Re: OpenLDAP questions
by Michael Ströder
Kristen Walker wrote:
> Another possibility would be to sync the LDAP server with our MySQL
> database, that way we could keep adding users as we do now and sync
> them nightly with the LDAP server.
Would be a better approach than messing around with CSV files.
> Does anyone do this?
A very simple example script for such a sync, implemented in Python:
http://www.stroeder.com/pylib/egadr2ldap.py
Your mileage may vary.
Ciao, Michael.
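As an added illustration of the nightly SQL-to-LDAP sync discussed above (example code, not the script linked in the reply): it diffs the membership table against a snapshot of the directory and emits LDIF change records, base64-encoding values that RFC 2849 does not allow in clear form. The suffix ou=people,dc=example,dc=com, the users table layout and the sample rows are all constructed assumptions; sqlite3 stands in for MySQL so the block runs offline.

```python
import base64
import sqlite3
from typing import Dict, List

BASE_DN = "ou=people,dc=example,dc=com"   # assumed target suffix
Users = Dict[str, Dict[str, str]]         # uid -> {attribute: value}

def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: base64-encode ('attr:: ') non-ASCII values or values with
    leading/trailing space or a leading ':' or '<'; otherwise plain 'attr: '."""
    if value.isascii() and value == value.strip() and "\n" not in value \
            and not value.startswith((":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def sync_changes(sql_users: Users, ldap_users: Users) -> List[str]:
    """LDIF change records that bring the directory in line with the SQL table."""
    records = []
    for uid, attrs in sorted(sql_users.items()):
        dn = f"uid={uid},{BASE_DN}"
        current = ldap_users.get(uid)
        if current is None:                       # new member: add the entry
            rec = [f"dn: {dn}", "changetype: add", "objectClass: inetOrgPerson", f"uid: {uid}"]
            rec += [ldif_line(k, v) for k, v in attrs.items()]
        else:                                     # existing: replace only what differs
            changed = {k: v for k, v in attrs.items() if current.get(k) != v}
            if not changed:
                continue
            rec = [f"dn: {dn}", "changetype: modify"]
            for k, v in changed.items():
                rec += [f"replace: {k}", ldif_line(k, v), "-"]
        records.append("\n".join(rec))
    for uid in sorted(set(ldap_users) - set(sql_users)):   # gone from SQL: delete
        records.append(f"dn: uid={uid},{BASE_DN}\nchangetype: delete")
    return records

def demo_changes() -> List[str]:
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the MySQL membership table
    conn.execute("CREATE TABLE users (uid TEXT PRIMARY KEY, cn TEXT, sn TEXT, mail TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("kwalker", "Kristen Walker", "Walker", "kwalker@example.com"),
        ("jmueller", "Jörg Müller", "Müller", "jmueller@example.com"),
    ])
    sql_users = {uid: {"cn": cn, "sn": sn, "mail": mail}
                 for uid, cn, sn, mail in conn.execute("SELECT uid, cn, sn, mail FROM users")}
    ldap_users = {  # constructed snapshot of what the directory holds today
        "kwalker": {"cn": "Kristen Walker", "sn": "Walker", "mail": "old@example.com"},
        "jdoe": {"cn": "Jane Doe", "sn": "Doe", "mail": "jdoe@example.com"},
    }
    return sync_changes(sql_users, ldap_users)
```

The returned records can be fed to ldapmodify; in a real run the ldap_users snapshot would come from a search of the directory rather than a literal.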
Proxy Auth Question
by Yeargan Yancey
My goal is to configure OpenLDAP as a proxy to provide e-mail
addresses to the public (via anonymous simple binds) using an LDAP
back-end which requires authenticated simple binds.
Public access to this server will be anonymous only and read-only. All
non-anonymous bind attempts are transformed to anonymous using
authz-regexp ".+" "dn:".
However, I need all binds to the back-end LDAP service to use a
specific account. I've looked at the docs and the list archives for
information related to "idassert-bind" but I'm not understanding it
well enough.
I tried this ...
idassert-authzFrom "dn:*"
idassert-bind bindmethod="simple"
binddn="cn=info,o=org"
credentials="password"
but that does not seem to be working for me. I'm getting anonymous
binds on the back-end. Is it possible to do what I'm asking? If so,
what am I doing wrong?
Thanks,
Yancey
restoring an accesslog database
by Emmanuel Dreyfus
Hello
I'm trying to restore an accesslog database, and it badly breaks:
slapadd -b cn=accesslog -f /etc/openldap/slapd.conf -l accesslog.ldif
(...)
str2entry: invalid value for attributeType reqControls #0 (syntax 1.3.6.1.4.1.4203.666.11.5.3.1)
Any hint?
--
Emmanuel Dreyfus
manu(a)netbsd.org
slapo-chain and propagation delay
by manu@netbsd.org
Hello
I have a minor problem with slapo-chain: when a user makes a
modification on a replica, the modification is sent to the master, and
then pulled from the master through syncrepl.
It takes a short time to syncrepl for pulling the updated data from the
master, but that time is long enough for a web form to reload the
previous data, therefore giving the feeling that the modification has
been ignored.
Is there any solution for that problem?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
PGP Keys
by Jorge Medina
Does anybody know where I could get the PGP keys to verify the integrity
of the source code I downloaded from a mirror?
Thanks
-Jorge
Re: Reset LDAP Password for root
by Michael Ströder
Uli Kleemann wrote:
> Installing openldap I made the mistake to follow an old HOWTO and put
> the root password in slapd.conf encrypted, as recommended in that HOWTO.
> So far so good. According to Murphy's law I didn't note the plain
> password, so that I now have to reset it. As I couldn't find a
> useful description to do that yet, I would like to ask you for help.
Put the output of slappasswd after directive 'rootdn' and restart the
server.
Ciao, Michael.
back-sql using varchar keyvals and ids
by Potkanski, Jason
I have an interest in using openldap as an external authenticator for
our membership to connect to external services. Our main table has a
primary key of a varchar (10) and nothing unique in the table that is an
int.
I would love to replace ldap_entries with a view, however, returning the
entries failed when I attempted it.
I did a bit of experimentation with the dc=example,dc=com on a search:
ldapsearch -x -b dc=example,dc=com sn=Puzdoy
The ldap_entries keyval was changed from int to varchar 10 and persons
table id was changed to varchar 10.
Below is a table on some experiments
ldap_entries.keyval and persons.id    MySQL    SQL SERVER 2000
2                                     Ok       Ok
02                                    Ok       Fail
ABC                                   Fail     Fail
abc                                   Fail     Fail
Log:
Jul 31 10:15:41 jpotkanski-lx slapd[30011]: Constructed query: SELECT
DISTINCT ldap_entries.id,persons.id,'inetOrgPerson' AS objectClass...
Jul 31 10:15:41 jpotkanski-lx slapd[30011]: id: '1'
Jul 31 10:15:41 jpotkanski-lx slapd[30011]: >>> dnPrettyNormal:
<cn=Torvlobnor Puzdoy,dc=example,dc=com>
Jul 31 10:15:41 jpotkanski-lx slapd[30011]: <<< dnPrettyNormal:
<cn=Torvlobnor Puzdoy,dc=example,dc=com>, <cn=torvlobnor puzdoy,dc=examp
...
Jul 31 10:15:41 jpotkanski-lx slapd[30011]: backsql_oc_get_candidates():
added entry id=3, keyval=2 dn="cn=Torvlobnor Puzdoy,dc=example, ...
Jul 31 10:15:41 jpotkanski-lx slapd[30011]:
<==backsql_oc_get_candidates(): 1
Jul 31 10:15:41 jpotkanski-lx slapd[30011]: backsql_search(): loading
data for entry id=0, oc_id=0, keyval=0
Jul 31 10:15:41 jpotkanski-lx slapd[30011]: backsql_search(): loading
data for entry id=5, oc_id=2, keyval=1
On a failed one, backsql_oc_get_candidates(): 0
openldap 2.3.39, 4.fc8 , unixodbc 2.2.12, freetds .84, mysql-odbc
latest.
Before opening anything in ITS, I wondered if this is a bug, feature
request or maybe solved in 2.4?
Jason Potkanski
Information Technology Developer
CCIM Institute
430 N. Michigan Ave, Suite 800
Chicago, IL 60611-4092
jpotkanski(a)ccim.com
www.ccim.com
tel: 312.321.8559
slapd does not start, where do I find the error?
by Jorge Medina
I got the sources (2.2.8), compiled and installed OpenLDAP on Red Hat
Enterprise Linux 5 (64-bit). (I also got the sources and compiled
BerkeleyDB 4.6.)
Now, I am trying to start the server. I don't get any error message in
the console.
In Ubuntu, the errors would show up in /var/log/syslog
Where could I find what is wrong when I invoke slapd? Where do the
errors get logged?
Determine current access level
by Simon Victor
Hi all,
I'm stuck on a specific issue with ACLs: I want to get the "current
access level" for an entry (not at attribute level).
My problem is that I want to check if the ACLs allow me to delete or
modify an entry before I really do it.
Is there a way to read out the ACLs?
Is this possible with ACIs? The inheritance of ACIs could be tricky...
Best regards,
Simon