boxes (so that we have a feature that was available on Mandrake 7.0, in 2000, being able to install packages on the installation media after installation), but the repo file is actually for yum. Unfortunately, up2date on RHEL4 doesn't understand the new RPM meta-data repo as used by yum/smart etc., only the old legacy yum 1.x format. Let me see if I can run yum-arch on the repo ... > Is there additional documentation somewhere that I've missed?

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software August 2008